From e872b4df9df247daa4a79a9674390081d69e4227 Mon Sep 17 00:00:00 2001 From: Addison Beck Date: Tue, 20 Oct 2020 02:48:10 -0400 Subject: [PATCH] Only org policy (#962) * added OnlyOrg to PolicyType enum * blocked accepting new org invitations if OnlyOrg is relevant to the userOrg * blocked creating new orgs if already in an org with OnlyOrg enabled * created email alert for OnlyOrg policy * removed users & sent alerts when appropriate for the OnlyOrg policy * added method to noop mail service * cleanup for OnlyOrg policy server logic * blocked confirming new org users if they have violated the OnlyOrg policy since accepting * added localization strings needed for the OnlyOrg policy * allowed OnlyOrg policy configuration from the portal * used correct localization key for onlyorg * formatting and messaging changes for OnlyOrg * formatting * messaging change * code review changes for onlyorg * slimmed down a conditional * optimized getting many orgUser records from many userIds * removed a test file * sql formatting * weirdness * trying to resolve git diff formatting issues --- .../src/Portal/Models/PolicyEditModel.cs | 3 ++ .../src/Portal/Models/PolicyModel.cs | 5 ++ .../src/Portal/Views/Policies/Edit.cshtml | 11 ++++ .../Controllers/OrganizationsController.cs | 20 +++++++- src/Core/Enums/PolicyType.cs | 3 +- ...zationUserRemovedForPolicyOnlyOrg.html.hbs | 9 ++++ ...zationUserRemovedForPolicyOnlyOrg.text.hbs | 5 ++ ...ionUserRemovedForPolicyOnlyOrgViewModel.cs | 7 +++ .../IOrganizationUserRepository.cs | 1 + .../SqlServer/OrganizationUserRepository.cs | 13 +++++ src/Core/Resources/SharedResources.en.resx | 9 ++++ src/Core/Services/IMailService.cs | 1 + .../Implementations/HandlebarsMailService.cs | 14 +++++ .../Implementations/OrganizationService.cs | 38 +++++++++++++- .../Services/Implementations/PolicyService.cs | 51 +++++++++++++------ .../NoopImplementations/NoopMailService.cs | 5 ++ .../OrganizationUser_ReadByUserIds.sql | 18 +++++++ .../2020-10-14_00_OrgUserReadByUserIds.sql | 25 +++++++++ 18 files changed, 218 insertions(+), 20 deletions(-) create mode 100644 src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs create mode 100644 src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs create mode 100644 src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs create mode 100644 src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql create mode 100644 util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql diff --git a/bitwarden_license/src/Portal/Models/PolicyEditModel.cs b/bitwarden_license/src/Portal/Models/PolicyEditModel.cs index f99f8dc9d9..94610d1605 100644 --- a/bitwarden_license/src/Portal/Models/PolicyEditModel.cs +++ b/bitwarden_license/src/Portal/Models/PolicyEditModel.cs @@ -81,6 +81,9 @@ namespace Bit.Portal.Models case PolicyType.PasswordGenerator: existingPolicy.Data = JsonSerializer.Serialize(PasswordGeneratorDataModel, options); break; + case PolicyType.OnlyOrg: + case PolicyType.TwoFactorAuthentication: + break; default: throw new ArgumentOutOfRangeException(); } diff --git a/bitwarden_license/src/Portal/Models/PolicyModel.cs b/bitwarden_license/src/Portal/Models/PolicyModel.cs index 16c1ed9ba7..01f24c595e 100644 --- a/bitwarden_license/src/Portal/Models/PolicyModel.cs +++ b/bitwarden_license/src/Portal/Models/PolicyModel.cs @@ -32,6 +32,11 @@ namespace Bit.Portal.Models DescriptionKey = "PasswordGeneratorDescription"; break; + case PolicyType.OnlyOrg: + NameKey = "OnlyOrganization"; + DescriptionKey = "OnlyOrganizationDescription"; + break; + default: throw new ArgumentOutOfRangeException(); } diff --git a/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml b/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml index 810c3e6135..0f389691c7 100644 --- a/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml +++ b/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml @@ -22,6 +22,17 @@ } + @if (Model.PolicyType == PolicyType.OnlyOrg) + { + + } +
diff --git a/src/Api/Controllers/OrganizationsController.cs b/src/Api/Controllers/OrganizationsController.cs index 310f3387d0..969a99d15a 100644 --- a/src/Api/Controllers/OrganizationsController.cs +++ b/src/Api/Controllers/OrganizationsController.cs @@ -4,6 +4,7 @@ using System.Threading.Tasks; using Microsoft.AspNetCore.Mvc; using Bit.Core.Repositories; using Microsoft.AspNetCore.Authorization; +using Bit.Core.Enums; using Bit.Core.Models.Api; using Bit.Core.Exceptions; using Bit.Core.Services; @@ -25,6 +26,7 @@ namespace Bit.Api.Controllers private readonly IPaymentService _paymentService; private readonly CurrentContext _currentContext; private readonly GlobalSettings _globalSettings; + private readonly