Feature/self hosted families for enterprise (#1991)

* Families for enterprise/split up organization sponsorship service (#1829) * Split OrganizationSponsorshipService into commands * Use tokenable for token validation * Use interfaces to set up for DI * Use commands over services * Move service tests to command tests * Value types can't be null * Run dotnet format * Update src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CancelSponsorshipCommand.cs Co-authored-by: Justin Baur <admin@justinbaur.com> * Fix controller tests Co-authored-by: Justin Baur <admin@justinbaur.com> * Families for enterprise/split up organization sponsorship service (#1875) * Split OrganizationSponsorshipService into commands * Use tokenable for token validation * Use interfaces to set up for DI * Use commands over services * Move service tests to command tests * Value types can't be null * Run dotnet format * Update src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CancelSponsorshipCommand.cs Co-authored-by: Justin Baur <admin@justinbaur.com> * Fix controller tests * Split create and send sponsorships * Split up create sponsorship * Add self hosted commands to dependency injection * Add field to store cloud billing sync key on self host instances * Fix typo * Fix data protector purpose of sponsorship offers * Split cloud and selfhosted sponsorship offer tokenable * Generate offer from self hosted with all necessary auth data * Add Required properties to constructor * Split up cancel sponsorship command * Split revoke sponsorship command between cloud and self hosted * Fix/f4e multiple sponsorships (#1838) * Use sponosorship from validate to redeem * Update tests * Format * Remove sponsorship service * Run dotnet format * Fix self hosted only controller attribute * Clean up file structure and fixes * Remove unneeded tokenables * Remove obsolete commands * Do not require file/class prefix if unnecessary * Update Organizaiton sprocs * Remove unnecessary models * Fix tests * Generalize LicenseService path calculation Use async file read and deserialization * Use interfaces for testability * Remove unused usings * Correct test direction * Test license reading * remove unused usings * Format Co-authored-by: Justin Baur <admin@justinbaur.com> * Improve DataProtectorTokenFactory test coverage (#1884) * Add encstring to server * Test factory Co-authored-by: Carlos Muentes <cmuentes@bitwarden.com> * Format * Remove SymmetricKeyProtectedString Not needed * Set ForcInvalid Co-authored-by: Carlos Muentes <cmuentes@bitwarden.com> * Feature/self f4e/api keys (#1896) * Add in ApiKey * Work on API Key table * Work on apikey table * Fix response model * Work on information for UI * Work on last sync date * Work on sync status * Work on auth * Work on tokenable * Work on merge * Add custom requirement * Add policy * Run formatting * Work on EF Migrations * Work on OrganizationConnection * Work on database * Work on additional database table * Run formatting * Small fixes * More cleanup * Cleanup * Add RevisionDate * Add GO * Finish Sql project * Add newlines * Fix stored proc file * Fix sqlproj * Add newlines * Fix table * Add navigation property * Delete Connections when organization is deleted * Add connection validation * Start adding ID column * Work on ID column * Work on SQL migration * Work on migrations * Run formatting * Fix test build * Fix sprocs * Work on migrations * Fix Create table * Fix sproc * Add prints to migration * Add default value * Update EF migrations * Formatting * Add to integration tests * Minor fixes * Formatting * Cleanup * Address PR feedback * Address more PR feedback * Fix formatting * Fix formatting * Fix * Address PR feedback * Remove accidential change * Fix SQL build * Run formatting * Address PR feedback * Add sync data to OrganizationUserOrgDetails * Add comments * Remove OrganizationConnectionService interface * Remove unused using * Address PR feedback * Formatting * Minor fix * Feature/self f4e/update db (#1930) * Fix migration * Fix TimesRenewed * Add comments * Make two properties non-nullable * Remove need for SponsoredOrg on SH (#1934) * Remove need for SponsoredOrg on SH * Add Family prefix * Add check for enterprise org on BillingSync key (#1936) * [PS-10] Feature/sponsorships removed at end of term (#1938) * Rename commands to min unique names * Inject revoke command based on self hosting * WIP: Remove/Revoke marks to delete * Complete WIP * Improve remove/revoke tests * PR review * Fail validation if sponsorship has failed to sync for 6 months * Feature/do not accept old self host sponsorships (#1939) * Do not accept >6mo old self-hosted sponsorships * Give disabled grace period of 3 months * Fix issues of Sql.proj differing from migration outcome (#1942) * Fix issues of Sql.proj differing from migration outcome * Yoink int tests * Add missing assert helpers * Feature/org sponsorship sync (#1922) * Self-hosted side sync first pass TODO: * flush out org sponsorship model * implement cloud side * process cloud-side response and update self-hosted records * sync scaffolding second pass * remove list of Org User ids from sync and begin work on SelfHostedRevokeSponsorship * allow authenticated http calls from server to return a result * update models * add logic for sync and change offer email template * add billing sync key and hide CreateSponsorship without user * fix tests * add job scheduling * add authorize attributes to endpoints * separate models into data/model and request/response * batch sync more, add EnableCloudCommunication for testing * send emails in bulk * make userId and sponsorshipType non nullable * batch more on self hosted side of sync * remove TODOs and formatting * changed logic of cloud sync * let BaseIdentityClientService handle all logging * call sync from scheduled job on self host * create bulk db operations for OrganizationSponsorships * remove SponsoredOrgId from sync, return default from server http call * validate BillingSyncKey during sync revert changes to CreateSponsorshipCommand * revert changes to ICreateSponsorshipCommand * add some tests * add DeleteExpiredSponsorshipsJob * add cloud sync test * remove extra method * formatting * prevent new sponsorships from disabled orgs * update packages * - pulled out send sponsorship command dependency from sync on cloud - don't throw error when sponsorships are empty - formatting * formatting models * more formatting * remove licensingService dependency from selfhosted sync * use installation urls and formatting * create constructor for RequestModel and formatting * add date parameter to OrganizationSponsorship_DeleteExpired * add new migration * formatting * rename OrganizationCreateSponsorshipRequestModel to OrganizationSponsorshipCreateRequestModel * prevent whole sync from failing if one sponsorship type is unsupported * deserialize config and billingsynckey from org connection * alter log message when sync disabled * Add grace period to disabled orgs * return early on self hosted if there are no sponsorships in database * rename BillingSyncConfig * send sponsorship offers from controller * allow config to be a null object * better exception handling in sync scheduler * add ef migrations * formatting * fix tests * fix validate test Co-authored-by: Matt Gibson <mgibson@bitwarden.com> * Fix OrganizationApiKey issues (#1941) Co-authored-by: Justin Baur <admin@justinbaur.com> * Feature/org sponsorship self hosted tests (#1947) * Self-hosted side sync first pass TODO: * flush out org sponsorship model * implement cloud side * process cloud-side response and update self-hosted records * sync scaffolding second pass * remove list of Org User ids from sync and begin work on SelfHostedRevokeSponsorship * allow authenticated http calls from server to return a result * update models * add logic for sync and change offer email template * add billing sync key and hide CreateSponsorship without user * fix tests * add job scheduling * add authorize attributes to endpoints * separate models into data/model and request/response * batch sync more, add EnableCloudCommunication for testing * send emails in bulk * make userId and sponsorshipType non nullable * batch more on self hosted side of sync * remove TODOs and formatting * changed logic of cloud sync * let BaseIdentityClientService handle all logging * call sync from scheduled job on self host * create bulk db operations for OrganizationSponsorships * remove SponsoredOrgId from sync, return default from server http call * validate BillingSyncKey during sync revert changes to CreateSponsorshipCommand * revert changes to ICreateSponsorshipCommand * add some tests * add DeleteExpiredSponsorshipsJob * add cloud sync test * remove extra method * formatting * prevent new sponsorships from disabled orgs * update packages * - pulled out send sponsorship command dependency from sync on cloud - don't throw error when sponsorships are empty - formatting * formatting models * more formatting * remove licensingService dependency from selfhosted sync * use installation urls and formatting * create constructor for RequestModel and formatting * add date parameter to OrganizationSponsorship_DeleteExpired * add new migration * formatting * rename OrganizationCreateSponsorshipRequestModel to OrganizationSponsorshipCreateRequestModel * prevent whole sync from failing if one sponsorship type is unsupported * deserialize config and billingsynckey from org connection * add mockHttp nuget package and use httpclientfactory * fix current tests * WIP of creating tests * WIP of new self hosted tests * WIP self hosted tests * finish self hosted tests * formatting * format of interface * remove extra config file * added newlines Co-authored-by: Matt Gibson <mgibson@bitwarden.com> * Fix Organization_DeleteById (#1950) * Fix Organization_Delete * Fix L * [PS-4] block enterprise user from sponsoring itself (#1943) * [PS-248] Feature/add connections enabled endpoint (#1953) * Move Organization models to sub namespaces * Add Organization Connection api endpoints * Get all connections rather than just enabled ones * Add missing services to DI * pluralize private api endpoints * Add type protection to org connection request/response * Fix route * Use nullable Id to signify no connection * Test Get Connections enabled * Fix data discoverer * Also drop this sproc for rerunning * Id is the OUTPUT of create sprocs * Fix connection config parsing * Linter fixes * update sqlproj file name * Use param xdocs on methods * Simplify controller path attribute * Use JsonDocument to avoid escaped json in our response/request strings * Fix JsonDoc tests * Linter fixes * Fix ApiKey Command and add tests (#1949) * Fix ApiKey command * Formatting * Fix test failures introduced in #1943 (#1957) * Remove "Did you know?" copy from emails. (#1962) * Remove "Did you know" * Remove jsonIf helper * Feature/fix send single sponsorship offer email (#1956) * Fix sponsorship offer email * Do not sanitize org name * PR feedback * Feature/f4e sync event [PS-75] (#1963) * Create sponsorship sync event type * Add InstallationId to Event model * Add combinatorics-based test case generators * Log sponsorships sync event on sync * Linter and test fixes * Fix failing test * Migrate sprocs and view * Remove unused `using`s * [PS-190] Add manual sync trigger in self hosted (#1955) * WIP add button to admin project for billing sync * add connection table to view page * minor fixes for self hosted side of sync * fixes number of bugs for cloud side of sync * deserialize before returning for some reason * add json attributes to return models * list of sponsorships parameter is immutable, add secondary list * change sproc name * add error handling * Fix tests * modify call to connection * Update src/Admin/Controllers/OrganizationsController.cs Co-authored-by: Matt Gibson <mgibson@bitwarden.com> * undo change to sproc name * simplify logic * Update src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudSyncSponsorshipsCommand.cs Co-authored-by: Matt Gibson <mgibson@bitwarden.com> * register services despite if self hosted or cloud * remove json properties * revert merge conflict Co-authored-by: Matt Gibson <mgibson@bitwarden.com> * Update OrganizationSponsorship valid until when updating org expirati… (#1966) * Update OrganizationSponsorship valid until when updating org expiration date * Linter fixes * [PS-7] change revert email copy and add ValidUntil to sponsorship (#1965) * change revert email copy and add ValidUntil to sponsorship * add 15 days if no ValidUntil * Chore/merge/self hosted families for enterprise (#1972) * Log swallowed HttpRequestExceptions (#1866) Co-authored-by: Hinton <oscar@oscarhinton.com> * Allow for utilization of readonly db connection (#1937) * Bump the pin of the download-artifacts action to bypass the broken GitHub api (#1952) * Bumped version to 1.48.0 (#1958) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * [EC-160] Give Provider Users access to all org ciphers and collections (#1959) * Bumped version to 1.48.1 (#1961) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Avoid sending "user need confirmation" emails when there are no org admins (#1960) * Remove noncompliant users for new policies (#1951) * [PS-284] Allow installation clients to not need a user. (#1968) * Allow installation clients to not need a user. * Run formatting Co-authored-by: Andrei <30410186+Manolachi@users.noreply.github.com> Co-authored-by: Hinton <oscar@oscarhinton.com> Co-authored-by: sneakernuts <671942+sneakernuts@users.noreply.github.com> Co-authored-by: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Justin Baur <136baur@gmail.com> * Fix/license file not found (#1974) * Handle null license * Throw hint message if license is not found by the admin project. * Use CloudOrganizationId from Connection config * Change test to support change * Fix test Co-authored-by: Matt Gibson <mgibson@bitwarden.com> * Feature/f4e selfhosted rename migration to .sql (#1971) * rename migration to .sql * format * Add unit tests to self host F4E (#1975) * Work on tests * Added more tests * Run linting * Address PR feedback * Fix AssertRecent * Linting * Fixed empty tests * Fix/misc self hosted f4e (#1973) * Allow setting of ApiUri * Return updates sponsorshipsData objects * Bind arguments by name * Greedy load sponsorships to email. When upsert was called, it creates Ids on _all_ records, which meant that the lazy-evaluation from this call always returned an empty list. * add scope for sync command DI in job. simplify error logic * update the sync job to get CloudOrgId from the BillingSyncKey Co-authored-by: Jacob Fink <jfink@bitwarden.com> * Chore/merge/self hosted families for enterprise (#1987) * Log swallowed HttpRequestExceptions (#1866) Co-authored-by: Hinton <oscar@oscarhinton.com> * Allow for utilization of readonly db connection (#1937) * Bump the pin of the download-artifacts action to bypass the broken GitHub api (#1952) * Bumped version to 1.48.0 (#1958) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * [EC-160] Give Provider Users access to all org ciphers and collections (#1959) * Bumped version to 1.48.1 (#1961) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Avoid sending "user need confirmation" emails when there are no org admins (#1960) * Remove noncompliant users for new policies (#1951) * [PS-284] Allow installation clients to not need a user. (#1968) * Allow installation clients to not need a user. * Run formatting * Use accept flow for sponsorship offers (#1964) * PS-82 check send 2FA email for new devices on TwoFactorController send-email-login (#1977) * [Bug] Skip WebAuthn 2fa event logs during login flow (#1978) * [Bug] Supress WebAuthn 2fa event logs during login process * Formatting * Simplified method call with new paramter input * Update RealIps Description (#1980) Describe the syntax of the real_ips configuration key with an example, to prevent type errors in the `setup` container when parsing `config.yml` * add proper URI validation to duo host (#1984) * captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com> * ensure no path specific in duo host (#1985) Co-authored-by: Andrei <30410186+Manolachi@users.noreply.github.com> Co-authored-by: Hinton <oscar@oscarhinton.com> Co-authored-by: sneakernuts <671942+sneakernuts@users.noreply.github.com> Co-authored-by: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Justin Baur <136baur@gmail.com> Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Jordan Cooks <notnamed@users.noreply.github.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com> * Address feedback (#1990) Co-authored-by: Justin Baur <admin@justinbaur.com> Co-authored-by: Carlos Muentes <cmuentes@bitwarden.com> Co-authored-by: Jake Fink <jfink@bitwarden.com> Co-authored-by: Justin Baur <136baur@gmail.com> Co-authored-by: Andrei <30410186+Manolachi@users.noreply.github.com> Co-authored-by: Hinton <oscar@oscarhinton.com> Co-authored-by: sneakernuts <671942+sneakernuts@users.noreply.github.com> Co-authored-by: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Jordan Cooks <notnamed@users.noreply.github.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2025-06-30 23:52:50 -05:00 · 2022-05-10 17:12:09 -04:00
parent e5a9d3dec2
commit c54c39b28c
304 changed files with 18514 additions and 1560 deletions
--- a/src/Api/Controllers/OrganizationConnectionsController.cs
+++ b/src/Api/Controllers/OrganizationConnectionsController.cs
@ -0,0 +1,162 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Bit.Api.Models.Request.Organizations;
+using Bit.Api.Models.Response.Organizations;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.OrganizationConnectionConfigs;
+using Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers
+{
+    [SelfHosted(SelfHostedOnly = true)]
+    [Authorize("Application")]
+    [Route("organizations/connections")]
+    public class OrganizationConnectionsController : Controller
+    {
+        private readonly ICreateOrganizationConnectionCommand _createOrganizationConnectionCommand;
+        private readonly IUpdateOrganizationConnectionCommand _updateOrganizationConnectionCommand;
+        private readonly IDeleteOrganizationConnectionCommand _deleteOrganizationConnectionCommand;
+        private readonly IOrganizationConnectionRepository _organizationConnectionRepository;
+        private readonly ICurrentContext _currentContext;
+        private readonly IGlobalSettings _globalSettings;
+        private readonly ILicensingService _licensingService;
+
+        public OrganizationConnectionsController(
+            ICreateOrganizationConnectionCommand createOrganizationConnectionCommand,
+            IUpdateOrganizationConnectionCommand updateOrganizationConnectionCommand,
+            IDeleteOrganizationConnectionCommand deleteOrganizationConnectionCommand,
+            IOrganizationConnectionRepository organizationConnectionRepository,
+            ICurrentContext currentContext,
+            IGlobalSettings globalSettings,
+            ILicensingService licensingService)
+        {
+            _createOrganizationConnectionCommand = createOrganizationConnectionCommand;
+            _updateOrganizationConnectionCommand = updateOrganizationConnectionCommand;
+            _deleteOrganizationConnectionCommand = deleteOrganizationConnectionCommand;
+            _organizationConnectionRepository = organizationConnectionRepository;
+            _currentContext = currentContext;
+            _globalSettings = globalSettings;
+            _licensingService = licensingService;
+        }
+
+        [HttpGet("enabled")]
+        public bool ConnectionsEnabled()
+        {
+            return _globalSettings.SelfHosted && _globalSettings.EnableCloudCommunication;
+        }
+
+        [HttpPost]
+        public async Task<OrganizationConnectionResponseModel> CreateConnection([FromBody] OrganizationConnectionRequestModel model)
+        {
+            if (!await HasPermissionAsync(model?.OrganizationId))
+            {
+                throw new BadRequestException("Only the owner of an organization can create a connection.");
+            }
+
+            if (await HasConnectionTypeAsync(model))
+            {
+                throw new BadRequestException($"The requested organization already has a connection of type {model.Type}. Only one of each connection type may exist per organization.");
+            }
+
+            switch (model.Type)
+            {
+                case OrganizationConnectionType.CloudBillingSync:
+                    var typedModel = new OrganizationConnectionRequestModel<BillingSyncConfig>(model);
+                    var license = await _licensingService.ReadOrganizationLicenseAsync(model.OrganizationId);
+                    typedModel.ParsedConfig.CloudOrganizationId = license.Id;
+                    var connection = await _createOrganizationConnectionCommand.CreateAsync(typedModel.ToData());
+                    return new OrganizationConnectionResponseModel(connection, typeof(BillingSyncConfig));
+                default:
+                    throw new BadRequestException($"Unknown Organization connection Type: {model.Type}");
+            }
+        }
+
+        [HttpPut("{organizationConnectionId}")]
+        public async Task<OrganizationConnectionResponseModel> UpdateConnection(Guid organizationConnectionId, [FromBody] OrganizationConnectionRequestModel model)
+        {
+            if (!await HasPermissionAsync(model?.OrganizationId))
+            {
+                throw new BadRequestException("Only the owner of an organization can update a connection.");
+            }
+
+            if (await HasConnectionTypeAsync(model, organizationConnectionId))
+            {
+                throw new BadRequestException($"The requested organization already has a connection of type {model.Type}. Only one of each connection type may exist per organization.");
+            }
+
+            switch (model.Type)
+            {
+                case OrganizationConnectionType.CloudBillingSync:
+                    var typedModel = new OrganizationConnectionRequestModel<BillingSyncConfig>(model);
+                    var connection = await _updateOrganizationConnectionCommand.UpdateAsync(typedModel.ToData(organizationConnectionId));
+                    return new OrganizationConnectionResponseModel(connection, typeof(BillingSyncConfig));
+                default:
+                    throw new BadRequestException($"Unkown Organization connection Type: {model.Type}");
+            }
+        }
+
+        [HttpGet("{organizationId}/{type}")]
+        public async Task<OrganizationConnectionResponseModel> GetConnection(Guid organizationId, OrganizationConnectionType type)
+        {
+            if (!await HasPermissionAsync(organizationId))
+            {
+                throw new BadRequestException("Only the owner of an organization can retrieve a connection.");
+            }
+
+            var connections = await GetConnectionsAsync(organizationId);
+            var connection = connections.FirstOrDefault(c => c.Type == type);
+
+            switch (type)
+            {
+                case OrganizationConnectionType.CloudBillingSync:
+                    return new OrganizationConnectionResponseModel(connection, typeof(BillingSyncConfig));
+                default:
+                    throw new BadRequestException($"Unkown Organization connection Type: {type}");
+            }
+
+        }
+
+        [HttpDelete("{organizationConnectionId}")]
+        [HttpPost("{organizationConnectionId}/delete")]
+        public async Task DeleteConnection(Guid organizationConnectionId)
+        {
+            var connection = await _organizationConnectionRepository.GetByIdAsync(organizationConnectionId);
+
+            if (connection == null)
+            {
+                throw new NotFoundException();
+            }
+
+            if (!await HasPermissionAsync(connection.OrganizationId))
+            {
+                throw new BadRequestException("Only the owner of an organization can remove a connection.");
+            }
+
+            await _deleteOrganizationConnectionCommand.DeleteAsync(connection);
+        }
+
+        private async Task<ICollection<OrganizationConnection>> GetConnectionsAsync(Guid organizationId) =>
+            await _organizationConnectionRepository.GetByOrganizationIdTypeAsync(organizationId, OrganizationConnectionType.CloudBillingSync);
+
+        private async Task<bool> HasConnectionTypeAsync(OrganizationConnectionRequestModel model, Guid? connectionId = null)
+        {
+            var existingConnections = await GetConnectionsAsync(model.OrganizationId);
+
+            return existingConnections.Any(c => c.Type == model.Type && (!connectionId.HasValue || c.Id != connectionId.Value));
+        }
+
+        private async Task<bool> HasPermissionAsync(Guid? organizationId) =>
+            organizationId.HasValue && await _currentContext.OrganizationOwner(organizationId.Value);
+    }
+}
--- a/src/Api/Controllers/OrganizationSponsorshipsController.cs
+++ b/src/Api/Controllers/OrganizationSponsorshipsController.cs
@ -1,9 +1,15 @@
 using System;
 using System.Threading.Tasks;
 using Bit.Api.Models.Request.Organizations;
+using Bit.Api.Models.Response.Organizations;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Api.Request.OrganizationSponsorships;
+using Bit.Core.Models.Api.Request.OrganizationSponsorships;
+using Bit.Core.Models.Api.Response.OrganizationSponsorships;
+using Bit.Core.Models.Api.Response.OrganizationSponsorships;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@ -13,42 +19,65 @@ using Microsoft.AspNetCore.Mvc;
 namespace Bit.Api.Controllers
 {
    [Route("organization/sponsorship")]
-    [Authorize("Application")]
    public class OrganizationSponsorshipsController : Controller
    {
-        private readonly IOrganizationSponsorshipService _organizationsSponsorshipService;
        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
        private readonly IOrganizationRepository _organizationRepository;
        private readonly IOrganizationUserRepository _organizationUserRepository;
+        private readonly IValidateRedemptionTokenCommand _validateRedemptionTokenCommand;
+        private readonly IValidateBillingSyncKeyCommand _validateBillingSyncKeyCommand;
+        private readonly ICreateSponsorshipCommand _createSponsorshipCommand;
+        private readonly ISendSponsorshipOfferCommand _sendSponsorshipOfferCommand;
+        private readonly ISetUpSponsorshipCommand _setUpSponsorshipCommand;
+        private readonly IRevokeSponsorshipCommand _revokeSponsorshipCommand;
+        private readonly IRemoveSponsorshipCommand _removeSponsorshipCommand;
+        private readonly ICloudSyncSponsorshipsCommand _syncSponsorshipsCommand;
        private readonly ICurrentContext _currentContext;
        private readonly IUserService _userService;

