* PM-3659 - WebAuthnController.cs - Passkey Creation - Add RequireSSO login policy validation to prevent users from creating passkeys if require SSO applies to them.
* PM-3659 - per PR feedback, apply new require SSO validation to options call
* PM-3659 - Remove unneeded comment
* PM-3659 - Per PR feedback, add unit tests for new require SSO scenarios on both Post and Options endpoints on the WebAuthnController
* Remove duplicated line
* Remove extra whitespace
* Add ability to fetch events by service account
* Extract GetDateRange into ApiHelpers util
* Add dapper implementation
* Add EF repo implementation
* Add authz handler case
* unit + integration tests for controller
* swap to read check
* Adding comments
* Fix integration tests from merge
* Enabled SM events controller for self-hosting
* [PM-3779] Added IOrganizationDomainRepository.GetDomainByIdAndOrganizationIdAsync and SQL stored procedure
* [PM-3779] Changed GetOrganizationDomainByIdQuery to also take OrgId as a parameter. Updated existing unit tests and added new. Updated controller to match command changes
* [PM-3779] Removed type from url routes
* [PM-3779] Renamed IGetOrganizationDomainByIdAndOrganizationIdQuery to IGetOrganizationDomainByIdOrganizationIdQuery
* [PM-3779] Renamed GetOrganizationDomainByIdOrganizationIdQueryTests file and added more tests
* [AC-1654] Added IOrganizationConnectionRepository.GetByIdOrganizationIdAsync and modified OrganizationConnectionsController to use it to get a connection matching both Id and OrganizationId
* [AC-1654] Fixed unit tests
* Add feature flags for FlexibleCollections and BulkCollectionAccess
* Flag new routes and behaviour
---------
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
* refactor the plan and create new objects
* initial commit
* Add new plan types
* continue the refactoring by adding new plantypes
* changes for plans
* Refactoring continues
* making changes for plan
* Fixing the failing test
* Fixing whitespace
* Fix some in correct values
* Resolve the plan data
* rearranging the plan
* Make the plan more immutable
* Resolve the lint errors
* Fix the failing test
* Add custom plan
* Fix the failing test
* Fix the failing test
* resolve the failing addons after refactoring
* Refactoring
* Merge branch 'master' into ac-1451/refactor-staticstore-plans-and-consuming-logic
* merge from master
* Merge branch 'master' into ac-1451/refactor-staticstore-plans-and-consuming-logic
* format whitespace
* resolve the conflict
* Fix some pr comments
* Fixing some of the pr comments
* fixing some of the pr comments
* Resolve some pr comments
* Resolve pr comments
* Resolves some pr comments
* Resolving some or comments
* Resolve a failing test
* fix the failing test
* Resolving some pr comments
* Fix the failing test
* resolve pr comment
* add a using statement fir a failing test
---------
Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
* restricting access to disabled orgs
* Unit Test Updates
* Update test/Api.IntegrationTest/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
* Covering all test cases
* making organization enabled NOT default
---------
Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
* [AC-1174] Introduce BulkAuthorizationHandler.cs
* [AC-1174] Introduce CollectionUserAuthorizationHandler
* [AC-1174] Add CreateForNewCollection CollectionUser requirement
* [AC-1174] Add some more details to CollectionCustomization
* [AC-1174] Formatting
* [AC-1174] Add CollectionGroupOperation.cs
* [AC-1174] Introduce CollectionGroupAuthorizationHandler.cs
* [AC-1174] Cleanup CollectionFixture customization
Implement and use re-usable extension method to support seeded Guids
* [AC-1174] Introduce WithValueFromList AutoFixtureExtensions
Modify CollectionCustomization to use multiple organization Ids for auto generated test data
* [AC-1174] Simplify CollectionUserAuthorizationHandler.cs
Modify the authorization handler to only perform authorization logic. Validation logic will need to be handled by any calling commands/controllers instead.
* [AC-1174] Introduce shared CollectionAccessAuthorizationHandlerBase
A shared base authorization handler was created for both CollectionUser and CollectionGroup resources, as they share the same underlying management authorization logic.
* [AC-1174] Update CollectionUserAuthorizationHandler and CollectionGroupAuthorizationHandler to use the new CollectionAccessAuthorizationHandlerBase class
* [AC-1174] Formatting
* [AC-1174] Cleanup typo and redundant ToList() call
* [AC-1174] Add check for provider users
* [AC-1174] Reduce nested loops
* [AC-1174] Introduce ICollectionAccess.cs
* [AC-1174] Remove individual CollectionGroup and CollectionUser auth handlers and use base class instead
* [AC-1174] Tweak unit test to fail minimally
* [AC-1174] Reorganize authorization handlers in Core project
* [AC-1174] Introduce new AddCoreAuthorizationHandlers() extension method
* [AC-1174] Move CollectionAccessAuthorizationHandler into Api project
* [AC-1174] Move CollectionFixture to Vault folder
* [AC-1174] Rename operation to CreateUpdateDelete
* [AC-1174] Require single organization for collection access authorization handler
- Add requirement that all target collections must belong to the same organization
- Simplify logic related to multiple organizations
- Update tests and helpers
- Use ToHashSet to improve lookup time
* [AC-1174] Fix null reference exception
* [AC-1174] Throw bad request exception when collections belong to different organizations
* [AC-1174] Switch to CollectionAuthorizationHandler instead of CollectionAccessAuthorizationHandler to reduce complexity
* Add ProjectLimitQuery
* Add query to DI
* Add unit tests
* Add query to controller
* Add controller unit tests
* add integration tests
* rename query and variables
* More renaming
* Add support CanReadSecret authorization
* Extract base response model for secret
* Add support for SA bulk fetching event logging
* secret repository bug fix
* Add endpoint and request for bulk fetching secrets
* Swap to original reference event
* Add unit tests
* Add integration tests
* Add unit tests for authz handler
* update authz handler tests
---------
* Remove UpdateSecretsManagerSubscriptionCommand.AdjustServiceAccounts interface
* Rewrite tests and use autofixture customizations
* Reduce method nesting in the command, simplify parameters
* Fix capitalization and wording of error messages
* Add checks for existing SM beta enrolment etc
* [PM-1203] feat: allow verification for all passwordless accounts (#3038)
* [PM-1033] Org invite user creation flow 1 (#3028)
* [PM-1033] feat: remove user verification from password enrollment
* [PM-1033] feat: auto accept invitation when enrolling into password reset
* [PM-1033] fix: controller tests
* [PM-1033] refactor: `UpdateUserResetPasswordEnrollmentCommand`
* [PM-1033] refactor(wip): make `AcceptUserCommand`
* Revert "[PM-1033] refactor(wip): make `AcceptUserCommand`"
This reverts commit dc1319e7fa.