IPolicyRepository _policyRepository; public OrganizationsController( IOrganizationRepository organizationRepository, @@ -33,7 +35,8 @@ namespace Bit.Api.Controllers IUserService userService, IPaymentService paymentService, CurrentContext currentContext, - GlobalSettings globalSettings) + GlobalSettings globalSettings, + IPolicyRepository policyRepository) { _organizationRepository = organizationRepository; _organizationUserRepository = organizationUserRepository; @@ -42,6 +45,7 @@ namespace Bit.Api.Controllers _paymentService = paymentService; _currentContext = currentContext; _globalSettings = globalSettings; + _policyRepository = policyRepository; } [HttpGet("{id}")] @@ -156,6 +160,13 @@ namespace Bit.Api.Controllers throw new Exception("Invalid plan selected."); } + var policies = await _policyRepository.GetManyByUserIdAsync(user.Id); + if (policies.Any(policy => policy.Type == PolicyType.OnlyOrg)) + { + throw new Exception("You may not create an organization. You belong to an organization " + + "which has a policy that prohibits you from being a member of any other organization."); + } + var organizationSignup = model.ToOrganizationSignup(user); var result = await _organizationService.SignUpAsync(organizationSignup); return new OrganizationResponseModel(result.Item1); @@ -177,6 +188,13 @@ namespace Bit.Api.Controllers throw new BadRequestException("Invalid license"); } + var policies = await _policyRepository.GetManyByUserIdAsync(user.Id); + if (policies.Any(policy => policy.Type == PolicyType.OnlyOrg)) + { + throw new Exception("You may not create an organization. You belong to an organization " + + "which has a policy that prohibits you from being a member of any other organization."); + } + var result = await _organizationService.SignUpAsync(license, user, model.Key, model.CollectionName); return new OrganizationResponseModel(result.Item1); } diff --git a/src/Core/Enums/PolicyType.cs b/src/Core/Enums/PolicyType.cs index ebed30b323..7735470373 100644 --- a/src/Core/Enums/PolicyType.cs +++ b/src/Core/Enums/PolicyType.cs @@ -4,6 +4,7 @@ { TwoFactorAuthentication = 0, MasterPassword = 1, - PasswordGenerator = 2 + PasswordGenerator = 2, + OnlyOrg = 3, } } diff --git a/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs new file mode 100644 index 0000000000..bd2e4eb946 --- /dev/null +++ b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs @@ -0,0 +1,9 @@ +{{#>FullHtmlLayout}} + + + + +
+ Your user account has been removed from the {{OrganizationName}} organization because you are a part of another organization. The {{OrganizationName}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations or join with a different account. +
+{{/FullHtmlLayout}} diff --git a/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs new file mode 100644 index 0000000000..44ef628a90 --- /dev/null +++ b/src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs @@ -0,0 +1,5 @@ +{{#>BasicTextLayout}} +Your user account has been removed from the {{OrganizationName}} organization because you are a part of another +organization. The {{OrganizationName}} has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations, or join with a +new account. +{{/BasicTextLayout}} diff --git a/src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs b/src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs new file mode 100644 index 0000000000..d1425d00fd --- /dev/null +++ b/src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs @@ -0,0 +1,7 @@ +namespace Bit.Core.Models.Mail +{ + public class OrganizationUserRemovedForPolicyOnlyOrgViewModel : BaseMailModel + { + public string OrganizationName { get; set; } + } +} diff --git a/src/Core/Repositories/IOrganizationUserRepository.cs b/src/Core/Repositories/IOrganizationUserRepository.cs index a911e6b5ef..6bd3abf783 100644 --- a/src/Core/Repositories/IOrganizationUserRepository.cs +++ b/src/Core/Repositories/IOrganizationUserRepository.cs @@ -26,5 +26,6 @@ namespace Bit.Core.Repositories Task UpdateGroupsAsync(Guid orgUserId, IEnumerable groupIds); Task CreateAsync(OrganizationUser obj, IEnumerable collections); Task ReplaceAsync(OrganizationUser obj, IEnumerable collections); + Task> GetManyByManyUsersAsync(IEnumerable userIds); } } diff --git a/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs b/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs index bfc6a494a1..45db606312 100644 --- a/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs +++ b/src/Core/Repositories/SqlServer/OrganizationUserRepository.cs @@ -231,5 +231,18 @@ namespace Bit.Core.Repositories.SqlServer { public DataTable Collections { get; set; } } + + public async Task> GetManyByManyUsersAsync(IEnumerable userIds) + { + using (var connection = new SqlConnection(ConnectionString)) + { + var results = await connection.QueryAsync( + "[dbo].