[AC-1387] Resource-based authentication for Groups

bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs

@@ -1,7 +1,7 @@
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Scim.Groups.Interfaces;
 using Bit.Scim.Models;
 using Bit.Scim.Utilities;
@@ -18,7 +18,7 @@ public class GroupsController : Controller
     private readonly IGroupRepository _groupRepository;
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IGetGroupsListQuery _getGroupsListQuery;
-    private readonly IDeleteGroupCommand _deleteGroupCommand;
+    private readonly IEventService _eventService;
     private readonly IPatchGroupCommand _patchGroupCommand;
     private readonly IPostGroupCommand _postGroupCommand;
     private readonly IPutGroupCommand _putGroupCommand;
@@ -28,7 +28,7 @@ public GroupsController(
         IGroupRepository groupRepository,
         IOrganizationRepository organizationRepository,
         IGetGroupsListQuery getGroupsListQuery,
-        IDeleteGroupCommand deleteGroupCommand,
+        IEventService eventService,
         IPatchGroupCommand patchGroupCommand,
         IPostGroupCommand postGroupCommand,
         IPutGroupCommand putGroupCommand,
@@ -37,7 +37,7 @@ public GroupsController(
         _groupRepository = groupRepository;
         _organizationRepository = organizationRepository;
         _getGroupsListQuery = getGroupsListQuery;
-        _deleteGroupCommand = deleteGroupCommand;
+        _eventService = eventService;
         _patchGroupCommand = patchGroupCommand;
         _postGroupCommand = postGroupCommand;
         _putGroupCommand = putGroupCommand;
@@ -103,7 +103,14 @@ public async Task<IActionResult> Patch(Guid organizationId, Guid id, [FromBody]
     [HttpDelete("{id}")]
     public async Task<IActionResult> Delete(Guid organizationId, Guid id)
     {
-        await _deleteGroupCommand.DeleteGroupAsync(organizationId, id, EventSystemUser.SCIM);
+        var group = await _groupRepository.GetByIdAsync(id);
+        if (group == null || group.OrganizationId != organizationId)
+        {
+            throw new NotFoundException("Group not found.");
+        }
+
+        await _groupRepository.DeleteAsync(group);
+        await _eventService.LogGroupEventAsync(group, EventType.Group_Deleted, EventSystemUser.SCIM);
         return new NoContentResult();
     }
 }

bitwarden_license/src/Scim/Groups/PatchGroupCommand.cs

@@ -13,20 +13,23 @@ namespace Bit.Scim.Groups;
 public class PatchGroupCommand : IPatchGroupCommand
 {
     private readonly IGroupRepository _groupRepository;
-    private readonly IGroupService _groupService;
     private readonly IUpdateGroupCommand _updateGroupCommand;
     private readonly ILogger<PatchGroupCommand> _logger;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IEventService _eventService;
 
     public PatchGroupCommand(
         IGroupRepository groupRepository,
-        IGroupService groupService,
         IUpdateGroupCommand updateGroupCommand,
-        ILogger<PatchGroupCommand> logger)
+        ILogger<PatchGroupCommand> logger,
+        IOrganizationUserRepository organizationUserRepository,
+        IEventService eventService)
     {
         _groupRepository = groupRepository;
-        _groupService = groupService;
         _updateGroupCommand = updateGroupCommand;
         _logger = logger;
+        _organizationUserRepository = organizationUserRepository;
+        _eventService = eventService;
     }
 
     public async Task PatchGroupAsync(Organization organization, Guid id, ScimPatchModel model)
@@ -97,10 +100,20 @@ public async Task PatchGroupAsync(Organization organization, Guid id, ScimPatchM
                 !string.IsNullOrWhiteSpace(operation.Path) &&
                 operation.Path.ToLowerInvariant().StartsWith("members[value eq "))
             {
-                var removeId = GetOperationPathId(operation.Path);
-                if (removeId.HasValue)
+                var organizationUserId = GetOperationPathId(operation.Path);
+                if (organizationUserId.HasValue)
                 {
-                    await _groupService.DeleteUserAsync(group, removeId.Value, EventSystemUser.SCIM);
+                    var groupUser = await _groupRepository.GetGroupUserByGroupIdOrganizationUserId(group.Id, organizationUserId.Value);
+                    if (groupUser == null)
+                    {
+                        throw new NotFoundException();
+                    }
+
+                    var orgUser = await _organizationUserRepository.GetByIdAsync(groupUser.OrganizationUserId);
+                    await _groupRepository.DeleteUserAsync(groupUser.GroupId, groupUser.OrganizationUserId);
+                    await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_UpdatedGroups,
+                        EventSystemUser.SCIM);
+
                     operationHandled = true;
                 }
             }

bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs

@@ -173,30 +173,45 @@ public async Task PatchGroup_AddListMembers_Success(SutProvider<PatchGroupComman
 
     [Theory]
     [BitAutoData]
-    public async Task PatchGroup_RemoveSingleMember_Success(SutProvider<PatchGroupCommand> sutProvider, Organization organization, Group group, Guid userId)
+    public async Task PatchGroup_RemoveSingleMember_Success(SutProvider<PatchGroupCommand> sutProvider,
+        Organization organization, Group group, OrganizationUser organizationUser)
     {
         group.OrganizationId = organization.Id;
 
         sutProvider.GetDependency<IGroupRepository>()
             .GetByIdAsync(group.Id)
             .Returns(group);
 
+        sutProvider.GetDependency<IGroupRepository>()
+            .GetGroupUserByGroupIdOrganizationUserId(group.Id, organizationUser.Id)
+            .Returns(new GroupUser()
+            {
+                OrganizationUserId = organizationUser.Id,
+                GroupId = group.Id
+            });
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+
         var scimPatchModel = new Models.ScimPatchModel
         {
             Operations = new List<ScimPatchModel.OperationModel>
             {
                 new ScimPatchModel.OperationModel
                 {
                     Op = "remove",
-                    Path = $"members[value eq \"{userId}\"]",
+                    Path = $"members[value eq \"{organizationUser.Id}\"]",
                 }
             },
             Schemas = new List<string> { ScimConstants.Scim2SchemaUser }
         };
 
         await sutProvider.Sut.PatchGroupAsync(organization, group.Id, scimPatchModel);
 
-        await sutProvider.GetDependency<IGroupService>().Received(1).DeleteUserAsync(group, userId, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IGroupRepository>().Received(1).DeleteUserAsync(group.Id, organizationUser.Id);
+        await sutProvider.GetDependency<IEventService>().Received(1).LogOrganizationUserEventAsync(organizationUser,
+            EventType.OrganizationUser_UpdatedGroups, EventSystemUser.SCIM);
     }
 
     [Theory]
@@ -253,7 +268,7 @@ public async Task PatchGroup_NoAction_Success(SutProvider<PatchGroupCommand> sut
         await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().UpdateUsersAsync(default, default);
         await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyUserIdsByIdAsync(default);
         await sutProvider.GetDependency<IUpdateGroupCommand>().DidNotReceiveWithAnyArgs().UpdateGroupAsync(default, default);
-        await sutProvider.GetDependency<IGroupService>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
+        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
     }
 
     [Theory]