[PM-26636] - Auto Confirm Org User Command (#6488)

* Adding auto confirm endpoint and initial command work.

* Adding validator

* Finished command implementation.

* Enabled the feature renomved used method. Enabled the policy in the tests.

* Added extension functions to allow for railroad programming.

* Removed guid from route template. Added xml docs

* Added validation for command.

* Added default collection creation to command.

* formatting.

* Added additional error types and mapped to appropriate results.

* Added tests for auto confirm validator

* Adding tests

* fixing file name

* Cleaned up OrgUserController. Added integration tests.

* Consolidated CommandResult and validation result stuff into a v2 directory.

* changing result to match handle method.

* Moves validation thenasync method.

* Added brackets.

* Updated XML comment

* Adding idempotency comment.

* Fixed up merge problems. Fixed return types for handle.

* Renamed to ValidationRequest

* I added some methods for CommandResult to cover some future use cases. Added ApplyAsync method to execute multiple functions against CommandResult without an error stopping the workflow for side-effects.

* Fixed up logic around should create default colleciton. Added more methods for chaining ValidationResult together. Added logic for user type.

* Clearing nullable enable.

* Fixed up validator tests.

* Tests for auto confirm command

* Fixed up command result and AutoConfirmCommand.

* Removed some unused methods.

* Moved autoconfirm tests to their own class.

* Moved some stuff around. Need to clean up creation of accepted org user yet.

* Moved some more code around. Folded Key into accepted constructor. removed unneeded tests since key and accepted are now a part of AcceptedOrgUser Creation.

* Clean up clean up everybody everywhere. Clean up clean up everybody do your share.

* Another quick one

* Removed aggregate Errors.cs

* Cleaned up validator and fixed up tests.

* Fixed auto confirm repo

* Cleaned up command tests.

* Unused method.

* Restoring Bulk command back to what it was. deleted handle method for bulk.

* Remove unused method.

* removed unnecssary lines and comments

* fixed layout.

* Fixed test.

* fixed spelling mistake. removed unused import.

* Update test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmUsersCommandTests.cs

Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>

* Ensuring collection is created before full sync. Cleaning up tests and added a few more. Added check that the policy is enabled.

* Added org cleanup

* Lowering to 5 to see if  that helps the runner.

* 🤷

* Trying this

* Maybe this time will be different.

* seeing if awaiting and checking independently will work in ci

* I figured it out. Locally, it would be fast enough to all return NoContent, however in CI, its slow enough for it to return 400 due to the user already being confirmed via validation.

