diff --git a/bitwarden-server.sln b/bitwarden-server.sln index e9aff53f8e..892d2f4255 100644 --- a/bitwarden-server.sln +++ b/bitwarden-server.sln @@ -127,6 +127,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Infrastructure.Dapper.Test" EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Events.IntegrationTest", "test\Events.IntegrationTest\Events.IntegrationTest.csproj", "{4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Core.IntegrationTest", "test\Core.IntegrationTest\Core.IntegrationTest.csproj", "{3631BA42-6731-4118-A917-DAA43C5032B9}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -319,6 +321,10 @@ Global {4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Debug|Any CPU.Build.0 = Debug|Any CPU {4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Release|Any CPU.ActiveCfg = Release|Any CPU {4F4C63A9-AEE2-48C4-AB86-A5BCD665E401}.Release|Any CPU.Build.0 = Release|Any CPU + {3631BA42-6731-4118-A917-DAA43C5032B9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {3631BA42-6731-4118-A917-DAA43C5032B9}.Debug|Any CPU.Build.0 = Debug|Any CPU + {3631BA42-6731-4118-A917-DAA43C5032B9}.Release|Any CPU.ActiveCfg = Release|Any CPU + {3631BA42-6731-4118-A917-DAA43C5032B9}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -370,6 +376,7 @@ Global {90D85D8F-5577-4570-A96E-5A2E185F0F6F} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F} {4A725DB3-BE4F-4C23-9087-82D0610D67AF} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F} {4F4C63A9-AEE2-48C4-AB86-A5BCD665E401} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F} + {3631BA42-6731-4118-A917-DAA43C5032B9} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F} diff --git a/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs b/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs index 1706aebd78..9c7efe0fbe 100644 --- a/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs +++ b/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs @@ -17,20 +17,20 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator> ValidateAsync(User user, IEnumerable keysToRotate) { - // 2024-06: Remove after 3 releases, for backward compatibility - if (keysToRotate == null) - { - return new List(); - } - var result = new List(); var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id); - if (existing == null || !existing.Any()) + if (existing == null) { return result; } - foreach (var ea in existing) + var validCredentials = existing.Where(credential => credential.SupportsPrf); + if (!validCredentials.Any()) + { + return result; + } + + foreach (var ea in validCredentials) { var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id); if (keyToRotate == null) diff --git a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs new file mode 100644 index 0000000000..139a7aff25 --- /dev/null +++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetails.cs @@ -0,0 +1,64 @@ +using System.Text.Json.Nodes; +using Bit.Core.Enums; + +#nullable enable + +namespace Bit.Core.Models.Data.Organizations; + +public class OrganizationIntegrationConfigurationDetails +{ + public Guid Id { get; set; } + public Guid OrganizationIntegrationId { get; set; } + public IntegrationType IntegrationType { get; set; } + public EventType EventType { get; set; } + public string? Configuration { get; set; } + public string? IntegrationConfiguration { get; set; } + public string? Template { get; set; } + + public JsonObject MergedConfiguration + { + get + { + var integrationJson = IntegrationConfigurationJson; + + foreach (var kvp in ConfigurationJson) + { + integrationJson[kvp.Key] = kvp.Value?.DeepClone(); + } + + return integrationJson; + } + } + + private JsonObject ConfigurationJson + { + get + { + try + { + var configuration = Configuration ?? string.Empty; + return JsonNode.Parse(configuration) as JsonObject ?? new JsonObject(); + } + catch + { + return new JsonObject(); + } + } + } + + private JsonObject IntegrationConfigurationJson + { + get + { + try + { + var integration = IntegrationConfiguration ?? string.Empty; + return JsonNode.Parse(integration) as JsonObject ?? new JsonObject(); + } + catch + { + return new JsonObject(); + } + } + } +} diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs index 010f5de9bf..7b7d8003a3 100644 --- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs +++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommand.cs @@ -154,6 +154,12 @@ public class DeleteManagedOrganizationUserAccountCommand : IDeleteManagedOrganiz } } + if (orgUser.Type == OrganizationUserType.Admin && await _currentContext.OrganizationCustom(organizationId)) + { + throw new BadRequestException("Custom users can not delete admins."); + } + + if (!managementStatus.TryGetValue(orgUser.Id, out var isManaged) || !isManaged) { throw new BadRequestException("Member is not managed by the organization."); diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs index 9375a231ec..3568a2a2b9 100644 --- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs +++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommand.cs @@ -25,7 +25,8 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand public const string UserNotFoundErrorMessage = "User not found."; public const string UsersInvalidErrorMessage = "Users invalid."; public const string RemoveYourselfErrorMessage = "You cannot remove yourself."; - public const string RemoveOwnerByNonOwnerErrorMessage = "Only owners can delete other owners."; + public const string RemoveOwnerByNonOwnerErrorMessage = "Only owners can remove other owners."; + public const string RemoveAdminByCustomUserErrorMessage = "Custom users can not remove admins."; public const string RemoveLastConfirmedOwnerErrorMessage = "Organization must have at least one confirmed owner."; public const string RemoveClaimedAccountErrorMessage = "Cannot remove member accounts claimed by the organization. To offboard a member, revoke or delete the account."; @@ -153,6 +154,11 @@ public class RemoveOrganizationUserCommand : IRemoveOrganizationUserCommand } } + if (orgUser.Type == OrganizationUserType.Admin && await _currentContext.OrganizationCustom(orgUser.OrganizationId)) + { + throw new BadRequestException(RemoveAdminByCustomUserErrorMessage); + } + if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning) && deletingUserId.HasValue && eventSystemUser == null) { var managementStatus = await _getOrganizationUsersManagementStatusQuery.GetUsersOrganizationManagementStatusAsync(orgUser.OrganizationId, new[] { orgUser.Id }); diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs index 3d4b0fba5c..f122463a98 100644 --- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs +++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/v1/RestoreOrganizationUserCommand.cs @@ -87,7 +87,10 @@ public class RestoreOrganizationUserCommand( .twoFactorIsEnabled; } - await CheckUserForOtherFreeOrganizationOwnershipAsync(organizationUser); + if (organization.PlanType == PlanType.Free) + { + await CheckUserForOtherFreeOrganizationOwnershipAsync(organizationUser); + } await CheckPoliciesBeforeRestoreAsync(organizationUser, userTwoFactorIsEnabled); @@ -100,7 +103,7 @@ public class RestoreOrganizationUserCommand( private async Task CheckUserForOtherFreeOrganizationOwnershipAsync(OrganizationUser organizationUser) { - var relatedOrgUsersFromOtherOrgs = await organizationUserRepository.GetManyByUserAsync(organizationUser.UserId.Value); + var relatedOrgUsersFromOtherOrgs = await organizationUserRepository.GetManyByUserAsync(organizationUser.UserId!.Value); var otherOrgs = await organizationRepository.GetManyByUserIdAsync(organizationUser.UserId.Value); var orgOrgUserDict = relatedOrgUsersFromOtherOrgs @@ -110,13 +113,16 @@ public class RestoreOrganizationUserCommand( CheckForOtherFreeOrganizationOwnership(organizationUser, orgOrgUserDict); } - private async Task> GetRelatedOrganizationUsersAndOrganizations( - IEnumerable organizationUsers) + private async Task> GetRelatedOrganizationUsersAndOrganizationsAsync( + List organizationUsers) { - var allUserIds = organizationUsers.Select(x => x.UserId.Value); + var allUserIds = organizationUsers + .Where(x => x.UserId.HasValue) + .Select(x => x.UserId.Value); var otherOrganizationUsers = (await organizationUserRepository.GetManyByManyUsersAsync(allUserIds)) - .Where(x => organizationUsers.Any(y => y.Id == x.Id) == false); + .Where(x => organizationUsers.Any(y => y.Id == x.Id) == false) + .ToArray(); var otherOrgs = await organizationRepository.GetManyByIdsAsync(otherOrganizationUsers .Select(x => x.OrganizationId) @@ -130,7 +136,9 @@ public class RestoreOrganizationUserCommand( Dictionary otherOrgUsersAndOrgs) { var ownerOrAdminList = new[] { OrganizationUserType.Owner, OrganizationUserType.Admin }; - if (otherOrgUsersAndOrgs.Any(x => + + if (ownerOrAdminList.Any(x => organizationUser.Type == x) && + otherOrgUsersAndOrgs.Any(x => x.Key.UserId == organizationUser.UserId && ownerOrAdminList.Any(userType => userType == x.Key.Type) && x.Key.Status == OrganizationUserStatusType.Confirmed && @@ -170,7 +178,7 @@ public class RestoreOrganizationUserCommand( var organizationUsersTwoFactorEnabled = await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync( filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value)); - var orgUsersAndOrgs = await GetRelatedOrganizationUsersAndOrganizations(filteredUsers); + var orgUsersAndOrgs = await GetRelatedOrganizationUsersAndOrganizationsAsync(filteredUsers); var result = new List>(); @@ -201,7 +209,10 @@ public class RestoreOrganizationUserCommand( await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled); - CheckForOtherFreeOrganizationOwnership(organizationUser, orgUsersAndOrgs); + if (organization.PlanType == PlanType.Free) + { + CheckForOtherFreeOrganizationOwnership(organizationUser, orgUsersAndOrgs); + } var status = OrganizationService.GetPriorActiveOrganizationUserStatusType(organizationUser); diff --git a/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs new file mode 100644 index 0000000000..516918fff9 --- /dev/null +++ b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationConfigurationRepository.cs @@ -0,0 +1,13 @@ +using Bit.Core.AdminConsole.Entities; +using Bit.Core.Enums; +using Bit.Core.Models.Data.Organizations; + +namespace Bit.Core.Repositories; + +public interface IOrganizationIntegrationConfigurationRepository : IRepository +{ + Task> GetConfigurationDetailsAsync( + Guid organizationId, + IntegrationType integrationType, + EventType eventType); +} diff --git a/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs new file mode 100644 index 0000000000..cd7700c310 --- /dev/null +++ b/src/Core/AdminConsole/Repositories/IOrganizationIntegrationRepository.cs @@ -0,0 +1,7 @@ +using Bit.Core.AdminConsole.Entities; + +namespace Bit.Core.Repositories; + +public interface IOrganizationIntegrationRepository : IRepository +{ +} diff --git a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs index 4e7b7ee105..dc4e89aa23 100644 --- a/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs +++ b/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs @@ -34,6 +34,9 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService } public async Task SendEmailAsync(Models.Mail.MailMessage message) + => await SendEmailAsync(message, CancellationToken.None); + + public async Task SendEmailAsync(Models.Mail.MailMessage message, CancellationToken cancellationToken) { var mimeMessage = new MimeMessage(); mimeMessage.From.Add(new MailboxAddress(_globalSettings.SiteName, _replyEmail)); @@ -76,25 +79,37 @@ public class MailKitSmtpMailDeliveryService : IMailDeliveryService if (!_globalSettings.Mail.Smtp.StartTls && !_globalSettings.Mail.Smtp.Ssl && _globalSettings.Mail.Smtp.Port == 25) { - await client.ConnectAsync(_globalSettings.Mail.Smtp.Host, _globalSettings.Mail.Smtp.Port, - MailKit.Security.SecureSocketOptions.None); + await client.ConnectAsync( + _globalSettings.Mail.Smtp.Host, + _globalSettings.Mail.Smtp.Port, + MailKit.Security.SecureSocketOptions.None, + cancellationToken + ); } else { var useSsl = _globalSettings.Mail.Smtp.Port == 587 && !