From 8dffb27667c2181fdbc14a125cf4b35580e98a41 Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Wed, 24 Nov 2021 14:18:52 -0600
Subject: [PATCH] Families for enterprise/add sponsorship prevalidate (#1734)

* Add sponsorship prevalidate endpoint

* Test pre validate endpoint

* Fix tests

* Rename variable
---
 .../OrganizationSponsorshipsController.cs     | 11 +++++--
 .../IOrganizationSponsorshipService.cs        |  2 +-
 .../OrganizationSponsorshipService.cs         |  8 +++--
 ...OrganizationSponsorshipsControllerTests.cs | 33 +++++++++++++++----
 4 files changed, 41 insertions(+), 13 deletions(-)

diff --git a/src/Api/Controllers/OrganizationSponsorshipsController.cs b/src/Api/Controllers/OrganizationSponsorshipsController.cs
index 40fd4e6fac..b537d963aa 100644
--- a/src/Api/Controllers/OrganizationSponsorshipsController.cs
+++ b/src/Api/Controllers/OrganizationSponsorshipsController.cs
@@ -1,8 +1,6 @@
 using System;
-using System.Linq;
 using System.Threading.Tasks;
 using Bit.Core.Context;
-using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Api.Request;
@@ -67,11 +65,18 @@ namespace Bit.Api.Controllers
                 (await CurrentUser).Email);
         }
 
+        [HttpPost("validate-token")]
+        [SelfHosted(NotSelfHostedOnly = true)]
+        public async Task<bool> PreValidateSponsorshipToken([FromQuery] string sponsorshipToken)
+        {
+            return await _organizationsSponsorshipService.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email);
+        }
+
         [HttpPost("redeem")]
         [SelfHosted(NotSelfHostedOnly = true)]
         public async Task RedeemSponsorship([FromQuery] string sponsorshipToken, [FromBody] OrganizationSponsorshipRedeemRequestModel model)
         {
-            if (!await _organizationsSponsorshipService.ValidateRedemptionTokenAsync(sponsorshipToken))
+            if (!await _organizationsSponsorshipService.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email))
             {
                 throw new BadRequestException("Failed to parse sponsorship token.");
             }
diff --git a/src/Core/Services/IOrganizationSponsorshipService.cs b/src/Core/Services/IOrganizationSponsorshipService.cs
index ec86688d21..06391b9ca5 100644
--- a/src/Core/Services/IOrganizationSponsorshipService.cs
+++ b/src/Core/Services/IOrganizationSponsorshipService.cs
@@ -7,7 +7,7 @@ namespace Bit.Core.Services
 {
     public interface IOrganizationSponsorshipService
     {
-        Task<bool> ValidateRedemptionTokenAsync(string encryptedToken);
+        Task<bool> ValidateRedemptionTokenAsync(string encryptedToken, string currentUserEmail);
         Task OfferSponsorshipAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
             PlanSponsorshipType sponsorshipType, string sponsoredEmail, string friendlyName, string sponsoringUserEmail);
         Task ResendSponsorshipOfferAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
diff --git a/src/Core/Services/Implementations/OrganizationSponsorshipService.cs b/src/Core/Services/Implementations/OrganizationSponsorshipService.cs
index 20bcb8aff5..faf1967979 100644
--- a/src/Core/Services/Implementations/OrganizationSponsorshipService.cs
+++ b/src/Core/Services/Implementations/OrganizationSponsorshipService.cs
@@ -37,9 +37,9 @@ namespace Bit.Core.Services
             _dataProtector = dataProtectionProvider.CreateProtector("OrganizationSponsorshipServiceDataProtector");
         }
 
