[PM-10319] - Revoke Non Complaint Users for 2FA and Single Org Policy…

… Enablement (#5037) - Revoking users when enabling single org and 2fa policies. - Updated emails sent when users are revoked via 2FA or Single Organization policy enablement Co-authored-by: Matt Bishop <[email protected]> Co-authored-by: Rui Tomé <[email protected]>
bitwarden · Nov 26, 2024 · 1b75e35 · 1b75e35
1 parent 8f703a2
commit 1b75e35
Show file tree

Hide file tree

Showing 36 changed files with 1,074 additions and 73 deletions.
diff --git a/src/Core/AdminConsole/Enums/EventSystemUser.cs b/src/Core/AdminConsole/Enums/EventSystemUser.cs
@@ -2,6 +2,7 @@
 
 public enum EventSystemUser : byte
 {
+    Unknown = 0,
     SCIM = 1,
     DomainVerification = 2,
     PublicApi = 3,

diff --git a/src/Core/AdminConsole/Models/Data/IActingUser.cs b/src/Core/AdminConsole/Models/Data/IActingUser.cs
@@ -0,0 +1,10 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.Models.Data;
+
+public interface IActingUser
+{
+    Guid? UserId { get; }
+    bool IsOrganizationOwnerOrProvider { get; }
+    EventSystemUser? SystemUserType { get; }
+}
diff --git a/src/Core/AdminConsole/Models/Data/StandardUser.cs b/src/Core/AdminConsole/Models/Data/StandardUser.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.Models.Data;
+
+public class StandardUser : IActingUser
+{
+    public StandardUser(Guid userId, bool isOrganizationOwner)
+    {
+        UserId = userId;
+        IsOrganizationOwnerOrProvider = isOrganizationOwner;
+    }
+
+    public Guid? UserId { get; }
+    public bool IsOrganizationOwnerOrProvider { get; }
+    public EventSystemUser? SystemUserType => throw new Exception($"{nameof(StandardUser)} does not have a {nameof(SystemUserType)}");
+}
diff --git a/src/Core/AdminConsole/Models/Data/SystemUser.cs b/src/Core/AdminConsole/Models/Data/SystemUser.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.Models.Data;
+
+public class SystemUser : IActingUser
+{
+    public SystemUser(EventSystemUser systemUser)
+    {
+        SystemUserType = systemUser;
+    }
+
+    public Guid? UserId => throw new Exception($"{nameof(SystemUserType)} does not have a {nameof(UserId)}.");
+
+    public bool IsOrganizationOwnerOrProvider => false;
+    public EventSystemUser? SystemUserType { get; }
+}
diff --git a/.../AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs b/.../AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs
@@ -1,7 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.Services;
+using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -12,124 +14,121 @@
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 
-public class VerifyOrganizationDomainCommand : IVerifyOrganizationDomainCommand
+public class VerifyOrganizationDomainCommand(
+    IOrganizationDomainRepository organizationDomainRepository,
+    IDnsResolverService dnsResolverService,
+    IEventService eventService,
+    IGlobalSettings globalSettings,
+    IPolicyService policyService,
+    IFeatureService featureService,
+    ICurrentContext currentContext,
+    ILogger<VerifyOrganizationDomainCommand> logger)
+    : IVerifyOrganizationDomainCommand
 {
-    private readonly IOrganizationDomainRepository _organizationDomainRepository;
-    private readonly IDnsResolverService _dnsResolverService;
-    private readonly IEventService _eventService;
-    private readonly IGlobalSettings _globalSettings;
-    private readonly IPolicyService _policyService;
-    private readonly IFeatureService _featureService;
-    private readonly ILogger<VerifyOrganizationDomainCommand> _logger;
-
-    public VerifyOrganizationDomainCommand(
-        IOrganizationDomainRepository organizationDomainRepository,
-        IDnsResolverService dnsResolverService,
-        IEventService eventService,
-        IGlobalSettings globalSettings,
-        IPolicyService policyService,
-        IFeatureService featureService,
-        ILogger<VerifyOrganizationDomainCommand> logger)
-    {
-        _organizationDomainRepository = organizationDomainRepository;
-        _dnsResolverService = dnsResolverService;
-        _eventService = eventService;
-        _globalSettings = globalSettings;
-        _policyService = policyService;
-        _featureService = featureService;
-        _logger = logger;
-    }
 
