Merge branch 'main' into SM-1592-API

Author: cd-bitwarden

.github/renovate.json5

@@ -41,6 +41,10 @@
       matchUpdateTypes: ["patch"],
       dependencyDashboardApproval: false,
     },
+    {
+      matchSourceUrls: ["https://github.com/bitwarden/sdk-internal"],
+      groupName: "sdk-internal",
+    },
     {
       matchManagers: ["dockerfile", "docker-compose"],
       commitMessagePrefix: "[deps] BRE:",

bitwarden_license/src/Sso/Controllers/AccountController.cs

@@ -74,17 +74,6 @@ private static IAuthenticationService SetupHttpContextWithAuth(
         return resolvedAuthService;
     }
 
-    private static void InvokeEnsureOrgUserStatusAllowed(
-        AccountController controller,
-        OrganizationUserStatusType status)
-    {
-        var method = typeof(AccountController).GetMethod(
-            "EnsureAcceptedOrConfirmedOrgUserStatus",
-            BindingFlags.Instance | BindingFlags.NonPublic);
-        Assert.NotNull(method);
-        method.Invoke(controller, [status, "Org"]);
-    }
-
     private static AuthenticateResult BuildSuccessfulExternalAuth(Guid orgId, string providerUserId, string email)
     {
         var claims = new[]
@@ -241,82 +230,6 @@ private async Task<LookupCounts> MeasureCountsForScenarioAsync(
         return counts;
     }
 
-    [Theory, BitAutoData]
-    public void EnsureOrgUserStatusAllowed_AllowsAcceptedAndConfirmed(
-        SutProvider<AccountController> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<II18nService>()
-            .T(Arg.Any<string>(), Arg.Any<object?[]>())
-            .Returns(ci => (string)ci[0]!);
-
-        // Act
-        var ex1 = Record.Exception(() =>
-            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Accepted));
-        var ex2 = Record.Exception(() =>
-            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Confirmed));
-
-        // Assert
-        Assert.Null(ex1);
-        Assert.Null(ex2);
-    }
-
-    [Theory, BitAutoData]
-    public void EnsureOrgUserStatusAllowed_Invited_ThrowsAcceptInvite(
-        SutProvider<AccountController> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<II18nService>()
-            .T(Arg.Any<string>(), Arg.Any<object?[]>())
-            .Returns(ci => (string)ci[0]!);
-
-        // Act
-        var ex = Assert.Throws<TargetInvocationException>(() =>
-            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Invited));
-
-        // Assert
-        Assert.IsType<Exception>(ex.InnerException);
-        Assert.Equal("AcceptInviteBeforeUsingSSO", ex.InnerException!.Message);
-    }
-
-    [Theory, BitAutoData]
-    public void EnsureOrgUserStatusAllowed_Revoked_ThrowsAccessRevoked(
-        SutProvider<AccountController> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<II18nService>()
-            .T(Arg.Any<string>(), Arg.Any<object?[]>())
-            .Returns(ci => (string)ci[0]!);
-
-        // Act
-        var ex = Assert.Throws<TargetInvocationException>(() =>
-            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Revoked));
-
-        // Assert
-        Assert.IsType<Exception>(ex.InnerException);
-        Assert.Equal("OrganizationUserAccessRevoked", ex.InnerException!.Message);
-    }
-
-    [Theory, BitAutoData]
-    public void EnsureOrgUserStatusAllowed_UnknownStatus_ThrowsUnknown(
-        SutProvider<AccountController> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<II18nService>()
-            .T(Arg.Any<string>(), Arg.Any<object?[]>())
-            .Returns(ci => (string)ci[0]!);
-
-        var unknown = (OrganizationUserStatusType)999;
-
-        // Act
-        var ex = Assert.Throws<TargetInvocationException>(() =>
-            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, unknown));
-
-        // Assert
-        Assert.IsType<Exception>(ex.InnerException);
-        Assert.Equal("OrganizationUserUnknownStatus", ex.InnerException!.Message);
-    }
-
     [Theory, BitAutoData]
     public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_NoOrgUser_ThrowsCouldNotFindOrganizationUser(
         SutProvider<AccountController> sutProvider)
@@ -357,7 +270,7 @@ public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_NoOrgUse
     }
 
