[PM-14378] SecurityTask Authorization Handler (#5039)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository * [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework * [PM-14378] Add integration tests for new repository method * [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query * [PM-14378] Introduce SecurityTaskOperationRequirement * [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs * [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs * [PM-14378] Register new authorization handlers * [PM-14378] Formatting * [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery * [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests * [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler * [PM-14378] Formatting * [PM-14378] Update date in migration file * [PM-14378] Add missing awaits * [PM-14378] Bump migration script date * [PM-14378] Remove Unassigned property from OrganizationCipherPermission as it was making the query too complicated * [PM-14378] Update sproc to use Union All to improve query performance * [PM-14378] Bump migration script date
2026-02-06 09:03:21 +08:00 · 2025-01-09 12:14:24 -08:00
parent fd195e7cf3
commit a99f82dddd
18 changed files with 1669 additions and 0 deletions
--- a/src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs
+++ b/src/Core/Vault/Queries/GetCipherPermissionsForUserQuery.cs
@@ -0,0 +1,97 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetCipherPermissionsForUserQuery : IGetCipherPermissionsForUserQuery
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly ICipherRepository _cipherRepository;
+    private readonly IApplicationCacheService _applicationCacheService;
+
+    public GetCipherPermissionsForUserQuery(ICurrentContext currentContext, ICipherRepository cipherRepository, IApplicationCacheService applicationCacheService)
+    {
+        _currentContext = currentContext;
+        _cipherRepository = cipherRepository;
+        _applicationCacheService = applicationCacheService;
+    }
+
+    public async Task<IDictionary<Guid, OrganizationCipherPermission>> GetByOrganization(Guid organizationId)
+    {
+        var org = _currentContext.GetOrganization(organizationId);
+        var userId = _currentContext.UserId;
+
+        if (org == null || !userId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        var cipherPermissions =
+            (await _cipherRepository.GetCipherPermissionsForOrganizationAsync(organizationId, userId.Value))
+            .ToList()
+            .ToDictionary(c => c.Id);
+
+        if (await CanEditAllCiphersAsync(org))
+        {
+            foreach (var cipher in cipherPermissions)
+            {
+                cipher.Value.Read = true;
+                cipher.Value.Edit = true;
+                cipher.Value.Manage = true;
+                cipher.Value.ViewPassword = true;
+            }
+        }
+        else if (await CanAccessUnassignedCiphersAsync(org))
+        {
+            var unassignedCiphers = await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId);
+            foreach (var unassignedCipher in unassignedCiphers)
+            {
+                if (cipherPermissions.TryGetValue(unassignedCipher.Id, out var p))
+                {
+                    p.Read = true;
+                    p.Edit = true;
+                    p.Manage = true;
+                    p.ViewPassword = true;
+                }
+            }
+        }
+
+        return cipherPermissions;
+    }
+
+    private async Task<bool> CanEditAllCiphersAsync(CurrentContextOrganization org)
+    {
+        // Custom users with EditAnyCollection permissions can always edit all ciphers
+        if (org is { Type: OrganizationUserType.Custom, Permissions.EditAnyCollection: true })
+        {
+            return true;
+        }
+
+        var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(org.Id);
+
+        // Owners/Admins can only edit all ciphers if the organization has the setting enabled
+        if (orgAbility is { AllowAdminAccessToAllCollectionItems: true } && org is
+            { Type: OrganizationUserType.Admin or OrganizationUserType.Owner })
+        {
+            return true;
+        }
+
+        return false;
+    }
+
+    private async Task<bool> CanAccessUnassignedCiphersAsync(CurrentContextOrganization org)
+    {
+        if (org is
+        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+        { Permissions.EditAnyCollection: true })
+        {
+            return true;
+        }
+
+        return false;
+    }
+}