From d6c419bad82dade847d719e4b58386054c349a3a Mon Sep 17 00:00:00 2001
From: Oscar Hinton <oscar@oscarhinton.com>
Date: Wed, 17 Nov 2021 12:11:20 +0100
Subject: [PATCH] Disable key connector when org doesn't have the feature
 (#1301)

---
 .../app/organizations/manage/sso.component.html   | 13 ++++++++++---
 .../src/app/organizations/manage/sso.component.ts | 11 +++++++++--
 jslib                                             |  2 +-
 .../policies/master-password.component.ts         |  2 +-
 .../policies/reset-password.component.ts          |  2 +-
 src/locales/en/messages.json                      | 15 +++++++++------
 6 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/bitwarden_license/src/app/organizations/manage/sso.component.html b/bitwarden_license/src/app/organizations/manage/sso.component.html
index 6f03b034..ddcf4f2f 100644
--- a/bitwarden_license/src/app/organizations/manage/sso.component.html
+++ b/bitwarden_license/src/app/organizations/manage/sso.component.html
@@ -12,6 +12,8 @@
         {{'ssoPolicyHelpStart' | i18n}}
         <a routerLink="../policies">{{'ssoPolicyHelpLink' | i18n}}</a>
         {{'ssoPolicyHelpEnd' | i18n}}
+        <br>
+        {{'ssoPolicyHelpKeyConnector' | i18n}}
     </p>
     
     <div class="form-group">
@@ -25,22 +27,27 @@
     <div class="form-group">
         <label>{{'memberDecryptionOption' | i18n}}</label>
         <div class="form-check form-check-block">
-            <input class="form-check-input" type="radio" id="memberDecryptionPass" [value]="false" formControlName="useKeyConnector">
+            <input class="form-check-input" type="radio" id="memberDecryptionPass" [value]="false" formControlName="keyConnectorEnabled">
             <label class="form-check-label" for="memberDecryptionPass">
                 {{'masterPass' | i18n}}
                 <small>{{'memberDecryptionPassDesc' | i18n}}</small>
             </label>
         </div>
         <div class="form-check mt-2 form-check-block">
-            <input class="form-check-input" type="radio" id="memberDecryptionKey" [value]="true" formControlName="useKeyConnector">
+            <input class="form-check-input" type="radio" id="memberDecryptionKey" [value]="true" formControlName="keyConnectorEnabled"
+                [attr.disabled]="!organization.useKeyConnector || null">
             <label class="form-check-label" for="memberDecryptionKey">
                 {{'keyConnector' | i18n}}
+                <a target="_blank" rel="noopener" appA11yTitle="{{'learnMore' | i18n}}"
+                    href="https://bitwarden.com/help/article/about-key-connector/">
+                    <i class="fa fa-question-circle-o" aria-hidden="true"></i>
+                </a>
                 <small>{{'memberDecryptionKeyConnectorDesc' | i18n}}</small>
             </label>
         </div>
     </div>
 
-    <ng-container *ngIf="data.value.useKeyConnector">
+    <ng-container *ngIf="data.value.keyConnectorEnabled">
         <app-callout type="warning" [useAlertRole]="true">
             {{'keyConnectorWarning' | i18n}}
         </app-callout>
diff --git a/bitwarden_license/src/app/organizations/manage/sso.component.ts b/bitwarden_license/src/app/organizations/manage/sso.component.ts
index 1b711909..706d88af 100644
--- a/bitwarden_license/src/app/organizations/manage/sso.component.ts
+++ b/bitwarden_license/src/app/organizations/manage/sso.component.ts
@@ -8,6 +8,10 @@ import { ActivatedRoute } from '@angular/router';
 import { ApiService } from 'jslib-common/abstractions/api.service';
 import { I18nService } from 'jslib-common/abstractions/i18n.service';
 import { PlatformUtilsService } from 'jslib-common/abstractions/platformUtils.service';
+import { UserService } from 'jslib-common/abstractions/user.service';
+
+import { Organization } from 'jslib-common/models/domain/organization';
+
 import { OrganizationSsoRequest } from 'jslib-common/models/request/organization/organizationSsoRequest';
 
 @Component({
@@ -25,6 +29,7 @@ export class SsoComponent implements OnInit {
 
     loading = true;
     organizationId: string;
+    organization: Organization;
     formPromise: Promise<any>;
 
     callbackPath: string;
@@ -37,7 +42,7 @@ export class SsoComponent implements OnInit {
     data = this.fb.group({
         configType: [],
 
-        useKeyConnector: [],
+        keyConnectorEnabled: [],
         keyConnectorUrl: [],
 