     [Theory, BitAutoData]
-    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_OrgUserInvited_ThrowsAcceptInvite(
+    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_OrgUserInvited_AllowsLogin(
         SutProvider<AccountController> sutProvider)
     {
         // Arrange
@@ -374,7 +287,7 @@ public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_OrgUserI
         };
 
         var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
-        SetupHttpContextWithAuth(sutProvider, authResult);
+        var authService = SetupHttpContextWithAuth(sutProvider, authResult);
 
         sutProvider.GetDependency<II18nService>()
             .T(Arg.Any<string>(), Arg.Any<object?[]>())
@@ -392,9 +305,23 @@ public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_OrgUserI
         sutProvider.GetDependency<IIdentityServerInteractionService>()
             .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
 
-        // Act + Assert
-        var ex = await Assert.ThrowsAsync<Exception>(() => sutProvider.Sut.ExternalCallback());
-        Assert.Equal("AcceptInviteBeforeUsingSSO", ex.Message);
+        // Act
+        var result = await sutProvider.Sut.ExternalCallback();
+
+        // Assert
+        var redirect = Assert.IsType<RedirectResult>(result);
+        Assert.Equal("~/", redirect.Url);
+
+        await authService.Received().SignInAsync(
+            Arg.Any<HttpContext>(),
+            Arg.Any<string?>(),
+            Arg.Any<ClaimsPrincipal>(),
+            Arg.Any<AuthenticationProperties>());
+
+        await authService.Received().SignOutAsync(
+            Arg.Any<HttpContext>(),
+            AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme,
+            Arg.Any<AuthenticationProperties>());
     }
 
     [Theory, BitAutoData]
@@ -930,13 +857,13 @@ public async Task ExternalCallback_PreventNonCompliantFalse_JitProvision_Measure
     }
 
     [Theory, BitAutoData]
-    public async Task AutoProvisionUserAsync_WithExistingAcceptedUser_CreatesSsoLinkAndReturnsUser(
+    public async Task CreateUserAndOrgUserConditionallyAsync_WithExistingAcceptedUser_CreatesSsoLinkAndReturnsUser(
         SutProvider<AccountController> sutProvider)
     {
         // Arrange
         var orgId = Guid.NewGuid();
-        var providerUserId = "ext-456";
-        var email = "jit@example.com";
+        var providerUserId = "provider-user-id";
+        var email = "user@example.com";
         var existingUser = new User { Id = Guid.NewGuid(), Email = email };
         var organization = new Organization { Id = orgId, Name = "Org" };
         var orgUser = new OrganizationUser
@@ -965,12 +892,12 @@ public async Task AutoProvisionUserAsync_WithExistingAcceptedUser_CreatesSsoLink
         var config = new SsoConfigurationData();
 
         var method = typeof(AccountController).GetMethod(
-            "AutoProvisionUserAsync",
+            "CreateUserAndOrgUserConditionallyAsync",
             BindingFlags.Instance | BindingFlags.NonPublic);
         Assert.NotNull(method);
 
         // Act
-        var task = (Task<(User user, Organization organization, OrganizationUser orgUser)>)method!.Invoke(sutProvider.Sut, new object[]
+        var task = (Task<(User user, Organization organization, OrganizationUser orgUser)>)method.Invoke(sutProvider.Sut, new object[]
         {
             orgId.ToString(),
             providerUserId,
@@ -992,6 +919,61 @@ await sutProvider.GetDependency<ISsoUserRepository>().Received().CreateAsync(Arg
             EventType.OrganizationUser_FirstSsoLogin);
     }
 
+    [Theory, BitAutoData]
+    public async Task CreateUserAndOrgUserConditionallyAsync_WithExistingInvitedUser_ThrowsAcceptInviteBeforeUsingSSO(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "provider-user-id";
+        var email = "[email protected]";
+        var existingUser = new User { Id = Guid.NewGuid(), Email = email, UsesKeyConnector = false };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = orgId,
+            UserId = existingUser.Id,
+            Status = OrganizationUserStatusType.Invited,
+            Type = OrganizationUserType.User
+        };
+
+        // i18n returns the key so we can assert on message contents
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        // Arrange repository expectations for the flow
+        sutProvider.GetDependency<IUserRepository>().GetByEmailAsync(email).Returns(existingUser);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(orgId).Returns(organization);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(existingUser.Id)
+            .Returns(new List<OrganizationUser> { orgUser });
+
+        var claims = new[]
+        {
+            new Claim(JwtClaimTypes.Email, email),
+            new Claim(JwtClaimTypes.Name, "Invited User")
+        } as IEnumerable<Claim>;
+        var config = new SsoConfigurationData();
+
+        var method = typeof(AccountController).GetMethod(
+            "CreateUserAndOrgUserConditionallyAsync",
+            BindingFlags.Instance | BindingFlags.NonPublic);
+        Assert.NotNull(method);
+
+        // Act + Assert
+        var task = (Task<(User user, Organization organization, OrganizationUser orgUser)>)method.Invoke(sutProvider.Sut, new object[]
+        {
+            orgId.ToString(),
+            providerUserId,
+            claims,
+            null!,
+            config
+        })!;
+
+        var ex = await Assert.ThrowsAsync<Exception>(async () => await task);
+        Assert.Equal("AcceptInviteBeforeUsingSSO", ex.Message);
+    }
+
     /// <summary>
     /// PM-24579: Temporary comparison test to ensure the feature flag ON does not
     /// regress lookup counts compared to OFF. When removing the flag, delete this

bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs

@@ -12,11 +12,11 @@ public static void AddAdminConsoleAuthorizationHandlers(this IServiceCollection
         services.TryAddScoped<IOrganizationContext, OrganizationContext>();
 
         services.TryAddEnumerable([
-                ServiceDescriptor.Scoped<IAuthorizationHandler, BulkCollectionAuthorizationHandler>(),
-                ServiceDescriptor.Scoped<IAuthorizationHandler, CollectionAuthorizationHandler>(),
-                ServiceDescriptor.Scoped<IAuthorizationHandler, GroupAuthorizationHandler>(),
-                ServiceDescriptor.Scoped<IAuthorizationHandler, OrganizationRequirementHandler>(),
-                ServiceDescriptor.Scoped<IAuthorizationHandler, RecoverAccountAuthorizationHandler>(),
-            ]);
+            ServiceDescriptor.Scoped<IAuthorizationHandler, BulkCollectionAuthorizationHandler>(),
+            ServiceDescriptor.Scoped<IAuthorizationHandler, CollectionAuthorizationHandler>(),
+            ServiceDescriptor.Scoped<IAuthorizationHandler, GroupAuthorizationHandler>(),
+            ServiceDescriptor.Scoped<IAuthorizationHandler, OrganizationRequirementHandler>(),
+            ServiceDescriptor.Scoped<IAuthorizationHandler, RecoverAccountAuthorizationHandler>(),
+        ]);
     }
 }

src/Api/AdminConsole/Authorization/AuthorizationHandlerCollectionExtensions.cs

@@ -12,6 +12,7 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Context;
@@ -41,8 +42,9 @@ public class PoliciesController : Controller
     private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
     private readonly IPolicyRepository _policyRepository;
     private readonly IUserService _userService;
-
+    private readonly IFeatureService _featureService;
     private readonly ISavePolicyCommand _savePolicyCommand;
+    private readonly IVNextSavePolicyCommand _vNextSavePolicyCommand;
 