* Updated tests and validator

* Fixed name

---------

Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUserCommand.cs

@@ -0,0 +1,186 @@
+using Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.Extensions.Logging;
+using OneOf.Types;
+using CommandResult = Bit.Core.AdminConsole.Utilities.v2.Results.CommandResult;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public class AutomaticallyConfirmOrganizationUserCommand(IOrganizationUserRepository organizationUserRepository,
+    IOrganizationRepository organizationRepository,
+    IAutomaticallyConfirmOrganizationUsersValidator validator,
+    IEventService eventService,
+    IMailService mailService,
+    IUserRepository userRepository,
+    IPushRegistrationService pushRegistrationService,
+    IDeviceRepository deviceRepository,
+    IPushNotificationService pushNotificationService,
+    IPolicyRequirementQuery policyRequirementQuery,
+    ICollectionRepository collectionRepository,
+    TimeProvider timeProvider,
+    ILogger<AutomaticallyConfirmOrganizationUserCommand> logger) : IAutomaticallyConfirmOrganizationUserCommand
+{
+    public async Task<CommandResult> AutomaticallyConfirmOrganizationUserAsync(AutomaticallyConfirmOrganizationUserRequest request)
+    {
+        var validatorRequest = await RetrieveDataAsync(request);
+
+        var validatedData = await validator.ValidateAsync(validatorRequest);
+
+        return await validatedData.Match<Task<CommandResult>>(
+            error => Task.FromResult(new CommandResult(error)),
+            async _ =>
+            {
+                var userToConfirm = new AcceptedOrganizationUserToConfirm
+                {
+                    OrganizationUserId = validatedData.Request.OrganizationUser!.Id,
+                    UserId = validatedData.Request.OrganizationUser.UserId!.Value,
+                    Key = validatedData.Request.Key
+                };
+
+                // This operation is idempotent. If false, the user is already confirmed and no additional side effects are required.
+                if (!await organizationUserRepository.ConfirmOrganizationUserAsync(userToConfirm))
+                {
+                    return new None();
+                }
+
+                await CreateDefaultCollectionsAsync(validatedData.Request);
+
+                await Task.WhenAll(
+                    LogOrganizationUserConfirmedEventAsync(validatedData.Request),
+                    SendConfirmedOrganizationUserEmailAsync(validatedData.Request),
+                    SyncOrganizationKeysAsync(validatedData.Request)
+                );
+
+                return new None();
+            }
+        );
+    }
+
+    private async Task SyncOrganizationKeysAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        await DeleteDeviceRegistrationAsync(request);
+        await PushSyncOrganizationKeysAsync(request);
+    }
+
+    private async Task CreateDefaultCollectionsAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            if (!await ShouldCreateDefaultCollectionAsync(request))
+            {
+                return;
+            }
+
+            await collectionRepository.CreateAsync(
+                new Collection
+                {
+                    OrganizationId = request.Organization!.Id,
+                    Name = request.DefaultUserCollectionName,
+                    Type = CollectionType.DefaultUserCollection
+                },
+                groups: null,
+                [new CollectionAccessSelection
+                {
+                    Id = request.OrganizationUser!.Id,
+                    Manage = true
+                }]);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to create default collection for user.");
+        }
+    }
+
+    /// <summary>
+    /// Determines whether a default collection should be created for an organization user during the confirmation process.
+    /// </summary>
+    /// <param name="request">
+    /// The validation request containing information about the user, organization, and collection settings.
+    /// </param>
+    /// <returns>The result is a boolean value indicating whether a default collection should be created.</returns>
+    private async Task<bool> ShouldCreateDefaultCollectionAsync(AutomaticallyConfirmOrganizationUserValidationRequest request) =>
+        !string.IsNullOrWhiteSpace(request.DefaultUserCollectionName)
+        && (await policyRequirementQuery.GetAsync<OrganizationDataOwnershipPolicyRequirement>(request.OrganizationUser!.UserId!.Value))
+            .RequiresDefaultCollectionOnConfirm(request.Organization!.Id);
+
+    private async Task PushSyncOrganizationKeysAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            await pushNotificationService.PushSyncOrgKeysAsync(request.OrganizationUser!.UserId!.Value);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to push organization keys.");
+        }
+    }
+
+    private async Task LogOrganizationUserConfirmedEventAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            await eventService.LogOrganizationUserEventAsync(request.OrganizationUser,
+                EventType.OrganizationUser_AutomaticallyConfirmed,
+                timeProvider.GetUtcNow().UtcDateTime);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to log OrganizationUser_AutomaticallyConfirmed event.");
+        }
+    }
+
+    private async Task SendConfirmedOrganizationUserEmailAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            var user = await userRepository.GetByIdAsync(request.OrganizationUser!.UserId!.Value);
+
+            await mailService.SendOrganizationConfirmedEmailAsync(request.Organization!.Name,
+                user!.Email,
+                request.OrganizationUser.AccessSecretsManager);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to send OrganizationUserConfirmed.");
+        }
+    }
+
+    private async Task DeleteDeviceRegistrationAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            var devices = (await deviceRepository.GetManyByUserIdAsync(request.OrganizationUser!.UserId!.Value))
+                    .Where(d => !string.IsNullOrWhiteSpace(d.PushToken))
+                    .Select(d => d.Id.ToString());
+
+            await pushRegistrationService.DeleteUserRegistrationOrganizationAsync(devices, request.Organization!.Id.ToString());
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to delete device registration.");
+        }
+    }
+
+    private async Task<AutomaticallyConfirmOrganizationUserValidationRequest> RetrieveDataAsync(
+        AutomaticallyConfirmOrganizationUserRequest request)
+    {
+        return new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            OrganizationUserId = request.OrganizationUserId,
+            OrganizationId = request.OrganizationId,
+            Key = request.Key,
+            DefaultUserCollectionName = request.DefaultUserCollectionName,
+            PerformedBy = request.PerformedBy,
+            OrganizationUser = await organizationUserRepository.GetByIdAsync(request.OrganizationUserId),
+            Organization = await organizationRepository.GetByIdAsync(request.OrganizationId)
+        };
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUserRequest.cs

