mirror of
https://github.com/bitwarden/server.git
synced 2025-07-01 08:02:49 -05:00
[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)
* Add HasVerifiedDomainsAsync method to IOrganizationDomainService * Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries * Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter * Update the EF query to use the Email from the User table * dotnet format * Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests * Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync * Fix domain queries * Add OrganizationUserRepository integration tests * Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync * chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync * Add IsManagedByAnyOrganizationAsync method to IUserRepository * Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync * Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync * chore: Refactor IsManagedByAnyOrganizationAsync method in UserService * Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool> * Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query * Update comments in OrganizationDomainService to use proper capitalization * Move OrganizationDomainService to AdminConsole ownership and update namespace * feat: Add support for organization domains in enterprise plans * feat: Add HasOrganizationDomains property to OrganizationAbility class * refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService * Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains * Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag * Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks * Bump date on migration script * Add indexes to OrganizationDomain table * Bump script migration date; Remove WITH ONLINE = ON from data migration.
This commit is contained in:
Rui Tomé
@ -1,7 +0,0 @@
|
||||
namespace Bit.Core.Services;
|
||||
|
||||
public interface IOrganizationDomainService
|
||||
{
|
||||
Task ValidateOrganizationsDomainAsync();
|
||||
Task OrganizationDomainMaintenanceAsync();
|
||||
}
|
||||
@ -86,4 +86,13 @@ public interface IUserService
|
||||
/// We force these users to the web to migrate their encryption scheme.
|
||||
/// </summary>
|
||||
Task<bool> IsLegacyUser(string userId);
|
||||
|
||||
/// <summary>
|
||||
/// Indicates if the user is managed by any organization.
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// A managed user is a user whose email domain matches one of the Organization's verified domains.
|
||||
/// The organization must be enabled and be on an Enterprise plan.
|
||||
/// </remarks>
|
||||
Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
|
||||
}
|
||||
|
||||
@ -1,139 +0,0 @@
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Settings;
|
||||
using Microsoft.Extensions.Logging;
|
||||
|
||||
namespace Bit.Core.Services;
|
||||
|
||||
public class OrganizationDomainService : IOrganizationDomainService
|
||||
{
|
||||
private readonly IOrganizationDomainRepository _domainRepository;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly IDnsResolverService _dnsResolverService;
|
||||
private readonly IEventService _eventService;
|
||||
private readonly IMailService _mailService;
|
||||
private readonly ILogger<OrganizationDomainService> _logger;
|
||||
private readonly IGlobalSettings _globalSettings;
|
||||
|
||||
public OrganizationDomainService(
|
||||
IOrganizationDomainRepository domainRepository,
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
IDnsResolverService dnsResolverService,
|
||||
IEventService eventService,
|
||||
IMailService mailService,
|
||||
ILogger<OrganizationDomainService> logger,
|
||||
IGlobalSettings globalSettings)
|
||||
{
|
||||
_domainRepository = domainRepository;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_dnsResolverService = dnsResolverService;
|
||||
_eventService = eventService;
|
||||
_mailService = mailService;
|
||||
_logger = logger;
|
||||
_globalSettings = globalSettings;
|
||||
}
|
||||
|
||||
public async Task ValidateOrganizationsDomainAsync()
|
||||
{
|
||||
//Date should be set 1 hour behind to ensure it selects all domains that should be verified
|
||||
var runDate = DateTime.UtcNow.AddHours(-1);
|
||||
|
||||
var verifiableDomains = await _domainRepository.GetManyByNextRunDateAsync(runDate);
|
||||
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Validating {verifiableDomainsCount} domains.", verifiableDomains.Count);
|
||||
|
||||
foreach (var domain in verifiableDomains)
|
||||
{
|
||||
try
|
||||
{
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Attempting verification for organization {OrgId} with domain {Domain}", domain.OrganizationId, domain.DomainName);
|
||||
|
||||
var status = await _dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt);
|
||||
if (status)
|
||||
{
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
|
||||
|
||||
//update entry on OrganizationDomain table
|
||||
domain.SetLastCheckedDate();
|
||||
domain.SetVerifiedDate();
|
||||
domain.SetJobRunCount();
|
||||
await _domainRepository.ReplaceAsync(domain);
|
||||
|
||||
await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_Verified,
|
||||
EventSystemUser.DomainVerification);
|
||||
}
|
||||
else
|
||||
{
|
||||
//update entry on OrganizationDomain table
|
||||
domain.SetLastCheckedDate();
|
||||
domain.SetJobRunCount();
|
||||
domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
|
||||
await _domainRepository.ReplaceAsync(domain);
|
||||
|
||||
await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_NotVerified,
|
||||
EventSystemUser.DomainVerification);
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Verification for organization {OrgId} with domain {Domain} failed",
|
||||
domain.OrganizationId, domain.DomainName);
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
//update entry on OrganizationDomain table
|
||||
domain.SetLastCheckedDate();
|
||||
domain.SetJobRunCount();
|
||||
domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
|
||||
await _domainRepository.ReplaceAsync(domain);
|
||||
|
||||
await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_NotVerified,
|
||||
EventSystemUser.DomainVerification);
|
||||
|
||||
_logger.LogError(ex, "Verification for organization {OrgId} with domain {Domain} threw an exception: {errorMessage}",
|
||||
domain.OrganizationId, domain.DomainName, ex.Message);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public async Task OrganizationDomainMaintenanceAsync()
|
||||
{
|
||||
try
|
||||
{
|
||||
//Get domains that have not been verified within 72 hours
|
||||
var expiredDomains = await _domainRepository.GetExpiredOrganizationDomainsAsync();
|
||||
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId,
|
||||
"Attempting email reminder for {expiredDomainCount} expired domains.", expiredDomains.Count);
|
||||
|
||||
foreach (var domain in expiredDomains)
|
||||
{
|
||||
//get admin emails of organization
|
||||
var adminEmails = await GetAdminEmailsAsync(domain.OrganizationId);
|
||||
|
||||
//Send email to administrators
|
||||
if (adminEmails.Count > 0)
|
||||
{
|
||||
await _mailService.SendUnverifiedOrganizationDomainEmailAsync(adminEmails,
|
||||
domain.OrganizationId.ToString(), domain.DomainName);
|
||||
}
|
||||
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
|
||||
}
|
||||
//delete domains that have not been verified within 7 days
|
||||
var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
|
||||
_logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
_logger.LogError(ex, "Organization domain maintenance failed");
|
||||
}
|
||||
}
|
||||
|
||||
private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
|
||||
{
|
||||
var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
|
||||
var emailList = orgUsers.Where(o => o.Type <= OrganizationUserType.Admin
|
||||
|| o.GetPermissions()?.ManageSso == true)
|
||||
.Select(a => a.Email).Distinct().ToList();
|
||||
|
||||
return emailList;
|
||||
}
|
||||
}
|
||||
@ -1244,6 +1244,16 @@ public class UserService : UserManager<User>, IUserService, IDisposable
|
||||
return IsLegacyUser(user);
|
||||
}
|
||||
|
||||
public async Task<bool> IsManagedByAnyOrganizationAsync(Guid userId)
|
||||
{
|
||||
// Users can only be managed by an Organization that is enabled and can have organization domains
|
||||
var organization = await _organizationRepository.GetByClaimedUserDomainAsync(userId);
|
||||
|
||||
// TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
|
||||
// Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
|
||||
return organization is { Enabled: true, UseSso: true };
|
||||
}
|
||||
|
||||
/// <inheritdoc cref="IsLegacyUser(string)"/>
|
||||
public static bool IsLegacyUser(User user)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user