[AC-1638] Disallow Secrets Manager for MSP-managed organizations (#3297)

* Block MSPs from creating orgs with SM

* Block MSPs from adding SM to a managed org

* Prevent manually adding SM to an MSP-managed org

* Revert "Prevent manually adding SM to an MSP-managed org"

This change is no longer required

This reverts commit 51b086243b.

* Block provider from adding org with SM

* Update error message when adding existing org with SM to provider

* Update check to match client

* Revert "Update check to match client"

This reverts commit f195c1c1f6.

test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/AddSecretsManagerSubscriptionCommandTests.cs

@@ -1,9 +1,12 @@
 using Bit.Core.Entities;
+using Bit.Core.Entities.Provider;
 using Bit.Core.Enums;
+using Bit.Core.Enums.Provider;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.StaticStore;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
@@ -127,6 +130,25 @@ public class AddSecretsManagerSubscriptionCommandTests
         await VerifyDependencyNotCalledAsync(sutProvider);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task SignUpAsync_ThrowsException_WhenOrganizationIsManagedByMSP(
+        SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider,
+        Organization organization,
+        Provider provider)
+    {
+        organization.UseSecretsManager = false;
+        organization.SecretsManagerBeta = false;
+        provider.Type = ProviderType.Msp;
+        sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organization.Id).Returns(provider);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SignUpAsync(organization, 10, 10));
+
+        Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
+        await VerifyDependencyNotCalledAsync(sutProvider);
+    }
+
     private static async Task VerifyDependencyNotCalledAsync(SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider)
     {
         await sutProvider.GetDependency<IPaymentService>().DidNotReceive()

test/Core.Test/Services/OrganizationServiceTests.cs

@@ -263,6 +263,22 @@ public class OrganizationServiceTests
         );
     }
 
+    [Theory]
+    [BitAutoData(PlanType.EnterpriseAnnually)]
+    public async Task SignUp_SM_Throws_WhenManagedByMSP(PlanType planType, OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)
+    {
+        signup.Plan = planType;
+        signup.UseSecretsManager = true;
+        signup.AdditionalSeats = 15;
+        signup.AdditionalSmSeats = 10;
+        signup.AdditionalServiceAccounts = 20;
+        signup.PaymentMethodType = PaymentMethodType.Card;
+        signup.PremiumAccessAddon = false;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SignUpAsync(signup, true));
+        Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task SignUpAsync_SecretManager_AdditionalServiceAccounts_NotAllowedByPlan_ShouldThrowException(OrganizationSignup signup, SutProvider<OrganizationService> sutProvider)