         // OpenId
@@ -75,7 +80,8 @@ export class SsoComponent implements OnInit {
     });
 
     constructor(private fb: FormBuilder, private route: ActivatedRoute, private apiService: ApiService,
-        private platformUtilsService: PlatformUtilsService, private i18nService: I18nService) { }
+        private platformUtilsService: PlatformUtilsService, private i18nService: I18nService,
+        private userService: UserService) { }
 
     async ngOnInit() {
         this.route.parent.parent.params.subscribe(async params => {
@@ -85,6 +91,7 @@ export class SsoComponent implements OnInit {
     }
 
     async load() {
+        this.organization = await this.userService.getOrganization(this.organizationId);
         const ssoSettings = await this.apiService.getOrganizationSso(this.organizationId);
 
         this.data.patchValue(ssoSettings.data);
diff --git a/jslib b/jslib
index 72096747..e1b1efee 160000
--- a/jslib
+++ b/jslib
@@ -1 +1 @@
-Subproject commit 720967475b37d635c18a1eb74bb3702445647b4d
+Subproject commit e1b1efeea2074254017909423ad628508508b736
diff --git a/src/app/organizations/policies/master-password.component.ts b/src/app/organizations/policies/master-password.component.ts
index 36f368ce..2f2b2299 100644
--- a/src/app/organizations/policies/master-password.component.ts
+++ b/src/app/organizations/policies/master-password.component.ts
@@ -49,6 +49,6 @@ export class MasterPasswordPolicyComponent extends BasePolicyComponent {
     async ngOnInit() {
         super.ngOnInit();
         const organization = await this.userService.getOrganization(this.policyResponse.organizationId);
-        this.showKeyConnectorInfo = organization.usesKeyConnector;
+        this.showKeyConnectorInfo = organization.keyConnectorEnabled;
     }
 }
diff --git a/src/app/organizations/policies/reset-password.component.ts b/src/app/organizations/policies/reset-password.component.ts
index 5ebebbc5..0c3ee267 100644
--- a/src/app/organizations/policies/reset-password.component.ts
+++ b/src/app/organizations/policies/reset-password.component.ts
@@ -39,6 +39,6 @@ export class ResetPasswordPolicyComponent extends BasePolicyComponent {
     async ngOnInit() {
         super.ngOnInit();
         const organization = await this.userService.getOrganization(this.policyResponse.organizationId);
-        this.showKeyConnectorInfo = organization.usesKeyConnector;
+        this.showKeyConnectorInfo = organization.keyConnectorEnabled;
     }
 }
diff --git a/src/locales/en/messages.json b/src/locales/en/messages.json
index 06da5eee..5f09d05d 100644
--- a/src/locales/en/messages.json
+++ b/src/locales/en/messages.json
@@ -4511,15 +4511,18 @@
   },
   "ssoPolicyHelpStart": {
     "message": "Enable the",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Enable the SSO Policy to require all members to log in with SSO.'"
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Enable the SSO Authentication policy to require all members to log in with SSO.'"
   },
   "ssoPolicyHelpLink": {
-    "message": "SSO Policy",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Enable the SSO Policy to require all members to log in with SSO.'"
+    "message": "SSO Authentication policy",
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Enable the SSO Authentication policy to require all members to log in with SSO.'"
   },
   "ssoPolicyHelpEnd": {
     "message": "to require all members to log in with SSO.",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Enable the SSO Policy to require all members to log in with SSO.'"
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Enable the SSO Authentication policy to require all members to log in with SSO.'"
+  },
+  "ssoPolicyHelpKeyConnector": {
+    "message": "SSO Authentication and Single Organization policies are required to set up Key Connector decryption."
   },
   "memberDecryptionOption": {
     "message": "Member Decryption Options"
@@ -4531,7 +4534,7 @@
     "message": "Key Connector"
   },
   "memberDecryptionKeyConnectorDesc": {
-    "message": "Connect Login with SSO to your self-hosted decryption key server. Using this option, members won’t need to use their Master Passwords to decrypt vault data."
+    "message": "Connect Login with SSO to your self-hosted decryption key server. Using this option, members won’t need to use their Master Passwords to decrypt vault data. Contact Bitwarden Support for set up assistance."
   },
   "keyConnectorPolicyRestriction": {
     "message": "\"Login with SSO and Key Connector Decryption\" is enabled. This policy will only apply to Owners and Admins."
@@ -4549,7 +4552,7 @@
     "message": "Disabled Key Connector"
   },
   "keyConnectorWarning": {
-    "message": "Once Key Connector is set up, Member Decryption Options cannot be changed."
+    "message": "Once members begin using Key Connector, your Organization cannot revert to Master Password decryption. Proceed only if you are comfortable deploying and managing a key server."
   },
   "migratedKeyConnector": {
     "message": "Migrated to Key Connector"