[AC-292] Public Api - allow configuration of custom permissions

bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs

@@ -554,7 +554,7 @@ private static string GetEnumDisplayName(Enum value)
  ]
  : Array.Empty<CollectionAccessSelection>();
 
- await _organizationService.InviteUsersAsync(organization.Id, user.Id,
+ await _organizationService.InviteUsersAsync(organization.Id, user.Id, systemUser: null,
  new (OrganizationUserInvite, string)[]
  {
  (

bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs

@@ -1,8 +1,67 @@
-namespace Bit.Scim.Models;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Models.Business;
+using Bit.Core.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Scim.Models;
 
 public class ScimUserRequestModel : BaseScimUserModel
 {
  public ScimUserRequestModel()
  : base(false)
  { }
+
+ public OrganizationUserInvite ToOrganizationUserInvite(ScimProviderType scimProvider)
+ {
+ return new OrganizationUserInvite
+ {
+ Emails = new[] { EmailForInvite(scimProvider) },
+
+ // Permissions cannot be set via SCIM so we use default values
+ Type = OrganizationUserType.User,
+ AccessAll = false,
+ Collections = new List<CollectionAccessSelection>(),
+ Groups = new List<Guid>()
+ };
+ }
+
+ private string EmailForInvite(ScimProviderType scimProvider)
+ {
+ var email = PrimaryEmail?.ToLowerInvariant();
+
+ if (!string.IsNullOrWhiteSpace(email))
+ {
+ return email;
+ }
+
+ switch (scimProvider)
+ {
+ case ScimProviderType.AzureAd:
+ return UserName?.ToLowerInvariant();
+ default:
+ email = WorkEmail?.ToLowerInvariant();
+ if (string.IsNullOrWhiteSpace(email))
+ {
+ email = Emails?.FirstOrDefault()?.Value?.ToLowerInvariant();
+ }
+
+ return email;
+ }
+ }
+
+ public string ExternalIdForInvite()
+ {
+ if (!string.IsNullOrWhiteSpace(ExternalId))
+ {
+ return ExternalId;
+ }
+
+ if (!string.IsNullOrWhiteSpace(UserName))
+ {
+ return UserName;
+ }
+
+ return CoreHelpers.RandomString(15);
+ }
 }

bitwarden_license/src/Scim/Users/PostUserCommand.cs

@@ -1,11 +1,8 @@
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.Enums;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
 using Bit.Scim.Context;
 using Bit.Scim.Models;
 using Bit.Scim.Users.Interfaces;
@@ -30,23 +27,11 @@ public class PostUserCommand : IPostUserCommand
 
  public async Task<OrganizationUserUserDetails> PostUserAsync(Guid organizationId, ScimUserRequestModel model)
  {
- var email = model.PrimaryEmail?.ToLowerInvariant();
- if (string.IsNullOrWhiteSpace(email))
- {
- switch (_scimContext.RequestScimProvider)
- {
- case ScimProviderType.AzureAd:
- email = model.UserName?.ToLowerInvariant();
- break;
- default:
- email = model.WorkEmail?.ToLowerInvariant();
- if (string.IsNullOrWhiteSpace(email))
- {
- email = model.Emails?.FirstOrDefault()?.Value?.ToLowerInvariant();
- }
- break;
- }
- }
+ var scimProvider = _scimContext.RequestScimProvider;
+ var invite = model.ToOrganizationUserInvite(scimProvider);
+
+ var email = invite.Emails.Single();
+ var externalId = model.ExternalIdForInvite();
 
  if (string.IsNullOrWhiteSpace(email) || !model.Active)
  {
@@ -60,28 +45,14 @@ public async Task<OrganizationUserUserDetails> PostUserAsync(Guid organizationId
  throw new ConflictException();
  }
 
