Skip to content

[PM-40336] Access Rules: API#7983

Draft
Hinton wants to merge 2 commits into
pam/access-rulefrom
pam/access-rule-api
Draft

[PM-40336] Access Rules: API#7983
Hinton wants to merge 2 commits into
pam/access-rulefrom
pam/access-rule-api

Conversation

@Hinton

@Hinton Hinton commented Jul 14, 2026

Copy link
Copy Markdown
Member

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-40336

📔 Objective

Add the commercial CRUD API for org-scoped PAM Access Rules, consuming the
domain and persistence layer from #7981. This PR is stacked on #7981 — review
and merge that first; GitHub will retarget this PR to main once it lands.

All endpoints are gated behind the pm-37044-pam-v-0 (FeatureFlagKeys.Pam)
feature flag, so nothing is reachable in production until PAM v0 ships. Access-rule
data (name, description, conditions) is organization configuration metadata, not
Vault Data — no zero-knowledge surface is touched.

What's included

API — bitwarden_license/src/Services/Pam

  • CRUD endpoints on the AccessRule group: GET (list), GET {id}, POST,
    PUT {id}, DELETE {id}, all org-scoped and feature-flag gated.
  • Request/response models (AccessRuleRequestModel, AccessRuleResponseModel),
    condition models (time-of-day, IP allowlist, human approval, weekday) with a
    custom AccessWeekday JSON converter.
  • Create/Update/Delete commands behind interfaces; AccessRuleValidator
    validating the conditions JSON (max 10 conditions, per-type rules; empty list is
    vacuously valid and still routes access through PAM for audit).
  • Audit events emitted via IAccessAuditEventEmitter for rule created/updated/deleted.
  • Command and validator unit tests.

📸 Screenshots

N/A — backend only.

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the commercial CRUD API for org-scoped PAM Access Rules (bitwarden_license/src/Services/Pam): the endpoints handler, request/response models, condition models with the custom AccessWeekday JSON converter, the create/update/delete commands, the conditions validator, and their unit tests. All endpoints are authorized via Policies.Application, org membership/admin checks, and gated behind FeatureFlagKeys.Pam at the group level, so nothing is reachable in production until PAM v0 ships. Access-rule data is organization configuration metadata, not Vault Data — no zero-knowledge surface is touched.

Code Review Details

No blocking findings.

Verification notes:

  • Authorization, feature gating, exception translation, and request validation are applied consistently at the group level in PamEndpointsExtensions; the handler additionally enforces org membership (read) and admin/owner (write), returning NotFoundException to avoid leaking existence.
  • Name-uniqueness is backed by the IX_AccessRule_OrganizationId_Name unique index, so the application-level duplicate check is a UX convenience rather than the sole guard against races.
  • Timezone validation via TimeZoneInfo.FindSystemTimeZoneById resolves IANA IDs correctly on the .NET 10 / Linux runtime.
  • PamDateTimeExtensions.AsUtc correctly relabels Dapper's unspecified-kind timestamps as UTC (using SpecifyKind, not ToUniversalTime) so clients don't shift the instant.
  • Command and validator unit tests cover the happy paths, authorization/ownership boundaries, collection validation, duplicate-name and extension-config edge cases.

@Hinton Hinton marked this pull request as draft July 14, 2026 17:36
@Hinton Hinton force-pushed the pam/access-rule branch from 79f7f4f to 51d6075 Compare July 14, 2026 17:57
@Hinton Hinton force-pushed the pam/access-rule-api branch 2 times, most recently from 0351a28 to 37a5507 Compare July 14, 2026 18:06
@Hinton Hinton force-pushed the pam/access-rule branch from 51d6075 to f5a81b6 Compare July 14, 2026 18:14
@Hinton Hinton force-pushed the pam/access-rule-api branch from 37a5507 to a85b172 Compare July 14, 2026 18:14
@Hinton Hinton force-pushed the pam/access-rule branch from f5a81b6 to 74777a5 Compare July 14, 2026 18:16
@Hinton Hinton force-pushed the pam/access-rule-api branch from a85b172 to 9c09687 Compare July 14, 2026 18:16
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 63.30049% with 149 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (pam/access-rule@74777a5). Learn more about missing BASE report.

Files with missing lines Patch % Lines
...i/Endpoints/Handlers/AccessRuleEndpointsHandler.cs 0.00% 48 Missing ⚠️
...Pam/Api/Models/Response/AccessRuleResponseModel.cs 0.00% 39 Missing ⚠️
...s/Pam/Api/Models/Request/AccessRuleRequestModel.cs 0.00% 18 Missing ⚠️
...e/src/Services/Pam/Services/AccessRuleValidator.cs 79.74% 11 Missing and 5 partials ⚠️
...am/Models/Conditions/AccessWeekdayJsonConverter.cs 56.66% 12 Missing and 1 partial ⚠️
...zationFeatures/Commands/UpdateAccessRuleCommand.cs 85.54% 8 Missing and 4 partials ⚠️
...s/Pam/Api/Models/Response/PamDateTimeExtensions.cs 0.00% 2 Missing ⚠️
...zationFeatures/Commands/CreateAccessRuleCommand.cs 98.43% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@                Coverage Diff                 @@
##             pam/access-rule    #7983   +/-   ##
==================================================
  Coverage                   ?   61.99%           
==================================================
  Files                      ?     2293           
  Lines                      ?   100067           
  Branches                   ?     9029           
==================================================
  Hits                       ?    62035           
  Misses                     ?    35848           
  Partials                   ?     2184           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Hinton Hinton force-pushed the pam/access-rule branch from 74777a5 to 268b892 Compare July 14, 2026 19:05
@Hinton Hinton force-pushed the pam/access-rule-api branch from 9c09687 to 56c6cac Compare July 14, 2026 19:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant