Feature/self hosted families for enterprise (#1991)

* Families for enterprise/split up organization sponsorship service (#1829)

* Split OrganizationSponsorshipService into commands

* Use tokenable for token validation

* Use interfaces to set up for DI

* Use commands over services

* Move service tests to command tests

* Value types can't be null

* Run dotnet format

* Update src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CancelSponsorshipCommand.cs

Co-authored-by: Justin Baur <admin@justinbaur.com>

* Fix controller tests

Co-authored-by: Justin Baur <admin@justinbaur.com>

* Families for enterprise/split up organization sponsorship service (#1875)

* Split OrganizationSponsorshipService into commands

* Use tokenable for token validation

* Use interfaces to set up for DI

* Use commands over services

* Move service tests to command tests

* Value types can't be null

* Run dotnet format

* Update src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CancelSponsorshipCommand.cs

Co-authored-by: Justin Baur <admin@justinbaur.com>

* Fix controller tests

* Split create and send sponsorships

* Split up create sponsorship

* Add self hosted commands to dependency injection

* Add field to store cloud billing sync key on self host instances

* Fix typo

* Fix data protector purpose of sponsorship offers

* Split cloud and selfhosted sponsorship offer tokenable

* Generate offer from self hosted with all necessary auth data

* Add Required properties to constructor

* Split up cancel sponsorship command

* Split revoke sponsorship command between cloud and self hosted

* Fix/f4e multiple sponsorships (#1838)

* Use sponosorship from validate to redeem

* Update tests

* Format

* Remove sponsorship service

* Run dotnet format

* Fix self hosted only controller attribute

* Clean up file structure and fixes

* Remove unneeded tokenables

* Remove obsolete commands

* Do not require file/class prefix if unnecessary

* Update Organizaiton sprocs

* Remove unnecessary models

* Fix tests

* Generalize LicenseService path calculation

Use async file read and deserialization

* Use interfaces for testability

* Remove unused usings

* Correct test direction

* Test license reading

* remove unused usings

* Format

Co-authored-by: Justin Baur <admin@justinbaur.com>

* Improve DataProtectorTokenFactory test coverage (#1884)

* Add encstring to server

* Test factory

Co-authored-by: Carlos Muentes <cmuentes@bitwarden.com>

* Format

* Remove SymmetricKeyProtectedString

Not needed

* Set ForcInvalid

Co-authored-by: Carlos Muentes <cmuentes@bitwarden.com>

* Feature/self f4e/api keys (#1896)

* Add in ApiKey

* Work on API Key table

* Work on apikey table

* Fix response model

* Work on information for UI

* Work on last sync date

* Work on sync status

* Work on auth

* Work on tokenable

* Work on merge

* Add custom requirement

* Add policy

* Run formatting

* Work on EF Migrations

* Work on OrganizationConnection

* Work on database

* Work on additional database table

* Run formatting

* Small fixes

* More cleanup

* Cleanup

* Add RevisionDate

* Add GO

* Finish Sql project

* Add newlines

* Fix stored proc file

* Fix sqlproj

* Add newlines

* Fix table

* Add navigation property

* Delete Connections when organization is deleted

* Add connection validation

* Start adding ID column

* Work on ID column

* Work on SQL migration

* Work on migrations

* Run formatting

* Fix test build

* Fix sprocs

* Work on migrations

* Fix Create table

* Fix sproc

* Add prints to migration

* Add default value

* Update EF migrations

* Formatting

* Add to integration tests

* Minor fixes

* Formatting

* Cleanup

* Address PR feedback

* Address more PR feedback

* Fix formatting

* Fix formatting

* Fix

* Address PR feedback

* Remove accidential change

* Fix SQL build

* Run formatting

* Address PR feedback

* Add sync data to OrganizationUserOrgDetails

* Add comments

* Remove OrganizationConnectionService interface

* Remove unused using

* Address PR feedback

* Formatting

* Minor fix

* Feature/self f4e/update db (#1930)

* Fix migration

* Fix TimesRenewed

* Add comments

* Make two properties non-nullable

* Remove need for SponsoredOrg on SH (#1934)

* Remove need for SponsoredOrg on SH

* Add Family prefix

* Add check for enterprise org on BillingSync key (#1936)

* [PS-10] Feature/sponsorships removed at end of term (#1938)

* Rename commands to min unique names

* Inject revoke command based on self hosting

* WIP: Remove/Revoke marks to delete

* Complete WIP

* Improve remove/revoke tests

* PR review

* Fail validation if sponsorship has failed to sync for 6 months

* Feature/do not accept old self host sponsorships (#1939)

* Do not accept >6mo old self-hosted sponsorships

* Give disabled grace period of 3 months

* Fix issues of Sql.proj differing from migration outcome (#1942)

* Fix issues of Sql.proj differing from migration outcome

* Yoink int tests

* Add missing assert helpers

* Feature/org sponsorship sync (#1922)

* Self-hosted side sync first pass

TODO:
* flush out org sponsorship model
* implement cloud side
* process cloud-side response and update self-hosted records

* sync scaffolding second pass

* remove list of Org User ids from sync and begin work on SelfHostedRevokeSponsorship

* allow authenticated http calls from server to return a result

* update models

* add logic for sync and change offer email template

* add billing sync key and hide CreateSponsorship without user

* fix tests

* add job scheduling

* add authorize attributes to endpoints

* separate models into data/model and request/response

* batch sync more, add EnableCloudCommunication for testing

* send emails in bulk

* make userId and sponsorshipType non nullable

* batch more on self hosted side of sync

* remove TODOs and formatting

* changed logic of cloud sync

* let BaseIdentityClientService handle all logging

* call sync from scheduled job on self host

* create bulk db operations for OrganizationSponsorships

* remove SponsoredOrgId from sync, return default from server http call

* validate BillingSyncKey during sync

revert changes to CreateSponsorshipCommand

* revert changes to ICreateSponsorshipCommand

* add some tests

* add DeleteExpiredSponsorshipsJob

* add cloud sync test

* remove extra method

* formatting

* prevent new sponsorships from disabled orgs

* update packages

* - pulled out send sponsorship command dependency from sync on cloud
- don't throw error when sponsorships are empty
- formatting

* formatting models

* more formatting

* remove licensingService dependency from selfhosted sync

* use installation urls and formatting

* create constructor for RequestModel and formatting

* add date parameter to OrganizationSponsorship_DeleteExpired

* add new migration

* formatting

* rename OrganizationCreateSponsorshipRequestModel to OrganizationSponsorshipCreateRequestModel

* prevent whole sync from failing if one sponsorship type is unsupported

* deserialize config and billingsynckey from org connection

* alter log message when sync disabled

* Add grace period to disabled orgs

* return early on self hosted if there are no sponsorships in database

* rename BillingSyncConfig

* send sponsorship offers from controller

* allow config to be a null object

* better exception handling in sync scheduler

* add ef migrations

* formatting

* fix tests

* fix validate test

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* Fix OrganizationApiKey issues (#1941)

Co-authored-by: Justin Baur <admin@justinbaur.com>

* Feature/org sponsorship self hosted tests (#1947)

* Self-hosted side sync first pass

TODO:
* flush out org sponsorship model
* implement cloud side
* process cloud-side response and update self-hosted records

* sync scaffolding second pass

* remove list of Org User ids from sync and begin work on SelfHostedRevokeSponsorship

* allow authenticated http calls from server to return a result

* update models

* add logic for sync and change offer email template

* add billing sync key and hide CreateSponsorship without user

* fix tests

* add job scheduling

* add authorize attributes to endpoints

* separate models into data/model and request/response

* batch sync more, add EnableCloudCommunication for testing

* send emails in bulk

* make userId and sponsorshipType non nullable

* batch more on self hosted side of sync

* remove TODOs and formatting

* changed logic of cloud sync

* let BaseIdentityClientService handle all logging

* call sync from scheduled job on self host

* create bulk db operations for OrganizationSponsorships

* remove SponsoredOrgId from sync, return default from server http call

* validate BillingSyncKey during sync

revert changes to CreateSponsorshipCommand

* revert changes to ICreateSponsorshipCommand

* add some tests

* add DeleteExpiredSponsorshipsJob

* add cloud sync test

* remove extra method

* formatting

* prevent new sponsorships from disabled orgs

* update packages

* - pulled out send sponsorship command dependency from sync on cloud
- don't throw error when sponsorships are empty
- formatting

* formatting models

* more formatting

* remove licensingService dependency from selfhosted sync

* use installation urls and formatting

* create constructor for RequestModel and formatting

* add date parameter to OrganizationSponsorship_DeleteExpired

* add new migration

* formatting

* rename OrganizationCreateSponsorshipRequestModel to OrganizationSponsorshipCreateRequestModel

* prevent whole sync from failing if one sponsorship type is unsupported

* deserialize config and billingsynckey from org connection

* add mockHttp nuget package and use httpclientfactory

* fix current tests

* WIP of creating tests

* WIP of new self hosted tests

* WIP self hosted tests

* finish self hosted tests

* formatting

* format of interface

* remove extra config file

* added newlines

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* Fix Organization_DeleteById (#1950)

* Fix Organization_Delete

* Fix L

* [PS-4] block enterprise user from sponsoring itself (#1943)

* [PS-248] Feature/add connections enabled endpoint (#1953)

* Move Organization models to sub namespaces

* Add Organization Connection api endpoints

* Get all connections rather than just enabled ones

* Add missing services to DI

* pluralize private api endpoints

* Add type protection to org connection request/response

* Fix route

* Use nullable Id to signify no connection

* Test Get Connections enabled

* Fix data discoverer

* Also drop this sproc for rerunning

* Id is the OUTPUT of create sprocs

* Fix connection config parsing

* Linter fixes

* update sqlproj file name

* Use param xdocs on methods

* Simplify controller path attribute

* Use JsonDocument to avoid escaped json in our response/request strings

* Fix JsonDoc tests

* Linter fixes

* Fix ApiKey Command and add tests (#1949)

* Fix ApiKey command

* Formatting

* Fix test failures introduced in #1943 (#1957)

* Remove "Did you know?" copy from emails. (#1962)

* Remove "Did you know"

* Remove jsonIf helper

* Feature/fix send single sponsorship offer email (#1956)

* Fix sponsorship offer email

* Do not sanitize org name

* PR feedback

* Feature/f4e sync event [PS-75] (#1963)

* Create sponsorship sync event type

* Add InstallationId to Event model

* Add combinatorics-based test case generators

* Log sponsorships sync event on sync

* Linter and test fixes

* Fix failing test

* Migrate sprocs and view

* Remove unused `using`s

* [PS-190] Add manual sync trigger in self hosted (#1955)

* WIP add button to admin project for billing sync

* add connection table to view page

* minor fixes for self hosted side of sync

* fixes number of bugs for cloud side of sync

* deserialize before returning for some reason

* add json attributes to return models

* list of sponsorships parameter is immutable, add secondary list

* change sproc name

* add error handling

* Fix tests

* modify call to connection

* Update src/Admin/Controllers/OrganizationsController.cs

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* undo change to sproc name

* simplify logic

* Update src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudSyncSponsorshipsCommand.cs

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* register services despite if self hosted or cloud

* remove json properties

* revert merge conflict

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* Update OrganizationSponsorship valid until when updating org expirati… (#1966)

* Update OrganizationSponsorship valid until when updating org expiration date

* Linter fixes

* [PS-7] change revert email copy and add ValidUntil to sponsorship (#1965)

* change revert email copy and add ValidUntil to sponsorship

* add 15 days if no ValidUntil

* Chore/merge/self hosted families for enterprise (#1972)

* Log swallowed HttpRequestExceptions (#1866)

Co-authored-by: Hinton <oscar@oscarhinton.com>

* Allow for utilization of  readonly db connection (#1937)

* Bump the pin of the download-artifacts action to bypass the broken GitHub api (#1952)

* Bumped version to 1.48.0 (#1958)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* [EC-160] Give Provider Users access to all org ciphers and collections (#1959)

* Bumped version to 1.48.1 (#1961)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Avoid sending "user need confirmation" emails when there are no org admins (#1960)

* Remove noncompliant users for new policies (#1951)

* [PS-284] Allow installation clients to not need a user. (#1968)

* Allow installation clients to not need a user.

* Run formatting

Co-authored-by: Andrei <30410186+Manolachi@users.noreply.github.com>
Co-authored-by: Hinton <oscar@oscarhinton.com>
Co-authored-by: sneakernuts <671942+sneakernuts@users.noreply.github.com>
Co-authored-by: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Co-authored-by: Justin Baur <136baur@gmail.com>

* Fix/license file not found (#1974)

* Handle null license

* Throw hint message if license is not found by the admin project.

* Use CloudOrganizationId from Connection config

* Change test to support change

* Fix test

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* Feature/f4e selfhosted rename migration to .sql (#1971)

* rename migration to .sql

* format

* Add unit tests to self host F4E (#1975)

* Work on tests

* Added more tests

* Run linting

* Address PR feedback

* Fix AssertRecent

* Linting

* Fixed empty tests

* Fix/misc self hosted f4e (#1973)

* Allow setting of ApiUri

* Return updates sponsorshipsData objects

* Bind arguments by name

* Greedy load sponsorships to email.

When upsert was called, it creates Ids on _all_ records, which meant
that the lazy-evaluation from this call always returned an empty list.

* add scope for sync command DI in job. simplify error logic

* update the sync job to get CloudOrgId from the BillingSyncKey

Co-authored-by: Jacob Fink <jfink@bitwarden.com>

* Chore/merge/self hosted families for enterprise (#1987)

* Log swallowed HttpRequestExceptions (#1866)

Co-authored-by: Hinton <oscar@oscarhinton.com>

* Allow for utilization of  readonly db connection (#1937)

* Bump the pin of the download-artifacts action to bypass the broken GitHub api (#1952)

* Bumped version to 1.48.0 (#1958)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* [EC-160] Give Provider Users access to all org ciphers and collections (#1959)

* Bumped version to 1.48.1 (#1961)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Avoid sending "user need confirmation" emails when there are no org admins (#1960)

* Remove noncompliant users for new policies (#1951)

* [PS-284] Allow installation clients to not need a user. (#1968)

* Allow installation clients to not need a user.

* Run formatting

* Use accept flow for sponsorship offers (#1964)

* PS-82 check send 2FA email for new devices on TwoFactorController send-email-login (#1977)

* [Bug] Skip WebAuthn 2fa event logs during login flow (#1978)

* [Bug] Supress WebAuthn 2fa event logs during login process

* Formatting

* Simplified method call with new paramter input

* Update RealIps Description (#1980)

Describe the syntax of the real_ips configuration key with an example, to prevent type errors in the `setup` container when parsing `config.yml`

* add proper URI validation to duo host (#1984)

* captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>

* ensure no path specific in duo host (#1985)

Co-authored-by: Andrei <30410186+Manolachi@users.noreply.github.com>
Co-authored-by: Hinton <oscar@oscarhinton.com>
Co-authored-by: sneakernuts <671942+sneakernuts@users.noreply.github.com>
Co-authored-by: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Co-authored-by: Justin Baur <136baur@gmail.com>
Co-authored-by: Federico Maccaroni <fedemkr@gmail.com>
Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Co-authored-by: Jordan Cooks <notnamed@users.noreply.github.com>
Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>
Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>

* Address feedback (#1990)

Co-authored-by: Justin Baur <admin@justinbaur.com>
Co-authored-by: Carlos Muentes <cmuentes@bitwarden.com>
Co-authored-by: Jake Fink <jfink@bitwarden.com>
Co-authored-by: Justin Baur <136baur@gmail.com>
Co-authored-by: Andrei <30410186+Manolachi@users.noreply.github.com>
Co-authored-by: Hinton <oscar@oscarhinton.com>
Co-authored-by: sneakernuts <671942+sneakernuts@users.noreply.github.com>
Co-authored-by: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Co-authored-by: Federico Maccaroni <fedemkr@gmail.com>
Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Co-authored-by: Jordan Cooks <notnamed@users.noreply.github.com>
Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>
Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>

src/Core/Entities/Event.cs

@@ -22,6 +22,7 @@ namespace Bit.Core.Entities
             PolicyId = e.PolicyId;
             GroupId = e.GroupId;
             OrganizationUserId = e.OrganizationUserId;
+            InstallationId = e.InstallationId;
             ProviderUserId = e.ProviderUserId;
             ProviderOrganizationId = e.ProviderOrganizationId;
             DeviceType = e.DeviceType;
@@ -34,6 +35,7 @@ namespace Bit.Core.Entities
         public EventType Type { get; set; }
         public Guid? UserId { get; set; }
         public Guid? OrganizationId { get; set; }
+        public Guid? InstallationId { get; set; }
         public Guid? ProviderId { get; set; }
         public Guid? CipherId { get; set; }
         public Guid? CollectionId { get; set; }

src/Core/Entities/Organization.cs

@@ -60,8 +60,6 @@ namespace Bit.Core.Entities
         public bool Enabled { get; set; } = true;
         [MaxLength(100)]
         public string LicenseKey { get; set; }
-        [MaxLength(30)]
-        public string ApiKey { get; set; }
         public string PublicKey { get; set; }
         public string PrivateKey { get; set; }
         public string TwoFactorProviders { get; set; }

src/Core/Entities/OrganizationApiKey.cs

@@ -0,0 +1,22 @@
+using System;
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Entities
+{
+    public class OrganizationApiKey : ITableObject<Guid>
+    {
+        public Guid Id { get; set; }
+        public Guid OrganizationId { get; set; }
+        public OrganizationApiKeyType Type { get; set; }
+        [MaxLength(30)]
+        public string ApiKey { get; set; }
+        public DateTime RevisionDate { get; set; }
+
+        public void SetNewId()
+        {
+            Id = CoreHelpers.GenerateComb();
+        }
+    }
+}

src/Core/Entities/OrganizationConnection.cs

@@ -0,0 +1,47 @@
+using System;
+using System.Text.Json;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Entities
+{
+    public class OrganizationConnection<T> : OrganizationConnection where T : new()
+    {
+        public new T Config
+        {
+            get => base.GetConfig<T>();
+            set => base.SetConfig<T>(value);
+        }
+    }
+
+    public class OrganizationConnection : ITableObject<Guid>
+    {
+        public Guid Id { get; set; }
+        public OrganizationConnectionType Type { get; set; }
+        public Guid OrganizationId { get; set; }
+        public bool Enabled { get; set; }
+        public string Config { get; set; }
+
+        public void SetNewId()
+        {
+            Id = CoreHelpers.GenerateComb();
+        }
+
+        public T GetConfig<T>() where T : new()
+        {
+            try
+            {
+                return JsonSerializer.Deserialize<T>(Config);
+            }
+            catch (JsonException)
+            {
+                return default;
+            }
+        }
+
+        public void SetConfig<T>(T config) where T : new()
+        {
+            Config = JsonSerializer.Serialize(config);
+        }
+    }
+}

src/Core/Entities/OrganizationSponsorship.cs

@@ -8,20 +8,17 @@ namespace Bit.Core.Entities
     public class OrganizationSponsorship : ITableObject<Guid>
     {
         public Guid Id { get; set; }
-        public Guid? InstallationId { get; set; }
         public Guid? SponsoringOrganizationId { get; set; }
-        public Guid? SponsoringOrganizationUserId { get; set; }
+        public Guid SponsoringOrganizationUserId { get; set; }
         public Guid? SponsoredOrganizationId { get; set; }
         [MaxLength(256)]
         public string FriendlyName { get; set; }
         [MaxLength(256)]
         public string OfferedToEmail { get; set; }
         public PlanSponsorshipType? PlanSponsorshipType { get; set; }
-        [Required]
-        public bool CloudSponsor { get; set; }
         public DateTime? LastSyncDate { get; set; }
-        public byte TimesRenewedWithoutValidation { get; set; }
-        public DateTime? SponsorshipLapsedDate { get; set; }
+        public DateTime? ValidUntil { get; set; }
+        public bool ToDelete { get; set; }
 
         public void SetNewId()
         {

src/Core/Enums/EventType.cs

@@ -60,6 +60,7 @@
         Organization_DisabledSso = 1605,
         Organization_EnabledKeyConnector = 1606,
         Organization_DisabledKeyConnector = 1607,
+        Organization_SponsorshipsSynced = 1608,
 
         Policy_Updated = 1700,
 

src/Core/Enums/OrganizationApiKeyType.cs

@@ -0,0 +1,8 @@
+namespace Bit.Core.Enums
+{
+    public enum OrganizationApiKeyType : byte
+    {
+        Default,
+        BillingSync,
+    }
+}

src/Core/Enums/OrganizationConnectionType.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.Enums
+{
+    public enum OrganizationConnectionType : byte
+    {
+        CloudBillingSync = 1,
+    }
+}

src/Core/IdentityServer/ApiResources.cs

@@ -30,6 +30,7 @@ namespace Bit.Core.IdentityServer
                 new ApiResource("api.licensing", new string[] { JwtClaimTypes.Subject }),
                 new ApiResource("api.organization", new string[] { JwtClaimTypes.Subject }),
                 new ApiResource("api.provider", new string[] { JwtClaimTypes.Subject }),
+                new ApiResource("api.installation", new string[] { JwtClaimTypes.Subject }),
             };
         }
     }

src/Core/IdentityServer/ApiScopes.cs

@@ -13,6 +13,7 @@ namespace Bit.Core.IdentityServer
                 new ApiScope("api.push", "API Push Access"),
                 new ApiScope("api.licensing", "API Licensing Access"),
                 new ApiScope("api.organization", "API Organization Access"),
+                new ApiScope("api.installation", "API Installation Access"),
                 new ApiScope("internal", "Internal Access")
             };
         }

src/Core/IdentityServer/BaseRequestValidator.cs

@@ -12,8 +12,7 @@ using Bit.Core.Enums;
 using Bit.Core.Identity;
 using Bit.Core.Models;
 using Bit.Core.Models.Api;
-using Bit.Core.Models.Business;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;

src/Core/IdentityServer/ClientStore.cs

@@ -5,6 +5,7 @@ using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Bit.Core.Context;
+using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -27,6 +28,7 @@ namespace Bit.Core.IdentityServer
         private readonly IOrganizationUserRepository _organizationUserRepository;
         private readonly IProviderUserRepository _providerUserRepository;
         private readonly IProviderOrganizationRepository _providerOrganizationRepository;
+        private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
 
         public ClientStore(
             IInstallationRepository installationRepository,
@@ -38,7 +40,8 @@ namespace Bit.Core.IdentityServer
             ICurrentContext currentContext,
             IOrganizationUserRepository organizationUserRepository,
             IProviderUserRepository providerUserRepository,
-            IProviderOrganizationRepository providerOrganizationRepository)
+            IProviderOrganizationRepository providerOrganizationRepository,
+            IOrganizationApiKeyRepository organizationApiKeyRepository)
         {
             _installationRepository = installationRepository;
             _organizationRepository = organizationRepository;
@@ -50,6 +53,7 @@ namespace Bit.Core.IdentityServer
             _organizationUserRepository = organizationUserRepository;
             _providerUserRepository = providerUserRepository;
             _providerOrganizationRepository = providerOrganizationRepository;
+            _organizationApiKeyRepository = organizationApiKeyRepository;
         }
 
         public async Task<Client> FindClientByIdAsync(string clientId)
@@ -67,7 +71,7 @@ namespace Bit.Core.IdentityServer
                             ClientId = $"installation.{installation.Id}",
                             RequireClientSecret = true,
                             ClientSecrets = { new Secret(installation.Key.Sha256()) },
-                            AllowedScopes = new string[] { "api.push", "api.licensing" },
+                            AllowedScopes = new string[] { "api.push", "api.licensing", "api.installation" },
                             AllowedGrantTypes = GrantTypes.ClientCredentials,
                             AccessTokenLifetime = 3600 * 24,
                             Enabled = installation.Enabled,
@@ -113,11 +117,14 @@ namespace Bit.Core.IdentityServer
                     var org = await _organizationRepository.GetByIdAsync(id);
                     if (org != null)
                     {
+                        var orgApiKey = (await _organizationApiKeyRepository
+                            .GetManyByOrganizationIdTypeAsync(org.Id, OrganizationApiKeyType.Default))
+                            .First();
                         return new Client
                         {
                             ClientId = $"organization.{org.Id}",
                             RequireClientSecret = true,
-                            ClientSecrets = { new Secret(org.ApiKey.Sha256()) },
+                            ClientSecrets = { new Secret(orgApiKey.ApiKey.Sha256()) },
                             AllowedScopes = new string[] { "api.organization" },
                             AllowedGrantTypes = GrantTypes.ClientCredentials,
                             AccessTokenLifetime = 3600 * 1,

src/Core/MailTemplates/Handlebars/FamiliesForEnterprise/FamiliesForEnterpriseOfferExistingAccount.html.hbs

@@ -2,7 +2,7 @@
 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; box-sizing: border-box; line-height: 25px; -webkit-text-size-adjust: none;">
     <tr style="margin: 0; box-sizing: border-box; line-height: 25px; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
-            A Bitwarden account, {{SponsorEmail}}, has sponsored a free Families subscription for you! To activate your complimentary subscription, click the link below.
+            A Bitwarden organization, {{SponsorOrgName}}, has sponsored a free Families subscription for you! To activate your complimentary subscription, click the link below.
         </td>
     </tr>
     <tr style="margin: 0; box-sizing: border-box; line-height: 25px; -webkit-text-size-adjust: none;">

src/Core/MailTemplates/Handlebars/FamiliesForEnterprise/FamiliesForEnterpriseOfferExistingAccount.text.hbs

@@ -1,5 +1,5 @@
 {{#>BasicTextLayout}}
-A Bitwarden account, {{SponsorEmail}}, has sponsored a free Families subscription for you! To activate your complimentary subscription, click the link below.
+A Bitwarden organization, {{SponsorOrgName}}, has sponsored a free Families subscription for you! To activate your complimentary subscription, click the link below.
 
 {{Url}}
 {{/BasicTextLayout}}

src/Core/MailTemplates/Handlebars/FamiliesForEnterprise/FamiliesForEnterpriseOfferNewAccount.html.hbs

@@ -2,7 +2,7 @@
 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-text-size-adjust: none;">
     <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
-            A Bitwarden account, {{SponsorEmail}}, has sponsored a free Families subscription for you! To accept your complimentary subscription, you will need to create an account with this email address.
+            A Bitwarden organization, {{SponsorOrgName}}, has sponsored a free Families subscription for you! To accept your complimentary subscription, you will need to create an account with this email address.
         </td>
     </tr>
     <tr style="margin: 0; box-sizing: border-box; line-height: 25px; -webkit-text-size-adjust: none;">

src/Core/MailTemplates/Handlebars/FamiliesForEnterprise/FamiliesForEnterpriseOfferNewAccount.text.hbs

@@ -1,5 +1,5 @@
 {{#>BasicTextLayout}}
-A Bitwarden account, {{SponsorEmail}}, has sponsored a free Families subscription for you! To accept your complimentary subscription, you will need to create an account with this email address. Click the link below.
+A Bitwarden organization, {{SponsorOrgName}}, has sponsored a free Families subscription for you! To accept your complimentary subscription, you will need to create an account with this email address. Click the link below.
 
 {{Url}}
 

src/Core/MailTemplates/Handlebars/FamiliesForEnterprise/FamiliesForEnterpriseSponsorshipReverting.html.hbs

@@ -2,7 +2,7 @@
 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; box-sizing: border-box; line-height: 25px; -webkit-text-size-adjust: none;">
     <tr style="margin: 0; box-sizing: border-box; line-height: 25px; -webkit-text-size-adjust: none;">
         <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
-            Your Families for Enterprise sponsorship will revert back to your existing payment method at the end of the current billing cycle.
+            Your Families subscription will remain sponsored until {{ExpirationDate}}. To continue your plan, make sure you have a current payment method for the subscription. Review or update your payment method under Settings in your Families Organization.
         </td>
     </tr>
 </table>

src/Core/MailTemplates/Handlebars/FamiliesForEnterprise/FamiliesForEnterpriseSponsorshipReverting.text.hbs

@@ -1,3 +1,3 @@
 {{#>BasicTextLayout}}
-Your Families for Enterprise sponsorship will revert back to your existing payment method at the end of the current billing cycle.
+Your Families subscription will remain sponsored until {{Date}}. To continue your plan, make sure you have a current payment method for the subscription. Review or update your payment method under Settings in your Families Organization.
 {{/BasicTextLayout}}

src/Core/MailTemplates/Handlebars/OrganizationUserInvited.html.hbs

@@ -15,16 +15,6 @@
     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
             If you do not wish to join this organization, you can safely ignore this email.
-            {{#jsonIf OrganizationCanSponsor}}
-            <p style="margin-top:10px">
-                <b
-                    style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
-                    Did you know?
-                </b>
-                Members of {{OrganizationName}} receive a complimentary Families subscription. Learn more at the
-                following link: https://bitwarden.com/help/article/families-for-enterprise/
-            </p>
-            {{/jsonIf}}
         </td>
     </tr>
 </table>

src/Core/MailTemplates/Handlebars/OrganizationUserInvited.text.hbs

@@ -6,7 +6,4 @@ You have been invited to join the {{OrganizationName}} organization. To accept t
 This link expires on {{ExpirationDate}}.
 
 If you do not wish to join this organization, you can safely ignore this email.
-{{#jsonIf OrganizationCanSponsor}}
-Did you know? Members of {{OrganizationName}} receive a complimentary Families subscription. Learn more here: https://bitwarden.com/help/article/families-for-enterprise/
-{{/jsonIf}}
 {{/BasicTextLayout}}

src/Core/Models/Api/Request/OrganizationSponsorships/OrganizationSponsorshipRequestModel.cs

@@ -0,0 +1,57 @@
+using System;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationSponsorships;
+
+namespace Bit.Core.Models.Api.Request.OrganizationSponsorships
+{
+    public class OrganizationSponsorshipRequestModel
+    {
+        public Guid SponsoringOrganizationUserId { get; set; }
+        public string FriendlyName { get; set; }
+        public string OfferedToEmail { get; set; }
+        public PlanSponsorshipType PlanSponsorshipType { get; set; }
+        public DateTime? LastSyncDate { get; set; }
+        public DateTime? ValidUntil { get; set; }
+        public bool ToDelete { get; set; }
+
+        public OrganizationSponsorshipRequestModel() { }
+
+        public OrganizationSponsorshipRequestModel(OrganizationSponsorshipData sponsorshipData)
+        {
+            SponsoringOrganizationUserId = sponsorshipData.SponsoringOrganizationUserId;
+            FriendlyName = sponsorshipData.FriendlyName;
+            OfferedToEmail = sponsorshipData.OfferedToEmail;
+            PlanSponsorshipType = sponsorshipData.PlanSponsorshipType;
+            LastSyncDate = sponsorshipData.LastSyncDate;
+            ValidUntil = sponsorshipData.ValidUntil;
+            ToDelete = sponsorshipData.ToDelete;
+        }
+
+        public OrganizationSponsorshipRequestModel(OrganizationSponsorship sponsorship)
+        {
+            SponsoringOrganizationUserId = sponsorship.SponsoringOrganizationUserId;
+            FriendlyName = sponsorship.FriendlyName;
+            OfferedToEmail = sponsorship.OfferedToEmail;
+            PlanSponsorshipType = sponsorship.PlanSponsorshipType.GetValueOrDefault();
+            LastSyncDate = sponsorship.LastSyncDate;
+            ValidUntil = sponsorship.ValidUntil;
+            ToDelete = sponsorship.ToDelete;
+        }
+
+        public OrganizationSponsorshipData ToOrganizationSponsorship()
+        {
+            return new OrganizationSponsorshipData
+            {
+                SponsoringOrganizationUserId = SponsoringOrganizationUserId,
+                FriendlyName = FriendlyName,
+                OfferedToEmail = OfferedToEmail,
+                PlanSponsorshipType = PlanSponsorshipType,
+                LastSyncDate = LastSyncDate,
+                ValidUntil = ValidUntil,
+                ToDelete = ToDelete,
+            };
+
+        }
+    }
+}

src/Core/Models/Api/Request/OrganizationSponsorships/OrganizationSponsorshipSyncRequestModel.cs

@@ -0,0 +1,43 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Bit.Core.Models.Data.Organizations.OrganizationSponsorships;
+
+namespace Bit.Core.Models.Api.Request.OrganizationSponsorships
+{
+    public class OrganizationSponsorshipSyncRequestModel
+    {
+        public string BillingSyncKey { get; set; }
+        public Guid SponsoringOrganizationCloudId { get; set; }
+        public IEnumerable<OrganizationSponsorshipRequestModel> SponsorshipsBatch { get; set; }
+
+        public OrganizationSponsorshipSyncRequestModel() { }
+
+        public OrganizationSponsorshipSyncRequestModel(IEnumerable<OrganizationSponsorshipRequestModel> sponsorshipsBatch)
+        {
+            SponsorshipsBatch = sponsorshipsBatch;
+        }
+
+        public OrganizationSponsorshipSyncRequestModel(OrganizationSponsorshipSyncData syncData)
+        {
+            if (syncData == null)
+            {
+                return;
+            }
+            BillingSyncKey = syncData.BillingSyncKey;
+            SponsoringOrganizationCloudId = syncData.SponsoringOrganizationCloudId;
+            SponsorshipsBatch = syncData.SponsorshipsBatch.Select(o => new OrganizationSponsorshipRequestModel(o));
+        }
+
+        public OrganizationSponsorshipSyncData ToOrganizationSponsorshipSync()
+        {
+            return new OrganizationSponsorshipSyncData()
+            {
+                BillingSyncKey = BillingSyncKey,
+                SponsoringOrganizationCloudId = SponsoringOrganizationCloudId,
+                SponsorshipsBatch = SponsorshipsBatch.Select(o => o.ToOrganizationSponsorship())
+            };
+        }
+
+    }
+}

src/Core/Models/Api/Response/OrganizationSponsorships/OrganizationSponsorshipResponseModel.cs

