1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-25 12:45:18 +01:00

[AC-1638] Disallow Secrets Manager for MSP-managed organizations (#3297)

* Block MSPs from creating orgs with SM

* Block MSPs from adding SM to a managed org

* Prevent manually adding SM to an MSP-managed org

* Revert "Prevent manually adding SM to an MSP-managed org"

This change is no longer required

This reverts commit 51b086243b.

* Block provider from adding org with SM

* Update error message when adding existing org with SM to provider

* Update check to match client

* Revert "Update check to match client"

This reverts commit f195c1c1f6.
This commit is contained in:
Thomas Rittson 2023-10-13 00:56:50 +10:00 committed by GitHub
parent 79648b311e
commit 53f5eee215
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 82 additions and 3 deletions

View File

@ -354,6 +354,12 @@ public class ProviderService : IProviderService
var organization = await _organizationRepository.GetByIdAsync(organizationId);
ThrowOnInvalidPlanType(organization.PlanType);
if (organization.UseSecretsManager)
{
throw new BadRequestException(
"The organization is subscribed to Secrets Manager. Please contact Customer Support to manage the subscription.");
}
var providerOrganization = new ProviderOrganization
{
ProviderId = providerId,

View File

@ -431,6 +431,23 @@ public class ProviderServiceTests
Assert.Equal("Organization already belongs to a provider.", exception.Message);
}
[Theory, BitAutoData]
public async Task AddOrganization_OrganizationHasSecretsManager_Throws(Provider provider, Organization organization, string key,
SutProvider<ProviderService> sutProvider)
{
organization.PlanType = PlanType.EnterpriseAnnually;
organization.UseSecretsManager = true;
sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
var providerOrganizationRepository = sutProvider.GetDependency<IProviderOrganizationRepository>();
providerOrganizationRepository.GetByOrganizationId(organization.Id).ReturnsNull();
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
var exception = await Assert.ThrowsAsync<BadRequestException>(
() => sutProvider.Sut.AddOrganization(provider.Id, organization.Id, key));
Assert.Equal("The organization is subscribed to Secrets Manager. Please contact Customer Support to manage the subscription.", exception.Message);
}
[Theory, BitAutoData]
public async Task AddOrganization_Success(Provider provider, Organization organization, string key,
SutProvider<ProviderService> sutProvider)

View File

@ -1,8 +1,10 @@
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Enums.Provider;
using Bit.Core.Exceptions;
using Bit.Core.Models.Business;
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
@ -12,17 +14,21 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
{
private readonly IPaymentService _paymentService;
private readonly IOrganizationService _organizationService;
private readonly IProviderRepository _providerRepository;
public AddSecretsManagerSubscriptionCommand(
IPaymentService paymentService,
IOrganizationService organizationService)
IOrganizationService organizationService,
IProviderRepository providerRepository)
{
_paymentService = paymentService;
_organizationService = organizationService;
_providerRepository = providerRepository;
}
public async Task SignUpAsync(Organization organization, int additionalSmSeats,
int additionalServiceAccounts)
{
ValidateOrganization(organization);
await ValidateOrganization(organization);
var plan = StaticStore.GetSecretsManagerPlan(organization.PlanType);
var signup = SetOrganizationUpgrade(organization, additionalSmSeats, additionalServiceAccounts);
@ -55,7 +61,7 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
return signup;
}
private static void ValidateOrganization(Organization organization)
private async Task ValidateOrganization(Organization organization)
{
if (organization == null)
{
@ -83,5 +89,12 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
{
throw new BadRequestException("No subscription found.");
}
var provider = await _providerRepository.GetByOrganizationIdAsync(organization.Id);
if (provider is { Type: ProviderType.Msp })
{
throw new BadRequestException(
"Organizations with a Managed Service Provider do not support Secrets Manager.");
}
}
}

View File

@ -410,6 +410,11 @@ public class OrganizationService : IOrganizationService
var secretsManagerPlan = StaticStore.SecretManagerPlans.FirstOrDefault(p => p.Type == signup.Plan);
if (signup.UseSecretsManager)
{
if (provider)
{
throw new BadRequestException(
"Organizations with a Managed Service Provider do not support Secrets Manager.");
}
ValidateSecretsManagerPlan(secretsManagerPlan, signup);
}

View File

@ -1,9 +1,12 @@
using Bit.Core.Entities;
using Bit.Core.Entities.Provider;
using Bit.Core.Enums;
using Bit.Core.Enums.Provider;
using Bit.Core.Exceptions;
using Bit.Core.Models.Business;
using Bit.Core.Models.StaticStore;
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Bit.Test.Common.AutoFixture;
@ -127,6 +130,25 @@ public class AddSecretsManagerSubscriptionCommandTests
await VerifyDependencyNotCalledAsync(sutProvider);
}
[Theory]
[BitAutoData]
public async Task SignUpAsync_ThrowsException_WhenOrganizationIsManagedByMSP(
SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider,
Organization organization,
Provider provider)
{
organization.UseSecretsManager = false;
organization.SecretsManagerBeta = false;
provider.Type = ProviderType.Msp;
sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organization.Id).Returns(provider);
var exception = await Assert.ThrowsAsync<BadRequestException>(
() => sutProvider.Sut.SignUpAsync(organization, 10, 10));
Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
await VerifyDependencyNotCalledAsync(sutProvider);
}
private static async Task VerifyDependencyNotCalledAsync(SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider)
{
await sutProvider.GetDependency<IPaymentService>().DidNotReceive()

View File

@ -263,6 +263,22 @@ public class OrganizationServiceTests
);
}
[Theory]
[BitAutoData(PlanType.EnterpriseAnnually)]
public async Task SignUp_SM_Throws_WhenManagedByMSP(PlanType planType, OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
{
signup.Plan = planType;
signup.UseSecretsManager = true;
signup.AdditionalSeats = 15;
signup.AdditionalSmSeats = 10;
signup.AdditionalServiceAccounts = 20;
signup.PaymentMethodType = PaymentMethodType.Card;
signup.PremiumAccessAddon = false;
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SignUpAsync(signup, true));
Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
}
[Theory]
[BitAutoData]
public async Task SignUpAsync_SecretManager_AdditionalServiceAccounts_NotAllowedByPlan_ShouldThrowException(OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)