[PM-18237] Add RequireSsoPolicyRequirement (#5655)

* Add RequireSsoPolicyRequirement and its factory to enforce SSO policies * Enhance WebAuthnController to support RequireSsoPolicyRequirement with feature flag integration. Update tests to validate behavior when SSO policies are applicable. * Integrate IPolicyRequirementQuery into request validators to support RequireSsoPolicyRequirement. Update validation logic to check SSO policies based on feature flag. * Refactor RequireSsoPolicyRequirementFactoryTests to improve test coverage for SSO policies. Add tests for handling both valid and invalid policies in CanUsePasskeyLogin and SsoRequired methods. * Remove ExemptStatuses property from RequireSsoPolicyRequirementFactory to use default values from BasePolicyRequirementFactory * Restore ValidateRequireSsoPolicyDisabledOrNotApplicable * Refactor RequireSsoPolicyRequirement to update CanUsePasskeyLogin and SsoRequired properties to use init-only setters * Refactor RequireSsoPolicyRequirementFactoryTests to enhance test clarity * Refactor BaseRequestValidatorTests to improve test clarity * Refactor WebAuthnController to replace SSO policy validation with PolicyRequirement check * Refactor BaseRequestValidator to replace SSO policy validation with PolicyRequirement check * Refactor WebAuthnControllerTests to update test method names and adjust policy requirement checks * Add tests for AttestationOptions and Post methods in WebAuthnControllerTests to validate scenario where SSO is not required * Refactor RequireSsoPolicyRequirement initialization * Refactor SSO requirement check for improved readability * Rename test methods in RequireSsoPolicyRequirementFactoryTests for clarity on exempt status conditions * Update RequireSsoPolicyRequirement to refine user status checks for SSO policy requirements
2025-06-30 15:42:48 -05:00 · 2025-04-23 15:43:36 +01:00
parent 9667ecaf9e
commit 722fae81b3
11 changed files with 447 additions and 18 deletions
--- a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
@ -1,6 +1,7 @@
 using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Context;
@ -41,6 +42,7 @@ public class BaseRequestValidatorTests
    private readonly IFeatureService _featureService;
    private readonly ISsoConfigRepository _ssoConfigRepository;
    private readonly IUserDecryptionOptionsBuilder _userDecryptionOptionsBuilder;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;

    private readonly BaseRequestValidatorTestWrapper _sut;

@ -61,6 +63,7 @@ public class BaseRequestValidatorTests
        _featureService = Substitute.For<IFeatureService>();
        _ssoConfigRepository = Substitute.For<ISsoConfigRepository>();
        _userDecryptionOptionsBuilder = Substitute.For<IUserDecryptionOptionsBuilder>();
+        _policyRequirementQuery = Substitute.For<IPolicyRequirementQuery>();

        _sut = new BaseRequestValidatorTestWrapper(
            _userManager,
@ -77,7 +80,8 @@ public class BaseRequestValidatorTests
            _policyService,
            _featureService,
            _ssoConfigRepository,
-            _userDecryptionOptionsBuilder);
+            _userDecryptionOptionsBuilder,
+            _policyRequirementQuery);
    }

    /* Logic path
@ -276,6 +280,75 @@ public class BaseRequestValidatorTests
        Assert.Equal("SSO authentication is required.", errorResponse.Message);
    }

+    // Test grantTypes with RequireSsoPolicyRequirement when feature flag is enabled
+    [Theory]
+    [BitAutoData("password")]
+    [BitAutoData("webauthn")]
+    [BitAutoData("refresh_token")]
+    public async Task ValidateAsync_GrantTypes_WithPolicyRequirementsEnabled_OrgSsoRequiredTrue_ShouldSetSsoResult(
+        string grantType,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        CustomValidatorRequestContext requestContext,
+        GrantValidationResult grantResult)
+    {
+        // Arrange
+        _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+        var context = CreateContext(tokenRequest, requestContext, grantResult);
+        context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
+        _sut.isValid = true;
+
+        context.ValidatedTokenRequest.GrantType = grantType;
+        // Configure requirement to require SSO
+        var requirement = new RequireSsoPolicyRequirement { SsoRequired = true };
+        _policyRequirementQuery.GetAsync<RequireSsoPolicyRequirement>(Arg.Any<Guid>()).Returns(requirement);
+
+        // Act
+        await _sut.ValidateAsync(context);
+
+        // Assert
+        await _policyService.DidNotReceive().AnyPoliciesApplicableToUserAsync(
+                Arg.Any<Guid>(), PolicyType.RequireSso, OrganizationUserStatusType.Confirmed);
+        Assert.True(context.GrantResult.IsError);
+        var errorResponse = (ErrorResponseModel)context.GrantResult.CustomResponse["ErrorModel"];
+        Assert.Equal("SSO authentication is required.", errorResponse.Message);
+    }
+
+    [Theory]
+    [BitAutoData("password")]
+    [BitAutoData("webauthn")]
+    [BitAutoData("refresh_token")]
+    public async Task ValidateAsync_GrantTypes_WithPolicyRequirementsEnabled_OrgSsoRequiredFalse_ShouldSucceed(
+        string grantType,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        CustomValidatorRequestContext requestContext,
+        GrantValidationResult grantResult)
+    {
+        // Arrange
+        _featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements).Returns(true);
+        var context = CreateContext(tokenRequest, requestContext, grantResult);
+        context.CustomValidatorRequestContext.CaptchaResponse.IsBot = false;
+        _sut.isValid = true;
+
+        context.ValidatedTokenRequest.GrantType = grantType;
+        context.ValidatedTokenRequest.ClientId = "web";
+
+        // Configure requirement to not require SSO
+        var requirement = new RequireSsoPolicyRequirement { SsoRequired = false };
+        _policyRequirementQuery.GetAsync<RequireSsoPolicyRequirement>(Arg.Any<Guid>()).Returns(requirement);
+
+        _twoFactorAuthenticationValidator.RequiresTwoFactorAsync(requestContext.User, tokenRequest)
+            .Returns(Task.FromResult(new Tuple<bool, Organization>(false, null)));
+        _deviceValidator.ValidateRequestDeviceAsync(tokenRequest, requestContext)
+            .Returns(Task.FromResult(true));
+
+        await _sut.ValidateAsync(context);
+
+        Assert.False(context.GrantResult.IsError);
+        await _eventService.Received(1).LogUserEventAsync(
+            context.CustomValidatorRequestContext.User.Id, EventType.User_LoggedIn);
+        await _userRepository.Received(1).ReplaceAsync(Arg.Any<User>());
+    }
+
    // Test grantTypes where SSO would be required but the user is not in an
    // organization that requires it
    [Theory]