diff --git a/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml b/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml
index fc527750aa..85d62f6b08 100644
--- a/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml
+++ b/src/Admin/Views/Shared/_OrganizationFormScripts.cshtml
@@ -113,6 +113,26 @@
}
}
+ function unlinkProvider(id) {
+ if (confirm('Are you sure you want to unlink this organization from its provider?')) {
+ $.ajax({
+ type: "POST",
+ url: `@Url.Action("UnlinkOrganizationFromProvider", "Organizations")?id=${id}`,
+ dataType: 'json',
+ contentType: false,
+ processData: false,
+ success: function (response) {
+ alert("Successfully unlinked provider");
+ window.location.href = `@Url.Action("Edit", "Organizations")?id=${id}`;
+ },
+ error: function (response) {
+ alert("Error!");
+ }
+ });
+ }
+ return false;
+ }
+
/***
* Set Secrets Manager values based on current usage (for migrating from SM beta or reinstating an old subscription)
*/
diff --git a/src/Api/AdminConsole/Controllers/GroupsController.cs b/src/Api/AdminConsole/Controllers/GroupsController.cs
index 447ea4bdc7..3a256043a0 100644
--- a/src/Api/AdminConsole/Controllers/GroupsController.cs
+++ b/src/Api/AdminConsole/Controllers/GroupsController.cs
@@ -3,7 +3,6 @@ using Bit.Api.AdminConsole.Models.Response;
using Bit.Api.Models.Response;
using Bit.Api.Utilities;
using Bit.Api.Vault.AuthorizationHandlers.Groups;
-using Bit.Core;
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.AdminConsole.Services;
@@ -27,10 +26,8 @@ public class GroupsController : Controller
private readonly ICurrentContext _currentContext;
private readonly ICreateGroupCommand _createGroupCommand;
private readonly IUpdateGroupCommand _updateGroupCommand;
- private readonly IFeatureService _featureService;
private readonly IAuthorizationService _authorizationService;
-
- private bool UseFlexibleCollections => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
+ private readonly IApplicationCacheService _applicationCacheService;
public GroupsController(
IGroupRepository groupRepository,
@@ -41,7 +38,8 @@ public class GroupsController : Controller
IUpdateGroupCommand updateGroupCommand,
IDeleteGroupCommand deleteGroupCommand,
IFeatureService featureService,
- IAuthorizationService authorizationService)
+ IAuthorizationService authorizationService,
+ IApplicationCacheService applicationCacheService)
{
_groupRepository = groupRepository;
_groupService = groupService;
@@ -50,8 +48,8 @@ public class GroupsController : Controller
_createGroupCommand = createGroupCommand;
_updateGroupCommand = updateGroupCommand;
_deleteGroupCommand = deleteGroupCommand;
- _featureService = featureService;
_authorizationService = authorizationService;
+ _applicationCacheService = applicationCacheService;
}
[HttpGet("{id}")]
@@ -81,7 +79,7 @@ public class GroupsController : Controller
[HttpGet("")]
public async Task
> Get(Guid orgId)
{
- if (UseFlexibleCollections)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
return await Get_vNext(orgId);
@@ -217,4 +215,10 @@ public class GroupsController : Controller
var responses = groups.Select(g => new GroupDetailsResponseModel(g.Item1, g.Item2));
return new ListResponseModel(responses);
}
+
+ private async Task FlexibleCollectionsIsEnabledAsync(Guid organizationId)
+ {
+ var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+ return organizationAbility?.FlexibleCollections ?? false;
+ }
}
diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index 703696c6ad..1eacab68b8 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -4,7 +4,6 @@ using Bit.Api.Models.Request.Organizations;
using Bit.Api.Models.Response;
using Bit.Api.Utilities;
using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-using Bit.Core;
using Bit.Core.AdminConsole.Enums;
using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
@@ -39,10 +38,8 @@ public class OrganizationUsersController : Controller
private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
private readonly IUpdateOrganizationUserGroupsCommand _updateOrganizationUserGroupsCommand;
private readonly IAcceptOrgUserCommand _acceptOrgUserCommand;
- private readonly IFeatureService _featureService;
private readonly IAuthorizationService _authorizationService;
-
- private bool UseFlexibleCollections => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
+ private readonly IApplicationCacheService _applicationCacheService;
public OrganizationUsersController(
IOrganizationRepository organizationRepository,
@@ -57,8 +54,8 @@ public class OrganizationUsersController : Controller
IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand,
IAcceptOrgUserCommand acceptOrgUserCommand,
- IFeatureService featureService,
- IAuthorizationService authorizationService)
+ IAuthorizationService authorizationService,
+ IApplicationCacheService applicationCacheService)
{
_organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository;
@@ -72,8 +69,8 @@ public class OrganizationUsersController : Controller
_updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
_updateOrganizationUserGroupsCommand = updateOrganizationUserGroupsCommand;
_acceptOrgUserCommand = acceptOrgUserCommand;
- _featureService = featureService;
_authorizationService = authorizationService;
+ _applicationCacheService = applicationCacheService;
}
[HttpGet("{id}")]
@@ -98,7 +95,7 @@ public class OrganizationUsersController : Controller
[HttpGet("")]
public async Task> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false)
{
- var authorized = UseFlexibleCollections
+ var authorized = await FlexibleCollectionsIsEnabledAsync(orgId)
? (await _authorizationService.AuthorizeAsync(User, OrganizationUserOperations.ReadAll(orgId))).Succeeded
: await _currentContext.ViewAllCollections(orgId) ||
await _currentContext.ViewAssignedCollections(orgId) ||
@@ -518,4 +515,10 @@ public class OrganizationUsersController : Controller
return new ListResponseModel(result.Select(r =>
new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
}
+
+ private async Task FlexibleCollectionsIsEnabledAsync(Guid organizationId)
+ {
+ var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+ return organizationAbility?.FlexibleCollections ?? false;
+ }
}
diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
index 3293041a2b..e4f0c3aa50 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs
@@ -40,7 +40,6 @@ public class OrganizationsController : Controller
private readonly IOrganizationRepository _organizationRepository;
private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly IPolicyRepository _policyRepository;
- private readonly IProviderRepository _providerRepository;
private readonly IOrganizationService _organizationService;
private readonly IUserService _userService;
private readonly IPaymentService _paymentService;
@@ -51,7 +50,6 @@ public class OrganizationsController : Controller
private readonly IRotateOrganizationApiKeyCommand _rotateOrganizationApiKeyCommand;
private readonly ICreateOrganizationApiKeyCommand _createOrganizationApiKeyCommand;
private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
- private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
private readonly ICloudGetOrganizationLicenseQuery _cloudGetOrganizationLicenseQuery;
private readonly IFeatureService _featureService;
private readonly GlobalSettings _globalSettings;
@@ -64,7 +62,6 @@ public class OrganizationsController : Controller
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
IPolicyRepository policyRepository,
- IProviderRepository providerRepository,
IOrganizationService organizationService,
IUserService userService,
IPaymentService paymentService,
@@ -75,7 +72,6 @@ public class OrganizationsController : Controller
IRotateOrganizationApiKeyCommand rotateOrganizationApiKeyCommand,
ICreateOrganizationApiKeyCommand createOrganizationApiKeyCommand,
IOrganizationApiKeyRepository organizationApiKeyRepository,
- IUpdateOrganizationLicenseCommand updateOrganizationLicenseCommand,
ICloudGetOrganizationLicenseQuery cloudGetOrganizationLicenseQuery,
IFeatureService featureService,
GlobalSettings globalSettings,
@@ -87,7 +83,6 @@ public class OrganizationsController : Controller
_organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository;
_policyRepository = policyRepository;
- _providerRepository = providerRepository;
_organizationService = organizationService;
_userService = userService;
_paymentService = paymentService;
@@ -98,7 +93,6 @@ public class OrganizationsController : Controller
_rotateOrganizationApiKeyCommand = rotateOrganizationApiKeyCommand;
_createOrganizationApiKeyCommand = createOrganizationApiKeyCommand;
_organizationApiKeyRepository = organizationApiKeyRepository;
- _updateOrganizationLicenseCommand = updateOrganizationLicenseCommand;
_cloudGetOrganizationLicenseQuery = cloudGetOrganizationLicenseQuery;
_featureService = featureService;
_globalSettings = globalSettings;
@@ -245,6 +239,21 @@ public class OrganizationsController : Controller
return new OrganizationAutoEnrollStatusResponseModel(organization.Id, data?.AutoEnrollEnabled ?? false);
}
+ [HttpGet("{id}/risks-subscription-failure")]
+ public async Task RisksSubscriptionFailure(Guid id)
+ {
+ if (!await _currentContext.EditPaymentMethods(id))
+ {
+ return new OrganizationRisksSubscriptionFailureResponseModel(id, false);
+ }
+
+ var organization = await _organizationRepository.GetByIdAsync(id);
+
+ var risksSubscriptionFailure = await _paymentService.RisksSubscriptionFailure(organization);
+
+ return new OrganizationRisksSubscriptionFailureResponseModel(id, risksSubscriptionFailure);
+ }
+
[HttpPost("")]
[SelfHosted(NotSelfHostedOnly = true)]
public async Task Post([FromBody] OrganizationCreateRequestModel model)
@@ -775,7 +784,6 @@ public class OrganizationsController : Controller
}
[HttpPut("{id}/collection-management")]
- [RequireFeature(FeatureFlagKeys.FlexibleCollections)]
[SelfHosted(NotSelfHostedOnly = true)]
public async Task PutCollectionManagement(Guid id, [FromBody] OrganizationCollectionManagementUpdateRequestModel model)
{
@@ -790,6 +798,11 @@ public class OrganizationsController : Controller
throw new NotFoundException();
}
+ if (!organization.FlexibleCollections)
+ {
+ throw new BadRequestException("Organization does not have collection enhancements enabled");
+ }
+
var v1Enabled = _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext);
if (!v1Enabled)
diff --git a/src/Api/AdminConsole/Controllers/ProviderOrganizationsController.cs b/src/Api/AdminConsole/Controllers/ProviderOrganizationsController.cs
index 4d734e7cad..136119848a 100644
--- a/src/Api/AdminConsole/Controllers/ProviderOrganizationsController.cs
+++ b/src/Api/AdminConsole/Controllers/ProviderOrganizationsController.cs
@@ -1,10 +1,13 @@
using Bit.Api.AdminConsole.Models.Request.Providers;
using Bit.Api.AdminConsole.Models.Response.Providers;
using Bit.Api.Models.Response;
+using Bit.Core.AdminConsole.Providers.Interfaces;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.AdminConsole.Services;
+using Bit.Core.Billing.Commands;
using Bit.Core.Context;
using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Authorization;
@@ -16,22 +19,33 @@ namespace Bit.Api.AdminConsole.Controllers;
[Authorize("Application")]
public class ProviderOrganizationsController : Controller
{
-
- private readonly IProviderOrganizationRepository _providerOrganizationRepository;
- private readonly IProviderService _providerService;
- private readonly IUserService _userService;
private readonly ICurrentContext _currentContext;
+ private readonly IOrganizationRepository _organizationRepository;
+ private readonly IProviderOrganizationRepository _providerOrganizationRepository;
