[PM-31884] Add access control support to Send Controls policy

src/Core/AdminConsole/Models/Data/Organizations/Policies/SendControlsAllowedAccessControl.cs

@@ -0,0 +1,8 @@
+namespace Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+public enum SendWhoCanAccessType
+{
+  Any,
+  PasswordProtected,
+  SpecificPeople
+}

src/Core/AdminConsole/Models/Data/Organizations/Policies/SendControlsPolicyData.cs

@@ -8,4 +8,9 @@ public class SendControlsPolicyData : IPolicyDataModel
     public bool DisableSend { get; set; }
     [Display(Name = "DisableHideEmail")]
     public bool DisableHideEmail { get; set; }
+    [Display(Name = "AllowedAccessControl")]
+    public SendWhoCanAccessType? WhoCanAccess { get; set; }
+    [Display(Name = "AllowedDomains")]
+    [StringLength(1000)]
+    public string? AllowedDomains { get; set; }
 }

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyEventHandlers/SendControlsSyncPolicyEvent.cs

@@ -4,6 +4,9 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Repositories;
+using Bit.Core.Tools.Services;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyEventHandlers;
 
@@ -13,7 +16,8 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyEventHandler
 /// </summary>
 public class SendControlsSyncPolicyEvent(
     IPolicyRepository policyRepository,
-    TimeProvider timeProvider) : IOnPolicyPostUpdateEvent
+    TimeProvider timeProvider,
+    ISendRepository sendRepository) : IOnPolicyPostUpdateEvent, IPolicyValidationEvent
 {
     public PolicyType Type => PolicyType.SendControls;
 
@@ -37,6 +41,8 @@ await UpsertLegacyPolicyAsync(
             PolicyType.SendOptions,
             enabled: postUpsertedPolicyState.Enabled && sendControlsPolicyData.DisableHideEmail,
             policyData: sendOptionsData);
+
+        await UpdateSendsByPolicyAsync(postUpsertedPolicyState, sendControlsPolicyData);
     }
 
     private async Task UpsertLegacyPolicyAsync<T>(
@@ -60,4 +66,49 @@ private async Task UpsertLegacyPolicyAsync<T>(
 
         await policyRepository.UpsertAsync(policy);
     }
+
+    public Task<string> ValidateAsync(SavePolicyModel policyRequest, Policy? currentPolicy)
+    {
+        var dataModel = policyRequest.PolicyUpdate.GetDataModel<SendControlsPolicyData>();
+        if (dataModel.AllowedDomains is not null && dataModel.WhoCanAccess != SendWhoCanAccessType.SpecificPeople)
+        {
+            return Task.FromResult("Allowed domains can only be set when the required access type is set to specific people");
+        }
+        return Task.FromResult(string.Empty);
+    }
+
+    private async Task UpdateSendsByPolicyAsync(Policy postUpsertedPolicyState, SendControlsPolicyData sendControlsPolicyData)
+    {
+        var orgSendIds = await sendRepository.GetIdsByOrganizationIdAsync(postUpsertedPolicyState.OrganizationId);
+        foreach (var sendIdsChunk in orgSendIds.Chunk(50))
+        {
+            var enabled = new List<Guid>();
+            var disabled = new List<Guid>();
+            var sendsChunk = await sendRepository.GetManyByIdsAsync(sendIdsChunk);
+            foreach (var send in sendsChunk)
+            {
+                if (
+                    // If the policy is disabled then we want to re-enable any Sends that were previously disabled
+                    postUpsertedPolicyState.Enabled && 
+                    (sendControlsPolicyData.DisableSend ||
+                    (sendControlsPolicyData.DisableHideEmail && (send.HideEmail ?? false)) ||
+                    (sendControlsPolicyData.WhoCanAccess == SendWhoCanAccessType.PasswordProtected && send.AuthType != AuthType.Password) ||
+                    (sendControlsPolicyData.WhoCanAccess == SendWhoCanAccessType.SpecificPeople && send.AuthType != AuthType.Email) ||
+                    (sendControlsPolicyData.WhoCanAccess == SendWhoCanAccessType.SpecificPeople && !SendValidationService.SendAllEmailsHaveAllowedDomains(send.Emails, sendControlsPolicyData.AllowedDomains))))
+                {
+                    disabled.Add(send.Id);
+                } else
+                {
+                    enabled.Add(send.Id);
+                }
+            }
+            if (enabled.Count > 0) {
+                await sendRepository.UpdateManyDisabledAsync(enabled, false);
+            }
+            if (disabled.Count > 0)
+            {
+                await sendRepository.UpdateManyDisabledAsync(disabled, true);
+            }
+        }
+    }
 }

