feat(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance (#6940)

Patrick-Pimentel-Bitwarden · web-flow · commit e0a08710a8de · 2026-03-12T16:48:19.000Z
* feat(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Initial implementation

* fix(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Changes in a good place. Need to write tests.

* test(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Service tests have been added.

* fix(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Fixed comment.
diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/AutomaticUserConfirmationPolicyRequirement.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/AutomaticUserConfirmationPolicyRequirement.cs
@@ -19,7 +19,25 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements
 /// <param name="policyDetails">Collection of policy details that apply to this user id</param>
 public class AutomaticUserConfirmationPolicyRequirement(IEnumerable<PolicyDetails> policyDetails) : IPolicyRequirement
 {
-    public bool CannotHaveEmergencyAccess() => policyDetails.Any();
+    /// <summary>
+    /// Returns true if the user cannot invite to emergency access because they are in an
+    /// auto-confirm organization with status Accepted, Confirmed, or Revoked.
+    /// </summary>
+    public bool GrantorCannotInviteToEmergencyAccess() => policyDetails.Any(p =>
+        p.OrganizationUserStatus is
+            OrganizationUserStatusType.Accepted or
+            OrganizationUserStatusType.Confirmed or
+            OrganizationUserStatusType.Revoked);
+
+    /// <summary>
+    /// Returns true if the user cannot accept emergency access because they are in an
+    /// auto-confirm organization with status Accepted, Confirmed, or Revoked.
+    /// </summary>
+    public bool GranteeCannotAcceptEmergencyAccess() => policyDetails.Any(p =>
+        p.OrganizationUserStatus is
+            OrganizationUserStatusType.Accepted or
+            OrganizationUserStatusType.Confirmed or
+            OrganizationUserStatusType.Revoked);
 
     public bool CannotJoinProvider() => policyDetails.Any();
 
diff --git a/src/Core/Auth/UserFeatures/EmergencyAccess/EmergencyAccessService.cs b/src/Core/Auth/UserFeatures/EmergencyAccess/EmergencyAccessService.cs
@@ -3,6 +3,8 @@
 
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Business.Tokenables;
@@ -33,6 +35,8 @@ public class EmergencyAccessService : IEmergencyAccessService
     private readonly GlobalSettings _globalSettings;
     private readonly IDataProtectorTokenFactory<EmergencyAccessInviteTokenable> _dataProtectorTokenizer;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly IFeatureService _featureService;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;
 
     public EmergencyAccessService(
         IEmergencyAccessRepository emergencyAccessRepository,
@@ -45,7 +49,9 @@ public EmergencyAccessService(
         IUserService userService,
         GlobalSettings globalSettings,
         IDataProtectorTokenFactory<EmergencyAccessInviteTokenable> dataProtectorTokenizer,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand)
+        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
+        IFeatureService featureService,
+        IPolicyRequirementQuery policyRequirementQuery)
     {
         _emergencyAccessRepository = emergencyAccessRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -58,6 +64,8 @@ public EmergencyAccessService(
         _globalSettings = globalSettings;
         _dataProtectorTokenizer = dataProtectorTokenizer;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
+        _featureService = featureService;
+        _policyRequirementQuery = policyRequirementQuery;
     }
 
     public async Task<Entities.EmergencyAccess> InviteAsync(User grantorUser, string emergencyContactEmail, EmergencyAccessType accessType, int waitTime)
@@ -72,6 +80,17 @@ public EmergencyAccessService(
             throw new BadRequestException("You cannot use Emergency Access Takeover because you are using Key Connector.");
         }
 
+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+        {
+            var requirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(grantorUser.Id);
+
+            if (requirement.GrantorCannotInviteToEmergencyAccess())
+            {
+                throw new BadRequestException("You cannot invite emergency contacts because you are a member of an organization that uses Automatic User Confirmation.");
+            }
+        }
+
         var emergencyAccess = new Entities.EmergencyAccess
         {
             GrantorId = grantorUser.Id,
@@ -130,6 +149,17 @@ public async Task ResendInviteAsync(User grantorUser, Guid emergencyAccessId)
             throw new BadRequestException("Invalid token.");
         }
 
+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+        {
+            var requirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(granteeUser.Id);
+
+            if (requirement.GranteeCannotAcceptEmergencyAccess())
+            {
+                throw new BadRequestException("You cannot accept emergency access invitations because you are a member of an organization that uses Automatic User Confirmation.");
+            }
+        }
+
         if (emergencyAccess.Status == EmergencyAccessStatusType.Accepted)
         {
             throw new BadRequestException("Invitation already accepted. You will receive an email when the grantor confirms you as an emergency access contact.");
@@ -161,7 +191,7 @@ public async Task ResendInviteAsync(User grantorUser, Guid emergencyAccessId)
         return emergencyAccess;
     }
 
