Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-21 12:05:42 +01:00
Code Issues Projects Releases Wiki Activity

[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)

Browse Source 
* Add HasVerifiedDomainsAsync method to IOrganizationDomainService

* Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries

* Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter

* Update the EF query to use the Email from the User table

* dotnet format

* Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests

* Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync

* Fix domain queries

* Add OrganizationUserRepository integration tests

* Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync

* chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync

* Add IsManagedByAnyOrganizationAsync method to IUserRepository

* Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync

* Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync

* chore: Refactor IsManagedByAnyOrganizationAsync method in UserService

* Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool>

* Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query

* Update comments in OrganizationDomainService to use proper capitalization

* Move OrganizationDomainService to AdminConsole ownership and update namespace

* feat: Add support for organization domains in enterprise plans

* feat: Add HasOrganizationDomains property to OrganizationAbility class

* refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService

* Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains

* Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag

* Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks

* Bump date on migration script

* Add indexes to OrganizationDomain table

* Bump script migration date; Remove WITH ONLINE = ON from data migration.
This commit is contained in:
Rui Tomé 2024-09-11 11:29:57 +01:00 committed by GitHub
parent 3f1127489d
commit f2180aa7b7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
26 changed files with 692 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Admin/Jobs/DeleteUnverifiedOrganizationDomainsJob.cs
View File

@ -1,6 +1,6 @@
using Bit.Core;
using Bit.Core.AdminConsole.Services;
using Bit.Core.Jobs;
using Bit.Core.Services;
using Quartz;
namespace Bit.Admin.Jobs;

2
src/Api/Jobs/ValidateOrganizationDomainJob.cs
View File

@ -1,6 +1,6 @@
using Bit.Core;
using Bit.Core.AdminConsole.Services;
using Bit.Core.Jobs;
using Bit.Core.Services;
using Quartz;
namespace Bit.Api.Jobs;

41
src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs Normal file
View File

@ -0,0 +1,41 @@
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
using Bit.Core.Repositories;
using Bit.Core.Services;
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
{
private readonly IApplicationCacheService _applicationCacheService;
private readonly IOrganizationUserRepository _organizationUserRepository;
public GetOrganizationUsersManagementStatusQuery(
IApplicationCacheService applicationCacheService,
IOrganizationUserRepository organizationUserRepository)
{
_applicationCacheService = applicationCacheService;
_organizationUserRepository = organizationUserRepository;
}
public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
{
if (organizationUserIds.Any())
{
// Users can only be managed by an Organization that is enabled and can have organization domains
var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
// TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
// Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
if (organizationAbility is { Enabled: true, UseSso: true })
{
// Get all organization users with claimed domains by the organization
var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
// Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
}
}
return organizationUserIds.ToDictionary(ouId => ouId, _ => false);
}
}

19
src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs Normal file
View File

@ -0,0 +1,19 @@
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
public interface IGetOrganizationUsersManagementStatusQuery
{
/// <summary>
/// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
/// </summary>
/// <param name="organizationId">The unique identifier of the organization to check against.</param>
/// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
/// <remarks>
/// A managed user is a user whose email domain matches one of the Organization's verified domains.
/// The organization must be enabled and be on an Enterprise plan.
/// </remarks>
/// <returns>
/// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
/// </returns>
Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
IEnumerable<Guid> organizationUserIds);
}

5
src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
View File

@ -17,4 +17,9 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
Task<SelfHostedOrganizationDetails?> GetSelfHostedOrganizationDetailsById(Guid id);
Task<ICollection<Organization>> SearchUnassignedToProviderAsync(string name, string ownerEmail, int skip, int take);
Task<IEnumerable<string>> GetOwnerEmailAddressesById(Guid organizationId);
/// <summary>
/// Gets the organization that has a claimed domain matching the user's email domain.
/// </summary>
Task<Organization> GetByClaimedUserDomainAsync(Guid userId);
}

