bitwarden · amorask-bitwarden · May 20, 2024 · Apr 23, 2024 · Apr 23, 2024 · Apr 23, 2024
@@ -14,17 +14,23 @@ namespace Bit.Scim.Users;
 
 public class PostUserCommand : IPostUserCommand
 {
+ private readonly IOrganizationRepository _organizationRepository;
  private readonly IOrganizationUserRepository _organizationUserRepository;
  private readonly IOrganizationService _organizationService;
+ private readonly IPaymentService _paymentService;
  private readonly IScimContext _scimContext;
 
  public PostUserCommand(
+ IOrganizationRepository organizationRepository,
  IOrganizationUserRepository organizationUserRepository,
  IOrganizationService organizationService,
+ IPaymentService paymentService,
  IScimContext scimContext)
  {
+ _organizationRepository = organizationRepository;
  _organizationUserRepository = organizationUserRepository;
  _organizationService = organizationService;
+ _paymentService = paymentService;
  _scimContext = scimContext;
  }
 
@@ -80,8 +86,13 @@ public async Task<OrganizationUserUserDetails> PostUserAsync(Guid organizationId
  throw new ConflictException();
  }
 
+ var organization = await _organizationRepository.GetByIdAsync(organizationId);
+
+ var hasStandaloneSecretsManager = await _paymentService.HasSecretsManagerStandalone(organization);
+
  var invitedOrgUser = await _organizationService.InviteUserAsync(organizationId, EventSystemUser.SCIM, email,
- OrganizationUserType.User, false, externalId, new List<CollectionAccessSelection>(), new List<Guid>());
+ OrganizationUserType.User, false, externalId, new List<CollectionAccessSelection>(), new List<Guid>(), hasStandaloneSecretsManager);
+
  var orgUser = await _organizationUserRepository.GetDetailsByIdAsync(invitedOrgUser.Id);
 
  return orgUser;

diff --git a/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs b/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
@@ -1,4 +1,5 @@
-using Bit.Core.Enums;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@@ -19,7 +20,7 @@ public class PostUserCommandTests
 {
  [Theory]
  [BitAutoData]
- public async Task PostUser_Success(SutProvider<PostUserCommand> sutProvider, string externalId, Guid organizationId, List<BaseScimUserModel.EmailModel> emails, ICollection<OrganizationUserUserDetails> organizationUsers, Core.Entities.OrganizationUser newUser)
+ public async Task PostUser_Success(SutProvider<PostUserCommand> sutProvider, string externalId, Guid organizationId, List<BaseScimUserModel.EmailModel> emails, ICollection<OrganizationUserUserDetails> organizationUsers, Core.Entities.OrganizationUser newUser, Organization organization)
  {
  var scimUserRequestModel = new ScimUserRequestModel
  {
@@ -33,16 +34,20 @@ public async Task PostUser_Success(SutProvider<PostUserCommand> sutProvider, str
  .GetManyDetailsByOrganizationAsync(organizationId)
  .Returns(organizationUsers);
 
+ sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);
+
+ sutProvider.GetDependency<IPaymentService>().HasSecretsManagerStandalone(organization).Returns(true);
+
  sutProvider.GetDependency<IOrganizationService>()
  .InviteUserAsync(organizationId, EventSystemUser.SCIM, scimUserRequestModel.PrimaryEmail.ToLowerInvariant(),
  OrganizationUserType.User, false, externalId, Arg.Any<List<CollectionAccessSelection>>(),
- Arg.Any<List<Guid>>())
+ Arg.Any<List<Guid>>(), true)
  .Returns(newUser);
 
  var user = await sutProvider.Sut.PostUserAsync(organizationId, scimUserRequestModel);
 
  await sutProvider.GetDependency<IOrganizationService>().Received(1).InviteUserAsync(organizationId, EventSystemUser.SCIM, scimUserRequestModel.PrimaryEmail.ToLowerInvariant(),
- OrganizationUserType.User, false, scimUserRequestModel.ExternalId, Arg.Any<List<CollectionAccessSelection>>(), Arg.Any<List<Guid>>());
+ OrganizationUserType.User, false, scimUserRequestModel.ExternalId, Arg.Any<List<CollectionAccessSelection>>(), Arg.Any<List<Guid>>(), true);
  await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).GetDetailsByIdAsync(newUser.Id);
  }
 