@@ -0,0 +1,29 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+/// <summary>
+/// Automatically Confirm User Command Request
+/// </summary>
+public record AutomaticallyConfirmOrganizationUserRequest
+{
+    public required Guid OrganizationUserId { get; init; }
+    public required Guid OrganizationId { get; init; }
+    public required string Key { get; init; }
+    public required string DefaultUserCollectionName { get; init; }
+    public required IActingUser PerformedBy { get; init; }
+}
+
+/// <summary>
+/// Automatically Confirm User Validation Request
+/// </summary>
+/// <remarks>
+/// This is used to hold retrieved data and pass it to the validator
+/// </remarks>
+public record AutomaticallyConfirmOrganizationUserValidationRequest : AutomaticallyConfirmOrganizationUserRequest
+{
+    public OrganizationUser? OrganizationUser { get; set; }
+    public Organization? Organization { get; set; }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUsersValidator.cs

@@ -0,0 +1,116 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Utilities.v2;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public class AutomaticallyConfirmOrganizationUsersValidator(
+    IOrganizationUserRepository organizationUserRepository,
+    ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+    IPolicyRequirementQuery policyRequirementQuery,
+    IPolicyRepository policyRepository) : IAutomaticallyConfirmOrganizationUsersValidator
+{
+    public async Task<ValidationResult<AutomaticallyConfirmOrganizationUserValidationRequest>> ValidateAsync(
+        AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        // User must exist
+        if (request is { OrganizationUser: null } || request.OrganizationUser is { UserId: null })
+        {
+            return Invalid(request, new UserNotFoundError());
+        }
+
+        // Organization must exist
+        if (request is { Organization: null })
+        {
+            return Invalid(request, new OrganizationNotFound());
+        }
+
+        // User must belong to the organization
+        if (request.OrganizationUser.OrganizationId != request.Organization.Id)
+        {
+            return Invalid(request, new OrganizationUserIdIsInvalid());
+        }
+
+        // User must be accepted
+        if (request is { OrganizationUser.Status: not OrganizationUserStatusType.Accepted })
+        {
+            return Invalid(request, new UserIsNotAccepted());
+        }
+
+        // User must be of type User
+        if (request is { OrganizationUser.Type: not OrganizationUserType.User })
+        {
+            return Invalid(request, new UserIsNotUserType());
+        }
+
+        if (!await OrganizationHasAutomaticallyConfirmUsersPolicyEnabledAsync(request))
+        {
+            return Invalid(request, new AutomaticallyConfirmUsersPolicyIsNotEnabled());
+        }
+
+        if (!await OrganizationUserConformsToTwoFactorRequiredPolicyAsync(request))
+        {
+            return Invalid(request, new UserDoesNotHaveTwoFactorEnabled());
+        }
+
+        if (await OrganizationUserConformsToSingleOrgPolicyAsync(request) is { } error)
+        {
+            return Invalid(request, error);
+        }
+
+        return Valid(request);
+    }
+
+    private async Task<bool> OrganizationHasAutomaticallyConfirmUsersPolicyEnabledAsync(
+            AutomaticallyConfirmOrganizationUserValidationRequest request) =>
+        await policyRepository.GetByOrganizationIdTypeAsync(request.OrganizationId,
+            PolicyType.AutomaticUserConfirmation) is { Enabled: true }
+        && request.Organization is { UseAutomaticUserConfirmation: true };
+
+    private async Task<bool> OrganizationUserConformsToTwoFactorRequiredPolicyAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        if ((await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync([request.OrganizationUser!.UserId!.Value]))
+            .Any(x => x.userId == request.OrganizationUser.UserId && x.twoFactorIsEnabled))
+        {
+            return true;
+        }
+
+        return !(await policyRequirementQuery.GetAsync<RequireTwoFactorPolicyRequirement>(request.OrganizationUser.UserId!.Value))
+            .IsTwoFactorRequiredForOrganization(request.Organization!.Id);
+    }
+
+    private async Task<Error?> OrganizationUserConformsToSingleOrgPolicyAsync(
+        AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        var allOrganizationUsersForUser = await organizationUserRepository
+            .GetManyByUserAsync(request.OrganizationUser!.UserId!.Value);
+
+        if (allOrganizationUsersForUser.Count == 1)
+        {
+            return null;
+        }
+
+        var policyRequirement = await policyRequirementQuery
+            .GetAsync<SingleOrganizationPolicyRequirement>(request.OrganizationUser!.UserId!.Value);
+
+        if (policyRequirement.IsSingleOrgEnabledForThisOrganization(request.Organization!.Id))
+        {
+            return new OrganizationEnforcesSingleOrgPolicy();
+        }
+
+        if (policyRequirement.IsSingleOrgEnabledForOrganizationsOtherThan(request.Organization.Id))
+        {
+            return new OtherOrganizationEnforcesSingleOrgPolicy();
+        }
+
+        return null;
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/Errors.cs

