bitwarden · eliykat · Jan 27, 2025 · Jan 27, 2025 · Jan 27, 2025 · Jan 28, 2025
@@ -1,11 +1,13 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.Enums;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.Data.Organizations.OrganizationUsers;
 
 public class OrganizationUserPolicyDetails
 {
-    public Guid OrganizationUserId { get; set; }
+    public Guid? OrganizationUserId { get; set; }
 
     public Guid OrganizationId { get; set; }
 
@@ -22,4 +24,9 @@
     public string OrganizationUserPermissionsData { get; set; }
 
     public bool IsProvider { get; set; }
+
+    public T GetDataModel<T>() where T : IPolicyDataModel, new()
+    {
+        return CoreHelpers.LoadClassFromJsonData<T>(PolicyData);
+    }
 }
@@ -1,4 +1,6 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Billing.Enums;
@@ -13,7 +15,7 @@
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.DataProtection;
 
-namespace Bit.Core.OrganizationFeatures.OrganizationUsers;
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 
 public class AcceptOrgUserCommand : IAcceptOrgUserCommand
 {
@@ -25,6 +27,8 @@
     private readonly IMailService _mailService;
     private readonly IUserRepository _userRepository;
     private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
+    private readonly IFeatureService _featureService;
 
     public AcceptOrgUserCommand(
         IDataProtectionProvider dataProtectionProvider,
@@ -34,7 +38,9 @@
         IPolicyService policyService,
         IMailService mailService,
         IUserRepository userRepository,
-        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory)
+        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
+        IPolicyRequirementQuery policyRequirementQuery,
+        IFeatureService featureService)
     {
 
         // TODO: remove data protector when old token validation removed
@@ -46,8 +52,13 @@
         _mailService = mailService;
         _userRepository = userRepository;
         _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
+        _policyRequirementQuery = policyRequirementQuery;
+        _featureService = featureService;
     }
 
+    public const string ErrorBlockedByThisSingleOrganizationPolicy = "You may not join this organization until you leave or remove all other organizations.";
+    public const string ErrorBlockedByOtherSingleOrganizationPolicy = "You cannot join this organization because you are a member of another organization which forbids it";
+
     public async Task<OrganizationUser> AcceptOrgUserByEmailTokenAsync(Guid organizationUserId, User user, string emailToken,
         IUserService userService)
     {
@@ -172,7 +183,35 @@
             }
         }
 
-        // Enforce Single Organization Policy of organization user is trying to join
+        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
+        {
+            await EnforcePolicies_vNext(user, orgUser, userService);
+        }
+        else
+        {
+            await EnforcePolicies(user, orgUser, userService);
+        }
+
+        orgUser.Status = OrganizationUserStatusType.Accepted;
+        orgUser.UserId = user.Id;
+        orgUser.Email = null;
+
+        await _organizationUserRepository.ReplaceAsync(orgUser);
+
+        var admins = await _organizationUserRepository.GetManyByMinimumRoleAsync(orgUser.OrganizationId, OrganizationUserType.Admin);
+        var adminEmails = admins.Select(a => a.Email).Distinct().ToList();
+
+        if (adminEmails.Count > 0)
+        {
+            var organization = await _organizationRepository.GetByIdAsync(orgUser.OrganizationId);
+            await _mailService.SendOrganizationAcceptedEmailAsync(organization, user.Email, adminEmails);
+        }
+
+        return orgUser;
+    }
+
+    private async Task EnforcePolicies(User user, OrganizationUser orgUser, IUserService userService)
+    {
         var allOrgUsers = await _organizationUserRepository.GetManyByUserAsync(user.Id);
         var hasOtherOrgs = allOrgUsers.Any(ou => ou.OrganizationId != orgUser.OrganizationId);
         var invitedSingleOrgPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id,
@@ -201,23 +240,34 @@
                 throw new BadRequestException("You cannot join this organization until you enable two-step login on your user account.");
             }
         }
+    }
 
