From 1aa25f2712dc739b2253b5fd0d73aa5d8a477bc2 Mon Sep 17 00:00:00 2001
From: Oscar Hinton
Date: Mon, 8 Nov 2021 14:37:40 +0100
Subject: [PATCH] Add checks for vault timeout policy (#1694)
---
 .../Services/Implementations/PolicyService.cs | 8 +++
 test/Core.Test/Services/PolicyServiceTests.cs | 60 +++++++++++++++++++
 2 files changed, 68 insertions(+)
diff --git a/src/Core/Services/Implementations/PolicyService.cs b/src/Core/Services/Implementations/PolicyService.cs
index 5e33bff28b..960c3ce79a 100644
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@@ -57,10 +57,18 @@ namespace Bit.Core.Services
 {
 throw new BadRequestException("Single Sign-On Authentication policy is enabled.");
 }
+
+ var vaultTimeout =
+ await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);
+ if (vaultTimeout?.Enabled == true)
+ {
+ throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
+ }
 }
 break;
 case PolicyType.RequireSso:
+ case PolicyType.MaximumVaultTimeout:
 if (policy.Enabled)
 {
 var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);
diff --git a/test/Core.Test/Services/PolicyServiceTests.cs b/test/Core.Test/Services/PolicyServiceTests.cs
index b344e1877c..e1fd3f7c54 100644
--- a/test/Core.Test/Services/PolicyServiceTests.cs
+++ b/test/Core.Test/Services/PolicyServiceTests.cs
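Review bot: `case PolicyType.MaximumVaultTimeout:` is stacked on the `RequireSso` label, so the timeout policy inherits the whole SSO case body, which continues past the end of this hunk; only the `if (policy.Enabled)` Single Organization check is visibly meant to be shared. If that body has, or later gains, an SSO-specific branch (for example on disable), saving a Maximum Vault Timeout policy will run it as well. Giving the new type its own case containing just the Single Organization check, or at least a comment such as `// MaximumVaultTimeout shares only the SingleOrg prerequisite with RequireSso`, would keep the two policies from drifting together. Both new checks are also read-then-throw with the write outside the hunk, so whether two concurrent saves can leave the timeout policy enabled without Single Organization depends on code not shown here.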
@@ -97,6 +97,34 @@ namespace Bit.Core.Test.Services
 .LogPolicyEventAsync(default, default, default);
 }
+ [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+ public async Task SaveAsync_SingleOrg_VaultTimeoutEnabled_ThrowsBadRequest([PolicyFixtures.Policy(Enums.PolicyType.SingleOrg)] Core.Models.Table.Policy policy, SutProvider sutProvider)
+ {
+ policy.Enabled = false;
+
+ SetupOrg(sutProvider, policy.OrganizationId, new Organization
+ {
+ Id = policy.OrganizationId,
+ UsePolicies = true,
+ });
+
+ sutProvider.GetDependency()
+ .GetByOrganizationIdTypeAsync(policy.OrganizationId, Enums.PolicyType.MaximumVaultTimeout)
+ .Returns(new Policy { Enabled = true });
+
+ var badRequestException = await Assert.ThrowsAsync(
+ () => sutProvider.Sut.SaveAsync(policy,
+ Substitute.For(),
+ Substitute.For(),
+ Guid.NewGuid()));
+
+ Assert.Contains("Maximum Vault Timeout policy is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+ await sutProvider.GetDependency()
+ .DidNotReceiveWithAnyArgs()
+ .UpsertAsync(default);
+ }
+
 [Theory, CustomAutoData(typeof(SutProviderCustomization))]
 public async Task SaveAsync_RequireSsoPolicy_NotEnabled_ThrowsBadRequestAsync([PolicyFixtures.Policy(Enums.PolicyType.RequireSso)] Core.Models.Table.Policy policy, SutProvider sutProvider)
 {
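Review bot: The new SingleOrg test stops at `.UpsertAsync(default)` and never checks that no policy event was logged. The test ending in the context line above the addition, and the VaultTimeoutPolicy test added further down, both finish with `DidNotReceiveWithAnyArgs().LogPolicyEventAsync(default, default, default)`. For a rejected policy change the absence of an audit event is part of what should be pinned, so the same assertion belongs at the end of this test. The name also drops the `Async` suffix that the neighbouring `..._ThrowsBadRequestAsync` tests carry.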
@@ -154,6 +182,38 @@ namespace Bit.Core.Test.Services
 Assert.True(policy.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
 }
+ [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+ public async Task SaveAsync_VaultTimeoutPolicy_NotEnabled_ThrowsBadRequestAsync([PolicyFixtures.Policy(Enums.PolicyType.MaximumVaultTimeout)] Core.Models.Table.Policy policy, SutProvider sutProvider)
+ {
+ policy.Enabled = true;
+
+ SetupOrg(sutProvider, policy.OrganizationId, new Organization
+ {
+ Id = policy.OrganizationId,
+ UsePolicies = true,
+ });
+
+ sutProvider.GetDependency()
+ .GetByOrganizationIdTypeAsync(policy.OrganizationId, Enums.PolicyType.SingleOrg)
+ .Returns(Task.FromResult(new Core.Models.Table.Policy { Enabled = false }));
+
+ var badRequestException = await Assert.ThrowsAsync(
+ () => sutProvider.Sut.SaveAsync(policy,
+ Substitute.For(),
+ Substitute.For(),
+ Guid.NewGuid()));
+
+ Assert.Contains("Single Organization policy not enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
+
+ await sutProvider.GetDependency()
+ .DidNotReceiveWithAnyArgs()
+ .UpsertAsync(default);
+
+ await sutProvider.GetDependency()
+ .DidNotReceiveWithAnyArgs()
+ .LogPolicyEventAsync(default, default, default);
+ }
+
 [Theory, CustomAutoData(typeof(SutProviderCustomization))]
 public async Task SaveAsync_ExistingPolicy_UpdateTwoFactor([PolicyFixtures.Policy(Enums.PolicyType.TwoFactorAuthentication)] Core.Models.Table.Policy policy, SutProvider sutProvider)
 {
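Review bot: The stub in this test covers only an existing Single Organization row with `Enabled = false`; an organization that has never saved that policy presumably gets null from the repository, and that path is not exercised for the new policy type. A second case using `.Returns(Task.FromResult<Core.Models.Table.Policy>(null))` would pin it, as would one showing that saving the timeout policy with `Enabled = false` is accepted. The name is also misleading: the test sets `policy.Enabled = true`, so what is "not enabled" is Single Organization, and `SaveAsync_VaultTimeoutPolicy_SingleOrgNotEnabled_ThrowsBadRequestAsync` would say so.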