nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

Only org policy (#962)

Browse Source 
* added OnlyOrg to PolicyType enum

* blocked accepting new org invitations if OnlyOrg is relevant to the userOrg

* blocked creating new orgs if already in an org with OnlyOrg enabled

* created email alert for OnlyOrg policy

* removed users & sent alerts when appropriate for the OnlyOrg policy

* added method to noop mail service

* cleanup for OnlyOrg policy server logic

* blocked confirming new org users if they have violated the OnlyOrg policy since accepting

* added localization strings needed for the OnlyOrg policy

* allowed OnlyOrg policy configuration from the portal

* used correct localization key for onlyorg

* formatting and messaging changes for OnlyOrg

* formatting

* messaging change

* code review changes for onlyorg

* slimmed down a conditional

* optimized getting many orgUser records from many userIds

* removed a test file

* sql formatting

* weirdness

* trying to resolve git diff formatting issues
This commit is contained in:
Addison Beck 2020-10-20 02:48:10 -04:00 committed by GitHub
parent 50cf16a3fb
commit e872b4df9d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 218 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bitwarden_license/src/Portal/Models/PolicyEditModel.cs
View File

@ -81,6 +81,9 @@ namespace Bit.Portal.Models
case PolicyType.PasswordGenerator:
existingPolicy.Data = JsonSerializer.Serialize(PasswordGeneratorDataModel, options);
break;
case PolicyType.OnlyOrg:
case PolicyType.TwoFactorAuthentication:
break;
default:
throw new ArgumentOutOfRangeException();
}

5
bitwarden_license/src/Portal/Models/PolicyModel.cs
View File

@ -32,6 +32,11 @@ namespace Bit.Portal.Models
DescriptionKey = "PasswordGeneratorDescription";
break;
case PolicyType.OnlyOrg:
NameKey = "OnlyOrganization";
DescriptionKey = "OnlyOrganizationDescription";
break;
default:
throw new ArgumentOutOfRangeException();
}

11
bitwarden_license/src/Portal/Views/Policies/Edit.cshtml
View File

@ -22,6 +22,17 @@
</div>
}
@if (Model.PolicyType == PolicyType.OnlyOrg)
{
<div class="callout callout-warning" role="alert">
<h3 class="callout-heading">
<i class="fa fa-warning" *ngIf="icon" aria-hidden="true"></i>
@i18nService.T("Warning")
</h3>
@i18nService.T("OnlyOrganizationPolicyWarning")
</div>
}
<div class="form-group">
<div class="form-check">
<input class="form-check-input" type="checkbox" asp-for="Enabled">

20
src/Api/Controllers/OrganizationsController.cs
View File

@ -4,6 +4,7 @@ using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Bit.Core.Repositories;
using Microsoft.AspNetCore.Authorization;
using Bit.Core.Enums;
using Bit.Core.Models.Api;
using Bit.Core.Exceptions;
using Bit.Core.Services;
@ -25,6 +26,7 @@ namespace Bit.Api.Controllers
private readonly IPaymentService _paymentService;
private readonly CurrentContext _currentContext;
private readonly GlobalSettings _globalSettings;
private readonly IPolicyRepository _policyRepository;
public OrganizationsController(
IOrganizationRepository organizationRepository,
@ -33,7 +35,8 @@ namespace Bit.Api.Controllers
IUserService userService,
IPaymentService paymentService,
CurrentContext currentContext,
GlobalSettings globalSettings)
GlobalSettings globalSettings,
IPolicyRepository policyRepository)
{
_organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository;
@ -42,6 +45,7 @@ namespace Bit.Api.Controllers
_paymentService = paymentService;
_currentContext = currentContext;
_globalSettings = globalSettings;
_policyRepository = policyRepository;
}
[HttpGet("{id}")]
@ -156,6 +160,13 @@ namespace Bit.Api.Controllers
throw new Exception("Invalid plan selected.");
}
var policies = await _policyRepository.GetManyByUserIdAsync(user.Id);
if (policies.Any(policy => policy.Type == PolicyType.OnlyOrg))
{
throw new Exception("You may not create an organization. You belong to an organization " +
"which has a policy that prohibits you from being a member of any other organization.");
}
var organizationSignup = model.ToOrganizationSignup(user);
var result = await _organizationService.SignUpAsync(organizationSignup);
return new OrganizationResponseModel(result.Item1);
@ -177,6 +188,13 @@ namespace Bit.Api.Controllers
throw new BadRequestException("Invalid license");
}
var policies = await _policyRepository.GetManyByUserIdAsync(user.Id);
if (policies.Any(policy => policy.Type == PolicyType.OnlyOrg))
{
throw new Exception("You may not create an organization. You belong to an organization " +
"which has a policy that prohibits you from being a member of any other organization.");
}
var result = await _organizationService.SignUpAsync(license, user, model.Key, model.CollectionName);
return new OrganizationResponseModel(result.Item1);
}

3
src/Core/Enums/PolicyType.cs
View File

@ -4,6 +4,7 @@
{
TwoFactorAuthentication = 0,
MasterPassword = 1,
PasswordGenerator = 2
PasswordGenerator = 2,
OnlyOrg = 3,
}
}

