Add Org user revoke feature

This PR adds a the new v2022.8.x revoke feature which allows an
organization owner or admin to revoke access for one or more users.

This PR also fixes several permissions and policy checks which were faulty.

- Modified some functions to use DB Count features instead of iter/count aftwards.
- Rearanged some if statements (faster matching or just one if instead of nested if's)
- Added and fixed several policy checks where needed
- Some small updates on some response models
- Made some functions require an enum instead of an i32

src/api/admin.rs

@@ -418,15 +418,26 @@ async fn update_user_org_type(data: Json<UserOrgTypeData>, _token: AdminToken, c
     };
 
     if user_to_edit.atype == UserOrgType::Owner && new_type != UserOrgType::Owner {
-        // Removing owner permmission, check that there are at least another owner
-        let num_owners =
-            UserOrganization::find_by_org_and_type(&data.org_uuid, UserOrgType::Owner as i32, &conn).await.len();
-
-        if num_owners <= 1 {
+        // Removing owner permmission, check that there is at least one other confirmed owner
+        if UserOrganization::count_confirmed_by_org_and_type(&data.org_uuid, UserOrgType::Owner, &conn).await <= 1 {
             err!("Can't change the type of the last owner")
         }
     }
 
+    // This check is also done at api::organizations::{accept_invite(), _confirm_invite, _activate_user(), edit_user()}, update_user_org_type
+    // It returns different error messages per function.
+    if new_type < UserOrgType::Admin {
+        match OrgPolicy::is_user_allowed(&user_to_edit.user_uuid, &user_to_edit.org_uuid, true, &conn).await {
+            Ok(_) => {}
+            Err(OrgPolicyErr::TwoFactorMissing) => {
+                err!("You cannot modify this user to this type because it has no two-step login method activated");
+            }
+            Err(OrgPolicyErr::SingleOrgEnforced) => {
+                err!("You cannot modify this user to this type because it is a member of an organization which forbids it");
+            }
+        }
+    }
+
     user_to_edit.atype = new_type;
     user_to_edit.save(&conn).await
 }

src/api/core/ciphers.rs

@@ -328,7 +328,7 @@ async fn enforce_personal_ownership_policy(data: Option<&CipherData>, headers: &
     if data.is_none() || data.unwrap().OrganizationId.is_none() {
         let user_uuid = &headers.user.uuid;
         let policy_type = OrgPolicyType::PersonalOwnership;
-        if OrgPolicy::is_applicable_to_user(user_uuid, policy_type, conn).await {
+        if OrgPolicy::is_applicable_to_user(user_uuid, policy_type, None, conn).await {
             err!("Due to an Enterprise Policy, you are restricted from saving items to your personal vault.")
         }
     }

src/api/core/emergency_access.rs

@@ -258,7 +258,7 @@ async fn send_invite(data: JsonUpcase<EmergencyAccessInviteData>, headers: Heade
         match User::find_by_mail(&email, &conn).await {
             Some(user) => {
                 match accept_invite_process(user.uuid, new_emergency_access.uuid, Some(email), conn.borrow()).await {
-                    Ok(v) => (v),
+                    Ok(v) => v,
                     Err(e) => err!(e.to_string()),
                 }
             }
@@ -317,7 +317,7 @@ async fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> Empty
         match accept_invite_process(grantee_user.uuid, emergency_access.uuid, emergency_access.email, conn.borrow())
             .await
         {
-            Ok(v) => (v),
+            Ok(v) => v,
             Err(e) => err!(e.to_string()),
         }
     }
@@ -363,7 +363,7 @@ async fn accept_invite(emer_id: String, data: JsonUpcase<AcceptData>, conn: DbCo
         && (claims.grantor_email.is_some() && grantor_user.email == claims.grantor_email.unwrap())
     {
         match accept_invite_process(grantee_user.uuid.clone(), emer_id, Some(grantee_user.email.clone()), &conn).await {
-            Ok(v) => (v),
+            Ok(v) => v,
             Err(e) => err!(e.to_string()),
         }
 

src/api/core/sends.rs

@@ -70,8 +70,9 @@ struct SendData {
 /// controls this policy globally.
 async fn enforce_disable_send_policy(headers: &Headers, conn: &DbConn) -> EmptyResult {
     let user_uuid = &headers.user.uuid;
-    let policy_type = OrgPolicyType::DisableSend;
-    if !CONFIG.sends_allowed() || OrgPolicy::is_applicable_to_user(user_uuid, policy_type, conn).await {
+    if !CONFIG.sends_allowed()
+        || OrgPolicy::is_applicable_to_user(user_uuid, OrgPolicyType::DisableSend, None, conn).await
+    {
         err!("Due to an Enterprise Policy, you are only able to delete an existing Send.")
     }
     Ok(())

