[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)

* Add HasVerifiedDomainsAsync method to IOrganizationDomainService

* Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries

* Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter

* Update the EF query to use the Email from the User table

* dotnet format

* Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests

* Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync

* Fix domain queries

* Add OrganizationUserRepository integration tests

* Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync

* chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync

* Add IsManagedByAnyOrganizationAsync method to IUserRepository

* Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync

* Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync

* chore: Refactor IsManagedByAnyOrganizationAsync method in UserService

* Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool>

* Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query

* Update comments in OrganizationDomainService to use proper capitalization

* Move OrganizationDomainService to AdminConsole ownership and update namespace

* feat: Add support for organization domains in enterprise plans

* feat: Add HasOrganizationDomains property to OrganizationAbility class

* refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService

* Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains

* Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag

* Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks

* Bump date on migration script

* Add indexes to OrganizationDomain table

* Bump script migration date; Remove WITH ONLINE = ON from data migration.

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs

@@ -0,0 +1,41 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+
+    public GetOrganizationUsersManagementStatusQuery(
+        IApplicationCacheService applicationCacheService,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        _applicationCacheService = applicationCacheService;
+        _organizationUserRepository = organizationUserRepository;
+    }
+
+    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
+    {
+        if (organizationUserIds.Any())
+        {
+            // Users can only be managed by an Organization that is enabled and can have organization domains
+            var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+
+            // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+            // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+            if (organizationAbility is { Enabled: true, UseSso: true })
+            {
+                // Get all organization users with claimed domains by the organization
+                var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
+
+                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
+                return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
+            }
+        }
+
+        return organizationUserIds.ToDictionary(ouId => ouId, _ => false);
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs

@@ -0,0 +1,19 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+public interface IGetOrganizationUsersManagementStatusQuery
+{
+    /// <summary>
+    /// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
+    /// </summary>
+    /// <param name="organizationId">The unique identifier of the organization to check against.</param>
+    /// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    /// <returns>
+    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
+    /// </returns>
+    Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
+        IEnumerable<Guid> organizationUserIds);
+}

src/Core/AdminConsole/Repositories/IOrganizationRepository.cs

@@ -17,4 +17,9 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
     Task<SelfHostedOrganizationDetails?> GetSelfHostedOrganizationDetailsById(Guid id);
     Task<ICollection<Organization>> SearchUnassignedToProviderAsync(string name, string ownerEmail, int skip, int take);
     Task<IEnumerable<string>> GetOwnerEmailAddressesById(Guid organizationId);
+
+    /// <summary>
+    /// Gets the organization that has a claimed domain matching the user's email domain.
+    /// </summary>
+    Task<Organization> GetByClaimedUserDomainAsync(Guid userId);
 }

src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs

@@ -55,4 +55,8 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
     UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
         IEnumerable<OrganizationUser> resetPasswordKeys);
 
+    /// <summary>
+    /// Returns a list of OrganizationUsers with email domains that match one of the Organization's claimed domains.
+    /// </summary>
+    Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
 }

src/Core/AdminConsole/Services/IOrganizationDomainService.cs

@@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Services;
+
+public interface IOrganizationDomainService
+{
+    Task ValidateOrganizationsDomainAsync();
+    Task OrganizationDomainMaintenanceAsync();
+    /// <summary>
+    /// Indicates if the organization has any verified domains.
+    /// </summary>
+    Task<bool> HasVerifiedDomainsAsync(Guid orgId);
+}

