[AC-1435] Single Organization policy prerequisite for Account Recovery policy (#3082)

* [AC-1435] Automatically enable Single Org policy when selecting TDE

* [AC-1435] Add test for automatic policy enablement

* [AC-1435] Prevent disabling single org when account recovery is enabled

* [AC-1435] Require Single Org policy when enabling Account recovery

* [AC-1435] Add unit test to check for account recovery policy when attempting to disable single org

* [AC-1435] Add test to verify single org policy is enabled for account recovery policy

* [AC-1435] Fix failing test

src/Core/Services/Implementations/PolicyService.cs

@@ -61,6 +61,7 @@ public class PolicyService : IPolicyService
                     await RequiredBySsoAsync(org);
                     await RequiredByVaultTimeoutAsync(org);
                     await RequiredByKeyConnectorAsync(org);
+                    await RequiredByAccountRecoveryAsync(org);
                 }
                 break;
 
@@ -80,6 +81,11 @@ public class PolicyService : IPolicyService
                 {
                     await RequiredBySsoTrustedDeviceEncryptionAsync(org);
                 }
+
+                if (policy.Enabled)
+                {
+                    await DependsOnSingleOrgAsync(org);
+                }
                 break;
 
             case PolicyType.MaximumVaultTimeout:
@@ -244,6 +250,15 @@ public class PolicyService : IPolicyService
         }
     }
 
+    private async Task RequiredByAccountRecoveryAsync(Organization org)
+    {
+        var requireSso = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.ResetPassword);
+        if (requireSso?.Enabled == true)
+        {
+            throw new BadRequestException("Account recovery policy is enabled.");
+        }
+    }
+
     private async Task RequiredByVaultTimeoutAsync(Organization org)
     {
         var vaultTimeout = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.MaximumVaultTimeout);