mirror of
https://github.com/bitwarden/server.git
synced 2025-05-20 11:04:31 -05:00
[Key Connector] Fix policy checks and other pre-reqs (#1711)
* Require SSO Policy to enable Key Connector * Require that SSO is enabled to use Key Connector * Fix error messages "Key Connector" instead of "KeyConnector" * Refactor dependent policy checks to handle expansion * Block disabling Sso Policy if using Key Connector * Update tests for policies required by Key Connector * Fix tests * Add test for Key Connector to require Sso Policy * Add test: Sso config must be enabled to use Key Connector
This commit is contained in:
Thomas Rittson
GitHub
parent
f1c41257b3
commit
c2975b003d
@ -54,37 +54,27 @@ namespace Bit.Core.Services
|
|||||||
case PolicyType.SingleOrg:
|
case PolicyType.SingleOrg:
|
||||||
if (!policy.Enabled)
|
if (!policy.Enabled)
|
||||||
{
|
{
|
||||||
var requireSso =
|
await RequiredBySsoAsync(org);
|
||||||
await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.RequireSso);
|
await RequiredByVaultTimeoutAsync(org);
|
||||||
if (requireSso?.Enabled == true)
|
await RequiredByKeyConnectorAsync(org);
|
||||||
{
|
|
||||||
throw new BadRequestException("Single Sign-On Authentication policy is enabled.");
|
|
||||||
}
|
|
||||||
|
|
||||||
var vaultTimeout =
|
|
||||||
await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);
|
|
||||||
if (vaultTimeout?.Enabled == true)
|
|
||||||
{
|
|
||||||
throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
|
|
||||||
}
|
|
||||||
|
|
||||||
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
|
|
||||||
if (ssoConfig?.GetData()?.UseKeyConnector == true)
|
|
||||||
{
|
|
||||||
throw new BadRequestException("KeyConnector is enabled.");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PolicyType.RequireSso:
|
case PolicyType.RequireSso:
|
||||||
|
if (policy.Enabled)
|
||||||
|
{
|
||||||
|
await DependsOnSingleOrgAsync(org);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
await RequiredByKeyConnectorAsync(org);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
case PolicyType.MaximumVaultTimeout:
|
case PolicyType.MaximumVaultTimeout:
|
||||||
if (policy.Enabled)
|
if (policy.Enabled)
|
||||||
{
|
{
|
||||||
var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);
|
await DependsOnSingleOrgAsync(org);
|
||||||
if (singleOrg?.Enabled != true)
|
|
||||||
{
|
|
||||||
throw new BadRequestException("Single Organization policy not enabled.");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -144,5 +134,42 @@ namespace Bit.Core.Services
|
|||||||
await _policyRepository.UpsertAsync(policy);
|
await _policyRepository.UpsertAsync(policy);
|
||||||
await _eventService.LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated);
|
await _eventService.LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private async Task DependsOnSingleOrgAsync(Organization org)
|
||||||
|
{
|
||||||
|
var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);
|
||||||
|
if (singleOrg?.Enabled != true)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Single Organization policy not enabled.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task RequiredBySsoAsync(Organization org)
|
||||||
|
{
|
||||||
|
var requireSso = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.RequireSso);
|
||||||
|
if (requireSso?.Enabled == true)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Single Sign-On Authentication policy is enabled.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task RequiredByKeyConnectorAsync(Organization org)
|
||||||
|
{
|
||||||
|
|
||||||
|
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
|
||||||
|
if (ssoConfig?.GetData()?.UseKeyConnector == true)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Key Connector is enabled.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task RequiredByVaultTimeoutAsync(Organization org)
|
||||||
|
{
|
||||||
|
var vaultTimeout = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);
|
||||||
|
if (vaultTimeout?.Enabled == true)
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -65,10 +65,20 @@ namespace Bit.Core.Services
|
|||||||
|
|
||||||
private async Task VerifyDependenciesAsync(SsoConfig config)
|
private async Task VerifyDependenciesAsync(SsoConfig config)
|
||||||
{
|
{
|
||||||
var policy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg);
|
var singleOrgPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg);
|
||||||
if (policy is not { Enabled: true })
|
if (singleOrgPolicy is not { Enabled: true })
|
||||||
{
|
{
|
||||||
throw new BadRequestException("KeyConnector requires Single Organization to be enabled.");
|
throw new BadRequestException("Key Connector requires the Single Organization policy to be enabled.");
|
||||||
|
}
|
||||||
|
|
||||||
|
var ssoPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.RequireSso);
|
||||||
|
if (ssoPolicy is not { Enabled: true })
|
||||||
|
{
|
||||||
|
throw new BadRequestException("Key Connector requires the Single Sign-On Authentication policy to be enabled.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!config.Enabled) {
|
||||||
|
throw new BadRequestException("You must enable SSO to use Key Connector.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -126,12 +126,16 @@ namespace Bit.Core.Test.Services
|
|||||||
.UpsertAsync(default);
|
.UpsertAsync(default);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory, CustomAutoData(typeof(SutProviderCustomization))]
|
[Theory]
|
||||||
public async Task SaveAsync_SingleOrg_KeyConnectorEnabled_ThrowsBadRequest(
|
[InlineCustomAutoData(new[] { typeof(SutProviderCustomization) }, Enums.PolicyType.SingleOrg)]
|
||||||
[PolicyFixtures.Policy(Enums.PolicyType.SingleOrg)] Core.Models.Table.Policy policy,
|
[InlineCustomAutoData(new[] { typeof(SutProviderCustomization) }, Enums.PolicyType.RequireSso)]
|
||||||
|
public async Task SaveAsync_PolicyRequiredByKeyConnector_DisablePolicy_ThrowsBadRequest(
|
||||||
|
Enums.PolicyType policyType,
|
||||||
|
Policy policy,
|
||||||
SutProvider<PolicyService> sutProvider)
|
SutProvider<PolicyService> sutProvider)
|
||||||
{
|
{
|
||||||
policy.Enabled = false;
|
policy.Enabled = false;
|
||||||
|
policy.Type = policyType;
|
||||||
|
|
||||||
SetupOrg(sutProvider, policy.OrganizationId, new Organization
|
SetupOrg(sutProvider, policy.OrganizationId, new Organization
|
||||||
{
|
{
|
||||||
@ -153,7 +157,7 @@ namespace Bit.Core.Test.Services
|
|||||||
Substitute.For<IOrganizationService>(),
|
Substitute.For<IOrganizationService>(),
|
||||||
Guid.NewGuid()));
|
Guid.NewGuid()));
|
||||||
|
|
||||||
Assert.Contains("KeyConnector is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
|
Assert.Contains("Key Connector is enabled.", badRequestException.Message, StringComparison.OrdinalIgnoreCase);
|
||||||
|
|
||||||
await sutProvider.GetDependency<IPolicyRepository>()
|
await sutProvider.GetDependency<IPolicyRepository>()
|
||||||
.DidNotReceiveWithAnyArgs()
|
.DidNotReceiveWithAnyArgs()
|
||||||
|
|||||||
@ -145,7 +145,7 @@ namespace Bit.Core.Test.Services
|
|||||||
}
|
}
|
||||||
|
|
||||||
