

1//! Custom policy implementations that override the default rules.
2
3use bitwarden_organizations::OrganizationUserType;
4
5use crate::{PolicyType, filter::Policy};
6
/// Master Password policy (type 1).
///
/// No role is exempt: Owners and Admins are held to the same master-password
/// requirements as every other member of the organization.
pub struct MasterPasswordPolicy;

impl Policy for MasterPasswordPolicy {
    /// Identifies this override as the Master Password policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::MasterPassword
    }

    /// Returns an empty exemption list, so no organization role escapes
    /// this policy.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const NO_EXEMPTIONS: &[OrganizationUserType] = &[];
        NO_EXEMPTIONS
    }
}
21
/// Password Generator policy.
///
/// Constrains generated passwords for every member; Owners and Admins receive
/// no exemption.
pub struct PasswordGeneratorPolicy;

impl Policy for PasswordGeneratorPolicy {
    /// Identifies this override as the Password Generator policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::PasswordGenerator
    }

    /// Empty exemption list: the policy is enforced regardless of role.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const NO_EXEMPTIONS: &[OrganizationUserType] = &[];
        NO_EXEMPTIONS
    }
}
36
/// Maximum Vault Timeout policy.
///
/// Owners are the only exempt role; Admins and all other members are subject
/// to the organization's vault-timeout cap.
pub struct MaximumVaultTimeoutPolicy;

impl Policy for MaximumVaultTimeoutPolicy {
    /// Identifies this override as the Maximum Vault Timeout policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::MaximumVaultTimeout
    }

    /// Exempts exactly one role, `Owner`; every other role is filtered in.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const OWNER_ONLY: &[OrganizationUserType] = &[OrganizationUserType::Owner];
        OWNER_ONLY
    }
}
51
/// Free Families Sponsorship policy.
///
/// Applied uniformly: neither Owners nor Admins are excluded.
pub struct FreeFamiliesSponsorshipPolicy;

impl Policy for FreeFamiliesSponsorshipPolicy {
    /// Identifies this override as the Free Families Sponsorship policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::FreeFamiliesSponsorship
    }

    /// No role is exempt from this policy.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const NO_EXEMPTIONS: &[OrganizationUserType] = &[];
        NO_EXEMPTIONS
    }
}
66
/// Remove Unlock with PIN policy.
///
/// Enforced for every member, Owners and Admins included, so PIN unlock is
/// withdrawn organization-wide rather than for a subset of roles.
pub struct RemoveUnlockWithPinPolicy;

impl Policy for RemoveUnlockWithPinPolicy {
    /// Identifies this override as the Remove Unlock with PIN policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::RemoveUnlockWithPin
    }

    /// Empty exemption list: no role keeps PIN unlock.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const NO_EXEMPTIONS: &[OrganizationUserType] = &[];
        NO_EXEMPTIONS
    }
}
81
/// Restricted Item Types policy.
///
/// Applies to all members without exception for Owners or Admins.
pub struct RestrictedItemTypesPolicy;

impl Policy for RestrictedItemTypesPolicy {
    /// Identifies this override as the Restricted Item Types policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::RestrictedItemTypes
    }

    /// No role is exempt; the restriction holds for every member.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const NO_EXEMPTIONS: &[OrganizationUserType] = &[];
        NO_EXEMPTIONS
    }
}
96
/// Automatic User Confirmation policy.
///
/// Applies to every member; Owners and Admins are not exempt.
pub struct AutomaticUserConfirmationPolicy;

impl Policy for AutomaticUserConfirmationPolicy {
    /// Identifies this override as the Automatic User Confirmation policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::AutomaticUserConfirmation
    }

    /// Empty exemption list: the policy is evaluated for all roles.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const NO_EXEMPTIONS: &[OrganizationUserType] = &[];
        NO_EXEMPTIONS
    }
}
111
/// Organization User Notification policy.
///
/// Enforced for every member, including Owners and Admins.
pub struct OrganizationUserNotificationPolicy;

impl Policy for OrganizationUserNotificationPolicy {
    /// Identifies this override as the Organization User Notification policy.
    fn policy_type(&self) -> PolicyType {
        PolicyType::OrganizationUserNotification
    }

    /// No role is exempt from this policy.
    fn exempt_roles(&self) -> &[OrganizationUserType] {
        const NO_EXEMPTIONS: &[OrganizationUserType] = &[];
        NO_EXEMPTIONS
    }
}
126
#[cfg(test)]
mod tests {
    use bitwarden_organizations::{OrganizationUserStatusType, OrganizationUserType};
    use uuid::Uuid;

    use super::*;
    use crate::{OrganizationUserPolicyContext, PolicyView, filter::PolicyFilter};

    /// Builds an enabled policy of `policy_type` belonging to `organization_id`.
    fn policy_view(organization_id: Uuid, policy_type: PolicyType) -> PolicyView {
        PolicyView {
            id: Uuid::new_v4(),
            organization_id,
            r#type: policy_type,
            data: None,
            enabled: true,
            revision_date: Default::default(),
        }
    }