@@ -0,0 +1,50 @@
+using System;
+using System.Text.Json.Serialization;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationSponsorships;
+
+namespace Bit.Core.Models.Api.Response.OrganizationSponsorships
+{
+    public class OrganizationSponsorshipResponseModel
+    {
+        public Guid SponsoringOrganizationUserId { get; set; }
+        public string FriendlyName { get; set; }
+        public string OfferedToEmail { get; set; }
+        public PlanSponsorshipType PlanSponsorshipType { get; set; }
+        public DateTime? LastSyncDate { get; set; }
+        public DateTime? ValidUntil { get; set; }
+        public bool ToDelete { get; set; }
+
+        public bool CloudSponsorshipRemoved { get; set; }
+
+        public OrganizationSponsorshipResponseModel() { }
+
+        public OrganizationSponsorshipResponseModel(OrganizationSponsorshipData sponsorshipData)
+        {
+            SponsoringOrganizationUserId = sponsorshipData.SponsoringOrganizationUserId;
+            FriendlyName = sponsorshipData.FriendlyName;
+            OfferedToEmail = sponsorshipData.OfferedToEmail;
+            PlanSponsorshipType = sponsorshipData.PlanSponsorshipType;
+            LastSyncDate = sponsorshipData.LastSyncDate;
+            ValidUntil = sponsorshipData.ValidUntil;
+            ToDelete = sponsorshipData.ToDelete;
+            CloudSponsorshipRemoved = sponsorshipData.CloudSponsorshipRemoved;
+        }
+
+        public OrganizationSponsorshipData ToOrganizationSponsorship()
+        {
+            return new OrganizationSponsorshipData
+            {
+                SponsoringOrganizationUserId = SponsoringOrganizationUserId,
+                FriendlyName = FriendlyName,
+                OfferedToEmail = OfferedToEmail,
+                PlanSponsorshipType = PlanSponsorshipType,
+                LastSyncDate = LastSyncDate,
+                ValidUntil = ValidUntil,
+                ToDelete = ToDelete,
+                CloudSponsorshipRemoved = CloudSponsorshipRemoved
+            };
+
+        }
+    }
+}

src/Core/Models/Api/Response/OrganizationSponsorships/OrganizationSponsorshipSyncResponseModel.cs

@@ -0,0 +1,33 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Text.Json.Serialization;
+using Bit.Core.Models.Data.Organizations.OrganizationSponsorships;
+
+namespace Bit.Core.Models.Api.Response.OrganizationSponsorships
+{
+    public class OrganizationSponsorshipSyncResponseModel
+    {
+        public IEnumerable<OrganizationSponsorshipResponseModel> SponsorshipsBatch { get; set; }
+
+        public OrganizationSponsorshipSyncResponseModel() { }
+
+        public OrganizationSponsorshipSyncResponseModel(OrganizationSponsorshipSyncData syncData)
+        {
+            if (syncData == null)
+            {
+                return;
+            }
+            SponsorshipsBatch = syncData.SponsorshipsBatch.Select(o => new OrganizationSponsorshipResponseModel(o));
+
+        }
+
+        public OrganizationSponsorshipSyncData ToOrganizationSponsorshipSync()
+        {
+            return new OrganizationSponsorshipSyncData()
+            {
+                SponsorshipsBatch = SponsorshipsBatch.Select(o => o.ToOrganizationSponsorship())
+            };
+        }
+
+    }
+}

src/Core/Models/Business/OrganizationLicense.cs

@@ -210,7 +210,7 @@ namespace Bit.Core.Models.Business
             }
         }
 
-        public bool VerifyData(Organization organization, GlobalSettings globalSettings)
+        public bool VerifyData(Organization organization, IGlobalSettings globalSettings)
         {
             if (Issued > DateTime.UtcNow || Expires < DateTime.UtcNow)
             {

src/Core/Models/Business/OrganizationUserInvite.cs

@@ -1,5 +1,6 @@
 using System.Collections.Generic;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 
 namespace Bit.Core.Models.Business
 {

src/Core/Models/Business/Tokenables/OrganizationSponsorshipOfferTokenable.cs

@@ -0,0 +1,58 @@
+using System;
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.Models.Business.Tokenables
+{
+    public class OrganizationSponsorshipOfferTokenable : Tokenable
+    {
+        public const string ClearTextPrefix = "BWOrganizationSponsorship_";
+        public const string DataProtectorPurpose = "OrganizationSponsorshipDataProtector";
+        public const string TokenIdentifier = "OrganizationSponsorshipOfferToken";
+        public string Identifier { get; set; } = TokenIdentifier;
+        public Guid Id { get; set; }
+        public PlanSponsorshipType SponsorshipType { get; set; }
+        public string Email { get; set; }
+
+        public override bool Valid => !string.IsNullOrWhiteSpace(Email) &&
+            Identifier == TokenIdentifier &&
+            Id != default;
+
+
+        [JsonConstructor]
+        public OrganizationSponsorshipOfferTokenable() { }
+
+        public OrganizationSponsorshipOfferTokenable(OrganizationSponsorship sponsorship)
+        {
+            if (string.IsNullOrWhiteSpace(sponsorship.OfferedToEmail))
+            {
+                throw new ArgumentException("Invalid OrganizationSponsorship to create a token, OfferedToEmail is required", nameof(sponsorship));
+            }
+            Email = sponsorship.OfferedToEmail;
+
+            if (!sponsorship.PlanSponsorshipType.HasValue)
+            {
+                throw new ArgumentException("Invalid OrganizationSponsorship to create a token, PlanSponsorshipType is required", nameof(sponsorship));
+            }
+            SponsorshipType = sponsorship.PlanSponsorshipType.Value;
+
+            if (sponsorship.Id == default)
+            {
+                throw new ArgumentException("Invalid OrganizationSponsorship to create a token, Id is required", nameof(sponsorship));
+            }
+            Id = sponsorship.Id;
+        }
+
+        public bool IsValid(OrganizationSponsorship sponsorship, string currentUserEmail) =>
+            sponsorship != null &&
+            sponsorship.PlanSponsorshipType.HasValue &&
+            SponsorshipType == sponsorship.PlanSponsorshipType.Value &&
+            Id == sponsorship.Id &&
+            !string.IsNullOrWhiteSpace(sponsorship.OfferedToEmail) &&
+            Email.Equals(currentUserEmail, StringComparison.InvariantCultureIgnoreCase) &&
+            Email.Equals(sponsorship.OfferedToEmail, StringComparison.InvariantCultureIgnoreCase);
+
+    }
+}

src/Core/Models/Data/EventMessage.cs

@@ -1,7 +1,6 @@
 using System;
 using Bit.Core.Context;
 using Bit.Core.Enums;
-using Bit.Core.Settings;
 
 namespace Bit.Core.Models.Data
 {
@@ -20,6 +19,7 @@ namespace Bit.Core.Models.Data
         public EventType Type { get; set; }
         public Guid? UserId { get; set; }
         public Guid? OrganizationId { get; set; }
+        public Guid? InstallationId { get; set; }
         public Guid? ProviderId { get; set; }
         public Guid? CipherId { get; set; }
         public Guid? CollectionId { get; set; }

src/Core/Models/Data/EventTableEntity.cs

@@ -16,6 +16,7 @@ namespace Bit.Core.Models.Data
             Type = e.Type;
             UserId = e.UserId;
             OrganizationId = e.OrganizationId;
+            InstallationId = e.InstallationId;
             ProviderId = e.ProviderId;
             CipherId = e.CipherId;
             CollectionId = e.CollectionId;
@@ -33,6 +34,7 @@ namespace Bit.Core.Models.Data
         public EventType Type { get; set; }
         public Guid? UserId { get; set; }
         public Guid? OrganizationId { get; set; }
+        public Guid? InstallationId { get; set; }
         public Guid? ProviderId { get; set; }
         public Guid? CipherId { get; set; }
         public Guid? CollectionId { get; set; }

src/Core/Models/Data/IEvent.cs

@@ -8,6 +8,7 @@ namespace Bit.Core.Models.Data
         EventType Type { get; set; }
         Guid? UserId { get; set; }
         Guid? OrganizationId { get; set; }
+        Guid? InstallationId { get; set; }
         Guid? ProviderId { get; set; }
         Guid? CipherId { get; set; }
         Guid? CollectionId { get; set; }

src/Core/Models/Data/Organizations/OrganizationAbility.cs

@@ -1,7 +1,7 @@
 using System;
 using Bit.Core.Entities;
 
-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations
 {
     public class OrganizationAbility
     {

src/Core/Models/Data/Organizations/OrganizationConnections/OrganizationConnectionData.cs

@@ -0,0 +1,35 @@
+
+
+using System;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Models.Data.Organizations.OrganizationConnections
+{
+    public class OrganizationConnectionData<T> where T : new()
+    {
+        public Guid? Id { get; set; }
+        public OrganizationConnectionType Type { get; set; }
+        public Guid OrganizationId { get; set; }
+        public bool Enabled { get; set; }
+        public T Config { get; set; }
+
+        public OrganizationConnection ToEntity()
+        {
+            var result = new OrganizationConnection()
+            {
+                Type = Type,
+                OrganizationId = OrganizationId,
+                Enabled = Enabled,
+            };
+            result.SetConfig(Config);
+
+            if (Id.HasValue)
+            {
+                result.Id = Id.Value;
+            }
+
+            return result;
+        }
+    }
+}

src/Core/Models/Data/Organizations/OrganizationSponsorships/OrganizationSponsorshipData.cs

@@ -0,0 +1,32 @@
+using System;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Models.Data.Organizations.OrganizationSponsorships
+{
+    public class OrganizationSponsorshipData
+    {
+        public OrganizationSponsorshipData() { }
+        public OrganizationSponsorshipData(OrganizationSponsorship sponsorship)
+        {
+            SponsoringOrganizationUserId = sponsorship.SponsoringOrganizationUserId;
+            SponsoredOrganizationId = sponsorship.SponsoredOrganizationId;
+            FriendlyName = sponsorship.FriendlyName;
+            OfferedToEmail = sponsorship.OfferedToEmail;
+            PlanSponsorshipType = sponsorship.PlanSponsorshipType.GetValueOrDefault();
+            LastSyncDate = sponsorship.LastSyncDate;
+            ValidUntil = sponsorship.ValidUntil;
+            ToDelete = sponsorship.ToDelete;
+        }
+        public Guid SponsoringOrganizationUserId { get; set; }
+        public Guid? SponsoredOrganizationId { get; set; }
+        public string FriendlyName { get; set; }
+        public string OfferedToEmail { get; set; }
+        public PlanSponsorshipType PlanSponsorshipType { get; set; }
+        public DateTime? LastSyncDate { get; set; }
+        public DateTime? ValidUntil { get; set; }
+        public bool ToDelete { get; set; }
+
+        public bool CloudSponsorshipRemoved { get; set; }
+    }
+}

src/Core/Models/Data/Organizations/OrganizationSponsorships/OrganizationSponsorshipSyncData.cs

@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+
+namespace Bit.Core.Models.Data.Organizations.OrganizationSponsorships
+{
+    public class OrganizationSponsorshipSyncData
+    {
+        public string BillingSyncKey { get; set; }
+        public Guid SponsoringOrganizationCloudId { get; set; }
+        public IEnumerable<OrganizationSponsorshipData> SponsorshipsBatch { get; set; }
+    }
+}

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserInviteData.cs

@@ -1,7 +1,7 @@
 using System.Collections.Generic;
 using Bit.Core.Enums;
 
-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.OrganizationUsers
 {
     public class OrganizationUserInviteData
     {

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs

@@ -1,6 +1,6 @@
 using System;
 
-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.OrganizationUsers
 {
     public class OrganizationUserOrganizationDetails
     {
@@ -37,5 +37,8 @@ namespace Bit.Core.Models.Data
         public string ProviderName { get; set; }
         public string FamilySponsorshipFriendlyName { get; set; }
         public string SsoConfig { get; set; }
+        public DateTime? FamilySponsorshipLastSyncDate { get; set; }
+        public DateTime? FamilySponsorshipValidUntil { get; set; }
+        public bool? FamilySponsorshipToDelete { get; set; }
     }
 }

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserPublicKey.cs

@@ -1,6 +1,6 @@
 using System;
 
-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.OrganizationUsers
 {
     public class OrganizationUserPublicKey
     {

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserResetPasswordDetails.cs

@@ -2,7 +2,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 
-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.OrganizationUsers
 {
     public class OrganizationUserResetPasswordDetails
     {

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs

@@ -1,10 +1,9 @@
 using System;
 using System.Collections.Generic;
-using System.Text.Json;
 using Bit.Core.Enums;
 using Bit.Core.Utilities;
 
-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.OrganizationUsers
 {
     public class OrganizationUserUserDetails : IExternal, ITwoFactorProvidersUser
     {

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserWithCollections.cs

@@ -1,7 +1,7 @@
 using System.Data;
 using Bit.Core.Entities;
 
-namespace Bit.Core.Models.Data
+namespace Bit.Core.Models.Data.Organizations.OrganizationUsers
 {
     public class OrganizationUserWithCollections : OrganizationUser
     {

src/Core/Models/Mail/FamiliesForEnterprise/FamiliesForEnterpriseOfferViewModel.cs

@@ -2,7 +2,7 @@
 {
     public class FamiliesForEnterpriseOfferViewModel : BaseMailModel
     {
-        public string SponsorEmail { get; set; }
+        public string SponsorOrgName { get; set; }
         public string SponsoredEmail { get; set; }
         public string SponsorshipToken { get; set; }
         public bool ExistingAccount { get; set; }

src/Core/Models/Mail/FamiliesForEnterprise/FamiliesForEnterpriseSponsorshipRevertingViewModel.cs

@@ -1,7 +1,9 @@
-namespace Bit.Core.Models.Mail.FamiliesForEnterprise
+using System;
+
+namespace Bit.Core.Models.Mail.FamiliesForEnterprise
 {
     public class FamiliesForEnterpriseSponsorshipRevertingViewModel : BaseMailModel
     {
-        public string OrganizationName { get; set; }
+        public DateTime ExpirationDate { get; set; }
     }
 }

src/Core/Models/Mail/OrganizationUserInvitedViewModel.cs

@@ -11,7 +11,6 @@ namespace Bit.Core.Models.Mail
         public string OrganizationNameUrlEncoded { get; set; }
         public string Token { get; set; }
         public string ExpirationDate { get; set; }
-        public bool OrganizationCanSponsor { get; set; }
         public string Url => string.Format("{0}/accept-organization?organizationId={1}&" +
             "organizationUserId={2}&email={3}&organizationName={4}&token={5}",
             WebVaultUrl,

src/Core/Models/OrganizationConnectionConfigs/BillingSyncConfig.cs

@@ -0,0 +1,10 @@
+using System;
+
+namespace Bit.Core.Models.OrganizationConnectionConfigs
+{
+    public class BillingSyncConfig
+    {
+        public string BillingSyncKey { get; set; }
+        public Guid CloudOrganizationId { get; set; }
+    }
+}

src/Core/Models/StaticStore/SponsoredPlan.cs

@@ -1,6 +1,6 @@
 using System;
 using Bit.Core.Enums;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 
 namespace Bit.Core.Models.StaticStore
 {

src/Core/OrganizationFeatures/OrganizationApiKeys/GetOrganizationApiKeyCommand.cs

@@ -0,0 +1,49 @@
+using System;
+using System.Linq;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.OrganizationFeatures.OrganizationApiKeys.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationApiKeys
+{
+    public class GetOrganizationApiKeyCommand : IGetOrganizationApiKeyCommand
+    {
+        private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
+
+        public GetOrganizationApiKeyCommand(IOrganizationApiKeyRepository organizationApiKeyRepository)
+        {
+            _organizationApiKeyRepository = organizationApiKeyRepository;
+        }
+
+        public async Task<OrganizationApiKey> GetOrganizationApiKeyAsync(Guid organizationId, OrganizationApiKeyType organizationApiKeyType)
+        {
+            if (!Enum.IsDefined(organizationApiKeyType))
+            {
+                throw new ArgumentOutOfRangeException(nameof(organizationApiKeyType), $"Invalid value for enum {nameof(OrganizationApiKeyType)}");
+            }
+
+            var apiKeys = await _organizationApiKeyRepository
+                .GetManyByOrganizationIdTypeAsync(organizationId, organizationApiKeyType);
+
+            if (apiKeys == null || !apiKeys.Any())
+            {
+                var apiKey = new OrganizationApiKey
+                {
+                    OrganizationId = organizationId,
+                    Type = organizationApiKeyType,
+                    ApiKey = CoreHelpers.SecureRandomString(30),
+                    RevisionDate = DateTime.UtcNow,
+                };
+
+                await _organizationApiKeyRepository.CreateAsync(apiKey);
+                return apiKey;
+            }
+
+            // NOTE: Currently we only allow one type of api key per organization
+            return apiKeys.Single();
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationApiKeys/Interfaces/IGetOrganizationApiKeyCommand.cs

@@ -0,0 +1,12 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationApiKeys.Interfaces
+{
+    public interface IGetOrganizationApiKeyCommand
+    {
+        Task<OrganizationApiKey> GetOrganizationApiKeyAsync(Guid organizationId, OrganizationApiKeyType organizationApiKeyType);
+    }
+}

src/Core/OrganizationFeatures/OrganizationApiKeys/Interfaces/IRotateOrganizationApiKeyCommand.cs

