[AC-1192] Create endpoints for new Device Approvals page (#2993)

* [AC-1192] Create new OrganizationAuthRequestsController.cs

* [AC-1192] Introduce OrganizationAdminAuthRequest model

* [AC-1192] Add GetManyPendingByOrganizationId method to AuthRequest repository

* [AC-1192] Add new list pending organization auth requests endpoint

* [AC-1192] Add new GetManyAdminApprovalsByManyIdsAsync method to the AuthRequestRepository

* [AC-1192] Make the response device identifier optional for admin approval requests

* [AC-1192] Add endpoint for bulk denying admin device auth requests

* [AC-1192] Add OrganizationUserId to PendingOrganizationAuthRequestResponseModel

* [AC-1192] Add UpdateAuthRequest endpoint and logic to OrganizationAuthRequestsController

* [AC-1192] Secure new endpoints behind TDE feature flag

* [AC-1192] Formatting

* [AC-1192] Add sql migration script

* [AC-1192] Add optional OrganizationId column to AuthRequest entity

- Rename migration script to match existing formatting
- Add new column
- Add migration scripts
- Update new sprocs to filter/join on OrganizationId
- Update old sprocs to include OrganizationId

* [AC-1192] Format migration scripts

* [AC-1192] Fix failing AuthRequest EF unit test

* [AC-1192] Make OrganizationId optional in updated AuthRequest sprocs for backwards compatability

* [AC-1192] Fix missing comma in migration file

* [AC-1192] Rename Key to EncryptedUserKey to be more descriptive

* [AC-1192] Move request validation into helper method to reduce repetition

* [AC-1192] Return UnauthorizedAccessException instead of NotFound when user is missing permission

* [AC-1192] Introduce FeatureUnavailableException

* [AC-1192] Introduce RequireFeatureAttribute

* [AC-1192] Utilize the new RequireFeatureAttribute in the OrganizationAuthRequestsController

* [AC-1192] Attempt to fix out of sync database migration by moving new OrganizationId column

* [AC-1192] More attempts to sync database migrations

* [AC-1192] Formatting

* [AC-1192] Remove unused reference to FeatureService

* [AC-1192] Change Id types from String to Guid

* [AC-1192] Add EncryptedString attribute

* [AC-1192] Remove redundant OrganizationId property

* [AC-1192] Switch to projection for OrganizationAdminAuthRequest mapping

- Add new OrganizationUser relationship to EF entity
- Replace AuthRequest DBContext config with new IEntityTypeConfiguration
- Add navigation property to AuthRequest entity configuration for OrganizationUser
- Update EF AuthRequestRepository to use new mapping and navigation properties

* [AC-1192] Remove OrganizationUser navigation property

src/Api/Auth/Models/Request/AdminAuthRequestUpdateRequestModel.cs

@@ -0,0 +1,13 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Auth.Models.Request;
+
+public class AdminAuthRequestUpdateRequestModel
+{
+    [EncryptedString]
+    public string EncryptedUserKey { get; set; }
+
+    [Required]
+    public bool RequestApproved { get; set; }
+}

src/Api/Auth/Models/Request/BulkDenyAdminAuthRequestRequestModel.cs

@@ -0,0 +1,6 @@
+namespace Bit.Api.Auth.Models.Request;
+
+public class BulkDenyAdminAuthRequestRequestModel
+{
+    public IEnumerable<Guid> Ids { get; set; }
+}

src/Api/Auth/Models/Response/PendingOrganizationAuthRequestResponseModel.cs

@@ -0,0 +1,38 @@
+using System.ComponentModel.DataAnnotations;
+using System.Reflection;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Auth.Models.Response;
+
+public class PendingOrganizationAuthRequestResponseModel : ResponseModel
+{
+    public PendingOrganizationAuthRequestResponseModel(OrganizationAdminAuthRequest authRequest, string obj = "pending-org-auth-request") : base(obj)
+    {
+        if (authRequest == null)
+        {
+            throw new ArgumentNullException(nameof(authRequest));
+        }
+
+        Id = authRequest.Id;
+        UserId = authRequest.UserId;
+        OrganizationUserId = authRequest.OrganizationUserId;
+        Email = authRequest.Email;
+        PublicKey = authRequest.PublicKey;
+        RequestDeviceIdentifier = authRequest.RequestDeviceIdentifier;
+        RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
+            .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
+        RequestIpAddress = authRequest.RequestIpAddress;
+        CreationDate = authRequest.CreationDate;
+    }
+
+    public Guid Id { get; set; }
+    public Guid UserId { get; set; }
+    public Guid OrganizationUserId { get; set; }
+    public string Email { get; set; }
+    public string PublicKey { get; set; }
+    public string RequestDeviceIdentifier { get; set; }
+    public string RequestDeviceType { get; set; }
+    public string RequestIpAddress { get; set; }
+    public DateTime CreationDate { get; set; }
+}