-        public OrganizationSponsorshipsController(IOrganizationSponsorshipService organizationSponsorshipService,
+        public OrganizationSponsorshipsController(
            IOrganizationSponsorshipRepository organizationSponsorshipRepository,
            IOrganizationRepository organizationRepository,
            IOrganizationUserRepository organizationUserRepository,
+            IValidateRedemptionTokenCommand validateRedemptionTokenCommand,
+            IValidateBillingSyncKeyCommand validateBillingSyncKeyCommand,
+            ICreateSponsorshipCommand createSponsorshipCommand,
+            ISendSponsorshipOfferCommand sendSponsorshipOfferCommand,
+            ISetUpSponsorshipCommand setUpSponsorshipCommand,
+            IRevokeSponsorshipCommand revokeSponsorshipCommand,
+            IRemoveSponsorshipCommand removeSponsorshipCommand,
+            ICloudSyncSponsorshipsCommand syncSponsorshipsCommand,
            IUserService userService,
            ICurrentContext currentContext)
        {
-            _organizationsSponsorshipService = organizationSponsorshipService;
            _organizationSponsorshipRepository = organizationSponsorshipRepository;
            _organizationRepository = organizationRepository;
            _organizationUserRepository = organizationUserRepository;
+            _validateRedemptionTokenCommand = validateRedemptionTokenCommand;
+            _validateBillingSyncKeyCommand = validateBillingSyncKeyCommand;
+            _createSponsorshipCommand = createSponsorshipCommand;
+            _sendSponsorshipOfferCommand = sendSponsorshipOfferCommand;
+            _setUpSponsorshipCommand = setUpSponsorshipCommand;
+            _revokeSponsorshipCommand = revokeSponsorshipCommand;
+            _removeSponsorshipCommand = removeSponsorshipCommand;
+            _syncSponsorshipsCommand = syncSponsorshipsCommand;
            _userService = userService;
            _currentContext = currentContext;
        }

