* account v2 registration for key connector
* use new user repository functions
* test coverage
* integration test coverage
* documentation
* code review
* missing test coverage
* fix failing test
* failing test
* incorrect ticket number
* moved back request model to Api, created dedicated data class in Core
* sql stored procedure type mismatch, simplification
* key connector authorization handler
* Removed 2FA user interface from premium method signatures
* Added some more comments for clarity and small touchups.
* Add PremiumAccessCacheCheck feature flag to Constants.cs
* Add IPremiumAccessQuery interface and PremiumAccessQuery implementation for checking user premium access status
* Add unit tests for PremiumAccessQuery to validate user premium access logic
* Add XML documentation to Premium in OrganizationUserUserDetails and User classes
* Add PremiumAccessQueries to UserServiceCollectionExtensions
* Refactor TwoFactorIsEnabledQuery to incorporate PremiumAccessQuery and feature flag for premium access checks. Enhanced user premium status retrieval logic and improved handling of user details based on feature flag state.
* Mark methods in IUserRepository and IUserService as obsolete, directing users to new methods in IPremiumAccessQuery for premium access checks.
* Rename CanAccessPremiumBulkAsync to CanAccessPremiumAsync in IPremiumAccessQuery
* Update TwoFactorIsEnabledQuery to use CanAccessPremiumAsync for premium status checks
* Refactor TwoFactorIsEnabledQuery to introduce VNextAsync methods for improved premium access checks and user detail handling. Removed obsolete feature service dependency and enhanced test coverage for new functionality.
* Refactor IPremiumAccessQuery and PremiumAccessQuery to remove the overloaded CanAccessPremiumAsync method. Update related methods to streamline premium access checks using the User object directly. Enhance test coverage by removing obsolete tests and ensuring proper functionality with the new method signatures.
* Add new sync static method to determine if TwoFactor is enabled
* Enhance XML documentation for Premium property in OrganizationUserUserDetails and User classes to clarify its usage and limitations regarding personal and organizational premium access.
* Refactor IPremiumAccessQuery and PremiumAccessQuery to replace User parameter with Guid for user ID in CanAccessPremiumAsync methods. Update related methods and tests to streamline premium access checks and improve clarity in method signatures.
* Update feature flag references in IUserRepository and IUserService to use 'PremiumAccessQuery' instead of 'PremiumAccessCacheCheck'. Adjust related XML documentation for clarity on premium access methods.
* Rename IPremiumAccessQuery to IHasPremiumAccessQuery and move to Billing owned folder
* Remove unnecessary whitespace from IHasPremiumAccessQuery interface.
* Refactor HasPremiumAccessQuery to throw NotFoundException for null users
* Add NotFoundException handling in HasPremiumAccessQuery for mismatched user counts
* Refactor TwoFactorIsEnabledQuery to optimize premium access checks and improve two-factor provider handling. Introduced bulk fetching of premium status for users with only premium providers and streamlined the logic for determining if two-factor authentication is enabled.
* Refactor TwoFactorIsEnabledQueryTests to enhance clarity and optimize test scenarios. Consolidated test cases for two-factor authentication, improved naming conventions, and ensured premium access checks are only performed when necessary.
* Add UserPremiumAccess model to represent user premium access status from personal subscriptions and memberships
* Add User_ReadPremiumAccessByIds stored procedure and UserPremiumAccessView view to enhance premium access retrieval. Updated Organization table index to include UsersGetPremium for optimized queries.
* Add SQL migration script
* Add premium access retrieval methods to IUserRepository and implementations in UserRepository classes. Introduced GetPremiumAccessByIdsAsync and GetPremiumAccessAsync methods to fetch premium status for multiple users and a single user, respectively. Updated using directives to include necessary models.
* Refactor HasPremiumAccessQuery and IHasPremiumAccessQuery to streamline premium access checks. Updated method names for clarity and improved documentation. Adjusted test cases to reflect changes in user premium access retrieval logic.
* Update IUserRepository to reflect new method names for premium access retrieval. Changed obsolete method messages to point to GetPremiumAccessByIdsAsync and GetPremiumAccessAsync. Added internal use notes for IHasPremiumAccessQuery. Improved documentation for clarity.
* Refactor TwoFactorIsEnabledQuery to utilize IFeatureService for premium access checks.
* Enhance EF UserRepository to improve premium access retrieval by including related organization data.
* Add unit tests for premium access retrieval in UserRepositoryTests.
* Optimize HasPremiumAccessQuery to eliminate duplicate user IDs before checking premium access. Updated logic to ensure accurate comparison of premium users against distinct user IDs.
* Refactor TwoFactorIsEnabledQuery to improve handling of users without two-factor providers. Added early exit for users lacking providers and streamlined premium status checks for enabled two-factor authentication.