src/Api/Controllers/OrganizationAuthRequestsController.cs

@@ -0,0 +1,83 @@
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Models.Response;
+using Bit.Api.Models.Response;
+using Bit.Core;
+using Bit.Core.Auth.Models.Api.Request.AuthRequest;
+using Bit.Core.Auth.Services;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers;
+
+[Route("organizations/{orgId}/auth-requests")]
+[Authorize("Application")]
+[RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)]
+public class OrganizationAuthRequestsController : Controller
+{
+    private readonly IAuthRequestRepository _authRequestRepository;
+    private readonly ICurrentContext _currentContext;
+    private readonly IAuthRequestService _authRequestService;
+
+    public OrganizationAuthRequestsController(IAuthRequestRepository authRequestRepository,
+        ICurrentContext currentContext, IAuthRequestService authRequestService)
+    {
+        _authRequestRepository = authRequestRepository;
+        _currentContext = currentContext;
+        _authRequestService = authRequestService;
+    }
+
+    [HttpGet("")]
+    public async Task<ListResponseModel<PendingOrganizationAuthRequestResponseModel>> GetPendingRequests(Guid orgId)
+    {
+        await ValidateAdminRequest(orgId);
+
+        var authRequests = await _authRequestRepository.GetManyPendingByOrganizationIdAsync(orgId);
+        var responses = authRequests
+            .Select(a => new PendingOrganizationAuthRequestResponseModel(a))
+            .ToList();
+        return new ListResponseModel<PendingOrganizationAuthRequestResponseModel>(responses);
+    }
+
+    [HttpPost("{requestId}")]
+    public async Task UpdateAuthRequest(Guid orgId, Guid requestId, [FromBody] AdminAuthRequestUpdateRequestModel model)
+    {
+        await ValidateAdminRequest(orgId);
+
+        var authRequest =
+            (await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, new[] { requestId })).FirstOrDefault();
+
+        if (authRequest == null || authRequest.OrganizationId != orgId)
+        {
+            throw new NotFoundException();
+        }
+
+        await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
+            new AuthRequestUpdateRequestModel { RequestApproved = model.RequestApproved, Key = model.EncryptedUserKey });
+    }
+
+    [HttpPost("deny")]
+    public async Task BulkDenyRequests(Guid orgId, [FromBody] BulkDenyAdminAuthRequestRequestModel model)
+    {
+        await ValidateAdminRequest(orgId);
+
+        var authRequests = await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, model.Ids);
+
+        foreach (var authRequest in authRequests)
+        {
+            await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
+                new AuthRequestUpdateRequestModel { RequestApproved = false, });
+        }
+    }
+
+    private async Task ValidateAdminRequest(Guid orgId)
+    {
+        if (!await _currentContext.ManageResetPassword(orgId))
+        {
+            throw new UnauthorizedAccessException();
+        }
+    }
+}

src/Core/Auth/Entities/AuthRequest.cs

@@ -9,6 +9,7 @@ public class AuthRequest : ITableObject<Guid>
 {
     public Guid Id { get; set; }
     public Guid UserId { get; set; }
+    public Guid? OrganizationId { get; set; }
     public Enums.AuthRequestType Type { get; set; }
     [MaxLength(50)]
     public string RequestDeviceIdentifier { get; set; }

src/Core/Auth/Enums/AuthRequestType.cs

@@ -3,5 +3,6 @@
 public enum AuthRequestType : byte
 {
     AuthenticateAndUnlock = 0,
-    Unlock = 1
+    Unlock = 1,
+    AdminApproval = 2,
 }

src/Core/Auth/Models/Data/OrganizationAdminAuthRequest.cs

@@ -0,0 +1,18 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+
+namespace Bit.Core.Auth.Models.Data;
+
+/// <summary>
+/// Represents an <see cref="AuthRequestType.AdminApproval"/> AuthRequest.
+/// Includes additional user and organization information.
+/// </summary>
+public class OrganizationAdminAuthRequest : AuthRequest
+{
+    /// <summary>
+    /// Email address of the requesting user
+    /// </summary>
+    public string Email { get; set; }
+
+    public Guid OrganizationUserId { get; set; }
+}

src/Core/Auth/Repositories/IAuthRequestRepository.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 
 namespace Bit.Core.Repositories;
 