_globalSettings.Mail.Smtp.SslOverride ? false : _globalSettings.Mail.Smtp.Ssl; - await client.ConnectAsync(_globalSettings.Mail.Smtp.Host, _globalSettings.Mail.Smtp.Port, useSsl); + await client.ConnectAsync( + _globalSettings.Mail.Smtp.Host, + _globalSettings.Mail.Smtp.Port, + useSsl, + cancellationToken + ); } if (CoreHelpers.SettingHasValue(_globalSettings.Mail.Smtp.Username) && CoreHelpers.SettingHasValue(_globalSettings.Mail.Smtp.Password)) { - await client.AuthenticateAsync(_globalSettings.Mail.Smtp.Username, - _globalSettings.Mail.Smtp.Password); + await client.AuthenticateAsync( + _globalSettings.Mail.Smtp.Username, + _globalSettings.Mail.Smtp.Password, + cancellationToken + ); } - await client.SendAsync(mimeMessage); - await client.DisconnectAsync(true); + await client.SendAsync(mimeMessage, cancellationToken); + await client.DisconnectAsync(true, cancellationToken); } } } diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs new file mode 100644 index 0000000000..f3227dfd22 --- /dev/null +++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs @@ -0,0 +1,43 @@ +using System.Data; +using Bit.Core.AdminConsole.Entities; +using Bit.Core.Enums; +using Bit.Core.Models.Data.Organizations; +using Bit.Core.Repositories; +using Bit.Core.Settings; +using Bit.Infrastructure.Dapper.Repositories; +using Dapper; +using Microsoft.Data.SqlClient; + +namespace Bit.Infrastructure.Dapper.AdminConsole.Repositories; + +public class OrganizationIntegrationConfigurationRepository : Repository, IOrganizationIntegrationConfigurationRepository +{ + public OrganizationIntegrationConfigurationRepository(GlobalSettings globalSettings) + : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString) + { } + + public OrganizationIntegrationConfigurationRepository(string connectionString, string readOnlyConnectionString) + : base(connectionString, readOnlyConnectionString) + { } + + public async Task> GetConfigurationDetailsAsync( + Guid organizationId, + IntegrationType integrationType, + EventType eventType) + { + using (var connection = new SqlConnection(ConnectionString)) + { + var results = await connection.QueryAsync( + "[dbo].[OrganizationIntegrationConfigurationDetails_ReadManyByEventTypeOrganizationIdIntegrationType]", + new + { + EventType = eventType, + OrganizationId = organizationId, + IntegrationType = integrationType + }, + commandType: CommandType.StoredProcedure); + + return results.ToList(); + } + } +} diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationRepository.cs new file mode 100644 index 0000000000..99f0e35378 --- /dev/null +++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationIntegrationRepository.cs @@ -0,0 +1,16 @@ +using Bit.Core.AdminConsole.Entities; +using Bit.Core.Repositories; +using Bit.Core.Settings; + +namespace Bit.Infrastructure.Dapper.Repositories; + +public class OrganizationIntegrationRepository : Repository, IOrganizationIntegrationRepository +{ + public OrganizationIntegrationRepository(GlobalSettings globalSettings) + : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString) + { } + + public OrganizationIntegrationRepository(string connectionString, string readOnlyConnectionString) + : base(connectionString, readOnlyConnectionString) + { } +} diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs new file mode 100644 index 0000000000..f051830035 --- /dev/null +++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationConfigurationRepository.cs @@ -0,0 +1,33 @@ +using AutoMapper; +using Bit.Core.Enums; +using Bit.Core.Models.Data.Organizations; +using Bit.Core.Repositories; +using Bit.Infrastructure.EntityFramework.AdminConsole.Models; +using Bit.Infrastructure.EntityFramework.Repositories; +using Bit.Infrastructure.EntityFramework.Repositories.Queries; +using Microsoft.EntityFrameworkCore; +using Microsoft.Extensions.DependencyInjection; + +namespace Bit.Infrastructure.EntityFramework.AdminConsole.Repositories; + +public class OrganizationIntegrationConfigurationRepository : Repository, IOrganizationIntegrationConfigurationRepository +{ + public OrganizationIntegrationConfigurationRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper) + : base(serviceScopeFactory, mapper, context => context.OrganizationIntegrationConfigurations) + { } + + public async Task> GetConfigurationDetailsAsync( + Guid organizationId, + IntegrationType integrationType, + EventType eventType) + { + using (var scope = ServiceScopeFactory.CreateScope()) + { + var dbContext = GetDatabaseContext(scope); + var query = new OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery( + organizationId, eventType, integrationType + ); + return await query.Run(dbContext).ToListAsync(); + } + } +} diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationRepository.cs new file mode 100644 index 0000000000..816ad3b25f --- /dev/null +++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationIntegrationRepository.cs @@ -0,0 +1,14 @@ +using AutoMapper; +using Bit.Core.Repositories; +using Bit.Infrastructure.EntityFramework.AdminConsole.Models; +using Bit.Infrastructure.EntityFramework.Repositories; +using Microsoft.Extensions.DependencyInjection; + +namespace Bit.Infrastructure.EntityFramework.AdminConsole.Repositories; + +public class OrganizationIntegrationRepository : Repository, IOrganizationIntegrationRepository +{ + public OrganizationIntegrationRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper) + : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.OrganizationIntegrations) + { } +} diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery.cs new file mode 100644 index 0000000000..1a54d6588a --- /dev/null +++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery.cs @@ -0,0 +1,39 @@ +using Bit.Core.Enums; +using Bit.Core.Models.Data.Organizations; + +namespace Bit.Infrastructure.EntityFramework.Repositories.Queries; + +public class OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery : IQuery +{ + private readonly Guid _organizationId; + private readonly EventType _eventType; + private readonly IntegrationType _integrationType; + + public OrganizationIntegrationConfigurationDetailsReadManyByEventTypeOrganizationIdIntegrationTypeQuery(Guid organizationId, EventType eventType, IntegrationType integrationType) + { + _organizationId = organizationId; + _eventType = eventType; + _integrationType = integrationType; + } + + public IQueryable Run(DatabaseContext dbContext) + { + var query = from oic in dbContext.OrganizationIntegrationConfigurations + join oi in dbContext.OrganizationIntegrations on oic.OrganizationIntegrationId equals oi.Id into oioic + from oi in dbContext.OrganizationIntegrations + where oi.OrganizationId == _organizationId && + oi.Type == _integrationType && + oic.EventType == _eventType + select new OrganizationIntegrationConfigurationDetails() + { + Id = oic.Id, + OrganizationIntegrationId = oic.OrganizationIntegrationId, + IntegrationType = oi.Type, + EventType = oic.EventType, + Configuration = oic.Configuration, + IntegrationConfiguration = oi.Configuration, + Template = oic.Template + }; + return