Merge branch 'main' into workflow-lint

Author: withinfocus

bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs

@@ -515,7 +515,10 @@ await _organizationService.InviteUsersAsync(organization.Id, user.Id,
                     new OrganizationUserInvite
                     {
                         Emails = new[] { clientOwnerEmail },
-                        AccessAll = true,
+
+                        // If using Flexible Collections, AccessAll is deprecated and set to false.
+                        // If not using Flexible Collections, set AccessAll to true (previous behavior)
+                        AccessAll = !organization.FlexibleCollections,
                         Type = OrganizationUserType.Owner,
                         Permissions = null,
                         Collections = Array.Empty<CollectionAccessSelection>(),

bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs

@@ -12,6 +12,7 @@
 using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture.OrganizationFixtures;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -513,7 +514,7 @@ public async Task AddOrganizationsToReseller_WithMspProvider_Throws(Provider pro
         await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogProviderOrganizationEventsAsync(default);
     }
 
-    [Theory, BitAutoData]
+    [Theory, OrganizationCustomize(FlexibleCollections = false), BitAutoData]
     public async Task CreateOrganizationAsync_Success(Provider provider, OrganizationSignup organizationSignup,
         Organization organization, string clientOwnerEmail, User user, SutProvider<ProviderService> sutProvider)
     {
@@ -541,6 +542,35 @@ await sutProvider.GetDependency<IOrganizationService>()
                 t.First().Item2 == null));
     }
 
+    [Theory, OrganizationCustomize(FlexibleCollections = true), BitAutoData]
+    public async Task CreateOrganizationAsync_WithFlexibleCollections_SetsAccessAllToFalse
+        (Provider provider, OrganizationSignup organizationSignup, Organization organization, string clientOwnerEmail,
+            User user, SutProvider<ProviderService> sutProvider)
+    {
+        organizationSignup.Plan = PlanType.EnterpriseAnnually;
+
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        var providerOrganizationRepository = sutProvider.GetDependency<IProviderOrganizationRepository>();
+        sutProvider.GetDependency<IOrganizationService>().SignUpAsync(organizationSignup, true)
+            .Returns(Tuple.Create(organization, null as OrganizationUser));
+
+        var providerOrganization =
+            await sutProvider.Sut.CreateOrganizationAsync(provider.Id, organizationSignup, clientOwnerEmail, user);
+
+        await providerOrganizationRepository.ReceivedWithAnyArgs().CreateAsync(default);
+        await sutProvider.GetDependency<IEventService>()
+            .Received().LogProviderOrganizationEventAsync(providerOrganization,
+                EventType.ProviderOrganization_Created);
+        await sutProvider.GetDependency<IOrganizationService>()
+            .Received().InviteUsersAsync(organization.Id, user.Id, Arg.Is<IEnumerable<(OrganizationUserInvite, string)>>(
+                t => t.Count() == 1 &&
+                t.First().Item1.Emails.Count() == 1 &&
+                t.First().Item1.Emails.First() == clientOwnerEmail &&
+                t.First().Item1.Type == OrganizationUserType.Owner &&
+                t.First().Item1.AccessAll == false &&
+                t.First().Item2 == null));
+    }
+
     [Theory, BitAutoData]
     public async Task AddOrganization_CreateAfterNov162023_PlanTypeDoesNotUpdated(Provider provider, Organization organization, string key,
         SutProvider<ProviderService> sutProvider)

src/Api/AdminConsole/Public/Controllers/GroupsController.cs

@@ -110,8 +110,8 @@ public async Task<IActionResult> List()
     public async Task<IActionResult> Post([FromBody] GroupCreateUpdateRequestModel model)
     {
         var group = model.ToGroup(_currentContext.OrganizationId.Value);
-        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
         var organization = await _organizationRepository.GetByIdAsync(_currentContext.OrganizationId.Value);
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(organization.FlexibleCollections));
         await _createGroupCommand.CreateGroupAsync(group, organization, associations);
         var response = new GroupResponseModel(group, associations);
         return new JsonResult(response);
@@ -139,8 +139,8 @@ public async Task<IActionResult> Put(Guid id, [FromBody] GroupCreateUpdateReques
         }
 
         var updatedGroup = model.ToGroup(existingGroup);
-        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
         var organization = await _organizationRepository.GetByIdAsync(_currentContext.OrganizationId.Value);
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(organization.FlexibleCollections));
         await _updateGroupCommand.UpdateGroupAsync(updatedGroup, organization, associations);
         var response = new GroupResponseModel(updatedGroup, associations);
         return new JsonResult(response);

