Merge branch 'main' into feat/pm-14496-non-root-self-hosted-images

.github/CODEOWNERS

@@ -43,8 +43,16 @@ src/Core/IdentityServer @bitwarden/team-auth-dev
 # Key Management team
 **/KeyManagement @bitwarden/team-key-management-dev
 
+# Tools team
 **/Tools @bitwarden/team-tools-dev
 
+# Dirt (Data Insights & Reporting) team
+src/Api/Controllers/Dirt @bitwarden/team-data-insights-and-reporting-dev
+src/Core/Dirt @bitwarden/team-data-insights-and-reporting-dev
+src/Infrastructure.Dapper/Dirt @bitwarden/team-data-insights-and-reporting-dev
+test/Api.Test/Dirt @bitwarden/team-data-insights-and-reporting-dev
+test/Core.Test/Dirt @bitwarden/team-data-insights-and-reporting-dev
+
 # Vault team
 **/Vault @bitwarden/team-vault-dev
 **/Vault/AuthorizationHandlers @bitwarden/team-vault-dev @bitwarden/team-admin-console-dev  # joint ownership over authorization handlers that affect organization users

Directory.Build.props

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.4.3</Version>
+    <Version>2025.5.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

bitwarden_license/src/Commercial.Core/SecretsManager/Queries/Projects/MaxProjectsQuery.cs

@@ -1,9 +1,14 @@
-using Bit.Core.Billing.Enums;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Licenses;
+using Bit.Core.Billing.Licenses.Extensions;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Queries.Projects.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
-using Bit.Core.Utilities;
+using Bit.Core.Services;
+using Bit.Core.Settings;
 
 namespace Bit.Commercial.Core.SecretsManager.Queries.Projects;
 
@@ -11,13 +16,22 @@ public class MaxProjectsQuery : IMaxProjectsQuery
 {
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IProjectRepository _projectRepository;
+    private readonly IGlobalSettings _globalSettings;
+    private readonly ILicensingService _licensingService;
+    private readonly IPricingClient _pricingClient;
 
     public MaxProjectsQuery(
         IOrganizationRepository organizationRepository,
-        IProjectRepository projectRepository)
+        IProjectRepository projectRepository,
+        IGlobalSettings globalSettings,
+        ILicensingService licensingService,
+        IPricingClient pricingClient)
     {
         _organizationRepository = organizationRepository;
         _projectRepository = projectRepository;
+        _globalSettings = globalSettings;
+        _licensingService = licensingService;
+        _pricingClient = pricingClient;
     }
 
     public async Task<(short? max, bool? overMax)> GetByOrgIdAsync(Guid organizationId, int projectsToAdd)
@@ -28,19 +42,47 @@ public class MaxProjectsQuery : IMaxProjectsQuery
             throw new NotFoundException();
         }
 
-        // TODO: PRICING -> https://bitwarden.atlassian.net/browse/PM-17122
+        var (planType, maxProjects) = await GetPlanTypeAndMaxProjectsAsync(org);
-        var plan = StaticStore.GetPlan(org.PlanType);
+
-        if (plan?.SecretsManager == null)
+        if (planType != PlanType.Free)
         {
-            throw new BadRequestException("Existing plan not found.");
+            return (null, null);
         }
 
-        if (plan.Type == PlanType.Free)
+        var projects = await _projectRepository.GetProjectCountByOrganizationIdAsync(organizationId);
+        return ((short? max, bool? overMax))(projects + projectsToAdd > maxProjects ? (maxProjects, true) : (maxProjects, false));
+    }
+
+    private async Task<(PlanType planType, int maxProjects)> GetPlanTypeAndMaxProjectsAsync(Organization organization)
+    {
+        if (_globalSettings.SelfHosted)
         {
-            var projects = await _projectRepository.GetProjectCountByOrganizationIdAsync(organizationId);
+            var license = await _licensingService.ReadOrganizationLicenseAsync(organization);
-            return ((short? max, bool? overMax))(projects + projectsToAdd > plan.SecretsManager.MaxProjects ? (plan.SecretsManager.MaxProjects, true) : (plan.SecretsManager.MaxProjects, false));
+
+            if (license == null)
+            {
+                throw new BadRequestException("License not found.");
+            }
+
+            var claimsPrincipal = _licensingService.GetClaimsPrincipalFromLicense(license);
+            var maxProjects = claimsPrincipal.GetValue<int?>(OrganizationLicenseConstants.SmMaxProjects);
+
+            if (!maxProjects.HasValue)
+            {
+                throw new BadRequestException("License does not contain a value for max Secrets Manager projects");
+            }
+
+            var planType = claimsPrincipal.GetValue<PlanType>(OrganizationLicenseConstants.PlanType);
+            return (planType, maxProjects.Value);
         }
 
-        return (null, null);
+        var plan = await _pricingClient.GetPlan(organization.PlanType);
+
+        if (plan is { SupportsSecretsManager: true })
+        {
+            return (plan.Type, plan.SecretsManager.MaxProjects);
+        }
+
+        throw new BadRequestException("Existing plan not found.");
     }
 }

bitwarden_license/test/Commercial.Core.Test/SecretsManager/Queries/Projects/MaxProjectsQueryTests.cs

@@ -1,9 +1,16 @@
-using Bit.Commercial.Core.SecretsManager.Queries.Projects;
+using System.Security.Claims;
+using Bit.Commercial.Core.SecretsManager.Queries.Projects;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Licenses;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -32,7 +39,7 @@ public class MaxProjectsQueryTests
     [BitAutoData(PlanType.FamiliesAnnually2019)]
     [BitAutoData(PlanType.Custom)]
     [BitAutoData(PlanType.FamiliesAnnually)]
-    public async Task GetByOrgIdAsync_SmPlanIsNull_ThrowsBadRequest(PlanType planType,
+    public async Task GetByOrgIdAsync_Cloud_SmPlanIsNull_ThrowsBadRequest(PlanType planType,
         SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
     {
         organization.PlanType = planType;
@@ -40,6 +47,34 @@ public class MaxProjectsQueryTests
             .GetByIdAsync(organization.Id)
             .Returns(organization);
 
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted.Returns(false);
+        var plan = StaticStore.GetPlan(planType);
+        sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType).Returns(plan);
+
+        await Assert.ThrowsAsync<BadRequestException>(
+            async () => await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1));
+
+        await sutProvider.GetDependency<IProjectRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .GetProjectCountByOrganizationIdAsync(organization.Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetByOrgIdAsync_SelfHosted_NoMaxProjectsClaim_ThrowsBadRequest(
+        SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
+    {
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted.Returns(true);
+
+        var license = new OrganizationLicense();
+        var claimsPrincipal = new ClaimsPrincipal();
+        sutProvider.GetDependency<ILicensingService>().ReadOrganizationLicenseAsync(organization).Returns(license);
+        sutProvider.GetDependency<ILicensingService>().GetClaimsPrincipalFromLicense(license).Returns(claimsPrincipal);
+
         await Assert.ThrowsAsync<BadRequestException>(
             async () => await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1));
 