[OrganizationUser_ReadByUserIds]", + new { UserIds = userIds.ToGuidIdArrayTVP() }, + commandType: CommandType.StoredProcedure); + + return results.ToList(); + } + } } } diff --git a/src/Core/Resources/SharedResources.en.resx b/src/Core/Resources/SharedResources.en.resx index 3df8e72c00..b751d85821 100644 --- a/src/Core/Resources/SharedResources.en.resx +++ b/src/Core/Resources/SharedResources.en.resx @@ -539,4 +539,13 @@ OIDC Redirect Behavior + + Only Organization + + + Restrict users from being able to join any other organizations. + + + Organization members who are already a part of another organization will be removed from this organization and will receive an email notifying them about the change. + diff --git a/src/Core/Services/IMailService.cs b/src/Core/Services/IMailService.cs index d4c84b39f3..9b22da00f0 100644 --- a/src/Core/Services/IMailService.cs +++ b/src/Core/Services/IMailService.cs @@ -28,5 +28,6 @@ namespace Bit.Core.Services Task SendLicenseExpiredAsync(IEnumerable emails, string organizationName = null); Task SendNewDeviceLoggedInEmail(string email, string deviceType, DateTime timestamp, string ip); Task SendRecoverTwoFactorEmail(string email, DateTime timestamp, string ip); + Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email); } } diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs index da5ab933a0..289153b09b 100644 --- a/src/Core/Services/Implementations/HandlebarsMailService.cs +++ b/src/Core/Services/Implementations/HandlebarsMailService.cs @@ -326,6 +326,20 @@ namespace Bit.Core.Services await _mailDeliveryService.SendEmailAsync(message); } + public async Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email) + { + var message = CreateDefaultMessage($"You have been removed from {organizationName}", email); + var model = new OrganizationUserRemovedForPolicyOnlyOrgViewModel + { + OrganizationName = CoreHelpers.SanitizeForEmail(organizationName), + WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash, + SiteName = _globalSettings.SiteName + }; + await AddMessageContentAsync(message, "OrganizationUserRemovedForPolicyOnlyOrg", model); + message.Category = "OrganizationUserRemovedForPolicyOnlyOrg"; + await _mailDeliveryService.SendEmailAsync(message); + } + private MailMessage CreateDefaultMessage(string subject, string toEmail) { return CreateDefaultMessage(subject, new List { toEmail }); diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs index 42e0da22b5..0342f66e24 100644 --- a/src/Core/Services/Implementations/OrganizationService.cs +++ b/src/Core/Services/Implementations/OrganizationService.cs @@ -1135,10 +1135,34 @@ namespace Bit.Core.Services } } + ICollection orgPolicies = null; + ICollection userPolicies = null; + async Task hasPolicyAsync(PolicyType policyType, bool useUserPolicies = false) + { + var policies = useUserPolicies ? + userPolicies = userPolicies ?? await _policyRepository.GetManyByUserIdAsync(user.Id) : + orgPolicies = orgPolicies ?? await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId); + + return policies.Any(p => p.Type == policyType && p.Enabled); + } + var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id); + if (userOrgs.Any(ou => ou.OrganizationId != orgUser.OrganizationId && ou.Status != OrganizationUserStatusType.Invited)) + { + if (await hasPolicyAsync(PolicyType.OnlyOrg)) + { + throw new BadRequestException("You may not join this organization until you leave or remove " + + "all other organizations."); + } + if (await hasPolicyAsync(PolicyType.OnlyOrg, true)) + { + throw new BadRequestException("You cannot join this organization because you are a member of " + + "an organization which forbids it"); + } + } + if (!await userService.TwoFactorIsEnabledAsync(user)) { - var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId); - if (policies.Any(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled)) + if (await hasPolicyAsync(PolicyType.TwoFactorAuthentication)) { throw new BadRequestException("You cannot join this organization until you enable " + "two-step login on your user account."); @@ -1185,6 +1209,16 @@ namespace Bit.Core.Services throw new BadRequestException("User does not have two-step login enabled."); } + var usingOnlyOrgPolicy = policies.Any(p => p.Type == PolicyType.OnlyOrg && p.Enabled); + if (usingOnlyOrgPolicy) + { + var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id); + if (userOrgs.Any(ou => ou.OrganizationId != organizationId && ou.Status != OrganizationUserStatusType.Invited)) + { + throw new BadRequestException("User is a member of another