src/Api/AdminConsole/Public/Controllers/MembersController.cs

@@ -23,21 +23,24 @@ public class MembersController : Controller
     private readonly IUserService _userService;
     private readonly ICurrentContext _currentContext;
     private readonly IUpdateOrganizationUserGroupsCommand _updateOrganizationUserGroupsCommand;
+    private readonly IApplicationCacheService _applicationCacheService;
 
     public MembersController(
         IOrganizationUserRepository organizationUserRepository,
         IGroupRepository groupRepository,
         IOrganizationService organizationService,
         IUserService userService,
         ICurrentContext currentContext,
-        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand)
+        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand,
+        IApplicationCacheService applicationCacheService)
     {
         _organizationUserRepository = organizationUserRepository;
         _groupRepository = groupRepository;
         _organizationService = organizationService;
         _userService = userService;
         _currentContext = currentContext;
         _updateOrganizationUserGroupsCommand = updateOrganizationUserGroupsCommand;
+        _applicationCacheService = applicationCacheService;
     }
 
     /// <summary>
@@ -119,7 +122,8 @@ public async Task<IActionResult> List()
     [ProducesResponseType(typeof(ErrorResponseModel), (int)HttpStatusCode.BadRequest)]
     public async Task<IActionResult> Post([FromBody] MemberCreateRequestModel model)
     {
-        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(_currentContext.OrganizationId.Value);
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(organizationAbility?.FlexibleCollections ?? false));
         var invite = new OrganizationUserInvite
         {
             Emails = new List<string> { model.Email },
@@ -154,7 +158,8 @@ public async Task<IActionResult> Put(Guid id, [FromBody] MemberUpdateRequestMode
             return new NotFoundResult();
         }
         var updatedUser = model.ToOrganizationUser(existingUser);
-        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(_currentContext.OrganizationId.Value);
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection(organizationAbility?.FlexibleCollections ?? false));
         await _organizationService.SaveUserAsync(updatedUser, null, associations, model.Groups);
         MemberResponseModel response = null;
         if (existingUser.UserId.HasValue)

src/Api/AdminConsole/Public/Models/AssociationWithPermissionsBaseModel.cs

@@ -20,4 +20,9 @@ public abstract class AssociationWithPermissionsBaseModel
     /// This prevents easy copy-and-paste of hidden items, however it may not completely prevent user access.
     /// </summary>
     public bool? HidePasswords { get; set; }
+    /// <summary>
+    /// When true, the manage permission allows a user to both edit the ciphers within a collection and edit the users/groups that are assigned to the collection.
+    /// This field will not affect behavior until the Flexible Collections functionality is released in Q1, 2024.
+    /// </summary>
+    public bool? Manage { get; set; }
 }

src/Api/AdminConsole/Public/Models/Request/AssociationWithPermissionsRequestModel.cs

@@ -1,16 +1,27 @@
-using Bit.Core.Models.Data;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
 
 namespace Bit.Api.AdminConsole.Public.Models.Request;
 
 public class AssociationWithPermissionsRequestModel : AssociationWithPermissionsBaseModel
 {
-    public CollectionAccessSelection ToCollectionAccessSelection()
+    public CollectionAccessSelection ToCollectionAccessSelection(bool migratedToFlexibleCollections)
     {
-        return new CollectionAccessSelection
+        var collectionAccessSelection = new CollectionAccessSelection
         {
             Id = Id.Value,
             ReadOnly = ReadOnly.Value,
-            HidePasswords = HidePasswords.GetValueOrDefault()
+            HidePasswords = HidePasswords.GetValueOrDefault(),
+            Manage = Manage.GetValueOrDefault()
         };
+
+        // Throws if the org has not migrated to use FC but has passed in a Manage value in the request
+        if (!migratedToFlexibleCollections && Manage.HasValue)
+        {
+            throw new BadRequestException(
+                "Your organization must be using the latest collection enhancements to use the Manage property.");
+        }
+
+        return collectionAccessSelection;
     }
 }

src/Api/AdminConsole/Public/Models/Response/AssociationWithPermissionsResponseModel.cs

