nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[EC-343] Gate custom permissions behind enterprise plan (#2352)

Browse Source 
* [EC-343] Added column 'UseCustomPermissions' to Organization table

* [EC-343] Added 'UseCustomPermissions' to Api responses

* [EC-343] Added 'UseCustomPermissions' to Admin view

* [EC-343] Add constraint to Organization table to have default UseCustomPermissions value

* [EC-343] Recreate OrganizationView to include UseCustomPermissions column

* [EC-343] Add MySql EF migrations

* [EC-343] Add Postgres EF migrations

* Revert "[EC-343] Add Postgres EF migrations"

This reverts commit 8f1654cb7d.

* [EC-343] Add Postgres migrations and script

* [EC-343] dotnet format

* [EC-343] Set 'Custom Permissions' feature as unchecked for teams plan

* [EC-343] Add CustomPermissions to plan upgrades

* [EC-343] Update CURRENT_LICENSE_FILE_VERSION

* [EC-343] Enable 'Custom Permissions' on Enterprise 2019 plan

* [EC-343] Updated migration script to include Enterprise 2019 plan

* [EC-343] Update CURRENT_LICENSE_FILE_VERSION to 10

* [EC-343] Move logic checking if Organization can use custom permissions to OrganizationService

* [EC-343] Add unit tests to validate UseCustomPermissions check

* [EC-343] Revert UseCustomPermissionsFlag migration

* [EC-343] Fix typo in OrganizationUserOrganizationDetailsViewQuery

* [EC-343] Add Postgres migrations without affecting other datetime column

* [EC-343] Create ValidateOrganizationCustomPermissionsEnabledAsync. Add more unit tests around CustomPermissions check

* [EC-343] Add curly brackets to if condition

* [EC-343] Rename unit tests
This commit is contained in:
Rui Tomé
2022-12-06 09:50:08 +00:00
committed by GitHub
parent e0f37e514e
commit ae280a313c
33 changed files with 4135 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/Admin/Models/OrganizationEditModel.cs
View File

@ -42,6 +42,7 @@ public class OrganizationEditModel : OrganizationViewModel
UseResetPassword = org.UseResetPassword;
SelfHost = org.SelfHost;
UsersGetPremium = org.UsersGetPremium;
UseCustomPermissions = org.UseCustomPermissions;
MaxStorageGb = org.MaxStorageGb;
Gateway = org.Gateway;
GatewayCustomerId = org.GatewayCustomerId;
@ -101,6 +102,8 @@ public class OrganizationEditModel : OrganizationViewModel
public bool SelfHost { get; set; }
[Display(Name = "Users Get Premium")]
public bool UsersGetPremium { get; set; }
[Display(Name = "Custom Permissions")]
public bool UseCustomPermissions { get; set; }
[Display(Name = "Max. Storage GB")]
public short? MaxStorageGb { get; set; }
[Display(Name = "Gateway")]
@ -139,6 +142,7 @@ public class OrganizationEditModel : OrganizationViewModel
existingOrganization.UseResetPassword = UseResetPassword;
existingOrganization.SelfHost = SelfHost;
existingOrganization.UsersGetPremium = UsersGetPremium;
existingOrganization.UseCustomPermissions = UseCustomPermissions;
existingOrganization.MaxStorageGb = MaxStorageGb;
existingOrganization.Gateway = Gateway;
existingOrganization.GatewayCustomerId = GatewayCustomerId;

8
src/Admin/Views/Organizations/Edit.cshtml
View File

@ -27,6 +27,7 @@
document.getElementById('@(nameof(Model.UseDirectory))').checked = true;
document.getElementById('@(nameof(Model.UseEvents))').checked = true;
document.getElementById('@(nameof(Model.UsersGetPremium))').checked = true;
document.getElementById('@(nameof(Model.UseCustomPermissions))').checked = false;
document.getElementById('@(nameof(Model.UseTotp))').checked = true;
document.getElementById('@(nameof(Model.Use2fa))').checked = true;
document.getElementById('@(nameof(Model.UseApi))').checked = true;
@ -61,6 +62,7 @@
document.getElementById('@(nameof(Model.UseDirectory))').checked = true;
document.getElementById('@(nameof(Model.UseEvents))').checked = true;
document.getElementById('@(nameof(Model.UsersGetPremium))').checked = true;
document.getElementById('@(nameof(Model.UseCustomPermissions))').checked = true;
document.getElementById('@(nameof(Model.UseTotp))').checked = true;
document.getElementById('@(nameof(Model.Use2fa))').checked = true;
document.getElementById('@(nameof(Model.UseApi))').checked = true;
@ -237,10 +239,14 @@
<input type="checkbox" class="form-check-input" asp-for="UseResetPassword">
<label class="form-check-label" asp-for="UseResetPassword"></label>
</div>
<div class="form-check mb-3">
<div class="form-check">
<input type="checkbox" class="form-check-input" asp-for="UsersGetPremium">
<label class="form-check-label" asp-for="UsersGetPremium"></label>
</div>
<div class="form-check mb-3">
<input type="checkbox" class="form-check-input" asp-for="UseCustomPermissions">
<label class="form-check-label" asp-for="UseCustomPermissions"></label>
</div>
<h2>Licensing</h2>
<div class="row">
<div class="col-sm">

