Added check for provider users to auto confirm validator. Broke out interface into separate file.

2026-01-06 10:34:01 +00:00 · 2025-11-26 08:36:33 -06:00
parent d38e2c3859
commit 6e1ea8bbff
6 changed files with 45 additions and 29 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/AutomaticUserConfirmationPolicyEnforcementQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/AutomaticUserConfirmationPolicyEnforcementQuery.cs
@@ -1,31 +1,11 @@
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using Bit.Core.Repositories;
 using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;

-/// <summary>
-/// Used to enforce the Automatic User Confirmation policy. It uses the <see cref="IPolicyRequirementQuery"/> to retrieve
-/// the <see cref="AutomaticUserConfirmationPolicyRequirement"/>. It is used to check to make sure the given user is
-/// valid for the Automatic User Confirmation policy. It also validates that the given user is not a provider
-/// or a member of another organization regardless of status or type.
-/// </summary>
-public interface IAutomaticUserConfirmationPolicyEnforcementQuery
-{
-
-    /// <summary>
-    /// Checks if the given user is compliant with the Automatic User Confirmation policy.
-    /// </summary>
-    /// <param name="request"></param>
-    /// <remarks>
-    /// This uses the validation result pattern to avoid throwing exceptions.
-    /// </remarks>
-    /// <returns>A validation result with the error message if applicable.</returns>
-    Task<ValidationResult<AutomaticUserConfirmationPolicyEnforcementRequest>> IsCompliantAsync(
-        AutomaticUserConfirmationPolicyEnforcementRequest request);
-}
-
 public class AutomaticUserConfirmationPolicyEnforcementQuery(
    IPolicyRequirementQuery policyRequirementQuery,
    IOrganizationUserRepository organizationUserRepository)
@@ -46,21 +26,20 @@ public class AutomaticUserConfirmationPolicyEnforcementQuery(

        if (automaticUserConfirmationPolicyRequirement.IsEnabledAndUserIsAProvider(organizationUser.OrganizationId))
        {
-            return Invalid(request, new AutoConfirmDoesNotAllowProviderUsers());
+            return Invalid(request, new ProviderUsersCannotJoin());
        }

-        // This is a shortcut to potentially save a database call
        if (automaticUserConfirmationPolicyRequirement.IsEnabledForOrganizationsOtherThan(organizationUser
                .OrganizationId))
        {
-            return Invalid(request, new AutoConfirmDoesNotAllowMembershipToOtherOrganizations());
+            return Invalid(request, new OrganizationEnforcesSingleOrgPolicy());
        }

        if (otherOrganizationsOrganizationUsers is { Count: > 0 }
            || (await organizationUserRepository.GetManyByUserAsync(user.Id))
            .Any(x => x.OrganizationId != organizationUser.OrganizationId))
        {
-            return Invalid(request, new AutoConfirmDoesNotAllowMembershipToOtherOrganizations());
+            return Invalid(request, new OtherOrganizationEnforcesSingleOrgPolicy());
        }

        return Valid(request);
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/Errors.cs
@@ -2,5 +2,4 @@

 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;

-public record AutoConfirmDoesNotAllowProviderUsers() : BadRequestError("Organization has enabled Automatic User Confirmation policy and it does not support provider users.");
 public record AutoConfirmDoesNotAllowMembershipToOtherOrganizations() : BadRequestError("Automatic User Confirmation policy does not support membership to other organizations.");
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/IAutomaticUserConfirmationPolicyEnforcementQuery.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/Enforcement/AutoConfirm/IAutomaticUserConfirmationPolicyEnforcementQuery.cs
@@ -0,0 +1,26 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Enforcement.AutoConfirm;
+
+/// <summary>
+/// Used to enforce the Automatic User Confirmation policy. It uses the <see cref="IPolicyRequirementQuery"/> to retrieve
+/// the <see cref="AutomaticUserConfirmationPolicyRequirement"/>. It is used to check to make sure the given user is
+/// valid for the Automatic User Confirmation policy. It also validates that the given user is not a provider
+/// or a member of another organization regardless of status or type.
+/// </summary>
+public interface IAutomaticUserConfirmationPolicyEnforcementQuery
+{
+
+    /// <summary>
+    /// Checks if the given user is compliant with the Automatic User Confirmation policy. To be compliant, the user must:
+    ///
+    ///
+    /// </summary>
+    /// <param name="request"></param>
+    /// <remarks>
+    /// This uses the validation result pattern to avoid throwing exceptions.
+    /// </remarks>
+    /// <returns>A validation result with the error message if applicable.</returns>
+    Task<ValidationResult<AutomaticUserConfirmationPolicyEnforcementRequest>> IsCompliantAsync(AutomaticUserConfirmationPolicyEnforcementRequest request);
+}