src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs

using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Services;
using Bit.Core.Vault.Models.Data;
using Bit.Core.Vault.Repositories;

namespace Bit.Core.Vault.Queries;

public class GetCipherPermissionsForUserQuery : IGetCipherPermissionsForUserQuery
{
    private readonly ICurrentContext _currentContext;
    private readonly ICipherRepository _cipherRepository;
    private readonly IApplicationCacheService _applicationCacheService;

    public GetCipherPermissionsForUserQuery(ICurrentContext currentContext, ICipherRepository cipherRepository, IApplicationCacheService applicationCacheService)
    {
        _currentContext = currentContext;
        _cipherRepository = cipherRepository;
        _applicationCacheService = applicationCacheService;
    }

    public async Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId)
    {
        var org = _currentContext.GetOrganization(organizationId);
        var userId = _currentContext.UserId;

        if (org == null || !userId.HasValue)
        {
            throw new NotFoundException();
        }

        var cipherPermissions =
            (await _cipherRepository.GetCipherPermissionsForOrganizationAsync(organizationId, userId.Value))
            .ToList()
            .ToDictionary(c => c.Id);

        if (await CanEditAllCiphersAsync(org))
        {
            foreach (var cipher in cipherPermissions)
            {
                cipher.Value.Read = true;
                cipher.Value.Edit = true;
                cipher.Value.Manage = true;
                cipher.Value.ViewPassword = true;
            }
        }
        else if (await CanAccessUnassignedCiphersAsync(org))
        {
            var unassignedCiphers = await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId);
            foreach (var unassignedCipher in unassignedCiphers)
            {
                if (cipherPermissions.TryGetValue(unassignedCipher.Id, out var p))
                {
                    p.Read = true;
                    p.Edit = true;
                    p.Manage = true;
                    p.ViewPassword = true;
                }
            }
        }

        return cipherPermissions;
    }

    private async Task<bool> CanEditAllCiphersAsync(CurrentContextOrganization org)
    {
        // Custom users with EditAnyCollection permissions can always edit all ciphers
        if (org is { Type: OrganizationUserType.Custom, Permissions.EditAnyCollection: true })
        {
            return true;
        }

        var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);

        // Owners/Admins can only edit all ciphers if the organization has the setting enabled
        if (orgAbility is { AllowAdminAccessToAllCollectionItems: true } && org is
            { Type: OrganizationUserType.Admin or OrganizationUserType.Owner })
        {
            return true;
        }

        return false;
    }

    private async Task<bool> CanAccessUnassignedCiphersAsync(CurrentContextOrganization org)
    {
        if (org is
        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
        { Permissions.EditAnyCollection: true })
        {
            return true;
        }

        return false;
    }
}
-												[PM-14378] SecurityTask Authorization Handler (#5039)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository

* [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework

* [PM-14378] Add integration tests for new repository method

* [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query

* [PM-14378] Introduce SecurityTaskOperationRequirement

* [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs

* [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs

* [PM-14378] Register new authorization handlers

* [PM-14378] Formatting

* [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery

* [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests

* [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler

* [PM-14378] Formatting

* [PM-14378] Update date in migration file

* [PM-14378] Add missing awaits

* [PM-14378] Bump migration script date

* [PM-14378] Remove Unassigned property from OrganizationCipherPermission as it was making the query too complicated

* [PM-14378] Update sproc to use Union All to improve query performance

* [PM-14378] Bump migration script date
											
										
										
											2025-01-09 12:14:24 -08:00
+								using Bit.Core.Context;
 								using Bit.Core.Enums;
 								using Bit.Core.Exceptions;
 								using Bit.Core.Services;
 								using Bit.Core.Vault.Models.Data;
 								using Bit.Core.Vault.Repositories;
 								namespace Bit.Core.Vault.Queries;
 								public class GetCipherPermissionsForUserQuery : IGetCipherPermissionsForUserQuery
 								{
 								    private readonly ICurrentContext _currentContext;
 								    private readonly ICipherRepository _cipherRepository;
 								    private readonly IApplicationCacheService _applicationCacheService;
 								    public GetCipherPermissionsForUserQuery(ICurrentContext currentContext, ICipherRepository cipherRepository, IApplicationCacheService applicationCacheService)
 								    {
 								        _currentContext = currentContext;
 								        _cipherRepository = cipherRepository;
 								        _applicationCacheService = applicationCacheService;
 								    }
 								    public async Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId)
 								    {
 								        var org = _currentContext.GetOrganization(organizationId);
 								        var userId = _currentContext.UserId;
 								        if (org == null || !userId.HasValue)
 								        {
 								            throw new NotFoundException();
 								        }
 								        var cipherPermissions =
 								            (await _cipherRepository.GetCipherPermissionsForOrganizationAsync(organizationId, userId.Value))
 								            .ToList()
 								            .ToDictionary(c => c.Id);
 								        if (await CanEditAllCiphersAsync(org))
 								        {
 								            foreach (var cipher in cipherPermissions)
 								            {
 								                cipher.Value.Read = true;
 								                cipher.Value.Edit = true;
 								                cipher.Value.Manage = true;
 								                cipher.Value.ViewPassword = true;
 								            }
 								        }
 								        else if (await CanAccessUnassignedCiphersAsync(org))
 								        {
 								            var unassignedCiphers = await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId);
 								            foreach (var unassignedCipher in unassignedCiphers)
 								            {
 								                if (cipherPermissions.TryGetValue(unassignedCipher.Id, out var p))
 								                {
 								                    p.Read = true;
 								                    p.Edit = true;
 								                    p.Manage = true;
 								                    p.ViewPassword = true;
 								                }
 								            }
 								        }
 								        return cipherPermissions;
 								    }
 								    private async Task<bool> CanEditAllCiphersAsync(CurrentContextOrganization org)
 								    {
 								        // Custom users with EditAnyCollection permissions can always edit all ciphers
 								        if (org is { Type: OrganizationUserType.Custom, Permissions.EditAnyCollection: true })
 								        {
 								            return true;
 								        }
 								        var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);
 								        // Owners/Admins can only edit all ciphers if the organization has the setting enabled
 								        if (orgAbility is { AllowAdminAccessToAllCollectionItems: true } && org is
 								            { Type: OrganizationUserType.Admin or OrganizationUserType.Owner })
 								        {
 								            return true;
 								        }
 								        return false;
 								    }
 								    private async Task<bool> CanAccessUnassignedCiphersAsync(CurrentContextOrganization org)
 								    {
 								        if (org is
 								        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
 								        { Permissions.EditAnyCollection: true })
 								        {
 								            return true;
 								        }
 								        return false;
 								    }
 								}