-        orgUser.Status = OrganizationUserStatusType.Accepted;
-        orgUser.UserId = user.Id;
-        orgUser.Email = null;
-
-        await _organizationUserRepository.ReplaceAsync(orgUser);
-
-        var admins = await _organizationUserRepository.GetManyByMinimumRoleAsync(orgUser.OrganizationId, OrganizationUserType.Admin);
-        var adminEmails = admins.Select(a => a.Email).Distinct().ToList();
+    private async Task EnforcePolicies_vNext(User user, OrganizationUser orgUser, IUserService userService)
+    {
+        var singleOrganizationRequirement =
+            await _policyRequirementQuery.GetAsync<SingleOrganizationPolicyRequirement>(user.Id);
 
-        if (adminEmails.Count > 0)
+        switch (singleOrganizationRequirement.CanJoinOrganization(orgUser.OrganizationId))
         {
-            var organization = await _organizationRepository.GetByIdAsync(orgUser.OrganizationId);
-            await _mailService.SendOrganizationAcceptedEmailAsync(organization, user.Email, adminEmails);
+            case SingleOrganizationRequirementResult.BlockedByThisOrganization:
+                throw new BadRequestException(ErrorBlockedByThisSingleOrganizationPolicy);
+            case SingleOrganizationRequirementResult.BlockedByOtherOrganization:
+                throw new BadRequestException(ErrorBlockedByOtherSingleOrganizationPolicy);
+            case SingleOrganizationRequirementResult.Ok:
+            default:
+                break;
         }
 
