[EC-92] Add organization vault export to event logs (#2128)

* Added nullable OrganizationId to EventModel

* Added EventType Organization_ClientExportedVault

* Updated CollectController to save the event Organization_ClientExportedVault

* Added OrganizationExportResponseModel to encapsulate Organization Export data

* Added OrganizationExportController to have a single endpoint for Organization vault export

* Added method GetOrganizationCollections to ICollectionService to get collections for an organization

* Added GetOrganizationCiphers to ICipherService to get ciphers for an organization

* Updated controllers to use new methods in ICollectionService and ICipherService

src/Api/Controllers/CiphersController.cs

@@ -216,40 +216,12 @@ namespace Bit.Api.Controllers
         {
             var userId = _userService.GetProperUserId(User).Value;
             var orgIdGuid = new Guid(organizationId);
-            if (!await _currentContext.ViewAllCollections(orgIdGuid) && !await _currentContext.AccessReports(orgIdGuid))
-            {
-                throw new NotFoundException();
-            }
-
-            IEnumerable<CipherOrganizationDetails> orgCiphers;
-            if (await _currentContext.OrganizationAdmin(orgIdGuid))
-            {
-                // Admins, Owners and Providers can access all items even if not assigned to them
-                orgCiphers = await _cipherRepository.GetManyOrganizationDetailsByOrganizationIdAsync(orgIdGuid);
-            }
-            else
-            {
-                var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
-                orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid);
-            }
-
-            var orgCipherIds = orgCiphers.Select(c => c.Id);
-
-            var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
-            var collectionCiphersGroupDict = collectionCiphers
-                .Where(c => orgCipherIds.Contains(c.CipherId))
-                .GroupBy(c => c.CipherId).ToDictionary(s => s.Key);
 
+            (IEnumerable<CipherOrganizationDetails> orgCiphers, Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict) = await _cipherService.GetOrganizationCiphers(userId, orgIdGuid);
 
             var responses = orgCiphers.Select(c => new CipherMiniDetailsResponseModel(c, _globalSettings,
                 collectionCiphersGroupDict, c.OrganizationUseTotp));
 
-
-            var providerId = await _currentContext.ProviderIdForOrg(orgIdGuid);
-            if (providerId.HasValue)
-            {
-                await _providerService.LogProviderAccessToOrganizationAsync(orgIdGuid);
-            }
             return new ListResponseModel<CipherMiniDetailsResponseModel>(responses);
         }
 

src/Api/Controllers/CollectionsController.cs

@@ -75,22 +75,7 @@ namespace Bit.Api.Controllers
         [HttpGet("")]
         public async Task<ListResponseModel<CollectionResponseModel>> Get(Guid orgId)
         {
-            if (!await _currentContext.ViewAllCollections(orgId) && !await _currentContext.ManageUsers(orgId))
+            IEnumerable<Collection> orgCollections = await _collectionService.GetOrganizationCollections(orgId);
-            {
-                throw new NotFoundException();
-            }
-
-            IEnumerable<Collection> orgCollections;
-            if (await _currentContext.OrganizationAdmin(orgId))
-            {
-                // Admins, Owners and Providers can access all items even if not assigned to them
-                orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
-            }
-            else
-            {
-                var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
-                orgCollections = collections.Where(c => c.OrganizationId == orgId);
-            }
 
             var responses = orgCollections.Select(c => new CollectionResponseModel(c));
             return new ListResponseModel<CollectionResponseModel>(responses);

src/Api/Controllers/OrganizationExportController.cs

@@ -0,0 +1,64 @@
+using Bit.Api.Models.Response;
+using Bit.Core.Entities;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Core.Models.Data;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers
+{
+    [Route("organizations/{organizationId}")]
+    [Authorize("Application")]
+    public class OrganizationExportController : Controller
+    {
+        private readonly IUserService _userService;
+        private readonly ICollectionService _collectionService;
+        private readonly ICipherService _cipherService;
+        private readonly GlobalSettings _globalSettings;
+
+        public OrganizationExportController(
+            ICipherService cipherService,
+            ICollectionService collectionService,
+            IUserService userService,
+            GlobalSettings globalSettings)
+        {
+            _cipherService = cipherService;
+            _collectionService = collectionService;
+            _userService = userService;
+            _globalSettings = globalSettings;
+        }
+
+        [HttpGet("export")]
+        public async Task<OrganizationExportResponseModel> Export(Guid organizationId)
+        {
+            var userId = _userService.GetProperUserId(User).Value;
+
+            IEnumerable<Collection> orgCollections = await _collectionService.GetOrganizationCollections(organizationId);
+            (IEnumerable<CipherOrganizationDetails> orgCiphers, Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict) = await _cipherService.GetOrganizationCiphers(userId, organizationId);
+
+            var result = new OrganizationExportResponseModel
+            {
+                Collections = GetOrganizationCollectionsResponse(orgCollections),
+                Ciphers = await GetOrganizationCiphersResponse(orgCiphers, collectionCiphersGroupDict)
+            };
+
+            return result;
+        }
+
+        private ListResponseModel<CollectionResponseModel> GetOrganizationCollectionsResponse(IEnumerable<Collection> orgCollections)
+        {
+            var collections = orgCollections.Select(c => new CollectionResponseModel(c));
+            return new ListResponseModel<CollectionResponseModel>(collections);
+        }
+
+        private async Task<ListResponseModel<CipherMiniDetailsResponseModel>> GetOrganizationCiphersResponse(IEnumerable<CipherOrganizationDetails> orgCiphers,
+            Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict)
+        {
+            var responses = orgCiphers.Select(c => new CipherMiniDetailsResponseModel(c, _globalSettings,
+                collectionCiphersGroupDict, c.OrganizationUseTotp));
+
+            return new ListResponseModel<CipherMiniDetailsResponseModel>(responses);
+        }
+    }
+}

