[PM-22236] Fix invited accounts stuck in intermediate claimed status (#6810)

* Exclude invited users from claimed domain checks.
  These users should be excluded by the JOIN on
  UserId, but it's a known issue that some invited
  users have this FK set.

test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepository/GetManyByOrganizationWithClaimedDomainsAsyncTests.cs

@@ -0,0 +1,197 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Infrastructure.IntegrationTest.AdminConsole.Repositories.OrganizationUserRepository;
+
+public class GetManyByOrganizationWithClaimedDomainsAsyncTests
+{
+    [Theory, DatabaseData]
+    public async Task WithVerifiedDomain_WithOneMatchingEmailDomain_ReturnsSingle(
+        IUserRepository userRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        var id = Guid.NewGuid();
+        var domainName = $"{id}.example.com";
+
+        var user1 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 1",
+            Email = $"test+{id}@{domainName}",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var user2 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 2",
+            Email = $"test+{id}@x-{domainName}", // Different domain
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var user3 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 3",
+            Email = $"test+{id}@{domainName}.example.com", // Different domain
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var organization = await organizationRepository.CreateTestOrganizationAsync();
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization.Id,
+            DomainName = domainName,
+            Txt = "btw+12345",
+        };
+        organizationDomain.SetVerifiedDate();
+        organizationDomain.SetNextRunDate(12);
+        organizationDomain.SetJobRunCount();
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        var orgUser1 = await organizationUserRepository.CreateConfirmedTestOrganizationUserAsync(organization, user1);
+        await organizationUserRepository.CreateConfirmedTestOrganizationUserAsync(organization, user2);
+        await organizationUserRepository.CreateConfirmedTestOrganizationUserAsync(organization, user3);
+
+        var result = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
+
+        Assert.NotNull(result);
+        Assert.Single(result);
+        Assert.Equal(orgUser1.Id, result.Single().Id);
+    }
+
+    [Theory, DatabaseData]
+    public async Task WithNoVerifiedDomain_ReturnsEmpty(
+        IUserRepository userRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        var id = Guid.NewGuid();
+        var domainName = $"{id}.example.com";
+
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{id}@{domainName}",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var organization = await organizationRepository.CreateTestOrganizationAsync();
+
+        // Create domain but do NOT verify it
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization.Id,
+            DomainName = domainName,
+            Txt = "btw+12345",
+        };
+        organizationDomain.SetNextRunDate(12);
+        // Note: NOT calling SetVerifiedDate()
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        await organizationUserRepository.CreateConfirmedTestOrganizationUserAsync(organization, user);
+
+        var result = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
+
+        Assert.NotNull(result);
+        Assert.Empty(result);
+    }
+
+    /// <summary>
+    /// Tests an edge case where some invited users are created linked to a UserId.
+    /// This is defective behavior, but will take longer to fix - for now, we are defensive and expressly
+    /// exclude such users from the results without relying on the inner join only.
+    /// Invited-revoked users linked to a UserId remain intentionally unhandled for now as they have not caused
+    /// any issues to date and we want to minimize edge cases.
+    /// We will fix the underlying issue going forward: https://bitwarden.atlassian.net/browse/PM-22405
+    /// </summary>
+    [Theory, DatabaseData]
+    public async Task WithVerifiedDomain_ExcludesInvitedUsers(
+        IUserRepository userRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        var id = Guid.NewGuid();
+        var domainName = $"{id}.example.com";
+
+        var invitedUser = await userRepository.CreateAsync(new User
+        {
+            Name = "Invited User",
+            Email = $"invited+{id}@{domainName}",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var confirmedUser = await userRepository.CreateAsync(new User
+        {
+            Name = "Confirmed User",
+            Email = $"confirmed+{id}@{domainName}",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var organization = await organizationRepository.CreateTestOrganizationAsync();
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization.Id,
+            DomainName = domainName,
+            Txt = "btw+12345",
+        };
+        organizationDomain.SetVerifiedDate();
+        organizationDomain.SetNextRunDate(12);
+        organizationDomain.SetJobRunCount();
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        // Create invited user with UserId set (edge case - should be excluded even with UserId linked)
+        var invitedOrgUser = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = invitedUser.Id, // Edge case: invited user with UserId set
+            Email = invitedUser.Email,
+            Status = OrganizationUserStatusType.Invited,
+            Type = OrganizationUserType.User
+        });
+
+        // Create confirmed user linked by UserId only (no Email field set)
+        var confirmedOrgUser = await organizationUserRepository.CreateConfirmedTestOrganizationUserAsync(organization, confirmedUser);
+
+        var result = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
+
+        Assert.NotNull(result);
+        var claimedUser = Assert.Single(result);
+        Assert.Equal(confirmedOrgUser.Id, claimedUser.Id);
+    }
+}

