Add revocation reasons (#7473)

Author: sven-bitwarden

bitwarden_license/src/Scim/Controllers/v2/UsersController.cs

@@ -106,7 +106,8 @@ public async Task<IActionResult> Put(Guid organizationId, Guid id, [FromBody] Sc
                 new RevokeOrganizationUsersRequest(
                     organizationId,
                     [id],
-                    new SystemUser(EventSystemUser.SCIM)));
+                    new SystemUser(EventSystemUser.SCIM),
+                    RevocationReason.Manual));
 
             var errors = results.Select(x => x.Result.Match(
                 y => $"{y.Message} for user {x.Id}",

bitwarden_license/src/Scim/Users/PatchUserCommand.cs

@@ -107,7 +107,7 @@ private async Task<bool> HandleActiveOperationAsync(Core.Entities.OrganizationUs
         }
         else if (!active && orgUser.Status != OrganizationUserStatusType.Revoked)
         {
-            await _revokeOrganizationUserCommand.RevokeUserAsync(orgUser, EventSystemUser.SCIM);
+            await _revokeOrganizationUserCommand.RevokeUserAsync(orgUser, EventSystemUser.SCIM, RevocationReason.Manual);
             return true;
         }
         return false;

bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs

@@ -102,7 +102,7 @@ public async Task PatchUser_RevokePath_Success(SutProvider<PatchUserCommand> sut
 
         await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
 
-        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().Received(1).RevokeUserAsync(organizationUser, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().Received(1).RevokeUserAsync(organizationUser, EventSystemUser.SCIM, RevocationReason.Manual);
     }
 
     [Theory]
@@ -130,7 +130,7 @@ public async Task PatchUser_RevokeValue_Success(SutProvider<PatchUserCommand> su
 
         await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
 
-        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().Received(1).RevokeUserAsync(organizationUser, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().Received(1).RevokeUserAsync(organizationUser, EventSystemUser.SCIM, RevocationReason.Manual);
     }
 
     [Theory]
@@ -150,7 +150,7 @@ public async Task PatchUser_NoAction_Success(SutProvider<PatchUserCommand> sutPr
         await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
 
         await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RestoreUserAsync(default, EventSystemUser.SCIM);
-        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RevokeUserAsync(default, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RevokeUserAsync(default, EventSystemUser.SCIM, default);
     }
 
     [Theory]
@@ -380,7 +380,7 @@ public async Task PatchUser_UnsupportedOperation_LogsWarningAndSucceeds(SutProvi
 
         // Verify no restore or revoke operations were called
         await sutProvider.GetDependency<IRestoreOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RestoreUserAsync(default, EventSystemUser.SCIM);
-        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RevokeUserAsync(default, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().DidNotReceiveWithAnyArgs().RevokeUserAsync(default, EventSystemUser.SCIM, default);
     }
 
     [Theory]
@@ -415,7 +415,7 @@ public async Task PatchUser_ActiveAndExternalIdFromValue_Success(SutProvider<Pat
         await sutProvider.Sut.PatchUserAsync(organizationUser.OrganizationId, organizationUser.Id, scimPatchModel);
 
         // Verify both operations were processed
-        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().Received(1).RevokeUserAsync(organizationUser, EventSystemUser.SCIM);
+        await sutProvider.GetDependency<IRevokeOrganizationUserCommand>().Received(1).RevokeUserAsync(organizationUser, EventSystemUser.SCIM, RevocationReason.Manual);
         await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).ReplaceAsync(
             Arg.Is<OrganizationUser>(ou => ou.ExternalId == newExternalId));
     }

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -644,7 +644,7 @@ public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> PostBulk
     [Authorize<ManageUsersRequirement>]
     public async Task RevokeAsync(Guid orgId, Guid id)
     {
-        await RestoreOrRevokeUserAsync(orgId, id, _revokeOrganizationUserCommand.RevokeUserAsync);
+        await RestoreOrRevokeUserAsync(orgId, id, (orgUser, userId) => _revokeOrganizationUserCommand.RevokeUserAsync(orgUser, userId, RevocationReason.Manual));
     }
 
