Add check to ensure admins or owners arn't enrolled in key connector (#1725)

2024-11-25 12:45:18 +01:00 · 2021-11-18 21:56:13 +01:00 · 2021-11-18 21:56:13 +01:00 · 6008715abc
commit 6008715abc
parent 2dc29e51d1
1 changed files with 27 additions and 15 deletions
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -639,15 +639,10 @@ namespace Bit.Core.Services

        public async Task<IdentityResult> SetKeyConnectorKeyAsync(User user, string key, string orgIdentifier)
        {
-            if (user == null)
+            var identityResult = CheckCanUseKeyConnector(user);
+            if (identityResult != null)
            {
-                throw new ArgumentNullException(nameof(user));
-            }
-
-            if (user.UsesKeyConnector)
-            {
-                Logger.LogWarning("Already uses Key Connector.");
-                return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword());
+                return identityResult;
            }

            user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
@ -663,6 +658,24 @@ namespace Bit.Core.Services
        }

        public async Task<IdentityResult> ConvertToKeyConnectorAsync(User user)
+        {
+            var identityResult = CheckCanUseKeyConnector(user);
+            if (identityResult != null)
+            {
+                return identityResult;
+            }
+
+            user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
+            user.MasterPassword = null;
+            user.UsesKeyConnector = true;
+
+            await _userRepository.ReplaceAsync(user);
+            await _eventService.LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
+
+            return IdentityResult.Success;
+        }
+
+        private IdentityResult CheckCanUseKeyConnector(User user)
        {
            if (user == null)
            {
@ -675,14 +688,13 @@ namespace Bit.Core.Services
                return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword());
            }

-            user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
-            user.MasterPassword = null;
-            user.UsesKeyConnector = true;
+            if (_currentContext.Organizations.Any(u =>
+                    u.Type is OrganizationUserType.Owner or OrganizationUserType.Admin))
+            {
+                throw new BadRequestException("Cannot use Key Connector when admin or owner of an organization.");
+            }

-            await _userRepository.ReplaceAsync(user);
-            await _eventService.LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
-
-            return IdentityResult.Success;
+            return null;
        }

        public async Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType callingUserType, Guid orgId, Guid id, string newMasterPassword, string key)