@@ -49,7 +49,7 @@ public interface IOrganizationService
  Task<OrganizationUser> InviteUserAsync(Guid organizationId, Guid? invitingUserId, string email,
  OrganizationUserType type, bool accessAll, string externalId, ICollection<CollectionAccessSelection> collections, IEnumerable<Guid> groups);
  Task<OrganizationUser> InviteUserAsync(Guid organizationId, EventSystemUser systemUser, string email,
- OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid> groups);
+ OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid> groups, bool accessSecretsManager);
  Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId, IEnumerable<Guid> organizationUsersId);
  Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId, bool initOrganization = false);
  Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,

@@ -1673,22 +1673,23 @@ public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Gu
 
  public async Task<OrganizationUser> InviteUserAsync(Guid organizationId, EventSystemUser systemUser, string email,
  OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections,
- IEnumerable<Guid> groups)
+ IEnumerable<Guid> groups, bool accessSecretsManager)
  {
  // Collection associations validation not required as they are always an empty list - created via system user (scim)
- return await SaveUserSendInviteAsync(organizationId, invitingUserId: null, systemUser, email, type, accessAll, externalId, collections, groups);
+ return await SaveUserSendInviteAsync(organizationId, invitingUserId: null, systemUser, email, type, accessAll, externalId, collections, groups, accessSecretsManager);
  }
 
  private async Task<OrganizationUser> SaveUserSendInviteAsync(Guid organizationId, Guid? invitingUserId, EventSystemUser? systemUser, string email,
- OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid> groups)
+ OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid> groups, bool accessSecretsManager = false)
  {
  var invite = new OrganizationUserInvite()
  {
  Emails = new List<string> { email },
  Type = type,
  AccessAll = accessAll,
  Collections = collections,
- Groups = groups
+ Groups = groups,
+ AccessSecretsManager = accessSecretsManager
  };
  var results = systemUser.HasValue ? await InviteUsersAsync(organizationId, systemUser.Value,
  new (OrganizationUserInvite, string)[] { (invite, externalId) }) : await InviteUsersAsync(organizationId, invitingUserId,
@@ -1787,6 +1788,8 @@ public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Gu
  enoughSeatsAvailable = seatsAvailable >= usersToAdd.Count;
  }
 
+ var hasStandaloneSecretsManager = await _paymentService.HasSecretsManagerStandalone(organization);
+
  var userInvites = new List<(OrganizationUserInvite, string)>();
  foreach (var user in newUsers)
  {
@@ -1803,6 +1806,7 @@ public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Gu
  Type = OrganizationUserType.User,
  AccessAll = false,
  Collections = new List<CollectionAccessSelection>(),
+ AccessSecretsManager = hasStandaloneSecretsManager
  };
  userInvites.Add((invite, user.ExternalId));
  }

diff --git a/src/Core/Services/IPaymentService.cs b/src/Core/Services/IPaymentService.cs
@@ -57,4 +57,5 @@ public interface IPaymentService
  Task<string> AddSecretsManagerToSubscription(Organization org, Plan plan, int additionalSmSeats,
  int additionalServiceAccount, DateTime? prorationDate = null);
  Task<bool> RisksSubscriptionFailure(Organization organization);
+ Task<bool> HasSecretsManagerStandalone(Organization organization);
 }
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1800,6 +1800,18 @@
  return paymentSource == null;
  }
 
+ public async Task<bool> HasSecretsManagerStandalone(Organization organization)
+ {
+ if (string.IsNullOrEmpty(organization.GatewayCustomerId))
+ {
+ return false;
+ }
+
+ var customer = await _stripeAdapter.CustomerGetAsync(organization.GatewayCustomerId);
+
+ return customer?.Discount?.Coupon?.Id == SecretsManagerStandaloneDiscountId;
+ }
+
  private PaymentMethod GetLatestCardPaymentMethod(string customerId)
  {
  var cardPaymentMethods = _stripeAdapter.PaymentMethodListAutoPaging(