[PM-27766] Add policy for blocking account creation from claimed domains. (#6537)

* Add policy for blocking account creation from claimed domains. * dotnet format * check as part of email verification * add feature flag * fix tests * try to fix dates on database integration tests * PR feedback from claude * remove claude local settings * pr feedback * format * fix test * create or alter * PR feedback * PR feedback * Update src/Core/Constants.cs Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * fix merge issues * fix tests --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2025-12-30 15:14:02 +00:00 · 2025-11-19 20:25:50 -05:00
parent 55fb80b2fc
commit c0700a6946
18 changed files with 1502 additions and 18 deletions
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/BlockClaimedDomainAccountCreationPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/BlockClaimedDomainAccountCreationPolicyValidatorTests.cs
@@ -0,0 +1,189 @@
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
+
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
+using Bit.Core.Services;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+[SutProviderCustomize]
+public class BlockClaimedDomainAccountCreationPolicyValidatorTests
+{
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_NoVerifiedDomains_ValidationError(
+        [PolicyUpdate(PolicyType.BlockClaimedDomainAccountCreation, true)] PolicyUpdate policyUpdate,
+        SutProvider<BlockClaimedDomainAccountCreationPolicyValidator> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
+            .HasVerifiedDomainsAsync(policyUpdate.OrganizationId)
+            .Returns(false);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Equal("You must claim at least one domain to turn on this policy", result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_HasVerifiedDomains_Success(
+        [PolicyUpdate(PolicyType.BlockClaimedDomainAccountCreation, true)] PolicyUpdate policyUpdate,
+        SutProvider<BlockClaimedDomainAccountCreationPolicyValidator> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
+            .HasVerifiedDomainsAsync(policyUpdate.OrganizationId)
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_DisablingPolicy_NoValidation(
+        [PolicyUpdate(PolicyType.BlockClaimedDomainAccountCreation, false)] PolicyUpdate policyUpdate,
+        SutProvider<BlockClaimedDomainAccountCreationPolicyValidator> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+        await sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
+            .DidNotReceive()
+            .HasVerifiedDomainsAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_WithSavePolicyModel_EnablingPolicy_NoVerifiedDomains_ValidationError(
+        [PolicyUpdate(PolicyType.BlockClaimedDomainAccountCreation, true)] PolicyUpdate policyUpdate,
+        SutProvider<BlockClaimedDomainAccountCreationPolicyValidator> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
+            .HasVerifiedDomainsAsync(policyUpdate.OrganizationId)
+            .Returns(false);
+
+        var savePolicyModel = new SavePolicyModel(policyUpdate, null, new EmptyMetadataModel());
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(savePolicyModel, null);
+
+        // Assert
+        Assert.Equal("You must claim at least one domain to turn on this policy", result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_WithSavePolicyModel_EnablingPolicy_HasVerifiedDomains_Success(
+        [PolicyUpdate(PolicyType.BlockClaimedDomainAccountCreation, true)] PolicyUpdate policyUpdate,
+        SutProvider<BlockClaimedDomainAccountCreationPolicyValidator> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
+            .HasVerifiedDomainsAsync(policyUpdate.OrganizationId)
+            .Returns(true);
+
+        var savePolicyModel = new SavePolicyModel(policyUpdate, null, new EmptyMetadataModel());
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(savePolicyModel, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_WithSavePolicyModel_DisablingPolicy_NoValidation(
+        [PolicyUpdate(PolicyType.BlockClaimedDomainAccountCreation, false)] PolicyUpdate policyUpdate,
+        SutProvider<BlockClaimedDomainAccountCreationPolicyValidator> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        var savePolicyModel = new SavePolicyModel(policyUpdate, null, new EmptyMetadataModel());
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(savePolicyModel, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+        await sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
+            .DidNotReceive()
+            .HasVerifiedDomainsAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_FeatureFlagDisabled_ReturnsError(
+        [PolicyUpdate(PolicyType.BlockClaimedDomainAccountCreation, true)] PolicyUpdate policyUpdate,
+        SutProvider<BlockClaimedDomainAccountCreationPolicyValidator> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(false);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Equal("This feature is not enabled", result);
+        await sutProvider.GetDependency<IOrganizationHasVerifiedDomainsQuery>()
+            .DidNotReceive()
+            .HasVerifiedDomainsAsync(Arg.Any<Guid>());
+    }
+
+    [Fact]
+    public void Type_ReturnsBlockClaimedDomainAccountCreation()
+    {
+        // Arrange
+        var validator = new BlockClaimedDomainAccountCreationPolicyValidator(null, null);
+
+        // Act & Assert
+        Assert.Equal(PolicyType.BlockClaimedDomainAccountCreation, validator.Type);
+    }
+
+    [Fact]
+    public void RequiredPolicies_ReturnsEmpty()
+    {
+        // Arrange
+        var validator = new BlockClaimedDomainAccountCreationPolicyValidator(null, null);
+
+        // Act
+        var requiredPolicies = validator.RequiredPolicies.ToList();
+
+        // Assert
+        Assert.Empty(requiredPolicies);
+    }
+}