src/Api/Models/Response/OrganizationExportResponseModel.cs

@@ -0,0 +1,13 @@
+namespace Bit.Api.Models.Response
+{
+    public class OrganizationExportResponseModel
+    {
+        public OrganizationExportResponseModel()
+        {
+        }
+
+        public ListResponseModel<CollectionResponseModel> Collections { get; set; }
+
+        public ListResponseModel<CipherMiniDetailsResponseModel> Ciphers { get; set; }
+    }
+}

src/Core/Enums/EventType.cs

@@ -56,7 +56,7 @@
 
         Organization_Updated = 1600,
         Organization_PurgedVault = 1601,
-        // Organization_ClientExportedVault = 1602,
+        Organization_ClientExportedVault = 1602,
         Organization_VaultAccessed = 1603,
         Organization_EnabledSso = 1604,
         Organization_DisabledSso = 1605,

src/Core/Services/ICipherService.cs

@@ -39,5 +39,6 @@ namespace Bit.Core.Services
         Task UploadFileForExistingAttachmentAsync(Stream stream, Cipher cipher, CipherAttachment.MetaData attachmentId);
         Task<AttachmentResponseData> GetAttachmentDownloadDataAsync(Cipher cipher, string attachmentId);
         Task<bool> ValidateCipherAttachmentFile(Cipher cipher, CipherAttachment.MetaData attachmentData);
+        Task<(IEnumerable<CipherOrganizationDetails>, Dictionary<Guid, IGrouping<Guid, CollectionCipher>>)> GetOrganizationCiphers(Guid userId, Guid organizationId);
     }
 }

src/Core/Services/ICollectionService.cs

@@ -8,5 +8,6 @@ namespace Bit.Core.Services
         Task SaveAsync(Collection collection, IEnumerable<SelectionReadOnly> groups = null, Guid? assignUserId = null);
         Task DeleteAsync(Collection collection);
         Task DeleteUserAsync(Collection collection, Guid organizationUserId);
+        Task<IEnumerable<Collection>> GetOrganizationCollections(Guid organizationId);
     }
 }

src/Core/Services/Implementations/CipherService.cs

@@ -1,4 +1,5 @@
 using System.Text.Json;
+using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -29,6 +30,8 @@ namespace Bit.Core.Services
         private readonly GlobalSettings _globalSettings;
         private const long _fileSizeLeeway = 1024L * 1024L; // 1MB 
         private readonly IReferenceEventService _referenceEventService;
+        private readonly ICurrentContext _currentContext;
+        private readonly IProviderService _providerService;
 
         public CipherService(
             ICipherRepository cipherRepository,
@@ -43,7 +46,8 @@ namespace Bit.Core.Services
             IUserService userService,
             IPolicyRepository policyRepository,
             GlobalSettings globalSettings,
-            IReferenceEventService referenceEventService)
+            IReferenceEventService referenceEventService,
+            ICurrentContext currentContext)
         {
             _cipherRepository = cipherRepository;
             _folderRepository = folderRepository;
@@ -58,6 +62,7 @@ namespace Bit.Core.Services
             _policyRepository = policyRepository;
             _globalSettings = globalSettings;
             _referenceEventService = referenceEventService;
+            _currentContext = currentContext;
         }
 
         public async Task SaveAsync(Cipher cipher, Guid savingUserId, DateTime? lastKnownRevisionDate,
@@ -845,6 +850,41 @@ namespace Bit.Core.Services
             await _pushService.PushSyncCiphersAsync(restoringUserId);
         }
 
