Skip to main content

bitwarden_policies/
policy_overrides.rs

1//! Custom policy implementations that override the default rules.
2
3use bitwarden_organizations::OrganizationUserType;
4
5use crate::filter::{Policy, PolicyType};
6
7/// Master Password policy (type 1).
8///
9/// Applies to **everyone**, including Owners and Admins.
10pub struct MasterPasswordPolicy;
11
12impl Policy for MasterPasswordPolicy {
13    fn policy_type(&self) -> PolicyType {
14        PolicyType(1)
15    }
16
17    fn exempt_roles(&self) -> &[OrganizationUserType] {
18        &[]
19    }
20}
21
22/// Password Generator policy (type 2).
23///
24/// Applies to **everyone**, including Owners and Admins.
25pub struct PasswordGeneratorPolicy;
26
27impl Policy for PasswordGeneratorPolicy {
28    fn policy_type(&self) -> PolicyType {
29        PolicyType(2)
30    }
31
32    fn exempt_roles(&self) -> &[OrganizationUserType] {
33        &[]
34    }
35}
36
37/// Maximum Vault Timeout policy (type 9).
38///
39/// Applies to everyone **except Owners**. Admins are not exempt.
40pub struct MaximumVaultTimeoutPolicy;
41
42impl Policy for MaximumVaultTimeoutPolicy {
43    fn policy_type(&self) -> PolicyType {
44        PolicyType(9)
45    }
46
47    fn exempt_roles(&self) -> &[OrganizationUserType] {
48        &[OrganizationUserType::Owner]
49    }
50}
51
52/// Free Families Sponsorship policy (type 13).
53///
54/// Applies to **everyone**, including Owners and Admins.
55pub struct FreeFamiliesSponsorshipPolicy;
56
57impl Policy for FreeFamiliesSponsorshipPolicy {
58    fn policy_type(&self) -> PolicyType {
59        PolicyType(13)
60    }
61
62    fn exempt_roles(&self) -> &[OrganizationUserType] {
63        &[]
64    }
65}
66
67/// Remove Unlock with PIN policy (type 14).
68///
69/// Applies to **everyone**, including Owners and Admins.
70pub struct RemoveUnlockWithPinPolicy;
71
72impl Policy for RemoveUnlockWithPinPolicy {
73    fn policy_type(&self) -> PolicyType {
74        PolicyType(14)
75    }
76
77    fn exempt_roles(&self) -> &[OrganizationUserType] {
78        &[]
79    }
80}
81
82/// Restricted Item Types policy (type 15).
83///
84/// Applies to **everyone**, including Owners and Admins.
85pub struct RestrictedItemTypesPolicy;
86
87impl Policy for RestrictedItemTypesPolicy {
88    fn policy_type(&self) -> PolicyType {
89        PolicyType(15)
90    }
91
92    fn exempt_roles(&self) -> &[OrganizationUserType] {
93        &[]
94    }
95}
96
97/// Automatic User Confirmation policy (type 18).
98///
99/// Applies to **everyone**, including Owners and Admins.
100pub struct AutomaticUserConfirmationPolicy;
101
102impl Policy for AutomaticUserConfirmationPolicy {
103    fn policy_type(&self) -> PolicyType {
104        PolicyType(18)
105    }
106
107    fn exempt_roles(&self) -> &[OrganizationUserType] {
108        &[]
109    }
110}
111
112#[cfg(test)]
113mod tests {
114    use bitwarden_organizations::{
115        OrganizationUserStatusType, OrganizationUserType, ProfileOrganization,
116    };
117    use uuid::Uuid;
118
119    use super::*;
120    use crate::filter::{PolicyFilter, PolicyView};
121
122    fn policy_view(organization_id: Uuid, policy_type: u8) -> PolicyView {
123        PolicyView {
124            id: Uuid::new_v4(),
125            organization_id,
126            r#type: PolicyType(policy_type),
127            data: None,
128            enabled: true,
129        }
130    }
131
132    fn org(id: Uuid, user_type: OrganizationUserType) -> ProfileOrganization {
133        ProfileOrganization {
134            id,
135            r#type: user_type,
136            status: OrganizationUserStatusType::Confirmed,
137            use_policies: true,
138            is_provider_user: false,
139            ..Default::default()
140        }
141    }
142
143    // --- MasterPasswordPolicy ---
144
145    #[test]
146    fn master_password_applies_to_owner() {
147        let org_id = Uuid::new_v4();