+ private readonly IProviderRepository _providerRepository;
+ private readonly IProviderService _providerService;
+ private readonly IRemoveOrganizationFromProviderCommand _removeOrganizationFromProviderCommand;
+ private readonly IRemovePaymentMethodCommand _removePaymentMethodCommand;
+ private readonly IUserService _userService;
public ProviderOrganizationsController(
+ ICurrentContext currentContext,
+ IOrganizationRepository organizationRepository,
IProviderOrganizationRepository providerOrganizationRepository,
+ IProviderRepository providerRepository,
IProviderService providerService,
- IUserService userService,
- ICurrentContext currentContext)
+ IRemoveOrganizationFromProviderCommand removeOrganizationFromProviderCommand,
+ IRemovePaymentMethodCommand removePaymentMethodCommand,
+ IUserService userService)
{
- _providerOrganizationRepository = providerOrganizationRepository;
- _providerService = providerService;
- _userService = userService;
_currentContext = currentContext;
+ _organizationRepository = organizationRepository;
+ _providerOrganizationRepository = providerOrganizationRepository;
+ _providerRepository = providerRepository;
+ _providerService = providerService;
+ _removeOrganizationFromProviderCommand = removeOrganizationFromProviderCommand;
+ _removePaymentMethodCommand = removePaymentMethodCommand;
+ _userService = userService;
}
[HttpGet("")]
@@ -87,7 +101,17 @@ public class ProviderOrganizationsController : Controller
throw new NotFoundException();
}
- var userId = _userService.GetProperUserId(User);
- await _providerService.RemoveOrganizationAsync(providerId, id, userId.Value);
+ var provider = await _providerRepository.GetByIdAsync(providerId);
+
+ var providerOrganization = await _providerOrganizationRepository.GetByIdAsync(id);
+
+ var organization = await _organizationRepository.GetByIdAsync(providerOrganization.OrganizationId);
+
+ await _removeOrganizationFromProviderCommand.RemoveOrganizationFromProvider(
+ provider,
+ providerOrganization,
+ organization);
+
+ await _removePaymentMethodCommand.RemovePaymentMethod(organization);
}
}
diff --git a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationRisksSubscriptionFailureResponseModel.cs b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationRisksSubscriptionFailureResponseModel.cs
new file mode 100644
index 0000000000..e91275da3c
--- /dev/null
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationRisksSubscriptionFailureResponseModel.cs
@@ -0,0 +1,17 @@
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.AdminConsole.Models.Response.Organizations;
+
+public class OrganizationRisksSubscriptionFailureResponseModel : ResponseModel
+{
+ public Guid OrganizationId { get; }
+ public bool RisksSubscriptionFailure { get; }
+
+ public OrganizationRisksSubscriptionFailureResponseModel(
+ Guid organizationId,
+ bool risksSubscriptionFailure) : base("organizationRisksSubscriptionFailure")
+ {
+ OrganizationId = organizationId;
+ RisksSubscriptionFailure = risksSubscriptionFailure;
+ }
+}
diff --git a/src/Api/Controllers/CollectionsController.cs b/src/Api/Controllers/CollectionsController.cs
index 7ae76ba750..4072518017 100644
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
@@ -28,8 +28,8 @@ public class CollectionsController : Controller
private readonly IAuthorizationService _authorizationService;
private readonly ICurrentContext _currentContext;
private readonly IBulkAddCollectionAccessCommand _bulkAddCollectionAccessCommand;
- private readonly IFeatureService _featureService;
private readonly IOrganizationUserRepository _organizationUserRepository;
+ private readonly IApplicationCacheService _applicationCacheService;
public CollectionsController(
ICollectionRepository collectionRepository,
@@ -39,8 +39,8 @@ public class CollectionsController : Controller
IAuthorizationService authorizationService,
ICurrentContext currentContext,
IBulkAddCollectionAccessCommand bulkAddCollectionAccessCommand,
- IFeatureService featureService,
- IOrganizationUserRepository organizationUserRepository)
+ IOrganizationUserRepository organizationUserRepository,
+ IApplicationCacheService applicationCacheService)
{
_collectionRepository = collectionRepository;
_organizationUserRepository = organizationUserRepository;
@@ -50,16 +50,14 @@ public class CollectionsController : Controller
_authorizationService = authorizationService;
_currentContext = currentContext;
_bulkAddCollectionAccessCommand = bulkAddCollectionAccessCommand;
- _featureService = featureService;
_organizationUserRepository = organizationUserRepository;
+ _applicationCacheService = applicationCacheService;
}
- private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
[HttpGet("{id}")]
public async Task Get(Guid orgId, Guid id)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
return await Get_vNext(id);
@@ -79,7 +77,7 @@ public class CollectionsController : Controller
[HttpGet("{id}/details")]
public async Task GetDetails(Guid orgId, Guid id)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
return await GetDetails_vNext(id);
@@ -104,7 +102,7 @@ public class CollectionsController : Controller
else
{
(var collection, var access) = await _collectionRepository.GetByIdWithAccessAsync(id,
- _currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
+ _currentContext.UserId.Value, false);
if (collection == null || collection.OrganizationId != orgId)
{
throw new NotFoundException();
@@ -117,7 +115,7 @@ public class CollectionsController : Controller
[HttpGet("details")]
public async Task> GetManyWithDetails(Guid orgId)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
return await GetManyWithDetails_vNext(orgId);
@@ -132,7 +130,7 @@ public class CollectionsController : Controller
// We always need to know which collections the current user is assigned to
var assignedOrgCollections =
await _collectionRepository.GetManyByUserIdWithAccessAsync(_currentContext.UserId.Value, orgId,
- FlexibleCollectionsIsEnabled);
+ false);
if (await _currentContext.ViewAllCollections(orgId) || await _currentContext.ManageUsers(orgId))
{
@@ -159,7 +157,7 @@ public class CollectionsController : Controller
[HttpGet("")]
public async Task> Get(Guid orgId)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
return await GetByOrgId_vNext(orgId);
@@ -191,7 +189,7 @@ public class CollectionsController : Controller
public async Task> GetUser()
{
var collections = await _collectionRepository.GetManyByUserIdAsync(
- _userService.GetProperUserId(User).Value, FlexibleCollectionsIsEnabled);
+ _userService.GetProperUserId(User).Value, false);
var responses = collections.Select(c => new CollectionDetailsResponseModel(c));
return new ListResponseModel(responses);
}
@@ -199,7 +197,7 @@ public class CollectionsController : Controller
[HttpGet("{id}/users")]
public async Task> GetUsers(Guid orgId, Guid id)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
return await GetUsers_vNext(id);
@@ -217,7 +215,8 @@ public class CollectionsController : Controller
{
var collection = model.ToCollection(orgId);
- var authorized = FlexibleCollectionsIsEnabled
+ var flexibleCollectionsIsEnabled = await FlexibleCollectionsIsEnabledAsync(orgId);
+ var authorized = flexibleCollectionsIsEnabled
? (await _authorizationService.AuthorizeAsync(User, collection, BulkCollectionOperations.Create)).Succeeded
: await CanCreateCollection(orgId, collection.Id) || await CanEditCollectionAsync(orgId, collection.Id);
if (!authorized)
@@ -230,7 +229,7 @@ public class CollectionsController : Controller
// Pre-flexible collections logic assigned Managers to collections they create
var assignUserToCollection =
- !FlexibleCollectionsIsEnabled &&
+ !flexibleCollectionsIsEnabled &&
!await _currentContext.EditAnyCollection(orgId) &&
await _currentContext.EditAssignedCollections(orgId);
var isNewCollection = collection.Id == default;
@@ -258,7 +257,7 @@ public class CollectionsController : Controller
[HttpPost("{id}")]
public async Task Put(Guid orgId, Guid id, [FromBody] CollectionRequestModel model)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
return await Put_vNext(id, model);
@@ -280,7 +279,7 @@ public class CollectionsController : Controller
[HttpPut("{id}/users")]
public async Task PutUsers(Guid orgId, Guid id, [FromBody] IEnumerable model)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
await PutUsers_vNext(id, model);
@@ -299,14 +298,17 @@ public class CollectionsController : Controller
[HttpPost("bulk-access")]
[RequireFeature(FeatureFlagKeys.BulkCollectionAccess)]
- // Also gated behind Flexible Collections flag because it only has new authorization logic.
- // Could be removed if legacy authorization logic were implemented for many collections.
- [RequireFeature(FeatureFlagKeys.FlexibleCollections)]
- public async Task PostBulkCollectionAccess([FromBody] BulkCollectionAccessRequestModel model)
+ public async Task PostBulkCollectionAccess(Guid orgId, [FromBody] BulkCollectionAccessRequestModel model)
{
- var collections = await _collectionRepository.GetManyByManyIdsAsync(model.CollectionIds);
+ // Authorization logic assumes flexible collections is enabled
+ // Remove after all organizations have been migrated
+ if (!await FlexibleCollectionsIsEnabledAsync(orgId))
+ {
+ throw new NotFoundException("Feature disabled.");
+ }
- if (collections.Count != model.CollectionIds.Count())
+ var collections = await _collectionRepository.GetManyByManyIdsAsync(model.CollectionIds);
+ if (collections.Count(c => c.OrganizationId == orgId) != model.CollectionIds.Count())
{
throw new NotFoundException("One or more collections not found.");
}
@@ -328,7 +330,7 @@ public class CollectionsController : Controller
[HttpPost("{id}/delete")]
public async Task Delete(Guid orgId, Guid id)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
await Delete_vNext(id);
@@ -349,7 +351,7 @@ public class CollectionsController : Controller
[HttpPost("delete")]
public async Task DeleteMany(Guid orgId, [FromBody] CollectionBulkDeleteRequestModel model)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
var collections = await _collectionRepository.GetManyByManyIdsAsync(model.Ids);
@@ -385,7 +387,7 @@ public class CollectionsController : Controller
[HttpPost("{id}/delete-user/{orgUserId}")]
public async Task DeleteUser(Guid orgId, Guid id, Guid orgUserId)
{
- if (FlexibleCollectionsIsEnabled)
+ if (await FlexibleCollectionsIsEnabledAsync(orgId))
{
// New flexible collections logic
await DeleteUser_vNext(id, orgUserId);
@@ -397,19 +399,9 @@ public class CollectionsController : Controller
await _collectionService.DeleteUserAsync(collection, orgUserId);
}
- private void DeprecatedPermissionsGuard()
- {
- if (FlexibleCollectionsIsEnabled)
- {
- throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
- }
- }
-
[Obsolete("Pre-Flexible Collections logic. Will be replaced by CollectionsAuthorizationHandler.")]
private async Task GetCollectionAsync(Guid id, Guid orgId)
{
- DeprecatedPermissionsGuard();
-
Collection collection = default;
if (await _currentContext.ViewAllCollections(orgId))
{
@@ -417,7 +409,7 @@ public class CollectionsController : Controller
}
else if (await _currentContext.ViewAssignedCollections(orgId))
{
- collection = await _collectionRepository.GetByIdAsync(id, _currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
+ collection = await _collectionRepository.GetByIdAsync(id, _currentContext.UserId.Value, false);
}
if (collection == null || collection.OrganizationId != orgId)
@@ -431,8 +423,6 @@ public class CollectionsController : Controller
[Obsolete("Pre-Flexible Collections logic. Will be replaced by CollectionsAuthorizationHandler.")]