+        [Authorize("Application")]
        [HttpPost("{sponsoringOrgId}/families-for-enterprise")]
        [SelfHosted(NotSelfHostedOnly = true)]
-        public async Task CreateSponsorship(Guid sponsoringOrgId, [FromBody] OrganizationSponsorshipRequestModel model)
+        public async Task CreateSponsorship(Guid sponsoringOrgId, [FromBody] OrganizationSponsorshipCreateRequestModel model)
        {
-            await _organizationsSponsorshipService.OfferSponsorshipAsync(
+            var sponsorship = await _createSponsorshipCommand.CreateSponsorshipAsync(
                await _organizationRepository.GetByIdAsync(sponsoringOrgId),
                await _organizationUserRepository.GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default),
-                model.PlanSponsorshipType, model.SponsoredEmail, model.FriendlyName,
-                (await CurrentUser).Email);
+                model.PlanSponsorshipType, model.SponsoredEmail, model.FriendlyName);
+            await _sendSponsorshipOfferCommand.SendSponsorshipOfferAsync(sponsorship, (await CurrentUser).Email);
        }

+        [Authorize("Application")]
        [HttpPost("{sponsoringOrgId}/families-for-enterprise/resend")]
        [SelfHosted(NotSelfHostedOnly = true)]
        public async Task ResendSponsorshipOffer(Guid sponsoringOrgId)
@ -56,26 +85,27 @@ namespace Bit.Api.Controllers
            var sponsoringOrgUser = await _organizationUserRepository
                .GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default);

-            await _organizationsSponsorshipService.ResendSponsorshipOfferAsync(
+            await _sendSponsorshipOfferCommand.SendSponsorshipOfferAsync(
                await _organizationRepository.GetByIdAsync(sponsoringOrgId),
                sponsoringOrgUser,
                await _organizationSponsorshipRepository
-                    .GetBySponsoringOrganizationUserIdAsync(sponsoringOrgUser.Id),
-                (await CurrentUser).Email);
+                    .GetBySponsoringOrganizationUserIdAsync(sponsoringOrgUser.Id));
        }

+        [Authorize("Application")]
        [HttpPost("validate-token")]
        [SelfHosted(NotSelfHostedOnly = true)]
        public async Task<bool> PreValidateSponsorshipToken([FromQuery] string sponsorshipToken)
        {
-            return (await _organizationsSponsorshipService.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email)).valid;
+            return (await _validateRedemptionTokenCommand.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email)).valid;
        }

