mirror of
https://github.com/bitwarden/server.git
synced 2024-11-29 13:25:17 +01:00
Improved handling of grantor access to organizations after takeover (refactored) (#1134)
* Revert "Only return policy in TakeoverResponse if Owner" This reverts commitb20e6f5e85
. * Revert "Return grantor policy info in TakeoverResponse" This reverts commit204217a5e0
. * Add endpoint to get grantor policies on takeover
This commit is contained in:
parent
d51b592cb5
commit
9f42357705
@ -5,6 +5,7 @@ using Bit.Core.Exceptions;
|
|||||||
using Bit.Core.Models.Api;
|
using Bit.Core.Models.Api;
|
||||||
using Bit.Core.Models.Api.Request;
|
using Bit.Core.Models.Api.Request;
|
||||||
using Bit.Core.Models.Api.Response;
|
using Bit.Core.Models.Api.Response;
|
||||||
|
using Bit.Core.Models.Table;
|
||||||
using Bit.Core.Repositories;
|
using Bit.Core.Repositories;
|
||||||
using Bit.Core.Services;
|
using Bit.Core.Services;
|
||||||
using Microsoft.AspNetCore.Authorization;
|
using Microsoft.AspNetCore.Authorization;
|
||||||
@ -60,7 +61,16 @@ namespace Bit.Api.Controllers
|
|||||||
var result = await _emergencyAccessService.GetAsync(new Guid(id), userId.Value);
|
var result = await _emergencyAccessService.GetAsync(new Guid(id), userId.Value);
|
||||||
return new EmergencyAccessGranteeDetailsResponseModel(result);
|
return new EmergencyAccessGranteeDetailsResponseModel(result);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[HttpGet("{id}/policies")]
|
||||||
|
public async Task<ListResponseModel<PolicyResponseModel>> Policies(string id)
|
||||||
|
{
|
||||||
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
var policies = await _emergencyAccessService.GetPoliciesAsync(new Guid(id), user);
|
||||||
|
var responses = policies.Select<Policy, PolicyResponseModel>(policy => new PolicyResponseModel(policy));
|
||||||
|
return new ListResponseModel<PolicyResponseModel>(responses);
|
||||||
|
}
|
||||||
|
|
||||||
[HttpPut("{id}")]
|
[HttpPut("{id}")]
|
||||||
[HttpPost("{id}")]
|
[HttpPost("{id}")]
|
||||||
public async Task Put(string id, [FromBody]EmergencyAccessUpdateRequestModel model)
|
public async Task Put(string id, [FromBody]EmergencyAccessUpdateRequestModel model)
|
||||||
@ -136,8 +146,8 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<EmergencyAccessTakeoverResponseModel> Takeover(string id)
|
public async Task<EmergencyAccessTakeoverResponseModel> Takeover(string id)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
var (result, grantor, policy) = await _emergencyAccessService.TakeoverAsync(new Guid(id), user);
|
var (result, grantor) = await _emergencyAccessService.TakeoverAsync(new Guid(id), user);
|
||||||
return new EmergencyAccessTakeoverResponseModel(result, grantor, policy);
|
return new EmergencyAccessTakeoverResponseModel(result, grantor);
|
||||||
}
|
}
|
||||||
|
|
||||||
[HttpPost("{id}/password")]
|
[HttpPost("{id}/password")]
|
||||||
|
@ -84,7 +84,7 @@ namespace Bit.Core.Models.Api.Response
|
|||||||
|
|
||||||
public class EmergencyAccessTakeoverResponseModel : ResponseModel
|
public class EmergencyAccessTakeoverResponseModel : ResponseModel
|
||||||
{
|
{
|
||||||
public EmergencyAccessTakeoverResponseModel(EmergencyAccess emergencyAccess, User grantor, ICollection<Policy> policy, string obj = "emergencyAccessTakeover") : base(obj)
|
public EmergencyAccessTakeoverResponseModel(EmergencyAccess emergencyAccess, User grantor, string obj = "emergencyAccessTakeover") : base(obj)
|
||||||
{
|
{
|
||||||
if (emergencyAccess == null)
|
if (emergencyAccess == null)
|
||||||
{
|
{
|
||||||
@ -94,13 +94,11 @@ namespace Bit.Core.Models.Api.Response
|
|||||||
KeyEncrypted = emergencyAccess.KeyEncrypted;
|
KeyEncrypted = emergencyAccess.KeyEncrypted;
|
||||||
Kdf = grantor.Kdf;
|
Kdf = grantor.Kdf;
|
||||||
KdfIterations = grantor.KdfIterations;
|
KdfIterations = grantor.KdfIterations;
|
||||||
Policy = policy?.Select<Policy, PolicyResponseModel>(policy => new PolicyResponseModel(policy));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public int KdfIterations { get; private set; }