organization."); + } + } + orgUser.Status = OrganizationUserStatusType.Confirmed; orgUser.Key = key; orgUser.Email = null; diff --git a/src/Core/Services/Implementations/PolicyService.cs b/src/Core/Services/Implementations/PolicyService.cs index 8d0fb9b4dd..a9a59cdc30 100644 --- a/src/Core/Services/Implementations/PolicyService.cs +++ b/src/Core/Services/Implementations/PolicyService.cs @@ -1,6 +1,8 @@ using System; +using System.Collections.Generic; using System.Linq; using System.Threading.Tasks; +using Bit.Core.Enums; using Bit.Core.Exceptions; using Bit.Core.Models.Table; using Bit.Core.Repositories; @@ -53,27 +55,44 @@ namespace Bit.Core.Services var currentPolicy = await _policyRepository.GetByIdAsync(policy.Id); if (!currentPolicy?.Enabled ?? true) { - if (currentPolicy.Type == Enums.PolicyType.TwoFactorAuthentication) + Organization organization = null; + var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync( + policy.OrganizationId); + var removableOrgUsers = orgUsers.Where(ou => + ou.Status != Enums.OrganizationUserStatusType.Invited && + ou.Type != Enums.OrganizationUserType.Owner && ou.UserId != savingUserId); + switch (currentPolicy.Type) { - Organization organization = null; - var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync( - policy.OrganizationId); - foreach (var orgUser in orgUsers.Where(ou => - ou.Status != Enums.OrganizationUserStatusType.Invited && - ou.Type != Enums.OrganizationUserType.Owner)) - { - if (orgUser.UserId != savingUserId && !await userService.TwoFactorIsEnabledAsync(orgUser)) + case Enums.PolicyType.TwoFactorAuthentication: + foreach (var orgUser in removableOrgUsers) { - if (organization == null) + if (!await userService.TwoFactorIsEnabledAsync(orgUser)) { - organization = await _organizationRepository.GetByIdAsync(policy.OrganizationId); + organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId); + await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id, + savingUserId); + await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync( + organization.Name, orgUser.Email); } - await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id, - savingUserId); - await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync( - organization.Name, orgUser.Email); } - } + break; + case Enums.PolicyType.OnlyOrg: + var userOrgs = await _organizationUserRepository.GetManyByManyUsersAsync( + removableOrgUsers.Select(ou => ou.UserId.Value)); + foreach (var orgUser in removableOrgUsers) + { + if (userOrgs.Any(ou => ou.UserId == orgUser.UserId && ou.Status != OrganizationUserStatusType.Invited)) + { + organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId); + await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id, + savingUserId); + await _mailService.SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync( + organization.Name, orgUser.Email); + } + } + break; + default: + break; } } } diff --git a/src/Core/Services/NoopImplementations/NoopMailService.cs b/src/Core/Services/NoopImplementations/NoopMailService.cs index 0ccf7740bf..86634f4cd0 100644 --- a/src/Core/Services/NoopImplementations/NoopMailService.cs +++ b/src/Core/Services/NoopImplementations/NoopMailService.cs @@ -102,5 +102,10 @@ namespace Bit.Core.Services { return Task.FromResult(0); } + + public Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email) + { + return Task.FromResult(0); + } } } diff --git a/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql b/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql new file mode 100644 index 0000000000..f4acc82d88 --- /dev/null +++ b/src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql @@ -0,0 +1,18 @@ +CREATE PROCEDURE [dbo].[OrganizationUser_ReadByUserIds] + @UserIds AS [dbo].[GuidIdArray] READONLY +AS +BEGIN + SET NOCOUNT ON + + IF (SELECT COUNT(1) FROM @UserIds) < 1 + BEGIN + RETURN(-1) + END + + SELECT + * + FROM + [dbo].[OrganizationUserView] + WHERE + [UserId] IN (SELECT [Id] FROM @UserIds) +END diff --git a/util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql b/util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql new file mode 100644 index 0000000000..ea7e2e51a7 --- /dev/null +++ b/util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql @@ -0,0 +1,25 @@ +IF OBJECT_ID('[dbo].[OrganizationUser_ReadByUserIds]') IS NOT NULL +BEGIN + DROP PROCEDURE [dbo].[OrganizationUser_ReadByUserIds] +END +GO + +CREATE PROCEDURE [dbo].[OrganizationUser_ReadByUserIds] + @UserIds AS [dbo].[GuidIdArray] READONLY +AS +BEGIN + SET NOCOUNT ON + + IF (SELECT COUNT(1) FROM @UserIds) < 1 + BEGIN + RETURN(-1) + END + + SELECT + * + FROM + [dbo].[OrganizationUserView] + WHERE + [UserId] IN (SELECT [Id] FROM @UserIds) +END +GO