[PS-616] [PS-795] Fix/auto enroll master password reset without user verification (#2038)

* Fix parameter name to match entity * Deserialize policy data in object * Add policy with config type to fixtures * Return policy with deserialized config * Use CoreHelper serializers * Add master password reset on accept request * Simplify policy data parsing * Linter
2025-06-30 23:52:50 -05:00 · 2022-06-08 08:44:28 -05:00
parent 194b76c13d
commit ef403b4362
18 changed files with 182 additions and 39 deletions
--- a/src/Core/Entities/Policy.cs
+++ b/src/Core/Entities/Policy.cs
@ -1,5 +1,6 @@
 using System;
 using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Utilities;

 namespace Bit.Core.Entities
@ -18,5 +19,24 @@ namespace Bit.Core.Entities
        {
            Id = CoreHelpers.GenerateComb();
        }
+
+        public T GetDataModel<T>() where T : IPolicyDataModel, new()
+        {
+            return CoreHelpers.LoadClassFromJsonData<T>(Data);
+        }
+
+        public void SetDataModel<T>(T dataModel) where T : IPolicyDataModel, new()
+        {
+            Data = CoreHelpers.ClassToJsonData(dataModel);
+        }
+    }
+
+    public class Policy<T> : Policy where T : IPolicyDataModel, new()
+    {
+        public T DataModel
+        {
+            get => GetDataModel<T>();
+            set => SetDataModel(value);
+        }
    }
 }
--- a/src/Core/Models/Data/Organizations/Policies/IPolicyDataModel.cs
+++ b/src/Core/Models/Data/Organizations/Policies/IPolicyDataModel.cs
@ -0,0 +1,6 @@
+namespace Bit.Core.Models.Data.Organizations.Policies
+{
+    public interface IPolicyDataModel
+    {
+    }
+}
--- a/src/Core/Models/Data/Organizations/Policies/ResetPasswordDataModel.cs
+++ b/src/Core/Models/Data/Organizations/Policies/ResetPasswordDataModel.cs
@ -1,8 +1,8 @@
 using System.ComponentModel.DataAnnotations;

-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.Policies
 {
-    public class ResetPasswordDataModel
+    public class ResetPasswordDataModel : IPolicyDataModel
    {
        [Display(Name = "ResetPasswordAutoEnrollCheckbox")]
        public bool AutoEnrollEnabled { get; set; }
--- a/src/Core/Models/Data/Organizations/Policies/SendOptionsPolicyData.cs
+++ b/src/Core/Models/Data/Organizations/Policies/SendOptionsPolicyData.cs
@ -1,8 +1,8 @@
 using System.ComponentModel.DataAnnotations;

-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.Policies
 {
-    public class SendOptionsPolicyData
+    public class SendOptionsPolicyData : IPolicyDataModel
    {
        [Display(Name = "DisableHideEmail")]
        public bool DisableHideEmail { get; set; }
--- a/src/Core/Repositories/IPolicyRepository.cs
+++ b/src/Core/Repositories/IPolicyRepository.cs
@ -3,12 +3,14 @@ using System.Collections.Generic;
 using System.Threading.Tasks;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.Policies;

 namespace Bit.Core.Repositories
 {
    public interface IPolicyRepository : IRepository<Policy, Guid>
    {
        Task<Policy> GetByOrganizationIdTypeAsync(Guid organizationId, PolicyType type);
+        Task<Policy<T>> GetByOrganizationIdTypeAsync<T>(Guid organizationId, PolicyType type) where T : IPolicyDataModel, new();
        Task<ICollection<Policy>> GetManyByOrganizationIdAsync(Guid organizationId);
        Task<ICollection<Policy>> GetManyByUserIdAsync(Guid userId);
        Task<ICollection<Policy>> GetManyByTypeApplicableToUserIdAsync(Guid userId, PolicyType policyType,
--- a/src/Core/Services/IOrganizationService.cs
+++ b/src/Core/Services/IOrganizationService.cs
@ -51,7 +51,7 @@ namespace Bit.Core.Services
        Task<List<Tuple<OrganizationUser, string>>> DeleteUsersAsync(Guid organizationId,
            IEnumerable<Guid> organizationUserIds, Guid? deletingUserId);
        Task UpdateUserGroupsAsync(OrganizationUser organizationUser, IEnumerable<Guid> groupIds, Guid? loggedInUserId);
-        Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid organizationUserId, string resetPasswordKey, Guid? callingUserId);
+        Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid userId, string resetPasswordKey, Guid? callingUserId);
        Task<OrganizationLicense> GenerateLicenseAsync(Guid organizationId, Guid installationId);
        Task<OrganizationLicense> GenerateLicenseAsync(Organization organization, Guid installationId,
            int? version = null);
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@ -10,6 +10,7 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@ -1751,10 +1752,10 @@ namespace Bit.Core.Services
                EventType.OrganizationUser_UpdatedGroups);
        }

-        public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid organizationUserId, string resetPasswordKey, Guid? callingUserId)
+        public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid userId, string resetPasswordKey, Guid? callingUserId)
        {
            // Org User must be the same as the calling user and the organization ID associated with the user must match passed org ID
-            var orgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, organizationUserId);
+            var orgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
            if (!callingUserId.HasValue || orgUser == null || orgUser.UserId != callingUserId.Value ||
                orgUser.OrganizationId != organizationId)
            {
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@ -1,5 +1,4 @@
 using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
 using Bit.Core.Entities;
--- a/src/Core/Services/Implementations/SendService.cs
+++ b/src/Core/Services/Implementations/SendService.cs
@ -9,6 +9,7 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@ -291,14 +292,9 @@ namespace Bit.Core.Services
            if (send.HideEmail.GetValueOrDefault())
            {
                var sendOptionsPolicies = await _policyRepository.GetManyByTypeApplicableToUserIdAsync(userId.Value, PolicyType.SendOptions);
-                foreach (var policy in sendOptionsPolicies)
+                if (sendOptionsPolicies.Any(p => p.GetDataModel<SendOptionsPolicyData>()?.DisableHideEmail ?? false))
                {
-                    var data = CoreHelpers.LoadClassFromJsonData<SendOptionsPolicyData>(policy.Data);
-                    if (data?.DisableHideEmail ?? false)
-                    {
-                        throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to hide your email address from recipients when creating or editing a Send.");
-                    }
-
+                    throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to hide your email address from recipients when creating or editing a Send.");
                }
            }
        }