[Theory, CustomAutoData(typeof(SutProviderCustomization))]
|
[Theory, CustomAutoData(typeof(SutProviderCustomization))]
|
||||||
public async Task SaveAsync_KeyConnector_SingleOrgNotEnabled(SutProvider<SsoConfigService> sutProvider)
|
public async Task SaveAsync_KeyConnector_SingleOrgNotEnabled_Throws(SutProvider<SsoConfigService> sutProvider)
|
||||||
{
|
{
|
||||||
var utcNow = DateTime.UtcNow;
|
var utcNow = DateTime.UtcNow;
|
||||||
|
|
||||||
@ -162,7 +162,67 @@ namespace Bit.Core.Test.Services
|
|||||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
() => sutProvider.Sut.SaveAsync(ssoConfig));
|
() => sutProvider.Sut.SaveAsync(ssoConfig));
|
||||||
|
|
||||||
Assert.Contains("KeyConnector requires Single Organization to be enabled.", exception.Message);
|
Assert.Contains("Key Connector requires the Single Organization policy to be enabled.", exception.Message);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<ISsoConfigRepository>().DidNotReceiveWithAnyArgs()
|
||||||
|
.UpsertAsync(default);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, CustomAutoData(typeof(SutProviderCustomization))]
|
||||||
|
public async Task SaveAsync_KeyConnector_SsoPolicyNotEnabled_Throws(SutProvider<SsoConfigService> sutProvider)
|
||||||
|
{
|
||||||
|
var utcNow = DateTime.UtcNow;
|
||||||
|
|
||||||
|
var ssoConfig = new SsoConfig
|
||||||
|
{
|
||||||
|
Id = default,
|
||||||
|
Data = "{\"useKeyConnector\": true}",
|
||||||
|
Enabled = true,
|
||||||
|
OrganizationId = Guid.NewGuid(),
|
||||||
|
CreationDate = utcNow.AddDays(-10),
|
||||||
|
RevisionDate = utcNow.AddDays(-10),
|
||||||
|
};
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyRepository>().GetByOrganizationIdTypeAsync(
|
||||||
|
Arg.Any<Guid>(), Enums.PolicyType.SingleOrg).Returns(new Policy
|
||||||
|
{
|
||||||
|
Enabled = true
|
||||||
|
});
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.SaveAsync(ssoConfig));
|
||||||
|
|
||||||
|
Assert.Contains("Key Connector requires the Single Sign-On Authentication policy to be enabled.", exception.Message);
|
||||||
|
|
||||||
|
await sutProvider.GetDependency<ISsoConfigRepository>().DidNotReceiveWithAnyArgs()
|
||||||
|
.UpsertAsync(default);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, CustomAutoData(typeof(SutProviderCustomization))]
|
||||||
|
public async Task SaveAsync_KeyConnector_SsoConfigNotEnabled_Throws(SutProvider<SsoConfigService> sutProvider)
|
||||||
|
{
|
||||||
|
var utcNow = DateTime.UtcNow;
|
||||||
|
|
||||||
|
var ssoConfig = new SsoConfig
|
||||||
|
{
|
||||||
|
Id = default,
|
||||||
|
Data = "{\"useKeyConnector\": true}",
|
||||||
|
Enabled = false,
|
||||||
|
OrganizationId = Guid.NewGuid(),
|
||||||
|
CreationDate = utcNow.AddDays(-10),
|
||||||
|
RevisionDate = utcNow.AddDays(-10),
|
||||||
|
};
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IPolicyRepository>().GetByOrganizationIdTypeAsync(
|
||||||
|
Arg.Any<Guid>(), Arg.Any<Enums.PolicyType>()).Returns(new Policy
|
||||||
|
{
|
||||||
|
Enabled = true
|
||||||
|
});
|
||||||
|
|
||||||
|
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||||
|
() => sutProvider.Sut.SaveAsync(ssoConfig));
|
||||||
|
|
||||||
|
Assert.Contains("You must enable SSO to use Key Connector.", exception.Message);
|
||||||
|
|
||||||
await sutProvider.GetDependency<ISsoConfigRepository>().DidNotReceiveWithAnyArgs()
|
await sutProvider.GetDependency<ISsoConfigRepository>().DidNotReceiveWithAnyArgs()
|
||||||
.UpsertAsync(default);
|
.UpsertAsync(default);
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user