Added check for provider users to auto confirm validator. Broke out interface into separate file.

2025-12-24 04:03:25 +00:00 · 2025-11-26 08:36:33 -06:00
parent d38e2c3859
commit 6e1ea8bbff
6 changed files with 45 additions and 29 deletions
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
@@ -9,8 +9,8 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
@@ -425,7 +425,7 @@ public class ProviderService : IProviderService

            if (organizationAutoConfirmPolicyRequirement.Any())
            {
-                throw new BadRequestException(new AutoConfirmDoesNotAllowProviderUsers().Message);
+                throw new BadRequestException(new ProviderUsersCannotJoin().Message);
            }
        }

--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUsersValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUsersValidator.cs
@@ -20,6 +20,7 @@ public class AutomaticallyConfirmOrganizationUsersValidator(
    IPolicyRequirementQuery policyRequirementQuery,
    IAutomaticUserConfirmationPolicyEnforcementQuery automaticUserConfirmationPolicyEnforcementQuery,
    IUserService userService,
+    IProviderUserRepository providerUserRepository,
    IPolicyRepository policyRepository) : IAutomaticallyConfirmOrganizationUsersValidator
 {
    public async Task<ValidationResult<AutomaticallyConfirmOrganizationUserValidationRequest>> ValidateAsync(
@@ -70,9 +71,17 @@ public class AutomaticallyConfirmOrganizationUsersValidator(
            return Invalid(request, error);
        }

+        if (await OrganizationUserIsProviderAsync(request))
+        {
+            return Invalid(request, new ProviderUsersCannotJoin());
+        }
+
        return Valid(request);
    }

+    private async Task<bool> OrganizationUserIsProviderAsync(AutomaticallyConfirmOrganizationUserValidationRequest request) =>
+        (await providerUserRepository.GetManyByUserAsync(request.OrganizationUser!.UserId!.Value)).Count != 0;
+
    private async Task<bool> OrganizationHasAutomaticallyConfirmUsersPolicyEnabledAsync(
            AutomaticallyConfirmOrganizationUserValidationRequest request) =>
        await policyRepository.GetByOrganizationIdTypeAsync(request.OrganizationId,
@@ -114,4 +123,6 @@ public class AutomaticallyConfirmOrganizationUsersValidator(
                _ => null
            );
    }
+
+
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/Errors.cs
@@ -11,3 +11,4 @@ public record UserDoesNotHaveTwoFactorEnabled() : BadRequestError("User does not
 public record OrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot confirm this member to the organization until they leave or remove all other organizations");
 public record OtherOrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot confirm this member to the organization because they are in another organization which forbids it.");
 public record AutomaticallyConfirmUsersPolicyIsNotEnabled() : BadRequestError("Cannot confirm this member because the Automatically Confirm Users policy is not enabled.");
+public record ProviderUsersCannotJoin() : BadRequestError("Organization has enabled Automatic User Confirmation policy and it does not support provider users.");
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/AutomaticUserConfirmationPolicyEnforcementQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/AutomaticUserConfirmationPolicyEnforcementQuery.cs
@@ -1,31 +1,11 @@
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using Bit.Core.Repositories;
 using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;

-/// <summary>
-/// Used to enforce the Automatic User Confirmation policy. It uses the <see cref="IPolicyRequirementQuery"/> to retrieve
-/// the <see cref="AutomaticUserConfirmationPolicyRequirement"/>. It is used to check to make sure the given user is
-/// valid for the Automatic User Confirmation policy. It also validates that the given user is not a provider
-/// or a member of another organization regardless of status or type.
-/// </summary>
-public interface IAutomaticUserConfirmationPolicyEnforcementQuery
-{
-
-    /// <summary>
-    /// Checks if the given user is compliant with the Automatic User Confirmation policy.
-    /// </summary>
-    /// <param name="request"></param>
-    /// <remarks>
-    /// This uses the validation result pattern to avoid throwing exceptions.
-    /// </remarks>
-    /// <returns>A validation result with the error message if applicable.</returns>
-    Task<ValidationResult<AutomaticUserConfirmationPolicyEnforcementRequest>> IsCompliantAsync(
-        AutomaticUserConfirmationPolicyEnforcementRequest request);
-}
-
 public class AutomaticUserConfirmationPolicyEnforcementQuery(
    IPolicyRequirementQuery policyRequirementQuery,
    IOrganizationUserRepository organizationUserRepository)
@@ -46,21 +26,20 @@ public class AutomaticUserConfirmationPolicyEnforcementQuery(

        if (automaticUserConfirmationPolicyRequirement.IsEnabledAndUserIsAProvider(organizationUser.OrganizationId))
        {
-            return Invalid(request, new AutoConfirmDoesNotAllowProviderUsers());
+            return Invalid(request, new ProviderUsersCannotJoin());
        }

-        // This is a shortcut to potentially save a database call
        if (automaticUserConfirmationPolicyRequirement.IsEnabledForOrganizationsOtherThan(organizationUser
                .OrganizationId))
        {
-            return Invalid(request, new AutoConfirmDoesNotAllowMembershipToOtherOrganizations());
+            return Invalid(request, new OrganizationEnforcesSingleOrgPolicy());
        }

        if (otherOrganizationsOrganizationUsers is { Count: > 0 }
            || (await organizationUserRepository.GetManyByUserAsync(user.Id))
            .Any(x => x.OrganizationId != organizationUser.OrganizationId))
        {
-            return Invalid(request, new AutoConfirmDoesNotAllowMembershipToOtherOrganizations());
+            return Invalid(request, new OtherOrganizationEnforcesSingleOrgPolicy());
        }

        return Valid(request);
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/Errors.cs
@@ -2,5 +2,4 @@

 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;

-public record AutoConfirmDoesNotAllowProviderUsers() : BadRequestError("Organization has enabled Automatic User Confirmation policy and it does not support provider users.");
 public record AutoConfirmDoesNotAllowMembershipToOtherOrganizations() : BadRequestError("Automatic User Confirmation policy does not support membership to other organizations.");
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/IAutomaticUserConfirmationPolicyEnforcementQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/IAutomaticUserConfirmationPolicyEnforcementQuery.cs
@@ -0,0 +1,26 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
+
+/// <summary>
+/// Used to enforce the Automatic User Confirmation policy. It uses the <see cref="IPolicyRequirementQuery"/> to retrieve
+/// the <see cref="AutomaticUserConfirmationPolicyRequirement"/>. It is used to check to make sure the given user is
+/// valid for the Automatic User Confirmation policy. It also validates that the given user is not a provider
+/// or a member of another organization regardless of status or type.
+/// </summary>
+public interface IAutomaticUserConfirmationPolicyEnforcementQuery
+{
+
+    /// <summary>
+    /// Checks if the given user is compliant with the Automatic User Confirmation policy. To be compliant, the user must:
+    ///
+    ///
+    /// </summary>
+    /// <param name="request"></param>
+    /// <remarks>
+    /// This uses the validation result pattern to avoid throwing exceptions.
+    /// </remarks>
+    /// <returns>A validation result with the error message if applicable.</returns>
+    Task<ValidationResult<AutomaticUserConfirmationPolicyEnforcementRequest>> IsCompliantAsync(AutomaticUserConfirmationPolicyEnforcementRequest request);
+}