[PM-23580] Security Task Metrics (#6164)

* add metrics endpoint for an organization to return completed and total security tasks

* refactor metrics fetch to use sql sproc for efficiency rather than having to pull all security task data

* add separate response model for security task metrics endpoint

* Pascal Case to match existing implementations

* refactor org to organization for consistency with other methods

* alter security task endpoint:
- remove "count" from variable naming
- update sproc naming

* remove enablement check

* replace orgId with organizationId

src/Api/Vault/Controllers/SecurityTaskController.cs

@@ -24,6 +24,7 @@ public class SecurityTaskController : Controller
     private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
     private readonly ICreateManyTasksCommand _createManyTasksCommand;
     private readonly ICreateManyTaskNotificationsCommand _createManyTaskNotificationsCommand;
+    private readonly IGetTaskMetricsForOrganizationQuery _getTaskMetricsForOrganizationQuery;
 
     public SecurityTaskController(
         IUserService userService,
@@ -31,7 +32,8 @@ public class SecurityTaskController : Controller
         IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
         IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
         ICreateManyTasksCommand createManyTasksCommand,
-        ICreateManyTaskNotificationsCommand createManyTaskNotificationsCommand)
+        ICreateManyTaskNotificationsCommand createManyTaskNotificationsCommand,
+        IGetTaskMetricsForOrganizationQuery getTaskMetricsForOrganizationQuery)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
@@ -39,6 +41,7 @@ public class SecurityTaskController : Controller
         _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
         _createManyTasksCommand = createManyTasksCommand;
         _createManyTaskNotificationsCommand = createManyTaskNotificationsCommand;
+        _getTaskMetricsForOrganizationQuery = getTaskMetricsForOrganizationQuery;
     }
 
     /// <summary>
@@ -80,6 +83,18 @@ public class SecurityTaskController : Controller
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
 
+    /// <summary>
+    /// Retrieves security task metrics for an organization.
+    /// </summary>
+    /// <param name="organizationId">The organization Id</param>
+    [HttpGet("{organizationId:guid}/metrics")]
+    public async Task<SecurityTaskMetricsResponseModel> GetTaskMetricsForOrganization([FromRoute] Guid organizationId)
+    {
+        var metrics = await _getTaskMetricsForOrganizationQuery.GetTaskMetrics(organizationId);
+
+        return new SecurityTaskMetricsResponseModel(metrics.CompletedTasks, metrics.TotalTasks);
+    }
+
     /// <summary>
     /// Bulk create security tasks for an organization.
     /// </summary>

src/Api/Vault/Models/Response/SecurityTaskMetricsResponseModel.cs

@@ -0,0 +1,21 @@
+namespace Bit.Api.Vault.Models.Response;
+
+public class SecurityTaskMetricsResponseModel
+{
+
+    public SecurityTaskMetricsResponseModel(int completedTasks, int totalTasks)
+    {
+        CompletedTasks = completedTasks;
+        TotalTasks = totalTasks;
+    }
+
+    /// <summary>
+    /// Number of tasks that have been completed in the organization.
+    /// </summary>
+    public int CompletedTasks { get; set; }
+
+    /// <summary>
+    /// Total number of tasks in the organization, regardless of their status.
+    /// </summary>
+    public int TotalTasks { get; set; }
+}

src/Core/Vault/Entities/SecurityTaskMetrics.cs

@@ -0,0 +1,13 @@
+namespace Bit.Core.Vault.Entities;
+
+public class SecurityTaskMetrics
+{
+    public SecurityTaskMetrics(int completedTasks, int totalTasks)
+    {
+        CompletedTasks = completedTasks;
+        TotalTasks = totalTasks;
+    }
+
+    public int CompletedTasks { get; set; }
+    public int TotalTasks { get; set; }
+}