 
     public async Task<OrganizationDomain> UserVerifyOrganizationDomainAsync(OrganizationDomain organizationDomain)
     {
-        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain);
+        if (currentContext.UserId is null)
+        {
+            throw new InvalidOperationException(
+                $"{nameof(UserVerifyOrganizationDomainAsync)} can only be called by a user. " +
+                $"Please call {nameof(SystemVerifyOrganizationDomainAsync)} for system users.");
+        }
 
-        await _eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
+        var actingUser = new StandardUser(currentContext.UserId.Value, await currentContext.OrganizationOwner(organizationDomain.OrganizationId));
+
+        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain, actingUser);
+
+        await eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
             domainVerificationResult.VerifiedDate != null
                 ? EventType.OrganizationDomain_Verified
                 : EventType.OrganizationDomain_NotVerified);
 
-        await _organizationDomainRepository.ReplaceAsync(domainVerificationResult);
+        await organizationDomainRepository.ReplaceAsync(domainVerificationResult);
 
         return domainVerificationResult;
     }
 
     public async Task<OrganizationDomain> SystemVerifyOrganizationDomainAsync(OrganizationDomain organizationDomain)
     {
+        var actingUser = new SystemUser(EventSystemUser.DomainVerification);
+
         organizationDomain.SetJobRunCount();
 
-        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain);
+        var domainVerificationResult = await VerifyOrganizationDomainAsync(organizationDomain, actingUser);
 
         if (domainVerificationResult.VerifiedDate is not null)
         {
-            _logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
+            logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
 
-            await _eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
+            await eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
                 EventType.OrganizationDomain_Verified,
                 EventSystemUser.DomainVerification);
         }
         else
         {
-            domainVerificationResult.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
+            domainVerificationResult.SetNextRunDate(globalSettings.DomainVerification.VerificationInterval);
 
-            await _eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
+            await eventService.LogOrganizationDomainEventAsync(domainVerificationResult,
                 EventType.OrganizationDomain_NotVerified,
                 EventSystemUser.DomainVerification);
 
-            _logger.LogInformation(Constants.BypassFiltersEventId,
+            logger.LogInformation(Constants.BypassFiltersEventId,
                 "Verification for organization {OrgId} with domain {Domain} failed",
                 domainVerificationResult.OrganizationId, domainVerificationResult.DomainName);
         }
 
-        await _organizationDomainRepository.ReplaceAsync(domainVerificationResult);
+        await organizationDomainRepository.ReplaceAsync(domainVerificationResult);
 
         return domainVerificationResult;
     }
 
-    private async Task<OrganizationDomain> VerifyOrganizationDomainAsync(OrganizationDomain domain)
+    private async Task<OrganizationDomain> VerifyOrganizationDomainAsync(OrganizationDomain domain, IActingUser actingUser)
     {
         domain.SetLastCheckedDate();
 
         if (domain.VerifiedDate is not null)
         {
-            await _organizationDomainRepository.ReplaceAsync(domain);
+            await organizationDomainRepository.ReplaceAsync(domain);
             throw new ConflictException("Domain has already been verified.");
         }
 
         var claimedDomain =
-            await _organizationDomainRepository.GetClaimedDomainsByDomainNameAsync(domain.DomainName);
+            await organizationDomainRepository.GetClaimedDomainsByDomainNameAsync(domain.DomainName);
 
         if (claimedDomain.Count > 0)
         {
-            await _organizationDomainRepository.ReplaceAsync(domain);
+            await organizationDomainRepository.ReplaceAsync(domain);
             throw new ConflictException("The domain is not available to be claimed.");
         }
 
         try
         {
-            if (await _dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt))
+            if (await dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt))
             {
                 domain.SetVerifiedDate();
 
