1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-25 12:45:18 +01:00

Auth/PM-10130 - Registration with Email Verification - Respect Self-hosted Disable Open Registration flag (#4561)

* PM-10130 - Registration with email verification - respect self hosted disable open registration setting properly in non-org invite scenarios.

* PM-10130 - Fix unit tests.

* PM-10130 - Update integration tests.
This commit is contained in:
Jared Snider 2024-07-26 13:30:47 -04:00 committed by GitHub
parent f9017f8e8c
commit 54bd5fa894
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 113 additions and 4 deletions

View File

@ -37,6 +37,8 @@ public class RegisterUserCommand : IRegisterUserCommand
private readonly IUserService _userService;
private readonly IMailService _mailService;
private readonly string _disabledUserRegistrationExceptionMsg = "Open registration has been disabled by the system administrator.";
public RegisterUserCommand(
IGlobalSettings globalSettings,
IOrganizationUserRepository organizationUserRepository,
@ -124,8 +126,6 @@ public class RegisterUserCommand : IRegisterUserCommand
private void ValidateOrgInviteToken(string orgInviteToken, Guid? orgUserId, User user)
{
const string disabledUserRegistrationExceptionMsg = "Open registration has been disabled by the system administrator.";
var orgInviteTokenProvided = !string.IsNullOrWhiteSpace(orgInviteToken);
if (orgInviteTokenProvided && orgUserId.HasValue)
@ -140,7 +140,7 @@ public class RegisterUserCommand : IRegisterUserCommand
if (_globalSettings.DisableUserRegistration)
{
throw new BadRequestException(disabledUserRegistrationExceptionMsg);
throw new BadRequestException(_disabledUserRegistrationExceptionMsg);
}
throw new BadRequestException("Organization invite token is invalid.");
@ -152,7 +152,7 @@ public class RegisterUserCommand : IRegisterUserCommand
// as you can't register without them.
if (_globalSettings.DisableUserRegistration)
{
throw new BadRequestException(disabledUserRegistrationExceptionMsg);
throw new BadRequestException(_disabledUserRegistrationExceptionMsg);
}
// Open registration is allowed
@ -233,6 +233,14 @@ public class RegisterUserCommand : IRegisterUserCommand
public async Task<IdentityResult> RegisterUserViaEmailVerificationToken(User user, string masterPasswordHash,
string emailVerificationToken)
{
// We validate open registration on send of initial email and here b/c a user could technically start the
// account creation process while open registration is enabled and then finish it after it has been
// disabled by the self hosted admin.
if (_globalSettings.DisableUserRegistration)
{
throw new BadRequestException(_disabledUserRegistrationExceptionMsg);
}
var tokenable = ValidateRegistrationEmailVerificationTokenable(emailVerificationToken, user.Email);
user.EmailVerified = true;

View File

@ -39,6 +39,11 @@ public class SendVerificationEmailForRegistrationCommand : ISendVerificationEmai
public async Task<string?> Run(string email, string? name, bool receiveMarketingEmails)
{
if (_globalSettings.DisableUserRegistration)
{
throw new BadRequestException("Open registration has been disabled by the system administrator.");
}
if (string.IsNullOrWhiteSpace(email))
{
throw new ArgumentNullException(nameof(email));

View File

@ -367,4 +367,18 @@ public class RegisterUserCommandTests
}
[Theory]
[BitAutoData]
public async Task RegisterUserViaEmailVerificationToken_DisabledOpenRegistration_ThrowsBadRequestException(SutProvider<RegisterUserCommand> sutProvider, User user, string masterPasswordHash, string emailVerificationToken)
{
// Arrange
sutProvider.GetDependency<IGlobalSettings>()
.DisableUserRegistration = true;
// Act & Assert
var result = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.RegisterUserViaEmailVerificationToken(user, masterPasswordHash, emailVerificationToken));
Assert.Equal("Open registration has been disabled by the system administrator.", result.Message);
}
}

