1
0
mirror of https://github.com/bitwarden/server.git synced 2025-01-21 21:41:21 +01:00

Fix missing validation

This commit is contained in:
Thomas Rittson 2024-10-07 12:55:23 +10:00
parent ed9ee20dc4
commit 5c7d47402d
No known key found for this signature in database
GPG Key ID: CDDDA03861C35E27
3 changed files with 56 additions and 9 deletions

View File

@ -1,11 +1,43 @@
#nullable enable
using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.Enums;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Repositories;
namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
public class RequireSsoPolicyDefinition : IPolicyDefinition
{
private readonly ISsoConfigRepository _ssoConfigRepository;
public RequireSsoPolicyDefinition(ISsoConfigRepository ssoConfigRepository)
{
_ssoConfigRepository = ssoConfigRepository;
}
public PolicyType Type => PolicyType.RequireSso;
public IEnumerable<PolicyType> RequiredPolicies => [PolicyType.SingleOrg];
public async Task<string?> ValidateAsync(Policy? currentPolicy, Policy modifiedPolicy)
{
if (modifiedPolicy is not { Enabled: true })
{
return await ValidateDisableAsync(modifiedPolicy);
}
return null;
}
private async Task<string?> ValidateDisableAsync(Policy policy)
{
// Do not allow this policy to be disabled if Key Connector or TDE are being used
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(policy.OrganizationId);
return ssoConfig?.GetData().MemberDecryptionType switch
{
MemberDecryptionType.KeyConnector => "Key Connector is enabled.",
MemberDecryptionType.TrustedDeviceEncryption => "Trusted device encryption is on and requires this policy.",
_ => null
};
}
}

View File

@ -22,14 +22,21 @@ public class ResetPasswordPolicyDefinition : IPolicyDefinition
public async Task<string?> ValidateAsync(Policy? currentPolicy, Policy modifiedPolicy)
{
if (modifiedPolicy is not { Enabled:true } ||
modifiedPolicy.GetDataModel<ResetPasswordDataModel>()?.AutoEnrollEnabled == false)
modifiedPolicy.GetDataModel<ResetPasswordDataModel>().AutoEnrollEnabled == false)
{
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(modifiedPolicy.OrganizationId);
if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
return await ValidateDisableAsync(modifiedPolicy);
}
return null;
}
private async Task<string?> ValidateDisableAsync(Policy policy)
{
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(policy.OrganizationId);
if (ssoConfig?.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
{
return "Trusted device encryption is on and requires this policy.";
}
}
return null;
}

View File

@ -83,11 +83,19 @@ public class SingleOrgPolicyDefinition : IPolicyDefinition
public async Task<string?> ValidateAsync(Policy? currentPolicy, Policy modifiedPolicy)
{
var organizationId = modifiedPolicy.OrganizationId;
if (modifiedPolicy is not { Enabled: true })
{
return await ValidateDisableAsync(modifiedPolicy);
}
return null;
}
private async Task<string?> ValidateDisableAsync(Policy policy)
{
// Do not allow this policy to be disabled if Key Connector is being used
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organizationId);
if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(policy.OrganizationId);
if (ssoConfig?.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector)
{
return "Key Connector is enabled.";
}