+        [Authorize("Application")]
        [HttpPost("redeem")]
        [SelfHosted(NotSelfHostedOnly = true)]
        public async Task RedeemSponsorship([FromQuery] string sponsorshipToken, [FromBody] OrganizationSponsorshipRedeemRequestModel model)
        {
-            var (valid, sponsorship) = await _organizationsSponsorshipService.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email);
+            var (valid, sponsorship) = await _validateRedemptionTokenCommand.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email);

            if (!valid)
            {
@ -87,12 +117,27 @@ namespace Bit.Api.Controllers
                throw new BadRequestException("Can only redeem sponsorship for an organization you own.");
            }

-            await _organizationsSponsorshipService.SetUpSponsorshipAsync(
+            await _setUpSponsorshipCommand.SetUpSponsorshipAsync(
                sponsorship,
-                // Check org to sponsor's product type
                await _organizationRepository.GetByIdAsync(model.SponsoredOrganizationId));
        }

+        [Authorize("Installation")]
+        [HttpPost("sync")]
+        public async Task<OrganizationSponsorshipSyncResponseModel> Sync([FromBody] OrganizationSponsorshipSyncRequestModel model)
+        {
+            var sponsoringOrg = await _organizationRepository.GetByIdAsync(model.SponsoringOrganizationCloudId);
+            if (!await _validateBillingSyncKeyCommand.ValidateBillingSyncKeyAsync(sponsoringOrg, model.BillingSyncKey))
+            {
+                throw new BadRequestException("Invalid Billing Sync Key");
+            }
+
+            var (syncResponseData, offersToSend) = await _syncSponsorshipsCommand.SyncOrganization(sponsoringOrg, model.ToOrganizationSponsorshipSync().SponsorshipsBatch);
+            await _sendSponsorshipOfferCommand.BulkSendSponsorshipOfferAsync(sponsoringOrg.Name, offersToSend);
+            return new OrganizationSponsorshipSyncResponseModel(syncResponseData);
+        }
+
+        [Authorize("Application")]
        [HttpDelete("{sponsoringOrganizationId}")]
        [HttpPost("{sponsoringOrganizationId}/delete")]
        [SelfHosted(NotSelfHostedOnly = true)]
@ -108,12 +153,10 @@ namespace Bit.Api.Controllers
            var existingOrgSponsorship = await _organizationSponsorshipRepository
                .GetBySponsoringOrganizationUserIdAsync(orgUser.Id);

-            await _organizationsSponsorshipService.RevokeSponsorshipAsync(
-                await _organizationRepository
-                    .GetByIdAsync(existingOrgSponsorship.SponsoredOrganizationId ?? default),
-                existingOrgSponsorship);
+            await _revokeSponsorshipCommand.RevokeSponsorshipAsync(existingOrgSponsorship);
        }

+        [Authorize("Application")]
        [HttpDelete("sponsored/{sponsoredOrgId}")]
        [HttpPost("sponsored/{sponsoredOrgId}/remove")]
        [SelfHosted(NotSelfHostedOnly = true)]
@ -128,10 +171,21 @@ namespace Bit.Api.Controllers
            var existingOrgSponsorship = await _organizationSponsorshipRepository
                .GetBySponsoredOrganizationIdAsync(sponsoredOrgId);

-            await _organizationsSponsorshipService.RemoveSponsorshipAsync(
-                await _organizationRepository
-                    .GetByIdAsync(existingOrgSponsorship.SponsoredOrganizationId.Value),
-                existingOrgSponsorship);
+            await _removeSponsorshipCommand.RemoveSponsorshipAsync(existingOrgSponsorship);
+        }
+
+        [HttpGet("{sponsoringOrgId}/sync-status")]
+        public async Task<object> GetSyncStatus(Guid sponsoringOrgId)
+        {
+            var sponsoringOrg = await _organizationRepository.GetByIdAsync(sponsoringOrgId);
+
+            if (!await _currentContext.OrganizationOwner(sponsoringOrg.Id))
+            {
+                throw new NotFoundException();
+            }
+
+            var lastSyncDate = await _organizationSponsorshipRepository.GetLatestSyncDateBySponsoringOrganizationIdAsync(sponsoringOrg.Id);
+            return new OrganizationSponsorshipSyncStatusResponseModel(lastSyncDate);
        }

        private Task<User> CurrentUser => _userService.GetUserByIdAsync(_currentContext.UserId.Value);
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@ -4,11 +4,12 @@ using System.Linq;
 using System.Threading.Tasks;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
+using Bit.Api.Models.Response.Organizations;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@ -6,12 +6,14 @@ using Bit.Api.Models.Request;
 using Bit.Api.Models.Request.Accounts;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
+using Bit.Api.Models.Response.Organizations;
 using Bit.Api.Utilities;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
+using Bit.Core.OrganizationFeatures.OrganizationApiKeys.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@ -34,6 +36,9 @@ namespace Bit.Api.Controllers
        private readonly ICurrentContext _currentContext;
        private readonly ISsoConfigRepository _ssoConfigRepository;
        private readonly ISsoConfigService _ssoConfigService;
+        private readonly IGetOrganizationApiKeyCommand _getOrganizationApiKeyCommand;
+        private readonly IRotateOrganizationApiKeyCommand _rotateOrganizationApiKeyCommand;
+        private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
        private readonly GlobalSettings _globalSettings;

        public OrganizationsController(
@ -46,6 +51,9 @@ namespace Bit.Api.Controllers
            ICurrentContext currentContext,
            ISsoConfigRepository ssoConfigRepository,
            ISsoConfigService ssoConfigService,
+            IGetOrganizationApiKeyCommand getOrganizationApiKeyCommand,
+            IRotateOrganizationApiKeyCommand rotateOrganizationApiKeyCommand,
+            IOrganizationApiKeyRepository organizationApiKeyRepository,
            GlobalSettings globalSettings)
        {
            _organizationRepository = organizationRepository;
@ -57,6 +65,9 @@ namespace Bit.Api.Controllers
            _currentContext = currentContext;
            _ssoConfigRepository = ssoConfigRepository;
            _ssoConfigService = ssoConfigService;
+            _getOrganizationApiKeyCommand = getOrganizationApiKeyCommand;
+            _rotateOrganizationApiKeyCommand = rotateOrganizationApiKeyCommand;
+            _organizationApiKeyRepository = organizationApiKeyRepository;
            _globalSettings = globalSettings;
        }

@ -482,7 +493,7 @@ namespace Bit.Api.Controllers
        }

        [HttpPost("{id}/api-key")]
-        public async Task<ApiKeyResponseModel> ApiKey(string id, [FromBody] SecretVerificationRequestModel model)
+        public async Task<ApiKeyResponseModel> ApiKey(string id, [FromBody] OrganizationApiKeyRequestModel model)
        {
            var orgIdGuid = new Guid(id);
            if (!await _currentContext.OrganizationOwner(orgIdGuid))
@ -496,6 +507,19 @@ namespace Bit.Api.Controllers
                throw new NotFoundException();
            }

