[PM-27145] - Block Auto Confirm Enable Admin Portal (#6981)

* Extracted policy compliance checking for the organization out and added a check when attempting to enable auto user confirm via Admin Portal * Moved injection order. Fixed error message.
2026-02-25 00:52:57 +00:00 · 2026-02-11 09:59:18 -06:00
parent 946a03233b
commit 0566de90d6
10 changed files with 863 additions and 385 deletions
--- a/test/Admin.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
+++ b/test/Admin.Test/AdminConsole/Controllers/OrganizationsControllerTests.cs
@@ -5,6 +5,7 @@ using Bit.Admin.Services;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Providers.Services;
@@ -12,7 +13,11 @@ using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.ViewFeatures;
 using NSubstitute;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;

 namespace Admin.Test.AdminConsole.Controllers;

@@ -299,18 +304,164 @@ public class OrganizationsControllerTests
                .Returns(true);

        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
-
        organizationRepository.GetByIdAsync(organization.Id).Returns(organization);

+        var request = new AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest(organization.Id);
+        sutProvider.GetDependency<IAutomaticUserConfirmationOrganizationPolicyComplianceValidator>()
+            .IsOrganizationCompliantAsync(Arg.Any<AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest>())
+            .Returns(Valid(request));
+
        // Act
        _ = await sutProvider.Sut.Edit(organization.Id, update);

        // Assert
        await organizationRepository.Received(1).ReplaceAsync(Arg.Is<Organization>(o => o.Id == organization.Id
            && o.UseAutomaticUserConfirmation == true));
+    }

-        // Annul
-        await organizationRepository.DeleteAsync(organization);
+    [BitAutoData]
+    [SutProviderCustomize]
+    [Theory]
+    public async Task Edit_EnableUseAutomaticUserConfirmation_ValidationFails_RedirectsWithError(
+        Organization organization,
+        SutProvider<OrganizationsController> sutProvider)
+    {
+        // Arrange
+        var update = new OrganizationEditModel
+        {
+            PlanType = PlanType.TeamsMonthly,
+            UseAutomaticUserConfirmation = true
+        };
+
+        organization.UseAutomaticUserConfirmation = false;
+
+        sutProvider.GetDependency<IAccessControlService>()
+            .UserHasPermission(Permission.Org_Plan_Edit)
+            .Returns(true);
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(organization.Id).Returns(organization);
+
+        var request = new AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest(organization.Id);
+        sutProvider.GetDependency<IAutomaticUserConfirmationOrganizationPolicyComplianceValidator>()
+            .IsOrganizationCompliantAsync(Arg.Any<AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest>())
+            .Returns(Invalid(request, new UserNotCompliantWithSingleOrganization()));
+
+        sutProvider.Sut.TempData = new TempDataDictionary(new DefaultHttpContext(), Substitute.For<ITempDataProvider>());
+
+        // Act
+        var result = await sutProvider.Sut.Edit(organization.Id, update);
+
+        // Assert
+        var redirectResult = Assert.IsType<RedirectToActionResult>(result);
+        Assert.Equal("Edit", redirectResult.ActionName);
+        Assert.Equal(organization.Id, redirectResult.RouteValues!["id"]);
+
+        await organizationRepository.DidNotReceive().ReplaceAsync(Arg.Any<Organization>());
+    }
+
+    [BitAutoData]
+    [SutProviderCustomize]
+    [Theory]
+    public async Task Edit_EnableUseAutomaticUserConfirmation_ProviderValidationFails_RedirectsWithError(
+        Organization organization,
+        SutProvider<OrganizationsController> sutProvider)
+    {
+        // Arrange
+        var update = new OrganizationEditModel
+        {
+            PlanType = PlanType.TeamsMonthly,
+            UseAutomaticUserConfirmation = true
+        };
+
+        organization.UseAutomaticUserConfirmation = false;
+
+        sutProvider.GetDependency<IAccessControlService>()
+            .UserHasPermission(Permission.Org_Plan_Edit)
+            .Returns(true);
+
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        organizationRepository.GetByIdAsync(organization.Id).Returns(organization);
+
+        var request = new AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest(organization.Id);
+        sutProvider.GetDependency<IAutomaticUserConfirmationOrganizationPolicyComplianceValidator>()
+            .IsOrganizationCompliantAsync(Arg.Any<AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest>())
+            .Returns(Invalid(request, new ProviderExistsInOrganization()));
+
+        sutProvider.Sut.TempData = new TempDataDictionary(new DefaultHttpContext(), Substitute.For<ITempDataProvider>());
+
+        // Act
+        var result = await sutProvider.Sut.Edit(organization.Id, update);
+
+        // Assert
+        var redirectResult = Assert.IsType<RedirectToActionResult>(result);
+        Assert.Equal("Edit", redirectResult.ActionName);
+
+        await organizationRepository.DidNotReceive().ReplaceAsync(Arg.Any<Organization>());
+    }
+
+    [BitAutoData]
+    [SutProviderCustomize]
+    [Theory]
+    public async Task Edit_UseAutomaticUserConfirmation_NotChanged_DoesNotCallValidator(
+        SutProvider<OrganizationsController> sutProvider)
+    {
+        // Arrange
+        var organizationId = new Guid();
+        var update = new OrganizationEditModel
+        {
+            UseSecretsManager = false,
+            UseAutomaticUserConfirmation = false
+        };
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            UseAutomaticUserConfirmation = false
+        };
+
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
+            .Returns(organization);
+
+        // Act
+        _ = await sutProvider.Sut.Edit(organizationId, update);
+
+        // Assert
+        await sutProvider.GetDependency<IAutomaticUserConfirmationOrganizationPolicyComplianceValidator>()
+            .DidNotReceive()
+            .IsOrganizationCompliantAsync(Arg.Any<AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest>());
+    }
+
+    [BitAutoData]
+    [SutProviderCustomize]
+    [Theory]
+    public async Task Edit_UseAutomaticUserConfirmation_AlreadyEnabled_DoesNotCallValidator(
+        SutProvider<OrganizationsController> sutProvider)
+    {
+        // Arrange
+        var organizationId = new Guid();
+        var update = new OrganizationEditModel
+        {
+            UseSecretsManager = false,
+            UseAutomaticUserConfirmation = true
+        };
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            UseAutomaticUserConfirmation = true
+        };
+
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId)
+            .Returns(organization);
+
+        // Act
+        _ = await sutProvider.Sut.Edit(organizationId, update);
+
+        // Assert
+        await sutProvider.GetDependency<IAutomaticUserConfirmationOrganizationPolicyComplianceValidator>()
+            .DidNotReceive()
+            .IsOrganizationCompliantAsync(Arg.Any<AutomaticUserConfirmationOrganizationPolicyComplianceValidatorRequest>());
    }

    #endregion