Merge branch 'main' into auth/pm-35393/master-password-service-auth-integration

Author: enmande

.github/workflows/build.yml

@@ -214,7 +214,7 @@ jobs:
           if [[ "$IMAGE_TAG" == "main" ]]; then
             IMAGE_TAG=dev
           fi
-          
+
           IMAGE_TAG=${IMAGE_TAG:0:128} # Limit image tags to 128 chars
           echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
           echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> "$GITHUB_STEP_SUMMARY"
@@ -537,47 +537,14 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Generate GH App token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
-        id: app-token
+      - name: Trigger deployment
+        uses: bitwarden/gh-actions/trigger-actions@main
         with:
-          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
-          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: devops
-
-      - name: Trigger K8s deploy
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          github-token: ${{ steps.app-token.outputs.token }}
-          script: |
-            await github.rest.actions.createWorkflowDispatch({
-              owner: 'bitwarden',
-              repo: 'devops',
-              workflow_id: 'deploy-k8s.yml',
-              ref: 'main',
-              inputs: {
-                environment: 'US-DEV Cloud',
-                tag: 'main'
-              }
-            })
+          azure_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          task: deploy-server-dev
+          description: "Triggered by server build on main"
 
   setup-ephemeral-environment:
     name: Setup Ephemeral Environment

Directory.Build.props

@@ -1,7 +1,7 @@
 <Project>
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
 
     <Version>2026.4.1</Version>
 
@@ -11,6 +11,7 @@
     <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' == 'true'">annotations</Nullable>
     <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' != 'true'">enable</Nullable>
     <TreatWarningsAsErrors Condition="'$(TreatWarningsAsErrors)' == ''">true</TreatWarningsAsErrors>
+    <NuGetAuditLevel>critical</NuGetAuditLevel>
   </PropertyGroup>
 
   <PropertyGroup>

bitwarden_license/src/Scim/Dockerfile

@@ -1,7 +1,7 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine3.21 AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:10.0-alpine3.23 AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
@@ -37,7 +37,7 @@ RUN . /tmp/rid.txt && dotnet publish \
 ###############################################
 #                  App stage                  #
 ###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.21
+FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine3.23
 
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"

bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs

@@ -1,8 +1,8 @@
 // FIXME: Update this file to be null safe and then delete the line below
 #nullable disable
 
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -34,7 +34,7 @@ public OrganizationUserInvite ToOrganizationUserInvite(ScimProviderType scimProv
 
     public InviteOrganizationUsersRequest ToRequest(
         ScimProviderType scimProvider,
-        InviteOrganization inviteOrganization,
+        Organization organization,
         DateTimeOffset performedAt)
     {
         var email = EmailForInvite(scimProvider);
@@ -52,7 +52,7 @@ public InviteOrganizationUsersRequest ToRequest(
                         externalId: ExternalIdForInvite()
                     )
             ],
-            inviteOrganization: inviteOrganization,
+            organization: organization,
             performedBy: Guid.Empty, // SCIM does not have a user id
             performedAt: performedAt);
     }

bitwarden_license/src/Scim/Users/PostUserCommand.cs

@@ -2,12 +2,10 @@
 
 using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.Models.Business;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.Utilities.Commands;
-using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -29,8 +27,7 @@ public class PostUserCommand(
     IScimContext scimContext,
     IFeatureService featureService,
     IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,
-    TimeProvider timeProvider,
-    IPricingClient pricingClient)
+    TimeProvider timeProvider)
     : IPostUserCommand
 {
     public async Task<OrganizationUserUserDetails?> PostUserAsync(Guid organizationId, ScimUserRequestModel model)
@@ -55,15 +52,13 @@ public class PostUserCommand(
             throw new NotFoundException();
         }
 
-        var plan = await pricingClient.GetPlanOrThrow(organization.PlanType);
-
         var request = model.ToRequest(
             scimProvider: scimProvider,
-            inviteOrganization: new InviteOrganization(organization, plan),
+            organization: organization,
             performedAt: timeProvider.GetUtcNow());
 
         var orgUsers = await organizationUserRepository
-            .GetManyDetailsByOrganizationAsync(request.InviteOrganization.OrganizationId);
+            .GetManyDetailsByOrganizationAsync(request.Organization.Id);
 
         if (orgUsers.Any(existingUser =>
                 request.Invites.First().Email.Equals(existingUser.Email, StringComparison.OrdinalIgnoreCase) ||

bitwarden_license/src/Sso/Dockerfile

@@ -1,7 +1,7 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine3.21 AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:10.0-alpine3.23 AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
@@ -37,7 +37,7 @@ RUN . /tmp/rid.txt && dotnet publish \
 ###############################################
 #                  App stage                  #
 ###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.21
+FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine3.23
 
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"

bitwarden_license/src/Sso/Sso.csproj

@@ -8,9 +8,6 @@
   <PropertyGroup Condition=" '$(RunConfiguration)' == 'Sso' " />
   <PropertyGroup Condition=" '$(RunConfiguration)' == 'Sso-SelfHost' " />
   <ItemGroup>
-    <!-- This is a transitive dependency to Sustainsys.Saml2.AspNetCore2 -->
-    <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.2.2" />
-
     <PackageReference Include="Sustainsys.Saml2.AspNetCore2" Version="2.11.0" />
   </ItemGroup>
 

bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs

@@ -406,7 +406,7 @@ private DynamicAuthenticationScheme GetSaml2AuthenticationScheme(string name, Ss
         if (!string.IsNullOrWhiteSpace(config.IdpX509PublicCert))
         {
             var cert = CoreHelpers.Base64UrlDecode(config.IdpX509PublicCert);
-            idp.SigningKeys.AddConfiguredKey(new X509Certificate2(cert));
+            idp.SigningKeys.AddConfiguredKey(X509CertificateLoader.LoadCertificate(cert));
         }
         idp.ArtifactResolutionServiceUrls.Clear();
         // This must happen last since it calls Validate() internally.

bitwarden_license/test/Commercial.Core.Test/SecretsManager/Queries/ServiceAccounts/ServiceAccountSecretsDetailsQueryTests.cs

@@ -38,13 +38,13 @@ public async Task GetManyByOrganizationId_CallsDifferentRepoMethods(
         if (includeAccessToSecrets)
         {
             await sutProvider.GetDependency<IServiceAccountRepository>().Received(1)
-                .GetManyByOrganizationIdWithSecretsDetailsAsync(Arg.Is(AssertHelper.AssertPropertyEqual(mockSaDetails.ServiceAccount.OrganizationId)),
+                .GetManyByOrganizationIdWithSecretsDetailsAsync(Arg.Is(AssertHelper.AssertPropertyEqual(organizationId)),
                     Arg.Any<Guid>(), Arg.Any<AccessClientType>());
         }
         else
         {
             await sutProvider.GetDependency<IServiceAccountRepository>().Received(1)
-                .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(mockSa.OrganizationId)),
+                .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(organizationId)),
                     Arg.Any<Guid>(), Arg.Any<AccessClientType>());
             Assert.Equal(0, result.First().AccessToSecrets);
         }

bitwarden_license/test/SSO.Test/SSO.Test.csproj

@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
     <PropertyGroup>
-        <TargetFramework>net8.0</TargetFramework>
         <ImplicitUsings>enable</ImplicitUsings>
         <Nullable>enable</Nullable>