[AC-1192] Create endpoints for new Device Approvals page (#2993)

* [AC-1192] Create new OrganizationAuthRequestsController.cs

* [AC-1192] Introduce OrganizationAdminAuthRequest model

* [AC-1192] Add GetManyPendingByOrganizationId method to AuthRequest repository

* [AC-1192] Add new list pending organization auth requests endpoint

* [AC-1192] Add new GetManyAdminApprovalsByManyIdsAsync method to the AuthRequestRepository

* [AC-1192] Make the response device identifier optional for admin approval requests

* [AC-1192] Add endpoint for bulk denying admin device auth requests

* [AC-1192] Add OrganizationUserId to PendingOrganizationAuthRequestResponseModel

* [AC-1192] Add UpdateAuthRequest endpoint and logic to OrganizationAuthRequestsController

* [AC-1192] Secure new endpoints behind TDE feature flag

* [AC-1192] Formatting

* [AC-1192] Add sql migration script

* [AC-1192] Add optional OrganizationId column to AuthRequest entity

- Rename migration script to match existing formatting
- Add new column
- Add migration scripts
- Update new sprocs to filter/join on OrganizationId
- Update old sprocs to include OrganizationId

* [AC-1192] Format migration scripts

* [AC-1192] Fix failing AuthRequest EF unit test

* [AC-1192] Make OrganizationId optional in updated AuthRequest sprocs for backwards compatability

* [AC-1192] Fix missing comma in migration file

* [AC-1192] Rename Key to EncryptedUserKey to be more descriptive

* [AC-1192] Move request validation into helper method to reduce repetition

* [AC-1192] Return UnauthorizedAccessException instead of NotFound when user is missing permission

* [AC-1192] Introduce FeatureUnavailableException

* [AC-1192] Introduce RequireFeatureAttribute

* [AC-1192] Utilize the new RequireFeatureAttribute in the OrganizationAuthRequestsController

* [AC-1192] Attempt to fix out of sync database migration by moving new OrganizationId column

* [AC-1192] More attempts to sync database migrations

* [AC-1192] Formatting

* [AC-1192] Remove unused reference to FeatureService

* [AC-1192] Change Id types from String to Guid

* [AC-1192] Add EncryptedString attribute

* [AC-1192] Remove redundant OrganizationId property

* [AC-1192] Switch to projection for OrganizationAdminAuthRequest mapping

- Add new OrganizationUser relationship to EF entity
- Replace AuthRequest DBContext config with new IEntityTypeConfiguration
- Add navigation property to AuthRequest entity configuration for OrganizationUser
- Update EF AuthRequestRepository to use new mapping and navigation properties

* [AC-1192] Remove OrganizationUser navigation property

test/Core.Test/Utilities/RequireFeatureAttributeTests.cs

@@ -0,0 +1,85 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Abstractions;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Utilities;
+
+public class RequireFeatureAttributeTests
+{
+    private const string _testFeature = "test-feature";
+
+    [Fact]
+    public void Throws_When_Feature_Disabled()
+    {
+        // Arrange
+        var rfa = new RequireFeatureAttribute(_testFeature);
+
+        // Act & Assert
+        Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
+    }
+
+    [Fact]
+    public void Throws_When_Feature_Not_Found()
+    {
+        // Arrange
+        var rfa = new RequireFeatureAttribute("missing-feature");
+
+        // Act & Assert
+        Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
+    }
+
+    [Fact]
+    public void Success_When_Feature_Enabled()
+    {
+        // Arrange
+        var rfa = new RequireFeatureAttribute(_testFeature);
+
+        // Act
+        rfa.OnActionExecuting(GetContext(enabled: true));
+
+        // Assert
+        // The Assert here is NOT throwing an exception
+    }
+
+
+    /// <summary>
+    /// Generates a ActionExecutingContext with the necessary services registered to test
+    /// the <see cref="RequireFeatureAttribute"/>
+    /// </summary>
+    /// <param name="enabled">Mock value for the <see cref="_testFeature"/> flag</param>
+    /// <returns></returns>
+    private static ActionExecutingContext GetContext(bool enabled)
+    {
+        IServiceCollection services = new ServiceCollection();
+
+        var featureService = Substitute.For<IFeatureService>();
+        var currentContext = Substitute.For<ICurrentContext>();
+
+        featureService.IsEnabled(_testFeature, Arg.Any<ICurrentContext>()).Returns(enabled);
+
+        services.AddSingleton(featureService);
+        services.AddSingleton(currentContext);
+
+        var httpContext = new DefaultHttpContext();
+        httpContext.RequestServices = services.BuildServiceProvider();
+
+        var context = Substitute.For<ActionExecutingContext>(
+            Substitute.For<ActionContext>(httpContext,
+                new RouteData(),
+                Substitute.For<ActionDescriptor>()),
+            new List<IFilterMetadata>(),
+            new Dictionary<string, object>(),
+            Substitute.For<Controller>());
+
+        return context;
+    }
+}