@@ -0,0 +1,10 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationApiKeys.Interfaces
+{
+    public interface IRotateOrganizationApiKeyCommand
+    {
+        Task<OrganizationApiKey> RotateApiKeyAsync(OrganizationApiKey organizationApiKey);
+    }
+}

src/Core/OrganizationFeatures/OrganizationApiKeys/RotateOrganizationApiKeyCommand.cs

@@ -0,0 +1,27 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.OrganizationFeatures.OrganizationApiKeys.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationApiKeys
+{
+    public class RotateOrganizationApiKeyCommand : IRotateOrganizationApiKeyCommand
+    {
+        private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
+
+        public RotateOrganizationApiKeyCommand(IOrganizationApiKeyRepository organizationApiKeyRepository)
+        {
+            _organizationApiKeyRepository = organizationApiKeyRepository;
+        }
+
+        public async Task<OrganizationApiKey> RotateApiKeyAsync(OrganizationApiKey organizationApiKey)
+        {
+            organizationApiKey.ApiKey = CoreHelpers.SecureRandomString(30);
+            organizationApiKey.RevisionDate = DateTime.UtcNow;
+            await _organizationApiKeyRepository.UpsertAsync(organizationApiKey);
+            return organizationApiKey;
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationConnections/CreateOrganizationConnectionCommand.cs

@@ -0,0 +1,23 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations.OrganizationConnections;
+using Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationConnections
+{
+    public class CreateOrganizationConnectionCommand : ICreateOrganizationConnectionCommand
+    {
+        private readonly IOrganizationConnectionRepository _organizationConnectionRepository;
+
+        public CreateOrganizationConnectionCommand(IOrganizationConnectionRepository organizationConnectionRepository)
+        {
+            _organizationConnectionRepository = organizationConnectionRepository;
+        }
+
+        public async Task<OrganizationConnection> CreateAsync<T>(OrganizationConnectionData<T> connectionData) where T : new()
+        {
+            return await _organizationConnectionRepository.CreateAsync(connectionData.ToEntity());
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationConnections/DeleteOrganizationConnectionCommand.cs

@@ -0,0 +1,22 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationConnections
+{
+    public class DeleteOrganizationConnectionCommand : IDeleteOrganizationConnectionCommand
+    {
+        private readonly IOrganizationConnectionRepository _organizationConnectionRepository;
+
+        public DeleteOrganizationConnectionCommand(IOrganizationConnectionRepository organizationConnectionRepository)
+        {
+            _organizationConnectionRepository = organizationConnectionRepository;
+        }
+
+        public async Task DeleteAsync(OrganizationConnection connection)
+        {
+            await _organizationConnectionRepository.DeleteAsync(connection);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationConnections/Interfaces/ICreateOrganizationConnectionCommand.cs

@@ -0,0 +1,11 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations.OrganizationConnections;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces
+{
+    public interface ICreateOrganizationConnectionCommand
+    {
+        Task<OrganizationConnection> CreateAsync<T>(OrganizationConnectionData<T> connectionData) where T : new();
+    }
+}

src/Core/OrganizationFeatures/OrganizationConnections/Interfaces/IDeleteOrganizationConnectionCommand.cs

@@ -0,0 +1,10 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces
+{
+    public interface IDeleteOrganizationConnectionCommand
+    {
+        Task DeleteAsync(OrganizationConnection connection);
+    }
+}

src/Core/OrganizationFeatures/OrganizationConnections/Interfaces/IUpdateOrganizationConnectionCommand.cs

@@ -0,0 +1,11 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations.OrganizationConnections;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces
+{
+    public interface IUpdateOrganizationConnectionCommand
+    {
+        Task<OrganizationConnection> UpdateAsync<T>(OrganizationConnectionData<T> connectionData) where T : new();
+    }
+}

src/Core/OrganizationFeatures/OrganizationConnections/UpdateOrganizationConnectionCommand.cs

@@ -0,0 +1,39 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationConnections;
+using Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationConnections
+{
+    public class UpdateOrganizationConnectionCommand : IUpdateOrganizationConnectionCommand
+    {
+        private readonly IOrganizationConnectionRepository _organizationConnectionRepository;
+
+        public UpdateOrganizationConnectionCommand(IOrganizationConnectionRepository organizationConnectionRepository)
+        {
+            _organizationConnectionRepository = organizationConnectionRepository;
+        }
+
+        public async Task<OrganizationConnection> UpdateAsync<T>(OrganizationConnectionData<T> connectionData) where T : new()
+        {
+            if (!connectionData.Id.HasValue)
+            {
+                throw new Exception("Cannot update connection, Connection does not exist.");
+            }
+
+            var connection = await _organizationConnectionRepository.GetByIdAsync(connectionData.Id.Value);
+
+            if (connection == null)
+            {
+                throw new NotFoundException();
+            }
+
+            var entity = connectionData.ToEntity();
+            await _organizationConnectionRepository.UpsertAsync(entity);
+            return entity;
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs

@@ -0,0 +1,77 @@
+using Bit.Core.Models.Business.Tokenables;
+using Bit.Core.OrganizationFeatures.OrganizationApiKeys;
+using Bit.Core.OrganizationFeatures.OrganizationApiKeys.Interfaces;
+using Bit.Core.OrganizationFeatures.OrganizationConnections;
+using Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.SelfHosted;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Tokens;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.OrganizationFeatures
+{
+    public static class OrganizationServiceCollectionExtensions
+    {
+        public static void AddOrganizationServices(this IServiceCollection services, IGlobalSettings globalSettings)
+        {
+            services.AddScoped<IOrganizationService, OrganizationService>();
+            services.AddTokenizers();
+            services.AddOrganizationConnectionCommands();
+            services.AddOrganizationSponsorshipCommands(globalSettings);
+            services.AddOrganizationApiKeyCommands();
+        }
+
+        private static void AddOrganizationConnectionCommands(this IServiceCollection services)
+        {
+            services.AddScoped<ICreateOrganizationConnectionCommand, CreateOrganizationConnectionCommand>();
+            services.AddScoped<IDeleteOrganizationConnectionCommand, DeleteOrganizationConnectionCommand>();
+            services.AddScoped<IUpdateOrganizationConnectionCommand, UpdateOrganizationConnectionCommand>();
+        }
+
+        private static void AddOrganizationSponsorshipCommands(this IServiceCollection services, IGlobalSettings globalSettings)
+        {
+            services.AddScoped<ICreateSponsorshipCommand, CreateSponsorshipCommand>();
+            services.AddScoped<IRemoveSponsorshipCommand, RemoveSponsorshipCommand>();
+            services.AddScoped<ISendSponsorshipOfferCommand, SendSponsorshipOfferCommand>();
+            services.AddScoped<ISetUpSponsorshipCommand, SetUpSponsorshipCommand>();
+            services.AddScoped<IValidateRedemptionTokenCommand, ValidateRedemptionTokenCommand>();
+            services.AddScoped<IValidateSponsorshipCommand, ValidateSponsorshipCommand>();
+            services.AddScoped<IValidateBillingSyncKeyCommand, ValidateBillingSyncKeyCommand>();
+            services.AddScoped<IOrganizationSponsorshipRenewCommand, OrganizationSponsorshipRenewCommand>();
+            services.AddScoped<ICloudSyncSponsorshipsCommand, CloudSyncSponsorshipsCommand>();
+            services.AddScoped<ISelfHostedSyncSponsorshipsCommand, SelfHostedSyncSponsorshipsCommand>();
+            services.AddScoped<ISelfHostedSyncSponsorshipsCommand, SelfHostedSyncSponsorshipsCommand>();
+            services.AddScoped<ICloudSyncSponsorshipsCommand, CloudSyncSponsorshipsCommand>();
+            services.AddScoped<IValidateBillingSyncKeyCommand, ValidateBillingSyncKeyCommand>();
+            if (globalSettings.SelfHosted)
+            {
+                services.AddScoped<IRevokeSponsorshipCommand, SelfHostedRevokeSponsorshipCommand>();
+            }
+            else
+            {
+                services.AddScoped<IRevokeSponsorshipCommand, CloudRevokeSponsorshipCommand>();
+            }
+        }
+
+        private static void AddOrganizationApiKeyCommands(this IServiceCollection services)
+        {
+            services.AddScoped<IGetOrganizationApiKeyCommand, GetOrganizationApiKeyCommand>();
+            services.AddScoped<IRotateOrganizationApiKeyCommand, RotateOrganizationApiKeyCommand>();
+        }
+
+        private static void AddTokenizers(this IServiceCollection services)
+        {
+            services.AddSingleton<IDataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable>>(serviceProvider =>
+                new DataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable>(
+                    OrganizationSponsorshipOfferTokenable.ClearTextPrefix,
+                    OrganizationSponsorshipOfferTokenable.DataProtectorPurpose,
+                    serviceProvider.GetDataProtectionProvider())
+            );
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CancelSponsorshipCommand.cs

@@ -0,0 +1,42 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise
+{
+    public abstract class CancelSponsorshipCommand
+    {
+        protected readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        protected readonly IOrganizationRepository _organizationRepository;
+
+        public CancelSponsorshipCommand(IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IOrganizationRepository organizationRepository)
+        {
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _organizationRepository = organizationRepository;
+        }
+
+        protected virtual async Task DeleteSponsorshipAsync(OrganizationSponsorship sponsorship = null)
+        {
+            if (sponsorship == null)
+            {
+                return;
+            }
+
+            await _organizationSponsorshipRepository.DeleteAsync(sponsorship);
+        }
+
+        protected async Task MarkToDeleteSponsorshipAsync(OrganizationSponsorship sponsorship)
+        {
+            if (sponsorship == null)
+            {
+                throw new BadRequestException("The sponsorship you are trying to cancel does not exist");
+            }
+
+            sponsorship.ToDelete = true;
+            await _organizationSponsorshipRepository.UpsertAsync(sponsorship);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudRevokeSponsorshipCommand.cs

@@ -0,0 +1,34 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class CloudRevokeSponsorshipCommand : CancelSponsorshipCommand, IRevokeSponsorshipCommand
+    {
+        public CloudRevokeSponsorshipCommand(
+            IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IOrganizationRepository organizationRepository) : base(organizationSponsorshipRepository, organizationRepository)
+        {
+        }
+
+        public async Task RevokeSponsorshipAsync(OrganizationSponsorship sponsorship)
+        {
+            if (sponsorship == null)
+            {
+                throw new BadRequestException("You are not currently sponsoring an organization.");
+            }
+
+            if (sponsorship.SponsoredOrganizationId == null)
+            {
+                await base.DeleteSponsorshipAsync(sponsorship);
+            }
+            else
+            {
+                await MarkToDeleteSponsorshipAsync(sponsorship);
+            }
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/CloudSyncSponsorshipsCommand.cs

@@ -0,0 +1,138 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationSponsorships;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class CloudSyncSponsorshipsCommand : ICloudSyncSponsorshipsCommand
+    {
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        private readonly IEventService _eventService;
+
+        public CloudSyncSponsorshipsCommand(
+        IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+        IEventService eventService)
+        {
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _eventService = eventService;
+        }
+
+        public async Task<(OrganizationSponsorshipSyncData, IEnumerable<OrganizationSponsorship>)> SyncOrganization(Organization sponsoringOrg, IEnumerable<OrganizationSponsorshipData> sponsorshipsData)
+        {
+            if (sponsoringOrg == null)
+            {
+                throw new BadRequestException("Failed to sync sponsorship - missing organization.");
+            }
+
+            var (processedSponsorshipsData, sponsorshipsToEmailOffer) = sponsorshipsData.Any() ?
+                await DoSyncAsync(sponsoringOrg, sponsorshipsData) :
+                (sponsorshipsData, Array.Empty<OrganizationSponsorship>());
+
+            await RecordEvent(sponsoringOrg);
+
+            return (new OrganizationSponsorshipSyncData
+            {
+                SponsorshipsBatch = processedSponsorshipsData
+            }, sponsorshipsToEmailOffer);
+        }
+
+        private async Task<(IEnumerable<OrganizationSponsorshipData> data, IEnumerable<OrganizationSponsorship> toOffer)> DoSyncAsync(Organization sponsoringOrg, IEnumerable<OrganizationSponsorshipData> sponsorshipsData)
+        {
+            var existingSponsorshipsDict = (await _organizationSponsorshipRepository.GetManyBySponsoringOrganizationAsync(sponsoringOrg.Id))
+                .ToDictionary(i => i.SponsoringOrganizationUserId);
+
+            var sponsorshipsToUpsert = new List<OrganizationSponsorship>();
+            var sponsorshipIdsToDelete = new List<Guid>();
+            var sponsorshipsToReturn = new List<OrganizationSponsorshipData>();
+
+            foreach (var selfHostedSponsorship in sponsorshipsData)
+            {
+                var requiredSponsoringProductType = StaticStore.GetSponsoredPlan(selfHostedSponsorship.PlanSponsorshipType)?.SponsoringProductType;
+                if (requiredSponsoringProductType == null
+                    || StaticStore.GetPlan(sponsoringOrg.PlanType).Product != requiredSponsoringProductType.Value)
+                {
+                    continue; // prevent unsupported sponsorships
+                }
+
+                if (!existingSponsorshipsDict.TryGetValue(selfHostedSponsorship.SponsoringOrganizationUserId, out var cloudSponsorship))
+                {
+                    if (selfHostedSponsorship.ToDelete && selfHostedSponsorship.LastSyncDate == null)
+                    {
+                        continue; // prevent invalid sponsorships in cloud. These should have been deleted by self hosted
+                    }
+                    if (OrgDisabledForMoreThanGracePeriod(sponsoringOrg))
+                    {
+                        continue; // prevent new sponsorships from disabled orgs
+                    }
+                    cloudSponsorship = new OrganizationSponsorship
+                    {
+                        SponsoringOrganizationId = sponsoringOrg.Id,
+                        SponsoringOrganizationUserId = selfHostedSponsorship.SponsoringOrganizationUserId,
+                        FriendlyName = selfHostedSponsorship.FriendlyName,
+                        OfferedToEmail = selfHostedSponsorship.OfferedToEmail,
+                        PlanSponsorshipType = selfHostedSponsorship.PlanSponsorshipType,
+                        LastSyncDate = DateTime.UtcNow,
+                    };
+                }
+                else
+                {
+                    cloudSponsorship.LastSyncDate = DateTime.UtcNow;
+                }
+
+                if (selfHostedSponsorship.ToDelete)
+                {
+                    if (cloudSponsorship.SponsoredOrganizationId == null)
+                    {
+                        sponsorshipIdsToDelete.Add(cloudSponsorship.Id);
+                        selfHostedSponsorship.CloudSponsorshipRemoved = true;
+                    }
+                    else
+                    {
+                        cloudSponsorship.ToDelete = true;
+                    }
+                }
+                sponsorshipsToUpsert.Add(cloudSponsorship);
+
+                selfHostedSponsorship.ValidUntil = cloudSponsorship.ValidUntil;
+                selfHostedSponsorship.LastSyncDate = DateTime.UtcNow;
+                sponsorshipsToReturn.Add(selfHostedSponsorship);
+            }
+            var sponsorshipsToEmailOffer = sponsorshipsToUpsert.Where(s => s.Id == default).ToArray();
+            if (sponsorshipsToUpsert.Any())
+            {
+                await _organizationSponsorshipRepository.UpsertManyAsync(sponsorshipsToUpsert);
+            }
+            if (sponsorshipIdsToDelete.Any())
+            {
+                await _organizationSponsorshipRepository.DeleteManyAsync(sponsorshipIdsToDelete);
+            }
+
+            return (sponsorshipsToReturn, sponsorshipsToEmailOffer);
+        }
+
+        /// <summary>
+        /// True if Organization is disabled and the expiration date is more than three months ago
+        /// </summary>
+        /// <param name="organization"></param>
+        private bool OrgDisabledForMoreThanGracePeriod(Organization organization) =>
+            !organization.Enabled &&
+            (
+                !organization.ExpirationDate.HasValue ||
+                DateTime.UtcNow.Subtract(organization.ExpirationDate.Value).TotalDays > 93
+            );
+
+        private async Task RecordEvent(Organization organization)
+        {
+            await _eventService.LogOrganizationEventAsync(organization, EventType.Organization_SponsorshipsSynced);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/OrganizationSponsorshipRenewCommand.cs

@@ -0,0 +1,30 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class OrganizationSponsorshipRenewCommand : IOrganizationSponsorshipRenewCommand
+    {
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+
+        public OrganizationSponsorshipRenewCommand(IOrganizationSponsorshipRepository organizationSponsorshipRepository)
+        {
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+        }
+
+        public async Task UpdateExpirationDateAsync(Guid organizationId, DateTime expireDate)
+        {
+            var sponsorship = await _organizationSponsorshipRepository.GetBySponsoredOrganizationIdAsync(organizationId);
+
+            if (sponsorship == null)
+            {
+                return;
+            }
+
+            sponsorship.ValidUntil = expireDate;
+            await _organizationSponsorshipRepository.UpsertAsync(sponsorship);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/RemoveSponsorshipCommand.cs

