[PM-10319] - Revoke Non Complaint Users for 2FA and Single Org Policy Enablement

[jrmccannon]

🎟️ Tracking

PM-10319

📔 Objective

This change revokes non-compliant users when 2FA or Single Org policies are enabled. This adds the a RevokeNonCompliantOrganizationUserCommand along with a bulk set status stored procedure. It also adds two new email templates to be sent when a user is revoked from an organization.

📸 Screenshots

Two FA Policy Revocation Email

Single Org Policy Email

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – a1ced24f-c026-464d-9c9e-c2d1a2e0dc6d

New Issues

Severity	Issue	Source File / Package	Checkmarx Insight
	Missing_HSTS_Header	/src/Admin/Views/Home/Index.cshtml: 14	Attack Vector
	Log_Forging	/src/Api/Auth/Controllers/TwoFactorController.cs: 406	Attack Vector
	Missing_CSP_Header	/src/Core/MailTemplates/Handlebars/FamiliesForEnterprise/FamiliesForEnterpriseRemovedFromFamilyUser.html.hbs: 5	Attack Vector
	Unsafe_Use_Of_Target_blank	/src/Core/MailTemplates/Handlebars/AdminConsole/OrganizationUserRevokedForTwoFactorPolicy.html.hbs: 11	Attack Vector

Fixed Issues

Severity	Issue	Source File / Package
	CSRF	/src/Api/AdminConsole/Public/Controllers/MembersController.cs: 95
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationsController.cs: 122
	CSRF	/src/Admin/AdminConsole/Controllers/OrganizationsController.cs: 372
	Log_Forging	/src/Api/AdminConsole/Controllers/ProvidersController.cs: 72
	Log_Forging	/src/Api/AdminConsole/Controllers/ProvidersController.cs: 72
	Log_Forging	/src/Api/AdminConsole/Controllers/ProvidersController.cs: 72

[codecov]

Codecov Report

Attention: Patch coverage is 67.03704% with 89 lines in your changes missing coverage. Please review.

Project coverage is 43.13%. Comparing base (92b94fd) to head (66d5831).

Files with missing lines	Patch %	Lines
.../Services/Implementations/HandlebarsMailService.cs	4.00%	24 Missing ⚠️
...icies/PolicyValidators/SingleOrgPolicyValidator.cs	68.88%	8 Missing and 6 partials ⚠️
...Users/RevokeNonCompliantOrganizationUserCommand.cs	81.35%	6 Missing and 5 partials ⚠️
...lidators/TwoFactorAuthenticationPolicyValidator.cs	82.14%	4 Missing and 6 partials ⚠️
...Console/Repositories/OrganizationUserRepository.cs	0.00%	7 Missing ⚠️
...Console/Repositories/OrganizationUserRepository.cs	0.00%	7 Missing ⚠️
...nizationDomains/VerifyOrganizationDomainCommand.cs	87.50%	3 Missing and 1 partial ⚠️
...nConsole/Services/Implementations/PolicyService.cs	42.85%	4 Missing ⚠️
src/Core/AdminConsole/Models/Data/SystemUser.cs	57.14%	3 Missing ⚠️
...re/Services/NoopImplementations/NoopMailService.cs	0.00%	2 Missing ⚠️
... and 3 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5037      +/-   ##
==========================================
+ Coverage   43.09%   43.13%   +0.04%     
==========================================
  Files        1414     1421       +7     
  Lines       64808    65014     +206     
  Branches     5925     5955      +30     
==========================================
+ Hits        27929    28045     +116     
- Misses      35645    35716      +71     
- Partials     1234     1253      +19     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

---

🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests
• JS Bundle Analysis - Avoid shipping oversized bundles

[r-tome]

Looks good, left some suggestions

[r-tome]

Why pass an empty Guid and not the nullable Guid in the first parameter?

[jrmccannon]

I'd rather not have null. I could throw at this point instead of using Guid.Empty. I was just defaulting to Guid.Empty in the event that a caller hasn't initialized the CurrentContext.

Do we know which applications would call this method without the CurrentContext populated with a user?

[eliykat]

I'm not sure about this method specifically, but generally:

• the Public API and SCIM - CurrentContext.UserId is null because it's the organization that's authenticated, not the user
• a system call (jobs) - also not tied to a user

A regular call from a client through the private api will always have UserId populated (to my knowledge) because CurrentContext is always initialized in the middleware and the private api always requires user authentication.

What this means for you here I'm not sure. This method seems specifically designed to be called by a user, so throwing if there is no UserId available seems reasonable. And if the UserId is null for some reason, then _currentContext.OrganizationOwner is probably not going to be accurate either (as this is also user specific). Really it seems like an invalid state.

[r-tome]

TODO no longer needed?

[jrmccannon]

This TODO will get addressed with a subsequent story.

[eliykat]

I can do this when I remove the policy definition feature flag shortly. Callers will have to construct their own PolicyUpdate objects, so I'll need to pass in the right ActingUser at that time.