@@ -6,4 +7,6 @@ public interface IAuthRequestRepository : IRepository<AuthRequest, Guid>
 {
     Task<int> DeleteExpiredAsync();
     Task<ICollection<AuthRequest>> GetManyByUserIdAsync(Guid userId);
+    Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId);
+    Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids);
 }

src/Core/Auth/Services/Implementations/AuthRequestService.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Exceptions;
 using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Context;
@@ -119,13 +120,17 @@ public class AuthRequestService : IAuthRequestService
             throw new DuplicateAuthRequestException();
         }
 
-        var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
-        if (device == null)
+        // Admin approval responses are not tied to a specific device, so we don't need to validate it.
+        if (authRequest.Type != AuthRequestType.AdminApproval)
         {
-            throw new BadRequestException("Invalid device.");
+            var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
+            if (device == null)
+            {
+                throw new BadRequestException("Invalid device.");
+            }
+            authRequest.ResponseDeviceId = device.Id;
         }
 
-        authRequest.ResponseDeviceId = device.Id;
         authRequest.ResponseDate = DateTime.UtcNow;
         authRequest.Approved = model.RequestApproved;
 

src/Core/Exceptions/FeatureUnavailableException.cs

@@ -0,0 +1,14 @@
+namespace Bit.Core.Exceptions;
+
+/// <summary>
+/// Exception to throw when a requested feature is not yet enabled/available for the requesting context.
+/// </summary>
+public class FeatureUnavailableException : NotFoundException
+{
+    public FeatureUnavailableException()
+    { }
+
+    public FeatureUnavailableException(string message)
+        : base(message)
+    { }
+}

src/Core/Utilities/RequireFeatureAttribute.cs

@@ -0,0 +1,36 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Utilities;
+
+/// <summary>
+/// Specifies that the class or method that this attribute is applied to requires the specified boolean feature flag
+/// to be enabled. If the feature flag is not enabled, a <see cref="FeatureUnavailableException"/> is thrown
+/// </summary>
+public class RequireFeatureAttribute : ActionFilterAttribute
+{
+    private readonly string _featureFlagKey;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="RequireFeatureAttribute"/> class with the specified feature flag key.
+    /// </summary>
+    /// <param name="featureFlagKey">The name of the feature flag to require.</param>
+    public RequireFeatureAttribute(string featureFlagKey)
+    {
+        _featureFlagKey = featureFlagKey;
+    }
+
+    public override void OnActionExecuting(ActionExecutingContext context)
+    {
+        var currentContext = context.HttpContext.RequestServices.GetRequiredService<ICurrentContext>();
+        var featureService = context.HttpContext.RequestServices.GetRequiredService<IFeatureService>();
+
+        if (!featureService.IsEnabled(_featureFlagKey, currentContext))
+        {
+            throw new FeatureUnavailableException();
+        }
+    }
+}

src/Infrastructure.Dapper/Auth/Repositories/AuthRequestRepository.cs

@@ -1,5 +1,6 @@
 using System.Data;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Infrastructure.Dapper.Repositories;
@@ -41,4 +42,30 @@ public class AuthRequestRepository : Repository<AuthRequest, Guid>, IAuthRequest
             return results.ToList();
         }
     }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
+                $"[{Schema}].[AuthRequest_ReadPendingByOrganizationId]",
+                new { OrganizationId = organizationId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
+                $"[{Schema}].[AuthRequest_ReadAdminApprovalsByIds]",
+                new { OrganizationId = organizationId, Ids = ids.ToGuidIdArrayTVP() },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }

src/Infrastructure.EntityFramework/Auth/Configurations/AuthRequestConfiguration.cs

@@ -0,0 +1,14 @@
+using Bit.Infrastructure.EntityFramework.Auth.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Auth.Configurations;
+
+public class AuthRequestConfiguration : IEntityTypeConfiguration<AuthRequest>
+{
+    public void Configure(EntityTypeBuilder<AuthRequest> builder)
+    {
+        builder.Property(ar => ar.Id).ValueGeneratedNever();
+        builder.ToTable(nameof(AuthRequest));
+    }
+}

src/Infrastructure.EntityFramework/Auth/Models/AuthRequest.cs

@@ -1,4 +1,5 @@
 using AutoMapper;
+using Bit.Core.Auth.Models.Data;
 using Bit.Infrastructure.EntityFramework.Models;
 
 namespace Bit.Infrastructure.EntityFramework.Auth.Models;
@@ -7,6 +8,7 @@ public class AuthRequest : Core.Auth.Entities.AuthRequest
 {
     public virtual User User { get; set; }
     public virtual Device ResponseDevice { get; set; }
+    public virtual Organization Organization { get; set; }
 }
 