@@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Utilities.v2;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public record OrganizationNotFound() : NotFoundError("Invalid organization");
+public record FailedToWriteToEventLog() : InternalError("Failed to write to event log");
+public record UserIsNotUserType() : BadRequestError("Only organization users with the User role can be automatically confirmed");
+public record UserIsNotAccepted() : BadRequestError("Cannot confirm user that has not accepted the invitation.");
+public record OrganizationUserIdIsInvalid() : BadRequestError("Invalid organization user id.");
+public record UserDoesNotHaveTwoFactorEnabled() : BadRequestError("User does not have two-step login enabled.");
+public record OrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot confirm this member to the organization until they leave or remove all other organizations");
+public record OtherOrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot confirm this member to the organization because they are in another organization which forbids it.");
+public record AutomaticallyConfirmUsersPolicyIsNotEnabled() : BadRequestError("Cannot confirm this member because the Automatically Confirm Users policy is not enabled.");

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/IAutomaticallyConfirmOrganizationUsersValidator.cs

@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public interface IAutomaticallyConfirmOrganizationUsersValidator
+{
+    Task<ValidationResult<AutomaticallyConfirmOrganizationUserValidationRequest>> ValidateAsync(
+        AutomaticallyConfirmOrganizationUserValidationRequest request);
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/CommandResult.cs

