[AC-1638] Disallow Secrets Manager for MSP-managed organizations (#3297)

* Block MSPs from creating orgs with SM * Block MSPs from adding SM to a managed org * Prevent manually adding SM to an MSP-managed org * Revert "Prevent manually adding SM to an MSP-managed org" This change is no longer required This reverts commit 51b086243b. * Block provider from adding org with SM * Update error message when adding existing org with SM to provider * Update check to match client * Revert "Update check to match client" This reverts commit f195c1c1f6.
2025-06-30 15:42:48 -05:00 · 2023-10-13 00:56:50 +10:00
parent 79648b311e
commit 53f5eee215
6 changed files with 82 additions and 3 deletions
--- a/src/Core/OrganizationFeatures/OrganizationSubscriptions/AddSecretsManagerSubscriptionCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationSubscriptions/AddSecretsManagerSubscriptionCommand.cs
@ -1,8 +1,10 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Enums.Provider;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;

@ -12,17 +14,21 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
 {
    private readonly IPaymentService _paymentService;
    private readonly IOrganizationService _organizationService;
+    private readonly IProviderRepository _providerRepository;
+
    public AddSecretsManagerSubscriptionCommand(
        IPaymentService paymentService,
-        IOrganizationService organizationService)
+        IOrganizationService organizationService,
+        IProviderRepository providerRepository)
    {
        _paymentService = paymentService;
        _organizationService = organizationService;
+        _providerRepository = providerRepository;
    }
    public async Task SignUpAsync(Organization organization, int additionalSmSeats,
        int additionalServiceAccounts)
    {
-        ValidateOrganization(organization);
+        await ValidateOrganization(organization);

        var plan = StaticStore.GetSecretsManagerPlan(organization.PlanType);
        var signup = SetOrganizationUpgrade(organization, additionalSmSeats, additionalServiceAccounts);
@ -55,7 +61,7 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
        return signup;
    }

-    private static void ValidateOrganization(Organization organization)
+    private async Task ValidateOrganization(Organization organization)
    {
        if (organization == null)
        {
@ -83,5 +89,12 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
        {
            throw new BadRequestException("No subscription found.");
        }
+
+        var provider = await _providerRepository.GetByOrganizationIdAsync(organization.Id);
+        if (provider is { Type: ProviderType.Msp })
+        {
+            throw new BadRequestException(
+                "Organizations with a Managed Service Provider do not support Secrets Manager.");
+        }
    }
 }
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@ -410,6 +410,11 @@ public class OrganizationService : IOrganizationService
        var secretsManagerPlan = StaticStore.SecretManagerPlans.FirstOrDefault(p => p.Type == signup.Plan);
        if (signup.UseSecretsManager)
        {
+            if (provider)
+            {
+                throw new BadRequestException(
+                    "Organizations with a Managed Service Provider do not support Secrets Manager.");
+            }
            ValidateSecretsManagerPlan(secretsManagerPlan, signup);
        }