1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-25 12:45:18 +01:00

[PM-14378] WIP

This commit is contained in:
Shane Melton 2024-11-14 16:38:21 -08:00
parent eee7494c91
commit 8fa99834cc
No known key found for this signature in database
8 changed files with 359 additions and 0 deletions

View File

@ -0,0 +1,134 @@
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Vault.Entities;
using Bit.Core.Vault.Models.Data;
using Bit.Core.Vault.Queries;
using Microsoft.AspNetCore.Authorization;
namespace Bit.Core.Vault.Authorization.SecurityTasks;
public class SecurityTaskAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, SecurityTask>
{
private readonly ICurrentContext _currentContext;
private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
private readonly Dictionary<Guid, IDictionary<Guid, OrganizationCipherPermission>> _cipherPermissionCache = new();
public SecurityTaskAuthorizationHandler(ICurrentContext currentContext, IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery)
{
_currentContext = currentContext;
_getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
SecurityTaskOperationRequirement requirement,
SecurityTask task)
{
if (!_currentContext.UserId.HasValue)
{
return;
}
var authorized = requirement switch
{
not null when requirement == SecurityTaskOperations.Read => await CanReadAsync(task),
not null when requirement == SecurityTaskOperations.Create => await CanCreateAsync(task),
not null when requirement == SecurityTaskOperations.Update => await CanUpdateAsync(task),
_ => throw new ArgumentOutOfRangeException(nameof(requirement))
};
if (authorized)
{
context.Succeed(requirement);
}
}
private async Task<bool> CanReadAsync(SecurityTask task)
{
var org = _currentContext.GetOrganization(task.OrganizationId);
if (org == null)
{
// The user does not belong to the organization
return false;
}
if (task.CipherId.HasValue)
{
// Ensure the user has edit access to the cipher
return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
}
return true;
}
private async Task<bool> CanCreateAsync(SecurityTask task)
{
var org = _currentContext.GetOrganization(task.OrganizationId);
// User must be an Admin/Owner or have custom permissions for reporting
if (org is
not ({ Type: OrganizationUserType.Admin or OrganizationUserType.Owner } or
{ Permissions.EditAnyCollection: true } or
{ Permissions.AccessReports: true }))
{
return false;
}
if (task.CipherId.HasValue)
{
return await CipherBelongsToOrgAsync(org, task.CipherId.Value);
}
return true;
}
private async Task<bool> CanUpdateAsync(SecurityTask task)
{
var org = _currentContext.GetOrganization(task.OrganizationId);
if (org == null)
{
// The user does not belong to the organization
return false;
}
if (task.CipherId.HasValue)
{
// Ensure the user has edit access to the cipher (required for updating a task)
return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
}
return true;
}
private async Task<bool> CanEditCipherForOrgAsync(CurrentContextOrganization org, Guid cipherId)
{
var ciphers = await GetCipherPermissionsForOrgAsync(org);
return ciphers.TryGetValue(cipherId, out var cipher) && cipher.Edit;
}
private async Task<bool> CipherBelongsToOrgAsync(CurrentContextOrganization org, Guid cipherId)
{
var ciphers = await GetCipherPermissionsForOrgAsync(org);
return ciphers.ContainsKey(cipherId);
}
private async Task<IDictionary<Guid, OrganizationCipherPermission>> GetCipherPermissionsForOrgAsync(CurrentContextOrganization organization)
{
// Re-use permissions we've already fetched for the organization
if (_cipherPermissionCache.TryGetValue(organization.Id, out var cachedCiphers))
{
return cachedCiphers;
}
var cipherPermissions = await _getCipherPermissionsForUserQuery.GetByOrganization(organization.Id);
_cipherPermissionCache.Add(organization.Id, cipherPermissions);
return cipherPermissions;
}
}

