From fded36c999c79068c3bfc303d1367b0bc2d9b616 Mon Sep 17 00:00:00 2001 From: Vince Grassia <593223+vgrassia@users.noreply.github.com> Date: Tue, 5 Nov 2024 11:47:58 -0500 Subject: [PATCH 01/10] Add version bump task (#4976) --- .github/workflows/repository-management.yml | 216 +++++++++----------- 1 file changed, 92 insertions(+), 124 deletions(-) diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml index 8b0e3bcc0..4cbf90c00 100644 --- a/.github/workflows/repository-management.yml +++ b/.github/workflows/repository-management.yml @@ -3,12 +3,13 @@ name: Repository management on: workflow_dispatch: inputs: - branch_to_cut: - default: "rc" - description: "Branch to cut" + task: + default: "Version Bump" + description: "Task to execute" options: - - "rc" - - "hotfix-rc" + - "Version Bump" + - "Version Bump and Cut rc" + - "Version Bump and Cut hotfix-rc" required: true type: choice target_ref: @@ -22,18 +23,51 @@ on: type: string jobs: + setup: + name: Setup + runs-on: ubuntu-24.04 + outputs: + branch: ${{ steps.set-branch.outputs.branch }} + token: ${{ steps.app-token.outputs.token }} + steps: + - name: Set branch + id: set-branch + env: + TASK: ${{ inputs.task }} + run: | + if [[ "$TASK" == "Version Bump" ]]; then + BRANCH="none" + elif [[ "$TASK" == "Version Bump and Cut rc" ]]; then + BRANCH="rc" + elif [[ "$TASK" == "Version Bump and Cut hotfix-rc" ]]; then + BRANCH="hotfix-rc" + fi + + echo "branch=$BRANCH" >> $GITHUB_OUTPUT + + - name: Generate GH App token + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + id: app-token + with: + app-id: ${{ secrets.BW_GHAPP_ID }} + private-key: ${{ secrets.BW_GHAPP_KEY }} + + cut_branch: name: Cut branch - runs-on: ubuntu-22.04 + if: ${{ needs.setup.outputs.branch != 'none' }} + needs: setup + runs-on: ubuntu-24.04 steps: - name: Check out target ref uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.target_ref }} + token: ${{ needs.setup.outputs.token }} - - name: Check if ${{ inputs.branch_to_cut }} branch exists + - name: Check if ${{ needs.setup.outputs.branch }} branch exists env: - BRANCH_NAME: ${{ inputs.branch_to_cut }} + BRANCH_NAME: ${{ needs.setup.outputs.branch }} run: | if [[ $(git ls-remote --heads origin $BRANCH_NAME) ]]; then echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> $GITHUB_STEP_SUMMARY @@ -42,7 +76,7 @@ jobs: - name: Cut branch env: - BRANCH_NAME: ${{ inputs.branch_to_cut }} + BRANCH_NAME: ${{ needs.setup.outputs.branch }} run: | git switch --quiet --create $BRANCH_NAME git push --quiet --set-upstream origin $BRANCH_NAME @@ -50,8 +84,11 @@ jobs: bump_version: name: Bump Version - runs-on: ubuntu-22.04 - needs: cut_branch + if: ${{ always() }} + runs-on: ubuntu-24.04 + needs: + - cut_branch + - setup outputs: version: ${{ steps.set-final-version-output.outputs.version }} steps: @@ -65,6 +102,12 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main + token: ${{ needs.setup.outputs.token }} + + - name: Configure Git + run: | + git config --local user.email "actions@github.com" + git config --local user.name "Github Actions" - name: Install xmllint run: | @@ -123,133 +166,69 @@ jobs: - name: Set final version output id: set-final-version-output + env: + VERSION: ${{ inputs.version_number_override }} run: | if [[ "${{ steps.bump-version-override.outcome }}" = "success" ]]; then - echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT + echo "version=$VERSION" >> $GITHUB_OUTPUT elif [[ "${{ steps.bump-version-automatic.outcome }}" = "success" ]]; then echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT fi - - name: Configure Git - run: | - git config --local user.email "actions@github.com" - git config --local user.name "Github Actions" - - - name: Create version branch - id: create-branch - run: | - NAME=version_bump_${{ github.ref_name }}_$(date +"%Y-%m-%d") - git switch -c $NAME - echo "name=$NAME" >> $GITHUB_OUTPUT - - name: Commit files run: git commit -m "Bumped version to ${{ steps.set-final-version-output.outputs.version }}" -a - name: Push changes run: git push - - name: Generate GH App token - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 - id: app-token - with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} - owner: ${{ github.repository_owner }} - - - name: Create