nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 21:18:13 -05:00
Code

[Reset Password] Enterprise Policy (#1315)

Browse Source 
* [Reset Password] Enterprise Policy

* Created UI for policy/edit policy // Updated TODOs for policy dependent checks

* Updated reset password data model field name to be more descriptive

* Update title to Master Password Reset

* Updated PoliciesModel, Policy Model spacing, and strings
This commit is contained in:
Vincent Salucci 2021-05-12 14:47:00 -05:00 committed by GitHub
parent a47b86a995
commit ae38c33e05
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 111 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bitwarden_license/src/Portal/Controllers/PoliciesController.cs
View File

@ -51,8 +51,7 @@ namespace Bit.Portal.Controllers
} }
var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId.Value); var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId.Value);
var selectedOrgUseSso = _enterprisePortalCurrentContext.SelectedOrganizationDetails.UseSso; return View(new PoliciesModel(policies, _enterprisePortalCurrentContext.SelectedOrganizationDetails));
return View(new PoliciesModel(policies, selectedOrgUseSso));
} }
[HttpGet("/edit/{type}")] [HttpGet("/edit/{type}")]
@ -138,6 +137,7 @@ namespace Bit.Portal.Controllers
case PolicyType.PersonalOwnership: case PolicyType.PersonalOwnership:
case PolicyType.DisableSend: case PolicyType.DisableSend:
case PolicyType.SendOptions: case PolicyType.SendOptions:
case PolicyType.ResetPassword:
break; break;
case PolicyType.SingleOrg: case PolicyType.SingleOrg:

11
bitwarden_license/src/Portal/Models/PoliciesModel.cs
View File

@ -2,13 +2,14 @@
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Data;
using Bit.Core.Models.Table; using Bit.Core.Models.Table;
namespace Bit.Portal.Models namespace Bit.Portal.Models
{ {
public class PoliciesModel public class PoliciesModel
{ {
public PoliciesModel(ICollection<Policy> policies, bool useSso) public PoliciesModel(ICollection<Policy> policies, OrganizationUserOrganizationDetails selectedOrgDetails)
{ {
if (policies == null) if (policies == null)
{ {
@ -20,10 +21,16 @@ namespace Bit.Portal.Models
foreach (var type in Enum.GetValues(typeof(PolicyType)).Cast<PolicyType>()) foreach (var type in Enum.GetValues(typeof(PolicyType)).Cast<PolicyType>())
{ {
if (type == PolicyType.RequireSso && !useSso) if (type == PolicyType.RequireSso && !selectedOrgDetails.UseSso)
{ {
continue; continue;
} }
if (type == PolicyType.ResetPassword && !selectedOrgDetails.UseResetPassword)
{
continue;
}
var enabled = policyDict.ContainsKey(type) ? policyDict[type].Enabled : false; var enabled = policyDict.ContainsKey(type) ? policyDict[type].Enabled : false;
Policies.Add(new PolicyModel(type, enabled)); Policies.Add(new PolicyModel(type, enabled));
} }

14
bitwarden_license/src/Portal/Models/PolicyEditModel.cs
View File

@ -49,6 +49,10 @@ namespace Bit.Portal.Models
case PolicyType.SendOptions: case PolicyType.SendOptions:
SendOptionsDataModel = JsonSerializer.Deserialize<SendOptionsPolicyData>(model.Data, options); SendOptionsDataModel = JsonSerializer.Deserialize<SendOptionsPolicyData>(model.Data, options);
break; break;
case PolicyType.ResetPassword:
ResetPasswordDataModel =
JsonSerializer.Deserialize<ResetPasswordDataModel>(model.Data, options);
break;
default: default:
throw new ArgumentOutOfRangeException(); throw new ArgumentOutOfRangeException();
} }
@ -58,6 +62,7 @@ namespace Bit.Portal.Models
public MasterPasswordDataModel MasterPasswordDataModel { get; set; } public MasterPasswordDataModel MasterPasswordDataModel { get; set; }
public PasswordGeneratorDataModel PasswordGeneratorDataModel { get; set; } public PasswordGeneratorDataModel PasswordGeneratorDataModel { get; set; }
public SendOptionsPolicyData SendOptionsDataModel { get; set; } public SendOptionsPolicyData SendOptionsDataModel { get; set; }
public ResetPasswordDataModel ResetPasswordDataModel { get; set; }
public List<SelectListItem> Complexities { get; set; } public List<SelectListItem> Complexities { get; set; }
public List<SelectListItem> DefaultTypes { get; set; } public List<SelectListItem> DefaultTypes { get; set; }
public string EnableCheckboxText { get; set; } public string EnableCheckboxText { get; set; }
@ -87,15 +92,18 @@ namespace Bit.Portal.Models
case PolicyType.PasswordGenerator: case PolicyType.PasswordGenerator:
existingPolicy.Data = JsonSerializer.Serialize(PasswordGeneratorDataModel, options); existingPolicy.Data = JsonSerializer.Serialize(PasswordGeneratorDataModel, options);
break; break;
case PolicyType.SendOptions:
existingPolicy.Data = JsonSerializer.Serialize(SendOptionsDataModel, options);
break;
case PolicyType.ResetPassword:
existingPolicy.Data = JsonSerializer.Serialize(ResetPasswordDataModel, options);
break;
case PolicyType.SingleOrg: case PolicyType.SingleOrg:
case PolicyType.TwoFactorAuthentication: case PolicyType.TwoFactorAuthentication:
case PolicyType.RequireSso: case PolicyType.RequireSso:
case PolicyType.PersonalOwnership: case PolicyType.PersonalOwnership:
case PolicyType.DisableSend: case PolicyType.DisableSend:
break; break;
case PolicyType.SendOptions:
existingPolicy.Data = JsonSerializer.Serialize(SendOptionsDataModel, options);
break;
default: default:
throw new ArgumentOutOfRangeException(); throw new ArgumentOutOfRangeException();
} }

