mirror of
https://github.com/bitwarden/server.git
synced 2025-04-06 05:28:15 -05:00
[AC-1638] Disallow Secrets Manager for MSP-managed organizations (#3297)
* Block MSPs from creating orgs with SM * Block MSPs from adding SM to a managed org * Prevent manually adding SM to an MSP-managed org * Revert "Prevent manually adding SM to an MSP-managed org" This change is no longer required This reverts commit 51b086243bf7ab63897a904b6b14fa1077a2bc6e. * Block provider from adding org with SM * Update error message when adding existing org with SM to provider * Update check to match client * Revert "Update check to match client" This reverts commit f195c1c1f6546757a5d591068a0a650ef0d8dceb.
This commit is contained in:
Thomas Rittson
GitHub
parent
79648b311e
commit
53f5eee215
@ -354,6 +354,12 @@ public class ProviderService : IProviderService
|
|||||||
var organization = await _organizationRepository.GetByIdAsync(organizationId);
|
var organization = await _organizationRepository.GetByIdAsync(organizationId);
|
||||||
ThrowOnInvalidPlanType(organization.PlanType);
|
ThrowOnInvalidPlanType(organization.PlanType);
|
||||||
|
|
||||||
|
if (organization.UseSecretsManager)
|
||||||
|
{
|
||||||
|
throw new BadRequestException(
|
||||||
|
"The organization is subscribed to Secrets Manager. Please contact Customer Support to manage the subscription.");
|
||||||
|
}
|
||||||
|
|
||||||
var providerOrganization = new ProviderOrganization
|
var providerOrganization = new ProviderOrganization
|
||||||
{
|
{
|
||||||
ProviderId = providerId,
|
ProviderId = providerId,
|
||||||
|
|||||||
@ -431,6 +431,23 @@ public class ProviderServiceTests
|
|||||||
Assert.Equal("Organization already belongs to a provider.", exception.Message);
|
Assert.Equal("Organization already belongs to a provider.", exception.Message);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task AddOrganization_OrganizationHasSecretsManager_Throws(Provider provider, Organization organization, string key,
|
||||||
|
SutProvider<ProviderService> sutProvider)
|
||||||
|
{
|
||||||
|
organization.PlanType = PlanType.EnterpriseAnnually;
|
||||||
|
organization.UseSecretsManager = true;
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
|
||||||
|
var providerOrganizationRepository = sutProvider.GetDependency<IProviderOrganizationRepository>();
|
||||||
|
providerOrganizationRepository.GetByOrganizationId(organization.Id).ReturnsNull();
|
||||||
|
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.AddOrganization(provider.Id, organization.Id, key));
|
||||||
|
Assert.Equal("The organization is subscribed to Secrets Manager. Please contact Customer Support to manage the subscription.", exception.Message);
|
||||||
|
}
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
[Theory, BitAutoData]
|
||||||
public async Task AddOrganization_Success(Provider provider, Organization organization, string key,
|
public async Task AddOrganization_Success(Provider provider, Organization organization, string key,
|
||||||
SutProvider<ProviderService> sutProvider)
|
SutProvider<ProviderService> sutProvider)
|
||||||
|
|||||||
@ -1,8 +1,10 @@
|
|||||||
using Bit.Core.Entities;
|
using Bit.Core.Entities;
|
||||||
using Bit.Core.Enums;
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Enums.Provider;
|
||||||
using Bit.Core.Exceptions;
|
using Bit.Core.Exceptions;
|
||||||
using Bit.Core.Models.Business;
|
using Bit.Core.Models.Business;
|
||||||
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
|
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
|
||||||
|
using Bit.Core.Repositories;
|
||||||
using Bit.Core.Services;
|
using Bit.Core.Services;
|
||||||
using Bit.Core.Utilities;
|
using Bit.Core.Utilities;
|
||||||
|
|
||||||
@ -12,17 +14,21 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
|
|||||||
{
|
{
|
||||||
private readonly IPaymentService _paymentService;
|
private readonly IPaymentService _paymentService;
|
||||||
private readonly IOrganizationService _organizationService;
|
private readonly IOrganizationService _organizationService;
|
||||||
|
private readonly IProviderRepository _providerRepository;
|
||||||
|
|
||||||
public AddSecretsManagerSubscriptionCommand(
|
public AddSecretsManagerSubscriptionCommand(
|
||||||
IPaymentService paymentService,
|
IPaymentService paymentService,
|
||||||
IOrganizationService organizationService)
|
IOrganizationService organizationService,
|
||||||
|
IProviderRepository providerRepository)
|
||||||
{
|
{
|
||||||
_paymentService = paymentService;
|
_paymentService = paymentService;
|
||||||
_organizationService = organizationService;
|
_organizationService = organizationService;
|
||||||
|
_providerRepository = providerRepository;
|
||||||
}
|
}
|
||||||
public async Task SignUpAsync(Organization organization, int additionalSmSeats,
|
public async Task SignUpAsync(Organization organization, int additionalSmSeats,
|
||||||
int additionalServiceAccounts)
|
int additionalServiceAccounts)
|
||||||
{
|
{
|
||||||
ValidateOrganization(organization);
|
await ValidateOrganization(organization);
|
||||||
|
|
||||||
var plan = StaticStore.GetSecretsManagerPlan(organization.PlanType);
|
var plan = StaticStore.GetSecretsManagerPlan(organization.PlanType);
|
||||||
