[PM-18718] Refactor Bulk Revoke Users (#6601)

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v1/IRevokeOrganizationUserCommand.cs

@@ -1,7 +1,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 
 public interface IRevokeOrganizationUserCommand
 {

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v1/RevokeOrganizationUserCommand.cs

@@ -7,7 +7,7 @@ using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 
 public class RevokeOrganizationUserCommand(
     IEventService eventService,

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/Errors.cs

@@ -0,0 +1,8 @@
+using Bit.Core.AdminConsole.Utilities.v2;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+public record UserAlreadyRevoked() : BadRequestError("Already revoked.");
+public record CannotRevokeYourself() : BadRequestError("You cannot revoke yourself.");
+public record OnlyOwnersCanRevokeOwners() : BadRequestError("Only owners can revoke other owners.");
+public record MustHaveConfirmedOwner() : BadRequestError("Organization must have at least one confirmed owner.");

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/IRevokeOrganizationUserCommand.cs

@@ -0,0 +1,8 @@
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+public interface IRevokeOrganizationUserCommand
+{
+    Task<IEnumerable<BulkCommandResult>> RevokeUsersAsync(RevokeOrganizationUsersRequest request);
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/IRevokeOrganizationUserValidator.cs

@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+public interface IRevokeOrganizationUserValidator
+{
+    Task<ICollection<ValidationResult<OrganizationUser>>> ValidateAsync(RevokeOrganizationUsersValidationRequest request);
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/RevokeOrganizationUserCommand.cs

@@ -0,0 +1,114 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.Extensions.Logging;
+using OneOf.Types;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+public class RevokeOrganizationUserCommand(
+    IOrganizationUserRepository organizationUserRepository,
+    IEventService eventService,
+    IPushNotificationService pushNotificationService,
+    IRevokeOrganizationUserValidator validator,
+    TimeProvider timeProvider,
+    ILogger<RevokeOrganizationUserCommand> logger)
+    : IRevokeOrganizationUserCommand
+{
+    public async Task<IEnumerable<BulkCommandResult>> RevokeUsersAsync(RevokeOrganizationUsersRequest request)
+    {
+        var validationRequest = await CreateValidationRequestsAsync(request);
+
+        var results = await validator.ValidateAsync(validationRequest);
+
+        var validUsers = results.Where(r => r.IsValid).Select(r => r.Request).ToList();
+
+        await RevokeValidUsersAsync(validUsers);
+
+        await Task.WhenAll(
+            LogRevokedOrganizationUsersAsync(validUsers, request.PerformedBy),
+            SendPushNotificationsAsync(validUsers)
+        );
+
+        return results.Select(r => r.Match(
+            error => new BulkCommandResult(r.Request.Id, error),
+            _ => new BulkCommandResult(r.Request.Id, new None())
+        ));
+    }
+
+    private async Task<RevokeOrganizationUsersValidationRequest> CreateValidationRequestsAsync(
+        RevokeOrganizationUsersRequest request)
+    {
+        var organizationUserToRevoke = await organizationUserRepository
+            .GetManyAsync(request.OrganizationUserIdsToRevoke);
+
+        return new RevokeOrganizationUsersValidationRequest(
+            request.OrganizationId,
+            request.OrganizationUserIdsToRevoke,
+            request.PerformedBy,
+            organizationUserToRevoke);
+    }
+
+    private async Task RevokeValidUsersAsync(ICollection<OrganizationUser> validUsers)
+    {
+        if (validUsers.Count == 0)
+        {
+            return;
+        }
+
+        await organizationUserRepository.RevokeManyByIdAsync(validUsers.Select(u => u.Id));
+    }
+
+    private async Task LogRevokedOrganizationUsersAsync(
+        ICollection<OrganizationUser> revokedUsers,
+        IActingUser actingUser)
+    {
+        if (revokedUsers.Count == 0)
+        {
+            return;
+        }
+
+        var eventDate = timeProvider.GetUtcNow().UtcDateTime;
+
+        if (actingUser is SystemUser { SystemUserType: not null })
+        {
+            var revokeEventsWithSystem = revokedUsers
+                .Select(user => (user, EventType.OrganizationUser_Revoked, actingUser.SystemUserType!.Value,
+                    (DateTime?)eventDate))
+                .ToList();
+            await eventService.LogOrganizationUserEventsAsync(revokeEventsWithSystem);
+        }
+        else
+        {
+            var revokeEvents = revokedUsers
+                .Select(user => (user, EventType.OrganizationUser_Revoked, (DateTime?)eventDate))
+                .ToList();
+            await eventService.LogOrganizationUserEventsAsync(revokeEvents);
+        }
+    }
+
+    private async Task SendPushNotificationsAsync(ICollection<OrganizationUser> revokedUsers)
+    {
+        var userIdsToNotify = revokedUsers
+            .Where(user => user.UserId.HasValue)
+            .Select(user => user.UserId!.Value)
+            .Distinct()
+            .ToList();
+
+        foreach (var userId in userIdsToNotify)
+        {
+            try
+            {
+                await pushNotificationService.PushSyncOrgKeysAsync(userId);
+            }
+            catch (Exception ex)
+            {
+                logger.LogWarning(ex, "Failed to send push notification for user {UserId}.", userId);
+            }
+        }
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/RevokeOrganizationUsersRequest.cs

