Merge 6fb74bfe59 into cbf7c292f3
This commit is contained in:
Thomas Avery
GitHub
commit
f8f98d687a
|
|
@ -58,3 +58,12 @@ export class ServiceAccountPeopleAccessPoliciesView {
|
|||
userAccessPolicies: UserServiceAccountAccessPolicyView[];
|
||||
groupAccessPolicies: GroupServiceAccountAccessPolicyView[];
|
||||
}
|
||||
|
||||
export class ServiceAccountProjectPolicyPermissionDetailsView {
|
||||
accessPolicy: ServiceAccountProjectAccessPolicyView;
|
||||
hasPermission: boolean;
|
||||
}
|
||||
|
||||
export class ServiceAccountGrantedPoliciesView {
|
||||
grantedProjectPolicies: ServiceAccountProjectPolicyPermissionDetailsView[];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,17 +1,27 @@
|
|||
<div class="tw-mt-4 tw-w-2/5">
|
||||
<p class="tw-mt-6">
|
||||
{{ "machineAccountProjectsDescription" | i18n }}
|
||||
</p>
|
||||
<sm-access-selector
|
||||
[rows]="rows$ | async"
|
||||
granteeType="projects"
|
||||
[label]="'projects' | i18n"
|
||||
[hint]="'newSaSelectAccess' | i18n"
|
||||
[columnTitle]="'projects' | i18n"
|
||||
[emptyMessage]="'serviceAccountEmptyProjectAccesspolicies' | i18n"
|
||||
(onCreateAccessPolicies)="handleCreateAccessPolicies($event)"
|
||||
(onDeleteAccessPolicy)="handleDeleteAccessPolicy($event)"
|
||||
(onUpdateAccessPolicy)="handleUpdateAccessPolicy($event)"
|
||||
>
|
||||
</sm-access-selector>
|
||||
</div>
|
||||
<form [formGroup]="formGroup" [bitSubmit]="submit" *ngIf="!loading; else spinner">
|
||||
<div class="tw-w-2/5">
|
||||
<p class="tw-mt-8" *ngIf="!loading">
|
||||
{{ "machineAccountProjectsDescription" | i18n }}
|
||||
</p>
|
||||
<sm-access-policy-selector
|
||||
[loading]="loading"
|
||||
formControlName="accessPolicies"
|
||||
[addButtonMode]="true"
|
||||
[items]="potentialGrantees"
|
||||
[label]="'projects' | i18n"
|
||||
[hint]="'newSaSelectAccess' | i18n"
|
||||
[columnTitle]="'projects' | i18n"
|
||||
[emptyMessage]="'serviceAccountEmptyProjectAccesspolicies' | i18n"
|
||||
>
|
||||
</sm-access-policy-selector>
|
||||
<button bitButton buttonType="primary" bitFormButton type="submit" class="tw-mt-7">
|
||||
{{ "save" | i18n }}
|
||||
</button>
|
||||
</div>
|
||||
</form>
|
||||
|
||||
<ng-template #spinner>
|
||||
<div class="tw-items-center tw-justify-center tw-pt-64 tw-text-center">
|
||||
<i class="bwi bwi-spinner bwi-spin bwi-3x"></i>
|
||||
</div>
|
||||
</ng-template>
|
||||
|
|
|
|||
|
|
@ -1,90 +1,68 @@
|
|||
import { Component, OnDestroy, OnInit } from "@angular/core";
|
||||
import { ChangeDetectorRef, Component, OnDestroy, OnInit } from "@angular/core";
|
||||
import { FormControl, FormGroup } from "@angular/forms";
|
||||
import { ActivatedRoute } from "@angular/router";
|
||||
import { combineLatestWith, map, Observable, startWith, Subject, switchMap, takeUntil } from "rxjs";
|
||||
import { combineLatest, Subject, switchMap, takeUntil } from "rxjs";
|
||||
|
||||
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
|
||||
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
|
||||
import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
|
||||
import { SelectItemView } from "@bitwarden/components/src/multi-select/models/select-item-view";
|
||||
|
||||
import { ServiceAccountProjectAccessPolicyView } from "../../models/view/access-policy.view";
|
||||
import { AccessPolicyService } from "../../shared/access-policies/access-policy.service";
|
||||
import { ServiceAccountGrantedPoliciesView } from "../../models/view/access-policy.view";
|
||||
import {
|
||||
AccessSelectorComponent,
|
||||
AccessSelectorRowView,
|
||||
} from "../../shared/access-policies/access-selector.component";
|
||||
ApItemValueType,
|
||||
convertToServiceAccountGrantedPoliciesView,
|
||||
} from "../../shared/access-policies/access-policy-selector/models/ap-item-value.type";
|
||||
import {
|
||||
ApItemViewType,
|
||||
convertPotentialGranteesToApItemViewType,
|
||||
convertGrantedPoliciesToAccessPolicyItemViews,
|
||||
} from "../../shared/access-policies/access-policy-selector/models/ap-item-view.type";
|
||||
import { AccessPolicyService } from "../../shared/access-policies/access-policy.service";
|
||||
|
||||
@Component({
|
||||
selector: "sm-service-account-projects",
|
||||
templateUrl: "./service-account-projects.component.html",
|
||||
})
|
||||
export class ServiceAccountProjectsComponent implements OnInit, OnDestroy {
|
||||
private currentAccessPolicies: ApItemViewType[];
|
||||
private destroy$ = new Subject<void>();
|
||||
private serviceAccountId: string;
|
||||
private organizationId: string;
|
||||
private serviceAccountId: string;
|
||||
|
||||
protected rows$: Observable<AccessSelectorRowView[]> =
|
||||
this.accessPolicyService.serviceAccountGrantedPolicyChanges$.pipe(
|
||||
startWith(null),
|
||||
combineLatestWith(this.route.params),
|
||||
switchMap(([_, params]) =>
|
||||
this.accessPolicyService.getGrantedPolicies(params.serviceAccountId, params.organizationId),
|
||||
),
|
||||
map((policies) => {
|
||||
return policies.map((policy) => {
|
||||
return {
|
||||
type: "project",
|
||||
name: policy.grantedProjectName,
|
||||
id: policy.grantedProjectId,
|
||||
accessPolicyId: policy.id,
|
||||
read: policy.read,
|
||||
write: policy.write,
|
||||
icon: AccessSelectorComponent.projectIcon,
|
||||
static: false,
|
||||
} as AccessSelectorRowView;
|
||||
});
|
||||
}),
|
||||
);
|
||||
private currentAccessPolicies$ = combineLatest([this.route.params]).pipe(
|
||||
switchMap(([params]) =>
|
||||
this.accessPolicyService
|
||||