* Update HasPremiumAccessQueryTests to use simplified exception handling and improve test clarity
* Replaced fully qualified exception references with simplified ones.
* Refactored test setup to use individual user variables for better readability.
* Ensured assertions reflect the updated user variable structure.
* Enhance TwoFactorIsEnabledQuery to throw NotFoundException for non-existent users
* Updated TwoFactorIsEnabledQuery to throw NotFoundException when a user is not found instead of returning false.
* Added a new unit test to verify that the NotFoundException is thrown when a user is not found while premium access query is enabled.
* Move premium access query to Billing owned ServiceCollectionExtensions
* Refactor IUserService to enhance premium access checks
* Updated CanAccessPremium and HasPremiumFromOrganization methods to clarify usage with the new premium access query.
* Integrated IHasPremiumAccessQuery into UserService for improved premium access handling based on feature flag.
* Adjusted method documentation to reflect changes in premium access logic.
* Update IUserRepository to clarify usage of premium access methods
* Modified Obsolete attribute messages for GetManyWithCalculatedPremiumAsync and GetCalculatedPremiumAsync to indicate that callers should use the new methods when the 'PremiumAccessQuery' feature flag is enabled.
* Enhanced documentation to improve clarity regarding premium access handling.
* Update IUserRepository and IUserService to clarify deprecation of premium access methods
* Modified Obsolete attribute messages for GetManyWithCalculatedPremiumAsync and GetCalculatedPremiumAsync in IUserRepository to indicate these methods will be removed in a future version.
* Updated Obsolete attribute message for HasPremiumFromOrganization in IUserService to reflect the same deprecation notice.
* Refactor TwoFactorIsEnabledQuery to streamline user ID retrieval
* Consolidated user ID retrieval logic to avoid redundancy.
* Ensured consistent handling of user ID checks for premium access queries.
* Improved code readability by reducing duplicate code blocks.
* Rename migration script to fix the date
* Update migration script to create the index with DROP_EXISTING = ON
* Refactor UserPremiumAccessView to use LEFT JOINs and GROUP BY for improved performance and clarity
* Update HasPremiumAccessQueryTests to return null for GetPremiumAccessAsync instead of throwing NotFoundException
* Add unit tests for premium access scenarios in UserRepositoryTests
- Implement tests for GetPremiumAccessAsync to cover various user and organization premium access combinations.
- Validate behavior when users belong to multiple organizations, including cases with and without premium access.
- Update email generation for user creation to ensure uniqueness without specific prefixes.
- Enhance assertions to verify expected premium access results across different test cases.
* Bump date on migration script
* Update OrganizationEntityTypeConfiguration to include UsersGetPremium in index properties
* Add migration scripts for OrganizationUsersGetPremiumIndex across MySQL, PostgreSQL, and SQLite
- Introduced new migration files to create the OrganizationUsersGetPremiumIndex.
- Updated the DatabaseContextModelSnapshot to include UsersGetPremium in index properties for all database types.
- Ensured consistency in index creation across different database implementations.
---------
Co-authored-by: Todd Martin <tmartin@bitwarden.com>
Co-authored-by: Patrick Pimentel <ppimentel@bitwarden.com>
* Add user repository update function for account cryptographic state
* Remove comment
* Remove transaction logic
* Fix security version
* Apply feedback
* Update tests
* Add support for external actions
* feat: migrate DefaultUserCollection to SharedCollection during user deletion
- Implemented migration of DefaultUserCollection to SharedCollection in EF UserRepository before deleting organization users.
- Updated stored procedures User_DeleteById and User_DeleteByIds to include migration logic.
- Added new migration script for updating stored procedures.
* Add unit test for user deletion and DefaultUserCollection migration
- Implemented a new test to verify the migration of DefaultUserCollection to SharedCollection during user deletion in UserRepository.
- The test ensures that the user is deleted and the associated collection is updated correctly.
* Refactor user deletion process in UserRepository
- Moved migrating DefaultUserCollection to SharedCollection to happen before the deletion of user-related entities.
- Updated the deletion logic to use ExecuteDeleteAsync for improved performance and clarity.
- Ensured that all related entities are removed in a single transaction to maintain data integrity.
* Add unit test for DeleteManyAsync in UserRepository
- Implemented a new test to verify the deletion of multiple users and the migration of their DefaultUserCollections to SharedCollections.
- Ensured that both users are deleted and their associated collections are updated correctly in a single transaction.
* Refactor UserRepositoryTests to use test user creation methods and streamline collection creation
* Ensure changes are saved after deleting users in bulk
* Refactor UserRepository to simplify migration queries and remove unnecessary loops for better performance
* Refactor UserRepository to encapsulate DefaultUserCollection migration logic in a separate method
* Refactor UserRepository to optimize deletion queries by using joins instead of subqueries for improved performance
* Refactor UserRepositoryTest DeleteManyAsync_Works to ensure GroupUser and CollectionUser deletion
---------
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
* fix : split out the interface from the TwoFactorAuthenticationValidator into separate file.
