Merge branch 'refs/heads/main' into km/pm-10600

test/Admin.Test/Models/UserViewModelTests.cs

@@ -2,6 +2,7 @@
 
 using Bit.Admin.Models;
 using Bit.Core.Entities;
+using Bit.Core.Vault.Entities;
 using Bit.Test.Common.AutoFixture.Attributes;
 
 namespace Admin.Test.Models;
@@ -79,7 +80,7 @@ public class UserViewModelTests
     {
         var lookup = new List<(Guid, bool)> { (user.Id, true) };
 
-        var actual = UserViewModel.MapViewModel(user, lookup);
+        var actual = UserViewModel.MapViewModel(user, lookup, false);
 
         Assert.True(actual.TwoFactorEnabled);
     }
@@ -90,7 +91,7 @@ public class UserViewModelTests
     {
         var lookup = new List<(Guid, bool)> { (user.Id, false) };
 
-        var actual = UserViewModel.MapViewModel(user, lookup);
+        var actual = UserViewModel.MapViewModel(user, lookup, false);
 
         Assert.False(actual.TwoFactorEnabled);
     }
@@ -101,8 +102,44 @@ public class UserViewModelTests
     {
         var lookup = new List<(Guid, bool)> { (Guid.NewGuid(), true) };
 
-        var actual = UserViewModel.MapViewModel(user, lookup);
+        var actual = UserViewModel.MapViewModel(user, lookup, false);
 
         Assert.False(actual.TwoFactorEnabled);
     }
+
+    [Theory]
+    [BitAutoData]
+    public void MapUserViewModel_WithVerifiedDomain_ReturnsUserViewModel(User user)
+    {
+
+        var verifiedDomain = true;
+
+        var actual = UserViewModel.MapViewModel(user, true, Array.Empty<Cipher>(), verifiedDomain);
+
+        Assert.True(actual.DomainVerified);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void MapUserViewModel_WithoutVerifiedDomain_ReturnsUserViewModel(User user)
+    {
+
+        var verifiedDomain = false;
+
+        var actual = UserViewModel.MapViewModel(user, true, Array.Empty<Cipher>(), verifiedDomain);
+
+        Assert.False(actual.DomainVerified);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void MapUserViewModel_WithNullVerifiedDomain_ReturnsUserViewModel(User user)
+    {
+
+        var actual = UserViewModel.MapViewModel(user, true, Array.Empty<Cipher>(), null);
+
+        Assert.Null(actual.DomainVerified);
+    }
+
+
 }

test/Api.IntegrationTest/Controllers/AccountsControllerTest.cs

@@ -1,6 +1,15 @@
-using System.Net.Http.Headers;
+using System.Net;
+using System.Net.Http.Headers;
+using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
 using Bit.Api.Models.Response;
+using Bit.Core;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Services;
+using NSubstitute;
 using Xunit;
 
 namespace Bit.Api.IntegrationTest.Controllers;
@@ -35,4 +44,82 @@ public class AccountsControllerTest : IClassFixture<ApiApplicationFactory>
         Assert.Null(content.PrivateKey);
         Assert.NotNull(content.SecurityStamp);
     }
+
+    [Fact]
+    public async Task PostEmailToken_WhenAccountDeprovisioningEnabled_WithManagedAccount_ThrowsBadRequest()
+    {
+        var email = await SetupOrganizationManagedAccount();
+
+        var tokens = await _factory.LoginAsync(email);
+        var client = _factory.CreateClient();
+
+        var model = new EmailTokenRequestModel
+        {
+            NewEmail = $"{Guid.NewGuid()}@example.com",
+            MasterPasswordHash = "master_password_hash"
+        };
+
+        using var message = new HttpRequestMessage(HttpMethod.Post, "/accounts/email-token")
+        {
+            Content = JsonContent.Create(model)
+        };
+        message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+        var response = await client.SendAsync(message);
+
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        var content = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Cannot change emails for accounts owned by an organization", content);
+    }
+
+    [Fact]
+    public async Task PostEmail_WhenAccountDeprovisioningEnabled_WithManagedAccount_ThrowsBadRequest()
+    {
+        var email = await SetupOrganizationManagedAccount();
+
+        var tokens = await _factory.LoginAsync(email);
+        var client = _factory.CreateClient();
+
+        var model = new EmailRequestModel
+        {
+            NewEmail = $"{Guid.NewGuid()}@example.com",
+            MasterPasswordHash = "master_password_hash",
+            NewMasterPasswordHash = "master_password_hash",
+            Token = "validtoken",
+            Key = "key"
+        };
+
+        using var message = new HttpRequestMessage(HttpMethod.Post, "/accounts/email")
+        {
+            Content = JsonContent.Create(model)
+        };
+        message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+        var response = await client.SendAsync(message);
+
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        var content = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Cannot change emails for accounts owned by an organization", content);
+    }
+
+    private async Task<string> SetupOrganizationManagedAccount()
+    {
+        _factory.SubstituteService<IFeatureService>(featureService =>
+            featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true));
+
+        // Create the owner account
+        var ownerEmail = $"{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(ownerEmail);
+
+        // Create the organization
+        var (_organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually2023,
+            ownerEmail: ownerEmail, passwordManagerSeats: 10, paymentMethod: PaymentMethodType.Card);
+
+        // Create a new organization member
+        var (email, orgUser) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, _organization.Id,
+            OrganizationUserType.Custom, new Permissions { AccessReports = true, ManageScim = true });
+
+        // Add a verified domain
+        await OrganizationTestHelpers.CreateVerifiedDomainAsync(_factory, _organization.Id, "bitwarden.com");
+
+        return email;
+    }
 }