.getServiceAccountGrantedPolicies(params.organizationId, params.serviceAccountId)
|
||||
.then((policies) => {
|
||||
return convertGrantedPoliciesToAccessPolicyItemViews(policies);
|
||||
}),
|
||||
),
|
||||
);
|
||||
|
||||
protected handleCreateAccessPolicies(selected: SelectItemView[]) {
|
||||
const serviceAccountProjectAccessPolicyView = selected
|
||||
.filter((selection) => AccessSelectorComponent.getAccessItemType(selection) === "project")
|
||||
.map((filtered) => {
|
||||
const view = new ServiceAccountProjectAccessPolicyView();
|
||||
view.serviceAccountId = this.serviceAccountId;
|
||||
view.grantedProjectId = filtered.id;
|
||||
view.read = true;
|
||||
view.write = false;
|
||||
return view;
|
||||
});
|
||||
private potentialGrantees$ = combineLatest([this.route.params]).pipe(
|
||||
switchMap(([params]) =>
|
||||
this.accessPolicyService
|
||||
.getProjectsPotentialGrantees(params.organizationId)
|
||||
.then((grantees) => {
|
||||
return convertPotentialGranteesToApItemViewType(grantees);
|
||||
}),
|
||||
),
|
||||
);
|
||||
|
||||
return this.accessPolicyService.createGrantedPolicies(
|
||||
this.organizationId,
|
||||
this.serviceAccountId,
|
||||
serviceAccountProjectAccessPolicyView,
|
||||
);
|
||||
}
|
||||
protected formGroup = new FormGroup({
|
||||
accessPolicies: new FormControl([] as ApItemValueType[]),
|
||||
});
|
||||
|
||||
protected async handleUpdateAccessPolicy(policy: AccessSelectorRowView) {
|
||||
try {
|
||||
return await this.accessPolicyService.updateAccessPolicy(
|
||||
AccessSelectorComponent.getBaseAccessPolicyView(policy),
|
||||
);
|
||||
} catch (e) {
|
||||
this.validationService.showError(e);
|
||||
}
|
||||
}
|
||||
|
||||
protected async handleDeleteAccessPolicy(policy: AccessSelectorRowView) {
|
||||
try {
|
||||
await this.accessPolicyService.deleteAccessPolicy(policy.accessPolicyId);
|
||||
} catch (e) {
|
||||
this.validationService.showError(e);
|
||||
}
|
||||
}
|
||||
protected loading = true;
|
||||
protected potentialGrantees: ApItemViewType[];
|
||||
|
||||
constructor(
|
||||
private route: ActivatedRoute,
|
||||
private changeDetectorRef: ChangeDetectorRef,
|
||||
private validationService: ValidationService,
|
||||
private accessPolicyService: AccessPolicyService,
|
||||
private platformUtilsService: PlatformUtilsService,
|
||||
private i18nService: I18nService,
|
||||
) {}
|
||||
|
||||
ngOnInit(): void {
|
||||
|
|
@ -92,10 +70,119 @@ export class ServiceAccountProjectsComponent implements OnInit, OnDestroy {
|
|||
this.organizationId = params.organizationId;
|
||||
this.serviceAccountId = params.serviceAccountId;
|
||||
});
|
||||
|
||||
combineLatest([this.potentialGrantees$, this.currentAccessPolicies$])
|
||||
.pipe(takeUntil(this.destroy$))
|
||||
.subscribe(([potentialGrantees, currentAccessPolicies]) => {
|
||||
this.potentialGrantees = this.getPotentialGrantees(
|
||||
potentialGrantees,
|
||||
currentAccessPolicies,
|
||||
);
|
||||
this.setSelected(currentAccessPolicies);
|
||||
});
|
||||
}
|
||||
|
||||
ngOnDestroy(): void {
|
||||
this.destroy$.next();
|
||||
this.destroy$.complete();
|
||||
}
|
||||
|
||||
submit = async () => {
|
||||
if (this.isFormInvalid()) {
|
||||
return;
|
||||
}
|
||||
const formValues = this.getFormValues();
|
||||
this.formGroup.disable();
|
||||
|
||||
try {
|
||||
const grantedViews = await this.updateServiceAccountGrantedPolicies(
|
||||
this.organizationId,
|
||||
this.serviceAccountId,
|
||||
formValues,
|
||||
);
|
||||
|
||||
this.currentAccessPolicies = convertGrantedPoliciesToAccessPolicyItemViews(grantedViews);
|
||||
|
||||
this.platformUtilsService.showToast(
|
||||
"success",
|
||||
null,
|
||||
this.i18nService.t("serviceAccountAccessUpdated"),
|
||||
);
|
||||
} catch (e) {
|
||||
this.validationService.showError(e);
|
||||
this.setSelected(this.currentAccessPolicies);
|
||||
}
|
||||
this.formGroup.enable();
|
||||
};
|
||||
|
||||
private setSelected(policiesToSelect: ApItemViewType[]) {
|
||||
this.loading = true;
|
||||
this.currentAccessPolicies = policiesToSelect;
|
||||
if (policiesToSelect != undefined) {
|
||||
// Must detect changes so that AccessSelector @Inputs() are aware of the latest
|
||||
// potentialGrantees, otherwise no selected values will be patched below
|
||||
this.changeDetectorRef.detectChanges();
|
||||
this.formGroup.patchValue({
|
||||
accessPolicies: policiesToSelect.map((m) => ({
|
||||
type: m.type,
|
||||
id: m.id,
|
||||
permission: m.permission,
|
||||
readOnly: m.readOnly,
|
||||
})),
|
||||
});
|
||||
}
|
||||
this.loading = false;
|
||||
}
|
||||
|
||||
private isFormInvalid(): boolean {
|
||||
this.formGroup.markAllAsTouched();
|
||||
return this.formGroup.invalid;
|
||||
}
|
||||
|
||||
private async updateServiceAccountGrantedPolicies(
|
||||
organizationId: string,
|
||||
serviceAccountId: string,
|
||||
selectedPolicies: ApItemValueType[],
|
||||
): Promise<ServiceAccountGrantedPoliciesView> {
|
||||
const grantedViews = convertToServiceAccountGrantedPoliciesView(
|
||||
serviceAccountId,
|
||||
selectedPolicies,
|
||||
);
|
||||
return await this.accessPolicyService.putServiceAccountGrantedPolicies(
|
||||
organizationId,
|
||||
serviceAccountId,
|
||||
grantedViews,
|
||||
);
|
||||
}
|
||||
|
||||
private getPotentialGrantees(
|
||||
potentialGrantees: ApItemViewType[],
|
||||
currentAccessPolicies: ApItemViewType[],
|
||||
) {
|
||||
// If the user doesn't have access to the project, they won't be in the potentialGrantees list.