@@ -13,5 +13,6 @@ public AssociationWithPermissionsResponseModel(CollectionAccessSelection selecti
         Id = selection.Id;
         ReadOnly = selection.ReadOnly;
         HidePasswords = selection.HidePasswords;
+        Manage = selection.Manage;
     }
 }

src/Api/Public/Controllers/CollectionsController.cs

@@ -16,15 +16,18 @@ public class CollectionsController : Controller
     private readonly ICollectionRepository _collectionRepository;
     private readonly ICollectionService _collectionService;
     private readonly ICurrentContext _currentContext;
+    private readonly IApplicationCacheService _applicationCacheService;
 
     public CollectionsController(
         ICollectionRepository collectionRepository,
         ICollectionService collectionService,
-        ICurrentContext currentContext)
+        ICurrentContext currentContext,
+        IApplicationCacheService applicationCacheService)
     {
         _collectionRepository = collectionRepository;
         _collectionService = collectionService;
         _currentContext = currentContext;
+        _applicationCacheService = applicationCacheService;
     }
 
     /// <summary>
@@ -89,7 +92,8 @@ public async Task<IActionResult> Put(Guid id, [FromBody] CollectionUpdateRequest
             return new NotFoundResult();
         }
         var updatedCollection = model.ToCollection(existingCollection);
-        var associations = model.Groups?.Select(c => c.ToCollectionAccessSelection());
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(_currentContext.OrganizationId.Value);
+        var associations = model.Groups?.Select(c => c.ToCollectionAccessSelection(organizationAbility?.FlexibleCollections ?? false));
         await _collectionService.SaveAsync(updatedCollection, associations);
         var response = new CollectionResponseModel(updatedCollection, associations);
         return new JsonResult(response);

src/Core/AdminConsole/OrganizationFeatures/Groups/CreateGroupCommand.cs

@@ -39,7 +39,7 @@ public async Task CreateGroupAsync(Group group, Organization organization,
         IEnumerable<CollectionAccessSelection> collections = null,
         IEnumerable<Guid> users = null)
     {
-        Validate(organization);
+        Validate(organization, group);
         await GroupRepositoryCreateGroupAsync(group, organization, collections);
 
         if (users != null)
@@ -54,7 +54,7 @@ public async Task CreateGroupAsync(Group group, Organization organization, Event
         IEnumerable<CollectionAccessSelection> collections = null,
         IEnumerable<Guid> users = null)
     {
-        Validate(organization);
+        Validate(organization, group);
         await GroupRepositoryCreateGroupAsync(group, organization, collections);
 
         if (users != null)
@@ -103,7 +103,7 @@ await _eventService.LogOrganizationUserEventsAsync(users.Select(u =>
         }
     }
 
-    private static void Validate(Organization organization)
+    private static void Validate(Organization organization, Group group)
     {
         if (organization == null)
         {
@@ -114,5 +114,10 @@ private static void Validate(Organization organization)
         {
             throw new BadRequestException("This organization cannot use groups.");
         }
+
+        if (organization.FlexibleCollections && group.AccessAll)
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
+        }
     }
 }

src/Core/AdminConsole/OrganizationFeatures/Groups/UpdateGroupCommand.cs

@@ -29,7 +29,7 @@ public async Task UpdateGroupAsync(Group group, Organization organization,
         IEnumerable<CollectionAccessSelection> collections = null,
         IEnumerable<Guid> userIds = null)
     {
-        Validate(organization);
+        Validate(organization, group);
         await GroupRepositoryUpdateGroupAsync(group, collections);
 
         if (userIds != null)
@@ -44,7 +44,7 @@ public async Task UpdateGroupAsync(Group group, Organization organization, Event
         IEnumerable<CollectionAccessSelection> collections = null,
         IEnumerable<Guid> userIds = null)
     {
-        Validate(organization);
+        Validate(organization, group);
         await GroupRepositoryUpdateGroupAsync(group, collections);
 
         if (userIds != null)
@@ -97,7 +97,7 @@ await _eventService.LogOrganizationUserEventsAsync(users.Select(u =>
         }
     }
 