-    // TODO: remove with PM-31327 when we migrate to the command. 
+    // TODO: remove with PM-31327 when we migrate to the command.
     public async Task DeleteAsync(Guid emergencyAccessId, Guid userId)
     {
         var emergencyAccess = await _emergencyAccessRepository.GetByIdAsync(emergencyAccessId);
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/AutomaticUserConfirmationPolicyRequirementTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/AutomaticUserConfirmationPolicyRequirementTests.cs
@@ -0,0 +1,152 @@
+﻿using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Enums;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public class AutomaticUserConfirmationPolicyRequirementTests
+{
+    [Theory]
+    [InlineData(OrganizationUserStatusType.Accepted)]
+    [InlineData(OrganizationUserStatusType.Confirmed)]
+    [InlineData(OrganizationUserStatusType.Revoked)]
+    public void CannotGrantEmergencyAccess_WithActiveStatus_ReturnsTrue(OrganizationUserStatusType status)
+    {
+        var policyDetails = new[]
+        {
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = status
+            }
+        };
+
+        var sut = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+
+        Assert.True(sut.GrantorCannotInviteToEmergencyAccess());
+    }
+
+    [Fact]
+    public void CannotGrantEmergencyAccess_WithInvitedStatus_ReturnsFalse()
+    {
+        var policyDetails = new[]
+        {
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = OrganizationUserStatusType.Invited
+            }
+        };
+
+        var sut = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+
+        Assert.False(sut.GrantorCannotInviteToEmergencyAccess());
+    }
+
+    [Fact]
+    public void CannotGrantEmergencyAccess_WithNoPolicies_ReturnsFalse()
+    {
+        var sut = new AutomaticUserConfirmationPolicyRequirement([]);
+
+        Assert.False(sut.GrantorCannotInviteToEmergencyAccess());
+    }
+
+    [Theory]
+    [InlineData(OrganizationUserStatusType.Accepted)]
+    [InlineData(OrganizationUserStatusType.Confirmed)]
+    [InlineData(OrganizationUserStatusType.Revoked)]
+    public void CannotBeGrantedEmergencyAccess_WithActiveStatus_ReturnsTrue(OrganizationUserStatusType status)
+    {
+        var policyDetails = new[]
+        {
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = status
+            }
+        };
+
+        var sut = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+
+        Assert.True(sut.GranteeCannotAcceptEmergencyAccess());
+    }
+
+    [Fact]
+    public void CannotBeGrantedEmergencyAccess_WithInvitedStatus_ReturnsFalse()
+    {
+        var policyDetails = new[]
+        {
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = OrganizationUserStatusType.Invited
+            }
+        };
+
+        var sut = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+
+        Assert.False(sut.GranteeCannotAcceptEmergencyAccess());
+    }
+
+    [Fact]
+    public void CannotBeGrantedEmergencyAccess_WithNoPolicies_ReturnsFalse()
+    {
+        var sut = new AutomaticUserConfirmationPolicyRequirement([]);
+
+        Assert.False(sut.GranteeCannotAcceptEmergencyAccess());
+    }
+
+    [Fact]
+    public void CannotGrantEmergencyAccess_WithMultiplePolicies_OneActive_ReturnsTrue()
+    {
+        var policyDetails = new[]
+        {
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = OrganizationUserStatusType.Invited
+            },
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = OrganizationUserStatusType.Confirmed
+            }
+        };
+
+        var sut = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+
+        Assert.True(sut.GrantorCannotInviteToEmergencyAccess());
+    }
+
+    [Fact]
+    public void CannotBeGrantedEmergencyAccess_WithMultiplePolicies_OneActive_ReturnsTrue()
+    {
+        var policyDetails = new[]
+        {
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = OrganizationUserStatusType.Invited
+            },
+            new PolicyDetails
+            {
+                OrganizationId = Guid.NewGuid(),
+                PolicyType = PolicyType.AutomaticUserConfirmation,
+                OrganizationUserStatus = OrganizationUserStatusType.Confirmed
+            }
+        };
+
+        var sut = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+
+        Assert.True(sut.GranteeCannotAcceptEmergencyAccess());
+    }
+}
diff --git a/test/Core.Test/Auth/UserFeatures/EmergencyAccess/EmergencyAccessServiceTests.cs b/test/Core.Test/Auth/UserFeatures/EmergencyAccess/EmergencyAccessServiceTests.cs