@@ -62,12 +97,58 @@ public class MaxProjectsQueryTests
     [BitAutoData(PlanType.EnterpriseAnnually2019)]
     [BitAutoData(PlanType.EnterpriseAnnually2020)]
     [BitAutoData(PlanType.EnterpriseAnnually)]
-    public async Task GetByOrgIdAsync_SmNoneFreePlans_ReturnsNull(PlanType planType,
+    public async Task GetByOrgIdAsync_Cloud_SmNoneFreePlans_ReturnsNull(PlanType planType,
         SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
     {
         organization.PlanType = planType;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
 
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted.Returns(false);
+        var plan = StaticStore.GetPlan(planType);
+        sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType).Returns(plan);
+
+        var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1);
+
+        Assert.Null(limit);
+        Assert.Null(overLimit);
+
+        await sutProvider.GetDependency<IProjectRepository>().DidNotReceiveWithAnyArgs()
+            .GetProjectCountByOrganizationIdAsync(organization.Id);
+    }
+
+    [Theory]
+    [BitAutoData(PlanType.TeamsMonthly2019)]
+    [BitAutoData(PlanType.TeamsMonthly2020)]
+    [BitAutoData(PlanType.TeamsMonthly)]
+    [BitAutoData(PlanType.TeamsAnnually2019)]
+    [BitAutoData(PlanType.TeamsAnnually2020)]
+    [BitAutoData(PlanType.TeamsAnnually)]
+    [BitAutoData(PlanType.TeamsStarter)]
+    [BitAutoData(PlanType.EnterpriseMonthly2019)]
+    [BitAutoData(PlanType.EnterpriseMonthly2020)]
+    [BitAutoData(PlanType.EnterpriseMonthly)]
+    [BitAutoData(PlanType.EnterpriseAnnually2019)]
+    [BitAutoData(PlanType.EnterpriseAnnually2020)]
+    [BitAutoData(PlanType.EnterpriseAnnually)]
+    public async Task GetByOrgIdAsync_SelfHosted_SmNoneFreePlans_ReturnsNull(PlanType planType,
+        SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
+    {
+        organization.PlanType = planType;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted.Returns(true);
+
+        var license = new OrganizationLicense();
+        var plan = StaticStore.GetPlan(planType);
+        var claims = new List<Claim>
+        {
+            new (nameof(OrganizationLicenseConstants.PlanType), organization.PlanType.ToString()),
+            new (nameof(OrganizationLicenseConstants.SmMaxProjects), plan.SecretsManager.MaxProjects.ToString())
+        };
+        var identity = new ClaimsIdentity(claims, "TestAuthenticationType");
+        var claimsPrincipal = new ClaimsPrincipal(identity);
+        sutProvider.GetDependency<ILicensingService>().ReadOrganizationLicenseAsync(organization).Returns(license);
+        sutProvider.GetDependency<ILicensingService>().GetClaimsPrincipalFromLicense(license).Returns(claimsPrincipal);
+
         var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1);
 
         Assert.Null(limit);
@@ -102,7 +183,7 @@ public class MaxProjectsQueryTests
     [BitAutoData(PlanType.Free, 3, 4, true)]
     [BitAutoData(PlanType.Free, 4, 4, true)]
     [BitAutoData(PlanType.Free, 40, 4, true)]
-    public async Task GetByOrgIdAsync_SmFreePlan__Success(PlanType planType, int projects, int projectsToAdd, bool expectedOverMax,
+    public async Task GetByOrgIdAsync_Cloud_SmFreePlan__Success(PlanType planType, int projects, int projectsToAdd, bool expectedOverMax,
         SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
     {
         organization.PlanType = planType;
@@ -110,6 +191,67 @@ public class MaxProjectsQueryTests
         sutProvider.GetDependency<IProjectRepository>().GetProjectCountByOrganizationIdAsync(organization.Id)
             .Returns(projects);
 
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted.Returns(false);
+        var plan = StaticStore.GetPlan(planType);
+        sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType).Returns(plan);
+
+        var (max, overMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, projectsToAdd);
+
+        Assert.NotNull(max);
+        Assert.NotNull(overMax);
+        Assert.Equal(3, max.Value);
+        Assert.Equal(expectedOverMax, overMax);
+
+        await sutProvider.GetDependency<IProjectRepository>().Received(1)
+            .GetProjectCountByOrganizationIdAsync(organization.Id);
+    }
+
+    [Theory]
+    [BitAutoData(PlanType.Free, 0, 1, false)]
+    [BitAutoData(PlanType.Free, 1, 1, false)]
+    [BitAutoData(PlanType.Free, 2, 1, false)]
+    [BitAutoData(PlanType.Free, 3, 1, true)]
+    [BitAutoData(PlanType.Free, 4, 1, true)]
+    [BitAutoData(PlanType.Free, 40, 1, true)]
+    [BitAutoData(PlanType.Free, 0, 2, false)]
+    [BitAutoData(PlanType.Free, 1, 2, false)]
+    [BitAutoData(PlanType.Free, 2, 2, true)]
+    [BitAutoData(PlanType.Free, 3, 2, true)]
+    [BitAutoData(PlanType.Free, 4, 2, true)]
+    [BitAutoData(PlanType.Free, 40, 2, true)]
+    [BitAutoData(PlanType.Free, 0, 3, false)]
+    [BitAutoData(PlanType.Free, 1, 3, true)]
+    [BitAutoData(PlanType.Free, 2, 3, true)]
+    [BitAutoData(PlanType.Free, 3, 3, true)]
+    [BitAutoData(PlanType.Free, 4, 3, true)]
+    [BitAutoData(PlanType.Free, 40, 3, true)]
+    [BitAutoData(PlanType.Free, 0, 4, true)]
+    [BitAutoData(PlanType.Free, 1, 4, true)]
+    [BitAutoData(PlanType.Free, 2, 4, true)]
+    [BitAutoData(PlanType.Free, 3, 4, true)]
+    [BitAutoData(PlanType.Free, 4, 4, true)]
+    [BitAutoData(PlanType.Free, 40, 4, true)]
+    public async Task GetByOrgIdAsync_SelfHosted_SmFreePlan__Success(PlanType planType, int projects, int projectsToAdd, bool expectedOverMax,
+        SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
+    {
+        organization.PlanType = planType;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IProjectRepository>().GetProjectCountByOrganizationIdAsync(organization.Id)
+            .Returns(projects);
+        sutProvider.GetDependency<IGlobalSettings>().SelfHosted.Returns(true);
+
+        var license = new OrganizationLicense();
+        var plan = StaticStore.GetPlan(planType);
+        var claims = new List<Claim>
+        {
+            new (nameof(OrganizationLicenseConstants.PlanType), organization.PlanType.ToString()),
+            new (nameof(OrganizationLicenseConstants.SmMaxProjects), plan.SecretsManager.MaxProjects.ToString())
+        };
+        var identity = new ClaimsIdentity(claims, "TestAuthenticationType");
+        var claimsPrincipal = new ClaimsPrincipal(identity);
+        sutProvider.GetDependency<ILicensingService>().ReadOrganizationLicenseAsync(organization).Returns(license);
+        sutProvider.GetDependency<ILicensingService>().GetClaimsPrincipalFromLicense(license).Returns(claimsPrincipal);
+
         var (max, overMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, projectsToAdd);
 