-    private static void Validate(Organization organization)
+    private static void Validate(Organization organization, Group group)
     {
         if (organization == null)
         {
@@ -108,5 +108,10 @@ private static void Validate(Organization organization)
         {
             throw new BadRequestException("This organization cannot use groups.");
         }
+
+        if (organization.FlexibleCollections && group.AccessAll)
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
+        }
     }
 }

src/Core/AdminConsole/Services/Implementations/OrganizationService.cs

@@ -673,7 +673,10 @@ await _organizationApiKeyRepository.CreateAsync(new OrganizationApiKey
                     AccessSecretsManager = organization.UseSecretsManager,
                     Type = OrganizationUserType.Owner,
                     Status = OrganizationUserStatusType.Confirmed,
-                    AccessAll = true,
+
+                    // If using Flexible Collections, AccessAll is deprecated and set to false.
+                    // If not using Flexible Collections, set AccessAll to true (previous behavior)
+                    AccessAll = !organization.FlexibleCollections,
                     CreationDate = organization.CreationDate,
                     RevisionDate = organization.CreationDate
                 };
@@ -885,6 +888,18 @@ public async Task<List<OrganizationUser>> InviteUsersAsync(Guid organizationId,
             throw new NotFoundException();
         }
 
+        // If the organization is using Flexible Collections, prevent use of any deprecated permissions
+        if (organization.FlexibleCollections && invites.Any(i => i.invite.Type is OrganizationUserType.Manager))
+        {
+            throw new BadRequestException("The Manager role has been deprecated by collection enhancements. Use the collection Can Manage permission instead.");
+        }
+
+        if (organization.FlexibleCollections && invites.Any(i => i.invite.AccessAll))
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
+        }
+        // End Flexible Collections
+
         var existingEmails = new HashSet<string>(await _organizationUserRepository.SelectKnownEmailsAsync(
             organizationId, invites.SelectMany(i => i.invite.Emails), false), StringComparer.InvariantCultureIgnoreCase);
 
@@ -1377,6 +1392,19 @@ public async Task SaveUserAsync(OrganizationUser user, Guid? savingUserId,
             throw new BadRequestException("Organization must have at least one confirmed owner.");
         }
 
+        // If the organization is using Flexible Collections, prevent use of any deprecated permissions
+        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(user.OrganizationId);
+        if (organizationAbility?.FlexibleCollections == true && user.Type == OrganizationUserType.Manager)
+        {
+            throw new BadRequestException("The Manager role has been deprecated by collection enhancements. Use the collection Can Manage permission instead.");
+        }
+
+        if (organizationAbility?.FlexibleCollections == true && user.AccessAll)
+        {
+            throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
+        }
+        // End Flexible Collections
+
         // Only autoscale (if required) after all validation has passed so that we know it's a valid request before
         // updating Stripe
         if (!originalUser.AccessSecretsManager && user.AccessSecretsManager)
@@ -2027,15 +2055,6 @@ public async Task ValidateOrganizationUserUpdatePermissions(Guid organizationId,
         {
             throw new BadRequestException("Custom users can only grant the same custom permissions that they have.");
         }
-
-        // TODO: pass in the whole organization object when this is refactored into a command/query
-        // See AC-2036
-        var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
-        var flexibleCollectionsEnabled = organizationAbility?.FlexibleCollections ?? false;
-        if (flexibleCollectionsEnabled && newType == OrganizationUserType.Manager && oldType is not OrganizationUserType.Manager)
-        {
-            throw new BadRequestException("Manager role is deprecated after Flexible Collections.");
-        }
     }
 
     private async Task ValidateOrganizationCustomPermissionsEnabledAsync(Guid organizationId, OrganizationUserType newType)
@@ -2451,7 +2470,10 @@ public async Task CreatePendingOrganization(Organization organization, string ow
             Key = null,
             Type = OrganizationUserType.Owner,
             Status = OrganizationUserStatusType.Invited,
-            AccessAll = true
+
+            // If using Flexible Collections, AccessAll is deprecated and set to false.
+            // If not using Flexible Collections, set AccessAll to true (previous behavior)
+            AccessAll = !organization.FlexibleCollections,
         };
         await _organizationUserRepository.CreateAsync(ownerOrganizationUser);
 

src/Core/Services/Implementations/CollectionService.cs

@@ -56,7 +56,7 @@ public async Task SaveAsync(Collection collection, IEnumerable<CollectionAccessS
         var usersList = users?.ToList();
 
         // If using Flexible Collections - a collection should always have someone with Can Manage permissions
-        if (_featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
+        if (org.FlexibleCollections && _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
         {
             var groupHasManageAccess = groupsList?.Any(g => g.Manage) ?? false;
             var userHasManageAccess = usersList?.Any(u => u.Manage) ?? false;