[PM-12358] New Verified Organization Domain SSO Detail endpoint #4838

Open: wants to merge 16 commits into base: main
@@ -2,11 +2,13 @@
using Bit.Api.AdminConsole.Models.Request.Organizations;
using Bit.Api.AdminConsole.Models.Response.Organizations;
using Bit.Api.Models.Response;
using Bit.Core;
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

@@ -133,6 +135,20 @@ public async Task<OrganizationDomainSsoDetailsResponseModel> GetOrgDomainSsoDeta
return new OrganizationDomainSsoDetailsResponseModel(ssoResult);
}

[AllowAnonymous]
Contributor
Can you explain to me why these need AllowAnonymous? I can see it on the method above too, but I don't immediately understand why. Claiming domains is done from authorized sessions in the admin console, isn't it?

Contributor Author
This is a get for retrieving the claimed domains. It is used when attempting to log in via SSO. The user is not logged in at this point. This endpoint is retrieved in order to try to determine the org and domain needed for SSO login.

[HttpPost("domain/sso/verified")]
[RequireFeature(FeatureFlagKeys.VerifiedSsoDomainEndpoint)]
public async Task<VerifiedOrganizationDomainSsoDetailsResponseModel> GetVerifiedOrgDomainSsoDetailsAsync(
[FromBody] OrganizationDomainSsoDetailsRequestModel model)
{
var ssoResults = (await _organizationDomainRepository
.GetVerifiedOrganizationDomainSsoDetailsAsync(model.Email))
.ToList();

return new VerifiedOrganizationDomainSsoDetailsResponseModel(
ssoResults.Select(ssoResult => new VerifiedOrganizationDomainSsoDetailResponseModel(ssoResult)));
}

private async Task ValidateOrganizationAccessAsync(Guid orgIdGuid)
{
if (!await _currentContext.ManageSso(orgIdGuid))
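Review bot: the new `[AllowAnonymous]` action returns organization name, identifier and claimed domain for any email the caller supplies, so it is an unauthenticated lookup that reveals which organizations have claimed which domains; the thread above explains why the SSO login flow needs it to be anonymous, but the hunk adds no throttling attribute and does not validate `model.Email` before handing it to the repository, and the EF implementation in this PR constructs `new MailAddress(email)`, which throws on a malformed address. Suggest confirming that `OrganizationDomainSsoDetailsRequestModel` carries `[Required]`/`[EmailAddress]` validation (or validating here), applying the same rate limiting the existing anonymous `GetOrgDomainSsoDetails` endpoint gets, and adding an XML doc comment stating why `[AllowAnonymous]` is required so it is not removed as an oversight.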
@@ -0,0 +1,23 @@
๏ปฟusing Bit.Core.Models.Api;
using Bit.Core.Models.Data.Organizations;

namespace Bit.Api.AdminConsole.Models.Response.Organizations;

public class VerifiedOrganizationDomainSsoDetailResponseModel : ResponseModel
{
public VerifiedOrganizationDomainSsoDetailResponseModel(VerifiedOrganizationDomainSsoDetail data)
: base("verifiedOrganizationDomainSsoDetails")
{

if (data is null)
{
throw new ArgumentNullException(nameof(data));

}

DomainName = data.DomainName;
OrganizationIdentifier = data.OrganizationIdentifier;
OrganizationName = data.OrganizationName;
}
public string DomainName { get; }
public string OrganizationIdentifier { get; }
public string OrganizationName { get; }

}
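Review bot: `base("verifiedOrganizationDomainSsoDetails")` gives a single-item model a plural object name while the class is `...DetailResponseModel`; `verifiedOrganizationDomainSsoDetail` would match. The model intentionally exposes only `DomainName`, `OrganizationIdentifier` and `OrganizationName` and leaves `OrganizationId` out of the response sent to an unauthenticated caller; a short comment saying that is deliberate would stop a later change from adding it back. Codecov marks the null guard and the property block as untested; one test constructing the model from a `VerifiedOrganizationDomainSsoDetail` and one passing `null` would cover both.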
@@ -0,0 +1,8 @@
๏ปฟusing Bit.Api.Models.Response;

namespace Bit.Api.AdminConsole.Models.Response.Organizations;

public class VerifiedOrganizationDomainSsoDetailsResponseModel(
IEnumerable<VerifiedOrganizationDomainSsoDetailResponseModel> data,
string continuationToken = null)
: ListResponseModel<VerifiedOrganizationDomainSsoDetailResponseModel>(data, continuationToken);
1 change: 1 addition & 0 deletions src/Core/Constants.cs
@@ -144,6 +144,7 @@ public static class FeatureFlagKeys
public const string TrialPayment = "PM-8163-trial-payment";
public const string Pm3478RefactorOrganizationUserApi = "pm-3478-refactor-organizationuser-api";
public const string RemoveServerVersionHeader = "remove-server-version-header";
public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";

public static List<string> GetAllKeys()
{
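Review bot: the key `pm-12337-refactor-sso-details-endpoint` names ticket PM-12337 while this PR is PM-12358 and the constant is `VerifiedSsoDomainEndpoint`; if the ticket reference is intentional, fine, but a key that names the gated feature (the verified-domain SSO endpoint) rather than "refactor" will read better once the flag outlives the refactor. Since the flag gates a new anonymous endpoint, it is also worth tracking its removal so the `[RequireFeature]` attribute does not linger after rollout.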
@@ -0,0 +1,22 @@
๏ปฟnamespace Bit.Core.Models.Data.Organizations;

public class VerifiedOrganizationDomainSsoDetail
{
public VerifiedOrganizationDomainSsoDetail()
{
}

public VerifiedOrganizationDomainSsoDetail(Guid organizationId, string organizationName, string domainName,
string organizationIdentifier)
{
OrganizationId = organizationId;
OrganizationName = organizationName;
DomainName = domainName;
OrganizationIdentifier = organizationIdentifier;
}

public Guid OrganizationId { get; init; }
public string OrganizationName { get; init; }
public string DomainName { get; init; }
public string OrganizationIdentifier { get; init; }
}
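Review bot: the parameterless constructor exists so Dapper can materialize rows from the stored procedure into this type; a one-line comment saying so would keep someone from deleting it as unused. With `init` setters and a full constructor the DTO is effectively immutable, which is the right shape for data that is returned to an anonymous caller. Codecov flags the parameterized constructor as untested; the response-model test suggested for the Api project would cover it.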
1 change: 1 addition & 0 deletions src/Core/Repositories/IOrganizationDomainRepository.cs
@@ -11,6 +11,7 @@ public interface IOrganizationDomainRepository : IRepository<OrganizationDomain,
Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId);
Task<ICollection<OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date);
Task<OrganizationDomainSsoDetailsData?> GetOrganizationDomainSsoDetailsAsync(string email);
Task<IEnumerable<VerifiedOrganizationDomainSsoDetail>> GetVerifiedOrganizationDomainSsoDetailsAsync(string email);
Task<OrganizationDomain?> GetDomainByIdOrganizationIdAsync(Guid id, Guid organizationId);
Task<OrganizationDomain?> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName);
Task<ICollection<OrganizationDomain>> GetExpiredOrganizationDomainsAsync();
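Review bot: the new member returns `IEnumerable<VerifiedOrganizationDomainSsoDetail>` while the sibling collection-returning methods on this interface return `ICollection<>`; returning `ICollection<>` would match the interface's convention and let callers check `Count` without re-enumerating, which the controller already works around by calling `.ToList()` on the result.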
@@ -71,6 +71,17 @@
}
}

public async Task<IEnumerable<VerifiedOrganizationDomainSsoDetail>> GetVerifiedOrganizationDomainSsoDetailsAsync(string email)
{
await using var connection = new SqlConnection(ConnectionString);

return await connection
.QueryAsync<VerifiedOrganizationDomainSsoDetail>(
$"[{Schema}].[VerifiedOrganizationDomainSsoDetails_ReadByEmail]",
new { Email = email },
commandType: CommandType.StoredProcedure);
}

public async Task<OrganizationDomain?> GetDomainByIdOrganizationIdAsync(Guid id, Guid orgId)
{
using (var connection = new SqlConnection(ConnectionString))
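Review bot: this implementation passes the raw email to the stored procedure, which extracts the domain in T-SQL, while the EF implementation in this PR derives it with `new MailAddress(email).Host`; the two paths can return different results for the same input (an address without `@` is treated as a whole-string domain by the procedure but throws in `MailAddress`, and case handling depends on SQL collation in one path and on `==` in the other). Suggest parsing and lower-casing the domain once in the caller and passing the domain to both providers, so the endpoint's behaviour does not depend on which database backs the deployment. Codecov shows the method untested; the repository integration tests should cover the found and not-found cases.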
@@ -95,6 +95,29 @@
return ssoDetails;
}

public async Task<IEnumerable<VerifiedOrganizationDomainSsoDetail>> GetVerifiedOrganizationDomainSsoDetailsAsync(string email)
{
var domainName = new MailAddress(email).Host;

using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
return await (from o in dbContext.Organizations
from od in o.Domains
join s in dbContext.SsoConfigs on o.Id equals s.OrganizationId into sJoin
from s in sJoin.DefaultIfEmpty()
Contributor
Do we want the same join on policy here?

Contributor Author
Policy is unneeded for this. The original join to Policy was about checking if SSO was required...which isn't a restraint we need for this query.

where od.DomainName == domainName
&& o.Enabled
&& s.Enabled
&& od.VerifiedDate != null
Contributor
This is missing some of the conditions from its MSSQL equivalent, like directly checking that the SSO policy is enabled for the organization.

Contributor Author
Good point. I looked over what I had in the sproc compared to what was being used, and I see that it doesn't actually care about the policy of SSO Required. It just cares if SSO is available (if they have an SSO config). So, I adjusted the sproc to reflect that, and that matches the EF query.

select new VerifiedOrganizationDomainSsoDetail(
o.Id,
o.Name,
od.DomainName,
o.Identifier))
.AsNoTracking()
.ToListAsync();
}

public async Task<Core.Entities.OrganizationDomain?> GetDomainByIdOrganizationIdAsync(Guid id, Guid orgId)
{
using var scope = ServiceScopeFactory.CreateScope();
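Review bot: the `join ... into sJoin` / `DefaultIfEmpty()` left join is negated by `s.Enabled` in the `where`, because a row with no `SsoConfig` has a null `s` and fails the predicate; an inner `join` states the requirement the thread settled on (the organization must have an enabled SSO config) directly and avoids a reader assuming organizations without SSO are returned. Separately, `new MailAddress(email)` throws `FormatException` on malformed input, which from an anonymous endpoint surfaces as an unhandled exception rather than a 400, so validate the address before the repository call; and `od.DomainName == domainName` relies on the provider's collation for case-insensitivity, so normalising both sides to lower case would make the comparison explicit.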
@@ -0,0 +1,23 @@
CREATE PROCEDURE [dbo].[VerifiedOrganizationDomainSsoDetails_ReadByEmail]
@Email NVARCHAR(256)
AS
BEGIN
SET NOCOUNT ON

DECLARE @Domain NVARCHAR(256)

SELECT @Domain = SUBSTRING(@Email, CHARINDEX( '@', @Email) + 1, LEN(@Email))

SELECT
O.Id AS OrganizationId,
O.Name AS OrganizationName,
O.Identifier AS OrganizationIdentifier,
OD.DomainName
FROM [dbo].[OrganizationView] O
INNER JOIN [dbo].[OrganizationDomainView] OD ON O.Id = OD.OrganizationId
LEFT JOIN [dbo].[Ssoconfig] S ON O.Id = S.OrganizationId
WHERE OD.DomainName = @Domain
AND O.Enabled = 1
AND OD.VerifiedDate IS NOT NULL
AND S.Enabled = 1
END
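Review bot: `LEFT JOIN [dbo].[Ssoconfig] S ... AND S.Enabled = 1` behaves as an `INNER JOIN`, since rows without an SSO config have a NULL `S.Enabled` and are filtered out; writing `INNER JOIN` makes the requirement explicit. The other two joins read through `OrganizationView` and `OrganizationDomainView` while this one reads the `Ssoconfig` table directly; check that is intended. Also, `SUBSTRING(@Email, CHARINDEX('@', @Email) + 1, LEN(@Email))` returns the whole input when there is no `@` (`CHARINDEX` yields 0), so a value without `@` is matched as a domain name; harmless for the result set, but worth a guard or a comment.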
@@ -316,4 +316,26 @@ public async Task GetOrgDomainSsoDetails_ShouldReturnOrganizationDomainSsoDetail

Assert.IsType<OrganizationDomainSsoDetailsResponseModel>(result);
}

[Theory, BitAutoData]
public async Task GetVerifiedOrgDomainSsoDetails_ShouldThrowNotFound_WhenEmailHasNotClaimedDomain(
OrganizationDomainSsoDetailsRequestModel model, SutProvider<OrganizationDomainController> sutProvider)
{
sutProvider.GetDependency<IOrganizationDomainRepository>()
.GetVerifiedOrganizationDomainSsoDetailsAsync(model.Email).Returns(Array.Empty<VerifiedOrganizationDomainSsoDetail>());

await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetOrgDomainSsoDetails(model));
}

[Theory, BitAutoData]
public async Task GetVerifiedOrgDomainSsoDetails_ShouldReturnOrganizationDomainSsoDetails_WhenEmailHasClaimedDomain(
OrganizationDomainSsoDetailsRequestModel model, IEnumerable<VerifiedOrganizationDomainSsoDetail> ssoDetailsData, SutProvider<OrganizationDomainController> sutProvider)
{
sutProvider.GetDependency<IOrganizationDomainRepository>()
.GetVerifiedOrganizationDomainSsoDetailsAsync(model.Email).Returns(ssoDetailsData);

var result = await sutProvider.Sut.GetVerifiedOrgDomainSsoDetailsAsync(model);

Assert.IsType<VerifiedOrganizationDomainSsoDetailsResponseModel>(result);
}
}
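Review bot: `GetVerifiedOrgDomainSsoDetails_ShouldThrowNotFound_WhenEmailHasNotClaimedDomain` calls `sutProvider.Sut.GetOrgDomainSsoDetails(model)`, the existing endpoint, rather than the new `GetVerifiedOrgDomainSsoDetailsAsync`, so it does not exercise the code under test; and as written the new action returns an empty `VerifiedOrganizationDomainSsoDetailsResponseModel` for an empty repository result rather than throwing `NotFoundException`, so pointing the test at the new method would make it fail. Decide which contract is wanted, align the controller and the test, and in the second test assert on the returned `Data` contents rather than only on the response type.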
@@ -0,0 +1,24 @@
CREATE OR ALTER PROCEDURE [dbo].[VerifiedOrganizationDomainSsoDetails_ReadByEmail]
@Email NVARCHAR(256)
AS
BEGIN
SET NOCOUNT ON

DECLARE @Domain NVARCHAR(256)

SELECT @Domain = SUBSTRING(@Email, CHARINDEX( '@', @Email) + 1, LEN(@Email))

SELECT
O.Id AS OrganizationId,
O.Name AS OrganizationName,
O.Identifier AS OrganizationIdentifier,
OD.DomainName
FROM [dbo].[OrganizationView] O
INNER JOIN [dbo].[OrganizationDomainView] OD ON O.Id = OD.OrganizationId
LEFT JOIN [dbo].[Ssoconfig] S ON O.Id = S.OrganizationId
WHERE OD.DomainName = @Domain
AND O.Enabled = 1
AND OD.VerifiedDate IS NOT NULL
AND S.Enabled = 1
END
GO