diff --git a/bitwarden_license/src/Portal/Controllers/PoliciesController.cs b/bitwarden_license/src/Portal/Controllers/PoliciesController.cs index 73351a2b6f..7d2632c782 100644 --- a/bitwarden_license/src/Portal/Controllers/PoliciesController.cs +++ b/bitwarden_license/src/Portal/Controllers/PoliciesController.cs @@ -51,8 +51,7 @@ namespace Bit.Portal.Controllers } var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId.Value); - var selectedOrgUseSso = _enterprisePortalCurrentContext.SelectedOrganizationDetails.UseSso; - return View(new PoliciesModel(policies, selectedOrgUseSso)); + return View(new PoliciesModel(policies, _enterprisePortalCurrentContext.SelectedOrganizationDetails)); } [HttpGet("/edit/{type}")] @@ -138,6 +137,7 @@ namespace Bit.Portal.Controllers case PolicyType.PersonalOwnership: case PolicyType.DisableSend: case PolicyType.SendOptions: + case PolicyType.ResetPassword: break; case PolicyType.SingleOrg: diff --git a/bitwarden_license/src/Portal/Models/PoliciesModel.cs b/bitwarden_license/src/Portal/Models/PoliciesModel.cs index 10d3d4acc1..96f1748518 100644 --- a/bitwarden_license/src/Portal/Models/PoliciesModel.cs +++ b/bitwarden_license/src/Portal/Models/PoliciesModel.cs @@ -2,13 +2,14 @@ using System.Collections.Generic; using System.Linq; using Bit.Core.Enums; +using Bit.Core.Models.Data; using Bit.Core.Models.Table; namespace Bit.Portal.Models { public class PoliciesModel { - public PoliciesModel(ICollection policies, bool useSso) + public PoliciesModel(ICollection policies, OrganizationUserOrganizationDetails selectedOrgDetails) { if (policies == null) { @@ -20,10 +21,16 @@ namespace Bit.Portal.Models foreach (var type in Enum.GetValues(typeof(PolicyType)).Cast()) { - if (type == PolicyType.RequireSso && !useSso) + if (type == PolicyType.RequireSso && !selectedOrgDetails.UseSso) { continue; } + + if (type == PolicyType.ResetPassword && !selectedOrgDetails.UseResetPassword) + { + continue; + } + var enabled = policyDict.ContainsKey(type) ? policyDict[type].Enabled : false; Policies.Add(new PolicyModel(type, enabled)); } diff --git a/bitwarden_license/src/Portal/Models/PolicyEditModel.cs b/bitwarden_license/src/Portal/Models/PolicyEditModel.cs index 545caa02b1..0d7ae81ecd 100644 --- a/bitwarden_license/src/Portal/Models/PolicyEditModel.cs +++ b/bitwarden_license/src/Portal/Models/PolicyEditModel.cs @@ -49,6 +49,10 @@ namespace Bit.Portal.Models case PolicyType.SendOptions: SendOptionsDataModel = JsonSerializer.Deserialize(model.Data, options); break; + case PolicyType.ResetPassword: + ResetPasswordDataModel = + JsonSerializer.Deserialize(model.Data, options); + break; default: throw new ArgumentOutOfRangeException(); } @@ -58,6 +62,7 @@ namespace Bit.Portal.Models public MasterPasswordDataModel MasterPasswordDataModel { get; set; } public PasswordGeneratorDataModel PasswordGeneratorDataModel { get; set; } public SendOptionsPolicyData SendOptionsDataModel { get; set; } + public ResetPasswordDataModel ResetPasswordDataModel { get; set; } public List Complexities { get; set; } public List DefaultTypes { get; set; } public string EnableCheckboxText { get; set; } @@ -87,15 +92,18 @@ namespace Bit.Portal.Models case PolicyType.PasswordGenerator: existingPolicy.Data = JsonSerializer.Serialize(PasswordGeneratorDataModel, options); break; + case PolicyType.SendOptions: + existingPolicy.Data = JsonSerializer.Serialize(SendOptionsDataModel, options); + break; + case PolicyType.ResetPassword: + existingPolicy.Data = JsonSerializer.Serialize(ResetPasswordDataModel, options); + break; case PolicyType.SingleOrg: case PolicyType.TwoFactorAuthentication: case PolicyType.RequireSso: case PolicyType.PersonalOwnership: case PolicyType.DisableSend: break; - case PolicyType.SendOptions: - existingPolicy.Data = JsonSerializer.Serialize(SendOptionsDataModel, options); - break; default: throw new ArgumentOutOfRangeException(); } diff --git a/bitwarden_license/src/Portal/Models/PolicyModel.cs b/bitwarden_license/src/Portal/Models/PolicyModel.cs index a751c4c09a..49c0bea452 100644 --- a/bitwarden_license/src/Portal/Models/PolicyModel.cs +++ b/bitwarden_license/src/Portal/Models/PolicyModel.cs @@ -21,42 +21,38 @@ namespace Bit.Portal.Models NameKey = "TwoStepLogin"; DescriptionKey = "TwoStepLoginDescription"; break; - case PolicyType.MasterPassword: NameKey = "MasterPassword"; DescriptionKey = "MasterPasswordDescription"; break; - case PolicyType.PasswordGenerator: NameKey = "PasswordGenerator"; DescriptionKey = "PasswordGeneratorDescription"; break; - case PolicyType.SingleOrg: NameKey = "SingleOrganization"; DescriptionKey = "SingleOrganizationDescription"; break; - case PolicyType.RequireSso: NameKey = "RequireSso"; DescriptionKey = "RequireSsoDescription"; break; - case PolicyType.PersonalOwnership: NameKey = "PersonalOwnership"; DescriptionKey = "PersonalOwnershipDescription"; break; - case PolicyType.DisableSend: NameKey = "DisableSend"; DescriptionKey = "DisableSendDescription"; break; - case PolicyType.SendOptions: NameKey = "SendOptions"; DescriptionKey = "SendOptionsDescription"; break; - + case PolicyType.ResetPassword: + NameKey = "ResetPassword"; + DescriptionKey = "ResetPasswordDescription"; + break; default: throw new ArgumentOutOfRangeException(); } diff --git a/bitwarden_license/src/Portal/Models/ResetPasswordDataModel.cs b/bitwarden_license/src/Portal/Models/ResetPasswordDataModel.cs new file mode 100644 index 0000000000..583c413b38 --- /dev/null +++ b/bitwarden_license/src/Portal/Models/ResetPasswordDataModel.cs @@ -0,0 +1,10 @@ +using System.ComponentModel.DataAnnotations; + +namespace Bit.Portal.Models +{ + public class ResetPasswordDataModel + { + [Display(Name = "ResetPasswordAutoEnrollCheckbox")] + public bool AutoEnrollEnabled { get; set; } + } +} diff --git a/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml b/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml index 556feb101d..d894d71658 100644 --- a/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml +++ b/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml @@ -84,6 +84,17 @@ } + @if (Model.PolicyType == PolicyType.ResetPassword) + { + + } +
@@ -211,6 +222,27 @@
} + @if (Model.PolicyType == PolicyType.ResetPassword) + { +
+