private async Task CanCreateCollection(Guid orgId, Guid collectionId)
{
- DeprecatedPermissionsGuard();
-
if (collectionId != default)
{
return false;
@@ -445,8 +435,6 @@ public class CollectionsController : Controller
[Obsolete("Pre-Flexible Collections logic. Will be replaced by CollectionsAuthorizationHandler.")]
private async Task CanEditCollectionAsync(Guid orgId, Guid collectionId)
{
- DeprecatedPermissionsGuard();
-
if (collectionId == default)
{
return false;
@@ -460,7 +448,7 @@ public class CollectionsController : Controller
if (await _currentContext.EditAssignedCollections(orgId))
{
var collectionDetails =
- await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
+ await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value, false);
return collectionDetails != null;
}
@@ -470,8 +458,6 @@ public class CollectionsController : Controller
[Obsolete("Pre-Flexible Collections logic. Will be replaced by CollectionsAuthorizationHandler.")]
private async Task CanDeleteCollectionAsync(Guid orgId, Guid collectionId)
{
- DeprecatedPermissionsGuard();
-
if (collectionId == default)
{
return false;
@@ -485,7 +471,7 @@ public class CollectionsController : Controller
if (await _currentContext.DeleteAssignedCollections(orgId))
{
var collectionDetails =
- await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
+ await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value, false);
return collectionDetails != null;
}
@@ -495,8 +481,6 @@ public class CollectionsController : Controller
[Obsolete("Pre-Flexible Collections logic. Will be replaced by CollectionsAuthorizationHandler.")]
private async Task DeleteAnyCollection(Guid orgId)
{
- DeprecatedPermissionsGuard();
-
return await _currentContext.OrganizationAdmin(orgId) ||
(_currentContext.Organizations?.Any(o => o.Id == orgId
&& (o.Permissions?.DeleteAnyCollection ?? false)) ?? false);
@@ -505,8 +489,6 @@ public class CollectionsController : Controller
[Obsolete("Pre-Flexible Collections logic. Will be replaced by CollectionsAuthorizationHandler.")]
private async Task CanViewCollectionAsync(Guid orgId, Guid collectionId)
{
- DeprecatedPermissionsGuard();
-
if (collectionId == default)
{
return false;
@@ -520,7 +502,7 @@ public class CollectionsController : Controller
if (await _currentContext.ViewAssignedCollections(orgId))
{
var collectionDetails =
- await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
+ await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value, false);
return collectionDetails != null;
}
@@ -530,8 +512,6 @@ public class CollectionsController : Controller
[Obsolete("Pre-Flexible Collections logic. Will be replaced by CollectionsAuthorizationHandler.")]
private async Task ViewAtLeastOneCollectionAsync(Guid orgId)
{
- DeprecatedPermissionsGuard();
-
return await _currentContext.ViewAllCollections(orgId) || await _currentContext.ViewAssignedCollections(orgId);
}
@@ -564,7 +544,7 @@ public class CollectionsController : Controller
{
// We always need to know which collections the current user is assigned to
var assignedOrgCollections = await _collectionRepository
- .GetManyByUserIdWithAccessAsync(_currentContext.UserId.Value, orgId, FlexibleCollectionsIsEnabled);
+ .GetManyByUserIdWithAccessAsync(_currentContext.UserId.Value, orgId, false);
var readAllAuthorized =
(await _authorizationService.AuthorizeAsync(User, CollectionOperations.ReadAllWithAccess(orgId))).Succeeded;
@@ -604,7 +584,7 @@ public class CollectionsController : Controller
}
else
{
- var assignedCollections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
+ var assignedCollections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, false);
orgCollections = assignedCollections.Where(c => c.OrganizationId == orgId && c.Manage).ToList();
}
@@ -676,4 +656,10 @@ public class CollectionsController : Controller
await _collectionService.DeleteUserAsync(collection, orgUserId);
}
+
+ private async Task FlexibleCollectionsIsEnabledAsync(Guid organizationId)
+ {
+ var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+ return organizationAbility?.FlexibleCollections ?? false;
+ }
}
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index b82b2e1c27..7b5067f3fe 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -26,6 +26,7 @@ using Microsoft.Extensions.DependencyInjection.Extensions;
using Bit.Core.Auth.Identity;
using Bit.Core.Auth.UserFeatures;
using Bit.Core.Entities;
+using Bit.Core.Billing.Extensions;
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
using Bit.Core.Tools.Entities;
using Bit.Core.Vault.Entities;
@@ -169,6 +170,7 @@ public class Startup
services.AddDefaultServices(globalSettings);
services.AddOrganizationSubscriptionServices();
services.AddCoreLocalizationServices();
+ services.AddBillingCommands();
// Authorization Handlers
services.AddAuthorizationHandlers();
diff --git a/src/Api/Controllers/OrganizationExportController.cs b/src/Api/Tools/Controllers/OrganizationExportController.cs
similarity index 97%
rename from src/Api/Controllers/OrganizationExportController.cs
rename to src/Api/Tools/Controllers/OrganizationExportController.cs
index be5aa0e14a..b3c0643b28 100644
--- a/src/Api/Controllers/OrganizationExportController.cs
+++ b/src/Api/Tools/Controllers/OrganizationExportController.cs
@@ -1,4 +1,5 @@
using Bit.Api.Models.Response;
+using Bit.Api.Tools.Models.Response;
using Bit.Api.Vault.Models.Response;
using Bit.Core.Context;
using Bit.Core.Entities;
@@ -9,7 +10,7 @@ using Bit.Core.Vault.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
-namespace Bit.Api.Controllers;
+namespace Bit.Api.Tools.Controllers;
[Route("organizations/{organizationId}")]
[Authorize("Application")]
diff --git a/src/Api/Models/Response/OrganizationExportResponseModel.cs b/src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs
similarity index 85%
rename from src/Api/Models/Response/OrganizationExportResponseModel.cs
rename to src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs
index 1bfca7e3d5..a4b35d8de1 100644
--- a/src/Api/Models/Response/OrganizationExportResponseModel.cs
+++ b/src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs
@@ -1,7 +1,8 @@
-using Bit.Api.Vault.Models.Response;
+using Bit.Api.Models.Response;
+using Bit.Api.Vault.Models.Response;
using Bit.Core.Models.Api;
-namespace Bit.Api.Models.Response;
+namespace Bit.Api.Tools.Models.Response;
public class OrganizationExportResponseModel : ResponseModel
{
diff --git a/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs b/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
index 45e8bc9458..fb47602bc9 100644
--- a/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
@@ -1,5 +1,4 @@
#nullable enable
-using Bit.Core;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Enums;
@@ -20,33 +19,22 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
public BulkCollectionAuthorizationHandler(
ICurrentContext currentContext,
ICollectionRepository collectionRepository,
- IFeatureService featureService,
IApplicationCacheService applicationCacheService)
{
_currentContext = currentContext;
_collectionRepository = collectionRepository;
- _featureService = featureService;
_applicationCacheService = applicationCacheService;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
BulkCollectionOperationRequirement requirement, ICollection? resources)
{
- if (!FlexibleCollectionsIsEnabled)
- {
- // Flexible collections is OFF, should not be using this handler
- throw new FeatureUnavailableException("Flexible collections is OFF when it should be ON.");
- }
-
// Establish pattern of authorization handler null checking passed resources
if (resources == null || !resources.Any())
{
@@ -281,9 +269,6 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
public CollectionAuthorizationHandler(
ICurrentContext currentContext,
IFeatureService featureService)
@@ -30,12 +26,6 @@ public class CollectionAuthorizationHandler : AuthorizationHandler _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
public GroupAuthorizationHandler(
ICurrentContext currentContext,
IFeatureService featureService,
@@ -34,12 +30,6 @@ public class GroupAuthorizationHandler : AuthorizationHandler _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
public OrganizationUserAuthorizationHandler(
ICurrentContext currentContext,
IFeatureService featureService,
@@ -34,12 +30,6 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler, ISubscriber, IStorable, IStorabl
return providers[provider];
}
- public void UpdateFromLicense(
- OrganizationLicense license,
- bool flexibleCollectionsMvpIsEnabled,
- bool flexibleCollectionsV1IsEnabled)
+ public void UpdateFromLicense(OrganizationLicense license)
{
+ // The following properties are intentionally excluded from being updated:
+ // - Id - self-hosted org will have its own unique Guid
+ // - MaxStorageGb - not enforced for self-hosted because we're not providing the storage
+ // - FlexibleCollections - the self-hosted organization must do its own data migration to set this property, it cannot be updated from cloud
+
Name = license.Name;
BusinessName = license.BusinessName;
BillingEmail = license.BillingEmail;
@@ -275,7 +277,7 @@ public class Organization : ITableObject, ISubscriber, IStorable, IStorabl
UseSecretsManager = license.UseSecretsManager;
SmSeats = license.SmSeats;
SmServiceAccounts = license.SmServiceAccounts;
- LimitCollectionCreationDeletion = !flexibleCollectionsMvpIsEnabled || license.LimitCollectionCreationDeletion;
- AllowAdminAccessToAllCollectionItems = !flexibleCollectionsV1IsEnabled || license.AllowAdminAccessToAllCollectionItems;
+ LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion;
+ AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems;
}
}
diff --git a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
index ddca0d3c8a..39cc5a1d98 100644
--- a/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
@@ -145,7 +145,8 @@ public class SelfHostedOrganizationDetails : Organization
MaxAutoscaleSeats = MaxAutoscaleSeats,
OwnersNotifiedOfAutoscaling = OwnersNotifiedOfAutoscaling,
LimitCollectionCreationDeletion = LimitCollectionCreationDeletion,
- AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems
+ AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems,
+ FlexibleCollections = FlexibleCollections
};
}
}
diff --git a/src/Core/AdminConsole/Providers/Interfaces/IRemoveOrganizationFromProviderCommand.cs b/src/Core/AdminConsole/Providers/Interfaces/IRemoveOrganizationFromProviderCommand.cs
new file mode 100644
index 0000000000..84013adc19
--- /dev/null
+++ b/src/Core/AdminConsole/Providers/Interfaces/IRemoveOrganizationFromProviderCommand.cs
@@ -0,0 +1,12 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+
+namespace Bit.Core.AdminConsole.Providers.Interfaces;
+
+public interface IRemoveOrganizationFromProviderCommand
+{
+ Task RemoveOrganizationFromProvider(
+ Provider provider,
+ ProviderOrganization providerOrganization,
+ Organization organization);
+}
diff --git a/src/Core/AdminConsole/Services/IProviderService.cs b/src/Core/AdminConsole/Services/IProviderService.cs
index f71403e80c..fdaef4c03b 100644
--- a/src/Core/AdminConsole/Services/IProviderService.cs
+++ b/src/Core/AdminConsole/Services/IProviderService.cs
@@ -23,7 +23,6 @@ public interface IProviderService
Task AddOrganizationsToReseller(Guid providerId, IEnumerable organizationIds);
Task CreateOrganizationAsync(Guid providerId, OrganizationSignup organizationSignup,
string clientOwnerEmail, User user);
- Task RemoveOrganizationAsync(Guid providerId, Guid providerOrganizationId, Guid removingUserId);
Task LogProviderAccessToOrganizationAsync(Guid organizationId);
Task ResendProviderSetupInviteEmailAsync(Guid providerId, Guid ownerId);
Task SendProviderSetupInviteEmailAsync(Provider provider, string ownerEmail);
diff --git a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
index 3bd493e309..1355a15120 100644
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationService.cs
@@ -65,8 +65,6 @@ public class OrganizationService : IOrganizationService
private readonly IDataProtectorTokenFactory _orgUserInviteTokenDataFactory;
private readonly IFeatureService _featureService;
- private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
public OrganizationService(
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
@@ -418,6 +416,9 @@ public class OrganizationService : IOrganizationService
}
}
+ ///
+ /// Create a new organization in a cloud environment
+ ///
public async Task> SignUpAsync(OrganizationSignup signup,
bool provider = false)
{
@@ -440,8 +441,9 @@ public class OrganizationService : IOrganizationService
await ValidateSignUpPoliciesAsync(signup.Owner.Id);
}
- var flexibleCollectionsIsEnabled =
- _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
+ var flexibleCollectionsSignupEnabled =
+ _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsSignup, _currentContext);
+
var flexibleCollectionsV1IsEnabled =
_featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext);
@@ -482,7 +484,15 @@ public class OrganizationService : IOrganizationService
Status = OrganizationStatusType.Created,
UsePasswordManager = true,
UseSecretsManager = signup.UseSecretsManager,
- LimitCollectionCreationDeletion = !flexibleCollectionsIsEnabled,
+
+ // This feature flag indicates that new organizations should be automatically onboarded to
+ // Flexible Collections enhancements
+ FlexibleCollections = flexibleCollectionsSignupEnabled,
+
+ // These collection management settings smooth the migration for existing organizations by disabling some FC behavior.
