nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-06 05:28:15 -05:00
Code

[Policy] Personal Ownership (#1013)

Browse Source 
* Initial commit of disable personal vault policy

* Added new sproc // updated policy check (was missing conditionals)

* Updated DeMorgan's law logic
This commit is contained in:
Vincent Salucci 2020-12-11 10:45:26 -06:00 committed by GitHub
parent fee5c932db
commit 70f5fd5030
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 103 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bitwarden_license/src/Portal/Models/PolicyEditModel.cs
View File

@ -84,6 +84,7 @@ namespace Bit.Portal.Models
case PolicyType.SingleOrg: case PolicyType.SingleOrg:
case PolicyType.TwoFactorAuthentication: case PolicyType.TwoFactorAuthentication:
case PolicyType.RequireSso: case PolicyType.RequireSso:
case PolicyType.PersonalOwnership:
break; break;
default: default:
throw new ArgumentOutOfRangeException(); throw new ArgumentOutOfRangeException();

5
bitwarden_license/src/Portal/Models/PolicyModel.cs
View File

@ -42,6 +42,11 @@ namespace Bit.Portal.Models
DescriptionKey = "RequireSsoDescription"; DescriptionKey = "RequireSsoDescription";
break; break;
case PolicyType.PersonalOwnership:
NameKey = "PersonalOwnership";
DescriptionKey = "PersonalOwnershipDescription";
break;
default: default:
throw new ArgumentOutOfRangeException(); throw new ArgumentOutOfRangeException();
} }

11
bitwarden_license/src/Portal/Views/Policies/Edit.cshtml
View File

@ -51,6 +51,17 @@
</div> </div>
} }
@if (Model.PolicyType == PolicyType.PersonalOwnership)
{
<div class="callout callout-warning" role="alert">
<h3 class="callout-heading">
<i class="fa fa-warning" *ngIf="icon" aria-hidden="true"></i>
@i18nService.T("Warning")
</h3>
@i18nService.T("PersonalOwnershipExemption")
</div>
}
<div asp-validation-summary="ModelOnly" class="alert alert-danger"></div> <div asp-validation-summary="ModelOnly" class="alert alert-danger"></div>
<div class="form-group"> <div class="form-group">

1
src/Core/Enums/PolicyType.cs
View File

@ -7,5 +7,6 @@
PasswordGenerator = 2, PasswordGenerator = 2,
SingleOrg = 3, SingleOrg = 3,
RequireSso = 4, RequireSso = 4,
PersonalOwnership = 5,
} }
} }

2
src/Core/Repositories/IOrganizationUserRepository.cs
View File

@ -23,6 +23,8 @@ namespace Bit.Core.Repositories
Task<ICollection<OrganizationUserUserDetails>> GetManyDetailsByOrganizationAsync(Guid organizationId); Task<ICollection<OrganizationUserUserDetails>> GetManyDetailsByOrganizationAsync(Guid organizationId);
Task<ICollection<OrganizationUserOrganizationDetails>> GetManyDetailsByUserAsync(Guid userId, Task<ICollection<OrganizationUserOrganizationDetails>> GetManyDetailsByUserAsync(Guid userId,
OrganizationUserStatusType? status = null); OrganizationUserStatusType? status = null);
Task<OrganizationUserOrganizationDetails> GetDetailsByUserAsync(Guid userId, Guid organizationId,
OrganizationUserStatusType? status = null);
Task UpdateGroupsAsync(Guid orgUserId, IEnumerable<Guid> groupIds); Task UpdateGroupsAsync(Guid orgUserId, IEnumerable<Guid> groupIds);
Task CreateAsync(OrganizationUser obj, IEnumerable<SelectionReadOnly> collections); Task CreateAsync(OrganizationUser obj, IEnumerable<SelectionReadOnly> collections);
Task ReplaceAsync(OrganizationUser obj, IEnumerable<SelectionReadOnly> collections); Task ReplaceAsync(OrganizationUser obj, IEnumerable<SelectionReadOnly> collections);

14
src/Core/Repositories/SqlServer/OrganizationUserRepository.cs
View File

@ -185,6 +185,20 @@ namespace Bit.Core.Repositories.SqlServer
} }
} }
public async Task<OrganizationUserOrganizationDetails> GetDetailsByUserAsync(Guid userId,
Guid organizationId, OrganizationUserStatusType? status = null)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<OrganizationUserOrganizationDetails>(
"[dbo].[OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId]",
new { UserId = userId, Status = status, OrganizationId = organizationId },
commandType: CommandType.StoredProcedure);
return results.SingleOrDefault();
}
}
public async Task UpdateGroupsAsync(Guid orgUserId, IEnumerable<Guid> groupIds) public async Task UpdateGroupsAsync(Guid orgUserId, IEnumerable<Guid> groupIds)
{ {
using (var connection = new SqlConnection(ConnectionString)) using (var connection = new SqlConnection(ConnectionString))