query; + } +} diff --git a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs index 3f805bbe2c..ad6c7cf369 100644 --- a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs +++ b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs @@ -78,6 +78,8 @@ public static class EntityFrameworkServiceCollectionExtensions services.AddSingleton(); services.AddSingleton(); services.AddSingleton(); + services.AddSingleton(); + services.AddSingleton(); services.AddSingleton(); services.AddSingleton(); services.AddSingleton(); diff --git a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs index dd1b97b4f2..5c1c1bc87f 100644 --- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs +++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs @@ -55,6 +55,8 @@ public class DatabaseContext : DbContext public DbSet OrganizationApiKeys { get; set; } public DbSet OrganizationSponsorships { get; set; } public DbSet OrganizationConnections { get; set; } + public DbSet OrganizationIntegrations { get; set; } + public DbSet OrganizationIntegrationConfigurations { get; set; } public DbSet OrganizationUsers { get; set; } public DbSet Policies { get; set; } public DbSet Providers { get; set; } diff --git a/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs b/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs index de661497e4..93652735ef 100644 --- a/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs +++ b/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs @@ -14,6 +14,59 @@ namespace Bit.Api.Test.KeyManagement.Validators; [SutProviderCustomize] public class WebAuthnLoginKeyRotationValidatorTests { + [Theory] + [BitAutoData] + public async Task ValidateAsync_Succeeds_ReturnsValidCredentials( + SutProvider sutProvider, User user, + IEnumerable webauthnRotateCredentialData) + { + var guid = Guid.NewGuid(); + + var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel + { + Id = guid, + EncryptedPublicKey = e.EncryptedPublicKey, + EncryptedUserKey = e.EncryptedUserKey + }).ToList(); + + var data = new WebAuthnCredential + { + Id = guid, + SupportsPrf = true, + EncryptedPublicKey = "TestKey", + EncryptedUserKey = "Test" + }; + sutProvider.GetDependency().GetManyByUserIdAsync(user.Id) + .Returns(new List { data }); + + var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate); + Assert.Single(result); + Assert.Equal(guid, result.First().Id); + } + + [Theory] + [BitAutoData] + public async Task ValidateAsync_DoesNotSupportPRF_Ignores( + SutProvider sutProvider, User user, + IEnumerable webauthnRotateCredentialData) + { + var guid = Guid.NewGuid(); + var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel + { + Id = guid, + EncryptedUserKey = e.EncryptedUserKey, + EncryptedPublicKey = e.EncryptedPublicKey, + }).ToList(); + + var data = new WebAuthnCredential { Id = guid, EncryptedUserKey = "Test", EncryptedPublicKey = "TestKey" }; + + sutProvider.GetDependency().GetManyByUserIdAsync(user.Id) + .Returns(new List { data }); + + var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate); + Assert.Empty(result); + } + [Theory] [BitAutoData] public async Task ValidateAsync_WrongWebAuthnKeys_Throws( @@ -30,6 +83,7 @@ public class WebAuthnLoginKeyRotationValidatorTests var data = new WebAuthnCredential { Id = Guid.Parse("00000000-0000-0000-0000-000000000002"), + SupportsPrf = true, EncryptedPublicKey = "TestKey", EncryptedUserKey = "Test" }; @@ -55,6 +109,7 @@ public class WebAuthnLoginKeyRotationValidatorTests var data = new WebAuthnCredential { Id = guid, + SupportsPrf = true, EncryptedPublicKey = "TestKey", EncryptedUserKey = "Test" }; @@ -81,6 +136,7 @@ public class WebAuthnLoginKeyRotationValidatorTests var data = new WebAuthnCredential { Id = guid, + SupportsPrf = true, EncryptedPublicKey = "TestKey", EncryptedUserKey = "Test" }; diff --git a/test/Core.IntegrationTest/Core.IntegrationTest.csproj b/test/Core.IntegrationTest/Core.IntegrationTest.csproj new file mode 100644 index 0000000000..6094209f23 --- /dev/null +++ b/test/Core.IntegrationTest/Core.IntegrationTest.csproj @@ -0,0 +1,29 @@ + + + + net8.0 + enable + enable + + false + true + + + + + + + + + + + + + + + + + + + + diff --git a/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs new file mode 100644 index 0000000000..db2b945fda --- /dev/null +++ b/test/Core.IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs @@ -0,0 +1,410 @@ +using System.Security.Cryptography; +using System.Security.Cryptography.X509Certificates; +using Bit.Core.Models.Mail; +using Bit.Core.Services; +using Bit.Core.Settings; +using MailKit.Security; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; +using Rnwood.SmtpServer; +using Rnwood.SmtpServer.Extensions.Auth; +using Xunit.Abstractions; + +namespace Bit.Core.IntegrationTest; + +public class MailKitSmtpMailDeliveryServiceTests +{ + private readonly X509Certificate2 _selfSignedCert; + + public MailKitSmtpMailDeliveryServiceTests(ITestOutputHelper testOutputHelper) + { + ConfigureSmtpServerLogging(testOutputHelper); + + _selfSignedCert = CreateSelfSignedCert("localhost"); + } + + private static X509Certificate2 CreateSelfSignedCert(string commonName) + { + using var rsa = RSA.Create(2048); + var certRequest = new CertificateRequest($"CN={commonName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); + return certRequest.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1)); + } + + private static async Task SaveCertAsync(string filePath, X509Certificate2 certificate) + { + await File.WriteAllBytesAsync(filePath, certificate.Export(X509ContentType.Cert)); + } + + private static void ConfigureSmtpServerLogging(ITestOutputHelper testOutputHelper) + { + // Unfortunately this package doesn't public expose its logging infrastructure + // so we use private reflection to try and access it. + try + { + var loggingType = typeof(DefaultServerBehaviour).Assembly.GetType("Rnwood.SmtpServer.Logging") + ?? throw new Exception("No type found in RnWood.SmtpServer named 'Logging'"); + + var factoryProperty = loggingType.GetProperty("Factory") + ?? throw new Exception($"No property named 'Factory' found on class {loggingType.FullName}"); + + var factoryPropertyGet = factoryProperty.GetMethod + ?? throw new Exception($"{loggingType.FullName}.{factoryProperty.Name} does not have a get method."); + + if (factoryPropertyGet.Invoke(null, null) is not ILoggerFactory loggerFactory) + { + throw new Exception($"{loggingType.FullName}.