+ // If the organization is onboarded to Flexible Collections on signup, we turn them OFF to enable all new behaviour.
+ // If the organization is NOT onboarded now, they will have to be migrated later, so they default to ON to limit FC changes on migration.
+ LimitCollectionCreationDeletion = !flexibleCollectionsSignupEnabled,
AllowAdminAccessToAllCollectionItems = !flexibleCollectionsV1IsEnabled
};
@@ -534,6 +544,9 @@ public class OrganizationService : IOrganizationService
}
}
+ ///
+ /// Create a new organization on a self-hosted instance
+ ///
public async Task> SignUpAsync(
OrganizationLicense license, User owner, string ownerKey, string collectionName, string publicKey,
string privateKey)
@@ -558,10 +571,8 @@ public class OrganizationService : IOrganizationService
await ValidateSignUpPoliciesAsync(owner.Id);
- var flexibleCollectionsMvpIsEnabled =
- _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
- var flexibleCollectionsV1IsEnabled =
- _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext);
+ var flexibleCollectionsSignupEnabled =
+ _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsSignup, _currentContext);
var organization = new Organization
{
@@ -603,8 +614,12 @@ public class OrganizationService : IOrganizationService
UseSecretsManager = license.UseSecretsManager,
SmSeats = license.SmSeats,
SmServiceAccounts = license.SmServiceAccounts,
- LimitCollectionCreationDeletion = !flexibleCollectionsMvpIsEnabled || license.LimitCollectionCreationDeletion,
- AllowAdminAccessToAllCollectionItems = !flexibleCollectionsV1IsEnabled || license.AllowAdminAccessToAllCollectionItems
+ LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion,
+ AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems,
+
+ // This feature flag indicates that new organizations should be automatically onboarded to
+ // Flexible Collections enhancements
+ FlexibleCollections = flexibleCollectionsSignupEnabled,
};
var result = await SignUpAsync(organization, owner.Id, ownerKey, collectionName, false);
@@ -616,6 +631,10 @@ public class OrganizationService : IOrganizationService
return result;
}
+ ///
+ /// Private helper method to create a new organization.
+ /// This is common code used by both the cloud and self-hosted methods.
+ ///
private async Task> SignUpAsync(Organization organization,
Guid ownerId, string ownerKey, string collectionName, bool withPayment)
{
@@ -829,6 +848,7 @@ public class OrganizationService : IOrganizationService
{
var inviteTypes = new HashSet(invites.Where(i => i.invite.Type.HasValue)
.Select(i => i.invite.Type.Value));
+
if (invitingUserId.HasValue && inviteTypes.Count > 0)
{
foreach (var (invite, _) in invites)
@@ -2008,7 +2028,11 @@ public class OrganizationService : IOrganizationService
throw new BadRequestException("Custom users can only grant the same custom permissions that they have.");
}
- if (FlexibleCollectionsIsEnabled && newType == OrganizationUserType.Manager && oldType is not OrganizationUserType.Manager)
+ // TODO: pass in the whole organization object when this is refactored into a command/query
+ // See AC-2036
+ var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+ var flexibleCollectionsEnabled = organizationAbility?.FlexibleCollections ?? false;
+ if (flexibleCollectionsEnabled && newType == OrganizationUserType.Manager && oldType is not OrganizationUserType.Manager)
{
throw new BadRequestException("Manager role is deprecated after Flexible Collections.");
}
diff --git a/src/Core/Billing/Commands/IRemovePaymentMethodCommand.cs b/src/Core/Billing/Commands/IRemovePaymentMethodCommand.cs
new file mode 100644
index 0000000000..62bf0d0926
--- /dev/null
+++ b/src/Core/Billing/Commands/IRemovePaymentMethodCommand.cs
@@ -0,0 +1,8 @@
+using Bit.Core.AdminConsole.Entities;
+
+namespace Bit.Core.Billing.Commands;
+
+public interface IRemovePaymentMethodCommand
+{
+ Task RemovePaymentMethod(Organization organization);
+}
diff --git a/src/Core/Billing/Commands/Implementations/RemovePaymentMethodCommand.cs b/src/Core/Billing/Commands/Implementations/RemovePaymentMethodCommand.cs
new file mode 100644
index 0000000000..c5dbb6d927
--- /dev/null
+++ b/src/Core/Billing/Commands/Implementations/RemovePaymentMethodCommand.cs
@@ -0,0 +1,140 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Braintree;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.Billing.Commands.Implementations;
+
+public class RemovePaymentMethodCommand : IRemovePaymentMethodCommand
+{
+ private readonly IBraintreeGateway _braintreeGateway;
+ private readonly ILogger _logger;
+ private readonly IStripeAdapter _stripeAdapter;
+
+ public RemovePaymentMethodCommand(
+ IBraintreeGateway braintreeGateway,
+ ILogger logger,
+ IStripeAdapter stripeAdapter)
+ {
+ _braintreeGateway = braintreeGateway;
+ _logger = logger;
+ _stripeAdapter = stripeAdapter;
+ }
+
+ public async Task RemovePaymentMethod(Organization organization)
+ {
+ const string braintreeCustomerIdKey = "btCustomerId";
+
+ if (organization == null)
+ {
+ throw new ArgumentNullException(nameof(organization));
+ }
+
+ if (organization.Gateway is not GatewayType.Stripe || string.IsNullOrEmpty(organization.GatewayCustomerId))
+ {
+ throw ContactSupport();
+ }
+
+ var stripeCustomer = await _stripeAdapter.CustomerGetAsync(organization.GatewayCustomerId, new Stripe.CustomerGetOptions
+ {
+ Expand = new List { "invoice_settings.default_payment_method", "sources" }
+ });
+
+ if (stripeCustomer == null)
+ {
+ _logger.LogError("Could not find Stripe customer ({ID}) when removing payment method", organization.GatewayCustomerId);
+
+ throw ContactSupport();
+ }
+
+ if (stripeCustomer.Metadata?.TryGetValue(braintreeCustomerIdKey, out var braintreeCustomerId) ?? false)
+ {
+ await RemoveBraintreePaymentMethodAsync(braintreeCustomerId);
+ }
+ else
+ {
+ await RemoveStripePaymentMethodsAsync(stripeCustomer);
+ }
+ }
+
+ private async Task RemoveBraintreePaymentMethodAsync(string braintreeCustomerId)
+ {
+ var customer = await _braintreeGateway.Customer.FindAsync(braintreeCustomerId);
+
+ if (customer == null)
+ {
+ _logger.LogError("Failed to retrieve Braintree customer ({ID}) when removing payment method", braintreeCustomerId);
+
+ throw ContactSupport();
+ }
+
+ if (customer.DefaultPaymentMethod != null)
+ {
+ var existingDefaultPaymentMethod = customer.DefaultPaymentMethod;
+
+ var updateCustomerResult = await _braintreeGateway.Customer.UpdateAsync(
+ braintreeCustomerId,
+ new CustomerRequest { DefaultPaymentMethodToken = null });
+
+ if (!updateCustomerResult.IsSuccess())
+ {
+ _logger.LogError("Failed to update payment method for Braintree customer ({ID}) | Message: {Message}",
+ braintreeCustomerId, updateCustomerResult.Message);
+
+ throw ContactSupport();
+ }
+
+ var deletePaymentMethodResult = await _braintreeGateway.PaymentMethod.DeleteAsync(existingDefaultPaymentMethod.Token);
+
+ if (!deletePaymentMethodResult.IsSuccess())
+ {
+ await _braintreeGateway.Customer.UpdateAsync(
+ braintreeCustomerId,
+ new CustomerRequest { DefaultPaymentMethodToken = existingDefaultPaymentMethod.Token });
+
+ _logger.LogError(
+ "Failed to delete Braintree payment method for Customer ({ID}), re-linked payment method. Message: {Message}",
+ braintreeCustomerId, deletePaymentMethodResult.Message);
+
+ throw ContactSupport();
+ }
+ }
+ else
+ {
+ _logger.LogWarning("Tried to remove non-existent Braintree payment method for Customer ({ID})", braintreeCustomerId);
+ }
+ }
+
+ private async Task RemoveStripePaymentMethodsAsync(Stripe.Customer customer)
+ {
+ if (customer.Sources != null && customer.Sources.Any())
+ {
+ foreach (var source in customer.Sources)
+ {
+ switch (source)
+ {
+ case Stripe.BankAccount:
+ await _stripeAdapter.BankAccountDeleteAsync(customer.Id, source.Id);
+ break;
+ case Stripe.Card:
+ await _stripeAdapter.CardDeleteAsync(customer.Id, source.Id);
+ break;
+ }
+ }
+ }
+
+ var paymentMethods = _stripeAdapter.PaymentMethodListAutoPagingAsync(new Stripe.PaymentMethodListOptions
+ {
+ Customer = customer.Id
+ });
+
+ await foreach (var paymentMethod in paymentMethods)
+ {
+ await _stripeAdapter.PaymentMethodDetachAsync(paymentMethod.Id, new Stripe.PaymentMethodDetachOptions());
+ }
+ }
+
+ private static GatewayException ContactSupport() => new("Could not remove your payment method. Please contact support for assistance.");
+}
diff --git a/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..37857cf3ce
--- /dev/null
+++ b/src/Core/Billing/Extensions/ServiceCollectionExtensions.cs
@@ -0,0 +1,14 @@
+using Bit.Core.Billing.Commands;
+using Bit.Core.Billing.Commands.Implementations;
+
+namespace Bit.Core.Billing.Extensions;
+
+using Microsoft.Extensions.DependencyInjection;
+
+public static class ServiceCollectionExtensions
+{
+ public static void AddBillingCommands(this IServiceCollection services)
+ {
+ services.AddSingleton();
+ }
+}
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index a71032ea23..3f5d618e6c 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -96,12 +96,17 @@ public static class FeatureFlagKeys
public const string VaultOnboarding = "vault-onboarding";
public const string AutofillV2 = "autofill-v2";
public const string BrowserFilelessImport = "browser-fileless-import";
- public const string FlexibleCollections = "flexible-collections";
+ ///
+ /// Deprecated - never used, do not use. Will always default to false. Will be deleted as part of Flexible Collections cleanup
+ ///
+ public const string FlexibleCollections = "flexible-collections-disabled-do-not-use";
public const string FlexibleCollectionsV1 = "flexible-collections-v-1"; // v-1 is intentional
public const string BulkCollectionAccess = "bulk-collection-access";
public const string AutofillOverlay = "autofill-overlay";
public const string ItemShare = "item-share";
public const string KeyRotationImprovements = "key-rotation-improvements";
+ public const string FlexibleCollectionsMigration = "flexible-collections-migration";
+ public const string FlexibleCollectionsSignup = "flexible-collections-signup";
public static List GetAllKeys()
{
diff --git a/src/Core/Context/CurrentContext.cs b/src/Core/Context/CurrentContext.cs
index b346c20f3e..129e90e39d 100644
--- a/src/Core/Context/CurrentContext.cs
+++ b/src/Core/Context/CurrentContext.cs
@@ -5,7 +5,6 @@ using Bit.Core.AdminConsole.Models.Data.Provider;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Entities;
using Bit.Core.Enums;
-using Bit.Core.Exceptions;
using Bit.Core.Identity;
using Bit.Core.Models.Data;
using Bit.Core.Repositories;
@@ -26,8 +25,6 @@ public class CurrentContext : ICurrentContext
private IEnumerable _providerOrganizationProviderDetails;
private IEnumerable _providerUserOrganizations;
- private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, this);
-
