Implement master password policy requirement (#7537)

* implement master password policy requirement

* revert unrelated chagned files

* fix aggregate pattern in factory, move away from ctor

* remove admin/owner exemption

* revert mp exemption in policyService

Author: BTreston

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/MasterPasswordPolicyRequirement.cs

@@ -0,0 +1,57 @@
+#nullable enable
+
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.Enums;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+/// <summary>
+/// Policy requirements for the Master Password policy.
+/// </summary>
+public class MasterPasswordPolicyRequirement : IPolicyRequirement
+{
+    /// <summary>
+    /// The combined Master Password policy options enforced against the user, or null if no policy applies.
+    /// </summary>
+    public MasterPasswordPolicyData? EnforcedOptions { get; init; }
+}
+
+/// <summary>
+/// Factory for <see cref="MasterPasswordPolicyRequirement"/>.
+/// Invited and Revoked users are exempt (inherited default from <see cref="BasePolicyRequirementFactory{T}"/>),
+/// which is intentional: master password requirements are enforced at login/unlock for active members only.
+/// </summary>
+public class MasterPasswordPolicyRequirementFactory : BasePolicyRequirementFactory<MasterPasswordPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.MasterPassword;
+
+    /// <summary>
+    /// No roles are exempt from the master password policy.
+    /// </summary>
+    protected override IEnumerable<OrganizationUserType> ExemptRoles { get; } = [];
+
+    public override MasterPasswordPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails)
+    {
+        var combined = policyDetails
+            .Select(p => p.GetDataModel<MasterPasswordPolicyData>())
+            .Aggregate(new MasterPasswordPolicyData(), (result, data) =>
+            {
+                result.CombineWith(data);
+                return result;
+            });
+
+        // Only set EnforcedOptions if at least one field has a meaningful value.
+        // A policy saved with no options set produces an all-null MasterPasswordPolicyData,
+        // and callers rely on EnforcedOptions == null to mean "no policy enforced".
+        var hasAnyOption = combined.MinComplexity.HasValue || combined.MinLength.HasValue ||
+            (combined.RequireLower ?? false) || (combined.RequireUpper ?? false) ||
+            (combined.RequireNumbers ?? false) || (combined.RequireSpecial ?? false) ||
+            (combined.EnforceOnLogin ?? false);
+
+        return new MasterPasswordPolicyRequirement
+        {
+            EnforcedOptions = hasAnyOption ? combined : null
+        };
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs

@@ -56,5 +56,6 @@ private static void AddPolicyRequirements(this IServiceCollection services)
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, RequireTwoFactorPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SingleOrganizationPolicyRequirementFactory>();
         services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, AutomaticUserConfirmationPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, MasterPasswordPolicyRequirementFactory>();
     }
 }

src/Core/AdminConsole/Services/Implementations/PolicyService.cs

@@ -3,7 +3,8 @@
 
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data.Organizations;
@@ -18,41 +19,25 @@ public class PolicyService : IPolicyService
 {
     private readonly IApplicationCacheService _applicationCacheService;
     private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IPolicyRepository _policyRepository;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
     private readonly GlobalSettings _globalSettings;
 
     public PolicyService(
         IApplicationCacheService applicationCacheService,
         IOrganizationUserRepository organizationUserRepository,
-        IPolicyRepository policyRepository,
+        IPolicyRequirementQuery policyRequirementQuery,
         GlobalSettings globalSettings)
     {
         _applicationCacheService = applicationCacheService;
         _organizationUserRepository = organizationUserRepository;
-        _policyRepository = policyRepository;
+        _policyRequirementQuery = policyRequirementQuery;
         _globalSettings = globalSettings;
     }
 
     public async Task<MasterPasswordPolicyData> GetMasterPasswordPolicyForUserAsync(User user)
     {
-        var policies = (await _policyRepository.GetManyByUserIdAsync(user.Id))
-            .Where(p => p.Type == PolicyType.MasterPassword && p.Enabled)
-            .ToList();
-
-        if (!policies.Any())
-        {
-            return null;
-        }
-
-        var enforcedOptions = new MasterPasswordPolicyData();
-
-        foreach (var policy in policies)
-        {
-            enforcedOptions.CombineWith(policy.GetDataModel<MasterPasswordPolicyData>());
-        }
-
-        return enforcedOptions;
-
+        var requirement = await _policyRequirementQuery.GetAsyncVNext<MasterPasswordPolicyRequirement>(user.Id);
+        return requirement.EnforcedOptions;
     }
 
     public async Task<ICollection<OrganizationUserPolicyDetails>> GetPoliciesApplicableToUserAsync(Guid userId, PolicyType policyType, OrganizationUserStatusType minStatus = OrganizationUserStatusType.Accepted)

test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/MasterPasswordPolicyRequirementFactoryTests.cs

