
[AC-2274] Restrict Admin POST/PUT/DELETE Cipher Endpoints for V1 FC #3879

Merged
merged 9 commits into from Apr 30, 2024

Conversation

shane-melton

@shane-melton shane-melton commented Mar 8, 2024

Type of change

- [ ] Bug fix
- [X] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

#3676 focused on adding new endpoints to restrict admins from reading all organization ciphers when the AllowAdminAccessToAllCollectionItems setting is disabled. This prevents admins from editing/deleting ciphers when that setting is disabled.

Code changes

CanEditAnyCipherAsAdminAsync() Helper

Creates a new helper to determine if the current user has admin capabilities based on the new logic defined in Flexible Collections V1. If Flexible Collections has not been enabled for the organization, or the V1 flag is disabled, fall back to the current behavior (_currentContext.EditAnyCollections(orgId);).

All instances of _currentContext.EditAnyCollections(orgId) are then replaced with the new helper.

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team
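The fallback shape described under "Code changes", as an added illustration that is not Bitwarden's code: the interfaces and the settings record are simplified stand-ins (assumed) for the real current-context and organization types, and the V1 branch (organization setting plus an admin-capable caller) is an assumption about the new logic, while the fallback to EditAnyCollections is what the description states.

```csharp
using System;
using System.Threading.Tasks;

// Assumed stand-in for the real ICurrentContext; only the members used here.
public interface ICurrentContext
{
    bool EditAnyCollections(Guid orgId);   // pre-V1 capability check
    bool IsOrganizationAdmin(Guid orgId);  // assumed: Owner or Admin role
}

// Assumed stand-in for the organization settings the check depends on.
public record OrganizationSettings(
    bool FlexibleCollectionsEnabled,
    bool AllowAdminAccessToAllCollectionItems);

public interface IOrganizationSettingsReader
{
    Task<OrganizationSettings> GetAsync(Guid orgId);
}

public class CipherAdminAuthorization
{
    private readonly ICurrentContext _currentContext;
    private readonly IOrganizationSettingsReader _orgSettings;
    private readonly bool _flexibleCollectionsV1Flag; // server feature flag

    public CipherAdminAuthorization(ICurrentContext currentContext,
        IOrganizationSettingsReader orgSettings, bool flexibleCollectionsV1Flag)
    {
        _currentContext = currentContext;
        _orgSettings = orgSettings;
        _flexibleCollectionsV1Flag = flexibleCollectionsV1Flag;
    }

    // Gate for admin POST/PUT/DELETE cipher endpoints. Purge is deliberately
    // not routed through this: owners may purge the vault regardless.
    public async Task<bool> CanEditAnyCipherAsAdminAsync(Guid orgId)
    {
        var org = await _orgSettings.GetAsync(orgId);

        // Fall back to the existing behaviour when FC is off for the org
        // or the V1 flag is disabled, exactly as before this change.
        if (!org.FlexibleCollectionsEnabled || !_flexibleCollectionsV1Flag)
            return _currentContext.EditAnyCollections(orgId);

        // V1 (assumed): the org must opt in via AllowAdminAccessToAllCollectionItems,
        // and the caller must still be admin-capable. Fail closed otherwise.
        if (!org.AllowAdminAccessToAllCollectionItems)
            return false;
        return _currentContext.IsOrganizationAdmin(orgId)
            || _currentContext.EditAnyCollections(orgId);
    }
}
```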

@shane-melton shane-melton requested a review from a team as a code owner March 8, 2024 01:19

codecov bot commented Mar 8, 2024

Codecov Report

Attention: Patch coverage is 26.19048%, with 31 lines in your changes missing coverage. Please review.

Project coverage is 38.02%. Comparing base (78b57ba) to head (582e657).

Files Patch % Lines
src/Api/Vault/Controllers/CiphersController.cs 26.19% 31 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3879      +/-   ##
==========================================
+ Coverage   37.83%   38.02%   +0.18%     
==========================================
  Files        1192     1192              
  Lines       57958    57981      +23     
  Branches     5549     5555       +6     
==========================================
+ Hits        21930    22045     +115     
+ Misses      34995    34896      -99     
- Partials     1033     1040       +7     


gbubemismith
gbubemismith previously approved these changes Mar 11, 2024
@gbubemismith gbubemismith left a comment

LGTM

@shane-melton

@gbubemismith I had to undo the change to the Purge endpoints as Owners should still be able to purge an organization vault regardless of the collection management setting.

gbubemismith
gbubemismith previously approved these changes Mar 25, 2024

github-actions bot commented Mar 28, 2024

Checkmarx One – Scan Summary & Details 3d7b9a13-4ba6-4a8d-b157-bc77467df8d2

Fixed Issues


More results are available on AST platform

@shane-melton shane-melton merged commit 8e7bd79 into main Apr 30, 2024
49 checks passed
@shane-melton shane-melton deleted the vault/ac-2274/restrict-admin-cipher-endpoints branch April 30, 2024 17:28