server [SM-923] Project Service Account Access policy server side changes

Type of change

- [ ] Bug fix
- [ ] New feature development
- [ x ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Code changes

file.ext: Description of what was changed and why

Before you submit

Please check for formatting errors (dotnet format --verify-no-changes) (required)
If making database changes - make sure you also update Entity Framework queries and/or migrations
Please add unit tests where it makes sense to do so (encouraged but not required)
If this change requires a documentation update - notify the documentation team
If this change has particular deployment requirements - notify the DevOps team

Dec 05 '23 21:12 cd-bitwarden

I plan on writing the tests after the initial PR review

Dec 05 '23 21:12 cd-bitwarden

Logo Checkmarx One – Scan Summary & Details – b46c59e5-07a1-42c9-8141-7a7cd850352e

New Issues

Issue	Source File / Package	Checkmarx Insight
CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 745	Attack Vector
CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 321	Attack Vector
CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 250	Attack Vector
CSRF	/src/Api/Controllers/CollectionsController.cs: 203	Attack Vector
CSRF	/src/Api/Controllers/CollectionsController.cs: 80	Attack Vector
CSRF	/src/Api/Controllers/CollectionsController.cs: 51	Attack Vector
Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 147	Attack Vector
Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 215	Attack Vector
Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 211	Attack Vector
Privacy_Violation	/src/Core/Services/Implementations/UserService.cs: 656	Attack Vector
Privacy_Violation	/src/Core/Services/Implementations/UserService.cs: 656	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 34	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 31	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 21	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 18	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Users/Edit.cshtml: 66	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Users/Edit.cshtml: 63	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Users/Edit.cshtml: 51	Attack Vector
Client_DOM_Open_Redirect	/src/Admin/Views/Users/Edit.cshtml: 48	Attack Vector
Log_Forging	/src/Api/Controllers/AccountsController.cs: 104	Attack Vector
Log_Forging	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 102	Attack Vector
Log_Forging	/src/Api/Controllers/OrganizationSponsorshipsController.cs: 68	Attack Vector
Log_Forging	/src/Identity/Controllers/AccountsController.cs: 39	Attack Vector
Log_Forging	/src/Api/Controllers/OrganizationSponsorshipsController.cs: 97	Attack Vector
Log_Forging	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 116	Attack Vector
Log_Forging	/src/Api/Controllers/OrganizationSponsorshipsController.cs: 97	Attack Vector
Log_Forging	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 116	Attack Vector
Log_Forging	/src/Api/Controllers/OrganizationSponsorshipsController.cs: 97	Attack Vector
Log_Forging	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 116	Attack Vector

