1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-26 12:55:17 +01:00

Improved handling of grantor access to organizations after takeover (refactored) (#1134)

* Revert "Only return policy in TakeoverResponse if Owner"

This reverts commit b20e6f5e85.

* Revert "Return grantor policy info in TakeoverResponse"

This reverts commit 204217a5e0.

* Add endpoint to get grantor policies on takeover
This commit is contained in:
Thomas Rittson 2021-02-10 09:06:42 +10:00 committed by GitHub
parent d51b592cb5
commit 9f42357705
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 34 additions and 10 deletions

View File

@ -5,6 +5,7 @@ using Bit.Core.Exceptions;
using Bit.Core.Models.Api;
using Bit.Core.Models.Api.Request;
using Bit.Core.Models.Api.Response;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Microsoft.AspNetCore.Authorization;
@ -60,7 +61,16 @@ namespace Bit.Api.Controllers
var result = await _emergencyAccessService.GetAsync(new Guid(id), userId.Value);
return new EmergencyAccessGranteeDetailsResponseModel(result);
}
[HttpGet("{id}/policies")]
public async Task<ListResponseModel<PolicyResponseModel>> Policies(string id)
{
var user = await _userService.GetUserByPrincipalAsync(User);
var policies = await _emergencyAccessService.GetPoliciesAsync(new Guid(id), user);
var responses = policies.Select<Policy, PolicyResponseModel>(policy => new PolicyResponseModel(policy));
return new ListResponseModel<PolicyResponseModel>(responses);
}
[HttpPut("{id}")]
[HttpPost("{id}")]
public async Task Put(string id, [FromBody]EmergencyAccessUpdateRequestModel model)
@ -136,8 +146,8 @@ namespace Bit.Api.Controllers
public async Task<EmergencyAccessTakeoverResponseModel> Takeover(string id)
{
var user = await _userService.GetUserByPrincipalAsync(User);
var (result, grantor, policy) = await _emergencyAccessService.TakeoverAsync(new Guid(id), user);
return new EmergencyAccessTakeoverResponseModel(result, grantor, policy);
var (result, grantor) = await _emergencyAccessService.TakeoverAsync(new Guid(id), user);
return new EmergencyAccessTakeoverResponseModel(result, grantor);
}
[HttpPost("{id}/password")]

View File

@ -84,7 +84,7 @@ namespace Bit.Core.Models.Api.Response
public class EmergencyAccessTakeoverResponseModel : ResponseModel
{
public EmergencyAccessTakeoverResponseModel(EmergencyAccess emergencyAccess, User grantor, ICollection<Policy> policy, string obj = "emergencyAccessTakeover") : base(obj)
public EmergencyAccessTakeoverResponseModel(EmergencyAccess emergencyAccess, User grantor, string obj = "emergencyAccessTakeover") : base(obj)
{
if (emergencyAccess == null)
{
@ -94,13 +94,11 @@ namespace Bit.Core.Models.Api.Response
KeyEncrypted = emergencyAccess.KeyEncrypted;
Kdf = grantor.Kdf;
KdfIterations = grantor.KdfIterations;
Policy = policy?.Select<Policy, PolicyResponseModel>(policy => new PolicyResponseModel(policy));
}
public int KdfIterations { get; private set; }
public KdfType Kdf { get; private set; }
public string KeyEncrypted { get; private set; }
public IEnumerable<PolicyResponseModel> Policy { get; private set; }
}
public class EmergencyAccessViewResponseModel : ResponseModel

View File

@ -20,7 +20,8 @@ namespace Bit.Core.Services
Task InitiateAsync(Guid id, User initiatingUser);
Task ApproveAsync(Guid id, User approvingUser);
Task RejectAsync(Guid id, User rejectingUser);
Task<(EmergencyAccess, User, ICollection<Policy>)> TakeoverAsync(Guid id, User initiatingUser);
Task<ICollection<Policy>> GetPoliciesAsync(Guid id, User requestingUser);
Task<(EmergencyAccess, User)> TakeoverAsync(Guid id, User initiatingUser);
Task PasswordAsync(Guid id, User user, string newMasterPasswordHash, string key);
Task SendNotificationsAsync();
Task HandleTimedOutRequestsAsync();

View File

@ -239,7 +239,7 @@ namespace Bit.Core.Services
await _mailService.SendEmergencyAccessRecoveryRejected(emergencyAccess, NameOrEmail(rejectingUser), grantee.Email);
}
public async Task<(EmergencyAccess, User, ICollection<Policy>)> TakeoverAsync(Guid id, User requestingUser)
public async Task<ICollection<Policy>> GetPoliciesAsync(Guid id, User requestingUser)
{
var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(id);
@ -253,9 +253,24 @@ namespace Bit.Core.Services
var grantorOrganizations = await _organizationUserRepository.GetManyByUserAsync(grantor.Id);
var isOrganizationOwner = grantorOrganizations.Any<OrganizationUser>(organization => organization.Type == OrganizationUserType.Owner);
var policy = isOrganizationOwner ? await _policyRepository.GetManyByUserIdAsync(grantor.Id) : null;
var policies = isOrganizationOwner ? await _policyRepository.GetManyByUserIdAsync(grantor.Id) : null;
return (emergencyAccess, grantor, policy);
return policies;
}
public async Task<(EmergencyAccess, User)> TakeoverAsync(Guid id, User requestingUser)
{
var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(id);
if (emergencyAccess == null || emergencyAccess.GranteeId != requestingUser.Id ||
emergencyAccess.Status != EmergencyAccessStatusType.RecoveryApproved)
{
throw new BadRequestException("Emergency Access not valid.");
}
var grantor = await _userRepository.GetByIdAsync(emergencyAccess.GrantorId);
return (emergencyAccess, grantor);
}
public async Task PasswordAsync(Guid id, User requestingUser, string newMasterPasswordHash, string key)