mirror of
https://github.com/bitwarden/server.git
synced 2024-11-21 12:05:42 +01:00
[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)
* Add HasVerifiedDomainsAsync method to IOrganizationDomainService * Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries * Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter * Update the EF query to use the Email from the User table * dotnet format * Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests * Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync * Fix domain queries * Add OrganizationUserRepository integration tests * Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync * chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync * Add IsManagedByAnyOrganizationAsync method to IUserRepository * Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync * Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync * chore: Refactor IsManagedByAnyOrganizationAsync method in UserService * Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool> * Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query * Update comments in OrganizationDomainService to use proper capitalization * Move OrganizationDomainService to AdminConsole ownership and update namespace * feat: Add support for organization domains in enterprise plans * feat: Add HasOrganizationDomains property to OrganizationAbility class * refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService * Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains * Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag * Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks * Bump date on migration script * Add indexes to OrganizationDomain table * Bump script migration date; Remove WITH ONLINE = ON from data migration.
This commit is contained in:
parent
3f1127489d
commit
f2180aa7b7
@ -1,6 +1,6 @@
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.Services;
|
||||
using Bit.Core.Jobs;
|
||||
using Bit.Core.Services;
|
||||
using Quartz;
|
||||
|
||||
namespace Bit.Admin.Jobs;
|
||||
|
@ -1,6 +1,6 @@
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.Services;
|
||||
using Bit.Core.Jobs;
|
||||
using Bit.Core.Services;
|
||||
using Quartz;
|
||||
|
||||
namespace Bit.Api.Jobs;
|
||||
|
@ -0,0 +1,41 @@
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
|
||||
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
|
||||
|
||||
public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
|
||||
{
|
||||
private readonly IApplicationCacheService _applicationCacheService;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
|
||||
public GetOrganizationUsersManagementStatusQuery(
|
||||
IApplicationCacheService applicationCacheService,
|
||||
IOrganizationUserRepository organizationUserRepository)
|
||||
{
|
||||
_applicationCacheService = applicationCacheService;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
}
|
||||
|
||||
public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
|
||||
{
|
||||
if (organizationUserIds.Any())
|
||||
{
|
||||
// Users can only be managed by an Organization that is enabled and can have organization domains
|
||||
var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
|
||||
|
||||
// TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
|
||||
// Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
|
||||
if (organizationAbility is { Enabled: true, UseSso: true })
|
||||
{
|
||||
// Get all organization users with claimed domains by the organization
|
||||
var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
|
||||
|
||||
// Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
|
||||
return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
|
||||
}
|
||||
}
|
||||
|
||||
return organizationUserIds.ToDictionary(ouId => ouId, _ => false);
|
||||
}
|
||||
}
|
@ -0,0 +1,19 @@
|
||||
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||
|
||||
public interface IGetOrganizationUsersManagementStatusQuery
|
||||
{
|
||||
/// <summary>
|
||||
/// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
|
||||
/// </summary>
|
||||
/// <param name="organizationId">The unique identifier of the organization to check against.</param>
|
||||
/// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
|
||||
/// <remarks>
|
||||
/// A managed user is a user whose email domain matches one of the Organization's verified domains.
|
||||
/// The organization must be enabled and be on an Enterprise plan.
|
||||
/// </remarks>
|
||||
/// <returns>
|
||||
/// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
|
||||
/// </returns>
|
||||
Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
|
||||
IEnumerable<Guid> organizationUserIds);
|
||||
}
|
@ -17,4 +17,9 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
|
||||
Task<SelfHostedOrganizationDetails?> GetSelfHostedOrganizationDetailsById(Guid id);
|
||||
Task<ICollection<Organization>> SearchUnassignedToProviderAsync(string name, string ownerEmail, int skip, int take);
|
||||
Task<IEnumerable<string>> GetOwnerEmailAddressesById(Guid organizationId);
|
||||
|
||||
/// <summary>
|
||||
/// Gets the organization that has a claimed domain matching the user's email domain.