         Assert.NotNull(max);

src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs

@@ -116,7 +116,7 @@ public class OrganizationSponsorshipsController : Controller
     [Authorize("Application")]
     [HttpPost("{sponsoringOrgId}/families-for-enterprise/resend")]
     [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task ResendSponsorshipOffer(Guid sponsoringOrgId)
+    public async Task ResendSponsorshipOffer(Guid sponsoringOrgId, [FromQuery] string sponsoredFriendlyName)
     {
         var freeFamiliesSponsorshipPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(sponsoringOrgId,
             PolicyType.FreeFamiliesSponsorshipPolicy);
@@ -129,11 +129,14 @@ public class OrganizationSponsorshipsController : Controller
         var sponsoringOrgUser = await _organizationUserRepository
             .GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default);
 
-        await _sendSponsorshipOfferCommand.SendSponsorshipOfferAsync(
+        var sponsorships = await _organizationSponsorshipRepository.GetManyBySponsoringOrganizationAsync(sponsoringOrgId);
-            await _organizationRepository.GetByIdAsync(sponsoringOrgId),
+        var filteredSponsorship = sponsorships.FirstOrDefault(s => s.FriendlyName != null && s.FriendlyName.Equals(sponsoredFriendlyName, StringComparison.OrdinalIgnoreCase));
-            sponsoringOrgUser,
+        if (filteredSponsorship != null)
-            await _organizationSponsorshipRepository
+        {
-                .GetBySponsoringOrganizationUserIdAsync(sponsoringOrgUser.Id));
+            await _sendSponsorshipOfferCommand.SendSponsorshipOfferAsync(
+                await _organizationRepository.GetByIdAsync(sponsoringOrgId),
+                sponsoringOrgUser, filteredSponsorship);
+        }
     }
 
     [Authorize("Application")]

src/Api/Vault/Controllers/CiphersController.cs

@@ -1241,6 +1241,20 @@ public class CiphersController : Controller
         return new CipherMiniResponseModel(cipher, _globalSettings, cipher.OrganizationUseTotp);
     }
 
+    [HttpGet("{id}/attachment/{attachmentId}/admin")]
+    public async Task<AttachmentResponseModel> GetAttachmentDataAdmin(Guid id, string attachmentId)
+    {
+        var cipher = await _cipherRepository.GetOrganizationDetailsByIdAsync(id);
+        if (cipher == null || !cipher.OrganizationId.HasValue ||
+            !await CanEditCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
+        {
+            throw new NotFoundException();
+        }
+
+        var result = await _cipherService.GetAttachmentDownloadDataAsync(cipher, attachmentId);
+        return new AttachmentResponseModel(result);
+    }
+
     [HttpGet("{id}/attachment/{attachmentId}")]
     public async Task<AttachmentResponseModel> GetAttachmentData(Guid id, string attachmentId)
     {
@@ -1287,18 +1301,17 @@ public class CiphersController : Controller
 
     [HttpDelete("{id}/attachment/{attachmentId}/admin")]
     [HttpPost("{id}/attachment/{attachmentId}/delete-admin")]
-    public async Task DeleteAttachmentAdmin(string id, string attachmentId)
+    public async Task<DeleteAttachmentResponseData> DeleteAttachmentAdmin(Guid id, string attachmentId)
     {
-        var idGuid = new Guid(id);
         var userId = _userService.GetProperUserId(User).Value;
-        var cipher = await _cipherRepository.GetByIdAsync(idGuid);
+        var cipher = await _cipherRepository.GetByIdAsync(id);
         if (cipher == null || !cipher.OrganizationId.HasValue ||
             !await CanEditCipherAsAdminAsync(cipher.OrganizationId.Value, new[] { cipher.Id }))
         {
             throw new NotFoundException();
         }
 
-        await _cipherService.DeleteAttachmentAsync(cipher, attachmentId, userId, true);
+        return await _cipherService.DeleteAttachmentAsync(cipher, attachmentId, userId, true);
     }
 
     [AllowAnonymous]

src/Core/AdminConsole/Models/Data/Integrations/IntegrationTemplateContext.cs

@@ -0,0 +1,37 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+#nullable enable
+
+namespace Bit.Core.Models.Data.Integrations;
+
+public class IntegrationTemplateContext(EventMessage eventMessage)
+{
+    public EventMessage Event { get; } = eventMessage;
+
+    public string DomainName => Event.DomainName;
+    public string IpAddress => Event.IpAddress;
+    public DeviceType? DeviceType => Event.DeviceType;
+    public Guid? ActingUserId => Event.ActingUserId;
+    public Guid? OrganizationUserId => Event.OrganizationUserId;
+    public DateTime Date => Event.Date;
+    public EventType Type => Event.Type;
+    public Guid? UserId => Event.UserId;
+    public Guid? OrganizationId => Event.OrganizationId;
+    public Guid? CipherId => Event.CipherId;
+    public Guid? CollectionId => Event.CollectionId;
+    public Guid? GroupId => Event.GroupId;
+    public Guid? PolicyId => Event.PolicyId;
+
+    public User? User { get; set; }
+    public string? UserName => User?.Name;
+    public string? UserEmail => User?.Email;
+
+    public User? ActingUser { get; set; }
+    public string? ActingUserName => ActingUser?.Name;
+    public string? ActingUserEmail => ActingUser?.Email;
+
+    public Organization? Organization { get; set; }
+    public string? OrganizationName => Organization?.DisplayName();
+}

