feature: Support single organization policy #1991
Conversation
| @@ -0,0 +1,7 @@ | |||
| Removed from {{{org_name}}} | |||
| <!----------------> | |||
| You have been removed from organization *{{org_name}}* because you a member of multiple organizations, but it requires you to be a member of only it. | |||
There was a problem hiding this comment.
The "it" part is unclear
There was a problem hiding this comment.
You should probably review the relevant upstream PRs:
- Only org policy bitwarden/server#962
- Exempt owners and admins from single org and 2FA policy bitwarden/server#1171
- Extract single-org policy check to OrganizationService bitwarden/server#1410
Email notification:
Error messages:
- https://github.com/bitwarden/server/blob/dac3b3e8939504959d94c2e2fd13789723ab2d57/src/Core/Services/Implementations/OrganizationService.cs#L653-L654
- https://github.com/bitwarden/server/blob/dac3b3e8939504959d94c2e2fd13789723ab2d57/src/Core/Services/Implementations/OrganizationService.cs#L1342-L1343
- https://github.com/bitwarden/server/blob/dac3b3e8939504959d94c2e2fd13789723ab2d57/src/Core/Services/Implementations/OrganizationService.cs#L1357-L1358
src/api/core/organizations.rs
Outdated
| /// enabled isn't allowed to create new organizations or join other organizations | ||
| /// | ||
| /// Ref: https://bitwarden.com/help/article/policies/#single-organization | ||
| fn enforce_single_organization_policy(user_uuid: &String, conn: &DbConn) -> EmptyResult { |
There was a problem hiding this comment.
Given that this function is called from a couple of places, it would probably be better located near the top of the file.
There was a problem hiding this comment.
I ended up inlining this function - given it's really just one very simple if statement and an error message (that needs to change depending on context) that seems to be the more sensible way. Also saw this other PR review comment that suggested we prefer inlining very small functions.
src/api/core/organizations.rs
Outdated
| @@ -102,6 +102,7 @@ fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn | |||
| if !CONFIG.is_org_creation_allowed(&headers.user.email) { | |||
| err!("User not allowed to create organizations") | |||
| } | |||
| enforce_single_organization_policy(&headers.user.uuid, &conn)?; | |||
There was a problem hiding this comment.
This currently returns an error message about joining an org, not creating one.
There was a problem hiding this comment.
Good catch - have updated the error message to match upstream.
| @@ -0,0 +1,7 @@ | |||
| Removed from {{{org_name}}} | |||
There was a problem hiding this comment.
Consider keeping these messages the same as upstream if possible. The message you have below is missing a word anyway ("because you are a member").
There was a problem hiding this comment.
I've made this match upstream, seems like the sensible thing to do 👍
src/api/core/organizations.rs
Outdated
| @@ -747,6 +748,8 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD | |||
| err!("You cannot join this organization until you enable two-step login on your user account.") | |||
| } | |||
|
|
|||
| enforce_single_organization_policy(&user_org.user_uuid, &conn)?; | |||
There was a problem hiding this comment.
Upstream actually does two checks in the accept flow:
-
If the org the user is joining has the single org policy enabled and the user isn't joining as an owner/admin, then reject the acceptance if the user is already a member of any other org. This check isn't implemented currently AFAICT.
-
Otherwise, if the user is an accepted or confirmed member of an org with the single org policy enabled, then reject the acceptance. This is what the current check does, except it only checks for confirmed users instead of accepted users as well. That's sort of an edge case and maybe we can let it slide for now, given that some of our other policy implementations would have the same issue.
There was a problem hiding this comment.
Correct, I missed check 1 and have now implemented it. One thing that might be worth noting is that like upstream, I have included invited org users (checks allOrgUsers are the same org, and the query doesn't filter out invites).
On 2, yes this is an issue which is shared by many of the policy checks - I've renamed a couple methods to make it more explicit about what they're checking and added a TODO to check against accepted users too like upstream. I think this may be best in a separate PR as it'll probably require updating the way many of the policy checks are done.
Another thing to note is that because we auto-accept users when email is disabled without running through these checks, they are not enforced there. Again, this is a problem with all the checks but I'm not sure the most sensible way to go about resolving this?
There was a problem hiding this comment.
AFAIK having no email service is not a configuration that's expected or designed for in upstream Bitwarden, so people who don't bother configuring it shouldn't expect things to work completely normally.
src/api/core/organizations.rs
Outdated
| let org_list = UserOrganization::find_by_org(&org_id, &conn); | ||
|
|
||
| for user_org in org_list.into_iter() { | ||
| if user_org.atype < UserOrgType::Admin { |
There was a problem hiding this comment.
This should also filter out users in Invited state: https://github.com/bitwarden/server/blob/dac3b3e8939504959d94c2e2fd13789723ab2d57/src/Core/Services/Implementations/PolicyService.cs#L88
Those users will just get the appropriate error message when they try to accept.
There was a problem hiding this comment.
Have updated.
FYI I think the 2FA organization policy also misses this. I can raise a PR to fix that if you'd like?
vaultwarden: https://github.com/dani-garcia/vaultwarden/blob/main/src/api/core/organizations.rs#L1210
upstream (bitwarden/server): https://github.com/bitwarden/server/blob/dac3b3e8939504959d94c2e2fd13789723ab2d57/src/Core/Services/Implementations/PolicyService.cs#L93
There was a problem hiding this comment.
The 2FA org policy isn't my code anyway, but if there's something that can be fixed or improved, feel free.
| @@ -1219,6 +1248,29 @@ fn put_policy( | |||
| } | |||
| } | |||
|
|
|||
| if pol_type_enum == OrgPolicyType::SingleOrg && data.enabled { | |||
There was a problem hiding this comment.
Some comments that summarize what this code is trying to do would be nice, but I think it would read more clearly with org_list renamed to org_members and user_org renamed to member.
There was a problem hiding this comment.
Good feedback, have renamed variables as suggested and added explanatory comments
src/api/core/organizations.rs
Outdated
| if user_org.atype < UserOrgType::Admin { | ||
| let is_member_of_another_org = UserOrganization::find_any_state_by_user(&user_org.user_uuid, &conn) | ||
| .into_iter() | ||
| .filter(|uo| uo.org_uuid != user_org.org_uuid) |
There was a problem hiding this comment.
This should also filter out users in Invited state: https://github.com/bitwarden/server/blob/dac3b3e8939504959d94c2e2fd13789723ab2d57/src/Core/Services/Implementations/PolicyService.cs#L112
Otherwise users will be dropped from this single org even if they didn't intend to join the other org they were invited to.
There was a problem hiding this comment.
Good catch, fixed 👍
This adds back-end support for the [single organization policy](https://bitwarden.com/help/article/policies/#single-organization).
domdomegg
force-pushed
the
domdomegg/single-organization-policy
branch
from
af74de0
to
d014eed
Compare
|
Thanks @jjlin for your detailed, timely and valuable feedback on this. And thanks @dani-garcia for merging 🙌 |
The single organization is now supported by vaultwarden, as per dani-garcia/vaultwarden#1991 We can therefore stop hiding the setting in the web UI.
This adds back-end support for the single organization policy.
This is listed on the wiki as a feature in scope for Vaultwarden that a contribution would be welcome for.
NB: this is not already done by #1955, despite that PR enabling the enum for it (it only implements the RequireSso policy).