@@ -0,0 +1,27 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class RemoveSponsorshipCommand : CancelSponsorshipCommand, IRemoveSponsorshipCommand
+    {
+        public RemoveSponsorshipCommand(
+            IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IOrganizationRepository organizationRepository) : base(organizationSponsorshipRepository, organizationRepository)
+        {
+        }
+
+        public async Task RemoveSponsorshipAsync(OrganizationSponsorship sponsorship)
+        {
+            if (sponsorship == null || sponsorship.SponsoredOrganizationId == null)
+            {
+                throw new BadRequestException("The requested organization is not currently being sponsored.");
+            }
+
+            await MarkToDeleteSponsorshipAsync(sponsorship);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/SendSponsorshipOfferCommand.cs

@@ -0,0 +1,72 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Business.Tokenables;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class SendSponsorshipOfferCommand : ISendSponsorshipOfferCommand
+    {
+        private readonly IUserRepository _userRepository;
+        private readonly IMailService _mailService;
+        private readonly IDataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable> _tokenFactory;
+
+        public SendSponsorshipOfferCommand(IUserRepository userRepository,
+            IMailService mailService,
+            IDataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable> tokenFactory)
+        {
+            _userRepository = userRepository;
+            _mailService = mailService;
+            _tokenFactory = tokenFactory;
+        }
+
+        public async Task BulkSendSponsorshipOfferAsync(string sponsoringOrgName, IEnumerable<OrganizationSponsorship> sponsorships)
+        {
+            var invites = new List<(string, bool, string)>();
+            foreach (var sponsorship in sponsorships)
+            {
+                var user = await _userRepository.GetByEmailAsync(sponsorship.OfferedToEmail);
+                var isExistingAccount = user != null;
+                invites.Add((sponsorship.OfferedToEmail, user != null, _tokenFactory.Protect(new OrganizationSponsorshipOfferTokenable(sponsorship))));
+            }
+
+            await _mailService.BulkSendFamiliesForEnterpriseOfferEmailAsync(sponsoringOrgName, invites);
+        }
+
+        public async Task SendSponsorshipOfferAsync(OrganizationSponsorship sponsorship, string sponsoringOrgName)
+        {
+            var user = await _userRepository.GetByEmailAsync(sponsorship.OfferedToEmail);
+            var isExistingAccount = user != null;
+
+            await _mailService.SendFamiliesForEnterpriseOfferEmailAsync(sponsoringOrgName, sponsorship.OfferedToEmail,
+                isExistingAccount, _tokenFactory.Protect(new OrganizationSponsorshipOfferTokenable(sponsorship)));
+        }
+
+        public async Task SendSponsorshipOfferAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
+            OrganizationSponsorship sponsorship)
+        {
+            if (sponsoringOrg == null)
+            {
+                throw new BadRequestException("Cannot find the requested sponsoring organization.");
+            }
+
+            if (sponsoringOrgUser == null || sponsoringOrgUser.Status != OrganizationUserStatusType.Confirmed)
+            {
+                throw new BadRequestException("Only confirmed users can sponsor other organizations.");
+            }
+
+            if (sponsorship == null || sponsorship.OfferedToEmail == null)
+            {
+                throw new BadRequestException("Cannot find an outstanding sponsorship offer for this organization.");
+            }
+
+            await SendSponsorshipOfferAsync(sponsorship, sponsoringOrg.Name);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/SetUpSponsorshipCommand.cs

@@ -0,0 +1,69 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class SetUpSponsorshipCommand : ISetUpSponsorshipCommand
+    {
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        private readonly IOrganizationRepository _organizationRepository;
+        private readonly IPaymentService _paymentService;
+
+        public SetUpSponsorshipCommand(IOrganizationSponsorshipRepository organizationSponsorshipRepository, IOrganizationRepository organizationRepository, IPaymentService paymentService)
+        {
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _organizationRepository = organizationRepository;
+            _paymentService = paymentService;
+        }
+
+        public async Task SetUpSponsorshipAsync(OrganizationSponsorship sponsorship,
+            Organization sponsoredOrganization)
+        {
+            if (sponsorship == null)
+            {
+                throw new BadRequestException("No unredeemed sponsorship offer exists for you.");
+            }
+
+            var existingOrgSponsorship = await _organizationSponsorshipRepository
+                .GetBySponsoredOrganizationIdAsync(sponsoredOrganization.Id);
+            if (existingOrgSponsorship != null)
+            {
+                throw new BadRequestException("Cannot redeem a sponsorship offer for an organization that is already sponsored. Revoke existing sponsorship first.");
+            }
+
+            if (sponsorship.PlanSponsorshipType == null)
+            {
+                throw new BadRequestException("Cannot set up sponsorship without a known sponsorship type.");
+            }
+
+            // Do not allow self-hosted sponsorships that haven't been synced for > 0.5 year
+            if (sponsorship.LastSyncDate != null && DateTime.UtcNow.Subtract(sponsorship.LastSyncDate.Value).TotalDays > 182.5)
+            {
+                await _organizationSponsorshipRepository.DeleteAsync(sponsorship);
+                throw new BadRequestException("This sponsorship offer is more than 6 months old and has expired.");
+            }
+
+            // Check org to sponsor's product type
+            var requiredSponsoredProductType = StaticStore.GetSponsoredPlan(sponsorship.PlanSponsorshipType.Value)?.SponsoredProductType;
+            if (requiredSponsoredProductType == null ||
+                sponsoredOrganization == null ||
+                StaticStore.GetPlan(sponsoredOrganization.PlanType).Product != requiredSponsoredProductType.Value)
+            {
+                throw new BadRequestException("Can only redeem sponsorship offer on families organizations.");
+            }
+
+            await _paymentService.SponsorOrganizationAsync(sponsoredOrganization, sponsorship);
+            await _organizationRepository.UpsertAsync(sponsoredOrganization);
+
+            sponsorship.SponsoredOrganizationId = sponsoredOrganization.Id;
+            sponsorship.OfferedToEmail = null;
+            await _organizationSponsorshipRepository.UpsertAsync(sponsorship);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/ValidateBillingSyncKeyCommand.cs

@@ -0,0 +1,43 @@
+using System;
+using System.Linq;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class ValidateBillingSyncKeyCommand : IValidateBillingSyncKeyCommand
+    {
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        private readonly IOrganizationApiKeyRepository _apiKeyRepository;
+
+        public ValidateBillingSyncKeyCommand(
+            IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IOrganizationApiKeyRepository organizationApiKeyRepository)
+        {
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _apiKeyRepository = organizationApiKeyRepository;
+        }
+
+        public async Task<bool> ValidateBillingSyncKeyAsync(Organization organization, string billingSyncKey)
+        {
+            if (organization == null)
+            {
+                throw new BadRequestException("Invalid organization");
+            }
+            if (string.IsNullOrWhiteSpace(billingSyncKey))
+            {
+                return false;
+            }
+
+            var orgApiKey = (await _apiKeyRepository.GetManyByOrganizationIdTypeAsync(organization.Id, Enums.OrganizationApiKeyType.BillingSync)).FirstOrDefault();
+            if (string.Equals(orgApiKey.ApiKey, billingSyncKey))
+            {
+                return true;
+            }
+            return false;
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/ValidateRedemptionTokenCommand.cs

@@ -0,0 +1,38 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Models.Business.Tokenables;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class ValidateRedemptionTokenCommand : IValidateRedemptionTokenCommand
+    {
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        private readonly IDataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable> _dataProtectorTokenFactory;
+
+        public ValidateRedemptionTokenCommand(IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IDataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable> dataProtectorTokenFactory)
+        {
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _dataProtectorTokenFactory = dataProtectorTokenFactory;
+        }
+
+        public async Task<(bool valid, OrganizationSponsorship sponsorship)> ValidateRedemptionTokenAsync(string encryptedToken, string sponsoredUserEmail)
+        {
+
+            if (!_dataProtectorTokenFactory.TryUnprotect(encryptedToken, out var tokenable))
+            {
+                return (false, null);
+            }
+
+            var sponsorship = await _organizationSponsorshipRepository.GetByIdAsync(tokenable.Id);
+            if (!tokenable.IsValid(sponsorship, sponsoredUserEmail))
+            {
+                return (false, sponsorship);
+            }
+            return (true, sponsorship);
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Cloud/ValidateSponsorshipCommand.cs

@@ -0,0 +1,117 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Cloud
+{
+    public class ValidateSponsorshipCommand : CancelSponsorshipCommand, IValidateSponsorshipCommand
+    {
+        private readonly IPaymentService _paymentService;
+        private readonly IMailService _mailService;
+        private readonly ILogger<ValidateSponsorshipCommand> _logger;
+
+        public ValidateSponsorshipCommand(
+            IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IOrganizationRepository organizationRepository,
+            IPaymentService paymentService,
+            IMailService mailService,
+            ILogger<ValidateSponsorshipCommand> logger) : base(organizationSponsorshipRepository, organizationRepository)
+        {
+            _paymentService = paymentService;
+            _mailService = mailService;
+            _logger = logger;
+        }
+
+        public async Task<bool> ValidateSponsorshipAsync(Guid sponsoredOrganizationId)
+        {
+            var sponsoredOrganization = await _organizationRepository.GetByIdAsync(sponsoredOrganizationId);
+            if (sponsoredOrganization == null)
+            {
+                return false;
+            }
+
+            var existingSponsorship = await _organizationSponsorshipRepository
+                .GetBySponsoredOrganizationIdAsync(sponsoredOrganizationId);
+
+            if (existingSponsorship == null)
+            {
+                await CancelSponsorshipAsync(sponsoredOrganization, null);
+                return false;
+            }
+
+            if (existingSponsorship.SponsoringOrganizationId == null || existingSponsorship.SponsoringOrganizationUserId == default || existingSponsorship.PlanSponsorshipType == null)
+            {
+                await CancelSponsorshipAsync(sponsoredOrganization, existingSponsorship);
+                return false;
+            }
+            var sponsoredPlan = Utilities.StaticStore.GetSponsoredPlan(existingSponsorship.PlanSponsorshipType.Value);
+
+            var sponsoringOrganization = await _organizationRepository
+                .GetByIdAsync(existingSponsorship.SponsoringOrganizationId.Value);
+            if (sponsoringOrganization == null)
+            {
+                await CancelSponsorshipAsync(sponsoredOrganization, existingSponsorship);
+                return false;
+            }
+
+            var sponsoringOrgPlan = Utilities.StaticStore.GetPlan(sponsoringOrganization.PlanType);
+            if (OrgDisabledForMoreThanGracePeriod(sponsoringOrganization) ||
+                sponsoredPlan.SponsoringProductType != sponsoringOrgPlan.Product ||
+                existingSponsorship.ToDelete ||
+                SponsorshipIsSelfHostedOutOfSync(existingSponsorship))
+            {
+                await CancelSponsorshipAsync(sponsoredOrganization, existingSponsorship);
+                return false;
+            }
+
+            return true;
+        }
+
+        protected async Task CancelSponsorshipAsync(Organization sponsoredOrganization, OrganizationSponsorship sponsorship = null)
+        {
+            if (sponsoredOrganization != null)
+            {
+                await _paymentService.RemoveOrganizationSponsorshipAsync(sponsoredOrganization, sponsorship);
+                await _organizationRepository.UpsertAsync(sponsoredOrganization);
+
+                try
+                {
+                    if (sponsorship != null)
+                    {
+                        await _mailService.SendFamiliesForEnterpriseSponsorshipRevertingEmailAsync(
+                            sponsoredOrganization.BillingEmailAddress(),
+                            sponsorship.ValidUntil ?? DateTime.UtcNow.AddDays(15));
+                    }
+                }
+                catch (Exception e)
+                {
+                    _logger.LogError("Error sending Family sponsorship removed email.", e);
+                }
+            }
+            await base.DeleteSponsorshipAsync(sponsorship);
+        }
+
+        /// <summary>
+        /// True if Sponsorship is from a self-hosted instance that has failed to sync for more than 6 months
+        /// </summary>
+        /// <param name="sponsorship"></param>
+        private bool SponsorshipIsSelfHostedOutOfSync(OrganizationSponsorship sponsorship) =>
+            sponsorship.LastSyncDate.HasValue &&
+            DateTime.UtcNow.Subtract(sponsorship.LastSyncDate.Value).TotalDays > 182.5;
+
+        /// <summary>
+        /// True if Organization is disabled and the expiration date is more than three months ago
+        /// </summary>
+        /// <param name="organization"></param>
+        private bool OrgDisabledForMoreThanGracePeriod(Organization organization) =>
+            !organization.Enabled &&
+            (
+                !organization.ExpirationDate.HasValue ||
+                DateTime.UtcNow.Subtract(organization.ExpirationDate.Value).TotalDays > 93
+            );
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/CreateSponsorshipCommand.cs

@@ -0,0 +1,84 @@
+using System.Threading.Tasks;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise
+{
+    public class CreateSponsorshipCommand : ICreateSponsorshipCommand
+    {
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        private readonly IUserService _userService;
+
+        public CreateSponsorshipCommand(IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+        IUserService userService)
+        {
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _userService = userService;
+        }
+
+        public async Task<OrganizationSponsorship> CreateSponsorshipAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
+            PlanSponsorshipType sponsorshipType, string sponsoredEmail, string friendlyName)
+        {
+            var sponsoringUser = await _userService.GetUserByIdAsync(sponsoringOrgUser.UserId.Value);
+            if (sponsoringUser == null || string.Equals(sponsoringUser.Email, sponsoredEmail, System.StringComparison.InvariantCultureIgnoreCase))
+            {
+                throw new BadRequestException("Cannot offer a Families Organization Sponsorship to yourself. Choose a different email.");
+            }
+
+            var requiredSponsoringProductType = StaticStore.GetSponsoredPlan(sponsorshipType)?.SponsoringProductType;
+            if (requiredSponsoringProductType == null ||
+                sponsoringOrg == null ||
+                StaticStore.GetPlan(sponsoringOrg.PlanType).Product != requiredSponsoringProductType.Value)
+            {
+                throw new BadRequestException("Specified Organization cannot sponsor other organizations.");
+            }
+
+            if (sponsoringOrgUser == null || sponsoringOrgUser.Status != OrganizationUserStatusType.Confirmed)
+            {
+                throw new BadRequestException("Only confirmed users can sponsor other organizations.");
+            }
+
+            var existingOrgSponsorship = await _organizationSponsorshipRepository
+                .GetBySponsoringOrganizationUserIdAsync(sponsoringOrgUser.Id);
+            if (existingOrgSponsorship?.SponsoredOrganizationId != null)
+            {
+                throw new BadRequestException("Can only sponsor one organization per Organization User.");
+            }
+
+            var sponsorship = new OrganizationSponsorship
+            {
+                SponsoringOrganizationId = sponsoringOrg.Id,
+                SponsoringOrganizationUserId = sponsoringOrgUser.Id,
+                FriendlyName = friendlyName,
+                OfferedToEmail = sponsoredEmail,
+                PlanSponsorshipType = sponsorshipType,
+            };
+
+            if (existingOrgSponsorship != null)
+            {
+                // Replace existing invalid offer with our new sponsorship offer
+                sponsorship.Id = existingOrgSponsorship.Id;
+            }
+
+            try
+            {
+                await _organizationSponsorshipRepository.UpsertAsync(sponsorship);
+                return sponsorship;
+            }
+            catch
+            {
+                if (sponsorship.Id != default)
+                {
+                    await _organizationSponsorshipRepository.DeleteAsync(sponsorship);
+                }
+                throw;
+            }
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/ICreateSponsorshipCommand.cs

@@ -0,0 +1,12 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface ICreateSponsorshipCommand
+    {
+        Task<OrganizationSponsorship> CreateSponsorshipAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
+            PlanSponsorshipType sponsorshipType, string sponsoredEmail, string friendlyName);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/IOrganizationSponsorshipRenewCommand.cs

@@ -0,0 +1,10 @@
+using System;
+using System.Threading.Tasks;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface IOrganizationSponsorshipRenewCommand
+    {
+        Task UpdateExpirationDateAsync(Guid organizationId, DateTime expireDate);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/IRemoveSponsorshipCommand.cs

@@ -0,0 +1,10 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface IRemoveSponsorshipCommand
+    {
+        Task RemoveSponsorshipAsync(OrganizationSponsorship sponsorship);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/IRevokeSponsorshipCommand.cs

@@ -0,0 +1,10 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface IRevokeSponsorshipCommand
+    {
+        Task RevokeSponsorshipAsync(OrganizationSponsorship sponsorship);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/ISendSponsorshipOfferCommand.cs

@@ -0,0 +1,14 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface ISendSponsorshipOfferCommand
+    {
+        Task BulkSendSponsorshipOfferAsync(string sponsoringOrgName, IEnumerable<OrganizationSponsorship> invites);
+        Task SendSponsorshipOfferAsync(OrganizationSponsorship sponsorship, string sponsoringOrgName);
+        Task SendSponsorshipOfferAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
+            OrganizationSponsorship sponsorship);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/ISetUpSponsorshipCommand.cs

@@ -0,0 +1,11 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface ISetUpSponsorshipCommand
+    {
+        Task SetUpSponsorshipAsync(OrganizationSponsorship sponsorship,
+            Organization sponsoredOrganization);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/ISyncOrganizationSponsorshipsCommand.cs