{factoryProperty.Name} is not of type 'ILoggerFactory'" + + $"instead it's type '{factoryProperty.PropertyType.FullName}'"); + } + + loggerFactory.AddXUnit(testOutputHelper); + } + catch (Exception ex) + { + testOutputHelper.WriteLine($"Failed to configure logging for RnWood.SmtpServer (logging will not be configured):\n{ex.Message}"); + } + } + private static int RandomPort() + { + return Random.Shared.Next(50000, 60000); + } + + private static GlobalSettings GetSettings(Action configure) + { + var globalSettings = new GlobalSettings(); + globalSettings.SiteName = "TestSiteName"; + globalSettings.Mail.ReplyToEmail = "test@example.com"; + globalSettings.Mail.Smtp.Host = "localhost"; + // Set common defaults + configure(globalSettings); + return globalSettings; + } + + [Fact] + public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertNotInTrustedRootStore_ThrowsException() + { + // If an SMTP server is using a self signed cert we currently require + // that the certificate for their SMTP server is installed in the root CA + // we are building the ability to do so without installing it, when we add that + // this test can be copied, and changed to utilize that new feature and instead of + // failing it should successfully send the email. + var port = RandomPort(); + var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert); + using var smtpServer = new SmtpServer(behavior); + smtpServer.Start(); + + var globalSettings = GetSettings(gs => + { + gs.Mail.Smtp.Port = port; + gs.Mail.Smtp.Ssl = true; + }); + + var mailKitDeliveryService = new MailKitSmtpMailDeliveryService( + globalSettings, + NullLogger.Instance + ); + + await Assert.ThrowsAsync( + async () => await mailKitDeliveryService.SendEmailAsync(new MailMessage + { + Subject = "Test", + ToEmails = ["test@example.com"], + TextContent = "Hi", + }, new CancellationTokenSource(TimeSpan.FromSeconds(5)).Token) + ); + } + + [Fact(Skip = "Upcoming feature")] + public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_Works() + { + // If an SMTP server is using a self signed cert we will in the future + // allow a custom location for certificates to be stored and the certitifactes + // stored there will also be trusted. + var port = RandomPort(); + var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert); + using var smtpServer = new SmtpServer(behavior); + smtpServer.Start(); + + var globalSettings = GetSettings(gs => + { + gs.Mail.Smtp.Port = port; + gs.Mail.Smtp.Ssl = true; + }); + + // TODO: Setup custom location and save self signed cert there. + // await SaveCertAsync("./my-location", _selfSignedCert); + + var mailKitDeliveryService = new MailKitSmtpMailDeliveryService( + globalSettings, + NullLogger.Instance + ); + + var tcs = new TaskCompletionSource(); + var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5)); + cts.Token.Register(() => _ = tcs.TrySetCanceled()); + + behavior.MessageReceivedEventHandler += (sender, args) => + { + if (args.Message.Recipients.Contains("test1@example.com")) + { + tcs.SetResult(); + } + return Task.CompletedTask; + }; + + await mailKitDeliveryService.SendEmailAsync(new MailMessage + { + Subject = "Test", + ToEmails = ["test1@example.com"], + TextContent = "Hi", + }, cts.Token); + + // Wait for email + await tcs.Task; + } + + [Fact(Skip = "Upcoming feature")] + public async Task SendEmailAsync_SmtpServerUsingSelfSignedCert_CertInCustomLocation_WithUnrelatedCerts_Works() + { + // If an SMTP server is using a self signed cert we will in the future + // allow a custom location for certificates to be stored and the certitifactes + // stored there will also be trusted. + var port = RandomPort(); + var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert); + using var smtpServer = new SmtpServer(behavior); + smtpServer.Start(); + + var globalSettings = GetSettings(gs => + { + gs.Mail.Smtp.Port = port; + gs.Mail.Smtp.Ssl = true; + }); + + // TODO: Setup custom location and save self signed cert there + // along with another self signed cert that is not related to + // the SMTP server. + // await SaveCertAsync("./my-location", _selfSignedCert); + // await SaveCertAsync("./my-location", CreateSelfSignedCert("example.com")); + + var mailKitDeliveryService = new MailKitSmtpMailDeliveryService( + globalSettings, + NullLogger.Instance + ); + + var tcs = new TaskCompletionSource(); + var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5)); + cts.Token.Register(() => _ = tcs.TrySetCanceled()); + + behavior.MessageReceivedEventHandler += (sender, args) => + { + if (args.Message.Recipients.Contains("test1@example.com")) + { + tcs.SetResult(); + } + return Task.CompletedTask; + }; + + await mailKitDeliveryService.SendEmailAsync(new MailMessage + { + Subject = "Test", + ToEmails = ["test1@example.com"], + TextContent = "Hi", + }, cts.Token); + + // Wait for email + await tcs.Task; + } + + [Fact] + public async Task SendEmailAsync_Succeeds_WhenCertIsSelfSigned_ServerIsTrusted() + { + // When the setting `TrustServer = true` is set even if the cert is + // self signed and the cert is not trusted in anyway the connection should + // still go through. + var port = RandomPort(); + var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert); + using var smtpServer = new SmtpServer(behavior); + smtpServer.Start(); + + var globalSettings = GetSettings(gs => + { + gs.Mail.Smtp.Port = port; + gs.Mail.Smtp.Ssl = true; + gs.Mail.Smtp.TrustServer = true; + }); + + var mailKitDeliveryService = new MailKitSmtpMailDeliveryService( + globalSettings, + NullLogger.Instance + ); + + var tcs = new TaskCompletionSource(); + var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5)); + cts.Token.Register(() => _ = tcs.TrySetCanceled()); + + behavior.MessageReceivedEventHandler += (sender, args) => + { + if (args.Message.Recipients.Contains("test1@example.com")) + { + tcs.SetResult(); + } + return Task.CompletedTask; + }; + + await mailKitDeliveryService.SendEmailAsync(new MailMessage + { + Subject = "Test", + ToEmails = ["test1@example.com"], + TextContent = "Hi", + }, cts.Token); + + // Wait for email + await tcs.Task; + } + + [Fact] + public async Task SendEmailAsync_FailsConnectingWithTls_ServerDoesNotSupportTls() + { + // If the SMTP server is not setup to use TLS but our server is expecting it + // to, we should fail. + var port = RandomPort(); + var behavior = new