test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepository/OrganizationUserRepositoryTests.cs

@@ -599,136 +599,6 @@ public class OrganizationUserRepositoryTests
         Assert.Null(orgWithoutSsoDetails.SsoConfig);
     }
 
-    [DatabaseTheory, DatabaseData]
-    public async Task GetManyByOrganizationWithClaimedDomainsAsync_WithVerifiedDomain_WithOneMatchingEmailDomain_ReturnsSingle(
-        IUserRepository userRepository,
-        IOrganizationRepository organizationRepository,
-        IOrganizationUserRepository organizationUserRepository,
-        IOrganizationDomainRepository organizationDomainRepository)
-    {
-        var id = Guid.NewGuid();
-        var domainName = $"{id}.example.com";
-
-        var user1 = await userRepository.CreateAsync(new User
-        {
-            Name = "Test User 1",
-            Email = $"test+{id}@{domainName}",
-            ApiKey = "TEST",
-            SecurityStamp = "stamp",
-            Kdf = KdfType.PBKDF2_SHA256,
-            KdfIterations = 1,
-            KdfMemory = 2,
-            KdfParallelism = 3
-        });
-
-        var user2 = await userRepository.CreateAsync(new User
-        {
-            Name = "Test User 2",
-            Email = $"test+{id}@x-{domainName}", // Different domain
-            ApiKey = "TEST",
-            SecurityStamp = "stamp",
-            Kdf = KdfType.PBKDF2_SHA256,
-            KdfIterations = 1,
-            KdfMemory = 2,
-            KdfParallelism = 3
-        });
-
-        var user3 = await userRepository.CreateAsync(new User
-        {
-            Name = "Test User 2",
-            Email = $"test+{id}@{domainName}.example.com", // Different domain
-            ApiKey = "TEST",
-            SecurityStamp = "stamp",
-            Kdf = KdfType.PBKDF2_SHA256,
-            KdfIterations = 1,
-            KdfMemory = 2,
-            KdfParallelism = 3
-        });
-
-        var organization = await organizationRepository.CreateAsync(new Organization
-        {
-            Name = $"Test Org {id}",
-            BillingEmail = user1.Email, // TODO: EF does not enforce this being NOT NULL
-            Plan = "Test", // TODO: EF does not enforce this being NOT NULL
-            PrivateKey = "privatekey",
-            UsePolicies = false,
-            UseSso = false,
-            UseKeyConnector = false,
-            UseScim = false,
-            UseGroups = false,
-            UseDirectory = false,
-            UseEvents = false,
-            UseTotp = false,
-            Use2fa = false,
-            UseApi = false,
-            UseResetPassword = false,
-            UseSecretsManager = false,
-            SelfHost = false,
-            UsersGetPremium = false,
-            UseCustomPermissions = false,
-            Enabled = true,
-            UsePasswordManager = false,
-            LimitCollectionCreation = false,
-            LimitCollectionDeletion = false,
-            LimitItemDeletion = false,
-            AllowAdminAccessToAllCollectionItems = false,
-            UseRiskInsights = false,
-            UseAdminSponsoredFamilies = false,
-            UsePhishingBlocker = false,
-            UseDisableSmAdsForUsers = false,
-        });
-
-        var organizationDomain = new OrganizationDomain
-        {
-            OrganizationId = organization.Id,
-            DomainName = domainName,
-            Txt = "btw+12345",
-        };
-        organizationDomain.SetVerifiedDate();
-        organizationDomain.SetNextRunDate(12);
-        organizationDomain.SetJobRunCount();
-        await organizationDomainRepository.CreateAsync(organizationDomain);
-
-        var orgUser1 = await organizationUserRepository.CreateAsync(new OrganizationUser
-        {
-            Id = CoreHelpers.GenerateComb(),
-            OrganizationId = organization.Id,
-            UserId = user1.Id,
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.Owner,
-            ResetPasswordKey = "resetpasswordkey1",
-            AccessSecretsManager = false
-        });
-
-        await organizationUserRepository.CreateAsync(new OrganizationUser
-        {
-            Id = CoreHelpers.GenerateComb(),
-            OrganizationId = organization.Id,
-            UserId = user2.Id,
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            ResetPasswordKey = "resetpasswordkey1",
-            AccessSecretsManager = false
-        });
-
-        await organizationUserRepository.CreateAsync(new OrganizationUser
-        {
-            Id = CoreHelpers.GenerateComb(),
-            OrganizationId = organization.Id,
-            UserId = user3.Id,
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.User,
-            ResetPasswordKey = "resetpasswordkey1",
-            AccessSecretsManager = false
-        });
-
-        var responseModel = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
-
-        Assert.NotNull(responseModel);
-        Assert.Single(responseModel);
-        Assert.Equal(orgUser1.Id, responseModel.Single().Id);
-    }
-
     [DatabaseTheory, DatabaseData]
     public async Task CreateManyAsync_NoId_Works(IOrganizationRepository organizationRepository,
         IUserRepository userRepository,
@@ -1237,70 +1107,6 @@ public class OrganizationUserRepositoryTests
         Assert.DoesNotContain(user1Result.Collections, c => c.Id == defaultUserCollection.Id);
     }
 
