
[AC-1435] Single Organization policy prerequisite for Account Recovery policy #3082

Merged (7 commits), Jul 18, 2023

Conversation

@shane-melton (Member) commented Jul 10, 2023

Type of change

- [ ] Bug fix
- [X] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Make the Single Organization policy a prerequisite for the Account Recovery policy and by extension Trusted Device Encryption.

See related copy/UI changes in Clients repo: bitwarden/clients#5774

Code changes

  • src/Core/Auth/Services/Implementations/SsoConfigService.cs: Whenever TDE is enabled, automatically turn on the Single Organization policy.
  • src/Core/Services/Implementations/PolicyService.cs: Add new dependency checks when modifying the Single Org and/or Account Recovery policies.
  • SsoConfigServiceTests and PolicyServiceTests: Add unit tests to ensure desired functionality

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team
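The prerequisite rules the description lists (Account Recovery requires Single Organization; enabling TDE turns Single Organization on automatically; neither may be switched off while something still depends on it) modelled as a small stand-alone module. This is an added example written in plain Python, not the project's C# `PolicyService` or `SsoConfigService`; the enum values, class and function names are mine, and the rule that TDE itself requires the Account Recovery policy is an assumption, not something this PR states.

```python
"""Prerequisite checks between organization policies (illustrative, not Bitwarden code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    SINGLE_ORG = "SingleOrg"              # hypothetical policy name
    ACCOUNT_RECOVERY = "AccountRecovery"  # hypothetical policy name


# Prerequisite graph: enabling the key requires every policy in the value set.
# From the PR: Account Recovery requires Single Organization.
PREREQUISITES: dict[Policy, frozenset[Policy]] = {
    Policy.ACCOUNT_RECOVERY: frozenset({Policy.SINGLE_ORG}),
    Policy.SINGLE_ORG: frozenset(),
}


class PolicyDependencyError(ValueError):
    """A change would leave a policy (or TDE) enabled without its prerequisites."""


@dataclass
class OrgState:
    enabled: set[Policy] = field(default_factory=set)
    tde_enabled: bool = False  # Trusted Device Encryption lives in SSO config, not a policy


def dependents_of(policy: Policy) -> set[Policy]:
    """Policies that list `policy` as one of their prerequisites."""
    return {p for p, reqs in PREREQUISITES.items() if policy in reqs}


def set_policy(state: OrgState, policy: Policy, enable: bool) -> OrgState:
    """Return a new state with `policy` toggled, or raise if a dependency rule fails."""
    if enable:
        missing = PREREQUISITES[policy] - state.enabled
        if missing:
            raise PolicyDependencyError(
                f"cannot enable {policy.value}: requires {sorted(m.value for m in missing)}")
        return OrgState(state.enabled | {policy}, state.tde_enabled)

    # Disabling: nothing that depends on this policy may still be switched on.
    blocking = dependents_of(policy) & state.enabled
    if blocking:
        raise PolicyDependencyError(
            f"cannot disable {policy.value}: required by {sorted(b.value for b in blocking)}")
    # Assumption (not stated in the PR): TDE depends on Account Recovery, and therefore
    # transitively on Single Org, so both stay pinned while TDE is on.
    if state.tde_enabled and policy in (Policy.ACCOUNT_RECOVERY, Policy.SINGLE_ORG):
        raise PolicyDependencyError(
            f"cannot disable {policy.value}: Trusted Device Encryption is enabled")
    return OrgState(state.enabled - {policy}, state.tde_enabled)


def change_allowed(state: OrgState, policy: Policy, enable: bool) -> bool:
    """Non-raising form, e.g. for deciding whether a UI toggle should be active."""
    try:
        set_policy(state, policy, enable)
        return True
    except PolicyDependencyError:
        return False


def enable_tde(state: OrgState) -> OrgState:
    """Enabling TDE automatically turns on Single Org, as the PR describes for
    SsoConfigService. Assumption: Account Recovery must already be enabled."""
    new = OrgState(state.enabled | {Policy.SINGLE_ORG}, state.tde_enabled)
    if Policy.ACCOUNT_RECOVERY not in new.enabled:
        raise PolicyDependencyError("cannot enable TDE: Account Recovery policy is not enabled")
    new.tde_enabled = True
    return new


def violations(state: OrgState) -> list[str]:
    """Audit helper for data that predates the checks: list enabled policies
    whose prerequisites are missing, so inconsistent organizations can be found."""
    out: list[str] = []
    for p in sorted(state.enabled, key=lambda x: x.value):
        for req in sorted(PREREQUISITES[p] - state.enabled, key=lambda x: x.value):
            out.append(f"{p.value} enabled without {req.value}")
    if state.tde_enabled and Policy.SINGLE_ORG not in state.enabled:
        out.append("TDE enabled without SingleOrg")
    return out


if __name__ == "__main__":
    org = set_policy(OrgState(), Policy.SINGLE_ORG, True)
    org = set_policy(org, Policy.ACCOUNT_RECOVERY, True)
    org = enable_tde(org)
    print("single org can be disabled:", change_allowed(org, Policy.SINGLE_ORG, False))  # False
    print("violations:", violations(OrgState({Policy.ACCOUNT_RECOVERY})))
```

The `violations` audit is the piece a practitioner would run once on existing data: the new checks only guard future changes, so organizations that were already in an inconsistent state (Account Recovery on, Single Org off) need to be found and corrected separately.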

@bitwarden-bot commented Jul 10, 2023

Checkmarx One – Scan Summary & Details (scan 90cff02f-bc05-4336-8953-f79ba7b6710c)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | Passwords And Secrets - Generic Password | /bootstrap-local.yml: 20 | Query to find passwords and secrets in infrastructure code. |
| HIGH | Passwords And Secrets - Generic Password | /bootstrap-hml.yml: 11 | Query to find passwords and secrets in infrastructure code. |
| HIGH | Passwords And Secrets - Generic Password | /bootstrap.yml: 19 | Query to find passwords and secrets in infrastructure code. |

Fixed Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 7 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile-k8s: 8 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile-k8s: 8 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 7 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 15 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 73 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 59 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 35 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 103 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 23 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 43 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 92 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 4 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 98 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 33 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 84 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 70 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 56 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 41 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 21 | Check containers periodically to see if they are running properly. |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 98 | The hosts process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 56 | The hosts process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 41 | The hosts process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 4 | The hosts process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 70 | The hosts process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 33 | The hosts process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 21 | The hosts process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 84 | The hosts process namespace should not be shared by containers |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 21 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 84 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 41 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 33 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 98 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 56 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 4 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 70 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Networks Not Set | /docker-compose.yml: 70 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 84 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 33 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 4 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 56 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 21 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 98 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 41 | Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. |
| MEDIUM | Privacy_Violation | /src/Api/Controllers/OrganizationAuthRequestsController.cs: 62 | Attack Vector |
| MEDIUM | Privileged Ports Mapped In Container | /docker-compose.yml: 92 | Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely ... |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 98 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 4 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 33 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 56 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 70 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 21 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 41 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 84 | Attribute 'security_opt' should be defined. |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 41 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 33 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 56 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 84 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 70 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 98 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 21 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 4 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Cpus Not Limited | /docker-compose.yml: 21 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 33 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 84 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 98 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 56 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 70 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 4 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 41 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 1 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 1 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 1 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | Multiple RUN, ADD, COPY, Instructions Listed | /Dockerfile-k8s: 17 | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. |
| LOW | Multiple RUN, ADD, COPY, Instructions Listed | /Dockerfile: 11 | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. |
| LOW | Multiple RUN, ADD, COPY, Instructions Listed | /Dockerfile: 13 | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. |

@JaredSnider-Bitwarden (Contributor) left a comment

Great work on this, and thank you for including thorough tests!

@shane-melton shane-melton requested a review from a team July 10, 2023 21:32
@vincentsalucci vincentsalucci merged commit a095e02 into master Jul 18, 2023
@vincentsalucci vincentsalucci deleted the ac/ac-1435/single-org-pre-req branch July 18, 2023 15:00