12
bitwarden_license/src/Portal/Models/PolicyModel.cs
View File

@ -21,42 +21,38 @@ namespace Bit.Portal.Models
NameKey = "TwoStepLogin"; NameKey = "TwoStepLogin";
DescriptionKey = "TwoStepLoginDescription"; DescriptionKey = "TwoStepLoginDescription";
break; break;
case PolicyType.MasterPassword: case PolicyType.MasterPassword:
NameKey = "MasterPassword"; NameKey = "MasterPassword";
DescriptionKey = "MasterPasswordDescription"; DescriptionKey = "MasterPasswordDescription";
break; break;
case PolicyType.PasswordGenerator: case PolicyType.PasswordGenerator:
NameKey = "PasswordGenerator"; NameKey = "PasswordGenerator";
DescriptionKey = "PasswordGeneratorDescription"; DescriptionKey = "PasswordGeneratorDescription";
break; break;
case PolicyType.SingleOrg: case PolicyType.SingleOrg:
NameKey = "SingleOrganization"; NameKey = "SingleOrganization";
DescriptionKey = "SingleOrganizationDescription"; DescriptionKey = "SingleOrganizationDescription";
break; break;
case PolicyType.RequireSso: case PolicyType.RequireSso:
NameKey = "RequireSso"; NameKey = "RequireSso";
DescriptionKey = "RequireSsoDescription"; DescriptionKey = "RequireSsoDescription";
break; break;
case PolicyType.PersonalOwnership: case PolicyType.PersonalOwnership:
NameKey = "PersonalOwnership"; NameKey = "PersonalOwnership";
DescriptionKey = "PersonalOwnershipDescription"; DescriptionKey = "PersonalOwnershipDescription";
break; break;
case PolicyType.DisableSend: case PolicyType.DisableSend:
NameKey = "DisableSend"; NameKey = "DisableSend";
DescriptionKey = "DisableSendDescription"; DescriptionKey = "DisableSendDescription";
break; break;
case PolicyType.SendOptions: case PolicyType.SendOptions:
NameKey = "SendOptions"; NameKey = "SendOptions";
DescriptionKey = "SendOptionsDescription"; DescriptionKey = "SendOptionsDescription";
break; break;
case PolicyType.ResetPassword:
NameKey = "ResetPassword";
DescriptionKey = "ResetPasswordDescription";
break;
default: default:
throw new ArgumentOutOfRangeException(); throw new ArgumentOutOfRangeException();
} }

10
bitwarden_license/src/Portal/Models/ResetPasswordDataModel.cs Normal file
View File

@ -0,0 +1,10 @@
using System.ComponentModel.DataAnnotations;
namespace Bit.Portal.Models
{
public class ResetPasswordDataModel
{
[Display(Name = "ResetPasswordAutoEnrollCheckbox")]
public bool AutoEnrollEnabled { get; set; }
}
}

