mirror of
https://github.com/bitwarden/server.git
synced 2024-11-25 12:45:18 +01:00
[PM-14378] WIP
This commit is contained in:
parent
eee7494c91
commit
8fa99834cc
@ -0,0 +1,134 @@
|
|||||||
|
using Bit.Core.Context;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Vault.Entities;
|
||||||
|
using Bit.Core.Vault.Models.Data;
|
||||||
|
using Bit.Core.Vault.Queries;
|
||||||
|
using Microsoft.AspNetCore.Authorization;
|
||||||
|
|
||||||
|
|
||||||
|
namespace Bit.Core.Vault.Authorization.SecurityTasks;
|
||||||
|
|
||||||
|
public class SecurityTaskAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, SecurityTask>
|
||||||
|
{
|
||||||
|
private readonly ICurrentContext _currentContext;
|
||||||
|
private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
|
||||||
|
|
||||||
|
private readonly Dictionary<Guid, IDictionary<Guid, OrganizationCipherPermission>> _cipherPermissionCache = new();
|
||||||
|
|
||||||
|
public SecurityTaskAuthorizationHandler(ICurrentContext currentContext, IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery)
|
||||||
|
{
|
||||||
|
_currentContext = currentContext;
|
||||||
|
_getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
|
||||||
|
SecurityTaskOperationRequirement requirement,
|
||||||
|
SecurityTask task)
|
||||||
|
{
|
||||||
|
if (!_currentContext.UserId.HasValue)
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
var authorized = requirement switch
|
||||||
|
{
|
||||||
|
not null when requirement == SecurityTaskOperations.Read => await CanReadAsync(task),
|
||||||
|
not null when requirement == SecurityTaskOperations.Create => await CanCreateAsync(task),
|
||||||
|
not null when requirement == SecurityTaskOperations.Update => await CanUpdateAsync(task),
|
||||||
|
_ => throw new ArgumentOutOfRangeException(nameof(requirement))
|
||||||
|
};
|
||||||
|
|
||||||
|
if (authorized)
|
||||||
|
{
|
||||||
|
context.Succeed(requirement);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<bool> CanReadAsync(SecurityTask task)
|
||||||
|
{
|
||||||
|
var org = _currentContext.GetOrganization(task.OrganizationId);
|
||||||
|
|
||||||
|
if (org == null)
|
||||||
|
{
|
||||||
|
// The user does not belong to the organization
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (task.CipherId.HasValue)
|
||||||
|
{
|
||||||
|
// Ensure the user has edit access to the cipher
|
||||||
|
return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<bool> CanCreateAsync(SecurityTask task)
|
||||||
|
{
|
||||||
|
var org = _currentContext.GetOrganization(task.OrganizationId);
|
||||||
|
|
||||||
|
// User must be an Admin/Owner or have custom permissions for reporting
|
||||||
|
if (org is
|
||||||
|
not ({ Type: OrganizationUserType.Admin or OrganizationUserType.Owner } or
|
||||||
|
{ Permissions.EditAnyCollection: true } or
|
||||||
|
{ Permissions.AccessReports: true }))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (task.CipherId.HasValue)
|
||||||
|
{
|
||||||
|
return await CipherBelongsToOrgAsync(org, task.CipherId.Value);
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<bool> CanUpdateAsync(SecurityTask task)
|
||||||
|
{
|
||||||
|
var org = _currentContext.GetOrganization(task.OrganizationId);
|
||||||
|
|
||||||
|
if (org == null)
|
||||||
|
{
|
||||||
|
// The user does not belong to the organization
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (task.CipherId.HasValue)
|
||||||
|
{
|
||||||
|
