[PM-18237] Add RequireSsoPolicyRequirement (#5655)

* Add RequireSsoPolicyRequirement and its factory to enforce SSO policies * Enhance WebAuthnController to support RequireSsoPolicyRequirement with feature flag integration. Update tests to validate behavior when SSO policies are applicable. * Integrate IPolicyRequirementQuery into request validators to support RequireSsoPolicyRequirement. Update validation logic to check SSO policies based on feature flag. * Refactor RequireSsoPolicyRequirementFactoryTests to improve test coverage for SSO policies. Add tests for handling both valid and invalid policies in CanUsePasskeyLogin and SsoRequired methods. * Remove ExemptStatuses property from RequireSsoPolicyRequirementFactory to use default values from BasePolicyRequirementFactory * Restore ValidateRequireSsoPolicyDisabledOrNotApplicable * Refactor RequireSsoPolicyRequirement to update CanUsePasskeyLogin and SsoRequired properties to use init-only setters * Refactor RequireSsoPolicyRequirementFactoryTests to enhance test clarity * Refactor BaseRequestValidatorTests to improve test clarity * Refactor WebAuthnController to replace SSO policy validation with PolicyRequirement check * Refactor BaseRequestValidator to replace SSO policy validation with PolicyRequirement check * Refactor WebAuthnControllerTests to update test method names and adjust policy requirement checks * Add tests for AttestationOptions and Post methods in WebAuthnControllerTests to validate scenario where SSO is not required * Refactor RequireSsoPolicyRequirement initialization * Refactor SSO requirement check for improved readability * Rename test methods in RequireSsoPolicyRequirementFactoryTests for clarity on exempt status conditions * Update RequireSsoPolicyRequirement to refine user status checks for SSO policy requirements
2025-07-02 16:42:50 -05:00 · 2025-04-23 15:43:36 +01:00
parent 9667ecaf9e
commit 722fae81b3
11 changed files with 447 additions and 18 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/RequireSsoPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/RequireSsoPolicyRequirement.cs
@ -0,0 +1,62 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Enums;
+using Bit.Core.Settings;
+
+/// <summary>
+/// Policy requirements for the Require SSO policy.
+/// </summary>
+public class RequireSsoPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Indicates whether the user can use passkey login.
+    /// </summary>
+    /// <remarks>
+    /// The user can use passkey login if they are not a member (Accepted/Confirmed) of an organization
+    /// that has the Require SSO policy enabled.
+    /// </remarks>
+    public bool CanUsePasskeyLogin { get; init; }
+
+    /// <summary>
+    /// Indicates whether SSO requirement is enforced for the user.
+    /// </summary>
+    /// <remarks>
+    /// The user is required to login with SSO if they are a confirmed member of an organization
+    /// that has the Require SSO policy enabled.
+    /// </remarks>
+    public bool SsoRequired { get; init; }
+}
+
+
+public class RequireSsoPolicyRequirementFactory : BasePolicyRequirementFactory<RequireSsoPolicyRequirement>
+{
+    private readonly GlobalSettings _globalSettings;
+
+    public RequireSsoPolicyRequirementFactory(GlobalSettings globalSettings)
+    {
+        _globalSettings = globalSettings;
+    }
+
+    public override PolicyType PolicyType => PolicyType.RequireSso;
+
+    protected override IEnumerable<OrganizationUserType> ExemptRoles =>
+        _globalSettings.Sso.EnforceSsoPolicyForAllUsers
+            ? Array.Empty<OrganizationUserType>()
+            : [OrganizationUserType.Owner, OrganizationUserType.Admin];
+
+    public override RequireSsoPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var result = new RequireSsoPolicyRequirement
+        {
+            CanUsePasskeyLogin = policyDetails.All(p =>
+                p.OrganizationUserStatus == OrganizationUserStatusType.Revoked ||
+                p.OrganizationUserStatus == OrganizationUserStatusType.Invited),
+
+            SsoRequired = policyDetails.Any(p =>
+                p.OrganizationUserStatus == OrganizationUserStatusType.Confirmed)
+        };
+
+        return result;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@ -35,5 +35,6 @@ public static class PolicyServiceCollectionExtensions
        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SendOptionsPolicyRequirementFactory>();
        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, ResetPasswordPolicyRequirementFactory>();
        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, PersonalOwnershipPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, RequireSsoPolicyRequirementFactory>();
    }
 }