version PR - id: create-pr - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - PR_BRANCH: ${{ steps.create-branch.outputs.name }} - TITLE: "Bump version to ${{ steps.set-final-version-output.outputs.version }}" - run: | - PR_URL=$(gh pr create --title "$TITLE" \ - --base "main" \ - --head "$PR_BRANCH" \ - --label "version update" \ - --label "automated pr" \ - --body " - ## Type of change - - [ ] Bug fix - - [ ] New feature development - - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - - [ ] Build/deploy pipeline (DevOps) - - [X] Other - ## Objective - Automated version bump to ${{ steps.set-final-version-output.outputs.version }}") - echo "pr_number=${PR_URL##*/}" >> $GITHUB_OUTPUT - - - name: Approve PR - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }} - run: gh pr review $PR_NUMBER --approve - - - name: Merge PR - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }} - run: gh pr merge $PR_NUMBER --squash --auto --delete-branch - cherry_pick: name: Cherry-Pick Commit(s) - runs-on: ubuntu-22.04 - needs: bump_version + if: ${{ needs.setup.outputs.branch != 'none' }} + runs-on: ubuntu-24.04 + needs: + - bump_version + - setup steps: - name: Check out main branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main - - - name: Install xmllint - run: | - sudo apt-get update - sudo apt-get install -y libxml2-utils - - - name: Verify version has been updated - env: - NEW_VERSION: ${{ needs.bump_version.outputs.version }} - run: | - # Wait for version to change. - while : ; do - echo "Waiting for version to be updated..." - git pull --force - CURRENT_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props) - - # If the versions don't match we continue the loop, otherwise we break out of the loop. - [[ "$NEW_VERSION" != "$CURRENT_VERSION" ]] || break - sleep 10 - done - - - name: Get last version commit(s) - id: get-commits - run: | - git switch main - MAIN_COMMIT=$(git log --reverse --pretty=format:"%H" --max-count=1 Directory.Build.props) - echo "main_commit=$MAIN_COMMIT" >> $GITHUB_OUTPUT - - if [[ $(git ls-remote --heads origin rc) ]]; then - git switch rc - RC_COMMIT=$(git log --reverse --pretty=format:"%H" --max-count=1 Directory.Build.props) - echo "rc_commit=$RC_COMMIT" >> $GITHUB_OUTPUT - - RC_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props) - echo "rc_version=$RC_VERSION" >> $GITHUB_OUTPUT - fi + token: ${{ needs.setup.outputs.token }} - name: Configure Git run: | git config --local user.email "actions@github.com" git config --local user.name "Github Actions" + - name: Install xmllint + run: | + sudo apt-get update + sudo apt-get install -y libxml2-utils + - name: Perform cherry-pick(s) env: - CUT_BRANCH: ${{ inputs.branch_to_cut }} - MAIN_COMMIT: ${{ steps.get-commits.outputs.main_commit }} - RC_COMMIT: ${{ steps.get-commits.outputs.rc_commit }} - RC_VERSION: ${{ steps.get-commits.outputs.rc_version }} + CUT_BRANCH: ${{ needs.setup.outputs.branch }} run: | + # Function for cherry-picking + cherry_pick () { + local source_branch=$1 + local destination_branch=$2 + + # Get project commit/version from source branch + git switch $source_branch + SOURCE_COMMIT=$(git log --reverse --pretty=format:"%H" --max-count=1 Directory.Build.props) + SOURCE_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props) + + # Get project commit/version from destination branch + git switch $destination_branch + DESTINATION_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props) + + if [[ "$DESTINATION_VERSION" != "$SOURCE_VERSION" ]]; then + git cherry-pick --strategy-option=theirs -x $SOURCE_COMMIT + git push -u origin $destination_branch + fi + # If we are cutting 'hotfix-rc': if [[ "$CUT_BRANCH" == "hotfix-rc" ]]; then @@ -257,25 +236,16 @@ jobs: if [[ $(git ls-remote --heads origin rc) ]]; then # Chery-pick from 'rc' into 'hotfix-rc' - git switch hotfix-rc - HOTFIX_RC_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props) - if [[ "$HOTFIX_RC_VERSION" != "$RC_VERSION" ]]; then - git cherry-pick --strategy-option=theirs -x $RC_COMMIT - git push -u origin hotfix-rc - fi + cherry_pick rc hotfix-rc # Cherry-pick from 'main' into 'rc' - git switch rc - git cherry-pick --strategy-option=theirs -x $MAIN_COMMIT - git push -u origin rc + cherry_pick main rc # If the 