|
||||
// Add them to the potentialGrantees list so they can be selected as read-only.
|
||||
for (const policy of currentAccessPolicies) {
|
||||
const exists = potentialGrantees.some((grantee) => grantee.id === policy.id);
|
||||
if (!exists) {
|
||||
potentialGrantees.push(policy);
|
||||
}
|
||||
}
|
||||
return potentialGrantees;
|
||||
}
|
||||
|
||||
private getFormValues(): ApItemValueType[] {
|
||||
// The read-only disabled form values are not included in the formGroup value.
|
||||
// Manually add them to the returned result to ensure they are included in the form submission.
|
||||
let formValues = this.formGroup.value.accessPolicies;
|
||||
formValues = formValues.concat(
|
||||
this.currentAccessPolicies
|
||||
.filter((m) => m.readOnly)
|
||||
.map((m) => ({
|
||||
id: m.id,
|
||||
type: m.type,
|
||||
permission: m.permission,
|
||||
})),
|
||||
);
|
||||
return formValues;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,14 +29,17 @@
|
|||
bitRow
|
||||
*ngFor="let item of selectionList.selectedItems; let i = index"
|
||||
[formGroupName]="i"
|
||||
[ngClass]="{ 'tw-text-muted': item.readOnly }"
|
||||
>
|
||||
<td bitCell class="tw-w-0 tw-pr-0">
|
||||
<i class="bwi {{ item.icon }} tw-text-muted" aria-hidden="true"></i>
|
||||
<i class="bwi {{ item.icon }}" aria-hidden="true"></i>
|
||||
</td>
|
||||
<td bitCell class="tw-max-w-sm tw-truncate">
|
||||
{{ item.labelName }}
|
||||
</td>
|
||||
<td bitCell class="tw-max-w-sm tw-truncate">{{ item.labelName }}</td>
|
||||
<td bitCell class="tw-mb-auto tw-inline-block tw-w-auto">
|
||||
<select
|
||||
*ngIf="!staticPermission; else static"
|
||||
*ngIf="!staticPermission && !item.readOnly; else readOnly"
|
||||
bitInput
|
||||
formControlName="permission"
|
||||
(blur)="handleBlur()"
|
||||
|
|
@ -45,15 +48,24 @@
|
|||
{{ p.labelId | i18n }}
|
||||
</option>
|
||||
</select>
|
||||
<ng-template #readOnly>
|
||||
<ng-container *ngIf="item.readOnly; else static">
|
||||
<div class="tw-overflow-hidden tw-overflow-ellipsis tw-whitespace-nowrap">
|
||||
{{ item.permission | i18n }}
|
||||
</div>
|
||||
</ng-container>
|
||||
</ng-template>
|
||||
<ng-template #static>
|
||||
<span>{{ staticPermission | i18n }}</span>
|
||||
</ng-template>
|
||||
</td>
|
||||
<td bitCell class="tw-w-0">
|
||||
<button
|
||||
*ngIf="!item.readOnly"
|
||||
type="button"
|
||||
bitIconButton="bwi-close"
|
||||
buttonType="main"
|
||||
[disabled]="disabled"
|
||||
size="default"
|
||||
[attr.title]="'remove' | i18n"
|
||||
[attr.aria-label]="'remove' | i18n"
|
||||
|
|
@ -84,7 +96,14 @@
|
|||
</bit-form-field>
|
||||
|
||||
<div class="tw-ml-3 tw-mt-7 tw-shrink-0">
|
||||
<button type="button" bitButton buttonType="secondary" (click)="addButton()">
|
||||
<button
|
||||
type="button"
|
||||
bitButton
|
||||
buttonType="secondary"
|
||||
[loading]="loading"
|
||||
[disabled]="disabled"
|
||||
(click)="addButton()"
|
||||
>
|
||||
{{ "add" | i18n }}
|
||||
</button>
|
||||
</div>
|
||||
|
|
|
|||
|
|
@ -35,6 +35,34 @@ export class AccessPolicySelectorComponent implements ControlValueAccessor, OnIn
|
|||
private notifyOnTouch: () => void;
|
||||
private pauseChangeNotification: boolean;
|
||||
|
||||
/**
|
||||
* Updates the enabled/disabled state of provided row form group based on the item's readonly state.
|
||||
* If a row is enabled, it also updates the enabled/disabled state of the permission control
|
||||
* based on the item's accessAllItems state and the current value of `permissionMode`.