-                await EnableSingleOrganizationPolicyAsync(domain.OrganizationId);
+                await EnableSingleOrganizationPolicyAsync(domain.OrganizationId, actingUser);
             }
         }
         catch (Exception e)
         {
-            _logger.LogError("Error verifying Organization domain: {domain}. {errorMessage}",
+            logger.LogError("Error verifying Organization domain: {domain}. {errorMessage}",
                 domain.DomainName, e.Message);
         }
 
         return domain;
     }
 
-    private async Task EnableSingleOrganizationPolicyAsync(Guid organizationId)
+    private async Task EnableSingleOrganizationPolicyAsync(Guid organizationId, IActingUser actingUser)
     {
-        if (_featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
+        if (featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning))
         {
-            await _policyService.SaveAsync(
-                new Policy { OrganizationId = organizationId, Type = PolicyType.SingleOrg, Enabled = true }, null);
+            await policyService.SaveAsync(
+                new Policy { OrganizationId = organizationId, Type = PolicyType.SingleOrg, Enabled = true },
+                savingUserId: actingUser is StandardUser standardUser ? standardUser.UserId : null,
+                eventSystemUser: actingUser is SystemUser systemUser ? systemUser.SystemUserType : null);
         }
     }
 }
diff --git a/...zationFeatures/OrganizationUsers/Interfaces/IRevokeNonCompliantOrganizationUserCommand.cs b/...zationFeatures/OrganizationUsers/Interfaces/IRevokeNonCompliantOrganizationUserCommand.cs
@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+using Bit.Core.Models.Commands;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+public interface IRevokeNonCompliantOrganizationUserCommand
+{
+    Task<CommandResult> RevokeNonCompliantOrganizationUsersAsync(RevokeOrganizationUsersRequest request);
+}
diff --git a/...nConsole/OrganizationFeatures/OrganizationUsers/Requests/RevokeOrganizationUserRequest.cs b/...nConsole/OrganizationFeatures/OrganizationUsers/Requests/RevokeOrganizationUserRequest.cs
@@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+
+public record RevokeOrganizationUsersRequest(
+    Guid OrganizationId,
+    IEnumerable<OrganizationUserUserDetails> OrganizationUsers,
+    IActingUser ActionPerformedBy)
+{
+    public RevokeOrganizationUsersRequest(Guid organizationId, OrganizationUserUserDetails organizationUser, IActingUser actionPerformedBy)
+        : this(organizationId, [organizationUser], actionPerformedBy) { }
+}
diff --git a/...nsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs b/...nsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs
@@ -0,0 +1,112 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+using Bit.Core.Enums;
+using Bit.Core.Models.Commands;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class RevokeNonCompliantOrganizationUserCommand(IOrganizationUserRepository organizationUserRepository,
+    IEventService eventService,
+    IHasConfirmedOwnersExceptQuery confirmedOwnersExceptQuery,
+    TimeProvider timeProvider) : IRevokeNonCompliantOrganizationUserCommand
+{
+    public const string ErrorCannotRevokeSelf = "You cannot revoke yourself.";
+    public const string ErrorOnlyOwnersCanRevokeOtherOwners = "Only owners can revoke other owners.";
+    public const string ErrorUserAlreadyRevoked = "User is already revoked.";
+    public const string ErrorOrgMustHaveAtLeastOneOwner = "Organization must have at least one confirmed owner.";
+    public const string ErrorInvalidUsers = "Invalid users.";
+    public const string ErrorRequestedByWasNotValid = "Action was performed by an unexpected type.";
+
+    public async Task<CommandResult> RevokeNonCompliantOrganizationUsersAsync(RevokeOrganizationUsersRequest request)
+    {
+        var validationResult = await ValidateAsync(request);
+
+        if (validationResult.HasErrors)
+        {
+            return validationResult;
+        }
+
+        await organizationUserRepository.RevokeManyByIdAsync(request.OrganizationUsers.Select(x => x.Id));