4
src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
View File

@ -55,4 +55,8 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
IEnumerable<OrganizationUser> resetPasswordKeys);
/// <summary>
/// Returns a list of OrganizationUsers with email domains that match one of the Organization's claimed domains.
/// </summary>
Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
}

11
src/Core/AdminConsole/Services/IOrganizationDomainService.cs Normal file
View File

@ -0,0 +1,11 @@
namespace Bit.Core.AdminConsole.Services;
public interface IOrganizationDomainService
{
Task ValidateOrganizationsDomainAsync();
Task OrganizationDomainMaintenanceAsync();
/// <summary>
/// Indicates if the organization has any verified domains.
/// </summary>
Task<bool> HasVerifiedDomainsAsync(Guid orgId);
}

17
src/Core/Services/Implementations/OrganizationDomainService.cs → src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
View File

@ -1,9 +1,10 @@
using Bit.Core.Enums;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Settings;
using Microsoft.Extensions.Logging;
namespace Bit.Core.Services;
namespace Bit.Core.AdminConsole.Services.Implementations;
public class OrganizationDomainService : IOrganizationDomainService
{
@ -53,7 +54,7 @@ public class OrganizationDomainService : IOrganizationDomainService
{
_logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
//update entry on OrganizationDomain table
// Update entry on OrganizationDomain table
domain.SetLastCheckedDate();
domain.SetVerifiedDate();
domain.SetJobRunCount();
@ -64,7 +65,7 @@ public class OrganizationDomainService : IOrganizationDomainService
}
else
{
//update entry on OrganizationDomain table
// Update entry on OrganizationDomain table
domain.SetLastCheckedDate();
domain.SetJobRunCount();
domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@ -78,7 +79,7 @@ public class OrganizationDomainService : IOrganizationDomainService
}
catch (Exception ex)
{
//update entry on OrganizationDomain table
// Update entry on OrganizationDomain table
domain.SetLastCheckedDate();
domain.SetJobRunCount();
domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@ -117,7 +118,7 @@ public class OrganizationDomainService : IOrganizationDomainService
_logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
}
//delete domains that have not been verified within 7 days
// Delete domains that have not been verified within 7 days
var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
_logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
}
@ -127,6 +128,12 @@ public class OrganizationDomainService : IOrganizationDomainService
}
}
public async Task<bool> HasVerifiedDomainsAsync(Guid orgId)
{
var orgDomains = await _domainRepository.GetDomainsByOrganizationIdAsync(orgId);
return orgDomains.Any(od => od.VerifiedDate != null);
}
private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
{
var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);

1
src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
View File

@ -139,6 +139,7 @@ public static class OrganizationServiceCollectionExtensions
services.AddScoped<ICountNewSmSeatsRequiredQuery, CountNewSmSeatsRequiredQuery>();
services.AddScoped<IAcceptOrgUserCommand, AcceptOrgUserCommand>();
services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
}
// TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of

7
src/Core/Services/IOrganizationDomainService.cs
View File

@ -1,7 +0,0 @@
namespace Bit.Core.Services;
public interface IOrganizationDomainService
{
Task ValidateOrganizationsDomainAsync();
Task OrganizationDomainMaintenanceAsync();
}

9
src/Core/Services/IUserService.cs
View File

@ -86,4 +86,13 @@ public interface IUserService
/// We force these users to the web to migrate their encryption scheme.
/// </summary>
Task<bool> IsLegacyUser(string userId);
/// <summary>
/// Indicates if the user is managed by any organization.
/// </summary>
/// <remarks>
/// A managed user is a user whose email domain matches one of the Organization's verified domains.
/// The organization must be enabled and be on an Enterprise plan.
/// </remarks>
Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
}

10
src/Core/Services/Implementations/UserService.cs
View File

@ -1244,6 +1244,16 @@ public class UserService : UserManager<User>, IUserService, IDisposable
return IsLegacyUser(user);
}
public async Task<bool> IsManagedByAnyOrganizationAsync(Guid userId)
{
// Users can only be managed by an Organization that is enabled and can have organization domains
var organization = await _organizationRepository.GetByClaimedUserDomainAsync(userId);
// TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
// Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
return organization is { Enabled: true, UseSso: true };
}
/// <inheritdoc cref="IsLegacyUser(string)"/>
public static bool IsLegacyUser(User user)
{