+        public async Task<(IEnumerable<CipherOrganizationDetails>, Dictionary<Guid, IGrouping<Guid, CollectionCipher>>)> GetOrganizationCiphers(Guid userId, Guid organizationId)
+        {
+            if (!await _currentContext.ViewAllCollections(organizationId) && !await _currentContext.AccessReports(organizationId))
+            {
+                throw new NotFoundException();
+            }
+
+            IEnumerable<CipherOrganizationDetails> orgCiphers;
+            if (await _currentContext.OrganizationAdmin(organizationId))
+            {
+                // Admins, Owners and Providers can access all items even if not assigned to them
+                orgCiphers = await _cipherRepository.GetManyOrganizationDetailsByOrganizationIdAsync(organizationId);
+            }
+            else
+            {
+                var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
+                orgCiphers = ciphers.Where(c => c.OrganizationId == organizationId);
+            }
+
+            var orgCipherIds = orgCiphers.Select(c => c.Id);
+
+            var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(organizationId);
+            var collectionCiphersGroupDict = collectionCiphers
+                .Where(c => orgCipherIds.Contains(c.CipherId))
+                .GroupBy(c => c.CipherId).ToDictionary(s => s.Key);
+
+            var providerId = await _currentContext.ProviderIdForOrg(organizationId);
+            if (providerId.HasValue)
+            {
+                await _providerService.LogProviderAccessToOrganizationAsync(organizationId);
+            }
+
+            return (orgCiphers, collectionCiphersGroupDict);
+        }
+
         private async Task<bool> UserCanEditAsync(Cipher cipher, Guid userId)
         {
             if (!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)

src/Core/Services/Implementations/CollectionService.cs

@@ -1,4 +1,5 @@
-using Bit.Core.Entities;
+using Bit.Core.Context;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@@ -16,6 +17,7 @@ namespace Bit.Core.Services
         private readonly IUserRepository _userRepository;
         private readonly IMailService _mailService;
         private readonly IReferenceEventService _referenceEventService;
+        private readonly ICurrentContext _currentContext;
 
         public CollectionService(
             IEventService eventService,
@@ -24,7 +26,8 @@ namespace Bit.Core.Services
             ICollectionRepository collectionRepository,
             IUserRepository userRepository,
             IMailService mailService,
-            IReferenceEventService referenceEventService)
+            IReferenceEventService referenceEventService,
+            ICurrentContext currentContext)
         {
             _eventService = eventService;
             _organizationRepository = organizationRepository;
@@ -33,6 +36,7 @@ namespace Bit.Core.Services
             _userRepository = userRepository;
             _mailService = mailService;
             _referenceEventService = referenceEventService;
+            _currentContext = currentContext;
         }
 
         public async Task SaveAsync(Collection collection, IEnumerable<SelectionReadOnly> groups = null,
@@ -111,5 +115,27 @@ namespace Bit.Core.Services
             await _collectionRepository.DeleteUserAsync(collection.Id, organizationUserId);
             await _eventService.LogOrganizationUserEventAsync(orgUser, Enums.EventType.OrganizationUser_Updated);
         }
+
+        public async Task<IEnumerable<Collection>> GetOrganizationCollections(Guid organizationId)
+        {
+            if (!await _currentContext.ViewAllCollections(organizationId) && !await _currentContext.ManageUsers(organizationId))
+            {
+                throw new NotFoundException();
+            }
+
+            IEnumerable<Collection> orgCollections;
+            if (await _currentContext.OrganizationAdmin(organizationId))
+            {
+                // Admins, Owners and Providers can access all items even if not assigned to them
+                orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(organizationId);
+            }
+            else
+            {
+                var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
+                orgCollections = collections.Where(c => c.OrganizationId == organizationId);
+            }
+
+            return orgCollections;
+        }
     }
 }

src/Events/Controllers/CollectController.cs

@@ -17,15 +17,18 @@ namespace Bit.Events.Controllers
         private readonly ICurrentContext _currentContext;
         private readonly IEventService _eventService;
         private readonly ICipherRepository _cipherRepository;
+        private readonly IOrganizationRepository _organizationRepository;
 
         public CollectController(
             ICurrentContext currentContext,
             IEventService eventService,
-            ICipherRepository cipherRepository)
+            ICipherRepository cipherRepository,
+            IOrganizationRepository organizationRepository)
         {
             _currentContext = currentContext;
             _eventService = eventService;
             _cipherRepository = cipherRepository;
+            _organizationRepository = organizationRepository;
         }
 
         [HttpPost]
@@ -78,6 +81,14 @@ namespace Bit.Events.Controllers
                         }
                         cipherEvents.Add(new Tuple<Cipher, EventType, DateTime?>(cipher, eventModel.Type, eventModel.Date));
                         break;
+                    case EventType.Organization_ClientExportedVault:
+                        if (!eventModel.OrganizationId.HasValue)
+                        {
+                            continue;
+                        }
+                        var organization = await _organizationRepository.GetByIdAsync(eventModel.OrganizationId.Value);
+                        await _eventService.LogOrganizationEventAsync(organization, eventModel.Type, eventModel.Date);
+                        break;
                     default:
                         continue;
                 }

src/Events/Models/EventModel.cs

@@ -7,5 +7,6 @@ namespace Bit.Events.Models
         public EventType Type { get; set; }
         public Guid? CipherId { get; set; }
         public DateTime Date { get; set; }
+        public Guid? OrganizationId { get; set; }
     }
 }