     [HttpPut("revoke-self")]
@@ -683,7 +683,8 @@ public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkRevo
             new V2_RevokeOrganizationUserCommand.RevokeOrganizationUsersRequest(
                 orgId,
                 model.Ids.ToArray(),
-                new StandardUser(currentUserId.Value, await _currentContext.OrganizationOwner(orgId))));
+                new StandardUser(currentUserId.Value, await _currentContext.OrganizationOwner(orgId)),
+                RevocationReason.Manual));
 
         return new ListResponseModel<OrganizationUserBulkResponseModel>(results
             .Select(result => new OrganizationUserBulkResponseModel(result.Id,

src/Api/AdminConsole/Public/Controllers/MembersController.cs

@@ -339,7 +339,8 @@ public async Task<IActionResult> Revoke(Guid id)
         var request = new RevokeOrganizationUsersRequest(
             _currentContext.OrganizationId!.Value,
             [id],
-            new SystemUser(EventSystemUser.PublicApi)
+            new SystemUser(EventSystemUser.PublicApi),
+            RevocationReason.Manual
         );
 
         var results = await _revokeOrganizationUserCommandV2.RevokeUsersAsync(request);

src/Core/AdminConsole/OrganizationFeatures/AccountRecovery/v2/AdminRecoverAccountCommand.cs

@@ -125,7 +125,8 @@ await revokeNonCompliantOrganizationUserCommand.RevokeNonCompliantOrganizationUs
                     new RevokeOrganizationUsersRequest(
                         o.OrganizationId,
                         [new OrganizationUserUserDetails { Id = o.OrganizationUserId, OrganizationId = o.OrganizationId }],
-                        new SystemUser(EventSystemUser.TwoFactorDisabled)));
+                        new SystemUser(EventSystemUser.TwoFactorDisabled),
+                        RevocationReason.TwoFactorPolicyNonCompliance));
                 await mailService.SendOrganizationUserRevokedForTwoFactorPolicyEmailAsync(organization.DisplayName(), user.Email);
             }).ToArray();
 

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Requests/RevokeOrganizationUserRequest.cs

@@ -1,13 +1,15 @@
 using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 
 public record RevokeOrganizationUsersRequest(
     Guid OrganizationId,
     IEnumerable<OrganizationUserUserDetails> OrganizationUsers,
-    IActingUser ActionPerformedBy)
+    IActingUser ActionPerformedBy,
+    RevocationReason RevocationReason)
 {
-    public RevokeOrganizationUsersRequest(Guid organizationId, OrganizationUserUserDetails organizationUser, IActingUser actionPerformedBy)
-        : this(organizationId, [organizationUser], actionPerformedBy) { }
+    public RevokeOrganizationUsersRequest(Guid organizationId, OrganizationUserUserDetails organizationUser, IActingUser actionPerformedBy, RevocationReason revocationReason)
+        : this(organizationId, [organizationUser], actionPerformedBy, revocationReason) { }
 }

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeNonCompliantOrganizationUserCommand.cs

@@ -30,33 +30,42 @@ public async Task<CommandResult> RevokeNonCompliantOrganizationUsersAsync(Revoke
             return validationResult;
         }
 
-        await organizationUserRepository.RevokeManyAsync(request.OrganizationUsers.Select(x => x.Id));
+        await organizationUserRepository.RevokeManyAsync(request.OrganizationUsers.Select(x => x.Id), request.RevocationReason);
 
         var now = timeProvider.GetUtcNow();
 
+        var eventType = MapRevocationReasonToEventType(request.RevocationReason);
+
         switch (request.ActionPerformedBy)
         {
             case StandardUser:
                 await eventService.LogOrganizationUserEventsAsync(
-                    request.OrganizationUsers.Select(x => GetRevokedUserEventTuple(x, now)));
+                    request.OrganizationUsers.Select(x => GetRevokedUserEventTuple(x, eventType, now)));
                 break;
             case SystemUser { SystemUserType: not null } loggableSystem:
                 await eventService.LogOrganizationUserEventsAsync(
                     request.OrganizationUsers.Select(x =>
-                        GetRevokedUserEventBySystemUserTuple(x, loggableSystem.SystemUserType.Value, now)));
+                        GetRevokedUserEventBySystemUserTuple(x, eventType, loggableSystem.SystemUserType.Value, now)));
                 break;
         }
 