@i18nService.T("ResetPasswordAutoEnroll")

+

@i18nService.T("ResetPasswordAutoEnrollDescription")

+ +
+
+ + +
+
+
+ } +
@i18nService.T("Cancel") diff --git a/src/Core/Enums/PolicyType.cs b/src/Core/Enums/PolicyType.cs index 72804ca407..253be18a36 100644 --- a/src/Core/Enums/PolicyType.cs +++ b/src/Core/Enums/PolicyType.cs @@ -10,5 +10,6 @@ PersonalOwnership = 5, DisableSend = 6, SendOptions = 7, + ResetPassword = 8, } } diff --git a/src/Core/Resources/SharedResources.en.resx b/src/Core/Resources/SharedResources.en.resx index df876e3aad..836f2b3567 100644 --- a/src/Core/Resources/SharedResources.en.resx +++ b/src/Core/Resources/SharedResources.en.resx @@ -652,4 +652,25 @@ Expected authentication context class reference (acr) was not returned with the authentication response or is invalid. 'acr' is an explicit OIDC claim type, see https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.2 (acr). It should not be translated. + + Master Password Reset + + + Allow administrators in the organization to reset organization users' master password. + + + Users in the organization will need to self-enroll or be auto-enrolled before administrators can reset their master password. + + + Automatic Enrollment + + + All users will be automatically enrolled in password reset once their invite is accepted. + + + Users already in the organization will not be retroactively enrolled in password reset. They will need to self-enroll before administrators can reset their master password. + + + Automatically enroll new users + diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs index 59d47d208d..b5816d9565 100644 --- a/src/Core/Services/Implementations/OrganizationService.cs +++ b/src/Core/Services/Implementations/OrganizationService.cs @@ -238,7 +238,16 @@ namespace Bit.Core.Services } } - // TODO Reset Password - Throw error if policy enabled and new pland doesn't allow + if (!newPlan.HasResetPassword && organization.UseResetPassword) + { + var resetPasswordPolicy = + await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword); + if (resetPasswordPolicy != null && resetPasswordPolicy.Enabled) + { + throw new BadRequestException("Your new plan does not allow the Password Reset feature. " + + "Disable your Password Reset policy."); + } + } // TODO: Check storage? @@ -825,8 +834,16 @@ namespace Bit.Core.Services } } - // TODO Reset Password - If the license does not allow reset password, but the organization currently does - // TODO Reset Password - Pull Reset Password policy and make sure its disabled. + if (!license.UseResetPassword && organization.UseResetPassword) + { + var resetPasswordPolicy = + await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword); + if (resetPasswordPolicy != null && resetPasswordPolicy.Enabled) + { + throw new BadRequestException("Your new license does not allow the Password Reset feature. " + + "Disable your Password Reset policy."); + } + } var dir = $"{_globalSettings.LicenseDirectory}/organization"; Directory.CreateDirectory(dir); @@ -1424,7 +1441,7 @@ namespace Bit.Core.Services throw new BadRequestException("User not valid."); } - // TODO - Block certain org types from using this feature? + // TODO Reset Password - Block certain org types from using this feature? orgUser.ResetPasswordKey = resetPasswordKey; await _organizationUserRepository.ReplaceAsync(orgUser);