 public class AuthRequestMapperProfile : Profile
@@ -14,5 +16,9 @@ public class AuthRequestMapperProfile : Profile
     public AuthRequestMapperProfile()
     {
         CreateMap<Core.Auth.Entities.AuthRequest, AuthRequest>().ReverseMap();
+        CreateProjection<AuthRequest, OrganizationAdminAuthRequest>()
+            .ForMember(m => m.Email, opt => opt.MapFrom(t => t.User.Email))
+            .ForMember(m => m.OrganizationUserId, opt => opt.MapFrom(
+                t => t.User.OrganizationUsers.FirstOrDefault(ou => ou.OrganizationId == t.OrganizationId && ou.UserId == t.UserId).Id));
     }
 }

src/Infrastructure.EntityFramework/Auth/Repositories/AuthRequestRepository.cs

@@ -1,4 +1,7 @@
 using AutoMapper;
+using AutoMapper.QueryableExtensions;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Bit.Infrastructure.EntityFramework.Repositories;
@@ -33,4 +36,32 @@ public class AuthRequestRepository : Repository<Core.Auth.Entities.AuthRequest,
             return Mapper.Map<List<Core.Auth.Entities.AuthRequest>>(userAuthRequests);
         }
     }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
+                                             where ar.OrganizationId.Equals(organizationId) && ar.ResponseDate == null && ar.Type == AuthRequestType.AdminApproval
+                                             select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
+
+            return orgUserAuthRequests;
+        }
+    }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(
+        Guid organizationId,
+        IEnumerable<Guid> ids)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
+                                             where ar.OrganizationId.Equals(organizationId) && ids.Contains(ar.Id) && ar.Type == AuthRequestType.AdminApproval
+                                             select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
+
+            return orgUserAuthRequests;
+        }
+    }
 }

src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs

@@ -97,7 +97,6 @@ public class DatabaseContext : DbContext
         var eUser = builder.Entity<User>();
         var eOrganizationApiKey = builder.Entity<OrganizationApiKey>();
         var eOrganizationConnection = builder.Entity<OrganizationConnection>();
-        var eAuthRequest = builder.Entity<AuthRequest>();
         var eOrganizationDomain = builder.Entity<OrganizationDomain>();
 
         eCipher.Property(c => c.Id).ValueGeneratedNever();
@@ -119,7 +118,6 @@ public class DatabaseContext : DbContext
         eUser.Property(c => c.Id).ValueGeneratedNever();
         eOrganizationApiKey.Property(c => c.Id).ValueGeneratedNever();
         eOrganizationConnection.Property(c => c.Id).ValueGeneratedNever();
-        eAuthRequest.Property(ar => ar.Id).ValueGeneratedNever();
         eOrganizationDomain.Property(ar => ar.Id).ValueGeneratedNever();
 
         eCollectionCipher.HasKey(cc => new { cc.CollectionId, cc.CipherId });
@@ -171,7 +169,6 @@ public class DatabaseContext : DbContext
         eUser.ToTable(nameof(User));
         eOrganizationApiKey.ToTable(nameof(OrganizationApiKey));
         eOrganizationConnection.ToTable(nameof(OrganizationConnection));
-        eAuthRequest.ToTable(nameof(AuthRequest));
         eOrganizationDomain.ToTable(nameof(OrganizationDomain));
 
         ConfigureDateTimeUtcQueries(builder);

src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Create.sql

@@ -1,6 +1,7 @@
 CREATE PROCEDURE [dbo].[AuthRequest_Create]
     @Id UNIQUEIDENTIFIER OUTPUT,
     @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
     @Type TINYINT,
     @RequestDeviceIdentifier NVARCHAR(50),
     @RequestDeviceType TINYINT,
@@ -22,6 +23,7 @@ BEGIN
     (
         [Id],
         [UserId],
+        [OrganizationId],
         [Type],
         [RequestDeviceIdentifier],
         [RequestDeviceType],
@@ -40,6 +42,7 @@ BEGIN
     (
         @Id,
         @UserId,
+        @OrganizationId,
         @Type,
         @RequestDeviceIdentifier,
         @RequestDeviceType,
@@ -54,4 +57,4 @@ BEGIN
         @ResponseDate,
         @AuthenticationDate
     )
-END
+END

src/Sql/Auth/dbo/Stored Procedures/AuthRequest_ReadAdminApprovalsByIds.sql

@@ -0,0 +1,20 @@
+CREATE PROCEDURE [dbo].[AuthRequest_ReadAdminApprovalsByIds]
+	@OrganizationId UNIQUEIDENTIFIER,
+	@Ids AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    ar.*, ou.[Email], ou.[Id] AS [OrganizationUserId]
+FROM
+    [dbo].[AuthRequestView] ar
+    INNER JOIN
+        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
+    WHERE
+        ar.[OrganizationId] = @OrganizationId
+    AND
+        ar.[Type] = 2 -- AdminApproval
+    AND
+        ar.[Id] IN (SELECT [Id] FROM @Ids)
+END