public virtual HttpContext HttpContext { get; set; }
public virtual Guid? UserId { get; set; }
public virtual User User { get; set; }
@@ -283,11 +280,6 @@ public class CurrentContext : ICurrentContext
public async Task OrganizationManager(Guid orgId)
{
- if (FlexibleCollectionsIsEnabled)
- {
- throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
- }
-
return await OrganizationAdmin(orgId) ||
(Organizations?.Any(o => o.Id == orgId && o.Type == OrganizationUserType.Manager) ?? false);
}
@@ -350,22 +342,12 @@ public class CurrentContext : ICurrentContext
public async Task EditAssignedCollections(Guid orgId)
{
- if (FlexibleCollectionsIsEnabled)
- {
- throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
- }
-
return await OrganizationManager(orgId) || (Organizations?.Any(o => o.Id == orgId
&& (o.Permissions?.EditAssignedCollections ?? false)) ?? false);
}
public async Task DeleteAssignedCollections(Guid orgId)
{
- if (FlexibleCollectionsIsEnabled)
- {
- throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
- }
-
return await OrganizationManager(orgId) || (Organizations?.Any(o => o.Id == orgId
&& (o.Permissions?.DeleteAssignedCollections ?? false)) ?? false);
}
@@ -378,11 +360,6 @@ public class CurrentContext : ICurrentContext
* This entire method will be moved to the CollectionAuthorizationHandler in the future
*/
- if (FlexibleCollectionsIsEnabled)
- {
- throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
- }
-
var org = GetOrganization(orgId);
return await EditAssignedCollections(orgId)
|| await DeleteAssignedCollections(orgId)
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 9b664a788d..6752cca078 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -52,7 +52,7 @@
-
+
diff --git a/src/Core/MailTemplates/Handlebars/Provider/ProviderUpdatePaymentMethod.html.hbs b/src/Core/MailTemplates/Handlebars/Provider/ProviderUpdatePaymentMethod.html.hbs
new file mode 100644
index 0000000000..7b666cdd9a
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/Provider/ProviderUpdatePaymentMethod.html.hbs
@@ -0,0 +1,27 @@
+{{#>FullHtmlLayout}}
+
+
+ |
+ Your organization, {{OrganizationName}}, is no longer managed by {{ProviderName}}. Please update your billing information.
+ |
+
+
+ |
+ To maintain your subscription, update your organization billing information by navigating to the web vault -> Organization -> Billing -> Payment Method.
+ |
+
+
+ |
+ For more information, please refer to the following help article: Update billing information for organizations
+ |
+
+
+
+
+ Add payment method
+
+
+ |
+
+
+{{/FullHtmlLayout}}
diff --git a/src/Core/MailTemplates/Handlebars/Provider/ProviderUpdatePaymentMethod.text.hbs b/src/Core/MailTemplates/Handlebars/Provider/ProviderUpdatePaymentMethod.text.hbs
new file mode 100644
index 0000000000..56a857a6e4
--- /dev/null
+++ b/src/Core/MailTemplates/Handlebars/Provider/ProviderUpdatePaymentMethod.text.hbs
@@ -0,0 +1,7 @@
+{{#>BasicTextLayout}}
+ Your organization, {{OrganizationName}}, is no longer managed by {{ProviderName}}. Please update your billing information.
+
+ To maintain your subscription, update your organization billing information by navigating to the web vault -> Organization -> Billing -> Payment Method.
+
+ Or click the following link: {{{link PaymentMethodUrl}}}
+{{/BasicTextLayout}}
diff --git a/src/Core/Models/Mail/Provider/ProviderUpdatePaymentMethodViewModel.cs b/src/Core/Models/Mail/Provider/ProviderUpdatePaymentMethodViewModel.cs
new file mode 100644
index 0000000000..114aaa7c95
--- /dev/null
+++ b/src/Core/Models/Mail/Provider/ProviderUpdatePaymentMethodViewModel.cs
@@ -0,0 +1,11 @@
+namespace Bit.Core.Models.Mail.Provider;
+
+public class ProviderUpdatePaymentMethodViewModel : BaseMailModel
+{
+ public string OrganizationId { get; set; }
+ public string OrganizationName { get; set; }
+ public string ProviderName { get; set; }
+
+ public string PaymentMethodUrl =>
+ $"{WebVaultUrl}/organizations/{OrganizationId}/billing/payment-method";
+}
diff --git a/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs b/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs
index ac2e1b1012..62c46460aa 100644
--- a/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationLicenses/UpdateOrganizationLicenseCommand.cs
@@ -2,7 +2,6 @@
using System.Text.Json;
using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Context;
using Bit.Core.Exceptions;
using Bit.Core.Models.Business;
using Bit.Core.Models.Data.Organizations;
@@ -18,21 +17,15 @@ public class UpdateOrganizationLicenseCommand : IUpdateOrganizationLicenseComman
private readonly ILicensingService _licensingService;
private readonly IGlobalSettings _globalSettings;
private readonly IOrganizationService _organizationService;
- private readonly IFeatureService _featureService;
- private readonly ICurrentContext _currentContext;
public UpdateOrganizationLicenseCommand(
ILicensingService licensingService,
IGlobalSettings globalSettings,
- IOrganizationService organizationService,
- IFeatureService featureService,
- ICurrentContext currentContext)
+ IOrganizationService organizationService)
{
_licensingService = licensingService;
_globalSettings = globalSettings;
_organizationService = organizationService;
- _featureService = featureService;
- _currentContext = currentContext;
}
public async Task UpdateLicenseAsync(SelfHostedOrganizationDetails selfHostedOrganization,
@@ -65,10 +58,8 @@ public class UpdateOrganizationLicenseCommand : IUpdateOrganizationLicenseComman
private async Task UpdateOrganizationAsync(SelfHostedOrganizationDetails selfHostedOrganizationDetails, OrganizationLicense license)
{
- var flexibleCollectionsMvpIsEnabled = _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
- var flexibleCollectionsV1IsEnabled = _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext);
var organization = selfHostedOrganizationDetails.ToOrganization();
- organization.UpdateFromLicense(license, flexibleCollectionsMvpIsEnabled, flexibleCollectionsV1IsEnabled);
+ organization.UpdateFromLicense(license);
await _organizationService.ReplaceAndUpdateCacheAsync(organization);
}
diff --git a/src/Core/Services/IApplicationCacheService.cs b/src/Core/Services/IApplicationCacheService.cs
index 9c9b8ca550..ee47cf29fd 100644
--- a/src/Core/Services/IApplicationCacheService.cs
+++ b/src/Core/Services/IApplicationCacheService.cs
@@ -8,6 +8,9 @@ namespace Bit.Core.Services;
public interface IApplicationCacheService
{
Task> GetOrganizationAbilitiesAsync();
+#nullable enable
+ Task GetOrganizationAbilityAsync(Guid orgId);
+#nullable disable
Task> GetProviderAbilitiesAsync();
Task UpsertOrganizationAbilityAsync(Organization organization);
Task UpsertProviderAbilityAsync(Provider provider);
diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs
index c2d81d6edb..93c6fd6e33 100644
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@@ -60,6 +60,11 @@ public interface IMailService
Task SendProviderInviteEmailAsync(string providerName, ProviderUser providerUser, string token, string email);
Task SendProviderConfirmedEmailAsync(string providerName, string email);
Task SendProviderUserRemoved(string providerName, string email);
+ Task SendProviderUpdatePaymentMethod(
+ Guid organizationId,
+ string organizationName,
+ string providerName,
+ IEnumerable emails);
Task SendUpdatedTempPasswordEmailAsync(string email, string userName);
Task SendFamiliesForEnterpriseOfferEmailAsync(string sponsorOrgName, string email, bool existingAccount, string token);
Task BulkSendFamiliesForEnterpriseOfferEmailAsync(string SponsorOrgName, IEnumerable<(string Email, bool ExistingAccount, string Token)> invites);
diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
index a66d227d3e..70cc88c206 100644
--- a/src/Core/Services/IPaymentService.cs
+++ b/src/Core/Services/IPaymentService.cs
@@ -49,4 +49,5 @@ public interface IPaymentService
Task ArchiveTaxRateAsync(TaxRate taxRate);
Task AddSecretsManagerToSubscription(Organization org, Plan plan, int additionalSmSeats,
int additionalServiceAccount, DateTime? prorationDate = null);
+ Task RisksSubscriptionFailure(Organization organization);
}
diff --git a/src/Core/Services/IStripeAdapter.cs b/src/Core/Services/IStripeAdapter.cs
index 60d14ffad8..073d5cdacd 100644
--- a/src/Core/Services/IStripeAdapter.cs
+++ b/src/Core/Services/IStripeAdapter.cs
@@ -23,6 +23,7 @@ public interface IStripeAdapter
Task InvoiceDeleteAsync(string id, Stripe.InvoiceDeleteOptions options = null);
Task InvoiceVoidInvoiceAsync(string id, Stripe.InvoiceVoidOptions options = null);
IEnumerable PaymentMethodListAutoPaging(Stripe.PaymentMethodListOptions options);
+ IAsyncEnumerable PaymentMethodListAutoPagingAsync(Stripe.PaymentMethodListOptions options);
Task PaymentMethodAttachAsync(string id, Stripe.PaymentMethodAttachOptions options = null);
Task PaymentMethodDetachAsync(string id, Stripe.PaymentMethodDetachOptions options = null);
Task TaxRateCreateAsync(Stripe.TaxRateCreateOptions options);
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 8805e3af56..90b273bed2 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -754,6 +754,30 @@ public class HandlebarsMailService : IMailService
await _mailDeliveryService.SendEmailAsync(message);
}
+ public async Task SendProviderUpdatePaymentMethod(
+ Guid organizationId,
+ string organizationName,
+ string providerName,
+ IEnumerable emails)
+ {
+ var message = CreateDefaultMessage("Update your billing information", emails);
+
+ var model = new ProviderUpdatePaymentMethodViewModel
+ {
+ OrganizationId = organizationId.ToString(),
+ OrganizationName = CoreHelpers.SanitizeForEmail(organizationName),
+ ProviderName = CoreHelpers.SanitizeForEmail(providerName),
+ SiteName = _globalSettings.SiteName,
+ WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash
+ };
+
+ await AddMessageContentAsync(message, "Provider.ProviderUpdatePaymentMethod", model);
+
+ message.Category = "ProviderUpdatePaymentMethod";
+
+ await _mailDeliveryService.SendEmailAsync(message);
+ }
+
public async Task SendUpdatedTempPasswordEmailAsync(string email, string userName)
{
var message = CreateDefaultMessage("Master Password Has Been Changed", email);
diff --git a/src/Core/Services/Implementations/InMemoryApplicationCacheService.cs b/src/Core/Services/Implementations/InMemoryApplicationCacheService.cs
index 63db4a88b6..256a9a08a4 100644
--- a/src/Core/Services/Implementations/InMemoryApplicationCacheService.cs
+++ b/src/Core/Services/Implementations/InMemoryApplicationCacheService.cs
@@ -30,6 +30,15 @@ public class InMemoryApplicationCacheService : IApplicationCacheService
return _orgAbilities;
}
+#nullable enable
+ public async Task GetOrganizationAbilityAsync(Guid organizationId)
+ {
+ (await GetOrganizationAbilitiesAsync())
+ .TryGetValue(organizationId, out var organizationAbility);