test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs

@@ -105,4 +105,22 @@ public static class OrganizationTestHelpers
 
         return (email, organizationUser);
     }
+
+    /// <summary>
+    /// Creates a VerifiedDomain for the specified organization.
+    /// </summary>
+    public static async Task CreateVerifiedDomainAsync(ApiApplicationFactory factory, Guid organizationId, string domain)
+    {
+        var organizationDomainRepository = factory.GetService<IOrganizationDomainRepository>();
+
+        var verifiedDomain = new OrganizationDomain
+        {
+            OrganizationId = organizationId,
+            DomainName = domain,
+            Txt = "btw+test18383838383"
+        };
+        verifiedDomain.SetVerifiedDate();
+
+        await organizationDomainRepository.CreateAsync(verifiedDomain);
+    }
 }

test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs

@@ -1,7 +1,6 @@
 using System.Security.Claims;
 using Bit.Api.AdminConsole.Controllers;
 using Bit.Api.AdminConsole.Models.Request.Organizations;
-using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
@@ -273,17 +272,12 @@ public class OrganizationUsersControllerTests
     [Theory]
     [BitAutoData]
     public async Task DeleteAccount_WhenUserCanManageUsers_Success(
-        Guid orgId,
-        Guid id,
-        SecretVerificationRequestModel model,
-        User currentUser,
-        SutProvider<OrganizationUsersController> sutProvider)
+        Guid orgId, Guid id, User currentUser, SutProvider<OrganizationUsersController> sutProvider)
     {
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
         sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(currentUser);
-        sutProvider.GetDependency<IUserService>().VerifySecretAsync(currentUser, model.Secret).Returns(true);
 
-        await sutProvider.Sut.DeleteAccount(orgId, id, model);
+        await sutProvider.Sut.DeleteAccount(orgId, id);
 
         await sutProvider.GetDependency<IDeleteManagedOrganizationUserAccountCommand>()
             .Received(1)
@@ -293,60 +287,34 @@ public class OrganizationUsersControllerTests
     [Theory]
     [BitAutoData]
     public async Task DeleteAccount_WhenUserCannotManageUsers_ThrowsNotFoundException(
-        Guid orgId,
-        Guid id,
-        SecretVerificationRequestModel model,
-        SutProvider<OrganizationUsersController> sutProvider)
+        Guid orgId, Guid id, SutProvider<OrganizationUsersController> sutProvider)
     {
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(false);
 
         await Assert.ThrowsAsync<NotFoundException>(() =>
-            sutProvider.Sut.DeleteAccount(orgId, id, model));
+            sutProvider.Sut.DeleteAccount(orgId, id));
     }
 
     [Theory]
     [BitAutoData]
     public async Task DeleteAccount_WhenCurrentUserNotFound_ThrowsUnauthorizedAccessException(
-        Guid orgId,
-        Guid id,
-        SecretVerificationRequestModel model,
-        SutProvider<OrganizationUsersController> sutProvider)
+        Guid orgId, Guid id, SutProvider<OrganizationUsersController> sutProvider)
     {
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
         sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs((User)null);
 
         await Assert.ThrowsAsync<UnauthorizedAccessException>(() =>
-            sutProvider.Sut.DeleteAccount(orgId, id, model));
-    }
-
-    [Theory]
-    [BitAutoData]
-    public async Task DeleteAccount_WhenSecretVerificationFails_ThrowsBadRequestException(
-        Guid orgId,
-        Guid id,
-        SecretVerificationRequestModel model,
-        User currentUser,
-        SutProvider<OrganizationUsersController> sutProvider)
-    {
-        sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
-        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(currentUser);
-        sutProvider.GetDependency<IUserService>().VerifySecretAsync(currentUser, model.Secret).Returns(false);
-
-        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.DeleteAccount(orgId, id, model));
+            sutProvider.Sut.DeleteAccount(orgId, id));
     }
 
