nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-02 08:32:50 -05:00
Code Activity

EC-262 - implement org user deactivated flag and behavior server (#2050)

Browse Source 
* SM-47 - Add Disabled status to enum + schema

* SM-47 - Enable and disable sprocs and repositories

* SM-47 - Organization service enble/disable user

* SM-47 - Fix lint errors

* SM-47 - add disable/enable endpoints to API

* SM-47 - Add bulk operations for enable/disable

* SM-47 - Fix linting errors, one of these days I'll do this first

* SM-47 - Codesense fix DRY warnings

* EC-262 - Code review changes, async cleanup

* EC-262 - Fix build issues, async refs

* EC-262 - Update controller param types

* EC-262 - Ensure mutable state is correct

* EC-262 - rename disabled to deactivated
This commit is contained in:
Chad Scharf
2022-06-16 15:59:57 -04:00
committed by GitHub
parent 8e79c20dce
commit b2a0aa2860
25 changed files with 2507 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
src/Api/Controllers/OrganizationUsersController.cs
View File

@ -6,6 +6,7 @@ using Bit.Api.Models.Request.Organizations;
using Bit.Api.Models.Response;
using Bit.Api.Models.Response.Organizations;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Business;
@ -375,5 +376,69 @@ namespace Bit.Api.Controllers
return new ListResponseModel<OrganizationUserBulkResponseModel>(result.Select(r =>
new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
}
[HttpPatch("{id}/deactivate")]
[HttpPut("{id}/deactivate")]
public async Task Deactivate(Guid orgId, Guid id)
{
await ActivateOrDeactivateUserAsync(orgId, id, _organizationService.DeactivateUserAsync);
}
[HttpPatch("deactivate")]
[HttpPut("deactivate")]
public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkDeactivate(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
{
return await ActivateOrDeactivateUsersAsync(orgId, model, _organizationService.DeactivateUsersAsync);
}
[HttpPatch("{id}/activate")]
[HttpPut("{id}/activate")]
public async Task Activate(Guid orgId, Guid id)
{
await ActivateOrDeactivateUserAsync(orgId, id, _organizationService.ActivateUserAsync);
}
[HttpPatch("activate")]
[HttpPut("activate")]
public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkActivate(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
{
return await ActivateOrDeactivateUsersAsync(orgId, model, _organizationService.ActivateUsersAsync);
}
private async Task ActivateOrDeactivateUserAsync(
Guid orgId,
Guid id,
Func<OrganizationUser, Guid?, Task> statusAction)
{
if (!await _currentContext.ManageUsers(orgId))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User);
var orgUser = await _organizationUserRepository.GetByIdAsync(id);
if (orgUser == null || orgUser.OrganizationId != orgId)
{
throw new NotFoundException();
}
await statusAction(orgUser, userId);
}
private async Task<ListResponseModel<OrganizationUserBulkResponseModel>> ActivateOrDeactivateUsersAsync(
Guid orgId,
OrganizationUserBulkRequestModel model,
Func<Guid, IEnumerable<Guid>, Guid?, Task<List<Tuple<OrganizationUser, string>>>> statusAction)
{
if (!await _currentContext.ManageUsers(orgId))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User);
var result = await statusAction(orgId, model.Ids, userId.Value);
return new ListResponseModel<OrganizationUserBulkResponseModel>(result.Select(r =>
new OrganizationUserBulkResponseModel(r.Item1.Id, r.Item2)));
}
}
}

2
src/Core/Enums/EventType.cs
View File

@ -51,6 +51,8 @@
OrganizationUser_AdminResetPassword = 1508,
OrganizationUser_ResetSsoLink = 1509,
OrganizationUser_FirstSsoLogin = 1510,
OrganizationUser_Deactivated = 1511,
OrganizationUser_Activated = 1512,
Organization_Updated = 1600,
Organization_PurgedVault = 1601,

5
src/Core/Enums/OrganizationUserStatusType.cs
View File

@ -1,9 +1,10 @@
namespace Bit.Core.Enums
{
public enum OrganizationUserStatusType : byte
public enum OrganizationUserStatusType : short
{
Invited = 0,
Accepted = 1,
Confirmed = 2
Confirmed = 2,
Deactivated = -1,
}
}

2
src/Core/Repositories/IOrganizationUserRepository.cs
View File

@ -39,5 +39,7 @@ namespace Bit.Core.Repositories
Task<OrganizationUser> GetByOrganizationEmailAsync(Guid organizationId, string email);
Task<IEnumerable<OrganizationUserPublicKey>> GetManyPublicKeysByOrganizationUserAsync(Guid organizationId, IEnumerable<Guid> Ids);
Task<IEnumerable<OrganizationUserUserDetails>> GetManyByMinimumRoleAsync(Guid organizationId, OrganizationUserType minRole);
Task DeactivateAsync(Guid id);
Task ActivateAsync(Guid id, OrganizationUserStatusType status);
}
}