|
public int KdfIterations { get; private set; }
|
||||||
public KdfType Kdf { get; private set; }
|
public KdfType Kdf { get; private set; }
|
||||||
public string KeyEncrypted { get; private set; }
|
public string KeyEncrypted { get; private set; }
|
||||||
public IEnumerable<PolicyResponseModel> Policy { get; private set; }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public class EmergencyAccessViewResponseModel : ResponseModel
|
public class EmergencyAccessViewResponseModel : ResponseModel
|
||||||
|
@ -20,7 +20,8 @@ namespace Bit.Core.Services
|
|||||||
Task InitiateAsync(Guid id, User initiatingUser);
|
Task InitiateAsync(Guid id, User initiatingUser);
|
||||||
Task ApproveAsync(Guid id, User approvingUser);
|
Task ApproveAsync(Guid id, User approvingUser);
|
||||||
Task RejectAsync(Guid id, User rejectingUser);
|
Task RejectAsync(Guid id, User rejectingUser);
|
||||||
Task<(EmergencyAccess, User, ICollection<Policy>)> TakeoverAsync(Guid id, User initiatingUser);
|
Task<ICollection<Policy>> GetPoliciesAsync(Guid id, User requestingUser);
|
||||||
|
Task<(EmergencyAccess, User)> TakeoverAsync(Guid id, User initiatingUser);
|
||||||
Task PasswordAsync(Guid id, User user, string newMasterPasswordHash, string key);
|
Task PasswordAsync(Guid id, User user, string newMasterPasswordHash, string key);
|
||||||
Task SendNotificationsAsync();
|
Task SendNotificationsAsync();
|
||||||
Task HandleTimedOutRequestsAsync();
|
Task HandleTimedOutRequestsAsync();
|
||||||
|
@ -239,7 +239,7 @@ namespace Bit.Core.Services
|
|||||||
await _mailService.SendEmergencyAccessRecoveryRejected(emergencyAccess, NameOrEmail(rejectingUser), grantee.Email);
|
await _mailService.SendEmergencyAccessRecoveryRejected(emergencyAccess, NameOrEmail(rejectingUser), grantee.Email);
|
||||||
}
|
}
|
||||||
|
|
||||||
public async Task<(EmergencyAccess, User, ICollection<Policy>)> TakeoverAsync(Guid id, User requestingUser)
|
public async Task<ICollection<Policy>> GetPoliciesAsync(Guid id, User requestingUser)
|
||||||
{
|
{
|
||||||
var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(id);
|
var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(id);
|
||||||
|
|
||||||
@ -253,9 +253,24 @@ namespace Bit.Core.Services
|
|||||||
|
|
||||||
var grantorOrganizations = await _organizationUserRepository.GetManyByUserAsync(grantor.Id);
|
var grantorOrganizations = await _organizationUserRepository.GetManyByUserAsync(grantor.Id);
|
||||||
var isOrganizationOwner = grantorOrganizations.Any<OrganizationUser>(organization => organization.Type == OrganizationUserType.Owner);
|
var isOrganizationOwner = grantorOrganizations.Any<OrganizationUser>(organization => organization.Type == OrganizationUserType.Owner);
|
||||||
var policy = isOrganizationOwner ? await _policyRepository.GetManyByUserIdAsync(grantor.Id) : null;
|
var policies = isOrganizationOwner ? await _policyRepository.GetManyByUserIdAsync(grantor.Id) : null;
|
||||||
|
|
||||||
return (emergencyAccess, grantor, policy);
|
return policies;
|
||||||
|
}
|
||||||
|
|
||||||
|
public async Task<(EmergencyAccess, User)> TakeoverAsync(Guid id, User requestingUser)
|
||||||
|
{
|
||||||
|
var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(id);
|
||||||
|
|
||||||
|
if (emergencyAccess == null || emergencyAccess.GranteeId != requestingUser.Id ||
|
||||||
|
emergencyAccess.Status != EmergencyAccessStatusType.RecoveryApproved)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Emergency Access not valid.");
|
||||||
|
}
|
||||||
|
|
||||||
|
var grantor = await _userRepository.GetByIdAsync(emergencyAccess.GrantorId);
|
||||||
|
|
||||||
|
return (emergencyAccess, grantor);
|
||||||
}
|
}
|
||||||
|
|
||||||
public async Task PasswordAsync(Guid id, User requestingUser, string newMasterPasswordHash, string key)
|
public async Task PasswordAsync(Guid id, User requestingUser, string newMasterPasswordHash, string key)
|
||||||
|
Loading…
Reference in New Issue
Block a user