[AC-1387] Resource-based authentication for Groups

src/Api/Controllers/GroupsController.cs

@@ -2,6 +2,7 @@
 using Bit.Api.Models.Response;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.AuthorizationHandlers;
 using Bit.Core.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -21,6 +22,7 @@ public class GroupsController : Controller
     private readonly ICurrentContext _currentContext;
     private readonly ICreateGroupCommand _createGroupCommand;
     private readonly IUpdateGroupCommand _updateGroupCommand;
+    private readonly IAuthorizationService _authorizationService;
 
     public GroupsController(
         IGroupRepository groupRepository,
@@ -29,7 +31,8 @@ public GroupsController(
         ICurrentContext currentContext,
         ICreateGroupCommand createGroupCommand,
         IUpdateGroupCommand updateGroupCommand,
-        IDeleteGroupCommand deleteGroupCommand)
+        IDeleteGroupCommand deleteGroupCommand,
+        IAuthorizationService authorizationService)
     {
         _groupRepository = groupRepository;
         _groupService = groupService;
@@ -38,13 +41,20 @@ public GroupsController(
         _createGroupCommand = createGroupCommand;
         _updateGroupCommand = updateGroupCommand;
         _deleteGroupCommand = deleteGroupCommand;
+        _authorizationService = authorizationService;
     }
 
     [HttpGet("{id}")]
     public async Task<GroupResponseModel> Get(string orgId, string id)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
-        if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
+        if (group == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, group, GroupOperations.Read);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
@@ -56,7 +66,14 @@ public async Task<GroupResponseModel> Get(string orgId, string id)
     public async Task<GroupDetailsResponseModel> GetDetails(string orgId, string id)
     {
         var groupDetails = await _groupRepository.GetByIdWithCollectionsAsync(new Guid(id));
-        if (groupDetails?.Item1 == null || !await _currentContext.ManageGroups(groupDetails.Item1.OrganizationId))
+        if (groupDetails?.Item1 == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, groupDetails.Item1, GroupOperations.Read);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
@@ -67,17 +84,16 @@ public async Task<GroupDetailsResponseModel> GetDetails(string orgId, string id)
     [HttpGet("")]
     public async Task<ListResponseModel<GroupDetailsResponseModel>> Get(string orgId)
     {
-        var orgIdGuid = new Guid(orgId);
-        var canAccess = await _currentContext.ManageGroups(orgIdGuid) ||
-            await _currentContext.ViewAssignedCollections(orgIdGuid) ||
-            await _currentContext.ViewAllCollections(orgIdGuid) ||
-            await _currentContext.ManageUsers(orgIdGuid);
+        var org = _currentContext.GetOrganization(orgId);
 
-        if (!canAccess)
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, org, OrganizationOperations.ReadAllGroups);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
 
+        var orgIdGuid = new Guid(orgId);
         var groups = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgIdGuid);
         var responses = groups.Select(g => new GroupDetailsResponseModel(g.Item1, g.Item2));
         return new ListResponseModel<GroupDetailsResponseModel>(responses);
@@ -88,7 +104,14 @@ public async Task<IEnumerable<Guid>> GetUsers(string orgId, string id)
     {
         var idGuid = new Guid(id);
         var group = await _groupRepository.GetByIdAsync(idGuid);
-        if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
+        if (group == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, group, GroupOperations.Read);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
@@ -101,13 +124,16 @@ public async Task<IEnumerable<Guid>> GetUsers(string orgId, string id)
     public async Task<GroupResponseModel> Post(string orgId, [FromBody] GroupRequestModel model)
     {
         var orgIdGuid = new Guid(orgId);
-        if (!await _currentContext.ManageGroups(orgIdGuid))
+        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+        var group = model.ToGroup(orgIdGuid);
+
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, group, GroupOperations.Create);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
 
