[AC-1192] Create endpoints for new Device Approvals page (#2993)

* [AC-1192] Create new OrganizationAuthRequestsController.cs

* [AC-1192] Introduce OrganizationAdminAuthRequest model

* [AC-1192] Add GetManyPendingByOrganizationId method to AuthRequest repository

* [AC-1192] Add new list pending organization auth requests endpoint

* [AC-1192] Add new GetManyAdminApprovalsByManyIdsAsync method to the AuthRequestRepository

* [AC-1192] Make the response device identifier optional for admin approval requests

* [AC-1192] Add endpoint for bulk denying admin device auth requests

* [AC-1192] Add OrganizationUserId to PendingOrganizationAuthRequestResponseModel

* [AC-1192] Add UpdateAuthRequest endpoint and logic to OrganizationAuthRequestsController

* [AC-1192] Secure new endpoints behind TDE feature flag

* [AC-1192] Formatting

* [AC-1192] Add sql migration script

* [AC-1192] Add optional OrganizationId column to AuthRequest entity

- Rename migration script to match existing formatting
- Add new column
- Add migration scripts
- Update new sprocs to filter/join on OrganizationId
- Update old sprocs to include OrganizationId

* [AC-1192] Format migration scripts

* [AC-1192] Fix failing AuthRequest EF unit test

* [AC-1192] Make OrganizationId optional in updated AuthRequest sprocs for backwards compatability

* [AC-1192] Fix missing comma in migration file

* [AC-1192] Rename Key to EncryptedUserKey to be more descriptive

* [AC-1192] Move request validation into helper method to reduce repetition

* [AC-1192] Return UnauthorizedAccessException instead of NotFound when user is missing permission

* [AC-1192] Introduce FeatureUnavailableException

* [AC-1192] Introduce RequireFeatureAttribute

* [AC-1192] Utilize the new RequireFeatureAttribute in the OrganizationAuthRequestsController

* [AC-1192] Attempt to fix out of sync database migration by moving new OrganizationId column

* [AC-1192] More attempts to sync database migrations

* [AC-1192] Formatting

* [AC-1192] Remove unused reference to FeatureService

* [AC-1192] Change Id types from String to Guid

* [AC-1192] Add EncryptedString attribute

* [AC-1192] Remove redundant OrganizationId property

* [AC-1192] Switch to projection for OrganizationAdminAuthRequest mapping

- Add new OrganizationUser relationship to EF entity
- Replace AuthRequest DBContext config with new IEntityTypeConfiguration
- Add navigation property to AuthRequest entity configuration for OrganizationUser
- Update EF AuthRequestRepository to use new mapping and navigation properties

* [AC-1192] Remove OrganizationUser navigation property

src/Core/Auth/Entities/AuthRequest.cs

@@ -9,6 +9,7 @@ public class AuthRequest : ITableObject<Guid>
 {
     public Guid Id { get; set; }
     public Guid UserId { get; set; }
+    public Guid? OrganizationId { get; set; }
     public Enums.AuthRequestType Type { get; set; }
     [MaxLength(50)]
     public string RequestDeviceIdentifier { get; set; }

src/Core/Auth/Enums/AuthRequestType.cs

@@ -3,5 +3,6 @@
 public enum AuthRequestType : byte
 {
     AuthenticateAndUnlock = 0,
-    Unlock = 1
+    Unlock = 1,
+    AdminApproval = 2,
 }

src/Core/Auth/Models/Data/OrganizationAdminAuthRequest.cs

@@ -0,0 +1,18 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+
+namespace Bit.Core.Auth.Models.Data;
+
+/// <summary>
+/// Represents an <see cref="AuthRequestType.AdminApproval"/> AuthRequest.
+/// Includes additional user and organization information.
+/// </summary>
+public class OrganizationAdminAuthRequest : AuthRequest
+{
+    /// <summary>
+    /// Email address of the requesting user
+    /// </summary>
+    public string Email { get; set; }
+
+    public Guid OrganizationUserId { get; set; }
+}

src/Core/Auth/Repositories/IAuthRequestRepository.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 
 namespace Bit.Core.Repositories;
 
@@ -6,4 +7,6 @@ public interface IAuthRequestRepository : IRepository<AuthRequest, Guid>
 {
     Task<int> DeleteExpiredAsync();
     Task<ICollection<AuthRequest>> GetManyByUserIdAsync(Guid userId);
+    Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId);
+    Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids);
 }

src/Core/Auth/Services/Implementations/AuthRequestService.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Exceptions;
 using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Context;
@@ -119,13 +120,17 @@ public class AuthRequestService : IAuthRequestService
             throw new DuplicateAuthRequestException();
         }
 
-        var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
-        if (device == null)
+        // Admin approval responses are not tied to a specific device, so we don't need to validate it.
+        if (authRequest.Type != AuthRequestType.AdminApproval)
         {
-            throw new BadRequestException("Invalid device.");
+            var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
+            if (device == null)
+            {
+                throw new BadRequestException("Invalid device.");
+            }
+            authRequest.ResponseDeviceId = device.Id;
         }
 
-        authRequest.ResponseDeviceId = device.Id;
         authRequest.ResponseDate = DateTime.UtcNow;
         authRequest.Approved = model.RequestApproved;
 

src/Core/Exceptions/FeatureUnavailableException.cs

@@ -0,0 +1,14 @@
+namespace Bit.Core.Exceptions;
+
+/// <summary>
+/// Exception to throw when a requested feature is not yet enabled/available for the requesting context.
+/// </summary>
+public class FeatureUnavailableException : NotFoundException
+{
+    public FeatureUnavailableException()
+    { }
+
+    public FeatureUnavailableException(string message)
+        : base(message)
+    { }
+}

src/Core/Utilities/RequireFeatureAttribute.cs

@@ -0,0 +1,36 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Utilities;
+
+/// <summary>
+/// Specifies that the class or method that this attribute is applied to requires the specified boolean feature flag
+/// to be enabled. If the feature flag is not enabled, a <see cref="FeatureUnavailableException"/> is thrown
+/// </summary>
+public class RequireFeatureAttribute : ActionFilterAttribute
+{
+    private readonly string _featureFlagKey;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="RequireFeatureAttribute"/> class with the specified feature flag key.
+    /// </summary>
+    /// <param name="featureFlagKey">The name of the feature flag to require.</param>
+    public RequireFeatureAttribute(string featureFlagKey)
+    {
+        _featureFlagKey = featureFlagKey;
+    }
+
+    public override void OnActionExecuting(ActionExecutingContext context)
+    {
+        var currentContext = context.HttpContext.RequestServices.GetRequiredService<ICurrentContext>();
+        var featureService = context.HttpContext.RequestServices.GetRequiredService<IFeatureService>();
+
+        if (!featureService.IsEnabled(_featureFlagKey, currentContext))
+        {
+            throw new FeatureUnavailableException();
+        }
+    }
+}