- string externalId = null;
- if (!string.IsNullOrWhiteSpace(model.ExternalId))
- {
- externalId = model.ExternalId;
- }
- else if (!string.IsNullOrWhiteSpace(model.UserName))
- {
- externalId = model.UserName;
- }
- else
- {
- externalId = CoreHelpers.RandomString(15);
- }
-
  var orgUserByExternalId = orgUsers.FirstOrDefault(ou => ou.ExternalId == externalId);
  if (orgUserByExternalId != null)
  {
  throw new ConflictException();
  }
 
- var invitedOrgUser = await _organizationService.InviteUserAsync(organizationId, EventSystemUser.SCIM, email,
- OrganizationUserType.User, false, externalId, new List<CollectionAccessSelection>(), new List<Guid>());
+ var invitedOrgUser = await _organizationService.InviteUserAsync(organizationId, invitingUserId: null, EventSystemUser.SCIM,
+ invite, externalId);
  var orgUser = await _organizationUserRepository.GetDetailsByIdAsync(invitedOrgUser.Id);
 
  return orgUser;

bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs

@@ -631,7 +631,7 @@ await sutProvider.GetDependency<IEventService>()
  .Received().LogProviderOrganizationEventAsync(providerOrganization,
  EventType.ProviderOrganization_Created);
  await sutProvider.GetDependency<IOrganizationService>()
- .Received().InviteUsersAsync(organization.Id, user.Id, Arg.Is<IEnumerable<(OrganizationUserInvite, string)>>(
+ .Received().InviteUsersAsync(organization.Id, user.Id, systemUser: null, Arg.Is<IEnumerable<(OrganizationUserInvite, string)>>(
  t => t.Count() == 1 &&
  t.First().Item1.Emails.Count() == 1 &&
  t.First().Item1.Emails.First() == clientOwnerEmail &&
@@ -709,6 +709,7 @@ await sutProvider.GetDependency<IOrganizationService>()
  .InviteUsersAsync(
  organization.Id,
  user.Id,
+ systemUser: null,
  Arg.Is<IEnumerable<(OrganizationUserInvite, string)>>(
  t =>
  t.Count() == 1 &&
@@ -740,7 +741,7 @@ await sutProvider.GetDependency<IEventService>()
  .Received().LogProviderOrganizationEventAsync(providerOrganization,
  EventType.ProviderOrganization_Created);
  await sutProvider.GetDependency<IOrganizationService>()
- .Received().InviteUsersAsync(organization.Id, user.Id, Arg.Is<IEnumerable<(OrganizationUserInvite, string)>>(
+ .Received().InviteUsersAsync(organization.Id, user.Id, systemUser: null, Arg.Is<IEnumerable<(OrganizationUserInvite, string)>>(
  t => t.Count() == 1 &&
  t.First().Item1.Emails.Count() == 1 &&
  t.First().Item1.Emails.First() == clientOwnerEmail &&

bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs

@@ -1,6 +1,6 @@
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -34,15 +34,25 @@ public async Task PostUser_Success(SutProvider<PostUserCommand> sutProvider, str
  .Returns(organizationUsers);
 
  sutProvider.GetDependency<IOrganizationService>()
- .InviteUserAsync(organizationId, EventSystemUser.SCIM, scimUserRequestModel.PrimaryEmail.ToLowerInvariant(),
- OrganizationUserType.User, false, externalId, Arg.Any<List<CollectionAccessSelection>>(),
- Arg.Any<List<Guid>>())
+ .InviteUserAsync(organizationId, invitingUserId: null, EventSystemUser.SCIM,
+ Arg.Is<OrganizationUserInvite>(i =>
+ i.Emails.Single().Equals(scimUserRequestModel.PrimaryEmail.ToLowerInvariant()) &&
+ i.Type == OrganizationUserType.User &&
+ !i.AccessAll &&
+ !i.Collections.Any() &&
+ !i.Groups.Any()), externalId)
  .Returns(newUser);
 
  var user = await sutProvider.Sut.PostUserAsync(organizationId, scimUserRequestModel);
 