13
src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
View File

@ -167,4 +167,17 @@ public class OrganizationRepository : Repository<Organization, Guid>, IOrganizat
new { OrganizationId = organizationId },
commandType: CommandType.StoredProcedure);
}
public async Task<Organization> GetByClaimedUserDomainAsync(Guid userId)
{
using (var connection = new SqlConnection(ConnectionString))
{
var result = await connection.QueryAsync<Organization>(
"[dbo].[Organization_ReadByClaimedUserEmailDomain]",
new { UserId = userId },
commandType: CommandType.StoredProcedure);
return result.SingleOrDefault();
}
}
}

13
src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
View File

@ -545,4 +545,17 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
transaction: transaction,
commandType: CommandType.StoredProcedure);
}
public async Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<OrganizationUser>(
$"[{Schema}].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]",
new { OrganizationId = organizationId },
commandType: CommandType.StoredProcedure);
return results.ToList();
}
}
}

19
src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
View File

@ -271,6 +271,25 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
return await query.ToListAsync();
}
public async Task<Core.AdminConsole.Entities.Organization> GetByClaimedUserDomainAsync(Guid userId)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var query = from u in dbContext.Users
join ou in dbContext.OrganizationUsers on u.Id equals ou.UserId
join o in dbContext.Organizations on ou.OrganizationId equals o.Id
join od in dbContext.OrganizationDomains on ou.OrganizationId equals od.OrganizationId
where u.Id == userId
&& od.VerifiedDate != null
&& u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower())
select o;
return await query.FirstOrDefaultAsync();
}
}
public Task EnableCollectionEnhancements(Guid organizationId)
{
throw new NotImplementedException("Collection enhancements migration is not yet supported for Entity Framework.");

10
src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
View File

@ -711,4 +711,14 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
};
}
public async Task<ICollection<Core.Entities.OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var query = new OrganizationUserReadByClaimedOrganizationDomainsQuery(organizationId);
var data = await query.Run(dbContext).ToListAsync();
return data;
}
}
}

27
src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserReadByClaimedOrganizationDomainsQuery.cs Normal file
View File

@ -0,0 +1,27 @@
using Bit.Core.Entities;
namespace Bit.Infrastructure.EntityFramework.Repositories.Queries;
public class OrganizationUserReadByClaimedOrganizationDomainsQuery : IQuery<OrganizationUser>
{
private readonly Guid _organizationId;
public OrganizationUserReadByClaimedOrganizationDomainsQuery(Guid organizationId)
{
_organizationId = organizationId;
}
public IQueryable<OrganizationUser> Run(DatabaseContext dbContext)
{
var query = from ou in dbContext.OrganizationUsers
join u in dbContext.Users on ou.UserId equals u.Id
where ou.OrganizationId == _organizationId
&& dbContext.OrganizationDomains
.Any(od => od.OrganizationId == _organizationId &&
od.VerifiedDate != null &&
u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower()))
select ou;
return query;
}
}

18
src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByOrganizationIdWithClaimedDomains.sql Normal file
View File

@ -0,0 +1,18 @@
CREATE PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON;
SELECT OU.*
FROM [dbo].[OrganizationUserView] OU
INNER JOIN [dbo].[UserView] U ON OU.[UserId] = U.[Id]
WHERE OU.[OrganizationId] = @OrganizationId
AND EXISTS (
SELECT 1
FROM [dbo].[OrganizationDomainView] OD
WHERE OD.[OrganizationId] = @OrganizationId
AND OD.[VerifiedDate] IS NOT NULL
AND U.[Email] LIKE '%@' + OD.[DomainName]
);
END

15
src/Sql/dbo/Stored Procedures/Organization_ReadByClaimedUserEmailDomain.sql Normal file
View File

