Merge branch 'main' into billing/PM-13834/provider-migration-no-clients

src/Admin/AdminConsole/Views/Organizations/_ViewInformation.cshtml

@@ -1,4 +1,6 @@
-@model OrganizationViewModel
+@inject Bit.Core.Services.IFeatureService FeatureService
+@model OrganizationViewModel
+
 <dl class="row">
  <dt class="col-sm-4 col-lg-3">Id</dt>
  <dd id="org-id" class="col-sm-8 col-lg-9"><code>@Model.Organization.Id</code></dd>
@@ -53,8 +55,19 @@
  <dt class="col-sm-4 col-lg-3">Administrators manage all collections</dt>
  <dd id="pm-manage-collections" class="col-sm-8 col-lg-9">@(Model.Organization.AllowAdminAccessToAllCollectionItems ? "On" : "Off")</dd>
 
- <dt class="col-sm-4 col-lg-3">Limit collection creation to administrators</dt>
- <dd id="pm-collection-creation" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionCreationDeletion ? "On" : "Off")</dd>
+ @if (!FeatureService.IsEnabled(Bit.Core.FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
+ {
+ <dt class="col-sm-4 col-lg-3">Limit collection creation to administrators</dt>
+ <dd id="pm-collection-creation" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionCreationDeletion ? "On" : "Off")</dd>
+ }
+ else
+ {
+ <dt class="col-sm-4 col-lg-3">Limit collection creation to administrators</dt>
+ <dd id="pm-collection-creation" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionCreation ? "On" : "Off")</dd>
+
+ <dt class="col-sm-4 col-lg-3">Limit collection deletion to administrators</dt>
+ <dd id="pm-collection-deletion" class="col-sm-8 col-lg-9">@(Model.Organization.LimitCollectionDeletion ? "On" : "Off")</dd>
+ }
 </dl>
 
 <h2>Secrets Manager</h2>

src/Api/AdminConsole/Controllers/OrganizationsController.cs

@@ -520,9 +520,16 @@ public async Task<OrganizationSsoResponseModel> PostSso(Guid id, [FromBody] Orga
  }
 
  [HttpPut("{id}/collection-management")]
- [SelfHosted(NotSelfHostedOnly = true)]
  public async Task<OrganizationResponseModel> PutCollectionManagement(Guid id, [FromBody] OrganizationCollectionManagementUpdateRequestModel model)
  {
+ if (
+ _globalSettings.SelfHosted &&
+ !_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit)
+ )
+ {
+ throw new BadRequestException("Only allowed when not self hosted.");
+ }
+
  var organization = await _organizationRepository.GetByIdAsync(id);
  if (organization == null)
  {
@@ -534,7 +541,7 @@ public async Task<OrganizationResponseModel> PutCollectionManagement(Guid id, [F
  throw new NotFoundException();
  }
 
- await _organizationService.UpdateAsync(model.ToOrganization(organization), eventType: EventType.Organization_CollectionManagement_Updated);
+ await _organizationService.UpdateAsync(model.ToOrganization(organization, _featureService), eventType: EventType.Organization_CollectionManagement_Updated);
  return new OrganizationResponseModel(organization);
  }
 }

src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs

@@ -55,6 +55,9 @@ public OrganizationResponseModel(Organization organization, string obj = "organi
  SmServiceAccounts = organization.SmServiceAccounts;
  MaxAutoscaleSmSeats = organization.MaxAutoscaleSmSeats;
  MaxAutoscaleSmServiceAccounts = organization.MaxAutoscaleSmServiceAccounts;
+ LimitCollectionCreation = organization.LimitCollectionCreation;
+ LimitCollectionDeletion = organization.LimitCollectionDeletion;
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
  AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
  }
@@ -98,6 +101,9 @@ public OrganizationResponseModel(Organization organization, string obj = "organi
  public int? SmServiceAccounts { get; set; }
  public int? MaxAutoscaleSmSeats { get; set; }
  public int? MaxAutoscaleSmServiceAccounts { get; set; }
+ public bool LimitCollectionCreation { get; set; }
+ public bool LimitCollectionDeletion { get; set; }
+ // Deperectated: https://bitwarden.atlassian.net/browse/PM-10863
  public bool LimitCollectionCreationDeletion { get; set; }
  public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }

src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs

@@ -65,6 +65,9 @@ public ProfileOrganizationResponseModel(
  FamilySponsorshipToDelete = organization.FamilySponsorshipToDelete;
  FamilySponsorshipValidUntil = organization.FamilySponsorshipValidUntil;
  AccessSecretsManager = organization.AccessSecretsManager;
+ LimitCollectionCreation = organization.LimitCollectionCreation;
+ LimitCollectionDeletion = organization.LimitCollectionDeletion;
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
  AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
  UserIsManagedByOrganization = organizationIdsManagingUser.Contains(organization.OrganizationId);
@@ -124,6 +127,9 @@ public ProfileOrganizationResponseModel(
  public DateTime? FamilySponsorshipValidUntil { get; set; }
  public bool? FamilySponsorshipToDelete { get; set; }
  public bool AccessSecretsManager { get; set; }
+ public bool LimitCollectionCreation { get; set; }
+ public bool LimitCollectionDeletion { get; set; }
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  public bool LimitCollectionCreationDeletion { get; set; }
  public bool AllowAdminAccessToAllCollectionItems { get; set; }
  /// <summary>

src/Api/AdminConsole/Models/Response/ProfileProviderOrganizationResponseModel.cs

@@ -44,6 +44,9 @@ public ProfileProviderOrganizationResponseModel(ProviderUserOrganizationDetails
  ProviderId = organization.ProviderId;
  ProviderName = organization.ProviderName;
  ProductTierType = StaticStore.GetPlan(organization.PlanType).ProductTier;
+ LimitCollectionCreation = organization.LimitCollectionCreation;
+ LimitCollectionDeletion = organization.LimitCollectionDeletion;
+ // https://bitwarden.atlassian.net/browse/PM-10863
  LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
  AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
  }

src/Api/Models/Request/Organizations/OrganizationCollectionManagementUpdateRequestModel.cs

@@ -1,15 +1,29 @@
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Services;
 
 namespace Bit.Api.Models.Request.Organizations;
 
 public class OrganizationCollectionManagementUpdateRequestModel
 {
+ public bool LimitCollectionCreation { get; set; }
+ public bool LimitCollectionDeletion { get; set; }
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  public bool LimitCreateDeleteOwnerAdmin { get; set; }
  public bool AllowAdminAccessToAllCollectionItems { get; set; }
 
- public virtual Organization ToOrganization(Organization existingOrganization)
+ public virtual Organization ToOrganization(Organization existingOrganization, IFeatureService featureService)
  {
- existingOrganization.LimitCollectionCreationDeletion = LimitCreateDeleteOwnerAdmin;
+ if (featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
+ {
+ existingOrganization.LimitCollectionCreation = LimitCollectionCreation;
+ existingOrganization.LimitCollectionDeletion = LimitCollectionDeletion;
+ }
+ else
+ {
+ existingOrganization.LimitCollectionCreationDeletion = LimitCreateDeleteOwnerAdmin || LimitCollectionCreation || LimitCollectionDeletion;
+ }
+
  existingOrganization.AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems;
  return existingOrganization;
  }

src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs

@@ -1,5 +1,6 @@
 #nullable enable
 using System.Diagnostics;
+using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -101,7 +102,7 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
  break;
 
  case null:
- // requirement isn't actually nullable but since we use the 
+ // requirement isn't actually nullable but since we use the
  // not null when trick it makes the compiler think that requirement
  // could actually be nullable.
  throw new UnreachableException();
@@ -123,10 +124,24 @@ private async Task<bool> CanCreateAsync(CurrentContextOrganization? org)
  return true;
  }
 
- // If the limit collection management setting is disabled, allow any user to create collections
- if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+ if (_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
  {
- return true;
+ var userIsMemberOfOrg = org is not null;
+ var limitCollectionCreationEnabled = await GetOrganizationAbilityAsync(org) is { LimitCollectionCreation: true };
+ var userIsOrgOwnerOrAdmin = org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
+ // If the limit collection management setting is disabled, allow any user to create collections
+ if (userIsMemberOfOrg && (!limitCollectionCreationEnabled || userIsOrgOwnerOrAdmin))
+ {
+ return true;
+ }
+ }
+ else
+ {
+ // If the limit collection management setting is disabled, allow any user to create collections
+ if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+ {
+ return true;
+ }
  }
 