src/Core/AdminConsole/Services/Implementations/EventRouteService.cs

@@ -0,0 +1,34 @@
+using Bit.Core.Models.Data;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Services;
+
+public class EventRouteService(
+    [FromKeyedServices("broadcast")] IEventWriteService broadcastEventWriteService,
+    [FromKeyedServices("storage")] IEventWriteService storageEventWriteService,
+    IFeatureService _featureService) : IEventWriteService
+{
+    public async Task CreateAsync(IEvent e)
+    {
+        if (_featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations))
+        {
+            await broadcastEventWriteService.CreateAsync(e);
+        }
+        else
+        {
+            await storageEventWriteService.CreateAsync(e);
+        }
+    }
+
+    public async Task CreateManyAsync(IEnumerable<IEvent> e)
+    {
+        if (_featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations))
+        {
+            await broadcastEventWriteService.CreateManyAsync(e);
+        }
+        else
+        {
+            await storageEventWriteService.CreateManyAsync(e);
+        }
+    }
+}

src/Core/AdminConsole/Services/Implementations/IntegrationEventHandlerBase.cs

@@ -0,0 +1,66 @@
+using System.Text.Json.Nodes;
+using Bit.Core.AdminConsole.Utilities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Integrations;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.Services;
+
+public abstract class IntegrationEventHandlerBase(
+    IUserRepository userRepository,
+    IOrganizationRepository organizationRepository,
+    IOrganizationIntegrationConfigurationRepository configurationRepository)
+    : IEventMessageHandler
+{
+    public async Task HandleEventAsync(EventMessage eventMessage)
+    {
+        var organizationId = eventMessage.OrganizationId ?? Guid.Empty;
+        var configurations = await configurationRepository.GetConfigurationDetailsAsync(
+            organizationId,
+            GetIntegrationType(),
+            eventMessage.Type);
+
+        foreach (var configuration in configurations)
+        {
+            var context = await BuildContextAsync(eventMessage, configuration.Template);
+            var renderedTemplate = IntegrationTemplateProcessor.ReplaceTokens(configuration.Template, context);
+
+            await ProcessEventIntegrationAsync(configuration.MergedConfiguration, renderedTemplate);
+        }
+    }
+
+    public async Task HandleManyEventsAsync(IEnumerable<EventMessage> eventMessages)
+    {
+        foreach (var eventMessage in eventMessages)
+        {
+            await HandleEventAsync(eventMessage);
+        }
+    }
+
+    private async Task<IntegrationTemplateContext> BuildContextAsync(EventMessage eventMessage, string template)
+    {
+        var context = new IntegrationTemplateContext(eventMessage);
+
+        if (IntegrationTemplateProcessor.TemplateRequiresUser(template) && eventMessage.UserId.HasValue)
+        {
+            context.User = await userRepository.GetByIdAsync(eventMessage.UserId.Value);
+        }
+
+        if (IntegrationTemplateProcessor.TemplateRequiresActingUser(template) && eventMessage.ActingUserId.HasValue)
+        {
+            context.ActingUser = await userRepository.GetByIdAsync(eventMessage.ActingUserId.Value);
+        }
+
+        if (IntegrationTemplateProcessor.TemplateRequiresOrganization(template) && eventMessage.OrganizationId.HasValue)
+        {
+            context.Organization = await organizationRepository.GetByIdAsync(eventMessage.OrganizationId.Value);
+        }
+
+        return context;
+    }
+
+    protected abstract IntegrationType GetIntegrationType();
+
+    protected abstract Task ProcessEventIntegrationAsync(JsonObject mergedConfiguration, string renderedTemplate);
+}

src/Core/AdminConsole/Services/Implementations/SlackEventHandler.cs

@@ -1,46 +1,35 @@
 using System.Text.Json;
-using Bit.Core.AdminConsole.Utilities;
+using System.Text.Json.Nodes;
 using Bit.Core.Enums;
-using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Integrations;
 using Bit.Core.Repositories;
 
+#nullable enable
+
 namespace Bit.Core.Services;
 
 public class SlackEventHandler(
+    IUserRepository userRepository,
+    IOrganizationRepository organizationRepository,
     IOrganizationIntegrationConfigurationRepository configurationRepository,
     ISlackService slackService)
-    : IEventMessageHandler
+    : IntegrationEventHandlerBase(userRepository, organizationRepository, configurationRepository)
 {
-    public async Task HandleEventAsync(EventMessage eventMessage)
+    protected override IntegrationType GetIntegrationType() => IntegrationType.Slack;
+
+    protected override async Task ProcessEventIntegrationAsync(JsonObject mergedConfiguration,
+        string renderedTemplate)
     {
-        var organizationId = eventMessage.OrganizationId ?? Guid.Empty;
+        var config = mergedConfiguration.Deserialize<SlackIntegrationConfigurationDetails>();
-        var configurations = await configurationRepository.GetConfigurationDetailsAsync(
+        if (config is null)
-            organizationId,
-            IntegrationType.Slack,
-            eventMessage.Type);
-
-        foreach (var configuration in configurations)
         {
-            var config = configuration.MergedConfiguration.Deserialize<SlackIntegrationConfigurationDetails>();
+            return;
-            if (config is null)
-            {
-                continue;
-            }
-
-            await slackService.SendSlackMessageByChannelIdAsync(
-                config.token,
-                IntegrationTemplateProcessor.ReplaceTokens(configuration.Template, eventMessage),
-                config.channelId
-            );
         }
-    }
 
-    public async Task HandleManyEventsAsync(IEnumerable<EventMessage> eventMessages)
+        await slackService.SendSlackMessageByChannelIdAsync(
-    {
+            config.token,
-        foreach (var eventMessage in eventMessages)
+            renderedTemplate,
-        {
+            config.channelId
-            await HandleEventAsync(eventMessage);
+        );
-        }
     }
 }

src/Core/AdminConsole/Services/Implementations/WebhookEventHandler.cs

@@ -1,8 +1,7 @@
 using System.Text;
 using System.Text.Json;
-using Bit.Core.AdminConsole.Utilities;
+using System.Text.Json.Nodes;
 using Bit.Core.Enums;
-using Bit.Core.Models.Data;
 using Bit.Core.Models.Data.Integrations;
 using Bit.Core.Repositories;
 
@@ -12,46 +11,28 @@ namespace Bit.Core.Services;
 
 public class WebhookEventHandler(
     IHttpClientFactory httpClientFactory,
+    IUserRepository userRepository,
+    IOrganizationRepository organizationRepository,
     IOrganizationIntegrationConfigurationRepository configurationRepository)
-    : IEventMessageHandler
+    : IntegrationEventHandlerBase(userRepository, organizationRepository, configurationRepository)
 {
     private readonly HttpClient _httpClient = httpClientFactory.CreateClient(HttpClientName);
 
     public const string HttpClientName = "WebhookEventHandlerHttpClient";
 