|
||||
/// </summary>
|
||||
Task<Organization> GetByClaimedUserDomainAsync(Guid userId);
|
||||
}
|
||||
|
@ -55,4 +55,8 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
|
||||
UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
|
||||
IEnumerable<OrganizationUser> resetPasswordKeys);
|
||||
|
||||
/// <summary>
|
||||
/// Returns a list of OrganizationUsers with email domains that match one of the Organization's claimed domains.
|
||||
/// </summary>
|
||||
Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
|
||||
}
|
||||
|
11
src/Core/AdminConsole/Services/IOrganizationDomainService.cs
Normal file
11
src/Core/AdminConsole/Services/IOrganizationDomainService.cs
Normal file
@ -0,0 +1,11 @@
|
||||
namespace Bit.Core.AdminConsole.Services;
|
||||
|
||||
public interface IOrganizationDomainService
|
||||
{
|
||||
Task ValidateOrganizationsDomainAsync();
|
||||
Task OrganizationDomainMaintenanceAsync();
|
||||
/// <summary>
|
||||
/// Indicates if the organization has any verified domains.
|
||||
/// </summary>
|
||||
Task<bool> HasVerifiedDomainsAsync(Guid orgId);
|
||||
}
|
@ -1,9 +1,10 @@
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Settings;
|
||||
using Microsoft.Extensions.Logging;
|
||||
|
||||
namespace Bit.Core.Services;
|
||||
namespace Bit.Core.AdminConsole.Services.Implementations;
|
||||
|
||||
public class OrganizationDomainService : IOrganizationDomainService
|
||||
{
|
||||
@ -53,7 +54,7 @@ public class OrganizationDomainService : IOrganizationDomainService
|
||||
{
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
|
||||
|
||||
//update entry on OrganizationDomain table
|
||||
// Update entry on OrganizationDomain table
|
||||
domain.SetLastCheckedDate();
|
||||
domain.SetVerifiedDate();
|
||||
domain.SetJobRunCount();
|
||||
@ -64,7 +65,7 @@ public class OrganizationDomainService : IOrganizationDomainService
|
||||
}
|
||||
else
|
||||
{
|
||||
//update entry on OrganizationDomain table
|
||||
// Update entry on OrganizationDomain table
|
||||
domain.SetLastCheckedDate();
|
||||
domain.SetJobRunCount();
|
||||
domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
|
||||
@ -78,7 +79,7 @@ public class OrganizationDomainService : IOrganizationDomainService
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
//update entry on OrganizationDomain table
|
||||
// Update entry on OrganizationDomain table
|
||||
domain.SetLastCheckedDate();
|
||||
domain.SetJobRunCount();
|
||||
domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
|
||||
@ -117,7 +118,7 @@ public class OrganizationDomainService : IOrganizationDomainService
|
||||
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
|
||||
}
|
||||
//delete domains that have not been verified within 7 days
|
||||
// Delete domains that have not been verified within 7 days
|
||||
var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
|
||||
}
|
||||
@ -127,6 +128,12 @@ public class OrganizationDomainService : IOrganizationDomainService
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<bool> HasVerifiedDomainsAsync(Guid orgId)
|
||||
{
|
||||
var orgDomains = await _domainRepository.GetDomainsByOrganizationIdAsync(orgId);
|
||||
return orgDomains.Any(od => od.VerifiedDate != null);
|
||||
}
|
||||
|
||||
private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
|
||||
{
|
||||
var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
|
@ -139,6 +139,7 @@ public static class OrganizationServiceCollectionExtensions
|
||||
services.AddScoped<ICountNewSmSeatsRequiredQuery, CountNewSmSeatsRequiredQuery>();
|
||||
services.AddScoped<IAcceptOrgUserCommand, AcceptOrgUserCommand>();
|
||||
services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
|
||||
services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
|
||||
}
|
||||
|
||||
// TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of
|
||||
|
@ -1,7 +0,0 @@
|
||||
namespace Bit.Core.Services;
|
||||
|
||||
public interface IOrganizationDomainService
|
||||
{
|
||||
Task ValidateOrganizationsDomainAsync();
|
||||
Task OrganizationDomainMaintenanceAsync();
|
||||
}
|
@ -86,4 +86,13 @@ public interface IUserService
|
||||
/// We force these users to the web to migrate their encryption scheme.
|
||||
/// </summary>
|
||||
Task<bool> IsLegacyUser(string userId);
|
||||
|
||||
/// <summary>
|
||||
/// Indicates if the user is managed by any organization.