+
+        var now = timeProvider.GetUtcNow();
+
+        switch (request.ActionPerformedBy)
+        {
+            case StandardUser:
+                await eventService.LogOrganizationUserEventsAsync(
+                    request.OrganizationUsers.Select(x => GetRevokedUserEventTuple(x, now)));
+                break;
+            case SystemUser { SystemUserType: not null } loggableSystem:
+                await eventService.LogOrganizationUserEventsAsync(
+                    request.OrganizationUsers.Select(x =>
+                        GetRevokedUserEventBySystemUserTuple(x, loggableSystem.SystemUserType.Value, now)));
+                break;
+        }
+
+        return validationResult;
+    }
+
+    private static (OrganizationUserUserDetails organizationUser, EventType eventType, DateTime? time) GetRevokedUserEventTuple(
+        OrganizationUserUserDetails organizationUser, DateTimeOffset dateTimeOffset) =>
+        new(organizationUser, EventType.OrganizationUser_Revoked, dateTimeOffset.UtcDateTime);
+
+    private static (OrganizationUserUserDetails organizationUser, EventType eventType, EventSystemUser eventSystemUser, DateTime? time) GetRevokedUserEventBySystemUserTuple(
+        OrganizationUserUserDetails organizationUser, EventSystemUser systemUser, DateTimeOffset dateTimeOffset) => new(organizationUser,
+        EventType.OrganizationUser_Revoked, systemUser, dateTimeOffset.UtcDateTime);
+
+    private async Task<CommandResult> ValidateAsync(RevokeOrganizationUsersRequest request)
+    {
+        if (!PerformedByIsAnExpectedType(request.ActionPerformedBy))
+        {
+            return new CommandResult(ErrorRequestedByWasNotValid);
+        }
+
+        if (request.ActionPerformedBy is StandardUser user
+            && request.OrganizationUsers.Any(x => x.UserId == user.UserId))
+        {
+            return new CommandResult(ErrorCannotRevokeSelf);
+        }
+
+        if (request.OrganizationUsers.Any(x => x.OrganizationId != request.OrganizationId))
+        {
+            return new CommandResult(ErrorInvalidUsers);
+        }
+
+        if (!await confirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(
+                    request.OrganizationId,
+                    request.OrganizationUsers.Select(x => x.Id)))
+        {
+            return new CommandResult(ErrorOrgMustHaveAtLeastOneOwner);
+        }
+
+        return request.OrganizationUsers.Aggregate(new CommandResult(), (result, userToRevoke) =>
+        {
+            if (IsAlreadyRevoked(userToRevoke))
+            {
+                result.ErrorMessages.Add($"{ErrorUserAlreadyRevoked} Id: {userToRevoke.Id}");
+                return result;
+            }
+
+            if (NonOwnersCannotRevokeOwners(userToRevoke, request.ActionPerformedBy))
+            {
+                result.ErrorMessages.Add($"{ErrorOnlyOwnersCanRevokeOtherOwners}");
+                return result;
+            }
+
+            return result;
+        });
+    }
+
+    private static bool PerformedByIsAnExpectedType(IActingUser entity) => entity is SystemUser or StandardUser;
+
+    private static bool IsAlreadyRevoked(OrganizationUserUserDetails organizationUser) =>
+        organizationUser is { Status: OrganizationUserStatusType.Revoked };
+
+    private static bool NonOwnersCannotRevokeOwners(OrganizationUserUserDetails organizationUser,
+        IActingUser actingUser) =>
+        actingUser is StandardUser { IsOrganizationOwnerOrProvider: false } && organizationUser.Type == OrganizationUserType.Owner;
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/Models/PolicyUpdate.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/Models/PolicyUpdate.cs
@@ -1,6 +1,7 @@
 #nullable enable
 
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.Utilities;
 
@@ -15,6 +16,7 @@ public record PolicyUpdate
     public PolicyType Type { get; set; }
     public string? Data { get; set; }
     public bool Enabled { get; set; }
+    public IActingUser? PerformedBy { get; set; }
 
     public T GetDataModel<T>() where T : IPolicyDataModel, new()
     {