Merge branch 'main' into jmccannon/ac/pm-27131-auto-confirm-req

src/Core/AdminConsole/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs

@@ -4,7 +4,6 @@
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.Context;
@@ -25,8 +24,6 @@ public class VerifyOrganizationDomainCommand(
     IEventService eventService,
     IGlobalSettings globalSettings,
     ICurrentContext currentContext,
-    IFeatureService featureService,
-    ISavePolicyCommand savePolicyCommand,
     IVNextSavePolicyCommand vNextSavePolicyCommand,
     IMailService mailService,
     IOrganizationUserRepository organizationUserRepository,
@@ -144,15 +141,8 @@ public class VerifyOrganizationDomainCommand(
             PerformedBy = actingUser
         };
 
-        if (featureService.IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor))
-        {
-            var savePolicyModel = new SavePolicyModel(policyUpdate, actingUser);
-            await vNextSavePolicyCommand.SaveAsync(savePolicyModel);
-        }
-        else
-        {
-            await savePolicyCommand.SaveAsync(policyUpdate);
-        }
+        var savePolicyModel = new SavePolicyModel(policyUpdate, actingUser);
+        await vNextSavePolicyCommand.SaveAsync(savePolicyModel);
     }
 
     private async Task SendVerifiedDomainUserEmailAsync(OrganizationDomain domain)

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/README.md

@@ -0,0 +1,22 @@
+# Automatic User Confirmation
+
+Owned by: admin-console
+
+Automatic confirmation requests are server driven events that are sent to the admin's client where via a background service the confirmation will occur. The basic model
+for the workflow is as follows:
+
+- The Api server sends an invite email to a user.
+- The user accepts the invite request, which is sent back to the Api server
+- The Api server sends a push-notification with the OrganizationId and UserId to a client admin session.
+- The Client performs the key exchange in the background and POSTs the ConfirmRequest back to the Api server
+- The Api server runs the OrgUser_Confirm sproc to confirm the user in the DB
+
+This Feature has the following security measures in place in order to achieve our security goals:
+
+- The single organization exemption for admins/owners is removed for this policy.
+  - This is enforced by preventing enabling the policy and organization plan feature if there are non-compliant users
+- Emergency access is removed for all organization users
+- Automatic confirmation will only apply to the User role (You cannot auto confirm admins/owners to an organization)
+- The organization has no members with the Provider user type.
+  - This will also prevent the policy and organization plan feature from being enabled
+  - This will prevent sending organization invites to provider users

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs

@@ -38,6 +38,7 @@ public static class PolicyServiceCollectionExtensions
         services.AddScoped<IPolicyValidator, MaximumVaultTimeoutPolicyValidator>();
         services.AddScoped<IPolicyValidator, UriMatchDefaultPolicyValidator>();
         services.AddScoped<IPolicyValidator, FreeFamiliesForEnterprisePolicyValidator>();
+        services.AddScoped<IPolicyValidator, BlockClaimedDomainAccountCreationPolicyValidator>();
         services.AddScoped<IPolicyValidator, AutomaticUserConfirmationPolicyEventHandler>();
     }