[PM-14378] WIP

src/Core/Vault/Authorization/SecurityTasks/SecurityTaskAuthorizationHandler.cs

@@ -0,0 +1,134 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Microsoft.AspNetCore.Authorization;
+
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class SecurityTaskAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, SecurityTask>
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
+
+    private readonly Dictionary<Guid, IDictionary<Guid, OrganizationCipherPermission>> _cipherPermissionCache = new();
+
+    public SecurityTaskAuthorizationHandler(ICurrentContext currentContext, IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery)
+    {
+        _currentContext = currentContext;
+        _getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        SecurityTaskOperationRequirement requirement,
+        SecurityTask task)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            return;
+        }
+
+        var authorized = requirement switch
+        {
+            not null when requirement == SecurityTaskOperations.Read => await CanReadAsync(task),
+            not null when requirement == SecurityTaskOperations.Create => await CanCreateAsync(task),
+            not null when requirement == SecurityTaskOperations.Update => await CanUpdateAsync(task),
+            _ => throw new ArgumentOutOfRangeException(nameof(requirement))
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private async Task<bool> CanReadAsync(SecurityTask task)
+    {
+        var org = _currentContext.GetOrganization(task.OrganizationId);
+
+        if (org == null)
+        {
+            // The user does not belong to the organization
+            return false;
+        }
+
+        if (task.CipherId.HasValue)
+        {
+            // Ensure the user has edit access to the cipher
+            return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
+        }
+
+        return true;
+    }
+
+    private async Task<bool> CanCreateAsync(SecurityTask task)
+    {
+        var org = _currentContext.GetOrganization(task.OrganizationId);
+
+        // User must be an Admin/Owner or have custom permissions for reporting
+        if (org is
+            not ({ Type: OrganizationUserType.Admin or OrganizationUserType.Owner } or
+            { Permissions.EditAnyCollection: true } or
+            { Permissions.AccessReports: true }))
+        {
+            return false;
+        }
+
+        if (task.CipherId.HasValue)
+        {
+            return await CipherBelongsToOrgAsync(org, task.CipherId.Value);
+        }
+
+        return true;
+    }
+
+    private async Task<bool> CanUpdateAsync(SecurityTask task)
+    {
+        var org = _currentContext.GetOrganization(task.OrganizationId);
+
+        if (org == null)
+        {
+            // The user does not belong to the organization
+            return false;
+        }
+
+        if (task.CipherId.HasValue)
+        {
+            // Ensure the user has edit access to the cipher (required for updating a task)
+            return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
+        }
+
+        return true;
+    }
+
+    private async Task<bool> CanEditCipherForOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.TryGetValue(cipherId, out var cipher) && cipher.Edit;
+    }
+
+    private async Task<bool> CipherBelongsToOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.ContainsKey(cipherId);
+    }
+
+    private async Task<IDictionary<Guid, OrganizationCipherPermission>> GetCipherPermissionsForOrgAsync(CurrentContextOrganization organization)
+    {
+        // Re-use permissions we've already fetched for the organization
+        if (_cipherPermissionCache.TryGetValue(organization.Id, out var cachedCiphers))
+        {
+            return cachedCiphers;
+        }
+
+        var cipherPermissions = await _getCipherPermissionsForUserQuery.GetByOrganization(organization.Id);
+
+        _cipherPermissionCache.Add(organization.Id, cipherPermissions);
+
+        return cipherPermissions;
+    }
+}

src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOperationRequirement.cs

@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
+{
+    public SecurityTaskOperationRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class SecurityTaskOperations
+{
+    public static readonly SecurityTaskOperationRequirement Read = new SecurityTaskOperationRequirement(nameof(Read));
+    public static readonly SecurityTaskOperationRequirement Create = new SecurityTaskOperationRequirement(nameof(Create));
+    public static readonly SecurityTaskOperationRequirement Update = new SecurityTaskOperationRequirement(nameof(Update));
+
+    public static readonly SecurityTaskOperationRequirement ListAllForOrganization = new SecurityTaskOperationRequirement(nameof(ListAllForOrganization));
+}

src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOrganizationAuthorizationHandler.cs

@@ -0,0 +1,11 @@
+using Bit.Core.Context;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class SecurityTaskOrganizationAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, CurrentContextOrganization>
+{
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SecurityTaskOperationRequirement requirement,
+        CurrentContextOrganization resource) =>
+        throw new NotImplementedException();
+}

src/Core/Vault/Models/Data/OrganizationCipherPermission.cs

@@ -0,0 +1,16 @@
+namespace Bit.Core.Vault.Models.Data;
+
+/// <summary>
+/// Data model that represents a Users permissions for a given cipher
+/// that belongs to an organization.
+/// To be used internally for authorization.
+/// </summary>
+public class OrganizationCipherPermission
+{
+    public Guid Id { get; set; }
+    public Guid Organization { get; set; }
+    public bool Edit { get; set; }
+    public bool ViewPassword { get; set; }
+    public bool Manage { get; set; }
+    public bool Unassigned { get; set; }
+}