6
src/Core/Services/IOrganizationService.cs
View File

@ -61,5 +61,11 @@ namespace Bit.Core.Services
Task DeleteSsoUserAsync(Guid userId, Guid? organizationId);
Task<Organization> UpdateOrganizationKeysAsync(Guid orgId, string publicKey, string privateKey);
Task<bool> HasConfirmedOwnersExceptAsync(Guid organizationId, IEnumerable<Guid> organizationUsersId, bool includeProvider = true);
Task DeactivateUserAsync(OrganizationUser organizationUser, Guid? disablingUserId);
Task<List<Tuple<OrganizationUser, string>>> DeactivateUsersAsync(Guid organizationId,
IEnumerable<Guid> organizationUserIds, Guid? disablingUserId);
Task ActivateUserAsync(OrganizationUser organizationUser, Guid? enablingUserId);
Task<List<Tuple<OrganizationUser, string>>> ActivateUsersAsync(Guid organizationId,
IEnumerable<Guid> organizationUserIds, Guid? enablingUserId);
}
}

181
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -2186,5 +2186,186 @@ namespace Bit.Core.Services
throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
}
}
public async Task DeactivateUserAsync(OrganizationUser organizationUser, Guid? disablingUserId)
{
if (organizationUser.Status == OrganizationUserStatusType.Deactivated)
{
throw new BadRequestException("Already deactivated.");
}
if (disablingUserId.HasValue && organizationUser.UserId == disablingUserId.Value)
{
throw new BadRequestException("You cannot deactivate yourself.");
}
if (organizationUser.Type == OrganizationUserType.Owner && disablingUserId.HasValue &&
!await _currentContext.OrganizationOwner(organizationUser.OrganizationId))
{
throw new BadRequestException("Only owners can deactivate other owners.");
}
if (!await HasConfirmedOwnersExceptAsync(organizationUser.OrganizationId, new[] { organizationUser.Id }))
{
throw new BadRequestException("Organization must have at least one confirmed owner.");
}
await _organizationUserRepository.DeactivateAsync(organizationUser.Id);
organizationUser.Status = OrganizationUserStatusType.Deactivated;
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Deactivated);
}
public async Task<List<Tuple<OrganizationUser, string>>> DeactivateUsersAsync(Guid organizationId,
IEnumerable<Guid> organizationUserIds, Guid? disablingUserId)
{
var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUserIds);
var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
.ToList();
if (!filteredUsers.Any())
{
throw new BadRequestException("Users invalid.");
}
if (!await HasConfirmedOwnersExceptAsync(organizationId, organizationUserIds))
{
throw new BadRequestException("Organization must have at least one confirmed owner.");
}
var deletingUserIsOwner = false;
if (disablingUserId.HasValue)
{
deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
}
var result = new List<Tuple<OrganizationUser, string>>();
foreach (var organizationUser in filteredUsers)
{
try
{
if (disablingUserId.HasValue && organizationUser.UserId == disablingUserId)
{
throw new BadRequestException("You cannot deactivate yourself.");
}
if (organizationUser.Type == OrganizationUserType.Owner && disablingUserId.HasValue && !deletingUserIsOwner)
{
throw new BadRequestException("Only owners can deactivate other owners.");
}
await _organizationUserRepository.DeactivateAsync(organizationUser.Id);
organizationUser.Status = OrganizationUserStatusType.Deactivated;
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Deactivated);
result.Add(Tuple.Create(organizationUser, ""));
}
catch (BadRequestException e)
{
result.Add(Tuple.Create(organizationUser, e.Message));
}
}
return result;
}
public async Task ActivateUserAsync(OrganizationUser organizationUser, Guid? enablingUserId)
{
if (organizationUser.Status != OrganizationUserStatusType.Deactivated)
{
throw new BadRequestException("Already active.");
}
if (enablingUserId.HasValue && organizationUser.UserId == enablingUserId.Value)
{
throw new BadRequestException("You cannot activate yourself.");
}
if (organizationUser.Type == OrganizationUserType.Owner && enablingUserId.HasValue &&
!await _currentContext.OrganizationOwner(organizationUser.OrganizationId))
{
throw new BadRequestException("Only owners can activate other owners.");
}
var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
await _organizationUserRepository.ActivateAsync(organizationUser.Id, status);
organizationUser.Status = status;
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Activated);
}
public async Task<List<Tuple<OrganizationUser, string>>> ActivateUsersAsync(Guid organizationId,
IEnumerable<Guid> organizationUserIds, Guid? enablingUserId)
{
var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUserIds);
var filteredUsers = orgUsers.Where(u => u.OrganizationId == organizationId)
.ToList();
if (!filteredUsers.Any())
{
throw new BadRequestException("Users invalid.");
}
var deletingUserIsOwner = false;
if (enablingUserId.HasValue)
{
deletingUserIsOwner = await _currentContext.OrganizationOwner(organizationId);
}
var result = new List<Tuple<OrganizationUser, string>>();
foreach (var organizationUser in filteredUsers)
{
try
{
if (organizationUser.Status != OrganizationUserStatusType.Deactivated)
{
throw new BadRequestException("Already active.");
}
if (enablingUserId.HasValue && organizationUser.UserId == enablingUserId)
{
throw new BadRequestException("You cannot activate yourself.");
}
if (organizationUser.Type == OrganizationUserType.Owner && enablingUserId.HasValue && !deletingUserIsOwner)
{
throw new BadRequestException("Only owners can activate other owners.");
}
var status = GetPriorActiveOrganizationUserStatusType(organizationUser);
await _organizationUserRepository.ActivateAsync(organizationUser.Id, status);
organizationUser.Status = status;
await _eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Activated);
result.Add(Tuple.Create(organizationUser, ""));
}
catch (BadRequestException e)
{
result.Add(Tuple.Create(organizationUser, e.Message));
}
}
return result;
}
static OrganizationUserStatusType GetPriorActiveOrganizationUserStatusType(OrganizationUser organizationUser)
{
// Determine status to revert back to
var status = OrganizationUserStatusType.Invited;
if (organizationUser.UserId.HasValue && string.IsNullOrWhiteSpace(organizationUser.Email))
{
// Has UserId & Email is null, then Accepted
status = OrganizationUserStatusType.Accepted;
if (!string.IsNullOrWhiteSpace(organizationUser.Key))
{
// We have an org key for this user, user was confirmed
status = OrganizationUserStatusType.Confirmed;
}
}
return status;
}
}
}

