[PM-27766] Add policy for blocking account creation from claimed domains (#17211)

* Added policy for blocking account creation for claimed domains.

* add feature flag

* fix desc

* learn more link

* fix localization key to learnMore

* onpush change detection

apps/web/src/locales/en/messages.json

@@ -12122,6 +12122,15 @@
   "startFreeFamiliesTrial": {
     "message": "Start free Families trial"
   },
+  "blockClaimedDomainAccountCreation": {
+    "message": "Block account creation for claimed domains"
+  },
+  "blockClaimedDomainAccountCreationDesc": {
+    "message": "Prevent users from creating accounts outside of your organization using email addresses from claimed domains."
+  },
+  "blockClaimedDomainAccountCreationPrerequisite": {
+    "message": "A domain must be claimed before activating this policy."
+  },
   "unlockMethodNeededToChangeTimeoutActionDesc": {
     "message": "Set up an unlock method to change your vault timeout action."
   },

bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions/block-claimed-domain-account-creation.component.html

@@ -0,0 +1,15 @@
+<bit-callout type="info" title="{{ 'prerequisite' | i18n }}">
+  {{ "blockClaimedDomainAccountCreationPrerequisite" | i18n }}
+  <a
+    bitLink
+    href="https://bitwarden.com/help/domain-verification/"
+    target="_blank"
+    rel="noreferrer"
+    >{{ "learnMore" | i18n }}</a
+  >
+</bit-callout>
+
+<bit-form-control>
+  <input type="checkbox" id="enabled" bitCheckbox [formControl]="enabled" />
+  <bit-label>{{ "turnOn" | i18n }}</bit-label>
+</bit-form-control>

bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions/block-claimed-domain-account-creation.component.ts

@@ -0,0 +1,32 @@
+import { ChangeDetectionStrategy, Component } from "@angular/core";
+import { map, Observable } from "rxjs";
+
+import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import {
+  BasePolicyEditDefinition,
+  BasePolicyEditComponent,
+} from "@bitwarden/web-vault/app/admin-console/organizations/policies";
+import { SharedModule } from "@bitwarden/web-vault/app/shared";
+
+export class BlockClaimedDomainAccountCreationPolicy extends BasePolicyEditDefinition {
+  name = "blockClaimedDomainAccountCreation";
+  description = "blockClaimedDomainAccountCreationDesc";
+  type = PolicyType.BlockClaimedDomainAccountCreation;
+  component = BlockClaimedDomainAccountCreationPolicyComponent;
+
+  override display$(organization: Organization, configService: ConfigService): Observable<boolean> {
+    return configService
+      .getFeatureFlag$(FeatureFlag.BlockClaimedDomainAccountCreation)
+      .pipe(map((enabled) => enabled && organization.useOrganizationDomains));
+  }
+}
+
+@Component({
+  changeDetection: ChangeDetectionStrategy.OnPush,
+  templateUrl: "block-claimed-domain-account-creation.component.html",
+  imports: [SharedModule],
+})
+export class BlockClaimedDomainAccountCreationPolicyComponent extends BasePolicyEditComponent {}

bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions/index.ts

@@ -1,3 +1,4 @@
 export { ActivateAutofillPolicy } from "./activate-autofill.component";
 export { AutomaticAppLoginPolicy } from "./automatic-app-login.component";
+export { BlockClaimedDomainAccountCreationPolicy } from "./block-claimed-domain-account-creation.component";
 export { DisablePersonalVaultExportPolicy } from "./disable-personal-vault-export.component";

bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-register.ts

@@ -9,6 +9,7 @@ import { SessionTimeoutPolicy } from "../../key-management/policies/session-time
 import {
   ActivateAutofillPolicy,
   AutomaticAppLoginPolicy,
+  BlockClaimedDomainAccountCreationPolicy,
   DisablePersonalVaultExportPolicy,
 } from "./policy-edit-definitions";
 
@@ -23,6 +24,7 @@ const policyEditRegister: BasePolicyEditDefinition[] = [
   new FreeFamiliesSponsorshipPolicy(),
   new ActivateAutofillPolicy(),
   new AutomaticAppLoginPolicy(),
+  new BlockClaimedDomainAccountCreationPolicy(),
 ];
 
 export const bitPolicyEditRegister = ossPolicyEditRegister.concat(policyEditRegister);

libs/common/src/admin-console/enums/policy-type.enum.ts

@@ -20,4 +20,5 @@ export enum PolicyType {
   UriMatchDefaults = 16, // Sets the default URI matching strategy for all users within an organization
   AutotypeDefaultSetting = 17, // Sets the default autotype setting for desktop app
   AutoConfirm = 18, // Enables the auto confirmation feature for admins to enable in their client
+  BlockClaimedDomainAccountCreation = 19, // Prevents users from creating personal accounts using email addresses from verified domains
 }

libs/common/src/enums/feature-flag.enum.ts

@@ -13,6 +13,7 @@ export enum FeatureFlag {
   /* Admin Console Team */
   CreateDefaultLocation = "pm-19467-create-default-location",
   AutoConfirm = "pm-19934-auto-confirm-organization-users",
+  BlockClaimedDomainAccountCreation = "block-claimed-domain-account-creation",
 
   /* Auth */
   PM22110_DisableAlternateLoginMethods = "pm-22110-disable-alternate-login-methods",
@@ -91,6 +92,7 @@ export const DefaultFeatureFlagValue = {
   /* Admin Console Team */
   [FeatureFlag.CreateDefaultLocation]: FALSE,
   [FeatureFlag.AutoConfirm]: FALSE,
+  [FeatureFlag.BlockClaimedDomainAccountCreation]: FALSE,
 
   /* Autofill */
   [FeatureFlag.MacOsNativeCredentialSync]: FALSE,