fix(user-decryption-options) [PM-23174]: ManageAccountRecovery Permission Forces Master Password Set (#6230)

* fix(user-decryption-options): ManageAccountRecovery Permission Forces MP Set - Update tests, add OrganizationUser fixture customization for Permissions * fix(user-decryption-options): ManageAccountRecovery Permission Forces MP Set - Update hasManageResetPasswordPermission evaluation. * PM-23174 - Add TODO for endpoint per sync discussion with Dave * fix(user-decryption-options): ManageAccountRecovery Permission Forces MP Set - Clean up comments. * fix(user-decryption-options): ManageAccountRecovery Permission Forces MP Set - Remove an outdated comment. * fix(user-decryption-options): ManageAccountRecovery Permission Forces MP Set - Elaborate on comments around Organization User invite-time evaluation. * fix(user-decryption-options): Use currentContext for Provider relationships, update comments, and feature flag the change. * fix(user-decryption-options): Update test suite and provide additional comments for future flag removal. --------- Co-authored-by: Jared Snider <jsnider@bitwarden.com>
2025-12-06 00:03:34 +00:00 · 2025-09-25 13:37:36 -04:00
parent 222436589c
commit 6466c00acd
4 changed files with 172 additions and 31 deletions
--- a/test/Identity.Test/AutoFixture/OrganizationUserFixtures.cs
+++ b/test/Identity.Test/AutoFixture/OrganizationUserFixtures.cs
@@ -0,0 +1,26 @@
+using System.Reflection;
+using AutoFixture;
+using AutoFixture.Xunit2;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Identity.Test.AutoFixture;
+
+internal class OrganizationUserWithDefaultPermissionsCustomization : ICustomization
+{
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customize<OrganizationUser>(composer => composer
+            // On OrganizationUser, Permissions can be JSON data (as string) or sometimes null.
+            // Entity APIs should prevent it from being anything else.
+            // An un-modified fixture for OrganizationUser will return a bare string Permissions{guid}
+            // in the member, throwing a JsonException on deserialization of a bare string.
+            .With(organizationUser => organizationUser.Permissions, CoreHelpers.ClassToJsonData(new Permissions())));
+    }
+}
+
+public class OrganizationUserWithDefaultPermissionsAttribute : CustomizeAttribute
+{
+    public override ICustomization GetCustomization(ParameterInfo parameter) => new OrganizationUserWithDefaultPermissionsCustomization();
+}
--- a/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs
+++ b/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs
@@ -1,15 +1,20 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Identity.IdentityServer;
+using Bit.Identity.Test.AutoFixture;
 using Bit.Identity.Utilities;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
+using User = Bit.Core.Entities.User;

 namespace Bit.Identity.Test.IdentityServer;

@@ -20,6 +25,7 @@ public class UserDecryptionOptionsBuilderTests
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly ILoginApprovingClientTypes _loginApprovingClientTypes;
    private readonly UserDecryptionOptionsBuilder _builder;
+    private readonly IFeatureService _featureService;

    public UserDecryptionOptionsBuilderTests()
    {
@@ -27,7 +33,8 @@ public class UserDecryptionOptionsBuilderTests
        _deviceRepository = Substitute.For<IDeviceRepository>();
        _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
        _loginApprovingClientTypes = Substitute.For<ILoginApprovingClientTypes>();
-        _builder = new UserDecryptionOptionsBuilder(_currentContext, _deviceRepository, _organizationUserRepository, _loginApprovingClientTypes);
+        _featureService = Substitute.For<IFeatureService>();
+        _builder = new UserDecryptionOptionsBuilder(_currentContext, _deviceRepository, _organizationUserRepository, _loginApprovingClientTypes, _featureService);
        var user = new User();
        _builder.ForUser(user);
    }
@@ -220,19 +227,65 @@ public class UserDecryptionOptionsBuilderTests
        Assert.False(result.TrustedDeviceOption?.HasLoginApprovingDevice);
    }

