Merge branch 'main' into ac/pm-16812/shortcut-duplicate-group-patch-r…

…equests

src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs

@@ -1,6 +1,5 @@
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response.Organizations;
-using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationConnections.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
@@ -107,7 +106,7 @@ public async Task<PreValidateSponsorshipResponseModel> PreValidateSponsorshipTok
     {
         var isFreeFamilyPolicyEnabled = false;
         var (isValid, sponsorship) = await _validateRedemptionTokenCommand.ValidateRedemptionTokenAsync(sponsorshipToken, (await CurrentUser).Email);
-        if (isValid && _featureService.IsEnabled(FeatureFlagKeys.DisableFreeFamiliesSponsorship) && sponsorship.SponsoringOrganizationId.HasValue)
+        if (isValid && sponsorship.SponsoringOrganizationId.HasValue)
         {
             var policy = await _policyRepository.GetByOrganizationIdTypeAsync(sponsorship.SponsoringOrganizationId.Value,
                 PolicyType.FreeFamiliesSponsorshipPolicy);

src/Api/Tools/Controllers/ImportCiphersController.cs

@@ -64,8 +64,9 @@ public async Task PostImport([FromQuery] string organizationId,
         [FromBody] ImportOrganizationCiphersRequestModel model)
     {
         if (!_globalSettings.SelfHosted &&
-            (model.Ciphers.Count() > 7000 || model.CollectionRelationships.Count() > 14000 ||
-                model.Collections.Count() > 2000))
+            (model.Ciphers.Count() > _globalSettings.ImportCiphersLimitation.CiphersLimit ||
+             model.CollectionRelationships.Count() > _globalSettings.ImportCiphersLimitation.CollectionRelationshipsLimit ||
+             model.Collections.Count() > _globalSettings.ImportCiphersLimitation.CollectionsLimit))
         {
             throw new BadRequestException("You cannot import this much data at once.");
         }

src/Api/Vault/Controllers/SecurityTaskController.cs

@@ -1,4 +1,5 @@
 using Bit.Api.Models.Response;
+using Bit.Api.Vault.Models.Request;
 using Bit.Api.Vault.Models.Response;
 using Bit.Core;
 using Bit.Core.Services;
@@ -20,17 +21,20 @@ public class SecurityTaskController : Controller
     private readonly IGetTaskDetailsForUserQuery _getTaskDetailsForUserQuery;
     private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
     private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
+    private readonly ICreateManyTasksCommand _createManyTasksCommand;
 
     public SecurityTaskController(
         IUserService userService,
         IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
         IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
-        IGetTasksForOrganizationQuery getTasksForOrganizationQuery)
+        IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
+        ICreateManyTasksCommand createManyTasksCommand)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
         _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
         _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
+        _createManyTasksCommand = createManyTasksCommand;
     }
 
     /// <summary>
@@ -71,4 +75,19 @@ public async Task<ListResponseModel<SecurityTasksResponseModel>> ListForOrganiza
         var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
+
+    /// <summary>
+    /// Bulk create security tasks for an organization.
+    /// </summary>
+    /// <param name="orgId"></param>
+    /// <param name="model"></param>
+    /// <returns>A list response model containing the security tasks created for the organization.</returns>
+    [HttpPost("{orgId:guid}/bulk-create")]
+    public async Task<ListResponseModel<SecurityTasksResponseModel>> BulkCreateTasks(Guid orgId,
+        [FromBody] BulkCreateSecurityTasksRequestModel model)
+    {
+        var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
+        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
+        return new ListResponseModel<SecurityTasksResponseModel>(response);
+    }
 }

src/Api/Vault/Models/Request/BulkCreateSecurityTasksRequestModel.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Vault.Models.Api;
+
+namespace Bit.Api.Vault.Models.Request;
+
+public class BulkCreateSecurityTasksRequestModel
+{
+    public IEnumerable<SecurityTaskCreateRequest> Tasks { get; set; }
+}

src/Api/appsettings.json

@@ -56,6 +56,11 @@
       "publicKey": "SECRET",
       "privateKey": "SECRET"
     },
+    "importCiphersLimitation": {
+      "ciphersLimit": 40000,
+      "collectionRelationshipsLimit": 80000,
+      "collectionsLimit": 2000
+    },
     "bitPay": {
       "production": false,
       "token": "SECRET",

src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs

@@ -60,4 +60,12 @@ UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
     Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
 
     Task RevokeManyByIdAsync(IEnumerable<Guid> organizationUserIds);
+
+    /// <summary>
+    /// Returns a list of OrganizationUsersUserDetails with the specified role.
+    /// </summary>
+    /// <param name="organizationId">The organization to search within</param>
+    /// <param name="role">The role to search for</param>
+    /// <returns>A list of OrganizationUsersUserDetails with the specified role</returns>
+    Task<IEnumerable<OrganizationUserUserDetails>> GetManyDetailsByRoleAsync(Guid organizationId, OrganizationUserType role);
 }

src/Core/Auth/Services/Implementations/AuthRequestService.cs

@@ -297,10 +297,34 @@ private async Task NotifyAdminsOfDeviceApprovalRequestAsync(OrganizationUser org
             return;
         }
 
