Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AC-2538] Member modal - limit admin access - fix ManageUsers custom permission #4032

Merged
merged 7 commits into from
May 1, 2024
Merged

[AC-2538] Member modal - limit admin access - fix ManageUsers custom permission #4032

merged 7 commits into from
May 1, 2024

Conversation

eliykat
Copy link
Member

@eliykat eliykat commented Apr 30, 2024
edited

Type of change

- [x] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Fix bug for Flexible Collections v1: the BulkCollectionAuthorizationHandler did not authorize the "Manage Users" or "Manage Groups" custom permissions, which broke the flow for #3934 (and would've for #3998).

This requires that we split the ModifyAccess operation into ModifyUserAccess and ModifyGroupAccess, to match the granularity of the custom permissions, and use these new operations where required.

Code changes

  • src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionOperations.cs - delete ModifyAccess and replace it with ModifyUserAccess and ModifyGroupAccess
  • src/Api/AdminConsole/Controllers/OrganizationUsersController.cs - update to use ModifyUserAccess, which is always what you're doing via the OrganizationUsersController
  • src/Api/Controllers/CollectionsController.cs - update to use the new operations as appropriate (depending on what the endpoint is updating)
  • src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs - the biggest changes:
    • make all private methods return a bool and call context.Succeed from the top-level method only. I really like how this simplified the handler
    • add private methods for the 2x new operations/requirements. They are subsets of the more general Update operation, e.g. if you can Update then you can ModifyUserAccess. There's an argument for splitting these out completely (so that Update only refers to the collection and not its access) but I decided to pull up for now.
  • update tests.

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team

@eliykat eliykat requested review from a team as code owners April 30, 2024 01:30
@eliykat eliykat changed the title Ac/ac 2538/server fix manageusers custom permission [AC-2538] Member modal - limit admin access - fix ManageUsers custom permission Apr 30, 2024
@codecov Codecov
Copy link

codecov bot commented Apr 30, 2024
edited

Codecov Report

Attention: Patch coverage is 95.74468% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 38.30%. Comparing base (3749fa6) to head (c2b949b).

Files Patch % Lines
src/Api/Controllers/CollectionsController.cs 50.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4032      +/-   ##
==========================================
- Coverage   38.30%   38.30%   -0.01%     
==========================================
  Files        1195     1195              
  Lines       58232    58223       -9     
  Branches     5584     5583       -1     
==========================================
- Hits        22307    22302       -5     
+ Misses      34873    34871       -2     
+ Partials     1052     1050       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 30, 2024
edited

Logo
Checkmarx One – Scan Summary & Details6353fc61-d49f-438e-8aa8-b6a62f93b1ef

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 891 Attack Vector
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 173 Attack Vector
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 744 Attack Vector
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 900 Attack Vector
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 590 Attack Vector
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 230 Attack Vector
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 590 Attack Vector
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 560 Attack Vector
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 590 Attack Vector
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 303 Attack Vector
MEDIUM Missing_HSTS_Header /bitwarden_license/src/Sso/Startup.cs: 57 Attack Vector
MEDIUM Privacy_Violation /src/Api/Vault/Controllers/CiphersController.cs: 919 Attack Vector
MEDIUM Privacy_Violation /src/Core/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommand.cs: 59 Attack Vector
MEDIUM Privacy_Violation /src/Core/Services/Implementations/UserService.cs: 647 Attack Vector
MEDIUM Privacy_Violation /src/Core/Services/Implementations/UserService.cs: 813 Attack Vector
MEDIUM Privacy_Violation /src/Core/Services/Implementations/UserService.cs: 592 Attack Vector
MEDIUM Privacy_Violation /src/Core/Services/Implementations/UserService.cs: 842 Attack Vector
LOW Log_Forging /src/Api/Vault/Controllers/CiphersController.cs: 911 Attack Vector