@@ -0,0 +1,114 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+[SutProviderCustomize]
+public class MasterPasswordPolicyRequirementFactoryTests
+{
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public void Enforce_EnforcesAgainstAllRoles(
+        OrganizationUserType userType,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        var policy = new PolicyDetails
+        {
+            PolicyType = PolicyType.MasterPassword,
+            OrganizationUserType = userType,
+            OrganizationUserStatus = OrganizationUserStatusType.Confirmed
+        };
+
+        Assert.True(sutProvider.Sut.Enforce(policy));
+    }
+
+
+    [Theory, BitAutoData]
+    public void Create_WithNoPolicies_EnforcedOptionsIsNull(SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        var actual = sutProvider.Sut.Create([]);
+
+        Assert.Null(actual.EnforcedOptions);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithAllNullOptions_EnforcedOptionsIsNull(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        foreach (var policy in policies)
+        {
+            policy.SetDataModel(new MasterPasswordPolicyData());
+        }
+
+        var actual = sutProvider.Sut.Create(policies);
+
+        Assert.Null(actual.EnforcedOptions);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithSinglePolicy_ReturnsEnforcedOptions(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { MinLength = 12, RequireUpper = true });
+
+        var actual = sutProvider.Sut.Create([policies[0]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.Equal(12, actual.EnforcedOptions.MinLength);
+        Assert.True(actual.EnforcedOptions.RequireUpper);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithMultiplePolicies_TakesMaxMinComplexity(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { MinComplexity = 2 });
+        policies[1].SetDataModel(new MasterPasswordPolicyData { MinComplexity = 4 });
+
+        var actual = sutProvider.Sut.Create([policies[0], policies[1]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.Equal(4, actual.EnforcedOptions.MinComplexity);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithMultiplePolicies_TakesMaxMinLength(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { MinLength = 12 });
+        policies[1].SetDataModel(new MasterPasswordPolicyData { MinLength = 20 });
+
+        var actual = sutProvider.Sut.Create([policies[0], policies[1]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.Equal(20, actual.EnforcedOptions.MinLength);
+    }
+
+    [Theory, BitAutoData]
+    public void Create_WithMultiplePolicies_OrsAllBooleanFlags(
+        [PolicyDetails(PolicyType.MasterPassword)] PolicyDetails[] policies,
+        SutProvider<MasterPasswordPolicyRequirementFactory> sutProvider)
+    {
+        policies[0].SetDataModel(new MasterPasswordPolicyData { RequireUpper = true });
+        policies[1].SetDataModel(new MasterPasswordPolicyData { RequireSpecial = true });
+
+        var actual = sutProvider.Sut.Create([policies[0], policies[1]]);
+
+        Assert.NotNull(actual.EnforcedOptions);
+        Assert.True(actual.EnforcedOptions.RequireUpper);
+        Assert.True(actual.EnforcedOptions.RequireSpecial);
+    }
+}

