[PM-16251] Remove ActiveUserState from Policy Service (#13231)

* initial impl * rename file to fix linter error * Rename vNext-policy-state.ts to vnext-policy-state.ts * fix masterPasswordPolicyOptions$ * fix ts-strict errors, refactor policies$ and tests * cleanup * cleanup --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2025-12-06 00:13:28 +00:00 · 2025-02-24 10:16:25 -05:00
parent acbff6953c
commit 9a66aea1c9
4 changed files with 906 additions and 0 deletions
--- a/libs/common/src/admin-console/abstractions/policy/vnext-policy.service.ts
+++ b/libs/common/src/admin-console/abstractions/policy/vnext-policy.service.ts
@@ -0,0 +1,68 @@
+import { Observable } from "rxjs";
+
+import { UserId } from "../../../types/guid";
+import { PolicyType } from "../../enums";
+import { PolicyData } from "../../models/data/policy.data";
+import { MasterPasswordPolicyOptions } from "../../models/domain/master-password-policy-options";
+import { Policy } from "../../models/domain/policy";
+import { ResetPasswordPolicyOptions } from "../../models/domain/reset-password-policy-options";
+
+export abstract class vNextPolicyService {
+  /**
+   * All policies for the provided user from sync data.
+   * May include policies that are disabled or otherwise do not apply to the user. Be careful using this!
+   * Consider {@link policiesByType$} instead, which will only return policies that should be enforced against the user.
+   */
+  abstract policies$: (userId: UserId) => Observable<Policy[]>;
+
+  /**
+   * @returns all {@link Policy} objects of a given type that apply to the specified user.
+   * A policy "applies" if it is enabled and the user is not exempt (e.g. because they are an Owner).
+   * @param policyType the {@link PolicyType} to search for
+   * @param userId the {@link UserId} to search against
+   */
+  abstract policiesByType$: (policyType: PolicyType, userId: UserId) => Observable<Policy[]>;
+
+  /**
+   * @returns true if a policy of the specified type applies to the specified user, otherwise false.
+   * A policy "applies" if it is enabled and the user is not exempt (e.g. because they are an Owner).
+   * This does not take into account the policy's configuration - if that is important, use {@link policiesByType$} to get the
+   * {@link Policy} objects and then filter by Policy.data.
+   */
+  abstract policyAppliesToUser$: (policyType: PolicyType, userId: UserId) => Observable<boolean>;
+
+  // Policy specific interfaces
+
+  /**
+   * Combines all Master Password policies that apply to the user.
+   * @returns a set of options which represent the minimum Master Password settings that the user must
+   * comply with in order to comply with **all** Master Password policies.
+   */
+  abstract masterPasswordPolicyOptions$: (
+    userId: UserId,
+    policies?: Policy[],
+  ) => Observable<MasterPasswordPolicyOptions | undefined>;
+
+  /**
+   * Evaluates whether a proposed Master Password complies with all Master Password policies that apply to the user.