@ -0,0 +1,15 @@
CREATE PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON;
SELECT O.*
FROM [dbo].[UserView] U
INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
WHERE U.[Id] = @UserId
AND OD.[VerifiedDate] IS NOT NULL
AND U.[Email] LIKE '%@' + OD.[DomainName];
END

11
src/Sql/dbo/Tables/OrganizationDomain.sql
View File

@ -12,4 +12,13 @@ CREATE TABLE [dbo].[OrganizationDomain] (
CONSTRAINT [FK_OrganzationDomain_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
);
GO
GO
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_OrganizationIdVerifiedDate]
ON [dbo].[OrganizationDomain] ([OrganizationId],[VerifiedDate]);
GO
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
ON [dbo].[OrganizationDomain] ([VerifiedDate])
INCLUDE ([OrganizationId],[DomainName]);
GO

101
test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQueryTests.cs Normal file
View File

@ -0,0 +1,101 @@
using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
using Bit.Core.Entities;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using Xunit;
namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
[SutProviderCustomize]
public class GetOrganizationUsersManagementStatusQueryTests
{
[Theory, BitAutoData]
public async Task GetUsersOrganizationManagementStatusAsync_WithNoUsers_ReturnsEmpty(
Organization organization,
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
{
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, new List<Guid>());
Assert.Empty(result);
}
[Theory, BitAutoData]
public async Task GetUsersOrganizationManagementStatusAsync_WithUseSsoEnabled_Success(
Organization organization,
ICollection<OrganizationUser> usersWithClaimedDomain,
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
{
organization.Enabled = true;
organization.UseSso = true;
var userIdWithoutClaimedDomain = Guid.NewGuid();
var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
sutProvider.GetDependency<IApplicationCacheService>()
.GetOrganizationAbilityAsync(organization.Id)
.Returns(new OrganizationAbility(organization));
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
.Returns(usersWithClaimedDomain);
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
Assert.All(usersWithClaimedDomain, ou => Assert.True(result[ou.Id]));
Assert.False(result[userIdWithoutClaimedDomain]);
}
[Theory, BitAutoData]
public async Task GetUsersOrganizationManagementStatusAsync_WithUseSsoDisabled_ReturnsAllFalse(
Organization organization,
ICollection<OrganizationUser> usersWithClaimedDomain,
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
{
organization.Enabled = true;
organization.UseSso = false;
var userIdWithoutClaimedDomain = Guid.NewGuid();
var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
sutProvider.GetDependency<IApplicationCacheService>()
.GetOrganizationAbilityAsync(organization.Id)
.Returns(new OrganizationAbility(organization));
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
.Returns(usersWithClaimedDomain);
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
Assert.All(result, r => Assert.False(r.Value));
}
[Theory, BitAutoData]
public async Task GetUsersOrganizationManagementStatusAsync_WithDisabledOrganization_ReturnsAllFalse(
Organization organization,
ICollection<OrganizationUser> usersWithClaimedDomain,
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
{
organization.Enabled = false;
var userIdWithoutClaimedDomain = Guid.NewGuid();
var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
sutProvider.GetDependency<IApplicationCacheService>()
.GetOrganizationAbilityAsync(organization.Id)
.Returns(new OrganizationAbility(organization));
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
.Returns(usersWithClaimedDomain);
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
Assert.All(result, r => Assert.False(r.Value));
}
}

49
test/Core.Test/Services/OrganizationDomainServiceTests.cs → test/Core.Test/AdminConsole/Services/OrganizationDomainServiceTests.cs
View File