src/Core/Vault/Queries/GetTaskMetricsForOrganizationQuery.cs

@@ -0,0 +1,42 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetTaskMetricsForOrganizationQuery : IGetTaskMetricsForOrganizationQuery
+{
+    private readonly ISecurityTaskRepository _securityTaskRepository;
+    private readonly IAuthorizationService _authorizationService;
+    private readonly ICurrentContext _currentContext;
+
+    public GetTaskMetricsForOrganizationQuery(
+        ISecurityTaskRepository securityTaskRepository,
+        IAuthorizationService authorizationService,
+        ICurrentContext currentContext
+    )
+    {
+        _securityTaskRepository = securityTaskRepository;
+        _authorizationService = authorizationService;
+        _currentContext = currentContext;
+    }
+
+    public async Task<SecurityTaskMetrics> GetTaskMetrics(Guid organizationId)
+    {
+        var organization = _currentContext.GetOrganization(organizationId);
+        var userId = _currentContext.UserId;
+
+        if (organization == null || !userId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        await _authorizationService.AuthorizeOrThrowAsync(_currentContext.HttpContext.User, organization, SecurityTaskOperations.ListAllForOrganization);
+
+        return await _securityTaskRepository.GetTaskMetricsAsync(organizationId);
+    }
+}

src/Core/Vault/Queries/IGetTaskMetricsForOrganizationQuery.cs

@@ -0,0 +1,13 @@
+using Bit.Core.Vault.Entities;
+
+namespace Bit.Core.Vault.Queries;
+
+public interface IGetTaskMetricsForOrganizationQuery
+{
+    /// <summary>
+    /// Retrieves security task metrics for an organization.
+    /// </summary>
+    /// <param name="organizationId">The Id of the organization</param>
+    /// <returns>Metrics for all security tasks within an organization.</returns>
+    Task<SecurityTaskMetrics> GetTaskMetrics(Guid organizationId);
+}

src/Core/Vault/Repositories/ISecurityTaskRepository.cs

@@ -28,4 +28,11 @@ public interface ISecurityTaskRepository : IRepository<SecurityTask, Guid>
     /// <param name="tasks">Collection of tasks to create</param>
     /// <returns>Collection of created security tasks</returns>
     Task<ICollection<SecurityTask>> CreateManyAsync(IEnumerable<SecurityTask> tasks);
+
+    /// <summary>
+    /// Retrieves security task metrics for an organization.
+    /// </summary>
+    /// <param name="organizationId">The id of the organization</param>
+    /// <returns>A collection of security task metrics</returns>
+    Task<SecurityTaskMetrics> GetTaskMetricsAsync(Guid organizationId);
 }

src/Core/Vault/VaultServiceCollectionExtensions.cs

@@ -25,5 +25,6 @@ public static class VaultServiceCollectionExtensions
         services.AddScoped<ICreateManyTaskNotificationsCommand, CreateManyTaskNotificationsCommand>();
         services.AddScoped<ICreateManyTasksCommand, CreateManyTasksCommand>();
         services.AddScoped<IMarkNotificationsForTaskAsDeletedCommand, MarkNotificationsForTaskAsDeletedCommand>();
+        services.AddScoped<IGetTaskMetricsForOrganizationQuery, GetTaskMetricsForOrganizationQuery>();
     }
 }

src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs

@@ -48,6 +48,19 @@ public class SecurityTaskRepository : Repository<SecurityTask, Guid>, ISecurityT
         return results.ToList();
     }
 
+    /// <inheritdoc />
+    public async Task<SecurityTaskMetrics> GetTaskMetricsAsync(Guid organizationId)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+
+        var result = await connection.QueryAsync<SecurityTaskMetrics>(
+            $"[{Schema}].[SecurityTask_ReadMetricsByOrganizationId]",
+            new { OrganizationId = organizationId },
+            commandType: CommandType.StoredProcedure);
+
+        return result.FirstOrDefault() ?? new SecurityTaskMetrics(0, 0);
+    }
+
     /// <inheritdoc />
     public async Task<ICollection<SecurityTask>> CreateManyAsync(IEnumerable<SecurityTask> tasks)
     {