+            if (model.Type == OrganizationApiKeyType.BillingSync)
+            {
+                // Non-enterprise orgs should not be able to create or view an apikey of billing sync key type
+                var plan = StaticStore.GetPlan(organization.PlanType);
+                if (plan.Product != ProductType.Enterprise)
+                {
+                    throw new NotFoundException();
+                }
+            }
+
+            var organizationApiKey = await _getOrganizationApiKeyCommand
+                .GetOrganizationApiKeyAsync(organization.Id, model.Type);
+
            var user = await _userService.GetUserByPrincipalAsync(User);
            if (user == null)
            {
@ -509,13 +533,27 @@ namespace Bit.Api.Controllers
            }
            else
            {
-                var response = new ApiKeyResponseModel(organization);
+                var response = new ApiKeyResponseModel(organizationApiKey);
                return response;
            }
        }

+        [HttpGet("{id}/api-key-information")]
+        public async Task<ListResponseModel<OrganizationApiKeyInformation>> ApiKeyInformation(Guid id)
+        {
+            if (!await _currentContext.OrganizationOwner(id))
+            {
+                throw new NotFoundException();
+            }
+
+            var apiKeys = await _organizationApiKeyRepository.GetManyByOrganizationIdTypeAsync(id);
+
+            return new ListResponseModel<OrganizationApiKeyInformation>(
+                apiKeys.Select(k => new OrganizationApiKeyInformation(k)));
+        }
+
        [HttpPost("{id}/rotate-api-key")]
-        public async Task<ApiKeyResponseModel> RotateApiKey(string id, [FromBody] SecretVerificationRequestModel model)
+        public async Task<ApiKeyResponseModel> RotateApiKey(string id, [FromBody] OrganizationApiKeyRequestModel model)
        {
            var orgIdGuid = new Guid(id);
            if (!await _currentContext.OrganizationOwner(orgIdGuid))
@ -529,6 +567,9 @@ namespace Bit.Api.Controllers
                throw new NotFoundException();
            }

+            var organizationApiKey = await _getOrganizationApiKeyCommand
+                .GetOrganizationApiKeyAsync(organization.Id, model.Type);
+
            var user = await _userService.GetUserByPrincipalAsync(User);
            if (user == null)
            {
@ -542,8 +583,8 @@ namespace Bit.Api.Controllers
            }
            else
            {
-                await _organizationService.RotateApiKeyAsync(organization);
-                var response = new ApiKeyResponseModel(organization);
+                await _rotateOrganizationApiKeyCommand.RotateApiKeyAsync(organizationApiKey);
+                var response = new ApiKeyResponseModel(organizationApiKey);
                return response;
            }
        }
--- a/src/Api/Controllers/SelfHosted/SelfHostedOrganizationSponsorshipsController.cs
+++ b/src/Api/Controllers/SelfHosted/SelfHostedOrganizationSponsorshipsController.cs
@ -0,0 +1,69 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Api.Models.Request.Organizations;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers.SelfHosted
+{
+    [Route("organization/sponsorship/self-hosted")]
+    [Authorize("Application")]
+    [SelfHosted(SelfHostedOnly = true)]
+    public class SelfHostedOrganizationSponsorshipsController : Controller
+    {
+        private readonly IOrganizationRepository _organizationRepository;
+        private readonly IOrganizationUserRepository _organizationUserRepository;
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        private readonly ICreateSponsorshipCommand _offerSponsorshipCommand;
+        private readonly IRevokeSponsorshipCommand _revokeSponsorshipCommand;
+        private readonly ICurrentContext _currentContext;
+
+        public SelfHostedOrganizationSponsorshipsController(
+            ICreateSponsorshipCommand offerSponsorshipCommand,
+            IRevokeSponsorshipCommand revokeSponsorshipCommand,
+            IOrganizationRepository organizationRepository,
+            IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IOrganizationUserRepository organizationUserRepository,
+            ICurrentContext currentContext
+        )
+        {
+            _offerSponsorshipCommand = offerSponsorshipCommand;
+            _revokeSponsorshipCommand = revokeSponsorshipCommand;
+            _organizationRepository = organizationRepository;
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _organizationUserRepository = organizationUserRepository;
+            _currentContext = currentContext;
+        }
+
+        [HttpPost("{sponsoringOrgId}/families-for-enterprise")]
+        public async Task CreateSponsorship(Guid sponsoringOrgId, [FromBody] OrganizationSponsorshipCreateRequestModel model)
+        {
+            await _offerSponsorshipCommand.CreateSponsorshipAsync(
+                await _organizationRepository.GetByIdAsync(sponsoringOrgId),
+                await _organizationUserRepository.GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default),
+                model.PlanSponsorshipType, model.SponsoredEmail, model.FriendlyName);
+        }
+
+        [HttpDelete("{sponsoringOrgId}")]
+        [HttpPost("{sponsoringOrgId}/delete")]
+        public async Task RevokeSponsorship(Guid sponsoringOrgId)
+        {
+            var orgUser = await _organizationUserRepository.GetByOrganizationAsync(sponsoringOrgId, _currentContext.UserId ?? default);
+
+            if (orgUser == null)
+            {
+                throw new BadRequestException("Unknown Organization User");
+            }
+
+            var existingOrgSponsorship = await _organizationSponsorshipRepository
+                .GetBySponsoringOrganizationUserIdAsync(orgUser.Id);
+
+            await _revokeSponsorshipCommand.RevokeSponsorshipAsync(existingOrgSponsorship);
+        }
+    }
+}
--- a/src/Api/Jobs/JobsHostedService.cs
+++ b/src/Api/Jobs/JobsHostedService.cs
@ -46,8 +46,15 @@ namespace Bit.Api.Jobs
                .StartNow()
                .WithCronSchedule("0 30 */12 * * ?")
                .Build();
+            var randomDailySponsorshipSyncTrigger = TriggerBuilder.Create()
+                .WithIdentity("RandomDailySponsorshipSyncTrigger")
+                .StartAt(DateBuilder.FutureDate(new Random().Next(24), IntervalUnit.Hour))
+                .WithSimpleSchedule(x => x
+                    .WithIntervalInHours(24)
+                    .RepeatForever())
+                .Build();

-            Jobs = new List<Tuple<Type, ITrigger>>
+            var jobs = new List<Tuple<Type, ITrigger>>
            {
                new Tuple<Type, ITrigger>(typeof(AliveJob), everyTopOfTheHourTrigger),
                new Tuple<Type, ITrigger>(typeof(EmergencyAccessNotificationJob), emergencyAccessNotificationTrigger),
@ -56,11 +63,22 @@ namespace Bit.Api.Jobs
                new Tuple<Type, ITrigger>(typeof(ValidateOrganizationsJob), everyTwelfthHourAndThirtyMinutesTrigger)
            };

+            if (_globalSettings.SelfHosted && _globalSettings.EnableCloudCommunication)
+            {
+                jobs.Add(new Tuple<Type, ITrigger>(typeof(SelfHostedSponsorshipSyncJob), randomDailySponsorshipSyncTrigger));
+            }
+
+            Jobs = jobs;
+
            await base.StartAsync(cancellationToken);
        }