32
bitwarden_license/src/Portal/Views/Policies/Edit.cshtml
View File

@ -84,6 +84,17 @@
</div> </div>
} }
@if (Model.PolicyType == PolicyType.ResetPassword)
{
<div class="callout callout-warning" role="alert">
<h3 class="callout-heading">
<i class="fa fa-warning" *ngIf="icon" aria-hidden="true"></i>
@i18nService.T("Warning")
</h3>
@i18nService.T("ResetPasswordWarning")
</div>
}
<div asp-validation-summary="ModelOnly" class="alert alert-danger"></div> <div asp-validation-summary="ModelOnly" class="alert alert-danger"></div>
<div class="form-group"> <div class="form-group">
@ -211,6 +222,27 @@
</div> </div>
} }
@if (Model.PolicyType == PolicyType.ResetPassword)
{
<div class="config-section">
<h2>@i18nService.T("ResetPasswordAutoEnroll")</h2>
<p>@i18nService.T("ResetPasswordAutoEnrollDescription")</p>
<div class="callout callout-warning" role="alert">
<h3 class="callout-heading">
<i class="fa fa-warning" *ngIf="icon" aria-hidden="true"></i>
@i18nService.T("Warning")
</h3>
@i18nService.T("ResetPasswordAutoEnrollWarning")
</div>
<div class="form-group">
<div class="form-check">
<input class="form-check-input" type="checkbox" asp-for="ResetPasswordDataModel.AutoEnrollEnabled">
<label class="form-check-label" asp-for="ResetPasswordDataModel.AutoEnrollEnabled"></label>
</div>
</div>
</div>
}
<div class="d-flex"> <div class="d-flex">
<button type="submit" class="btn btn-primary">@i18nService.T("Save")</button> <button type="submit" class="btn btn-primary">@i18nService.T("Save")</button>
<a class="btn btn-outline-secondary ml-1" asp-controller="Policies" asp-action="Index">@i18nService.T("Cancel")</a> <a class="btn btn-outline-secondary ml-1" asp-controller="Policies" asp-action="Index">@i18nService.T("Cancel")</a>

1
src/Core/Enums/PolicyType.cs
View File

@ -10,5 +10,6 @@
PersonalOwnership = 5, PersonalOwnership = 5,
DisableSend = 6, DisableSend = 6,
SendOptions = 7, SendOptions = 7,
ResetPassword = 8,
} }
} }

21
src/Core/Resources/SharedResources.en.resx
View File

@ -652,4 +652,25 @@
<value>Expected authentication context class reference (acr) was not returned with the authentication response or is invalid.</value> <value>Expected authentication context class reference (acr) was not returned with the authentication response or is invalid.</value>
<comment>'acr' is an explicit OIDC claim type, see https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.2 (acr). It should not be translated.</comment> <comment>'acr' is an explicit OIDC claim type, see https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.2 (acr). It should not be translated.</comment>
</data> </data>
<data name="ResetPassword" xml:space="preserve">
<value>Master Password Reset</value>
</data>
<data name="ResetPasswordDescription" xml:space="preserve">
<value>Allow administrators in the organization to reset organization users' master password.</value>
</data>
<data name="ResetPasswordWarning" xml:space="preserve">
<value>Users in the organization will need to self-enroll or be auto-enrolled before administrators can reset their master password.</value>
</data>
<data name="ResetPasswordAutoEnroll" xml:space="preserve">
<value>Automatic Enrollment</value>
</data>
<data name="ResetPasswordAutoEnrollDescription" xml:space="preserve">
<value>All users will be automatically enrolled in password reset once their invite is accepted.</value>
</data>
<data name="ResetPasswordAutoEnrollWarning" xml:space="preserve">
<value>Users already in the organization will not be retroactively enrolled in password reset. They will need to self-enroll before administrators can reset their master password.</value>
</data>
<data name="ResetPasswordAutoEnrollCheckbox" xml:space="preserve">
<value>Automatically enroll new users</value>
</data>
</root> </root>

25
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -238,7 +238,16 @@ namespace Bit.Core.Services
} }
} }
// TODO Reset Password - Throw error if policy enabled and new pland doesn't allow if (!newPlan.HasResetPassword && organization.UseResetPassword)
{
var resetPasswordPolicy =
await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
if (resetPasswordPolicy != null && resetPasswordPolicy.Enabled)
{
throw new BadRequestException("Your new plan does not allow the Password Reset feature. " +
"Disable your Password Reset policy.");
}
}
// TODO: Check storage? // TODO: Check storage?
@ -825,8 +834,16 @@ namespace Bit.Core.Services
} }
} }
// TODO Reset Password - If the license does not allow reset password, but the organization currently does if (!license.UseResetPassword && organization.UseResetPassword)
// TODO Reset Password - Pull Reset Password policy and make sure its disabled. {
var resetPasswordPolicy =
await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.ResetPassword);
if (resetPasswordPolicy != null && resetPasswordPolicy.Enabled)
{
throw new BadRequestException("Your new license does not allow the Password Reset feature. "
+ "Disable your Password Reset policy.");
}
}
var dir = $"{_globalSettings.LicenseDirectory}/organization"; var dir = $"{_globalSettings.LicenseDirectory}/organization";
Directory.CreateDirectory(dir); Directory.CreateDirectory(dir);
@ -1424,7 +1441,7 @@ namespace Bit.Core.Services
throw new BadRequestException("User not valid."); throw new BadRequestException("User not valid.");
} }
// TODO - Block certain org types from using this feature? // TODO Reset Password - Block certain org types from using this feature?
orgUser.ResetPasswordKey = resetPasswordKey; orgUser.ResetPasswordKey = resetPasswordKey;
await _organizationUserRepository.ReplaceAsync(orgUser); await _organizationUserRepository.ReplaceAsync(orgUser);