     [Theory]
     [BitAutoData]
     public async Task BulkDeleteAccount_WhenUserCanManageUsers_Success(
-        Guid orgId,
-        SecureOrganizationUserBulkRequestModel model,
-        User currentUser,
-        List<(Guid, string)> deleteResults,
-        SutProvider<OrganizationUsersController> sutProvider)
+        Guid orgId, OrganizationUserBulkRequestModel model, User currentUser,
+        List<(Guid, string)> deleteResults, SutProvider<OrganizationUsersController> sutProvider)
     {
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
         sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(currentUser);
-        sutProvider.GetDependency<IUserService>().VerifySecretAsync(currentUser, model.Secret).Returns(true);
         sutProvider.GetDependency<IDeleteManagedOrganizationUserAccountCommand>()
             .DeleteManyUsersAsync(orgId, model.Ids, currentUser.Id)
             .Returns(deleteResults);
@@ -363,9 +331,7 @@ public class OrganizationUsersControllerTests
     [Theory]
     [BitAutoData]
     public async Task BulkDeleteAccount_WhenUserCannotManageUsers_ThrowsNotFoundException(
-        Guid orgId,
-        SecureOrganizationUserBulkRequestModel model,
-        SutProvider<OrganizationUsersController> sutProvider)
+        Guid orgId, OrganizationUserBulkRequestModel model, SutProvider<OrganizationUsersController> sutProvider)
     {
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(false);
 
@@ -376,9 +342,7 @@ public class OrganizationUsersControllerTests
     [Theory]
     [BitAutoData]
     public async Task BulkDeleteAccount_WhenCurrentUserNotFound_ThrowsUnauthorizedAccessException(
-        Guid orgId,
-        SecureOrganizationUserBulkRequestModel model,
-        SutProvider<OrganizationUsersController> sutProvider)
+        Guid orgId, OrganizationUserBulkRequestModel model, SutProvider<OrganizationUsersController> sutProvider)
     {
         sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
         sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs((User)null);
@@ -387,21 +351,6 @@ public class OrganizationUsersControllerTests
             sutProvider.Sut.BulkDeleteAccount(orgId, model));
     }
 
-    [Theory]
-    [BitAutoData]
-    public async Task BulkDeleteAccount_WhenSecretVerificationFails_ThrowsBadRequestException(
-        Guid orgId,
-        SecureOrganizationUserBulkRequestModel model,
-        User currentUser,
-        SutProvider<OrganizationUsersController> sutProvider)
-    {
-        sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
-        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(currentUser);
-        sutProvider.GetDependency<IUserService>().VerifySecretAsync(currentUser, model.Secret).Returns(false);
-
-        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.BulkDeleteAccount(orgId, model));
-    }
-
     private void GetMany_Setup(OrganizationAbility organizationAbility,
         ICollection<OrganizationUserUserDetails> organizationUsers,
         SutProvider<OrganizationUsersController> sutProvider)

test/Api.Test/Auth/Controllers/AccountsControllerTests.cs

@@ -7,6 +7,7 @@ using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.Auth.Validators;
 using Bit.Api.Tools.Models.Request;
 using Bit.Api.Vault.Models.Request;
+using Bit.Core;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
@@ -143,6 +144,21 @@ public class AccountsControllerTests : IDisposable
         await _userService.Received(1).InitiateEmailChangeAsync(user, newEmail);
     }
 
+    [Fact]
+    public async Task PostEmailToken_WithAccountDeprovisioningEnabled_WhenUserIsNotManagedByAnOrganization_ShouldInitiateEmailChange()
+    {
+        var user = GenerateExampleUser();
+        ConfigureUserServiceToReturnValidPrincipalFor(user);
+        ConfigureUserServiceToAcceptPasswordFor(user);
+        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
+        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(false);
+        var newEmail = "example@user.com";
+
+        await _sut.PostEmailToken(new EmailTokenRequestModel { NewEmail = newEmail });
+
+        await _userService.Received(1).InitiateEmailChangeAsync(user, newEmail);
+    }
+
     [Fact]
     public async Task PostEmailToken_WhenNotAuthorized_ShouldThrowUnauthorizedAccessException()
     {
@@ -165,6 +181,22 @@ public class AccountsControllerTests : IDisposable
         );
     }
 