@@ -0,0 +1,18 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations.OrganizationSponsorships;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface ISelfHostedSyncSponsorshipsCommand
+    {
+        Task SyncOrganization(Guid organizationId, Guid cloudOrganizationId, OrganizationConnection billingSyncConnection);
+    }
+
+    public interface ICloudSyncSponsorshipsCommand
+    {
+        Task<(OrganizationSponsorshipSyncData, IEnumerable<OrganizationSponsorship>)> SyncOrganization(Organization sponsoringOrg, IEnumerable<OrganizationSponsorshipData> sponsorshipsData);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/IValidateBillingSyncKeyCommand.cs

@@ -0,0 +1,11 @@
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface IValidateBillingSyncKeyCommand
+    {
+        Task<bool> ValidateBillingSyncKeyAsync(Organization organization, string billingSyncKey);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/IValidateRedemptionTokenCommand.cs

@@ -0,0 +1,10 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface IValidateRedemptionTokenCommand
+    {
+        Task<(bool valid, OrganizationSponsorship sponsorship)> ValidateRedemptionTokenAsync(string encryptedToken, string sponsoredUserEmail);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/Interfaces/IValidateSponsorshipCommand.cs

@@ -0,0 +1,10 @@
+using System;
+using System.Threading.Tasks;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces
+{
+    public interface IValidateSponsorshipCommand
+    {
+        Task<bool> ValidateSponsorshipAsync(Guid sponsoredOrganizationId);
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/SelfHosted/SelfHostedRevokeSponsorshipCommand.cs

@@ -0,0 +1,34 @@
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.SelfHosted
+{
+    public class SelfHostedRevokeSponsorshipCommand : CancelSponsorshipCommand, IRevokeSponsorshipCommand
+    {
+        public SelfHostedRevokeSponsorshipCommand(
+            IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+            IOrganizationRepository organizationRepository) : base(organizationSponsorshipRepository, organizationRepository)
+        {
+        }
+
+        public async Task RevokeSponsorshipAsync(OrganizationSponsorship sponsorship)
+        {
+            if (sponsorship == null)
+            {
+                throw new BadRequestException("You are not currently sponsoring an organization.");
+            }
+
+            if (sponsorship.LastSyncDate == null)
+            {
+                await base.DeleteSponsorshipAsync(sponsorship);
+            }
+            else
+            {
+                await MarkToDeleteSponsorshipAsync(sponsorship);
+            }
+        }
+    }
+}

src/Core/OrganizationFeatures/OrganizationSponsorships/FamiliesForEnterprise/SelfHosted/SelfHostedSyncSponsorshipsCommand.cs

@@ -0,0 +1,135 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Api.Request.OrganizationSponsorships;
+using Bit.Core.Models.Api.Response.OrganizationSponsorships;
+using Bit.Core.Models.Data.Organizations.OrganizationSponsorships;
+using Bit.Core.Models.OrganizationConnectionConfigs;
+using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.SelfHosted
+{
+    public class SelfHostedSyncSponsorshipsCommand : BaseIdentityClientService, ISelfHostedSyncSponsorshipsCommand
+    {
+        private readonly IGlobalSettings _globalSettings;
+        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
+        private readonly IOrganizationUserRepository _organizationUserRepository;
+        private readonly IOrganizationConnectionRepository _organizationConnectionRepository;
+
+        public SelfHostedSyncSponsorshipsCommand(
+        IHttpClientFactory httpFactory,
+        IOrganizationSponsorshipRepository organizationSponsorshipRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationConnectionRepository organizationConnectionRepository,
+        IGlobalSettings globalSettings,
+        ILogger<SelfHostedSyncSponsorshipsCommand> logger)
+        : base(
+            httpFactory,
+            globalSettings.Installation.ApiUri,
+            globalSettings.Installation.IdentityUri,
+            "api.installation",
+            $"installation.{globalSettings.Installation.Id}",
+            globalSettings.Installation.Key,
+            logger)
+        {
+            _globalSettings = globalSettings;
+            _organizationUserRepository = organizationUserRepository;
+            _organizationSponsorshipRepository = organizationSponsorshipRepository;
+            _organizationConnectionRepository = organizationConnectionRepository;
+        }
+
+        public async Task SyncOrganization(Guid organizationId, Guid cloudOrganizationId, OrganizationConnection billingSyncConnection)
+        {
+            if (!_globalSettings.EnableCloudCommunication)
+            {
+                throw new BadRequestException("Failed to sync instance with cloud - Cloud communication is disabled in global settings");
+            }
+            if (!billingSyncConnection.Enabled)
+            {
+                throw new BadRequestException($"Billing Sync Key disabled for organization {organizationId}");
+            }
+            if (string.IsNullOrWhiteSpace(billingSyncConnection.Config))
+            {
+                throw new BadRequestException($"No Billing Sync Key known for organization {organizationId}");
+            }
+            var billingSyncConfig = billingSyncConnection.GetConfig<BillingSyncConfig>();
+            if (billingSyncConfig == null || string.IsNullOrWhiteSpace(billingSyncConfig.BillingSyncKey))
+            {
+                throw new BadRequestException($"Failed to get Billing Sync Key for organization {organizationId}");
+            }
+
+            var organizationSponsorshipsDict = (await _organizationSponsorshipRepository.GetManyBySponsoringOrganizationAsync(organizationId))
+                .ToDictionary(i => i.SponsoringOrganizationUserId);
+            if (!organizationSponsorshipsDict.Any())
+            {
+                _logger.LogInformation($"No existing sponsorships to sync for organization {organizationId}");
+                return;
+            }
+            var syncedSponsorships = new List<OrganizationSponsorshipData>();
+
+            foreach (var orgSponsorshipsBatch in CoreHelpers.Batch(organizationSponsorshipsDict.Values, 1000))
+            {
+                var response = await SendAsync<OrganizationSponsorshipSyncRequestModel, OrganizationSponsorshipSyncResponseModel>(HttpMethod.Post, "organization/sponsorship/sync", new OrganizationSponsorshipSyncRequestModel
+                {
+                    BillingSyncKey = billingSyncConfig.BillingSyncKey,
+                    SponsoringOrganizationCloudId = cloudOrganizationId,
+                    SponsorshipsBatch = orgSponsorshipsBatch.Select(s => new OrganizationSponsorshipRequestModel(s))
+                });
+
+                if (response == null)
+                {
+                    throw new BadRequestException("Organization sync failed");
+                }
+
+                syncedSponsorships.AddRange(response.ToOrganizationSponsorshipSync().SponsorshipsBatch);
+            }
+
+            var sponsorshipsToDelete = syncedSponsorships.Where(s => s.CloudSponsorshipRemoved).Select(i => organizationSponsorshipsDict[i.SponsoringOrganizationUserId].Id);
+            var sponsorshipsToUpsert = syncedSponsorships.Where(s => !s.CloudSponsorshipRemoved).Select(i =>
+            {
+                var existingSponsorship = organizationSponsorshipsDict[i.SponsoringOrganizationUserId];
+                if (existingSponsorship != null)
+                {
+                    existingSponsorship.LastSyncDate = i.LastSyncDate;
+                    existingSponsorship.ValidUntil = i.ValidUntil;
+                    existingSponsorship.ToDelete = i.ToDelete;
+                }
+                else
+                {
+                    // shouldn't occur, added in case self hosted loses a sponsorship
+                    existingSponsorship = new OrganizationSponsorship
+                    {
+                        SponsoringOrganizationId = organizationId,
+                        SponsoringOrganizationUserId = i.SponsoringOrganizationUserId,
+                        FriendlyName = i.FriendlyName,
+                        OfferedToEmail = i.OfferedToEmail,
+                        PlanSponsorshipType = i.PlanSponsorshipType,
+                        LastSyncDate = i.LastSyncDate,
+                        ValidUntil = i.ValidUntil,
+                        ToDelete = i.ToDelete
+                    };
+                }
+                return existingSponsorship;
+            });
+
+            if (sponsorshipsToDelete.Any())
+            {
+                await _organizationSponsorshipRepository.DeleteManyAsync(sponsorshipsToDelete);
+            }
+            if (sponsorshipsToUpsert.Any())
+            {
+                await _organizationSponsorshipRepository.UpsertManyAsync(sponsorshipsToUpsert);
+            }
+        }
+
+    }
+}

src/Core/Repositories/IMaintenanceRepository.cs

@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+using System;
+using System.Threading.Tasks;
 
 namespace Bit.Core.Repositories
 {
@@ -8,5 +9,6 @@ namespace Bit.Core.Repositories
         Task DisableCipherAutoStatsAsync();
         Task RebuildIndexesAsync();
         Task DeleteExpiredGrantsAsync();
+        Task DeleteExpiredSponsorshipsAsync(DateTime validUntilBeforeDate);
     }
 }

src/Core/Repositories/IOrganizationApiKeyRepository.cs

@@ -0,0 +1,13 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Repositories
+{
+    public interface IOrganizationApiKeyRepository : IRepository<OrganizationApiKey, Guid>
+    {
+        Task<IEnumerable<OrganizationApiKey>> GetManyByOrganizationIdTypeAsync(Guid organizationId, OrganizationApiKeyType? type = null);
+    }
+}

src/Core/Repositories/IOrganizationConnectionRepository.cs

@@ -0,0 +1,14 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Repositories
+{
+    public interface IOrganizationConnectionRepository : IRepository<OrganizationConnection, Guid>
+    {
+        Task<ICollection<OrganizationConnection>> GetByOrganizationIdTypeAsync(Guid organizationId, OrganizationConnectionType type);
+        Task<ICollection<OrganizationConnection>> GetEnabledByOrganizationIdTypeAsync(Guid organizationId, OrganizationConnectionType type);
+    }
+}

src/Core/Repositories/IOrganizationRepository.cs

@@ -2,7 +2,7 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
 using Bit.Core.Entities;
-using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 
 namespace Bit.Core.Repositories
 {

src/Core/Repositories/IOrganizationSponsorshipRepository.cs

@@ -1,5 +1,4 @@
 using System;
-using System.Collections;
 using System.Collections.Generic;
 using System.Threading.Tasks;
 using Bit.Core.Entities;
@@ -8,7 +7,13 @@ namespace Bit.Core.Repositories
 {
     public interface IOrganizationSponsorshipRepository : IRepository<OrganizationSponsorship, Guid>
     {
+        Task<ICollection<Guid>> CreateManyAsync(IEnumerable<OrganizationSponsorship> organizationSponsorships);
+        Task ReplaceManyAsync(IEnumerable<OrganizationSponsorship> organizationSponsorships);
+        Task UpsertManyAsync(IEnumerable<OrganizationSponsorship> organizationSponsorships);
+        Task DeleteManyAsync(IEnumerable<Guid> organizationSponsorshipIds);
+        Task<ICollection<OrganizationSponsorship>> GetManyBySponsoringOrganizationAsync(Guid sponsoringOrganizationId);
         Task<OrganizationSponsorship> GetBySponsoringOrganizationUserIdAsync(Guid sponsoringOrganizationUserId);
         Task<OrganizationSponsorship> GetBySponsoredOrganizationIdAsync(Guid sponsoredOrganizationId);
+        Task<DateTime?> GetLatestSyncDateBySponsoringOrganizationIdAsync(Guid sponsoringOrganizationId);
     }
 }

src/Core/Repositories/IOrganizationUserRepository.cs

@@ -4,6 +4,7 @@ using System.Threading.Tasks;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 
 namespace Bit.Core.Repositories
 {

src/Core/Services/IApplicationCacheService.cs

@@ -4,6 +4,7 @@ using System.Threading.Tasks;
 using Bit.Core.Entities;
 using Bit.Core.Entities.Provider;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 
 namespace Bit.Core.Services
 {

src/Core/Services/ILicensingService.cs

@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+using System;
+using System.Threading.Tasks;
 using Bit.Core.Entities;
 using Bit.Core.Models.Business;
 
@@ -11,5 +12,8 @@ namespace Bit.Core.Services
         Task<bool> ValidateUserPremiumAsync(User user);
         bool VerifyLicense(ILicense license);
         byte[] SignLicense(ILicense license);
+        Task<OrganizationLicense> ReadOrganizationLicenseAsync(Organization organization);
+        Task<OrganizationLicense> ReadOrganizationLicenseAsync(Guid organizationId);
+
     }
 }

src/Core/Services/IMailService.cs

@@ -19,8 +19,8 @@ namespace Bit.Core.Services
         Task SendNewDeviceLoginTwoFactorEmailAsync(string email, string token);
         Task SendNoMasterPasswordHintEmailAsync(string email);
         Task SendMasterPasswordHintEmailAsync(string email, string hint);
-        Task SendOrganizationInviteEmailAsync(string organizationName, bool orgCanSponsor, OrganizationUser orgUser, ExpiringToken token);
-        Task BulkSendOrganizationInviteEmailAsync(string organizationName, bool orgCanSponsor, IEnumerable<(OrganizationUser orgUser, ExpiringToken token)> invites);
+        Task SendOrganizationInviteEmailAsync(string organizationName, OrganizationUser orgUser, ExpiringToken token);
+        Task BulkSendOrganizationInviteEmailAsync(string organizationName, IEnumerable<(OrganizationUser orgUser, ExpiringToken token)> invites);
         Task SendOrganizationMaxSeatLimitReachedEmailAsync(Organization organization, int maxSeatCount, IEnumerable<string> ownerEmails);
         Task SendOrganizationAutoscaledEmailAsync(Organization organization, int initialSeatCount, IEnumerable<string> ownerEmails);
         Task SendOrganizationAcceptedEmailAsync(Organization organization, string userIdentifier, IEnumerable<string> adminEmails);
@@ -50,9 +50,10 @@ namespace Bit.Core.Services
         Task SendProviderConfirmedEmailAsync(string providerName, string email);
         Task SendProviderUserRemoved(string providerName, string email);
         Task SendUpdatedTempPasswordEmailAsync(string email, string userName);
-        Task SendFamiliesForEnterpriseOfferEmailAsync(string email, string sponsorEmail, bool existingAccount, string token);
+        Task SendFamiliesForEnterpriseOfferEmailAsync(string sponsorOrgName, string email, bool existingAccount, string token);
+        Task BulkSendFamiliesForEnterpriseOfferEmailAsync(string SponsorOrgName, IEnumerable<(string Email, bool ExistingAccount, string Token)> invites);
         Task SendFamiliesForEnterpriseRedeemedEmailsAsync(string familyUserEmail, string sponsorEmail);
-        Task SendFamiliesForEnterpriseSponsorshipRevertingEmailAsync(string email, string familyOrgName);
+        Task SendFamiliesForEnterpriseSponsorshipRevertingEmailAsync(string email, DateTime expirationDate);
         Task SendOTPEmailAsync(string email, string token);
         Task SendFailedLoginAttemptsEmailAsync(string email, DateTime utcNow, string ip);
         Task SendFailedTwoFactorAttemptsEmailAsync(string email, DateTime utcNow, string ip);

src/Core/Services/IOrganizationService.cs

@@ -58,7 +58,6 @@ namespace Bit.Core.Services
         Task ImportAsync(Guid organizationId, Guid? importingUserId, IEnumerable<ImportedGroup> groups,
             IEnumerable<ImportedOrganizationUser> newUsers, IEnumerable<string> removeUserExternalIds,
             bool overwriteExisting);
-        Task RotateApiKeyAsync(Organization organization);
         Task DeleteSsoUserAsync(Guid userId, Guid? organizationId);
         Task<Organization> UpdateOrganizationKeysAsync(Guid orgId, string publicKey, string privateKey);
         Task<bool> HasConfirmedOwnersExceptAsync(Guid organizationId, IEnumerable<Guid> organizationUsersId, bool includeProvider = true);

src/Core/Services/IOrganizationSponsorshipService.cs

@@ -1,22 +0,0 @@
-using System;
-using System.Threading.Tasks;
-using Bit.Core.Entities;
-using Bit.Core.Enums;
-
-namespace Bit.Core.Services
-{
-    public interface IOrganizationSponsorshipService
-    {
-        Task<(bool valid, OrganizationSponsorship sponsorship)> ValidateRedemptionTokenAsync(string encryptedToken, string currentUserEmail);
-        Task OfferSponsorshipAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
-            PlanSponsorshipType sponsorshipType, string sponsoredEmail, string friendlyName, string sponsoringUserEmail);
-        Task ResendSponsorshipOfferAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
-            OrganizationSponsorship sponsorship, string sponsoringUserEmail);
-        Task SendSponsorshipOfferAsync(OrganizationSponsorship sponsorship, string sponsoringOrgUserEmail);
-        Task SetUpSponsorshipAsync(OrganizationSponsorship sponsorship,
-            Organization sponsoredOrganization);
-        Task<bool> ValidateSponsorshipAsync(Guid sponsoredOrganizationId);
-        Task RevokeSponsorshipAsync(Organization sponsoredOrganization, OrganizationSponsorship sponsorship);
-        Task RemoveSponsorshipAsync(Organization sponsoredOrganization, OrganizationSponsorship sponsorship);
-    }
-}

src/Core/Services/Implementations/BaseIdentityClientService.cs

@@ -4,7 +4,6 @@ using System.Net;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Net.Http.Json;
-using System.Text;
 using System.Text.Json;
 using System.Threading.Tasks;
 using Bit.Core.Utilities;
@@ -14,15 +13,17 @@ namespace Bit.Core.Services
 {
     public abstract class BaseIdentityClientService : IDisposable
     {
+        private readonly IHttpClientFactory _httpFactory;
         private readonly string _identityScope;
         private readonly string _identityClientId;
         private readonly string _identityClientSecret;
-        private readonly ILogger<BaseIdentityClientService> _logger;
+        protected readonly ILogger<BaseIdentityClientService> _logger;
 
         private JsonDocument _decodedToken;
         private DateTime? _nextAuthAttempt = null;
 
         public BaseIdentityClientService(
+            IHttpClientFactory httpFactory,
             string baseClientServerUri,
             string baseIdentityServerUri,
             string identityScope,
@@ -30,21 +31,18 @@ namespace Bit.Core.Services
             string identityClientSecret,
             ILogger<BaseIdentityClientService> logger)
         {
+            _httpFactory = httpFactory;
             _identityScope = identityScope;
             _identityClientId = identityClientId;
             _identityClientSecret = identityClientSecret;
             _logger = logger;
 