2
src/Api/Models/Response/Organizations/OrganizationResponseModel.cs
View File

@ -44,6 +44,7 @@ public class OrganizationResponseModel : ResponseModel
UseApi = organization.UseApi;
UseResetPassword = organization.UseResetPassword;
UsersGetPremium = organization.UsersGetPremium;
UseCustomPermissions = organization.UseCustomPermissions;
SelfHost = organization.SelfHost;
HasPublicAndPrivateKeys = organization.PublicKey != null && organization.PrivateKey != null;
}
@ -76,6 +77,7 @@ public class OrganizationResponseModel : ResponseModel
public bool UseApi { get; set; }
public bool UseResetPassword { get; set; }
public bool UsersGetPremium { get; set; }
public bool UseCustomPermissions { get; set; }
public bool SelfHost { get; set; }
public bool HasPublicAndPrivateKeys { get; set; }
}

2
src/Api/Models/Response/ProfileOrganizationResponseModel.cs
View File

@ -26,6 +26,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
UseApi = organization.UseApi;
UseResetPassword = organization.UseResetPassword;
UsersGetPremium = organization.UsersGetPremium;
UseCustomPermissions = organization.UseCustomPermissions;
SelfHost = organization.SelfHost;
Seats = organization.Seats;
MaxCollections = organization.MaxCollections;
@ -73,6 +74,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
public bool UseApi { get; set; }
public bool UseResetPassword { get; set; }
public bool UsersGetPremium { get; set; }
public bool UseCustomPermissions { get; set; }
public bool SelfHost { get; set; }
public int? Seats { get; set; }
public short? MaxCollections { get; set; }

1
src/Api/Models/Response/ProfileProviderOrganizationResponseModel.cs
View File

@ -22,6 +22,7 @@ public class ProfileProviderOrganizationResponseModel : ProfileOrganizationRespo
UseApi = organization.UseApi;
UseResetPassword = organization.UseResetPassword;
UsersGetPremium = organization.UsersGetPremium;
UseCustomPermissions = organization.UseCustomPermissions;
SelfHost = organization.SelfHost;
Seats = organization.Seats;
MaxCollections = organization.MaxCollections;

1
src/Core/Entities/Organization.cs
View File

@ -47,6 +47,7 @@ public class Organization : ITableObject<Guid>, ISubscriber, IStorable, IStorabl
public bool UseResetPassword { get; set; }
public bool SelfHost { get; set; }
public bool UsersGetPremium { get; set; }
public bool UseCustomPermissions { get; set; }
public long? Storage { get; set; }
public short? MaxStorageGb { get; set; }
public GatewayType? Gateway { get; set; }

