Add CreateCollectionCommand and associated interface with validation logic

* Implement CreateCollectionCommand to handle collection creation with organization checks and access permissions.
* Introduce ICreateCollectionCommand interface for defining the collection creation contract.
* Add unit tests for CreateCollectionCommand to validate various scenarios including permission checks and error handling.

src/Core/OrganizationFeatures/OrganizationCollections/CreateCollectionCommand.cs

@@ -0,0 +1,70 @@
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationCollections;
+
+public class CreateCollectionCommand : ICreateCollectionCommand
+{
+    private readonly IEventService _eventService;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly ICollectionRepository _collectionRepository;
+
+    public CreateCollectionCommand(
+        IEventService eventService,
+        IOrganizationRepository organizationRepository,
+        ICollectionRepository collectionRepository)
+    {
+        _eventService = eventService;
+        _organizationRepository = organizationRepository;
+        _collectionRepository = collectionRepository;
+    }
+
+    public async Task<Collection> CreateAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null,
+        IEnumerable<CollectionAccessSelection> users = null)
+    {
+        var org = await _organizationRepository.GetByIdAsync(collection.OrganizationId);
+        if (org == null)
+        {
+            throw new BadRequestException("Organization not found");
+        }
+
+        var groupsList = groups?.ToList();
+        var usersList = users?.ToList();
+
+        // Cannot use Manage with ReadOnly/HidePasswords permissions
+        var invalidAssociations = groupsList?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
+        if (invalidAssociations?.Any() ?? false)
+        {
+            throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
+        }
+
+        // A collection should always have someone with Can Manage permissions
+        var groupHasManageAccess = groupsList?.Any(g => g.Manage) ?? false;
+        var userHasManageAccess = usersList?.Any(u => u.Manage) ?? false;
+        if (!groupHasManageAccess && !userHasManageAccess && !org.AllowAdminAccessToAllCollectionItems)
+        {
+            throw new BadRequestException(
+                "At least one member or group must have can manage permission.");
+        }
+
+        // Check max collections limit
+        if (org.MaxCollections.HasValue)
+        {
+            var collectionCount = await _collectionRepository.GetCountByOrganizationIdAsync(org.Id);
+            if (org.MaxCollections.Value <= collectionCount)
+            {
+                throw new BadRequestException("You have reached the maximum number of collections " +
+                $"({org.MaxCollections.Value}) for this organization.");
+            }
+        }
+
+        await _collectionRepository.CreateAsync(collection, org.UseGroups ? groupsList : null, usersList);
+        await _eventService.LogCollectionEventAsync(collection, Enums.EventType.Collection_Created);
+
+        return collection;
+    }
+}

src/Core/OrganizationFeatures/OrganizationCollections/Interfaces/ICreateCollectionCommand.cs

@@ -0,0 +1,17 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
+
+public interface ICreateCollectionCommand
+{
+    /// <summary>
+    /// Creates a new collection.
+    /// </summary>
+    /// <param name="collection">The collection to create.</param>
+    /// <param name="groups">(Optional) The groups that will have access to the collection.</param>
+    /// <param name="users">(Optional) The users that will have access to the collection.</param>
+    /// <returns>The created collection.</returns>
+    Task<Collection> CreateAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null,
+        IEnumerable<CollectionAccessSelection> users = null);
+}

test/Core.Test/OrganizationFeatures/OrganizationCollections/CreateCollectionCommandTests.cs

@@ -0,0 +1,202 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Core.OrganizationFeatures.OrganizationCollections;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture;
+using Bit.Core.Test.AutoFixture.OrganizationFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.OrganizationFeatures.OrganizationCollections;
+
+[SutProviderCustomize]
+[OrganizationCustomize]
+public class CreateCollectionCommandTests
+{
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithoutGroupsAndUsers_CreatesCollection(
+        Organization organization, Collection collection,
+        SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+        var utcNow = DateTime.UtcNow;
+
+        await sutProvider.Sut.CreateAsync(collection, null, null);
+
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .Received(1)
+            .CreateAsync(
+                collection,
+                Arg.Is<List<CollectionAccessSelection>>(l => l == null),
+                Arg.Is<List<CollectionAccessSelection>>(l => l == null));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCollectionEventAsync(collection, EventType.Collection_Created);
+        Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
+        Assert.True(collection.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithGroupsAndUsers_CreatesCollectionWithGroupsAndUsers(
+        Organization organization, Collection collection,
+        [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> groups,
+        IEnumerable<CollectionAccessSelection> users,
+        SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        organization.UseGroups = true;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+        var utcNow = DateTime.UtcNow;
+
+        await sutProvider.Sut.CreateAsync(collection, groups, users);
+
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .Received(1)
+            .CreateAsync(
+                collection,
+                Arg.Is<List<CollectionAccessSelection>>(l => l.Any(i => i.Manage == true)),
+                Arg.Any<List<CollectionAccessSelection>>());
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCollectionEventAsync(collection, EventType.Collection_Created);
+        Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
+        Assert.True(collection.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithOrganizationUseGroupDisabled_CreatesCollectionWithoutGroups(
+        Organization organization, Collection collection,
+        [CollectionAccessSelectionCustomize] IEnumerable<CollectionAccessSelection> groups,
+        [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> users,
+        SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        organization.UseGroups = false;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+        var utcNow = DateTime.UtcNow;
+
+        await sutProvider.Sut.CreateAsync(collection, groups, users);
+
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .Received(1)
+            .CreateAsync(
+                collection,
+                Arg.Is<List<CollectionAccessSelection>>(l => l == null),
+                Arg.Is<List<CollectionAccessSelection>>(l => l.Any(i => i.Manage == true)));
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogCollectionEventAsync(collection, EventType.Collection_Created);
+        Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
+        Assert.True(collection.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithNonExistingOrganizationId_ThrowsBadRequest(
+        Collection collection, SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(collection));
+        Assert.Contains("Organization not found", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default, default, default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventAsync(default, default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithoutManageAccess_ThrowsBadRequest(
+        Organization organization, Collection collection,
+        [CollectionAccessSelectionCustomize] IEnumerable<CollectionAccessSelection> users,
+        SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        organization.AllowAdminAccessToAllCollectionItems = false;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(collection, null, users));
+        Assert.Contains("At least one member or group must have can manage permission.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default, default, default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventAsync(default, default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithExceedsOrganizationMaxCollections_ThrowsBadRequest(
+        Organization organization, Collection collection,
+        [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> users,
+        SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetCountByOrganizationIdAsync(organization.Id)
+            .Returns(organization.MaxCollections.Value);
+
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(collection, null, users));
+        Assert.Equal($@"You have reached the maximum number of collections ({organization.MaxCollections.Value}) for this organization.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default, default, default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventAsync(default, default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithInvalidManageAssociations_ThrowsBadRequest(
+        Organization organization, Collection collection, SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        var invalidGroups = new List<CollectionAccessSelection>
+        {
+            new() { Id = Guid.NewGuid(), Manage = true, ReadOnly = true }
+        };
+
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(collection, invalidGroups, null));
+        Assert.Contains("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default, default, default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventAsync(default, default);
+    }
+}