[Key Connector] Fix policy checks and other pre-reqs (#1711)

* Require SSO Policy to enable Key Connector

* Require that SSO is enabled to use Key Connector

* Fix error messages

"Key Connector" instead of "KeyConnector"

* Refactor dependent policy checks to handle expansion

* Block disabling Sso Policy if using Key Connector

* Update tests for policies required by Key Connector

* Fix tests

* Add test for Key Connector to require Sso Policy

* Add test: Sso config must be enabled to use Key Connector

src/Core/Services/Implementations/PolicyService.cs

@@ -54,37 +54,27 @@ namespace Bit.Core.Services
                 case PolicyType.SingleOrg:
                     if (!policy.Enabled)
                     {
-                        var requireSso =
-                            await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.RequireSso);
-                        if (requireSso?.Enabled == true)
-                        {
-                            throw new BadRequestException("Single Sign-On Authentication policy is enabled.");
-                        }
-
-                        var vaultTimeout =
-                            await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);
-                        if (vaultTimeout?.Enabled == true)
-                        {
-                            throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
-                        }
-
-                        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
-                        if (ssoConfig?.GetData()?.UseKeyConnector == true)
-                        {
-                            throw new BadRequestException("KeyConnector is enabled.");
-                        }
+                        await RequiredBySsoAsync(org);
+                        await RequiredByVaultTimeoutAsync(org);
+                        await RequiredByKeyConnectorAsync(org);
                     }
                     break;
                 
                case PolicyType.RequireSso:
+                   if (policy.Enabled)
+                    {
+                        await DependsOnSingleOrgAsync(org);
+                    }
+                    else
+                    {
+                        await RequiredByKeyConnectorAsync(org);
+                    }
+                    break;
+
                case PolicyType.MaximumVaultTimeout:
                    if (policy.Enabled)
                    {
-                       var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);
-                       if (singleOrg?.Enabled != true)
-                       {
-                           throw new BadRequestException("Single Organization policy not enabled.");
-                       }
+                        await DependsOnSingleOrgAsync(org);
                    }
                    break;
             }
@@ -144,5 +134,42 @@ namespace Bit.Core.Services
             await _policyRepository.UpsertAsync(policy);
             await _eventService.LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated);
         }
+
+        private async Task DependsOnSingleOrgAsync(Organization org)
+        {
+            var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);
+            if (singleOrg?.Enabled != true)
+            {
+                throw new BadRequestException("Single Organization policy not enabled.");
+            }
+        }
+
+        private async Task RequiredBySsoAsync(Organization org)
+        {
+            var requireSso = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.RequireSso);
+            if (requireSso?.Enabled == true)
+            {
+                throw new BadRequestException("Single Sign-On Authentication policy is enabled.");
+            }
+        }
+
+        private async Task RequiredByKeyConnectorAsync(Organization org)
+        {
+
+            var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
+            if (ssoConfig?.GetData()?.UseKeyConnector == true)
+            {
+                throw new BadRequestException("Key Connector is enabled.");
+            }
+        }
+
+        private async Task RequiredByVaultTimeoutAsync(Organization org)
+        {
+            var vaultTimeout = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);
+            if (vaultTimeout?.Enabled == true)
+            {
+                throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
+            }
+        }
     }
 }

src/Core/Services/Implementations/SsoConfigService.cs

@@ -65,10 +65,20 @@ namespace Bit.Core.Services
 
         private async Task VerifyDependenciesAsync(SsoConfig config)
         {
-            var policy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg);
-            if (policy is not { Enabled: true })
+            var singleOrgPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg);
+            if (singleOrgPolicy is not { Enabled: true })
             {
-                throw new BadRequestException("KeyConnector requires Single Organization to be enabled.");
+                throw new BadRequestException("Key Connector requires the Single Organization policy to be enabled.");
+            }
+
+            var ssoPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.RequireSso);
+            if (ssoPolicy is not { Enabled: true })
+            {
+                throw new BadRequestException("Key Connector requires the Single Sign-On Authentication policy to be enabled.");
+            }
+
+            if (!config.Enabled) {
+                throw new BadRequestException("You must enable SSO to use Key Connector.");
             }
         }