PM-31923 adding the whole report endpoints v2

[prograhamming]

🎟️ Tracking

This is a PR for user story PM-31923

📔 Objective

Creating new V2 endpoints for read and update operations on the whole report in the database. This will also include the logic for saving a reportData file in Azure Blob storage and server if self-hosted.

Documentation:

• Get latest report -> PM-31923_OrganizationReports_GetLatestOrganizationReportAsync.md
• Get report by Id -> PM-31923_OrganizationReports_GetOrganizationReportAsync.md
• Create report -> PM-31923_OrganizationReports_CreateOrganizationReportAsync.md
• Update report metadata -> PM-31923_OrganizationReports_UpdateOrganizationReport.md
• Get Summary data by date range -> PM-31923_OrganizationReports_DIRT-GetOrganizationReportSummaryDataByDateRange.md
• Upload report file [self-hosted] -> PM-31923_OrganizationReports_UploadReportFile.md
• Download report file [self-hosted] -> PM-31923_OrganizationReports_DownloadReportFileAsync.md
• Validate Azure file [cloud] -> PM-31923_OrganizationReports_AzureValidateFileAsync.md

[Banrion]

⚠️ When azure blob storage and access intelligence v2 is in production and older code removed, we can remove this limit increase since the file will be uploaded through different endpoints. Leaving this for a bump in legacy upload to the database is fine.

We need to confirm the response can support returning the large data file with the bump in the increased limit. Alternatively, we can remove this since the previous version for v1 (database-stored) reports already had this limitation. I suggest just removing it to keep the legacy save the same as before and reduce additional testing needed.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: REQUEST CHANGES

This PR introduces V2 organization report endpoints with Azure Blob Storage integration and self-hosted file storage for Access Intelligence. It adds create, update, delete, renew-upload-URL, upload, download, and Azure Event Grid validation endpoints, all gated behind the AccessIntelligenceVersion2 feature flag. The controller constructor now takes 18 dependencies. Test coverage has been significantly expanded but still has gaps for the upload and download paths.

Code Review Details

All findings below were posted in previous review rounds and remain unresolved in the current code:

• ❌ : IDOR -- organizationId is accepted but never used to verify report ownership in GetOrganizationReportApplicationDataQuery
  • src/Core/Dirt/Reports/ReportFeatures/GetOrganizationReportApplicationDataQuery.cs:34
• ⚠️ : Transient storage errors in ValidateOrganizationReportFileCommand cause permanent report deletion
  • src/Core/Dirt/Reports/ReportFeatures/ValidateOrganizationReportFileCommand.cs:35-56
• ⚠️ : Upload endpoint does not check fileData.Validated -- allows overwriting an already-validated file
  • src/Api/Dirt/Controllers/OrganizationReportsController.cs:499-503
• ⚠️ : Download endpoint serves unvalidated files on self-hosted instances
  • src/Api/Dirt/Controllers/OrganizationReportsController.cs:571-576
• ⚠️ : Missing test coverage for UploadReportFileAsync and DownloadReportFileAsync controller endpoints
  • test/Api.Test/Dirt/OrganizationReportsControllerTests.cs:1267
• ⚠️ : Missing test for file size exceeding maximum limit in V2 create path
  • test/Api.Test/Dirt/OrganizationReportsControllerTests.cs:265
• ⚠️ : Missing validation tests for 3 out of 5 validation paths in CreateOrganizationReportCommand
  • test/Core.Test/Dirt/ReportFeatures/CreateOrganizationReportCommandTests.cs:138

No new findings were identified in this review round. The above findings from prior rounds should be addressed before merging.

[claude]

⚠️ IMPORTANT: Missing fileData.Validated check allows re-uploading to already-validated reports

Details and fix

RenewFileUploadUrlAsync (line 382) correctly rejects validated files with fileData.Validated in its guard clause, but this upload endpoint does not. On self-hosted instances, an authorized user could overwrite an already-validated report file with different content. The new file would pass size validation (within the 1 MB leeway) and the report would be silently updated.

Add the same fileData.Validated check used by the renew endpoint:

Suggested change

	if (fileData == null || fileData.Id != reportFileId)
	{
	throw new NotFoundException("Organization report data not found.");
	throw new NotFoundException();
	}
	if (fileData == null || fileData.Id != reportFileId || fileData.Validated)
	{
	throw new NotFoundException();
	}

[Banrion]

@prograhamming I think this is worth following up on.

[claude]

⚠️ IMPORTANT: Missing validation tests for 3 out of 5 validation paths in CreateOrganizationReportCommand.ValidateRequestAsync

Details and fix

The source (CreateOrganizationReportCommand.cs lines 104-117) validates SummaryData, ApplicationData, and ReportMetrics as required fields, but this test file only covers invalid organization and missing ContentEncryptionKey.

