mirror of
https://github.com/bitwarden/server.git
synced 2024-11-25 12:45:18 +01:00
[PM-2260] Remove TDE feature flag (#3614)
* Remove TDE feature flag. * Removed references to feature service from decryption options builder. * Removed redundant references. * Removed test that is no longer valid, as it was testing the feature flag. * Removed remainder of TDE feature check.
This commit is contained in:
parent
06d0d933ee
commit
956efbdb39
@ -1,14 +1,12 @@
|
||||
using Bit.Api.AdminConsole.Models.Request;
|
||||
using Bit.Api.AdminConsole.Models.Response;
|
||||
using Bit.Api.Models.Response;
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.OrganizationAuth.Interfaces;
|
||||
using Bit.Core.Auth.Models.Api.Request.AuthRequest;
|
||||
using Bit.Core.Auth.Services;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Utilities;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
@ -16,7 +14,6 @@ namespace Bit.Api.AdminConsole.Controllers;
|
||||
|
||||
[Route("organizations/{orgId}/auth-requests")]
|
||||
[Authorize("Application")]
|
||||
[RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)]
|
||||
public class OrganizationAuthRequestsController : Controller
|
||||
{
|
||||
private readonly IAuthRequestRepository _authRequestRepository;
|
||||
|
@ -764,12 +764,6 @@ public class OrganizationsController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption &&
|
||||
!_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
|
||||
{
|
||||
throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type.");
|
||||
}
|
||||
|
||||
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
|
||||
ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
|
||||
organization.Identifier = model.Identifier;
|
||||
|
@ -1,12 +1,10 @@
|
||||
using Bit.Core;
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Enums;
|
||||
using Bit.Core.Auth.Models.Api.Response;
|
||||
using Bit.Core.Auth.Utilities;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Identity.Utilities;
|
||||
|
||||
namespace Bit.Identity.IdentityServer;
|
||||
@ -20,7 +18,6 @@ namespace Bit.Identity.IdentityServer;
|
||||
public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IFeatureService _featureService;
|
||||
private readonly IDeviceRepository _deviceRepository;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
|
||||
@ -31,13 +28,11 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
|
||||
|
||||
public UserDecryptionOptionsBuilder(
|
||||
ICurrentContext currentContext,
|
||||
IFeatureService featureService,
|
||||
IDeviceRepository deviceRepository,
|
||||
IOrganizationUserRepository organizationUserRepository
|
||||
)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_featureService = featureService;
|
||||
_deviceRepository = deviceRepository;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
}
|
||||
@ -95,7 +90,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
|
||||
private async Task BuildTrustedDeviceOptions()
|
||||
{
|
||||
// TrustedDeviceEncryption only exists for SSO, if that changes then these guards should change
|
||||
if (_ssoConfig == null || !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
|
||||
if (_ssoConfig == null)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
@ -1,18 +1,15 @@
|
||||
using System.Security.Claims;
|
||||
using System.Text.Json;
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Enums;
|
||||
using Bit.Core.Auth.Models.Api.Request.Accounts;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
using Bit.Core.Auth.Repositories;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Models.Data;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Utilities;
|
||||
using Bit.IntegrationTestCommon.Factories;
|
||||
using Bit.Test.Common.Helpers;
|
||||
@ -383,36 +380,6 @@ public class IdentityServerSsoTests
|
||||
|
||||
}
|
||||
|
||||
|
||||
[Fact]
|
||||
public async Task SsoLogin_TrustedDeviceEncryption_FlagTurnedOff_DoesNotReturnOption()
|
||||
{
|
||||
// This creates SsoConfig that HAS enabled trusted device encryption which should have only been
|
||||
// done with the feature flag turned on but we are testing that even if they have done that, this will turn off
|
||||
// if returning as an option if the flag has later been turned off. We should be very careful turning the flag
|
||||
// back off.