-        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
-        var group = model.ToGroup(orgIdGuid);
         await _createGroupCommand.CreateGroupAsync(group, organization, model.Collections?.Select(c => c.ToSelectionReadOnly()), model.Users);
 
         return new GroupResponseModel(group);
@@ -118,7 +144,14 @@ public async Task<GroupResponseModel> Post(string orgId, [FromBody] GroupRequest
     public async Task<GroupResponseModel> Put(string orgId, string id, [FromBody] GroupRequestModel model)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
-        if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
+        if (group == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, group, GroupOperations.Update);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
@@ -134,10 +167,18 @@ public async Task<GroupResponseModel> Put(string orgId, string id, [FromBody] Gr
     public async Task PutUsers(string orgId, string id, [FromBody] IEnumerable<Guid> model)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
-        if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
+        if (group == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, group, GroupOperations.AddUser);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
+
         await _groupRepository.UpdateUsersAsync(group.Id, model);
     }
 
@@ -146,7 +187,14 @@ public async Task PutUsers(string orgId, string id, [FromBody] IEnumerable<Guid>
     public async Task Delete(string orgId, string id)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
-        if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
+        if (group == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, group, GroupOperations.Delete);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }
@@ -162,7 +210,8 @@ public async Task BulkDelete([FromBody] GroupBulkRequestModel model)
 
         foreach (var group in groups)
         {
-            if (!await _currentContext.ManageGroups(group.OrganizationId))
+            var authorizationResult = await _authorizationService.AuthorizeAsync(User, group, GroupOperations.Delete);
+            if (!authorizationResult.Succeeded)
             {
                 throw new NotFoundException();
             }
@@ -176,7 +225,13 @@ public async Task BulkDelete([FromBody] GroupBulkRequestModel model)
     public async Task Delete(string orgId, string id, string orgUserId)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
-        if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
+        if (group == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, group, GroupOperations.DeleteUser);
+        if (!authorizationResult.Succeeded)
         {
             throw new NotFoundException();
         }

src/Core/Context/CurrentContext.cs

@@ -529,4 +529,15 @@ protected async Task<IEnumerable<ProviderUserOrganizationDetails>> GetProviderOr
 
         return _providerUserOrganizations;
     }
+
+    public CurrentContentOrganization? GetOrganization(string orgId)
+    {
+        var guid = new Guid(orgId);
+        return GetOrganization(guid);
+    }
+
+    public CurrentContentOrganization? GetOrganization(Guid orgId)
+    {
+        return Organizations.Find(o => o.Id == orgId);
+    }
 }

src/Core/Context/ICurrentContext.cs

@@ -69,4 +69,6 @@ Task<ICollection<CurrentContentProvider>> ProviderMembershipAsync(
 
     Task<Guid?> ProviderIdForOrg(Guid orgId);
     bool AccessSecretsManager(Guid organizationId);
+    public CurrentContentOrganization? GetOrganization(string orgId);
+    public CurrentContentOrganization? GetOrganization(Guid orgId);
 }

src/Core/OrganizationFeatures/AuthorizationHandlers/GroupAuthHandler.cs

@@ -0,0 +1,33 @@
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.OrganizationFeatures.AuthorizationHandlers;
+
+class GroupAuthHandler : AuthorizationHandler<GroupOperationRequirement, Group>
+{
+    private readonly ICurrentContext _currentContext;
+
+    public GroupAuthHandler(ICurrentContext currentContext)
+    {
+        _currentContext = currentContext;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        GroupOperationRequirement requirement,
+        Group resource)
+    {
+        // Currently all GroupOperationRequirements have the same permission requirements
+        // TODO: providers need to be included in the claims
+        var org = _currentContext.GetOrganization(resource.OrganizationId);
+        var canAccess = org.Type == OrganizationUserType.Owner ||
+                        org.Type == OrganizationUserType.Admin ||
+                        (org.Permissions?.ManageGroups ?? false);
+
+        if (canAccess)
+        {
+            context.Succeed(requirement);
+        }
+    }
+}

