Lift and shift of Restore User Async to command out of OrganizationService
This commit is contained in:
parent
bb3ec6aca1
commit
87cfb41faa
@ -1,4 +1,5 @@
|
|||||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||||
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
using Bit.Core.Enums;
|
using Bit.Core.Enums;
|
||||||
using Bit.Core.Exceptions;
|
using Bit.Core.Exceptions;
|
||||||
using Bit.Core.Repositories;
|
using Bit.Core.Repositories;
|
||||||
@ -23,6 +24,7 @@ public class UsersController : Controller
|
|||||||
private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
|
private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
|
||||||
private readonly IPatchUserCommand _patchUserCommand;
|
private readonly IPatchUserCommand _patchUserCommand;
|
||||||
private readonly IPostUserCommand _postUserCommand;
|
private readonly IPostUserCommand _postUserCommand;
|
||||||
|
private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
|
||||||
private readonly ILogger<UsersController> _logger;
|
private readonly ILogger<UsersController> _logger;
|
||||||
|
|
||||||
public UsersController(
|
public UsersController(
|
||||||
@ -32,6 +34,7 @@ public class UsersController : Controller
|
|||||||
IRemoveOrganizationUserCommand removeOrganizationUserCommand,
|
IRemoveOrganizationUserCommand removeOrganizationUserCommand,
|
||||||
IPatchUserCommand patchUserCommand,
|
IPatchUserCommand patchUserCommand,
|
||||||
IPostUserCommand postUserCommand,
|
IPostUserCommand postUserCommand,
|
||||||
|
IRestoreOrganizationUserCommand restoreOrganizationUserCommand,
|
||||||
ILogger<UsersController> logger)
|
ILogger<UsersController> logger)
|
||||||
{
|
{
|
||||||
_organizationUserRepository = organizationUserRepository;
|
_organizationUserRepository = organizationUserRepository;
|
||||||
@ -40,6 +43,7 @@ public class UsersController : Controller
|
|||||||
_removeOrganizationUserCommand = removeOrganizationUserCommand;
|
_removeOrganizationUserCommand = removeOrganizationUserCommand;
|
||||||
_patchUserCommand = patchUserCommand;
|
_patchUserCommand = patchUserCommand;
|
||||||
_postUserCommand = postUserCommand;
|
_postUserCommand = postUserCommand;
|
||||||
|
_restoreOrganizationUserCommand = restoreOrganizationUserCommand;
|
||||||
_logger = logger;
|
_logger = logger;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -93,7 +97,7 @@ public class UsersController : Controller
|
|||||||
|
|
||||||
if (model.Active && orgUser.Status == OrganizationUserStatusType.Revoked)
|
if (model.Active && orgUser.Status == OrganizationUserStatusType.Revoked)
|
||||||
{
|
{
|
||||||
await _organizationService.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
|
await _restoreOrganizationUserCommand.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
|
||||||
}
|
}
|
||||||
else if (!model.Active && orgUser.Status != OrganizationUserStatusType.Revoked)
|
else if (!model.Active && orgUser.Status != OrganizationUserStatusType.Revoked)
|
||||||
{
|
{
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
using Bit.Core.Enums;
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
|
using Bit.Core.Enums;
|
||||||
using Bit.Core.Exceptions;
|
using Bit.Core.Exceptions;
|
||||||
using Bit.Core.Repositories;
|
using Bit.Core.Repositories;
|
||||||
using Bit.Core.Services;
|
using Bit.Core.Services;
|
||||||
@ -11,15 +12,18 @@ public class PatchUserCommand : IPatchUserCommand
|
|||||||
{
|
{
|
||||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||||
private readonly IOrganizationService _organizationService;
|
private readonly IOrganizationService _organizationService;
|
||||||
|
private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
|
||||||
private readonly ILogger<PatchUserCommand> _logger;
|
private readonly ILogger<PatchUserCommand> _logger;
|
||||||
|
|
||||||
public PatchUserCommand(
|
public PatchUserCommand(
|
||||||
IOrganizationUserRepository organizationUserRepository,
|
IOrganizationUserRepository organizationUserRepository,
|
||||||
IOrganizationService organizationService,
|
IOrganizationService organizationService,
|
||||||
|
IRestoreOrganizationUserCommand restoreOrganizationUserCommand,
|
||||||
ILogger<PatchUserCommand> logger)
|
ILogger<PatchUserCommand> logger)
|
||||||
{
|
{
|
||||||
_organizationUserRepository = organizationUserRepository;
|
_organizationUserRepository = organizationUserRepository;
|
||||||
_organizationService = organizationService;
|
_organizationService = organizationService;
|
||||||
|
_restoreOrganizationUserCommand = restoreOrganizationUserCommand;
|
||||||
_logger = logger;
|
_logger = logger;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -71,7 +75,7 @@ public class PatchUserCommand : IPatchUserCommand
|
|||||||
{
|
{
|
||||||
if (active && orgUser.Status == OrganizationUserStatusType.Revoked)
|
if (active && orgUser.Status == OrganizationUserStatusType.Revoked)
|
||||||
{
|
{
|
||||||
await _organizationService.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
|
await _restoreOrganizationUserCommand.RestoreUserAsync(orgUser, EventSystemUser.SCIM);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
else if (!active && orgUser.Status != OrganizationUserStatusType.Revoked)
|
else if (!active && orgUser.Status != OrganizationUserStatusType.Revoked)
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
using System.Text.Json;
|
using System.Text.Json;
|
||||||
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
using Bit.Core.Entities;
|
using Bit.Core.Entities;
|
||||||
using Bit.Core.Enums;
|
using Bit.Core.Enums;
|
||||||
using Bit.Core.Exceptions;
|
using Bit.Core.Exceptions;
|
||||||
@ -43,7 +44,7 @@ public class PatchUserCommandTests
|
|||||||
|
|
||||||
await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
|
await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationService>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
|
await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
@ -71,7 +72,7 @@ public class PatchUserCommandTests
|
|||||||
|
|
||||||
await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
|
await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationService>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
|
await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().Received(1).RestoreUserAsync(organizationUser, EventSystemUser.SCIM);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
@ -147,7 +148,7 @@ public class PatchUserCommandTests
|
|||||||
|
|
||||||
await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
|
await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationService>().DidNotReceiveWithAnyArgs().RestoreUserAsync(default, EventSystemUser.SCIM);
|
await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RestoreUserAsync(default, EventSystemUser.SCIM);
|
||||||
await sutProvider.GetDependency<IOrganizationService>().DidNotReceiveWithAnyArgs().RevokeUserAsync(default, EventSystemUser.SCIM);
|
await sutProvider.GetDependency<IOrganizationService>().DidNotReceiveWithAnyArgs().RevokeUserAsync(default, EventSystemUser.SCIM);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.Enums;
|
|||||||
using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
|
using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
|
||||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
|
||||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||||
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
|
using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
|
||||||
using Bit.Core.AdminConsole.Repositories;
|
using Bit.Core.AdminConsole.Repositories;
|
||||||
using Bit.Core.Auth.Enums;
|
using Bit.Core.Auth.Enums;
|
||||||
@ -57,6 +58,7 @@ public class OrganizationUsersController : Controller
|
|||||||
private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
|
private readonly IGetOrganizationUsersManagementStatusQuery _getOrganizationUsersManagementStatusQuery;
|
||||||
private readonly IFeatureService _featureService;
|
private readonly IFeatureService _featureService;
|
||||||
private readonly IPricingClient _pricingClient;
|
private readonly IPricingClient _pricingClient;
|
||||||
|
private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
|
||||||
|
|
||||||
public OrganizationUsersController(
|
public OrganizationUsersController(
|
||||||
IOrganizationRepository organizationRepository,
|
IOrganizationRepository organizationRepository,
|
||||||
@ -80,7 +82,8 @@ public class OrganizationUsersController : Controller
|
|||||||
IDeleteManagedOrganizationUserAccountCommand deleteManagedOrganizationUserAccountCommand,
|
IDeleteManagedOrganizationUserAccountCommand deleteManagedOrganizationUserAccountCommand,
|
||||||
IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
|
IGetOrganizationUsersManagementStatusQuery getOrganizationUsersManagementStatusQuery,
|
||||||
IFeatureService featureService,
|
IFeatureService featureService,
|
||||||
IPricingClient pricingClient)
|
IPricingClient pricingClient,
|
||||||
|
IRestoreOrganizationUserCommand restoreOrganizationUserCommand)
|
||||||
{
|
{
|
||||||
_organizationRepository = organizationRepository;
|
_organizationRepository = organizationRepository;
|
||||||
_organizationUserRepository = organizationUserRepository;
|
_organizationUserRepository = organizationUserRepository;
|
||||||
@ -104,6 +107,7 @@ public class OrganizationUsersController : Controller
|
|||||||
_getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
|
_getOrganizationUsersManagementStatusQuery = getOrganizationUsersManagementStatusQuery;
|
||||||
_featureService = featureService;
|
_featureService = featureService;
|
||||||
_pricingClient = pricingClient;
|
_pricingClient = pricingClient;
|
||||||
|
_restoreOrganizationUserCommand = restoreOrganizationUserCommand;
|
||||||
}
|
}
|
||||||
|
|
||||||
[HttpGet("{id}")]
|
[HttpGet("{id}")]
|
||||||
@ -620,14 +624,14 @@ public class OrganizationUsersController : Controller
|
|||||||
[HttpPut("{id}/restore")]
|
[HttpPut("{id}/restore")]
|
||||||
public async Task RestoreAsync(Guid orgId, Guid id)
|
public async Task RestoreAsync(Guid orgId, Guid id)
|
||||||
{
|
{
|
||||||
await RestoreOrRevokeUserAsync(orgId, id, (orgUser, userId) => _organizationService.RestoreUserAsync(orgUser, userId));
|
await RestoreOrRevokeUserAsync(orgId, id, (orgUser, userId) => _restoreOrganizationUserCommand.RestoreUserAsync(orgUser, userId));
|
||||||
}
|
}
|
||||||
|
|
||||||
[HttpPatch("restore")]
|
[HttpPatch("restore")]
|
||||||
[HttpPut("restore")]
|
[HttpPut("restore")]
|
||||||
public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkRestoreAsync(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
|
public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkRestoreAsync(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
|
||||||
{
|
{
|
||||||
return await RestoreOrRevokeUsersAsync(orgId, model, (orgId, orgUserIds, restoringUserId) => _organizationService.RestoreUsersAsync(orgId, orgUserIds, restoringUserId, _userService));
|
return await RestoreOrRevokeUsersAsync(orgId, model, (orgId, orgUserIds, restoringUserId) => _restoreOrganizationUserCommand.RestoreUsersAsync(orgId, orgUserIds, restoringUserId, _userService));
|
||||||
}
|
}
|
||||||
|
|
||||||
[HttpPatch("enable-secrets-manager")]
|
[HttpPatch("enable-secrets-manager")]
|
||||||
@ -698,7 +702,9 @@ public class OrganizationUsersController : Controller
|
|||||||
}
|
}
|
||||||
|
|
||||||
var userId = _userService.GetProperUserId(User);
|
var userId = _userService.GetProperUserId(User);
|
||||||
|
|
||||||
var result = await statusAction(orgId, model.Ids, userId.Value);
|
var result = await statusAction(orgId, model.Ids, userId.Value);
|
||||||
|
|
||||||
return new ListResponseModel<OrganizationUserBulkResponseModel>(result.Select(r =>
|
return new ListResponseModel<OrganizationUserBulkResponseModel>(result.Select(r =>
|
||||||
new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
|
new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,12 @@
|
|||||||
|
using Bit.Core.Entities;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Services;
|
||||||
|
|
||||||
|
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
|
|
||||||
|
public interface IRestoreOrganizationUserCommand
|
||||||
|
{
|
||||||
|
Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId);
|
||||||
|
Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
|
||||||
|
Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService);
|
||||||
|
}
|
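Review bot: `RestoreUsersAsync` takes an `IUserService userService` parameter that the `RestoreOrganizationUserCommand` added in this commit does not appear to read anywhere, so every caller now threads `_userService` through only to satisfy the signature. Since this interface is new there is no compatibility reason to keep it; the method can be declared as `Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds, Guid? restoringUserId);` with the controller lambda updated to match. The interface also carries no XML docs; a `<summary>` on each overload stating that the `Guid? restoringUserId` variant enforces the "cannot restore yourself" and owner-only-restores-owner checks against the current context, while the `EventSystemUser` variant performs neither and is meant for system-driven (SCIM) flows, would save callers having to read the implementation to learn which authorization they still need to do themselves.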
@ -0,0 +1,251 @@
|
|||||||
|
using Bit.Core.AdminConsole.Enums;
|
||||||
|
using Bit.Core.AdminConsole.Services;
|
||||||
|
using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
|
||||||
|
using Bit.Core.Context;
|
||||||
|
using Bit.Core.Entities;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Exceptions;
|
||||||
|
using Bit.Core.Platform.Push;
|
||||||
|
using Bit.Core.Repositories;
|
||||||
|
using Bit.Core.Services;
|
||||||
|
|
||||||
|
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
|
|
||||||
|
public class RestoreOrganizationUserCommand(
|
||||||
|
ICurrentContext currentContext,
|
||||||
|
IEventService eventService,
|
||||||
|
IPushNotificationService pushNotificationService,
|
||||||
|
IFeatureService featureService,
|
||||||
|
IOrganizationRepository organizationRepository,
|
||||||
|
IOrganizationUserRepository organizationUserRepository,
|
||||||
|
IOrganizationService organizationService,
|
||||||
|
ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
|
||||||
|
IPolicyService policyService,
|
||||||
|
IUserRepository userRepository) : IRestoreOrganizationUserCommand
|
||||||
|
{
|
||||||
|
public async Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId)
|
||||||
|
{
|
||||||
|
if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId.Value)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("You cannot restore yourself.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
|
||||||
|
!await currentContext.OrganizationOwner(organizationUser.OrganizationId))
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Only owners can restore other owners.");
|
||||||
|
}
|
||||||
|
|
||||||
|
await RepositoryRestoreUserAsync(organizationUser);
|
||||||
|
await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
||||||
|
|
||||||
|
if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
|
||||||
|
{
|
||||||
|
await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public async Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser)
|
||||||
|
{
|
||||||
|
await RepositoryRestoreUserAsync(organizationUser);
|
||||||
|
await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, systemUser);
|
||||||
|
|
||||||
|
if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
|
||||||
|
{
|
||||||
|
await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task RepositoryRestoreUserAsync(OrganizationUser organizationUser)
|
||||||
|
{
|
||||||
|
if (organizationUser.Status != OrganizationUserStatusType.Revoked)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Already active.");
|
||||||
|
}
|
||||||
|
|
||||||
|
var organization = await organizationRepository.GetByIdAsync(organizationUser.OrganizationId);
|
||||||
|
var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
|
||||||
|
var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
|
||||||
|
if (availableSeats < 1)
|
||||||
|
{
|
||||||
|
await organizationService.AutoAddSeatsAsync(organization, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
var userTwoFactorIsEnabled = false;
|
||||||
|
// Only check Two Factor Authentication status if the user is linked to a user account
|
||||||
|
if (organizationUser.UserId.HasValue)
|
||||||
|
{
|
||||||
|
userTwoFactorIsEnabled = (await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(new[] { organizationUser.UserId.Value })).FirstOrDefault().twoFactorIsEnabled;
|
||||||
|
}
|
||||||
|
|
||||||
|
await CheckPoliciesBeforeRestoreAsync(organizationUser, userTwoFactorIsEnabled);
|
||||||
|
|
||||||
|
var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
|
||||||
|
|
||||||
|
await organizationUserRepository.RestoreAsync(organizationUser.Id, status);
|
||||||
|
organizationUser.Status = status;
|
||||||
|
}
|
||||||
|
|
||||||
|
public async Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
|
||||||
|
IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService)
|
||||||
|
{
|
||||||
|
var orgUsers = await organizationUserRepository.GetManyAsync(organizationUserIds);
|
||||||
|
var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
|
||||||
|
.ToList();
|
||||||
|
|
||||||
|
if (!filteredUsers.Any())
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Users invalid.");
|
||||||
|
}
|
||||||
|
|
||||||
|
var organization = await organizationRepository.GetByIdAsync(organizationId);
|
||||||
|
var occupiedSeats = await organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
|
||||||
|
var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
|
||||||
|
var newSeatsRequired = organizationUserIds.Count() - availableSeats;
|
||||||
|
await organizationService.AutoAddSeatsAsync(organization, newSeatsRequired);
|
||||||
|
|
||||||
|
var deletingUserIsOwner = false;
|
||||||
|
if (restoringUserId.HasValue)
|
||||||
|
{
|
||||||
|
deletingUserIsOwner = await currentContext.OrganizationOwner(organizationId);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Query Two Factor Authentication status for all users in the organization
|
||||||
|
// This is an optimization to avoid querying the Two Factor Authentication status for each user individually
|
||||||
|
var organizationUsersTwoFactorEnabled = await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
|
||||||
|
filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
|
||||||
|
|
||||||
|
var result = new List<Tuple<OrganizationUser, string>>();
|
||||||
|
|
||||||
|
foreach (var organizationUser in filteredUsers)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
if (organizationUser.Status != OrganizationUserStatusType.Revoked)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Already active.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("You cannot restore yourself.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue &&
|
||||||
|
!deletingUserIsOwner)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Only owners can restore other owners.");
|
||||||
|
}
|
||||||
|
|
||||||
|
var twoFactorIsEnabled = organizationUser.UserId.HasValue
|
||||||
|
&& organizationUsersTwoFactorEnabled
|
||||||
|
.FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value)
|
||||||
|
.twoFactorIsEnabled;
|
||||||
|
await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
|
||||||
|
|
||||||
|
var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
|
||||||
|
|
||||||
|
await organizationUserRepository.RestoreAsync(organizationUser.Id, status);
|
||||||
|
organizationUser.Status = status;
|
||||||
|
await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
||||||
|
if (featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) &&
|
||||||
|
organizationUser.UserId.HasValue)
|
||||||
|
{
|
||||||
|
await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
|
||||||
|
}
|
||||||
|
|
||||||
|
result.Add(Tuple.Create(organizationUser, ""));
|
||||||
|
}
|
||||||
|
catch (BadRequestException e)
|
||||||
|
{
|
||||||
|
result.Add(Tuple.Create(organizationUser, e.Message));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task CheckPoliciesBeforeRestoreAsync(OrganizationUser orgUser, bool userHasTwoFactorEnabled)
|
||||||
|
{
|
||||||
|
// An invited OrganizationUser isn't linked with a user account yet, so these checks are irrelevant
|
||||||
|
// The user will be subject to the same checks when they try to accept the invite
|
||||||
|
if (GetPriorActiveOrganizationUserStatusType(orgUser) == OrganizationUserStatusType.Invited)
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
var userId = orgUser.UserId.Value;
|
||||||
|
|
||||||
|
// Enforce Single Organization Policy of organization user is being restored to
|
||||||
|
var allOrgUsers = await organizationUserRepository.GetManyByUserAsync(userId);
|
||||||
|
var hasOtherOrgs = allOrgUsers.Any(ou => ou.OrganizationId != orgUser.OrganizationId);
|
||||||
|
var singleOrgPoliciesApplyingToRevokedUsers = await policyService.GetPoliciesApplicableToUserAsync(userId,
|
||||||
|
PolicyType.SingleOrg, OrganizationUserStatusType.Revoked);
|
||||||
|
var singleOrgPolicyApplies = singleOrgPoliciesApplyingToRevokedUsers.Any(p => p.OrganizationId == orgUser.OrganizationId);
|
||||||
|
|
||||||
|
var singleOrgCompliant = true;
|
||||||
|
var belongsToOtherOrgCompliant = true;
|
||||||
|
var twoFactorCompliant = true;
|
||||||
|
|
||||||
|
if (hasOtherOrgs && singleOrgPolicyApplies)
|
||||||
|
{
|
||||||
|
singleOrgCompliant = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Enforce Single Organization Policy of other organizations user is a member of
|
||||||
|
var anySingleOrgPolicies = await policyService.AnyPoliciesApplicableToUserAsync(userId,
|
||||||
|
PolicyType.SingleOrg);
|
||||||
|
if (anySingleOrgPolicies)
|
||||||
|
{
|
||||||
|
belongsToOtherOrgCompliant = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Enforce Two Factor Authentication Policy of organization user is trying to join
|
||||||
|
if (!userHasTwoFactorEnabled)
|
||||||
|
{
|
||||||
|
var invitedTwoFactorPolicies = await policyService.GetPoliciesApplicableToUserAsync(userId,
|
||||||
|
PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Revoked);
|
||||||
|
if (invitedTwoFactorPolicies.Any(p => p.OrganizationId == orgUser.OrganizationId))
|
||||||
|
{
|
||||||
|
twoFactorCompliant = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var user = await userRepository.GetByIdAsync(userId);
|
||||||
|
|
||||||
|
if (!singleOrgCompliant && !twoFactorCompliant)
|
||||||
|
{
|
||||||
|
throw new BadRequestException(user.Email + " is not compliant with the single organization and two-step login polciy");
|
||||||
|
}
|
||||||
|
else if (!singleOrgCompliant)
|
||||||
|
{
|
||||||
|
throw new BadRequestException(user.Email + " is not compliant with the single organization policy");
|
||||||
|
}
|
||||||
|
else if (!belongsToOtherOrgCompliant)
|
||||||
|
{
|
||||||
|
throw new BadRequestException(user.Email + " belongs to an organization that doesn't allow them to join multiple organizations");
|
||||||
|
}
|
||||||
|
else if (!twoFactorCompliant)
|
||||||
|
{
|
||||||
|
throw new BadRequestException(user.Email + " is not compliant with the two-step login policy");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
|
||||||
|
{
|
||||||
|
// Determine status to revert back to
|
||||||
|
var status = OrganizationUserStatusType.Invited;
|
||||||
|
if (organizationUser.UserId.HasValue && string.IsNullOrWhiteSpace(organizationUser.Email))
|
||||||
|
{
|
||||||
|
// Has UserId & Email is null, then Accepted
|
||||||
|
status = OrganizationUserStatusType.Accepted;
|
||||||
|
if (!string.IsNullOrWhiteSpace(organizationUser.Key))
|
||||||
|
{
|
||||||
|
// We have an org key for this user, user was confirmed
|
||||||
|
status = OrganizationUserStatusType.Confirmed;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
}
|
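Review bot: In `RestoreUsersAsync` the seat top-up is sized from the unfiltered input, `var newSeatsRequired = organizationUserIds.Count() - availableSeats;`, and `AutoAddSeatsAsync` runs before any per-user validation, so ids that belong to other organizations (already dropped when building `filteredUsers`) and users that are not `Revoked` (rejected later with "Already active.") still count toward the purchase — a sloppy or abusive bulk request from an admin can grow the seat count, and presumably the bill, while restoring nobody. Computing the requirement from the users that can actually be restored, `var newSeatsRequired = filteredUsers.Count(u => u.Status == OrganizationUserStatusType.Revoked) - availableSeats;`, and only calling `AutoAddSeatsAsync` when it is positive closes that gap and also stops the caller's `IEnumerable<Guid>` being enumerated a second time after `GetManyAsync`. This is lifted verbatim from `OrganizationService`, so it is pre-existing rather than introduced here, but the new command is the natural place to fix it. Separately, the error text at the end of `CheckPoliciesBeforeRestoreAsync` misspells "polciy"; if no client matches on that string it is a one-word fix.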
@ -51,10 +51,6 @@ public interface IOrganizationService
|
|||||||
Task RevokeUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
|
Task RevokeUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
|
||||||
Task<List<Tuple<OrganizationUser, string>>> RevokeUsersAsync(Guid organizationId,
|
Task<List<Tuple<OrganizationUser, string>>> RevokeUsersAsync(Guid organizationId,
|
||||||
IEnumerable<Guid> organizationUserIds, Guid? revokingUserId);
|
IEnumerable<Guid> organizationUserIds, Guid? revokingUserId);
|
||||||
Task RestoreUserAsync(OrganizationUser organizationUser, Guid? restoringUserId);
|
|
||||||
Task RestoreUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
|
|
||||||
Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
|
|
||||||
IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService);
|
|
||||||
Task CreatePendingOrganization(Organization organization, string ownerEmail, ClaimsPrincipal user, IUserService userService, bool salesAssistedTrialStarted);
|
Task CreatePendingOrganization(Organization organization, string ownerEmail, ClaimsPrincipal user, IUserService userService, bool salesAssistedTrialStarted);
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Update an Organization entry by setting the public/private keys, set it as 'Enabled' and move the Status from 'Pending' to 'Created'.
|
/// Update an Organization entry by setting the public/private keys, set it as 'Enabled' and move the Status from 'Pending' to 'Created'.
|
||||||
|
@ -17,7 +17,6 @@ using Bit.Core.Billing.Constants;
|
|||||||
using Bit.Core.Billing.Enums;
|
using Bit.Core.Billing.Enums;
|
||||||
using Bit.Core.Billing.Extensions;
|
using Bit.Core.Billing.Extensions;
|
||||||
using Bit.Core.Billing.Pricing;
|
using Bit.Core.Billing.Pricing;
|
||||||
using Bit.Core.Billing.Services;
|
|
||||||
using Bit.Core.Context;
|
using Bit.Core.Context;
|
||||||
using Bit.Core.Entities;
|
using Bit.Core.Entities;
|
||||||
using Bit.Core.Enums;
|
using Bit.Core.Enums;
|
||||||
@ -73,7 +72,6 @@ public class OrganizationService : IOrganizationService
|
|||||||
private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
|
private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
|
||||||
private readonly IFeatureService _featureService;
|
private readonly IFeatureService _featureService;
|
||||||
private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
|
private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
|
||||||
private readonly IOrganizationBillingService _organizationBillingService;
|
|
||||||
private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
|
private readonly IHasConfirmedOwnersExceptQuery _hasConfirmedOwnersExceptQuery;
|
||||||
private readonly IPricingClient _pricingClient;
|
private readonly IPricingClient _pricingClient;
|
||||||
|
|
||||||
@ -109,7 +107,6 @@ public class OrganizationService : IOrganizationService
|
|||||||
IProviderRepository providerRepository,
|
IProviderRepository providerRepository,
|
||||||
IFeatureService featureService,
|
IFeatureService featureService,
|
||||||
ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
|
ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
|
||||||
IOrganizationBillingService organizationBillingService,
|
|
||||||
IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
|
IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
|
||||||
IPricingClient pricingClient)
|
IPricingClient pricingClient)
|
||||||
{
|
{
|
||||||
@ -144,7 +141,6 @@ public class OrganizationService : IOrganizationService
|
|||||||
_orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
|
_orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
|
||||||
_featureService = featureService;
|
_featureService = featureService;
|
||||||
_twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
|
_twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
|
||||||
_organizationBillingService = organizationBillingService;
|
|
||||||
_hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
|
_hasConfirmedOwnersExceptQuery = hasConfirmedOwnersExceptQuery;
|
||||||
_pricingClient = pricingClient;
|
_pricingClient = pricingClient;
|
||||||
}
|
}
|
||||||
@ -2063,81 +2059,6 @@ public class OrganizationService : IOrganizationService
|
|||||||
organizationUser.Status = status;
|
organizationUser.Status = status;
|
||||||
}
|
}
|
||||||
|
|
||||||
public async Task<List<Tuple<OrganizationUser, string>>> RestoreUsersAsync(Guid organizationId,
|
|
||||||
IEnumerable<Guid> organizationUserIds, Guid? restoringUserId, IUserService userService)
|
|
||||||
{
|
|
||||||
var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUserIds);
|
|
||||||
var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
|
|
||||||
.ToList();
|
|
||||||
|
|
||||||
if (!filteredUsers.Any())
|
|
||||||
{
|
|
||||||
throw new BadRequestException("Users invalid.");
|
|
||||||
}
|
|
||||||
|
|
||||||
var organization = await _organizationRepository.GetByIdAsync(organizationId);
|
|
||||||
var occupiedSeats = await _organizationUserRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
|
|
||||||
var availableSeats = organization.Seats.GetValueOrDefault(0) - occupiedSeats;
|
|
||||||
var newSeatsRequired = organizationUserIds.Count() - availableSeats;
|
|
||||||
await AutoAddSeatsAsync(organization, newSeatsRequired);
|
|
||||||
|
|
||||||
var deletingUserIsOwner = false;
|
|
||||||
if (restoringUserId.HasValue)
|
|
||||||
{
|
|
||||||
deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Query Two Factor Authentication status for all users in the organization
|
|
||||||
// This is an optimization to avoid querying the Two Factor Authentication status for each user individually
|
|
||||||
var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(
|
|
||||||
filteredUsers.Where(ou => ou.UserId.HasValue).Select(ou => ou.UserId.Value));
|
|
||||||
|
|
||||||
var result = new List<Tuple<OrganizationUser, string>>();
|
|
||||||
|
|
||||||
foreach (var organizationUser in filteredUsers)
|
|
||||||
{
|
|
||||||
try
|
|
||||||
{
|
|
||||||
if (organizationUser.Status != OrganizationUserStatusType.Revoked)
|
|
||||||
{
|
|
||||||
throw new BadRequestException("Already active.");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (restoringUserId.HasValue && organizationUser.UserId == restoringUserId)
|
|
||||||
{
|
|
||||||
throw new BadRequestException("You cannot restore yourself.");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (organizationUser.Type == OrganizationUserType.Owner && restoringUserId.HasValue && !deletingUserIsOwner)
|
|
||||||
{
|
|
||||||
throw new BadRequestException("Only owners can restore other owners.");
|
|
||||||
}
|
|
||||||
|
|
||||||
var twoFactorIsEnabled = organizationUser.UserId.HasValue
|
|
||||||
&& organizationUsersTwoFactorEnabled.FirstOrDefault(ou => ou.userId == organizationUser.UserId.Value).twoFactorIsEnabled;
|
|
||||||
await CheckPoliciesBeforeRestoreAsync(organizationUser, twoFactorIsEnabled);
|
|
||||||
|
|
||||||
var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
|
|
||||||
|
|
||||||
await _organizationUserRepository.RestoreAsync(organizationUser.Id, status);
|
|
||||||
organizationUser.Status = status;
|
|
||||||
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
|
||||||
if (_featureService.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore) && organizationUser.UserId.HasValue)
|
|
||||||
{
|
|
||||||
await _pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId.Value);
|
|
||||||
}
|
|
||||||
|
|
||||||
result.Add(Tuple.Create(organizationUser, ""));
|
|
||||||
}
|
|
||||||
catch (BadRequestException e)
|
|
||||||
{
|
|
||||||
result.Add(Tuple.Create(organizationUser, e.Message));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
private async Task CheckPoliciesBeforeRestoreAsync(OrganizationUser orgUser, bool userHasTwoFactorEnabled)
|
private async Task CheckPoliciesBeforeRestoreAsync(OrganizationUser orgUser, bool userHasTwoFactorEnabled)
|
||||||
{
|
{
|
||||||
// An invited OrganizationUser isn't linked with a user account yet, so these checks are irrelevant
|
// An invited OrganizationUser isn't linked with a user account yet, so these checks are irrelevant
|
||||||
|
@ -13,6 +13,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
|
|||||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
|
||||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
|
||||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||||
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
using Bit.Core.Models.Business.Tokenables;
|
using Bit.Core.Models.Business.Tokenables;
|
||||||
using Bit.Core.OrganizationFeatures.OrganizationCollections;
|
using Bit.Core.OrganizationFeatures.OrganizationCollections;
|
||||||
using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
|
using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
|
||||||
@ -167,6 +168,8 @@ public static class OrganizationServiceCollectionExtensions
|
|||||||
services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
|
services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
|
||||||
services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
|
services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
|
||||||
|
|
||||||
|
services.AddScoped<IRestoreOrganizationUserCommand, RestoreOrganizationUserCommand>();
|
||||||
|
|
||||||
services.AddScoped<IAuthorizationHandler, OrganizationUserUserMiniDetailsAuthorizationHandler>();
|
services.AddScoped<IAuthorizationHandler, OrganizationUserUserMiniDetailsAuthorizationHandler>();
|
||||||
services.AddScoped<IAuthorizationHandler, OrganizationUserUserDetailsAuthorizationHandler>();
|
services.AddScoped<IAuthorizationHandler, OrganizationUserUserDetailsAuthorizationHandler>();
|
||||||
services.AddScoped<IHasConfirmedOwnersExceptQuery, HasConfirmedOwnersExceptQuery>();
|
services.AddScoped<IHasConfirmedOwnersExceptQuery, HasConfirmedOwnersExceptQuery>();
|
||||||
|
@ -0,0 +1,702 @@
|
|||||||
|
using Bit.Core.AdminConsole.Entities;
|
||||||
|
using Bit.Core.AdminConsole.Enums;
|
||||||
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||||
|
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreOrganizationUser;
|
||||||
|
using Bit.Core.AdminConsole.Services;
|
||||||
|
using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
|
||||||
|
using Bit.Core.Context;
|
||||||
|
using Bit.Core.Entities;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Exceptions;
|
||||||
|
using Bit.Core.Models.Data.Organizations.OrganizationUsers;
|
||||||
|
using Bit.Core.Platform.Push;
|
||||||
|
using Bit.Core.Repositories;
|
||||||
|
using Bit.Core.Services;
|
||||||
|
using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
|
||||||
|
using Bit.Test.Common.AutoFixture;
|
||||||
|
using Bit.Test.Common.AutoFixture.Attributes;
|
||||||
|
using NSubstitute;
|
||||||
|
using Xunit;
|
||||||
|
|
||||||
|
namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
|
||||||
|
|
||||||
|
[SutProviderCustomize]
|
||||||
|
public class RestoreOrganizationUserCommandTests
|
||||||
|
{
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_Success(Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IFeatureService>()
|
||||||
|
.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
|
||||||
|
.Returns(true);
|
||||||
|
|
||||||
|
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.Received(1)
|
||||||
|
.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_WithEventSystemUser_Success(Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
EventSystemUser eventSystemUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
RestoreUser_Setup(organization, null, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
EventSystemUser eventSystemUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
RestoreUser_Setup(organization, null, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IFeatureService>()
|
||||||
|
.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
|
||||||
|
.Returns(true);
|
||||||
|
|
||||||
|
await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.Received(1)
|
||||||
|
.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_RestoreThemselves_Fails(Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.UserId = owner.Id;
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains("you cannot restore yourself", exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData(OrganizationUserType.Admin)]
|
||||||
|
[BitAutoData(OrganizationUserType.Custom)]
|
||||||
|
public async Task RestoreUser_AdminRestoreOwner_Fails(OrganizationUserType restoringUserType,
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed)] OrganizationUser restoringUser,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
restoringUser.Type = restoringUserType;
|
||||||
|
RestoreUser_Setup(organization, restoringUser, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, restoringUser.Id));
|
||||||
|
|
||||||
|
Assert.Contains("only owners can restore other owners", exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData(OrganizationUserStatusType.Invited)]
|
||||||
|
[BitAutoData(OrganizationUserStatusType.Accepted)]
|
||||||
|
[BitAutoData(OrganizationUserStatusType.Confirmed)]
|
||||||
|
public async Task RestoreUser_WithStatusOtherThanRevoked_Fails(OrganizationUserStatusType userStatus,
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Status = userStatus;
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains("already active", exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email =
|
||||||
|
null; // this is required to mock that the user as had already been confirmed before the revoke
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(true);
|
||||||
|
|
||||||
|
var user = new User();
|
||||||
|
user.Email = "test@bitwarden.com";
|
||||||
|
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains(
|
||||||
|
"test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations",
|
||||||
|
exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email = null;
|
||||||
|
|
||||||
|
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
||||||
|
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
||||||
|
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, false) });
|
||||||
|
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organizationUser.OrganizationId,
|
||||||
|
PolicyType = PolicyType.TwoFactorAuthentication
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
var user = new User();
|
||||||
|
user.Email = "test@bitwarden.com";
|
||||||
|
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy",
|
||||||
|
exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email =
|
||||||
|
null; // this is required to mock that the user as had already been confirmed before the revoke
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organizationUser.OrganizationId,
|
||||||
|
PolicyType = PolicyType.TwoFactorAuthentication
|
||||||
|
}
|
||||||
|
});
|
||||||
|
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
||||||
|
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
||||||
|
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
|
||||||
|
|
||||||
|
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_WithSingleOrgPolicyEnabled_Fails(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email =
|
||||||
|
null; // this is required to mock that the user as had already been confirmed before the revoke
|
||||||
|
secondOrganizationUser.UserId = organizationUser.UserId;
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.GetManyByUserAsync(organizationUser.UserId.Value)
|
||||||
|
.Returns(new[] { organizationUser, secondOrganizationUser });
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organizationUser.OrganizationId,
|
||||||
|
PolicyType = PolicyType.SingleOrg,
|
||||||
|
OrganizationUserStatus = OrganizationUserStatusType.Revoked
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
var user = new User();
|
||||||
|
user.Email = "test@bitwarden.com";
|
||||||
|
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains("test@bitwarden.com is not compliant with the single organization policy",
|
||||||
|
exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_vNext_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email =
|
||||||
|
null; // this is required to mock that the user as had already been confirmed before the revoke
|
||||||
|
secondOrganizationUser.UserId = organizationUser.UserId;
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
||||||
|
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
||||||
|
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(true);
|
||||||
|
|
||||||
|
var user = new User();
|
||||||
|
user.Email = "test@bitwarden.com";
|
||||||
|
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains(
|
||||||
|
"test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations",
|
||||||
|
exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_WithSingleOrgPolicyEnabled_And_2FA_Policy_Fails(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email =
|
||||||
|
null; // this is required to mock that the user as had already been confirmed before the revoke
|
||||||
|
secondOrganizationUser.UserId = organizationUser.UserId;
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.GetManyByUserAsync(organizationUser.UserId.Value)
|
||||||
|
.Returns(new[] { organizationUser, secondOrganizationUser });
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organizationUser.OrganizationId,
|
||||||
|
PolicyType = PolicyType.SingleOrg,
|
||||||
|
OrganizationUserStatus = OrganizationUserStatusType.Revoked
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organizationUser.OrganizationId,
|
||||||
|
PolicyType = PolicyType.TwoFactorAuthentication,
|
||||||
|
OrganizationUserStatus = OrganizationUserStatusType.Revoked
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
var user = new User();
|
||||||
|
user.Email = "test@bitwarden.com";
|
||||||
|
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains("test@bitwarden.com is not compliant with the single organization and two-step login polciy",
|
||||||
|
exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)]
|
||||||
|
OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)]
|
||||||
|
OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email = null;
|
||||||
|
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organizationUser.OrganizationId,
|
||||||
|
PolicyType = PolicyType.TwoFactorAuthentication
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
var user = new User();
|
||||||
|
user.Email = "test@bitwarden.com";
|
||||||
|
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
||||||
|
|
||||||
|
Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy",
|
||||||
|
exception.Message.ToLowerInvariant());
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(),
|
||||||
|
Arg.Any<EventSystemUser>());
|
||||||
|
await sutProvider.GetDependency<IPushNotificationService>()
|
||||||
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
|
||||||
|
Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
organizationUser.Email =
|
||||||
|
null; // this is required to mock that the user as had already been confirmed before the revoke
|
||||||
|
RestoreUser_Setup(organization, owner, organizationUser, sutProvider);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyService>()
|
||||||
|
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organizationUser.OrganizationId,
|
||||||
|
PolicyType = PolicyType.TwoFactorAuthentication
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
||||||
|
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
||||||
|
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
|
||||||
|
|
||||||
|
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
|
||||||
|
await sutProvider.GetDependency<IEventService>()
|
||||||
|
.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUsers_Success(Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
// Arrange
|
||||||
|
RestoreUser_Setup(organization, owner, orgUser1, sutProvider);
|
||||||
|
var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
|
||||||
|
var eventService = sutProvider.GetDependency<IEventService>();
|
||||||
|
var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
|
||||||
|
var userService = Substitute.For<IUserService>();
|
||||||
|
|
||||||
|
orgUser1.Email = orgUser2.Email = null; // Mock that users were previously confirmed
|
||||||
|
orgUser1.OrganizationId = orgUser2.OrganizationId = organization.Id;
|
||||||
|
organizationUserRepository
|
||||||
|
.GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id)))
|
||||||
|
.Returns([orgUser1, orgUser2]);
|
||||||
|
|
||||||
|
twoFactorIsEnabledQuery
|
||||||
|
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids =>
|
||||||
|
ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
|
||||||
|
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
|
||||||
|
{
|
||||||
|
(orgUser1.UserId!.Value, true), (orgUser2.UserId!.Value, false)
|
||||||
|
});
|
||||||
|
|
||||||
|
// Act
|
||||||
|
var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id },
|
||||||
|
owner.Id, userService);
|
||||||
|
|
||||||
|
// Assert
|
||||||
|
Assert.Equal(2, result.Count);
|
||||||
|
Assert.All(result, r => Assert.Empty(r.Item2)); // No error messages
|
||||||
|
await organizationUserRepository
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
|
||||||
|
await organizationUserRepository
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(orgUser2.Id, OrganizationUserStatusType.Confirmed);
|
||||||
|
await eventService.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(orgUser1, EventType.OrganizationUser_Restored);
|
||||||
|
await eventService.Received(1)
|
||||||
|
.LogOrganizationUserEventAsync(orgUser2, EventType.OrganizationUser_Restored);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
public async Task RestoreUsers_With2FAPolicy_BlocksNonCompliantUser(Organization organization,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
|
||||||
|
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
// Arrange
|
||||||
|
RestoreUser_Setup(organization, owner, orgUser1, sutProvider);
|
||||||
|
var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
|
||||||
|
var userRepository = sutProvider.GetDependency<IUserRepository>();
|
||||||
|
var policyService = sutProvider.GetDependency<IPolicyService>();
|
||||||
|
var userService = Substitute.For<IUserService>();
|
||||||
|
|
||||||
|
orgUser1.Email = orgUser2.Email = null;
|
||||||
|
orgUser3.UserId = null;
|
||||||
|
orgUser3.Key = null;
|
||||||
|
orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = organization.Id;
|
||||||
|
organizationUserRepository
|
||||||
|
.GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids =>
|
||||||
|
ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id)))
|
||||||
|
.Returns([orgUser1, orgUser2, orgUser3]);
|
||||||
|
|
||||||
|
userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" });
|
||||||
|
|
||||||
|
// Setup 2FA policy
|
||||||
|
policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication,
|
||||||
|
Arg.Any<OrganizationUserStatusType>())
|
||||||
|
.Returns(new[]
|
||||||
|
{
|
||||||
|
new OrganizationUserPolicyDetails
|
||||||
|
{
|
||||||
|
OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
// User1 has 2FA, User2 doesn't
|
||||||
|
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
||||||
|
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids =>
|
||||||
|
ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
|
||||||
|
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
|
||||||
|
{
|
||||||
|
(orgUser1.UserId!.Value, true), (orgUser2.UserId!.Value, false)
|
||||||
|
});
|
||||||
|
|
||||||
|
// Act
|
||||||
|
var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id,
|
||||||
|
[orgUser1.Id, orgUser2.Id, orgUser3.Id], owner.Id, userService);
|
||||||
|
|
||||||
|
// Assert
|
||||||
|
Assert.Equal(3, result.Count);
|
||||||
|
Assert.Empty(result[0].Item2); // First user should succeed
|
||||||
|
Assert.Contains("two-step login", result[1].Item2); // Second user should fail
|
||||||
|
Assert.Empty(result[2].Item2); // Third user should succeed
|
||||||
|
await organizationUserRepository
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
|
||||||
|
await organizationUserRepository
|
||||||
|
.DidNotReceive()
|
||||||
|
.RestoreAsync(orgUser2.Id, Arg.Any<OrganizationUserStatusType>());
|
||||||
|
await organizationUserRepository
|
||||||
|
.Received(1)
|
||||||
|
.RestoreAsync(orgUser3.Id, OrganizationUserStatusType.Invited);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void RestoreUser_Setup(
|
||||||
|
Organization organization,
|
||||||
|
OrganizationUser? requestingOrganizationUser,
|
||||||
|
OrganizationUser targetOrganizationUser,
|
||||||
|
SutProvider<IRestoreOrganizationUserCommand> sutProvider)
|
||||||
|
{
|
||||||
|
if (requestingOrganizationUser != null)
|
||||||
|
{
|
||||||
|
requestingOrganizationUser.OrganizationId = organization.Id;
|
||||||
|
}
|
||||||
|
|
||||||
|
targetOrganizationUser.OrganizationId = organization.Id;
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||||
|
sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(organization.Id).Returns(
|
||||||
|
requestingOrganizationUser is { Type: OrganizationUserType.Owner });
|
||||||
|
sutProvider.GetDependency<ICurrentContext>().ManageUsers(organization.Id).Returns(
|
||||||
|
requestingOrganizationUser is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin });
|
||||||
|
sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
|
||||||
|
.HasConfirmedOwnersExceptAsync(organization.Id, Arg.Any<IEnumerable<Guid>>())
|
||||||
|
.Returns(true);
|
||||||
|
}
|
||||||
|
}
|
@ -1534,451 +1534,6 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
|
|||||||
.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
|
.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IFeatureService>()
|
|
||||||
.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
|
|
||||||
.Returns(true);
|
|
||||||
|
|
||||||
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.Received(1)
|
|
||||||
.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_WithEventSystemUser_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_WithEventSystemUser_WithPushSyncOrgKeysOnRevokeRestoreEnabled_Success(Organization organization, [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, EventSystemUser eventSystemUser, SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
RestoreRevokeUser_Setup(organization, null, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IFeatureService>()
|
|
||||||
.IsEnabled(FeatureFlagKeys.PushSyncOrgKeysOnRevokeRestore)
|
|
||||||
.Returns(true);
|
|
||||||
|
|
||||||
await sutProvider.Sut.RestoreUserAsync(organizationUser, eventSystemUser);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Invited);
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored, eventSystemUser);
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.Received(1)
|
|
||||||
.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_RestoreThemselves_Fails(Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.UserId = owner.Id;
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("you cannot restore yourself", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData(OrganizationUserType.Admin)]
|
|
||||||
[BitAutoData(OrganizationUserType.Custom)]
|
|
||||||
public async Task RestoreUser_AdminRestoreOwner_Fails(OrganizationUserType restoringUserType,
|
|
||||||
Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed)] OrganizationUser restoringUser,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked, OrganizationUserType.Owner)] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
restoringUser.Type = restoringUserType;
|
|
||||||
RestoreRevokeUser_Setup(organization, restoringUser, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, restoringUser.Id));
|
|
||||||
|
|
||||||
Assert.Contains("only owners can restore other owners", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData(OrganizationUserStatusType.Invited)]
|
|
||||||
[BitAutoData(OrganizationUserStatusType.Accepted)]
|
|
||||||
[BitAutoData(OrganizationUserStatusType.Confirmed)]
|
|
||||||
public async Task RestoreUser_WithStatusOtherThanRevoked_Fails(OrganizationUserStatusType userStatus, Organization organization, [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser] OrganizationUser organizationUser, SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Status = userStatus;
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("already active", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(true);
|
|
||||||
|
|
||||||
var user = new User();
|
|
||||||
user.Email = "test@bitwarden.com";
|
|
||||||
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null;
|
|
||||||
|
|
||||||
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
|
||||||
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
|
||||||
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, false) });
|
|
||||||
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
|
|
||||||
|
|
||||||
var user = new User();
|
|
||||||
user.Email = "test@bitwarden.com";
|
|
||||||
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
|
|
||||||
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
|
||||||
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
|
||||||
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
|
|
||||||
|
|
||||||
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_WithSingleOrgPolicyEnabled_Fails(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
|
|
||||||
secondOrganizationUser.UserId = organizationUser.UserId;
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.GetManyByUserAsync(organizationUser.UserId.Value)
|
|
||||||
.Returns(new[] { organizationUser, secondOrganizationUser });
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[]
|
|
||||||
{
|
|
||||||
new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
|
|
||||||
});
|
|
||||||
|
|
||||||
var user = new User();
|
|
||||||
user.Email = "test@bitwarden.com";
|
|
||||||
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("test@bitwarden.com is not compliant with the single organization policy", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_vNext_WithOtherOrganizationSingleOrgPolicyEnabled_Fails(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
|
|
||||||
secondOrganizationUser.UserId = organizationUser.UserId;
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
|
||||||
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
|
||||||
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.AnyPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(true);
|
|
||||||
|
|
||||||
var user = new User();
|
|
||||||
user.Email = "test@bitwarden.com";
|
|
||||||
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("test@bitwarden.com belongs to an organization that doesn't allow them to join multiple organizations", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_WithSingleOrgPolicyEnabled_And_2FA_Policy_Fails(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser secondOrganizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
|
|
||||||
secondOrganizationUser.UserId = organizationUser.UserId;
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.GetManyByUserAsync(organizationUser.UserId.Value)
|
|
||||||
.Returns(new[] { organizationUser, secondOrganizationUser });
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.SingleOrg, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[]
|
|
||||||
{
|
|
||||||
new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.SingleOrg, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
|
|
||||||
});
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[]
|
|
||||||
{
|
|
||||||
new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication, OrganizationUserStatus = OrganizationUserStatusType.Revoked }
|
|
||||||
});
|
|
||||||
|
|
||||||
var user = new User();
|
|
||||||
user.Email = "test@bitwarden.com";
|
|
||||||
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("test@bitwarden.com is not compliant with the single organization and two-step login polciy", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithoutUser2FAConfigured_Fails(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null;
|
|
||||||
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
|
|
||||||
|
|
||||||
var user = new User();
|
|
||||||
user.Email = "test@bitwarden.com";
|
|
||||||
sutProvider.GetDependency<IUserRepository>().GetByIdAsync(organizationUser.UserId.Value).Returns(user);
|
|
||||||
|
|
||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
|
||||||
() => sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id));
|
|
||||||
|
|
||||||
Assert.Contains("test@bitwarden.com is not compliant with the two-step login policy", exception.Message.ToLowerInvariant());
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.RestoreAsync(Arg.Any<Guid>(), Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<EventSystemUser>());
|
|
||||||
await sutProvider.GetDependency<IPushNotificationService>()
|
|
||||||
.DidNotReceiveWithAnyArgs()
|
|
||||||
.PushSyncOrgKeysAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUser_vNext_With2FAPolicyEnabled_WithUser2FAConfigured_Success(
|
|
||||||
Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
organizationUser.Email = null; // this is required to mock that the user as had already been confirmed before the revoke
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, organizationUser, sutProvider);
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IPolicyService>()
|
|
||||||
.GetPoliciesApplicableToUserAsync(organizationUser.UserId.Value, PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organizationUser.OrganizationId, PolicyType = PolicyType.TwoFactorAuthentication } });
|
|
||||||
|
|
||||||
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
|
||||||
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(i => i.Contains(organizationUser.UserId.Value)))
|
|
||||||
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>() { (organizationUser.UserId.Value, true) });
|
|
||||||
|
|
||||||
await sutProvider.Sut.RestoreUserAsync(organizationUser, owner.Id);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IOrganizationUserRepository>()
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(organizationUser.Id, OrganizationUserStatusType.Confirmed);
|
|
||||||
await sutProvider.GetDependency<IEventService>()
|
|
||||||
.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Restored);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData(PlanType.TeamsAnnually)]
|
[BitAutoData(PlanType.TeamsAnnually)]
|
||||||
[BitAutoData(PlanType.TeamsMonthly)]
|
[BitAutoData(PlanType.TeamsMonthly)]
|
||||||
@ -2292,107 +1847,4 @@ OrganizationUserInvite invite, SutProvider<OrganizationService> sutProvider)
|
|||||||
}
|
}
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUsers_Success(Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
// Arrange
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, orgUser1, sutProvider);
|
|
||||||
var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
|
|
||||||
var eventService = sutProvider.GetDependency<IEventService>();
|
|
||||||
var twoFactorIsEnabledQuery = sutProvider.GetDependency<ITwoFactorIsEnabledQuery>();
|
|
||||||
var userService = Substitute.For<IUserService>();
|
|
||||||
|
|
||||||
orgUser1.Email = orgUser2.Email = null; // Mock that users were previously confirmed
|
|
||||||
orgUser1.OrganizationId = orgUser2.OrganizationId = organization.Id;
|
|
||||||
organizationUserRepository
|
|
||||||
.GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id)))
|
|
||||||
.Returns(new[] { orgUser1, orgUser2 });
|
|
||||||
|
|
||||||
twoFactorIsEnabledQuery
|
|
||||||
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
|
|
||||||
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
|
|
||||||
{
|
|
||||||
(orgUser1.UserId!.Value, true),
|
|
||||||
(orgUser2.UserId!.Value, false)
|
|
||||||
});
|
|
||||||
|
|
||||||
// Act
|
|
||||||
var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id }, owner.Id, userService);
|
|
||||||
|
|
||||||
// Assert
|
|
||||||
Assert.Equal(2, result.Count);
|
|
||||||
Assert.All(result, r => Assert.Empty(r.Item2)); // No error messages
|
|
||||||
await organizationUserRepository
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
|
|
||||||
await organizationUserRepository
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(orgUser2.Id, OrganizationUserStatusType.Confirmed);
|
|
||||||
await eventService.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(orgUser1, EventType.OrganizationUser_Restored);
|
|
||||||
await eventService.Received(1)
|
|
||||||
.LogOrganizationUserEventAsync(orgUser2, EventType.OrganizationUser_Restored);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory, BitAutoData]
|
|
||||||
public async Task RestoreUsers_With2FAPolicy_BlocksNonCompliantUser(Organization organization,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser owner,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser1,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser2,
|
|
||||||
[OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser orgUser3,
|
|
||||||
SutProvider<OrganizationService> sutProvider)
|
|
||||||
{
|
|
||||||
// Arrange
|
|
||||||
RestoreRevokeUser_Setup(organization, owner, orgUser1, sutProvider);
|
|
||||||
var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
|
|
||||||
var userRepository = sutProvider.GetDependency<IUserRepository>();
|
|
||||||
var policyService = sutProvider.GetDependency<IPolicyService>();
|
|
||||||
var userService = Substitute.For<IUserService>();
|
|
||||||
|
|
||||||
orgUser1.Email = orgUser2.Email = null;
|
|
||||||
orgUser3.UserId = null;
|
|
||||||
orgUser3.Key = null;
|
|
||||||
orgUser1.OrganizationId = orgUser2.OrganizationId = orgUser3.OrganizationId = organization.Id;
|
|
||||||
organizationUserRepository
|
|
||||||
.GetManyAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.Id) && ids.Contains(orgUser2.Id) && ids.Contains(orgUser3.Id)))
|
|
||||||
.Returns(new[] { orgUser1, orgUser2, orgUser3 });
|
|
||||||
|
|
||||||
userRepository.GetByIdAsync(orgUser2.UserId!.Value).Returns(new User { Email = "test@example.com" });
|
|
||||||
|
|
||||||
// Setup 2FA policy
|
|
||||||
policyService.GetPoliciesApplicableToUserAsync(Arg.Any<Guid>(), PolicyType.TwoFactorAuthentication, Arg.Any<OrganizationUserStatusType>())
|
|
||||||
.Returns(new[] { new OrganizationUserPolicyDetails { OrganizationId = organization.Id, PolicyType = PolicyType.TwoFactorAuthentication } });
|
|
||||||
|
|
||||||
// User1 has 2FA, User2 doesn't
|
|
||||||
sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
|
|
||||||
.TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(orgUser1.UserId!.Value) && ids.Contains(orgUser2.UserId!.Value)))
|
|
||||||
.Returns(new List<(Guid userId, bool twoFactorIsEnabled)>
|
|
||||||
{
|
|
||||||
(orgUser1.UserId!.Value, true),
|
|
||||||
(orgUser2.UserId!.Value, false)
|
|
||||||
});
|
|
||||||
|
|
||||||
// Act
|
|
||||||
var result = await sutProvider.Sut.RestoreUsersAsync(organization.Id, new[] { orgUser1.Id, orgUser2.Id, orgUser3.Id }, owner.Id, userService);
|
|
||||||
|
|
||||||
// Assert
|
|
||||||
Assert.Equal(3, result.Count);
|
|
||||||
Assert.Empty(result[0].Item2); // First user should succeed
|
|
||||||
Assert.Contains("two-step login", result[1].Item2); // Second user should fail
|
|
||||||
Assert.Empty(result[2].Item2); // Third user should succeed
|
|
||||||
await organizationUserRepository
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(orgUser1.Id, OrganizationUserStatusType.Confirmed);
|
|
||||||
await organizationUserRepository
|
|
||||||
.DidNotReceive()
|
|
||||||
.RestoreAsync(orgUser2.Id, Arg.Any<OrganizationUserStatusType>());
|
|
||||||
await organizationUserRepository
|
|
||||||
.Received(1)
|
|
||||||
.RestoreAsync(orgUser3.Id, OrganizationUserStatusType.Invited);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|