-        return orgUser;
+        // TODO: this will be rewritten once a requirement is added
+        // Enforce Two Factor Authentication Policy of organization user is trying to join
+        if (!await userService.TwoFactorIsEnabledAsync(user))
+        {
+            var invitedTwoFactorPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id,
+                PolicyType.TwoFactorAuthentication, OrganizationUserStatusType.Invited);
+            if (invitedTwoFactorPolicies.Any(p => p.OrganizationId == orgUser.OrganizationId))
+            {
+                throw new BadRequestException("You cannot join this organization until you enable two-step login on your user account.");
+            }
+        }
     }
-
 }
@@ -0,0 +1,8 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+
+public interface IPolicyRequirementQuery
+{
+    Task<T> GetAsync<T>(Guid userId) where T : IPolicyRequirement;
+}
@@ -0,0 +1,55 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Settings;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.Implementations;
+
+public class PolicyRequirementQuery : IPolicyRequirementQuery
+{
+    private readonly IPolicyRepository _policyRepository;
+    private readonly PolicyRequirementRegistry _policyRequirements = new();
+
+    public PolicyRequirementQuery(IPolicyRepository policyRepository)
+    {
+        _policyRepository = policyRepository;
+
+        // Register Policy Requirement factory functions below
+        _policyRequirements.Add(SingleOrganizationPolicyRequirement.Create);
+    }
+
+    public async Task<T> GetAsync<T>(Guid userId) where T : IPolicyRequirement
+        => _policyRequirements.Get<T>()(await GetPolicyDetails(userId));
+
+    private Task<IEnumerable<OrganizationUserPolicyDetails>> GetPolicyDetails(Guid userId) =>
+        _policyRepository.GetPolicyDetailsByUserId(userId);
+
+    /// <summary>
+    /// Helper class used to register and retrieve Policy Requirement factories by type.
+    /// </summary>
+    private class PolicyRequirementRegistry
+    {
+        private readonly Dictionary<Type, CreateRequirement<IPolicyRequirement>> _registry = new();
+
+        public void Add<T>(CreateRequirement<T> factory) where T : IPolicyRequirement
+        {
+            // Explicitly convert T to an IPolicyRequirement (C# doesn't do this automatically).
+            IPolicyRequirement Converted(IEnumerable<OrganizationUserPolicyDetails> up) => factory(up);
+            _registry.Add(typeof(T), Converted);
+        }
+
+        public CreateRequirement<T> Get<T>() where T : IPolicyRequirement
+        {
+            if (!_registry.TryGetValue(typeof(T), out var factory))
+            {
+                throw new NotImplementedException("No Policy Requirement found for " + typeof(T));
+            }
+
+            // Explicitly convert IPolicyRequirement back to T (C# doesn't do this automatically).
+            // The cast here relies on the Register method correctly associating the type and factory function.
+            T Converted(IEnumerable<OrganizationUserPolicyDetails> up) => (T)factory(up);
+            return Converted;
+        }
+    }
+}
+
@@ -0,0 +1,8 @@
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public interface IPolicyRequirement;
+
+public delegate T CreateRequirement<T>(IEnumerable<OrganizationUserPolicyDetails> userPolicyDetails)
+    where T : IPolicyRequirement;
@@ -0,0 +1,29 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public static class PolicyRequirementHelpers
+{
+    public static IEnumerable<OrganizationUserPolicyDetails> GetPolicyType(
+        this IEnumerable<OrganizationUserPolicyDetails> userPolicyDetails,
+        PolicyType type) =>
+            userPolicyDetails.Where(x => x.PolicyType == type);
+
+    public static IEnumerable<OrganizationUserPolicyDetails> ExcludeOwnersAndAdmins(
+        this IEnumerable<OrganizationUserPolicyDetails> userPolicyDetails) =>
+            userPolicyDetails.Where(x => x.OrganizationUserType != OrganizationUserType.Owner);
-            userPolicyDetails.Where(x => x.OrganizationUserType != OrganizationUserType.Owner);
+            userPolicyDetails.Where(x => x.OrganizationUserType is not OrganizationUserType.Owner and not OrganizationUserType.Admin);
-            userPolicyDetails.Where(x => x.OrganizationUserType != OrganizationUserType.Owner);
+            userPolicyDetails.Where(x => x.OrganizationUserType is not OrganizationUserType.Owner and not OrganizationUserType.Admin);
+
+    public static IEnumerable<OrganizationUserPolicyDetails> ExcludeProviders(
+        this IEnumerable<OrganizationUserPolicyDetails> userPolicyDetails) =>
+            userPolicyDetails.Where(x => !x.IsProvider);
+
+    public static IEnumerable<OrganizationUserPolicyDetails> ExcludeRevokedAndInvitedUsers(
+        this IEnumerable<OrganizationUserPolicyDetails> userPolicyDetails) =>
+            userPolicyDetails.Where(x => x.OrganizationUserStatus >= OrganizationUserStatusType.Accepted);
+
+    public static IEnumerable<OrganizationUserPolicyDetails> ExcludeRevokedUsers(
+        this IEnumerable<OrganizationUserPolicyDetails> userPolicyDetails) =>
+            userPolicyDetails.Where(x => x.OrganizationUserStatus >= OrganizationUserStatusType.Invited);
+}
@@ -0,0 +1,51 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public enum SingleOrganizationRequirementResult
+{
+    Ok = 1,
+    BlockedByThisOrganization = 2,
+    BlockedByOtherOrganization = 3
+}
+
+public class SingleOrganizationPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// Single organization policy details filtered by user role but not status.
+    /// This lets us check whether a user is compliant before being accepted/restored.
+    /// </summary>
+    private IEnumerable<OrganizationUserPolicyDetails> PolicyDetails { get; init; }
+
+    public static SingleOrganizationPolicyRequirement Create(IEnumerable<OrganizationUserPolicyDetails> userPolicyDetails)
+        => new()
+        {
+            PolicyDetails = userPolicyDetails
+                .GetPolicyType(PolicyType.SingleOrg)
+                .ExcludeOwnersAndAdmins()
+                .ExcludeProviders()
+                .ToList()
+        };
+
+    public SingleOrganizationRequirementResult CanJoinOrganization(Guid organizationId)
+    {
+        // Check for the org the user is trying to join; status doesn't matter
+        if (PolicyDetails.Any(x => x.OrganizationId == organizationId))
+        {
+            return SingleOrganizationRequirementResult.BlockedByThisOrganization;
+        }
+
+        // Check for other orgs the user might already be a member of (accepted or confirmed status only)
+        if (PolicyDetails.ExcludeRevokedAndInvitedUsers().Any())
+        {
+            return SingleOrganizationRequirementResult.BlockedByOtherOrganization;
+        }
+
+        return SingleOrganizationRequirementResult.Ok;
+    }
+
+    public SingleOrganizationRequirementResult CanBeRestoredToOrganization(Guid organizationId) =>
+        CanJoinOrganization(organizationId);
+}
@@ -12,6 +12,7 @@ public static void AddPolicyServices(this IServiceCollection services)
     {
         services.AddScoped<IPolicyService, PolicyService>();
         services.AddScoped<ISavePolicyCommand, SavePolicyCommand>();
+        services.AddScoped<IPolicyRequirementQuery, PolicyRequirementQuery>();
 