+ return organizationAbility;
+ }
+#nullable disable
+
public virtual async Task> GetProviderAbilitiesAsync()
{
await InitProviderAbilitiesAsync();
diff --git a/src/Core/Services/Implementations/StripeAdapter.cs b/src/Core/Services/Implementations/StripeAdapter.cs
index 747510d052..ef8d13aea8 100644
--- a/src/Core/Services/Implementations/StripeAdapter.cs
+++ b/src/Core/Services/Implementations/StripeAdapter.cs
@@ -138,6 +138,9 @@ public class StripeAdapter : IStripeAdapter
return _paymentMethodService.ListAutoPaging(options);
}
+ public IAsyncEnumerable PaymentMethodListAutoPagingAsync(Stripe.PaymentMethodListOptions options)
+ => _paymentMethodService.ListAutoPagingAsync(options);
+
public Task PaymentMethodAttachAsync(string id, Stripe.PaymentMethodAttachOptions options = null)
{
return _paymentMethodService.AttachAsync(id, options);
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 8eae90ea2c..1aeda88076 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1614,6 +1614,23 @@ public class StripePaymentService : IPaymentService
return await FinalizeSubscriptionChangeAsync(org, new SecretsManagerSubscribeUpdate(org, plan, additionalSmSeats, additionalServiceAccount), prorationDate);
}
+ public async Task RisksSubscriptionFailure(Organization organization)
+ {
+ var subscriptionInfo = await GetSubscriptionAsync(organization);
+
+ if (subscriptionInfo.Subscription is not { Status: "active" or "trialing" or "past_due" } ||
+ subscriptionInfo.UpcomingInvoice == null)
+ {
+ return false;
+ }
+
+ var customer = await GetCustomerAsync(organization.GatewayCustomerId);
+
+ var paymentSource = await GetBillingPaymentSourceAsync(customer);
+
+ return paymentSource == null;
+ }
+
private Stripe.PaymentMethod GetLatestCardPaymentMethod(string customerId)
{
var cardPaymentMethods = _stripeAdapter.PaymentMethodListAutoPaging(
diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs
index 92e548e0d5..81419b1864 100644
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@@ -197,6 +197,9 @@ public class NoopMailService : IMailService
return Task.FromResult(0);
}
+ public Task SendProviderUpdatePaymentMethod(Guid organizationId, string organizationName, string providerName,
+ IEnumerable emails) => Task.FromResult(0);
+
public Task SendUpdatedTempPasswordEmailAsync(string email, string userName)
{
return Task.FromResult(0);
diff --git a/src/Core/Vault/Services/Implementations/CipherService.cs b/src/Core/Vault/Services/Implementations/CipherService.cs
index 5517be1689..665f99aadf 100644
--- a/src/Core/Vault/Services/Implementations/CipherService.cs
+++ b/src/Core/Vault/Services/Implementations/CipherService.cs
@@ -788,7 +788,7 @@ public class CipherService : ICipherService
{
collection.SetNewId();
newCollections.Add(collection);
- if (UseFlexibleCollections)
+ if (org.FlexibleCollections)
{
newCollectionUsers.Add(new CollectionUser
{
diff --git a/src/Events/Controllers/CollectController.cs b/src/Events/Controllers/CollectController.cs
index 7c7962309c..144c248e46 100644
--- a/src/Events/Controllers/CollectController.cs
+++ b/src/Events/Controllers/CollectController.cs
@@ -35,8 +35,6 @@ public class CollectController : Controller
_featureService = featureService;
}
- bool UseFlexibleCollections => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
[HttpPost]
public async Task Post([FromBody] IEnumerable model)
{
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
index 467fb8f8a8..f4c771adec 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
@@ -7,14 +7,21 @@ using Bit.Core.Repositories;
using Bit.Core.Settings;
using Dapper;
using Microsoft.Data.SqlClient;
+using Microsoft.Extensions.Logging;
namespace Bit.Infrastructure.Dapper.Repositories;
public class OrganizationRepository : Repository, IOrganizationRepository
{
- public OrganizationRepository(GlobalSettings globalSettings)
+ private readonly ILogger _logger;
+
+ public OrganizationRepository(
+ GlobalSettings globalSettings,
+ ILogger logger)
: this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
- { }
+ {
+ _logger = logger;
+ }
public OrganizationRepository(string connectionString, string readOnlyConnectionString)
: base(connectionString, readOnlyConnectionString)
@@ -153,6 +160,8 @@ public class OrganizationRepository : Repository, IOrganizat
public async Task> GetOwnerEmailAddressesById(Guid organizationId)
{
+ _logger.LogInformation("AC-1758: Executing GetOwnerEmailAddressesById (Dapper)");
+
await using var connection = new SqlConnection(ConnectionString);
return await connection.QueryAsync(
diff --git a/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj b/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
index d8a57b3303..6c7ad57d19 100644
--- a/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
+++ b/src/Infrastructure.Dapper/Infrastructure.Dapper.csproj
@@ -5,7 +5,7 @@
-
+
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
index 6ad8cfbb4e..acc36c9449 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@@ -5,15 +5,23 @@ using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
using Organization = Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization;
namespace Bit.Infrastructure.EntityFramework.Repositories;
public class OrganizationRepository : Repository, IOrganizationRepository
{
- public OrganizationRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
- : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.Organizations)
- { }
+ private readonly ILogger _logger;
+
+ public OrganizationRepository(
+ IServiceScopeFactory serviceScopeFactory,
+ IMapper mapper,
+ ILogger logger)
+ : base(serviceScopeFactory, mapper, context => context.Organizations)
+ {
+ _logger = logger;
+ }
public async Task GetByIdentifierAsync(string identifier)
{
@@ -240,6 +248,8 @@ public class OrganizationRepository : Repository> GetOwnerEmailAddressesById(Guid organizationId)
{
+ _logger.LogInformation("AC-1758: Executing GetOwnerEmailAddressesById (Entity Framework)");
+
using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
diff --git a/src/Infrastructure.EntityFramework/Auth/Configurations/GrantEntityTypeConfiguration.cs b/src/Infrastructure.EntityFramework/Auth/Configurations/GrantEntityTypeConfiguration.cs
index 599be37a84..77d8d1eb9f 100644
--- a/src/Infrastructure.EntityFramework/Auth/Configurations/GrantEntityTypeConfiguration.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Configurations/GrantEntityTypeConfiguration.cs
@@ -10,6 +10,7 @@ public class GrantEntityTypeConfiguration : IEntityTypeConfiguration
{
builder
.HasKey(s => s.Id)
+ .HasName("PK_Grant")
.IsClustered();
builder
diff --git a/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj b/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj
index 51e7d935db..0a5cdaed5b 100644
--- a/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj
+++ b/src/Infrastructure.EntityFramework/Infrastructure.EntityFramework.csproj
@@ -3,9 +3,9 @@
-
-
-
+
+
+
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
index fd24c47af2..0e4ae48877 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -37,7 +37,6 @@ public class OrganizationsControllerTests : IDisposable
private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly IPaymentService _paymentService;
private readonly IPolicyRepository _policyRepository;
- private readonly IProviderRepository _providerRepository;
private readonly ISsoConfigRepository _ssoConfigRepository;
private readonly ISsoConfigService _ssoConfigService;
private readonly IUserService _userService;
@@ -46,7 +45,6 @@ public class OrganizationsControllerTests : IDisposable
private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
private readonly ICloudGetOrganizationLicenseQuery _cloudGetOrganizationLicenseQuery;
private readonly ICreateOrganizationApiKeyCommand _createOrganizationApiKeyCommand;
- private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
private readonly IFeatureService _featureService;
private readonly ILicensingService _licensingService;
private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
@@ -64,7 +62,6 @@ public class OrganizationsControllerTests : IDisposable
_organizationUserRepository = Substitute.For();
_paymentService = Substitute.For();
_policyRepository = Substitute.For();
- _providerRepository = Substitute.For();
_ssoConfigRepository = Substitute.For();
_ssoConfigService = Substitute.For();
_getOrganizationApiKeyQuery = Substitute.For();
@@ -73,19 +70,33 @@ public class OrganizationsControllerTests : IDisposable
_userService = Substitute.For();
_cloudGetOrganizationLicenseQuery = Substitute.For();
_createOrganizationApiKeyCommand = Substitute.For();
- _updateOrganizationLicenseCommand = Substitute.For();
_featureService = Substitute.For();
_licensingService = Substitute.For();
_updateSecretsManagerSubscriptionCommand = Substitute.For();
_upgradeOrganizationPlanCommand = Substitute.For();
_addSecretsManagerSubscriptionCommand = Substitute.For();
- _sut = new OrganizationsController(_organizationRepository, _organizationUserRepository,
- _policyRepository, _providerRepository, _organizationService, _userService, _paymentService, _currentContext,
- _ssoConfigRepository, _ssoConfigService, _getOrganizationApiKeyQuery, _rotateOrganizationApiKeyCommand,
- _createOrganizationApiKeyCommand, _organizationApiKeyRepository, _updateOrganizationLicenseCommand,
- _cloudGetOrganizationLicenseQuery, _featureService, _globalSettings, _licensingService,
- _updateSecretsManagerSubscriptionCommand, _upgradeOrganizationPlanCommand, _addSecretsManagerSubscriptionCommand);
+ _sut = new OrganizationsController(
+ _organizationRepository,
+ _organizationUserRepository,
+ _policyRepository,
+ _organizationService,
+ _userService,
+ _paymentService,
+ _currentContext,
+ _ssoConfigRepository,
+ _ssoConfigService,
+ _getOrganizationApiKeyQuery,
+ _rotateOrganizationApiKeyCommand,
+ _createOrganizationApiKeyCommand,
+ _organizationApiKeyRepository,
+ _cloudGetOrganizationLicenseQuery,
+ _featureService,
+ _globalSettings,
+ _licensingService,
+ _updateSecretsManagerSubscriptionCommand,
+ _upgradeOrganizationPlanCommand,
+ _addSecretsManagerSubscriptionCommand);
}
public void Dispose()
diff --git a/test/Api.Test/Controllers/CollectionsControllerTests.cs b/test/Api.Test/Controllers/CollectionsControllerTests.cs
index f8f3b890bb..6155ad0f77 100644
--- a/test/Api.Test/Controllers/CollectionsControllerTests.cs
+++ b/test/Api.Test/Controllers/CollectionsControllerTests.cs
@@ -2,16 +2,14 @@
using Bit.Api.Controllers;
using Bit.Api.Models.Request;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Core;
-using Bit.Core.AdminConsole.Entities;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
using Bit.Core.Repositories;
using Bit.Core.Services;
-using Bit.Core.Test.AutoFixture;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization;
