From 6008715abc6ed6e4dde29418c825ffa46a724beb Mon Sep 17 00:00:00 2001
From: Oscar Hinton <oscar@oscarhinton.com>
Date: Thu, 18 Nov 2021 21:56:13 +0100
Subject: [PATCH] Add check to ensure admins or owners arn't enrolled in key
 connector (#1725)

---
 .../Services/Implementations/UserService.cs   | 42 ++++++++++++-------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index a5b30de095..293166b282 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -639,15 +639,10 @@ namespace Bit.Core.Services
 
         public async Task<IdentityResult> SetKeyConnectorKeyAsync(User user, string key, string orgIdentifier)
         {
-            if (user == null)
+            var identityResult = CheckCanUseKeyConnector(user);
+            if (identityResult != null)
             {
-                throw new ArgumentNullException(nameof(user));
-            }
-
-            if (user.UsesKeyConnector)
-            {
-                Logger.LogWarning("Already uses Key Connector.");
-                return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword());
+                return identityResult;
             }
 
             user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
@@ -663,6 +658,24 @@ namespace Bit.Core.Services
         }
 
         public async Task<IdentityResult> ConvertToKeyConnectorAsync(User user)
+        {
+            var identityResult = CheckCanUseKeyConnector(user);
+            if (identityResult != null)
+            {
+                return identityResult;
+            }
+
+            user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
+            user.MasterPassword = null;
+            user.UsesKeyConnector = true;
+
+            await _userRepository.ReplaceAsync(user);
+            await _eventService.LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
+
+            return IdentityResult.Success;
+        }
+
+        private IdentityResult CheckCanUseKeyConnector(User user)
         {
             if (user == null)
             {
@@ -675,14 +688,13 @@ namespace Bit.Core.Services
                 return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword());
             }
 
-            user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
-            user.MasterPassword = null;
-            user.UsesKeyConnector = true;
+            if (_currentContext.Organizations.Any(u =>
+                    u.Type is OrganizationUserType.Owner or OrganizationUserType.Admin))
+            {
+                throw new BadRequestException("Cannot use Key Connector when admin or owner of an organization.");
+            }
 
-            await _userRepository.ReplaceAsync(user);
-            await _eventService.LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
-
-            return IdentityResult.Success;
+            return null;
         }
 
         public async Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType callingUserType, Guid orgId, Guid id, string newMasterPassword, string key)