9
src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.html.hbs Normal file
View File

@ -0,0 +1,9 @@
{{#>FullHtmlLayout}}
<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
<td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top" align="left">
Your user account has been removed from the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{OrganizationName}}</b> organization because you are a part of another organization. The {{OrganizationName}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations or join with a different account.
</td>
</tr>
</table>
{{/FullHtmlLayout}}

5
src/Core/MailTemplates/Handlebars/OrganizationUserRemovedForPolicyOnlyOrg.text.hbs Normal file
View File

@ -0,0 +1,5 @@
{{#>BasicTextLayout}}
Your user account has been removed from the {{OrganizationName}} organization because you are a part of another
organization. The {{OrganizationName}} has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations, or join with a
new account.
{{/BasicTextLayout}}

7
src/Core/Models/Mail/OrganizationUserRemovedForPolicyOnlyOrgViewModel.cs Normal file
View File

@ -0,0 +1,7 @@
namespace Bit.Core.Models.Mail
{
public class OrganizationUserRemovedForPolicyOnlyOrgViewModel : BaseMailModel
{
public string OrganizationName { get; set; }
}
}

1
src/Core/Repositories/IOrganizationUserRepository.cs
View File

@ -26,5 +26,6 @@ namespace Bit.Core.Repositories
Task UpdateGroupsAsync(Guid orgUserId, IEnumerable<Guid> groupIds);
Task CreateAsync(OrganizationUser obj, IEnumerable<SelectionReadOnly> collections);
Task ReplaceAsync(OrganizationUser obj, IEnumerable<SelectionReadOnly> collections);
Task<ICollection<OrganizationUser>> GetManyByManyUsersAsync(IEnumerable<Guid> userIds);
}
}

13
src/Core/Repositories/SqlServer/OrganizationUserRepository.cs
View File

@ -231,5 +231,18 @@ namespace Bit.Core.Repositories.SqlServer
{
public DataTable Collections { get; set; }
}
public async Task<ICollection<OrganizationUser>> GetManyByManyUsersAsync(IEnumerable<Guid> userIds)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<OrganizationUser>(
"[dbo].[OrganizationUser_ReadByUserIds]",
new { UserIds = userIds.ToGuidIdArrayTVP() },
commandType: CommandType.StoredProcedure);
return results.ToList();
}
}
}
}

9
src/Core/Resources/SharedResources.en.resx
View File

@ -539,4 +539,13 @@
<data name="RedirectBehavior" xml:space="preserve">
<value>OIDC Redirect Behavior</value>
</data>
<data name="OnlyOrganization" xml:space="preserve">
<value>Only Organization</value>
</data>
<data name="OnlyOrganizationDescription" xml:space="preserve">
<value>Restrict users from being able to join any other organizations.</value>
</data>
<data name="OnlyOrganizationPolicyWarning" xml:space="preserve">
<value>Organization members who are already a part of another organization will be removed from this organization and will receive an email notifying them about the change.</value>
</data>
</root>

1
src/Core/Services/IMailService.cs
View File

@ -28,5 +28,6 @@ namespace Bit.Core.Services
Task SendLicenseExpiredAsync(IEnumerable<string> emails, string organizationName = null);
Task SendNewDeviceLoggedInEmail(string email, string deviceType, DateTime timestamp, string ip);
Task SendRecoverTwoFactorEmail(string email, DateTime timestamp, string ip);
Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email);
}
}

14
src/Core/Services/Implementations/HandlebarsMailService.cs
View File

@ -326,6 +326,20 @@ namespace Bit.Core.Services
await _mailDeliveryService.SendEmailAsync(message);
}
public async Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email)
{
var message = CreateDefaultMessage($"You have been removed from {organizationName}", email);
var model = new OrganizationUserRemovedForPolicyOnlyOrgViewModel
{
OrganizationName = CoreHelpers.SanitizeForEmail(organizationName),
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
SiteName = _globalSettings.SiteName
};
await AddMessageContentAsync(message, "OrganizationUserRemovedForPolicyOnlyOrg", model);
message.Category = "OrganizationUserRemovedForPolicyOnlyOrg";
await _mailDeliveryService.SendEmailAsync(message);
}
private MailMessage CreateDefaultMessage(string subject, string toEmail)
{
return CreateDefaultMessage(subject, new List<string> { toEmail });

