diff --git a/bitwarden_license/src/Sso/Controllers/AccountController.cs b/bitwarden_license/src/Sso/Controllers/AccountController.cs index c9db0290e0..420e0f7985 100644 --- a/bitwarden_license/src/Sso/Controllers/AccountController.cs +++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs @@ -44,6 +44,7 @@ namespace Bit.Sso.Controllers private readonly IUserService _userService; private readonly II18nService _i18nService; private readonly UserManager _userManager; + private readonly Core.Services.IEventService _eventService; public AccountController( IAuthenticationSchemeProvider schemeProvider, @@ -58,7 +59,8 @@ namespace Bit.Sso.Controllers IPolicyRepository policyRepository, IUserService userService, II18nService i18nService, - UserManager userManager) + UserManager userManager, + Core.Services.IEventService eventService) { _schemeProvider = schemeProvider; _clientStore = clientStore; @@ -73,6 +75,7 @@ namespace Bit.Sso.Controllers _userService = userService; _i18nService = i18nService; _userManager = userManager; + _eventService = eventService; } [HttpGet] @@ -453,7 +456,10 @@ namespace Bit.Sso.Controllers // Org User is invited - they must manually accept the invite via email and authenticate with MP throw new Exception(_i18nService.T("UserAlreadyInvited", email, organization.Name)); } - + + // Delete existing SsoUser (if any) - avoids error if providerId has changed and the sso link is stale + await DeleteExistingSsoUserRecord(existingUser.Id, orgId, orgUser); + // Accepted or Confirmed - create SSO link and return; await CreateSsoUserRecord(providerUserId, existingUser.Id, orgId); return existingUser; @@ -513,6 +519,9 @@ namespace Bit.Sso.Controllers await _organizationUserRepository.ReplaceAsync(orgUser); } + // Delete any stale user record to be safe + await DeleteExistingSsoUserRecord(existingUser.Id, orgId, orgUser); + // Create sso user record await CreateSsoUserRecord(providerUserId, user.Id, orgId); @@ -565,6 +574,15 @@ namespace Bit.Sso.Controllers return null; } + private async Task DeleteExistingSsoUserRecord(Guid userId, Guid orgId, OrganizationUser orgUser) + { + var existingSsoUser = await _ssoUserRepository.GetByUserIdOrganizationIdAsync(orgId, userId); + if (existingSsoUser != null) + { + await _ssoUserRepository.DeleteAsync(userId, orgId); + await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_ResetSsoLink); + } + } private async Task CreateSsoUserRecord(string providerUserId, Guid userId, Guid orgId) { var ssoUser = new SsoUser diff --git a/src/Core/Enums/EventType.cs b/src/Core/Enums/EventType.cs index 03c58bd8ad..bb6aca2c62 100644 --- a/src/Core/Enums/EventType.cs +++ b/src/Core/Enums/EventType.cs @@ -48,6 +48,7 @@ OrganizationUser_ResetPassword_Enroll = 1506, OrganizationUser_ResetPassword_Withdraw = 1507, OrganizationUser_AdminResetPassword = 1508, + OrganizationUser_ResetSsoLink = 1509, Organization_Updated = 1600, Organization_PurgedVault = 1601, diff --git a/src/Core/Repositories/EntityFramework/SsoUserRepository.cs b/src/Core/Repositories/EntityFramework/SsoUserRepository.cs index 6eacfa0afc..e8ad2b7363 100644 --- a/src/Core/Repositories/EntityFramework/SsoUserRepository.cs +++ b/src/Core/Repositories/EntityFramework/SsoUserRepository.cs @@ -24,5 +24,16 @@ namespace Bit.Core.Repositories.EntityFramework await dbContext.SaveChangesAsync(); } } + + public async Task GetByUserIdOrganizationIdAsync(Guid