'rc' branch does not exist: else # Cherry-pick from 'main' into 'hotfix-rc' - git switch hotfix-rc - git cherry-pick --strategy-option=theirs -x $MAIN_COMMIT - git push -u origin hotfix-rc + cherry_pick main hotfix-rc fi @@ -283,9 +253,7 @@ jobs: elif [[ "$CUT_BRANCH" == "rc" ]]; then # Cherry-pick from 'main' into 'rc' - git switch rc - git cherry-pick --strategy-option=theirs -x $MAIN_COMMIT - git push -u origin rc + cherry_pick main rc fi From d5cfdb26d24d65c56fe8b93d030e5bf80fad2f60 Mon Sep 17 00:00:00 2001 From: Tom <144813356+ttalty@users.noreply.github.com> Date: Tue, 5 Nov 2024 13:06:05 -0500 Subject: [PATCH 02/10] Added the file change (#4975) --- src/Core/Constants.cs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs index 52931582e..e19f4aecd 100644 --- a/src/Core/Constants.cs +++ b/src/Core/Constants.cs @@ -148,6 +148,7 @@ public static class FeatureFlagKeys public const string LimitCollectionCreationDeletionSplit = "pm-10863-limit-collection-creation-deletion-split"; public const string GeneratorToolsModernization = "generator-tools-modernization"; public const string NewDeviceVerification = "new-device-verification"; + public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application"; public static List GetAllKeys() { From 50f7fa03dbc0f18a641206ab1a92fb11a1131572 Mon Sep 17 00:00:00 2001 From: Todd Martin <106564991+trmartin4@users.noreply.github.com> Date: Tue, 5 Nov 2024 13:13:09 -0500 Subject: [PATCH 03/10] Removed eu-environment feature flag (#4966) --- src/Core/Constants.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs index e19f4aecd..9ca76489d 100644 --- a/src/Core/Constants.cs +++ b/src/Core/Constants.cs @@ -100,7 +100,6 @@ public static class AuthenticationSchemes public static class FeatureFlagKeys { - public const string DisplayEuEnvironment = "display-eu-environment"; public const string BrowserFilelessImport = "browser-fileless-import"; public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair"; public const string UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection"; From dae493db72b10a4cbccb0478a52bea1eb6250630 Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Tue, 5 Nov 2024 20:25:06 +0100 Subject: [PATCH 04/10] [PM-10394] Add new item type ssh key (#4575) * Add ssh key item type * Add fingerprint * Limit ssh key ciphers to new clients * Fix enc string length for 4096 bit rsa keys * Remove keyAlgorithm from ssh cipher * Add featureflag and exclude mobile from sync * Add ssh-agent flag --- src/Api/Vault/Controllers/SyncController.cs | 22 +++++++++++++++- src/Api/Vault/Models/CipherSSHKeyModel.cs | 26 +++++++++++++++++++ .../Models/Request/CipherRequestModel.cs | 19 ++++++++++++++ .../Models/Response/CipherResponseModel.cs | 7 +++++ src/Core/Constants.cs | 3 +++ src/Core/Vault/Enums/CipherType.cs | 1 + .../Vault/Models/Data/CipherSSHKeyData.cs | 10 +++++++ 7 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 src/Api/Vault/Models/CipherSSHKeyModel.cs create mode 100644 src/Core/Vault/Models/Data/CipherSSHKeyData.cs diff --git a/src/Api/Vault/Controllers/SyncController.cs b/src/Api/Vault/Controllers/SyncController.cs index 853320ec6..5ffaa0e34 100644 --- a/src/Api/Vault/Controllers/SyncController.cs +++ b/src/Api/Vault/Controllers/SyncController.cs @@ -1,7 +1,9 @@ using Bit.Api.Vault.Models.Response; +using Bit.Core; using Bit.Core.AdminConsole.Entities; using Bit.Core.AdminConsole.Enums.Provider; using Bit.Core.AdminConsole.Repositories; +using Bit.Core.Context; using Bit.Core.Entities; using Bit.Core.Enums; using Bit.Core.Exceptions; @@ -10,6 +12,7 @@ using Bit.Core.Repositories; using Bit.Core.Services; using Bit.Core.Settings; using Bit.Core.Tools.Repositories; +using Bit.Core.Vault.Models.Data; using Bit.Core.Vault.Repositories; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; @@ -30,6 +33,8 @@ public class SyncController : Controller private readonly IPolicyRepository _policyRepository; private readonly ISendRepository _sendRepository; private readonly GlobalSettings _globalSettings; + private readonly ICurrentContext _currentContext; + private readonly Version _sshKeyCipherMinimumVersion = new(Constants.SSHKeyCipherMinimumVersion); private readonly IFeatureService _featureService; public SyncController( @@ -43,6 +48,7 @@ public class SyncController : Controller IPolicyRepository policyRepository, ISendRepository sendRepository, GlobalSettings globalSettings, + ICurrentContext currentContext, IFeatureService featureService) { _userService = userService; @@ -55,6 +61,7 @@ public class SyncController : Controller _policyRepository = policyRepository; _sendRepository = sendRepository; _globalSettings = globalSettings; + _currentContext = currentContext; _featureService = featureService; } @@ -77,7 +84,8 @@ public class SyncController : Controller var hasEnabledOrgs = organizationUserDetails.Any(o => o.Enabled); var folders = await _folderRepository.GetManyByUserIdAsync(user.Id); - var ciphers = await _cipherRepository.GetManyByUserIdAsync(user.Id, withOrganizations: hasEnabledOrgs); + var allCiphers = await _cipherRepository.GetManyByUserIdAsync(user.Id, withOrganizations: hasEnabledOrgs); + var ciphers = FilterSSHKeys(allCiphers); var sends = await _sendRepository.GetManyByUserIdAsync(user.Id); IEnumerable collections = null; @@ -101,4 +109,16 @@ public class SyncController : Controller folders, collections, ciphers, collectionCiphersGroupDict, excludeDomains, policies, sends); return response; } + + private ICollection FilterSSHKeys(ICollection ciphers) + { + if (_currentContext.ClientVersion >= _sshKeyCipherMinimumVersion) + { + return ciphers; + } + else + { + return ciphers.Where(c => c.Type != Core.Vault.Enums.CipherType.SSHKey).ToList(); + } + } } diff --git a/src/Api/Vault/Models/CipherSSHKeyModel.cs b/src/Api/Vault/Models/CipherSSHKeyModel.cs new file mode 100644 index 000000000..47853aa36 --- /dev/null +++ b/src/Api/Vault/Models/CipherSSHKeyModel.cs @@ -0,0 +1,26 @@ +using Bit.Core.Utilities; +using Bit.Core.Vault.Models.Data; + +namespace Bit.Api.Vault.Models; + +public class CipherSSHKeyModel +{ + public CipherSSHKeyModel() { } + + public CipherSSHKeyModel(CipherSSHKeyData data) + { + PrivateKey = data.PrivateKey; + PublicKey = data.PublicKey; + KeyFingerprint = data.KeyFingerprint; + } + + [EncryptedString] + [EncryptedStringLength(5000)] + public string PrivateKey { get; set; } + [EncryptedString] + [EncryptedStringLength(5000)] + public string PublicKey { get; set; } + [EncryptedString] + [EncryptedStringLength(1000)] + public string KeyFingerprint { get; set; } +} diff --git a/src/Api/Vault/Models/Request/CipherRequestModel.cs b/src/Api/Vault/Models/Request/CipherRequestModel.cs index b62f2ff96..89eda415b 100644 --- a/src/Api/Vault/Models/Request/CipherRequestModel.cs +++ b/src/Api/Vault/Models/Request/CipherRequestModel.cs @@ -37,6 +37,7 @@ public class CipherRequestModel public CipherCardModel Card { get; set; } public CipherIdentityModel Identity { get; set; } public CipherSecureNoteModel SecureNote { get; set; } + public CipherSSHKeyModel SSHKey { get; set; } public DateTime? LastKnownRevisionDate { get; set; } = null; public CipherDetails ToCipherDetails(Guid userId, bool allowOrgIdSet = true) @@ -82,6 +83,9 @@ public class CipherRequestModel case CipherType.SecureNote: existingCipher.Data = JsonSerializer.Serialize(ToCipherSecureNoteData(), JsonHelpers.IgnoreWritingNull); break; + case CipherType.SSHKey: + existingCipher.Data = JsonSerializer.Serialize(ToCipherSSHKeyData(), JsonHelpers.IgnoreWritingNull); + break; default: throw new ArgumentException("Unsupported type: " + nameof(Type) + "."); } @@ -230,6 +234,21 @@ public class CipherRequestModel Type = SecureNote.Type, }; } + + private CipherSSHKeyData ToCipherSSHKeyData() + { + return new CipherSSHKeyData + { + Name = Name, + Notes = Notes, + Fields = Fields?.Select(f => f.ToCipherFieldData()), + PasswordHistory = PasswordHistory?.Select(ph => ph.ToCipherPasswordHistoryData()), + + PrivateKey = SSHKey.PrivateKey, + PublicKey = SSHKey.PublicKey, + KeyFingerprint = SSHKey.KeyFingerprint, + }; + } } public class CipherWithIdRequestModel : CipherRequestModel diff --git a/src/Api/Vault/Models/Response/CipherResponseModel.cs b/src/Api/Vault/Models/Response/CipherResponseModel.cs index aa86b17f5..10b77274b 100644 --- a/src/Api/Vault/Models/Response/CipherResponseModel.cs +++ b/src/Api/Vault/Models/Response/CipherResponseModel.cs @@ -48,6 +48,12 @@ public class CipherMiniResponseModel : ResponseModel cipherData = identityData; Identity = new CipherIdentityModel(identityData); break; + case CipherType.SSHKey: + var sshKeyData = JsonSerializer.Deserialize(cipher.Data); + Data = sshKeyData; + cipherData = sshKeyData; + SSHKey = new CipherSSHKeyModel(sshKeyData); + break; default: throw new ArgumentException("Unsupported " + nameof(Type) + "."); } @@ -76,6 +82,7 @@ public class CipherMiniResponseModel : ResponseModel public CipherCardModel Card { get; set; } public CipherIdentityModel Identity { get; set; } public CipherSecureNoteModel SecureNote { get; set; } + public CipherSSHKeyModel SSHKey { get; set; } public IEnumerable Fields { get; set; } public IEnumerable PasswordHistory { get; set; } public IEnumerable Attachments { get; set; } diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs index 9ca76489d..0bc6393d3 100644 --- a/src/Core/Constants.cs +++ b/src/Core/Constants.cs @@ -22,6 +22,7 @@ public static class Constants public const int OrganizationSelfHostSubscriptionGracePeriodDays = 60; public const string Fido2KeyCipherMinimumVersion = "2023.10.0"; + public const string SSHKeyCipherMinimumVersion = "2024.12.0"; /// /// Used by IdentityServer to identify our own provider. @@ -122,6 +123,8 @@ public static class FeatureFlagKeys public const string InlineMenuPositioningImprovements = "inline-menu-positioning-improvements"; public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner"; public const string DeviceTrustLogging = "pm-8285-device-trust-logging"; + public const string SSHKeyItemVaultItem = "ssh-key-vault-item"; + public const string SSHAgent = "ssh-agent"; public const string AuthenticatorTwoFactorToken = "authenticator-2fa-token"; public const string EnableUpgradePasswordManagerSub = "AC-2708-upgrade-password-manager-sub"; public const string IdpAutoSubmitLogin = "idp-auto-submit-login"; diff --git a/src/Core/Vault/Enums/CipherType.cs b/src/Core/Vault/Enums/CipherType.cs index f3c7a90f4..a0a49ce99 100644 --- a/src/Core/Vault/Enums/CipherType.cs +++ b/src/Core/Vault/Enums/CipherType.cs @@ -8,4 +8,5 @@ public enum CipherType : byte SecureNote = 2, Card = 3, Identity = 4, + SSHKey = 5, } diff --git a/src/Core/Vault/Models/Data/CipherSSHKeyData.cs b/src/Core/Vault/Models/Data/CipherSSHKeyData.cs new file mode 100644 index 000000000..45c2cf607 --- /dev/null +++ b/src/Core/Vault/Models/Data/CipherSSHKeyData.cs @@ -0,0 +1,10 @@ +namespace Bit.Core.Vault.Models.Data; + +public class CipherSSHKeyData : CipherData +{ + public CipherSSHKeyData() { } + + public string PrivateKey { get; set; } + public string PublicKey { get; set; } + public string KeyFingerprint { get; set; } +} From 982d1bc55883714e96c7e2ce28d406dd162ce80b Mon Sep 17 00:00:00 2001 From: Jonas Hendrickx Date: Wed, 6 Nov 2024 09:44:16 +0100 Subject: [PATCH 05/10] [PM-13470] Allow creating clients for Multi-organization enterprise (#4977) --- .../AdminConsole/Services/ProviderService.cs | 30 ++++++++++++++----- .../Billing/ProviderBillingService.cs | 11 ++----- .../CreateClientOrganizationRequestBody.cs | 2 +- .../Responses/ProviderSubscriptionResponse.cs | 5 ++++ .../Billing/Extensions/BillingExtensions.cs | 2 +- 5 files changed, 32 insertions(+), 18 deletions(-) diff --git a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs index b6773f0bd..48ea903ad 100644 --- a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs +++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs @@ -392,7 +392,9 @@ public class ProviderService : IProviderService var organization = await _organizationRepository.GetByIdAsync(organizationId); - ThrowOnInvalidPlanType(organization.PlanType); + var provider = await _providerRepository.GetByIdAsync(providerId); + + ThrowOnInvalidPlanType(provider.Type, organization.PlanType); if (organization.UseSecretsManager) { @@ -407,8 +409,6 @@ public class ProviderService : IProviderService Key = key, }; - var provider = await _providerRepository.GetByIdAsync(providerId); - await ApplyProviderPriceRateAsync(organization, provider); await _providerOrganizationRepository.CreateAsync(providerOrganization); @@ -547,7 +547,7 @@ public class ProviderService : IProviderService var consolidatedBillingEnabled = _featureService.IsEnabled(FeatureFlagKeys.EnableConsolidatedBilling) && provider.IsBillable(); - ThrowOnInvalidPlanType(organizationSignup.Plan, consolidatedBillingEnabled); + ThrowOnInvalidPlanType(provider.Type, organizationSignup.Plan, consolidatedBillingEnabled); var (organization, _, defaultCollection) = consolidatedBillingEnabled ? await _organizationService.SignupClientAsync(organizationSignup) @@ -687,11 +687,27 @@ public class ProviderService : IProviderService return confirmedOwnersIds.Except(providerUserIds).Any(); } - private void ThrowOnInvalidPlanType(PlanType requestedType, bool consolidatedBillingEnabled = false) + private void ThrowOnInvalidPlanType(ProviderType providerType, PlanType requestedType, bool consolidatedBillingEnabled = false) { - if (consolidatedBillingEnabled && requestedType is not (PlanType.TeamsMonthly or PlanType.EnterpriseMonthly)) + if (consolidatedBillingEnabled) { - throw new BadRequestException($"Providers cannot manage organizations with the plan type {requestedType}. Only Teams (Monthly) and Enterprise (Monthly) are allowed."); + switch (providerType) + { + case ProviderType.Msp: + if (requestedType is not (PlanType.TeamsMonthly or PlanType.EnterpriseMonthly)) + { + throw new BadRequestException($"Managed Service Providers cannot manage organizations with the plan type {requestedType}. Only Teams (Monthly) and Enterprise (Monthly) are allowed."); + } + break; + case ProviderType.MultiOrganizationEnterprise: + if (requestedType is not (PlanType.EnterpriseMonthly or PlanType.EnterpriseAnnually)) + { + throw new BadRequestException($"Multi-organization Enterprise Providers cannot manage organizations with the plan type {requestedType}. Only Enterprise (Monthly) and Enterprise (Annually) are allowed."); + } + break; + default: + throw new BadRequestException($"Unsupported provider type {providerType}."); + } } if (ProviderDisallowedOrganizationTypes.Contains(requestedType)) diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs index 32698eaaf..e02160b06 100644 --- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs +++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs @@ -209,16 +209,9 @@ public class ProviderBillingService( { ArgumentNullException.ThrowIfNull(provider); - if (provider.Type != ProviderType.Msp) + if (!provider.SupportsConsolidatedBilling()) { - logger.LogError("Non-MSP provider ({ProviderID}) cannot scale their seats", provider.Id); - - throw new BillingException(); - } - - if (!planType.SupportsConsolidatedBilling()) - { - logger.LogError("Cannot scale provider ({ProviderID}) seats for plan type {PlanType} as it does not support consolidated billing", provider.Id, planType.ToString()); + logger.LogError("Provider ({ProviderID}) cannot scale their seats", provider.Id); throw new BillingException(); } diff --git a/src/Api/Billing/Models/Requests/CreateClientOrganizationRequestBody.cs b/src/Api/Billing/Models/Requests/CreateClientOrganizationRequestBody.cs index 39b2e3323..95836151d 100644 --- a/src/Api/Billing/Models/Requests/CreateClientOrganizationRequestBody.cs +++ b/src/Api/Billing/Models/Requests/CreateClientOrganizationRequestBody.cs @@ -12,7 +12,7 @@ public class CreateClientOrganizationRequestBody [Required(ErrorMessage = "'ownerEmail' must be provided")] public string OwnerEmail { get; set; } - [EnumMatches(PlanType.TeamsMonthly, PlanType.EnterpriseMonthly, ErrorMessage = "'planType' must be Teams (Monthly) or Enterprise (Monthly)")] + [EnumMatches(PlanType.TeamsMonthly, PlanType.EnterpriseMonthly, PlanType.EnterpriseAnnually, ErrorMessage = "'planType' must be Teams (Monthly), Enterprise (Monthly) or Enterprise (Annually)")] public PlanType PlanType { get; set; } [Range(1, int.MaxValue, ErrorMessage = "'seats' must be greater than 0")] diff --git a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs index e9902f98b..79e2dc0e0 100644 --- a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs +++ b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs @@ -1,4 +1,5 @@ using Bit.Core.Billing.Entities; +using Bit.Core.Billing.Enums; using Bit.Core.Billing.Models; using Bit.Core.Utilities; using Stripe; @@ -35,6 +36,8 @@ public record ProviderSubscriptionResponse( var cadence = plan.IsAnnual ? _annualCadence : _monthlyCadence; return new ProviderPlanResponse( plan.Name, + plan.Type, + plan.ProductTier, configuredProviderPlan.SeatMinimum, configuredProviderPlan.PurchasedSeats, configuredProviderPlan.AssignedSeats, @@ -59,6 +62,8 @@ public record ProviderSubscriptionResponse( public record ProviderPlanResponse( string PlanName, + PlanType Type, + ProductTierType ProductTier, int SeatMinimum, int PurchasedSeats, int AssignedSeats, diff --git a/src/Core/Billing/Extensions/BillingExtensions.cs b/src/Core/Billing/Extensions/BillingExtensions.cs index 21974b318..02e8de924 100644 --- a/src/Core/Billing/Extensions/BillingExtensions.cs +++ b/src/Core/Billing/Extensions/BillingExtensions.cs @@ -43,5 +43,5 @@ public static class BillingExtensions }; public static bool SupportsConsolidatedBilling(this PlanType planType) - => planType is PlanType.TeamsMonthly or PlanType.EnterpriseMonthly; + => planType is PlanType.TeamsMonthly or PlanType.EnterpriseMonthly or PlanType.EnterpriseAnnually; } From 05356248eb46e737b53ecca6d6ebfebffcb4d318 Mon Sep 17 00:00:00 2001 From: Jonas Hendrickx Date: Wed, 6 Nov 2024 15:46:20 +0100 Subject: [PATCH 06/10] [PM-13450] Change Client Plan when Provider's Plan changes. (#4980) --- .../Billing/ProviderBillingService.cs | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs index e02160b06..7b1d33599 100644 --- a/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs +++ b/bitwarden_license/src/Commercial.Core/Billing/ProviderBillingService.cs @@ -481,6 +481,23 @@ public class ProviderBillingService( }; await stripeAdapter.SubscriptionUpdateAsync(command.GatewaySubscriptionId, updateOptions); + + // Refactor later to ?ChangeClientPlanCommand? (ProviderPlanId, ProviderId, OrganizationId) + // 1. Retrieve PlanType and PlanName for ProviderPlan + // 2. Assign PlanType & PlanName to Organization + var providerOrganizations = await providerOrganizationRepository.GetManyDetailsByProviderAsync(plan.ProviderId); + + foreach (var providerOrganization in providerOrganizations) + { + var organization = await organizationRepository.GetByIdAsync(providerOrganization.OrganizationId); + if (organization == null) + { + throw new ConflictException($"Organization '{providerOrganization.Id}' not found."); + } + organization.PlanType = command.NewPlan; + organization.Plan = StaticStore.GetPlan(command.NewPlan).Name; + await organizationRepository.ReplaceAsync(organization); + } } public async Task UpdateSeatMinimums(UpdateProviderSeatMinimumsCommand command) From 9beeebaac50367e844a45ce89ab35b9612d7e57e Mon Sep 17 00:00:00 2001 From: Jonas Hendrickx Date: Wed, 6 Nov 2024 15:46:36 +0100 Subject: [PATCH 07/10] [PM-14456] Return provider type when getting provider's subscription (#4972) --- .../Controllers/ProviderBillingController.cs | 3 ++- .../Responses/ProviderSubscriptionResponse.cs | 13 +++++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/src/Api/Billing/Controllers/ProviderBillingController.cs b/src/Api/Billing/Controllers/ProviderBillingController.cs index eed7ed060..d2209685a 100644 --- a/src/Api/Billing/Controllers/ProviderBillingController.cs +++ b/src/Api/Billing/Controllers/ProviderBillingController.cs @@ -93,7 +93,8 @@ public class ProviderBillingController( subscription, providerPlans, taxInformation, - subscriptionSuspension); + subscriptionSuspension, + provider); return TypedResults.Ok(response); } diff --git a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs index 79e2dc0e0..2b0592f0e 100644 --- a/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs +++ b/src/Api/Billing/Models/Responses/ProviderSubscriptionResponse.cs @@ -1,4 +1,6 @@ -using Bit.Core.Billing.Entities; +using Bit.Core.AdminConsole.Entities.Provider; +using Bit.Core.AdminConsole.Enums.Provider; +using Bit.Core.Billing.Entities; using Bit.Core.Billing.Enums; using Bit.Core.Billing.Models; using Bit.Core.Utilities; @@ -15,7 +17,8 @@ public record ProviderSubscriptionResponse( decimal AccountCredit, TaxInformation TaxInformation, DateTime? CancelAt, - SubscriptionSuspension Suspension) + SubscriptionSuspension Suspension, + ProviderType ProviderType) { private const string _annualCadence = "Annual"; private const string _monthlyCadence = "Monthly"; @@ -24,7 +27,8 @@ public record ProviderSubscriptionResponse( Subscription subscription, ICollection providerPlans, TaxInformation taxInformation, - SubscriptionSuspension subscriptionSuspension) + SubscriptionSuspension subscriptionSuspension, + Provider provider) { var providerPlanResponses = providerPlans .Where(providerPlan => providerPlan.IsConfigured()) @@ -56,7 +60,8 @@ public record ProviderSubscriptionResponse( accountCredit, taxInformation, subscription.CancelAt, - subscriptionSuspension); + subscriptionSuspension, + provider.Type); } } From d63e18ec7a3c3b58ffb6ebbbc4e3e28162de8dad Mon Sep 17 00:00:00 2001 From: Matt Bishop Date: Wed, 6 Nov 2024 11:38:25 -0500 Subject: [PATCH 08/10] Check for secrets on database test report upload (#4984) --- .github/workflows/test-database.