View File

@ -31,6 +31,9 @@ public class SendVerificationEmailForRegistrationCommandTests
sutProvider.GetDependency<GlobalSettings>()
.EnableEmailVerification = true;
sutProvider.GetDependency<GlobalSettings>()
.DisableUserRegistration = false;
sutProvider.GetDependency<IMailService>()
.SendRegistrationVerificationEmailAsync(email, Arg.Any<string>())
.Returns(Task.CompletedTask);
@ -63,6 +66,9 @@ public class SendVerificationEmailForRegistrationCommandTests
sutProvider.GetDependency<GlobalSettings>()
.EnableEmailVerification = true;
sutProvider.GetDependency<GlobalSettings>()
.DisableUserRegistration = false;
var mockedToken = "token";
sutProvider.GetDependency<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>()
.Protect(Arg.Any<RegistrationEmailVerificationTokenable>())
@ -91,6 +97,9 @@ public class SendVerificationEmailForRegistrationCommandTests
sutProvider.GetDependency<GlobalSettings>()
.EnableEmailVerification = false;
sutProvider.GetDependency<GlobalSettings>()
.DisableUserRegistration = false;
var mockedToken = "token";
sutProvider.GetDependency<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>()
.Protect(Arg.Any<RegistrationEmailVerificationTokenable>())
@ -103,6 +112,19 @@ public class SendVerificationEmailForRegistrationCommandTests
Assert.Equal(mockedToken, result);
}
[Theory]
[BitAutoData]
public async Task SendVerificationEmailForRegistrationCommand_WhenOpenRegistrationDisabled_ThrowsBadRequestException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
string email, string name, bool receiveMarketingEmails)
{
// Arrange
sutProvider.GetDependency<GlobalSettings>()
.DisableUserRegistration = true;
// Act & Assert
await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Run(email, name, receiveMarketingEmails));
}
[Theory]
[BitAutoData]
public async Task SendVerificationEmailForRegistrationCommand_WhenIsExistingUserAndEnableEmailVerificationFalse_ThrowsBadRequestException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
@ -125,6 +147,9 @@ public class SendVerificationEmailForRegistrationCommandTests
public async Task SendVerificationEmailForRegistrationCommand_WhenNullEmail_ThrowsArgumentNullException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
string name, bool receiveMarketingEmails)
{
sutProvider.GetDependency<GlobalSettings>()
.DisableUserRegistration = false;
await Assert.ThrowsAsync<ArgumentNullException>(async () => await sutProvider.Sut.Run(null, name, receiveMarketingEmails));
}
@ -133,6 +158,8 @@ public class SendVerificationEmailForRegistrationCommandTests
public async Task SendVerificationEmailForRegistrationCommand_WhenEmptyEmail_ThrowsArgumentNullException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
string name, bool receiveMarketingEmails)
{
sutProvider.GetDependency<GlobalSettings>()
.DisableUserRegistration = false;
await Assert.ThrowsAsync<ArgumentNullException>(async () => await sutProvider.Sut.Run("", name, receiveMarketingEmails));
}
}

View File

@ -62,6 +62,28 @@ public class AccountsControllerTests : IClassFixture<IdentityApplicationFactory>
Assert.Equal(StatusCodes.Status400BadRequest, context.Response.StatusCode);
}
[Theory, BitAutoData]
public async Task PostRegisterSendEmailVerification_DisabledOpenRegistration_ThrowsBadRequestException(string name, bool receiveMarketingEmails)
{
// Localize substitutions to this test.
var localFactory = new IdentityApplicationFactory();
localFactory.UpdateConfiguration("globalSettings:disableUserRegistration", "true");
var email = $"test+register+{name}@email.com";
var model = new RegisterSendVerificationEmailRequestModel
{
Email = email,
Name = name,
ReceiveMarketingEmails = receiveMarketingEmails
};
var context = await localFactory.PostRegisterSendEmailVerificationAsync(model);
Assert.Equal(StatusCodes.Status400BadRequest, context.Response.StatusCode);
}
[Theory]
[BitAutoData(true)]
[BitAutoData(false)]
@ -198,6 +220,38 @@ public class AccountsControllerTests : IClassFixture<IdentityApplicationFactory>
Assert.Equal(kdfParallelism, user.KdfParallelism);
}
[Theory, BitAutoData]
public async Task RegistrationWithEmailVerification_OpenRegistrationDisabled_ThrowsBadRequestException([Required] string name, string emailVerificationToken,
[StringLength(1000), Required] string masterPasswordHash, [StringLength(50)] string masterPasswordHint, [Required] string userSymmetricKey,
[Required] KeysRequestModel userAsymmetricKeys, int kdfMemory, int kdfParallelism)
{
// Localize substitutions to this test.
var localFactory = new IdentityApplicationFactory();
localFactory.UpdateConfiguration("globalSettings:disableUserRegistration", "true");
var email = $"test+register+{name}@email.com";
// Now we call the finish registration endpoint with the email verification token
var registerFinishReqModel = new RegisterFinishRequestModel
{
Email = email,
MasterPasswordHash = masterPasswordHash,
MasterPasswordHint = masterPasswordHint,
EmailVerificationToken = emailVerificationToken,
Kdf = KdfType.PBKDF2_SHA256,
KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
UserSymmetricKey = userSymmetricKey,
UserAsymmetricKeys = userAsymmetricKeys,
KdfMemory = kdfMemory,
KdfParallelism = kdfParallelism
};
var postRegisterFinishHttpContext = await localFactory.PostRegisterFinishAsync(registerFinishReqModel);
Assert.Equal(StatusCodes.Status400BadRequest, postRegisterFinishHttpContext.Response.StatusCode);
}
[Theory, BitAutoData]
public async Task RegistrationWithEmailVerification_WithOrgInviteToken_Succeeds(
[StringLength(1000)] string masterPasswordHash, [StringLength(50)] string masterPasswordHint, string userSymmetricKey,

View File

@ -144,6 +144,7 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
// Email Verification
{ "globalSettings:enableEmailVerification", "true" },
{ "globalSettings:disableUserRegistration", "false" },
{ "globalSettings:launchDarkly:flagValues:email-verification", "true" }
});
});