test/Core.Test/AdminConsole/Services/PolicyServiceTests.cs

@@ -1,7 +1,7 @@
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
-using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Services.Implementations;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -125,123 +125,31 @@ public async Task AnyPoliciesApplicableToUserAsync_WithDisableSendTypeFilter_Wit
     [Theory, BitAutoData]
     public async Task GetMasterPasswordPolicyForUserAsync_ReturnsEnforcedOptions(User user, SutProvider<PolicyService> sutProvider)
     {
-        // Arrange: Create three policies with different requirements to test combining behavior
-        var policy1 = new Policy
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = Guid.NewGuid(),
-            Type = PolicyType.MasterPassword,
-            Enabled = true
-        };
-        policy1.SetDataModel(new MasterPasswordPolicyData
-        {
-            MinComplexity = 3,
-            MinLength = 12,
-            RequireLower = true,
-            RequireUpper = false,
-            RequireNumbers = true,
-            RequireSpecial = false,
-            EnforceOnLogin = true
-        });
-
-        var policy2 = new Policy
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = Guid.NewGuid(),
-            Type = PolicyType.MasterPassword,
-            Enabled = true
-        };
-        policy2.SetDataModel(new MasterPasswordPolicyData
-        {
-            MinComplexity = 4,
-            MinLength = 10,
-            RequireLower = false,
-            RequireUpper = true,
-            RequireNumbers = false,
-            RequireSpecial = true,
-            EnforceOnLogin = false
-        });
-
-        var policy3 = new Policy
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = Guid.NewGuid(),
-            Type = PolicyType.MasterPassword,
-            Enabled = true
-        };
-        policy3.SetDataModel(new MasterPasswordPolicyData
-        {
-            MinComplexity = 2,
-            MinLength = 15,
-            RequireLower = false,
-            RequireUpper = false,
-            RequireNumbers = false,
-            RequireSpecial = false,
-            EnforceOnLogin = false
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetManyByUserIdAsync(user.Id)
-            .Returns([policy1, policy2, policy3]);
-
-        // Act
-        var result = await sutProvider.Sut.GetMasterPasswordPolicyForUserAsync(user);
+        var enforcedOptions = new MasterPasswordPolicyData { MinLength = 12, RequireUpper = true };
+        var requirement = new MasterPasswordPolicyRequirement { EnforcedOptions = enforcedOptions };
 
-        // Assert: Verify that policies were combined correctly
-        Assert.NotNull(result);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsyncVNext<MasterPasswordPolicyRequirement>(user.Id)
+            .Returns(requirement);
 
-        // MinComplexity and MinLength should take the highest values
-        Assert.Equal(4, result.MinComplexity); // highest from policy2
-        Assert.Equal(15, result.MinLength); // highest from policy3
+        var result = await sutProvider.Sut.GetMasterPasswordPolicyForUserAsync(user);
 
-        // Boolean flags should use OR logic (true if any policy has true)
-        Assert.True(result.RequireLower); // true from policy1
-        Assert.True(result.RequireUpper); // true from policy2
-        Assert.True(result.RequireNumbers); // true from policy1
-        Assert.True(result.RequireSpecial); // true from policy2
-        Assert.True(result.EnforceOnLogin); // true from policy1
+        Assert.NotNull(result);
+        Assert.Equal(12, result.MinLength);
+        Assert.True(result.RequireUpper);
     }
 
     [Theory, BitAutoData]
     public async Task GetMasterPasswordPolicyForUserAsync_WithNoPolicies_ReturnsNull(User user, SutProvider<PolicyService> sutProvider)
     {
-        // Arrange: No enabled policies
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetManyByUserIdAsync(user.Id)
-            .Returns(new List<Policy>());
+        var requirement = new MasterPasswordPolicyRequirement();
 
-        // Act
-        var result = await sutProvider.Sut.GetMasterPasswordPolicyForUserAsync(user);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsyncVNext<MasterPasswordPolicyRequirement>(user.Id)
+            .Returns(requirement);
 
-        // Assert
-        Assert.Null(result);
-    }
-
-    [Theory, BitAutoData]
-    public async Task GetMasterPasswordPolicyForUserAsync_WithDisabledPolicies_ReturnsNull(User user, SutProvider<PolicyService> sutProvider)
-    {
-        // Arrange: Policies exist but are disabled
-        var disabledPolicy = new Policy
-        {
-            Id = Guid.NewGuid(),
-            OrganizationId = Guid.NewGuid(),
-            Type = PolicyType.MasterPassword,
-            Enabled = false
-        };
-        disabledPolicy.SetDataModel(new MasterPasswordPolicyData
-        {
-            MinComplexity = 3,
-            MinLength = 12
-        });
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetManyByUserIdAsync(user.Id)
-            .Returns(new List<Policy> { disabledPolicy });
-
-        // Act
         var result = await sutProvider.Sut.GetMasterPasswordPolicyForUserAsync(user);
 
-        // Assert
         Assert.Null(result);
     }
 
@@ -277,13 +185,6 @@ await sutProvider.GetDependency<IApplicationCacheService>()
                 !ids.Contains(excludedOrgId)));
     }
 
-    private static void SetupOrg(SutProvider<PolicyService> sutProvider, Guid organizationId, Organization organization)
-    {
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(organizationId)
-            .Returns(Task.FromResult(organization));
-    }
-
     private static void SetupUserPolicies(Guid userId, SutProvider<PolicyService> sutProvider)
     {
         sutProvider.GetDependency<IOrganizationUserRepository>()