-    public async Task HandleEventAsync(EventMessage eventMessage)
+    protected override IntegrationType GetIntegrationType() => IntegrationType.Webhook;
+
+    protected override async Task ProcessEventIntegrationAsync(JsonObject mergedConfiguration,
+        string renderedTemplate)
     {
-        var organizationId = eventMessage.OrganizationId ?? Guid.Empty;
+        var config = mergedConfiguration.Deserialize<WebhookIntegrationConfigurationDetils>();
-        var configurations = await configurationRepository.GetConfigurationDetailsAsync(
+        if (config is null || string.IsNullOrEmpty(config.url))
-            organizationId,
-            IntegrationType.Webhook,
-            eventMessage.Type);
-
-        foreach (var configuration in configurations)
         {
-            var config = configuration.MergedConfiguration.Deserialize<WebhookIntegrationConfigurationDetils>();
+            return;
-            if (config is null || string.IsNullOrEmpty(config.url))
-            {
-                continue;
-            }
-
-            var content = new StringContent(
-                IntegrationTemplateProcessor.ReplaceTokens(configuration.Template, eventMessage),
-                Encoding.UTF8,
-                "application/json"
-            );
-            var response = await _httpClient.PostAsync(
-                config.url,
-                content);
-            response.EnsureSuccessStatusCode();
         }
-    }
 
-    public async Task HandleManyEventsAsync(IEnumerable<EventMessage> eventMessages)
+        var content = new StringContent(renderedTemplate, Encoding.UTF8, "application/json");
-    {
+        var response = await _httpClient.PostAsync(config.url, content);
-        foreach (var eventMessage in eventMessages)
+        response.EnsureSuccessStatusCode();
-        {
-            await HandleEventAsync(eventMessage);
-        }
     }
 }

src/Core/AdminConsole/Utilities/IntegrationTemplateProcessor.cs

@@ -10,8 +10,9 @@ public static partial class IntegrationTemplateProcessor
     public static string ReplaceTokens(string template, object values)
     {
         if (string.IsNullOrEmpty(template) || values == null)
+        {
             return template;
-
+        }
         var type = values.GetType();
         return TokenRegex().Replace(template, match =>
         {
@@ -20,4 +21,36 @@ public static partial class IntegrationTemplateProcessor
             return property?.GetValue(values)?.ToString() ?? match.Value;
         });
     }
+
+    public static bool TemplateRequiresUser(string template)
+    {
+        if (string.IsNullOrEmpty(template))
+        {
+            return false;
+        }
+
+        return template.Contains("#UserName#", StringComparison.Ordinal)
+               || template.Contains("#UserEmail#", StringComparison.Ordinal);
+    }
+
+    public static bool TemplateRequiresActingUser(string template)
+    {
+        if (string.IsNullOrEmpty(template))
+        {
+            return false;
+        }
+
+        return template.Contains("#ActingUserName#", StringComparison.Ordinal)
+               || template.Contains("#ActingUserEmail#", StringComparison.Ordinal);
+    }
+
+    public static bool TemplateRequiresOrganization(string template)
+    {
+        if (string.IsNullOrEmpty(template))
+        {
+            return false;
+        }
+
+        return template.Contains("#OrganizationName#", StringComparison.Ordinal);
+    }
 }

src/Core/Billing/Licenses/LicenseConstants.cs

@@ -34,6 +34,7 @@ public static class OrganizationLicenseConstants
     public const string UseSecretsManager = nameof(UseSecretsManager);
     public const string SmSeats = nameof(SmSeats);
     public const string SmServiceAccounts = nameof(SmServiceAccounts);
+    public const string SmMaxProjects = nameof(SmMaxProjects);
     public const string LimitCollectionCreationDeletion = nameof(LimitCollectionCreationDeletion);
     public const string AllowAdminAccessToAllCollectionItems = nameof(AllowAdminAccessToAllCollectionItems);
     public const string UseRiskInsights = nameof(UseRiskInsights);

src/Core/Billing/Licenses/Models/LicenseContext.cs

@@ -7,4 +7,5 @@ public class LicenseContext
 {
     public Guid? InstallationId { get; init; }
     public required SubscriptionInfo SubscriptionInfo { get; init; }
+    public int? SmMaxProjects { get; set; }
 }

src/Core/Billing/Licenses/Services/Implementations/OrganizationLicenseClaimsFactory.cs

@@ -112,6 +112,11 @@ public class OrganizationLicenseClaimsFactory : ILicenseClaimsFactory<Organizati
         }
         claims.Add(new Claim(nameof(OrganizationLicenseConstants.UseAdminSponsoredFamilies), entity.UseAdminSponsoredFamilies.ToString()));
 
+        if (licenseContext.SmMaxProjects.HasValue)
+        {
+            claims.Add(new Claim(nameof(OrganizationLicenseConstants.SmMaxProjects), licenseContext.SmMaxProjects.ToString()));
+        }
+
         return Task.FromResult(claims);
     }
 

src/Core/OrganizationFeatures/OrganizationLicenses/Cloud/CloudGetOrganizationLicenseQuery.cs

@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@@ -16,19 +17,22 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
     private readonly ILicensingService _licensingService;
     private readonly IProviderRepository _providerRepository;
     private readonly IFeatureService _featureService;
+    private readonly IPricingClient _pricingClient;
 
     public CloudGetOrganizationLicenseQuery(
         IInstallationRepository installationRepository,
         IPaymentService paymentService,
         ILicensingService licensingService,
         IProviderRepository providerRepository,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IPricingClient pricingClient)
     {
         _installationRepository = installationRepository;
         _paymentService = paymentService;
         _licensingService = licensingService;
         _providerRepository = providerRepository;
         _featureService = featureService;
+        _pricingClient = pricingClient;
     }
 
     public async Task<OrganizationLicense> GetLicenseAsync(Organization organization, Guid installationId,
@@ -42,7 +46,11 @@ public class CloudGetOrganizationLicenseQuery : ICloudGetOrganizationLicenseQuer
 
         var subscriptionInfo = await GetSubscriptionAsync(organization);
         var license = new OrganizationLicense(organization, subscriptionInfo, installationId, _licensingService, version);
-        license.Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo);
+        var plan = await _pricingClient.GetPlan(organization.PlanType);
+        int? smMaxProjects = plan?.SupportsSecretsManager ?? false
+            ? plan.SecretsManager.MaxProjects
+            : null;
+        license.Token = await _licensingService.CreateOrganizationTokenAsync(organization, installationId, subscriptionInfo, smMaxProjects);
 
         return license;
     }

src/Core/Services/ILicensingService.cs

@@ -21,7 +21,8 @@ public interface ILicensingService
     Task<string?> CreateOrganizationTokenAsync(
         Organization organization,
         Guid installationId,
-        SubscriptionInfo subscriptionInfo);
+        SubscriptionInfo subscriptionInfo,
+        int? smMaxProjects);
 