DefaultServerBehaviour(false, port); + using var smtpServer = new SmtpServer(behavior); + smtpServer.Start(); + + var globalSettings = GetSettings(gs => + { + gs.Mail.Smtp.Port = port; + gs.Mail.Smtp.Ssl = true; + gs.Mail.Smtp.TrustServer = true; + }); + + var mailKitDeliveryService = new MailKitSmtpMailDeliveryService( + globalSettings, + NullLogger.Instance + ); + + var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5)); + + await Assert.ThrowsAsync( + async () => await mailKitDeliveryService.SendEmailAsync(new MailMessage + { + Subject = "Test", + ToEmails = ["test1@example.com"], + TextContent = "Hi", + }, cts.Token) + ); + } + + [Fact(Skip = "Requires permission to privileged port")] + public async Task SendEmailAsync_Works_NoSsl() + { + // If the SMTP server isn't set up with any SSL/TLS and we dont' expect + // any, then the email should go through just fine. Just without encryption. + // This test has to use port 25 + var port = 25; + var behavior = new DefaultServerBehaviour(false, port); + using var smtpServer = new SmtpServer(behavior); + smtpServer.Start(); + + var globalSettings = GetSettings(gs => + { + gs.Mail.Smtp.Port = port; + gs.Mail.Smtp.Ssl = false; + gs.Mail.Smtp.StartTls = false; + }); + + var mailKitDeliveryService = new MailKitSmtpMailDeliveryService( + globalSettings, + NullLogger.Instance + ); + + var tcs = new TaskCompletionSource(); + var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5)); + cts.Token.Register(() => _ = tcs.TrySetCanceled()); + + behavior.MessageReceivedEventHandler += (sender, args) => + { + if (args.Message.Recipients.Contains("test1@example.com")) + { + tcs.SetResult(); + } + return Task.CompletedTask; + }; + + await mailKitDeliveryService.SendEmailAsync(new MailMessage + { + Subject = "Test", + ToEmails = ["test1@example.com"], + TextContent = "Hi", + }, cts.Token); + + // Wait for email + await tcs.Task; + } + + [Fact] + public async Task SendEmailAsync_Succeeds_WhenServerNeedsToAuthenticate() + { + // When the setting `TrustServer = true` is set even if the cert is + // self signed and the cert is not trusted in anyway the connection should + // still go through. + var port = RandomPort(); + var behavior = new DefaultServerBehaviour(false, port, _selfSignedCert); + behavior.AuthenticationCredentialsValidationRequiredEventHandler += (sender, args) => + { + args.AuthenticationResult = AuthenticationResult.Failure; + if (args.Credentials is not UsernameAndPasswordAuthenticationCredentials usernameAndPasswordCreds) + { + return Task.CompletedTask; + } + + if (usernameAndPasswordCreds.Username != "test" || usernameAndPasswordCreds.Password != "password") + { + return Task.CompletedTask; + } + + args.AuthenticationResult = AuthenticationResult.Success; + return Task.CompletedTask; + }; + using var smtpServer = new SmtpServer(behavior); + smtpServer.Start(); + + var globalSettings = GetSettings(gs => + { + gs.Mail.Smtp.Port = port; + gs.Mail.Smtp.Ssl = true; + gs.Mail.Smtp.TrustServer = true; + + gs.Mail.Smtp.Username = "test"; + gs.Mail.Smtp.Password = "password"; + }); + + var mailKitDeliveryService = new MailKitSmtpMailDeliveryService( + globalSettings, + NullLogger.Instance + ); + + var tcs = new TaskCompletionSource(); + var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5)); + cts.Token.Register(() => _ = tcs.TrySetCanceled()); + + behavior.MessageReceivedEventHandler += (sender, args) => + { + if (args.Message.Recipients.Contains("test1@example.com")) + { + tcs.SetResult(); + } + return Task.CompletedTask; + }; + + await mailKitDeliveryService.SendEmailAsync(new MailMessage + { + Subject = "Test", + ToEmails = ["test1@example.com"], + TextContent = "Hi", + }, cts.Token); + + // Wait for email + await tcs.Task; + } +} diff --git a/test/Core.Test/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetailsTests.cs b/test/Core.Test/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetailsTests.cs new file mode 100644 index 0000000000..99a11903b4 --- /dev/null +++ b/test/Core.Test/AdminConsole/Models/Data/Organizations/OrganizationIntegrationConfigurationDetailsTests.cs @@ -0,0 +1,82 @@ +using System.Text.Json; +using Bit.Core.Models.Data.Organizations; +using Xunit; + +namespace Bit.Core.Test.Models.Data.Organizations; + +public class OrganizationIntegrationConfigurationDetailsTests +{ + [Fact] + public void MergedConfiguration_WithValidConfigAndIntegration_ReturnsMergedJson() + { + var config = new { config = "A new config value" }; + var integration = new { integration = "An integration value" }; + var expectedObj = new { integration = "An integration value", config = "A new config value" }; + var expected = JsonSerializer.Serialize(expectedObj); + + var sut = new OrganizationIntegrationConfigurationDetails(); + sut.Configuration = JsonSerializer.Serialize(config); + sut.IntegrationConfiguration = JsonSerializer.Serialize(integration); + + var result = sut.MergedConfiguration; + Assert.Equal(expected, result.ToJsonString()); + } + + [Fact] + public void MergedConfiguration_WithInvalidJsonConfigAndIntegration_ReturnsEmptyJson() + { + var expectedObj = new { }; + var expected = JsonSerializer.Serialize(expectedObj); + + var sut = new OrganizationIntegrationConfigurationDetails(); + sut.Configuration = "Not JSON"; + sut.IntegrationConfiguration = "Not JSON"; + + var result = sut.MergedConfiguration; + Assert.Equal(expected, result.ToJsonString()); + } + + [Fact] + public void MergedConfiguration_WithNullConfigAndIntegration_ReturnsEmptyJson() + { + var expectedObj = new { }; + var expected = JsonSerializer.Serialize(expectedObj); + + var sut = new OrganizationIntegrationConfigurationDetails(); + sut.Configuration = null; + sut.IntegrationConfiguration = null; + + var result = sut.MergedConfiguration; + Assert.Equal(expected, result.ToJsonString()); + } + + [Fact] + public void MergedConfiguration_WithValidIntegrationAndNullConfig_ReturnsIntegrationJson() + { + var integration = new { integration = "An integration value" }; + var expectedObj = new { integration = "An integration value" }; + var expected = JsonSerializer.Serialize(expectedObj); + + var sut = new OrganizationIntegrationConfigurationDetails(); + sut.Configuration = null; + sut.IntegrationConfiguration = JsonSerializer.Serialize(integration); + + var result = sut.MergedConfiguration; + Assert.Equal(expected, result.ToJsonString()); + } + + [Fact] + public