[PM-15957] Fix: Domain Claim fails to enable Single Organization Policy, sends no emails and Revokes all users (#5147)

* Add JSON-based stored procedure for updating account revision dates and modify existing procedure to use it

* Refactor SingleOrgPolicyValidator to revoke only non-compliant organization users and update related tests

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs

@@ -97,15 +97,22 @@ public class SingleOrgPolicyValidator : IPolicyValidator
             return;
         }
 
+        var allRevocableUserOrgs = await _organizationUserRepository.GetManyByManyUsersAsync(
+            currentActiveRevocableOrganizationUsers.Select(ou => ou.UserId!.Value));
+        var usersToRevoke = currentActiveRevocableOrganizationUsers.Where(ou =>
+            allRevocableUserOrgs.Any(uo => uo.UserId == ou.UserId &&
+                uo.OrganizationId != organizationId &&
+                uo.Status != OrganizationUserStatusType.Invited)).ToList();
+
         var commandResult = await _revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUsersAsync(
-            new RevokeOrganizationUsersRequest(organizationId, currentActiveRevocableOrganizationUsers, performedBy));
+            new RevokeOrganizationUsersRequest(organizationId, usersToRevoke, performedBy));
 
         if (commandResult.HasErrors)
         {
             throw new BadRequestException(string.Join(", ", commandResult.ErrorMessages));
         }
 
-        await Task.WhenAll(currentActiveRevocableOrganizationUsers.Select(x =>
+        await Task.WhenAll(usersToRevoke.Select(x =>
             _mailService.SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), x.Email)));
     }
 

src/Sql/dbo/Stored Procedures/OrganizationUser_SetStatusForUsersById.sql

@@ -24,6 +24,6 @@ BEGIN
     SET [Status] = @Status
     WHERE [Id] IN (SELECT Id from @ParsedIds)
 
-    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIds] @OrganizationUserIds
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson] @OrganizationUserIds
 END
 

src/Sql/dbo/Stored Procedures/User_BumpAccountRevisionDateByOrganizationUserIdsJson.sql

@@ -0,0 +1,33 @@
+CREATE PROCEDURE [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson]
+    @OrganizationUserIds NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #UserIds
+    (
+        UserId UNIQUEIDENTIFIER NOT NULL
+    );
+
+    INSERT INTO #UserIds (UserId)
+    SELECT
+        OU.UserId
+    FROM
+        [dbo].[OrganizationUser] OU
+    INNER JOIN
+        (SELECT [value] as Id FROM OPENJSON(@OrganizationUserIds)) AS OUIds
+        ON OUIds.Id = OU.Id
+    WHERE
+        OU.[Status] = 2 -- Confirmed
+
+    UPDATE
+        U
+    SET
+        U.[AccountRevisionDate] = GETUTCDATE()
+    FROM
+        [dbo].[User] U
+    INNER JOIN
+        #UserIds ON U.[Id] = #UserIds.[UserId]
+
+    DROP TABLE #UserIds
+END

test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidatorTests.cs

@@ -75,6 +75,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser1 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -84,6 +85,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser2 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -93,6 +95,7 @@ public class SingleOrgPolicyValidatorTests
 
         var nonCompliantUser = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -106,6 +109,7 @@ public class SingleOrgPolicyValidatorTests
 
         var otherOrganizationUser = new OrganizationUser
         {
+            Id = Guid.NewGuid(),
             OrganizationId = new Guid(),
             UserId = nonCompliantUserId,
             Status = OrganizationUserStatusType.Confirmed
@@ -129,11 +133,20 @@ public class SingleOrgPolicyValidatorTests
 
         await sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
             .Received(1)
-            .RevokeNonCompliantOrganizationUsersAsync(Arg.Any<RevokeOrganizationUsersRequest>());
+            .RevokeNonCompliantOrganizationUsersAsync(
+                Arg.Is<RevokeOrganizationUsersRequest>(r =>
+                    r.OrganizationId == organization.Id &&
+                    r.OrganizationUsers.Count() == 1 &&
+                    r.OrganizationUsers.First().Id == nonCompliantUser.Id));
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser1.Email);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser2.Email);
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(),
+            .SendOrganizationUserRevokedForPolicySingleOrgEmailAsync(organization.DisplayName(), nonCompliantUser.Email);
-                "user3@example.com");
     }
 