Missing test cases:

• CreateAsync_MissingSummaryData_ThrowsBadRequestException
• CreateAsync_MissingApplicationData_ThrowsBadRequestException
• CreateAsync_MissingReportMetrics_ThrowsBadRequestException

These are the same patterns already tested for UpdateOrganizationReportV2Command (which has full validation coverage in UpdateOrganizationReportV2CommandTests.cs lines 122-219), but they are absent here.

[claude]

⚠️ IMPORTANT: No test coverage for UploadReportFileAsync and DownloadReportFileAsync controller endpoints

Details and fix

Two significant new endpoints have zero test coverage:

UploadReportFileAsync (controller line 474) -- the self-hosted file upload endpoint that validates content type, checks report ownership, streams the file, validates size with leeway, and either marks the file as validated or deletes the report. This contains security-relevant logic (authorization, org mismatch check, file size validation with leeway calculation, cleanup on failure).

DownloadReportFileAsync (controller line 546) -- the self-hosted file download endpoint that validates ownership and streams the file. This is a data access path that should verify authorization and org-mismatch rejection.

At minimum, the following test cases should exist for DownloadReportFileAsync:

• Success case returns FileStreamResult
• Report not found throws NotFoundException
• Org mismatch throws BadRequestException
• No file data throws NotFoundException
• Without access throws NotFoundException

And for UploadReportFileAsync (if Request mocking is feasible with the test harness):

• Missing reportFileId throws BadRequestException
• Report not found throws NotFoundException
• Org mismatch throws BadRequestException
• File ID mismatch throws NotFoundException

[claude]

⚠️ IMPORTANT: Missing test for file size exceeding maximum limit in V2 create path

Details and fix

The controller (OrganizationReportsController.cs lines 114-116) rejects file sizes exceeding Constants.FileSize501mb with a BadRequestException("Max file size is 500 MB."). This file-size cap is a security control preventing storage abuse, but there is no test verifying it.

Add a test case such as:

[Theory, BitAutoData]
public async Task CreateOrganizationReportAsync_V2_FileSizeExceedsMax_ThrowsBadRequestException(
    SutProvider<OrganizationReportsController> sutProvider,
    Guid orgId,
    AddOrganizationReportRequestModel request)
{
    request.FileSize = Constants.FileSize501mb + 1;
    SetupV2Authorization(sutProvider, orgId);

    var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
        sutProvider.Sut.CreateOrganizationReportAsync(orgId, request));
    Assert.Equal("Max file size is 500 MB.", exception.Message);
}

[claude]

❌ CRITICAL: The organizationId parameter is accepted but never used to verify the report belongs to that organization, creating an IDOR (Insecure Direct Object Reference) vulnerability.

Details and fix

A user with access to Organization A could call GET /reports/organizations/{orgA}/data/application/{reportId-from-orgB} and retrieve Organization B's application data. The controller authorizes the caller against organizationId, but this query fetches data solely by reportId without verifying ownership.

Compare with the controller's GetOrganizationReportAsync endpoint (line 199) which correctly checks report.OrganizationId != organizationId after fetching.

Suggested fix: After fetching the data, verify the report belongs to the requested organization. This requires either:

1. Having the repository return the OrganizationId alongside the application data so it can be checked here, or
2. Fetching the full report first to verify ownership, then returning the application data:

var report = await _organizationReportRepo.GetByIdAsync(reportId);
if (report == null || report.OrganizationId != organizationId)
{
    throw new NotFoundException("Organization report application data not found.");
}

var applicationDataResponse = await _organizationReportRepo.GetApplicationDataAsync(reportId);

Note: The same pattern exists in GetOrganizationReportSummaryDataQuery (outside this review scope).

[Banrion]

❌ @prograhamming We should address this

[claude]

⚠️ IMPORTANT: Conditional null-checks here are dead code because ValidateRequestAsync already rejects requests where any of these fields are null or whitespace.

Details and fix

The validation at lines 108-127 requires ContentEncryptionKey, SummaryData, ApplicationData, and ReportMetrics to all be non-null and non-whitespace. Since validation runs before this code, none of these if (request.X != null) branches can ever evaluate to false.

This creates a contradiction with the PATCH HTTP method used by the controller endpoint, which conventionally implies partial updates. As written, every update requires all fields, making it behave like a PUT.

Either:

1. Remove the required validations in ValidateRequestAsync to allow true partial updates (consistent with PATCH semantics and this conditional logic), or
2. Remove the conditional null-checks here and assign unconditionally (consistent with the current validation requiring all fields)

[Banrion]

@prograhamming Can we address this?

[claude]

🔴 CRITICAL: IDOR — organizationId is accepted but never used to verify report ownership

The organizationId parameter is validated for emptiness but never used to verify that the fetched report actually belongs to the requesting organization. The repository method GetApplicationDataAsync(reportId) fetches data by reportId alone.

Impact: A user with AccessReports permission on Organization A could retrieve Organization B's application data by calling this endpoint with Org A's ID but Org B's reportId. The controller authorizes the caller against the URL's organizationId, but the query bypasses that by fetching solely on reportId.