|
||||
* @param controlRow - The form group for the row to update
|
||||
* @param item - The access item that is represented by the row
|
||||
*/
|
||||
private updateRowControlDisableState = (
|
||||
controlRow: FormGroup<ControlsOf<ApItemValueType>>,
|
||||
item: ApItemViewType,
|
||||
) => {
|
||||
// Disable entire row form group if readOnly
|
||||
if (item.readOnly || this.disabled) {
|
||||
controlRow.disable();
|
||||
} else {
|
||||
controlRow.enable();
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Updates the enabled/disabled state of ALL row form groups based on each item's readonly state.
|
||||
*/
|
||||
private updateAllRowControlDisableStates = () => {
|
||||
this.selectionList.forEachControlItem((controlRow, item) => {
|
||||
this.updateRowControlDisableState(controlRow as FormGroup<ControlsOf<ApItemValueType>>, item);
|
||||
});
|
||||
};
|
||||
|
||||
/**
|
||||
* The internal selection list that tracks the value of this form control / component.
|
||||
* It's responsible for keeping items sorted and synced with the rendered form controls
|
||||
|
|
@ -59,6 +87,9 @@ export class AccessPolicySelectorComponent implements ControlValueAccessor, OnIn
|
|||
currentUserInGroup: new FormControl(currentUserInGroup),
|
||||
currentUser: new FormControl(currentUser),
|
||||
});
|
||||
|
||||
this.updateRowControlDisableState(fg, item);
|
||||
|
||||
return fg;
|
||||
}, this._itemComparator.bind(this));
|
||||
|
||||
|
|
@ -100,7 +131,13 @@ export class AccessPolicySelectorComponent implements ControlValueAccessor, OnIn
|
|||
|
||||
set items(val: ApItemViewType[]) {
|
||||
if (val != null) {
|
||||
const selected = this.selectionList.formArray.getRawValue() ?? [];
|
||||
let selected = this.selectionList.formArray.getRawValue() ?? [];
|
||||
selected = selected.concat(
|
||||
val
|
||||
.filter((m) => m.readOnly)
|
||||
.map((m) => ({ id: m.id, type: m.type, permission: m.permission })),
|
||||
);
|
||||
|
||||
this.selectionList.populateItems(
|
||||
val.map((m) => {
|
||||
m.icon = m.icon ?? ApItemEnumUtil.itemIcon(m.type);
|
||||
|
|
@ -137,6 +174,9 @@ export class AccessPolicySelectorComponent implements ControlValueAccessor, OnIn
|
|||
} else {
|
||||
this.formGroup.enable();
|
||||
this.multiSelectFormGroup.enable();
|
||||
// The enable() above automatically enables all the row controls,
|
||||
// so we need to disable the readonly ones again
|
||||
this.updateAllRowControlDisableStates();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -149,6 +189,9 @@ export class AccessPolicySelectorComponent implements ControlValueAccessor, OnIn
|
|||
// Always clear the internal selection list on a new value
|
||||
this.selectionList.deselectAll();
|
||||
|
||||
// We need to also select any read only items to appear in the table
|
||||
this.selectionList.selectItems(this.items.filter((m) => m.readOnly).map((m) => m.id));
|
||||
|
||||
// If the new value is null, then we're done
|
||||
if (selectedItems == null) {
|
||||
this.pauseChangeNotification = false;
|
||||
|
|
|
|||
|
|
@ -347,6 +347,7 @@ function createApItemViewType(options: Partial<ApItemViewType> = {}) {
|
|||
labelName: options?.labelName ?? "test",
|
||||
type: options?.type ?? ApItemEnum.User,
|
||||
permission: options?.permission ?? ApPermissionEnum.CanRead,
|
||||
readOnly: options?.readOnly ?? false,
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,6 +5,9 @@ import {
|
|||
ServiceAccountPeopleAccessPoliciesView,
|
||||
UserServiceAccountAccessPolicyView,
|
||||
GroupServiceAccountAccessPolicyView,
|
||||
ServiceAccountGrantedPoliciesView,
|
||||
ServiceAccountProjectPolicyPermissionDetailsView,
|
||||
ServiceAccountProjectAccessPolicyView,
|
||||
} from "../../../../models/view/access-policy.view";
|
||||
|
||||
import { ApItemEnum } from "./enums/ap-item.enum";
|
||||
|
|
@ -76,3 +79,26 @@ export function convertToServiceAccountPeopleAccessPoliciesView(
|
|||
});
|
||||
return view;
|
||||
}
|
||||
|
||||
export function convertToServiceAccountGrantedPoliciesView(
|
||||
serviceAccountId: string,
|
||||
selectedPolicyValues: ApItemValueType[],
|
||||
): ServiceAccountGrantedPoliciesView {
|
||||
const view = new ServiceAccountGrantedPoliciesView();
|
||||
|
||||
view.grantedProjectPolicies = selectedPolicyValues
|
||||
.filter((x) => x.type == ApItemEnum.Project)
|
||||
.map((filtered) => {
|
||||
const detailView = new ServiceAccountProjectPolicyPermissionDetailsView();
|
||||
const policyView = new ServiceAccountProjectAccessPolicyView();
|
||||
policyView.serviceAccountId = serviceAccountId;
|
||||
policyView.grantedProjectId = filtered.id;
|
||||
policyView.read = ApPermissionEnumUtil.toRead(filtered.permission);
|
||||
policyView.write = ApPermissionEnumUtil.toWrite(filtered.permission);
|
||||
|
||||
detailView.accessPolicy = policyView;
|
||||
return detailView;
|
||||
});
|
||||
|
||||
return view;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ import { SelectItemView } from "@bitwarden/components";
|
|||
|
||||
import {
|
||||
ProjectPeopleAccessPoliciesView,
|
||||
ServiceAccountGrantedPoliciesView,
|
||||
ServiceAccountPeopleAccessPoliciesView,
|
||||
} from "../../../../models/view/access-policy.view";
|
||||
import { PotentialGranteeView } from "../../../../models/view/potential-grantee.view";
|
||||
|
|
@ -13,6 +14,12 @@ import { ApPermissionEnum, ApPermissionEnumUtil } from "./enums/ap-permission.en
|
|||
export type ApItemViewType = SelectItemView & {
|
||||
accessPolicyId?: string;
|
||||
permission?: ApPermissionEnum;
|
||||
/**
|
||||
* Flag that this item cannot be modified.