+   */
+  abstract evaluateMasterPassword: (
+    passwordStrength: number,
+    newPassword: string,
+    enforcedPolicyOptions?: MasterPasswordPolicyOptions,
+  ) => boolean;
+
+  /**
+   * @returns {@link ResetPasswordPolicyOptions} for the specified organization and a boolean indicating whether the policy
+   * is enabled
+   */
+  abstract getResetPasswordPolicyOptions: (
+    policies: Policy[],
+    orgId: string,
+  ) => [ResetPasswordPolicyOptions, boolean];
+}
+
+export abstract class vNextInternalPolicyService extends vNextPolicyService {
+  abstract upsert: (policy: PolicyData, userId: UserId) => Promise<void>;
+  abstract replace: (policies: { [id: string]: PolicyData }, userId: UserId) => Promise<void>;
+}
--- a/libs/common/src/admin-console/services/policy/default-vnext-policy.service.spec.ts
+++ b/libs/common/src/admin-console/services/policy/default-vnext-policy.service.spec.ts
@@ -0,0 +1,590 @@
+import { mock, MockProxy } from "jest-mock-extended";
+import { firstValueFrom, of } from "rxjs";
+
+import { FakeStateProvider, mockAccountServiceWith } from "../../../../spec";
+import { FakeSingleUserState } from "../../../../spec/fake-state";
+import {
+  OrganizationUserStatusType,
+  OrganizationUserType,
+  PolicyType,
+} from "../../../admin-console/enums";
+import { PermissionsApi } from "../../../admin-console/models/api/permissions.api";
+import { OrganizationData } from "../../../admin-console/models/data/organization.data";
+import { PolicyData } from "../../../admin-console/models/data/policy.data";
+import { MasterPasswordPolicyOptions } from "../../../admin-console/models/domain/master-password-policy-options";
+import { Organization } from "../../../admin-console/models/domain/organization";
+import { Policy } from "../../../admin-console/models/domain/policy";
+import { ResetPasswordPolicyOptions } from "../../../admin-console/models/domain/reset-password-policy-options";
+import { POLICIES } from "../../../admin-console/services/policy/policy.service";
+import { PolicyId, UserId } from "../../../types/guid";
+import { OrganizationService } from "../../abstractions/organization/organization.service.abstraction";
+
+import { DefaultvNextPolicyService, getFirstPolicy } from "./default-vnext-policy.service";
+
+describe("PolicyService", () => {
+  const userId = "userId" as UserId;
+  let stateProvider: FakeStateProvider;
+  let organizationService: MockProxy<OrganizationService>;
+  let singleUserState: FakeSingleUserState<Record<PolicyId, PolicyData>>;
+
+  let policyService: DefaultvNextPolicyService;
+
+  beforeEach(() => {
+    const accountService = mockAccountServiceWith(userId);
+    stateProvider = new FakeStateProvider(accountService);
+    organizationService = mock<OrganizationService>();
+    singleUserState = stateProvider.singleUser.getFake(userId, POLICIES);
+
+    const organizations$ = of([
+      // User
+      organization("org1", true, true, OrganizationUserStatusType.Confirmed, false),
+      // Owner
+      organization(
+        "org2",
+        true,
+        true,
+        OrganizationUserStatusType.Confirmed,
+        false,
+        OrganizationUserType.Owner,
+      ),
+      // Does not use policies
+      organization("org3", true, false, OrganizationUserStatusType.Confirmed, false),
+      // Another User
+      organization("org4", true, true, OrganizationUserStatusType.Confirmed, false),
+      // Another User
+      organization("org5", true, true, OrganizationUserStatusType.Confirmed, false),
+      // Can manage policies
+      organization("org6", true, true, OrganizationUserStatusType.Confirmed, true),
+    ]);
+
+    organizationService.organizations$.calledWith(userId).mockReturnValue(organizations$);
+
+    policyService = new DefaultvNextPolicyService(stateProvider, organizationService);
+  });
+
+  it("upsert", async () => {
+    singleUserState.nextState(
+      arrayToRecord([
+        policyData("1", "test-organization", PolicyType.MaximumVaultTimeout, true, { minutes: 14 }),
+      ]),
+    );
+
+    await policyService.upsert(
+      policyData("99", "test-organization", PolicyType.DisableSend, true),
+      userId,
+    );
+
+    expect(await firstValueFrom(policyService.policies$(userId))).toEqual([
+      {
+        id: "1",
+        organizationId: "test-organization",
+        type: PolicyType.MaximumVaultTimeout,
+        enabled: true,
+        data: { minutes: 14 },
+      },
+      {
+        id: "99",
+        organizationId: "test-organization",
+        type: PolicyType.DisableSend,
+        enabled: true,
+      },
