[PM-3779] idor allow the attacker to delete the victim domain (#3308)

* [PM-3779] Added IOrganizationDomainRepository.GetDomainByIdAndOrganizationIdAsync and SQL stored procedure

* [PM-3779] Changed GetOrganizationDomainByIdQuery to also take OrgId as a parameter. Updated existing unit tests and added new. Updated controller to match command changes

* [PM-3779] Removed type from url routes

* [PM-3779] Renamed IGetOrganizationDomainByIdAndOrganizationIdQuery to IGetOrganizationDomainByIdOrganizationIdQuery

* [PM-3779] Renamed GetOrganizationDomainByIdOrganizationIdQueryTests file and added more tests

src/Core/OrganizationFeatures/OrganizationDomains/DeleteOrganizationDomainCommand.cs

@@ -1,5 +1,5 @@
-using Bit.Core.Enums;
-using Bit.Core.Exceptions;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -18,15 +18,9 @@ public class DeleteOrganizationDomainCommand : IDeleteOrganizationDomainCommand
         _eventService = eventService;
     }
 
-    public async Task DeleteAsync(Guid id)
+    public async Task DeleteAsync(OrganizationDomain organizationDomain)
     {
-        var domain = await _organizationDomainRepository.GetByIdAsync(id);
-        if (domain is null)
-        {
-            throw new NotFoundException();
-        }
-
-        await _organizationDomainRepository.DeleteAsync(domain);
-        await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_Removed);
+        await _organizationDomainRepository.DeleteAsync(organizationDomain);
+        await _eventService.LogOrganizationDomainEventAsync(organizationDomain, EventType.OrganizationDomain_Removed);
     }
 }

src/Core/OrganizationFeatures/OrganizationDomains/GetOrganizationDomainByIdOrganizationIdQuery.cs

@@ -4,15 +4,15 @@ using Bit.Core.Repositories;
 
 namespace Bit.Core.OrganizationFeatures.OrganizationDomains;
 
-public class GetOrganizationDomainByIdQuery : IGetOrganizationDomainByIdQuery
+public class GetOrganizationDomainByIdOrganizationIdQuery : IGetOrganizationDomainByIdOrganizationIdQuery
 {
     private readonly IOrganizationDomainRepository _organizationDomainRepository;
 
-    public GetOrganizationDomainByIdQuery(IOrganizationDomainRepository organizationDomainRepository)
+    public GetOrganizationDomainByIdOrganizationIdQuery(IOrganizationDomainRepository organizationDomainRepository)
     {
         _organizationDomainRepository = organizationDomainRepository;
     }
 
-    public async Task<OrganizationDomain> GetOrganizationDomainById(Guid id)
-        => await _organizationDomainRepository.GetByIdAsync(id);
+    public async Task<OrganizationDomain> GetOrganizationDomainByIdOrganizationIdAsync(Guid id, Guid organizationId)
+        => await _organizationDomainRepository.GetDomainByIdOrganizationIdAsync(id, organizationId);
 }

src/Core/OrganizationFeatures/OrganizationDomains/GetOrganizationDomainByOrganizationIdQuery.cs

@@ -13,6 +13,6 @@ public class GetOrganizationDomainByOrganizationIdQuery : IGetOrganizationDomain
         _organizationDomainRepository = organizationDomainRepository;
     }
 
-    public async Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationId(Guid orgId)
+    public async Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId)
         => await _organizationDomainRepository.GetDomainsByOrganizationIdAsync(orgId);
 }

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IDeleteOrganizationDomainCommand.cs

@@ -1,6 +1,8 @@
-namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
 
 public interface IDeleteOrganizationDomainCommand
 {
-    Task DeleteAsync(Guid id);
+    Task DeleteAsync(OrganizationDomain organizationDomain);
 }

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IGetOrganizationDomainByIdOrganizationIdQuery.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+
+public interface IGetOrganizationDomainByIdOrganizationIdQuery
+{
+    Task<OrganizationDomain> GetOrganizationDomainByIdOrganizationIdAsync(Guid id, Guid organizationId);
+}

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IGetOrganizationDomainByIdQuery.cs

@@ -1,8 +0,0 @@
-using Bit.Core.Entities;
-
-namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
-
-public interface IGetOrganizationDomainByIdQuery
-{
-    Task<OrganizationDomain> GetOrganizationDomainById(Guid id);
-}

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IGetOrganizationDomainByOrganizationIdQuery.cs

@@ -4,5 +4,5 @@ namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
 
 public interface IGetOrganizationDomainByOrganizationIdQuery
 {
-    Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationId(Guid orgId);
+    Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId);
 }

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IVerifyOrganizationDomainCommand.cs

@@ -4,5 +4,5 @@ namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
 
 public interface IVerifyOrganizationDomainCommand
 {
-    Task<OrganizationDomain> VerifyOrganizationDomain(Guid id);
+    Task<OrganizationDomain> VerifyOrganizationDomainAsync(OrganizationDomain organizationDomain);
 }

src/Core/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs

@@ -27,14 +27,8 @@ public class VerifyOrganizationDomainCommand : IVerifyOrganizationDomainCommand
         _logger = logger;
     }
 
-    public async Task<OrganizationDomain> VerifyOrganizationDomain(Guid id)
+    public async Task<OrganizationDomain> VerifyOrganizationDomainAsync(OrganizationDomain domain)
     {
-        var domain = await _organizationDomainRepository.GetByIdAsync(id);
-        if (domain is null)
-        {
-            throw new NotFoundException();
-        }
-
         if (domain.VerifiedDate is not null)
         {
             domain.SetLastCheckedDate();

src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs

@@ -118,7 +118,7 @@ public static class OrganizationServiceCollectionExtensions
     {
         services.AddScoped<ICreateOrganizationDomainCommand, CreateOrganizationDomainCommand>();
         services.AddScoped<IVerifyOrganizationDomainCommand, VerifyOrganizationDomainCommand>();
-        services.AddScoped<IGetOrganizationDomainByIdQuery, GetOrganizationDomainByIdQuery>();
+        services.AddScoped<IGetOrganizationDomainByIdOrganizationIdQuery, GetOrganizationDomainByIdOrganizationIdQuery>();
         services.AddScoped<IGetOrganizationDomainByOrganizationIdQuery, GetOrganizationDomainByOrganizationIdQuery>();
         services.AddScoped<IDeleteOrganizationDomainCommand, DeleteOrganizationDomainCommand>();
     }

src/Core/Repositories/IOrganizationDomainRepository.cs

@@ -9,6 +9,7 @@ public interface IOrganizationDomainRepository : IRepository<OrganizationDomain,
     Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId);
     Task<ICollection<OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date);
     Task<OrganizationDomainSsoDetailsData> GetOrganizationDomainSsoDetailsAsync(string email);
+    Task<OrganizationDomain> GetDomainByIdOrganizationIdAsync(Guid id, Guid organizationId);
     Task<OrganizationDomain> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName);
     Task<ICollection<OrganizationDomain>> GetExpiredOrganizationDomainsAsync();
     Task<bool> DeleteExpiredAsync(int expirationPeriod);