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// A managed user is a user whose email domain matches one of the Organization's verified domains.
|
||||
/// The organization must be enabled and be on an Enterprise plan.
|
||||
/// </remarks>
|
||||
Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
|
||||
}
|
||||
|
@ -1244,6 +1244,16 @@ public class UserService : UserManager<User>, IUserService, IDisposable
|
||||
return IsLegacyUser(user);
|
||||
}
|
||||
|
||||
public async Task<bool> IsManagedByAnyOrganizationAsync(Guid userId)
|
||||
{
|
||||
// Users can only be managed by an Organization that is enabled and can have organization domains
|
||||
var organization = await _organizationRepository.GetByClaimedUserDomainAsync(userId);
|
||||
|
||||
// TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
|
||||
// Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
|
||||
return organization is { Enabled: true, UseSso: true };
|
||||
}
|
||||
|
||||
/// <inheritdoc cref="IsLegacyUser(string)"/>
|
||||
public static bool IsLegacyUser(User user)
|
||||
{
|
||||
|
@ -167,4 +167,17 @@ public class OrganizationRepository : Repository<Organization, Guid>, IOrganizat
|
||||
new { OrganizationId = organizationId },
|
||||
commandType: CommandType.StoredProcedure);
|
||||
}
|
||||
|
||||
public async Task<Organization> GetByClaimedUserDomainAsync(Guid userId)
|
||||
{
|
||||
using (var connection = new SqlConnection(ConnectionString))
|
||||
{
|
||||
var result = await connection.QueryAsync<Organization>(
|
||||
"[dbo].[Organization_ReadByClaimedUserEmailDomain]",
|
||||
new { UserId = userId },
|
||||
commandType: CommandType.StoredProcedure);
|
||||
|
||||
return result.SingleOrDefault();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -545,4 +545,17 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
|
||||
transaction: transaction,
|
||||
commandType: CommandType.StoredProcedure);
|
||||
}
|
||||
|
||||
public async Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
|
||||
{
|
||||
using (var connection = new SqlConnection(ConnectionString))
|
||||
{
|
||||
var results = await connection.QueryAsync<OrganizationUser>(
|
||||
$"[{Schema}].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]",
|
||||
new { OrganizationId = organizationId },
|
||||
commandType: CommandType.StoredProcedure);
|
||||
|
||||
return results.ToList();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -271,6 +271,25 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
|
||||
return await query.ToListAsync();
|
||||
}
|
||||
|
||||
public async Task<Core.AdminConsole.Entities.Organization> GetByClaimedUserDomainAsync(Guid userId)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
|
||||
var query = from u in dbContext.Users
|
||||
join ou in dbContext.OrganizationUsers on u.Id equals ou.UserId
|
||||
join o in dbContext.Organizations on ou.OrganizationId equals o.Id
|
||||
join od in dbContext.OrganizationDomains on ou.OrganizationId equals od.OrganizationId
|
||||
where u.Id == userId
|
||||
&& od.VerifiedDate != null
|
||||
&& u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower())
|
||||
select o;
|
||||
|
||||
return await query.FirstOrDefaultAsync();
|
||||
}
|
||||
}
|
||||
|
||||
public Task EnableCollectionEnhancements(Guid organizationId)
|
||||
{
|
||||
throw new NotImplementedException("Collection enhancements migration is not yet supported for Entity Framework.");
|
||||
|
@ -711,4 +711,14 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
|
||||
};
|
||||
}
|
||||
|
||||
public async Task<ICollection<Core.Entities.OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
var query = new OrganizationUserReadByClaimedOrganizationDomainsQuery(organizationId);
|
||||
var data = await query.Run(dbContext).ToListAsync();
|
||||