+    ]);
+  });
+
+  it("replace", async () => {
+    singleUserState.nextState(
+      arrayToRecord([
+        policyData("1", "test-organization", PolicyType.MaximumVaultTimeout, true, { minutes: 14 }),
+      ]),
+    );
+
+    await policyService.replace(
+      {
+        "2": policyData("2", "test-organization", PolicyType.DisableSend, true),
+      },
+      userId,
+    );
+
+    expect(await firstValueFrom(policyService.policies$(userId))).toEqual([
+      {
+        id: "2",
+        organizationId: "test-organization",
+        type: PolicyType.DisableSend,
+        enabled: true,
+      },
+    ]);
+  });
+
+  describe("masterPasswordPolicyOptions", () => {
+    it("returns default policy options", async () => {
+      const data: any = {
+        minComplexity: 5,
+        minLength: 20,
+        requireUpper: true,
+      };
+      const model = [
+        new Policy(policyData("1", "test-organization-3", PolicyType.MasterPassword, true, data)),
+      ];
+      jest.spyOn(policyService as any, "policies$").mockReturnValue(of(model));
+
+      const result = await firstValueFrom(policyService.masterPasswordPolicyOptions$(userId));
+
+      expect(result).toEqual({
+        minComplexity: 5,
+        minLength: 20,
+        requireLower: false,
+        requireNumbers: false,
+        requireSpecial: false,
+        requireUpper: true,
+        enforceOnLogin: false,
+      });
+    });
+
+    it("returns undefined", async () => {
+      const data: any = {};
+      const model = [
+        new Policy(
+          policyData("3", "test-organization-3", PolicyType.DisablePersonalVaultExport, true, data),
+        ),
+        new Policy(
+          policyData("4", "test-organization-3", PolicyType.MaximumVaultTimeout, true, data),
+        ),
+      ];
+      jest.spyOn(policyService as any, "policies$").mockReturnValue(of(model));
+
+      const result = await firstValueFrom(policyService.masterPasswordPolicyOptions$(userId));
+
+      expect(result).toBeUndefined();
+    });
+
+    it("returns specified policy options", async () => {
+      const data: any = {
+        minLength: 14,
+      };
+      const model = [
+        new Policy(
+          policyData("3", "test-organization-3", PolicyType.DisablePersonalVaultExport, true, data),
+        ),
+        new Policy(policyData("4", "test-organization-3", PolicyType.MasterPassword, true, data)),
+      ];
+      jest.spyOn(policyService as any, "policies$").mockReturnValue(of(model));
+
+      const result = await firstValueFrom(policyService.masterPasswordPolicyOptions$(userId));
+
+      expect(result).toEqual({
+        minComplexity: 0,
+        minLength: 14,
+        requireLower: false,
+        requireNumbers: false,
+        requireSpecial: false,
+        requireUpper: false,
+        enforceOnLogin: false,
+      });
+    });
+  });
+
+  describe("evaluateMasterPassword", () => {
+    it("false", async () => {
+      const enforcedPolicyOptions = new MasterPasswordPolicyOptions();
+      enforcedPolicyOptions.minLength = 14;
+      const result = policyService.evaluateMasterPassword(10, "password", enforcedPolicyOptions);
+
+      expect(result).toEqual(false);
+    });
+
+    it("true", async () => {
+      const enforcedPolicyOptions = new MasterPasswordPolicyOptions();
+      const result = policyService.evaluateMasterPassword(0, "password", enforcedPolicyOptions);
+
+      expect(result).toEqual(true);
+    });
+  });
+
+  describe("getResetPasswordPolicyOptions", () => {
+    it("default", async () => {
+      const result = policyService.getResetPasswordPolicyOptions([], "");
+
+      expect(result).toEqual([new ResetPasswordPolicyOptions(), false]);
+    });
+
+    it("returns autoEnrollEnabled true", async () => {
+      const data: any = {
+        autoEnrollEnabled: true,
+      };
+      const policies = [
+        new Policy(policyData("5", "test-organization-3", PolicyType.ResetPassword, true, data)),
+      ];
+      const result = policyService.getResetPasswordPolicyOptions(policies, "test-organization-3");
+
+      expect(result).toEqual([{ autoEnrollEnabled: true }, true]);
+    });
+  });
+
+  describe("policiesByType$", () => {
+    it("returns the specified PolicyType", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy2", "org1", PolicyType.DisablePersonalVaultExport, true),
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService
+          .policiesByType$(PolicyType.DisablePersonalVaultExport, userId)
+          .pipe(getFirstPolicy),
+      );
+
+      expect(result).toEqual({
+        id: "policy2",