Every other endpoint in this controller (e.g., GetOrganizationReportAsync, UpdateOrganizationReportAsync, DeleteOrganizationReportAsync, DownloadReportFileAsync) fetches the report and then checks report.OrganizationId != organizationId — this query is the outlier.

Suggested fix: Fetch the full report first (or add an org filter to the repository query), then verify report.OrganizationId == organizationId before returning the application data.

Suggested change

	var applicationDataResponse = await _organizationReportRepo.GetApplicationDataAsync(reportId);
	if (applicationDataResponse == null)
	{
	_logger.LogError(ex, "Error fetching organization report application data for organization {organizationId} and report {reportId}",
	organizationId, reportId);
	throw;
	throw new NotFoundException("Organization report application data not found.");
	}
	return applicationDataResponse;
	var report = await _organizationReportRepo.GetByIdAsync(reportId);
	if (report == null || report.OrganizationId != organizationId)
	{
	throw new NotFoundException("Organization report application data not found.");
	}
	var applicationDataResponse = await _organizationReportRepo.GetApplicationDataAsync(reportId);
	if (applicationDataResponse == null)
	{
	throw new NotFoundException("Organization report application data not found.");
	}
	return applicationDataResponse;

[Banrion]

Duplicate of https://github.com/bitwarden/server/pull/7228/changes#r3045900231

[claude]

🟡 IMPORTANT: Download endpoint serves unvalidated files (self-hosted)

DownloadReportFileAsync does not check fileData.Validated before serving the file. The cloud path in GetOrganizationReportAsync (line 212) and GetLatestOrganizationReportAsync (line 165) only exposes download URLs when Validated == true. Self-hosted instances would serve files that haven't passed size validation.

Consider adding:

Suggested change

	var fileData = report.GetReportFile();
	if (fileData == null)
	{
	throw new BadRequestException("Report ID in the request body must match the route parameter");
	throw new NotFoundException();
	}
	var fileData = report.GetReportFile();
	if (fileData == null || !fileData.Validated)
	{
	throw new NotFoundException();
	}

[Banrion]

Will be addressed in iterative work for file validation

[claude]

🟣 SUGGESTION: Dead conditional branches — validation makes null checks unreachable

ValidateRequestAsync (lines 108-126) requires all four fields (ContentEncryptionKey, SummaryData, ApplicationData, ReportMetrics) to be non-null/non-empty. Since validation runs before update logic, these if (field != null) guards are dead code — the null branch is unreachable.

This also contradicts the [HttpPatch] semantics of the controller endpoint, which implies partial updates should be supported.

If this is intentionally a full replacement (not a partial patch), consider either:

1. Removing the null guards (since they're dead code), or
2. Changing the HTTP verb to PUT to accurately reflect semantics

If partial updates are desired, relax the validation to allow optional fields.

[claude]

🟡 IMPORTANT: Missing test coverage for UploadReportFileAsync and DownloadReportFileAsync

The two new self-hosted endpoints (UploadReportFileAsync and DownloadReportFileAsync) have zero test coverage. These endpoints contain authorization checks, org-ownership validation, file-size validation with cleanup-on-failure logic, and the validated-file guard that is currently missing (see other comment). Tests for these paths would help catch the inconsistencies flagged elsewhere in this review.

Additionally, the V2 create path's file-size cap (Constants.FileSize501mb rejection at controller line 114-116) is untested.

[sonarqubecloud]

Quality Gate passed

Issues
14 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
2.5% Duplication on New Code

See analysis details on SonarQube Cloud

[Banrion]

Only one blocking change request, the IDOR comment.

[Banrion]

⚠️ Suggestion to rename the route. The "/report-data" can be confused as sub-resources.

Suggested change

	[HttpPost("{organizationId}/{reportId}/file/report-data")]
	[HttpPost("{organizationId}/{reportId}/file")]

[Banrion]

@prograhamming I think this is worth following up on.

[Banrion]

📝 The reportId position in all routes is non-standard. It should be "{organizationId}/{reportId}/data/application". These are existing routes for v1 and currently matches client routes. No changes needed but wanted to call it out for future work

[Banrion]

❌ @prograhamming We should address this

[Banrion]

Duplicate of https://github.com/bitwarden/server/pull/7228/changes#r3045900231

[Banrion]

@prograhamming Can we address this?

[Banrion]

⛏️ Duplicated across many endpoints. While not a bug, prefer DRY. Consider extracting to a helper

private async Task<OrganizationReport> GetAuthorizedReportAsync(Guid organizationId, Guid reportId)
{
    if (organizationId == Guid.Empty) throw new BadRequestException("OrganizationId is required.");
    if (reportId == Guid.Empty) throw new BadRequestException("ReportId is required.");
    await AuthorizeAsync(organizationId);
    var report = await _organizationReportRepo.GetByIdAsync(reportId);
    if (report == null) throw new NotFoundException();
    if (report.OrganizationId != organizationId) throw new BadRequestException("Invalid report ID");
    return report;
}