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SendControlsPolicyRequirement.cs

@@ -19,6 +19,16 @@ public class SendControlsPolicyRequirement : IPolicyRequirement
     /// Indicates whether the user is prohibited from hiding their email from the recipient of a Send.
     /// </summary>
     public bool DisableHideEmail { get; init; }
+
+    /// <summary>
+    /// Indicates the access control that a user must specify on their Sends
+    /// </summary>
+    public SendWhoCanAccessType? WhoCanAccess { get; init; }
+
+    /// <summary>
+    /// Indicates the domains the emails of an email-protected Send must use
+    /// </summary>
+    public string? AllowedDomains { get; init; }
 }
 
 public class SendControlsPolicyRequirementFactory : BasePolicyRequirementFactory<SendControlsPolicyRequirement>
@@ -35,6 +45,8 @@ public override SendControlsPolicyRequirement Create(IEnumerable<PolicyDetails>
                 {
                     DisableSend = result.DisableSend || data.DisableSend,
                     DisableHideEmail = result.DisableHideEmail || data.DisableHideEmail,
+                    WhoCanAccess = result.WhoCanAccess ?? data.WhoCanAccess,
+                    AllowedDomains = result.AllowedDomains ?? data.AllowedDomains
                 });
     }
 }

src/Core/Tools/Repositories/ISendRepository.cs

@@ -78,4 +78,24 @@ public interface ISendRepository : IRepository<Send, Guid>
     /// <param name="sends">A list of sends with updated data</param>
     UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
         IEnumerable<Send> sends);
+
+    /// <summary>
+    /// Updates the 'Disabled' field for Sends by IDs in bulk
+    /// </summary>
+    /// <param name="ids">A list of Send IDs to update</param>
+    /// <param name="disabled">The value to set the 'Disabled' field to</param>
+    Task UpdateManyDisabledAsync(IEnumerable<Guid> ids, bool disabled);
+
+    /// <summary>
+    /// Fetches the IDs of all <see cref="Send"/>ss of all Users that are members of an Organization
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization to fetch Sends for</param>
+    Task<IEnumerable<Guid>> GetIdsByOrganizationIdAsync(Guid organizationId);
+
+    /// <summary>
+    /// Load <see cref="Send"/>s in bulk by IDs
+    /// </summary>
+    /// <param name="ids">The IDs of the <see cref="Send"/>ss to load</param>
+    /// <returns></returns>
+    Task<ICollection<Send>> GetManyByIdsAsync(IEnumerable<Guid> ids);
 }

src/Core/Tools/SendFeatures/Services/SendValidationService.cs

@@ -1,7 +1,6 @@
 // FIXME: Update this file to be null safe and then delete the line below
 
-#nullable disable
-
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.Billing.Pricing;
@@ -10,6 +9,7 @@
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Tools.Services;
 
@@ -48,13 +48,13 @@ public async Task ValidateUserCanSaveAsync(Guid? userId, Send send)
         }
 
         // Once data migration has run, query only SendControls
-        // var sendControlsTask = _policyRequirementQuery.GetAsync<SendControlsPolicyRequirement>(userId.Value);
+        var sendControlsTask = _policyRequirementQuery.GetAsync<SendControlsPolicyRequirement>(userId.Value);
         var disableSendTask = _policyRequirementQuery.GetAsync<DisableSendPolicyRequirement>(userId.Value);
         var sendOptionsTask = _policyRequirementQuery.GetAsync<SendOptionsPolicyRequirement>(userId.Value);
 
-        await Task.WhenAll(disableSendTask, sendOptionsTask);
+        await Task.WhenAll(sendControlsTask, disableSendTask, sendOptionsTask);
 
-        // var sendControlsRequirement = sendControlsTask.Result;
+        var sendControlsRequirement = sendControlsTask.Result;
         var disableSendRequirement = disableSendTask.Result;
         var sendOptionsRequirement = sendOptionsTask.Result;
 
@@ -68,14 +68,42 @@ public async Task ValidateUserCanSaveAsync(Guid? userId, Send send)
             throw new BadRequestException(
                 "Due to an Enterprise Policy, you are not allowed to hide your email address from recipients when creating or editing a Send.");
         }
+
+        var passwordRequired = sendControlsRequirement.WhoCanAccess == SendWhoCanAccessType.PasswordProtected;
+        var emailsRequired = sendControlsRequirement.WhoCanAccess == SendWhoCanAccessType.SpecificPeople;
+        if ((passwordRequired && send.Password == null) || (emailsRequired && send.Emails == null))
+        {
+            var requiredAccessControl = passwordRequired ? "password" : emailsRequired ? "email verification" : "(cannot determine required auth)";
+            throw new BadRequestException($"Due to an Enterprise Policy your Sends must be protected by {requiredAccessControl}");
+        }
+
+        if (emailsRequired && sendControlsRequirement.AllowedDomains != null)
+        {
+            if (!SendAllEmailsHaveAllowedDomains(send.Emails, sendControlsRequirement.AllowedDomains))
+            {
+                throw new BadRequestException($"Due to an Enterprise Policy your Sends must be protected by email verification and access granted only to the following domain(s): {sendControlsRequirement.AllowedDomains}");
+            }
+        }
     }
 
