[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)

* Add HasVerifiedDomainsAsync method to IOrganizationDomainService * Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries * Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter * Update the EF query to use the Email from the User table * dotnet format * Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests * Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync * Fix domain queries * Add OrganizationUserRepository integration tests * Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync * chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync * Add IsManagedByAnyOrganizationAsync method to IUserRepository * Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync * Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync * chore: Refactor IsManagedByAnyOrganizationAsync method in UserService * Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool> * Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query * Update comments in OrganizationDomainService to use proper capitalization * Move OrganizationDomainService to AdminConsole ownership and update namespace * feat: Add support for organization domains in enterprise plans * feat: Add HasOrganizationDomains property to OrganizationAbility class * refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService * Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains * Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag * Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks * Bump date on migration script * Add indexes to OrganizationDomain table * Bump script migration date; Remove WITH ONLINE = ON from data migration.
2025-06-30 15:42:48 -05:00 · 2024-09-11 11:29:57 +01:00
parent 3f1127489d
commit f2180aa7b7
26 changed files with 692 additions and 17 deletions
--- a/src/Admin/Jobs/DeleteUnverifiedOrganizationDomainsJob.cs
+++ b/src/Admin/Jobs/DeleteUnverifiedOrganizationDomainsJob.cs
@ -1,6 +1,6 @@
 using Bit.Core;
+using Bit.Core.AdminConsole.Services;
 using Bit.Core.Jobs;
-using Bit.Core.Services;
 using Quartz;

 namespace Bit.Admin.Jobs;
--- a/src/Api/Jobs/ValidateOrganizationDomainJob.cs
+++ b/src/Api/Jobs/ValidateOrganizationDomainJob.cs
@ -1,6 +1,6 @@
 using Bit.Core;
+using Bit.Core.AdminConsole.Services;
 using Bit.Core.Jobs;
-using Bit.Core.Services;
 using Quartz;

 namespace Bit.Api.Jobs;
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs
@ -0,0 +1,41 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+
+    public GetOrganizationUsersManagementStatusQuery(
+        IApplicationCacheService applicationCacheService,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        _applicationCacheService = applicationCacheService;
+        _organizationUserRepository = organizationUserRepository;
+    }
+
+    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
+    {
+        if (organizationUserIds.Any())
+        {
+            // Users can only be managed by an Organization that is enabled and can have organization domains
+            var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+
+            // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+            // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+            if (organizationAbility is { Enabled: true, UseSso: true })
+            {
+                // Get all organization users with claimed domains by the organization
+                var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
+
+                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
+                return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
+            }
+        }
+
+        return organizationUserIds.ToDictionary(ouId => ouId, _ => false);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs
@ -0,0 +1,19 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+public interface IGetOrganizationUsersManagementStatusQuery
+{
+    /// <summary>
+    /// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
+    /// </summary>
+    /// <param name="organizationId">The unique identifier of the organization to check against.</param>
+    /// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    /// <returns>
+    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
+    /// </returns>
+    Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
+        IEnumerable<Guid> organizationUserIds);
+}
--- a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
@ -17,4 +17,9 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
    Task<SelfHostedOrganizationDetails?> GetSelfHostedOrganizationDetailsById(Guid id);
    Task<ICollection<Organization>> SearchUnassignedToProviderAsync(string name, string ownerEmail, int skip, int take);
    Task<IEnumerable<string>> GetOwnerEmailAddressesById(Guid organizationId);
+
+    /// <summary>
+    /// Gets the organization that has a claimed domain matching the user's email domain.
+    /// </summary>
+    Task<Organization> GetByClaimedUserDomainAsync(Guid userId);
 }
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@ -55,4 +55,8 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
    UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
        IEnumerable<OrganizationUser> resetPasswordKeys);

+    /// <summary>
+    /// Returns a list of OrganizationUsers with email domains that match one of the Organization's claimed domains.
+    /// </summary>
+    Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
 }
--- a/src/Core/AdminConsole/Services/IOrganizationDomainService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationDomainService.cs
@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Services;
+
+public interface IOrganizationDomainService
+{
+    Task ValidateOrganizationsDomainAsync();
+    Task OrganizationDomainMaintenanceAsync();
+    /// <summary>
+    /// Indicates if the organization has any verified domains.
+    /// </summary>
+    Task<bool> HasVerifiedDomainsAsync(Guid orgId);
+}
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
@ -1,9 +1,10 @@
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;