return data;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,27 @@
|
||||
using Bit.Core.Entities;
|
||||
|
||||
namespace Bit.Infrastructure.EntityFramework.Repositories.Queries;
|
||||
|
||||
public class OrganizationUserReadByClaimedOrganizationDomainsQuery : IQuery<OrganizationUser>
|
||||
{
|
||||
private readonly Guid _organizationId;
|
||||
|
||||
public OrganizationUserReadByClaimedOrganizationDomainsQuery(Guid organizationId)
|
||||
{
|
||||
_organizationId = organizationId;
|
||||
}
|
||||
|
||||
public IQueryable<OrganizationUser> Run(DatabaseContext dbContext)
|
||||
{
|
||||
var query = from ou in dbContext.OrganizationUsers
|
||||
join u in dbContext.Users on ou.UserId equals u.Id
|
||||
where ou.OrganizationId == _organizationId
|
||||
&& dbContext.OrganizationDomains
|
||||
.Any(od => od.OrganizationId == _organizationId &&
|
||||
od.VerifiedDate != null &&
|
||||
u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower()))
|
||||
select ou;
|
||||
|
||||
return query;
|
||||
}
|
||||
}
|
@ -0,0 +1,18 @@
|
||||
CREATE PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]
|
||||
@OrganizationId UNIQUEIDENTIFIER
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON;
|
||||
|
||||
SELECT OU.*
|
||||
FROM [dbo].[OrganizationUserView] OU
|
||||
INNER JOIN [dbo].[UserView] U ON OU.[UserId] = U.[Id]
|
||||
WHERE OU.[OrganizationId] = @OrganizationId
|
||||
AND EXISTS (
|
||||
SELECT 1
|
||||
FROM [dbo].[OrganizationDomainView] OD
|
||||
WHERE OD.[OrganizationId] = @OrganizationId
|
||||
AND OD.[VerifiedDate] IS NOT NULL
|
||||
AND U.[Email] LIKE '%@' + OD.[DomainName]
|
||||
);
|
||||
END
|
@ -0,0 +1,15 @@
|
||||
CREATE PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
|
||||
@UserId UNIQUEIDENTIFIER
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON;
|
||||
|
||||
SELECT O.*
|
||||
FROM [dbo].[UserView] U
|
||||
INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
|
||||
INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
|
||||
INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
|
||||
WHERE U.[Id] = @UserId
|
||||
AND OD.[VerifiedDate] IS NOT NULL
|
||||
AND U.[Email] LIKE '%@' + OD.[DomainName];
|
||||
END
|
@ -13,3 +13,12 @@ CREATE TABLE [dbo].[OrganizationDomain] (
|
||||
);
|
||||
|
||||
GO
|
||||
|
||||
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_OrganizationIdVerifiedDate]
|
||||
ON [dbo].[OrganizationDomain] ([OrganizationId],[VerifiedDate]);
|
||||
GO
|
||||
|
||||
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
|
||||
ON [dbo].[OrganizationDomain] ([VerifiedDate])
|
||||
INCLUDE ([OrganizationId],[DomainName]);
|
||||
GO
|
||||
|
@ -0,0 +1,101 @@
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Models.Data.Organizations;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class GetOrganizationUsersManagementStatusQueryTests
|
||||
{
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetUsersOrganizationManagementStatusAsync_WithNoUsers_ReturnsEmpty(
|
||||
Organization organization,
|
||||
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
|
||||
{
|
||||
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, new List<Guid>());
|
||||
|
||||
Assert.Empty(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetUsersOrganizationManagementStatusAsync_WithUseSsoEnabled_Success(
|
||||
Organization organization,
|
||||
ICollection<OrganizationUser> usersWithClaimedDomain,
|
||||
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
|
||||
{
|
||||
organization.Enabled = true;
|
||||
organization.UseSso = true;
|
||||
|
||||
var userIdWithoutClaimedDomain = Guid.NewGuid();
|
||||
var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
|
||||
|
||||
sutProvider.GetDependency<IApplicationCacheService>()
|
||||
.GetOrganizationAbilityAsync(organization.Id)
|
||||
.Returns(new OrganizationAbility(organization));
