test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerSelfRevokeTests.cs

using System.Net;
using Bit.Api.IntegrationTest.Factories;
using Bit.Api.IntegrationTest.Helpers;
using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.Enums;
using Bit.Core.AdminConsole.Enums.Provider;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Billing.Enums;
using Bit.Core.Enums;
using Bit.Core.Repositories;
using Xunit;

namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;

public class OrganizationUsersControllerSelfRevokeTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
{
    private readonly HttpClient _client;
    private readonly ApiApplicationFactory _factory;
    private readonly LoginHelper _loginHelper;

    private string _ownerEmail = null!;

    public OrganizationUsersControllerSelfRevokeTests(ApiApplicationFactory apiFactory)
    {
        _factory = apiFactory;
        _client = _factory.CreateClient();
        _loginHelper = new LoginHelper(_factory, _client);
    }

    public async Task InitializeAsync()
    {
        _ownerEmail = $"{Guid.NewGuid()}@example.com";
        await _factory.LoginWithNewAccount(_ownerEmail);
    }

    public Task DisposeAsync()
    {
        _client.Dispose();
        return Task.CompletedTask;
    }

    [Fact]
    public async Task SelfRevoke_WhenPolicyEnabledAndUserIsEligible_ReturnsOk()
    {
        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);

        var policy = new Policy
        {
            OrganizationId = organization.Id,
            Type = PolicyType.OrganizationDataOwnership,
            Enabled = true,
            Data = null
        };
        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);

        var (userEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(
            _factory,
            organization.Id,
            OrganizationUserType.User);
        await _loginHelper.LoginAsync(userEmail);

        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);

        Assert.Equal(HttpStatusCode.NoContent, result.StatusCode);

        var organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
        var organizationUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(organization.Id);
        var revokedUser = organizationUsers.FirstOrDefault(u => u.Email == userEmail);

        Assert.NotNull(revokedUser);
        Assert.Equal(OrganizationUserStatusType.Revoked, revokedUser.Status);
    }

    [Fact]
    public async Task SelfRevoke_WhenUserNotMemberOfOrganization_ReturnsForbidden()
    {
        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);

        var policy = new Policy
        {
            OrganizationId = organization.Id,
            Type = PolicyType.OrganizationDataOwnership,
            Enabled = true,
            Data = null
        };
        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);

        var nonMemberEmail = $"{Guid.NewGuid()}@example.com";
        await _factory.LoginWithNewAccount(nonMemberEmail);
        await _loginHelper.LoginAsync(nonMemberEmail);

        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);

        Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
    }

    [Theory]
    [InlineData(OrganizationUserType.Owner)]
    [InlineData(OrganizationUserType.Admin)]
    public async Task SelfRevoke_WhenUserIsOwnerOrAdmin_ReturnsBadRequest(OrganizationUserType userType)
    {
        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);

        var policy = new Policy
        {
            OrganizationId = organization.Id,
            Type = PolicyType.OrganizationDataOwnership,
            Enabled = true,
            Data = null
        };
        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);

        string userEmail;
        if (userType == OrganizationUserType.Owner)
        {
            userEmail = _ownerEmail;
        }
        else
        {
            (userEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(
                _factory,
                organization.Id,
                userType);
        }

        await _loginHelper.LoginAsync(userEmail);

        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);

        Assert.Equal(HttpStatusCode.BadRequest, result.StatusCode);
    }

    [Fact]
    public async Task SelfRevoke_WhenUserIsProviderButNotMember_ReturnsForbidden()
    {
        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);

        var policy = new Policy
        {
            OrganizationId = organization.Id,
            Type = PolicyType.OrganizationDataOwnership,
            Enabled = true,
            Data = null
        };
        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);

        var provider = await ProviderTestHelpers.CreateProviderAndLinkToOrganizationAsync(
            _factory,
            organization.Id,
            ProviderType.Msp,
            ProviderStatusType.Billable);

        var providerUserEmail = $"{Guid.NewGuid()}@example.com";
        await _factory.LoginWithNewAccount(providerUserEmail);
        await ProviderTestHelpers.CreateProviderUserAsync(
            _factory,
            provider.Id,
            providerUserEmail,
            ProviderUserType.ProviderAdmin);

        await _loginHelper.LoginAsync(providerUserEmail);