void MergedConfiguration_WithValidConfigAndNullIntegration_ReturnsConfigJson() + { + var config = new { config = "A new config value" }; + var expectedObj = new { config = "A new config value" }; + var expected = JsonSerializer.Serialize(expectedObj); + + var sut = new OrganizationIntegrationConfigurationDetails(); + sut.Configuration = JsonSerializer.Serialize(config); + sut.IntegrationConfiguration = null; + + var result = sut.MergedConfiguration; + Assert.Equal(expected, result.ToJsonString()); + } +} diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs index b21ae5459f..f8f6bdb60d 100644 --- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs +++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs @@ -131,6 +131,38 @@ public class DeleteManagedOrganizationUserAccountCommandTests .LogOrganizationUserEventAsync(Arg.Any(), Arg.Any(), Arg.Any()); } + [Theory] + [BitAutoData] + public async Task DeleteUserAsync_WhenCustomUserDeletesAdmin_ThrowsException( + SutProvider sutProvider, User user, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Admin)] OrganizationUser organizationUser, + Guid deletingUserId) + { + // Arrange + organizationUser.UserId = user.Id; + + sutProvider.GetDependency() + .GetByIdAsync(organizationUser.Id) + .Returns(organizationUser); + + sutProvider.GetDependency().GetByIdAsync(user.Id) + .Returns(user); + + sutProvider.GetDependency() + .OrganizationCustom(organizationUser.OrganizationId) + .Returns(true); + + // Act + var exception = await Assert.ThrowsAsync(() => + sutProvider.Sut.DeleteUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUserId)); + + // Assert + Assert.Equal("Custom users can not delete admins.", exception.Message); + await sutProvider.GetDependency().Received(0).DeleteAsync(Arg.Any()); + await sutProvider.GetDependency().Received(0) + .LogOrganizationUserEventAsync(Arg.Any(), Arg.Any(), Arg.Any()); + } + [Theory] [BitAutoData] public async Task DeleteUserAsync_DeletingOwnerWhenNotOwner_ThrowsException( diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs index 6ab8236b8e..a60850c5a9 100644 --- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs +++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs @@ -171,6 +171,28 @@ public class RemoveOrganizationUserCommandTests Assert.Contains(RemoveOrganizationUserCommand.RemoveOwnerByNonOwnerErrorMessage, exception.Message); } + [Theory, BitAutoData] + public async Task RemoveUser_WhenCustomUserRemovesAdmin_ThrowsException( + [OrganizationUser(type: OrganizationUserType.Admin)] OrganizationUser organizationUser, + [OrganizationUser(type: OrganizationUserType.Custom)] OrganizationUser deletingUser, + SutProvider sutProvider) + { + // Arrange + organizationUser.OrganizationId = deletingUser.OrganizationId; + + sutProvider.GetDependency() + .GetByIdAsync(organizationUser.Id) + .Returns(organizationUser); + sutProvider.GetDependency() + .OrganizationCustom(organizationUser.OrganizationId) + .Returns(true); + + // Act & Assert + var exception = await Assert.ThrowsAsync( + () => sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUser.UserId)); + Assert.Contains(RemoveOrganizationUserCommand.RemoveAdminByCustomUserErrorMessage, exception.Message); + } + [Theory, BitAutoData] public async Task RemoveUser_WithDeletingUserId_RemovingLastOwner_ThrowsException( [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser, diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs index 726664849d..f91ca779a8 100644 --- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs +++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RestoreUser/RestoreOrganizationUserCommandTests.cs @@ -471,10 +471,11 @@ public class RestoreOrganizationUserCommandTests Organization organization, Organization otherOrganization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner, - [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, + [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserOwnerFromDifferentOrg, SutProvider sutProvider) { + organization.PlanType = PlanType.Free; organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke orgUserOwnerFromDifferentOrg.UserId = organizationUser.UserId; @@ -506,6 +507,107 @@ public class RestoreOrganizationUserCommandTests Assert.Equal("User is an owner/admin of another free organization. Please have them upgrade to a paid plan to restore their account.", exception.Message); } + [Theory, BitAutoData] + public async Task RestoreUser_WhenUserOwningAnotherFreeOrganizationAndIsOnlyAUserInCurrentOrg_ThenUserShouldBeRestored( + Organization organization, + Organization otherOrganization, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner, + [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserOwnerFromDifferentOrg, + SutProvider sutProvider) + { + organization.PlanType = PlanType.Free; + organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke + + orgUserOwnerFromDifferentOrg.UserId = organizationUser.UserId; + otherOrganization.Id = orgUserOwnerFromDifferentOrg.OrganizationId; + otherOrganization.PlanType = PlanType.Free; + + RestoreUser_Setup(organization, owner, organizationUser, sutProvider); + + var organizationUserRepository = sutProvider.GetDependency(); + organizationUserRepository + .GetManyByUserAsync(organizationUser.UserId.Value) + .Returns([orgUserOwnerFromDifferentOrg]); + + sutProvider.GetDependency() + .GetManyByUserIdAsync(organizationUser.UserId.Value) + .Returns([otherOrganization]); + + sutProvider.GetDependency() + .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, + Arg.Any()) + .Returns([ + new OrganizationUserPolicyDetails + { + OrganizationId = organizationUser.OrganizationId, + PolicyType = PolicyType.TwoFactorAuthentication + } + ]); + + sutProvider.GetDependency() + .TwoFactorIsEnabledAsync(Arg.Is>(i => i.Contains(organizationUser.UserId.Value))) + .