test/Infrastructure.EFIntegration.Test/Auth/AutoFixture/AuthRequestFixtures.cs

@@ -41,9 +41,11 @@ internal class EfAuthRequest : ICustomization
         fixture.Customizations.Add(new GlobalSettingsBuilder());
         fixture.Customizations.Add(new AuthRequestBuilder());
         fixture.Customizations.Add(new DeviceBuilder());
+        fixture.Customizations.Add(new OrganizationBuilder());
         fixture.Customizations.Add(new UserBuilder());
         fixture.Customizations.Add(new EfRepositoryListBuilder<AuthRequestRepository>());
         fixture.Customizations.Add(new EfRepositoryListBuilder<DeviceRepository>());
+        fixture.Customizations.Add(new EfRepositoryListBuilder<OrganizationRepository>());
         fixture.Customizations.Add(new EfRepositoryListBuilder<UserRepository>());
     }
 }

test/Infrastructure.EFIntegration.Test/Auth/Repositories/AuthRequestRepositoryTests.cs

@@ -19,9 +19,12 @@ public class AuthRequestRepositoryTests
         AuthRequestCompare equalityComparer,
         List<EfAuthRepo.AuthRequestRepository> suts,
         SqlAuthRepo.AuthRequestRepository sqlAuthRequestRepo,
+        Organization organization,
         User user,
         List<EfRepo.UserRepository> efUserRepos,
-        SqlRepo.UserRepository sqlUserRepo
+        List<EfRepo.OrganizationRepository> efOrgRepos,
+        SqlRepo.UserRepository sqlUserRepo,
+        SqlRepo.OrganizationRepository sqlOrgRepo
         )
     {
         authRequest.ResponseDeviceId = null;
@@ -34,6 +37,10 @@ public class AuthRequestRepositoryTests
             sut.ClearChangeTracking();
             authRequest.UserId = efUser.Id;
 
+            var efOrg = await efOrgRepos[i].CreateAsync(organization);
+            sut.ClearChangeTracking();
+            authRequest.OrganizationId = efOrg.Id;
+
             var postEfAuthRequest = await sut.CreateAsync(authRequest);
             sut.ClearChangeTracking();
 
@@ -43,6 +50,8 @@ public class AuthRequestRepositoryTests
 
         var sqlUser = await sqlUserRepo.CreateAsync(user);
         authRequest.UserId = sqlUser.Id;
+        var sqlOrg = await sqlOrgRepo.CreateAsync(organization);
+        authRequest.OrganizationId = sqlOrg.Id;
         var sqlAuthRequest = await sqlAuthRequestRepo.CreateAsync(authRequest);
         var savedSqlAuthRequest = await sqlAuthRequestRepo.GetByIdAsync(sqlAuthRequest.Id);
         savedAuthRequests.Add(savedSqlAuthRequest);