View File

@ -0,0 +1,20 @@
using Microsoft.AspNetCore.Authorization.Infrastructure;
namespace Bit.Core.Vault.Authorization.SecurityTasks;
public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
{
public SecurityTaskOperationRequirement(string name)
{
Name = name;
}
}
public static class SecurityTaskOperations
{
public static readonly SecurityTaskOperationRequirement Read = new SecurityTaskOperationRequirement(nameof(Read));
public static readonly SecurityTaskOperationRequirement Create = new SecurityTaskOperationRequirement(nameof(Create));
public static readonly SecurityTaskOperationRequirement Update = new SecurityTaskOperationRequirement(nameof(Update));
public static readonly SecurityTaskOperationRequirement ListAllForOrganization = new SecurityTaskOperationRequirement(nameof(ListAllForOrganization));
}

View File

@ -0,0 +1,11 @@
using Bit.Core.Context;
using Microsoft.AspNetCore.Authorization;
namespace Bit.Core.Vault.Authorization.SecurityTasks;
public class SecurityTaskOrganizationAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, CurrentContextOrganization>
{
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SecurityTaskOperationRequirement requirement,
CurrentContextOrganization resource) =>
throw new NotImplementedException();
}

View File

@ -0,0 +1,16 @@
namespace Bit.Core.Vault.Models.Data;
/// <summary>
/// Data model that represents a Users permissions for a given cipher
/// that belongs to an organization.
/// To be used internally for authorization.
/// </summary>
public class OrganizationCipherPermission
{
public Guid Id { get; set; }
public Guid Organization { get; set; }
public bool Edit { get; set; }
public bool ViewPassword { get; set; }
public bool Manage { get; set; }
public bool Unassigned { get; set; }
}

View File

@ -0,0 +1,102 @@
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Services;
using Bit.Core.Vault.Models.Data;
using Bit.Core.Vault.Repositories;
namespace Bit.Core.Vault.Queries;
public class GetCipherPermissionsForUserQuery : IGetCipherPermissionsForUserQuery
{
private readonly ICurrentContext _currentContext;
private readonly ICipherRepository _cipherRepository;
private readonly IApplicationCacheService _applicationCacheService;
private readonly IFeatureService _featureService;
public GetCipherPermissionsForUserQuery(ICurrentContext currentContext, ICipherRepository cipherRepository, IApplicationCacheService applicationCacheService, IFeatureService featureService)
{
_currentContext = currentContext;
_cipherRepository = cipherRepository;
_applicationCacheService = applicationCacheService;
_featureService = featureService;
}
public async Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId)
{
var org = _currentContext.GetOrganization(organizationId);
if (org == null)
{
throw new NotFoundException();
}
var cipherPermissions = (await _cipherRepository.GetCipherPermissionsForOrganizationAsync(organizationId)).ToList();
if (await CanEditAllCiphersAsync(org))
{
foreach (var cipher in cipherPermissions)
{
cipher.Edit = true;
cipher.Manage = true;
cipher.ViewPassword = true;
}
}
if (await CanAccessUnassignedCiphersAsync(org))
{
foreach (var unassignedCipher in cipherPermissions.Where(c => c.Unassigned))
{
unassignedCipher.Edit = true;
unassignedCipher.Manage = true;
unassignedCipher.ViewPassword = true;
}
}
return cipherPermissions.ToDictionary(c => c.Id);
}
private async Task<bool> CanEditAllCiphersAsync(CurrentContextOrganization org)
{
// Custom users with EditAnyCollection permissions can always edit all ciphers
if (org is { Type: OrganizationUserType.Custom, Permissions.EditAnyCollection: true })
{
return true;
}
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);
// Owners/Admins can only edit all ciphers if the organization has the setting enabled
if (orgAbility is { AllowAdminAccessToAllCollectionItems: true } && org is
{ Type: OrganizationUserType.Admin or OrganizationUserType.Owner })
{
return true;
}
// Provider users can edit all ciphers if RestrictProviderAccess is disabled
if (await _currentContext.ProviderUserForOrgAsync(org.Id))
{
return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
}
return false;
}
private async Task<bool> CanAccessUnassignedCiphersAsync(CurrentContextOrganization org)
{
if (org is
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.EditAnyCollection: true })
{
return true;
}
// Provider users can only access all ciphers if RestrictProviderAccess is disabled
if (await _currentContext.ProviderUserForOrgAsync(org.Id))
{
return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
}
return false;
}
}

