Add checks for vault timeout policy (#1694)

2025-04-05 13:08:17 -05:00 · 2021-11-08 14:37:40 +01:00 · 2021-11-08 14:37:40 +01:00 · 1aa25f2712
commit 1aa25f2712
parent 7837a850eb
2 changed files with 68 additions and 0 deletions
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@ -57,10 +57,18 @@ namespace Bit.Core.Services
                        {
                            throw new BadRequestException("Single Sign-On Authentication policy is enabled.");
                        }
+
+                        var vaultTimeout =
+                            await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);
+                        if (vaultTimeout?.Enabled == true)
+                        {
+                            throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
+                        }
                    }
                    break;
                
               case PolicyType.RequireSso:
+               case PolicyType.MaximumVaultTimeout:
                   if (policy.Enabled)
                   {
                       var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);
--- a/test/Core.Test/Services/PolicyServiceTests.cs
+++ b/test/Core.Test/Services/PolicyServiceTests.cs
@ -97,6 +97,34 @@ namespace Bit.Core.Test.Services
                .LogPolicyEventAsync(default, default, default);
        }

+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_SingleOrg_VaultTimeoutEnabled_ThrowsBadRequest([PolicyFixtures.Policy(Enums.PolicyType.SingleOrg)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            policy.Enabled = false;
+
+            SetupOrg(sutProvider, policy.OrganizationId, new Organization
+            {
+                Id = policy.OrganizationId,
+                UsePolicies = true,
+            });
+
+            sutProvider.GetDependency<IPolicyRepository>()
+                .GetByOrganizationIdTypeAsync(policy.OrganizationId, Enums.PolicyType.MaximumVaultTimeout)
+                .Returns(new Policy { Enabled = true });
+
+            var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
+                () => sutProvider.Sut.SaveAsync(policy,
+                    Substitute.For<IUserService>(),
+                    Substitute.For<IOrganizationService>(),
+                    Guid.NewGuid()));
+
+            Assert.Contains("Maximum Vault Timeout policy is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+            await sutProvider.GetDependency<IPolicyRepository>()
+                .DidNotReceiveWithAnyArgs()
+                .UpsertAsync(default);
+        }
+
        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
        public async Task SaveAsync_RequireSsoPolicy_NotEnabled_ThrowsBadRequestAsync([PolicyFixtures.Policy(Enums.PolicyType.RequireSso)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
        {
@ -154,6 +182,38 @@ namespace Bit.Core.Test.Services
            Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
        }

+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task SaveAsync_VaultTimeoutPolicy_NotEnabled_ThrowsBadRequestAsync([PolicyFixtures.Policy(Enums.PolicyType.MaximumVaultTimeout)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
+        {
+            policy.Enabled = true;
+
+            SetupOrg(sutProvider, policy.OrganizationId, new Organization
+            {
+                Id = policy.OrganizationId,
+                UsePolicies = true,
+            });
+
+            sutProvider.GetDependency<IPolicyRepository>()
+                .GetByOrganizationIdTypeAsync(policy.OrganizationId, Enums.PolicyType.SingleOrg)
+                .Returns(Task.FromResult(new Core.Models.Table.Policy { Enabled = false }));
+
+            var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
+                () => sutProvider.Sut.SaveAsync(policy,
+                    Substitute.For<IUserService>(),
+                    Substitute.For<IOrganizationService>(),
+                    Guid.NewGuid()));
+
+            Assert.Contains("Single Organization policy not enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+            await sutProvider.GetDependency<IPolicyRepository>()
+                .DidNotReceiveWithAnyArgs()
+                .UpsertAsync(default);
+
+            await sutProvider.GetDependency<IEventService>()
+                .DidNotReceiveWithAnyArgs()
+                .LogPolicyEventAsync(default, default, default);
+        }
+
        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
        public async Task SaveAsync_ExistingPolicy_UpdateTwoFactor([PolicyFixtures.Policy(Enums.PolicyType.TwoFactorAuthentication)] Core.Models.Table.Policy policy, SutProvider<PolicyService> sutProvider)
        {