-        public static void AddJobsServices(IServiceCollection services)
+        public static void AddJobsServices(IServiceCollection services, bool selfHosted)
        {
+            if (selfHosted)
+            {
+                services.AddTransient<SelfHostedSponsorshipSyncJob>();
+            }
            services.AddTransient<AliveJob>();
            services.AddTransient<EmergencyAccessNotificationJob>();
            services.AddTransient<EmergencyAccessTimeoutJob>();
--- a/src/Api/Jobs/SelfHostedSponsorshipSyncJob.cs
+++ b/src/Api/Jobs/SelfHostedSponsorshipSyncJob.cs
@ -0,0 +1,73 @@
+using System;
+using System.Linq;
+using System.Threading.Tasks;
+using Bit.Core.Enums;
+using Bit.Core.Jobs;
+using Bit.Core.Models.OrganizationConnectionConfigs;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Quartz;
+
+namespace Bit.Api.Jobs
+{
+    public class SelfHostedSponsorshipSyncJob : BaseJob
+    {
+        private readonly IServiceProvider _serviceProvider;
+        private IOrganizationRepository _organizationRepository;
+        private IOrganizationConnectionRepository _organizationConnectionRepository;
+        private readonly ILicensingService _licensingService;
+        private GlobalSettings _globalSettings;
+
+        public SelfHostedSponsorshipSyncJob(
+            IServiceProvider serviceProvider,
+            IOrganizationRepository organizationRepository,
+            IOrganizationConnectionRepository organizationConnectionRepository,
+            ILicensingService licensingService,
+            ILogger<SelfHostedSponsorshipSyncJob> logger,
+            GlobalSettings globalSettings)
+            : base(logger)
+        {
+            _serviceProvider = serviceProvider;
+            _organizationRepository = organizationRepository;
+            _organizationConnectionRepository = organizationConnectionRepository;
+            _licensingService = licensingService;
+            _globalSettings = globalSettings;
+        }
+
+        protected override async Task ExecuteJobAsync(IJobExecutionContext context)
+        {
+            if (!_globalSettings.EnableCloudCommunication)
+            {
+                _logger.LogInformation("Skipping Organization sync with cloud - Cloud communication is disabled in global settings");
+                return;
+            }
+
+            var organizations = await _organizationRepository.GetManyByEnabledAsync();
+
+            using (var scope = _serviceProvider.CreateScope())
+            {
+                var syncCommand = scope.ServiceProvider.GetRequiredService<ISelfHostedSyncSponsorshipsCommand>();
+                foreach (var org in organizations)
+                {
+                    var connection = (await _organizationConnectionRepository.GetEnabledByOrganizationIdTypeAsync(org.Id, OrganizationConnectionType.CloudBillingSync)).FirstOrDefault();
+                    if (connection != null)
+                    {
+                        try
+                        {
+                            var config = connection.GetConfig<BillingSyncConfig>();
+                            await syncCommand.SyncOrganization(org.Id, config.CloudOrganizationId, connection);
+                        }
+                        catch (Exception ex)
+                        {
+                            _logger.LogError(ex, $"Sponsorship sync for organization {org.Name} Failed");
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
--- a/src/Api/Models/Public/MemberBaseModel.cs
+++ b/src/Api/Models/Public/MemberBaseModel.cs
@ -2,7 +2,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;

 namespace Bit.Api.Models.Public
 {
--- a/src/Api/Models/Public/Response/MemberResponseModel.cs
+++ b/src/Api/Models/Public/Response/MemberResponseModel.cs
@ -5,6 +5,7 @@ using System.Linq;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;

 namespace Bit.Api.Models.Public.Response
 {
--- a/src/Api/Models/Request/Accounts/OrganizationApiKeyRequestModel.cs
+++ b/src/Api/Models/Request/Accounts/OrganizationApiKeyRequestModel.cs
@ -0,0 +1,9 @@
+using Bit.Core.Enums;
+
+namespace Bit.Api.Models.Request.Accounts
+{
+    public class OrganizationApiKeyRequestModel : SecretVerificationRequestModel
+    {
+        public OrganizationApiKeyType Type { get; set; }
+    }
+}
--- a/src/Api/Models/Request/Organizations/OrganizationConnectionRequestModel.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationConnectionRequestModel.cs
@ -0,0 +1,52 @@
+using System;
+using System.Text.Json;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationConnections;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Models.Request.Organizations
+{
+    public class OrganizationConnectionRequestModel
+    {
+        public OrganizationConnectionType Type { get; set; }
+        public Guid OrganizationId { get; set; }
+        public bool Enabled { get; set; }
+        public JsonDocument Config { get; set; }
+
+        public OrganizationConnectionRequestModel() { }
+    }
+
+
+    public class OrganizationConnectionRequestModel<T> : OrganizationConnectionRequestModel where T : new()
+    {
+        public T ParsedConfig { get; private set; }
+
+        public OrganizationConnectionRequestModel(OrganizationConnectionRequestModel model)
+        {
+            Type = model.Type;
+            OrganizationId = model.OrganizationId;
+            Enabled = model.Enabled;
+            Config = model.Config;
+
+            try
+            {
+                ParsedConfig = model.Config.ToObject<T>(JsonHelpers.IgnoreCase);
+            }
+            catch (JsonException)
+            {
+                throw new BadRequestException("Organization Connection configuration malformed");
+            }
+        }
+
+        public OrganizationConnectionData<T> ToData(Guid? id = null) =>
+            new()
+            {
+                Id = id,
+                Type = Type,
+                OrganizationId = OrganizationId,
+                Enabled = Enabled,
+                Config = ParsedConfig,
+            };
+    }
+}
--- a/src/Api/Models/Request/Organizations/OrganizationSponsorshipCreateRequestModel.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationSponsorshipCreateRequestModel.cs
@ -4,7 +4,7 @@ using Bit.Core.Utilities;

 namespace Bit.Api.Models.Request.Organizations
 {
-    public class OrganizationSponsorshipRequestModel
+    public class OrganizationSponsorshipCreateRequestModel
    {
        [Required]
        public PlanSponsorshipType PlanSponsorshipType { get; set; }
--- a/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
@ -6,6 +6,7 @@ using System.Text.Json;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Utilities;

 namespace Bit.Api.Models.Request.Organizations
--- a/src/Api/Models/Response/ApiKeyResponseModel.cs
+++ b/src/Api/Models/Response/ApiKeyResponseModel.cs
@ -6,14 +6,15 @@ namespace Bit.Api.Models.Response
 {
    public class ApiKeyResponseModel : ResponseModel
    {
-        public ApiKeyResponseModel(Organization organization, string obj = "apiKey")
+        public ApiKeyResponseModel(OrganizationApiKey organizationApiKey, string obj = "apiKey")
            : base(obj)
        {
-            if (organization == null)
+            if (organizationApiKey == null)
            {
-                throw new ArgumentNullException(nameof(organization));
+                throw new ArgumentNullException(nameof(organizationApiKey));
            }
-            ApiKey = organization.ApiKey;
+            ApiKey = organizationApiKey.ApiKey;
+            RevisionDate = organizationApiKey.RevisionDate;
        }

        public ApiKeyResponseModel(User user, string obj = "apiKey")
@ -24,8 +25,10 @@ namespace Bit.Api.Models.Response
                throw new ArgumentNullException(nameof(user));
            }
            ApiKey = user.ApiKey;
+            RevisionDate = user.RevisionDate;
        }

        public string ApiKey { get; set; }
+        public DateTime RevisionDate { get; set; }
    }
 }
--- a/src/Api/Models/Response/Organizations/OrganizationApiKeyInformationResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationApiKeyInformationResponseModel.cs
@ -0,0 +1,19 @@
+using System;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Models.Response.Organizations
+{
+    public class OrganizationApiKeyInformation : ResponseModel
+    {
+        public OrganizationApiKeyInformation(OrganizationApiKey key) : base("keyInformation")
+        {
+            KeyType = key.Type;
+            RevisionDate = key.RevisionDate;
+        }
+
+        public OrganizationApiKeyType KeyType { get; set; }
+        public DateTime RevisionDate { get; set; }
+    }
+}
--- a/src/Api/Models/Response/Organizations/OrganizationAutoEnrollStatusResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationAutoEnrollStatusResponseModel.cs
@ -1,7 +1,7 @@
 using System;
 using Bit.Core.Models.Api;

