[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement * Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future * Update policy name // adjusted conditional to demorgan's * Updated sproc // Added migrator script * Added .sql file extension to DeleteOrgUserWithOrg migrator script * Added policy // edit // strings // validation to business portal * Change requests from review // Added Owner & Admin exemption * Updated repository function used to get org user's type * Updated with requested changes
2025-12-20 02:03:46 +00:00 · 2020-10-26 11:56:16 -05:00
parent e872b4df9d
commit 66e44759f0
15 changed files with 195 additions and 11 deletions
--- a/bitwarden_license/src/Portal/Controllers/PoliciesController.cs
+++ b/bitwarden_license/src/Portal/Controllers/PoliciesController.cs
@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+using System;
+using System.Threading.Tasks;
 using Bit.Core.Enums;
 using Bit.Core.Models.Table;
 using Bit.Core.Repositories;
@@ -50,7 +51,8 @@ namespace Bit.Portal.Controllers
            }
            
            var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId.Value);
-            return View(new PoliciesModel(policies));
+            var selectedOrgUseSso = _enterprisePortalCurrentContext.SelectedOrganizationDetails.UseSso;
+            return View(new PoliciesModel(policies, selectedOrgUseSso));
        }
        
        [HttpGet("/edit/{type}")]
@@ -88,6 +90,7 @@ namespace Bit.Portal.Controllers
                return Redirect("~/");
            }

+            await ValidateDependentPolicies(type, orgId, model.Enabled);
            var policy = await _policyRepository.GetByOrganizationIdTypeAsync(orgId.Value, type);
            if (!ModelState.IsValid)
            {
@@ -119,5 +122,37 @@ namespace Bit.Portal.Controllers
                return View(new PolicyEditModel(policy, _i18nService));
            }
        }
+
+        private async Task ValidateDependentPolicies(PolicyType type, Guid? orgId, bool enabled)
+        {
+            if (orgId == null)
+            {
+                throw new ArgumentNullException(nameof(orgId), "OrgId cannot be null");
+            }
+            
+            switch(type)
+            {
+                case PolicyType.MasterPassword:
+                case PolicyType.PasswordGenerator:
+                case PolicyType.TwoFactorAuthentication:
+                case PolicyType.OnlyOrg:
+                    break;
+                
+                case PolicyType.RequireSso:
+                    if (!enabled)
+                    {
+                        break;
+                    }
+                    var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(orgId.Value, type);
+                    if (singleOrg?.Enabled != true)
+                    {
+                        ModelState.AddModelError(string.Empty, _i18nService.T("RequireSsoPolicyReqError"));
+                    }
+                    break;
+                
+                default:
+                    throw new ArgumentOutOfRangeException();
+            }
+        }
    }
 }