src/Sql/Auth/dbo/Stored Procedures/AuthRequest_ReadPendingByOrganizationId.sql

@@ -0,0 +1,19 @@
+CREATE PROCEDURE [dbo].[AuthRequest_ReadPendingByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    ar.*, ou.[Email], ou.[OrganizationId], ou.[Id] AS [OrganizationUserId]
+FROM
+    [dbo].[AuthRequestView] ar
+    INNER JOIN
+        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
+    WHERE
+        ar.[OrganizationId] = @OrganizationId 
+    AND 
+        ar.[ResponseDate] IS NULL
+    AND
+        ar.[Type] = 2 -- AdminApproval
+END

src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Update.sql

@@ -1,6 +1,7 @@
 CREATE PROCEDURE [dbo].[AuthRequest_Update]
     @Id UNIQUEIDENTIFIER OUTPUT,
     @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
     @Type SMALLINT, 
     @RequestDeviceIdentifier NVARCHAR(50),
     @RequestDeviceType SMALLINT,
@@ -23,6 +24,7 @@ BEGIN
     SET
         [UserId] = @UserId,
         [Type] = @Type,
+        [OrganizationId] = @OrganizationId,
         [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
         [RequestDeviceType] = @RequestDeviceType,
         [RequestIpAddress] = @RequestIpAddress,

src/Sql/Auth/dbo/Tables/AuthRequest.sql

@@ -14,9 +14,11 @@
     [CreationDate]              DATETIME2 (7)    NOT NULL,
     [ResponseDate]              DATETIME2 (7)    NULL,
     [AuthenticationDate]        DATETIME2 (7)    NULL,
+    [OrganizationId]            UNIQUEIDENTIFIER NULL,
     CONSTRAINT [PK_AuthRequest] PRIMARY KEY CLUSTERED ([Id] ASC),
     CONSTRAINT [FK_AuthRequest_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id]),
-    CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id])
+    CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id]),
+    CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
 );
 
 

test/Core.Test/Utilities/RequireFeatureAttributeTests.cs

@@ -0,0 +1,85 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Abstractions;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Utilities;
+
+public class RequireFeatureAttributeTests
+{
+    private const string _testFeature = "test-feature";
+
+    [Fact]
+    public void Throws_When_Feature_Disabled()
+    {
+        // Arrange
+        var rfa = new RequireFeatureAttribute(_testFeature);
+
+        // Act & Assert
+        Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
+    }
+
+    [Fact]
+    public void Throws_When_Feature_Not_Found()
+    {
+        // Arrange
+        var rfa = new RequireFeatureAttribute("missing-feature");
+
+        // Act & Assert
+        Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
+    }
+
+    [Fact]
+    public void Success_When_Feature_Enabled()
+    {
+        // Arrange
+        var rfa = new RequireFeatureAttribute(_testFeature);
+
+        // Act
+        rfa.OnActionExecuting(GetContext(enabled: true));
+
+        // Assert
+        // The Assert here is NOT throwing an exception
+    }
+
+
+    /// <summary>
+    /// Generates a ActionExecutingContext with the necessary services registered to test
+    /// the <see cref="RequireFeatureAttribute"/>
+    /// </summary>
+    /// <param name="enabled">Mock value for the <see cref="_testFeature"/> flag</param>
+    /// <returns></returns>
+    private static ActionExecutingContext GetContext(bool enabled)
+    {
+        IServiceCollection services = new ServiceCollection();
+
+        var featureService = Substitute.For<IFeatureService>();
+        var currentContext = Substitute.For<ICurrentContext>();
+
+        featureService.IsEnabled(_testFeature, Arg.Any<ICurrentContext>()).Returns(enabled);
+
+        services.AddSingleton(featureService);
+        services.AddSingleton(currentContext);
+
+        var httpContext = new DefaultHttpContext();
+        httpContext.RequestServices = services.BuildServiceProvider();
+
+        var context = Substitute.For<ActionExecutingContext>(
+            Substitute.For<ActionContext>(httpContext,
+                new RouteData(),
+                Substitute.For<ActionDescriptor>()),
+            new List<IFilterMetadata>(),
+            new Dictionary<string, object>(),
+            Substitute.For<Controller>());
+
+        return context;
+    }
+}