  // Allow provider users to create collections if they are a provider for the target organization
@@ -246,21 +261,35 @@ private async Task<bool> CanDeleteAsync(ICollection<Collection> resources, Curre
  return true;
  }
 
- // If AllowAdminAccessToAllCollectionItems is true, Owners and Admins can delete any collection, regardless of LimitCollectionCreationDeletion setting
+ // If AllowAdminAccessToAllCollectionItems is true, Owners and Admins can delete any collection, regardless of LimitCollectionDeletion setting
  if (await AllowAdminAccessToAllCollectionItems(org) && org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin })
  {
  return true;
  }
 
- // If LimitCollectionCreationDeletion is false, AllowAdminAccessToAllCollectionItems setting is irrelevant.
- // Ensure acting user has manage permissions for all collections being deleted
- // If LimitCollectionCreationDeletion is true, only Owners and Admins can delete collections they manage
- var organizationAbility = await GetOrganizationAbilityAsync(org);
- var canDeleteManagedCollections = organizationAbility is { LimitCollectionCreationDeletion: false } ||
- org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
- if (canDeleteManagedCollections && await CanManageCollectionsAsync(resources, org))
+ if (_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
  {
- return true;
+ var userIsMemberOfOrg = org is not null;
+ var limitCollectionDeletionEnabled = await GetOrganizationAbilityAsync(org) is { LimitCollectionDeletion: true };
+ var userIsOrgOwnerOrAdmin = org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
+ // If the limit collection management setting is disabled, allow any user to delete collections
+ if (userIsMemberOfOrg && (!limitCollectionDeletionEnabled || userIsOrgOwnerOrAdmin) && await CanManageCollectionsAsync(resources, org))
+ {
+ return true;
+ }
+ }
+ else
+ {
+ // If LimitCollectionCreationDeletion is false, AllowAdminAccessToAllCollectionItems setting is irrelevant.
+ // Ensure acting user has manage permissions for all collections being deleted
+ // If LimitCollectionCreationDeletion is true, only Owners and Admins can delete collections they manage
+ var organizationAbility = await GetOrganizationAbilityAsync(org);
+ var canDeleteManagedCollections = organizationAbility is { LimitCollectionCreationDeletion: false } ||
+ org is { Type: OrganizationUserType.Owner or OrganizationUserType.Admin };
+ if (canDeleteManagedCollections && await CanManageCollectionsAsync(resources, org))
+ {
+ return true;
+ }
  }
 
  // Allow providers to delete collections if they are a provider for the target organization

src/Core/AdminConsole/Entities/Organization.cs

@@ -7,6 +7,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
+using Bit.Core.Services;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Utilities;
 
@@ -93,7 +94,20 @@ public class Organization : ITableObject<Guid>, IStorableSubscriber, IRevisable,
  /// If set to false, any organization member can create a collection, and any member can delete a collection that
  /// they have Can Manage permissions for.
  /// </summary>
- public bool LimitCollectionCreationDeletion { get; set; }
+ public bool LimitCollectionCreation { get; set; }
+ public bool LimitCollectionDeletion { get; set; }
+ // Deprecated by https://bitwarden.atlassian.net/browse/PM-10863. This
+ // was replaced with `LimitCollectionCreation` and
+ // `LimitCollectionDeletion`.
+ public bool LimitCollectionCreationDeletion
+ {
+ get => LimitCollectionCreation || LimitCollectionDeletion;
+ set
+ {
+ LimitCollectionCreation = value;
+ LimitCollectionDeletion = value;
+ }
+ }
 
  /// <summary>
  /// If set to true, admins, owners, and some custom users can read/write all collections and items in the Admin Console.
@@ -265,7 +279,7 @@ public bool TwoFactorIsEnabled()
  return providers[provider];
  }
 
