[AC-1145] Add trusted devices option to SSO Config Data (#2909)

* [AC-1145] Add TDE feature flag * [AC-1145] Update .gitignore to ignore flags.json in the Api project * [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData * [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model * [AC-1145] Automatically enable password reset policy on TDE selection * [AC-1145] Remove references to obsolete KeyConnectorEnabled field * [AC-1145] Formatting * [AC-1145] Update XML doc reference to MemberDecryptionType
2025-07-03 17:12:49 -05:00 · 2023-05-10 12:52:08 -07:00
parent 5a850f48e2
commit 620a7e0a8d
17 changed files with 112 additions and 31 deletions
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@ -8,6 +8,8 @@ using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Api.Models.Response.Organizations;
 using Bit.Api.SecretsManager;
+using Bit.Core;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
 using Bit.Core.Context;
@ -46,6 +48,7 @@ public class OrganizationsController : Controller
    private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
    private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
    private readonly ICloudGetOrganizationLicenseQuery _cloudGetOrganizationLicenseQuery;
+    private readonly IFeatureService _featureService;
    private readonly GlobalSettings _globalSettings;

    public OrganizationsController(
@ -65,6 +68,7 @@ public class OrganizationsController : Controller
        IOrganizationApiKeyRepository organizationApiKeyRepository,
        IUpdateOrganizationLicenseCommand updateOrganizationLicenseCommand,
        ICloudGetOrganizationLicenseQuery cloudGetOrganizationLicenseQuery,
+        IFeatureService featureService,
        GlobalSettings globalSettings)
    {
        _organizationRepository = organizationRepository;
@ -83,6 +87,7 @@ public class OrganizationsController : Controller
        _organizationApiKeyRepository = organizationApiKeyRepository;
        _updateOrganizationLicenseCommand = updateOrganizationLicenseCommand;
        _cloudGetOrganizationLicenseQuery = cloudGetOrganizationLicenseQuery;
+        _featureService = featureService;
        _globalSettings = globalSettings;
    }

@ -391,8 +396,7 @@ public class OrganizationsController : Controller
        var user = await _userService.GetUserByPrincipalAsync(User);

        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgGuidId);
-        if (ssoConfig?.GetData()?.KeyConnectorEnabled == true &&
-            user.UsesKeyConnector)
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && user.UsesKeyConnector)
        {
            throw new BadRequestException("Your organization's Single Sign-On settings prevent you from leaving.");
        }
@ -678,6 +682,12 @@ public class OrganizationsController : Controller
            throw new NotFoundException();
        }

+        if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption &&
+            !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
+        {
+            throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type.");
+        }
+
        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
        ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
        organization.Identifier = model.Identifier;