[AC-1145] Add trusted devices option to SSO Config Data (#2909)

* [AC-1145] Add TDE feature flag * [AC-1145] Update .gitignore to ignore flags.json in the Api project * [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData * [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model * [AC-1145] Automatically enable password reset policy on TDE selection * [AC-1145] Remove references to obsolete KeyConnectorEnabled field * [AC-1145] Formatting * [AC-1145] Update XML doc reference to MemberDecryptionType
2025-06-30 15:42:48 -05:00 · 2023-05-10 12:52:08 -07:00
parent 5a850f48e2
commit 620a7e0a8d
17 changed files with 112 additions and 31 deletions
--- a/src/Core/Auth/Enums/MemberDecryptionType.cs
+++ b/src/Core/Auth/Enums/MemberDecryptionType.cs
@ -0,0 +1,8 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum MemberDecryptionType
+{
+    MasterPassword = 0,
+    KeyConnector = 1,
+    TrustedDeviceEncryption = 2
+}
--- a/src/Core/Auth/Models/Data/SsoConfigurationData.cs
+++ b/src/Core/Auth/Models/Data/SsoConfigurationData.cs
@ -22,7 +22,25 @@ public class SsoConfigurationData

    public SsoType ConfigType { get; set; }

-    public bool KeyConnectorEnabled { get; set; }
+    public MemberDecryptionType MemberDecryptionType { get; set; }
+
+    /// <summary>
+    /// Legacy property to determine if KeyConnector was enabled.
+    /// Kept for backwards compatibility with old configs that will not have
+    /// the new <see cref="MemberDecryptionType"/> when deserialized from the database.
+    /// </summary>
+    [Obsolete("Use MemberDecryptionType instead")]
+    public bool KeyConnectorEnabled
+    {
+        get => MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        set
+        {
+            if (value)
+            {
+                MemberDecryptionType = MemberDecryptionType.KeyConnector;
+            }
+        }
+    }
    public string KeyConnectorUrl { get; set; }

    // OIDC
--- a/src/Core/Auth/Services/Implementations/SsoConfigService.cs
+++ b/src/Core/Auth/Services/Implementations/SsoConfigService.cs
@ -1,8 +1,10 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Repositories;
 using Bit.Core.Services;

@ -12,21 +14,30 @@ public class SsoConfigService : ISsoConfigService
 {
    private readonly ISsoConfigRepository _ssoConfigRepository;
    private readonly IPolicyRepository _policyRepository;
+    private readonly IPolicyService _policyService;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IUserService _userService;
+    private readonly IOrganizationService _organizationService;
    private readonly IEventService _eventService;

    public SsoConfigService(
        ISsoConfigRepository ssoConfigRepository,
        IPolicyRepository policyRepository,
+        IPolicyService policyService,
        IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
+        IUserService userService,
+        IOrganizationService organizationService,
        IEventService eventService)
    {
        _ssoConfigRepository = ssoConfigRepository;
        _policyRepository = policyRepository;
+        _policyService = policyService;
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
+        _userService = userService;
+        _organizationService = organizationService;
        _eventService = eventService;
    }

@ -39,19 +50,31 @@ public class SsoConfigService : ISsoConfigService
            config.CreationDate = now;
        }

-        var useKeyConnector = config.GetData().KeyConnectorEnabled;
+        var useKeyConnector = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
        if (useKeyConnector)
        {
            await VerifyDependenciesAsync(config, organization);
        }

        var oldConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(config.OrganizationId);
-        var disabledKeyConnector = oldConfig?.GetData()?.KeyConnectorEnabled == true && !useKeyConnector;
+        var disabledKeyConnector = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && !useKeyConnector;
        if (disabledKeyConnector && await AnyOrgUserHasKeyConnectorEnabledAsync(config.OrganizationId))
        {
            throw new BadRequestException("Key Connector cannot be disabled at this moment.");
        }

+        // Automatically enable reset password policy if trusted device encryption is selected
+        if (config.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
+        {
+            var resetPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.ResetPassword) ??
+                              new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.ResetPassword, };
+
+            resetPolicy.Enabled = true;
+            resetPolicy.SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+
+            await _policyService.SaveAsync(resetPolicy, _userService, _organizationService, null);
+        }
+
        await LogEventsAsync(config, oldConfig);
        await _ssoConfigRepository.UpsertAsync(config);
    }
@ -97,8 +120,9 @@ public class SsoConfigService : ISsoConfigService
            await _eventService.LogOrganizationEventAsync(organization, e);
        }

-        var keyConnectorEnabled = config.GetData().KeyConnectorEnabled;
-        if (oldConfig?.GetData()?.KeyConnectorEnabled != keyConnectorEnabled)
+        var keyConnectorEnabled = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        var oldKeyConnectorEnabled = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        if (oldKeyConnectorEnabled != keyConnectorEnabled)
        {
            var e = keyConnectorEnabled
                ? EventType.Organization_EnabledKeyConnector
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -30,6 +30,7 @@ public static class FeatureFlagKeys
    public const string SecretsManager = "secrets-manager";
    public const string DisplayEuEnvironment = "display-eu-environment";
    public const string DisplayLowKdfIterationWarning = "display-kdf-iteration-warning";
+    public const string TrustedDeviceEncryption = "trusted-device-encryption";

    public static List<string> GetAllKeys()
    {
--- a/src/Core/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
+++ b/src/Core/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Models.OrganizationConnectionConfigs;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
@ -56,7 +57,7 @@ public class SelfHostedOrganizationDetails : Organization
        }

        if (!license.UseKeyConnector && UseKeyConnector && SsoConfig?.Data != null &&
-            SsoConfig.GetData().KeyConnectorEnabled)
+            SsoConfig.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector)
        {
            exception = $"Your organization currently has Key Connector enabled. " +
                $"Your new license does not allow for the use of Key Connector. Disable your Key Connector.";
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@ -262,7 +262,7 @@ public class OrganizationService : IOrganizationService
        if (!newPlan.HasKeyConnector && organization.UseKeyConnector)
        {
            var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
-            if (ssoConfig != null && ssoConfig.GetData().KeyConnectorEnabled)
+            if (ssoConfig != null && ssoConfig.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector)
            {
                throw new BadRequestException("Your new plan does not allow the Key Connector feature. " +
                                              "Disable your Key Connector.");
@ -2153,7 +2153,7 @@ public class OrganizationService : IOrganizationService
    private async Task ValidateDeleteOrganizationAsync(Organization organization)
    {
        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
-        if (ssoConfig?.GetData()?.KeyConnectorEnabled == true)
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
        {
            throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
        }
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@ -1,4 +1,5 @@
-using Bit.Core.Auth.Repositories;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@ -185,7 +186,7 @@ public class PolicyService : IPolicyService
    {

        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
-        if (ssoConfig?.GetData()?.KeyConnectorEnabled == true)
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
        {
            throw new BadRequestException("Key Connector is enabled.");
        }