-        public async Task<bool> ValidateRedemptionTokenAsync(string encryptedToken)
+        public async Task<bool> ValidateRedemptionTokenAsync(string encryptedToken, string sponsoredUserEmail)
         {
-            if (!encryptedToken.StartsWith(TokenClearTextPrefix))
+            if (!encryptedToken.StartsWith(TokenClearTextPrefix) || sponsoredUserEmail == null)
             {
                 return false;
             }
@@ -61,7 +61,9 @@ namespace Bit.Core.Services
                 }
 
                 var sponsorship = await _organizationSponsorshipRepository.GetByIdAsync(sponsorshipId);
-                if (sponsorship == null || sponsorship.PlanSponsorshipType != sponsorshipType)
+                if (sponsorship == null ||
+                    sponsorship.PlanSponsorshipType != sponsorshipType ||
+                    sponsorship.OfferedToEmail != sponsoredUserEmail)
                 {
                     return false;
                 }
diff --git a/test/Api.Test/Controllers/OrganizationSponsorshipsControllerTests.cs b/test/Api.Test/Controllers/OrganizationSponsorshipsControllerTests.cs
index 949b6d48b1..b0d832de3d 100644
--- a/test/Api.Test/Controllers/OrganizationSponsorshipsControllerTests.cs
+++ b/test/Api.Test/Controllers/OrganizationSponsorshipsControllerTests.cs
@@ -39,11 +39,14 @@ namespace Bit.Api.Test.Controllers
 
         [Theory]
         [BitAutoData]
-        public async Task RedeemSponsorship_BadToken_ThrowsBadRequest(string sponsorshipToken,
+        public async Task RedeemSponsorship_BadToken_ThrowsBadRequest(string sponsorshipToken, User user,
             OrganizationSponsorshipRedeemRequestModel model, SutProvider<OrganizationSponsorshipsController> sutProvider)
         {
-            sutProvider.GetDependency<IOrganizationSponsorshipService>().ValidateRedemptionTokenAsync(sponsorshipToken)
-                .Returns(false);
+            sutProvider.GetDependency<ICurrentContext>().UserId.Returns(user.Id);
+            sutProvider.GetDependency<IUserService>().GetUserByIdAsync(user.Id)
+                .Returns(user);
+            sutProvider.GetDependency<IOrganizationSponsorshipService>().ValidateRedemptionTokenAsync(sponsorshipToken,
+                user.Email).Returns(false);
 
             var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
                 sutProvider.Sut.RedeemSponsorship(sponsorshipToken, model));
@@ -56,11 +59,14 @@ namespace Bit.Api.Test.Controllers
 
         [Theory]
         [BitAutoData]
-        public async Task RedeemSponsorship_NotSponsoredOrgOwner_ThrowsBadRequest(string sponsorshipToken,
+        public async Task RedeemSponsorship_NotSponsoredOrgOwner_ThrowsBadRequest(string sponsorshipToken, User user,
             OrganizationSponsorshipRedeemRequestModel model, SutProvider<OrganizationSponsorshipsController> sutProvider)
         {
-            sutProvider.GetDependency<IOrganizationSponsorshipService>().ValidateRedemptionTokenAsync(sponsorshipToken)
-                .Returns(true);
+            sutProvider.GetDependency<ICurrentContext>().UserId.Returns(user.Id);
+            sutProvider.GetDependency<IUserService>().GetUserByIdAsync(user.Id)
+                .Returns(user);
+            sutProvider.GetDependency<IOrganizationSponsorshipService>().ValidateRedemptionTokenAsync(sponsorshipToken,
+                user.Email).Returns(true);
             sutProvider.GetDependency<ICurrentContext>().OrganizationOwner(model.SponsoredOrganizationId).Returns(false);
 
             var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
@@ -72,6 +78,21 @@ namespace Bit.Api.Test.Controllers
                 .SetUpSponsorshipAsync(default, default);
         }
 
+        [Theory]
+        [BitAutoData]
+        public async Task PreValidateSponsorshipToken_ValidatesToken_Success(string sponsorshipToken, User user,
+            SutProvider<OrganizationSponsorshipsController> sutProvider)
+        {
+            sutProvider.GetDependency<ICurrentContext>().UserId.Returns(user.Id);
+            sutProvider.GetDependency<IUserService>().GetUserByIdAsync(user.Id)
+                .Returns(user);
+
+            await sutProvider.Sut.PreValidateSponsorshipToken(sponsorshipToken);
+
+            await sutProvider.GetDependency<IOrganizationSponsorshipService>().Received(1)
+                .ValidateRedemptionTokenAsync(sponsorshipToken, user.Email);
+        }
+
         [Theory]
         [BitAutoData]
         public async Task RevokeSponsorship_WrongSponsoringUser_ThrowsBadRequest(OrganizationUser sponsoringOrgUser,