|
||||
using var responseBody = await RunSuccessTestAsync(async factory =>
|
||||
{
|
||||
await UpdateUserAsync(factory, user => user.MasterPassword = null);
|
||||
}, MemberDecryptionType.TrustedDeviceEncryption, trustedDeviceEnabled: false);
|
||||
|
||||
// Assert
|
||||
// If the organization has selected TrustedDeviceEncryption but the user still has their master password
|
||||
// they can decrypt with either option
|
||||
var root = responseBody.RootElement;
|
||||
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
||||
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
||||
|
||||
// Expected to look like:
|
||||
// "UserDecryptionOptions": {
|
||||
// "Object": "userDecryptionOptions"
|
||||
// "HasMasterPassword": false
|
||||
// }
|
||||
|
||||
// Should only have 2 properties
|
||||
Assert.Equal(2, userDecryptionOptions.EnumerateObject().Count());
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task SsoLogin_KeyConnector_ReturnsOptions()
|
||||
{
|
||||
@ -511,12 +478,6 @@ public class IdentityServerSsoTests
|
||||
.Returns(authorizationCode);
|
||||
});
|
||||
|
||||
factory.SubstitueService<IFeatureService>(service =>
|
||||
{
|
||||
service.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, Arg.Any<ICurrentContext>())
|
||||
.Returns(trustedDeviceEnabled);
|
||||
});
|
||||
|
||||
// This starts the server and finalizes services
|
||||
var registerResponse = await factory.RegisterAsync(new RegisterRequestModel
|
||||
{
|
||||
|
@ -1,11 +1,9 @@
|
||||
using Bit.Core;
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Enums;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Identity.IdentityServer;
|
||||
using Bit.Identity.Utilities;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
@ -17,7 +15,6 @@ namespace Bit.Identity.Test.IdentityServer;
|
||||
public class UserDecryptionOptionsBuilderTests
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IFeatureService _featureService;
|
||||
private readonly IDeviceRepository _deviceRepository;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly UserDecryptionOptionsBuilder _builder;
|
||||
@ -25,10 +22,9 @@ public class UserDecryptionOptionsBuilderTests
|
||||
public UserDecryptionOptionsBuilderTests()
|
||||
{
|
||||
_currentContext = Substitute.For<ICurrentContext>();
|
||||
_featureService = Substitute.For<IFeatureService>();
|
||||
_deviceRepository = Substitute.For<IDeviceRepository>();
|
||||
_organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
|
||||
_builder = new UserDecryptionOptionsBuilder(_currentContext, _featureService, _deviceRepository, _organizationUserRepository);
|
||||
_builder = new UserDecryptionOptionsBuilder(_currentContext, _deviceRepository, _organizationUserRepository);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -79,7 +75,6 @@ public class UserDecryptionOptionsBuilderTests
|
||||
[Theory, BitAutoData]
|
||||
public async Task Build_WhenTrustedDeviceIsEnabled_ShouldReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
|
||||
{
|
||||
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
||||
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
||||
ssoConfig.Data = configurationData.Serialize();
|
||||
|
||||
@ -91,23 +86,9 @@ public class UserDecryptionOptionsBuilderTests
|
||||
Assert.False(result.TrustedDeviceOption!.HasManageResetPasswordPermission);
|
||||
}
|
||||
|
||||
// TODO: Remove when FeatureFlagKeys.TrustedDeviceEncryption is removed
|
||||
[Theory, BitAutoData]
|
||||
public async Task Build_WhenTrustedDeviceIsEnabledButFeatureFlagIsDisabled_ShouldNotReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
|
||||
{
|
||||
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(false);
|
||||
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
||||
ssoConfig.Data = configurationData.Serialize();
|
||||
|
||||
var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
|
||||
|
||||
Assert.Null(result.TrustedDeviceOption);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task Build_WhenDeviceIsTrusted_ShouldReturnKeys(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
|
||||
{
|
||||
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
||||
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
||||
ssoConfig.Data = configurationData.Serialize();
|
||||
device.EncryptedPrivateKey = "encryptedPrivateKey";
|
||||
@ -123,7 +104,6 @@ public class UserDecryptionOptionsBuilderTests
|
||||
[Theory, BitAutoData]
|
||||
public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
|
||||
{
|
||||
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
||||
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
||||
ssoConfig.Data = configurationData.Serialize();
|
||||
approvingDevice.Type = LoginApprovingDeviceTypes.Types.First();
|
||||
@ -140,7 +120,6 @@ public class UserDecryptionOptionsBuilderTests
|
||||
SsoConfigurationData configurationData,
|
||||
CurrentContextOrganization organization)
|
||||
{
|
||||
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
||||
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
||||
ssoConfig.Data = configurationData.Serialize();
|
||||
ssoConfig.OrganizationId = organization.Id;
|
||||
@ -159,7 +138,6 @@ public class UserDecryptionOptionsBuilderTests
|
||||
OrganizationUser organizationUser,
|
||||
User user)
|
||||
{
|
||||
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
||||
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
||||
ssoConfig.Data = configurationData.Serialize();
|
||||
organizationUser.ResetPasswordKey = "resetPasswordKey";
|
||||
|
Loading…
Reference in New Issue
Block a user