[EC-343] Gate custom permissions behind enterprise plan (#2352)
* [EC-343] Added column 'UseCustomPermissions' to Organization table
* [EC-343] Added 'UseCustomPermissions' to Api responses
* [EC-343] Added 'UseCustomPermissions' to Admin view
* [EC-343] Add constraint to Organization table to have default UseCustomPermissions value
* [EC-343] Recreate OrganizationView to include UseCustomPermissions column
* [EC-343] Add MySql EF migrations
* [EC-343] Add Postgres EF migrations
* Revert "[EC-343] Add Postgres EF migrations"
This reverts commit 8f1654cb7d.
* [EC-343] Add Postgres migrations and script
* [EC-343] dotnet format
* [EC-343] Set 'Custom Permissions' feature as unchecked for teams plan
* [EC-343] Add CustomPermissions to plan upgrades
* [EC-343] Update CURRENT_LICENSE_FILE_VERSION
* [EC-343] Enable 'Custom Permissions' on Enterprise 2019 plan
* [EC-343] Updated migration script to include Enterprise 2019 plan
* [EC-343] Update CURRENT_LICENSE_FILE_VERSION to 10
* [EC-343] Move logic checking if Organization can use custom permissions to OrganizationService
* [EC-343] Add unit tests to validate UseCustomPermissions check
* [EC-343] Revert UseCustomPermissionsFlag migration
* [EC-343] Fix typo in OrganizationUserOrganizationDetailsViewQuery
* [EC-343] Add Postgres migrations without affecting other datetime column
* [EC-343] Create ValidateOrganizationCustomPermissionsEnabledAsync. Add more unit tests around CustomPermissions check
* [EC-343] Add curly brackets to if condition
* [EC-343] Rename unit tests
@ -47,6 +47,7 @@ public class Organization : ITableObject<Guid>, ISubscriber, IStorable, IStorabl
|
||||
public bool UseResetPassword { get; set; }
|
||||
public bool SelfHost { get; set; }
|
||||
public bool UsersGetPremium { get; set; }
|
||||
public bool UseCustomPermissions { get; set; }
|
||||
public long? Storage { get; set; }
|
||||
public short? MaxStorageGb { get; set; }
|
||||
public GatewayType? Gateway { get; set; }
|
||||
|
@ -45,6 +45,7 @@ public class OrganizationLicense : ILicense
|
||||
MaxStorageGb = org.MaxStorageGb;
|
||||
SelfHost = org.SelfHost;
|
||||
UsersGetPremium = org.UsersGetPremium;
|
||||
UseCustomPermissions = org.UseCustomPermissions;
|
||||
Issued = DateTime.UtcNow;
|
||||
|
||||
if (subscriptionInfo?.Subscription == null)
|
||||
@ -117,6 +118,7 @@ public class OrganizationLicense : ILicense
|
||||
public short? MaxStorageGb { get; set; }
|
||||
public bool SelfHost { get; set; }
|
||||
public bool UsersGetPremium { get; set; }
|
||||
public bool UseCustomPermissions { get; set; }
|
||||
public int Version { get; set; }
|
||||
public DateTime Issued { get; set; }
|
||||
public DateTime? Refresh { get; set; }
|
||||
@ -131,10 +133,10 @@ public class OrganizationLicense : ILicense
|
||||
/// <summary>
|
||||
/// Represents the current version of the license format. Should be updated whenever new fields are added.
|
||||
/// </summary>
|
||||
private const int CURRENT_LICENSE_FILE_VERSION = 9;
|
||||
private const int CURRENT_LICENSE_FILE_VERSION = 10;
|
||||
private bool ValidLicenseVersion
|
||||
{
|
||||
get => Version is >= 1 and <= 10;
|
||||
get => Version is >= 1 and <= 11;
|
||||
}
|
||||
|
||||
public byte[] GetDataBytes(bool forHash = false)
|
||||
@ -166,6 +168,8 @@ public class OrganizationLicense : ILicense
|
||||
(Version >= 9 || !p.Name.Equals(nameof(UseKeyConnector))) &&
|
||||
// UseScim was added in Version 10
|
||||
(Version >= 10 || !p.Name.Equals(nameof(UseScim))) &&
|
||||
// UseCustomPermissions was added in Version 11
|
||||
(Version >= 11 || !p.Name.Equals(nameof(UseCustomPermissions))) &&
|
||||
(
|
||||
!forHash ||
|
||||
(
|
||||
@ -279,6 +283,11 @@ public class OrganizationLicense : ILicense
|
||||
valid = organization.UseScim == UseScim;
|
||||
}
|
||||
|
||||
if (valid && Version >= 11)
|
||||
{
|
||||
valid = organization.UseCustomPermissions == UseCustomPermissions;
|
||||
}
|
||||
|
||||
return valid;
|
||||
}
|
||||
else
|
||||
|
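Review bot: The three version numbers touched in this section are left unexplained: CURRENT_LICENSE_FILE_VERSION becomes 10, ValidLicenseVersion accepts up to 11, and UseCustomPermissions is gated on `Version >= 11` both in GetDataBytes and in the `valid` check at the end of the section. The same one-behind offset already existed before the change (9 / `<= 10` / UseScim gated at 10), so it is presumably a deliberate convention rather than an off-by-one, but nothing on the page says so, and the `<summary>` on the constant only says to bump it when fields are added. I would extend that doc comment with the reason for the lag, e.g. `/// Intentionally kept one behind the newest field gate (see the Version >= N checks in GetDataBytes and the license validity check).`, so the next person adding a field does not "fix" it. GetDataBytes and the method containing the `valid` checks both start and end outside the hunks shown.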
@ -19,6 +19,7 @@ public class OrganizationAbility
|
||||
UseKeyConnector = organization.UseKeyConnector;
|
||||
UseScim = organization.UseScim;
|
||||
UseResetPassword = organization.UseResetPassword;
|
||||
UseCustomPermissions = organization.UseCustomPermissions;
|
||||
}
|
||||
|
||||
public Guid Id { get; set; }
|
||||
@ -31,4 +32,5 @@ public class OrganizationAbility
|
||||
public bool UseKeyConnector { get; set; }
|
||||
public bool UseScim { get; set; }
|
||||
public bool UseResetPassword { get; set; }
|
||||
public bool UseCustomPermissions { get; set; }
|
||||
}
|
||||
|
@ -18,6 +18,7 @@ public class OrganizationUserOrganizationDetails
|
||||
public bool UseResetPassword { get; set; }
|
||||
public bool SelfHost { get; set; }
|
||||
public bool UsersGetPremium { get; set; }
|
||||
public bool UseCustomPermissions { get; set; }
|
||||
public int? Seats { get; set; }
|
||||
public short? MaxCollections { get; set; }
|
||||
public short? MaxStorageGb { get; set; }
|
||||
|
@ -20,6 +20,7 @@ public class ProviderUserOrganizationDetails
|
||||
public bool UseResetPassword { get; set; }
|
||||
public bool SelfHost { get; set; }
|
||||
public bool UsersGetPremium { get; set; }
|
||||
public bool UseCustomPermissions { get; set; }
|
||||
public int? Seats { get; set; }
|
||||
public short? MaxCollections { get; set; }
|
||||
public short? MaxStorageGb { get; set; }
|
||||
|
@ -37,6 +37,7 @@ public class Plan
|
||||
public bool HasScim { get; set; }
|
||||
public bool HasResetPassword { get; set; }
|
||||
public bool UsersGetPremium { get; set; }
|
||||
public bool HasCustomPermissions { get; set; }
|
||||
|
||||
public int UpgradeSortOrder { get; set; }
|
||||
public int DisplaySortOrder { get; set; }
|
||||
|
@ -280,6 +280,18 @@ public class OrganizationService : IOrganizationService
|
||||
}
|
||||
}
|
||||
|
||||
if (!newPlan.HasCustomPermissions && organization.UseCustomPermissions)
|
||||
{
|
||||
var organizationCustomUsers =
|
||||
await _organizationUserRepository.GetManyByOrganizationAsync(organization.Id,
|
||||
OrganizationUserType.Custom);
|
||||
if (organizationCustomUsers.Any())
|
||||
{
|
||||
throw new BadRequestException("Your new plan does not allow the Custom Permissions feature. " +
|
||||
"Disable your Custom Permissions configuration.");
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: Check storage?
|
||||
|
||||
string paymentIntentClientSecret = null;
|
||||
@ -322,6 +334,7 @@ public class OrganizationService : IOrganizationService
|
||||
organization.UseResetPassword = newPlan.HasResetPassword;
|
||||
organization.SelfHost = newPlan.HasSelfHost;
|
||||
organization.UsersGetPremium = newPlan.UsersGetPremium || upgrade.PremiumAccessAddon;
|
||||
organization.UseCustomPermissions = newPlan.HasCustomPermissions;
|
||||
organization.Plan = newPlan.Name;
|
||||
organization.Enabled = success;
|
||||
organization.PublicKey = upgrade.PublicKey;
|
||||
@ -621,6 +634,7 @@ public class OrganizationService : IOrganizationService
|
||||
UseResetPassword = plan.HasResetPassword,
|
||||
SelfHost = plan.HasSelfHost,
|
||||
UsersGetPremium = plan.UsersGetPremium || signup.PremiumAccessAddon,
|
||||
UseCustomPermissions = plan.HasCustomPermissions,
|
||||
UseScim = plan.HasScim,
|
||||
Plan = plan.Name,
|
||||
Gateway = null,
|
||||
@ -730,6 +744,7 @@ public class OrganizationService : IOrganizationService
|
||||
Plan = license.Plan,
|
||||
SelfHost = license.SelfHost,
|
||||
UsersGetPremium = license.UsersGetPremium,
|
||||
UseCustomPermissions = license.UseCustomPermissions,
|
||||
Gateway = null,
|
||||
GatewayCustomerId = null,
|
||||
GatewaySubscriptionId = null,
|
||||
@ -931,6 +946,18 @@ public class OrganizationService : IOrganizationService
|
||||
}
|
||||
}
|
||||
|
||||
if (!license.UseCustomPermissions && organization.UseCustomPermissions)
|
||||
{
|
||||
var organizationCustomUsers =
|
||||
await _organizationUserRepository.GetManyByOrganizationAsync(organization.Id,
|
||||
OrganizationUserType.Custom);
|
||||
if (organizationCustomUsers.Any())
|
||||
{
|
||||
throw new BadRequestException("Your new plan does not allow the Custom Permissions feature. " +
|
||||
"Disable your Custom Permissions configuration.");
|
||||
}
|
||||
}
|
||||
|
||||
if (!license.UseResetPassword && organization.UseResetPassword)
|
||||
{
|
||||
var resetPasswordPolicy =
|
||||
@ -966,6 +993,7 @@ public class OrganizationService : IOrganizationService
|
||||
organization.UseResetPassword = license.UseResetPassword;
|
||||
organization.SelfHost = license.SelfHost;
|
||||
organization.UsersGetPremium = license.UsersGetPremium;
|
||||
organization.UseCustomPermissions = license.UseCustomPermissions;
|
||||
organization.Plan = license.Plan;
|
||||
organization.Enabled = license.Enabled;
|
||||
organization.ExpirationDate = license.Expires;
|
||||
@ -1122,6 +1150,7 @@ public class OrganizationService : IOrganizationService
|
||||
foreach (var type in inviteTypes)
|
||||
{
|
||||
await ValidateOrganizationUserUpdatePermissions(organizationId, type, null);
|
||||
await ValidateOrganizationCustomPermissionsEnabledAsync(organizationId, type);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1648,6 +1677,8 @@ public class OrganizationService : IOrganizationService
|
||||
await ValidateOrganizationUserUpdatePermissions(user.OrganizationId, user.Type, originalUser.Type);
|
||||
}
|
||||
|
||||
await ValidateOrganizationCustomPermissionsEnabledAsync(user.OrganizationId, user.Type);
|
||||
|
||||
if (user.Type != OrganizationUserType.Owner &&
|
||||
!await HasConfirmedOwnersExceptAsync(user.OrganizationId, new[] { user.Id }))
|
||||
{
|
||||
@ -2256,6 +2287,25 @@ public class OrganizationService : IOrganizationService
|
||||
}
|
||||
}
|
||||
|
||||
private async Task ValidateOrganizationCustomPermissionsEnabledAsync(Guid organizationId, OrganizationUserType newType)
|
||||
{
|
||||
if (newType != OrganizationUserType.Custom)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var organization = await _organizationRepository.GetByIdAsync(organizationId);
|
||||
if (organization == null)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!organization.UseCustomPermissions)
|
||||
{
|
||||
throw new BadRequestException("To enable custom permissions the organization must be on an Enterprise plan.");
|
||||
}
|
||||
}
|
||||
|
||||
private async Task ValidateDeleteOrganizationAsync(Organization organization)
|
||||
{
|
||||
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
|
||||
|
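Review bot: A license whose Version is below 11 still has its UseCustomPermissions value copied onto the organization (the `UseCustomPermissions = license.UseCustomPermissions` lines in the sign-up-from-license and license-update hunks), even though GetDataBytes in OrganizationLicense excludes that property from the data bytes unless `Version >= 11`. If those bytes are what the license signature and hash cover, as the forHash parameter suggests, the flag is applied without being covered by verification for older license versions; guarding the two assignments with the same gate, `UseCustomPermissions = license.Version >= 11 && license.UseCustomPermissions,` and `organization.UseCustomPermissions = license.Version >= 11 && license.UseCustomPermissions;`, would keep the field from being trusted before it is verified, or the gate and the assignment should at least be documented as intentionally out of step. Separately, the custom-user downgrade check is pasted verbatim in the plan-upgrade and license-update hunks; I would extract it into one private helper taking the organization and the new `bool` so the repository call and the message live in one place, and reword the message in the license path, which says "Your new plan" when it is a license being applied. Both enclosing methods start and end outside the hunks shown.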
@ -241,6 +241,7 @@ public class StaticStore
|
||||
Has2fa = true,
|
||||
HasApi = true,
|
||||
UsersGetPremium = true,
|
||||
HasCustomPermissions = true,
|
||||
|
||||
UpgradeSortOrder = 3,
|
||||
DisplaySortOrder = 3,
|
||||
@ -279,6 +280,7 @@ public class StaticStore
|
||||
HasApi = true,
|
||||
HasSelfHost = true,
|
||||
UsersGetPremium = true,
|
||||
HasCustomPermissions = true,
|
||||
|
||||
UpgradeSortOrder = 3,
|
||||
DisplaySortOrder = 3,
|
||||
@ -418,6 +420,7 @@ public class StaticStore
|
||||
HasScim = true,
|
||||
HasResetPassword = true,
|
||||
UsersGetPremium = true,
|
||||
HasCustomPermissions = true,
|
||||
|
||||
UpgradeSortOrder = 3,
|
||||
DisplaySortOrder = 3,
|
||||
@ -458,6 +461,7 @@ public class StaticStore
|
||||
HasScim = true,
|
||||
HasResetPassword = true,
|
||||
UsersGetPremium = true,
|
||||
HasCustomPermissions = true,
|
||||
|
||||
UpgradeSortOrder = 3,
|
||||
DisplaySortOrder = 3,
|
||||
|