+    [Fact]
+    public async Task PostEmailToken_WithAccountDeprovisioningEnabled_WhenUserIsManagedByAnOrganization_ShouldThrowBadRequestException()
+    {
+        var user = GenerateExampleUser();
+        ConfigureUserServiceToReturnValidPrincipalFor(user);
+        ConfigureUserServiceToAcceptPasswordFor(user);
+        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
+        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
+
+        var result = await Assert.ThrowsAsync<BadRequestException>(
+            () => _sut.PostEmailToken(new EmailTokenRequestModel())
+        );
+
+        Assert.Equal("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
+    }
+
     [Fact]
     public async Task PostEmail_ShouldChangeUserEmail()
     {
@@ -178,6 +210,21 @@ public class AccountsControllerTests : IDisposable
         await _userService.Received(1).ChangeEmailAsync(user, default, default, default, default, default);
     }
 
+    [Fact]
+    public async Task PostEmail_WithAccountDeprovisioningEnabled_WhenUserIsNotManagedByAnOrganization_ShouldChangeUserEmail()
+    {
+        var user = GenerateExampleUser();
+        ConfigureUserServiceToReturnValidPrincipalFor(user);
+        _userService.ChangeEmailAsync(user, default, default, default, default, default)
+                    .Returns(Task.FromResult(IdentityResult.Success));
+        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
+        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(false);
+
+        await _sut.PostEmail(new EmailRequestModel());
+
+        await _userService.Received(1).ChangeEmailAsync(user, default, default, default, default, default);
+    }
+
     [Fact]
     public async Task PostEmail_WhenNotAuthorized_ShouldThrownUnauthorizedAccessException()
     {
@@ -201,6 +248,21 @@ public class AccountsControllerTests : IDisposable
         );
     }
 
+    [Fact]
+    public async Task PostEmail_WithAccountDeprovisioningEnabled_WhenUserIsManagedByAnOrganization_ShouldThrowBadRequestException()
+    {
+        var user = GenerateExampleUser();
+        ConfigureUserServiceToReturnValidPrincipalFor(user);
+        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
+        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
+
+        var result = await Assert.ThrowsAsync<BadRequestException>(
+            () => _sut.PostEmail(new EmailRequestModel())
+        );
+
+        Assert.Equal("Cannot change emails for accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
+    }
+
     [Fact]
     public async Task PostVerifyEmail_ShouldSendEmailVerification()
     {
@@ -472,6 +534,34 @@ public class AccountsControllerTests : IDisposable
         await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostSetPasswordAsync(model));
     }
 
+    [Fact]
+    public async Task Delete_WhenAccountDeprovisioningIsEnabled_WithUserManagedByAnOrganization_ThrowsBadRequestException()
+    {
+        var user = GenerateExampleUser();
+        ConfigureUserServiceToReturnValidPrincipalFor(user);
+        ConfigureUserServiceToAcceptPasswordFor(user);
+        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
+        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(true);
+
+        var result = await Assert.ThrowsAsync<BadRequestException>(() => _sut.Delete(new SecretVerificationRequestModel()));
+
+        Assert.Equal("Cannot delete accounts owned by an organization. Contact your organization administrator for additional details.", result.Message);
+    }
+
+    [Fact]
+    public async Task Delete_WhenAccountDeprovisioningIsEnabled_WithUserNotManagedByAnOrganization_ShouldSucceed()
+    {
+        var user = GenerateExampleUser();
+        ConfigureUserServiceToReturnValidPrincipalFor(user);
+        ConfigureUserServiceToAcceptPasswordFor(user);
+        _featureService.IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
+        _userService.IsManagedByAnyOrganizationAsync(user.Id).Returns(false);
+        _userService.DeleteAsync(user).Returns(IdentityResult.Success);
+
+        await _sut.Delete(new SecretVerificationRequestModel());
+
+        await _userService.Received(1).DeleteAsync(user);
+    }
 