// Ensure the user has edit access to the cipher (required for updating a task)
|
||||||
|
return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<bool> CanEditCipherForOrgAsync(CurrentContextOrganization org, Guid cipherId)
|
||||||
|
{
|
||||||
|
var ciphers = await GetCipherPermissionsForOrgAsync(org);
|
||||||
|
|
||||||
|
return ciphers.TryGetValue(cipherId, out var cipher) && cipher.Edit;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<bool> CipherBelongsToOrgAsync(CurrentContextOrganization org, Guid cipherId)
|
||||||
|
{
|
||||||
|
var ciphers = await GetCipherPermissionsForOrgAsync(org);
|
||||||
|
|
||||||
|
return ciphers.ContainsKey(cipherId);
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<IDictionary<Guid, OrganizationCipherPermission>> GetCipherPermissionsForOrgAsync(CurrentContextOrganization organization)
|
||||||
|
{
|
||||||
|
// Re-use permissions we've already fetched for the organization
|
||||||
|
if (_cipherPermissionCache.TryGetValue(organization.Id, out var cachedCiphers))
|
||||||
|
{
|
||||||
|
return cachedCiphers;
|
||||||
|
}
|
||||||
|
|
||||||
|
var cipherPermissions = await _getCipherPermissionsForUserQuery.GetByOrganization(organization.Id);
|
||||||
|
|
||||||
|
_cipherPermissionCache.Add(organization.Id, cipherPermissions);
|
||||||
|
|
||||||
|
return cipherPermissions;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,20 @@
|
|||||||
|
using Microsoft.AspNetCore.Authorization.Infrastructure;
|
||||||
|
|
||||||
|
namespace Bit.Core.Vault.Authorization.SecurityTasks;
|
||||||
|
|
||||||
|
public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
|
||||||
|
{
|
||||||
|
public SecurityTaskOperationRequirement(string name)
|
||||||
|
{
|
||||||
|
Name = name;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public static class SecurityTaskOperations
|
||||||
|
{
|
||||||
|
public static readonly SecurityTaskOperationRequirement Read = new SecurityTaskOperationRequirement(nameof(Read));
|
||||||
|
public static readonly SecurityTaskOperationRequirement Create = new SecurityTaskOperationRequirement(nameof(Create));
|
||||||
|
public static readonly SecurityTaskOperationRequirement Update = new SecurityTaskOperationRequirement(nameof(Update));
|
||||||
|
|
||||||
|
public static readonly SecurityTaskOperationRequirement ListAllForOrganization = new SecurityTaskOperationRequirement(nameof(ListAllForOrganization));
|
||||||
|
}
|
@ -0,0 +1,11 @@
|
|||||||
|
using Bit.Core.Context;
|
||||||
|
using Microsoft.AspNetCore.Authorization;
|
||||||
|
|
||||||
|
namespace Bit.Core.Vault.Authorization.SecurityTasks;
|
||||||
|
|
||||||
|
public class SecurityTaskOrganizationAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, CurrentContextOrganization>
|
||||||
|
{
|
||||||
|
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SecurityTaskOperationRequirement requirement,
|
||||||
|
CurrentContextOrganization resource) =>
|
||||||
|
throw new NotImplementedException();
|
||||||
|
}
|
16
src/Core/Vault/Models/Data/OrganizationCipherPermission.cs
Normal file
16
src/Core/Vault/Models/Data/OrganizationCipherPermission.cs
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
namespace Bit.Core.Vault.Models.Data;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Data model that represents a Users permissions for a given cipher
|
||||||
|
/// that belongs to an organization.
|
||||||
|
/// To be used internally for authorization.