22
src/Infrastructure.Dapper/Repositories/OrganizationUserRepository.cs
View File

@ -409,5 +409,27 @@ namespace Bit.Infrastructure.Dapper.Repositories
return results.ToList();
}
}
public async Task DeactivateAsync(Guid id)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.ExecuteAsync(
$"[{Schema}].[{Table}_Deactivate]",
new { Id = id },
commandType: CommandType.StoredProcedure);
}
}
public async Task ActivateAsync(Guid id, OrganizationUserStatusType status)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.ExecuteAsync(
$"[{Schema}].[{Table}_Activate]",
new { Id = id, Status = status },
commandType: CommandType.StoredProcedure);
}
}
}
}

38
src/Infrastructure.EntityFramework/Repositories/OrganizationUserRepository.cs
View File

@ -427,5 +427,43 @@ namespace Bit.Infrastructure.EntityFramework.Repositories
return await query.ToListAsync();
}
}
public async Task DeactivateAsync(Guid id)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var orgUser = await GetDbSet(dbContext).FindAsync(id);
if (orgUser != null)
{
dbContext.Update(orgUser);
orgUser.Status = OrganizationUserStatusType.Deactivated;
await dbContext.SaveChangesAsync();
if (orgUser.UserId.HasValue)
{
await UserBumpAccountRevisionDate(orgUser.UserId.Value);
}
}
}
}
public async Task ActivateAsync(Guid id, OrganizationUserStatusType status)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var orgUser = await GetDbSet(dbContext).FindAsync(id);
if (orgUser != null)
{
dbContext.Update(orgUser);
orgUser.Status = status;
await dbContext.SaveChangesAsync();
if (orgUser.UserId.HasValue)
{
await UserBumpAccountRevisionDate(orgUser.UserId.Value);
}
}
}
}
}
}

2
src/Sql/Sql.sqlproj
View File

@ -122,6 +122,8 @@
<Build Include="dbo\Stored Procedures\Grant_DeleteByKey.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_DeleteById.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_DeleteByIds.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_Deactivate.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_Activate.sql" />
<Build Include="dbo\Stored Procedures\Grant_Delete.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadById.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByIds.sql" />

