nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-04 12:40:22 -05:00
Code

[PM-17449] Add logic to handle email updates for managed users. (#5422)

Browse Source
This commit is contained in:
Jimmy Vo 2025-02-20 15:38:59 -05:00 committed by GitHub
parent 2f4d5283d3
commit 06c96a96c5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 38 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/Api/Auth/Controllers/AccountsController.cs
View File

@ -149,12 +149,6 @@ public class AccountsController : Controller
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
// If Account Deprovisioning is enabled, we need to check if the user is managed by any organization.
if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
&& await _userService.IsManagedByAnyOrganizationAsync(user.Id))
{
throw new BadRequestException("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.");
}
await _userService.InitiateEmailChangeAsync(user, model.NewEmail);
}
@ -173,12 +167,6 @@ public class AccountsController : Controller
throw new BadRequestException("You cannot change your email when using Key Connector.");
}
// If Account Deprovisioning is enabled, we need to check if the user is managed by any organization.
if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
&& await _userService.IsManagedByAnyOrganizationAsync(user.Id))
{
throw new BadRequestException("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.");
}
var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail,
model.NewMasterPasswordHash, model.Token, model.Key);

35
src/Core/Services/Implementations/UserService.cs
View File

@ -49,6 +49,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
private readonly ICipherRepository _cipherRepository;
private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly IOrganizationRepository _organizationRepository;
private readonly IOrganizationDomainRepository _organizationDomainRepository;
private readonly IMailService _mailService;
private readonly IPushNotificationService _pushService;
private readonly IdentityErrorDescriber _identityErrorDescriber;
@ -81,6 +82,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
ICipherRepository cipherRepository,
IOrganizationUserRepository organizationUserRepository,
IOrganizationRepository organizationRepository,
IOrganizationDomainRepository organizationDomainRepository,
IMailService mailService,
IPushNotificationService pushService,
IUserStore<User> store,
@ -127,6 +129,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
_cipherRepository = cipherRepository;
_organizationUserRepository = organizationUserRepository;
_organizationRepository = organizationRepository;
_organizationDomainRepository = organizationDomainRepository;
_mailService = mailService;
_pushService = pushService;
_identityOptions = optionsAccessor?.Value ?? new IdentityOptions();
@ -521,6 +524,13 @@ public class UserService : UserManager<User>, IUserService, IDisposable
return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
}
var managedUserValidationResult = await ValidateManagedUserAsync(user, newEmail);
if (!managedUserValidationResult.Succeeded)
{
return managedUserValidationResult;
}
if (!await base.VerifyUserTokenAsync(user, _identityOptions.Tokens.ChangeEmailTokenProvider,
GetChangeEmailTokenPurpose(newEmail), token))
{
@ -586,6 +596,31 @@ public class UserService : UserManager<User>, IUserService, IDisposable
return IdentityResult.Success;
}
private async Task<IdentityResult> ValidateManagedUserAsync(User user, string newEmail)
{
var managingOrganizations = await GetOrganizationsManagingUserAsync(user.Id);
if (!managingOrganizations.Any())
{
return IdentityResult.Success;
}
var newDomain = CoreHelpers.GetEmailDomain(newEmail);
var verifiedDomains = await _organizationDomainRepository.GetVerifiedDomainsByOrganizationIdsAsync(managingOrganizations.Select(org => org.Id));
if (verifiedDomains.Any(verifiedDomain => verifiedDomain.DomainName == newDomain))
{
return IdentityResult.Success;
}
return IdentityResult.Failed(new IdentityError
{
Code = "EmailDomainMismatch",
Description = "Your new email must match your organization domain."
});
}
public async Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string passwordHint,
string key)
{