test/Infrastructure.EFIntegration.Test/Auth/AutoFixture/AuthRequestFixtures.cs

@@ -41,9 +41,11 @@ internal class EfAuthRequest : ICustomization
         fixture.Customizations.Add(new GlobalSettingsBuilder());
         fixture.Customizations.Add(new AuthRequestBuilder());
         fixture.Customizations.Add(new DeviceBuilder());
+        fixture.Customizations.Add(new OrganizationBuilder());
         fixture.Customizations.Add(new UserBuilder());
         fixture.Customizations.Add(new EfRepositoryListBuilder<AuthRequestRepository>());
         fixture.Customizations.Add(new EfRepositoryListBuilder<DeviceRepository>());
+        fixture.Customizations.Add(new EfRepositoryListBuilder<OrganizationRepository>());
         fixture.Customizations.Add(new EfRepositoryListBuilder<UserRepository>());
     }
 }

test/Infrastructure.EFIntegration.Test/Auth/Repositories/AuthRequestRepositoryTests.cs

@@ -19,9 +19,12 @@ public class AuthRequestRepositoryTests
         AuthRequestCompare equalityComparer,
         List<EfAuthRepo.AuthRequestRepository> suts,
         SqlAuthRepo.AuthRequestRepository sqlAuthRequestRepo,
+        Organization organization,
         User user,
         List<EfRepo.UserRepository> efUserRepos,
-        SqlRepo.UserRepository sqlUserRepo
+        List<EfRepo.OrganizationRepository> efOrgRepos,
+        SqlRepo.UserRepository sqlUserRepo,
+        SqlRepo.OrganizationRepository sqlOrgRepo
         )
     {
         authRequest.ResponseDeviceId = null;
@@ -34,6 +37,10 @@ public class AuthRequestRepositoryTests
             sut.ClearChangeTracking();
             authRequest.UserId = efUser.Id;
 
+            var efOrg = await efOrgRepos[i].CreateAsync(organization);
+            sut.ClearChangeTracking();
+            authRequest.OrganizationId = efOrg.Id;
+
             var postEfAuthRequest = await sut.CreateAsync(authRequest);
             sut.ClearChangeTracking();
 
@@ -43,6 +50,8 @@ public class AuthRequestRepositoryTests
 
         var sqlUser = await sqlUserRepo.CreateAsync(user);
         authRequest.UserId = sqlUser.Id;
+        var sqlOrg = await sqlOrgRepo.CreateAsync(organization);
+        authRequest.OrganizationId = sqlOrg.Id;
         var sqlAuthRequest = await sqlAuthRequestRepo.CreateAsync(authRequest);
         var savedSqlAuthRequest = await sqlAuthRequestRepo.GetByIdAsync(sqlAuthRequest.Id);
         savedAuthRequests.Add(savedSqlAuthRequest);