2
src/Sql/dbo/Functions/PolicyApplicableToUser.sql
View File

@ -2,7 +2,7 @@ CREATE FUNCTION [dbo].[PolicyApplicableToUser]
(
@UserId UNIQUEIDENTIFIER,
@PolicyType TINYINT,
@MinimumStatus TINYINT
@MinimumStatus SMALLINT
)
RETURNS TABLE
AS RETURN

2
src/Sql/dbo/Stored Procedures/OrganizationUserOrganizationDetails_ReadByUserIdStatus.sql
View File

@ -1,6 +1,6 @@
CREATE PROCEDURE [dbo].[OrganizationUserOrganizationDetails_ReadByUserIdStatus]
@UserId UNIQUEIDENTIFIER,
@Status TINYINT
@Status SMALLINT
AS
BEGIN
SET NOCOUNT ON

2
src/Sql/dbo/Stored Procedures/OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId.sql
View File

@ -1,6 +1,6 @@
CREATE PROCEDURE [dbo].[OrganizationUserOrganizationDetails_ReadByUserIdStatusOrganizationId]
@UserId UNIQUEIDENTIFIER,
@Status TINYINT,
@Status SMALLINT,
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN

17
src/Sql/dbo/Stored Procedures/OrganizationUser_Activate.sql Normal file
View File

@ -0,0 +1,17 @@
CREATE PROCEDURE [dbo].[OrganizationUser_Activate]
@Id UNIQUEIDENTIFIER,
@Status SMALLINT
AS
BEGIN
SET NOCOUNT ON
UPDATE
[dbo].[OrganizationUser]
SET
[Status] = @Status
WHERE
[Id] = @Id
AND [Status] = -1 -- Deactivated
EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserId] @Id
END

2
src/Sql/dbo/Stored Procedures/OrganizationUser_Create.sql
View File

@ -4,7 +4,7 @@
@UserId UNIQUEIDENTIFIER,
@Email NVARCHAR(256),
@Key VARCHAR(MAX),
@Status TINYINT,
@Status SMALLINT,
@Type TINYINT,
@AccessAll BIT,
@ExternalId NVARCHAR(300),

2
src/Sql/dbo/Stored Procedures/OrganizationUser_CreateWithCollections.sql
View File

@ -4,7 +4,7 @@
@UserId UNIQUEIDENTIFIER,
@Email NVARCHAR(256),
@Key VARCHAR(MAX),
@Status TINYINT,
@Status SMALLINT,
@Type TINYINT,
@AccessAll BIT,
@ExternalId NVARCHAR(300),

15
src/Sql/dbo/Stored Procedures/OrganizationUser_Deactivate.sql Normal file
View File

@ -0,0 +1,15 @@
CREATE PROCEDURE [dbo].[OrganizationUser_Deactivate]
@Id UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
UPDATE
[dbo].[OrganizationUser]
SET
[Status] = -1 -- Deactivated
WHERE
[Id] = @Id
EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserId] @Id
END

2
src/Sql/dbo/Stored Procedures/OrganizationUser_Update.sql
View File

@ -4,7 +4,7 @@
@UserId UNIQUEIDENTIFIER,
@Email NVARCHAR(256),
@Key VARCHAR(MAX),
@Status TINYINT,
@Status SMALLINT,
@Type TINYINT,
@AccessAll BIT,
@ExternalId NVARCHAR(300),

2
src/Sql/dbo/Stored Procedures/OrganizationUser_UpdateWithCollections.sql
View File

@ -4,7 +4,7 @@
@UserId UNIQUEIDENTIFIER,
@Email NVARCHAR(256),
@Key VARCHAR(MAX),
@Status TINYINT,
@Status SMALLINT,
@Type TINYINT,
@AccessAll BIT,
@ExternalId NVARCHAR(300),

2
src/Sql/dbo/Tables/OrganizationUser.sql
View File

@ -5,7 +5,7 @@
[Email] NVARCHAR (256) NULL,
[Key] VARCHAR (MAX) NULL,
[ResetPasswordKey] VARCHAR (MAX) NULL,
[Status] TINYINT NOT NULL,
[Status] SMALLINT NOT NULL,
[Type] TINYINT NOT NULL,
[AccessAll] BIT NOT NULL,
[ExternalId] NVARCHAR (300) NULL,

2
src/Sql/dbo/User Defined Types/OrganizationUserType.sql
View File

@ -4,7 +4,7 @@ CREATE TYPE [dbo].[OrganizationUserType] AS TABLE(
[UserId] UNIQUEIDENTIFIER,
[Email] NVARCHAR(256),
[Key] VARCHAR(MAX),
[Status] TINYINT,
[Status] SMALLINT,
[Type] TINYINT,
[AccessAll] BIT,
[ExternalId] NVARCHAR(300),