|
||||
* This will disable the permission editor and will keep
|
||||
* the item always selected.
|
||||
*/
|
||||
readOnly: boolean;
|
||||
} & (
|
||||
| {
|
||||
type: ApItemEnum.User;
|
||||
|
|
@ -47,6 +54,7 @@ export function convertToAccessPolicyItemViews(
|
|||
permission: ApPermissionEnumUtil.toApPermissionEnum(policy.read, policy.write),
|
||||
userId: policy.userId,
|
||||
currentUser: policy.currentUser,
|
||||
readOnly: false,
|
||||
});
|
||||
});
|
||||
|
||||
|
|
@ -60,12 +68,36 @@ export function convertToAccessPolicyItemViews(
|
|||
listName: policy.groupName,
|
||||
permission: ApPermissionEnumUtil.toApPermissionEnum(policy.read, policy.write),
|
||||
currentUserInGroup: policy.currentUserInGroup,
|
||||
readOnly: false,
|
||||
});
|
||||
});
|
||||
|
||||
return accessPolicies;
|
||||
}
|
||||
|
||||
export function convertGrantedPoliciesToAccessPolicyItemViews(
|
||||
value: ServiceAccountGrantedPoliciesView,
|
||||
): ApItemViewType[] {
|
||||
const accessPolicies: ApItemViewType[] = [];
|
||||
|
||||
value.grantedProjectPolicies.forEach((detailView) => {
|
||||
accessPolicies.push({
|
||||
type: ApItemEnum.Project,
|
||||
icon: ApItemEnumUtil.itemIcon(ApItemEnum.Project),
|
||||
id: detailView.accessPolicy.grantedProjectId,
|
||||
accessPolicyId: detailView.accessPolicy.id,
|
||||
labelName: detailView.accessPolicy.grantedProjectName,
|
||||
listName: detailView.accessPolicy.grantedProjectName,
|
||||
permission: ApPermissionEnumUtil.toApPermissionEnum(
|
||||
detailView.accessPolicy.read,
|
||||
detailView.accessPolicy.write,
|
||||
),
|
||||
readOnly: !detailView.hasPermission,
|
||||
});
|
||||
});
|
||||
return accessPolicies;
|
||||
}
|
||||
|
||||
export function convertPotentialGranteesToApItemViewType(
|
||||
grantees: PotentialGranteeView[],
|
||||
): ApItemViewType[] {
|
||||
|
|
@ -108,6 +140,7 @@ export function convertPotentialGranteesToApItemViewType(
|
|||
listName: listName,
|
||||
currentUserInGroup: granteeView.currentUserInGroup,
|
||||
currentUser: granteeView.currentUser,
|
||||
readOnly: false,
|
||||
};
|
||||
});
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,15 +18,17 @@ import {
|
|||
UserProjectAccessPolicyView,
|
||||
UserServiceAccountAccessPolicyView,
|
||||
ServiceAccountPeopleAccessPoliciesView,
|
||||
ServiceAccountGrantedPoliciesView,
|
||||
ServiceAccountProjectPolicyPermissionDetailsView,
|
||||
} from "../../models/view/access-policy.view";
|
||||
import { PotentialGranteeView } from "../../models/view/potential-grantee.view";
|
||||
import { AccessPoliciesCreateRequest } from "../../shared/access-policies/models/requests/access-policies-create.request";
|
||||
import { PeopleAccessPoliciesRequest } from "../../shared/access-policies/models/requests/people-access-policies.request";
|
||||
import { ProjectAccessPoliciesResponse } from "../../shared/access-policies/models/responses/project-access-policies.response";
|
||||
import { ServiceAccountGrantedPoliciesRequest } from "../access-policies/models/requests/service-account-granted-policies.request";
|
||||
|
||||
import { AccessPolicyUpdateRequest } from "./models/requests/access-policy-update.request";
|
||||
import { AccessPolicyRequest } from "./models/requests/access-policy.request";
|
||||
import { GrantedPolicyRequest } from "./models/requests/granted-policy.request";
|
||||
import {
|
||||
GroupServiceAccountAccessPolicyResponse,
|
||||
UserServiceAccountAccessPolicyResponse,
|
||||
|
|
@ -36,28 +38,21 @@ import {
|
|||
} from "./models/responses/access-policy.response";
|
||||
import { PotentialGranteeResponse } from "./models/responses/potential-grantee.response";
|
||||
import { ProjectPeopleAccessPoliciesResponse } from "./models/responses/project-people-access-policies.response";
|
||||
import { ServiceAccountGrantedPoliciesPermissionDetailsResponse } from "./models/responses/service-account-granted-policies-permission-details.response";
|
||||
import { ServiceAccountPeopleAccessPoliciesResponse } from "./models/responses/service-account-people-access-policies.response";
|
||||
import { ServiceAccountProjectPolicyPermissionDetailsResponse } from "./models/responses/service-account-project-policy-permission-details.response";
|
||||
|
||||
@Injectable({
|
||||
providedIn: "root",
|
||||
})
|
||||
export class AccessPolicyService {
|
||||
private _projectAccessPolicyChanges$ = new Subject<ProjectAccessPoliciesView>();
|
||||
private _serviceAccountGrantedPolicyChanges$ = new Subject<
|
||||
ServiceAccountProjectAccessPolicyView[]
|
||||
>();
|
||||
|
||||
/**
|
||||
* Emits when a project access policy is created or deleted.
|
||||
*/
|
||||
readonly projectAccessPolicyChanges$ = this._projectAccessPolicyChanges$.asObservable();
|
||||
|
||||
/**
|
||||
* Emits when a service account granted policy is created or deleted.
