Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AC-2877] Make OrganizationUser.AccessAll optional #4521

Merged
merged 12 commits into from
Jul 24, 2024
Merged

[AC-2877] Make OrganizationUser.AccessAll optional #4521

merged 12 commits into from
Jul 24, 2024

Conversation

eliykat
Copy link
Member

@eliykat eliykat commented Jul 17, 2024
edited
Loading

🎟️ Tracking

https://bitwarden.atlassian.net/browse/AC-2877

📔 Objective

Step 1 of the EDD cycle in removing OrganizationUser.AccessAll from the database.

These changes fall into 3 categories:

Views

  • ./dbo/Views/OrganizationUserUserDetailsView.sql

This can be updated to remove AccessAll with no versioning, as Dapper mapping ignores missing and/or excess columns on read operations. It is already unused in the code.

Sprocs that do not use user-defined types

  • ./dbo/Stored Procedures/OrganizationUser_Create.sql
  • ./dbo/Stored Procedures/OrganizationUser_CreateWithCollections.sql
  • ./dbo/Stored Procedures/OrganizationUser_Update.sql
    -./dbo/Stored Procedures/OrganizationUser_UpdateWithCollections.sql

These set a default value of @AccessAll = 0 so that we can support 2 versions of the code (with and without the value).

User-defined types

  • ./dbo/User Defined Types/OrganizationUserType2.sql
  • ./dbo/Stored Procedures/OrganizationUser_CreateMany2.sql
  • ./dbo/Stored Procedures/OrganizationUser_UpdateMany2.sql

These are harder to update, you can't have optional columns on types, so we have to do it by versioning. Here we were already on version 2 so I've taken the opportunity to copy it back to a non-versioned name.

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@codecov Codecov
Copy link

codecov bot commented Jul 17, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 41.64%. Comparing base (1ac2f39) to head (caba1cf).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4521   +/-   ##
=======================================
  Coverage   41.64%   41.64%           
=======================================
  Files        1271     1271           
  Lines       60187    60187           
  Branches     5527     5527           
=======================================
  Hits        25066    25066           
  Misses      33951    33951           
  Partials     1170     1170

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 17, 2024
edited
Loading

Logo
Checkmarx One – Scan Summary & Details148bf2d7-eeb6-4b4a-8197-7a67991e7b43

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Privacy_Violation /src/Api/Auth/Controllers/TwoFactorController.cs: 445 Attack Vector
MEDIUM Privacy_Violation /src/Api/Auth/Controllers/WebAuthnController.cs: 178 Attack Vector
MEDIUM Privacy_Violation /src/Api/Controllers/DevicesController.cs: 133 Attack Vector
MEDIUM Privacy_Violation /src/Api/Auth/Controllers/AccountsController.cs: 549 Attack Vector
MEDIUM Privacy_Violation /src/Api/Auth/Controllers/AccountsController.cs: 829 Attack Vector
MEDIUM Privacy_Violation /src/Api/Auth/Controllers/AccountsController.cs: 847 Attack Vector
MEDIUM Privacy_Violation /src/Api/Vault/Controllers/CiphersController.cs: 953 Attack Vector
MEDIUM Privacy_Violation /src/Api/Auth/Controllers/AccountsController.cs: 412 Attack Vector
MEDIUM Privacy_Violation /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 260 Attack Vector
MEDIUM Privacy_Violation /src/Api/Controllers/DevicesController.cs: 159 Attack Vector
MEDIUM Privacy_Violation /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 429 Attack Vector
MEDIUM Privacy_Violation /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 376 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/WebAuthnController.cs: 153 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/WebAuthnController.cs: 85 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/WebAuthnController.cs: 68 Attack Vector
LOW Log_Forging /src/Api/Vault/Controllers/CiphersController.cs: 217 Attack Vector
LOW Log_Forging /src/Api/Vault/Controllers/CiphersController.cs: 945 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 404 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 839 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 821 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 541 Attack Vector
LOW Log_Forging /src/Api/Controllers/DevicesController.cs: 124 Attack Vector
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 240 Attack Vector
LOW Log_Forging /src/Api/Controllers/DevicesController.cs: 150 Attack Vector
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 341 Attack Vector
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 404 Attack Vector

Fixed Issues

Severity Issue Source File / Package
MEDIUM CSRF /src/Billing/Controllers/StripeController.cs: 117
MEDIUM CSRF /src/Billing/Controllers/StripeController.cs: 130
MEDIUM CSRF /src/Api/Public/Controllers/CollectionsController.cs: 87
MEDIUM CSRF /src/Api/Controllers/CollectionsController.cs: 171
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 646
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 577
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 577
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 107
MEDIUM CSRF /src/Identity/Controllers/AccountsController.cs: 75
MEDIUM CSRF /src/Api/Controllers/DevicesController.cs: 61
MEDIUM CSRF /src/Api/Controllers/DevicesController.cs: 74
LOW Log_Forging /src/Api/Vault/Controllers/CiphersController.cs: 577

@eliykat eliykat changed the title Make OrganizationUser.AccessAll optional in database [AC-2877] Make OrganizationUser.AccessAll optional in database Jul 18, 2024
@eliykat eliykat changed the title [AC-2877] Make OrganizationUser.AccessAll optional in database [AC-2877] Make OrganizationUser.AccessAll optional Jul 18, 2024
@eliykat eliykat marked this pull request as ready for review July 18, 2024 01:54
@eliykat eliykat requested a review from a team as a code owner July 18, 2024 01:54
@eliykat
Copy link
Member Author

eliykat commented Jul 24, 2024

The UpdateMany and CreateMany sprocs have been updated to remove the type and use json parsing instead.

rkac-bw
rkac-bw approved these changes Jul 24, 2024
View reviewed changes
Copy link
Contributor

@rkac-bw rkac-bw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@eliykat eliykat merged commit 2d762f8 into main Jul 24, 2024
52 checks passed
@eliykat eliykat deleted the ac/ac-2877/update-organizationuser-sprocs-to-make-accessall-nullable branch July 24, 2024 04:29
@eliykat eliykat mentioned this pull request Aug 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rkac-bw rkac-bw rkac-bw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eliykat @rkac-bw