+        organizationId: "org1",
+        type: PolicyType.DisablePersonalVaultExport,
+        enabled: true,
+      });
+    });
+
+    it("does not return disabled policies", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy2", "org1", PolicyType.DisablePersonalVaultExport, false),
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService
+          .policiesByType$(PolicyType.DisablePersonalVaultExport, userId)
+          .pipe(getFirstPolicy),
+      );
+
+      expect(result).toBeUndefined();
+    });
+
+    it("does not return policies that do not apply to the user because the user's role is exempt", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy2", "org2", PolicyType.DisablePersonalVaultExport, false),
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService
+          .policiesByType$(PolicyType.DisablePersonalVaultExport, userId)
+          .pipe(getFirstPolicy),
+      );
+      expect(result).toBeUndefined();
+    });
+
+    it.each([
+      ["owners", "org2"],
+      ["administrators", "org6"],
+    ])("returns the password generator policy for %s", async (_, organization) => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org1", PolicyType.ActivateAutofill, false),
+          policyData("policy2", organization, PolicyType.PasswordGenerator, true),
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService.policiesByType$(PolicyType.PasswordGenerator, userId).pipe(getFirstPolicy),
+      );
+
+      expect(result).toBeTruthy();
+    });
+
+    it("does not return policies for organizations that do not use policies", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org3", PolicyType.ActivateAutofill, true),
+          policyData("policy2", "org2", PolicyType.DisablePersonalVaultExport, true),
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService.policiesByType$(PolicyType.ActivateAutofill, userId).pipe(getFirstPolicy),
+      );
+
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe("policies$", () => {
+    it("returns all policies when none are disabled", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org4", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy3", "org5", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy4", "org1", PolicyType.DisablePersonalVaultExport, true),
+        ]),
+      );
+
+      const result = await firstValueFrom(policyService.policies$(userId));
+
+      expect(result).toEqual([
+        {
+          id: "policy1",
+          organizationId: "org4",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+        {
+          id: "policy2",
+          organizationId: "org1",
+          type: PolicyType.ActivateAutofill,
+          enabled: true,
+        },
+        {
+          id: "policy3",
+          organizationId: "org5",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+        {
+          id: "policy4",
+          organizationId: "org1",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+      ]);
+    });
+
+    it("returns all policies when some are disabled", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org4", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy3", "org5", PolicyType.DisablePersonalVaultExport, false), // disabled
+          policyData("policy4", "org1", PolicyType.DisablePersonalVaultExport, true),
+        ]),
+      );
+
+      const result = await firstValueFrom(policyService.policies$(userId));
+
+      expect(result).toEqual([
+        {
+          id: "policy1",
+          organizationId: "org4",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+        {
+          id: "policy2",
+          organizationId: "org1",
+          type: PolicyType.ActivateAutofill,
+          enabled: true,
+        },
+        {
+          id: "policy3",
+          organizationId: "org5",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: false,
+        },
+        {
+          id: "policy4",
+          organizationId: "org1",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+      ]);
+    });
+
+    it("returns policies that do not apply to the user because the user's role is exempt", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org4", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy3", "org5", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy4", "org2", PolicyType.DisablePersonalVaultExport, true), // owner
+        ]),
+      );
+
+      const result = await firstValueFrom(policyService.policies$(userId));
+
+      expect(result).toEqual([
+        {
+          id: "policy1",
+          organizationId: "org4",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+        {