@@ -22,16 +20,17 @@ namespace Bit.Api.Test.Controllers;
[ControllerCustomize(typeof(CollectionsController))]
[SutProviderCustomize]
-[FeatureServiceCustomize(FeatureFlagKeys.FlexibleCollections)]
public class CollectionsControllerTests
{
[Theory, BitAutoData]
- public async Task Post_Success(Guid orgId, CollectionRequestModel collectionRequest,
+ public async Task Post_Success(OrganizationAbility organizationAbility, CollectionRequestModel collectionRequest,
SutProvider sutProvider)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+
Collection ExpectedCollection() => Arg.Is(c =>
c.Name == collectionRequest.Name && c.ExternalId == collectionRequest.ExternalId &&
- c.OrganizationId == orgId);
+ c.OrganizationId == organizationAbility.Id);
sutProvider.GetDependency()
.AuthorizeAsync(Arg.Any(),
@@ -39,7 +38,7 @@ public class CollectionsControllerTests
Arg.Is>(r => r.Contains(BulkCollectionOperations.Create)))
.Returns(AuthorizationResult.Success());
- _ = await sutProvider.Sut.Post(orgId, collectionRequest);
+ _ = await sutProvider.Sut.Post(organizationAbility.Id, collectionRequest);
await sutProvider.GetDependency()
.Received(1)
@@ -49,8 +48,11 @@ public class CollectionsControllerTests
[Theory, BitAutoData]
public async Task Put_Success(Collection collection, CollectionRequestModel collectionRequest,
- SutProvider sutProvider)
+ SutProvider sutProvider, OrganizationAbility organizationAbility)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+ collection.OrganizationId = organizationAbility.Id;
+
Collection ExpectedCollection() => Arg.Is(c => c.Id == collection.Id &&
c.Name == collectionRequest.Name && c.ExternalId == collectionRequest.ExternalId &&
c.OrganizationId == collection.OrganizationId);
@@ -75,8 +77,11 @@ public class CollectionsControllerTests
[Theory, BitAutoData]
public async Task Put_WithNoCollectionPermission_ThrowsNotFound(Collection collection, CollectionRequestModel collectionRequest,
- SutProvider sutProvider)
+ SutProvider sutProvider, OrganizationAbility organizationAbility)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+ collection.OrganizationId = organizationAbility.Id;
+
sutProvider.GetDependency()
.AuthorizeAsync(Arg.Any(),
collection,
@@ -91,8 +96,11 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
- public async Task GetOrganizationCollectionsWithGroups_WithReadAllPermissions_GetsAllCollections(Organization organization, Guid userId, SutProvider sutProvider)
+ public async Task GetOrganizationCollectionsWithGroups_WithReadAllPermissions_GetsAllCollections(OrganizationAbility organizationAbility,
+ Guid userId, SutProvider sutProvider)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+
sutProvider.GetDependency().UserId.Returns(userId);
sutProvider.GetDependency()
@@ -102,18 +110,20 @@ public class CollectionsControllerTests
Arg.Is>(requirements =>
requirements.Cast().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAllWithAccess)
- && operation.OrganizationId == organization.Id)))
+ && operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Success());
- await sutProvider.Sut.GetManyWithDetails(organization.Id);
+ await sutProvider.Sut.GetManyWithDetails(organizationAbility.Id);
- await sutProvider.GetDependency().Received(1).GetManyByUserIdWithAccessAsync(userId, organization.Id, Arg.Any());
- await sutProvider.GetDependency().Received(1).GetManyByOrganizationIdWithAccessAsync(organization.Id);
+ await sutProvider.GetDependency().Received(1).GetManyByUserIdWithAccessAsync(userId, organizationAbility.Id, Arg.Any());
+ await sutProvider.GetDependency().Received(1).GetManyByOrganizationIdWithAccessAsync(organizationAbility.Id);
}
[Theory, BitAutoData]
- public async Task GetOrganizationCollectionsWithGroups_MissingReadAllPermissions_GetsAssignedCollections(Organization organization, Guid userId, SutProvider sutProvider)
+ public async Task GetOrganizationCollectionsWithGroups_MissingReadAllPermissions_GetsAssignedCollections(
+ OrganizationAbility organizationAbility, Guid userId, SutProvider sutProvider)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
sutProvider.GetDependency().UserId.Returns(userId);
sutProvider.GetDependency()
@@ -123,7 +133,7 @@ public class CollectionsControllerTests
Arg.Is>(requirements =>
requirements.Cast().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAllWithAccess)
- && operation.OrganizationId == organization.Id)))
+ && operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Failed());
sutProvider.GetDependency()
@@ -135,15 +145,19 @@ public class CollectionsControllerTests
operation.Name == nameof(BulkCollectionOperations.ReadWithAccess))))
.Returns(AuthorizationResult.Success());
- await sutProvider.Sut.GetManyWithDetails(organization.Id);
+ await sutProvider.Sut.GetManyWithDetails(organizationAbility.Id);
- await sutProvider.GetDependency().Received(1).GetManyByUserIdWithAccessAsync(userId, organization.Id, Arg.Any());
- await sutProvider.GetDependency().DidNotReceive().GetManyByOrganizationIdWithAccessAsync(organization.Id);
+ await sutProvider.GetDependency().Received(1).GetManyByUserIdWithAccessAsync(userId, organizationAbility.Id, Arg.Any());
+ await sutProvider.GetDependency().DidNotReceive().GetManyByOrganizationIdWithAccessAsync(organizationAbility.Id);
}
[Theory, BitAutoData]
- public async Task GetOrganizationCollections_WithReadAllPermissions_GetsAllCollections(Organization organization, ICollection collections, Guid userId, SutProvider sutProvider)
+ public async Task GetOrganizationCollections_WithReadAllPermissions_GetsAllCollections(
+ OrganizationAbility organizationAbility, List collections, Guid userId, SutProvider sutProvider)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+ collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
+
sutProvider.GetDependency().UserId.Returns(userId);
sutProvider.GetDependency()
@@ -153,26 +167,30 @@ public class CollectionsControllerTests
Arg.Is>(requirements =>
requirements.Cast().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAll)
- && operation.OrganizationId == organization.Id)))
+ && operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Success());
sutProvider.GetDependency()
- .GetManyByOrganizationIdAsync(organization.Id)
+ .GetManyByOrganizationIdAsync(organizationAbility.Id)
.Returns(collections);
- var response = await sutProvider.Sut.Get(organization.Id);
+ var response = await sutProvider.Sut.Get(organizationAbility.Id);
- await sutProvider.GetDependency().Received(1).GetManyByOrganizationIdAsync(organization.Id);
+ await sutProvider.GetDependency().Received(1).GetManyByOrganizationIdAsync(organizationAbility.Id);
Assert.Equal(collections.Count, response.Data.Count());
}
[Theory, BitAutoData]
- public async Task GetOrganizationCollections_MissingReadAllPermissions_GetsManageableCollections(Organization organization, ICollection collections, Guid userId, SutProvider sutProvider)
+ public async Task GetOrganizationCollections_MissingReadAllPermissions_GetsManageableCollections(
+ OrganizationAbility organizationAbility, List collections, Guid userId, SutProvider sutProvider)
{
- collections.First().OrganizationId = organization.Id;
- collections.First().Manage = true;
- collections.Skip(1).First().OrganizationId = organization.Id;
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+ collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
+ collections.ForEach(c => c.Manage = false);
+
+ var managedCollection = collections.First();
+ managedCollection.Manage = true;
sutProvider.GetDependency().UserId.Returns(userId);
@@ -183,7 +201,7 @@ public class CollectionsControllerTests
Arg.Is>(requirements =>
requirements.Cast().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAll)
- && operation.OrganizationId == organization.Id)))
+ && operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Failed());
sutProvider.GetDependency()
@@ -196,22 +214,27 @@ public class CollectionsControllerTests
.Returns(AuthorizationResult.Success());
sutProvider.GetDependency()
- .GetManyByUserIdAsync(userId, true)
+ .GetManyByUserIdAsync(userId, false)
.Returns(collections);
- var result = await sutProvider.Sut.Get(organization.Id);
+ var result = await sutProvider.Sut.Get(organizationAbility.Id);
- await sutProvider.GetDependency().DidNotReceive().GetManyByOrganizationIdAsync(organization.Id);
- await sutProvider.GetDependency().Received(1).GetManyByUserIdAsync(userId, true);
+ await sutProvider.GetDependency().DidNotReceive().GetManyByOrganizationIdAsync(organizationAbility.Id);
+ await sutProvider.GetDependency().Received(1).GetManyByUserIdAsync(userId, false);
Assert.Single(result.Data);
- Assert.All(result.Data, c => Assert.Equal(organization.Id, c.OrganizationId));
+ Assert.All(result.Data, c => Assert.Equal(organizationAbility.Id, c.OrganizationId));
+ Assert.All(result.Data, c => Assert.Equal(managedCollection.Id, c.Id));
}
[Theory, BitAutoData]
- public async Task DeleteMany_Success(Guid orgId, Collection collection1, Collection collection2, SutProvider sutProvider)
+ public async Task DeleteMany_Success(OrganizationAbility organizationAbility, Collection collection1, Collection collection2,
+ SutProvider sutProvider)
{
// Arrange
+ var orgId = organizationAbility.Id;
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+
var model = new CollectionBulkDeleteRequestModel
{
Ids = new[] { collection1.Id, collection2.Id }
@@ -251,9 +274,13 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
- public async Task DeleteMany_PermissionDenied_ThrowsNotFound(Guid orgId, Collection collection1, Collection collection2, SutProvider sutProvider)
+ public async Task DeleteMany_PermissionDenied_ThrowsNotFound(OrganizationAbility organizationAbility, Collection collection1,
+ Collection collection2, SutProvider sutProvider)
{
// Arrange
+ var orgId = organizationAbility.Id;
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+
var model = new CollectionBulkDeleteRequestModel
{
Ids = new[] { collection1.Id, collection2.Id }
@@ -292,9 +319,13 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
- public async Task PostBulkCollectionAccess_Success(User actingUser, ICollection collections, SutProvider sutProvider)
+ public async Task PostBulkCollectionAccess_Success(User actingUser, List collections,
+ OrganizationAbility organizationAbility, SutProvider sutProvider)
{
// Arrange
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+ collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
+
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
@@ -321,7 +352,7 @@ public class CollectionsControllerTests
IEnumerable ExpectedCollectionAccess() => Arg.Is>(cols => cols.SequenceEqual(collections));
// Act
- await sutProvider.Sut.PostBulkCollectionAccess(model);