59
test/Api.IntegrationTest/Controllers/AccountsControllerTest.cs
View File

@ -1,6 +1,4 @@
using System.Net;
using System.Net.Http.Headers;
using Bit.Api.Auth.Models.Request.Accounts;
using System.Net.Http.Headers;
using Bit.Api.IntegrationTest.Factories;
using Bit.Api.IntegrationTest.Helpers;
using Bit.Api.Models.Response;
@ -45,61 +43,6 @@ public class AccountsControllerTest : IClassFixture<ApiApplicationFactory>
Assert.NotNull(content.SecurityStamp);
}
[Fact]
public async Task PostEmailToken_WhenAccountDeprovisioningEnabled_WithManagedAccount_ThrowsBadRequest()
{
var email = await SetupOrganizationManagedAccount();
var tokens = await _factory.LoginAsync(email);
var client = _factory.CreateClient();
var model = new EmailTokenRequestModel
{
NewEmail = $"{Guid.NewGuid()}@example.com",
MasterPasswordHash = "master_password_hash"
};
using var message = new HttpRequestMessage(HttpMethod.Post, "/accounts/email-token")
{
Content = JsonContent.Create(model)
};
message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
var response = await client.SendAsync(message);
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
var content = await response.Content.ReadAsStringAsync();
Assert.Contains("Cannot change emails for accounts owned by an organization", content);
}
[Fact]
public async Task PostEmail_WhenAccountDeprovisioningEnabled_WithManagedAccount_ThrowsBadRequest()
{
var email = await SetupOrganizationManagedAccount();
var tokens = await _factory.LoginAsync(email);
var client = _factory.CreateClient();
var model = new EmailRequestModel
{
NewEmail = $"{Guid.NewGuid()}@example.com",
MasterPasswordHash = "master_password_hash",
NewMasterPasswordHash = "master_password_hash",
Token = "validtoken",
Key = "key"
};
using var message = new HttpRequestMessage(HttpMethod.Post, "/accounts/email")
{
Content = JsonContent.Create(model)
};
message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
var response = await client.SendAsync(message);
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
var content = await response.Content.ReadAsStringAsync();
Assert.Contains("Cannot change emails for accounts owned by an organization", content);
}
private async Task<string> SetupOrganizationManagedAccount()
{
_factory.SubstituteService<IFeatureService>(featureService =>

30
test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
View File

@ -181,22 +181,6 @@ public class AccountsControllerTests : IDisposable
);
}
[Fact]
public async Task PostEmailToken_WithAccountDeprovisioningEnabled_WhenUserIsManagedByAnOrganization_ShouldThrowBadRequestException()
{
var user = GenerateExampleUser();
ConfigureUserServiceToReturnValidPrincipalFor(user);
ConfigureUserServiceToAcceptPasswordFor(user);
_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
_userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
var result = await Assert.ThrowsAsync<BadRequestException>(
() => _sut.PostEmailToken(new EmailTokenRequestModel())
);
Assert.Equal("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
}
[Fact]
public async Task PostEmail_ShouldChangeUserEmail()
{
@ -248,20 +232,6 @@ public class AccountsControllerTests : IDisposable
);
}
[Fact]
public async Task PostEmail_WithAccountDeprovisioningEnabled_WhenUserIsManagedByAnOrganization_ShouldThrowBadRequestException()
{
var user = GenerateExampleUser();
ConfigureUserServiceToReturnValidPrincipalFor(user);
_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
_userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
var result = await Assert.ThrowsAsync<BadRequestException>(
() => _sut.PostEmail(new EmailRequestModel())
);
Assert.Equal("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
}
[Fact]
public async Task PostVerifyEmail_ShouldSendEmailVerification()

2
test/Core.Test/Services/UserServiceTests.cs
View File

@ -248,6 +248,7 @@ public class UserServiceTests
sutProvider.GetDependency<ICipherRepository>(),
sutProvider.GetDependency<IOrganizationUserRepository>(),
sutProvider.GetDependency<IOrganizationRepository>(),
sutProvider.GetDependency<IOrganizationDomainRepository>(),
sutProvider.GetDependency<IMailService>(),
sutProvider.GetDependency<IPushNotificationService>(),
sutProvider.GetDependency<IUserStore<User>>(),
@ -829,6 +830,7 @@ public class UserServiceTests
sutProvider.GetDependency<ICipherRepository>(),
sutProvider.GetDependency<IOrganizationUserRepository>(),
sutProvider.GetDependency<IOrganizationRepository>(),
sutProvider.GetDependency<IOrganizationDomainRepository>(),
sutProvider.GetDependency<IMailService>(),
sutProvider.GetDependency<IPushNotificationService>(),
sutProvider.GetDependency<IUserStore<User>>(),