-            Client = new HttpClient
-            {
-                BaseAddress = new Uri(baseClientServerUri)
-            };
+            Client = _httpFactory.CreateClient("client");
+            Client.BaseAddress = new Uri(baseClientServerUri);
             Client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
 
-            IdentityClient = new HttpClient
-            {
-                BaseAddress = new Uri(baseIdentityServerUri)
-            };
+            IdentityClient = _httpFactory.CreateClient("identity");
+            IdentityClient.BaseAddress = new Uri(baseIdentityServerUri);
             IdentityClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
         }
 
@@ -52,12 +50,18 @@ namespace Bit.Core.Services
         protected HttpClient IdentityClient { get; private set; }
         protected string AccessToken { get; private set; }
 
-        protected async Task SendAsync(HttpMethod method, string path, object requestModel = null)
+        protected Task SendAsync(HttpMethod method, string path) =>
+            SendAsync<object, object>(method, path, null);
+
+        protected Task SendAsync<TRequest>(HttpMethod method, string path, TRequest body) =>
+            SendAsync<TRequest, object>(method, path, body);
+
+        protected async Task<TResult> SendAsync<TRequest, TResult>(HttpMethod method, string path, TRequest requestModel)
         {
             var tokenStateResponse = await HandleTokenStateAsync();
             if (!tokenStateResponse)
             {
-                return;
+                return default;
             }
 
             var message = new TokenHttpRequestMessage(requestModel, AccessToken)
@@ -65,14 +69,15 @@ namespace Bit.Core.Services
                 Method = method,
                 RequestUri = new Uri(string.Concat(Client.BaseAddress, path))
             };
-
             try
             {
                 var response = await Client.SendAsync(message);
+                return await response.Content.ReadFromJsonAsync<TResult>();
             }
             catch (Exception e)
             {
                 _logger.LogError(12334, e, "Failed to send to {0}.", message.RequestUri.ToString());
+                return default;
             }
         }
 
@@ -192,7 +197,7 @@ namespace Bit.Core.Services
 
         public void Dispose()
         {
-            _decodedToken.Dispose();
+            _decodedToken?.Dispose();
         }
     }
 }

src/Core/Services/Implementations/EventService.cs

@@ -7,6 +7,7 @@ using Bit.Core.Entities;
 using Bit.Core.Entities.Provider;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 
@@ -241,7 +242,8 @@ namespace Bit.Core.Services
                 ProviderId = await GetProviderIdAsync(organization.Id),
                 Type = type,
                 ActingUserId = _currentContext?.UserId,
-                Date = date.GetValueOrDefault(DateTime.UtcNow)
+                Date = date.GetValueOrDefault(DateTime.UtcNow),
+                InstallationId = GetInstallationId(),
             };
             await _eventWriteService.CreateAsync(e);
         }
@@ -305,6 +307,16 @@ namespace Bit.Core.Services
             return await _currentContext.ProviderIdForOrg(orgId.Value);
         }
 
+        private Guid? GetInstallationId()
+        {
+            if (_currentContext == null)
+            {
+                return null;
+            }
+
+            return _currentContext.InstallationId;
+        }
+
         private bool CanUseEvents(IDictionary<Guid, OrganizationAbility> orgAbilities, Guid orgId)
         {
             return orgAbilities != null && orgAbilities.ContainsKey(orgId) &&

src/Core/Services/Implementations/HandlebarsMailService.cs

@@ -221,10 +221,10 @@ namespace Bit.Core.Services
             await _mailDeliveryService.SendEmailAsync(message);
         }
 
-        public Task SendOrganizationInviteEmailAsync(string organizationName, bool orgCanSponsor, OrganizationUser orgUser, ExpiringToken token) =>
-            BulkSendOrganizationInviteEmailAsync(organizationName, orgCanSponsor, new[] { (orgUser, token) });
+        public Task SendOrganizationInviteEmailAsync(string organizationName, OrganizationUser orgUser, ExpiringToken token) =>
+            BulkSendOrganizationInviteEmailAsync(organizationName, new[] { (orgUser, token) });
 
-        public async Task BulkSendOrganizationInviteEmailAsync(string organizationName, bool organizationCanSponsor, IEnumerable<(OrganizationUser orgUser, ExpiringToken token)> invites)
+        public async Task BulkSendOrganizationInviteEmailAsync(string organizationName, IEnumerable<(OrganizationUser orgUser, ExpiringToken token)> invites)
         {
             MailQueueMessage CreateMessage(string email, object model)
             {
@@ -244,7 +244,6 @@ namespace Bit.Core.Services
                     OrganizationNameUrlEncoded = WebUtility.UrlEncode(organizationName),
                     WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
                     SiteName = _globalSettings.SiteName,
-                    OrganizationCanSponsor = organizationCanSponsor,
                 }
             ));
 
@@ -581,35 +580,6 @@ namespace Bit.Core.Services
                 var clickTrackingText = (clickTrackingOff ? "clicktracking=off" : string.Empty);
                 writer.WriteSafeString($"<a href=\"{href}\" target=\"_blank\" {clickTrackingText}>{text}</a>");
             });
-
-            Handlebars.RegisterHelper("jsonIf", (output, options, context, arguments) =>
-            {
-                // Special case for JsonElement
-                if (arguments[0] is JsonElement jsonElement
-                    && (jsonElement.ValueKind == JsonValueKind.True || jsonElement.ValueKind == JsonValueKind.False))
-                {
-                    if (jsonElement.GetBoolean())
-                    {
-                        options.Template(output, context);
-                    }
-                    else
-                    {
-                        options.Inverse(output, context);
-                    }
-
-                    return;
-                }
-
-                // Fallback to normal
-                if (HandlebarsUtils.IsTruthy(arguments[0]))
-                {
-                    options.Template(output, context);
-                }
-                else
-                {
-                    options.Inverse(output, context);
-                }
-            });
         }
 
         public async Task SendEmergencyAccessInviteEmailAsync(EmergencyAccess emergencyAccess, string name, string token)
@@ -803,27 +773,32 @@ namespace Bit.Core.Services
             await _mailDeliveryService.SendEmailAsync(message);
         }
 
-        public async Task SendFamiliesForEnterpriseOfferEmailAsync(string email, string sponsorEmail, bool existingAccount, string token)
+        public async Task SendFamiliesForEnterpriseOfferEmailAsync(string sponsorOrgName, string email, bool existingAccount, string token) =>
+            await BulkSendFamiliesForEnterpriseOfferEmailAsync(sponsorOrgName, new[] { (email, existingAccount, token) });
+
+        public async Task BulkSendFamiliesForEnterpriseOfferEmailAsync(string sponsorOrgName, IEnumerable<(string Email, bool ExistingAccount, string Token)> invites)
         {
-            var message = CreateDefaultMessage("Accept Your Free Families Subscription", email);
-
-            var model = new FamiliesForEnterpriseOfferViewModel
+            MailQueueMessage CreateMessage((string Email, bool ExistingAccount, string Token) invite)
             {
-                SponsorEmail = CoreHelpers.ObfuscateEmail(sponsorEmail),
-                SponsoredEmail = WebUtility.UrlEncode(email),
-                ExistingAccount = existingAccount,
-                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
-                SiteName = _globalSettings.SiteName,
-                SponsorshipToken = token,
-            };
-            var templateName = existingAccount ?
-                "FamiliesForEnterprise.FamiliesForEnterpriseOfferExistingAccount" :
-                "FamiliesForEnterprise.FamiliesForEnterpriseOfferNewAccount";
+                var message = CreateDefaultMessage("Accept Your Free Families Subscription", invite.Email);
+                message.Category = "FamiliesForEnterpriseOffer";
+                var model = new FamiliesForEnterpriseOfferViewModel
+                {
+                    SponsorOrgName = sponsorOrgName,
+                    SponsoredEmail = WebUtility.UrlEncode(invite.Email),
+                    ExistingAccount = invite.ExistingAccount,
+                    WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+                    SiteName = _globalSettings.SiteName,
+                    SponsorshipToken = invite.Token,
+                };
+                var templateName = invite.ExistingAccount ?
+                    "FamiliesForEnterprise.FamiliesForEnterpriseOfferExistingAccount" :
+                    "FamiliesForEnterprise.FamiliesForEnterpriseOfferNewAccount";
 
-            await AddMessageContentAsync(message, templateName, model);
-
-            message.Category = "FamiliesForEnterpriseOffer";
-            await _mailDeliveryService.SendEmailAsync(message);
+                return new MailQueueMessage(message, templateName, model);
+            }
+            var messageModels = invites.Select(invite => CreateMessage(invite));
+            await EnqueueMailAsync(messageModels);
         }
 
         public async Task SendFamiliesForEnterpriseRedeemedEmailsAsync(string familyUserEmail, string sponsorEmail)
@@ -851,12 +826,12 @@ namespace Bit.Core.Services
             await _mailDeliveryService.SendEmailAsync(message);
         }
 
-        public async Task SendFamiliesForEnterpriseSponsorshipRevertingEmailAsync(string email, string familyOrgName)
+        public async Task SendFamiliesForEnterpriseSponsorshipRevertingEmailAsync(string email, DateTime expirationDate)
         {
-            var message = CreateDefaultMessage($"{familyOrgName} Organization Sponsorship Is No Longer Valid", email);
+            var message = CreateDefaultMessage("Your Families Sponsorship was Removed", email);
             var model = new FamiliesForEnterpriseSponsorshipRevertingViewModel
             {
-                OrganizationName = CoreHelpers.SanitizeForEmail(familyOrgName, false),
+                ExpirationDate = expirationDate,
             };
             await AddMessageContentAsync(message, "FamiliesForEnterprise.FamiliesForEnterpriseSponsorshipReverting", model);
             message.Category = "FamiliesForEnterpriseSponsorshipReverting";

src/Core/Services/Implementations/InMemoryApplicationCacheService.cs

@@ -5,6 +5,7 @@ using System.Threading.Tasks;
 using Bit.Core.Entities;
 using Bit.Core.Entities.Provider;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
 
 namespace Bit.Core.Services

src/Core/Services/Implementations/LicensingService.cs

@@ -20,7 +20,7 @@ namespace Bit.Core.Services
     public class LicensingService : ILicensingService
     {
         private readonly X509Certificate2 _certificate;
-        private readonly GlobalSettings _globalSettings;
+        private readonly IGlobalSettings _globalSettings;
         private readonly IUserRepository _userRepository;
         private readonly IOrganizationRepository _organizationRepository;
         private readonly IOrganizationUserRepository _organizationUserRepository;
@@ -36,7 +36,7 @@ namespace Bit.Core.Services
             IMailService mailService,
             IWebHostEnvironment environment,
             ILogger<LicensingService> logger,
-            GlobalSettings globalSettings)
+            IGlobalSettings globalSettings)
         {
             _userRepository = userRepository;
             _organizationRepository = organizationRepository;
@@ -90,7 +90,7 @@ namespace Bit.Core.Services
 
             foreach (var org in enabledOrgs)
             {
-                var license = ReadOrganizationLicense(org);
+                var license = await ReadOrganizationLicenseAsync(org);
                 if (license == null)
                 {
                     await DisableOrganizationAsync(org, null, "No license file.");
@@ -249,16 +249,18 @@ namespace Bit.Core.Services
             return JsonSerializer.Deserialize<UserLicense>(data);
         }
 
-        private OrganizationLicense ReadOrganizationLicense(Organization organization)
+        public Task<OrganizationLicense> ReadOrganizationLicenseAsync(Organization organization) =>
+            ReadOrganizationLicenseAsync(organization.Id);
+        public async Task<OrganizationLicense> ReadOrganizationLicenseAsync(Guid organizationId)
         {
-            var filePath = $"{_globalSettings.LicenseDirectory}/organization/{organization.Id}.json";
+            var filePath = Path.Combine(_globalSettings.LicenseDirectory, "organization", $"{organizationId}.json");
             if (!File.Exists(filePath))
             {
                 return null;
             }
 
-            var data = File.ReadAllText(filePath, Encoding.UTF8);
-            return JsonSerializer.Deserialize<OrganizationLicense>(data);
+            using var fs = File.OpenRead(filePath);
+            return await JsonSerializer.DeserializeAsync<OrganizationLicense>(fs);
         }
     }
 }

src/Core/Services/Implementations/MultiServicePushNotificationService.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Net.Http;
 using System.Threading.Tasks;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -17,6 +18,7 @@ namespace Bit.Core.Services
         private readonly ILogger<MultiServicePushNotificationService> _logger;
 
         public MultiServicePushNotificationService(
+            IHttpClientFactory httpFactory,
             IDeviceRepository deviceRepository,
             IInstallationDeviceRepository installationDeviceRepository,
             GlobalSettings globalSettings,
@@ -31,14 +33,14 @@ namespace Bit.Core.Services
                     globalSettings.Installation?.Id != null &&
                     CoreHelpers.SettingHasValue(globalSettings.Installation?.Key))
                 {
-                    _services.Add(new RelayPushNotificationService(deviceRepository, globalSettings,
+                    _services.Add(new RelayPushNotificationService(httpFactory, deviceRepository, globalSettings,
                         httpContextAccessor, relayLogger));
                 }
                 if (CoreHelpers.SettingHasValue(globalSettings.InternalIdentityKey) &&
                     CoreHelpers.SettingHasValue(globalSettings.BaseServiceUri.InternalNotifications))
                 {
                     _services.Add(new NotificationsApiPushNotificationService(
-                        globalSettings, httpContextAccessor, hubLogger));
+                        httpFactory, globalSettings, httpContextAccessor, hubLogger));
                 }
             }
             else

src/Core/Services/Implementations/NotificationsApiPushNotificationService.cs

@@ -18,16 +18,18 @@ namespace Bit.Core.Services
         private readonly IHttpContextAccessor _httpContextAccessor;
 
         public NotificationsApiPushNotificationService(
+            IHttpClientFactory httpFactory,
             GlobalSettings globalSettings,
             IHttpContextAccessor httpContextAccessor,
             ILogger<NotificationsApiPushNotificationService> logger)
             : base(
-                 globalSettings.BaseServiceUri.InternalNotifications,
-                 globalSettings.BaseServiceUri.InternalIdentity,
-                 "internal",
-                 $"internal.{globalSettings.ProjectName}",
-                 globalSettings.InternalIdentityKey,
-                 logger)
+                httpFactory,
+                globalSettings.BaseServiceUri.InternalNotifications,
+                globalSettings.BaseServiceUri.InternalIdentity,
+                "internal",
+                $"internal.{globalSettings.ProjectName}",
+                globalSettings.InternalIdentityKey,
+                logger)
         {
             _globalSettings = globalSettings;
             _httpContextAccessor = httpContextAccessor;

src/Core/Services/Implementations/OrganizationService.cs

@@ -42,6 +42,7 @@ namespace Bit.Core.Services
         private readonly IReferenceEventService _referenceEventService;
         private readonly IGlobalSettings _globalSettings;
         private readonly ITaxRateRepository _taxRateRepository;
+        private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
         private readonly ICurrentContext _currentContext;
         private readonly ILogger<OrganizationService> _logger;
 