-namespace Bit.Api.Models.Response
+namespace Bit.Api.Models.Response.Organizations
 {
    public class OrganizationAutoEnrollStatusResponseModel : ResponseModel
    {
--- a/src/Api/Models/Response/Organizations/OrganizationConnectionResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationConnectionResponseModel.cs
@ -0,0 +1,30 @@
+using System;
+using System.Text.Json;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Api.Models.Response.Organizations
+{
+    public class OrganizationConnectionResponseModel
+    {
+        public Guid? Id { get; set; }
+        public OrganizationConnectionType Type { get; set; }
+        public Guid OrganizationId { get; set; }
+        public bool Enabled { get; set; }
+        public JsonDocument Config { get; set; }
+
+        public OrganizationConnectionResponseModel(OrganizationConnection connection, Type configType)
+        {
+            if (connection == null)
+            {
+                return;
+            }
+
+            Id = connection.Id;
+            Type = connection.Type;
+            OrganizationId = connection.OrganizationId;
+            Enabled = connection.Enabled;
+            Config = JsonDocument.Parse(connection.Config);
+        }
+    }
+}
--- a/src/Api/Models/Response/Organizations/OrganizationKeysResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationKeysResponseModel.cs
@ -2,7 +2,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Models.Api;

-namespace Bit.Api.Models.Response
+namespace Bit.Api.Models.Response.Organizations
 {
    public class OrganizationKeysResponseModel : ResponseModel
    {
--- a/src/Api/Models/Response/Organizations/OrganizationResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationResponseModel.cs
@ -6,7 +6,7 @@ using Bit.Core.Models.Api;
 using Bit.Core.Models.Business;
 using Bit.Core.Utilities;

-namespace Bit.Api.Models.Response
+namespace Bit.Api.Models.Response.Organizations
 {
    public class OrganizationResponseModel : ResponseModel
    {
--- a/src/Api/Models/Response/Organizations/OrganizationSponsorshipSyncStatusResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationSponsorshipSyncStatusResponseModel.cs
@ -0,0 +1,16 @@
+using System;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Models.Response.Organizations
+{
+    public class OrganizationSponsorshipSyncStatusResponseModel : ResponseModel
+    {
+        public OrganizationSponsorshipSyncStatusResponseModel(DateTime? lastSyncDate)
+            : base("syncStatus")
+        {
+            LastSyncDate = lastSyncDate;
+        }
+
+        public DateTime? LastSyncDate { get; set; }
+    }
+}
--- a/src/Api/Models/Response/Organizations/OrganizationSsoResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationSsoResponseModel.cs
@ -3,7 +3,7 @@ using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
 using Bit.Core.Settings;

-namespace Bit.Api.Models.Response
+namespace Bit.Api.Models.Response.Organizations
 {
    public class OrganizationSsoResponseModel : ResponseModel
    {
--- a/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
@ -5,9 +5,10 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Utilities;

-namespace Bit.Api.Models.Response
+namespace Bit.Api.Models.Response.Organizations
 {
    public class OrganizationUserResponseModel : ResponseModel
    {
--- a/src/Api/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/Models/Response/ProfileOrganizationResponseModel.cs
@ -1,6 +1,8 @@
-using Bit.Core.Enums;
+using System;
+using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Utilities;

 namespace Bit.Api.Models.Response
@ -45,6 +47,9 @@ namespace Bit.Api.Models.Response
                StaticStore.GetSponsoredPlan(PlanSponsorshipType.FamiliesForEnterprise)
                .UsersCanSponsor(organization);
            PlanProductType = StaticStore.GetPlan(organization.PlanType).Product;
+            FamilySponsorshipLastSyncDate = organization.FamilySponsorshipLastSyncDate;
+            FamilySponsorshipToDelete = organization.FamilySponsorshipToDelete;
+            FamilySponsorshipValidUntil = organization.FamilySponsorshipValidUntil;

            if (organization.SsoConfig != null)
            {
@ -88,5 +93,8 @@ namespace Bit.Api.Models.Response
        public ProductType PlanProductType { get; set; }
        public bool KeyConnectorEnabled { get; set; }
        public string KeyConnectorUrl { get; set; }
+        public DateTime? FamilySponsorshipLastSyncDate { get; set; }
+        public DateTime? FamilySponsorshipValidUntil { get; set; }
+        public bool? FamilySponsorshipToDelete { get; set; }
    }
 }
--- a/src/Api/Models/Response/ProfileResponseModel.cs
+++ b/src/Api/Models/Response/ProfileResponseModel.cs
@ -5,6 +5,7 @@ using Bit.Api.Models.Response.Providers;
 using Bit.Core.Entities;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;

 namespace Bit.Api.Models.Response
 {
--- a/src/Api/Models/Response/SyncResponseModel.cs
+++ b/src/Api/Models/Response/SyncResponseModel.cs
@ -4,6 +4,7 @@ using System.Linq;
 using Bit.Core.Entities;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Settings;
 using Core.Models.Data;

--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -114,12 +114,17 @@ namespace Bit.Api
                    policy.RequireAuthenticatedUser();
                    policy.RequireClaim(JwtClaimTypes.Scope, "api.organization");
                });
+                config.AddPolicy("Installation", policy =>
+                {
+                    policy.RequireAuthenticatedUser();
+                    policy.RequireClaim(JwtClaimTypes.Scope, "api.installation");
+                });
            });

            services.AddScoped<AuthenticatorTokenProvider>();

            // Services
-            services.AddBaseServices();
+            services.AddBaseServices(globalSettings);
            services.AddDefaultServices(globalSettings);
            services.AddCoreLocalizationServices();

@ -137,15 +142,9 @@ namespace Bit.Api
            });

            services.AddSwagger(globalSettings);
-            Jobs.JobsHostedService.AddJobsServices(services);
+            Jobs.JobsHostedService.AddJobsServices(services, globalSettings.SelfHosted);
            services.AddHostedService<Jobs.JobsHostedService>();

-            if (globalSettings.SelfHosted)
-            {
-                // Jobs service
-                Jobs.JobsHostedService.AddJobsServices(services);
-                services.AddHostedService<Jobs.JobsHostedService>();
-            }
            if (CoreHelpers.SettingHasValue(globalSettings.ServiceBus.ConnectionString) &&
                CoreHelpers.SettingHasValue(globalSettings.ServiceBus.ApplicationCacheTopicName))
            {