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml index e16c080bc..f053e81a5 100644 --- a/.github/workflows/test-database.yml +++ b/.github/workflows/test-database.yml @@ -30,9 +30,28 @@ on: - "test/Infrastructure.IntegrationTest/**" # Any changes to the tests jobs: + check-test-secrets: + name: Check for test secrets + runs-on: ubuntu-22.04 + outputs: + available: ${{ steps.check-test-secrets.outputs.available }} + permissions: + contents: read + + steps: + - name: Check + id: check-test-secrets + run: | + if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then + echo "available=true" >> $GITHUB_OUTPUT; + else + echo "available=false" >> $GITHUB_OUTPUT; + fi + test: name: Run tests runs-on: ubuntu-22.04 + needs: check-test-secrets steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -128,7 +147,7 @@ jobs: - name: Report test results uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1 - if: always() + if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }} with: name: Test Results path: "**/*-test-results.trx" From e7bd31c0090a2eb7f7bc8255db315369974c0d31 Mon Sep 17 00:00:00 2001 From: Matt Bishop Date: Wed, 6 Nov 2024 13:56:12 -0500 Subject: [PATCH 09/10] Check for secrets on Docker builds (#4985) --- .github/workflows/build.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 17e3e999e..26a347781 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -115,12 +115,33 @@ jobs: path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip if-no-files-found: error + check-akv-secrets: + name: Check for AKV secrets + runs-on: ubuntu-22.04 + outputs: + available: ${{ steps.check-akv-secrets.outputs.available }} + permissions: + contents: read + + steps: + - name: Check + id: check-akv-secrets + run: | + if [ "${{ secrets.AZURE_PROD_KV_CREDENTIALS }}" != '' ]; then + echo "available=true" >> $GITHUB_OUTPUT; + else + echo "available=false" >> $GITHUB_OUTPUT; + fi + build-docker: name: Build Docker images runs-on: ubuntu-22.04 permissions: security-events: write - needs: build-artifacts + needs: + - build-artifacts + - check-akv-secrets + if: ${{ needs.check-akv-secrets.outputs.available == 'true' }} strategy: fail-fast: false matrix: From 355ebfa889138b8d7d86148e943501977e2a81af Mon Sep 17 00:00:00 2001 From: Justin Baur <19896123+justindbaur@users.noreply.github.com> Date: Wed, 6 Nov 2024 14:36:07 -0500 Subject: [PATCH 10/10] Move Packages to Platform Ownership (#4988) --- .github/renovate.json | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index efab875d6..ac0813404 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -29,7 +29,7 @@ "commitMessagePrefix": "[deps] DevOps:" }, { - "matchPackageNames": ["DnsClient", "Quartz"], + "matchPackageNames": ["DnsClient"], "description": "Admin Console owned dependencies", "commitMessagePrefix": "[deps] AC:", "reviewers": ["team:team-admin-console-dev"] @@ -42,14 +42,7 @@ }, { "matchPackageNames": [ - "AspNetCoreRateLimit", - "AspNetCoreRateLimit.Redis", - "Azure.Data.Tables", "Azure.Extensions.AspNetCore.DataProtection.Blobs", - "Azure.Messaging.EventGrid", - "Azure.Messaging.ServiceBus", - "Azure.Storage.Blobs", - "Azure.Storage.Queues", "DuoUniversal", "Fido2.AspNet", "Duende.IdentityServer", @@ -128,8 +121,16 @@ }, { "matchPackageNames": [ + "AspNetCoreRateLimit", + "AspNetCoreRateLimit.Redis", + "Azure.Data.Tables", + "Azure.Messaging.EventGrid", + "Azure.Messaging.ServiceBus", + "Azure.Storage.Blobs", + "Azure.Storage.Queues", "Microsoft.AspNetCore.Authentication.JwtBearer", - "Microsoft.AspNetCore.Http" + "Microsoft.AspNetCore.Http", + "Quartz" ], "description": "Platform owned dependencies", "commitMessagePrefix": "[deps] Platform:",