bitwarden · jrmccannon · Oct 29, 2024 · Oct 30, 2024 · Oct 30, 2024 · Oct 30, 2024
@@ -3,6 +3,7 @@
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Api.Vault.AuthorizationHandlers.Groups;
+using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
@@ -16,7 +17,7 @@
 
 namespace Bit.Api.AdminConsole.Controllers;
 
-[Route("organizations/{orgId}/groups")]
+[Route("organizations/{orgId}")]
 [Authorize("Application")]
 public class GroupsController : Controller
 {
@@ -64,7 +65,7 @@ public GroupsController(
         _collectionRepository = collectionRepository;
     }
 
-    [HttpGet("{id}")]
+    [HttpGet("groups/{id}")]
     public async Task<GroupResponseModel> Get(string orgId, string id)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
@@ -76,7 +77,7 @@ public async Task<GroupResponseModel> Get(string orgId, string id)
         return new GroupResponseModel(group);
     }
 
-    [HttpGet("{id}/details")]
+    [HttpGet("groups/{id}/details")]
     public async Task<GroupDetailsResponseModel> GetDetails(string orgId, string id)
     {
         var groupDetails = await _groupRepository.GetByIdWithCollectionsAsync(new Guid(id));
@@ -88,11 +89,31 @@ public async Task<GroupDetailsResponseModel> GetDetails(string orgId, string id)
         return new GroupDetailsResponseModel(groupDetails.Item1, groupDetails.Item2);
     }
 
-    [HttpGet("")]
-    public async Task<ListResponseModel<GroupDetailsResponseModel>> Get(Guid orgId)
+    [HttpGet("groups")]
+    public async Task<ListResponseModel<GroupDetailsResponseModel>> GetOrganizationGroups(Guid orgId)
     {
-        var authorized =
-            (await _authorizationService.AuthorizeAsync(User, GroupOperations.ReadAll(orgId))).Succeeded;
+        var authorized = (await _authorizationService.AuthorizeAsync(User, GroupOperations.ReadAll(orgId))).Succeeded;
+        if (!authorized)
+        {
+            throw new NotFoundException();
+        }
+
+        if (_featureService.IsEnabled(FeatureFlagKeys.SecureOrgGroupDetails))
+        {
+            var groups = await _groupRepository.GetManyByOrganizationIdAsync(orgId);
+            var responses = groups.Select(g => new GroupDetailsResponseModel(g, []));
+            return new ListResponseModel<GroupDetailsResponseModel>(responses);
+        }
+
+        var groupDetails = await _groupRepository.GetManyWithCollectionsByOrganizationIdAsync(orgId);
+        var detailResponses = groupDetails.Select(g => new GroupDetailsResponseModel(g.Item1, g.Item2));
+        return new ListResponseModel<GroupDetailsResponseModel>(detailResponses);
+    }
+
+    [HttpGet("group-details")]
+    public async Task<ListResponseModel<GroupDetailsResponseModel>> GetOrganizationGroupDetails(Guid orgId)
+    {
+        var authorized = (await _authorizationService.AuthorizeAsync(User, GroupOperations.ReadDetails(orgId))).Succeeded;
         if (!authorized)
         {
             throw new NotFoundException();
@@ -103,7 +124,7 @@ public async Task<ListResponseModel<GroupDetailsResponseModel>> Get(Guid orgId)
         return new ListResponseModel<GroupDetailsResponseModel>(responses);
     }
 
-    [HttpGet("{id}/users")]
+    [HttpGet("groups/{id}/users")]
     public async Task<IEnumerable<Guid>> GetUsers(string orgId, string id)
     {
         var idGuid = new Guid(id);
@@ -117,7 +138,7 @@ public async Task<IEnumerable<Guid>> GetUsers(string orgId, string id)
         return groupIds;
     }
 
-    [HttpPost("")]
+    [HttpPost("groups")]
     public async Task<GroupResponseModel> Post(Guid orgId, [FromBody] GroupRequestModel model)
     {
         if (!await _currentContext.ManageGroups(orgId))
@@ -145,8 +166,8 @@ public async Task<GroupResponseModel> Post(Guid orgId, [FromBody] GroupRequestMo
         return new GroupResponseModel(group);
     }
 
-    [HttpPut("{id}")]
-    [HttpPost("{id}")]
+    [HttpPut("groups/{id}")]
+    [HttpPost("groups/{id}")]
     public async Task<GroupResponseModel> Put(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
     {
         if (!await _currentContext.ManageGroups(orgId))
@@ -220,8 +241,8 @@ public async Task<GroupResponseModel> Put(Guid orgId, Guid id, [FromBody] GroupR
         return new GroupResponseModel(group);
     }
 
-    [HttpDelete("{id}")]
-    [HttpPost("{id}/delete")]
+    [HttpDelete("groups/{id}")]
+    [HttpPost("groups/{id}/delete")]
     public async Task Delete(string orgId, string id)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));
@@ -233,8 +254,8 @@ public async Task Delete(string orgId, string id)
         await _deleteGroupCommand.DeleteAsync(group);
     }
 
-    [HttpDelete("")]
-    [HttpPost("delete")]
+    [HttpDelete("groups/")]
+    [HttpPost("groups/delete")]
     public async Task BulkDelete([FromBody] GroupBulkRequestModel model)
     {
         var groups = await _groupRepository.GetManyByManyIds(model.Ids);
@@ -250,8 +271,8 @@ public async Task BulkDelete([FromBody] GroupBulkRequestModel model)
         await _deleteGroupCommand.DeleteManyAsync(groups);
     }
 