|
||||
*/
|
||||
readonly serviceAccountGrantedPolicyChanges$ =
|
||||
this._serviceAccountGrantedPolicyChanges$.asObservable();
|
||||
|
||||
constructor(
|
||||
private cryptoService: CryptoService,
|
||||
protected apiService: ApiService,
|
||||
|
|
@ -68,44 +63,6 @@ export class AccessPolicyService {
|
|||
this._projectAccessPolicyChanges$.next(null);
|
||||
}
|
||||
|
||||
async getGrantedPolicies(
|
||||
serviceAccountId: string,
|
||||
organizationId: string,
|
||||
): Promise<ServiceAccountProjectAccessPolicyView[]> {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/service-accounts/" + serviceAccountId + "/granted-policies",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
|
||||
const results = new ListResponse(r, ServiceAccountProjectAccessPolicyResponse);
|
||||
return await this.createServiceAccountProjectAccessPolicyViews(results.data, organizationId);
|
||||
}
|
||||
|
||||
async createGrantedPolicies(
|
||||
organizationId: string,
|
||||
serviceAccountId: string,
|
||||
policies: ServiceAccountProjectAccessPolicyView[],
|
||||
): Promise<ServiceAccountProjectAccessPolicyView[]> {
|
||||
const request = this.getGrantedPoliciesCreateRequest(policies);
|
||||
const r = await this.apiService.send(
|
||||
"POST",
|
||||
"/service-accounts/" + serviceAccountId + "/granted-policies",
|
||||
request,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
const results = new ListResponse(r, ServiceAccountProjectAccessPolicyResponse);
|
||||
const views = await this.createServiceAccountProjectAccessPolicyViews(
|
||||
results.data,
|
||||
organizationId,
|
||||
);
|
||||
this._serviceAccountGrantedPolicyChanges$.next(views);
|
||||
return views;
|
||||
}
|
||||
|
||||
async getProjectAccessPolicies(
|
||||
organizationId: string,
|
||||
projectId: string,
|
||||
|
|
@ -184,6 +141,40 @@ export class AccessPolicyService {
|
|||
return this.createServiceAccountPeopleAccessPoliciesView(results);
|
||||
}
|
||||
|
||||
async getServiceAccountGrantedPolicies(
|
||||
organizationId: string,
|
||||
serviceAccountId: string,
|
||||
): Promise<ServiceAccountGrantedPoliciesView> {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/service-accounts/" + serviceAccountId + "/granted-policies",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
|
||||
const result = new ServiceAccountGrantedPoliciesPermissionDetailsResponse(r);
|
||||
return await this.createServiceAccountGrantedPoliciesView(result, organizationId);
|
||||
}
|
||||
|
||||
async putServiceAccountGrantedPolicies(
|
||||
organizationId: string,
|
||||
serviceAccountId: string,
|
||||
policies: ServiceAccountGrantedPoliciesView,
|
||||
): Promise<ServiceAccountGrantedPoliciesView> {
|
||||
const request = this.getServiceAccountGrantedPoliciesRequest(policies);
|
||||
const r = await this.apiService.send(
|
||||
"PUT",
|
||||
"/service-accounts/" + serviceAccountId + "/granted-policies",
|
||||
request,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
|
||||
const result = new ServiceAccountGrantedPoliciesPermissionDetailsResponse(r);
|
||||
return await this.createServiceAccountGrantedPoliciesView(result, organizationId);
|
||||
}
|
||||
|
||||
async createProjectAccessPolicies(
|
||||
organizationId: string,
|
||||
projectId: string,
|
||||
|
|
@ -206,7 +197,6 @@ export class AccessPolicyService {
|
|||
async deleteAccessPolicy(accessPolicyId: string): Promise<void> {
|
||||
await this.apiService.send("DELETE", "/access-policies/" + accessPolicyId, null, true, false);
|
||||
this._projectAccessPolicyChanges$.next(null);
|
||||
this._serviceAccountGrantedPolicyChanges$.next(null);
|
||||
}
|
||||
|
||||
async updateAccessPolicy(baseAccessPolicyView: BaseAccessPolicyView): Promise<void> {
|
||||
|
|
@ -222,6 +212,158 @@ export class AccessPolicyService {
|
|||
);
|
||||
}
|
||||
|
||||
async getPeoplePotentialGrantees(organizationId: string) {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/organizations/" + organizationId + "/access-policies/people/potential-grantees",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
const results = new ListResponse(r, PotentialGranteeResponse);
|
||||
return await this.createPotentialGranteeViews(organizationId, results.data);
|
||||
}
|
||||
|
||||
async getServiceAccountsPotentialGrantees(organizationId: string) {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/organizations/" + organizationId + "/access-policies/service-accounts/potential-grantees",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
const results = new ListResponse(r, PotentialGranteeResponse);
|
||||
return await this.createPotentialGranteeViews(organizationId, results.data);
|
||||
}
|
||||
|
||||
async getProjectsPotentialGrantees(organizationId: string) {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/organizations/" + organizationId + "/access-policies/projects/potential-grantees",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
const results = new ListResponse(r, PotentialGranteeResponse);
|
||||
return await this.createPotentialGranteeViews(organizationId, results.data);
|
||||
}
|
||||
|
||||
protected async getOrganizationKey(organizationId: string): Promise<SymmetricCryptoKey> {
|
||||
return await this.cryptoService.getOrgKey(organizationId);
|
||||
}
|
||||
|
||||
protected getAccessPolicyRequest(
|
||||
granteeId: string,
|
||||
view:
|
||||
| UserProjectAccessPolicyView
|
||||
