[PM-14613] Remove account deprovisioning feature flag (#5676)

* Remove flag * Remove old tests * Remove old xmldoc referencing the flag * Remove old emails
2025-07-01 08:02:49 -05:00 · 2025-05-13 07:17:54 +10:00
parent 952967b8b3
commit a1b22e66e5
31 changed files with 49 additions and 1120 deletions
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs
@ -122,9 +122,6 @@ public class SingleOrgPolicyValidatorTests
        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(savingUserId);
        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(policyUpdate.OrganizationId).Returns(organization);

-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            .Returns(true);
-
        sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>())
            .Returns(new CommandResult());
@ -148,161 +145,4 @@ public class SingleOrgPolicyValidatorTests
            .Received(1)
            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), nonCompliantUser.Email);
    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_RemovesNonCompliantUsers(
-        [PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg, false)] Policy policy,
-        Guid savingUserId,
-        Guid nonCompliantUserId,
-        Organization organization, SutProvider<SingleOrgPolicyValidator> sutProvider)
-    {
-        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
-
-        var compliantUser1 = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = organization.Id,
-            Type = OrganizationUserType.User,
-            Status = OrganizationUserStatusType.Confirmed,
-            UserId = new Guid(),
-            Email = "user1@example.com"
-        };
-
-        var compliantUser2 = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = organization.Id,
-            Type = OrganizationUserType.User,
-            Status = OrganizationUserStatusType.Confirmed,
-            UserId = new Guid(),
-            Email = "user2@example.com"
-        };
-
-        var nonCompliantUser = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = organization.Id,
-            Type = OrganizationUserType.User,
-            Status = OrganizationUserStatusType.Confirmed,
-            UserId = nonCompliantUserId,
-            Email = "user3@example.com"
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([compliantUser1, compliantUser2, nonCompliantUser]);
-
-        var otherOrganizationUser = new OrganizationUser
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = new Guid(),
-            UserId = nonCompliantUserId,
-            Status = OrganizationUserStatusType.Confirmed
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByManyUsersAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(nonCompliantUserId)))
-            .Returns([otherOrganizationUser]);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(savingUserId);
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(policyUpdate.OrganizationId).Returns(organization);
-
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            .Returns(false);
-
-        sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
-            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>())
-            .Returns(new CommandResult());
-
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
-
-        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
-            .DidNotReceive()
-            .RemoveUserAsync(policyUpdate.OrganizationId, compliantUser1.Id, savingUserId);
-        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
-            .DidNotReceive()
-            .RemoveUserAsync(policyUpdate.OrganizationId, compliantUser2.Id, savingUserId);
-        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
-            .Received(1)
-            .RemoveUserAsync(policyUpdate.OrganizationId, nonCompliantUser.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>()
-            .DidNotReceive()
-            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser1.Email);
-        await sutProvider.GetDependency<IMailService>()
-            .DidNotReceive()
-            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser2.Email);
-        await sutProvider.GetDependency<IMailService>()
-            .Received(1)
-            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), nonCompliantUser.Email);
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_WhenAccountDeprovisioningIsEnabled_ThenUsersAreRevoked(
-        [PolicyUpdate(PolicyType.SingleOrg)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg, false)] Policy policy,
-        Guid savingUserId,
-        Guid nonCompliantUserId,
-        Organization organization, SutProvider<SingleOrgPolicyValidator> sutProvider)
-    {
-        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
-
-        var compliantUser1 = new OrganizationUserUserDetails
-        {
-            OrganizationId = organization.Id,
-            Type = OrganizationUserType.User,
-            Status = OrganizationUserStatusType.Confirmed,
-            UserId = new Guid(),
-            Email = "user1@example.com"
-        };
-
-        var compliantUser2 = new OrganizationUserUserDetails
-        {
-            OrganizationId = organization.Id,
-            Type = OrganizationUserType.User,
-            Status = OrganizationUserStatusType.Confirmed,
-            UserId = new Guid(),
-            Email = "user2@example.com"
-        };
-
-        var nonCompliantUser = new OrganizationUserUserDetails
-        {
-            OrganizationId = organization.Id,
-            Type = OrganizationUserType.User,
-            Status = OrganizationUserStatusType.Confirmed,
-            UserId = nonCompliantUserId,
-            Email = "user3@example.com"
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([compliantUser1, compliantUser2, nonCompliantUser]);
-
-        var otherOrganizationUser = new OrganizationUser
-        {
-            OrganizationId = new Guid(),
-            UserId = nonCompliantUserId,
-            Status = OrganizationUserStatusType.Confirmed
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyByManyUsersAsync(Arg.Is<IEnumerable<Guid>>(ids => ids.Contains(nonCompliantUserId)))
-            .Returns([otherOrganizationUser]);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(savingUserId);
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.AccountDeprovisioning).Returns(true);
-
-        sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
-            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>())
-            .Returns(new CommandResult());
-
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
-
-        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
-            .Received()
-            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
-    }
 }
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/TwoFactorAuthenticationPolicyValidatorTests.cs
@ -6,7 +6,6 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
 using Bit.Core.AdminConsole.Utilities.Commands;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
-using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@ -24,7 +23,7 @@ namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyValidat
 public class TwoFactorAuthenticationPolicyValidatorTests
 {
    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_RemovesNonCompliantUsers(
+    public async Task OnSaveSideEffectsAsync_GivenNonCompliantUsersWithoutMasterPassword_Throws(
        Organization organization,
        [PolicyUpdate(PolicyType.TwoFactorAuthentication)] PolicyUpdate policyUpdate,
        [Policy(PolicyType.TwoFactorAuthentication, false)] Policy policy,
@ -33,249 +32,6 @@ public class TwoFactorAuthenticationPolicyValidatorTests
        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);