src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs

@@ -76,4 +76,24 @@ public class SecurityTaskRepository : Repository<Core.Vault.Entities.SecurityTas
 
         return tasksList;
     }
+
+    /// <inheritdoc />
+    public async Task<Core.Vault.Entities.SecurityTaskMetrics> GetTaskMetricsAsync(Guid organizationId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var metrics = await (from st in dbContext.SecurityTasks
+                             join o in dbContext.Organizations on st.OrganizationId equals o.Id
+                             where st.OrganizationId == organizationId && o.Enabled
+                             select st)
+                           .GroupBy(x => 1)
+                           .Select(g => new Core.Vault.Entities.SecurityTaskMetrics(
+                               g.Count(x => x.Status == SecurityTaskStatus.Completed),
+                               g.Count()
+                           ))
+                           .FirstOrDefaultAsync();
+
+        return metrics ?? new Core.Vault.Entities.SecurityTaskMetrics(0, 0);
+    }
 }

src/Sql/dbo/Vault/Stored Procedures/SecurityTask/SecurityTask_ReadMetricsByOrganizationId.sql

@@ -0,0 +1,14 @@
+CREATE PROCEDURE [dbo].[SecurityTask_ReadMetricsByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        COUNT(CASE WHEN st.[Status] = 1 THEN 1 END) AS CompletedTasks,
+        COUNT(*) AS TotalTasks
+    FROM
+        [dbo].[SecurityTaskView] st
+    WHERE
+        st.[OrganizationId] = @OrganizationId
+END

test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs

@@ -266,4 +266,83 @@ public class SecurityTaskRepositoryTests
 
         Assert.Equal(2, taskIds.Count);
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetTaskMetricsAsync(
+        IOrganizationRepository organizationRepository,
+        ICipherRepository cipherRepository,
+        ISecurityTaskRepository securityTaskRepository)
+    {
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Org",
+            PlanType = PlanType.EnterpriseAnnually,
+            Plan = "Test Plan",
+            BillingEmail = ""
+        });
+
+        var cipher1 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher1);
+
+        var cipher2 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher2);
+
+        var tasks = new List<SecurityTask>
+        {
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher1.Id,
+                Status = SecurityTaskStatus.Pending,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            },
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher1.Id,
+                Status = SecurityTaskStatus.Completed,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            },
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher2.Id,
+                Status = SecurityTaskStatus.Completed,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            },
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher2.Id,
+                Status = SecurityTaskStatus.Pending,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            }
+        };
+
+        await securityTaskRepository.CreateManyAsync(tasks);
+
+        var metrics = await securityTaskRepository.GetTaskMetricsAsync(organization.Id);
+
+        Assert.Equal(2, metrics.CompletedTasks);
+        Assert.Equal(4, metrics.TotalTasks);
+    }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetZeroTaskMetricsAsync(
+        IOrganizationRepository organizationRepository,
+        ISecurityTaskRepository securityTaskRepository)
+    {
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Org",
+            PlanType = PlanType.EnterpriseAnnually,
+            Plan = "Test Plan",
+            BillingEmail = ""
+        });
+
+        var metrics = await securityTaskRepository.GetTaskMetricsAsync(organization.Id);
+
+        Assert.Equal(0, metrics.CompletedTasks);
+        Assert.Equal(0, metrics.TotalTasks);
+    }
 }

util/Migrator/DbScripts/2025-08-12_00_SecurityTaskMetrics.sql

@@ -0,0 +1,15 @@
+CREATE OR ALTER PROCEDURE [dbo].[SecurityTask_ReadMetricsByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        COUNT(CASE WHEN st.[Status] = 1 THEN 1 END) AS CompletedTasks,
+        COUNT(*) AS TotalTasks
+    FROM
+        [dbo].[SecurityTaskView] st
+    WHERE
+        st.[OrganizationId] = @OrganizationId
+END
+GO