Fixed Issues

Severity	Issue	Source File / Package
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 288
	CSRF	/src/Api/Controllers/CollectionsController.cs: 278
	CSRF	/src/Api/Controllers/CollectionsController.cs: 237
	CSRF	/src/Api/Auth/Controllers/WebAuthnController.cs: 97
	CSRF	/src/Api/Auth/Controllers/WebAuthnController.cs: 68
	CSRF	/src/Api/Auth/Controllers/WebAuthnController.cs: 42
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationsController.cs: 369
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 745
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 324
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 255
	CSRF	/src/Api/Controllers/ConfigController.cs: 28
	Healthcheck Not Set	/docker-compose.yml: 26
	Healthcheck Not Set	/docker-compose.override.yml: 4
	Healthcheck Not Set	/docker-compose.yml: 4
	Healthcheck Not Set	/docker-compose.yml: 11
	Host Namespace is Shared	/docker-compose.yml: 4
	Host Namespace is Shared	/docker-compose.override.yml: 4
	Host Namespace is Shared	/docker-compose.yml: 11
	Host Namespace is Shared	/docker-compose.yml: 26
	Memory Not Limited	/docker-compose.yml: 26
	Memory Not Limited	/docker-compose.yml: 11
	Memory Not Limited	/docker-compose.override.yml: 4
	Memory Not Limited	/docker-compose.yml: 4
	Networks Not Set	/docker-compose.yml: 11
	Networks Not Set	/docker-compose.yml: 4
	Networks Not Set	/docker-compose.override.yml: 4
	Networks Not Set	/docker-compose.yml: 26
	Privacy_Violation	/src/Core/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommand.cs: 59
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 147
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 215
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 211
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 188
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 187
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 178
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 173
	Privacy_Violation	/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs: 157
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 147
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 215
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 211
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 188
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 187
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 178
	Privacy_Violation	/src/Core/Services/Implementations/RelayPushNotificationService.cs: 173
	Privacy_Violation	/src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs: 157
	Privacy_Violation	/src/Core/Services/Implementations/UserService.cs: 549
	Privacy_Violation	/src/Core/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommand.cs: 59
	Security Opt Not Set	/docker-compose.yml: 11
	Security Opt Not Set	/docker-compose.override.yml: 4
	Security Opt Not Set	/docker-compose.yml: 4
	Security Opt Not Set	/docker-compose.yml: 26
	Unpinned Actions Full Length Commit SHA	/build.yml: 538
	Unpinned Actions Full Length Commit SHA	/build.yml: 613
	Unpinned Actions Full Length Commit SHA	/container-registry-purge.yml: 95
	Unpinned Actions Full Length Commit SHA	/build.yml: 280
	Unpinned Actions Full Length Commit SHA	/version-bump.yml: 47
	Unpinned Actions Full Length Commit SHA	/release.yml: 92
	Unpinned Actions Full Length Commit SHA	/release.yml: 44
	Unpinned Actions Full Length Commit SHA	/version-bump.yml: 26
	Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 37
	Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 34
	Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 23
	Client_DOM_Open_Redirect	/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml: 20
	Container Capabilities Unrestricted	/docker-compose.override.yml: 4
	Container Capabilities Unrestricted	/docker-compose.yml: 4
	Container Capabilities Unrestricted	/docker-compose.yml: 26
	Container Capabilities Unrestricted	/docker-compose.yml: 11
	Cpus Not Limited	/docker-compose.yml: 4
	Cpus Not Limited	/docker-compose.yml: 26
	Cpus Not Limited	/docker-compose.yml: 11
	Cpus Not Limited	/docker-compose.override.yml: 4
	Heap_Inspection	/src/Core/Constants.cs: 87
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 117
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 114
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 64
	Log_Forging	/src/Api/Auth/Controllers/WebAuthnController.cs: 68
	Log_Forging	/src/Api/Auth/Controllers/WebAuthnController.cs: 68
	Log_Forging	/src/Api/Controllers/PushController.cs: 53
	Log_Forging	/src/Api/Controllers/DevicesController.cs: 88
	Log_Forging	/src/Api/Controllers/DevicesController.cs: 169
	Log_Forging	/src/Api/Controllers/PushController.cs: 38
	Log_Forging	/src/Api/Controllers/PushController.cs: 61
	Log_Forging	/src/Api/Controllers/DevicesController.cs: 88
	Log_Forging	/src/Api/Controllers/DevicesController.cs: 169
	Log_Forging	/src/Api/Controllers/PushController.cs: 38
	Log_Forging	/src/Api/Controllers/PushController.cs: 61
	Log_Forging	/src/Api/Controllers/PushController.cs: 53
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 87
	Use_Of_Hardcoded_Password	/test/Core.Test/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommandTests.cs: 62

Dec 08 '23 01:12 bitwarden-bot

@Thomas-Avery other than any changes you request to my most recent push, I just need a little help knowing which tests to add/remove/update :)

Dec 13 '23 21:12 cd-bitwarden

Codecov Report

Attention: 34 lines in your changes are missing coverage. Please review.

Comparison is base (6fbb790) 32.04% compared to head (8b0eca4) 32.24%. Report is 2 commits behind head on main.

Files	Patch %	Lines
...retsManager/Repositories/AccessPolicyRepository.cs	70.37%	11 Missing and 5 partials :warning:
...tsManager/Repositories/ServiceAccountRepository.cs	81.25%	4 Missing and 2 partials :warning:
...pi/SecretsManager/Utilities/AccessPolicyHelpers.cs	80.00%	4 Missing and 1 partial :warning:
...ojectServiceAccountsAccessPoliciesResponseModel.cs	81.25%	2 Missing and 1 partial :warning:
...rviceAccountsAccessPoliciesAuthorizationHandler.cs	97.82%	0 Missing and 1 partial :warning:
...ager/Models/Request/AccessPoliciesCreateRequest.cs	50.00%	1 Missing :warning:
...odels/Data/ProjectServiceAccountsAccessPolicies.cs	90.90%	0 Missing and 1 partial :warning:
.../Repositories/Noop/NoopServiceAccountRepository.cs	0.00%	1 Missing :warning:

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3524      +/-   ##
==========================================
+ Coverage   32.04%   32.24%   +0.19%     
==========================================
  Files        1211     1217       +6     
  Lines       63252    63448     +196     
  Branches     4816     4840      +24     
==========================================
+ Hits        20272    20460     +188     
- Misses      41935    41937       +2     
- Partials     1045     1051       +6

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

Jan 10 '24 19:01 codecov[bot]

Closing this work moved to https://github.com/bitwarden/server/pull/3993

Apr 23 '24 14:04 Thomas-Avery

server server copied to clipboard

[SM-923] Project Service Account Access policy server side changes

Type of change

Objective

Code changes

Before you submit

New Issues

Fixed Issues

Codecov Report

server
server copied to clipboard