- await sutProvider.GetDependency<IOrganizationService>().Received(1).InviteUserAsync(organizationId, EventSystemUser.SCIM, scimUserRequestModel.PrimaryEmail.ToLowerInvariant(),
- OrganizationUserType.User, false, scimUserRequestModel.ExternalId, Arg.Any<List<CollectionAccessSelection>>(), Arg.Any<List<Guid>>());
+ await sutProvider.GetDependency<IOrganizationService>().Received(1).InviteUserAsync(organizationId,
+ invitingUserId: null, EventSystemUser.SCIM,
+ Arg.Is<OrganizationUserInvite>(i =>
+ i.Emails.Single().Equals(scimUserRequestModel.PrimaryEmail.ToLowerInvariant()) &&
+ i.Type == OrganizationUserType.User &&
+ !i.AccessAll &&
+ !i.Collections.Any() &&
+ !i.Groups.Any()), externalId);
  await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).GetDetailsByIdAsync(newUser.Id);
  }
 

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -208,7 +208,7 @@ public async Task Invite(Guid orgId, [FromBody] OrganizationUserInviteRequestMod
  }
 
  var userId = _userService.GetProperUserId(User);
- await _organizationService.InviteUsersAsync(orgId, userId.Value,
+ await _organizationService.InviteUsersAsync(orgId, userId.Value, systemUser: null,
  new (OrganizationUserInvite, string)[] { (new OrganizationUserInvite(model.ToData()), null) });
  }
 

src/Api/AdminConsole/Public/Controllers/MembersController.cs

@@ -127,10 +127,11 @@
  public async Task<IActionResult> Post([FromBody] MemberCreateRequestModel model)
  {
  var flexibleCollectionsIsEnabled = await FlexibleCollectionsIsEnabledAsync(_currentContext.OrganizationId.Value);
- var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(flexibleCollectionsIsEnabled)).ToList();
+ var invite = model.ToOrganizationUserInvite(flexibleCollectionsIsEnabled);
+
  var user = await _organizationService.InviteUserAsync(_currentContext.OrganizationId.Value, null,
- model.Email, model.Type.Value, model.AccessAll.Value, model.ExternalId, associations, model.Groups);
- var response = new MemberResponseModel(user, associations, flexibleCollectionsIsEnabled);
+ systemUser: null, invite, model.ExternalId);
+ var response = new MemberResponseModel(user, invite.Collections, flexibleCollectionsIsEnabled);
  return new JsonResult(response);
  }
 

src/Api/AdminConsole/Public/Models/MemberBaseModel.cs

@@ -1,4 +1,6 @@
-using System.ComponentModel.DataAnnotations;
+#nullable enable
+
+using System.ComponentModel.DataAnnotations;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
@@ -21,6 +23,11 @@
  AccessAll = user.AccessAll;
  ExternalId = user.ExternalId;
  ResetPasswordEnrolled = user.ResetPasswordKey != null;
+
+ if (user.Type == OrganizationUserType.Custom)
+ {
+ Permissions = new PermissionsModel(user.GetPermissions());
+ }
  }
 
  public MemberBaseModel(OrganizationUserUserDetails user, bool flexibleCollectionsEnabled)
@@ -34,6 +41,11 @@
  AccessAll = user.AccessAll;
  ExternalId = user.ExternalId;
  ResetPasswordEnrolled = user.ResetPasswordKey != null;
+
+ if (user.Type == OrganizationUserType.Custom)
+ {
+ Permissions = new PermissionsModel(user.GetPermissions());
+ }
  }
 
  /// <summary>
@@ -59,6 +71,11 @@
  /// </summary>
  [Required]
  public bool ResetPasswordEnrolled { get; set; }
+ /// <summary>
+ /// The member's custom permissions if the member has a Custom role. If not supplied, all custom permissions will
+ /// default to false.
+ /// </summary>
+ public PermissionsModel? Permissions { get; set; }
 