     // Below are helper functions that currently belong to this
     // test class, but ultimately may need to be split out into

test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs

@@ -37,7 +37,7 @@ public class OrganizationBillingControllerTests
         Guid organizationId,
         SutProvider<OrganizationBillingController> sutProvider)
     {
-        sutProvider.GetDependency<ICurrentContext>().AccessMembersTab(organizationId).Returns(true);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationUser(organizationId).Returns(true);
         sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId).Returns((OrganizationMetadata)null);
 
         var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
@@ -50,18 +50,20 @@ public class OrganizationBillingControllerTests
         Guid organizationId,
         SutProvider<OrganizationBillingController> sutProvider)
     {
-        sutProvider.GetDependency<ICurrentContext>().AccessMembersTab(organizationId).Returns(true);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationUser(organizationId).Returns(true);
         sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId)
-            .Returns(new OrganizationMetadata(true, true));
+            .Returns(new OrganizationMetadata(true, true, true, true));
 
         var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
 
         Assert.IsType<Ok<OrganizationMetadataResponse>>(result);
 
-        var organizationMetadataResponse = ((Ok<OrganizationMetadataResponse>)result).Value;
+        var response = ((Ok<OrganizationMetadataResponse>)result).Value;
 
-        Assert.True(organizationMetadataResponse.IsEligibleForSelfHost);
-        Assert.True(organizationMetadataResponse.IsOnSecretsManagerStandalone);
+        Assert.True(response.IsEligibleForSelfHost);
+        Assert.True(response.IsManaged);
+        Assert.True(response.IsOnSecretsManagerStandalone);
+        Assert.True(response.IsSubscriptionUnpaid);
     }
 
     [Theory, BitAutoData]

test/Api.Test/Controllers/PoliciesControllerTests.cs

@@ -3,8 +3,10 @@ using System.Text.Json;
 using Bit.Api.AdminConsole.Controllers;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Api.Response;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
@@ -132,4 +134,71 @@ public class PoliciesControllerTests
         // Act & Assert
         await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetMasterPasswordPolicy(orgId));
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Get_WhenUserCanManagePolicies_WithExistingType_ReturnsExistingPolicy(
+        SutProvider<PoliciesController> sutProvider, Guid orgId, Policy policy, int type)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>()
+        .ManagePolicies(orgId)
+        .Returns(true);
+
+        policy.Type = (PolicyType)type;
+        policy.Enabled = true;
+        policy.Data = null;
+
+        sutProvider.GetDependency<IPolicyRepository>()
+        .GetByOrganizationIdTypeAsync(orgId, (PolicyType)type)
+        .Returns(policy);
+
+        // Act
+        var result = await sutProvider.Sut.Get(orgId, type);
+
+        // Assert
+        Assert.IsType<PolicyResponseModel>(result);
+        Assert.Equal(policy.Id, result.Id);
+        Assert.Equal(policy.Type, result.Type);
+        Assert.Equal(policy.Enabled, result.Enabled);
+        Assert.Equal(policy.OrganizationId, result.OrganizationId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Get_WhenUserCanManagePolicies_WithNonExistingType_ReturnsDefaultPolicy(
+        SutProvider<PoliciesController> sutProvider, Guid orgId, int type)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>()
+        .ManagePolicies(orgId)
+        .Returns(true);
+
+        sutProvider.GetDependency<IPolicyRepository>()
+        .GetByOrganizationIdTypeAsync(orgId, (PolicyType)type)
+        .Returns((Policy)null);
+
+        // Act
+        var result = await sutProvider.Sut.Get(orgId, type);
+
+        // Assert
+        Assert.IsType<PolicyResponseModel>(result);
+        Assert.Equal(result.Type, (PolicyType)type);
+        Assert.False(result.Enabled);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task Get_WhenUserCannotManagePolicies_ThrowsNotFoundException(
+        SutProvider<PoliciesController> sutProvider, Guid orgId, int type)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>()
+        .ManagePolicies(orgId)
+        .Returns(false);
+
+        // Act & Assert
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Get(orgId, type));
+    }
+
 }

test/Identity.IntegrationTest/Identity.IntegrationTest.csproj

@@ -10,7 +10,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.8" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.10" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
     <PackageReference Include="xunit" Version="$(XUnitVersion)" />

test/Infrastructure.IntegrationTest/Infrastructure.IntegrationTest.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <Nullable>enable</Nullable>
@@ -8,10 +8,10 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.1" />
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" Version="8.9.1" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.2" />
+    <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.1" />
+    <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" Version="8.10.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="xunit" Version="$(XUnitVersion)" />
     <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">

test/IntegrationTestCommon/IntegrationTestCommon.csproj

@@ -5,7 +5,7 @@
   </PropertyGroup>
   
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.8" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.10" />
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
   </ItemGroup>