src/db/models/mod.rs

@@ -19,7 +19,7 @@ pub use self::device::Device;
 pub use self::emergency_access::{EmergencyAccess, EmergencyAccessStatus, EmergencyAccessType};
 pub use self::favorite::Favorite;
 pub use self::folder::{Folder, FolderCipher};
-pub use self::org_policy::{OrgPolicy, OrgPolicyType};
+pub use self::org_policy::{OrgPolicy, OrgPolicyErr, OrgPolicyType};
 pub use self::organization::{Organization, UserOrgStatus, UserOrgType, UserOrganization};
 pub use self::send::{Send, SendType};
 pub use self::two_factor::{TwoFactor, TwoFactorType};

src/db/models/org_policy.rs

@@ -6,7 +6,7 @@ use crate::db::DbConn;
 use crate::error::MapResult;
 use crate::util::UpCase;
 
-use super::{UserOrgStatus, UserOrgType, UserOrganization};
+use super::{TwoFactor, UserOrgStatus, UserOrgType, UserOrganization};
 
 db_object! {
     #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
@@ -21,25 +21,37 @@ db_object! {
     }
 }
 
+// https://github.com/bitwarden/server/blob/b86a04cef9f1e1b82cf18e49fc94e017c641130c/src/Core/Enums/PolicyType.cs
 #[derive(Copy, Clone, Eq, PartialEq, num_derive::FromPrimitive)]
 pub enum OrgPolicyType {
     TwoFactorAuthentication = 0,
     MasterPassword = 1,
     PasswordGenerator = 2,
     SingleOrg = 3,
-    // RequireSso = 4, // Not currently supported.
+    // RequireSso = 4, // Not supported
     PersonalOwnership = 5,
     DisableSend = 6,
     SendOptions = 7,
+    // ResetPassword = 8, // Not supported
+    // MaximumVaultTimeout = 9, // Not supported (Not AGPLv3 Licensed)
+    // DisablePersonalVaultExport = 10, // Not supported (Not AGPLv3 Licensed)
 }
 
-// https://github.com/bitwarden/server/blob/master/src/Core/Models/Data/SendOptionsPolicyData.cs
+// https://github.com/bitwarden/server/blob/5cbdee137921a19b1f722920f0fa3cd45af2ef0f/src/Core/Models/Data/Organizations/Policies/SendOptionsPolicyData.cs
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 pub struct SendOptionsPolicyData {
     pub DisableHideEmail: bool,
 }
 
+pub type OrgPolicyResult = Result<(), OrgPolicyErr>;
+
+#[derive(Debug)]
+pub enum OrgPolicyErr {
+    TwoFactorMissing,
+    SingleOrgEnforced,
+}
+
 /// Local methods
 impl OrgPolicy {
     pub fn new(org_uuid: String, atype: OrgPolicyType, data: String) -> Self {
@@ -160,11 +172,11 @@ impl OrgPolicy {
         }}
     }
 
-    pub async fn find_by_org_and_type(org_uuid: &str, atype: i32, conn: &DbConn) -> Option<Self> {
+    pub async fn find_by_org_and_type(org_uuid: &str, policy_type: OrgPolicyType, conn: &DbConn) -> Option<Self> {
         db_run! { conn: {
             org_policies::table
                 .filter(org_policies::org_uuid.eq(org_uuid))
-                .filter(org_policies::atype.eq(atype))
+                .filter(org_policies::atype.eq(policy_type as i32))
                 .first::<OrgPolicyDb>(conn)
                 .ok()
                 .from_db()
@@ -179,40 +191,128 @@ impl OrgPolicy {
         }}
     }
 