-namespace Bit.Core.Services;
+namespace Bit.Core.AdminConsole.Services.Implementations;

 public class OrganizationDomainService : IOrganizationDomainService
 {
@ -53,7 +54,7 @@ public class OrganizationDomainService : IOrganizationDomainService
                {
                    _logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");

-                    //update entry on OrganizationDomain table 
+                    // Update entry on OrganizationDomain table
                    domain.SetLastCheckedDate();
                    domain.SetVerifiedDate();
                    domain.SetJobRunCount();
@ -64,7 +65,7 @@ public class OrganizationDomainService : IOrganizationDomainService
                }
                else
                {
-                    //update entry on OrganizationDomain table 
+                    // Update entry on OrganizationDomain table
                    domain.SetLastCheckedDate();
                    domain.SetJobRunCount();
                    domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@ -78,7 +79,7 @@ public class OrganizationDomainService : IOrganizationDomainService
            }
            catch (Exception ex)
            {
-                //update entry on OrganizationDomain table 
+                // Update entry on OrganizationDomain table
                domain.SetLastCheckedDate();
                domain.SetJobRunCount();
                domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@ -117,7 +118,7 @@ public class OrganizationDomainService : IOrganizationDomainService

                _logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
            }
-            //delete domains that have not been verified within 7 days 
+            // Delete domains that have not been verified within 7 days
            var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
            _logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
        }
@ -127,6 +128,12 @@ public class OrganizationDomainService : IOrganizationDomainService
        }
    }

+    public async Task<bool> HasVerifiedDomainsAsync(Guid orgId)
+    {
+        var orgDomains = await _domainRepository.GetDomainsByOrganizationIdAsync(orgId);
+        return orgDomains.Any(od => od.VerifiedDate != null);
+    }
+
    private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
    {
        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@ -139,6 +139,7 @@ public static class OrganizationServiceCollectionExtensions
        services.AddScoped<ICountNewSmSeatsRequiredQuery, CountNewSmSeatsRequiredQuery>();
        services.AddScoped<IAcceptOrgUserCommand, AcceptOrgUserCommand>();
        services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
+        services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
    }

    // TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of
--- a/src/Core/Services/IOrganizationDomainService.cs
+++ b/src/Core/Services/IOrganizationDomainService.cs
@ -1,7 +0,0 @@
-namespace Bit.Core.Services;
-
-public interface IOrganizationDomainService
-{
-    Task ValidateOrganizationsDomainAsync();
-    Task OrganizationDomainMaintenanceAsync();
-}
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -86,4 +86,13 @@ public interface IUserService
    /// We force these users to the web to migrate their encryption scheme.
    /// </summary>
    Task<bool> IsLegacyUser(string userId);
+
+    /// <summary>
+    /// Indicates if the user is managed by any organization.
+    /// </summary>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
 }
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -1244,6 +1244,16 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        return IsLegacyUser(user);
    }

+    public async Task<bool> IsManagedByAnyOrganizationAsync(Guid userId)
+    {
+        // Users can only be managed by an Organization that is enabled and can have organization domains
+        var organization = await _organizationRepository.GetByClaimedUserDomainAsync(userId);
+
+        // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+        // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+        return organization is { Enabled: true, UseSso: true };
+    }
+
    /// <inheritdoc cref="IsLegacyUser(string)"/>
    public static bool IsLegacyUser(User user)
    {
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs
@ -167,4 +167,17 @@ public class OrganizationRepository : Repository<Organization, Guid>, IOrganizat
            new { OrganizationId = organizationId },
            commandType: CommandType.StoredProcedure);
    }
+
+    public async Task<Organization> GetByClaimedUserDomainAsync(Guid userId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var result = await connection.QueryAsync<Organization>(
+                "[dbo].[Organization_ReadByClaimedUserEmailDomain]",
+                new { UserId = userId },
+                commandType: CommandType.StoredProcedure);
+
+            return result.SingleOrDefault();
+        }
+    }
 }
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
@ -545,4 +545,17 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
                transaction: transaction,
                commandType: CommandType.StoredProcedure);
    }
+
+    public async Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationUser>(
+                $"[{Schema}].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]",
+                new { OrganizationId = organizationId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@ -271,6 +271,25 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
        return await query.ToListAsync();
    }