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
|
||||
.Returns(usersWithClaimedDomain);
|
||||
|
||||
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
|
||||
|
||||
Assert.All(usersWithClaimedDomain, ou => Assert.True(result[ou.Id]));
|
||||
Assert.False(result[userIdWithoutClaimedDomain]);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetUsersOrganizationManagementStatusAsync_WithUseSsoDisabled_ReturnsAllFalse(
|
||||
Organization organization,
|
||||
ICollection<OrganizationUser> usersWithClaimedDomain,
|
||||
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
|
||||
{
|
||||
organization.Enabled = true;
|
||||
organization.UseSso = false;
|
||||
|
||||
var userIdWithoutClaimedDomain = Guid.NewGuid();
|
||||
var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
|
||||
|
||||
sutProvider.GetDependency<IApplicationCacheService>()
|
||||
.GetOrganizationAbilityAsync(organization.Id)
|
||||
.Returns(new OrganizationAbility(organization));
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
|
||||
.Returns(usersWithClaimedDomain);
|
||||
|
||||
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
|
||||
|
||||
Assert.All(result, r => Assert.False(r.Value));
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetUsersOrganizationManagementStatusAsync_WithDisabledOrganization_ReturnsAllFalse(
|
||||
Organization organization,
|
||||
ICollection<OrganizationUser> usersWithClaimedDomain,
|
||||
SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
|
||||
{
|
||||
organization.Enabled = false;
|
||||
|
||||
var userIdWithoutClaimedDomain = Guid.NewGuid();
|
||||
var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
|
||||
|
||||
sutProvider.GetDependency<IApplicationCacheService>()
|
||||
.GetOrganizationAbilityAsync(organization.Id)
|
||||
.Returns(new OrganizationAbility(organization));
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
|
||||
.Returns(usersWithClaimedDomain);
|
||||
|
||||
var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
|
||||
|
||||
Assert.All(result, r => Assert.False(r.Value));
|
||||
}
|
||||
}
|
@ -1,4 +1,5 @@
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.AdminConsole.Services.Implementations;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
@ -7,7 +8,7 @@ using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Core.Test.Services;
|
||||
namespace Bit.Core.Test.AdminConsole.Services;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class OrganizationDomainServiceTests
|
||||
@ -80,4 +81,48 @@ public class OrganizationDomainServiceTests
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().ReceivedWithAnyArgs(1)
|
||||
.DeleteExpiredAsync(7);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task HasVerifiedDomainsAsync_WithVerifiedDomain_ReturnsTrue(
|
||||
OrganizationDomain organizationDomain,
|
||||
SutProvider<OrganizationDomainService> sutProvider)
|
||||
{
|
||||
organizationDomain.SetVerifiedDate(); // Set the verified date to make it verified
|
||||
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetDomainsByOrganizationIdAsync(organizationDomain.OrganizationId)
|
||||
.Returns(new List<OrganizationDomain> { organizationDomain });
|
||||
|
||||
var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationDomain.OrganizationId);
|
||||
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task HasVerifiedDomainsAsync_WithoutVerifiedDomain_ReturnsFalse(
|
||||
OrganizationDomain organizationDomain,
|
||||
SutProvider<OrganizationDomainService> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetDomainsByOrganizationIdAsync(organizationDomain.OrganizationId)
|
||||
.Returns(new List<OrganizationDomain> { organizationDomain });
|
||||
|
||||
var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationDomain.OrganizationId);
|
||||
|
||||