     public PoliciesController(IPolicyRepository policyRepository,
         IOrganizationUserRepository organizationUserRepository,
@@ -53,7 +55,9 @@ public PoliciesController(IPolicyRepository policyRepository,
         IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
         IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
         IOrganizationRepository organizationRepository,
-        ISavePolicyCommand savePolicyCommand)
+        IFeatureService featureService,
+        ISavePolicyCommand savePolicyCommand,
+        IVNextSavePolicyCommand vNextSavePolicyCommand)
     {
         _policyRepository = policyRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -65,7 +69,9 @@ public PoliciesController(IPolicyRepository policyRepository,
         _organizationRepository = organizationRepository;
         _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
         _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
+        _featureService = featureService;
         _savePolicyCommand = savePolicyCommand;
+        _vNextSavePolicyCommand = vNextSavePolicyCommand;
     }
 
     [HttpGet("{type}")]
@@ -221,7 +227,9 @@ public async Task<PolicyResponseModel> PutVNext(Guid orgId, [FromBody] SavePolic
     {
         var savePolicyRequest = await model.ToSavePolicyModelAsync(orgId, _currentContext);
 
-        var policy = await _savePolicyCommand.VNextSaveAsync(savePolicyRequest);
+        var policy = _featureService.IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor) ?
+            await _vNextSavePolicyCommand.SaveAsync(savePolicyRequest) :
+            await _savePolicyCommand.VNextSaveAsync(savePolicyRequest);
 
         return new PolicyResponseModel(policy);
     }

src/Api/AdminConsole/Controllers/PoliciesController.cs

@@ -5,11 +5,15 @@
 using Bit.Api.AdminConsole.Public.Models.Request;
 using Bit.Api.AdminConsole.Public.Models.Response;
 using Bit.Api.Models.Public.Response;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
+using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -22,18 +26,24 @@ public class PoliciesController : Controller
     private readonly IPolicyRepository _policyRepository;
     private readonly IPolicyService _policyService;
     private readonly ICurrentContext _currentContext;
+    private readonly IFeatureService _featureService;
     private readonly ISavePolicyCommand _savePolicyCommand;
+    private readonly IVNextSavePolicyCommand _vNextSavePolicyCommand;
 
     public PoliciesController(
         IPolicyRepository policyRepository,
         IPolicyService policyService,
         ICurrentContext currentContext,
-        ISavePolicyCommand savePolicyCommand)
+        IFeatureService featureService,
+        ISavePolicyCommand savePolicyCommand,
+        IVNextSavePolicyCommand vNextSavePolicyCommand)
     {
         _policyRepository = policyRepository;
         _policyService = policyService;
         _currentContext = currentContext;
+        _featureService = featureService;
         _savePolicyCommand = savePolicyCommand;
+        _vNextSavePolicyCommand = vNextSavePolicyCommand;
     }
 
     /// <summary>
@@ -87,8 +97,17 @@ public async Task<IActionResult> List()
     [ProducesResponseType((int)HttpStatusCode.NotFound)]
     public async Task<IActionResult> Put(PolicyType type, [FromBody] PolicyUpdateRequestModel model)
     {
-        var policyUpdate = model.ToPolicyUpdate(_currentContext.OrganizationId!.Value, type);
-        var policy = await _savePolicyCommand.SaveAsync(policyUpdate);
+        Policy policy;
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor))
+        {
+            var savePolicyModel = model.ToSavePolicyModel(_currentContext.OrganizationId!.Value, type);
+            policy = await _vNextSavePolicyCommand.SaveAsync(savePolicyModel);
+        }
+        else
+        {
+            var policyUpdate = model.ToPolicyUpdate(_currentContext.OrganizationId!.Value, type);
+            policy = await _savePolicyCommand.SaveAsync(policyUpdate);
+        }
 
         var response = new PolicyResponseModel(policy);
         return new JsonResult(response);