diff --git a/src/Api/AdminConsole/Controllers/OrganizationAuthRequestsController.cs b/src/Api/AdminConsole/Controllers/OrganizationAuthRequestsController.cs index 36555a7d2a..cb06b62111 100644 --- a/src/Api/AdminConsole/Controllers/OrganizationAuthRequestsController.cs +++ b/src/Api/AdminConsole/Controllers/OrganizationAuthRequestsController.cs @@ -1,14 +1,12 @@ using Bit.Api.AdminConsole.Models.Request; using Bit.Api.AdminConsole.Models.Response; using Bit.Api.Models.Response; -using Bit.Core; using Bit.Core.AdminConsole.OrganizationAuth.Interfaces; using Bit.Core.Auth.Models.Api.Request.AuthRequest; using Bit.Core.Auth.Services; using Bit.Core.Context; using Bit.Core.Exceptions; using Bit.Core.Repositories; -using Bit.Core.Utilities; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; @@ -16,7 +14,6 @@ namespace Bit.Api.AdminConsole.Controllers; [Route("organizations/{orgId}/auth-requests")] [Authorize("Application")] -[RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)] public class OrganizationAuthRequestsController : Controller { private readonly IAuthRequestRepository _authRequestRepository; diff --git a/src/Api/AdminConsole/Controllers/OrganizationsController.cs b/src/Api/AdminConsole/Controllers/OrganizationsController.cs index a7daeb735d..3293041a2b 100644 --- a/src/Api/AdminConsole/Controllers/OrganizationsController.cs +++ b/src/Api/AdminConsole/Controllers/OrganizationsController.cs @@ -764,12 +764,6 @@ public class OrganizationsController : Controller throw new NotFoundException(); } - if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption && - !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext)) - { - throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type."); - } - var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id); ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig); organization.Identifier = model.Identifier; diff --git a/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs b/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs index 4366ddbda3..b9fba5af22 100644 --- a/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs +++ b/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs @@ -1,12 +1,10 @@ -using Bit.Core; -using Bit.Core.Auth.Entities; +using Bit.Core.Auth.Entities; using Bit.Core.Auth.Enums; using Bit.Core.Auth.Models.Api.Response; using Bit.Core.Auth.Utilities; using Bit.Core.Context; using Bit.Core.Entities; using Bit.Core.Repositories; -using Bit.Core.Services; using Bit.Identity.Utilities; namespace Bit.Identity.IdentityServer; @@ -20,7 +18,6 @@ namespace Bit.Identity.IdentityServer; public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder { private readonly ICurrentContext _currentContext; - private readonly IFeatureService _featureService; private readonly IDeviceRepository _deviceRepository; private readonly IOrganizationUserRepository _organizationUserRepository; @@ -31,13 +28,11 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder public UserDecryptionOptionsBuilder( ICurrentContext currentContext, - IFeatureService featureService, IDeviceRepository deviceRepository, IOrganizationUserRepository organizationUserRepository ) { _currentContext = currentContext; - _featureService = featureService; _deviceRepository = deviceRepository; _organizationUserRepository = organizationUserRepository; } @@ -95,7 +90,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder private async Task BuildTrustedDeviceOptions() { // TrustedDeviceEncryption only exists for SSO, if that changes then these guards should change - if (_ssoConfig == null || !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext)) + if (_ssoConfig == null) { return; } diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs index 6821f4a1d3..70f6e5e1af 100644 --- a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs +++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs @@ -1,18 +1,15 @@ using System.Security.Claims; using System.Text.Json; -using Bit.Core; using Bit.Core.AdminConsole.Entities; using Bit.Core.Auth.Entities; using Bit.Core.Auth.Enums; using Bit.Core.Auth.Models.Api.Request.Accounts; using Bit.Core.Auth.Models.Data; using Bit.Core.Auth.Repositories; -using Bit.Core.Context; using Bit.Core.Entities; using Bit.Core.Enums; using Bit.Core.Models.Data; using Bit.Core.Repositories; -using Bit.Core.Services; using Bit.Core.Utilities; using Bit.IntegrationTestCommon.Factories; using Bit.Test.Common.Helpers; @@ -383,36 +380,6 @@ public class IdentityServerSsoTests } - - [Fact] - public async Task SsoLogin_TrustedDeviceEncryption_FlagTurnedOff_DoesNotReturnOption() - { - // This creates SsoConfig that HAS enabled trusted device encryption which should have only been - // done with the feature flag turned on but we are testing that even if they have done that, this will turn off - // if returning as an option if the flag has later been turned off. We should be very careful turning the flag - // back off. - using var responseBody = await RunSuccessTestAsync(async factory => - { - await UpdateUserAsync(factory, user => user.MasterPassword = null); - }, MemberDecryptionType.TrustedDeviceEncryption, trustedDeviceEnabled: false); - - // Assert - // If the organization has selected TrustedDeviceEncryption but the user still has their master password - // they can decrypt with either option - var root = responseBody.RootElement; - AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String); - var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object); - - // Expected to look like: - // "UserDecryptionOptions": { - // "Object": "userDecryptionOptions" - // "HasMasterPassword": false - // } - - // Should only have 2 properties - Assert.Equal(2, userDecryptionOptions.EnumerateObject().Count()); - } - [Fact] public async Task SsoLogin_KeyConnector_ReturnsOptions() { @@ -511,12 +478,6 @@ public class IdentityServerSsoTests .Returns(authorizationCode); }); - factory.SubstitueService(service => - { - service.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, Arg.Any()) - .Returns(trustedDeviceEnabled); - }); - // This starts the server and finalizes services var registerResponse = await factory.RegisterAsync(new RegisterRequestModel { diff --git a/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs b/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs index 604c7709b7..fe2d4ad182 100644 --- a/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs +++ b/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs @@ -1,11 +1,9 @@ -using Bit.Core; -using Bit.Core.Auth.Entities; +using Bit.Core.Auth.Entities; using Bit.Core.Auth.Enums; using Bit.Core.Auth.Models.Data; using Bit.Core.Context; using Bit.Core.Entities; using Bit.Core.Repositories; -using Bit.Core.Services; using Bit.Identity.IdentityServer; using Bit.Identity.Utilities; using Bit.Test.Common.AutoFixture.Attributes; @@ -17,7 +15,6 @@ namespace Bit.Identity.Test.IdentityServer; public class UserDecryptionOptionsBuilderTests { private readonly ICurrentContext _currentContext; - private readonly IFeatureService _featureService; private readonly IDeviceRepository _deviceRepository; private readonly IOrganizationUserRepository _organizationUserRepository; private readonly UserDecryptionOptionsBuilder _builder; @@ -25,10 +22,9 @@ public class UserDecryptionOptionsBuilderTests public UserDecryptionOptionsBuilderTests() { _currentContext = Substitute.For(); - _featureService = Substitute.For(); _deviceRepository = Substitute.For(); _organizationUserRepository = Substitute.For(); - _builder = new UserDecryptionOptionsBuilder(_currentContext, _featureService, _deviceRepository, _organizationUserRepository); + _builder = new UserDecryptionOptionsBuilder(_currentContext, _deviceRepository, _organizationUserRepository); } [Theory] @@ -79,7 +75,6 @@ public class UserDecryptionOptionsBuilderTests [Theory, BitAutoData] public async Task Build_WhenTrustedDeviceIsEnabled_ShouldReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device) { - _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true); configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption; ssoConfig.Data = configurationData.Serialize(); @@ -91,23 +86,9 @@ public class UserDecryptionOptionsBuilderTests Assert.False(result.TrustedDeviceOption!.HasManageResetPasswordPermission); } - // TODO: Remove when FeatureFlagKeys.TrustedDeviceEncryption is removed - [Theory, BitAutoData] - public async Task Build_WhenTrustedDeviceIsEnabledButFeatureFlagIsDisabled_ShouldNotReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device) - { - _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(false); - configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption; - ssoConfig.Data = configurationData.Serialize(); - - var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync(); - - Assert.Null(result.TrustedDeviceOption); - } - [Theory, BitAutoData] public async Task Build_WhenDeviceIsTrusted_ShouldReturnKeys(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device) { - _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true); configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption; ssoConfig.Data = configurationData.Serialize(); device.EncryptedPrivateKey = "encryptedPrivateKey"; @@ -123,7 +104,6 @@ public class UserDecryptionOptionsBuilderTests [Theory, BitAutoData] public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice) { - _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true); configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption; ssoConfig.Data = configurationData.Serialize(); approvingDevice.Type = LoginApprovingDeviceTypes.Types.First(); @@ -140,7 +120,6 @@ public class UserDecryptionOptionsBuilderTests SsoConfigurationData configurationData, CurrentContextOrganization organization) { - _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true); configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption; ssoConfig.Data = configurationData.Serialize(); ssoConfig.OrganizationId = organization.Id; @@ -159,7 +138,6 @@ public class UserDecryptionOptionsBuilderTests OrganizationUser organizationUser, User user) { - _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true); configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption; ssoConfig.Data = configurationData.Serialize(); organizationUser.ResetPasswordKey = "resetPasswordKey";