Assert.False(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task HasVerifiedDomainsAsync_WithoutOrganizationDomains_ReturnsFalse(
|
||||
Guid organizationId,
|
||||
SutProvider<OrganizationDomainService> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetDomainsByOrganizationIdAsync(organizationId)
|
||||
.Returns(new List<OrganizationDomain>());
|
||||
|
||||
var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationId);
|
||||
|
||||
Assert.False(result);
|
||||
}
|
||||
}
|
@ -276,6 +276,51 @@ public class UserServiceTests
|
||||
.VerifyHashedPassword(user, "hashed_test_password", secret);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task IsManagedByAnyOrganizationAsync_WithManagingEnabledOrganization_ReturnsTrue(
|
||||
SutProvider<UserService> sutProvider, Guid userId, Organization organization)
|
||||
{
|
||||
organization.Enabled = true;
|
||||
organization.UseSso = true;
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>()
|
||||
.GetByClaimedUserDomainAsync(userId)
|
||||
.Returns(organization);
|
||||
|
||||
var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task IsManagedByAnyOrganizationAsync_WithManagingDisabledOrganization_ReturnsFalse(
|
||||
SutProvider<UserService> sutProvider, Guid userId, Organization organization)
|
||||
{
|
||||
organization.Enabled = false;
|
||||
organization.UseSso = true;
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>()
|
||||
.GetByClaimedUserDomainAsync(userId)
|
||||
.Returns(organization);
|
||||
|
||||
var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
|
||||
Assert.False(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task IsManagedByAnyOrganizationAsync_WithOrganizationUseSsoFalse_ReturnsFalse(
|
||||
SutProvider<UserService> sutProvider, Guid userId, Organization organization)
|
||||
{
|
||||
organization.Enabled = true;
|
||||
organization.UseSso = false;
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>()
|
||||
.GetByClaimedUserDomainAsync(userId)
|
||||
.Returns(organization);
|
||||
|
||||
var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
|
||||
Assert.False(result);
|
||||
}
|
||||
|
||||
private static void SetupUserAndDevice(User user,
|
||||
bool shouldHavePassword)
|
||||
{
|
||||
|
@ -0,0 +1,109 @@
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Repositories;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Infrastructure.IntegrationTest.Repositories;
|
||||
|
||||
public class OrganizationRepositoryTests
|
||||
{
|
||||
[DatabaseTheory, DatabaseData]
|
||||
public async Task GetByClaimedUserDomainAsync_WithVerifiedDomain_Success(
|
||||
IUserRepository userRepository,
|
||||
IOrganizationRepository organizationRepository,
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
IOrganizationDomainRepository organizationDomainRepository)
|
||||
{
|
||||
var id = Guid.NewGuid();
|
||||
var domainName = $"{id}.example.com";
|
||||
|
||||
var user1 = await userRepository.CreateAsync(new User
|
||||
{
|
||||
Name = "Test User 1",
|
||||
Email = $"test+{id}@{domainName}",
|
||||
ApiKey = "TEST",
|
||||
SecurityStamp = "stamp",
|
||||
Kdf = KdfType.PBKDF2_SHA256,
|
||||
KdfIterations = 1,
|
||||
KdfMemory = 2,
|
||||
KdfParallelism = 3
|
||||
});
|
||||
|
||||
var user2 = await userRepository.CreateAsync(new User
|
||||
{
|
||||
Name = "Test User 2",
|
||||
Email = $"test+{id}@x-{domainName}", // Different domain
|
||||
ApiKey = "TEST",
|
||||
SecurityStamp = "stamp",
|
||||
Kdf = KdfType.PBKDF2_SHA256,
|
||||
KdfIterations = 1,
|
||||
KdfMemory = 2,
|
||||
KdfParallelism = 3
|
||||
});
|
||||
|
||||
var user3 = await userRepository.CreateAsync(new User
|
||||
{
|
||||
Name = "Test User 2",
|
||||
Email = $"test+{id}@{domainName}.example.com", // Different domain
|
||||
ApiKey = "TEST",
|
||||
SecurityStamp = "stamp",
|
||||
Kdf = KdfType.PBKDF2_SHA256,
|
||||
KdfIterations = 1,