* fix: replacing IUserService.TwoFactorEnabled with ITwoFactorEnabledQuery
* fix: combined logic for both bulk and single user look ups for TwoFactorIsEnabledQuery.
* fix: return two factor provider enabled on CanGenerate() method.
* tech debt: modfifying MFA providers to call the database less to validate if two factor is enabled.
* tech debt: removed unused service from AuthenticatorTokenProvider
* doc: added documentation to ITwoFactorProviderUsers
* doc: updated comments for TwoFactorIsEnabled impl
* test: fixing tests for ITwoFactorIsEnabledQuery
* test: updating tests to have correct DI and removing test for automatic email of TOTP.
* test: adding better test coverage
* feat: Add stored procedure for reading organization user details with premium access by organization ID
The code changes include:
- Addition of a new stored procedure [dbo].[OrganizationUserUserDetailsWithPremiumAccess_ReadByOrganizationId] to read organization user details with premium access by organization ID
- Modification of the IUserService interface to include an optional parameter for checking two-factor authentication with premium access
- Modification of the UserService class to handle the new optional parameter in the TwoFactorIsEnabledAsync method
- Addition of a new method GetManyDetailsWithPremiumAccessByOrganizationAsync in the IOrganizationUserRepository interface to retrieve organization user details with premium access by organization ID
- Addition of a new view [dbo].[OrganizationUserUserDetailsWithPremiumAccessView] to retrieve organization user details with premium access
* Add IUserRepository.SearchDetailsAsync that includes the field HasPremiumAccess
* Check the feature flag on Admin.UsersController to see if the optimization runs
* Modify PolicyService to run query optimization if the feature flag is enabled
* Refactor the parameter check on UserService.TwoFactorIsEnabledAsync
* Run query optimization on public MembersController if feature flag is enabled
* Restore refactor
* Reverted change used for development
* Add unit tests for OrganizationService.RestoreUser
* Separate new CheckPoliciesBeforeRestoreAsync optimization into new method
* Add more unit tests
* Apply refactor to bulk restore
* Add GetManyDetailsAsync method to IUserRepository. Add ConfirmUsersAsync_vNext method to IOrganizationService
* Add unit tests for ConfirmUser_vNext
* Refactor the optimization to use the new TwoFactorIsEnabledAsync method instead of changing the existing one
* Removed unused sql scripts and added migration script
* Remove unnecessary view
* chore: Remove unused SearchDetailsAsync method from IUserRepository and UserRepository
* refactor: Use UserDetails constructor in UserRepository
* Add summary to IUserRepository.GetManyDetailsAsync
* Add summary descriptions to IUserService.TwoFactorIsEnabledAsync
* Remove obsolete annotation from IUserRepository.UpdateUserKeyAndEncryptedDataAsync
* refactor: Rename UserDetails to UserWithCalculatedPremium across the codebase
* Extract IUserService.TwoFactorIsEnabledAsync into a new TwoFactorIsEnabledQuery class
* Add unit tests for TwoFactorIsEnabledQuery
* Update TwoFactorIsEnabledQueryTests to include additional provider types
* Refactor TwoFactorIsEnabledQuery
* Refactor TwoFactorIsEnabledQuery and update tests
* refactor: Update TwoFactorIsEnabledQueryTests to include test for null TwoFactorProviders
* refactor: Improve TwoFactorIsEnabledQuery and update tests
* refactor: Improve TwoFactorIsEnabledQuery and update tests
* Remove empty <returns> from summary
* Update User_ReadByIdsWithCalculatedPremium stored procedure to accept JSON array of IDs
* update Organization_DeleteById SPROC
* Add migration for user delete
* Updated delete methods for EF support
* added WITH RECOMPILE
* updating sprocs in sql project
* Add recompile
* PM-1658 - Create User_ReadByEmails stored proc
* PM-1658 - Update UserRepository.cs with dapper and EF implementations of GetManyByEmailsAsync using new stored proc
* PM-1658 - OrganizationService.cs - Proved out that the new GetManyByEmailsAsync along with a hash set will allow me to generate a a dict mapping org user ids to a bool representing if they have an org user account or not.
