[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)

* Add HasVerifiedDomainsAsync method to IOrganizationDomainService * Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries * Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter * Update the EF query to use the Email from the User table * dotnet format * Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests * Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync * Fix domain queries * Add OrganizationUserRepository integration tests * Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync * chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync * Add IsManagedByAnyOrganizationAsync method to IUserRepository * Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync * Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync * chore: Refactor IsManagedByAnyOrganizationAsync method in UserService * Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool> * Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query * Update comments in OrganizationDomainService to use proper capitalization * Move OrganizationDomainService to AdminConsole ownership and update namespace * feat: Add support for organization domains in enterprise plans * feat: Add HasOrganizationDomains property to OrganizationAbility class * refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService * Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains * Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag * Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks * Bump date on migration script * Add indexes to OrganizationDomain table * Bump script migration date; Remove WITH ONLINE = ON from data migration.
2025-07-01 16:12:49 -05:00 · 2024-09-11 11:29:57 +01:00
parent 3f1127489d
commit f2180aa7b7
26 changed files with 692 additions and 17 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs
@ -0,0 +1,41 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+
+    public GetOrganizationUsersManagementStatusQuery(
+        IApplicationCacheService applicationCacheService,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        _applicationCacheService = applicationCacheService;
+        _organizationUserRepository = organizationUserRepository;
+    }
+
+    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
+    {
+        if (organizationUserIds.Any())
+        {
+            // Users can only be managed by an Organization that is enabled and can have organization domains
+            var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+
+            // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+            // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+            if (organizationAbility is { Enabled: true, UseSso: true })
+            {
+                // Get all organization users with claimed domains by the organization
+                var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
+
+                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
+                return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
+            }
+        }
+
+        return organizationUserIds.ToDictionary(ouId => ouId, _ => false);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs
@ -0,0 +1,19 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+public interface IGetOrganizationUsersManagementStatusQuery
+{
+    /// <summary>
+    /// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
+    /// </summary>
+    /// <param name="organizationId">The unique identifier of the organization to check against.</param>
+    /// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    /// <returns>
+    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
+    /// </returns>
+    Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
+        IEnumerable<Guid> organizationUserIds);
+}
--- a/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationRepository.cs
@ -17,4 +17,9 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
    Task<SelfHostedOrganizationDetails?> GetSelfHostedOrganizationDetailsById(Guid id);
    Task<ICollection<Organization>> SearchUnassignedToProviderAsync(string name, string ownerEmail, int skip, int take);
    Task<IEnumerable<string>> GetOwnerEmailAddressesById(Guid organizationId);
+
+    /// <summary>
+    /// Gets the organization that has a claimed domain matching the user's email domain.
+    /// </summary>
+    Task<Organization> GetByClaimedUserDomainAsync(Guid userId);
 }
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@ -55,4 +55,8 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
    UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
        IEnumerable<OrganizationUser> resetPasswordKeys);

+    /// <summary>
+    /// Returns a list of OrganizationUsers with email domains that match one of the Organization's claimed domains.
+    /// </summary>
+    Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
 }
--- a/src/Core/AdminConsole/Services/IOrganizationDomainService.cs
+++ b/src/Core/AdminConsole/Services/IOrganizationDomainService.cs
@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Services;
+
+public interface IOrganizationDomainService
+{
+    Task ValidateOrganizationsDomainAsync();
+    Task OrganizationDomainMaintenanceAsync();
+    /// <summary>
+    /// Indicates if the organization has any verified domains.
+    /// </summary>
+    Task<bool> HasVerifiedDomainsAsync(Guid orgId);
+}
--- a/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs
@ -1,9 +1,10 @@
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;

-namespace Bit.Core.Services;
+namespace Bit.Core.AdminConsole.Services.Implementations;

 public class OrganizationDomainService : IOrganizationDomainService
 {
@ -53,7 +54,7 @@ public class OrganizationDomainService : IOrganizationDomainService
                {
                    _logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");

-                    //update entry on OrganizationDomain table 
+                    // Update entry on OrganizationDomain table
                    domain.SetLastCheckedDate();
                    domain.SetVerifiedDate();
                    domain.SetJobRunCount();
@ -64,7 +65,7 @@ public class OrganizationDomainService : IOrganizationDomainService
                }
                else
                {
-                    //update entry on OrganizationDomain table 
+                    // Update entry on OrganizationDomain table
                    domain.SetLastCheckedDate();
                    domain.SetJobRunCount();
                    domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@ -78,7 +79,7 @@ public class OrganizationDomainService : IOrganizationDomainService
            }
            catch (Exception ex)
            {
-                //update entry on OrganizationDomain table 
+                // Update entry on OrganizationDomain table
                domain.SetLastCheckedDate();
                domain.SetJobRunCount();
                domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@ -117,7 +118,7 @@ public class OrganizationDomainService : IOrganizationDomainService

                _logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
            }
-            //delete domains that have not been verified within 7 days 
+            // Delete domains that have not been verified within 7 days
            var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
            _logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
        }
@ -127,6 +128,12 @@ public class OrganizationDomainService : IOrganizationDomainService
        }
    }

+    public async Task<bool> HasVerifiedDomainsAsync(Guid orgId)
+    {
+        var orgDomains = await _domainRepository.GetDomainsByOrganizationIdAsync(orgId);
+        return orgDomains.Any(od => od.VerifiedDate != null);
+    }
+
    private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
    {
        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@ -139,6 +139,7 @@ public static class OrganizationServiceCollectionExtensions
        services.AddScoped<ICountNewSmSeatsRequiredQuery, CountNewSmSeatsRequiredQuery>();
        services.AddScoped<IAcceptOrgUserCommand, AcceptOrgUserCommand>();
        services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
+        services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
    }

    // TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of
--- a/src/Core/Services/IOrganizationDomainService.cs
+++ b/src/Core/Services/IOrganizationDomainService.cs
@ -1,7 +0,0 @@
-namespace Bit.Core.Services;
-
-public interface IOrganizationDomainService
-{
-    Task ValidateOrganizationsDomainAsync();
-    Task OrganizationDomainMaintenanceAsync();
-}
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -86,4 +86,13 @@ public interface IUserService
    /// We force these users to the web to migrate their encryption scheme.
    /// </summary>
    Task<bool> IsLegacyUser(string userId);
+
+    /// <summary>
+    /// Indicates if the user is managed by any organization.
+    /// </summary>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
 }
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -1244,6 +1244,16 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        return IsLegacyUser(user);
    }

+    public async Task<bool> IsManagedByAnyOrganizationAsync(Guid userId)
+    {
+        // Users can only be managed by an Organization that is enabled and can have organization domains
+        var organization = await _organizationRepository.GetByClaimedUserDomainAsync(userId);
+
+        // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+        // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+        return organization is { Enabled: true, UseSso: true };
+    }
+
    /// <inheritdoc cref="IsLegacyUser(string)"/>
    public static bool IsLegacyUser(User user)
    {