148        let policies = [policy_view(org_id, 1)];
149        let orgs = [org(org_id, OrganizationUserType::Owner)];
150        assert_eq!(MasterPasswordPolicy.filter(&policies, &orgs).len(), 1);
151    }
152
153    #[test]
154    fn master_password_applies_to_admin() {
155        let org_id = Uuid::new_v4();
156        let policies = [policy_view(org_id, 1)];
157        let orgs = [org(org_id, OrganizationUserType::Admin)];
158        assert_eq!(MasterPasswordPolicy.filter(&policies, &orgs).len(), 1);
159    }
160
161    // --- PasswordGeneratorPolicy ---
162
163    #[test]
164    fn password_generator_applies_to_owner() {
165        let org_id = Uuid::new_v4();
166        let policies = [policy_view(org_id, 2)];
167        let orgs = [org(org_id, OrganizationUserType::Owner)];
168        assert_eq!(PasswordGeneratorPolicy.filter(&policies, &orgs).len(), 1);
169    }
170
171    #[test]
172    fn password_generator_applies_to_admin() {
173        let org_id = Uuid::new_v4();
174        let policies = [policy_view(org_id, 2)];
175        let orgs = [org(org_id, OrganizationUserType::Admin)];
176        assert_eq!(PasswordGeneratorPolicy.filter(&policies, &orgs).len(), 1);
177    }
178
179    // --- MaximumVaultTimeoutPolicy ---
180
181    #[test]
182    fn maximum_vault_timeout_exempts_owner() {
183        let org_id = Uuid::new_v4();
184        let policies = [policy_view(org_id, 9)];
185        let orgs = [org(org_id, OrganizationUserType::Owner)];
186        assert!(
187            MaximumVaultTimeoutPolicy
188                .filter(&policies, &orgs)
189                .is_empty()
190        );
191    }
192
193    #[test]
194    fn maximum_vault_timeout_applies_to_admin() {
195        let org_id = Uuid::new_v4();
196        let policies = [policy_view(org_id, 9)];
197        let orgs = [org(org_id, OrganizationUserType::Admin)];
198        assert_eq!(MaximumVaultTimeoutPolicy.filter(&policies, &orgs).len(), 1);
199    }
200
201    #[test]
202    fn maximum_vault_timeout_applies_to_user() {
203        let org_id = Uuid::new_v4();
204        let policies = [policy_view(org_id, 9)];
205        let orgs = [org(org_id, OrganizationUserType::User)];
206        assert_eq!(MaximumVaultTimeoutPolicy.filter(&policies, &orgs).len(), 1);
207    }
208
209    // --- FreeFamiliesSponsorshipPolicy ---
210
211    #[test]
212    fn free_families_applies_to_owner() {
213        let org_id = Uuid::new_v4();
214        let policies = [policy_view(org_id, 13)];
215        let orgs = [org(org_id, OrganizationUserType::Owner)];
216        assert_eq!(
217            FreeFamiliesSponsorshipPolicy.filter(&policies, &orgs).len(),
218            1
219        );
220    }
221
222    // --- RemoveUnlockWithPinPolicy ---
223
224    #[test]
225    fn remove_unlock_with_pin_applies_to_owner() {
226        let org_id = Uuid::new_v4();
227        let policies = [policy_view(org_id, 14)];
228        let orgs = [org(org_id, OrganizationUserType::Owner)];
229        assert_eq!(RemoveUnlockWithPinPolicy.filter(&policies, &orgs).len(), 1);
230    }
231
232    // --- RestrictedItemTypesPolicy ---
233
234    #[test]
235    fn restricted_item_types_applies_to_owner() {
236        let org_id = Uuid::new_v4();
237        let policies = [policy_view(org_id, 15)];
238        let orgs = [org(org_id, OrganizationUserType::Owner)];
239        assert_eq!(RestrictedItemTypesPolicy.filter(&policies, &orgs).len(), 1);
240    }
241
242    // --- AutomaticUserConfirmationPolicy ---
243
244    #[test]
245    fn automatic_user_confirmation_applies_to_owner() {
246        let org_id = Uuid::new_v4();
247        let policies = [policy_view(org_id, 18)];
248        let orgs = [org(org_id, OrganizationUserType::Owner)];
249        assert_eq!(
250            AutomaticUserConfirmationPolicy
251                .filter(&policies, &orgs)
252                .len(),
253            1
254        );
255    }
256}