+          id: "policy2",
+          organizationId: "org1",
+          type: PolicyType.ActivateAutofill,
+          enabled: true,
+        },
+        {
+          id: "policy3",
+          organizationId: "org5",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+        {
+          id: "policy4",
+          organizationId: "org2",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+      ]);
+    });
+
+    it("does not return policies for organizations that do not use policies", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org4", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy3", "org3", PolicyType.DisablePersonalVaultExport, true), // does not use policies
+          policyData("policy4", "org1", PolicyType.DisablePersonalVaultExport, true),
+        ]),
+      );
+
+      const result = await firstValueFrom(policyService.policies$(userId));
+
+      expect(result).toEqual([
+        {
+          id: "policy1",
+          organizationId: "org4",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+        {
+          id: "policy2",
+          organizationId: "org1",
+          type: PolicyType.ActivateAutofill,
+          enabled: true,
+        },
+        {
+          id: "policy3",
+          organizationId: "org3",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+        {
+          id: "policy4",
+          organizationId: "org1",
+          type: PolicyType.DisablePersonalVaultExport,
+          enabled: true,
+        },
+      ]);
+    });
+  });
+
+  describe("policyAppliesToUser$", () => {
+    it("returns true when the policyType applies to the user", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy1", "org4", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy3", "org5", PolicyType.DisablePersonalVaultExport, true),
+          policyData("policy4", "org1", PolicyType.DisablePersonalVaultExport, true),
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService.policyAppliesToUser$(PolicyType.DisablePersonalVaultExport, userId),
+      );
+
+      expect(result).toBe(true);
+    });
+
+    it("returns false when policyType is disabled", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy3", "org5", PolicyType.DisablePersonalVaultExport, false), // disabled
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService.policyAppliesToUser$(PolicyType.DisablePersonalVaultExport, userId),
+      );
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false when the policyType does not apply to the user because the user's role is exempt", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy4", "org2", PolicyType.DisablePersonalVaultExport, true), // owner
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService.policyAppliesToUser$(PolicyType.DisablePersonalVaultExport, userId),
+      );
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false for organizations that do not use policies", async () => {
+      singleUserState.nextState(
+        arrayToRecord([
+          policyData("policy2", "org1", PolicyType.ActivateAutofill, true),
+          policyData("policy3", "org3", PolicyType.DisablePersonalVaultExport, true), // does not use policies
+        ]),
+      );
+
+      const result = await firstValueFrom(
+        policyService.policyAppliesToUser$(PolicyType.DisablePersonalVaultExport, userId),
+      );
+
+      expect(result).toBe(false);
+    });
+  });
+
+  function policyData(
+    id: string,
+    organizationId: string,
+    type: PolicyType,
+    enabled: boolean,
+    data?: any,
+  ) {
+    const policyData = new PolicyData({} as any);
+    policyData.id = id as PolicyId;
+    policyData.organizationId = organizationId;
+    policyData.type = type;
+    policyData.enabled = enabled;
+    policyData.data = data;
+
+    return policyData;
+  }
+
+  function organizationData(
+    id: string,
+    enabled: boolean,
+    usePolicies: boolean,
+    status: OrganizationUserStatusType,
+    managePolicies: boolean,
+    type: OrganizationUserType = OrganizationUserType.User,
+  ) {
+    const organizationData = new OrganizationData({} as any, {} as any);
+    organizationData.id = id;
+    organizationData.enabled = enabled;
+    organizationData.usePolicies = usePolicies;
+    organizationData.status = status;
+    organizationData.permissions = new PermissionsApi({ managePolicies: managePolicies } as any);
+    organizationData.type = type;
+    return organizationData;
+  }
+
+  function organization(
+    id: string,
+    enabled: boolean,
+    usePolicies: boolean,
+    status: OrganizationUserStatusType,