     Task<string?> CreateUserTokenAsync(User user, SubscriptionInfo subscriptionInfo);
 }

src/Core/Services/Implementations/LicensingService.cs

@@ -339,12 +339,13 @@ public class LicensingService : ILicensingService
         }
     }
 
-    public async Task<string> CreateOrganizationTokenAsync(Organization organization, Guid installationId, SubscriptionInfo subscriptionInfo)
+    public async Task<string> CreateOrganizationTokenAsync(Organization organization, Guid installationId, SubscriptionInfo subscriptionInfo, int? smMaxProjects)
     {
         var licenseContext = new LicenseContext
         {
             InstallationId = installationId,
             SubscriptionInfo = subscriptionInfo,
+            SmMaxProjects = smMaxProjects
         };
 
         var claims = await _organizationLicenseClaimsFactory.GenerateClaims(organization, licenseContext);

src/Core/Services/NoopImplementations/NoopLicensingService.cs

@@ -62,7 +62,7 @@ public class NoopLicensingService : ILicensingService
         return null;
     }
 
-    public Task<string?> CreateOrganizationTokenAsync(Organization organization, Guid installationId, SubscriptionInfo subscriptionInfo)
+    public Task<string?> CreateOrganizationTokenAsync(Organization organization, Guid installationId, SubscriptionInfo subscriptionInfo, int? smMaxProjects)
     {
         return Task.FromResult<string?>(null);
     }

src/Core/Vault/Services/Implementations/CipherService.cs

@@ -379,7 +379,7 @@ public class CipherService : ICipherService
         if (!valid || realSize > MAX_FILE_SIZE)
         {
             // File reported differs in size from that promised. Must be a rogue client. Delete Send
-            await DeleteAttachmentAsync(cipher, attachmentData);
+            await DeleteAttachmentAsync(cipher, attachmentData, false);
             return false;
         }
         // Update Send data if necessary
@@ -483,7 +483,7 @@ public class CipherService : ICipherService
             throw new NotFoundException();
         }
 
-        return await DeleteAttachmentAsync(cipher, cipher.GetAttachments()[attachmentId]);
+        return await DeleteAttachmentAsync(cipher, cipher.GetAttachments()[attachmentId], orgAdmin);
     }
 
     public async Task PurgeAsync(Guid organizationId)
@@ -877,7 +877,7 @@ public class CipherService : ICipherService
         }
     }
 
-    private async Task<DeleteAttachmentResponseData> DeleteAttachmentAsync(Cipher cipher, CipherAttachment.MetaData attachmentData)
+    private async Task<DeleteAttachmentResponseData> DeleteAttachmentAsync(Cipher cipher, CipherAttachment.MetaData attachmentData, bool orgAdmin)
     {
         if (attachmentData == null || string.IsNullOrWhiteSpace(attachmentData.AttachmentId))
         {
@@ -891,7 +891,7 @@ public class CipherService : ICipherService
 
         // Update the revision date when an attachment is deleted
         cipher.RevisionDate = DateTime.UtcNow;
-        await _cipherRepository.ReplaceAsync((CipherDetails)cipher);
+        await _cipherRepository.ReplaceAsync(orgAdmin ? cipher : (CipherDetails)cipher);
 
         // push
         await _pushService.PushSyncCipherUpdateAsync(cipher, null);

src/Events/Startup.cs

@@ -1,5 +1,4 @@
 using System.Globalization;
-using Bit.Core;
 using Bit.Core.AdminConsole.Services.Implementations;
 using Bit.Core.AdminConsole.Services.NoopImplementations;
 using Bit.Core.Context;
@@ -94,13 +93,7 @@ public class Startup
                 services.AddKeyedSingleton<IEventWriteService, NoopEventWriteService>("broadcast");
             }
         }
-        services.AddScoped<IEventWriteService>(sp =>
+        services.AddScoped<IEventWriteService, EventRouteService>();
-        {
-            var featureService = sp.GetRequiredService<IFeatureService>();
-            var key = featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations)
-                ? "broadcast" : "storage";
-            return sp.GetRequiredKeyedService<IEventWriteService>(key);
-        });
         services.AddScoped<IEventService, EventService>();
 
         services.AddOptionality();

src/SharedWeb/Utilities/ServiceCollectionExtensions.cs

@@ -5,7 +5,6 @@ using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
 using Azure.Storage.Queues;
-using Bit.Core;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.Services;
@@ -367,13 +366,7 @@ public static class ServiceCollectionExtensions
             services.AddKeyedSingleton<IEventWriteService, NoopEventWriteService>("storage");
             services.AddKeyedSingleton<IEventWriteService, NoopEventWriteService>("broadcast");
         }
-        services.AddScoped<IEventWriteService>(sp =>
+        services.AddScoped<IEventWriteService, EventRouteService>();
-        {
-            var featureService = sp.GetRequiredService<IFeatureService>();
-            var key = featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations)
-                ? "broadcast" : "storage";
-            return sp.GetRequiredKeyedService<IEventWriteService>(key);
-        });
 
         if (CoreHelpers.SettingHasValue(globalSettings.Attachment.ConnectionString))
         {

test/Core.Test/AdminConsole/Services/EventRouteServiceTests.cs

@@ -0,0 +1,65 @@
+using Bit.Core.Models.Data;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Services;
+
+[SutProviderCustomize]
+public class EventRouteServiceTests
+{
+    private readonly IEventWriteService _broadcastEventWriteService = Substitute.For<IEventWriteService>();
+    private readonly IEventWriteService _storageEventWriteService = Substitute.For<IEventWriteService>();
+    private readonly IFeatureService _featureService = Substitute.For<IFeatureService>();
+    private readonly EventRouteService Subject;
+
+    public EventRouteServiceTests()
+    {
+        Subject = new EventRouteService(_broadcastEventWriteService, _storageEventWriteService, _featureService);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_FlagDisabled_EventSentToStorageService(EventMessage eventMessage)
+    {
+        _featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations).Returns(false);
+
+        await Subject.CreateAsync(eventMessage);
+
+        _broadcastEventWriteService.DidNotReceiveWithAnyArgs().CreateAsync(Arg.Any<EventMessage>());
+        _storageEventWriteService.Received(1).CreateAsync(eventMessage);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_FlagEnabled_EventSentToBroadcastService(EventMessage eventMessage)
+    {
+        _featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations).Returns(true);
+
+        await Subject.CreateAsync(eventMessage);
+
+        _broadcastEventWriteService.Received(1).CreateAsync(eventMessage);
+        _storageEventWriteService.DidNotReceiveWithAnyArgs().CreateAsync(Arg.Any<EventMessage>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateManyAsync_FlagDisabled_EventsSentToStorageService(IEnumerable<EventMessage> eventMessages)
+    {
+        _featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations).Returns(false);
+
+        await Subject.CreateManyAsync(eventMessages);
+
+        _broadcastEventWriteService.DidNotReceiveWithAnyArgs().CreateManyAsync(Arg.Any<IEnumerable<EventMessage>>());
+        _storageEventWriteService.Received(1).CreateManyAsync(eventMessages);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateManyAsync_FlagEnabled_EventsSentToBroadcastService(IEnumerable<EventMessage> eventMessages)
+    {
+        _featureService.IsEnabled(FeatureFlagKeys.EventBasedOrganizationIntegrations).Returns(true);
+
+        await Subject.CreateManyAsync(eventMessages);
+
+        _broadcastEventWriteService.Received(1).CreateManyAsync(eventMessages);
+        _storageEventWriteService.DidNotReceiveWithAnyArgs().CreateManyAsync(Arg.Any<IEnumerable<EventMessage>>());
+    }
+}