|
||||
KdfMemory = 2,
|
||||
KdfParallelism = 3
|
||||
});
|
||||
|
||||
var organization = await organizationRepository.CreateAsync(new Organization
|
||||
{
|
||||
Name = $"Test Org {id}",
|
||||
BillingEmail = user1.Email, // TODO: EF does not enforce this being NOT NULl
|
||||
Plan = "Test", // TODO: EF does not enforce this being NOT NULl
|
||||
PrivateKey = "privatekey",
|
||||
});
|
||||
|
||||
var organizationDomain = new OrganizationDomain
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
DomainName = domainName,
|
||||
Txt = "btw+12345",
|
||||
};
|
||||
organizationDomain.SetVerifiedDate();
|
||||
organizationDomain.SetNextRunDate(12);
|
||||
organizationDomain.SetJobRunCount();
|
||||
await organizationDomainRepository.CreateAsync(organizationDomain);
|
||||
|
||||
await organizationUserRepository.CreateAsync(new OrganizationUser
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
UserId = user1.Id,
|
||||
Status = OrganizationUserStatusType.Confirmed,
|
||||
ResetPasswordKey = "resetpasswordkey1",
|
||||
});
|
||||
|
||||
await organizationUserRepository.CreateAsync(new OrganizationUser
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
UserId = user2.Id,
|
||||
Status = OrganizationUserStatusType.Confirmed,
|
||||
ResetPasswordKey = "resetpasswordkey1",
|
||||
});
|
||||
|
||||
await organizationUserRepository.CreateAsync(new OrganizationUser
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
UserId = user3.Id,
|
||||
Status = OrganizationUserStatusType.Confirmed,
|
||||
ResetPasswordKey = "resetpasswordkey1",
|
||||
});
|
||||
|
||||
var user1Response = await organizationRepository.GetByClaimedUserDomainAsync(user1.Id);
|
||||
var user2Response = await organizationRepository.GetByClaimedUserDomainAsync(user2.Id);
|
||||
var user3Response = await organizationRepository.GetByClaimedUserDomainAsync(user3.Id);
|
||||
|
||||
Assert.NotNull(user1Response);
|
||||
Assert.Equal(organization.Id, user1Response.Id);
|
||||
Assert.Null(user2Response);
|
||||
Assert.Null(user3Response);
|
||||
}
|
||||
}
|
@ -256,4 +256,100 @@ public class OrganizationUserRepositoryTests
|
||||
Assert.Equal(organization.LimitCollectionCreationDeletion, result.LimitCollectionCreationDeletion);
|
||||
Assert.Equal(organization.AllowAdminAccessToAllCollectionItems, result.AllowAdminAccessToAllCollectionItems);
|
||||
}
|
||||
|
||||
[DatabaseTheory, DatabaseData]
|
||||
public async Task GetManyByOrganizationWithClaimedDomainsAsync_WithVerifiedDomain_WithOneMatchingEmailDomain_ReturnsSingle(
|
||||
IUserRepository userRepository,
|
||||
IOrganizationRepository organizationRepository,
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
IOrganizationDomainRepository organizationDomainRepository)
|
||||
{
|
||||
var id = Guid.NewGuid();
|
||||
var domainName = $"{id}.example.com";
|
||||
|
||||
var user1 = await userRepository.CreateAsync(new User
|
||||
{
|
||||
Name = "Test User 1",
|
||||
Email = $"test+{id}@{domainName}",
|
||||
ApiKey = "TEST",
|
||||
SecurityStamp = "stamp",
|
||||
Kdf = KdfType.PBKDF2_SHA256,
|
||||
KdfIterations = 1,
|
||||
KdfMemory = 2,
|
||||
KdfParallelism = 3
|
||||
});
|
||||
|
||||
var user2 = await userRepository.CreateAsync(new User
|
||||
{
|
||||
Name = "Test User 2",
|
||||
Email = $"test+{id}@x-{domainName}", // Different domain
|
||||
ApiKey = "TEST",
|
||||
SecurityStamp = "stamp",
|
||||
Kdf = KdfType.PBKDF2_SHA256,
|
||||
KdfIterations = 1,
|
||||
KdfMemory = 2,
|
||||
KdfParallelism = 3
|
||||
});
|
||||
|
||||
var user3 = await userRepository.CreateAsync(new User
|
||||
{
|
||||
Name = "Test User 2",
|
||||
Email = $"test+{id}@{domainName}.example.com", // Different domain
|
||||
ApiKey = "TEST",
|
||||
SecurityStamp = "stamp",
|
||||
Kdf = KdfType.PBKDF2_SHA256,
|
||||
KdfIterations = 1,
|
||||
KdfMemory = 2,
|