     [Theory, BitAutoData]
@@ -148,6 +161,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser1 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -157,6 +171,7 @@ public class SingleOrgPolicyValidatorTests
 
         var compliantUser2 = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -166,6 +181,7 @@ public class SingleOrgPolicyValidatorTests
 
         var nonCompliantUser = new OrganizationUserUserDetails
         {
+            Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
@@ -179,6 +195,7 @@ public class SingleOrgPolicyValidatorTests
 
         var otherOrganizationUser = new OrganizationUser
         {
+            Id = Guid.NewGuid(),
             OrganizationId = new Guid(),
             UserId = nonCompliantUserId,
             Status = OrganizationUserStatusType.Confirmed
@@ -200,13 +217,24 @@ public class SingleOrgPolicyValidatorTests
 
         await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, policy);
 
+        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            .DidNotReceive()
+            .RemoveUserAsync(policyUpdate.OrganizationId, compliantUser1.Id, savingUserId);
+        await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
+            .DidNotReceive()
+            .RemoveUserAsync(policyUpdate.OrganizationId, compliantUser2.Id, savingUserId);
         await sutProvider.GetDependency<IRemoveOrganizationUserCommand>()
             .Received(1)
             .RemoveUserAsync(policyUpdate.OrganizationId, nonCompliantUser.Id, savingUserId);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser1.Email);
+        await sutProvider.GetDependency<IMailService>()
+            .DidNotReceive()
+            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), compliantUser2.Email);
         await sutProvider.GetDependency<IMailService>()
             .Received(1)
-            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(),
+            .SendOrganizationUserRemovedForPolicySingleOrgEmailAsync(organization.DisplayName(), nonCompliantUser.Email);
-                "user3@example.com");
     }
 
     [Theory, BitAutoData]

util/Migrator/DbScripts/2024-12-11-00_BumpAccountRevisionDateJsonIds.sql

@@ -0,0 +1,64 @@
+CREATE OR ALTER PROCEDURE [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson]
+    @OrganizationUserIds NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #UserIds
+    (
+        UserId UNIQUEIDENTIFIER NOT NULL
+    );
+
+    INSERT INTO #UserIds (UserId)
+    SELECT
+        OU.UserId
+    FROM
+        [dbo].[OrganizationUser] OU
+    INNER JOIN
+        (SELECT [value] as Id FROM OPENJSON(@OrganizationUserIds)) AS OUIds
+        ON OUIds.Id = OU.Id
+    WHERE
+        OU.[Status] = 2 -- Confirmed
+
+    UPDATE
+        U
+    SET
+        U.[AccountRevisionDate] = GETUTCDATE()
+    FROM
+        [dbo].[User] U
+    INNER JOIN
+        #UserIds ON U.[Id] = #UserIds.[UserId]
+
+    DROP TABLE #UserIds
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_SetStatusForUsersById]
+    @OrganizationUserIds AS NVARCHAR(MAX),
+    @Status SMALLINT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    -- Declare a table variable to hold the parsed JSON data
+    DECLARE @ParsedIds TABLE (Id UNIQUEIDENTIFIER);
+
+    -- Parse the JSON input into the table variable
+    INSERT INTO @ParsedIds (Id)
+    SELECT value
+    FROM OPENJSON(@OrganizationUserIds);
+
+    -- Check if the input table is empty
+    IF (SELECT COUNT(1) FROM @ParsedIds) < 1
+    BEGIN
+        RETURN(-1);
+    END
+
+    UPDATE
+        [dbo].[OrganizationUser]
+    SET [Status] = @Status
+    WHERE [Id] IN (SELECT Id from @ParsedIds)
+
+    EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserIdsJson] @OrganizationUserIds
+END
+GO