From b98b107c4b6c6c7c296295e9b55758d7ae9808b6 Mon Sep 17 00:00:00 2001
From: Rui Tome <rtome@bitwarden.com>
Date: Wed, 9 Aug 2023 12:48:03 +0100
Subject: [PATCH] [AC-108] Updated PolicyService to use
 IApplicationCacheService to determine if an organization uses policies

---
 .../Data/Organizations/OrganizationAbility.cs |  2 ++
 .../Services/Implementations/PolicyService.cs |  5 ++++
 .../Repositories/OrganizationRepository.cs    |  3 ++-
 .../Organization_ReadAbilities.sql            |  1 +
 .../Endpoints/IdentityServerSsoTests.cs       |  3 ++-
 .../Endpoints/IdentityServerTests.cs          |  2 +-
 .../2023-08-09_00_OrgAbilitiesUsePolicies.sql | 27 +++++++++++++++++++
 7 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 util/Migrator/DbScripts/2023-08-09_00_OrgAbilitiesUsePolicies.sql

diff --git a/src/Core/Models/Data/Organizations/OrganizationAbility.cs b/src/Core/Models/Data/Organizations/OrganizationAbility.cs
index 809f4d5d4..22bf4008e 100644
--- a/src/Core/Models/Data/Organizations/OrganizationAbility.cs
+++ b/src/Core/Models/Data/Organizations/OrganizationAbility.cs
@@ -20,6 +20,7 @@ public class OrganizationAbility
         UseScim = organization.UseScim;
         UseResetPassword = organization.UseResetPassword;
         UseCustomPermissions = organization.UseCustomPermissions;
+        UsePolicies = organization.UsePolicies;
     }
 
     public Guid Id { get; set; }
@@ -33,4 +34,5 @@ public class OrganizationAbility
     public bool UseScim { get; set; }
     public bool UseResetPassword { get; set; }
     public bool UseCustomPermissions { get; set; }
+    public bool UsePolicies { get; set; }
 }
diff --git a/src/Core/Services/Implementations/PolicyService.cs b/src/Core/Services/Implementations/PolicyService.cs
index 595a798e7..6f918e684 100644
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@@ -12,6 +12,7 @@ namespace Bit.Core.Services;
 
 public class PolicyService : IPolicyService
 {
+    private readonly IApplicationCacheService _applicationCacheService;
     private readonly IEventService _eventService;
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
@@ -23,6 +24,7 @@ public class PolicyService : IPolicyService
     private IEnumerable<OrganizationUserPolicyDetails> _cachedOrganizationUserPolicyDetails;
 
     public PolicyService(
+        IApplicationCacheService applicationCacheService,
         IEventService eventService,
         IOrganizationRepository organizationRepository,
         IOrganizationUserRepository organizationUserRepository,
@@ -31,6 +33,7 @@ public class PolicyService : IPolicyService
         IMailService mailService,
         GlobalSettings globalSettings)
     {
+        _applicationCacheService = applicationCacheService;
         _eventService = eventService;
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -206,7 +209,9 @@ public class PolicyService : IPolicyService
         }
 
         var excludedUserTypes = GetUserTypesExcludedFromPolicy(policyType);
+        var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
         return _cachedOrganizationUserPolicyDetails.Where(o =>
+            (!orgAbilities.ContainsKey(o.OrganizationId) || orgAbilities[o.OrganizationId].Enabled && orgAbilities[o.OrganizationId].UsePolicies) &&
             (policyType == null || o.PolicyType == policyType) &&
             o.PolicyEnabled &&
             !excludedUserTypes.Contains(o.OrganizationUserType) &&
diff --git a/src/Infrastructure.EntityFramework/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/Repositories/OrganizationRepository.cs
index 045ac881e..702f9bea5 100644
--- a/src/Infrastructure.EntityFramework/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/OrganizationRepository.cs
@@ -87,7 +87,8 @@ public class OrganizationRepository : Repository<Core.Entities.Organization, Org
                 UseKeyConnector = e.UseKeyConnector,
                 UseResetPassword = e.UseResetPassword,
                 UseScim = e.UseScim,
-                UseCustomPermissions = e.UseCustomPermissions
+                UseCustomPermissions = e.UseCustomPermissions,
+                UsePolicies = e.UsePolicies
             }).ToListAsync();
         }
     }
diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql
index ef9ffe09a..4a3348073 100644
--- a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
+++ b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql	
@@ -19,6 +19,7 @@ BEGIN
         [UseKeyConnector],
         [UseScim],
         [UseResetPassword],
+        [UsePolicies],
         [Enabled]
     FROM
         [dbo].[Organization]
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
index da23a2acd..35314ad9a 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
@@ -367,7 +367,7 @@ public class IdentityServerSsoTests
             RedirectUri = "https://localhost:8080/sso-connector.html",
             RequestedScopes = new[] { "api", "offline_access" },
             CodeChallenge = challenge.Sha256(),
-            CodeChallengeMethod = "plain", // 
+            CodeChallengeMethod = "plain", //
             Subject = null, // Temporarily set it to null
         };
 
@@ -397,6 +397,7 @@ public class IdentityServerSsoTests
         var organization = await organizationRepository.CreateAsync(new Organization
         {
             Name = "Test Org",
+            UsePolicies = true
         });
 
         var organizationUserRepository = factory.Services.GetRequiredService<IOrganizationUserRepository>();
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
index b1e74bd17..cae6ed172 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
@@ -556,7 +556,7 @@ public class IdentityServerTests : IClassFixture<IdentityApplicationFactory>
         var organizationUserRepository = _factory.Services.GetService<IOrganizationUserRepository>();
         var policyRepository = _factory.Services.GetService<IPolicyRepository>();
 
-        var organization = new Bit.Core.Entities.Organization { Id = organizationId, Enabled = true, UseSso = ssoPolicyEnabled };
+        var organization = new Bit.Core.Entities.Organization { Id = organizationId, Enabled = true, UseSso = ssoPolicyEnabled, UsePolicies = true };
         await organizationRepository.CreateAsync(organization);
 
         var user = await userRepository.GetByEmailAsync(username);
diff --git a/util/Migrator/DbScripts/2023-08-09_00_OrgAbilitiesUsePolicies.sql b/util/Migrator/DbScripts/2023-08-09_00_OrgAbilitiesUsePolicies.sql
new file mode 100644
index 000000000..f19c189fd
--- /dev/null
+++ b/util/Migrator/DbScripts/2023-08-09_00_OrgAbilitiesUsePolicies.sql
@@ -0,0 +1,27 @@
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadAbilities]
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [Id],
+        [UseEvents],
+        [Use2fa],
+        CASE
+        WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+            1
+        ELSE
+            0
+        END AS [Using2fa],
+        [UsersGetPremium],
+        [UseCustomPermissions],
+        [UseSso],
+        [UseKeyConnector],
+        [UseScim],
+        [UseResetPassword],
+        [UsePolicies],
+        [Enabled]
+    FROM
+        [dbo].[Organization]
+END
+GO