         services.AddScoped<IPolicyValidator, TwoFactorAuthenticationPolicyValidator>();
         services.AddScoped<IPolicyValidator, SingleOrgPolicyValidator>();

@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 
 #nullable enable
@@ -11,4 +12,5 @@ public interface IPolicyRepository : IRepository<Policy, Guid>
     Task<Policy?> GetByOrganizationIdTypeAsync(Guid organizationId, PolicyType type);
     Task<ICollection<Policy>> GetManyByOrganizationIdAsync(Guid organizationId);
     Task<ICollection<Policy>> GetManyByUserIdAsync(Guid userId);
+    Task<IEnumerable<OrganizationUserPolicyDetails>> GetPolicyDetailsByUserId(Guid userId);
 }
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
@@ -109,6 +109,7 @@ public static class FeatureFlagKeys
     public const string DeviceApprovalRequestAdminNotifications = "pm-15637-device-approval-request-admin-notifications";
     public const string LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission";
     public const string PushSyncOrgKeysOnRevokeRestore = "pm-17168-push-sync-org-keys-on-revoke-restore";
+    public const string PolicyRequirements = "pm-14439-policy-requirements";
 
     /* Tools Team */
     public const string ItemShare = "item-share";

diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
@@ -1372,7 +1372,7 @@ private async Task CheckPoliciesOnTwoFactorRemovalAsync(User user)
                 await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
                     new RevokeOrganizationUsersRequest(
                         p.OrganizationId,
-                        [new OrganizationUserUserDetails { Id = p.OrganizationUserId, OrganizationId = p.OrganizationId }],
+                        [new OrganizationUserUserDetails { Id = p.OrganizationUserId!.Value, OrganizationId = p.OrganizationId }],
                         new SystemUser(EventSystemUser.TwoFactorDisabled)));
                 await _mailService.SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization.DisplayName(), user.Email);
             }

@@ -2,6 +2,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Settings;
 using Bit.Infrastructure.Dapper.Repositories;
 using Dapper;
@@ -59,4 +60,17 @@
             return results.ToList();
         }
     }
+
+    public async Task<IEnumerable<OrganizationUserPolicyDetails>> GetPolicyDetailsByUserId(Guid userId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationUserPolicyDetails>(
+                $"[{Schema}].[PolicyDetails_ReadByUserId]",
+                new { UserId = userId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }
@@ -1,6 +1,7 @@
 using AutoMapper;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
 using Bit.Infrastructure.EntityFramework.AdminConsole.Repositories.Queries;
 using Bit.Infrastructure.EntityFramework.Repositories;
@@ -50,4 +51,6 @@
             return Mapper.Map<List<AdminConsoleEntities.Policy>>(results);
         }
     }
+
+    public Task<IEnumerable<OrganizationUserPolicyDetails>> GetPolicyDetailsByUserId(Guid userId) => throw new NotImplementedException();
 }