
[AC-1145] Add trusted devices option to SSO Config Data (#2909)

* [AC-1145] Add TDE feature flag

* [AC-1145] Update .gitignore to ignore flags.json in the Api project

* [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData

* [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model

* [AC-1145] Automatically enable password reset policy on TDE selection

* [AC-1145] Remove references to obsolete KeyConnectorEnabled field

* [AC-1145] Formatting

* [AC-1145] Update XML doc reference to MemberDecryptionType
This commit is contained in:
Shane Melton
2023-05-10 12:52:08 -07:00
committed by GitHub
parent 5a850f48e2
commit 620a7e0a8d
17 changed files with 112 additions and 31 deletions


@ -41,8 +41,14 @@ public class SsoConfigurationDataRequest : IValidatableObject
[Required]
public SsoType ConfigType { get; set; }
public MemberDecryptionType MemberDecryptionType { get; set; }
public bool KeyConnectorEnabled { get; set; }
[Obsolete("Use MemberDecryptionType instead")]
public bool KeyConnectorEnabled
{
// Setter is kept for backwards compatibility with older clients that still use this property.
set { MemberDecryptionType = value ? MemberDecryptionType.KeyConnector : MemberDecryptionType.MasterPassword; }
}
public string KeyConnectorUrl { get; set; }
// OIDC
@ -166,7 +172,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
return new SsoConfigurationData
{
ConfigType = ConfigType,
KeyConnectorEnabled = KeyConnectorEnabled,
MemberDecryptionType = MemberDecryptionType,
KeyConnectorUrl = KeyConnectorUrl,
Authority = Authority,
ClientId = ClientId,
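Review bot: The obsolete `KeyConnectorEnabled` setter in the first hunk unconditionally overwrites `MemberDecryptionType`, so a request body carrying both properties ends up with whichever key the deserializer binds last, and a `keyConnectorEnabled: false` sent next to `memberDecryptionType: TrustedDeviceEncryption` would silently downgrade the setting. Consider letting the legacy property only opt in to Key Connector, `set { if (value) { MemberDecryptionType = MemberDecryptionType.KeyConnector; } }`, which relies on MasterPassword being the enum's default so an older client sending `false` still lands there — worth confirming against the enum definition. A doc comment on the new property, `/// <summary>How organization members decrypt their vault; supersedes <see cref="KeyConnectorEnabled"/>.</summary>`, would also help readers of the request model. The method building `SsoConfigurationData` in the second hunk starts and ends outside the hunk.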


@ -8,6 +8,8 @@ using Bit.Api.Models.Request.Organizations;
using Bit.Api.Models.Response;
using Bit.Api.Models.Response.Organizations;
using Bit.Api.SecretsManager;
using Bit.Core;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Repositories;
using Bit.Core.Auth.Services;
using Bit.Core.Context;
@ -46,6 +48,7 @@ public class OrganizationsController : Controller
private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
private readonly ICloudGetOrganizationLicenseQuery _cloudGetOrganizationLicenseQuery;
private readonly IFeatureService _featureService;
private readonly GlobalSettings _globalSettings;
public OrganizationsController(
@ -65,6 +68,7 @@ public class OrganizationsController : Controller
IOrganizationApiKeyRepository organizationApiKeyRepository,
IUpdateOrganizationLicenseCommand updateOrganizationLicenseCommand,
ICloudGetOrganizationLicenseQuery cloudGetOrganizationLicenseQuery,
IFeatureService featureService,
GlobalSettings globalSettings)
{
_organizationRepository = organizationRepository;
@ -83,6 +87,7 @@ public class OrganizationsController : Controller
_organizationApiKeyRepository = organizationApiKeyRepository;
_updateOrganizationLicenseCommand = updateOrganizationLicenseCommand;
_cloudGetOrganizationLicenseQuery = cloudGetOrganizationLicenseQuery;
_featureService = featureService;
_globalSettings = globalSettings;
}
@ -391,8 +396,7 @@ public class OrganizationsController : Controller
var user = await _userService.GetUserByPrincipalAsync(User);
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgGuidId);
if (ssoConfig?.GetData()?.KeyConnectorEnabled == true &&
user.UsesKeyConnector)
if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && user.UsesKeyConnector)
{
throw new BadRequestException("Your organization's Single Sign-On settings prevent you from leaving.");
}
@ -678,6 +682,12 @@ public class OrganizationsController : Controller
throw new NotFoundException();
}
if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption &&
!_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
{
throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type.");
}
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
organization.Identifier = model.Identifier;
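Review bot: The new guard in the last hunk only rejects `TrustedDeviceEncryption` while the feature flag is off; an integer outside the `MemberDecryptionType` enum deserializes without error and is persisted through `model.ToSsoConfig` on the following line. Extending the check, `if (!Enum.IsDefined(typeof(MemberDecryptionType), model.Data.MemberDecryptionType)) { throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type."); }` — or an `[EnumDataType(typeof(MemberDecryptionType))]` on the request property — keeps undefined values out of stored SSO configuration. The flag check also leaves an organization already saved with TDE untouched if the flag is later disabled; whether that is intended is not visible here. The enclosing action starts and ends outside the hunk.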


@ -1,4 +1,5 @@
using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Enums;
using Bit.Core.Enums.Provider;
using Bit.Core.Models.Api;
@ -62,7 +63,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
if (organization.SsoConfig != null)
{
var ssoConfigData = SsoConfigurationData.Deserialize(organization.SsoConfig);
KeyConnectorEnabled = ssoConfigData.KeyConnectorEnabled && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl);
KeyConnectorEnabled = ssoConfigData.MemberDecryptionType == MemberDecryptionType.KeyConnector && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl);
KeyConnectorUrl = ssoConfigData.KeyConnectorUrl;
}
}
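Review bot: The rewritten `KeyConnectorEnabled = ...` assignment in the second hunk packs two conditions into one long line; a named local, `var usesKeyConnector = ssoConfigData.MemberDecryptionType == MemberDecryptionType.KeyConnector;` followed by `KeyConnectorEnabled = usesKeyConnector && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl);`, reads more easily and keeps the null/empty URL rule visible on its own. The profile response still surfaces only the Key Connector case, so a client reading this model cannot distinguish trusted-device from master-password decryption; if none of the other changed files expose `MemberDecryptionType` on a response, that may be worth adding. The enclosing member starts outside the hunk.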