[PM-29555] Add self-revoke endpoint for declining organization data ownership policy (#6739)

* Add OrganizationUser_SelfRevoked event type to EventType enum

* Add SelfRevokeOrganizationUserCommand implementation and interface for user self-revocation from organizations

* Add unit tests for SelfRevokeOrganizationUserCommand to validate user self-revocation logic, including success scenarios and various failure conditions.

* Add ISelfRevokeOrganizationUserCommand registration to OrganizationServiceCollectionExtensions for user self-revocation functionality

* Add self-revoke user functionality to OrganizationUsersController with new endpoint for user-initiated revocation

* Add integration tests for self-revoke functionality in OrganizationUsersController, covering scenarios for eligible users, non-members, and users with owner/admin roles.

* Add unit test for SelfRevokeOrganizationUserCommand to validate behavior when a user attempts to self-revoke without confirmation. This test checks for a BadRequestException with an appropriate message.

* Add MemberRequirement class for organization membership authorization

- Implemented MemberRequirement to check if a user is a member of the organization.
- Added unit tests for MemberRequirement to validate authorization logic for different user types.

* Update authorization requirement for self-revoke endpoint and add integration test for provider users

- Changed authorization attribute from MemberOrProviderRequirement to MemberRequirement in the RevokeSelfAsync method.
- Added a new integration test to verify that provider users who are not members receive a forbidden response when attempting to revoke themselves.

* Add EligibleForSelfRevoke method to OrganizationDataOwnershipPolicyRequirement

- Implemented the EligibleForSelfRevoke method to determine if a user can self-revoke their data ownership based on their membership status and policy state.
- Added unit tests to validate the eligibility logic for confirmed, invited, and non-policy users, as well as for different organization IDs.

* Refactor self-revoke user command to enhance eligibility checks

- Updated the SelfRevokeOrganizationUserCommand to utilize policy requirements for determining user eligibility for self-revocation.
- Implemented checks to prevent the last owner from revoking themselves, ensuring organizational integrity.
- Modified unit tests to reflect changes in eligibility logic and added scenarios for confirmed owners and admins.
- Removed deprecated policy checks and streamlined the command's dependencies.

* Use CommandResult pattern in self-revoke command

* Clearer documentation

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/Errors.cs

@@ -0,0 +1,7 @@
+using Bit.Core.AdminConsole.Utilities.v2;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+
+public record OrganizationUserNotFound() : NotFoundError("Organization user not found.");
+public record NotEligibleForSelfRevoke() : BadRequestError("User is not eligible for self-revocation. The organization data ownership policy must be enabled and the user must be a confirmed member.");
+public record LastOwnerCannotSelfRevoke() : BadRequestError("The last owner cannot revoke themselves.");

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/ISelfRevokeOrganizationUserCommand.cs

@@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+
+/// <summary>
+/// Allows users to revoke themselves from an organization when declining to migrate personal items
+/// under the OrganizationDataOwnership policy.
+/// </summary>
+public interface ISelfRevokeOrganizationUserCommand
+{
+    /// <summary>
+    /// Revokes a user from an organization.
+    /// </summary>
+    /// <param name="organizationId">The organization ID.</param>
+    /// <param name="userId">The user ID to revoke.</param>
+    /// <returns>A <see cref="CommandResult"/> indicating success or containing an error.</returns>
+    /// <remarks>
+    /// Validates the OrganizationDataOwnership policy is enabled and applies to the user (currently Owners/Admins are exempt),
+    /// the user is a confirmed member, and prevents the last owner from revoking themselves.
+    /// </remarks>
+    Task<CommandResult> SelfRevokeUserAsync(Guid organizationId, Guid userId);
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/SelfRevokeOrganizationUserCommand.cs

@@ -0,0 +1,56 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+using Bit.Core.Enums;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using OneOf.Types;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+
+public class SelfRevokeOrganizationUserCommand(
+    IOrganizationUserRepository organizationUserRepository,
+    IPolicyRequirementQuery policyRequirementQuery,
+    IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
+    IEventService eventService,
+    IPushNotificationService pushNotificationService)
+    : ISelfRevokeOrganizationUserCommand
+{
+    public async Task<CommandResult> SelfRevokeUserAsync(Guid organizationId, Guid userId)
+    {
+        var organizationUser = await organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
+        if (organizationUser == null)
+        {
+            return new OrganizationUserNotFound();
+        }
+
+        var policyRequirement = await policyRequirementQuery.GetAsync<OrganizationDataOwnershipPolicyRequirement>(userId);
+
+        if (!policyRequirement.EligibleForSelfRevoke(organizationId))
+        {
+            return new NotEligibleForSelfRevoke();
+        }
+
+        // Prevent the last owner from revoking themselves, which would brick the organization
+        if (organizationUser.Type == OrganizationUserType.Owner)
+        {
+            var hasOtherOwner = await hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(
+                organizationId,
+                [organizationUser.Id],
+                includeProvider: true);
+
+            if (!hasOtherOwner)
+            {
+                return new LastOwnerCannotSelfRevoke();
+            }
+        }
+
+        await organizationUserRepository.RevokeAsync(organizationUser.Id);
+        await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_SelfRevoked);
+        await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+
+        return new None();
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/OrganizationDataOwnershipPolicyRequirement.cs

@@ -83,6 +83,24 @@ public class OrganizationDataOwnershipPolicyRequirement : IPolicyRequirement
         return _policyDetails.Any(p => p.OrganizationId == organizationId &&
                                        p.OrganizationUserStatus == OrganizationUserStatusType.Confirmed);
     }
+
+    /// <summary>
+    /// Determines if a user is eligible for self-revocation under the Organization Data Ownership policy.
+    /// A user is eligible if they are a confirmed member of the organization and the policy is enabled.
+    /// This also handles exempt roles (Owner/Admin) and policy disabled state via the factory's Enforce predicate.
+    /// </summary>
+    /// <param name="organizationId">The organization ID to check.</param>
+    /// <returns>True if the user is eligible for self-revocation (policy applies to them), false otherwise.</returns>
+    /// <remarks>
+    /// Self-revoke is used to opt out of migrating the user's personal vault to the organization as required by this policy.
+    /// </remarks>
+    public bool EligibleForSelfRevoke(Guid organizationId)
+    {
+        var policyDetail = _policyDetails
+            .FirstOrDefault(p => p.OrganizationId == organizationId);
+
+        return policyDetail?.HasStatus([OrganizationUserStatusType.Confirmed]) ?? false;
+    }
 }
 
 public record DefaultCollectionRequest(Guid OrganizationUserId, bool ShouldCreateDefaultCollection)