diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs index cc5b76a241..fd8149454b 100644 --- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs +++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs @@ -10,6 +10,8 @@ using Bit.Core.AdminConsole.Enums; using Bit.Core.AdminConsole.Models.Data.Organizations.Policies; using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces; using Bit.Core.AdminConsole.Repositories; +using Bit.Core.Auth.Enums; +using Bit.Core.Auth.Repositories; using Bit.Core.Context; using Bit.Core.Enums; using Bit.Core.Exceptions; @@ -46,6 +48,7 @@ public class OrganizationUsersController : Controller private readonly IAuthorizationService _authorizationService; private readonly IApplicationCacheService _applicationCacheService; private readonly IFeatureService _featureService; + private readonly ISsoConfigRepository _ssoConfigRepository; public OrganizationUsersController( IOrganizationRepository organizationRepository, @@ -63,7 +66,8 @@ public class OrganizationUsersController : Controller IAcceptOrgUserCommand acceptOrgUserCommand, IAuthorizationService authorizationService, IApplicationCacheService applicationCacheService, - IFeatureService featureService) + IFeatureService featureService, + ISsoConfigRepository ssoConfigRepository) { _organizationRepository = organizationRepository; _organizationUserRepository = organizationUserRepository; @@ -81,6 +85,7 @@ public class OrganizationUsersController : Controller _authorizationService = authorizationService; _applicationCacheService = applicationCacheService; _featureService = featureService; + _ssoConfigRepository = ssoConfigRepository; } [HttpGet("{id}")] @@ -456,7 +461,9 @@ public class OrganizationUsersController : Controller throw new UnauthorizedAccessException(); } - if (!string.IsNullOrWhiteSpace(model.ResetPasswordKey) && !await _userService.VerifySecretAsync(user, model.Secret)) + var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgId); + var isTdeEnrollment = ssoConfig != null && ssoConfig.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption; + if (!isTdeEnrollment && !string.IsNullOrWhiteSpace(model.ResetPasswordKey) && !await _userService.VerifySecretAsync(user, model.MasterPasswordHash)) { throw new BadRequestException("Incorrect password"); } diff --git a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs index 44e9853bb2..40aa62c9d2 100644 --- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs +++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs @@ -1,5 +1,4 @@ using System.ComponentModel.DataAnnotations; -using Bit.Api.Auth.Models.Request.Accounts; using Bit.Api.Models.Request; using Bit.Core.Entities; using Bit.Core.Enums; @@ -99,9 +98,10 @@ public class OrganizationUserUpdateRequestModel } } -public class OrganizationUserResetPasswordEnrollmentRequestModel : SecretVerificationRequestModel +public class OrganizationUserResetPasswordEnrollmentRequestModel { public string ResetPasswordKey { get; set; } + public string MasterPasswordHash { get; set; } } public class OrganizationUserBulkRequestModel diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs index 80c458d697..f2898db2e4 100644 --- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs +++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs @@ -9,6 +9,8 @@ using Bit.Core.AdminConsole.Enums; using Bit.Core.AdminConsole.Models.Data.Organizations.Policies; using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces; using Bit.Core.AdminConsole.Repositories; +using Bit.Core.Auth.Entities; +using Bit.Core.Auth.Repositories; using Bit.Core.Context; using Bit.Core.Entities; using Bit.Core.Enums; @@ -66,10 +68,12 @@ public class OrganizationUsersControllerTests [Theory] [BitAutoData] public async Task PutResetPasswordEnrollment_PasswordValidationFails_Throws(Guid orgId, Guid userId, OrganizationUserResetPasswordEnrollmentRequestModel model, - User user, SutProvider sutProvider) + User user, SutProvider sutProvider, OrganizationUser orgUser) { + orgUser.Status = OrganizationUserStatusType.Confirmed; model.MasterPasswordHash = "NotThePassword"; sutProvider.GetDependency().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user); + sutProvider.GetDependency().GetByOrganizationIdAsync(default).ReturnsForAnyArgs((SsoConfig)null); await Assert.ThrowsAsync(async () => await sutProvider.Sut.PutResetPasswordEnrollment(orgId, userId, model)); } @@ -79,7 +83,8 @@ public class OrganizationUsersControllerTests User user, OrganizationUser orgUser, SutProvider sutProvider) { sutProvider.GetDependency().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user); - sutProvider.GetDependency().VerifySecretAsync(user, model.Secret).Returns(true); + sutProvider.GetDependency().VerifySecretAsync(user, model.MasterPasswordHash).Returns(true); + sutProvider.GetDependency().GetByOrganizationIdAsync(default).ReturnsForAnyArgs((SsoConfig)null); sutProvider.GetDependency().GetByOrganizationAsync(default, default).ReturnsForAnyArgs(orgUser); await sutProvider.Sut.PutResetPasswordEnrollment(orgId, userId, model); await sutProvider.GetDependency().Received(1).UpdateUserResetPasswordEnrollmentAsync(