View File

@ -0,0 +1,19 @@
using Bit.Core.Vault.Models.Data;
namespace Bit.Core.Vault.Queries;
public interface IGetCipherPermissionsForUserQuery
{
/// <summary>
/// Retrieves the permissions of every organization cipher (including unassigned) for the
/// ICurrentContext's user.
///
/// It considers the Collection Management setting for allowing Admin/Owners access to all ciphers.
/// </summary>
/// <remarks>
/// The primary use case of this query is internal cipher authorization logic.
/// </remarks>
/// <param name="organizationId"></param>
/// <returns>A dictionary of CipherIds and a corresponding OrganizationCipherPermission</returns>
public Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId);
}

View File

@ -38,6 +38,7 @@ public interface ICipherRepository : IRepository<Cipher, Guid>
Task<DateTime> RestoreAsync(IEnumerable<Guid> ids, Guid userId); Task<DateTime> RestoreAsync(IEnumerable<Guid> ids, Guid userId);
Task<DateTime> RestoreByIdsOrganizationIdAsync(IEnumerable<Guid> ids, Guid organizationId); Task<DateTime> RestoreByIdsOrganizationIdAsync(IEnumerable<Guid> ids, Guid organizationId);
Task DeleteDeletedAsync(DateTime deletedDateBefore); Task DeleteDeletedAsync(DateTime deletedDateBefore);
Task<IEnumerable<OrganizationCipherPermission>> GetCipherPermissionsForOrganizationAsync(Guid organizationId);
/// <summary> /// <summary>
/// Updates encrypted data for ciphers during a key rotation /// Updates encrypted data for ciphers during a key rotation

View File

@ -0,0 +1,56 @@
CREATE PROCEDURE [dbo].[CipherOrganizationPermissions_GetByOrganizationId]
@OrganizationId UNIQUEIDENTIFIER,
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
C.[Id],
MAX(CASE
WHEN COALESCE(CU.[ReadOnly], CG.[ReadOnly], 1) = 0
THEN 1
ELSE 0
END) [Edit],
MAX(CASE
WHEN COALESCE(CU.[HidePasswords], CG.[HidePasswords], 1) = 0
THEN 1
ELSE 0
END) [ViewPassword],
MAX(COALESCE(CU.[Manage], CG.[Manage], 0)) [Manage],
CASE
WHEN COUNT(CC.[CollectionId]) > 0 THEN 0
ELSE 1
END [Unassigned]
FROM
[dbo].[CipherDetails](@UserId) C
INNER JOIN
[OrganizationUser] OU ON
C.[UserId] IS NULL
AND C.[OrganizationId] = @OrganizationId
INNER JOIN
[dbo].[Organization] O ON
O.[Id] = OU.[OrganizationId]
AND O.[Id] = C.[OrganizationId]
AND O.[Enabled] = 1
LEFT JOIN
[dbo].[CollectionCipher] CC ON
CC.[CipherId] = C.[Id]
LEFT JOIN
[dbo].[CollectionUser] CU ON
CU.[CollectionId] = CC.[CollectionId]
AND CU.[OrganizationUserId] = OU.[Id]
LEFT JOIN
[dbo].[GroupUser] GU ON
CU.[CollectionId] IS NULL
AND GU.[OrganizationUserId] = OU.[Id]
LEFT JOIN
[dbo].[Group] G ON
G.[Id] = GU.[GroupId]
LEFT JOIN
[dbo].[CollectionGroup] CG ON
CG.[CollectionId] = CC.[CollectionId]
AND CG.[GroupId] = GU.[GroupId]
GROUP BY
C.[Id]
END