+    public async Task<Core.AdminConsole.Entities.Organization> GetByClaimedUserDomainAsync(Guid userId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+
+            var query = from u in dbContext.Users
+                        join ou in dbContext.OrganizationUsers on u.Id equals ou.UserId
+                        join o in dbContext.Organizations on ou.OrganizationId equals o.Id
+                        join od in dbContext.OrganizationDomains on ou.OrganizationId equals od.OrganizationId
+                        where u.Id == userId
+                              && od.VerifiedDate != null
+                              && u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower())
+                        select o;
+
+            return await query.FirstOrDefaultAsync();
+        }
+    }
+
    public Task EnableCollectionEnhancements(Guid organizationId)
    {
        throw new NotImplementedException("Collection enhancements migration is not yet supported for Entity Framework.");
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@ -711,4 +711,14 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
        };
    }

+    public async Task<ICollection<Core.Entities.OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var query = new OrganizationUserReadByClaimedOrganizationDomainsQuery(organizationId);
+            var data = await query.Run(dbContext).ToListAsync();
+            return data;
+        }
+    }
 }
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserReadByClaimedOrganizationDomainsQuery.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserReadByClaimedOrganizationDomainsQuery.cs
@ -0,0 +1,27 @@
+using Bit.Core.Entities;
+
+namespace Bit.Infrastructure.EntityFramework.Repositories.Queries;
+
+public class OrganizationUserReadByClaimedOrganizationDomainsQuery : IQuery<OrganizationUser>
+{
+    private readonly Guid _organizationId;
+
+    public OrganizationUserReadByClaimedOrganizationDomainsQuery(Guid organizationId)
+    {
+        _organizationId = organizationId;
+    }
+
+    public IQueryable<OrganizationUser> Run(DatabaseContext dbContext)
+    {
+        var query = from ou in dbContext.OrganizationUsers
+                    join u in dbContext.Users on ou.UserId equals u.Id
+                    where ou.OrganizationId == _organizationId
+                          && dbContext.OrganizationDomains
+                              .Any(od => od.OrganizationId == _organizationId &&
+                                         od.VerifiedDate != null &&
+                                         u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower()))
+                    select ou;
+
+        return query;
+    }
+}
--- a/Procedures/OrganizationUser_ReadByOrganizationIdWithClaimedDomains.sql
+++ b/Procedures/OrganizationUser_ReadByOrganizationIdWithClaimedDomains.sql
@ -0,0 +1,18 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT OU.*
+    FROM [dbo].[OrganizationUserView] OU
+    INNER JOIN [dbo].[UserView] U ON OU.[UserId] = U.[Id]
+    WHERE OU.[OrganizationId] = @OrganizationId
+        AND EXISTS (
+            SELECT 1
+            FROM [dbo].[OrganizationDomainView] OD
+            WHERE OD.[OrganizationId] = @OrganizationId
+                AND OD.[VerifiedDate] IS NOT NULL
+                AND U.[Email] LIKE '%@' + OD.[DomainName]
+        );
+END
--- a/Procedures/Organization_ReadByClaimedUserEmailDomain.sql
+++ b/Procedures/Organization_ReadByClaimedUserEmailDomain.sql
@ -0,0 +1,15 @@
+CREATE PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT O.*
+    FROM [dbo].[UserView] U
+    INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
+    INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
+    INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
+    WHERE U.[Id] = @UserId
+        AND OD.[VerifiedDate] IS NOT NULL
+        AND U.[Email] LIKE '%@' + OD.[DomainName];
+END
--- a/src/Sql/dbo/Tables/OrganizationDomain.sql
+++ b/src/Sql/dbo/Tables/OrganizationDomain.sql
@ -12,4 +12,13 @@ CREATE TABLE [dbo].[OrganizationDomain] (
    CONSTRAINT [FK_OrganzationDomain_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
 );

-GO
+GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_OrganizationIdVerifiedDate]
+    ON [dbo].[OrganizationDomain] ([OrganizationId],[VerifiedDate]);
+GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
+    ON [dbo].[OrganizationDomain] ([VerifiedDate])
+    INCLUDE ([OrganizationId],[DomainName]);
+GO