[PM-34909] Serve only validated report files from get-latest and self-hosted file endpoints#7465
Draft
…elligence' of github.com:bitwarden/server into dirt/PM-31923-whole-report-data-v2-endpoints-access-intelligence
* refactor(billing): update seat logic * test(billing): update tests for seat logic
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Return WebAuthn credential record in create response * Make CreateWebAuthnLoginCredentialCommand null-safe
…#7123) * Remove emergency access from all organization users on policy enable, or when accepted/restored * Use correct policy save system * Add additional tests * Implement both PreUpsert and OnSave side effects
* Add coupon support to invoice preview and subscription creation * Fix the build lint error * Resolve the initial review comments * fix the failing test * fix the build lint error * Fix the failing test * Resolve the unaddressed issues * Fixed the deconstruction error * Fix the lint issue * Fix the lint error * Fix the lint error * Fix the build lint error * lint error resolved * remove the setting file * rename the variable name validatedCoupon * Remove the owner property * Update OrganizationBillingService tests to align with recent refactoring - Remove GetMetadata tests as method no longer exists - Remove Owner property references from OrganizationSale (removed in d761336) - Update coupon validation to use SubscriptionDiscountRepository instead of SubscriptionDiscountService - Add missing imports for SubscriptionDiscount entities - Rename test for clarity: Finalize_WithNullOwner_SkipsValidation → Finalize_WithCouponOutsideDateRange_IgnoresCouponAndProceeds All tests passing (14/14) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix the lint error * Making the owner non nullable * fix the failing unit test * Make the owner nullable * Fix the bug for coupon in Stripe with no audience restrictions(PM-32756) * Return validation message for invalid coupon * Update the valid token message * Fix the failing unit test * Remove the duplicate method * Fix the failing build and test * Resolve the failing test * Add delete of invalid coupon * Add the expired error message * Delete on invalid coupon in stripe * Fix the lint errors * return null if we get exception from stripe * remove the auto-delete change * fix the failing test * Fix the lint build error --------- Co-authored-by: Claude <noreply@anthropic.com>
feat: add MasterPasswordSalt column to User table - Add MasterPasswordSalt column to User table in both Dapper and EF implementations - Update User stored procedures (Create, Update, UpdateMasterPassword) to handle salt column - Add EF migrations and update UserView with dependent views - Set MaxLength constraint on MasterPasswordSalt column - Update UserRepository implementations to manage salt field - Add comprehensive test coverage for salt handling and normalization
Add @FilterByValidated parameter to OrganizationReport_GetLatestByOrganizationId. When set, uses JSON_VALUE to return only reports with validated files. Defaults to 0 for backwards compatibility. Includes migration script for deployment. [PM-34909]
Thread filterByValidated parameter through IOrganizationReportRepository, Dapper (passes to SP), and EF (string.Contains LINQ filter) implementations. Defaults to false for backwards compatibility. [PM-34909]
Pass the validated filter parameter from the controller through the query interface to the repository layer. [PM-34909]
- GetLatest: pass filterByValidated to query when flag is ON, ensuring only validated reports are returned - Download: reject unvalidated files when flag is ON - Upload: reject re-upload if file is already validated [PM-34909]
- Update existing GetLatest mock to pass filterByValidated=true - Add GetLatest filter parameter tests (flag ON/OFF) - Add download validation guard tests (flag ON validated/unvalidated, flag OFF) - Add upload re-upload guard test - Add query layer parameter threading tests [PM-34909]
The pre-commit hook incorrectly stripped required usings from files it touched (Dapper, SqlConnection, AutoMapper, LinqToDB, xUnit, NSubstitute). These imports are used by other methods in the same files. [PM-34909]
…linter [PM-34909]
- Upload test: set up DefaultHttpContext with multipart content type to reach the validated file guard past the content type check - Flag-OFF test: clear ReportFile to avoid JSON deserialization error from AutoFixture-generated random string - Add Microsoft.AspNetCore.Http import for DefaultHttpContext [PM-34909]
Codecov Report ❌ Patch coverage is

Additional details and impacted files:

```diff
@@            Coverage Diff             @@
##             main    #7465      +/-   ##
==========================================
+ Coverage   58.49%   63.22%   +4.72%
==========================================
  Files        2063     2076      +13
  Lines       91190    91527     +337
  Branches     8130     8129       -1
==========================================
+ Hits        53342    57866    +4524
+ Misses      35949    31658    -4291
- Partials     1899     2003     +104
```

☔ View full report in Codecov by Sentry.
New Issues (9): Checkmarx found the following issues in this Pull Request.
Fixed Issues (5): Great job! The following issues were fixed in this Pull Request.
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-34909
📔 Objective
Closes three correctness gaps left by #7228 in the Access Intelligence report file storage endpoints, gated behind `pm-31920-access-intelligence-azure-file-storage`:

`@FilterByValidated` parameter to the `OrganizationReport_GetLatestByOrganizationId` stored procedure. When the flag is ON, the controller passes `filterByValidated=true` through the query and repository layers so only reports with validated files are returned.

`|| fileData.Validated`) to prevent overwriting an already-validated file, matching the existing pattern in `RenewFileUploadUrlAsync`.

When the flag is OFF, all three endpoints behave exactly as they do today.
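As an added illustration of the `@FilterByValidated` / `JSON_VALUE` approach described above (this is not the PR's own SQL): a T-SQL stored procedure with the same name and default, assuming a `dbo.OrganizationReportView` with `OrganizationId`, `ReportFile` (JSON text describing the uploaded file, with a boolean `Validated` property) and `RevisionDate` columns; those names and the JSON shape are assumptions.

```sql
-- Added example, not code from bitwarden/server. Assumed schema: see lead-in.
-- Requires SQL Server 2016+ for ISJSON / JSON_VALUE.
CREATE OR ALTER PROCEDURE [dbo].[OrganizationReport_GetLatestByOrganizationId]
    @OrganizationId UNIQUEIDENTIFIER,
    @FilterByValidated BIT = 0   -- default 0: existing callers keep today's behaviour
AS
BEGIN
    SET NOCOUNT ON;

    SELECT TOP 1 *
    FROM [dbo].[OrganizationReportView]
    WHERE [OrganizationId] = @OrganizationId
      AND (
            @FilterByValidated = 0
            -- JSON_VALUE returns the literal string 'true' for a JSON boolean true.
            -- The CASE/ISJSON wrapper matters because SQL Server does not guarantee
            -- predicate short-circuiting: a NULL or malformed ReportFile must not
            -- raise "JSON text is not properly formatted"; it just fails the filter,
            -- i.e. the row is treated as unvalidated and excluded.
            OR CASE WHEN ISJSON([ReportFile]) = 1
                    THEN JSON_VALUE([ReportFile], '$.Validated')
               END = 'true'
          )
    -- "Latest" is decided after filtering, so with @FilterByValidated = 1 an older
    -- validated report wins over a newer upload whose file was never validated.
    ORDER BY [RevisionDate] DESC;
END
GO

-- Usage: legacy behaviour (any latest report) vs. validated-only (flag ON path).
-- EXEC [dbo].[OrganizationReport_GetLatestByOrganizationId] @OrganizationId = '<org-guid>';
-- EXEC [dbo].[OrganizationReport_GetLatestByOrganizationId] @OrganizationId = '<org-guid>', @FilterByValidated = 1;
```

The second `EXEC` form is what the controller's `filterByValidated=true` path maps to; a row whose `ReportFile` is NULL, invalid JSON, or has `"Validated": false` is excluded rather than causing an error.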
📸 Screenshots
Not applicable -- no UI changes.