| UserServiceAccountAccessPolicyView
|
||||
| GroupProjectAccessPolicyView
|
||||
| GroupServiceAccountAccessPolicyView
|
||||
| ServiceAccountProjectAccessPolicyView,
|
||||
) {
|
||||
const request = new AccessPolicyRequest();
|
||||
request.granteeId = granteeId;
|
||||
request.read = view.read;
|
||||
request.write = view.write;
|
||||
return request;
|
||||
}
|
||||
|
||||
protected createBaseAccessPolicyView(
|
||||
response:
|
||||
| UserProjectAccessPolicyResponse
|
||||
| UserServiceAccountAccessPolicyResponse
|
||||
| GroupProjectAccessPolicyResponse
|
||||
| GroupServiceAccountAccessPolicyResponse
|
||||
| ServiceAccountProjectAccessPolicyResponse,
|
||||
) {
|
||||
return {
|
||||
id: response.id,
|
||||
read: response.read,
|
||||
write: response.write,
|
||||
creationDate: response.creationDate,
|
||||
revisionDate: response.revisionDate,
|
||||
};
|
||||
}
|
||||
|
||||
private async createPotentialGranteeViews(
|
||||
organizationId: string,
|
||||
results: PotentialGranteeResponse[],
|
||||
): Promise<PotentialGranteeView[]> {
|
||||
const orgKey = await this.getOrganizationKey(organizationId);
|
||||
return await Promise.all(
|
||||
results.map(async (r) => {
|
||||
const view = new PotentialGranteeView();
|
||||
view.id = r.id;
|
||||
view.type = r.type;
|
||||
view.email = r.email;
|
||||
view.currentUser = r.currentUser;
|
||||
view.currentUserInGroup = r.currentUserInGroup;
|
||||
|
||||
if (r.type === "serviceAccount" || r.type === "project") {
|
||||
view.name = r.name
|
||||
? await this.encryptService.decryptToUtf8(new EncString(r.name), orgKey)
|
||||
: null;
|
||||
} else {
|
||||
view.name = r.name;
|
||||
}
|
||||
return view;
|
||||
}),
|
||||
);
|
||||
}
|
||||
|
||||
private getServiceAccountGrantedPoliciesRequest(
|
||||
policies: ServiceAccountGrantedPoliciesView,
|
||||
): ServiceAccountGrantedPoliciesRequest {
|
||||
const request = new ServiceAccountGrantedPoliciesRequest();
|
||||
|
||||
request.projectGrantedPolicyRequests = policies.grantedProjectPolicies.map((detailView) => ({
|
||||
grantedId: detailView.accessPolicy.grantedProjectId,
|
||||
read: detailView.accessPolicy.read,
|
||||
write: detailView.accessPolicy.write,
|
||||
}));
|
||||
|
||||
return request;
|
||||
}
|
||||
|
||||
private async createServiceAccountGrantedPoliciesView(
|
||||
response: ServiceAccountGrantedPoliciesPermissionDetailsResponse,
|
||||
organizationId: string,
|
||||
): Promise<ServiceAccountGrantedPoliciesView> {
|
||||
const orgKey = await this.getOrganizationKey(organizationId);
|
||||
|
||||
const view = new ServiceAccountGrantedPoliciesView();
|
||||
view.grantedProjectPolicies =
|
||||
await this.createServiceAccountProjectPolicyPermissionDetailsViews(
|
||||
orgKey,
|
||||
response.grantedProjectPolicies,
|
||||
);
|
||||
return view;
|
||||
}
|
||||
|
||||
private async createServiceAccountProjectPolicyPermissionDetailsViews(
|
||||
orgKey: SymmetricCryptoKey,
|
||||
responses: ServiceAccountProjectPolicyPermissionDetailsResponse[],
|
||||
): Promise<ServiceAccountProjectPolicyPermissionDetailsView[]> {
|
||||
return await Promise.all(
|
||||
responses.map(async (response) => {
|
||||
return await this.createServiceAccountProjectPolicyPermissionDetailsView(orgKey, response);
|
||||
}),
|
||||
);
|
||||
}
|
||||
|
||||
private async createServiceAccountProjectPolicyPermissionDetailsView(
|
||||
orgKey: SymmetricCryptoKey,
|
||||
response: ServiceAccountProjectPolicyPermissionDetailsResponse,
|
||||
): Promise<ServiceAccountProjectPolicyPermissionDetailsView> {
|
||||
const view = new ServiceAccountProjectPolicyPermissionDetailsView();
|
||||
view.hasPermission = response.hasPermission;
|
||||
view.accessPolicy = await this.createServiceAccountProjectAccessPolicyView(
|
||||
orgKey,
|
||||
response.accessPolicy,
|
||||
);
|
||||
return view;
|
||||
}
|
||||
|
||||
private async createProjectAccessPoliciesView(
|
||||
organizationId: string,
|
||||
projectAccessPoliciesResponse: ProjectAccessPoliciesResponse,
|
||||
|
|
@ -393,147 +535,4 @@ export class AccessPolicyService {
|
|||
currentUserInGroup: response.currentUserInGroup,
|
||||
};
|
||||
}
|
||||
|
||||
async getPeoplePotentialGrantees(organizationId: string) {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/organizations/" + organizationId + "/access-policies/people/potential-grantees",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
const results = new ListResponse(r, PotentialGranteeResponse);
|
||||
return await this.createPotentialGranteeViews(organizationId, results.data);
|
||||
}
|
||||
|
||||
async getServiceAccountsPotentialGrantees(organizationId: string) {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/organizations/" + organizationId + "/access-policies/service-accounts/potential-grantees",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
const results = new ListResponse(r, PotentialGranteeResponse);
|
||||
return await this.createPotentialGranteeViews(organizationId, results.data);
|
||||
}
|
||||
|
||||
async getProjectsPotentialGrantees(organizationId: string) {
|
||||
const r = await this.apiService.send(
|
||||
"GET",
|
||||
"/organizations/" + organizationId + "/access-policies/projects/potential-grantees",
|
||||
null,
|
||||
true,
|
||||
true,
|
||||
);
|
||||
const results = new ListResponse(r, PotentialGranteeResponse);
|
||||
return await this.createPotentialGranteeViews(organizationId, results.data);