        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);

        Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
    }
}
-												[PM-29555] Add self-revoke endpoint for declining organization data ownership policy (#6739)

* Add OrganizationUser_SelfRevoked event type to EventType enum

* Add SelfRevokeOrganizationUserCommand implementation and interface for user self-revocation from organizations

* Add unit tests for SelfRevokeOrganizationUserCommand to validate user self-revocation logic, including success scenarios and various failure conditions.

* Add ISelfRevokeOrganizationUserCommand registration to OrganizationServiceCollectionExtensions for user self-revocation functionality

* Add self-revoke user functionality to OrganizationUsersController with new endpoint for user-initiated revocation

* Add integration tests for self-revoke functionality in OrganizationUsersController, covering scenarios for eligible users, non-members, and users with owner/admin roles.

* Add unit test for SelfRevokeOrganizationUserCommand to validate behavior when a user attempts to self-revoke without confirmation. This test checks for a BadRequestException with an appropriate message.

* Add MemberRequirement class for organization membership authorization

- Implemented MemberRequirement to check if a user is a member of the organization.
- Added unit tests for MemberRequirement to validate authorization logic for different user types.

* Update authorization requirement for self-revoke endpoint and add integration test for provider users

- Changed authorization attribute from MemberOrProviderRequirement to MemberRequirement in the RevokeSelfAsync method.
- Added a new integration test to verify that provider users who are not members receive a forbidden response when attempting to revoke themselves.

* Add EligibleForSelfRevoke method to OrganizationDataOwnershipPolicyRequirement

- Implemented the EligibleForSelfRevoke method to determine if a user can self-revoke their data ownership based on their membership status and policy state.
- Added unit tests to validate the eligibility logic for confirmed, invited, and non-policy users, as well as for different organization IDs.

* Refactor self-revoke user command to enhance eligibility checks

- Updated the SelfRevokeOrganizationUserCommand to utilize policy requirements for determining user eligibility for self-revocation.
- Implemented checks to prevent the last owner from revoking themselves, ensuring organizational integrity.
- Modified unit tests to reflect changes in eligibility logic and added scenarios for confirmed owners and admins.
- Removed deprecated policy checks and streamlined the command's dependencies.

* Use CommandResult pattern in self-revoke command

* Clearer documentation
											
										
										