- public void UpdateFromLicense(OrganizationLicense license)
+ public void UpdateFromLicense(OrganizationLicense license, IFeatureService featureService)
  {
  // The following properties are intentionally excluded from being updated:
  // - Id - self-hosted org will have its own unique Guid
@@ -300,7 +314,11 @@ public void UpdateFromLicense(OrganizationLicense license)
  UseSecretsManager = license.UseSecretsManager;
  SmSeats = license.SmSeats;
  SmServiceAccounts = license.SmServiceAccounts;
- LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion;
- AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems;
+
+ if (!featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
+ {
+ LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion;
+ AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems;
+ }
  }
 }

src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs

@@ -21,6 +21,9 @@ public OrganizationAbility(Organization organization)
  UseResetPassword = organization.UseResetPassword;
  UseCustomPermissions = organization.UseCustomPermissions;
  UsePolicies = organization.UsePolicies;
+ LimitCollectionCreation = organization.LimitCollectionCreation;
+ LimitCollectionDeletion = organization.LimitCollectionDeletion;
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
  AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
  }
@@ -37,6 +40,9 @@ public OrganizationAbility(Organization organization)
  public bool UseResetPassword { get; set; }
  public bool UseCustomPermissions { get; set; }
  public bool UsePolicies { get; set; }
+ public bool LimitCollectionCreation { get; set; }
+ public bool LimitCollectionDeletion { get; set; }
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  public bool LimitCollectionCreationDeletion { get; set; }
  public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }

src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs

@@ -54,6 +54,9 @@ public class OrganizationUserOrganizationDetails
  public bool UsePasswordManager { get; set; }
  public int? SmSeats { get; set; }
  public int? SmServiceAccounts { get; set; }
+ public bool LimitCollectionCreation { get; set; }
+ public bool LimitCollectionDeletion { get; set; }
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  public bool LimitCollectionCreationDeletion { get; set; }
  public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }

src/Core/AdminConsole/Models/Data/Organizations/SelfHostedOrganizationDetails.cs

@@ -144,6 +144,9 @@ public Organization ToOrganization()
  RevisionDate = RevisionDate,
  MaxAutoscaleSeats = MaxAutoscaleSeats,
  OwnersNotifiedOfAutoscaling = OwnersNotifiedOfAutoscaling,
+ LimitCollectionCreation = LimitCollectionCreation,
+ LimitCollectionDeletion = LimitCollectionDeletion,
+ // Deprecated: https://bitwarden.atlassian.net/browse/PM-10863
  LimitCollectionCreationDeletion = LimitCollectionCreationDeletion,
  AllowAdminAccessToAllCollectionItems = AllowAdminAccessToAllCollectionItems,
  Status = Status

src/Core/AdminConsole/Models/Data/Provider/ProviderUserOrganizationDetails.cs

@@ -40,6 +40,8 @@ public class ProviderUserOrganizationDetails
  [JsonConverter(typeof(HtmlEncodingStringConverter))]
  public string ProviderName { get; set; }
  public PlanType PlanType { get; set; }
+ public bool LimitCollectionCreation { get; set; }
+ public bool LimitCollectionDeletion { get; set; }
  public bool LimitCollectionCreationDeletion { get; set; }
  public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }

src/Core/AdminConsole/Services/Implementations/OrganizationService.cs

@@ -708,10 +708,16 @@ private async Task ValidateSignUpPoliciesAsync(Guid ownerId)
  UseSecretsManager = license.UseSecretsManager,
  SmSeats = license.SmSeats,
  SmServiceAccounts = license.SmServiceAccounts,
- LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion,
- AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems,
  };
 
+ // These fields are being removed from consideration when processing
+ // licenses.
+ if (!_featureService.IsEnabled(FeatureFlagKeys.LimitCollectionCreationDeletionSplit))
+ {
+ organization.LimitCollectionCreationDeletion = license.LimitCollectionCreationDeletion;
+ organization.AllowAdminAccessToAllCollectionItems = license.AllowAdminAccessToAllCollectionItems;
+ }
+
  var result = await SignUpAsync(organization, owner.Id, ownerKey, collectionName, false);
 
  var dir = $"{_globalSettings.LicenseDirectory}/organization";

src/Core/Constants.cs

@@ -146,6 +146,7 @@ public static class FeatureFlagKeys
  public const string RemoveServerVersionHeader = "remove-server-version-header";
  public const string AccessIntelligence = "pm-13227-access-intelligence";
  public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
+ public const string LimitCollectionCreationDeletionSplit = "pm-10863-limit-collection-creation-deletion-split";
 
  public static List<string> GetAllKeys()
  {