@@ -1,42 +0,0 @@
-using OneOf;
-using OneOf.Types;
-
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
-
-/// <summary>
-/// Represents the result of a command.
-/// This is a <see cref="OneOf{Error, T}"/> type that contains an Error if the command execution failed, or the result of the command if it succeeded.
-/// </summary>
-/// <typeparam name="T">The type of the successful result. If there is no successful result (void), use <see cref="BulkCommandResult"/>.</typeparam>
-
-public class CommandResult<T>(OneOf<Error, T> result) : OneOfBase<Error, T>(result)
-{
-    public bool IsError => IsT0;
-    public bool IsSuccess => IsT1;
-    public Error AsError => AsT0;
-    public T AsSuccess => AsT1;
-
-    public static implicit operator CommandResult<T>(T value) => new(value);
-    public static implicit operator CommandResult<T>(Error error) => new(error);
-}
-
-/// <summary>
-/// Represents the result of a command where successful execution returns no value (void).
-/// See <see cref="CommandResult{T}"/> for more information.
-/// </summary>
-public class CommandResult(OneOf<Error, None> result) : CommandResult<None>(result)
-{
-    public static implicit operator CommandResult(None none) => new(none);
-    public static implicit operator CommandResult(Error error) => new(error);
-}
-
-/// <summary>
-/// A wrapper for <see cref="CommandResult{T}"/> with an ID, to identify the result in bulk operations.
-/// </summary>
-public record BulkCommandResult<T>(Guid Id, CommandResult<T> Result);
-
-/// <summary>
-/// A wrapper for <see cref="CommandResult"/> with an ID, to identify the result in bulk operations.
-/// </summary>
-public record BulkCommandResult(Guid Id, CommandResult Result);
-

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/DeleteClaimedOrganizationUserAccountCommand.cs

@@ -1,4 +1,6 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/DeleteClaimedOrganizationUserAccountValidator.cs

@@ -1,8 +1,9 @@
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
-using static Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount.ValidationResultHelpers;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/Errors.cs

@@ -1,15 +1,6 @@
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.Utilities.v2;
 
-/// <summary>
-/// A strongly typed error containing a reason that an action failed.
-/// This is used for business logic validation and other expected errors, not exceptions.
-/// </summary>
-public abstract record Error(string Message);
-/// <summary>
-/// An <see cref="Error"/> type that maps to a NotFoundResult at the api layer.
-/// </summary>
-/// <param name="Message"></param>
-public abstract record NotFoundError(string Message) : Error(Message);
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 
 public record UserNotFoundError() : NotFoundError("Invalid user.");
 public record UserNotClaimedError() : Error("Member is not claimed by the organization.");

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/IDeleteClaimedOrganizationUserAccountCommand.cs

@@ -1,4 +1,6 @@
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 
 public interface IDeleteClaimedOrganizationUserAccountCommand
 {

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/IDeleteClaimedOrganizationUserAccountValidator.cs

@@ -1,4 +1,6 @@
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 
 public interface IDeleteClaimedOrganizationUserAccountValidator
 {

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/ValidationResult.cs

@@ -1,41 +0,0 @@
-using OneOf;
-using OneOf.Types;
-
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
-
-/// <summary>
-/// Represents the result of validating a request.
-/// This is for use within the Core layer, e.g. validating a command request.
-/// </summary>
-/// <param name="request">The request that has been validated.</param>
-/// <param name="error">A <see cref="OneOf{Error, None}"/> type that contains an Error if validation failed.</param>
-/// <typeparam name="TRequest">The request type.</typeparam>
-public class ValidationResult<TRequest>(TRequest request, OneOf<Error, None> error) : OneOfBase<Error, None>(error)
-{
-    public TRequest Request { get; } = request;
-
-    public bool IsError => IsT0;
-    public bool IsValid => IsT1;
-    public Error AsError => AsT0;
-}
-
-public static class ValidationResultHelpers
-{
-    /// <summary>
-    /// Creates a successful <see cref="ValidationResult{TRequest}"/> with no error set.
-    /// </summary>
-    public static ValidationResult<T> Valid<T>(T request) => new(request, new None());
-    /// <summary>
-    /// Creates a failed <see cref="ValidationResult{TRequest}"/> with the specified error.
-    /// </summary>
-    public static ValidationResult<T> Invalid<T>(T request, Error error) => new(request, error);
-
-    /// <summary>
-    /// Extracts successfully validated requests from a sequence of <see cref="ValidationResult{TRequest}"/>.
-    /// </summary>
-    public static List<T> ValidRequests<T>(this IEnumerable<ValidationResult<T>> results) =>
-        results
-            .Where(r => r.IsValid)
-            .Select(r => r.Request)
-            .ToList();
-}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IAutomaticallyConfirmOrganizationUserCommand.cs