9
src/Core/Resources/SharedResources.en.resx
View File

@ -566,4 +566,13 @@
<data name="RequireSsoExemption" xml:space="preserve"> <data name="RequireSsoExemption" xml:space="preserve">
<value>Organization Owners and Administrators are exempt from this policy's enforcement.</value> <value>Organization Owners and Administrators are exempt from this policy's enforcement.</value>
</data> </data>
<data name="PersonalOwnership" xml:space="preserve">
<value>Personal Ownership</value>
</data>
<data name="PersonalOwnershipDescription" xml:space="preserve">
<value>Require users to save vault items to an organization by removing the personal ownership option.</value>
</data>
<data name="PersonalOwnershipExemption" xml:space="preserve">
<value>Organization Owners and Administrators are exempt from this policy's enforcement.</value>
</data>
</root> </root>

18
src/Core/Services/Implementations/CipherService.cs
View File

@ -27,6 +27,7 @@ namespace Bit.Core.Services
private readonly IAttachmentStorageService _attachmentStorageService; private readonly IAttachmentStorageService _attachmentStorageService;
private readonly IEventService _eventService; private readonly IEventService _eventService;
private readonly IUserService _userService; private readonly IUserService _userService;
private readonly IPolicyRepository _policyRepository;
private readonly GlobalSettings _globalSettings; private readonly GlobalSettings _globalSettings;
public CipherService( public CipherService(
@ -41,6 +42,7 @@ namespace Bit.Core.Services
IAttachmentStorageService attachmentStorageService, IAttachmentStorageService attachmentStorageService,
IEventService eventService, IEventService eventService,
IUserService userService, IUserService userService,
IPolicyRepository policyRepository,
GlobalSettings globalSettings) GlobalSettings globalSettings)
{ {
_cipherRepository = cipherRepository; _cipherRepository = cipherRepository;
@ -54,6 +56,7 @@ namespace Bit.Core.Services
_attachmentStorageService = attachmentStorageService; _attachmentStorageService = attachmentStorageService;
_eventService = eventService; _eventService = eventService;
_userService = userService; _userService = userService;
_policyRepository = policyRepository;
_globalSettings = globalSettings; _globalSettings = globalSettings;
} }
@ -118,6 +121,21 @@ namespace Bit.Core.Services
} }
else else
{ {
// Make sure the user can save new ciphers to their personal vault
var userPolicies = await _policyRepository.GetManyByUserIdAsync(savingUserId);
if (userPolicies != null)
{
foreach (var policy in userPolicies.Where(p => p.Enabled && p.Type == PolicyType.PersonalOwnership))
{
var org = await _organizationUserRepository.GetDetailsByUserAsync(savingUserId, policy.OrganizationId,
OrganizationUserStatusType.Confirmed);
if(org != null && org.Enabled && org.UsePolicies
&& org.Type != OrganizationUserType.Admin && org.Type != OrganizationUserType.Owner)
{
throw new BadRequestException("Due to an Enterprise Policy, you are restricted from saving items to your personal vault.");
}
}
}
await _cipherRepository.CreateAsync(cipher); await _cipherRepository.CreateAsync(cipher);
} }
await _eventService.LogCipherEventAsync(cipher, Enums.EventType.Cipher_Created); await _eventService.LogCipherEventAsync(cipher, Enums.EventType.Cipher_Created);

1
src/Sql/Sql.sqlproj
View File

@ -295,6 +295,7 @@
<Build Include="dbo\Stored Procedures\TaxRate_Create.sql" /> <Build Include="dbo\Stored Procedures\TaxRate_Create.sql" />
<Build Include="dbo\Stored Procedures\TaxRate_Archive.sql" /> <Build Include="dbo\Stored Procedures\TaxRate_Archive.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationIdEmail.sql" /> <Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationIdEmail.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId.sql" />
</ItemGroup> </ItemGroup>
</Project> </Project>

17
src/Sql/dbo/Stored Procedures/OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId.sql Normal file
View File

@ -0,0 +1,17 @@
CREATE PROCEDURE [dbo].[OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId]
@UserId UNIQUEIDENTIFIER,
@Status TINYINT,
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
*
FROM
[dbo].[OrganizationUserOrganizationDetailsView]
WHERE
[UserId] = @UserId
AND [OrganizationId] = @OrganizationId
AND (@Status IS NULL OR [Status] = @Status)
END

0
util/Migrator/DbScripts/2020_12_04_00_OrgUserReadByOrgEmail.sql → util/Migrator/DbScripts/2020-12-04_00_OrgUserReadByOrgEmail.sql
View File

24
util/Migrator/DbScripts/2020-12-06_00_OrgUserOrgDetailsReadByUserIdStatusOrgId.sql Normal file
View File

@ -0,0 +1,24 @@
IF OBJECT_ID('[dbo].[OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId]') IS NOT NULL
BEGIN
DROP PROCEDURE [dbo].[OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId]
END
GO
CREATE PROCEDURE [dbo].[OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId]
@UserId UNIQUEIDENTIFIER,
@Status TINYINT,
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
*
FROM
[dbo].[OrganizationUserOrganizationDetailsView]
WHERE
[UserId] = @UserId
AND [OrganizationId] = @OrganizationId
AND (@Status IS NULL OR [Status] = @Status)
END
GO