Merge branch 'main' into ac/pm-35253/add-useinvitelinks-organization-ability

Author: r-tome

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/MasterPasswordPolicyRequirement.cs

@@ -0,0 +1,57 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Master Password policy.
+/// </summary>
+public class MasterPasswordPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// The combined Master Password policy options enforced against the user, or null if no policy applies.
+    /// </summary>
+    public MasterPasswordPolicyData? EnforcedOptions { get; init; }
+}
+
+/// <summary>
+/// Factory for <see cref="MasterPasswordPolicyRequirement"/>.
+/// Invited and Revoked users are exempt (inherited default from <see cref="BasePolicyRequirementFactory{T}"/>),
+/// which is intentional: master password requirements are enforced at login/unlock for active members only.
+/// </summary>
+public class MasterPasswordPolicyRequirementFactory : BasePolicyRequirementFactory<MasterPasswordPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.MasterPassword;
+
+    /// <summary>
+    /// No roles are exempt from the master password policy.
+    /// </summary>
+    protected override IEnumerable<OrganizationUserType> ExemptRoles { get; } = [];
+
+    public override MasterPasswordPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var combined = policyDetails
+            .Select(p => p.GetDataModel<MasterPasswordPolicyData>())
+            .Aggregate(new MasterPasswordPolicyData(), (result, data) =>
+            {
+                result.CombineWith(data);
+                return result;
+            });
+
+        // Only set EnforcedOptions if at least one field has a meaningful value.
+        // A policy saved with no options set produces an all-null MasterPasswordPolicyData,
+        // and callers rely on EnforcedOptions == null to mean "no policy enforced".
+        var hasAnyOption = combined.MinComplexity.HasValue || combined.MinLength.HasValue ||
+            (combined.RequireLower ?? false) || (combined.RequireUpper ?? false) ||
+            (combined.RequireNumbers ?? false) || (combined.RequireSpecial ?? false) ||
+            (combined.EnforceOnLogin ?? false);
+
+        return new MasterPasswordPolicyRequirement
+        {
+            EnforcedOptions = hasAnyOption ? combined : null
+        };
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs

@@ -56,5 +56,6 @@ private static void AddPolicyRequirements(this IServiceCollection services)
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, RequireTwoFactorPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SingleOrganizationPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, AutomaticUserConfirmationPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, MasterPasswordPolicyRequirementFactory>();
     }
 }

src/Core/AdminConsole/Services/Implementations/PolicyService.cs

@@ -3,7 +3,8 @@
 
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations;
@@ -18,41 +19,25 @@ public class PolicyService : IPolicyService
 {
     private readonly IApplicationCacheService _applicationCacheService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IPolicyRepository _policyRepository;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly GlobalSettings _globalSettings;
 
     public PolicyService(
         IApplicationCacheService applicationCacheService,
         IOrganizationUserRepository organizationUserRepository,
-        IPolicyRepository policyRepository,
+        IPolicyRequirementQuery policyRequirementQuery,
         GlobalSettings globalSettings)
     {
         _applicationCacheService = applicationCacheService;
         _organizationUserRepository = organizationUserRepository;
-        _policyRepository = policyRepository;
+        _policyRequirementQuery = policyRequirementQuery;
         _globalSettings = globalSettings;
     }
 
     public async Task<MasterPasswordPolicyData> GetMasterPasswordPolicyForUserAsync(User user)
     {
-        var policies = (await _policyRepository.GetManyByUserIdAsync(user.Id))
-            .Where(p => p.Type == PolicyType.MasterPassword && p.Enabled)
-            .ToList();
-
-        if (!policies.Any())
-        {
-            return null;
-        }
-
-        var enforcedOptions = new MasterPasswordPolicyData();
-
-        foreach (var policy in policies)
-        {
-            enforcedOptions.CombineWith(policy.GetDataModel<MasterPasswordPolicyData>());
-        }
-
-        return enforcedOptions;
-
+        var requirement = await _policyRequirementQuery.GetAsyncVNext<MasterPasswordPolicyRequirement>(user.Id);
+        return requirement.EnforcedOptions;
     }
 
     public async Task<ICollection<OrganizationUserPolicyDetails>> GetPoliciesApplicableToUserAsync(Guid userId, PolicyType policyType, OrganizationUserStatusType minStatus = OrganizationUserStatusType.Accepted)

src/Sql/dbo/Stored Procedures/User_ReadBySsoUserOrganizationIdExternalId.sql

@@ -1,6 +1,6 @@
 CREATE PROCEDURE [dbo].[User_ReadBySsoUserOrganizationIdExternalId]
     @OrganizationId UNIQUEIDENTIFIER,
-    @ExternalId NVARCHAR(50)
+    @ExternalId NVARCHAR(300)
 AS
 BEGIN
     SET NOCOUNT ON

test/Core.IntegrationTest/Core.IntegrationTest.csproj

@@ -10,7 +10,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="coverlet.collector" Version="8.0.0" />
+    <PackageReference Include="coverlet.collector" Version="10.0.0" />
     <PackageReference Include="MartinCostello.Logging.XUnit" Version="0.7.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="Rnwood.SmtpServer" Version="3.1.0-ci0868" />

test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/MasterPasswordPolicyRequirementFactoryTests.cs

@@ -0,0 +1,114 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+[SutProviderCustomize]
+public class MasterPasswordPolicyRequirementFactoryTests
+{
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public void Enforce_EnforcesAgainstAllRoles(
+        OrganizationUserType userType,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        var policy = new PolicyDetails
+        {
+            PolicyType = PolicyType.MasterPassword,
+            OrganizationUserType = userType,
+            OrganizationUserStatus = OrganizationUserStatusType.Confirmed
+        };
+
+        Assert.True(sutProvider.Sut.Enforce(policy));
+    }
+
+
+    [Theory, BitAutoData]
+    public void Create_WithNoPolicies_EnforcedOptionsIsNull(SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        var actual = sutProvider.Sut.Create([]);
+
+        Assert.Null(actual.EnforcedOptions);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithAllNullOptions_EnforcedOptionsIsNull(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        foreach (var policy in policies)
+        {
+            policy.SetDataModel(new MasterPasswordPolicyData());
+        }
+
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.Null(actual.EnforcedOptions);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithSinglePolicy_ReturnsEnforcedOptions(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { MinLength = 12, RequireUpper = true });
+
+        var actual = sutProvider.Sut.Create([policies[0]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.Equal(12, actual.EnforcedOptions.MinLength);
+        Assert.True(actual.EnforcedOptions.RequireUpper);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithMultiplePolicies_TakesMaxMinComplexity(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { MinComplexity = 2 });
+        policies[1].SetDataModel(new MasterPasswordPolicyData { MinComplexity = 4 });
+
+        var actual = sutProvider.Sut.Create([policies[0], policies[1]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.Equal(4, actual.EnforcedOptions.MinComplexity);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithMultiplePolicies_TakesMaxMinLength(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { MinLength = 12 });
+        policies[1].SetDataModel(new MasterPasswordPolicyData { MinLength = 20 });
+
+        var actual = sutProvider.Sut.Create([policies[0], policies[1]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.Equal(20, actual.EnforcedOptions.MinLength);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithMultiplePolicies_OrsAllBooleanFlags(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { RequireUpper = true });
+        policies[1].SetDataModel(new MasterPasswordPolicyData { RequireSpecial = true });
+
+        var actual = sutProvider.Sut.Create([policies[0], policies[1]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.True(actual.EnforcedOptions.RequireUpper);
+        Assert.True(actual.EnforcedOptions.RequireSpecial);
+    }
+}