+    managePolicies: boolean,
+    type: OrganizationUserType = OrganizationUserType.User,
+  ) {
+    return new Organization(
+      organizationData(id, enabled, usePolicies, status, managePolicies, type),
+    );
+  }
+
+  function arrayToRecord(input: PolicyData[]): Record<PolicyId, PolicyData> {
+    return Object.fromEntries(input.map((i) => [i.id, i]));
+  }
+});
--- a/libs/common/src/admin-console/services/policy/default-vnext-policy.service.ts
+++ b/libs/common/src/admin-console/services/policy/default-vnext-policy.service.ts
@@ -0,0 +1,240 @@
+import { combineLatest, map, Observable, of } from "rxjs";
+
+import { StateProvider } from "../../../platform/state";
+import { UserId } from "../../../types/guid";
+import { OrganizationService } from "../../abstractions/organization/organization.service.abstraction";
+import { vNextPolicyService } from "../../abstractions/policy/vnext-policy.service";
+import { OrganizationUserStatusType, PolicyType } from "../../enums";
+import { PolicyData } from "../../models/data/policy.data";
+import { MasterPasswordPolicyOptions } from "../../models/domain/master-password-policy-options";
+import { Organization } from "../../models/domain/organization";
+import { Policy } from "../../models/domain/policy";
+import { ResetPasswordPolicyOptions } from "../../models/domain/reset-password-policy-options";
+
+import { POLICIES } from "./vnext-policy-state";
+
+export function policyRecordToArray(policiesMap: { [id: string]: PolicyData }) {
+  return Object.values(policiesMap || {}).map((f) => new Policy(f));
+}
+
+export const getFirstPolicy = map<Policy[], Policy | undefined>((policies) => {
+  return policies.at(0) ?? undefined;
+});
+
+export class DefaultvNextPolicyService implements vNextPolicyService {
+  constructor(
+    private stateProvider: StateProvider,
+    private organizationService: OrganizationService,
+  ) {}
+
+  private policyState(userId: UserId) {
+    return this.stateProvider.getUser(userId, POLICIES);
+  }
+
+  private policyData$(userId: UserId) {
+    return this.policyState(userId).state$.pipe(map((policyData) => policyData ?? {}));
+  }
+
+  policies$(userId: UserId) {
+    return this.policyData$(userId).pipe(map((policyData) => policyRecordToArray(policyData)));
+  }
+
+  policiesByType$(policyType: PolicyType, userId: UserId) {
+    const filteredPolicies$ = this.policies$(userId).pipe(
+      map((policies) => policies.filter((p) => p.type === policyType)),
+    );
+
+    if (!userId) {
+      throw new Error("No userId provided");
+    }
+
+    const organizations$ = this.organizationService.organizations$(userId);
+
+    return combineLatest([filteredPolicies$, organizations$]).pipe(
+      map(([policies, organizations]) => this.enforcedPolicyFilter(policies, organizations)),
+    );
+  }
+
+  policyAppliesToUser$(policyType: PolicyType, userId: UserId) {
+    return this.policiesByType$(policyType, userId).pipe(
+      getFirstPolicy,
+      map((policy) => !!policy),
+    );
+  }
+
+  private enforcedPolicyFilter(policies: Policy[], organizations: Organization[]) {
+    const orgDict = Object.fromEntries(organizations.map((o) => [o.id, o]));
+    return policies.filter((policy) => {
+      const organization = orgDict[policy.organizationId];
+
+      // This shouldn't happen, i.e. the user should only have policies for orgs they are a member of
+      // But if it does, err on the side of enforcing the policy
+      if (!organization) {
+        return true;
+      }
+
+      return (
+        policy.enabled &&
+        organization.status >= OrganizationUserStatusType.Accepted &&
+        organization.usePolicies &&
+        !this.isExemptFromPolicy(policy.type, organization)
+      );
+    });
+  }
+
+  masterPasswordPolicyOptions$(
+    userId: UserId,
+    policies?: Policy[],
+  ): Observable<MasterPasswordPolicyOptions | undefined> {
+    const policies$ = policies ? of(policies) : this.policies$(userId);
+    return policies$.pipe(
+      map((obsPolicies) => {
+        const enforcedOptions: MasterPasswordPolicyOptions = new MasterPasswordPolicyOptions();
+        const filteredPolicies =
+          obsPolicies.filter((p) => p.type === PolicyType.MasterPassword) ?? [];
+
+        if (filteredPolicies.length === 0) {
+          return;
+        }
+
+        filteredPolicies.forEach((currentPolicy) => {
+          if (!currentPolicy.enabled || !currentPolicy.data) {
+            return;
+          }
+
+          if (
+            currentPolicy.data.minComplexity != null &&
+            currentPolicy.data.minComplexity > enforcedOptions.minComplexity