  // TODO: AC-2188 - Remove this method when the custom users with no other permissions than 'Edit/Delete Assigned Collections' are migrated
  private OrganizationUserType GetFlexibleCollectionsUserType(OrganizationUserType type, Permissions permissions)

src/Api/AdminConsole/Public/Models/PermissionsModel.cs

@@ -0,0 +1,67 @@
+#nullable enable
+
+using System.Text.Json.Serialization;
+using Bit.Core.Models.Data;
+
+namespace Bit.Api.AdminConsole.Public.Models;
+
+/// <summary>
+/// Represents a member's custom permissions if the member has a Custom role.
+/// </summary>
+public class PermissionsModel
+{
+ [JsonConstructor]
+ public PermissionsModel() { }
+ public PermissionsModel(Permissions? data)
+ {
+ if (data is null)
+ {
+ return;
+ }
+
+ AccessEventLogs = data.AccessEventLogs;
+ AccessImportExport = data.AccessImportExport;
+ AccessReports = data.AccessReports;
+ CreateNewCollections = data.CreateNewCollections;
+ EditAnyCollection = data.EditAnyCollection;
+ DeleteAnyCollection = data.DeleteAnyCollection;
+ ManageGroups = data.ManageGroups;
+ ManagePolicies = data.ManagePolicies;
+ ManageSso = data.ManageSso;
+ ManageUsers = data.ManageUsers;
+ ManageResetPassword = data.ManageResetPassword;
+ ManageScim = data.ManageScim;
+ }
+
+ public bool AccessEventLogs { get; set; }
+ public bool AccessImportExport { get; set; }
+ public bool AccessReports { get; set; }
+ public bool CreateNewCollections { get; set; }
+ public bool EditAnyCollection { get; set; }
+ public bool DeleteAnyCollection { get; set; }
+ public bool ManageGroups { get; set; }
+ public bool ManagePolicies { get; set; }
+ public bool ManageSso { get; set; }
+ public bool ManageUsers { get; set; }
+ public bool ManageResetPassword { get; set; }
+ public bool ManageScim { get; set; }
+
+ public Permissions ToData()
+ {
+ return new Permissions
+ {
+ AccessEventLogs = AccessEventLogs,
+ AccessImportExport = AccessImportExport,
+ AccessReports = AccessReports,
+ CreateNewCollections = CreateNewCollections,
+ EditAnyCollection = EditAnyCollection,
+ DeleteAnyCollection = DeleteAnyCollection,
+ ManageGroups = ManageGroups,
+ ManagePolicies = ManagePolicies,
+ ManageSso = ManageSso,
+ ManageUsers = ManageUsers,
+ ManageResetPassword = ManageResetPassword,
+ ManageScim = ManageScim
+ };
+ }
+}

src/Api/AdminConsole/Public/Models/Request/MemberCreateRequestModel.cs

@@ -1,5 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Business;
 using Bit.Core.Utilities;
 
 namespace Bit.Api.AdminConsole.Public.Models.Request;
@@ -19,4 +21,24 @@
  {
  throw new NotImplementedException();
  }
+
+ public OrganizationUserInvite ToOrganizationUserInvite(bool flexibleCollectionsIsEnabled)
+ {
+ var invite = new OrganizationUserInvite
+ {
+ Emails = new[] { Email },
+ Type = Type.Value,
+ AccessAll = AccessAll.Value,
+ Collections = Collections?.Select(c => c.ToCollectionAccessSelection(flexibleCollectionsIsEnabled)).ToList(),
+ Groups = Groups
+ };
+
+ // Permissions property is optional for backwards compatibility with existing usage
+ if (Type is OrganizationUserType.Custom && Permissions is not null)
+ {
+ invite.Permissions = Permissions.ToData();
+ }
+
+ return invite;
+ }
 }