var signup = SetOrganizationUpgrade(organization, additionalSmSeats, additionalServiceAccounts);
|
var signup = SetOrganizationUpgrade(organization, additionalSmSeats, additionalServiceAccounts);
|
||||||
@ -55,7 +61,7 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
|
|||||||
return signup;
|
return signup;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static void ValidateOrganization(Organization organization)
|
private async Task ValidateOrganization(Organization organization)
|
||||||
{
|
{
|
||||||
if (organization == null)
|
if (organization == null)
|
||||||
{
|
{
|
||||||
@ -83,5 +89,12 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
|
|||||||
{
|
{
|
||||||
throw new BadRequestException("No subscription found.");
|
throw new BadRequestException("No subscription found.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var provider = await _providerRepository.GetByOrganizationIdAsync(organization.Id);
|
||||||
|
if (provider is { Type: ProviderType.Msp })
|
||||||
|
{
|
||||||
|
throw new BadRequestException(
|
||||||
|
"Organizations with a Managed Service Provider do not support Secrets Manager.");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -410,6 +410,11 @@ public class OrganizationService : IOrganizationService
|
|||||||
var secretsManagerPlan = StaticStore.SecretManagerPlans.FirstOrDefault(p => p.Type == signup.Plan);
|
var secretsManagerPlan = StaticStore.SecretManagerPlans.FirstOrDefault(p => p.Type == signup.Plan);
|
||||||
if (signup.UseSecretsManager)
|
if (signup.UseSecretsManager)
|
||||||
{
|
{
|
||||||
|
if (provider)
|
||||||
|
{
|
||||||
|
throw new BadRequestException(
|
||||||
|
"Organizations with a Managed Service Provider do not support Secrets Manager.");
|
||||||
|
}
|
||||||
ValidateSecretsManagerPlan(secretsManagerPlan, signup);
|
ValidateSecretsManagerPlan(secretsManagerPlan, signup);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -1,9 +1,12 @@
|
|||||||
using Bit.Core.Entities;
|
using Bit.Core.Entities;
|
||||||
|
using Bit.Core.Entities.Provider;
|
||||||
using Bit.Core.Enums;
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Enums.Provider;
|
||||||
using Bit.Core.Exceptions;
|
using Bit.Core.Exceptions;
|
||||||
using Bit.Core.Models.Business;
|
using Bit.Core.Models.Business;
|
||||||
using Bit.Core.Models.StaticStore;
|
using Bit.Core.Models.StaticStore;
|
||||||
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
|
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
|
||||||
|
using Bit.Core.Repositories;
|
||||||
using Bit.Core.Services;
|
using Bit.Core.Services;
|
||||||
using Bit.Core.Utilities;
|
using Bit.Core.Utilities;
|
||||||
using Bit.Test.Common.AutoFixture;
|
using Bit.Test.Common.AutoFixture;
|
||||||
@ -127,6 +130,25 @@ public class AddSecretsManagerSubscriptionCommandTests
|
|||||||
await VerifyDependencyNotCalledAsync(sutProvider);
|
await VerifyDependencyNotCalledAsync(sutProvider);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async Task SignUpAsync_ThrowsException_WhenOrganizationIsManagedByMSP(
|
||||||
|
SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider,
|
||||||
|
Organization organization,
|
||||||
|
Provider provider)
|
||||||
|
{
|
||||||
|
organization.UseSecretsManager = false;
|
||||||
|
organization.SecretsManagerBeta = false;
|
||||||
|
provider.Type = ProviderType.Msp;
|
||||||
|
sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organization.Id).Returns(provider);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.SignUpAsync(organization, 10, 10));
|
||||||
|
|
||||||
|
Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
|
||||||
|
await VerifyDependencyNotCalledAsync(sutProvider);
|
||||||
|
}
|
||||||
|
|
||||||
private static async Task VerifyDependencyNotCalledAsync(SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider)
|
private static async Task VerifyDependencyNotCalledAsync(SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider)
|
||||||
{
|
{
|
||||||
await sutProvider.GetDependency<IPaymentService>().DidNotReceive()
|
await sutProvider.GetDependency<IPaymentService>().DidNotReceive()
|
||||||
|
|||||||
@ -263,6 +263,22 @@ public class OrganizationServiceTests
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData(PlanType.EnterpriseAnnually)]
|
||||||
|
public async Task SignUp_SM_Throws_WhenManagedByMSP(PlanType planType, OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
|
||||||
|
{
|
||||||
|
signup.Plan = planType;
|
||||||
|
signup.UseSecretsManager = true;
|
||||||
|
signup.AdditionalSeats = 15;
|
||||||
|
signup.AdditionalSmSeats = 10;
|
||||||
|
signup.AdditionalServiceAccounts = 20;
|
||||||
|
signup.PaymentMethodType = PaymentMethodType.Card;
|
||||||
|
signup.PremiumAccessAddon = false;
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SignUpAsync(signup, true));
|
||||||
|
Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
|
||||||
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async Task SignUpAsync_SecretManager_AdditionalServiceAccounts_NotAllowedByPlan_ShouldThrowException(OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
|
public async Task SignUpAsync_SecretManager_AdditionalServiceAccounts_NotAllowedByPlan_ShouldThrowException(OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user