[AC-1435] Single Organization policy prerequisite for Account Recovery policy (#3082)

* [AC-1435] Automatically enable Single Org policy when selecting TDE * [AC-1435] Add test for automatic policy enablement * [AC-1435] Prevent disabling single org when account recovery is enabled * [AC-1435] Require Single Org policy when enabling Account recovery * [AC-1435] Add unit test to check for account recovery policy when attempting to disable single org * [AC-1435] Add test to verify single org policy is enabled for account recovery policy * [AC-1435] Fix failing test
2025-06-30 23:52:50 -05:00 · 2023-07-18 08:00:49 -07:00
parent fe570cb6c8
commit a095e02e86
4 changed files with 129 additions and 1 deletions
--- a/src/Core/Auth/Services/Implementations/SsoConfigService.cs
+++ b/src/Core/Auth/Services/Implementations/SsoConfigService.cs
@ -63,9 +63,16 @@ public class SsoConfigService : ISsoConfigService
            throw new BadRequestException("Key Connector cannot be disabled at this moment.");
        }

-        // Automatically enable reset password policy if trusted device encryption is selected
+        // Automatically enable account recovery and single org policies if trusted device encryption is selected
        if (config.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
        {
+            var singleOrgPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg) ??
+                                  new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.SingleOrg };
+
+            singleOrgPolicy.Enabled = true;
+
+            await _policyService.SaveAsync(singleOrgPolicy, _userService, _organizationService, null);
+
            var resetPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.ResetPassword) ??
                              new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.ResetPassword, };

--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@ -61,6 +61,7 @@ public class PolicyService : IPolicyService
                    await RequiredBySsoAsync(org);
                    await RequiredByVaultTimeoutAsync(org);
                    await RequiredByKeyConnectorAsync(org);
+                    await RequiredByAccountRecoveryAsync(org);
                }
                break;

@ -80,6 +81,11 @@ public class PolicyService : IPolicyService
                {
                    await RequiredBySsoTrustedDeviceEncryptionAsync(org);
                }
+
+                if (policy.Enabled)
+                {
+                    await DependsOnSingleOrgAsync(org);
+                }
                break;

            case PolicyType.MaximumVaultTimeout:
@ -244,6 +250,15 @@ public class PolicyService : IPolicyService
        }
    }

+    private async Task RequiredByAccountRecoveryAsync(Organization org)
+    {
+        var requireSso = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.ResetPassword);
+        if (requireSso?.Enabled == true)
+        {
+            throw new BadRequestException("Account recovery policy is enabled.");
+        }
+    }
+
    private async Task RequiredByVaultTimeoutAsync(Organization org)
    {
        var vaultTimeout = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);