|
||||||
|
/// </summary>
|
||||||
|
public class OrganizationCipherPermission
|
||||||
|
{
|
||||||
|
public Guid Id { get; set; }
|
||||||
|
public Guid Organization { get; set; }
|
||||||
|
public bool Edit { get; set; }
|
||||||
|
public bool ViewPassword { get; set; }
|
||||||
|
public bool Manage { get; set; }
|
||||||
|
public bool Unassigned { get; set; }
|
||||||
|
}
|
102
src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs
Normal file
102
src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
using Bit.Core.Context;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Exceptions;
|
||||||
|
using Bit.Core.Services;
|
||||||
|
using Bit.Core.Vault.Models.Data;
|
||||||
|
using Bit.Core.Vault.Repositories;
|
||||||
|
|
||||||
|
namespace Bit.Core.Vault.Queries;
|
||||||
|
|
||||||
|
public class GetCipherPermissionsForUserQuery : IGetCipherPermissionsForUserQuery
|
||||||
|
{
|
||||||
|
private readonly ICurrentContext _currentContext;
|
||||||
|
private readonly ICipherRepository _cipherRepository;
|
||||||
|
private readonly IApplicationCacheService _applicationCacheService;
|
||||||
|
private readonly IFeatureService _featureService;
|
||||||
|
|
||||||
|
public GetCipherPermissionsForUserQuery(ICurrentContext currentContext, ICipherRepository cipherRepository, IApplicationCacheService applicationCacheService, IFeatureService featureService)
|
||||||
|
{
|
||||||
|
_currentContext = currentContext;
|
||||||
|
_cipherRepository = cipherRepository;
|
||||||
|
_applicationCacheService = applicationCacheService;
|
||||||
|
_featureService = featureService;
|
||||||
|
}
|
||||||
|
|
||||||
|
public async Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId)
|
||||||
|
{
|
||||||
|
var org = _currentContext.GetOrganization(organizationId);
|
||||||
|
|
||||||
|
if (org == null)
|
||||||
|
{
|
||||||
|
throw new NotFoundException();
|
||||||
|
}
|
||||||
|
|
||||||
|
var cipherPermissions = (await _cipherRepository.GetCipherPermissionsForOrganizationAsync(organizationId)).ToList();
|
||||||
|
|
||||||
|
if (await CanEditAllCiphersAsync(org))
|
||||||
|
{
|
||||||
|
foreach (var cipher in cipherPermissions)
|
||||||
|
{
|
||||||
|
cipher.Edit = true;
|
||||||
|
cipher.Manage = true;
|
||||||
|
cipher.ViewPassword = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (await CanAccessUnassignedCiphersAsync(org))
|
||||||
|
{
|
||||||
|
foreach (var unassignedCipher in cipherPermissions.Where(c => c.Unassigned))
|
||||||
|
{
|
||||||
|
unassignedCipher.Edit = true;
|
||||||
|
unassignedCipher.Manage = true;
|
||||||
|
unassignedCipher.ViewPassword = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return cipherPermissions.ToDictionary(c => c.Id);
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<bool> CanEditAllCiphersAsync(CurrentContextOrganization org)
|
||||||
|
{
|
||||||
|
// Custom users with EditAnyCollection permissions can always edit all ciphers
|
||||||
|
if (org is { Type: OrganizationUserType.Custom, Permissions.EditAnyCollection: true })
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);
|
||||||
|
|
||||||
|
// Owners/Admins can only edit all ciphers if the organization has the setting enabled
|
||||||
|
if (orgAbility is { AllowAdminAccessToAllCollectionItems: true } && org is
|
||||||
|
{ Type: OrganizationUserType.Admin or OrganizationUserType.Owner })
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Provider users can edit all ciphers if RestrictProviderAccess is disabled
|
||||||
|
if (await _currentContext.ProviderUserForOrgAsync(org.Id))
|
||||||
|
{
|
||||||
|
return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task<bool> CanAccessUnassignedCiphersAsync(CurrentContextOrganization org)
|
||||||
|
{
|
||||||
|
if (org is
|
||||||
|
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
|
||||||
|
{ Permissions.EditAnyCollection: true })
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Provider users can only access all ciphers if RestrictProviderAccess is disabled
|
||||||
|
if (await _currentContext.ProviderUserForOrgAsync(org.Id))
|
||||||
|
{
|
||||||
|
return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
19
src/Core/Vault/Queries/IGetCipherPermissionsForUserQuery.cs
Normal file
19
src/Core/Vault/Queries/IGetCipherPermissionsForUserQuery.cs
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
using Bit.Core.Vault.Models.Data;
|
||||||
|
|
||||||
|
namespace Bit.Core.Vault.Queries;
|
||||||
|
|
||||||
|
public interface IGetCipherPermissionsForUserQuery
|
||||||
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// Retrieves the permissions of every organization cipher (including unassigned) for the
|
||||||
|
/// ICurrentContext's user.
|
||||||
|
///
|
||||||
|
/// It considers the Collection Management setting for allowing Admin/Owners access to all ciphers.
|
||||||
|
/// </summary>
|
||||||
|
/// <remarks>
|
||||||
|
/// The primary use case of this query is internal cipher authorization logic.
