Only org policy (#962)

* added OnlyOrg to PolicyType enum * blocked accepting new org invitations if OnlyOrg is relevant to the userOrg * blocked creating new orgs if already in an org with OnlyOrg enabled * created email alert for OnlyOrg policy * removed users & sent alerts when appropriate for the OnlyOrg policy * added method to noop mail service * cleanup for OnlyOrg policy server logic * blocked confirming new org users if they have violated the OnlyOrg policy since accepting * added localization strings needed for the OnlyOrg policy * allowed OnlyOrg policy configuration from the portal * used correct localization key for onlyorg * formatting and messaging changes for OnlyOrg * formatting * messaging change * code review changes for onlyorg * slimmed down a conditional * optimized getting many orgUser records from many userIds * removed a test file * sql formatting * weirdness * trying to resolve git diff formatting issues
2025-07-02 16:42:50 -05:00 · 2020-10-20 02:48:10 -04:00
parent 50cf16a3fb
commit e872b4df9d
18 changed files with 218 additions and 20 deletions
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@ -1,6 +1,8 @@
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Table;
 using Bit.Core.Repositories;
@ -53,27 +55,44 @@ namespace Bit.Core.Services
                var currentPolicy = await _policyRepository.GetByIdAsync(policy.Id);
                if (!currentPolicy?.Enabled ?? true)
                {
-                    if (currentPolicy.Type == Enums.PolicyType.TwoFactorAuthentication)
+                    Organization organization = null;
+                    var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(
+                        policy.OrganizationId);
+                    var removableOrgUsers = orgUsers.Where(ou =>
+                        ou.Status != Enums.OrganizationUserStatusType.Invited &&
+                        ou.Type != Enums.OrganizationUserType.Owner && ou.UserId != savingUserId);
+                    switch (currentPolicy.Type)
                    {
-                        Organization organization = null;
-                        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(
-                            policy.OrganizationId);
-                        foreach (var orgUser in orgUsers.Where(ou =>
-                            ou.Status != Enums.OrganizationUserStatusType.Invited &&
-                            ou.Type != Enums.OrganizationUserType.Owner))
-                        {
-                            if (orgUser.UserId != savingUserId && !await userService.TwoFactorIsEnabledAsync(orgUser))
+                        case Enums.PolicyType.TwoFactorAuthentication:
+                            foreach (var orgUser in removableOrgUsers)
                            {
-                                if (organization == null)
+                                if (!await userService.TwoFactorIsEnabledAsync(orgUser))
                                {
-                                    organization = await _organizationRepository.GetByIdAsync(policy.OrganizationId);
+                                    organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
+                                    await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
+                                        savingUserId);
+                                    await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
+                                        organization.Name, orgUser.Email);
                                }
-                                await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
-                                    savingUserId);
-                                await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
-                                    organization.Name, orgUser.Email);
                            }
-                        }
+                        break;
+                        case Enums.PolicyType.OnlyOrg:
+                            var userOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
+                                    removableOrgUsers.Select(ou => ou.UserId.Value));
+                            foreach (var orgUser in removableOrgUsers)
+                            {
+                                if (userOrgs.Any(ou => ou.UserId == orgUser.UserId && ou.Status != OrganizationUserStatusType.Invited))
+                                {
+                                    organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
+                                    await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
+                                        savingUserId);
+                                    await _mailService.SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(
+                                        organization.Name, orgUser.Email);
+                                }
+                            }
+                        break;
+                        default:
+                        break;
                    }
                }
            }