Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AC-1344] Provider users unable to bulk restore vault items for client organizations #2871

Merged
merged 10 commits into from
Aug 2, 2023
Merged

[AC-1344] Provider users unable to bulk restore vault items for client organizations #2871

merged 10 commits into from
Aug 2, 2023

Conversation

r-tome
Copy link
Contributor

@r-tome r-tome commented Apr 21, 2023
edited
Loading

Type of change

- [X] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Bulk restoring items in the web vault is not working for Provider users because the existing API endpoint only allows that action for Organization members.

Code changes

This PR is related to this clients PR.

  • src/Api/Vault/Controllers/CiphersController.cs: Changed output model to ListResponseModel<CipherMiniResponseModel> and moved logic to CipherService. Added new endpoint PutRestoreManyAdmin
  • src/Api/Vault/Models/Request/CipherRequestModel.cs: Added OrganizationId field to CipherBulkRestoreRequestModel
  • src/Core/Vault/Repositories/ICipherRepository.cs: Added method RestoreByIdsOrganizationIdAsync to restore certain ciphers for an organization
  • src/Core/Vault/Services/ICipherService.cs: Added parameters organizationId and orgAdmin to RestoreManyAsync and updated output to ICollection<CipherOrganizationDetails>
  • src/Core/Vault/Services/Implementations/CipherService.cs: If an organizationId value is passed and orgAdmin == true then CipherRepository.RestoreByIdsOrganizationIdAsync is used otherwise its CipherRepository.RestoreAsync
  • src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs: Added method to restore certain ciphers for an Organization
  • src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs: Added method to restore certain ciphers for an Organization
  • src/Sql/Sql.sqlproj: Added file Cipher_RestoreByIdsOrganizationId.sql
  • src/Sql/Vault/dbo/Stored Procedures/Cipher/Cipher_RestoreByIdsOrganizationId.sql: Stored procedure to bulk restore ciphers that belong to an organization
  • test/Core.Test/Vault/Services/CipherServiceTests.cs: Fixed existing unit test
  • util/Migrator/DbScripts/2023-04-21_00_CipherRestoreByIdsOrganizationId.sql: SQL migration

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team

@r-tome r-tome changed the title [AC-1344] Added method PutRestoreManyAdmin to CiphersController and r… [AC-1344] Provider users unable to bulk restore vault items for client organizations Apr 24, 2023
@r-tome r-tome mentioned this pull request Apr 24, 2023
Merged
@r-tome r-tome marked this pull request as ready for review April 24, 2023 15:50
@r-tome r-tome requested a review from a team as a code owner April 24, 2023 15:50
@r-tome r-tome requested a review from a team April 24, 2023 15:50
@r-tome
Merge branch 'master' into AC-1344-provider-users-unable-to-bulk-rest…
9bb06f7 
…ore-vault-items-for-client-organizations

# Conflicts:
#	src/Sql/Sql.sqlproj
eliykat
eliykat reviewed Jun 8, 2023
View reviewed changes
Copy link
Member

@eliykat eliykat left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think having -admin variants of basic operations is an antipattern. It duplicates a lot of the logic - the request, the controller endpoint, conditional logic in the service, and the db sproc, all to do the same thing (restore some ciphers). The only difference is the user's role, which is just authorization logic.

Can you please consider whether we can

  1. create a CiphersAuthorizationHandler to encapsulate authorization logic (refer back to [AC-1387] Resource-based authentication for Groups #2845 for this pattern)
  2. have 1 repository method + sproc which just restores the provided cipherIds, without needing to distinguish between users and admins

So the flow could more or less be

  1. get ciphers (or CipherDetails, whatever the auth logic requires)
  2. pass them to bitAuthorizationService to check permissions
  3. restore ciphers
  4. log the events

(That's very simplified - it may not be that tidy - but that's the ideal.)

This also has the advantage of creating up CiphersAuthorizationHandler for future use. If we can't do the full refactor above then I'd at least like to do that.

@bitwarden-bot
Copy link

bitwarden-bot commented Jul 19, 2023
edited
Loading

Logo
Checkmarx One – Scan Summary & Details5d8bae5a-a9e5-4c55-bdf3-fd853b553c7b

No New Or Fixed Issues Found

@r-tome r-tome requested a review from eliykat July 19, 2023 14:02
@r-tome
Copy link
Contributor Author

r-tome commented Jul 19, 2023

@eliykat as we've agreed to refactor this later to use resource-based authentication, please re-review this.

eliykat
eliykat requested changes Jul 20, 2023
View reviewed changes
Copy link
Member

@eliykat eliykat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I'll also request a review from the Vault Team because ciphers are their domain.

test/Core.Test/Vault/Services/CipherServiceTests.cs Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to add a test for the new parameters/behaviour as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test added!

gbubemismith
gbubemismith reviewed Jul 20, 2023
View reviewed changes
Copy link
Member

@gbubemismith gbubemismith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks good. I just have asked one question.

src/Core/Vault/Services/Implementations/CipherService.cs Show resolved Hide resolved
@r-tome r-tome requested a review from eliykat July 21, 2023 13:59
@gbubemismith
Copy link
Member

This looks good. Nice job!

@bitwarden-devops-bot bitwarden-devops-bot temporarily deployed to QA Cloud August 2, 2023 00:30 Inactive
@r-tome r-tome removed the needs-qa label Aug 2, 2023
@r-tome r-tome merged commit d94a545 into master Aug 2, 2023
84 of 85 checks passed
@r-tome r-tome deleted the AC-1344-provider-users-unable-to-bulk-restore-vault-items-for-client-organizations branch August 2, 2023 15:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gbubemismith gbubemismith gbubemismith left review comments

@eliykat eliykat eliykat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@r-tome @bitwarden-bot @gbubemismith @eliykat @bitwarden-devops-bot