#nullable enable
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces ;
using Bit.Core.AdminConsole.Repositories ;
using Bit.Core.Entities ;
using Bit.Core.Enums ;
using Bit.Core.Exceptions ;
using Bit.Core.Models.Business ;
using Bit.Core.Models.Data ;
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface ;
using Bit.Core.Repositories ;
using Bit.Core.Services ;
namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers ;
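/// <summary>
/// Applies an edit to an existing organization user: validates the caller's permissions, the
/// requested collection/group access and the owner invariant, autoscales Secrets Manager seats
/// when the user is newly granted SM access, then persists the user and logs the event.
/// </summary>
public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
{
    private readonly IEventService _eventService;
    private readonly IOrganizationService _organizationService;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
    private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
    private readonly ICollectionRepository _collectionRepository;
    private readonly IGroupRepository _groupRepository;

    public UpdateOrganizationUserCommand(
        IEventService eventService,
        IOrganizationService organizationService,
        IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
        ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
        IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
        ICollectionRepository collectionRepository,
        IGroupRepository groupRepository)
    {
        _eventService = eventService;
        _organizationService = organizationService;
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
        _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
        _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
        _collectionRepository = collectionRepository;
        _groupRepository = groupRepository;
    }

    /// <summary>
    /// Update an organization user.
    /// </summary>
    /// <param name="user">The modified user to save.</param>
    /// <param name="savingUserId">The userId of the currently logged in user who is making the change.
    /// When null, the per-user update permission check is skipped; the remaining validation still runs.</param>
    /// <param name="collectionAccess">The user's updated collection access. If set to null, this removes all collection access.</param>
    /// <param name="groupAccess">The user's updated group access. If set to null, groups are not updated.</param>
    /// <exception cref="BadRequestException">The user has not been invited yet, the Manage flag is combined
    /// with ReadOnly/HidePasswords, or the change would leave the organization without a confirmed owner.</exception>
    /// <exception cref="NotFoundException">The user does not exist, belongs to a different organization, or
    /// references a collection or group that does not exist or belongs to another organization.</exception>
    public async Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId,
        List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess)
    {
        // Materialize once so validation and persistence operate on the same snapshot
        // (the caller may hand us a deferred query).
        collectionAccess = collectionAccess?.ToList();
        var groupIds = groupAccess?.ToList();

        if (user.Id.Equals(default(Guid)))
        {
            throw new BadRequestException("Invite the user first.");
        }

        var originalUser = await _organizationUserRepository.GetByIdAsync(user.Id);
        // An unknown user and an attempt to re-parent the user onto another organization
        // get the same generic response so neither case leaks information.
        if (originalUser == null || user.OrganizationId != originalUser.OrganizationId)
        {
            throw new NotFoundException();
        }

        if (collectionAccess?.Count > 0)
        {
            await ValidateCollectionAccessAsync(originalUser, collectionAccess);
        }

        if (groupIds?.Count > 0)
        {
            await ValidateGroupAccessAsync(originalUser, groupIds);
        }

        if (savingUserId.HasValue)
        {
            await _organizationService.ValidateOrganizationUserUpdatePermissions(
                user.OrganizationId, user.Type, originalUser.Type, user.GetPermissions());
        }

        await _organizationService.ValidateOrganizationCustomPermissionsEnabledAsync(user.OrganizationId, user.Type);

        // Demoting the last confirmed owner would lock the organization out of administration.
        if (user.Type != OrganizationUserType.Owner &&
            !await _organizationService.HasConfirmedOwnersExceptAsync(user.OrganizationId, new[] { user.Id }))
        {
            throw new BadRequestException("Organization must have at least one confirmed owner.");
        }

        if (collectionAccess?.Count > 0)
        {
            var hasInvalidAssociation = collectionAccess.Any(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
            if (hasInvalidAssociation)
            {
                throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
            }
        }

        // Only autoscale (if required) after all validation has passed so that we know it's a valid request before
        // updating Stripe
        if (!originalUser.AccessSecretsManager && user.AccessSecretsManager)
        {
            var additionalSmSeatsRequired = await _countNewSmSeatsRequiredQuery.CountNewSmSeatsRequiredAsync(user.OrganizationId, 1);
            if (additionalSmSeatsRequired > 0)
            {
                var organization = await _organizationRepository.GetByIdAsync(user.OrganizationId);
                var update = new SecretsManagerSubscriptionUpdate(organization, true)
                    .AdjustSeats(additionalSmSeatsRequired);
                await _updateSecretsManagerSubscriptionCommand.UpdateSubscriptionAsync(update);
            }
        }

        await _organizationUserRepository.ReplaceAsync(user, collectionAccess);

        if (groupIds != null)
        {
            await _organizationUserRepository.UpdateGroupsAsync(user.Id, groupIds);
        }

        await _eventService.LogOrganizationUserEventAsync(user, EventType.OrganizationUser_Updated);
    }

    /// <summary>
    /// Ensures every requested collection exists and belongs to the user's organization.
    /// </summary>
    /// <param name="originalUser">The stored user being edited; its OrganizationId is the only one allowed.</param>
    /// <param name="collectionAccess">The requested collection access entries.</param>
    /// <exception cref="NotFoundException">A collection is unknown or belongs to another organization.</exception>
    private async Task ValidateCollectionAccessAsync(OrganizationUser originalUser,
        ICollection<CollectionAccessSelection> collectionAccess)
    {
        var collections = await _collectionRepository
            .GetManyByManyIdsAsync(collectionAccess.Select(c => c.Id));
        // Set lookup instead of re-enumerating the projection for every requested id.
        var knownCollectionIds = collections.Select(c => c.Id).ToHashSet();

        // Membership test rather than FirstOrDefault() != default, so the result never depends on
        // whether the requested element happens to equal the type's default value.
        if (collectionAccess.Any(cas => !knownCollectionIds.Contains(cas.Id)))
        {
            throw new NotFoundException();
        }

        if (collections.Any(c => c.OrganizationId != originalUser.OrganizationId))
        {
            // Use generic error message to avoid enumeration
            throw new NotFoundException();
        }
    }

    /// <summary>
    /// Ensures every requested group exists and belongs to the user's organization.
    /// </summary>
    /// <param name="originalUser">The stored user being edited; its OrganizationId is the only one allowed.</param>
    /// <param name="groupAccess">The requested group ids.</param>
    /// <exception cref="NotFoundException">A group is unknown or belongs to another organization.</exception>
    private async Task ValidateGroupAccessAsync(OrganizationUser originalUser,
        ICollection<Guid> groupAccess)
    {
        var groups = await _groupRepository.GetManyByManyIds(groupAccess);
        var knownGroupIds = groups.Select(g => g.Id).ToHashSet();

        // Guid.Empty is both FirstOrDefault()'s "nothing found" sentinel and a value a caller can submit,
        // so a `FirstOrDefault(...) != default` check would let an unknown Guid.Empty id through validation.
        // Test membership directly instead.
        if (groupAccess.Any(gId => !knownGroupIds.Contains(gId)))
        {
            throw new NotFoundException();
        }

        if (groups.Any(g => g.OrganizationId != originalUser.OrganizationId))
        {
            // Use generic error message to avoid enumeration
            throw new NotFoundException();
        }
    }
}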