[PM-12479] - Adding group-details endpoint

src/Api/AdminConsole/Controllers/GroupsController.cs

@@ -2,21 +2,22 @@
 using Bit.Api.AdminConsole.Models.Response;
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Api.Vault.AuthorizationHandlers.Groups;
+using Bit.Core;
+using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace Bit.Api.AdminConsole.Controllers;
 
-[Route("organizations/{orgId}/groups")]
+[Route("organizations/{orgId}")]
 [Authorize("Application")]
 public class GroupsController : Controller
 {
@@ -64,7 +65,7 @@
         _collectionRepository = collectionRepository;
     }
 
-    [HttpGet("{id}")]
+    [HttpGet("groups/{id}")]
     public async Task<GroupResponseModel> Get(string orgId, string id)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
@@ -76,7 +77,7 @@
         return new GroupResponseModel(group);
     }
 
-    [HttpGet("{id}/details")]
+    [HttpGet("groups/{id}/details")]
     public async Task<GroupDetailsResponseModel> GetDetails(string orgId, string id)
     {
         var groupDetails = await _groupRepository.GetByIdWithCollectionsAsync(new Guid(id));
@@ -88,12 +89,32 @@
         return new GroupDetailsResponseModel(groupDetails.Item1, groupDetails.Item2);
     }
 
-    [HttpGet("")]
-    public async Task<ListResponseModel<GroupDetailsResponseModel>> Get(Guid orgId)
+    [HttpGet("groups")]
+    public async Task<ListResponseModel<GroupDetailsResponseModel>> GetOrganizationGroups(Guid orgId)
     {
-        var authorized =
-            (await _authorizationService.AuthorizeAsync(User, GroupOperations.ReadAll(orgId))).Succeeded;
-        if (!authorized)
+        var authResult = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId), GroupOperations.ReadAll);
+        if (!authResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        if (_featureService.IsEnabled(FeatureFlagKeys.SecureOrgGroupDetails))
+        {
+            var groups = await _groupRepository.GetManyByOrganizationIdAsync(orgId);
+            var responses = groups.Select(g => new GroupDetailsResponseModel(g, []));
+            return new ListResponseModel<GroupDetailsResponseModel>(responses);
+        }
+
+        var groupDetails = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgId);
+        var detailResponses = groupDetails.Select(g => new GroupDetailsResponseModel(g.Item1, g.Item2));
+        return new ListResponseModel<GroupDetailsResponseModel>(detailResponses);
+    }
+
+    [HttpGet("group-details")]
+    public async Task<ListResponseModel<GroupDetailsResponseModel>> GetOrganizationGroupDetails(Guid orgId)
+    {
+        var authResult = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId), GroupOperations.ReadAllDetails);
+        if (!authResult.Succeeded)
         {
             throw new NotFoundException();
         }
@@ -103,7 +124,7 @@
         return new ListResponseModel<GroupDetailsResponseModel>(responses);
     }
 
-    [HttpGet("{id}/users")]
+    [HttpGet("groups/{id}/users")]
     public async Task<IEnumerable<Guid>> GetUsers(string orgId, string id)
     {
         var idGuid = new Guid(id);
@@ -117,7 +138,7 @@
         return groupIds;
     }
 
-    [HttpPost("")]
+    [HttpPost("groups")]
     public async Task<GroupResponseModel> Post(Guid orgId, [FromBody] GroupRequestModel model)
     {
         if (!await _currentContext.ManageGroups(orgId))
@@ -145,8 +166,8 @@
         return new GroupResponseModel(group);
     }
 
-    [HttpPut("{id}")]
-    [HttpPost("{id}")]
+    [HttpPut("groups/{id}")]
+    [HttpPost("groups/{id}")]
     public async Task<GroupResponseModel> Put(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
     {
         if (!await _currentContext.ManageGroups(orgId))
@@ -220,8 +241,8 @@
         return new GroupResponseModel(group);
     }
 
-    [HttpDelete("{id}")]
-    [HttpPost("{id}/delete")]
+    [HttpDelete("groups/{id}")]
+    [HttpPost("groups/{id}/delete")]
     public async Task Delete(string orgId, string id)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
@@ -233,8 +254,8 @@
         await _deleteGroupCommand.DeleteAsync(group);
     }
 
-    [HttpDelete("")]
-    [HttpPost("delete")]
+    [HttpDelete("groups/")]
+    [HttpPost("groups/delete")]
     public async Task BulkDelete([FromBody] GroupBulkRequestModel model)
     {
         var groups = await _groupRepository.GetManyByManyIds(model.Ids);
@@ -250,8 +271,8 @@
         await _deleteGroupCommand.DeleteManyAsync(groups);
     }
 