         return validationResult;
     }
 
+    private static EventType MapRevocationReasonToEventType(RevocationReason reason) => reason switch
+    {
+        RevocationReason.TwoFactorPolicyNonCompliance => EventType.OrganizationUser_Revoked_TwoFactorNonCompliance,
+        RevocationReason.SingleOrgPolicyNonCompliance => EventType.OrganizationUser_Revoked_SingleOrganizationNonCompliance,
+        _ => EventType.OrganizationUser_Revoked
+    };
+
     private static (OrganizationUserUserDetails organizationUser, EventType eventType, DateTime? time) GetRevokedUserEventTuple(
-        OrganizationUserUserDetails organizationUser, DateTimeOffset dateTimeOffset) =>
-        new(organizationUser, EventType.OrganizationUser_Revoked, dateTimeOffset.UtcDateTime);
+        OrganizationUserUserDetails organizationUser, EventType eventType, DateTimeOffset dateTimeOffset) =>
+        new(organizationUser, eventType, dateTimeOffset.UtcDateTime);
 
     private static (OrganizationUserUserDetails organizationUser, EventType eventType, EventSystemUser eventSystemUser, DateTime? time) GetRevokedUserEventBySystemUserTuple(
-        OrganizationUserUserDetails organizationUser, EventSystemUser systemUser, DateTimeOffset dateTimeOffset) => new(organizationUser,
-        EventType.OrganizationUser_Revoked, systemUser, dateTimeOffset.UtcDateTime);
+        OrganizationUserUserDetails organizationUser, EventType eventType, EventSystemUser systemUser, DateTimeOffset dateTimeOffset) => new(organizationUser,
+        eventType, systemUser, dateTimeOffset.UtcDateTime);
 
     private async Task<CommandResult> ValidateAsync(RevokeOrganizationUsersRequest request)
     {

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v1/IRevokeOrganizationUserCommand.cs

@@ -5,6 +5,6 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUse
 
 public interface IRevokeOrganizationUserCommand
 {
-    Task RevokeUserAsync(OrganizationUser organizationUser, Guid? revokingUserId);
-    Task RevokeUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser);
+    Task RevokeUserAsync(OrganizationUser organizationUser, Guid? revokingUserId, RevocationReason reason);
+    Task RevokeUserAsync(OrganizationUser organizationUser, EventSystemUser systemUser, RevocationReason reason);
 }

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/RevokeUser/v1/RevokeOrganizationUserCommand.cs

@@ -17,7 +17,7 @@ public class RevokeOrganizationUserCommand(
     IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery)
     : IRevokeOrganizationUserCommand
 {
-    public async Task RevokeUserAsync(OrganizationUser organizationUser, Guid? revokingUserId)
+    public async Task RevokeUserAsync(OrganizationUser organizationUser, Guid? revokingUserId, RevocationReason reason)
     {
         if (revokingUserId.HasValue && organizationUser.UserId == revokingUserId.Value)
         {
@@ -30,7 +30,7 @@ public async Task RevokeUserAsync(OrganizationUser organizationUser, Guid? revok
             throw new BadRequestException("Only owners can revoke other owners.");
         }
 
-        await RepositoryRevokeUserAsync(organizationUser);
+        await RepositoryRevokeUserAsync(organizationUser, reason);
         await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked);
 
         if (organizationUser.UserId.HasValue)
@@ -40,9 +40,9 @@ public async Task RevokeUserAsync(OrganizationUser organizationUser, Guid? revok
     }
 
     public async Task RevokeUserAsync(OrganizationUser organizationUser,
-        EventSystemUser systemUser)
+        EventSystemUser systemUser, RevocationReason reason)
     {
-        await RepositoryRevokeUserAsync(organizationUser);
+        await RepositoryRevokeUserAsync(organizationUser, reason);
         await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_Revoked,
             systemUser);
 
@@ -52,7 +52,7 @@ await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.Org
         }
     }
 
-    private async Task RepositoryRevokeUserAsync(OrganizationUser organizationUser)
+    private async Task RepositoryRevokeUserAsync(OrganizationUser organizationUser, RevocationReason reason)
     {
         if (organizationUser.Status == OrganizationUserStatusType.Revoked)
         {
@@ -65,7 +65,8 @@ private async Task RepositoryRevokeUserAsync(OrganizationUser organizationUser)
             throw new BadRequestException("Organization must have at least one confirmed owner.");
         }
 
-        await organizationUserRepository.RevokeAsync(organizationUser.Id);
+        await organizationUserRepository.RevokeAsync(organizationUser.Id, reason);
         organizationUser.Status = OrganizationUserStatusType.Revoked;
+        organizationUser.RevocationReason = reason;
     }
 }