[PM-7742] Set hasManageResetPasswordPermission for owner and admin invitees (#4528)

* Set hasManageResetPasswordPermission for owner and admin invitees

* Make userdecryptionoptionsbuilder ignore orgusertype if orguser is null

src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs

@@ -4,6 +4,7 @@ using Bit.Core.Auth.Models.Api.Response;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Identity.Utilities;
 
@@ -137,6 +138,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
             // If sso configuration data is not null then I know for sure that ssoConfiguration isn't null
             var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(_ssoConfig.OrganizationId, _user.Id);
 
+            hasManageResetPasswordPermission |= organizationUser != null && (organizationUser.Type == OrganizationUserType.Owner || organizationUser.Type == OrganizationUserType.Admin);
             // They are only able to be approved by an admin if they have enrolled is reset password
             hasAdminApproval = organizationUser != null && !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
         }

test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs

@@ -3,6 +3,7 @@ using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Identity.IdentityServer;
 using Bit.Identity.Utilities;
@@ -131,6 +132,40 @@ public class UserDecryptionOptionsBuilderTests
         Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
     }
 
+    [Theory, BitAutoData]
+    public async Task Build_WhenIsOwnerInvite_ShouldReturnHasManageResetPasswordPermissionTrue(
+        SsoConfig ssoConfig,
+        SsoConfigurationData configurationData,
+        OrganizationUser organizationUser,
+        User user)
+    {
+        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
+        ssoConfig.Data = configurationData.Serialize();
+        organizationUser.Type = OrganizationUserType.Owner;
+        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);
+
+        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();
+
+        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
+    }
+
+    [Theory, BitAutoData]
+    public async Task Build_WhenIsAdminInvite_ShouldReturnHasManageResetPasswordPermissionTrue(
+        SsoConfig ssoConfig,
+        SsoConfigurationData configurationData,
+        OrganizationUser organizationUser,
+        User user)
+    {
+        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
+        ssoConfig.Data = configurationData.Serialize();
+        organizationUser.Type = OrganizationUserType.Admin;
+        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);
+
+        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();
+
+        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
+    }
+
     [Theory, BitAutoData]
     public async Task Build_WhenUserHasEnrolledIntoPasswordReset_ShouldReturnHasAdminApprovalTrue(
         SsoConfig ssoConfig,