[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)

* Add HasVerifiedDomainsAsync method to IOrganizationDomainService

* Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries

* Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter

* Update the EF query to use the Email from the User table

* dotnet format

* Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests

* Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync

* Fix domain queries

* Add OrganizationUserRepository integration tests

* Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync

* chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync

* Add IsManagedByAnyOrganizationAsync method to IUserRepository

* Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync

* Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync

* chore: Refactor IsManagedByAnyOrganizationAsync method in UserService

* Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool>

* Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query

* Update comments in OrganizationDomainService to use proper capitalization

* Move OrganizationDomainService to AdminConsole ownership and update namespace

* feat: Add support for organization domains in enterprise plans

* feat: Add HasOrganizationDomains property to OrganizationAbility class

* refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService

* Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains

* Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag

* Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks

* Bump date on migration script

* Add indexes to OrganizationDomain table

* Bump script migration date; Remove WITH ONLINE = ON from data migration.

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs

@@ -0,0 +1,41 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+
+    public GetOrganizationUsersManagementStatusQuery(
+        IApplicationCacheService applicationCacheService,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        _applicationCacheService = applicationCacheService;
+        _organizationUserRepository = organizationUserRepository;
+    }
+
+    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
+    {
+        if (organizationUserIds.Any())
+        {
+            // Users can only be managed by an Organization that is enabled and can have organization domains
+            var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+
+            // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+            // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+            if (organizationAbility is { Enabled: true, UseSso: true })
+            {
+                // Get all organization users with claimed domains by the organization
+                var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
+
+                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
+                return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
+            }
+        }
+
+        return organizationUserIds.ToDictionary(ouId => ouId, _ => false);
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs

@@ -0,0 +1,19 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+public interface IGetOrganizationUsersManagementStatusQuery
+{
+    /// <summary>
+    /// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
+    /// </summary>
+    /// <param name="organizationId">The unique identifier of the organization to check against.</param>
+    /// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    /// <returns>
+    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
+    /// </returns>
+    Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
+        IEnumerable<Guid> organizationUserIds);
+}