@ -1,4 +1,5 @@
using Bit.Core.Entities;
using Bit.Core.AdminConsole.Services.Implementations;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Repositories;
using Bit.Core.Services;
@ -7,7 +8,7 @@ using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using Xunit;
namespace Bit.Core.Test.Services;
namespace Bit.Core.Test.AdminConsole.Services;
[SutProviderCustomize]
public class OrganizationDomainServiceTests
@ -80,4 +81,48 @@ public class OrganizationDomainServiceTests
await sutProvider.GetDependency<IOrganizationDomainRepository>().ReceivedWithAnyArgs(1)
.DeleteExpiredAsync(7);
}
[Theory, BitAutoData]
public async Task HasVerifiedDomainsAsync_WithVerifiedDomain_ReturnsTrue(
OrganizationDomain organizationDomain,
SutProvider<OrganizationDomainService> sutProvider)
{
organizationDomain.SetVerifiedDate(); // Set the verified date to make it verified
sutProvider.GetDependency<IOrganizationDomainRepository>()
.GetDomainsByOrganizationIdAsync(organizationDomain.OrganizationId)
.Returns(new List<OrganizationDomain> { organizationDomain });
var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationDomain.OrganizationId);
Assert.True(result);
}
[Theory, BitAutoData]
public async Task HasVerifiedDomainsAsync_WithoutVerifiedDomain_ReturnsFalse(
OrganizationDomain organizationDomain,
SutProvider<OrganizationDomainService> sutProvider)
{
sutProvider.GetDependency<IOrganizationDomainRepository>()
.GetDomainsByOrganizationIdAsync(organizationDomain.OrganizationId)
.Returns(new List<OrganizationDomain> { organizationDomain });
var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationDomain.OrganizationId);
Assert.False(result);
}
[Theory, BitAutoData]
public async Task HasVerifiedDomainsAsync_WithoutOrganizationDomains_ReturnsFalse(
Guid organizationId,
SutProvider<OrganizationDomainService> sutProvider)
{
sutProvider.GetDependency<IOrganizationDomainRepository>()
.GetDomainsByOrganizationIdAsync(organizationId)
.Returns(new List<OrganizationDomain>());
var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationId);
Assert.False(result);
}
}

45
test/Core.Test/Services/UserServiceTests.cs
View File

@ -276,6 +276,51 @@ public class UserServiceTests
.VerifyHashedPassword(user, "hashed_test_password", secret);
}
[Theory, BitAutoData]
public async Task IsManagedByAnyOrganizationAsync_WithManagingEnabledOrganization_ReturnsTrue(
SutProvider<UserService> sutProvider, Guid userId, Organization organization)
{
organization.Enabled = true;
organization.UseSso = true;
sutProvider.GetDependency<IOrganizationRepository>()
.GetByClaimedUserDomainAsync(userId)
.Returns(organization);
var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
Assert.True(result);
}
[Theory, BitAutoData]
public async Task IsManagedByAnyOrganizationAsync_WithManagingDisabledOrganization_ReturnsFalse(
SutProvider<UserService> sutProvider, Guid userId, Organization organization)
{
organization.Enabled = false;
organization.UseSso = true;
sutProvider.GetDependency<IOrganizationRepository>()
.GetByClaimedUserDomainAsync(userId)
.Returns(organization);
var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
Assert.False(result);
}
[Theory, BitAutoData]
public async Task IsManagedByAnyOrganizationAsync_WithOrganizationUseSsoFalse_ReturnsFalse(
SutProvider<UserService> sutProvider, Guid userId, Organization organization)
{
organization.Enabled = true;
organization.UseSso = false;
sutProvider.GetDependency<IOrganizationRepository>()
.GetByClaimedUserDomainAsync(userId)
.Returns(organization);
var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
Assert.False(result);
}
private static void SetupUserAndDevice(User user,
bool shouldHavePassword)
{

109
test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs Normal file
View File