											2026-01-06 11:25:14 +00:00
+								using System.Net;
 								using Bit.Api.IntegrationTest.Factories;
 								using Bit.Api.IntegrationTest.Helpers;
 								using Bit.Core.AdminConsole.Entities;
 								using Bit.Core.AdminConsole.Enums;
 								using Bit.Core.AdminConsole.Enums.Provider;
 								using Bit.Core.AdminConsole.Repositories;
 								using Bit.Core.Billing.Enums;
 								using Bit.Core.Enums;
 								using Bit.Core.Repositories;
 								using Xunit;
 								namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
 								public class OrganizationUsersControllerSelfRevokeTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
 								{
 								    private readonly HttpClient _client;
 								    private readonly ApiApplicationFactory _factory;
 								    private readonly LoginHelper _loginHelper;
 								    private string _ownerEmail = null!;
 								    public OrganizationUsersControllerSelfRevokeTests(ApiApplicationFactory apiFactory)
 								    {
 								        _factory = apiFactory;
 								        _client = _factory.CreateClient();
 								        _loginHelper = new LoginHelper(_factory, _client);
 								    }
 								    public async Task InitializeAsync()
 								    {
 								        _ownerEmail = $"{Guid.NewGuid()}@example.com";
 								        await _factory.LoginWithNewAccount(_ownerEmail);
 								    }
 								    public Task DisposeAsync()
 								    {
 								        _client.Dispose();
 								        return Task.CompletedTask;
 								    }
 								    [Fact]
 								    public async Task SelfRevoke_WhenPolicyEnabledAndUserIsEligible_ReturnsOk()
 								    {
 								        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
 								            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
 								        var policy = new Policy
 								        {
 								            OrganizationId = organization.Id,
 								            Type = PolicyType.OrganizationDataOwnership,
 								            Enabled = true,
 								            Data = null
 								        };
 								        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
 								        var (userEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(
 								            _factory,
 								            organization.Id,
 								            OrganizationUserType.User);
 								        await _loginHelper.LoginAsync(userEmail);
 								        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
 								        Assert.Equal(HttpStatusCode.NoContent, result.StatusCode);
 								        var organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
 								        var organizationUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(organization.Id);
 								        var revokedUser = organizationUsers.FirstOrDefault(u => u.Email == userEmail);
 								        Assert.NotNull(revokedUser);
 								        Assert.Equal(OrganizationUserStatusType.Revoked, revokedUser.Status);
 								    }
 								    [Fact]
 								    public async Task SelfRevoke_WhenUserNotMemberOfOrganization_ReturnsForbidden()
 								    {
 								        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
 								            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
 								        var policy = new Policy
 								        {
 								            OrganizationId = organization.Id,
 								            Type = PolicyType.OrganizationDataOwnership,
 								            Enabled = true,
 								            Data = null
 								        };
 								        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
 								        var nonMemberEmail = $"{Guid.NewGuid()}@example.com";
 								        await _factory.LoginWithNewAccount(nonMemberEmail);
 								        await _loginHelper.LoginAsync(nonMemberEmail);
 								        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
 								        Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
 								    }
 								    [Theory]
 								    [InlineData(OrganizationUserType.Owner)]
 								    [InlineData(OrganizationUserType.Admin)]
 								    public async Task SelfRevoke_WhenUserIsOwnerOrAdmin_ReturnsBadRequest(OrganizationUserType userType)
 								    {
 								        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
 								            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
 								        var policy = new Policy
 								        {
 								            OrganizationId = organization.Id,
 								            Type = PolicyType.OrganizationDataOwnership,
 								            Enabled = true,
 								            Data = null
 								        };
 								        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
 								        string userEmail;
 								        if (userType == OrganizationUserType.Owner)
 								        {
 								            userEmail = _ownerEmail;
 								        }
 								        else
 								        {
 								            (userEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(
 								                _factory,
 								                organization.Id,
 								                userType);
 								        }
 								        await _loginHelper.LoginAsync(userEmail);
 								        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
 								        Assert.Equal(HttpStatusCode.BadRequest, result.StatusCode);
 								    }
 								    [Fact]
 								    public async Task SelfRevoke_WhenUserIsProviderButNotMember_ReturnsForbidden()
 								    {
 								        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
 								            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
 								        var policy = new Policy
 								        {
 								            OrganizationId = organization.Id,
 								            Type = PolicyType.OrganizationDataOwnership,
 								            Enabled = true,
 								            Data = null
 								        };
 								        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
 								        var provider = await ProviderTestHelpers.CreateProviderAndLinkToOrganizationAsync(
 								            _factory,
 								            organization.Id,
 								            ProviderType.Msp,
 								            ProviderStatusType.Billable);
 								        var providerUserEmail = $"{Guid.NewGuid()}@example.com";
 								        await _factory.LoginWithNewAccount(providerUserEmail);
 								        await ProviderTestHelpers.CreateProviderUserAsync(
 								            _factory,
 								            provider.Id,
 								            providerUserEmail,
 								            ProviderUserType.ProviderAdmin);
 								        await _loginHelper.LoginAsync(providerUserEmail);
 								        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
 								        Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
 								    }
 								}