13
src/Core/Models/Business/OrganizationLicense.cs
View File

@ -45,6 +45,7 @@ public class OrganizationLicense : ILicense
MaxStorageGb = org.MaxStorageGb;
SelfHost = org.SelfHost;
UsersGetPremium = org.UsersGetPremium;
UseCustomPermissions = org.UseCustomPermissions;
Issued = DateTime.UtcNow;
if (subscriptionInfo?.Subscription == null)
@ -117,6 +118,7 @@ public class OrganizationLicense : ILicense
public short? MaxStorageGb { get; set; }
public bool SelfHost { get; set; }
public bool UsersGetPremium { get; set; }
public bool UseCustomPermissions { get; set; }
public int Version { get; set; }
public DateTime Issued { get; set; }
public DateTime? Refresh { get; set; }
@ -131,10 +133,10 @@ public class OrganizationLicense : ILicense
/// <summary>
/// Represents the current version of the license format. Should be updated whenever new fields are added.
/// </summary>
private const int CURRENT_LICENSE_FILE_VERSION = 9;
private const int CURRENT_LICENSE_FILE_VERSION = 10;
private bool ValidLicenseVersion
{
get => Version is >= 1 and <= 10;
get => Version is >= 1 and <= 11;
}
public byte[] GetDataBytes(bool forHash = false)
@ -166,6 +168,8 @@ public class OrganizationLicense : ILicense
(Version >= 9 || !p.Name.Equals(nameof(UseKeyConnector))) &&
// UseScim was added in Version 10
(Version >= 10 || !p.Name.Equals(nameof(UseScim))) &&
// UseCustomPermissions was added in Version 11
(Version >= 11 || !p.Name.Equals(nameof(UseCustomPermissions))) &&
(
!forHash ||
(
@ -279,6 +283,11 @@ public class OrganizationLicense : ILicense
valid = organization.UseScim == UseScim;
}
if (valid && Version >= 11)
{
valid = organization.UseCustomPermissions == UseCustomPermissions;
}
return valid;
}
else

2
src/Core/Models/Data/Organizations/OrganizationAbility.cs
View File

@ -19,6 +19,7 @@ public class OrganizationAbility
UseKeyConnector = organization.UseKeyConnector;
UseScim = organization.UseScim;
UseResetPassword = organization.UseResetPassword;
UseCustomPermissions = organization.UseCustomPermissions;
}
public Guid Id { get; set; }
@ -31,4 +32,5 @@ public class OrganizationAbility
public bool UseKeyConnector { get; set; }
public bool UseScim { get; set; }
public bool UseResetPassword { get; set; }
public bool UseCustomPermissions { get; set; }
}

1
src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs
View File

@ -18,6 +18,7 @@ public class OrganizationUserOrganizationDetails
public bool UseResetPassword { get; set; }
public bool SelfHost { get; set; }
public bool UsersGetPremium { get; set; }
public bool UseCustomPermissions { get; set; }
public int? Seats { get; set; }
public short? MaxCollections { get; set; }
public short? MaxStorageGb { get; set; }

1
src/Core/Models/Data/Provider/ProviderUserOrganizationDetails.cs
View File

@ -20,6 +20,7 @@ public class ProviderUserOrganizationDetails
public bool UseResetPassword { get; set; }
public bool SelfHost { get; set; }
public bool UsersGetPremium { get; set; }
public bool UseCustomPermissions { get; set; }
public int? Seats { get; set; }
public short? MaxCollections { get; set; }
public short? MaxStorageGb { get; set; }

1
src/Core/Models/StaticStore/Plan.cs
View File

@ -37,6 +37,7 @@ public class Plan
public bool HasScim { get; set; }
public bool HasResetPassword { get; set; }
public bool UsersGetPremium { get; set; }
public bool HasCustomPermissions { get; set; }
public int UpgradeSortOrder { get; set; }
public int DisplaySortOrder { get; set; }