+ await sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model);
// Assert
await sutProvider.GetDependency().Received().AuthorizeAsync(
@@ -338,8 +369,13 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
- public async Task PostBulkCollectionAccess_CollectionsNotFound_Throws(User actingUser, ICollection collections, SutProvider sutProvider)
+ public async Task PostBulkCollectionAccess_CollectionsNotFound_Throws(User actingUser,
+ OrganizationAbility organizationAbility, List collections,
+ SutProvider sutProvider)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+ collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
+
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
@@ -356,7 +392,8 @@ public class CollectionsControllerTests
.GetManyByManyIdsAsync(model.CollectionIds)
.Returns(collections.Skip(1).ToList());
- var exception = await Assert.ThrowsAsync(() => sutProvider.Sut.PostBulkCollectionAccess(model));
+ var exception = await Assert.ThrowsAsync(
+ () => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
Assert.Equal("One or more collections not found.", exception.Message);
await sutProvider.GetDependency().DidNotReceiveWithAnyArgs().AuthorizeAsync(
@@ -369,8 +406,81 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
- public async Task PostBulkCollectionAccess_AccessDenied_Throws(User actingUser, ICollection collections, SutProvider sutProvider)
+ public async Task PostBulkCollectionAccess_CollectionsBelongToDifferentOrganizations_Throws(User actingUser,
+ OrganizationAbility organizationAbility, List collections,
+ SutProvider sutProvider)
{
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+
+ // First collection has a different orgId
+ collections.Skip(1).ToList().ForEach(c => c.OrganizationId = organizationAbility.Id);
+
+ var userId = Guid.NewGuid();
+ var groupId = Guid.NewGuid();
+ var model = new BulkCollectionAccessRequestModel
+ {
+ CollectionIds = collections.Select(c => c.Id),
+ Users = new[] { new SelectionReadOnlyRequestModel { Id = userId, Manage = true } },
+ Groups = new[] { new SelectionReadOnlyRequestModel { Id = groupId, ReadOnly = true } },
+ };
+
+ sutProvider.GetDependency()
+ .UserId.Returns(actingUser.Id);
+
+ sutProvider.GetDependency()
+ .GetManyByManyIdsAsync(model.CollectionIds)
+ .Returns(collections);
+
+ var exception = await Assert.ThrowsAsync(
+ () => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
+
+ Assert.Equal("One or more collections not found.", exception.Message);
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs().AuthorizeAsync(
+ Arg.Any(),
+ Arg.Any>(),
+ Arg.Any>()
+ );
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
+ .AddAccessAsync(default, default, default);
+ }
+
+ [Theory, BitAutoData]
+ public async Task PostBulkCollectionAccess_FlexibleCollectionsDisabled_Throws(OrganizationAbility organizationAbility, List collections,
+ SutProvider sutProvider)
+ {
+ organizationAbility.FlexibleCollections = false;
+ sutProvider.GetDependency().GetOrganizationAbilityAsync(organizationAbility.Id)
+ .Returns(organizationAbility);
+
+ var userId = Guid.NewGuid();
+ var groupId = Guid.NewGuid();
+ var model = new BulkCollectionAccessRequestModel
+ {
+ CollectionIds = collections.Select(c => c.Id),
+ Users = new[] { new SelectionReadOnlyRequestModel { Id = userId, Manage = true } },
+ Groups = new[] { new SelectionReadOnlyRequestModel { Id = groupId, ReadOnly = true } },
+ };
+
+ var exception = await Assert.ThrowsAsync(
+ () => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
+
+ Assert.Equal("Feature disabled.", exception.Message);
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs().AuthorizeAsync(
+ Arg.Any(),
+ Arg.Any>(),
+ Arg.Any>()
+ );
+ await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
+ .AddAccessAsync(default, default, default);
+ }
+
+ [Theory, BitAutoData]
+ public async Task PostBulkCollectionAccess_AccessDenied_Throws(User actingUser, List collections,
+ OrganizationAbility organizationAbility, SutProvider sutProvider)
+ {
+ ArrangeOrganizationAbility(sutProvider, organizationAbility);
+ collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
+
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
@@ -396,7 +506,7 @@ public class CollectionsControllerTests
IEnumerable ExpectedCollectionAccess() => Arg.Is>(cols => cols.SequenceEqual(collections));
- await Assert.ThrowsAsync(() => sutProvider.Sut.PostBulkCollectionAccess(model));
+ await Assert.ThrowsAsync(() => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
await sutProvider.GetDependency().Received().AuthorizeAsync(
Arg.Any(),
ExpectedCollectionAccess(),
@@ -406,4 +516,12 @@ public class CollectionsControllerTests
await sutProvider.GetDependency().DidNotReceiveWithAnyArgs()
.AddAccessAsync(default, default, default);
}
+
+ private void ArrangeOrganizationAbility(SutProvider sutProvider, OrganizationAbility organizationAbility)
+ {
+ organizationAbility.FlexibleCollections = true;
+
+ sutProvider.GetDependency().GetOrganizationAbilityAsync(organizationAbility.Id)
+ .Returns(organizationAbility);
+ }
}
diff --git a/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs b/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
index 092412a3fb..63406c00db 100644
--- a/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
@@ -1,6 +1,5 @@
using System.Security.Claims;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Core;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Enums;
@@ -9,7 +8,6 @@ using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories;
using Bit.Core.Services;
-using Bit.Core.Test.AutoFixture;
using Bit.Core.Test.Vault.AutoFixture;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
@@ -20,7 +18,6 @@ using Xunit;
namespace Bit.Api.Test.Vault.AuthorizationHandlers;
[SutProviderCustomize]
-[FeatureServiceCustomize(FeatureFlagKeys.FlexibleCollections)]
public class BulkCollectionAuthorizationHandlerTests
{
[Theory, CollectionCustomization]
@@ -35,7 +32,7 @@ public class BulkCollectionAuthorizationHandlerTests
organization.Type = userType;
organization.Permissions = new Permissions();
- var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+ ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext(
new[] { BulkCollectionOperations.Create },
@@ -44,7 +41,6 @@ public class BulkCollectionAuthorizationHandlerTests
sutProvider.GetDependency().UserId.Returns(userId);
sutProvider.GetDependency().GetOrganization(organization.Id).Returns(organization);
- sutProvider.GetDependency().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
await sutProvider.Sut.HandleAsync(context);
@@ -61,7 +57,7 @@ public class BulkCollectionAuthorizationHandlerTests
organization.Type = OrganizationUserType.User;
- var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, false);
+ ArrangeOrganizationAbility(sutProvider, organization, false);
var context = new AuthorizationHandlerContext(
new[] { BulkCollectionOperations.Create },
@@ -70,7 +66,6 @@ public class BulkCollectionAuthorizationHandlerTests
sutProvider.GetDependency().UserId.Returns(actingUserId);
sutProvider.GetDependency().GetOrganization(organization.Id).Returns(organization);
- sutProvider.GetDependency().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
await sutProvider.Sut.HandleAsync(context);
@@ -97,7 +92,7 @@ public class BulkCollectionAuthorizationHandlerTests
ManageUsers = false
};
- var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+ ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext(
new[] { BulkCollectionOperations.Create },
@@ -106,7 +101,6 @@ public class BulkCollectionAuthorizationHandlerTests
sutProvider.GetDependency().UserId.Returns(actingUserId);
sutProvider.GetDependency().GetOrganization(organization.Id).Returns(organization);
- sutProvider.GetDependency().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
sutProvider.GetDependency().ProviderUserForOrgAsync(Arg.Any()).Returns(false);
await sutProvider.Sut.HandleAsync(context);
@@ -117,10 +111,12 @@ public class BulkCollectionAuthorizationHandlerTests
[Theory, BitAutoData, CollectionCustomization]
public async Task CanCreateAsync_WhenMissingOrgAccess_NoSuccess(
Guid userId,
- ICollection collections,
+ CurrentContextOrganization organization,
+ List collections,
SutProvider sutProvider)
{
- var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(collections.First().OrganizationId, true);
+ collections.ForEach(c => c.OrganizationId = organization.Id);
+ ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext(
new[] { BulkCollectionOperations.Create },
@@ -130,7 +126,6 @@ public class BulkCollectionAuthorizationHandlerTests
sutProvider.GetDependency().UserId.Returns(userId);
sutProvider.GetDependency().GetOrganization(Arg.Any()).Returns((CurrentContextOrganization)null);
- sutProvider.GetDependency().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
sutProvider.GetDependency().ProviderUserForOrgAsync(Arg.Any()).Returns(false);
await sutProvider.Sut.HandleAsync(context);
@@ -747,7 +742,7 @@ public class BulkCollectionAuthorizationHandlerTests
organization.Type = userType;
organization.Permissions = new Permissions();
- var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+ ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext(
new[] { BulkCollectionOperations.Delete },
@@ -756,8 +751,6 @@ public class BulkCollectionAuthorizationHandlerTests
sutProvider.GetDependency().UserId.Returns(userId);
sutProvider.GetDependency().GetOrganization(organization.Id).Returns(organization);
- sutProvider.GetDependency().GetOrganizationAbilitiesAsync()
- .Returns(organizationAbilities);
await sutProvider.Sut.HandleAsync(context);
@@ -778,7 +771,7 @@ public class BulkCollectionAuthorizationHandlerTests
DeleteAnyCollection = true
};
- var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+ ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext(
new[] { BulkCollectionOperations.Delete },
@@ -787,8 +780,6 @@ public class BulkCollectionAuthorizationHandlerTests
sutProvider.GetDependency().UserId.Returns(actingUserId);
sutProvider.GetDependency().GetOrganization(organization.Id).Returns(organization);
- sutProvider.GetDependency().GetOrganizationAbilitiesAsync()
- .Returns(organizationAbilities);
await sutProvider.Sut.HandleAsync(context);
@@ -806,13 +797,11 @@ public class BulkCollectionAuthorizationHandlerTests
organization.Type = OrganizationUserType.User;
organization.Permissions = new Permissions();
- var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, false);
+ ArrangeOrganizationAbility(sutProvider, organization, false);
sutProvider.GetDependency().UserId.Returns(actingUserId);
sutProvider.GetDependency().GetOrganization(organization.Id).Returns(organization);
sutProvider.GetDependency().GetManyByUserIdAsync(actingUserId, Arg.Any()).Returns(collections);
- sutProvider.GetDependency