[PM-13014] - Add CanToggleStatus property to PolicyRepsonseModel based on Policy Validators (#4940)

* Adding CanToggleState to PoliciesControllers (api/public) endpoints. Added mappings wrapped in feature flag. * Updated logic for determining CanToggle. Removed setting of toggle from List endpoint. Added new details model for single policy response. Validator now returns after first error.
2025-07-01 16:12:49 -05:00 · 2024-11-11 09:52:42 -06:00
parent 2e635c9505
commit 1dec51bf5a
14 changed files with 167 additions and 32 deletions
--- a/src/Core/AdminConsole/Models/Api/Response/PolicyResponseModel.cs
+++ b/src/Core/AdminConsole/Models/Api/Response/PolicyResponseModel.cs
@ -1,33 +0,0 @@
-using System.Text.Json;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
-using Bit.Core.Models.Api;
-
-namespace Bit.Core.AdminConsole.Models.Api.Response;
-
-public class PolicyResponseModel : ResponseModel
-{
-    public PolicyResponseModel(Policy policy, string obj = "policy")
-        : base(obj)
-    {
-        if (policy == null)
-        {
-            throw new ArgumentNullException(nameof(policy));
-        }
-
-        Id = policy.Id;
-        OrganizationId = policy.OrganizationId;
-        Type = policy.Type;
-        Enabled = policy.Enabled;
-        if (!string.IsNullOrWhiteSpace(policy.Data))
-        {
-            Data = JsonSerializer.Deserialize<Dictionary<string, object>>(policy.Data);
-        }
-    }
-
-    public Guid Id { get; set; }
-    public Guid OrganizationId { get; set; }
-    public PolicyType Type { get; set; }
-    public Dictionary<string, object> Data { get; set; }
-    public bool Enabled { get; set; }
-}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
@ -20,7 +20,6 @@ public class VerifyOrganizationDomainCommand : IVerifyOrganizationDomainCommand
    private readonly IGlobalSettings _globalSettings;
    private readonly IPolicyService _policyService;
    private readonly IFeatureService _featureService;
-    private readonly IOrganizationService _organizationService;
    private readonly ILogger<VerifyOrganizationDomainCommand> _logger;

    public VerifyOrganizationDomainCommand(
@ -30,7 +29,6 @@ public class VerifyOrganizationDomainCommand : IVerifyOrganizationDomainCommand
        IGlobalSettings globalSettings,
        IPolicyService policyService,
        IFeatureService featureService,
-        IOrganizationService organizationService,
        ILogger<VerifyOrganizationDomainCommand> logger)
    {
        _organizationDomainRepository = organizationDomainRepository;
@ -39,7 +37,6 @@ public class VerifyOrganizationDomainCommand : IVerifyOrganizationDomainCommand
        _globalSettings = globalSettings;
        _policyService = policyService;
        _featureService = featureService;
-        _organizationService = organizationService;
        _logger = logger;
    }

--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/SavePolicyCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Implementations/SavePolicyCommand.cs
@ -87,8 +87,7 @@ public class SavePolicyCommand : ISavePolicyCommand
        if (currentPolicy is not { Enabled: true } && policyUpdate.Enabled)
        {
            var missingRequiredPolicyTypes = validator.RequiredPolicies
-                .Where(requiredPolicyType =>
-                    savedPoliciesDict.GetValueOrDefault(requiredPolicyType) is not { Enabled: true })
+                .Where(requiredPolicyType => savedPoliciesDict.GetValueOrDefault(requiredPolicyType) is not { Enabled: true })
                .ToList();

            if (missingRequiredPolicyTypes.Count != 0)
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
@ -2,6 +2,7 @@

 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.Auth.Enums;
@ -23,7 +24,9 @@ public class SingleOrgPolicyValidator : IPolicyValidator
    private readonly IOrganizationRepository _organizationRepository;
    private readonly ISsoConfigRepository _ssoConfigRepository;
    private readonly ICurrentContext _currentContext;
+    private readonly IFeatureService _featureService;
    private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;

    public SingleOrgPolicyValidator(
        IOrganizationUserRepository organizationUserRepository,
@ -31,14 +34,18 @@ public class SingleOrgPolicyValidator : IPolicyValidator
        IOrganizationRepository organizationRepository,
        ISsoConfigRepository ssoConfigRepository,
        ICurrentContext currentContext,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand)
+        IFeatureService featureService,
+        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
+        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery)
    {
        _organizationUserRepository = organizationUserRepository;
        _mailService = mailService;
        _organizationRepository = organizationRepository;
        _ssoConfigRepository = ssoConfigRepository;
        _currentContext = currentContext;
+        _featureService = featureService;
        _removeOrganizationUserCommand = removeOrganizationUserCommand;
+        _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
    }

    public IEnumerable<PolicyType> RequiredPolicies => [];
@ -93,9 +100,21 @@ public class SingleOrgPolicyValidator : IPolicyValidator
        if (policyUpdate is not { Enabled: true })
        {
            var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(policyUpdate.OrganizationId);
-            return ssoConfig.ValidateDecryptionOptionsNotEnabled([MemberDecryptionType.KeyConnector]);
+
+            var validateDecryptionErrorMessage = ssoConfig.ValidateDecryptionOptionsNotEnabled([MemberDecryptionType.KeyConnector]);
+
+            if (!string.IsNullOrWhiteSpace(validateDecryptionErrorMessage))
+            {
+                return validateDecryptionErrorMessage;
+            }
+
+            if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
+                && await _organizationHasVerifiedDomainsQuery.HasVerifiedDomainsAsync(policyUpdate.OrganizationId))
+            {
+                return "The Single organization policy is required for organizations that have enabled domain verification.";
+            }
        }

-        return "";
+        return string.Empty;
    }
 }
--- a/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/PolicyService.cs
@ -289,7 +289,7 @@ public class PolicyService : IPolicyService
        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
            && await _organizationHasVerifiedDomainsQuery.HasVerifiedDomainsAsync(org.Id))
        {
-            throw new BadRequestException("Organization has verified domains.");
+            throw new BadRequestException("The Single organization policy is required for organizations that have enabled domain verification.");
        }
    }