-    [HttpDelete("{id}/user/{orgUserId}")]
-    [HttpPost("{id}/delete-user/{orgUserId}")]
+    [HttpDelete("groups/{id}/user/{orgUserId}")]
+    [HttpPost("groups/{id}/delete-user/{orgUserId}")]
     public async Task Delete(string orgId, string id, string orgUserId)
     {
         var group = await _groupRepository.GetByIdAsync(new Guid(id));

@@ -1,5 +1,6 @@
 #nullable enable
 using Bit.Core.Context;
+using Bit.Core.Enums;
 using Microsoft.AspNetCore.Authorization;
 
 namespace Bit.Api.Vault.AuthorizationHandlers.Groups;
@@ -40,6 +41,9 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
             case not null when requirement.Name == nameof(GroupOperations.ReadAll):
                 await CanReadAllAsync(context, requirement, org);
                 break;
+            case not null when requirement.Name == nameof(GroupOperations.ReadDetails):
+                await CanViewGroupDetailsAsync(context, requirement, org);
+                break;
         }
     }
 
@@ -59,4 +63,19 @@ private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOpe
             context.Succeed(requirement);
         }
     }
+
+    private async Task CanViewGroupDetailsAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
+        CurrentContextOrganization? org)
+    {
+        if (org is not null
+            && (org.Permissions.ManageUsers
+                || org.Permissions.ManageGroups
+                || org.Type == OrganizationUserType.Admin
+                || org.Type == OrganizationUserType.Owner
+                || await _currentContext.ProviderUserForOrgAsync(org.Id)))
+        {
+
+            context.Succeed(requirement);
+        }
+    }
 }
@@ -19,4 +19,9 @@ public static GroupOperationRequirement ReadAll(Guid organizationId)
     {
         return new GroupOperationRequirement(nameof(ReadAll), organizationId);
     }
+
+    public static GroupOperationRequirement ReadDetails(Guid organizationId)
+    {
+        return new GroupOperationRequirement(nameof(ReadDetails), organizationId);
+    }
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
@@ -142,6 +142,7 @@ public static class FeatureFlagKeys
     public const string StorageReseedRefactor = "storage-reseed-refactor";
     public const string TrialPayment = "PM-8163-trial-payment";
     public const string RemoveServerVersionHeader = "remove-server-version-header";
+    public const string SecureOrgGroupDetails = "pm-12479-secure-org-group-details";
     public const string AccessIntelligence = "pm-13227-access-intelligence";
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";

@@ -122,4 +122,137 @@ public async Task HandleRequirementAsync_NoSpecifiedOrgId_Failure(
         Assert.False(context.HasSucceeded);
         Assert.True(context.HasFailed);
     }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    public async Task HandleRequirementsAsync_GivenViewDetailsOperation_WhenUserIsAdminOwner_ThenShouldSucceed(OrganizationUserType userType,
+        Guid userId, CurrentContextOrganization organization, SutProvider<GroupAuthorizationHandler> sutProvider)
+    {
+        organization.Type = userType;
+        organization.Permissions = new Permissions();
+
+        var context = new AuthorizationHandlerContext(
+            [GroupOperations.ReadDetails(organization.Id)],
+            new ClaimsPrincipal(),
+            null
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task HandleRequirementsAsync_GivenViewDetailsOperation_WhenUserIsNotOwnerOrAdmin_ThenShouldFail(OrganizationUserType userType,
+        Guid userId, CurrentContextOrganization organization, SutProvider<GroupAuthorizationHandler> sutProvider)
+    {
+        organization.Type = userType;
+        organization.Permissions = new Permissions();
+
+        var context = new AuthorizationHandlerContext(
+            [GroupOperations.ReadDetails(organization.Id)],
+            new ClaimsPrincipal(),
+            null
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleRequirementsAsync_GivenViewDetailsOperation_WhenUserHasManageGroupPermission_ThenShouldSucceed(
+        Guid userId, CurrentContextOrganization organization, SutProvider<GroupAuthorizationHandler> sutProvider)
+    {
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions = new Permissions
+        {
+            ManageGroups = true
+        };
+
+        var context = new AuthorizationHandlerContext(
+            [GroupOperations.ReadDetails(organization.Id)],
+            new ClaimsPrincipal(),
+            null
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleRequirementsAsync_GivenViewDetailsOperation_WhenUserHasManageUserPermission_ThenShouldSucceed(
+        Guid userId, CurrentContextOrganization organization, SutProvider<GroupAuthorizationHandler> sutProvider)
+    {
+        organization.Type = OrganizationUserType.Custom;
+        organization.Permissions = new Permissions
+        {
+            ManageUsers = true
+        };
+
+        var context = new AuthorizationHandlerContext(
+            [GroupOperations.ReadDetails(organization.Id)],
+            new ClaimsPrincipal(),
+            null
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleRequirementsAsync_GivenViewDetailsOperation_WhenUserIsStandardUserTypeWithoutElevatedPermissions_ThenShouldFail(
+        Guid userId, CurrentContextOrganization organization, SutProvider<GroupAuthorizationHandler> sutProvider)
+    {
+        organization.Type = OrganizationUserType.User;
+        organization.Permissions = new Permissions();
+
+        var context = new AuthorizationHandlerContext(
+            [GroupOperations.ReadDetails(organization.Id)],
+            new ClaimsPrincipal(),
+            null
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(organization.Id).Returns(false);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleRequirementsAsync_GivenViewDetailsOperation_WhenIsProviderUser_ThenShouldSucceed(
+        Guid userId,
+        SutProvider<GroupAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
+    {
+        organization.Type = OrganizationUserType.User;
+        organization.Permissions = new Permissions();
+
+        var context = new AuthorizationHandlerContext(
+            new[] { GroupOperations.ReadAll(organization.Id) },
+            new ClaimsPrincipal(),
+            null);
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(organization.Id).Returns(true);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
 }