Move policy checks within policyService (#466)

* Move policy logic within policyService * Remove unneeded import * Clean up unused code * Fix linting * Enforce policies from accepting org invite * Only exempt owner or admin from policies * Use canManagePolicies as exemption criteria * Make orgUser status check more semantic Co-authored-by: Addison Beck <abeck@bitwarden.com> Co-authored-by: Addison Beck <abeck@bitwarden.com>
2025-12-16 00:03:56 +00:00 · 2021-08-31 06:52:57 +10:00
parent f02720a1c6
commit 30419a625f
6 changed files with 49 additions and 44 deletions
--- a/common/src/abstractions/policy.service.ts
+++ b/common/src/abstractions/policy.service.ts
@@ -4,16 +4,17 @@ import { MasterPasswordPolicyOptions } from '../models/domain/masterPasswordPoli
 import { Policy } from '../models/domain/policy';
 import { ResetPasswordPolicyOptions } from '../models/domain/resetPasswordPolicyOptions';

-import { PolicyType } from '../enums/policyType';
-
 import { ListResponse } from '../models/response/listResponse';
 import { PolicyResponse } from '../models/response/policyResponse';

+import { PolicyType } from '../enums/policyType';
+
 export abstract class PolicyService {
    policyCache: Policy[];

    clearCache: () => void;
    getAll: (type?: PolicyType) => Promise<Policy[]>;
+    getPolicyForOrganization: (policyType: PolicyType, organizationId: string) => Promise<Policy>;
    replace: (policies: { [id: string]: PolicyData; }) => Promise<any>;
    clear: (userId: string) => Promise<any>;
    getMasterPasswordPolicyOptions: (policies?: Policy[]) => Promise<MasterPasswordPolicyOptions>;
@@ -21,4 +22,5 @@ export abstract class PolicyService {
        enforcedPolicyOptions?: MasterPasswordPolicyOptions) => boolean;
    getResetPasswordPolicyOptions: (policies: Policy[], orgId: string) => [ResetPasswordPolicyOptions, boolean];
    mapPoliciesFromToken: (policiesResponse: ListResponse<PolicyResponse>) => Policy[];
+    policyAppliesToUser: (policyType: PolicyType, policyFilter?: (policy: Policy) => boolean) => Promise<boolean>;
 }
--- a/common/src/models/domain/organization.ts
+++ b/common/src/models/domain/organization.ts
@@ -135,4 +135,8 @@ export class Organization {
    get canManageUsersPassword() {
        return this.isAdmin || this.permissions.manageResetPassword;
    }
+
+    get isExemptFromPolicies() {
+        return this.canManagePolicies;
+    }
 }
--- a/common/src/services/policy.service.ts
+++ b/common/src/services/policy.service.ts
@@ -8,6 +8,7 @@ import { MasterPasswordPolicyOptions } from '../models/domain/masterPasswordPoli
 import { Policy } from '../models/domain/policy';
 import { ResetPasswordPolicyOptions } from '../models/domain/resetPasswordPolicyOptions';

+import { OrganizationUserStatusType } from '../enums/organizationUserStatusType';
 import { PolicyType } from '../enums/policyType';

 import { ListResponse } from '../models/response/listResponse';
@@ -47,6 +48,11 @@ export class PolicyService implements PolicyServiceAbstraction {
        }
    }

+    async getPolicyForOrganization(policyType: PolicyType, organizationId: string): Promise<Policy> {
+        const policies = await this.getAll(policyType);
+        return policies.find(p => p.organizationId === organizationId);
+    }
+
    async replace(policies: { [id: string]: PolicyData; }): Promise<any> {
        const userId = await this.userService.getUserId();
        await this.storageService.save(Keys.policiesPrefix + userId, policies);
@@ -164,4 +170,29 @@ export class PolicyService implements PolicyServiceAbstraction {
        const policiesData = policiesResponse.data.map(p => new PolicyData(p));
        return policiesData.map(p => new Policy(p));
    }
+
+    async policyAppliesToUser(policyType: PolicyType, policyFilter?: (policy: Policy) => boolean) {
+        if (policyFilter == null) {
+            policyFilter = (policy: Policy) => true;
+        }
+
+        const policies = await this.getAll(policyType);
+        const organizations = await this.userService.getAllOrganizations();
+
+        const filteredPolicies = policies
+            .filter(p =>
+                p.enabled &&
+                p.type === policyType &&
+                policyFilter(p))
+            .map(p => p.organizationId);
+
+        const policySet = new Set(filteredPolicies);
+
+        return organizations.some(o =>
+            o.enabled &&
+            o.status >= OrganizationUserStatusType.Accepted &&
+            o.usePolicies &&
+            !o.isExemptFromPolicies &&
+            policySet.has(o.id));
+    }
 }