Fixed Issues

Severity Issue Source File / Package
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 587
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 587
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 587
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 587
MEDIUM CSRF /src/Api/AdminConsole/Controllers/ProvidersController.cs: 141
MEDIUM CSRF /src/Admin/AdminConsole/Controllers/ProvidersController.cs: 309
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 145
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 145
MEDIUM CSRF /src/Api/Billing/Controllers/ProviderClientsController.cs: 30
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 190
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 331
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 331
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 678
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 702
MEDIUM CSRF /src/Api/Vault/Controllers/FoldersController.cs: 45
MEDIUM CSRF /src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs: 51
MEDIUM CSRF /src/Api/Controllers/UsersController.cs: 22
MEDIUM CSRF /src/Api/Controllers/DevicesController.cs: 70
MEDIUM CSRF /src/Api/Controllers/DevicesController.cs: 57
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/PoliciesController.cs: 69
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/PoliciesController.cs: 49
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/OrganizationController.cs: 42
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 92
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 49
MEDIUM CSRF /src/Api/AdminConsole/Controllers/ProviderUsersController.cs: 142
MEDIUM CSRF /src/Api/AdminConsole/Controllers/ProviderOrganizationsController.cs: 52
MEDIUM CSRF /src/Api/AdminConsole/Controllers/PoliciesController.cs: 148
MEDIUM CSRF /src/Api/AdminConsole/Controllers/PoliciesController.cs: 78
MEDIUM CSRF /src/Api/AdminConsole/Controllers/PoliciesController.cs: 61
MEDIUM CSRF /bitwarden_license/src/Sso/Controllers/AccountController.cs: 163
MEDIUM CSRF /bitwarden_license/src/Sso/Controllers/AccountController.cs: 96
MEDIUM CSRF /bitwarden_license/src/Scim/Controllers/v2/UsersController.cs: 50
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 161
MEDIUM CSRF /src/Api/Auth/Controllers/EmergencyAccessController.cs: 159
MEDIUM CSRF /bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 98
MEDIUM CSRF /bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 88
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 299
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 550
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 159
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 222
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 607
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 607
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 702
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1023
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1023
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 303
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 193
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 244
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 174
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 410
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 284
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/MembersController.cs: 187
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 374
MEDIUM CSRF /src/Api/Auth/Controllers/TwoFactorController.cs: 403
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 791
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 144
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 128
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 805
MEDIUM CSRF /src/Admin/AdminConsole/Controllers/OrganizationsController.cs: 308
MEDIUM CSRF /src/Admin/AdminConsole/Controllers/ProvidersController.cs: 232
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 77
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 114
MEDIUM CSRF /src/Api/AdminConsole/Controllers/ProviderUsersController.cs: 175
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 550
MEDIUM CSRF /src/Api/Controllers/SettingsController.cs: 36
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 133
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/MembersController.cs: 150
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/MembersController.cs: 150
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 563
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 563
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/OrganizationController.cs: 42
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/OrganizationController.cs: 42
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/OrganizationController.cs: 42
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 911
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 188
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 728
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1080
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 997
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 997
MEDIUM CSRF /src/Api/AdminConsole/Controllers/ProviderUsersController.cs: 188
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1046
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1046
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 222
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 303
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 193
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 244
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 766
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 438
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 410
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 284
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 323
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1100
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 205
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 878
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 374
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 86
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 216
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 298
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 316
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/MembersController.cs: 59
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/MembersController.cs: 127
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 156
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 187
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 196
MEDIUM CSRF /src/Identity/Controllers/AccountsController.cs: 72
MEDIUM CSRF /src/Api/Public/Controllers/CollectionsController.cs: 64
MEDIUM CSRF /src/Api/Tools/Controllers/ImportCiphersController.cs: 50
MEDIUM CSRF /src/Api/Tools/Controllers/ImportCiphersController.cs: 66
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 111
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 125
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 942
MEDIUM CSRF /src/Identity/Controllers/AccountsController.cs: 50
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 313
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 362
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 433
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 571
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 222
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 586
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 288
MEDIUM

More results are available on AST platform

@eliykat eliykat mentioned this pull request Apr 30, 2024
Draft
vincentsalucci
vincentsalucci approved these changes Apr 30, 2024
View reviewed changes
Copy link
Member

@vincentsalucci vincentsalucci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like centralizing the authorized boolean as well.

shane-melton
shane-melton approved these changes May 1, 2024
View reviewed changes
Copy link
Member

@shane-melton shane-melton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! I really like that we can simply return a boolean for the helpers and don't need to pass in the requirement everywhere!

@eliykat eliykat merged commit 5012d56 into main May 1, 2024
50 checks passed
@eliykat eliykat deleted the ac/ac-2538/server-fix-manageusers-custom-permission branch May 1, 2024 00:06
@eliykat eliykat mentioned this pull request May 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shane-melton shane-melton shane-melton approved these changes

@vincentsalucci vincentsalucci vincentsalucci approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@eliykat @shane-melton @vincentsalucci