src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs

@@ -0,0 +1,146 @@
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.AdminConsole.Services.Implementations;
+
+public class OrganizationDomainService : IOrganizationDomainService
+{
+    private readonly IOrganizationDomainRepository _domainRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IDnsResolverService _dnsResolverService;
+    private readonly IEventService _eventService;
+    private readonly IMailService _mailService;
+    private readonly ILogger<OrganizationDomainService> _logger;
+    private readonly IGlobalSettings _globalSettings;
+
+    public OrganizationDomainService(
+        IOrganizationDomainRepository domainRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IDnsResolverService dnsResolverService,
+        IEventService eventService,
+        IMailService mailService,
+        ILogger<OrganizationDomainService> logger,
+        IGlobalSettings globalSettings)
+    {
+        _domainRepository = domainRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _dnsResolverService = dnsResolverService;
+        _eventService = eventService;
+        _mailService = mailService;
+        _logger = logger;
+        _globalSettings = globalSettings;
+    }
+
+    public async Task ValidateOrganizationsDomainAsync()
+    {
+        //Date should be set 1 hour behind to ensure it selects all domains that should be verified
+        var runDate = DateTime.UtcNow.AddHours(-1);
+
+        var verifiableDomains = await _domainRepository.GetManyByNextRunDateAsync(runDate);
+
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Validating {verifiableDomainsCount} domains.", verifiableDomains.Count);
+
+        foreach (var domain in verifiableDomains)
+        {
+            try
+            {
+                _logger.LogInformation(Constants.BypassFiltersEventId, "Attempting verification for organization {OrgId} with domain {Domain}", domain.OrganizationId, domain.DomainName);
+
+                var status = await _dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt);
+                if (status)
+                {
+                    _logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
+
+                    // Update entry on OrganizationDomain table
+                    domain.SetLastCheckedDate();
+                    domain.SetVerifiedDate();
+                    domain.SetJobRunCount();
+                    await _domainRepository.ReplaceAsync(domain);
+
+                    await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_Verified,
+                        EventSystemUser.DomainVerification);
+                }
+                else
+                {
+                    // Update entry on OrganizationDomain table
+                    domain.SetLastCheckedDate();
+                    domain.SetJobRunCount();
+                    domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
+                    await _domainRepository.ReplaceAsync(domain);
+
+                    await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_NotVerified,
+                        EventSystemUser.DomainVerification);
+                    _logger.LogInformation(Constants.BypassFiltersEventId, "Verification for organization {OrgId} with domain {Domain} failed",
+                        domain.OrganizationId, domain.DomainName);
+                }
+            }
+            catch (Exception ex)
+            {
+                // Update entry on OrganizationDomain table
+                domain.SetLastCheckedDate();
+                domain.SetJobRunCount();
+                domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
+                await _domainRepository.ReplaceAsync(domain);
+
+                await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_NotVerified,
+                    EventSystemUser.DomainVerification);
+
+                _logger.LogError(ex, "Verification for organization {OrgId} with domain {Domain} threw an exception: {errorMessage}",
+                    domain.OrganizationId, domain.DomainName, ex.Message);
+            }
+        }
+    }
+
+    public async Task OrganizationDomainMaintenanceAsync()
+    {
+        try
+        {
+            //Get domains that have not been verified within 72 hours
+            var expiredDomains = await _domainRepository.GetExpiredOrganizationDomainsAsync();
+
+            _logger.LogInformation(Constants.BypassFiltersEventId,
+                "Attempting email reminder for {expiredDomainCount} expired domains.", expiredDomains.Count);
+
+            foreach (var domain in expiredDomains)
+            {
+                //get admin emails of organization
+                var adminEmails = await GetAdminEmailsAsync(domain.OrganizationId);
+
+                //Send email to administrators
+                if (adminEmails.Count > 0)
+                {
+                    await _mailService.SendUnverifiedOrganizationDomainEmailAsync(adminEmails,
+                        domain.OrganizationId.ToString(), domain.DomainName);
+                }
+
+                _logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
+            }
+            // Delete domains that have not been verified within 7 days
+            var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
+            _logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Organization domain maintenance failed");
+        }
+    }
+
+    public async Task<bool> HasVerifiedDomainsAsync(Guid orgId)
+    {
+        var orgDomains = await _domainRepository.GetDomainsByOrganizationIdAsync(orgId);
+        return orgDomains.Any(od => od.VerifiedDate != null);
+    }
+
+    private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
+    {
+        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
+        var emailList = orgUsers.Where(o => o.Type <= OrganizationUserType.Admin
+                                        || o.GetPermissions()?.ManageSso == true)
+            .Select(a => a.Email).Distinct().ToList();
+
+        return emailList;
+    }
+}