50
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -280,6 +280,18 @@ public class OrganizationService : IOrganizationService
}
}
if (!newPlan.HasCustomPermissions && organization.UseCustomPermissions)
{
var organizationCustomUsers =
await _organizationUserRepository.GetManyByOrganizationAsync(organization.Id,
OrganizationUserType.Custom);
if (organizationCustomUsers.Any())
{
throw new BadRequestException("Your new plan does not allow the Custom Permissions feature. " +
"Disable your Custom Permissions configuration.");
}
}
// TODO: Check storage?
string paymentIntentClientSecret = null;
@ -322,6 +334,7 @@ public class OrganizationService : IOrganizationService
organization.UseResetPassword = newPlan.HasResetPassword;
organization.SelfHost = newPlan.HasSelfHost;
organization.UsersGetPremium = newPlan.UsersGetPremium || upgrade.PremiumAccessAddon;
organization.UseCustomPermissions = newPlan.HasCustomPermissions;
organization.Plan = newPlan.Name;
organization.Enabled = success;
organization.PublicKey = upgrade.PublicKey;
@ -621,6 +634,7 @@ public class OrganizationService : IOrganizationService
UseResetPassword = plan.HasResetPassword,
SelfHost = plan.HasSelfHost,
UsersGetPremium = plan.UsersGetPremium || signup.PremiumAccessAddon,
UseCustomPermissions = plan.HasCustomPermissions,
UseScim = plan.HasScim,
Plan = plan.Name,
Gateway = null,
@ -730,6 +744,7 @@ public class OrganizationService : IOrganizationService
Plan = license.Plan,
SelfHost = license.SelfHost,
UsersGetPremium = license.UsersGetPremium,
UseCustomPermissions = license.UseCustomPermissions,
Gateway = null,
GatewayCustomerId = null,
GatewaySubscriptionId = null,
@ -931,6 +946,18 @@ public class OrganizationService : IOrganizationService
}
}
if (!license.UseCustomPermissions && organization.UseCustomPermissions)
{
var organizationCustomUsers =
await _organizationUserRepository.GetManyByOrganizationAsync(organization.Id,
OrganizationUserType.Custom);
if (organizationCustomUsers.Any())
{
throw new BadRequestException("Your new plan does not allow the Custom Permissions feature. " +
"Disable your Custom Permissions configuration.");
}
}
if (!license.UseResetPassword && organization.UseResetPassword)
{
var resetPasswordPolicy =
@ -966,6 +993,7 @@ public class OrganizationService : IOrganizationService
organization.UseResetPassword = license.UseResetPassword;
organization.SelfHost = license.SelfHost;
organization.UsersGetPremium = license.UsersGetPremium;
organization.UseCustomPermissions = license.UseCustomPermissions;
organization.Plan = license.Plan;
organization.Enabled = license.Enabled;
organization.ExpirationDate = license.Expires;
@ -1122,6 +1150,7 @@ public class OrganizationService : IOrganizationService
foreach (var type in inviteTypes)
{
await ValidateOrganizationUserUpdatePermissions(organizationId, type, null);
await ValidateOrganizationCustomPermissionsEnabledAsync(organizationId, type);
}
}
@ -1648,6 +1677,8 @@ public class OrganizationService : IOrganizationService
await ValidateOrganizationUserUpdatePermissions(user.OrganizationId, user.Type, originalUser.Type);
}
await ValidateOrganizationCustomPermissionsEnabledAsync(user.OrganizationId, user.Type);
if (user.Type != OrganizationUserType.Owner &&
!await HasConfirmedOwnersExceptAsync(user.OrganizationId, new[] { user.Id }))
{
@ -2256,6 +2287,25 @@ public class OrganizationService : IOrganizationService
}
}
private async Task ValidateOrganizationCustomPermissionsEnabledAsync(Guid organizationId, OrganizationUserType newType)
{
if (newType != OrganizationUserType.Custom)
{
return;
}
var organization = await _organizationRepository.GetByIdAsync(organizationId);
if (organization == null)
{
throw new NotFoundException();
}
if (!organization.UseCustomPermissions)
{
throw new BadRequestException("To enable custom permissions the organization must be on an Enterprise plan.");
}
}
private async Task ValidateDeleteOrganizationAsync(Organization organization)
{
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);

4
src/Core/Utilities/StaticStore.cs
View File

@ -241,6 +241,7 @@ public class StaticStore
Has2fa = true,
HasApi = true,
UsersGetPremium = true,
HasCustomPermissions = true,
UpgradeSortOrder = 3,
DisplaySortOrder = 3,
@ -279,6 +280,7 @@ public class StaticStore
HasApi = true,
HasSelfHost = true,
UsersGetPremium = true,
HasCustomPermissions = true,
UpgradeSortOrder = 3,
DisplaySortOrder = 3,
@ -418,6 +420,7 @@ public class StaticStore
HasScim = true,
HasResetPassword = true,
UsersGetPremium = true,
HasCustomPermissions = true,
UpgradeSortOrder = 3,
DisplaySortOrder = 3,
@ -458,6 +461,7 @@ public class StaticStore
HasScim = true,
HasResetPassword = true,
UsersGetPremium = true,
HasCustomPermissions = true,
UpgradeSortOrder = 3,
DisplaySortOrder = 3,

1
src/Infrastructure.EntityFramework/Repositories/OrganizationRepository.cs
View File

@ -85,6 +85,7 @@ public class OrganizationRepository : Repository<Core.Entities.Organization, Org
UseKeyConnector = e.UseKeyConnector,
UseResetPassword = e.UseResetPassword,
UseScim = e.UseScim,
UseCustomPermissions = e.UseCustomPermissions
}).ToListAsync();
}
}