-    [Theory, BitAutoData]
+    /// <summary>
+    /// This logic has been flagged as part of PM-23174.
+    /// When removing the server flag, please also remove this test, and remove the FeatureService
+    /// dependency from this suite and the following test.
+    /// </summary>
+    /// <param name="organizationUserType"></param>
+    /// <param name="ssoConfig"></param>
+    /// <param name="configurationData"></param>
+    /// <param name="organization"></param>
+    /// <param name="organizationUser"></param>
+    /// <param name="user"></param>
+    [Theory]
+    [BitAutoData(OrganizationUserType.Custom)]
    public async Task Build_WhenManageResetPasswordPermissions_ShouldReturnHasManageResetPasswordPermissionTrue(
+        OrganizationUserType organizationUserType,
        SsoConfig ssoConfig,
        SsoConfigurationData configurationData,
-        CurrentContextOrganization organization)
+        CurrentContextOrganization organization,
+        [OrganizationUserWithDefaultPermissions] OrganizationUser organizationUser,
+        User user)
    {
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
        ssoConfig.Data = configurationData.Serialize();
        ssoConfig.OrganizationId = organization.Id;
-        _currentContext.Organizations.Returns(new List<CurrentContextOrganization>(new CurrentContextOrganization[] { organization }));
+        _currentContext.Organizations.Returns([organization]);
        _currentContext.ManageResetPassword(organization.Id).Returns(true);
+        organizationUser.Type = organizationUserType;
+        organizationUser.OrganizationId = organization.Id;
+        organizationUser.UserId = user.Id;
+        organizationUser.SetPermissions(new Permissions() { ManageResetPassword = true });
+        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);

-        var result = await _builder.WithSso(ssoConfig).BuildAsync();
+        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();
+
+        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task Build_WhenManageResetPasswordPermissions_ShouldFetchUserFromRepositoryAndReturnHasManageResetPasswordPermissionTrue(
+        OrganizationUserType organizationUserType,
+        SsoConfig ssoConfig,
+        SsoConfigurationData configurationData,
+        CurrentContextOrganization organization,
+        [OrganizationUserWithDefaultPermissions] OrganizationUser organizationUser,
+        User user)
+    {
+        _featureService.IsEnabled(FeatureFlagKeys.PM23174ManageAccountRecoveryPermissionDrivesTheNeedToSetMasterPassword)
+            .Returns(true);
+        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
+        ssoConfig.Data = configurationData.Serialize();
+        ssoConfig.OrganizationId = organization.Id;
+        organizationUser.Type = organizationUserType;
+        organizationUser.OrganizationId = organization.Id;
+        organizationUser.UserId = user.Id;
+        organizationUser.SetPermissions(new Permissions() { ManageResetPassword = true });
+        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);
+
+        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();

        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
    }
@@ -241,7 +294,7 @@ public class UserDecryptionOptionsBuilderTests
    public async Task Build_WhenIsOwnerInvite_ShouldReturnHasManageResetPasswordPermissionTrue(
        SsoConfig ssoConfig,
        SsoConfigurationData configurationData,
-        OrganizationUser organizationUser,
+        [OrganizationUserWithDefaultPermissions] OrganizationUser organizationUser,
        User user)
    {
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
@@ -258,7 +311,7 @@ public class UserDecryptionOptionsBuilderTests
    public async Task Build_WhenIsAdminInvite_ShouldReturnHasManageResetPasswordPermissionTrue(
        SsoConfig ssoConfig,
        SsoConfigurationData configurationData,
-        OrganizationUser organizationUser,
+        [OrganizationUserWithDefaultPermissions] OrganizationUser organizationUser,
        User user)
    {
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
@@ -275,7 +328,7 @@ public class UserDecryptionOptionsBuilderTests
    public async Task Build_WhenUserHasEnrolledIntoPasswordReset_ShouldReturnHasAdminApprovalTrue(
        SsoConfig ssoConfig,
        SsoConfigurationData configurationData,
-        OrganizationUser organizationUser,
+        [OrganizationUserWithDefaultPermissions] OrganizationUser organizationUser,
        User user)
    {
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;