|
||||
}
|
||||
|
||||
protected async getOrganizationKey(organizationId: string): Promise<SymmetricCryptoKey> {
|
||||
return await this.cryptoService.getOrgKey(organizationId);
|
||||
}
|
||||
|
||||
protected getAccessPolicyRequest(
|
||||
granteeId: string,
|
||||
view:
|
||||
| UserProjectAccessPolicyView
|
||||
| UserServiceAccountAccessPolicyView
|
||||
| GroupProjectAccessPolicyView
|
||||
| GroupServiceAccountAccessPolicyView
|
||||
| ServiceAccountProjectAccessPolicyView,
|
||||
) {
|
||||
const request = new AccessPolicyRequest();
|
||||
request.granteeId = granteeId;
|
||||
request.read = view.read;
|
||||
request.write = view.write;
|
||||
return request;
|
||||
}
|
||||
|
||||
protected createBaseAccessPolicyView(
|
||||
response:
|
||||
| UserProjectAccessPolicyResponse
|
||||
| UserServiceAccountAccessPolicyResponse
|
||||
| GroupProjectAccessPolicyResponse
|
||||
| GroupServiceAccountAccessPolicyResponse
|
||||
| ServiceAccountProjectAccessPolicyResponse,
|
||||
) {
|
||||
return {
|
||||
id: response.id,
|
||||
read: response.read,
|
||||
write: response.write,
|
||||
creationDate: response.creationDate,
|
||||
revisionDate: response.revisionDate,
|
||||
};
|
||||
}
|
||||
|
||||
private async createPotentialGranteeViews(
|
||||
organizationId: string,
|
||||
results: PotentialGranteeResponse[],
|
||||
): Promise<PotentialGranteeView[]> {
|
||||
const orgKey = await this.getOrganizationKey(organizationId);
|
||||
return await Promise.all(
|
||||
results.map(async (r) => {
|
||||
const view = new PotentialGranteeView();
|
||||
view.id = r.id;
|
||||
view.type = r.type;
|
||||
view.email = r.email;
|
||||
view.currentUser = r.currentUser;
|
||||
view.currentUserInGroup = r.currentUserInGroup;
|
||||
|
||||
if (r.type === "serviceAccount" || r.type === "project") {
|
||||
view.name = r.name
|
||||
? await this.encryptService.decryptToUtf8(new EncString(r.name), orgKey)
|
||||
: null;
|
||||
} else {
|
||||
view.name = r.name;
|
||||
}
|
||||
return view;
|
||||
}),
|
||||
);
|
||||
}
|
||||
|
||||
private getGrantedPoliciesCreateRequest(
|
||||
policies: ServiceAccountProjectAccessPolicyView[],
|
||||
): GrantedPolicyRequest[] {
|
||||
return policies.map((ap) => {
|
||||
const request = new GrantedPolicyRequest();
|
||||
request.grantedId = ap.grantedProjectId;
|
||||
request.read = ap.read;
|
||||
request.write = ap.write;
|
||||
return request;
|
||||
});
|
||||
}
|
||||
|
||||
private async createServiceAccountProjectAccessPolicyViews(
|
||||
responses: ServiceAccountProjectAccessPolicyResponse[],
|
||||
organizationId: string,
|
||||
): Promise<ServiceAccountProjectAccessPolicyView[]> {
|
||||
const orgKey = await this.getOrganizationKey(organizationId);
|
||||
return await Promise.all(
|
||||
responses.map(async (response: ServiceAccountProjectAccessPolicyResponse) => {
|
||||
const view = new ServiceAccountProjectAccessPolicyView();
|
||||
view.id = response.id;
|
||||
view.read = response.read;
|
||||
view.write = response.write;
|
||||
view.creationDate = response.creationDate;
|
||||
view.revisionDate = response.revisionDate;
|
||||
view.serviceAccountId = response.serviceAccountId;
|
||||
view.grantedProjectId = response.grantedProjectId;
|
||||
view.serviceAccountName = response.serviceAccountName
|
||||
? await this.encryptService.decryptToUtf8(
|
||||
new EncString(response.serviceAccountName),
|
||||
orgKey,
|
||||
)
|
||||
: null;
|
||||
view.grantedProjectName = response.grantedProjectName
|
||||
? await this.encryptService.decryptToUtf8(
|
||||
new EncString(response.grantedProjectName),
|
||||
orgKey,
|
||||
)
|
||||
: null;
|
||||
return view;
|
||||
}),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
import { GrantedPolicyRequest } from "./granted-policy.request";
|
||||
|
||||
export class ServiceAccountGrantedPoliciesRequest {
|
||||
projectGrantedPolicyRequests?: GrantedPolicyRequest[];
|
||||
}
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
import { BaseResponse } from "@bitwarden/common/models/response/base.response";
|
||||
|
||||
import { ServiceAccountProjectPolicyPermissionDetailsResponse } from "./service-account-project-policy-permission-details.response";
|
||||
|
||||
export class ServiceAccountGrantedPoliciesPermissionDetailsResponse extends BaseResponse {
|
||||
grantedProjectPolicies: ServiceAccountProjectPolicyPermissionDetailsResponse[];
|
||||
|
||||
constructor(response: any) {
|
||||
super(response);
|
||||
const grantedProjectPolicies = this.getResponseProperty("GrantedProjectPolicies");
|
||||
this.grantedProjectPolicies = grantedProjectPolicies.map(
|
||||
(k: any) => new ServiceAccountProjectPolicyPermissionDetailsResponse(k),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
import { BaseResponse } from "@bitwarden/common/models/response/base.response";
|
||||
|
||||
import { ServiceAccountProjectAccessPolicyResponse } from "./access-policy.response";
|
||||
|
||||
export class ServiceAccountProjectPolicyPermissionDetailsResponse extends BaseResponse {
|
||||
accessPolicy: ServiceAccountProjectAccessPolicyResponse;
|
||||
hasPermission: boolean;
|
||||
|
||||
constructor(response: any) {
|
||||
super(response);
|
||||
this.accessPolicy = this.getResponseProperty("AccessPolicy");
|
||||
this.hasPermission = this.getResponseProperty("HasPermission");
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue