[AC-1011] Admin Console / Billing code ownership (#4973)

* refactor: move SCIM component to admin-console, refs EC-1011 * refactor: move scimProviderType to admin-console, refs EC-1011 * refactor: move scim-config.api to admin-console, refs EC-1011 * refactor: create models folder and nest existing api contents, refs EC-1011 * refactor: move scim-config to admin-console models, refs EC-1011 * refactor: move billing.component to billing, refs EC-1011 * refactor: remove nested app folder from new billing structure, refs EC-1011 * refactor: move organizations/billing to billing, refs EC-1011 * refactor: move add-credit and adjust-payment to billing/settings, refs EC-1011 * refactor: billing history/sync to billing, refs EC-1011 * refactor: move org plans, payment/method to billing/settings, refs EC-1011 * fix: update legacy file paths for payment-method and tax-info, refs EC-1011 * fix: update imports for scim component, refs EC-1011 * refactor: move subscription and tax-info into billing, refs EC-1011 * refactor: move user-subscription to billing, refs EC-1011 * refactor: move images/cards to billing and update base path, refs EC-1011 * refactor: move payment-method, plan subscription, and plan to billing, refs EC-1011 * refactor: move transaction-type to billing, refs EC-1011 * refactor: move billing-sync-config to billing, refs EC-1011 * refactor: move billing-sync and bit-pay-invoice request to billing, refs EC-1011 * refactor: move org subscription and tax info update requests to billing, refs EC-1011 * fix: broken paths to billing, refs EC-1011 * refactor: move payment request to billing, refs EC-1011 * fix: update remaining imports for payment-request, refs EC-1011 * refactor: move tax-info-update to billing, refs EC-1011 * refactor: move billing-payment, billing-history, and billing responses to billing, refs EC-1011 * refactor: move organization-subscription-responset to billing, refs EC-1011 * refactor: move payment and plan responses to billing, refs EC-1011 * refactor: move subscription response to billing ,refs EC-1011 * refactor: move tax info and rate responses to billing, refs EC-1011 * fix: update remaining path to base response for tax-rate response, refs EC-1011 * refactor: (browser) move organization-service to admin-console, refs EC-1011 * refactor: (browser) move organizaiton-service to admin-console, refs EC-1011 * refactor: (cli) move share command to admin-console, refs EC-1011 * refactor: move organization-collect request model to admin-console, refs EC-1011 * refactor: (web) move organization, collection/user responses to admin-console, refs EC-1011 * refactor: (cli) move selection-read-only to admin-console, refs EC-1011 * refactor: (desktop) move organization-filter to admin-console, refs EC-1011 * refactor: (web) move organization-switcher to admin-console, refs EC-1011 * refactor: (web) move access-selector to admin-console, refs EC-1011 * refactor: (web) move create folder to admin-console, refs EC-1011 * refactor: (web) move org guards folder to admin-console, refs EC-1011 * refactor: (web) move org layout to admin-console, refs EC-1011 * refactor: move manage collections to admin console, refs EC-1011 * refactor: (web) move collection-dialog to admin-console, refs EC-1011 * refactor: (web) move entity users/events and events component to admin-console, refs EC-1011 * refactor: (web) move groups/group-add-edit to admin-console, refs EC-1011 * refactor: (web) move manage, org-manage module, and user-confirm to admin-console, refs EC-1011 * refactor: (web) move people to admin-console, refs EC-1011 * refactor: (web) move reset-password to admin-console, refs EC-1011 * refactor: (web) move organization-routing and module to admin-console, refs EC-1011 * refactor: move admin-console and billing within app scope, refs EC-1011 * fix: update leftover merge conflicts, refs EC-1011 * refactor: (web) member-dialog to admin-console, refs EC-1011 * refactor: (web) move policies to admin-console, refs EC-1011 * refactor: (web) move reporting to admin-console, refs EC-1011 * refactor: (web) move settings to admin-console, refs EC-1011 * refactor: (web) move sponsorships to admin-console, refs EC-1011 * refactor: (web) move tools to admin-console, refs EC-1011 * refactor: (web) move users to admin-console, refs EC-1011 * refactor: (web) move collections to admin-console, refs EC-1011 * refactor: (web) move create-organization to admin-console, refs EC-1011 * refactor: (web) move licensed components to admin-console, refs EC-1011 * refactor: (web) move bit organization modules to admin-console, refs EC-1011 * fix: update leftover import statements for organizations.module, refs EC-1011 * refactor: (web) move personal vault and max timeout to admin-console, refs EC-1011 * refactor: (web) move providers to admin-console, refs EC-1011 * refactor: (libs) move organization service to admin-console, refs EC-1011 * refactor: (libs) move profile org/provider responses and other misc org responses to admin-console, refs EC-1011 * refactor: (libs) move provider request and selectionion-read-only request to admin-console, refs EC-1011 * fix: update missed import path for provider-user-update request, refs EC-1011 * refactor: (libs) move abstractions to admin-console, refs EC-1011 * refactor: (libs) move org/provider enums to admin-console, refs EC-1011 * fix: update downstream import statements from libs changes, refs EC-1011 * refactor: (libs) move data files to admin-console, refs EC-1011 * refactor: (libs) move domain to admin-console, refs EC-1011 * refactor: (libs) move request objects to admin-console, refs EC-1011 * fix: update downstream import changes from libs, refs EC-1011 * refactor: move leftover provider files to admin-console, refs EC-1011 * refactor: (browser) move group policy environment to admin-console, refs EC-1011 * fix: (browser) update downstream import statements, refs EC-1011 * fix: (desktop) update downstream libs moves, refs EC-1011 * fix: (cli) update downstream import changes from libs, refs EC-1011 * refactor: move org-auth related files to admin-console, refs EC-1011 * refactor: (libs) move request objects to admin-console, refs EC-1011 * refactor: move persmissions to admin-console, refs EC-1011 * refactor: move sponsored families to admin-console and fix libs changes, refs EC-1011 * refactor: move collections to admin-console, refs EC-1011 * refactor: move spec file back to spec scope, refs EC-1011 * fix: update downstream imports due to libs changes, refs EC-1011 * fix: udpate downstream import changes due to libs, refs EC-1011 * fix: update downstream imports due to libs changes, refs EC-1011 * fix: update downstream imports from libs changes, refs EC-1011 * fix: update path malformation in jslib-services.module, refs EC-1011 * fix: lint errors from improper casing, refs AC-1011 * fix: update downstream filename changes, refs AC-1011 * fix: (cli) update downstream filename changes, refs AC-1011 * fix: (desktop) update downstream filename changes, refs AC-1011 * fix: (browser) update downstream filename changes, refs AC-1011 * fix: lint errors, refs AC-1011 * fix: prettier, refs AC-1011 * fix: lint fixes for import order, refs AC-1011 * fix: update import path for provider user type, refs AC-1011 * fix: update new codes import paths for admin console structure, refs AC-1011 * fix: lint/prettier, refs AC-1011 * fix: update layout stories path, refs AC-1011 * fix: update comoponents card icons base variable in styles, refs AC-1011 * fix: update provider service path in permissions guard spec, refs AC-1011 * fix: update provider permission guard path, refs AC-1011 * fix: remove unecessary TODO for shared index export statement, refs AC-1011 * refactor: move browser-organization service and cli organization-user response out of admin-console, refs AC-1011 * refactor: move web/browser/desktop collections component to vault domain, refs AC-1011 * refactor: move organization.module out of admin-console scope, refs AC-1011 * fix: prettier, refs AC-1011 * refactor: move organizations-api-key.request out of admin-console scope, refs AC-1011
2026-01-08 11:33:28 +00:00 · 2023-03-22 10:03:50 -05:00
parent a7fea2ff3a
commit 780a563ce0
557 changed files with 1260 additions and 1246 deletions
--- a/apps/web/src/app/admin-console/organizations/guards/org-permissions.guard.spec.ts
+++ b/apps/web/src/app/admin-console/organizations/guards/org-permissions.guard.spec.ts
@@ -0,0 +1,163 @@
+import {
+  ActivatedRouteSnapshot,
+  convertToParamMap,
+  Router,
+  RouterStateSnapshot,
+} from "@angular/router";
+import { mock, MockProxy } from "jest-mock-extended";
+
+import { I18nService } from "@bitwarden/common/abstractions/i18n.service";
+import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { OrganizationUserType } from "@bitwarden/common/admin-console/enums/organization-user-type";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
+
+import { OrganizationPermissionsGuard } from "./org-permissions.guard";
+
+const orgFactory = (props: Partial<Organization> = {}) =>
+  Object.assign(
+    new Organization(),
+    {
+      id: "myOrgId",
+      enabled: true,
+      type: OrganizationUserType.Admin,
+    },
+    props
+  );
+
+describe("Organization Permissions Guard", () => {
+  let router: MockProxy<Router>;
+  let organizationService: MockProxy<OrganizationService>;
+  let state: MockProxy<RouterStateSnapshot>;
+  let route: MockProxy<ActivatedRouteSnapshot>;
+
+  let organizationPermissionsGuard: OrganizationPermissionsGuard;
+
+  beforeEach(() => {
+    router = mock<Router>();
+    organizationService = mock<OrganizationService>();
+    state = mock<RouterStateSnapshot>();
+    route = mock<ActivatedRouteSnapshot>({
+      params: {
+        organizationId: orgFactory().id,
+      },
+      data: {
+        organizationPermissions: null,
+      },
+    });
+
+    organizationPermissionsGuard = new OrganizationPermissionsGuard(
+      router,
+      organizationService,
+      mock<PlatformUtilsService>(),
+      mock<I18nService>(),
+      mock<SyncService>()
+    );
+  });
+
+  it("blocks navigation if organization does not exist", async () => {
+    organizationService.get.mockReturnValue(null);
+
+    const actual = await organizationPermissionsGuard.canActivate(route, state);
+
+    expect(actual).not.toBe(true);
+  });
+
+  it("permits navigation if no permissions are specified", async () => {
+    const org = orgFactory();
+    organizationService.get.calledWith(org.id).mockReturnValue(org);
+
+    const actual = await organizationPermissionsGuard.canActivate(route, state);
+
+    expect(actual).toBe(true);
+  });
+
+  it("permits navigation if the user has permissions", async () => {
+    const permissionsCallback = jest.fn();
+    permissionsCallback.mockImplementation((org) => true);
+    route.data = {
+      organizationPermissions: permissionsCallback,
+    };
+
+    const org = orgFactory();
+    organizationService.get.calledWith(org.id).mockReturnValue(org);
+
+    const actual = await organizationPermissionsGuard.canActivate(route, state);
+
+    expect(permissionsCallback).toHaveBeenCalled();
+    expect(actual).toBe(true);
+  });
+
+  describe("if the user does not have permissions", () => {
+    it("and there is no Item ID, block navigation", async () => {
+      const permissionsCallback = jest.fn();
+      permissionsCallback.mockImplementation((org) => false);
+      route.data = {
+        organizationPermissions: permissionsCallback,
+      };
+
+      state = mock<RouterStateSnapshot>({
+        root: mock<ActivatedRouteSnapshot>({
+          queryParamMap: convertToParamMap({}),
+        }),
+      });
+
+      const org = orgFactory();
+      organizationService.get.calledWith(org.id).mockReturnValue(org);
+
+      const actual = await organizationPermissionsGuard.canActivate(route, state);
+
+      expect(permissionsCallback).toHaveBeenCalled();
+      expect(actual).not.toBe(true);
+    });
+
+    it("and there is an Item ID, redirect to the item in the individual vault", async () => {
+      route.data = {
+        organizationPermissions: (org: Organization) => false,
+      };
+      state = mock<RouterStateSnapshot>({
+        root: mock<ActivatedRouteSnapshot>({
+          queryParamMap: convertToParamMap({
+            itemId: "myItemId",
+          }),
+        }),
+      });
+      const org = orgFactory();
+      organizationService.get.calledWith(org.id).mockReturnValue(org);
+
+      const actual = await organizationPermissionsGuard.canActivate(route, state);
+
+      expect(router.createUrlTree).toHaveBeenCalledWith(["/vault"], {
+        queryParams: { itemId: "myItemId" },
+      });
+      expect(actual).not.toBe(true);
+    });
+  });
+
+  describe("given a disabled organization", () => {
+    it("blocks navigation if user is not an owner", async () => {
+      const org = orgFactory({
+        type: OrganizationUserType.Admin,
+        enabled: false,
+      });
+      organizationService.get.calledWith(org.id).mockReturnValue(org);