@@ -0,0 +1,17 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+public record RevokeOrganizationUsersRequest(
+    Guid OrganizationId,
+    ICollection<Guid> OrganizationUserIdsToRevoke,
+    IActingUser PerformedBy
+);
+
+public record RevokeOrganizationUsersValidationRequest(
+    Guid OrganizationId,
+    ICollection<Guid> OrganizationUserIdsToRevoke,
+    IActingUser PerformedBy,
+    ICollection<OrganizationUser> OrganizationUsersToRevoke
+) : RevokeOrganizationUsersRequest(OrganizationId, OrganizationUserIdsToRevoke, PerformedBy);

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v2/RevokeOrganizationUsersValidator.cs

@@ -0,0 +1,39 @@
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
+public class RevokeOrganizationUsersValidator(IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
+    : IRevokeOrganizationUserValidator
+{
+    public async Task<ICollection<ValidationResult<OrganizationUser>>> ValidateAsync(
+        RevokeOrganizationUsersValidationRequest request)
+    {
+        var hasRemainingOwner = await hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(request.OrganizationId,
+            request.OrganizationUsersToRevoke.Select(x => x.Id) // users excluded because they are going to be revoked
+            );
+
+        return request.OrganizationUsersToRevoke.Select(x =>
+        {
+            return x switch
+            {
+                _ when request.PerformedBy is not SystemUser
+                       && x.UserId is not null
+                       && x.UserId == request.PerformedBy.UserId =>
+                    Invalid(x, new CannotRevokeYourself()),
+                { Status: OrganizationUserStatusType.Revoked } =>
+                    Invalid(x, new UserAlreadyRevoked()),
+                { Type: OrganizationUserType.Owner } when !hasRemainingOwner =>
+                    Invalid(x, new MustHaveConfirmedOwner()),
+                { Type: OrganizationUserType.Owner } when !request.PerformedBy.IsOrganizationOwnerOrProvider =>
+                    Invalid(x, new OnlyOwnersCanRevokeOwners()),
+
+                _ => Valid(x)
+            };
+        }).ToList();
+    }
+}

src/Core/Constants.cs

@@ -142,6 +142,7 @@ public static class FeatureFlagKeys
     public const string PM23845_VNextApplicationCache = "pm-24957-refactor-memory-application-cache";
     public const string BlockClaimedDomainAccountCreation = "pm-28297-block-uninvited-claimed-domain-registration";
     public const string IncreaseBulkReinviteLimitForCloud = "pm-28251-increase-bulk-reinvite-limit-for-cloud";
+    public const string BulkRevokeUsersV2 = "pm-28456-bulk-revoke-users-v2";
 
     /* Architecture */
     public const string DesktopMigrationMilestone1 = "desktop-ui-migration-milestone-1";

src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs

@@ -45,6 +45,9 @@ using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 
+using V1_RevokeUsersCommand = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
+using V2_RevokeUsersCommand = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;
+
 namespace Bit.Core.OrganizationFeatures;
 
 public static class OrganizationServiceCollectionExtensions
@@ -133,7 +136,6 @@ public static class OrganizationServiceCollectionExtensions
     {
         services.AddScoped<IRemoveOrganizationUserCommand, RemoveOrganizationUserCommand>();
         services.AddScoped<IRevokeNonCompliantOrganizationUserCommand, RevokeNonCompliantOrganizationUserCommand>();
-        services.AddScoped<IRevokeOrganizationUserCommand, RevokeOrganizationUserCommand>();
         services.AddScoped<IUpdateOrganizationUserCommand, UpdateOrganizationUserCommand>();
         services.AddScoped<IUpdateOrganizationUserGroupsCommand, UpdateOrganizationUserGroupsCommand>();
         services.AddScoped<IConfirmOrganizationUserCommand, ConfirmOrganizationUserCommand>();
@@ -143,6 +145,11 @@ public static class OrganizationServiceCollectionExtensions
 
         services.AddScoped<IDeleteClaimedOrganizationUserAccountCommand, DeleteClaimedOrganizationUserAccountCommand>();
         services.AddScoped<IDeleteClaimedOrganizationUserAccountValidator, DeleteClaimedOrganizationUserAccountValidator>();
+
+        services.AddScoped<V1_RevokeUsersCommand.IRevokeOrganizationUserCommand, V1_RevokeUsersCommand.RevokeOrganizationUserCommand>();
+
+        services.AddScoped<V2_RevokeUsersCommand.IRevokeOrganizationUserCommand, V2_RevokeUsersCommand.RevokeOrganizationUserCommand>();
+        services.AddScoped<V2_RevokeUsersCommand.IRevokeOrganizationUserValidator, V2_RevokeUsersCommand.RevokeOrganizationUsersValidator>();
     }
 
     private static void AddOrganizationApiKeyCommandsQueries(this IServiceCollection services)