@ -0,0 +1,109 @@
using Bit.Core.AdminConsole.Entities;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Repositories;
using Xunit;
namespace Bit.Infrastructure.IntegrationTest.Repositories;
public class OrganizationRepositoryTests
{
[DatabaseTheory, DatabaseData]
public async Task GetByClaimedUserDomainAsync_WithVerifiedDomain_Success(
IUserRepository userRepository,
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
IOrganizationDomainRepository organizationDomainRepository)
{
var id = Guid.NewGuid();
var domainName = $"{id}.example.com";
var user1 = await userRepository.CreateAsync(new User
{
Name = "Test User 1",
Email = $"test+{id}@{domainName}",
ApiKey = "TEST",
SecurityStamp = "stamp",
Kdf = KdfType.PBKDF2_SHA256,
KdfIterations = 1,
KdfMemory = 2,
KdfParallelism = 3
});
var user2 = await userRepository.CreateAsync(new User
{
Name = "Test User 2",
Email = $"test+{id}@x-{domainName}", // Different domain
ApiKey = "TEST",
SecurityStamp = "stamp",
Kdf = KdfType.PBKDF2_SHA256,
KdfIterations = 1,
KdfMemory = 2,
KdfParallelism = 3
});
var user3 = await userRepository.CreateAsync(new User
{
Name = "Test User 2",
Email = $"test+{id}@{domainName}.example.com", // Different domain
ApiKey = "TEST",
SecurityStamp = "stamp",
Kdf = KdfType.PBKDF2_SHA256,
KdfIterations = 1,
KdfMemory = 2,
KdfParallelism = 3
});
var organization = await organizationRepository.CreateAsync(new Organization
{
Name = $"Test Org {id}",
BillingEmail = user1.Email, // TODO: EF does not enforce this being NOT NULl
Plan = "Test", // TODO: EF does not enforce this being NOT NULl
PrivateKey = "privatekey",
});
var organizationDomain = new OrganizationDomain
{
OrganizationId = organization.Id,
DomainName = domainName,
Txt = "btw+12345",
};
organizationDomain.SetVerifiedDate();
organizationDomain.SetNextRunDate(12);
organizationDomain.SetJobRunCount();
await organizationDomainRepository.CreateAsync(organizationDomain);
await organizationUserRepository.CreateAsync(new OrganizationUser
{
OrganizationId = organization.Id,
UserId = user1.Id,
Status = OrganizationUserStatusType.Confirmed,
ResetPasswordKey = "resetpasswordkey1",
});
await organizationUserRepository.CreateAsync(new OrganizationUser
{
OrganizationId = organization.Id,
UserId = user2.Id,
Status = OrganizationUserStatusType.Confirmed,
ResetPasswordKey = "resetpasswordkey1",
});
await organizationUserRepository.CreateAsync(new OrganizationUser
{
OrganizationId = organization.Id,
UserId = user3.Id,
Status = OrganizationUserStatusType.Confirmed,
ResetPasswordKey = "resetpasswordkey1",
});
var user1Response = await organizationRepository.GetByClaimedUserDomainAsync(user1.Id);
var user2Response = await organizationRepository.GetByClaimedUserDomainAsync(user2.Id);
var user3Response = await organizationRepository.GetByClaimedUserDomainAsync(user3.Id);
Assert.NotNull(user1Response);
Assert.Equal(organization.Id, user1Response.Id);
Assert.Null(user2Response);
Assert.Null(user3Response);
}
}