organizationId, Guid userId) + { + using (var scope = ServiceScopeFactory.CreateScope()) + { + var dbContext = GetDatabaseContext(scope); + var entity = await GetDbSet(dbContext) + .FirstOrDefaultAsync(e => e.OrganizationId == organizationId && e.UserId == userId); + return entity; + } + } } } diff --git a/src/Core/Repositories/ISsoUserRepository.cs b/src/Core/Repositories/ISsoUserRepository.cs index 510c7982c2..350c153874 100644 --- a/src/Core/Repositories/ISsoUserRepository.cs +++ b/src/Core/Repositories/ISsoUserRepository.cs @@ -1,11 +1,12 @@ -using Bit.Core.Models.Table; -using System; -using System.Threading.Tasks; +using Bit.Core.Models.Table; +using System; +using System.Threading.Tasks; namespace Bit.Core.Repositories { public interface ISsoUserRepository : IRepository { Task DeleteAsync(Guid userId, Guid? organizationId); + Task GetByUserIdOrganizationIdAsync(Guid organizationId, Guid userId); } } diff --git a/src/Core/Repositories/SqlServer/SsoUserRepository.cs b/src/Core/Repositories/SqlServer/SsoUserRepository.cs index 8ce559355a..4f68c25a3f 100644 --- a/src/Core/Repositories/SqlServer/SsoUserRepository.cs +++ b/src/Core/Repositories/SqlServer/SsoUserRepository.cs @@ -5,6 +5,7 @@ using System; using System.Threading.Tasks; using System.Data.SqlClient; using System.Data; +using System.Linq; namespace Bit.Core.Repositories.SqlServer { @@ -28,5 +29,18 @@ namespace Bit.Core.Repositories.SqlServer commandType: CommandType.StoredProcedure); } } + + public async Task GetByUserIdOrganizationIdAsync(Guid organizationId, Guid userId) + { + using (var connection = new SqlConnection(ConnectionString)) + { + var results = await connection.QueryAsync( + $"[{Schema}].[SsoUser_ReadByUserIdOrganizationId]", + new { UserId = userId, OrganizationId = organizationId }, + commandType: CommandType.StoredProcedure); + + return results.SingleOrDefault(); + } + } } } diff --git a/src/Sql/Sql.sqlproj b/src/Sql/Sql.sqlproj index 4dda7402ef..17bc308d63 100644 --- a/src/Sql/Sql.sqlproj +++ b/src/Sql/Sql.sqlproj @@ -299,6 +299,7 @@ + diff --git a/src/Sql/dbo/Stored Procedures/SsoUser_ReadByUserIdOrganizationId.sql b/src/Sql/dbo/Stored Procedures/SsoUser_ReadByUserIdOrganizationId.sql new file mode 100644 index 0000000000..8e183b6c28 --- /dev/null +++ b/src/Sql/dbo/Stored Procedures/SsoUser_ReadByUserIdOrganizationId.sql @@ -0,0 +1,15 @@ +CREATE PROCEDURE [dbo].[SsoUser_ReadByUserIdOrganizationId] + @UserId UNIQUEIDENTIFIER, + @OrganizationId UNIQUEIDENTIFIER +AS +BEGIN + SET NOCOUNT ON + + SELECT + * + FROM + [dbo].[SsoUserView] + WHERE + [UserId] = @UserId + AND [OrganizationId] = @OrganizationId +END diff --git a/util/Migrator/DbScripts/2021-09-02_00_SsoUserReadyByUserIdOrganizationId.sql b/util/Migrator/DbScripts/2021-09-02_00_SsoUserReadyByUserIdOrganizationId.sql new file mode 100644 index 0000000000..6921a6f155 --- /dev/null +++ b/util/Migrator/DbScripts/2021-09-02_00_SsoUserReadyByUserIdOrganizationId.sql @@ -0,0 +1,21 @@ +IF OBJECT_ID('[dbo].[SsoUser_ReadByUserIdOrganizationId]') IS NOT NULL +BEGIN + DROP PROCEDURE [dbo].[SsoUser_ReadByUserIdOrganizationId] +END +GO + +CREATE PROCEDURE [dbo].[SsoUser_ReadByUserIdOrganizationId] + @UserId UNIQUEIDENTIFIER, + @OrganizationId UNIQUEIDENTIFIER +AS +BEGIN + SET NOCOUNT ON + + SELECT + * + FROM + [dbo].[SsoUserView] + WHERE + [UserId] = @UserId + AND [OrganizationId] = @OrganizationId +END