[EC-787] Create a method in PolicyService to check if a policy applies to a user (#2537)

* [EC-787] Add new stored procedure OrganizationUser_ReadByUserIdWithPolicyDetails

* [EC-787] Add new method IOrganizationUserRepository.GetByUserIdWithPolicyDetailsAsync

* [EC-787] Add OrganizationUserPolicyDetails to represent policies applicable to a specific user

* [EC-787] Add method IPolicyService.GetPoliciesApplicableToUser to filter the obtained policy data

* [EC-787] Returning PolicyData on stored procedures

* [EC-787] Changed GetPoliciesApplicableToUserAsync to return ICollection

* [EC-787] Switched all usings of IPolicyRepository.GetManyByTypeApplicableToUserIdAsync to IPolicyService.GetPoliciesApplicableToUserAsync

* [EC-787] Removed policy logic from BaseRequestValidator and added usage of IPolicyService.GetPoliciesApplicableToUserAsync

* [EC-787] Added unit tests for IPolicyService.GetPoliciesApplicableToUserAsync

* [EC-787] Added unit tests for OrganizationUserRepository.GetByUserIdWithPolicyDetailsAsync

* [EC-787] Changed integration test to check for single result

* [EC-787] Marked IPolicyRepository methods GetManyByTypeApplicableToUserIdAsync and GetCountByTypeApplicableToUserIdAsync as obsolete

* [EC-787] Returning OrganizationUserId on OrganizationUser_ReadByUserIdWithPolicyDetails

* [EC-787] Remove deprecated stored procedures Policy_CountByTypeApplicableToUser, Policy_ReadByTypeApplicableToUser and function PolicyApplicableToUser

* [EC-787] Added method IPolicyService.AnyPoliciesApplicableToUserAsync

* [EC-787] Removed 'OrganizationUserType' parameter from queries

* [EC-787] Formatted OrganizationUserPolicyDetailsCompare

* [EC-787] Renamed SQL migration files

* [EC-787] Changed OrganizationUser_ReadByUserIdWithPolicyDetails to return Permissions json

* [EC-787] Refactored excluded user types for each Policy

* [EC-787] Updated dates on dbo_future files

* [EC-787] Remove dbo_future files from sql proj

* [EC-787] Added parameter PolicyType to IOrganizationUserRepository.GetByUserIdWithPolicyDetailsAsync

* [EC-787] Rewrote OrganizationUser_ReadByUserIdWithPolicyDetails and added parameter for PolicyType

* Update util/Migrator/DbScripts/2023-03-10_00_OrganizationUserReadByUserIdWithPolicyDetails.sql

Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>

---------

Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>

src/Core/Services/Implementations/PolicyService.cs

@@ -3,8 +3,10 @@ using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Repositories;
+using Bit.Core.Settings;
 
 namespace Bit.Core.Services;
 
@@ -16,6 +18,7 @@ public class PolicyService : IPolicyService
     private readonly IPolicyRepository _policyRepository;
     private readonly ISsoConfigRepository _ssoConfigRepository;
     private readonly IMailService _mailService;
+    private readonly GlobalSettings _globalSettings;
 
     public PolicyService(
         IEventService eventService,
@@ -23,7 +26,8 @@ public class PolicyService : IPolicyService
         IOrganizationUserRepository organizationUserRepository,
         IPolicyRepository policyRepository,
         ISsoConfigRepository ssoConfigRepository,
-        IMailService mailService)
+        IMailService mailService,
+        GlobalSettings globalSettings)
     {
         _eventService = eventService;
         _organizationRepository = organizationRepository;
@@ -31,6 +35,7 @@ public class PolicyService : IPolicyService
         _policyRepository = policyRepository;
         _ssoConfigRepository = ssoConfigRepository;
         _mailService = mailService;
+        _globalSettings = globalSettings;
     }
 
     public async Task SaveAsync(Policy policy, IUserService userService, IOrganizationService organizationService,
@@ -164,6 +169,47 @@ public class PolicyService : IPolicyService
         return enforcedOptions;
     }
 
+    public async Task<ICollection<OrganizationUserPolicyDetails>> GetPoliciesApplicableToUserAsync(Guid userId, PolicyType policyType, OrganizationUserStatusType minStatus = OrganizationUserStatusType.Accepted)
+    {
+        var result = await QueryOrganizationUserPolicyDetailsAsync(userId, policyType, minStatus);
+        return result.ToList();
+    }
+
+    public async Task<bool> AnyPoliciesApplicableToUserAsync(Guid userId, PolicyType policyType, OrganizationUserStatusType minStatus = OrganizationUserStatusType.Accepted)
+    {
+        var result = await QueryOrganizationUserPolicyDetailsAsync(userId, policyType, minStatus);
+        return result.Any();
+    }
+
+    private async Task<IEnumerable<OrganizationUserPolicyDetails>> QueryOrganizationUserPolicyDetailsAsync(Guid userId, PolicyType policyType, OrganizationUserStatusType minStatus = OrganizationUserStatusType.Accepted)
+    {
+        var organizationUserPolicyDetails = await _organizationUserRepository.GetByUserIdWithPolicyDetailsAsync(userId, policyType);
+        var excludedUserTypes = GetUserTypesExcludedFromPolicy(policyType);
+        return organizationUserPolicyDetails.Where(o =>
+            o.PolicyEnabled &&
+            !excludedUserTypes.Contains(o.OrganizationUserType) &&
+            o.OrganizationUserStatus >= minStatus &&
+            !o.IsProvider);
+    }
+
+    private OrganizationUserType[] GetUserTypesExcludedFromPolicy(PolicyType policyType)
+    {
+        switch (policyType)
+        {
+            case PolicyType.MasterPassword:
+                return Array.Empty<OrganizationUserType>();
+            case PolicyType.RequireSso:
+                // If 'EnforceSsoPolicyForAllUsers' is set to true then SSO policy applies to all user types otherwise it does not apply to Owner or Admin
+                if (_globalSettings.Sso.EnforceSsoPolicyForAllUsers)
+                {
+                    return Array.Empty<OrganizationUserType>();
+                }
+                break;
+        }
+
+        return new[] { OrganizationUserType.Owner, OrganizationUserType.Admin };
+    }
+
     private async Task DependsOnSingleOrgAsync(Organization org)
     {
         var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.SingleOrg);