96
test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs
View File

@ -256,4 +256,100 @@ public class OrganizationUserRepositoryTests
Assert.Equal(organization.LimitCollectionCreationDeletion, result.LimitCollectionCreationDeletion);
Assert.Equal(organization.AllowAdminAccessToAllCollectionItems, result.AllowAdminAccessToAllCollectionItems);
}
[DatabaseTheory, DatabaseData]
public async Task GetManyByOrganizationWithClaimedDomainsAsync_WithVerifiedDomain_WithOneMatchingEmailDomain_ReturnsSingle(
IUserRepository userRepository,
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
IOrganizationDomainRepository organizationDomainRepository)
{
var id = Guid.NewGuid();
var domainName = $"{id}.example.com";
var user1 = await userRepository.CreateAsync(new User
{
Name = "Test User 1",
Email = $"test+{id}@{domainName}",
ApiKey = "TEST",
SecurityStamp = "stamp",
Kdf = KdfType.PBKDF2_SHA256,
KdfIterations = 1,
KdfMemory = 2,
KdfParallelism = 3
});
var user2 = await userRepository.CreateAsync(new User
{
Name = "Test User 2",
Email = $"test+{id}@x-{domainName}", // Different domain
ApiKey = "TEST",
SecurityStamp = "stamp",
Kdf = KdfType.PBKDF2_SHA256,
KdfIterations = 1,
KdfMemory = 2,
KdfParallelism = 3
});
var user3 = await userRepository.CreateAsync(new User
{
Name = "Test User 2",
Email = $"test+{id}@{domainName}.example.com", // Different domain
ApiKey = "TEST",
SecurityStamp = "stamp",
Kdf = KdfType.PBKDF2_SHA256,
KdfIterations = 1,
KdfMemory = 2,
KdfParallelism = 3
});
var organization = await organizationRepository.CreateAsync(new Organization
{
Name = $"Test Org {id}",
BillingEmail = user1.Email, // TODO: EF does not enforce this being NOT NULl
Plan = "Test", // TODO: EF does not enforce this being NOT NULl
PrivateKey = "privatekey",
});
var organizationDomain = new OrganizationDomain
{
OrganizationId = organization.Id,
DomainName = domainName,
Txt = "btw+12345",
};
organizationDomain.SetVerifiedDate();
organizationDomain.SetNextRunDate(12);
organizationDomain.SetJobRunCount();
await organizationDomainRepository.CreateAsync(organizationDomain);
var orgUser1 = await organizationUserRepository.CreateAsync(new OrganizationUser
{
OrganizationId = organization.Id,
UserId = user1.Id,
Status = OrganizationUserStatusType.Confirmed,
ResetPasswordKey = "resetpasswordkey1",
});
await organizationUserRepository.CreateAsync(new OrganizationUser
{
OrganizationId = organization.Id,
UserId = user2.Id,
Status = OrganizationUserStatusType.Confirmed,
ResetPasswordKey = "resetpasswordkey1",
});
await organizationUserRepository.CreateAsync(new OrganizationUser
{
OrganizationId = organization.Id,
UserId = user3.Id,
Status = OrganizationUserStatusType.Confirmed,
ResetPasswordKey = "resetpasswordkey1",
});
var responseModel = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
Assert.NotNull(responseModel);
Assert.Single(responseModel);
Assert.Equal(orgUser1.Id, responseModel.Single().Id);
}
}

55
util/Migrator/DbScripts/2024-09-10_00_UsersManagedByOrg.sql Normal file
View File

@ -0,0 +1,55 @@
IF NOT EXISTS(SELECT name
FROM sys.indexes
WHERE name = 'IX_OrganizationDomain_OrganizationIdVerifiedDate')
BEGIN
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_OrganizationIdVerifiedDate]
ON [dbo].[OrganizationDomain] ([OrganizationId],[VerifiedDate]);
END
GO
IF NOT EXISTS(SELECT name
FROM sys.indexes
WHERE name = 'IX_OrganizationDomain_VerifiedDate')
BEGIN
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
ON [dbo].[OrganizationDomain] ([VerifiedDate])
INCLUDE ([OrganizationId],[DomainName]);
END
GO
CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON;
SELECT OU.*
FROM [dbo].[OrganizationUserView] OU
INNER JOIN [dbo].[UserView] U ON OU.[UserId] = U.[Id]
WHERE OU.[OrganizationId] = @OrganizationId
AND EXISTS (
SELECT 1
FROM [dbo].[OrganizationDomainView] OD
WHERE OD.[OrganizationId] = @OrganizationId
AND OD.[VerifiedDate] IS NOT NULL
AND U.[Email] LIKE '%@' + OD.[DomainName]
);
END
GO
CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON;
SELECT O.*
FROM [dbo].[UserView] U
INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
WHERE U.[Id] = @UserId
AND OD.[VerifiedDate] IS NOT NULL
AND U.[Email] LIKE '%@' + OD.[DomainName];
END
GO