[PM-1188] Server owner auth migration (#2825)

* [PM-1188] add sso project to auth * [PM-1188] move sso api models to auth * [PM-1188] fix sso api model namespace & imports * [PM-1188] move core files to auth * [PM-1188] fix core sso namespace & models * [PM-1188] move sso repository files to auth * [PM-1188] fix sso repo files namespace & imports * [PM-1188] move sso sql files to auth folder * [PM-1188] move sso test files to auth folders * [PM-1188] fix sso tests namespace & imports * [PM-1188] move auth api files to auth folder * [PM-1188] fix auth api files namespace & imports * [PM-1188] move auth core files to auth folder * [PM-1188] fix auth core files namespace & imports * [PM-1188] move auth email templates to auth folder * [PM-1188] move auth email folder back into shared directory * [PM-1188] fix auth email names * [PM-1188] move auth core models to auth folder * [PM-1188] fix auth model namespace & imports * [PM-1188] add entire Identity project to auth codeowners * [PM-1188] fix auth orm files namespace & imports * [PM-1188] move auth orm files to auth folder * [PM-1188] move auth sql files to auth folder * [PM-1188] move auth tests to auth folder * [PM-1188] fix auth test files namespace & imports * [PM-1188] move emergency access api files to auth folder * [PM-1188] fix emergencyaccess api files namespace & imports * [PM-1188] move emergency access core files to auth folder * [PM-1188] fix emergency access core files namespace & imports * [PM-1188] move emergency access orm files to auth folder * [PM-1188] fix emergency access orm files namespace & imports * [PM-1188] move emergency access sql files to auth folder * [PM-1188] move emergencyaccess test files to auth folder * [PM-1188] fix emergency access test files namespace & imports * [PM-1188] move captcha files to auth folder * [PM-1188] fix captcha files namespace & imports * [PM-1188] move auth admin files into auth folder * [PM-1188] fix admin auth files namespace & imports - configure mvc to look in auth folders for views * [PM-1188] remove extra imports and formatting * [PM-1188] fix ef auth model imports * [PM-1188] fix DatabaseContextModelSnapshot paths * [PM-1188] fix grant import in ef * [PM-1188] update sqlproj * [PM-1188] move missed sqlproj files * [PM-1188] move auth ef models out of auth folder * [PM-1188] fix auth ef models namespace * [PM-1188] remove auth ef models unused imports * [PM-1188] fix imports for auth ef models * [PM-1188] fix more ef model imports * [PM-1188] fix file encodings
2025-12-12 14:23:38 +00:00 · 2023-04-14 13:25:56 -04:00
parent 2529c5b36f
commit 88dd745070
332 changed files with 704 additions and 522 deletions
--- a/src/Core/Auth/Services/Implementations/SsoConfigService.cs
+++ b/src/Core/Auth/Services/Implementations/SsoConfigService.cs
@@ -0,0 +1,109 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.Auth.Services;
+
+public class SsoConfigService : ISsoConfigService
+{
+    private readonly ISsoConfigRepository _ssoConfigRepository;
+    private readonly IPolicyRepository _policyRepository;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IEventService _eventService;
+
+    public SsoConfigService(
+        ISsoConfigRepository ssoConfigRepository,
+        IPolicyRepository policyRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IEventService eventService)
+    {
+        _ssoConfigRepository = ssoConfigRepository;
+        _policyRepository = policyRepository;
+        _organizationRepository = organizationRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _eventService = eventService;
+    }
+
+    public async Task SaveAsync(SsoConfig config, Organization organization)
+    {
+        var now = DateTime.UtcNow;
+        config.RevisionDate = now;
+        if (config.Id == default)
+        {
+            config.CreationDate = now;
+        }
+
+        var useKeyConnector = config.GetData().KeyConnectorEnabled;
+        if (useKeyConnector)
+        {
+            await VerifyDependenciesAsync(config, organization);
+        }
+
+        var oldConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(config.OrganizationId);
+        var disabledKeyConnector = oldConfig?.GetData()?.KeyConnectorEnabled == true && !useKeyConnector;
+        if (disabledKeyConnector && await AnyOrgUserHasKeyConnectorEnabledAsync(config.OrganizationId))
+        {
+            throw new BadRequestException("Key Connector cannot be disabled at this moment.");
+        }
+
+        await LogEventsAsync(config, oldConfig);
+        await _ssoConfigRepository.UpsertAsync(config);
+    }
+
+    private async Task<bool> AnyOrgUserHasKeyConnectorEnabledAsync(Guid organizationId)
+    {
+        var userDetails =
+            await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
+        return userDetails.Any(u => u.UsesKeyConnector);
+    }
+
+    private async Task VerifyDependenciesAsync(SsoConfig config, Organization organization)
+    {
+        if (!organization.UseKeyConnector)
+        {
+            throw new BadRequestException("Organization cannot use Key Connector.");
+        }
+
+        var singleOrgPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg);
+        if (singleOrgPolicy is not { Enabled: true })
+        {
+            throw new BadRequestException("Key Connector requires the Single Organization policy to be enabled.");
+        }
+
+        var ssoPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.RequireSso);
+        if (ssoPolicy is not { Enabled: true })
+        {
+            throw new BadRequestException("Key Connector requires the Single Sign-On Authentication policy to be enabled.");
+        }
+
+        if (!config.Enabled)
+        {
+            throw new BadRequestException("You must enable SSO to use Key Connector.");
+        }
+    }
+
+    private async Task LogEventsAsync(SsoConfig config, SsoConfig oldConfig)
+    {
+        var organization = await _organizationRepository.GetByIdAsync(config.OrganizationId);
+        if (oldConfig?.Enabled != config.Enabled)
+        {
+            var e = config.Enabled ? EventType.Organization_EnabledSso : EventType.Organization_DisabledSso;
+            await _eventService.LogOrganizationEventAsync(organization, e);
+        }
+
+        var keyConnectorEnabled = config.GetData().KeyConnectorEnabled;
+        if (oldConfig?.GetData()?.KeyConnectorEnabled != keyConnectorEnabled)
+        {
+            var e = keyConnectorEnabled
+                ? EventType.Organization_EnabledKeyConnector
+                : EventType.Organization_DisabledKeyConnector;
+            await _eventService.LogOrganizationEventAsync(organization, e);
+        }
+    }
+}