test/Core.Test/AdminConsole/Services/IntegrationEventHandlerBaseTests.cs

@@ -0,0 +1,219 @@
+using System.Text.Json;
+using System.Text.Json.Nodes;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Services;
+
+[SutProviderCustomize]
+public class IntegrationEventHandlerBaseEventHandlerTests
+{
+    private const string _templateBase = "Date: #Date#, Type: #Type#, UserId: #UserId#";
+    private const string _templateWithOrganization = "Org: #OrganizationName#";
+    private const string _templateWithUser = "#UserName#, #UserEmail#";
+    private const string _templateWithActingUser = "#ActingUserName#, #ActingUserEmail#";
+    private const string _url = "https://localhost";
+
+    private SutProvider<TestIntegrationEventHandlerBase> GetSutProvider(
+        List<OrganizationIntegrationConfigurationDetails> configurations)
+    {
+        var configurationRepository = Substitute.For<IOrganizationIntegrationConfigurationRepository>();
+        configurationRepository.GetConfigurationDetailsAsync(Arg.Any<Guid>(),
+            IntegrationType.Webhook, Arg.Any<EventType>()).Returns(configurations);
+
+        return new SutProvider<TestIntegrationEventHandlerBase>()
+            .SetDependency(configurationRepository)
+            .Create();
+    }
+
+    private static List<OrganizationIntegrationConfigurationDetails> NoConfigurations()
+    {
+        return [];
+    }
+
+    private static List<OrganizationIntegrationConfigurationDetails> OneConfiguration(string template)
+    {
+        var config = Substitute.For<OrganizationIntegrationConfigurationDetails>();
+        config.Configuration = null;
+        config.IntegrationConfiguration = JsonSerializer.Serialize(new { url = _url });
+        config.Template = template;
+
+        return [config];
+    }
+
+    private static List<OrganizationIntegrationConfigurationDetails> TwoConfigurations(string template)
+    {
+        var config = Substitute.For<OrganizationIntegrationConfigurationDetails>();
+        config.Configuration = null;
+        config.IntegrationConfiguration = JsonSerializer.Serialize(new { url = _url });
+        config.Template = template;
+        var config2 = Substitute.For<OrganizationIntegrationConfigurationDetails>();
+        config2.Configuration = null;
+        config2.IntegrationConfiguration = JsonSerializer.Serialize(new { url = _url });
+        config2.Template = template;
+
+        return [config, config2];
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_BaseTemplateNoConfigurations_DoesNothing(EventMessage eventMessage)
+    {
+        var sutProvider = GetSutProvider(NoConfigurations());
+
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+        Assert.Empty(sutProvider.Sut.CapturedCalls);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_BaseTemplateOneConfiguration_CallsProcessEventIntegrationAsync(EventMessage eventMessage)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateBase));
+
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+
+        Assert.Single(sutProvider.Sut.CapturedCalls);
+
+        var expectedTemplate = $"Date: {eventMessage.Date}, Type: {eventMessage.Type}, UserId: {eventMessage.UserId}";
+
+        Assert.Equal(expectedTemplate, sutProvider.Sut.CapturedCalls.Single().RenderedTemplate);
+        await sutProvider.GetDependency<IOrganizationRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IUserRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_ActingUserTemplate_LoadsUserFromRepository(EventMessage eventMessage)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateWithActingUser));
+        var user = Substitute.For<User>();
+        user.Email = "test@example.com";
+        user.Name = "Test";
+
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(Arg.Any<Guid>()).Returns(user);
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+
+        Assert.Single(sutProvider.Sut.CapturedCalls);
+
+        var expectedTemplate = $"{user.Name}, {user.Email}";
+        Assert.Equal(expectedTemplate, sutProvider.Sut.CapturedCalls.Single().RenderedTemplate);
+        await sutProvider.GetDependency<IOrganizationRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IUserRepository>().Received(1).GetByIdAsync(eventMessage.ActingUserId ?? Guid.Empty);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_OrganizationTemplate_LoadsOrganizationFromRepository(EventMessage eventMessage)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateWithOrganization));
+        var organization = Substitute.For<Organization>();
+        organization.Name = "Test";
+
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(Arg.Any<Guid>()).Returns(organization);
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+
+        Assert.Single(sutProvider.Sut.CapturedCalls);
+
+        var expectedTemplate = $"Org: {organization.Name}";
+        Assert.Equal(expectedTemplate, sutProvider.Sut.CapturedCalls.Single().RenderedTemplate);
+        await sutProvider.GetDependency<IOrganizationRepository>().Received(1).GetByIdAsync(eventMessage.OrganizationId ?? Guid.Empty);
+        await sutProvider.GetDependency<IUserRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(Arg.Any<Guid>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleEventAsync_UserTemplate_LoadsUserFromRepository(EventMessage eventMessage)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateWithUser));
+        var user = Substitute.For<User>();
+        user.Email = "test@example.com";
+        user.Name = "Test";
+
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(Arg.Any<Guid>()).Returns(user);
+        await sutProvider.Sut.HandleEventAsync(eventMessage);
+
+        Assert.Single(sutProvider.Sut.CapturedCalls);
+
+        var expectedTemplate = $"{user.Name}, {user.Email}";
+        Assert.Equal(expectedTemplate, sutProvider.Sut.CapturedCalls.Single().RenderedTemplate);
+        await sutProvider.GetDependency<IOrganizationRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(Arg.Any<Guid>());
+        await sutProvider.GetDependency<IUserRepository>().Received(1).GetByIdAsync(eventMessage.UserId ?? Guid.Empty);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleManyEventsAsync_BaseTemplateNoConfigurations_DoesNothing(List<EventMessage> eventMessages)
+    {
+        var sutProvider = GetSutProvider(NoConfigurations());
+
+        await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
+        Assert.Empty(sutProvider.Sut.CapturedCalls);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleManyEventsAsync_BaseTemplateOneConfiguration_CallsProcessEventIntegrationAsync(List<EventMessage> eventMessages)
+    {
+        var sutProvider = GetSutProvider(OneConfiguration(_templateBase));
+
+        await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
+
+        Assert.Equal(eventMessages.Count, sutProvider.Sut.CapturedCalls.Count);
+        var index = 0;
+        foreach (var call in sutProvider.Sut.CapturedCalls)
+        {
+            var expected = eventMessages[index];
+            var expectedTemplate = $"Date: {expected.Date}, Type: {expected.Type}, UserId: {expected.UserId}";
+
+            Assert.Equal(expectedTemplate, call.RenderedTemplate);
+            index++;
+        }
+    }
+
+    [Theory, BitAutoData]
+    public async Task HandleManyEventsAsync_BaseTemplateTwoConfigurations_CallsProcessEventIntegrationAsyncMultipleTimes(
+        List<EventMessage> eventMessages)
+    {
+        var sutProvider = GetSutProvider(TwoConfigurations(_templateBase));
+
+        await sutProvider.Sut.HandleManyEventsAsync(eventMessages);
+
+        Assert.Equal(eventMessages.Count * 2, sutProvider.Sut.CapturedCalls.Count);
+
+        var capturedCalls = sutProvider.Sut.CapturedCalls.GetEnumerator();
+        foreach (var eventMessage in eventMessages)
+        {
+            var expectedTemplate = $"Date: {eventMessage.Date}, Type: {eventMessage.Type}, UserId: {eventMessage.UserId}";
+
+            Assert.True(capturedCalls.MoveNext());
+            var call = capturedCalls.Current;
+            Assert.Equal(expectedTemplate, call.RenderedTemplate);
+
+            Assert.True(capturedCalls.MoveNext());
+            call = capturedCalls.Current;
+            Assert.Equal(expectedTemplate, call.RenderedTemplate);
+        }
+    }
+
+    private class TestIntegrationEventHandlerBase : IntegrationEventHandlerBase
+    {
+        public TestIntegrationEventHandlerBase(IUserRepository userRepository,
+            IOrganizationRepository organizationRepository,
+            IOrganizationIntegrationConfigurationRepository configurationRepository)
+            : base(userRepository, organizationRepository, configurationRepository)
+        { }
+
+        public List<(JsonObject MergedConfiguration, string RenderedTemplate)> CapturedCalls { get; } = new();
+
+        protected override IntegrationType GetIntegrationType() => IntegrationType.Webhook;
+
+        protected override Task ProcessEventIntegrationAsync(JsonObject mergedConfiguration, string renderedTemplate)
+        {
+            CapturedCalls.Add((mergedConfiguration, renderedTemplate));
+            return Task.CompletedTask;
+        }
+    }
+}