+
+      const actual = await organizationPermissionsGuard.canActivate(route, state);
+
+      expect(actual).not.toBe(true);
+    });
+
+    it("permits navigation if user is an owner", async () => {
+      const org = orgFactory({
+        type: OrganizationUserType.Owner,
+        enabled: false,
+      });
+      organizationService.get.calledWith(org.id).mockReturnValue(org);
+
+      const actual = await organizationPermissionsGuard.canActivate(route, state);
+
+      expect(actual).toBe(true);
+    });
+  });
+});
--- a/apps/web/src/app/admin-console/organizations/guards/org-permissions.guard.ts
+++ b/apps/web/src/app/admin-console/organizations/guards/org-permissions.guard.ts
@@ -0,0 +1,70 @@
+import { Injectable } from "@angular/core";
+import { ActivatedRouteSnapshot, CanActivate, Router, RouterStateSnapshot } from "@angular/router";
+
+import { I18nService } from "@bitwarden/common/abstractions/i18n.service";
+import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
+import {
+  canAccessOrgAdmin,
+  OrganizationService,
+} from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
+
+@Injectable({
+  providedIn: "root",
+})
+export class OrganizationPermissionsGuard implements CanActivate {
+  constructor(
+    private router: Router,
+    private organizationService: OrganizationService,
+    private platformUtilsService: PlatformUtilsService,
+    private i18nService: I18nService,
+    private syncService: SyncService
+  ) {}
+
+  async canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
+    // TODO: We need to fix this issue once and for all.
+    if ((await this.syncService.getLastSync()) == null) {
+      await this.syncService.fullSync(false);
+    }
+
+    const org = this.organizationService.get(route.params.organizationId);
+    if (org == null) {
+      return this.router.createUrlTree(["/"]);
+    }
+
+    if (!org.isOwner && !org.enabled) {
+      this.platformUtilsService.showToast(
+        "error",
+        null,
+        this.i18nService.t("organizationIsDisabled")
+      );
+      return this.router.createUrlTree(["/"]);
+    }
+
+    const permissionsCallback: (organization: Organization) => boolean =
+      route.data?.organizationPermissions;
+    const hasPermissions = permissionsCallback == null || permissionsCallback(org);
+
+    if (!hasPermissions) {
+      // Handle linkable ciphers for organizations the user only has view access to
+      // https://bitwarden.atlassian.net/browse/EC-203
+      const cipherId =
+        state.root.queryParamMap.get("itemId") || state.root.queryParamMap.get("cipherId");
+      if (cipherId) {
+        return this.router.createUrlTree(["/vault"], {
+          queryParams: {
+            itemId: cipherId,
+          },
+        });
+      }
+
+      this.platformUtilsService.showToast("error", null, this.i18nService.t("accessDenied"));
+      return canAccessOrgAdmin(org)
+        ? this.router.createUrlTree(["/organizations", org.id])
+        : this.router.createUrlTree(["/"]);
+    }
+
+    return true;
+  }
+}
--- a/apps/web/src/app/admin-console/organizations/guards/org-redirect.guard.ts
+++ b/apps/web/src/app/admin-console/organizations/guards/org-redirect.guard.ts
@@ -0,0 +1,32 @@
+import { Injectable } from "@angular/core";
+import { ActivatedRouteSnapshot, CanActivate, Router, RouterStateSnapshot } from "@angular/router";
+
+import {
+  canAccessOrgAdmin,
+  OrganizationService,
+} from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+
+@Injectable({
+  providedIn: "root",
+})
+export class OrganizationRedirectGuard implements CanActivate {
+  constructor(private router: Router, private organizationService: OrganizationService) {}
+
+  async canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
+    const org = this.organizationService.get(route.params.organizationId);
+
+    const customRedirect = route.data?.autoRedirectCallback;
+    if (customRedirect) {
+      let redirectPath = customRedirect(org);
+      if (typeof redirectPath === "string") {
+        redirectPath = [redirectPath];
+      }
+      return this.router.createUrlTree([state.url, ...redirectPath]);
+    }
+
+    if (canAccessOrgAdmin(org)) {
+      return this.router.createUrlTree(["/organizations", org.id]);
+    }
+    return this.router.createUrlTree(["/"]);
+  }
+}