-        var admins = await _organizationUserRepository.GetManyByMinimumRoleAsync(
+        var adminEmails = await GetAdminAndAccountRecoveryEmailsAsync(organizationUser.OrganizationId);
+
+        await _mailService.SendDeviceApprovalRequestedNotificationEmailAsync(
+            adminEmails,
             organizationUser.OrganizationId,
+            user.Email,
+            user.Name);
+    }
+
+    /// <summary>
+    /// Returns a list of emails for admins and custom users with the ManageResetPassword permission.
+    /// </summary>
+    /// <param name="organizationId">The organization to search within</param>
+    private async Task<List<string>> GetAdminAndAccountRecoveryEmailsAsync(Guid organizationId)
+    {
+        var admins = await _organizationUserRepository.GetManyByMinimumRoleAsync(
+            organizationId,
             OrganizationUserType.Admin);
-        var adminEmails = admins.Select(a => a.Email).Distinct().ToList();
-        await _mailService.SendDeviceApprovalRequestedNotificationEmailAsync(adminEmails, organizationUser.OrganizationId, user.Email, user.Name);
+
+        var customUsers = await _organizationUserRepository.GetManyDetailsByRoleAsync(
+            organizationId,
+            OrganizationUserType.Custom);
+
+        return admins.Select(a => a.Email)
+            .Concat(customUsers
+                .Where(a => a.GetPermissions().ManageResetPassword)
+                .Select(a => a.Email))
+            .Distinct()
+            .ToList();
     }
 }

src/Core/Constants.cs

@@ -113,7 +113,6 @@ public static class FeatureFlagKeys
     /* Tools Team */
     public const string ItemShare = "item-share";
     public const string GeneratorToolsModernization = "generator-tools-modernization";
-    public const string MemberAccessReport = "ac-2059-member-access-report";
     public const string RiskInsightsCriticalApplication = "pm-14466-risk-insights-critical-application";
     public const string EnableRiskInsightsNotifications = "enable-risk-insights-notifications";
 
@@ -156,7 +155,6 @@ public static class FeatureFlagKeys
     public const string NewDeviceVerificationTemporaryDismiss = "new-device-temporary-dismiss";
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";
-    public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";
     public const string InlineMenuTotp = "inline-menu-totp";
@@ -176,6 +174,7 @@ public static class FeatureFlagKeys
     public const string SingleTapPasskeyAuthentication = "single-tap-passkey-authentication";
     public const string EnablePMAuthenticatorSync = "enable-pm-bwa-sync";
     public const string P15179_AddExistingOrgsFromProviderPortal = "pm-15179-add-existing-orgs-from-provider-portal";
+    public const string AndroidMutualTls = "mutual-tls";
 
     public static List<string> GetAllKeys()
     {

src/Core/Core.csproj

@@ -51,7 +51,6 @@
     <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Identity.Stores" Version="8.0.10" />
     <PackageReference Include="OneOf" Version="3.0.271" />
-    <PackageReference Include="Quartz" Version="3.13.1" />
     <PackageReference Include="SendGrid" Version="9.29.3" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="8.0.0" />
@@ -73,6 +72,11 @@
     <PackageReference Include="RabbitMQ.Client" Version="7.0.0" />
   </ItemGroup>
 
+  <ItemGroup Label="Pinned transitive dependencies">
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
+  </ItemGroup>
+
   <ItemGroup>
     <Protobuf Include="Billing\Pricing\Protos\password-manager.proto" GrpcServices="Client" />
   </ItemGroup>

src/Core/Settings/GlobalSettings.cs

@@ -70,6 +70,7 @@ public virtual string LicenseDirectory
     public virtual YubicoSettings Yubico { get; set; } = new YubicoSettings();
     public virtual DuoSettings Duo { get; set; } = new DuoSettings();
     public virtual BraintreeSettings Braintree { get; set; } = new BraintreeSettings();
+    public virtual ImportCiphersLimitationSettings ImportCiphersLimitation { get; set; } = new ImportCiphersLimitationSettings();
     public virtual BitPaySettings BitPay { get; set; } = new BitPaySettings();
     public virtual AmazonSettings Amazon { get; set; } = new AmazonSettings();
     public virtual ServiceBusSettings ServiceBus { get; set; } = new ServiceBusSettings();
@@ -521,6 +522,13 @@ public class BraintreeSettings
         public string PrivateKey { get; set; }
     }
 