-    [DatabaseTheory, DatabaseData]
-    public async Task GetManyByOrganizationWithClaimedDomainsAsync_WithNoVerifiedDomain_ReturnsEmpty(
-        IUserRepository userRepository,
-        IOrganizationRepository organizationRepository,
-        IOrganizationUserRepository organizationUserRepository,
-        IOrganizationDomainRepository organizationDomainRepository)
-    {
-        var id = Guid.NewGuid();
-        var domainName = $"{id}.example.com";
-        var requestTime = DateTime.UtcNow;
-
-        var user1 = await userRepository.CreateAsync(new User
-        {
-            Id = CoreHelpers.GenerateComb(),
-            Name = "Test User 1",
-            Email = $"test+{id}@{domainName}",
-            ApiKey = "TEST",
-            SecurityStamp = "stamp",
-            CreationDate = requestTime,
-            RevisionDate = requestTime,
-            AccountRevisionDate = requestTime
-        });
-
-        var organization = await organizationRepository.CreateAsync(new Organization
-        {
-            Id = CoreHelpers.GenerateComb(),
-            Name = $"Test Org {id}",
-            BillingEmail = user1.Email,
-            Plan = "Test",
-            Enabled = true,
-            CreationDate = requestTime,
-            RevisionDate = requestTime
-        });
-
-        // Create domain but do NOT verify it
-        var organizationDomain = new OrganizationDomain
-        {
-            Id = CoreHelpers.GenerateComb(),
-            OrganizationId = organization.Id,
-            DomainName = domainName,
-            Txt = "btw+12345",
-            CreationDate = requestTime
-        };
-        organizationDomain.SetNextRunDate(12);
-        // Note: NOT calling SetVerifiedDate()
-        await organizationDomainRepository.CreateAsync(organizationDomain);
-
-        await organizationUserRepository.CreateAsync(new OrganizationUser
-        {
-            Id = CoreHelpers.GenerateComb(),
-            OrganizationId = organization.Id,
-            UserId = user1.Id,
-            Status = OrganizationUserStatusType.Confirmed,
-            Type = OrganizationUserType.Owner,
-            CreationDate = requestTime,
-            RevisionDate = requestTime
-        });
-
-        var responseModel = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
-
-        Assert.NotNull(responseModel);
-        Assert.Empty(responseModel);
-    }
-
     [DatabaseTheory, DatabaseData]
     public async Task DeleteAsync_WithNullEmail_DoesNotSetDefaultUserCollectionEmail(IUserRepository userRepository,
         ICollectionRepository collectionRepository,