-        var orgUserDetailUserInvited = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Invited,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user1@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-        var orgUserDetailUserAcceptedWith2FA = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Accepted,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user2@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-        var orgUserDetailUserAcceptedWithout2FA = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Accepted,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user3@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-        var orgUserDetailAdmin = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.Admin,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "admin@test.com",
-            Name = "ADMIN",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns(new List<OrganizationUserUserDetails>
-            {
-                orgUserDetailUserInvited,
-                orgUserDetailUserAcceptedWith2FA,
-                orgUserDetailUserAcceptedWithout2FA,
-                orgUserDetailAdmin
-            });
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<OrganizationUserUserDetails>>())
-            .Returns(new List<(OrganizationUserUserDetails user, bool hasTwoFactor)>()
-            {
-                (orgUserDetailUserInvited, false),
-                (orgUserDetailUserAcceptedWith2FA, true),
-                (orgUserDetailUserAcceptedWithout2FA, false),
-                (orgUserDetailAdmin, false),
-            });
-
-        var savingUserId = Guid.NewGuid();
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(savingUserId);
-
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
-
-        var removeOrganizationUserCommand = sutProvider.GetDependency<IRemoveOrganizationUserCommand>();
-
-        await removeOrganizationUserCommand.Received()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailUserAcceptedWithout2FA.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().Received()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailUserAcceptedWithout2FA.Email);
-
-        await removeOrganizationUserCommand.DidNotReceive()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailUserInvited.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().DidNotReceive()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailUserInvited.Email);
-        await removeOrganizationUserCommand.DidNotReceive()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailUserAcceptedWith2FA.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().DidNotReceive()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailUserAcceptedWith2FA.Email);
-        await removeOrganizationUserCommand.DidNotReceive()
-            .RemoveUserAsync(policy.OrganizationId, orgUserDetailAdmin.Id, savingUserId);
-        await sutProvider.GetDependency<IMailService>().DidNotReceive()
-            .SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(organization.DisplayName(), orgUserDetailAdmin.Email);
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_UsersToBeRemovedDontHaveMasterPasswords_Throws(
-        Organization organization,
-        [PolicyUpdate(PolicyType.TwoFactorAuthentication)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.TwoFactorAuthentication, false)] Policy policy,
-        SutProvider<TwoFactorAuthenticationPolicyValidator> sutProvider)
-    {
-        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
-
-        var orgUserDetailUserWith2FAAndMP = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user1@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-        var orgUserDetailUserWith2FANoMP = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user2@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-        var orgUserDetailUserWithout2FA = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "user3@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-        var orgUserDetailAdmin = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.Admin,
-            // Needs to be different from what is passed in as the savingUserId to Sut.SaveAsync
-            Email = "admin@test.com",
-            Name = "ADMIN",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = false
-        };
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            .Returns(false);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policy.OrganizationId)
-            .Returns(new List<OrganizationUserUserDetails>
-            {