* PM-1658 - OrganizationService.cs - re-implement all send invites logic as part of rebase
* PM-1658 - Add new User_ReadByEmails stored proc to SQL project
* PM-1658 - HandlebarsMailService.cs - (1) Remove unnecessary SendOrganizationInviteEmailAsync method as we can simply use the bulk method for one or more emails (2) Refactor BulkSendOrganizationInviteEmailAsync parameters into new OrganizationInvitesInfo class
* PM-1658 - OrganizationService.cs - rebase commit 2
* PM-1658 - rebase commit 3 - org service + IMailService conflicts resolved
* PM-1658 - Update HandlebarsMailService.cs and OrganizationUserInvitedViewModel.cs to include new query params required client side for accelerating the user through the org invite accept process.
* dotnet format
* PM-1658 - rebase commit 4 - Fix broken OrganizationServiceTests.cs
* PM-1658 TODO cleanup
* PM-1658 - Remove noop for deleted method.
* rebase commit 5 - fix NoopMailService merge conflicts
* PM-1658 - Fix SQL formatting with proper indentations
* PM-1658 - Rename BulkSendOrganizationInviteEmailAsync to SendOrganizationInviteEmailsAsync per PR feedback
* PM-1658 - Per PR Feedback, refactor OrganizationUserInvitedViewModel creation to use new static factory function for better encapsulation of the creation process.
* PM-1658 - Rename OrganizationInvitesInfo.Invites to OrgUserTokenPairs b/c that just makes sense.
* PM-1658 - Per PR feedback, simplify query params sent down to client. Always include whether the user exists but only include the org sso identifier if it is meant to be used (b/c sso is enabled and sso required policy is on)
* dotnet format
* PM-1658 - OrganizationServiceTests.cs - Fix mysteriously failing tests - several tests were falling into logic which created n org users using the organizationUserRepository.CreateAsync instead of the organizationUserRepository.CreateManyAsync method. This meant that I had to add a new mock helper to ensure that those created org users had valid and distinct guids to avoid aggregate exceptions due to my added dict in the latter parts of the invite process.
* PM-1658 - Resolve errors from mistakes made during rebase merge conflict resolutions
* PM-1658 - OrganizationServiceTests.cs - fix new test with mock to make guids unique.
* dotnet format
---------
Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
## Type of change
<!-- (mark with an `X`) -->
```
- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
```
## Objective
<!--Describe what the purpose of this PR is. For example: what bug you're fixing or what new feature you're adding-->
Previous PR: #3434
Adds ciphers and folders to the new key rotation.
## Code changes
<!--Explain the changes you've made to each file or major component. This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->
* **file.ext:** Description of what was changed and why
## Before you submit
- Please check for formatting errors (`dotnet format --verify-no-changes`) (required)
- If making database changes - make sure you also update Entity Framework queries and/or migrations
- Please add **unit tests** where it makes sense to do so (encouraged but not required)
- If this change requires a **documentation update** - notify the documentation team
- If this change has particular **deployment requirements** - notify the DevOps team
## Type of change
<!-- (mark with an `X`) -->
```
- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
```
## Objective
<!--Describe what the purpose of this PR is. For example: what bug you're fixing or what new feature you're adding-->
See #3425 for part 1 and background.
This PR adds emergency access to the rotation. All new code is hidden behind a feature flag.
The Accounts controller has also been moved to Auth ownership.
## Code changes
<!--Explain the changes you've made to each file or major component. This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->
* **file.ext:** Description of what was changed and why
* **AccountsController.cs:** Moved to Auth ownership. Emergency access validation was added (as well as initializing empty lists to avoid errors).
* **EmergencyAccessRotationValidator.cs:** Performs validation on the provided list of new emergency access keys.
* **EmergencyAccessRepository.cs:** Adds a method to rotate encryption keys. This is added to a list in the `RotateUserKeyCommand` that the `UserRepository` calls so it doesn't have to know about all the domains.
## Before you submit
- Please check for formatting errors (`dotnet format --verify-no-changes`) (required)
- If making database changes - make sure you also update Entity Framework queries and/or migrations
- Please add **unit tests** where it makes sense to do so (encouraged but not required)
- If this change requires a **documentation update** - notify the documentation team
- If this change has particular **deployment requirements** - notify the DevOps team
* layout new key rotation methods
- add endpoint with request model
- add command with data model
- add repository method
* layout new key rotation methods
- add endpoint with request model
- add command with data model
- add repository method
* formatting
* rename account recovery to reset password
* fix tests
* remove extra endpoint
* rename account recovery to reset password
* fix tests and formatting
* register db calls in command, removing list from user repo
* formatting
* Add KdfMemory and KDFParallelism fields
* Revise argon2 support
This pull request makes the new attribues for argon2, kdfMemory and
kdfParallelism optional. Furthermore it adds checks for the argon2
parametrs and improves the database migration script.
* Add validation for argon2 in RegisterRequestModel
* update validation messages
* update sql scripts
* register data protection with migration factories
* add ef migrations
* update kdf option validation
* adjust validation
* Centralize and Test KDF Validation
Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>
Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