@@ -68,6 +69,7 @@ namespace Bit.Core.Services
             IReferenceEventService referenceEventService,
             IGlobalSettings globalSettings,
             ITaxRateRepository taxRateRepository,
+            IOrganizationApiKeyRepository organizationApiKeyRepository,
             ICurrentContext currentContext,
             ILogger<OrganizationService> logger)
         {
@@ -92,6 +94,7 @@ namespace Bit.Core.Services
             _referenceEventService = referenceEventService;
             _globalSettings = globalSettings;
             _taxRateRepository = taxRateRepository;
+            _organizationApiKeyRepository = organizationApiKeyRepository;
             _currentContext = currentContext;
             _logger = logger;
         }
@@ -611,7 +614,6 @@ namespace Bit.Core.Services
                 ReferenceData = signup.Owner.ReferenceData,
                 Enabled = true,
                 LicenseKey = CoreHelpers.SecureRandomString(20),
-                ApiKey = CoreHelpers.SecureRandomString(30),
                 PublicKey = signup.PublicKey,
                 PrivateKey = signup.PrivateKey,
                 CreationDate = DateTime.UtcNow,
@@ -721,7 +723,6 @@ namespace Bit.Core.Services
                 Enabled = license.Enabled,
                 ExpirationDate = license.Expires,
                 LicenseKey = license.LicenseKey,
-                ApiKey = CoreHelpers.SecureRandomString(30),
                 PublicKey = publicKey,
                 PrivateKey = privateKey,
                 CreationDate = DateTime.UtcNow,
@@ -743,6 +744,13 @@ namespace Bit.Core.Services
             try
             {
                 await _organizationRepository.CreateAsync(organization);
+                await _organizationApiKeyRepository.CreateAsync(new OrganizationApiKey
+                {
+                    OrganizationId = organization.Id,
+                    ApiKey = CoreHelpers.SecureRandomString(30),
+                    Type = OrganizationApiKeyType.Default,
+                    RevisionDate = DateTime.UtcNow,
+                });
                 await _applicationCacheService.UpsertOrganizationAbilityAsync(organization);
 
                 if (!string.IsNullOrWhiteSpace(collectionName))
@@ -1271,7 +1279,7 @@ namespace Bit.Core.Services
             string MakeToken(OrganizationUser orgUser) =>
                 _dataProtector.Protect($"OrganizationUserInvite {orgUser.Id} {orgUser.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
 
-            await _mailService.BulkSendOrganizationInviteEmailAsync(organization.Name, CheckOrganizationCanSponsor(organization),
+            await _mailService.BulkSendOrganizationInviteEmailAsync(organization.Name,
                 orgUsers.Select(o => (o, new ExpiringToken(MakeToken(o), DateTime.UtcNow.AddDays(5)))));
         }
 
@@ -1282,14 +1290,7 @@ namespace Bit.Core.Services
             var token = _dataProtector.Protect(
                 $"OrganizationUserInvite {orgUser.Id} {orgUser.Email} {nowMillis}");
 
-            await _mailService.SendOrganizationInviteEmailAsync(organization.Name, CheckOrganizationCanSponsor(organization), orgUser, new ExpiringToken(token, now.AddDays(5)));
-        }
-
-
-        private bool CheckOrganizationCanSponsor(Organization organization)
-        {
-            return StaticStore.GetPlan(organization.PlanType).Product == ProductType.Enterprise
-                && !_globalSettings.SelfHosted;
+            await _mailService.SendOrganizationInviteEmailAsync(organization.Name, orgUser, new ExpiringToken(token, now.AddDays(5)));
         }
 
         public async Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, User user, string token,
@@ -2016,13 +2017,6 @@ namespace Bit.Core.Services
                 new ReferenceEvent(ReferenceEventType.DirectorySynced, organization));
         }
 
-        public async Task RotateApiKeyAsync(Organization organization)
-        {
-            organization.ApiKey = CoreHelpers.SecureRandomString(30);
-            organization.RevisionDate = DateTime.UtcNow;
-            await ReplaceAndUpdateCache(organization);
-        }
-
         public async Task DeleteSsoUserAsync(Guid userId, Guid? organizationId)
         {
             await _ssoUserRepository.DeleteAsync(userId, organizationId);

src/Core/Services/Implementations/OrganizationSponsorshipService.cs

@@ -1,318 +0,0 @@
-using System;
-using System.Threading.Tasks;
-using Bit.Core.Entities;
-using Bit.Core.Enums;
-using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
-using Bit.Core.Utilities;
-using Microsoft.AspNetCore.DataProtection;
-
-namespace Bit.Core.Services
-{
-    public class OrganizationSponsorshipService : IOrganizationSponsorshipService
-    {
-        private const string FamiliesForEnterpriseTokenName = "FamiliesForEnterpriseToken";
-        private const string TokenClearTextPrefix = "BWOrganizationSponsorship_";
-
-        private readonly IOrganizationSponsorshipRepository _organizationSponsorshipRepository;
-        private readonly IOrganizationRepository _organizationRepository;
-        private readonly IUserRepository _userRepository;
-        private readonly IPaymentService _paymentService;
-        private readonly IMailService _mailService;
-
-        private readonly IDataProtector _dataProtector;
-
-        public OrganizationSponsorshipService(IOrganizationSponsorshipRepository organizationSponsorshipRepository,
-            IOrganizationRepository organizationRepository,
-            IUserRepository userRepository,
-            IPaymentService paymentService,
-            IMailService mailService,
-            IDataProtectionProvider dataProtectionProvider)
-        {
-            _organizationSponsorshipRepository = organizationSponsorshipRepository;
-            _organizationRepository = organizationRepository;
-            _userRepository = userRepository;
-            _paymentService = paymentService;
-            _mailService = mailService;
-            _dataProtector = dataProtectionProvider.CreateProtector("OrganizationSponsorshipServiceDataProtector");
-        }
-
-        public async Task<(bool valid, OrganizationSponsorship sponsorship)> ValidateRedemptionTokenAsync(string encryptedToken, string sponsoredUserEmail)
-        {
-            if (!encryptedToken.StartsWith(TokenClearTextPrefix) || sponsoredUserEmail == null)
-            {
-                return (false, null);
-            }
-
-            var decryptedToken = _dataProtector.Unprotect(encryptedToken[TokenClearTextPrefix.Length..]);
-            var dataParts = decryptedToken.Split(' ');
-
-            if (dataParts.Length != 3)
-            {
-                return (false, null);
-            }
-
-            if (dataParts[0].Equals(FamiliesForEnterpriseTokenName))
-            {
-                if (!Guid.TryParse(dataParts[1], out Guid sponsorshipId) ||
-                    !Enum.TryParse<PlanSponsorshipType>(dataParts[2], true, out var sponsorshipType))
-                {
-                    return (false, null);
-                }
-
-                var sponsorship = await _organizationSponsorshipRepository.GetByIdAsync(sponsorshipId);
-                if (sponsorship == null ||
-                    sponsorship.PlanSponsorshipType != sponsorshipType ||
-                    sponsorship.OfferedToEmail != sponsoredUserEmail)
-                {
-                    return (false, sponsorship);
-                }
-
-                return (true, sponsorship);
-            }
-
-            return (false, null);
-        }
-
-        private string RedemptionToken(Guid sponsorshipId, PlanSponsorshipType sponsorshipType) =>
-            string.Concat(
-                TokenClearTextPrefix,
-                _dataProtector.Protect($"{FamiliesForEnterpriseTokenName} {sponsorshipId} {sponsorshipType}")
-            );
-
-        public async Task OfferSponsorshipAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
-            PlanSponsorshipType sponsorshipType, string sponsoredEmail, string friendlyName, string sponsoringUserEmail)
-        {
-            var requiredSponsoringProductType = StaticStore.GetSponsoredPlan(sponsorshipType)?.SponsoringProductType;
-            if (requiredSponsoringProductType == null ||
-                sponsoringOrg == null ||
-                StaticStore.GetPlan(sponsoringOrg.PlanType).Product != requiredSponsoringProductType.Value)
-            {
-                throw new BadRequestException("Specified Organization cannot sponsor other organizations.");
-            }
-
-            if (sponsoringOrgUser == null || sponsoringOrgUser.Status != OrganizationUserStatusType.Confirmed)
-            {
-                throw new BadRequestException("Only confirmed users can sponsor other organizations.");
-            }
-
-            var existingOrgSponsorship = await _organizationSponsorshipRepository
-                .GetBySponsoringOrganizationUserIdAsync(sponsoringOrgUser.Id);
-            if (existingOrgSponsorship?.SponsoredOrganizationId != null)
-            {
-                throw new BadRequestException("Can only sponsor one organization per Organization User.");
-            }
-
-            var sponsorship = new OrganizationSponsorship
-            {
-                SponsoringOrganizationId = sponsoringOrg.Id,
-                SponsoringOrganizationUserId = sponsoringOrgUser.Id,
-                FriendlyName = friendlyName,
-                OfferedToEmail = sponsoredEmail,
-                PlanSponsorshipType = sponsorshipType,
-                CloudSponsor = true,
-            };
-
-            if (existingOrgSponsorship != null)
-            {
-                // Replace existing invalid offer with our new sponsorship offer
-                sponsorship.Id = existingOrgSponsorship.Id;
-            }
-
-            try
-            {
-                await _organizationSponsorshipRepository.UpsertAsync(sponsorship);
-
-                await SendSponsorshipOfferAsync(sponsorship, sponsoringUserEmail);
-            }
-            catch
-            {
-                if (sponsorship.Id != default)
-                {
-                    await _organizationSponsorshipRepository.DeleteAsync(sponsorship);
-                }
-                throw;
-            }
-        }
-
-        public async Task ResendSponsorshipOfferAsync(Organization sponsoringOrg, OrganizationUser sponsoringOrgUser,
-            OrganizationSponsorship sponsorship, string sponsoringUserEmail)
-        {
-            if (sponsoringOrg == null)
-            {
-                throw new BadRequestException("Cannot find the requested sponsoring organization.");
-            }
-
-            if (sponsoringOrgUser == null || sponsoringOrgUser.Status != OrganizationUserStatusType.Confirmed)
-            {
-                throw new BadRequestException("Only confirmed users can sponsor other organizations.");
-            }
-
-            if (sponsorship == null || sponsorship.OfferedToEmail == null)
-            {
-                throw new BadRequestException("Cannot find an outstanding sponsorship offer for this organization.");
-            }
-
-            await SendSponsorshipOfferAsync(sponsorship, sponsoringUserEmail);
-        }
-
-        public async Task SendSponsorshipOfferAsync(OrganizationSponsorship sponsorship, string sponsoringEmail)
-        {
-            var user = await _userRepository.GetByEmailAsync(sponsorship.OfferedToEmail);
-            var isExistingAccount = user != null;
-
-            await _mailService.SendFamiliesForEnterpriseOfferEmailAsync(sponsorship.OfferedToEmail, sponsoringEmail,
-                isExistingAccount, RedemptionToken(sponsorship.Id, sponsorship.PlanSponsorshipType.Value));
-        }
-
-        public async Task SetUpSponsorshipAsync(OrganizationSponsorship sponsorship,
-            Organization sponsoredOrganization)
-        {
-            if (sponsorship == null)
-            {
-                throw new BadRequestException("No unredeemed sponsorship offer exists for you.");
-            }
-
-            var existingOrgSponsorship = await _organizationSponsorshipRepository
-                .GetBySponsoredOrganizationIdAsync(sponsoredOrganization.Id);
-            if (existingOrgSponsorship != null)
-            {
-                throw new BadRequestException("Cannot redeem a sponsorship offer for an organization that is already sponsored. Revoke existing sponsorship first.");
-            }
-
-            if (sponsorship.PlanSponsorshipType == null)
-            {
-                throw new BadRequestException("Cannot set up sponsorship without a known sponsorship type.");
-            }
-
-            // Check org to sponsor's product type
-            var requiredSponsoredProductType = StaticStore.GetSponsoredPlan(sponsorship.PlanSponsorshipType.Value)?.SponsoredProductType;
-            if (requiredSponsoredProductType == null ||
-                sponsoredOrganization == null ||
-                StaticStore.GetPlan(sponsoredOrganization.PlanType).Product != requiredSponsoredProductType.Value)
-            {
-                throw new BadRequestException("Can only redeem sponsorship offer on families organizations.");
-            }
-
-            await _paymentService.SponsorOrganizationAsync(sponsoredOrganization, sponsorship);
-            await _organizationRepository.UpsertAsync(sponsoredOrganization);
-
-            sponsorship.SponsoredOrganizationId = sponsoredOrganization.Id;
-            sponsorship.OfferedToEmail = null;
-            await _organizationSponsorshipRepository.UpsertAsync(sponsorship);
-        }
-
-        public async Task<bool> ValidateSponsorshipAsync(Guid sponsoredOrganizationId)
-        {
-            var sponsoredOrganization = await _organizationRepository.GetByIdAsync(sponsoredOrganizationId);
-            if (sponsoredOrganization == null)
-            {
-                return false;
-            }
-
-            var existingSponsorship = await _organizationSponsorshipRepository
-                .GetBySponsoredOrganizationIdAsync(sponsoredOrganizationId);
-
-            if (existingSponsorship == null)
-            {
-                await DoRemoveSponsorshipAsync(sponsoredOrganization, null);
-                return false;
-            }
-
-            if (existingSponsorship.SponsoringOrganizationId == null || existingSponsorship.SponsoringOrganizationUserId == null || existingSponsorship.PlanSponsorshipType == null)
-            {
-                await DoRemoveSponsorshipAsync(sponsoredOrganization, existingSponsorship);
-                return false;
-            }
-            var sponsoredPlan = Utilities.StaticStore.GetSponsoredPlan(existingSponsorship.PlanSponsorshipType.Value);
-
-            var sponsoringOrganization = await _organizationRepository
-                .GetByIdAsync(existingSponsorship.SponsoringOrganizationId.Value);
-            if (sponsoringOrganization == null)
-            {
-                await DoRemoveSponsorshipAsync(sponsoredOrganization, existingSponsorship);
-                return false;
-            }
-
-            var sponsoringOrgPlan = Utilities.StaticStore.GetPlan(sponsoringOrganization.PlanType);
-            if (!sponsoringOrganization.Enabled || sponsoredPlan.SponsoringProductType != sponsoringOrgPlan.Product)
-            {
-                await DoRemoveSponsorshipAsync(sponsoredOrganization, existingSponsorship);
-                return false;
-            }
-
-            return true;
-        }
-
-        public async Task RevokeSponsorshipAsync(Organization sponsoredOrg, OrganizationSponsorship sponsorship)
-        {
-            if (sponsorship == null)
-            {
-                throw new BadRequestException("You are not currently sponsoring an organization.");
-            }
-
-            if (sponsorship.SponsoredOrganizationId == null)
-            {
-                await DoRemoveSponsorshipAsync(null, sponsorship);
-                return;
-            }
-
-            if (sponsoredOrg == null)
-            {
-                throw new BadRequestException("Unable to find the sponsored Organization.");
-            }
-
-            await DoRemoveSponsorshipAsync(sponsoredOrg, sponsorship);
-        }
-
-        public async Task RemoveSponsorshipAsync(Organization sponsoredOrg, OrganizationSponsorship sponsorship)
-        {
-            if (sponsorship == null || sponsorship.SponsoredOrganizationId == null)
-            {
-                throw new BadRequestException("The requested organization is not currently being sponsored.");
-            }
-
-            if (sponsoredOrg == null)
-            {
-                throw new BadRequestException("Unable to find the sponsored Organization.");
-            }
-
-            await DoRemoveSponsorshipAsync(sponsoredOrg, sponsorship);
-        }
-
-        internal async Task DoRemoveSponsorshipAsync(Organization sponsoredOrganization, OrganizationSponsorship sponsorship = null)
-        {
-            if (sponsoredOrganization != null)
-            {
-                await _paymentService.RemoveOrganizationSponsorshipAsync(sponsoredOrganization, sponsorship);
-                await _organizationRepository.UpsertAsync(sponsoredOrganization);
-
-                await _mailService.SendFamiliesForEnterpriseSponsorshipRevertingEmailAsync(
-                    sponsoredOrganization.BillingEmailAddress(),
-                    sponsoredOrganization.Name);
-            }
-
-            if (sponsorship == null)
-            {
-                return;
-            }
-
-            // Initialize the record as available
-            sponsorship.SponsoredOrganizationId = null;
-            sponsorship.FriendlyName = null;
-            sponsorship.OfferedToEmail = null;
-            sponsorship.PlanSponsorshipType = null;
-            sponsorship.TimesRenewedWithoutValidation = 0;
-            sponsorship.SponsorshipLapsedDate = null;
-
-            if (sponsorship.CloudSponsor || sponsorship.SponsorshipLapsedDate.HasValue)
-            {
-                await _organizationSponsorshipRepository.DeleteAsync(sponsorship);
-            }
-            else
-            {
-                await _organizationSponsorshipRepository.UpsertAsync(sponsorship);
-            }
-        }
-    }
-}

src/Core/Services/Implementations/RelayPushNotificationService.cs

@@ -18,24 +18,24 @@ namespace Bit.Core.Services
     {
         private readonly IDeviceRepository _deviceRepository;
         private readonly IHttpContextAccessor _httpContextAccessor;
-        private readonly ILogger<RelayPushNotificationService> _logger;
 
         public RelayPushNotificationService(
+            IHttpClientFactory httpFactory,
             IDeviceRepository deviceRepository,
             GlobalSettings globalSettings,
             IHttpContextAccessor httpContextAccessor,
             ILogger<RelayPushNotificationService> logger)
             : base(
-                  globalSettings.PushRelayBaseUri,
-                  globalSettings.Installation.IdentityUri,
-                  "api.push",
-                  $"installation.{globalSettings.Installation.Id}",
-                  globalSettings.Installation.Key,
-                  logger)
+                httpFactory,
+                globalSettings.PushRelayBaseUri,
+                globalSettings.Installation.IdentityUri,
+                "api.push",
+                $"installation.{globalSettings.Installation.Id}",
+                globalSettings.Installation.Key,
+                logger)
         {
             _deviceRepository = deviceRepository;
             _httpContextAccessor = httpContextAccessor;
-            _logger = logger;
         }
 
         public async Task PushSyncCipherCreateAsync(Cipher cipher, IEnumerable<Guid> collectionIds)