-    [HttpDelete("{id}/user/{orgUserId}")]
-    [HttpPost("{id}/delete-user/{orgUserId}")]
+    [HttpDelete("groups/{id}/user/{orgUserId}")]
+    [HttpPost("groups/{id}/delete-user/{orgUserId}")]
     public async Task Delete(string orgId, string id, string orgUserId)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -9,6 +9,7 @@
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;

src/Api/Api.csproj

@@ -37,5 +37,5 @@
     <PackageReference Include="Azure.Messaging.EventGrid" Version="4.25.0" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.8.1" />
   </ItemGroup>
-
+  
 </Project>

src/Api/Utilities/ServiceCollectionExtensions.cs

@@ -1,5 +1,5 @@
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Api.Vault.AuthorizationHandlers.Groups;
+using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;

src/Core/AdminConsole/OrganizationFeatures/Groups/Authorization/GroupAuthorizationHandler.cs

@@ -0,0 +1,42 @@
+#nullable enable
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
+
+/// <summary>
+/// Handles authorization logic for Group operations.
+/// This uses new logic implemented in the Flexible Collections initiative.
+/// </summary>
+public class GroupAuthorizationHandler(ICurrentContext currentContext)
+    : AuthorizationHandler<GroupOperationRequirement, OrganizationScope>
+{
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        GroupOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var authorized = requirement switch
+        {
+            not null when requirement.Name == nameof(GroupOperations.ReadAll) =>
+                await CanReadAllAsync(organizationScope),
+            not null when requirement.Name == nameof(GroupOperations.ReadAllDetails) =>
+                await CanViewGroupDetailsAsync(organizationScope),
+            _ => false
+        };
+
+        if (requirement is not null && authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private async Task<bool> CanReadAllAsync(OrganizationScope organizationScope) =>
+        currentContext.GetOrganization(organizationScope) is not null
+        || await currentContext.ProviderUserForOrgAsync(organizationScope);
+
+    private async Task<bool> CanViewGroupDetailsAsync(OrganizationScope organizationScope) =>
+        currentContext.GetOrganization(organizationScope) is { Type: OrganizationUserType.Owner } or { Type: OrganizationUserType.Admin }
+            or { Permissions: { ManageGroups: true } or { ManageUsers: true } }
+        || await currentContext.ProviderUserForOrgAsync(organizationScope);
+}

src/Core/AdminConsole/OrganizationFeatures/Groups/Authorization/GroupOperations.cs

@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
+
+public class GroupOperationRequirement : OperationAuthorizationRequirement
+{
+    public GroupOperationRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class GroupOperations
+{
+    public static readonly GroupOperationRequirement ReadAll = new(nameof(ReadAll));
+    public static readonly GroupOperationRequirement ReadAllDetails = new(nameof(ReadAllDetails));
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsAuthorizationHandler.cs

@@ -1,4 +1,5 @@
 #nullable enable
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Microsoft.AspNetCore.Authorization;

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandler.cs

@@ -1,20 +1,16 @@
-using Bit.Core.Context;
-using Bit.Core.Services;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
 using Microsoft.AspNetCore.Authorization;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 
 public class OrganizationUserUserMiniDetailsAuthorizationHandler :
     AuthorizationHandler<OrganizationUserUserMiniDetailsOperationRequirement, OrganizationScope>
 {
-    private readonly IApplicationCacheService _applicationCacheService;
     private readonly ICurrentContext _currentContext;
 
-    public OrganizationUserUserMiniDetailsAuthorizationHandler(
-        IApplicationCacheService applicationCacheService,
-        ICurrentContext currentContext)
+    public OrganizationUserUserMiniDetailsAuthorizationHandler(ICurrentContext currentContext)
     {
-        _applicationCacheService = applicationCacheService;
         _currentContext = currentContext;
     }
 

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationScope.cs → src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationScope.cs

@@ -1,6 +1,6 @@
 #nullable enable
 
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 
 /// <summary>
 /// A typed wrapper for an organization Guid. This is used for authorization checks

src/Core/Constants.cs

@@ -142,6 +142,7 @@ public static class FeatureFlagKeys
     public const string StorageReseedRefactor = "storage-reseed-refactor";
     public const string TrialPayment = "PM-8163-trial-payment";
     public const string RemoveServerVersionHeader = "remove-server-version-header";
+    public const string SecureOrgGroupDetails = "pm-12479-secure-org-group-details";
     public const string AccessIntelligence = "pm-13227-access-intelligence";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";