util/Migrator/DbScripts/2023-06-01_00_TdeAdminApproval.sql

@@ -0,0 +1,193 @@
+--Add OrganizationId Column and Foreign Key
+IF COL_LENGTH('[dbo].[AuthRequest]', 'OrganizationId') IS NULL
+BEGIN
+ALTER TABLE
+    [dbo].[AuthRequest]
+    ADD [OrganizationId] UNIQUEIDENTIFIER NULL;
+    ALTER TABLE 
+    [dbo].[AuthRequest]
+    ADD CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
+END
+GO
+
+-- Drop and recreate view
+IF EXISTS(SELECT * FROM sys.views WHERE [Name] = 'AuthRequestView')
+    BEGIN
+        DROP VIEW [dbo].[AuthRequestView]
+    END
+GO
+    
+CREATE VIEW [dbo].[AuthRequestView]
+AS
+SELECT
+    *
+FROM
+    [dbo].[AuthRequest]
+GO
+
+--Drop existing SPROC
+IF OBJECT_ID('[dbo].[AuthRequest_Update]') IS NOT NULL
+    BEGIN
+        DROP PROCEDURE [dbo].[AuthRequest_Update]
+    END
+GO
+
+--Create SPROC with OrganizationId column
+CREATE PROCEDURE [dbo].[AuthRequest_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
+    @Type SMALLINT, 
+    @RequestDeviceIdentifier NVARCHAR(50),
+    @RequestDeviceType SMALLINT,
+    @RequestIpAddress VARCHAR(50),
+    @ResponseDeviceId UNIQUEIDENTIFIER,
+    @AccessCode VARCHAR(25),
+    @PublicKey VARCHAR(MAX),
+    @Key VARCHAR(MAX),
+    @MasterPasswordHash VARCHAR(MAX),
+    @Approved BIT,
+    @CreationDate DATETIME2 (7),
+    @ResponseDate DATETIME2 (7),
+    @AuthenticationDate DATETIME2 (7)    
+AS
+BEGIN
+    SET NOCOUNT ON
+
+UPDATE
+    [dbo].[AuthRequest]
+SET
+    [UserId] = @UserId,
+    [Type] = @Type,
+    [OrganizationId] = @OrganizationId,
+    [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
+    [RequestDeviceType] = @RequestDeviceType,
+    [RequestIpAddress] = @RequestIpAddress,
+    [ResponseDeviceId] = @ResponseDeviceId,
+    [AccessCode] = @AccessCode,
+    [PublicKey] = @PublicKey,
+    [Key] = @Key,
+    [MasterPasswordHash] = @MasterPasswordHash,
+    [Approved] = @Approved,
+    [CreationDate] = @CreationDate,
+    [ResponseDate] = @ResponseDate,
+    [AuthenticationDate] = @AuthenticationDate
+WHERE
+    [Id] = @Id
+END
+GO
+    
+--Drop existing SPROC
+IF OBJECT_ID('[dbo].[AuthRequest_Create]') IS NOT NULL
+BEGIN
+        DROP PROCEDURE [dbo].[AuthRequest_Create]
+END
+GO
+    
+--Create SPROC with OrganizationId column
+CREATE PROCEDURE [dbo].[AuthRequest_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
+    @Type TINYINT,
+    @RequestDeviceIdentifier NVARCHAR(50),
+    @RequestDeviceType TINYINT,
+    @RequestIpAddress VARCHAR(50),
+    @ResponseDeviceId UNIQUEIDENTIFIER,
+    @AccessCode VARCHAR(25),
+    @PublicKey VARCHAR(MAX),
+    @Key VARCHAR(MAX),
+    @MasterPasswordHash VARCHAR(MAX),
+    @Approved BIT,
+    @CreationDate DATETIME2(7),
+    @ResponseDate DATETIME2(7),
+    @AuthenticationDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[AuthRequest]
+    (
+        [Id],
+        [UserId],
+        [OrganizationId],
+        [Type],
+        [RequestDeviceIdentifier],
+        [RequestDeviceType],
+        [RequestIpAddress],
+        [ResponseDeviceId],
+        [AccessCode],
+        [PublicKey],
+        [Key],
+        [MasterPasswordHash],
+        [Approved],
+        [CreationDate],
+        [ResponseDate],
+        [AuthenticationDate]
+    )
+    VALUES
+    (
+        @Id,
+        @UserId,
+        @OrganizationId,
+        @Type,
+        @RequestDeviceIdentifier,
+        @RequestDeviceType,
+        @RequestIpAddress,
+        @ResponseDeviceId,
+        @AccessCode,
+        @PublicKey,
+        @Key,
+        @MasterPasswordHash,
+        @Approved,
+        @CreationDate,
+        @ResponseDate,
+        @AuthenticationDate
+    )
+END
+Go
+    
+-- New SPROC
+CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_ReadAdminApprovalsByIds]
+	@OrganizationId UNIQUEIDENTIFIER,
+	@Ids AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    ar.*, ou.[Email], ou.[Id] AS [OrganizationUserId]
+FROM
+    [dbo].[AuthRequestView] ar
+    INNER JOIN
+        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
+    WHERE
+        ar.[OrganizationId] = @OrganizationId
+    AND
+        ar.[Type] = 2 -- AdminApproval
+    AND
+        ar.[Id] IN (SELECT [Id] FROM @Ids)
+END
+GO
+
+-- New SPROC
+CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_ReadPendingByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    ar.*, ou.[Email], ou.[OrganizationId], ou.[Id] AS [OrganizationUserId]
+FROM
+    [dbo].[AuthRequestView] ar
+    INNER JOIN
+        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
+    WHERE
+        ar.[OrganizationId] = @OrganizationId
+    AND
+        ar.[ResponseDate] IS NULL
+    AND
+        ar.[Type] = 2 -- AdminApproval
+END
+GO

util/MySqlMigrations/Migrations/20230605183142_TdeAdminApproval.cs

@@ -0,0 +1,45 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+public partial class TdeAdminApproval : Migration
+{
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "OrganizationId",
+            table: "AuthRequest",
+            type: "char(36)",
+            nullable: true,
+            collation: "ascii_general_ci");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_AuthRequest_OrganizationId",
+            table: "AuthRequest",
+            column: "OrganizationId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_AuthRequest_Organization_OrganizationId",
+            table: "AuthRequest",
+            column: "OrganizationId",
+            principalTable: "Organization",
+            principalColumn: "Id");
+    }
+
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_AuthRequest_Organization_OrganizationId",
+            table: "AuthRequest");
+
+        migrationBuilder.DropIndex(
+            name: "IX_AuthRequest_OrganizationId",
+            table: "AuthRequest");
+
+        migrationBuilder.DropColumn(
+            name: "OrganizationId",
+            table: "AuthRequest");
+    }
+}

util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -43,6 +43,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<string>("MasterPasswordHash")
                         .HasColumnType("longtext");
 