+    pub async fn find_accepted_and_confirmed_by_user_and_active_policy(
+        user_uuid: &str,
+        policy_type: OrgPolicyType,
+        conn: &DbConn,
+    ) -> Vec<Self> {
+        db_run! { conn: {
+            org_policies::table
+                .inner_join(
+                    users_organizations::table.on(
+                        users_organizations::org_uuid.eq(org_policies::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid)))
+                )
+                .filter(
+                    users_organizations::status.eq(UserOrgStatus::Accepted as i32)
+                )
+                .or_filter(
+                    users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+                )
+                .filter(org_policies::atype.eq(policy_type as i32))
+                .filter(org_policies::enabled.eq(true))
+                .select(org_policies::all_columns)
+                .load::<OrgPolicyDb>(conn)
+                .expect("Error loading org_policy")
+                .from_db()
+        }}
+    }
+
+    pub async fn find_confirmed_by_user_and_active_policy(
+        user_uuid: &str,
+        policy_type: OrgPolicyType,
+        conn: &DbConn,
+    ) -> Vec<Self> {
+        db_run! { conn: {
+            org_policies::table
+                .inner_join(
+                    users_organizations::table.on(
+                        users_organizations::org_uuid.eq(org_policies::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid)))
+                )
+                .filter(
+                    users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+                )
+                .filter(org_policies::atype.eq(policy_type as i32))
+                .filter(org_policies::enabled.eq(true))
+                .select(org_policies::all_columns)
+                .load::<OrgPolicyDb>(conn)
+                .expect("Error loading org_policy")
+                .from_db()
+        }}
+    }
+
     /// Returns true if the user belongs to an org that has enabled the specified policy type,
     /// and the user is not an owner or admin of that org. This is only useful for checking
     /// applicability of policy types that have these particular semantics.
-    pub async fn is_applicable_to_user(user_uuid: &str, policy_type: OrgPolicyType, conn: &DbConn) -> bool {
-        // TODO: Should check confirmed and accepted users
-        for policy in OrgPolicy::find_confirmed_by_user(user_uuid, conn).await {
-            if policy.enabled && policy.has_type(policy_type) {
-                let org_uuid = &policy.org_uuid;
-                if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, org_uuid, conn).await {
-                    if user.atype < UserOrgType::Admin {
-                        return true;
-                    }
+    pub async fn is_applicable_to_user(
+        user_uuid: &str,
+        policy_type: OrgPolicyType,
+        exclude_org_uuid: Option<&str>,
+        conn: &DbConn,
+    ) -> bool {
+        for policy in
+            OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(user_uuid, policy_type, conn).await
+        {
+            // Check if we need to skip this organization.
+            if exclude_org_uuid.is_some() && exclude_org_uuid.unwrap() == policy.org_uuid {
+                continue;
+            }
+
+            if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
+                if user.atype < UserOrgType::Admin {
+                    return true;
                 }
             }
         }
         false
     }
 
+    pub async fn is_user_allowed(
+        user_uuid: &str,
+        org_uuid: &str,
+        exclude_current_org: bool,
+        conn: &DbConn,
+    ) -> OrgPolicyResult {
+        // Enforce TwoFactor/TwoStep login
+        if TwoFactor::find_by_user(user_uuid, conn).await.is_empty() {
+            match Self::find_by_org_and_type(org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await {
+                Some(p) if p.enabled => {
+                    return Err(OrgPolicyErr::TwoFactorMissing);
+                }
+                _ => {}
+            };
+        }
+
+        // Enforce Single Organization Policy of other organizations user is a member of
+        // This check here needs to exclude this current org-id, else an accepted user can not be confirmed.
+        let exclude_org = if exclude_current_org {
+            Some(org_uuid)
+        } else {
+            None
+        };
+        if Self::is_applicable_to_user(user_uuid, OrgPolicyType::SingleOrg, exclude_org, conn).await {
+            return Err(OrgPolicyErr::SingleOrgEnforced);
+        }
+
+        Ok(())
+    }
+
     /// Returns true if the user belongs to an org that has enabled the `DisableHideEmail`
     /// option of the `Send Options` policy, and the user is not an owner or admin of that org.
     pub async fn is_hide_email_disabled(user_uuid: &str, conn: &DbConn) -> bool {
-        for policy in OrgPolicy::find_confirmed_by_user(user_uuid, conn).await {
-            if policy.enabled && policy.has_type(OrgPolicyType::SendOptions) {
-                let org_uuid = &policy.org_uuid;
-                if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, org_uuid, conn).await {
-                    if user.atype < UserOrgType::Admin {
-                        match serde_json::from_str::<UpCase<SendOptionsPolicyData>>(&policy.data) {
-                            Ok(opts) => {
-                                if opts.data.DisableHideEmail {
-                                    return true;
-                                }
+        for policy in
+            OrgPolicy::find_confirmed_by_user_and_active_policy(user_uuid, OrgPolicyType::SendOptions, conn).await
+        {
+            if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
+                if user.atype < UserOrgType::Admin {
+                    match serde_json::from_str::<UpCase<SendOptionsPolicyData>>(&policy.data) {
+                        Ok(opts) => {
+                            if opts.data.DisableHideEmail {
+                                return true;
                             }
-                            _ => error!("Failed to deserialize policy data: {}", policy.data),
                         }
+                        _ => error!("Failed to deserialize SendOptionsPolicyData: {}", policy.data),
                     }
                 }
             }