+    public class ImportCiphersLimitationSettings
+    {
+        public int CiphersLimit { get; set; }
+        public int CollectionRelationshipsLimit { get; set; }
+        public int CollectionsLimit { get; set; }
+    }
+
     public class BitPaySettings
     {
         public bool Production { get; set; }

src/Core/Vault/Commands/CreateManyTasksCommand.cs

@@ -0,0 +1,65 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Models.Api;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Commands;
+
+public class CreateManyTasksCommand : ICreateManyTasksCommand
+{
+    private readonly IAuthorizationService _authorizationService;
+    private readonly ICurrentContext _currentContext;
+    private readonly ISecurityTaskRepository _securityTaskRepository;
+
+    public CreateManyTasksCommand(
+        ISecurityTaskRepository securityTaskRepository,
+        IAuthorizationService authorizationService,
+        ICurrentContext currentContext)
+    {
+        _securityTaskRepository = securityTaskRepository;
+        _authorizationService = authorizationService;
+        _currentContext = currentContext;
+    }
+
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> CreateAsync(Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        var tasksList = tasks?.ToList();
+
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            throw new BadRequestException("No tasks provided.");
+        }
+
+        var securityTasks = tasksList.Select(t => new SecurityTask
+        {
+            OrganizationId = organizationId,
+            CipherId = t.CipherId,
+            Type = t.Type,
+            Status = SecurityTaskStatus.Pending
+        }).ToList();
+
+        // Verify authorization for each task
+        foreach (var task in securityTasks)
+        {
+            await _authorizationService.AuthorizeOrThrowAsync(
+                _currentContext.HttpContext.User,
+                task,
+                SecurityTaskOperations.Create);
+        }
+
+        return await _securityTaskRepository.CreateManyAsync(securityTasks);
+    }
+}

src/Core/Vault/Commands/Interfaces/ICreateManyTasksCommand.cs

@@ -0,0 +1,17 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Api;
+
+namespace Bit.Core.Vault.Commands.Interfaces;
+
+public interface ICreateManyTasksCommand
+{
+    /// <summary>
+    /// Creates multiple security tasks for an organization.
+    /// Each task must be authorized and the user must have the Create permission
+    /// and associated ciphers must belong to the organization.
+    /// </summary>
+    /// <param name="organizationId">The </param>
+    /// <param name="tasks"></param>
+    /// <returns>Collection of created security tasks</returns>
+    Task<ICollection<SecurityTask>> CreateAsync(Guid organizationId, IEnumerable<SecurityTaskCreateRequest> tasks);
+}

src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs

@@ -1,7 +1,7 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Utilities;
-using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Authorization.SecurityTasks;
 using Bit.Core.Vault.Commands.Interfaces;
 using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Repositories;

src/Core/Vault/Models/Api/SecurityTaskCreateRequest.cs

@@ -0,0 +1,9 @@
+using Bit.Core.Vault.Enums;
+
+namespace Bit.Core.Vault.Models.Api;
+
+public class SecurityTaskCreateRequest
+{
+    public SecurityTaskType Type { get; set; }
+    public Guid? CipherId { get; set; }
+}

src/Core/Vault/Repositories/ISecurityTaskRepository.cs

@@ -21,4 +21,11 @@ public interface ISecurityTaskRepository : IRepository<SecurityTask, Guid>
     /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
     /// <returns></returns>
     Task<ICollection<SecurityTask>> GetManyByOrganizationIdStatusAsync(Guid organizationId, SecurityTaskStatus? status = null);
+
+    /// <summary>
+    ///  Creates bulk security tasks for an organization.
+    /// </summary>
+    /// <param name="tasks">Collection of tasks to create</param>
+    /// <returns>Collection of created security tasks</returns>
+    Task<ICollection<SecurityTask>> CreateManyAsync(IEnumerable<SecurityTask> tasks);
 }

src/Core/Vault/VaultServiceCollectionExtensions.cs

@@ -21,5 +21,6 @@ private static void AddVaultQueries(this IServiceCollection services)
         services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
         services.AddScoped<IGetCipherPermissionsForUserQuery, GetCipherPermissionsForUserQuery>();
         services.AddScoped<IGetTasksForOrganizationQuery, GetTasksForOrganizationQuery>();
+        services.AddScoped<ICreateManyTasksCommand, CreateManyTasksCommand>();
     }
 }

src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs

@@ -567,4 +567,17 @@ await connection.ExecuteAsync(
             new { OrganizationUserIds = JsonSerializer.Serialize(organizationUserIds), Status = OrganizationUserStatusType.Revoked },
             commandType: CommandType.StoredProcedure);
     }
+
+    public async Task<IEnumerable<OrganizationUserUserDetails>> GetManyDetailsByRoleAsync(Guid organizationId, OrganizationUserType role)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationUserUserDetails>(
+                "[dbo].[OrganizationUser_ReadManyDetailsByRole]",
+                new { OrganizationId = organizationId, Role = role },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }

src/Infrastructure.Dapper/DapperHelpers.cs

@@ -81,7 +81,7 @@ private static bool TryGetPropertyInfo(Expression<Func<T, object?>> columnExpres
             return true;
         }
 
-        // Value type properties will implicitly box into the object so 
+        // Value type properties will implicitly box into the object so
         // we need to look past the Convert expression
         // i => (System.Object?)i.Id
         if (