    /// Builds a confirmed, enabled membership in organization `id` with the
    /// given `role`; the member is subject to policies and is not a provider user.
    fn org(id: Uuid, role: OrganizationUserType) -> OrganizationUserPolicyContext {
        OrganizationUserPolicyContext {
            id,
            role,
            status: OrganizationUserStatusType::Confirmed,
            enabled: true,
            use_policies: true,
            is_provider_user: false,
        }
    }

    /// One organization carrying a single enabled policy of `policy_type`, in
    /// which the current user holds `role`. Returns the `(policies, orgs)` pair
    /// a policy filter consumes.
    fn scenario(
        policy_type: PolicyType,
        role: OrganizationUserType,
    ) -> ([PolicyView; 1], [OrganizationUserPolicyContext; 1]) {
        let org_id = Uuid::new_v4();
        ([policy_view(org_id, policy_type)], [org(org_id, role)])
    }

    // --- MasterPasswordPolicy ---

    #[test]
    fn master_password_applies_to_owner() {
        let (policies, orgs) = scenario(PolicyType::MasterPassword, OrganizationUserType::Owner);
        assert_eq!(MasterPasswordPolicy.filter(&policies, &orgs).len(), 1);
    }

    #[test]
    fn master_password_applies_to_admin() {
        let (policies, orgs) = scenario(PolicyType::MasterPassword, OrganizationUserType::Admin);
        assert_eq!(MasterPasswordPolicy.filter(&policies, &orgs).len(), 1);
    }

    // --- PasswordGeneratorPolicy ---

    #[test]
    fn password_generator_applies_to_owner() {
        let (policies, orgs) =
            scenario(PolicyType::PasswordGenerator, OrganizationUserType::Owner);
        assert_eq!(PasswordGeneratorPolicy.filter(&policies, &orgs).len(), 1);
    }

    #[test]
    fn password_generator_applies_to_admin() {
        let (policies, orgs) =
            scenario(PolicyType::PasswordGenerator, OrganizationUserType::Admin);
        assert_eq!(PasswordGeneratorPolicy.filter(&policies, &orgs).len(), 1);
    }

    // --- MaximumVaultTimeoutPolicy ---

    #[test]
    fn maximum_vault_timeout_exempts_owner() {
        let (policies, orgs) =
            scenario(PolicyType::MaximumVaultTimeout, OrganizationUserType::Owner);
        // Owner is the one exempt role, so nothing survives the filter.
        assert!(MaximumVaultTimeoutPolicy.filter(&policies, &orgs).is_empty());
    }

    #[test]
    fn maximum_vault_timeout_applies_to_admin() {
        let (policies, orgs) =
            scenario(PolicyType::MaximumVaultTimeout, OrganizationUserType::Admin);
        assert_eq!(MaximumVaultTimeoutPolicy.filter(&policies, &orgs).len(), 1);
    }

    #[test]
    fn maximum_vault_timeout_applies_to_user() {
        let (policies, orgs) =
            scenario(PolicyType::MaximumVaultTimeout, OrganizationUserType::User);
        assert_eq!(MaximumVaultTimeoutPolicy.filter(&policies, &orgs).len(), 1);
    }

    // --- FreeFamiliesSponsorshipPolicy ---

    #[test]
    fn free_families_applies_to_owner() {
        let (policies, orgs) =
            scenario(PolicyType::FreeFamiliesSponsorship, OrganizationUserType::Owner);
        assert_eq!(FreeFamiliesSponsorshipPolicy.filter(&policies, &orgs).len(), 1);
    }

    // --- RemoveUnlockWithPinPolicy ---

    #[test]
    fn remove_unlock_with_pin_applies_to_owner() {
        let (policies, orgs) =
            scenario(PolicyType::RemoveUnlockWithPin, OrganizationUserType::Owner);
        assert_eq!(RemoveUnlockWithPinPolicy.filter(&policies, &orgs).len(), 1);
    }

    // --- RestrictedItemTypesPolicy ---

    #[test]
    fn restricted_item_types_applies_to_owner() {
        let (policies, orgs) =
            scenario(PolicyType::RestrictedItemTypes, OrganizationUserType::Owner);
        assert_eq!(RestrictedItemTypesPolicy.filter(&policies, &orgs).len(), 1);
    }

    // --- AutomaticUserConfirmationPolicy ---

    #[test]
    fn automatic_user_confirmation_applies_to_owner() {
        let (policies, orgs) =
            scenario(PolicyType::AutomaticUserConfirmation, OrganizationUserType::Owner);
        assert_eq!(AutomaticUserConfirmationPolicy.filter(&policies, &orgs).len(), 1);
    }

    // --- OrganizationUserNotificationPolicy ---

    #[test]
    fn organization_user_notification_applies_to_owner() {
        let (policies, orgs) = scenario(
            PolicyType::OrganizationUserNotification,
            OrganizationUserType::Owner,
        );
        assert_eq!(OrganizationUserNotificationPolicy.filter(&policies, &orgs).len(), 1);
    }

    #[test]
    fn organization_user_notification_applies_to_admin() {
        let (policies, orgs) = scenario(
            PolicyType::OrganizationUserNotification,
            OrganizationUserType::Admin,
        );
        assert_eq!(OrganizationUserNotificationPolicy.filter(&policies, &orgs).len(), 1);
    }
}
304}