||||
KdfParallelism = 3
|
||||
});
|
||||
|
||||
var organization = await organizationRepository.CreateAsync(new Organization
|
||||
{
|
||||
Name = $"Test Org {id}",
|
||||
BillingEmail = user1.Email, // TODO: EF does not enforce this being NOT NULl
|
||||
Plan = "Test", // TODO: EF does not enforce this being NOT NULl
|
||||
PrivateKey = "privatekey",
|
||||
});
|
||||
|
||||
var organizationDomain = new OrganizationDomain
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
DomainName = domainName,
|
||||
Txt = "btw+12345",
|
||||
};
|
||||
organizationDomain.SetVerifiedDate();
|
||||
organizationDomain.SetNextRunDate(12);
|
||||
organizationDomain.SetJobRunCount();
|
||||
await organizationDomainRepository.CreateAsync(organizationDomain);
|
||||
|
||||
var orgUser1 = await organizationUserRepository.CreateAsync(new OrganizationUser
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
UserId = user1.Id,
|
||||
Status = OrganizationUserStatusType.Confirmed,
|
||||
ResetPasswordKey = "resetpasswordkey1",
|
||||
});
|
||||
|
||||
await organizationUserRepository.CreateAsync(new OrganizationUser
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
UserId = user2.Id,
|
||||
Status = OrganizationUserStatusType.Confirmed,
|
||||
ResetPasswordKey = "resetpasswordkey1",
|
||||
});
|
||||
|
||||
await organizationUserRepository.CreateAsync(new OrganizationUser
|
||||
{
|
||||
OrganizationId = organization.Id,
|
||||
UserId = user3.Id,
|
||||
Status = OrganizationUserStatusType.Confirmed,
|
||||
ResetPasswordKey = "resetpasswordkey1",
|
||||
});
|
||||
|
||||
var responseModel = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
|
||||
|
||||
Assert.NotNull(responseModel);
|
||||
Assert.Single(responseModel);
|
||||
Assert.Equal(orgUser1.Id, responseModel.Single().Id);
|
||||
}
|
||||
}
|
||||
|
55
util/Migrator/DbScripts/2024-09-10_00_UsersManagedByOrg.sql
Normal file
55
util/Migrator/DbScripts/2024-09-10_00_UsersManagedByOrg.sql
Normal file
@ -0,0 +1,55 @@
|
||||
IF NOT EXISTS(SELECT name
|
||||
FROM sys.indexes
|
||||
WHERE name = 'IX_OrganizationDomain_OrganizationIdVerifiedDate')
|
||||
BEGIN
|
||||
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_OrganizationIdVerifiedDate]
|
||||
ON [dbo].[OrganizationDomain] ([OrganizationId],[VerifiedDate]);
|
||||
END
|
||||
GO
|
||||
|
||||
IF NOT EXISTS(SELECT name
|
||||
FROM sys.indexes
|
||||
WHERE name = 'IX_OrganizationDomain_VerifiedDate')
|
||||
BEGIN
|
||||
CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
|
||||
ON [dbo].[OrganizationDomain] ([VerifiedDate])
|
||||
INCLUDE ([OrganizationId],[DomainName]);
|
||||
END
|
||||
GO
|
||||
|
||||
CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]
|
||||
@OrganizationId UNIQUEIDENTIFIER
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON;
|
||||
|
||||
SELECT OU.*
|
||||
FROM [dbo].[OrganizationUserView] OU
|
||||
INNER JOIN [dbo].[UserView] U ON OU.[UserId] = U.[Id]
|
||||
WHERE OU.[OrganizationId] = @OrganizationId
|
||||
AND EXISTS (
|
||||
SELECT 1
|
||||
FROM [dbo].[OrganizationDomainView] OD
|
||||
WHERE OD.[OrganizationId] = @OrganizationId
|
||||
AND OD.[VerifiedDate] IS NOT NULL
|
||||
AND U.[Email] LIKE '%@' + OD.[DomainName]
|
||||
);
|
||||
END
|
||||
GO
|
||||
|
||||
CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
|
||||
@UserId UNIQUEIDENTIFIER
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON;
|
||||
|
||||
SELECT O.*
|
||||
FROM [dbo].[UserView] U
|
||||
INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
|
||||
INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
|
||||
INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
|
||||
WHERE U.[Id] = @UserId
|
||||
AND OD.[VerifiedDate] IS NOT NULL
|
||||
AND U.[Email] LIKE '%@' + OD.[DomainName];
|
||||
END
|
||||
GO
|
Loading…
Reference in New Issue
Block a user