test/Core.Test/AdminConsole/Utilities/IntegrationTemplateProcessorTests.cs

@@ -89,4 +89,61 @@ public class IntegrationTemplateProcessorTests
 
         Assert.Equal(expected, result);
     }
+
+    [Theory]
+    [InlineData("User name is #UserName#")]
+    [InlineData("Email: #UserEmail#")]
+    public void TemplateRequiresUser_ContainingKeys_ReturnsTrue(string template)
+    {
+        var result = IntegrationTemplateProcessor.TemplateRequiresUser(template);
+        Assert.True(result);
+    }
+
+    [Theory]
+    [InlineData("#UserId#")]  // This is on the base class, not fetched, so should be false
+    [InlineData("No User Tokens")]
+    [InlineData("")]
+    public void TemplateRequiresUser_EmptyInputOrNoMatchingKeys_ReturnsFalse(string template)
+    {
+        var result = IntegrationTemplateProcessor.TemplateRequiresUser(template);
+        Assert.False(result);
+    }
+
+    [Theory]
+    [InlineData("Acting user is #ActingUserName#")]
+    [InlineData("Acting user's email is #ActingUserEmail#")]
+    public void TemplateRequiresActingUser_ContainingKeys_ReturnsTrue(string template)
+    {
+        var result = IntegrationTemplateProcessor.TemplateRequiresActingUser(template);
+        Assert.True(result);
+    }
+
+    [Theory]
+    [InlineData("No ActiveUser tokens")]
+    [InlineData("#ActiveUserId#")]  // This is on the base class, not fetched, so should be false
+    [InlineData("")]
+    public void TemplateRequiresActingUser_EmptyInputOrNoMatchingKeys_ReturnsFalse(string template)
+    {
+        var result = IntegrationTemplateProcessor.TemplateRequiresActingUser(template);
+        Assert.False(result);
+    }
+
+    [Theory]
+    [InlineData("Organization: #OrganizationName#")]
+    [InlineData("Welcome to #OrganizationName#")]
+    public void TemplateRequiresOrganization_ContainingKeys_ReturnsTrue(string template)
+    {
+        var result = IntegrationTemplateProcessor.TemplateRequiresOrganization(template);
+        Assert.True(result);
+    }
+
+    [Theory]
+    [InlineData("No organization tokens")]
+    [InlineData("#OrganizationId#")]  // This is on the base class, not fetched, so should be false
+    [InlineData("")]
+    public void TemplateRequiresOrganization_EmptyInputOrNoMatchingKeys_ReturnsFalse(string template)
+    {
+        var result = IntegrationTemplateProcessor.TemplateRequiresOrganization(template);
+        Assert.False(result);
+    }
 }

test/Core.Test/OrganizationFeatures/OrganizationLicenses/CloudGetOrganizationLicenseQueryTests.cs

@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Pricing;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@@ -8,6 +9,7 @@ using Bit.Core.OrganizationFeatures.OrganizationLicenses;
 using Bit.Core.Platform.Installations;
 using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
+using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@@ -76,8 +78,10 @@ public class CloudGetOrganizationLicenseQueryTests
         sutProvider.GetDependency<IInstallationRepository>().GetByIdAsync(installationId).Returns(installation);
         sutProvider.GetDependency<IPaymentService>().GetSubscriptionAsync(organization).Returns(subInfo);
         sutProvider.GetDependency<ILicensingService>().SignLicense(Arg.Any<ILicense>()).Returns(licenseSignature);
+        var plan = StaticStore.GetPlan(organization.PlanType);
+        sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType).Returns(plan);
         sutProvider.GetDependency<ILicensingService>()
-            .CreateOrganizationTokenAsync(organization, installationId, subInfo)
+            .CreateOrganizationTokenAsync(organization, installationId, subInfo, plan.SecretsManager.MaxProjects)
             .Returns(token);
 
         var result = await sutProvider.Sut.GetLicenseAsync(organization, installationId);