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("char(36)");
+
                     b.Property<string>("PublicKey")
                         .HasColumnType("longtext");
 
@@ -71,6 +74,8 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("OrganizationId");
+
                     b.HasIndex("ResponseDeviceId");
 
                     b.HasIndex("UserId");
@@ -1658,6 +1663,10 @@ namespace Bit.MySqlMigrations.Migrations
 
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
                 {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
                     b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
                         .WithMany()
                         .HasForeignKey("ResponseDeviceId");
@@ -1668,6 +1677,8 @@ namespace Bit.MySqlMigrations.Migrations
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
 
+                    b.Navigation("Organization");
+
                     b.Navigation("ResponseDevice");
 
                     b.Navigation("User");

util/PostgresMigrations/Migrations/20230605182609_TdeAdminApproval.cs

@@ -0,0 +1,44 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+public partial class TdeAdminApproval : Migration
+{
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "OrganizationId",
+            table: "AuthRequest",
+            type: "uuid",
+            nullable: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_AuthRequest_OrganizationId",
+            table: "AuthRequest",
+            column: "OrganizationId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_AuthRequest_Organization_OrganizationId",
+            table: "AuthRequest",
+            column: "OrganizationId",
+            principalTable: "Organization",
+            principalColumn: "Id");
+    }
+
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_AuthRequest_Organization_OrganizationId",
+            table: "AuthRequest");
+
+        migrationBuilder.DropIndex(
+            name: "IX_AuthRequest_OrganizationId",
+            table: "AuthRequest");
+
+        migrationBuilder.DropColumn(
+            name: "OrganizationId",
+            table: "AuthRequest");
+    }
+}

util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -47,6 +47,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<string>("MasterPasswordHash")
                         .HasColumnType("text");
 
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("uuid");
+
                     b.Property<string>("PublicKey")
                         .HasColumnType("text");
 
@@ -75,6 +78,8 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("OrganizationId");
+
                     b.HasIndex("ResponseDeviceId");
 
                     b.HasIndex("UserId");
@@ -1669,6 +1674,10 @@ namespace Bit.PostgresMigrations.Migrations
 
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
                 {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
                     b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
                         .WithMany()
                         .HasForeignKey("ResponseDeviceId");
@@ -1679,6 +1688,8 @@ namespace Bit.PostgresMigrations.Migrations
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
 
+                    b.Navigation("Organization");
+
                     b.Navigation("ResponseDevice");
 
                     b.Navigation("User");

util/SqliteMigrations/Migrations/20230605182605_TdeAdminApproval.cs

@@ -0,0 +1,44 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+public partial class TdeAdminApproval : Migration
+{
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "OrganizationId",
+            table: "AuthRequest",
+            type: "TEXT",
+            nullable: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_AuthRequest_OrganizationId",
+            table: "AuthRequest",
+            column: "OrganizationId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_AuthRequest_Organization_OrganizationId",
+            table: "AuthRequest",
+            column: "OrganizationId",
+            principalTable: "Organization",
+            principalColumn: "Id");
+    }
+
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_AuthRequest_Organization_OrganizationId",
+            table: "AuthRequest");
+
+        migrationBuilder.DropIndex(
+            name: "IX_AuthRequest_OrganizationId",
+            table: "AuthRequest");
+
+        migrationBuilder.DropColumn(
+            name: "OrganizationId",
+            table: "AuthRequest");
+    }
+}

util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -41,6 +41,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<string>("MasterPasswordHash")
                         .HasColumnType("TEXT");
 
+                    b.Property<Guid?>("OrganizationId")
+                        .HasColumnType("TEXT");
+
                     b.Property<string>("PublicKey")
                         .HasColumnType("TEXT");
 
@@ -69,6 +72,8 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("OrganizationId");
+
                     b.HasIndex("ResponseDeviceId");
 
                     b.HasIndex("UserId");
@@ -1656,6 +1661,10 @@ namespace Bit.SqliteMigrations.Migrations
 
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
                 {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
+                        .WithMany()
+                        .HasForeignKey("OrganizationId");
+
                     b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
                         .WithMany()
                         .HasForeignKey("ResponseDeviceId");
@@ -1666,6 +1675,8 @@ namespace Bit.SqliteMigrations.Migrations
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
 
+                    b.Navigation("Organization");
+
                     b.Navigation("ResponseDevice");
 
                     b.Navigation("User");