[AC-1145] Add trusted devices option to SSO Config Data (#2909)

* [AC-1145] Add TDE feature flag

* [AC-1145] Update .gitignore to ignore flags.json in the Api project

* [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData

* [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model

* [AC-1145] Automatically enable password reset policy on TDE selection

* [AC-1145] Remove references to obsolete KeyConnectorEnabled field

* [AC-1145] Formatting

* [AC-1145] Update XML doc reference to MemberDecryptionType

src/Core/Auth/Enums/MemberDecryptionType.cs

@@ -0,0 +1,8 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum MemberDecryptionType
+{
+    MasterPassword = 0,
+    KeyConnector = 1,
+    TrustedDeviceEncryption = 2
+}

src/Core/Auth/Models/Data/SsoConfigurationData.cs

@@ -22,7 +22,25 @@ public class SsoConfigurationData
 
     public SsoType ConfigType { get; set; }
 
-    public bool KeyConnectorEnabled { get; set; }
+    public MemberDecryptionType MemberDecryptionType { get; set; }
+
+    /// <summary>
+    /// Legacy property to determine if KeyConnector was enabled.
+    /// Kept for backwards compatibility with old configs that will not have
+    /// the new <see cref="MemberDecryptionType"/> when deserialized from the database.
+    /// </summary>
+    [Obsolete("Use MemberDecryptionType instead")]
+    public bool KeyConnectorEnabled
+    {
+        get => MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        set
+        {
+            if (value)
+            {
+                MemberDecryptionType = MemberDecryptionType.KeyConnector;
+            }
+        }
+    }
     public string KeyConnectorUrl { get; set; }
 
     // OIDC

src/Core/Auth/Services/Implementations/SsoConfigService.cs

@@ -1,8 +1,10 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 
@@ -12,21 +14,30 @@ public class SsoConfigService : ISsoConfigService
 {
     private readonly ISsoConfigRepository _ssoConfigRepository;
     private readonly IPolicyRepository _policyRepository;
+    private readonly IPolicyService _policyService;
     private readonly IOrganizationRepository _organizationRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IUserService _userService;
+    private readonly IOrganizationService _organizationService;
     private readonly IEventService _eventService;
 
     public SsoConfigService(
         ISsoConfigRepository ssoConfigRepository,
         IPolicyRepository policyRepository,
+        IPolicyService policyService,
         IOrganizationRepository organizationRepository,
         IOrganizationUserRepository organizationUserRepository,
+        IUserService userService,
+        IOrganizationService organizationService,
         IEventService eventService)
     {
         _ssoConfigRepository = ssoConfigRepository;
         _policyRepository = policyRepository;
+        _policyService = policyService;
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
+        _userService = userService;
+        _organizationService = organizationService;
         _eventService = eventService;
     }
 
@@ -39,19 +50,31 @@ public class SsoConfigService : ISsoConfigService
             config.CreationDate = now;
         }
 
-        var useKeyConnector = config.GetData().KeyConnectorEnabled;
+        var useKeyConnector = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
         if (useKeyConnector)
         {
             await VerifyDependenciesAsync(config, organization);
         }
 
         var oldConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(config.OrganizationId);
-        var disabledKeyConnector = oldConfig?.GetData()?.KeyConnectorEnabled == true && !useKeyConnector;
+        var disabledKeyConnector = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && !useKeyConnector;
         if (disabledKeyConnector && await AnyOrgUserHasKeyConnectorEnabledAsync(config.OrganizationId))
         {
             throw new BadRequestException("Key Connector cannot be disabled at this moment.");
         }
 
+        // Automatically enable reset password policy if trusted device encryption is selected
+        if (config.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
+        {
+            var resetPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.ResetPassword) ??
+                              new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.ResetPassword, };
+
+            resetPolicy.Enabled = true;
+            resetPolicy.SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+
+            await _policyService.SaveAsync(resetPolicy, _userService, _organizationService, null);
+        }
+
         await LogEventsAsync(config, oldConfig);
         await _ssoConfigRepository.UpsertAsync(config);
     }
@@ -97,8 +120,9 @@ public class SsoConfigService : ISsoConfigService
             await _eventService.LogOrganizationEventAsync(organization, e);
         }
 
-        var keyConnectorEnabled = config.GetData().KeyConnectorEnabled;
-        if (oldConfig?.GetData()?.KeyConnectorEnabled != keyConnectorEnabled)
+        var keyConnectorEnabled = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        var oldKeyConnectorEnabled = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        if (oldKeyConnectorEnabled != keyConnectorEnabled)
         {
             var e = keyConnectorEnabled
                 ? EventType.Organization_EnabledKeyConnector