src/Core/OrganizationFeatures/AuthorizationHandlers/GroupOperations.cs

@@ -0,0 +1,18 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.OrganizationFeatures.AuthorizationHandlers;
+
+public class GroupOperationRequirement : OperationAuthorizationRequirement { }
+
+public static class GroupOperations
+{
+    // Operations on the Group object itself
+    public static readonly GroupOperationRequirement Create = new() { Name = "Create" };
+    public static readonly GroupOperationRequirement Read = new() { Name = "Read" };
+    public static readonly GroupOperationRequirement Update = new() { Name = "Update" };
+    public static readonly GroupOperationRequirement Delete = new() { Name = "Delete" };
+
+    // Operations on Group-User associations 
+    public static readonly GroupOperationRequirement AddUser = new() { Name = "AddUser" };
+    public static readonly GroupOperationRequirement DeleteUser = new() { Name = "DeleteUser" };
+}

src/Core/OrganizationFeatures/AuthorizationHandlers/OrganizationAuthHandler.cs

@@ -0,0 +1,41 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.OrganizationFeatures.AuthorizationHandlers;
+
+class OrganizationAuthHandler : AuthorizationHandler<OrganizationOperationRequirement, CurrentContentOrganization>
+{
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        OrganizationOperationRequirement requirement,
+        CurrentContentOrganization resource)
+    {
+        if (requirement == OrganizationOperations.ReadAllGroups)
+        {
+            await ReadAllGroupsAsync(context, requirement, resource);
+            return;
+        }
+    }
+
+    private async Task ReadAllGroupsAsync(AuthorizationHandlerContext context,
+        OrganizationOperationRequirement requirement,
+        CurrentContentOrganization resource)
+    {
+        // TODO: providers need to be included in the claims
+
+        var canAccess = resource.Type == OrganizationUserType.Owner ||
+            resource.Type == OrganizationUserType.Admin ||
+            resource.Type == OrganizationUserType.Manager ||
+            (resource.Permissions?.ManageGroups ?? false) ||
+            (resource.Permissions?.EditAssignedCollections ?? false) ||
+            (resource.Permissions?.DeleteAssignedCollections ?? false) ||
+            (resource.Permissions?.CreateNewCollections ?? false) ||
+            (resource.Permissions?.EditAnyCollection ?? false) ||
+            (resource.Permissions?.DeleteAnyCollection ?? false);
+
+        if (canAccess)
+        {
+            context.Succeed(requirement);
+        }
+    }
+}

src/Core/OrganizationFeatures/AuthorizationHandlers/OrganizationOperations.cs

@@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.OrganizationFeatures.AuthorizationHandlers;
+
+public class OrganizationOperationRequirement : OperationAuthorizationRequirement { }
+
+public static class OrganizationOperations
+{
+    public static readonly OrganizationOperationRequirement ReadAllGroups = new() { Name = "ReadAllGroups" };
+}

src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Models.Business.Tokenables;
+using Bit.Core.OrganizationFeatures.AuthorizationHandlers;
 using Bit.Core.OrganizationFeatures.Groups;
 using Bit.Core.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.OrganizationFeatures.OrganizationApiKeys;
@@ -18,6 +19,7 @@
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tokens;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@@ -30,6 +32,7 @@ public static void AddOrganizationServices(this IServiceCollection services, IGl
     {
         services.AddScoped<IOrganizationService, OrganizationService>();
         services.AddTokenizers();
+        services.AddAuthorizationHandlers();
         services.AddOrganizationGroupCommands();
         services.AddOrganizationConnectionCommands();
         services.AddOrganizationSponsorshipCommands(globalSettings);
@@ -117,4 +120,10 @@ private static void AddTokenizers(this IServiceCollection services)
                 serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable>>>())
         );
     }
+
+    private static void AddAuthorizationHandlers(this IServiceCollection services)
+    {
+        services.AddScoped<IAuthorizationHandler, OrganizationAuthHandler>();
+        services.AddScoped<IAuthorizationHandler, GroupAuthHandler>();
+    }
 }