[AC-1145] Add trusted devices option to SSO Config Data (#2909)

* [AC-1145] Add TDE feature flag * [AC-1145] Update .gitignore to ignore flags.json in the Api project * [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData * [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model * [AC-1145] Automatically enable password reset policy on TDE selection * [AC-1145] Remove references to obsolete KeyConnectorEnabled field * [AC-1145] Formatting * [AC-1145] Update XML doc reference to MemberDecryptionType
2025-07-17 15:40:59 -05:00 · 2023-05-10 12:52:08 -07:00
parent 5a850f48e2
commit 620a7e0a8d
17 changed files with 112 additions and 31 deletions
--- a/src/Core/Auth/Services/Implementations/SsoConfigService.cs
+++ b/src/Core/Auth/Services/Implementations/SsoConfigService.cs
@ -1,8 +1,10 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Repositories;
 using Bit.Core.Services;

@ -12,21 +14,30 @@ public class SsoConfigService : ISsoConfigService
 {
    private readonly ISsoConfigRepository _ssoConfigRepository;
    private readonly IPolicyRepository _policyRepository;
+    private readonly IPolicyService _policyService;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IUserService _userService;
+    private readonly IOrganizationService _organizationService;
    private readonly IEventService _eventService;

    public SsoConfigService(
        ISsoConfigRepository ssoConfigRepository,
        IPolicyRepository policyRepository,
+        IPolicyService policyService,
        IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
+        IUserService userService,
+        IOrganizationService organizationService,
        IEventService eventService)
    {
        _ssoConfigRepository = ssoConfigRepository;
        _policyRepository = policyRepository;
+        _policyService = policyService;
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
+        _userService = userService;
+        _organizationService = organizationService;
        _eventService = eventService;
    }

@ -39,19 +50,31 @@ public class SsoConfigService : ISsoConfigService
            config.CreationDate = now;
        }

-        var useKeyConnector = config.GetData().KeyConnectorEnabled;
+        var useKeyConnector = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
        if (useKeyConnector)
        {
            await VerifyDependenciesAsync(config, organization);
        }

        var oldConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(config.OrganizationId);
-        var disabledKeyConnector = oldConfig?.GetData()?.KeyConnectorEnabled == true && !useKeyConnector;
+        var disabledKeyConnector = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && !useKeyConnector;
        if (disabledKeyConnector && await AnyOrgUserHasKeyConnectorEnabledAsync(config.OrganizationId))
        {
            throw new BadRequestException("Key Connector cannot be disabled at this moment.");
        }

+        // Automatically enable reset password policy if trusted device encryption is selected
+        if (config.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
+        {
+            var resetPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.ResetPassword) ??
+                              new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.ResetPassword, };
+
+            resetPolicy.Enabled = true;
+            resetPolicy.SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+
+            await _policyService.SaveAsync(resetPolicy, _userService, _organizationService, null);
+        }
+
        await LogEventsAsync(config, oldConfig);
        await _ssoConfigRepository.UpsertAsync(config);
    }
@ -97,8 +120,9 @@ public class SsoConfigService : ISsoConfigService
            await _eventService.LogOrganizationEventAsync(organization, e);
        }

-        var keyConnectorEnabled = config.GetData().KeyConnectorEnabled;
-        if (oldConfig?.GetData()?.KeyConnectorEnabled != keyConnectorEnabled)
+        var keyConnectorEnabled = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        var oldKeyConnectorEnabled = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        if (oldKeyConnectorEnabled != keyConnectorEnabled)
        {
            var e = keyConnectorEnabled
                ? EventType.Organization_EnabledKeyConnector