[PM-1270] Throw error when removing master password reset policy with TDE enabled (#2964)

* [PM-1270] Updated PolicyService to throw an exception in case TDE is enabled and the user is trying to turn off the master password reset policy or tries to remove auto-enrollment

* [PM-1270] Added unit tests around the checks for turning off the master password reset policy or removing auto-enrollment

* [PM-1270] Fixed existing unit test SaveAsync_NewPolicy_Created

* [PM-1270] Removed unused method mock on unit test

src/Core/Services/Implementations/PolicyService.cs

@@ -75,6 +75,13 @@ public class PolicyService : IPolicyService
                 }
                 break;
 
+            case PolicyType.ResetPassword:
+                if (!policy.Enabled || policy.GetDataModel<ResetPasswordDataModel>()?.AutoEnrollEnabled == false)
+                {
+                    await RequiredBySsoTrustedDeviceEncryptionAsync(org);
+                }
+                break;
+
             case PolicyType.MaximumVaultTimeout:
                 if (policy.Enabled)
                 {
@@ -230,7 +237,6 @@ public class PolicyService : IPolicyService
 
     private async Task RequiredByKeyConnectorAsync(Organization org)
     {
-
         var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
         if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
         {
@@ -254,4 +260,13 @@ public class PolicyService : IPolicyService
             throw new BadRequestException("This policy is only available to 2020 Enterprise plans.");
         }
     }
+
+    private async Task RequiredBySsoTrustedDeviceEncryptionAsync(Organization org)
+    {
+        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
+        {
+            throw new BadRequestException("Trusted device encryption is on and requires this policy.");
+        }
+    }
 }