* Revert "[PM-1033] refactor: `UpdateUserResetPasswordEnrollmentCommand`"
This reverts commit 43df689c7f.
* [PM-1033] refactor: move invite accept to controller
This avoids creating yet another method that depends on having `IUserService` passed in as a parameter
* [PM-1033] fix: add missing changes
* [PM-1381] Add Trusted Device Keys to Auth Response (#3066)
* Return Keys for Trusted Device
- Check whether the current logging in device is trusted
- Return their keys on successful login
* Formatting
* Address PR Feedback
* Add Remarks Comment
* [PM-1338] `AuthRequest` Event Logs (#3046)
* Update AuthRequestController
- Only allow AdminApproval Requests to be created from authed endpoint
- Add endpoint that has authentication to be able to create admin approval
* Add PasswordlessAuthSettings
- Add settings for customizing expiration times
* Add new EventTypes
* Add Logic for AdminApproval Type
- Add logic for validating AdminApproval expiration
- Add event logging for Approval/Disapproval of AdminApproval
- Add logic for creating AdminApproval types
* Add Test Helpers
- Change BitAutoData to allow you to use string representations of common types.
* Add/Update AuthRequestService Tests
* Run Formatting
* Switch to 7 Days
* Add Test Covering ResponseDate Being Set
* Address PR Feedback
- Create helper for checking if date is expired
- Move validation logic into smaller methods
* Switch to User Event Type
- Make RequestDeviceApproval user type
- User types will log for each org user is in
* [PM-2998] Move Approving Device Check (#3101)
* Move Check for Approving Devices
- Exclude currently logging in device
- Remove old way of checking
- Add tests asserting behavior
* Update DeviceType list
* Update Naming & Address PR Feedback
* Fix Tests
* Address PR Feedback
* Formatting
* Now Fully Update Naming?
* Feature/auth/pm 2759/add can reset password to user decryption options (#3113)
* PM-2759 - BaseRequestValidator.cs - CreateUserDecryptionOptionsAsync - Add new hasManageResetPasswordPermission for post SSO redirect logic required on client.
* PM-2759 - Update IdentityServerSsoTests.cs to all pass based on the addition of HasManageResetPasswordPermission to TrustedDeviceUserDecryptionOption
* IdentityServerSsoTests.cs - fix typo in test name: LoggingApproval --> LoginApproval
* PM1259 - Add test case for verifying that TrustedDeviceOption.hasManageResetPasswordPermission is set properly based on user permission
* dotnet format run
* Feature/auth/pm 2759/add can reset password to user decryption options fix jit users (#3120)
* PM-2759 - IdentityServer - CreateUserDecryptionOptionsAsync - hasManageResetPasswordPermission set logic was broken for JIT provisioned users as I assumed we would always have a list of at least 1 org during the SSO process. Added TODO for future test addition but getting this out there now as QA is blocked by being unable to create JIT provisioned users.
* dotnet format
* Tiny tweak
* [PM-1339] Allow Rotating Device Keys (#3096)
* Allow Rotation of Trusted Device Keys
- Add endpoint for getting keys relating to rotation
- Add endpoint for rotating your current device
- In the same endpoint allow a list of other devices to rotate
* Formatting
* Use Extension Method
* Add Tests from PR
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
---------
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
* Check the user directly if they have the ResetPasswordKey (#3153)
* PM-3327 - UpdateKeyAsync must exempt the currently calling device from the logout notification in order to prevent prematurely logging the user out before the client side key rotation process can complete. The calling device will log itself out once it is done. (#3170)
* Allow OTP Requests When Users Are On TDE (#3184)
* [PM-3356][PM-3292] Allow OTP For All (#3188)
* Allow OTP For All
- On a trusted device isn't a good check because a user might be using a trusted device locally but not trusted it long term
- The logic wasn't working for KC users anyways
* Remove Old Comment
* [AC-1601] Added RequireSso policy as a dependency of TDE (#3209)
* Added RequireSso policy as a dependency of TDE.
* Added test for RequireSso for TDE.
* Added save.
* Fixed policy name.
---------
Co-authored-by: Andreas Coroiu <acoroiu@bitwarden.com>
Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Co-authored-by: Vincent Salucci <vincesalucci21@gmail.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
* [AC-1443] Changed CurrentContext.ViewAllCollections to only check if the user can edit or delete any collection
* [AC-1443] Renamed ICollectionService.GetOrganizationCollections to GetOrganizationCollectionsAsync
* [AC-1443] Changed CollectionService.GetOrganizationCollectionsAsync to first check CurrentContext.ViewAssignedCollections instead Added unit tests
* [AC-1443] Added new unit test to check for Exception when user does not have permission