-                orgUserDetailUserWith2FAAndMP,
-                orgUserDetailUserWith2FANoMP,
-                orgUserDetailUserWithout2FA,
-                orgUserDetailAdmin
-            });
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Is<IEnumerable<Guid>>(ids =>
-                ids.Contains(orgUserDetailUserWith2FANoMP.UserId.Value)
-                && ids.Contains(orgUserDetailUserWithout2FA.UserId.Value)
-                && ids.Contains(orgUserDetailAdmin.UserId.Value)))
-            .Returns(new List<(Guid userId, bool hasTwoFactor)>()
-            {
-                (orgUserDetailUserWith2FANoMP.UserId.Value, true),
-                (orgUserDetailUserWithout2FA.UserId.Value, false),
-                (orgUserDetailAdmin.UserId.Value, false),
-            });
-
-        var badRequestException = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy));
-
-        Assert.Equal(TwoFactorAuthenticationPolicyValidator.NonCompliantMembersWillLoseAccessMessage, badRequestException.Message);
-
-        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>().DidNotReceiveWithAnyArgs()
-            .RemoveUserAsync(organizationId: default, organizationUserId: default, deletingUserId: default);
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_GivenUpdateTo2faPolicy_WhenAccountProvisioningIsDisabled_ThenRevokeUserCommandShouldNotBeCalled(
-            Organization organization,
-            [PolicyUpdate(PolicyType.TwoFactorAuthentication)]
-            PolicyUpdate policyUpdate,
-            [Policy(PolicyType.TwoFactorAuthentication, false)]
-            Policy policy,
-            SutProvider<TwoFactorAuthenticationPolicyValidator> sutProvider)
-    {
-        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            .Returns(false);
-
-        var orgUserDetailUserAcceptedWithout2Fa = new OrganizationUserUserDetails
-        {
-            Id = Guid.NewGuid(),
-            Status = OrganizationUserStatusType.Accepted,
-            Type = OrganizationUserType.User,
-            Email = "user3@test.com",
-            Name = "TEST",
-            UserId = Guid.NewGuid(),
-            HasMasterPassword = true
-        };
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns(new List<OrganizationUserUserDetails>
-            {
-                orgUserDetailUserAcceptedWithout2Fa
-            });
-
-
-        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
-            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<OrganizationUserUserDetails>>())
-            .Returns(new List<(OrganizationUserUserDetails user, bool hasTwoFactor)>()
-            {
-                (orgUserDetailUserAcceptedWithout2Fa, false),
-            });
-
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
-
-        await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
-            .DidNotReceive()
-            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_GivenUpdateTo2faPolicy_WhenAccountProvisioningIsEnabledAndUserDoesNotHaveMasterPassword_ThenNonCompliantMembersErrorMessageWillReturn(
-        Organization organization,
-        [PolicyUpdate(PolicyType.TwoFactorAuthentication)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.TwoFactorAuthentication, false)] Policy policy,
-        SutProvider<TwoFactorAuthenticationPolicyValidator> sutProvider)
-    {
-        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
-
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            .Returns(true);
-
        var orgUserDetailUserWithout2Fa = new OrganizationUserUserDetails
        {
            Id = Guid.NewGuid(),
@ -304,7 +60,7 @@ public class TwoFactorAuthenticationPolicyValidatorTests
    }

    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_WhenAccountProvisioningIsEnabledAndUserHasMasterPassword_ThenUserWillBeRevoked(
+    public async Task OnSaveSideEffectsAsync_RevokesNonCompliantUsers(
        Organization organization,
        [PolicyUpdate(PolicyType.TwoFactorAuthentication)] PolicyUpdate policyUpdate,
        [Policy(PolicyType.TwoFactorAuthentication, false)] Policy policy,
@ -313,10 +69,6 @@ public class TwoFactorAuthenticationPolicyValidatorTests
        policy.OrganizationId = organization.Id = policyUpdate.OrganizationId;
        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);

-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.AccountDeprovisioning)
-            .Returns(true);
-
        var orgUserDetailUserWithout2Fa = new OrganizationUserUserDetails
        {
            Id = Guid.NewGuid(),