|
||||||
|
/// </remarks>
|
||||||
|
/// <param name="organizationId"></param>
|
||||||
|
/// <returns>A dictionary of CipherIds and a corresponding OrganizationCipherPermission</returns>
|
||||||
|
public Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId);
|
||||||
|
}
|
@ -38,6 +38,7 @@ public interface ICipherRepository : IRepository<Cipher, Guid>
|
|||||||
Task<DateTime> RestoreAsync(IEnumerable<Guid> ids, Guid userId);
|
Task<DateTime> RestoreAsync(IEnumerable<Guid> ids, Guid userId);
|
||||||
Task<DateTime> RestoreByIdsOrganizationIdAsync(IEnumerable<Guid> ids, Guid organizationId);
|
Task<DateTime> RestoreByIdsOrganizationIdAsync(IEnumerable<Guid> ids, Guid organizationId);
|
||||||
Task DeleteDeletedAsync(DateTime deletedDateBefore);
|
Task DeleteDeletedAsync(DateTime deletedDateBefore);
|
||||||
|
Task<IEnumerable<OrganizationCipherPermission>> GetCipherPermissionsForOrganizationAsync(Guid organizationId);
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Updates encrypted data for ciphers during a key rotation
|
/// Updates encrypted data for ciphers during a key rotation
|
||||||
|
@ -0,0 +1,56 @@
|
|||||||
|
CREATE PROCEDURE [dbo].[CipherOrganizationPermissions_GetByOrganizationId]
|
||||||
|
@OrganizationId UNIQUEIDENTIFIER,
|
||||||
|
@UserId UNIQUEIDENTIFIER
|
||||||
|
AS
|
||||||
|
BEGIN
|
||||||
|
SET NOCOUNT ON
|
||||||
|
|
||||||
|
SELECT
|
||||||
|
C.[Id],
|
||||||
|
MAX(CASE
|
||||||
|
WHEN COALESCE(CU.[ReadOnly], CG.[ReadOnly], 1) = 0
|
||||||
|
THEN 1
|
||||||
|
ELSE 0
|
||||||
|
END) [Edit],
|
||||||
|
MAX(CASE
|
||||||
|
WHEN COALESCE(CU.[HidePasswords], CG.[HidePasswords], 1) = 0
|
||||||
|
THEN 1
|
||||||
|
ELSE 0
|
||||||
|
END) [ViewPassword],
|
||||||
|
MAX(COALESCE(CU.[Manage], CG.[Manage], 0)) [Manage],
|
||||||
|
CASE
|
||||||
|
WHEN COUNT(CC.[CollectionId]) > 0 THEN 0
|
||||||
|
ELSE 1
|
||||||
|
END [Unassigned]
|
||||||
|
FROM
|
||||||
|
[dbo].[CipherDetails](@UserId) C
|
||||||
|
INNER JOIN
|
||||||
|
[OrganizationUser] OU ON
|
||||||
|
C.[UserId] IS NULL
|
||||||
|
AND C.[OrganizationId] = @OrganizationId
|
||||||
|
INNER JOIN
|
||||||
|
[dbo].[Organization] O ON
|
||||||
|
O.[Id] = OU.[OrganizationId]
|
||||||
|
AND O.[Id] = C.[OrganizationId]
|
||||||
|
AND O.[Enabled] = 1
|
||||||
|
LEFT JOIN
|
||||||
|
[dbo].[CollectionCipher] CC ON
|
||||||
|
CC.[CipherId] = C.[Id]
|
||||||
|
LEFT JOIN
|
||||||
|
[dbo].[CollectionUser] CU ON
|
||||||
|
CU.[CollectionId] = CC.[CollectionId]
|
||||||
|
AND CU.[OrganizationUserId] = OU.[Id]
|
||||||
|
LEFT JOIN
|
||||||
|
[dbo].[GroupUser] GU ON
|
||||||
|
CU.[CollectionId] IS NULL
|
||||||
|
AND GU.[OrganizationUserId] = OU.[Id]
|
||||||
|
LEFT JOIN
|
||||||
|
[dbo].[Group] G ON
|
||||||
|
G.[Id] = GU.[GroupId]
|
||||||
|
LEFT JOIN
|
||||||
|
[dbo].[CollectionGroup] CG ON
|
||||||
|
CG.[CollectionId] = CC.[CollectionId]
|
||||||
|
AND CG.[GroupId] = GU.[GroupId]
|
||||||
|
GROUP BY
|
||||||
|
C.[Id]
|
||||||
|
END
|
Loading…
Reference in New Issue
Block a user