src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs

@@ -0,0 +1,102 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetCipherPermissionsForUserQuery : IGetCipherPermissionsForUserQuery
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly ICipherRepository _cipherRepository;
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IFeatureService  _featureService;
+
+    public GetCipherPermissionsForUserQuery(ICurrentContext currentContext, ICipherRepository cipherRepository, IApplicationCacheService applicationCacheService, IFeatureService featureService)
+    {
+        _currentContext = currentContext;
+        _cipherRepository = cipherRepository;
+        _applicationCacheService = applicationCacheService;
+        _featureService = featureService;
+    }
+
+    public async Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId)
+    {
+        var org = _currentContext.GetOrganization(organizationId);
+
+        if (org == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var cipherPermissions = (await _cipherRepository.GetCipherPermissionsForOrganizationAsync(organizationId)).ToList();
+
+        if (await CanEditAllCiphersAsync(org))
+        {
+            foreach (var cipher in cipherPermissions)
+            {
+                cipher.Edit = true;
+                cipher.Manage = true;
+                cipher.ViewPassword = true;
+            }
+        }
+
+        if (await CanAccessUnassignedCiphersAsync(org))
+        {
+            foreach (var unassignedCipher in cipherPermissions.Where(c => c.Unassigned))
+            {
+                unassignedCipher.Edit = true;
+                unassignedCipher.Manage = true;
+                unassignedCipher.ViewPassword = true;
+            }
+        }
+
+        return cipherPermissions.ToDictionary(c => c.Id);
+    }
+
+    private async Task<bool> CanEditAllCiphersAsync(CurrentContextOrganization org)
+    {
+        // Custom users with EditAnyCollection permissions can always edit all ciphers
+        if (org is { Type: OrganizationUserType.Custom, Permissions.EditAnyCollection: true })
+        {
+            return true;
+        }
+
+        var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);
+
+        // Owners/Admins can only edit all ciphers if the organization has the setting enabled
+        if (orgAbility is { AllowAdminAccessToAllCollectionItems: true } && org is
+                { Type: OrganizationUserType.Admin or OrganizationUserType.Owner })
+        {
+            return true;
+        }
+
+        // Provider users can edit all ciphers if RestrictProviderAccess is disabled
+        if (await _currentContext.ProviderUserForOrgAsync(org.Id))
+        {
+            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
+        }
+
+        return false;
+    }
+
+    private async Task<bool> CanAccessUnassignedCiphersAsync(CurrentContextOrganization org)
+    {
+        if (org is
+            { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+            { Permissions.EditAnyCollection: true })
+        {
+            return true;
+        }
+
+        // Provider users can only access all ciphers if RestrictProviderAccess is disabled
+        if (await _currentContext.ProviderUserForOrgAsync(org.Id))
+        {
+            return !_featureService.IsEnabled(FeatureFlagKeys.RestrictProviderAccess);
+        }
+
+        return false;
+    }
+}

src/Core/Vault/Queries/IGetCipherPermissionsForUserQuery.cs

@@ -0,0 +1,19 @@
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Core.Vault.Queries;
+
+public interface IGetCipherPermissionsForUserQuery
+{
+    /// <summary>
+    /// Retrieves the permissions of every organization cipher (including unassigned) for the
+    /// ICurrentContext's user.
+    ///
+    /// It considers the Collection Management setting for allowing Admin/Owners access to all ciphers.
+    /// </summary>
+    /// <remarks>
+    /// The primary use case of this query is internal cipher authorization logic.
+    /// </remarks>
+    /// <param name="organizationId"></param>
+    /// <returns>A dictionary of CipherIds and a corresponding OrganizationCipherPermission</returns>
+    public Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId);
+}

src/Core/Vault/Repositories/ICipherRepository.cs

@@ -38,6 +38,7 @@ public interface ICipherRepository : IRepository<Cipher, Guid>
     Task<DateTime> RestoreAsync(IEnumerable<Guid> ids, Guid userId);
     Task<DateTime> RestoreByIdsOrganizationIdAsync(IEnumerable<Guid> ids, Guid organizationId);
     Task DeleteDeletedAsync(DateTime deletedDateBefore);
+    Task<IEnumerable<OrganizationCipherPermission>> GetCipherPermissionsForOrganizationAsync(Guid organizationId);
 
     /// <summary>
     /// Updates encrypted data for ciphers during a key rotation

src/Sql/Vault/dbo/Stored Procedures/Cipher/CipherOrganizationPermissions_GetByOrganizationId.sql

@@ -0,0 +1,56 @@
+CREATE PROCEDURE [dbo].[CipherOrganizationPermissions_GetByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        C.[Id],
+        MAX(CASE
+            WHEN COALESCE(CU.[ReadOnly], CG.[ReadOnly], 1) = 0
+            THEN 1
+            ELSE 0
+        END) [Edit],
+        MAX(CASE
+            WHEN COALESCE(CU.[HidePasswords], CG.[HidePasswords], 1) = 0
+            THEN 1
+            ELSE 0
+        END) [ViewPassword],
+        MAX(COALESCE(CU.[Manage], CG.[Manage], 0)) [Manage],
+        CASE
+            WHEN COUNT(CC.[CollectionId]) > 0 THEN 0
+            ELSE 1
+        END [Unassigned]
+    FROM
+        [dbo].[CipherDetails](@UserId) C
+    INNER JOIN
+        [OrganizationUser] OU ON
+        C.[UserId] IS NULL
+        AND C.[OrganizationId] = @OrganizationId
+    INNER JOIN
+        [dbo].[Organization] O ON
+        O.[Id] = OU.[OrganizationId]
+        AND O.[Id] = C.[OrganizationId]
+        AND O.[Enabled] = 1
+    LEFT JOIN
+        [dbo].[CollectionCipher] CC ON
+        CC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[CollectionUser] CU ON
+        CU.[CollectionId] = CC.[CollectionId]
+        AND CU.[OrganizationUserId] = OU.[Id]
+    LEFT JOIN
+        [dbo].[GroupUser] GU ON
+        CU.[CollectionId] IS NULL
+        AND GU.[OrganizationUserId] = OU.[Id]
+    LEFT JOIN
+        [dbo].[Group] G ON
+        G.[Id] = GU.[GroupId]
+    LEFT JOIN
+        [dbo].[CollectionGroup] CG ON
+        CG.[CollectionId] = CC.[CollectionId]
+        AND CG.[GroupId] = GU.[GroupId]
+    GROUP BY
+        C.[Id]
+END