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> { (organizationUser.UserId.Value, true) }); + + await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id); + + await organizationUserRepository + .Received(1) + .RestoreAsync(organizationUser.Id, + Arg.Is(x => x != OrganizationUserStatusType.Revoked)); + } + + [Theory, BitAutoData] + public async Task RestoreUser_WhenUserOwningAnotherFreeOrganizationAndCurrentOrgIsNotFree_ThenUserShouldBeRestored( + Organization organization, + Organization otherOrganization, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner, + [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserOwnerFromDifferentOrg, + SutProvider sutProvider) + { + organization.PlanType = PlanType.EnterpriseAnnually2023; + + organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke + + orgUserOwnerFromDifferentOrg.UserId = organizationUser.UserId; + otherOrganization.Id = orgUserOwnerFromDifferentOrg.OrganizationId; + otherOrganization.PlanType = PlanType.Free; + + RestoreUser_Setup(organization, owner, organizationUser, sutProvider); + + var organizationUserRepository = sutProvider.GetDependency(); + organizationUserRepository + .GetManyByUserAsync(organizationUser.UserId.Value) + .Returns([orgUserOwnerFromDifferentOrg]); + + sutProvider.GetDependency() + .GetManyByUserIdAsync(organizationUser.UserId.Value) + .Returns([otherOrganization]); + + sutProvider.GetDependency() + .GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, + Arg.Any()) + .Returns([ + new OrganizationUserPolicyDetails + { + OrganizationId = organizationUser.OrganizationId, + PolicyType = PolicyType.TwoFactorAuthentication + } + ]); + + sutProvider.GetDependency() + .TwoFactorIsEnabledAsync(Arg.Is>(i => i.Contains(organizationUser.UserId.Value))) + .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> { (organizationUser.UserId.Value, true) }); + + await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id); + + await organizationUserRepository + .Received(1) + .RestoreAsync(organizationUser.Id, + Arg.Is(x => x != OrganizationUserStatusType.Revoked)); + } + [Theory, BitAutoData] public async Task RestoreUsers_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner, @@ -612,7 +714,7 @@ public class RestoreOrganizationUserCommandTests [Theory, BitAutoData] public async Task RestoreUsers_UserOwnsAnotherFreeOrganization_BlocksOwnerUserFromBeingRestored(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner, - [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1, + [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser orgUser1, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserFromOtherOrg, @@ -637,7 +739,7 @@ public class RestoreOrganizationUserCommandTests organizationUserRepository .GetManyAsync(Arg.Is>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id))) - .Returns(new[] { orgUser1, orgUser2, orgUser3 }); + .Returns([orgUser1, orgUser2, orgUser3]); userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" }); @@ -674,6 +776,110 @@ public class RestoreOrganizationUserCommandTests .RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed); } + [Theory, BitAutoData] + public async Task RestoreUsers_UserOwnsAnotherFreeOrganizationButReactivatingOrgIsPaid_RestoresUser(Organization organization, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner, + [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser orgUser1, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserFromOtherOrg, + Organization otherOrganization, + SutProvider sutProvider) + { + // Arrange + organization.PlanType = PlanType.EnterpriseAnnually2023; + + RestoreUser_Setup(organization, owner, orgUser1, sutProvider); + var organizationUserRepository = sutProvider.GetDependency(); + var policyService = sutProvider.GetDependency(); + var userService = Substitute.For(); + + orgUser1.OrganizationId = organization.Id; + + orgUserFromOtherOrg.UserId = orgUser1.UserId; + + otherOrganization.Id = orgUserFromOtherOrg.OrganizationId; + otherOrganization.PlanType = PlanType.Free; + + organizationUserRepository + .GetManyAsync(Arg.Is>(ids => ids.Contains(orgUser1.Id))) + .Returns([orgUser1]); + + organizationUserRepository + .GetManyByManyUsersAsync(Arg.Any>()) + .Returns([orgUserFromOtherOrg]); + + sutProvider.GetDependency() + .GetManyByIdsAsync(Arg.Is>(ids => ids.Contains(orgUserFromOtherOrg.OrganizationId))) + .Returns([otherOrganization]); + + + // Setup 2FA policy + policyService.GetPoliciesApplicableToUserAsync(Arg.Any(), PolicyType.TwoFactorAuthentication, Arg.Any()) + .Returns([new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication }]); + + // User1 has 2FA, User2 doesn't + sutProvider.GetDependency() + .TwoFactorIsEnabledAsync(Arg.Is>(ids => ids.Contains(orgUser1.UserId!.Value))) + .Returns(new List<(Guid userId, bool twoFactorIsEnabled)> + { + (orgUser1.UserId!.Value, true) + }); + + // Act + var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, [orgUser1.Id], owner.Id, userService); + + // Assert + Assert.Single(result); + Assert.Equal(string.Empty, result[0].Item2); + await organizationUserRepository + .Received(1) + .RestoreAsync(orgUser1.Id, Arg.Is(x => x != OrganizationUserStatusType.Revoked)); + } + + [Theory] + [BitAutoData] + public async Task RestoreUsers_UserOwnsAnotherOrganizationButIsOnlyUserOfCurrentOrganization_UserShouldBeRestored( + Organization organization, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner, + [OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.User)] OrganizationUser orgUser1, + [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser orgUserFromOtherOrg, + Organization otherOrganization, + SutProvider sutProvider) + { + // Arrange + organization.PlanType = PlanType.Free; + + RestoreUser_Setup(organization, owner, orgUser1, sutProvider); + var organizationUserRepository = sutProvider.GetDependency(); + var userService = Substitute.For(); + + orgUser1.OrganizationId = organization.Id; + + orgUserFromOtherOrg.UserId = orgUser1.UserId; + + otherOrganization.Id = orgUserFromOtherOrg.OrganizationId; + otherOrganization.PlanType = PlanType.Free; + + organizationUserRepository + .GetManyAsync(Arg.Is>(ids => ids.Contains(orgUser1.Id))) + .Returns([orgUser1]); + + organizationUserRepository + .GetManyByManyUsersAsync(Arg.Any>()) + .Returns([orgUserFromOtherOrg]); + + sutProvider.GetDependency().GetPoliciesApplicableToUserAsync(Arg.Any(), PolicyType.TwoFactorAuthentication, Arg.Any()) + .Returns([new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication }]); + + // Act + var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, [orgUser1.Id], owner.Id, userService); + + Assert.Single(result); + Assert.Equal(string.Empty, result[0].Item2); + await organizationUserRepository + .Received(1) + .RestoreAsync(orgUser1.Id, Arg.Is(x => x != OrganizationUserStatusType.Revoked)); + } + private static void RestoreUser_Setup( Organization organization, OrganizationUser? requestingOrganizationUser,