mirror of
https://github.com/bitwarden/server.git
synced 2024-11-29 13:25:17 +01:00
Improved handling of grantor access to organizations after takeover (refactored) (#1134)
* Revert "Only return policy in TakeoverResponse if Owner" This reverts commitb20e6f5e85
. * Revert "Return grantor policy info in TakeoverResponse" This reverts commit204217a5e0
. * Add endpoint to get grantor policies on takeover
This commit is contained in:
parent
d51b592cb5
commit
9f42357705
@ -5,6 +5,7 @@ using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Api;
|
||||
using Bit.Core.Models.Api.Request;
|
||||
using Bit.Core.Models.Api.Response;
|
||||
using Bit.Core.Models.Table;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
@ -61,6 +62,15 @@ namespace Bit.Api.Controllers
|
||||
return new EmergencyAccessGranteeDetailsResponseModel(result);
|
||||
}
|
||||
|
||||
[HttpGet("{id}/policies")]
|
||||
public async Task<ListResponseModel<PolicyResponseModel>> Policies(string id)
|
||||
{
|
||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||
var policies = await _emergencyAccessService.GetPoliciesAsync(new Guid(id), user);
|
||||
var responses = policies.Select<Policy, PolicyResponseModel>(policy => new PolicyResponseModel(policy));
|
||||
return new ListResponseModel<PolicyResponseModel>(responses);
|
||||
}
|
||||
|
||||
[HttpPut("{id}")]
|
||||
[HttpPost("{id}")]
|
||||
public async Task Put(string id, [FromBody]EmergencyAccessUpdateRequestModel model)
|
||||
@ -136,8 +146,8 @@ namespace Bit.Api.Controllers
|
||||
public async Task<EmergencyAccessTakeoverResponseModel> Takeover(string id)
|
||||
{
|
||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||
var (result, grantor, policy) = await _emergencyAccessService.TakeoverAsync(new Guid(id), user);
|
||||
return new EmergencyAccessTakeoverResponseModel(result, grantor, policy);
|
||||
var (result, grantor) = await _emergencyAccessService.TakeoverAsync(new Guid(id), user);
|
||||
return new EmergencyAccessTakeoverResponseModel(result, grantor);
|
||||
}
|
||||
|
||||
[HttpPost("{id}/password")]
|
||||
|
@ -84,7 +84,7 @@ namespace Bit.Core.Models.Api.Response
|
||||
|
||||
public class EmergencyAccessTakeoverResponseModel : ResponseModel
|
||||
{
|
||||
public EmergencyAccessTakeoverResponseModel(EmergencyAccess emergencyAccess, User grantor, ICollection<Policy> policy, string obj = "emergencyAccessTakeover") : base(obj)
|
||||
public EmergencyAccessTakeoverResponseModel(EmergencyAccess emergencyAccess, User grantor, string obj = "emergencyAccessTakeover") : base(obj)
|
||||
{
|
||||
if (emergencyAccess == null)
|
||||
{
|
||||
@ -94,13 +94,11 @@ namespace Bit.Core.Models.Api.Response
|
||||
KeyEncrypted = emergencyAccess.KeyEncrypted;
|
||||
Kdf = grantor.Kdf;
|
||||
KdfIterations = grantor.KdfIterations;
|
||||
Policy = policy?.Select<Policy, PolicyResponseModel>(policy => new PolicyResponseModel(policy));
|
||||
}
|
||||
|
||||
public int KdfIterations { get; private set; }
|
||||
public KdfType Kdf { get; private set; }
|
||||
public string KeyEncrypted { get; private set; }
|
||||
public IEnumerable<PolicyResponseModel> Policy { get; private set; }
|
||||
}
|
||||
|
||||
public class EmergencyAccessViewResponseModel : ResponseModel
|
||||
|
@ -20,7 +20,8 @@ namespace Bit.Core.Services
|
||||
Task InitiateAsync(Guid id, User initiatingUser);
|
||||
Task ApproveAsync(Guid id, User approvingUser);
|
||||
Task RejectAsync(Guid id, User rejectingUser);
|
||||
Task<(EmergencyAccess, User, ICollection<Policy>)> TakeoverAsync(Guid id, User initiatingUser);
|
||||
Task<ICollection<Policy>> GetPoliciesAsync(Guid id, User requestingUser);
|
||||
Task<(EmergencyAccess, User)> TakeoverAsync(Guid id, User initiatingUser);
|
||||
Task PasswordAsync(Guid id, User user, string newMasterPasswordHash, string key);
|
||||
Task SendNotificationsAsync();
|
||||
Task HandleTimedOutRequestsAsync();
|
||||
|
@ -239,7 +239,7 @@ namespace Bit.Core.Services
|
||||
await _mailService.SendEmergencyAccessRecoveryRejected(emergencyAccess, NameOrEmail(rejectingUser), grantee.Email);
|
||||
}
|
||||
|
||||
public async Task<(EmergencyAccess, User, ICollection<Policy>)> TakeoverAsync(Guid id, User requestingUser)
|
||||
public async Task<ICollection<Policy>> GetPoliciesAsync(Guid id, User requestingUser)
|
||||
{
|
||||
var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(id);
|
||||
|
||||
@ -253,9 +253,24 @@ namespace Bit.Core.Services
|
||||
|
||||
var grantorOrganizations = await _organizationUserRepository.GetManyByUserAsync(grantor.Id);
|
||||
var isOrganizationOwner = grantorOrganizations.Any<OrganizationUser>(organization => organization.Type == OrganizationUserType.Owner);
|
||||
var policy = isOrganizationOwner ? await _policyRepository.GetManyByUserIdAsync(grantor.Id) : null;
|
||||
var policies = isOrganizationOwner ? await _policyRepository.GetManyByUserIdAsync(grantor.Id) : null;
|
||||
|
||||
return (emergencyAccess, grantor, policy);
|
||||
return policies;
|
||||
}
|
||||
|
||||
public async Task<(EmergencyAccess, User)> TakeoverAsync(Guid id, User requestingUser)
|
||||
{
|
||||
var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(id);
|
||||
|
||||
if (emergencyAccess == null || emergencyAccess.GranteeId != requestingUser.Id ||
|
||||
emergencyAccess.Status != EmergencyAccessStatusType.RecoveryApproved)
|
||||
{
|
||||
throw new BadRequestException("Emergency Access not valid.");
|
||||
}
|
||||
|
||||
var grantor = await _userRepository.GetByIdAsync(emergencyAccess.GrantorId);
|
||||
|
||||
return (emergencyAccess, grantor);
|
||||
}
|
||||
|
||||
public async Task PasswordAsync(Guid id, User requestingUser, string newMasterPasswordHash, string key)
|
||||
|
Loading…
Reference in New Issue
Block a user