+          ) {
+            enforcedOptions.minComplexity = currentPolicy.data.minComplexity;
+          }
+
+          if (
+            currentPolicy.data.minLength != null &&
+            currentPolicy.data.minLength > enforcedOptions.minLength
+          ) {
+            enforcedOptions.minLength = currentPolicy.data.minLength;
+          }
+
+          if (currentPolicy.data.requireUpper) {
+            enforcedOptions.requireUpper = true;
+          }
+
+          if (currentPolicy.data.requireLower) {
+            enforcedOptions.requireLower = true;
+          }
+
+          if (currentPolicy.data.requireNumbers) {
+            enforcedOptions.requireNumbers = true;
+          }
+
+          if (currentPolicy.data.requireSpecial) {
+            enforcedOptions.requireSpecial = true;
+          }
+
+          if (currentPolicy.data.enforceOnLogin) {
+            enforcedOptions.enforceOnLogin = true;
+          }
+        });
+
+        return enforcedOptions;
+      }),
+    );
+  }
+
+  evaluateMasterPassword(
+    passwordStrength: number,
+    newPassword: string,
+    enforcedPolicyOptions?: MasterPasswordPolicyOptions,
+  ): boolean {
+    if (!enforcedPolicyOptions) {
+      return true;
+    }
+
+    if (
+      enforcedPolicyOptions.minComplexity > 0 &&
+      enforcedPolicyOptions.minComplexity > passwordStrength
+    ) {
+      return false;
+    }
+
+    if (
+      enforcedPolicyOptions.minLength > 0 &&
+      enforcedPolicyOptions.minLength > newPassword.length
+    ) {
+      return false;
+    }
+
+    if (enforcedPolicyOptions.requireUpper && newPassword.toLocaleLowerCase() === newPassword) {
+      return false;
+    }
+
+    if (enforcedPolicyOptions.requireLower && newPassword.toLocaleUpperCase() === newPassword) {
+      return false;
+    }
+
+    if (enforcedPolicyOptions.requireNumbers && !/[0-9]/.test(newPassword)) {
+      return false;
+    }
+
+    // eslint-disable-next-line
+    if (enforcedPolicyOptions.requireSpecial && !/[!@#$%\^&*]/g.test(newPassword)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  getResetPasswordPolicyOptions(
+    policies: Policy[],
+    orgId: string,
+  ): [ResetPasswordPolicyOptions, boolean] {
+    const resetPasswordPolicyOptions = new ResetPasswordPolicyOptions();
+
+    if (!policies || !orgId) {
+      return [resetPasswordPolicyOptions, false];
+    }
+
+    const policy = policies.find(
+      (p) => p.organizationId === orgId && p.type === PolicyType.ResetPassword && p.enabled,
+    );
+    resetPasswordPolicyOptions.autoEnrollEnabled = policy?.data?.autoEnrollEnabled ?? false;
+
+    return [resetPasswordPolicyOptions, policy?.enabled ?? false];
+  }
+
+  async upsert(policy: PolicyData, userId: UserId): Promise<void> {
+    await this.policyState(userId).update((policies) => {
+      policies ??= {};
+      policies[policy.id] = policy;
+      return policies;
+    });
+  }
+
+  async replace(policies: { [id: string]: PolicyData }, userId: UserId): Promise<void> {
+    await this.stateProvider.setUserState(POLICIES, policies, userId);
+  }
+
+  /**
+   * Determines whether an orgUser is exempt from a specific policy because of their role
+   * Generally orgUsers who can manage policies are exempt from them, but some policies are stricter
+   */
+  private isExemptFromPolicy(policyType: PolicyType, organization: Organization) {
+    switch (policyType) {
+      case PolicyType.MaximumVaultTimeout:
+        // Max Vault Timeout applies to everyone except owners
+        return organization.isOwner;
+      case PolicyType.PasswordGenerator:
+        // password generation policy applies to everyone
+        return false;
+      case PolicyType.PersonalOwnership:
+        // individual vault policy applies to everyone except admins and owners
+        return organization.isAdmin;
+      case PolicyType.FreeFamiliesSponsorshipPolicy:
+        // free Bitwarden families policy applies to everyone
+        return false;
+      default:
+        return organization.canManagePolicies;
+    }
+  }
+}
--- a/libs/common/src/admin-console/services/policy/vnext-policy-state.ts
+++ b/libs/common/src/admin-console/services/policy/vnext-policy-state.ts
@@ -0,0 +1,8 @@
+import { POLICIES_DISK, UserKeyDefinition } from "../../../platform/state";
+import { PolicyId } from "../../../types/guid";
+import { PolicyData } from "../../models/data/policy.data";
+
+export const POLICIES = UserKeyDefinition.record<PolicyData, PolicyId>(POLICIES_DISK, "policies", {
+  deserializer: (policyData) => policyData,
+  clearOn: ["logout"],
+});