@@ -0,0 +1,40 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+/// <summary>
+/// Command to automatically confirm an organization user.
+/// </summary>
+/// <remarks>
+/// The auto-confirm feature enables eligible client apps to confirm OrganizationUsers
+/// automatically via push notifications, eliminating the need for manual administrator
+/// intervention. Client apps receive a push notification, perform the required key exchange,
+/// and submit an auto-confirm request to the server. This command processes those
+/// client-initiated requests and should only be used in that specific context.
+/// </remarks>
+public interface IAutomaticallyConfirmOrganizationUserCommand
+{
+    /// <summary>
+    /// Automatically confirms the organization user based on the provided request data.
+    /// </summary>
+    /// <param name="request">The request containing necessary information to confirm the organization user.</param>
+    /// <remarks>
+    /// This action has side effects. The side effects are
+    /// <ul>
+    ///   <li>Creating an event log entry.</li>
+    ///   <li>Syncing organization keys with the user.</li>
+    ///   <li>Deleting any registered user devices for the organization.</li>
+    ///   <li>Sending an email to the confirmed user.</li>
+    ///   <li>Creating the default collection if applicable.</li>
+    /// </ul>
+    ///
+    /// Each of these actions is performed independently of each other and not guaranteed to be performed in any order.
+    /// Errors will be reported back for the actions that failed in a consolidated error message.
+    /// </remarks>
+    /// <returns>
+    /// The result of the command. If there was an error, the result will contain a typed error describing the problem
+    /// that occurred.
+    /// </returns>
+    Task<CommandResult> AutomaticallyConfirmOrganizationUserAsync(AutomaticallyConfirmOrganizationUserRequest request);
+}

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SingleOrganizationPolicyRequirement.cs

@@ -0,0 +1,21 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public class SingleOrganizationPolicyRequirement(IEnumerable<PolicyDetails> policyDetails) : IPolicyRequirement
+{
+    public bool IsSingleOrgEnabledForThisOrganization(Guid organizationId) =>
+        policyDetails.Any(p => p.OrganizationId == organizationId);
+
+    public bool IsSingleOrgEnabledForOrganizationsOtherThan(Guid organizationId) =>
+        policyDetails.Any(p => p.OrganizationId != organizationId);
+}
+
+public class SingleOrganizationPolicyRequirementFactory : BasePolicyRequirementFactory<SingleOrganizationPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.SingleOrg;
+
+    public override SingleOrganizationPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails) =>
+        new(policyDetails);
+}

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs

@@ -65,5 +65,6 @@ public static class PolicyServiceCollectionExtensions
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, RequireSsoPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, RequireTwoFactorPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, MasterPasswordPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SingleOrganizationPolicyRequirementFactory>();
     }
 }

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs

@@ -1,6 +1,4 @@
-#nullable enable
-
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
@@ -29,8 +27,6 @@ public class SingleOrgPolicyValidator : IPolicyValidator, IPolicyValidationEvent
     private readonly IOrganizationRepository _organizationRepository;
     private readonly ISsoConfigRepository _ssoConfigRepository;
     private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
-    private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
     private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;
     private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;
 
@@ -40,8 +36,6 @@ public class SingleOrgPolicyValidator : IPolicyValidator, IPolicyValidationEvent
         IOrganizationRepository organizationRepository,
         ISsoConfigRepository ssoConfigRepository,
         ICurrentContext currentContext,
-        IFeatureService featureService,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
         IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
         IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand)
     {
@@ -50,8 +44,6 @@ public class SingleOrgPolicyValidator : IPolicyValidator, IPolicyValidationEvent
         _organizationRepository = organizationRepository;
         _ssoConfigRepository = ssoConfigRepository;
         _currentContext = currentContext;
-        _featureService = featureService;
-        _removeOrganizationUserCommand = removeOrganizationUserCommand;
         _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
         _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
     }