38
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -1135,10 +1135,34 @@ namespace Bit.Core.Services
}
}
ICollection<Policy> orgPolicies = null;
ICollection<Policy> userPolicies = null;
async Task<bool> hasPolicyAsync(PolicyType policyType, bool useUserPolicies = false)
{
var policies = useUserPolicies ?
userPolicies = userPolicies ?? await _policyRepository.GetManyByUserIdAsync(user.Id) :
orgPolicies = orgPolicies ?? await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId);
return policies.Any(p => p.Type == policyType && p.Enabled);
}
var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
if (userOrgs.Any(ou => ou.OrganizationId != orgUser.OrganizationId && ou.Status != OrganizationUserStatusType.Invited))
{
if (await hasPolicyAsync(PolicyType.OnlyOrg))
{
throw new BadRequestException("You may not join this organization until you leave or remove " +
"all other organizations.");
}
if (await hasPolicyAsync(PolicyType.OnlyOrg, true))
{
throw new BadRequestException("You cannot join this organization because you are a member of " +
"an organization which forbids it");
}
}
if (!await userService.TwoFactorIsEnabledAsync(user))
{
var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId);
if (policies.Any(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled))
if (await hasPolicyAsync(PolicyType.TwoFactorAuthentication))
{
throw new BadRequestException("You cannot join this organization until you enable " +
"two-step login on your user account.");
@ -1185,6 +1209,16 @@ namespace Bit.Core.Services
throw new BadRequestException("User does not have two-step login enabled.");
}
var usingOnlyOrgPolicy = policies.Any(p => p.Type == PolicyType.OnlyOrg && p.Enabled);
if (usingOnlyOrgPolicy)
{
var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
if (userOrgs.Any(ou => ou.OrganizationId != organizationId && ou.Status != OrganizationUserStatusType.Invited))
{
throw new BadRequestException("User is a member of another organization.");
}
}
orgUser.Status = OrganizationUserStatusType.Confirmed;
orgUser.Key = key;
orgUser.Email = null;

35
src/Core/Services/Implementations/PolicyService.cs
View File

@ -1,6 +1,8 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
@ -52,28 +54,45 @@ namespace Bit.Core.Services
{
var currentPolicy = await _policyRepository.GetByIdAsync(policy.Id);
if (!currentPolicy?.Enabled ?? true)
{
if (currentPolicy.Type == Enums.PolicyType.TwoFactorAuthentication)
{
Organization organization = null;
var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(
policy.OrganizationId);
foreach (var orgUser in orgUsers.Where(ou =>
var removableOrgUsers = orgUsers.Where(ou =>
ou.Status != Enums.OrganizationUserStatusType.Invited &&
ou.Type != Enums.OrganizationUserType.Owner))
ou.Type != Enums.OrganizationUserType.Owner && ou.UserId != savingUserId);
switch (currentPolicy.Type)
{
if (orgUser.UserId != savingUserId && !await userService.TwoFactorIsEnabledAsync(orgUser))
case Enums.PolicyType.TwoFactorAuthentication:
foreach (var orgUser in removableOrgUsers)
{
if (organization == null)
if (!await userService.TwoFactorIsEnabledAsync(orgUser))
{
organization = await _organizationRepository.GetByIdAsync(policy.OrganizationId);
}
organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
savingUserId);
await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
organization.Name, orgUser.Email);
}
}
break;
case Enums.PolicyType.OnlyOrg:
var userOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
removableOrgUsers.Select(ou => ou.UserId.Value));
foreach (var orgUser in removableOrgUsers)
{
if (userOrgs.Any(ou => ou.UserId == orgUser.UserId && ou.Status != OrganizationUserStatusType.Invited))
{
organization = organization ?? await _organizationRepository.GetByIdAsync(policy.OrganizationId);
await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id,
savingUserId);
await _mailService.SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(
organization.Name, orgUser.Email);
}
}
break;
default:
break;
}
}
}

5
src/Core/Services/NoopImplementations/NoopMailService.cs
View File

@ -102,5 +102,10 @@ namespace Bit.Core.Services
{
return Task.FromResult(0);
}
public Task SendOrganizationUserRemovedForPolicyOnlyOrgEmailAsync(string organizationName, string email)
{
return Task.FromResult(0);
}
}
}

18
src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByUserIds.sql Normal file
View File

@ -0,0 +1,18 @@
CREATE PROCEDURE [dbo].[OrganizationUser_ReadByUserIds]
@UserIds AS [dbo].[GuidIdArray] READONLY
AS
BEGIN
SET NOCOUNT ON
IF (SELECT COUNT(1) FROM @UserIds) < 1
BEGIN
RETURN(-1)
END
SELECT
*
FROM
[dbo].[OrganizationUserView]
WHERE
[UserId] IN (SELECT [Id] FROM @UserIds)
END

25
util/Migrator/DbScripts/2020-10-14_00_OrgUserReadByUserIds.sql Normal file
View File

@ -0,0 +1,25 @@
IF OBJECT_ID('[dbo].[OrganizationUser_ReadByUserIds]') IS NOT NULL
BEGIN
DROP PROCEDURE [dbo].[OrganizationUser_ReadByUserIds]
END
GO
CREATE PROCEDURE [dbo].[OrganizationUser_ReadByUserIds]
@UserIds AS [dbo].[GuidIdArray] READONLY
AS
BEGIN
SET NOCOUNT ON
IF (SELECT COUNT(1) FROM @UserIds) < 1
BEGIN
RETURN(-1)
END
SELECT
*
FROM
[dbo].[OrganizationUserView]
WHERE
[UserId] IN (SELECT [Id] FROM @UserIds)
END
GO