1
src/Infrastructure.EntityFramework/Repositories/Queries/OrganizationUserOrganizationDetailsViewQuery.cs
View File

@ -39,6 +39,7 @@ public class OrganizationUserOrganizationDetailsViewQuery : IQuery<OrganizationU
UseResetPassword = o.UseResetPassword,
SelfHost = o.SelfHost,
UsersGetPremium = o.UsersGetPremium,
UseCustomPermissions = o.UseCustomPermissions,
Seats = o.Seats,
MaxCollections = o.MaxCollections,
MaxStorageGb = o.MaxStorageGb,

1
src/Infrastructure.EntityFramework/Repositories/Queries/ProviderUserOrganizationDetailsViewQuery.cs
View File

@ -29,6 +29,7 @@ public class ProviderUserOrganizationDetailsViewQuery : IQuery<ProviderUserOrgan
UseApi = x.o.UseApi,
SelfHost = x.o.SelfHost,
UsersGetPremium = x.o.UsersGetPremium,
UseCustomPermissions = x.o.UseCustomPermissions,
Seats = x.o.Seats,
MaxCollections = x.o.MaxCollections,
MaxStorageGb = x.o.MaxStorageGb,

9
src/Sql/dbo/Stored Procedures/Organization_Create.sql
View File

@ -41,7 +41,8 @@
@OwnersNotifiedOfAutoscaling DATETIME2(7),
@MaxAutoscaleSeats INT,
@UseKeyConnector BIT = 0,
@UseScim BIT = 0
@UseScim BIT = 0,
@UseCustomPermissions BIT = 0
AS
BEGIN
SET NOCOUNT ON
@ -90,7 +91,8 @@ BEGIN
[OwnersNotifiedOfAutoscaling],
[MaxAutoscaleSeats],
[UseKeyConnector],
[UseScim]
[UseScim],
[UseCustomPermissions]
)
VALUES
(
@ -136,6 +138,7 @@ BEGIN
@OwnersNotifiedOfAutoscaling,
@MaxAutoscaleSeats,
@UseKeyConnector,
@UseScim
@UseScim,
@UseCustomPermissions
)
END

1
src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql
View File

@ -14,6 +14,7 @@ BEGIN
0
END AS [Using2fa],
[UsersGetPremium],
[UseCustomPermissions],
[UseSso],
[UseKeyConnector],
[UseScim],

6
src/Sql/dbo/Stored Procedures/Organization_Update.sql
View File

@ -41,7 +41,8 @@
@OwnersNotifiedOfAutoscaling DATETIME2(7),
@MaxAutoscaleSeats INT,
@UseKeyConnector BIT = 0,
@UseScim BIT = 0
@UseScim BIT = 0,
@UseCustomPermissions BIT = 0
AS
BEGIN
SET NOCOUNT ON
@ -90,7 +91,8 @@ BEGIN
[OwnersNotifiedOfAutoscaling] = @OwnersNotifiedOfAutoscaling,
[MaxAutoscaleSeats] = @MaxAutoscaleSeats,
[UseKeyConnector] = @UseKeyConnector,
[UseScim] = @UseScim
[UseScim] = @UseScim,
[UseCustomPermissions] = @UseCustomPermissions
WHERE
[Id] = @Id
END

1
src/Sql/dbo/Tables/Organization.sql
View File

@ -42,6 +42,7 @@
[MaxAutoscaleSeats] INT NULL,
[UseKeyConnector] BIT NOT NULL,
[UseScim] BIT NOT NULL CONSTRAINT [DF_Organization_UseScim] DEFAULT (0),
[UseCustomPermissions] BIT NOT NULL CONSTRAINT [DF_Organization_UseCustomPermissions] DEFAULT (0),
CONSTRAINT [PK_Organization] PRIMARY KEY CLUSTERED ([Id] ASC)
);

1
src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql
View File

@ -19,6 +19,7 @@ SELECT
O.[UseResetPassword],
O.[SelfHost],
O.[UsersGetPremium],
O.[UseCustomPermissions],
O.[Seats],
O.[MaxCollections],
O.[MaxStorageGb],

1
src/Sql/dbo/Views/ProviderUserProviderOrganizationDetailsView.sql
View File

@ -18,6 +18,7 @@ SELECT
O.[UseResetPassword],
O.[SelfHost],
O.[UsersGetPremium],
O.[UseCustomPermissions],
O.[Seats],
O.[MaxCollections],
O.[MaxStorageGb],