+    public static bool SendAllEmailsHaveAllowedDomains(string? emailsString, string? domainsString)
+    {
+        var domains = (domainsString ?? "").Split(",", StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
+        var emails = (emailsString ?? "").Split(",", StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
+        return emails.All(email => domains.Any(domain =>
+        {
+            var emailDomain = EmailValidation.GetDomain(email);
+            return emailDomain.Equals(domain, StringComparison.OrdinalIgnoreCase)
+                || emailDomain.EndsWith("." + domain, StringComparison.OrdinalIgnoreCase);
+        }));
+    } 
+
     public async Task<long> StorageRemainingForSendAsync(Send send)
     {
         var storageBytesRemaining = 0L;
         if (send.UserId.HasValue)
         {
-            var user = await _userRepository.GetByIdAsync(send.UserId.Value);
+            var user = await _userRepository.GetByIdAsync(send.UserId.Value) ?? throw new NotFoundException("Send user not found");
             if (!await _userService.CanAccessPremium(user))
             {
                 throw new BadRequestException("You must have premium status to use file Sends.");
@@ -110,7 +138,7 @@ public async Task<long> StorageRemainingForSendAsync(Send send)
         }
         else if (send.OrganizationId.HasValue)
         {
-            var org = await _organizationRepository.GetByIdAsync(send.OrganizationId.Value);
+            var org = await _organizationRepository.GetByIdAsync(send.OrganizationId.Value) ?? throw new NotFoundException("Send organization not found");
             if (!org.MaxStorageGb.HasValue)
             {
                 throw new BadRequestException("This organization cannot use file sends.");

src/Infrastructure.Dapper/Tools/Repositories/SendRepository.cs

@@ -193,6 +193,37 @@ INNER JOIN
         };
     }
 
+    public async Task UpdateManyDisabledAsync(IEnumerable<Guid> ids, bool disabled)
+    {
+        using var connection = new SqlConnection(ConnectionString);
+        await connection.ExecuteAsync(
+            $"[{Schema}].[Send_UpdateDisabledByIds]",
+            new { Ids = ids.ToGuidIdArrayTVP(), Disabled = disabled },
+            commandType: CommandType.StoredProcedure);
+    }
+
+    public async Task<IEnumerable<Guid>> GetIdsByOrganizationIdAsync(Guid organizationId)
+    {
+        using var connection = new SqlConnection(ConnectionString);
+        var sendIds = await connection.QueryAsync<Guid>(
+            $"[{Schema}].[Send_ReadIdsByOrgId]",
+            new { Id = organizationId },
+            commandType: CommandType.StoredProcedure);
+        return sendIds;
+    }
+
+    public async Task<ICollection<Send>> GetManyByIdsAsync(IEnumerable<Guid> ids)
+    {
+        using var connection = new SqlConnection(ConnectionString);
+        var results = await connection.QueryAsync<Send>(
+            $"[{Schema}].[Send_ReadByIds]",
+            new { Ids = ids.ToGuidIdArrayTVP() },
+            commandType: CommandType.StoredProcedure);
+        var sends = results.ToList();
+        UnprotectData(sends);
+        return sends;
+    }
+
     private async Task ProtectDataAndSaveAsync(Send send, Func<Task> saveTask)
     {
         if (send == null)

src/Infrastructure.EntityFramework/Tools/Repositories/SendRepository.cs

@@ -132,4 +132,35 @@ public UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
         };
     }
 
+    /// <inheritdoc />  
+    public async Task UpdateManyDisabledAsync(IEnumerable<Guid> ids, bool disabled)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var sends = dbContext.Sends.Where(s => ids.Contains(s.Id));
+        await sends.ExecuteUpdateAsync(setters => setters
+            .SetProperty(s => s.Disabled, disabled)
+            .SetProperty(s => s.RevisionDate, DateTime.UtcNow)
+        );
+        var userIds = await sends.Select(s => s.User.Id).ToArrayAsync() ?? [];
+        await dbContext.UserBumpManyAccountRevisionDatesAsync(userIds);
+        await dbContext.SaveChangesAsync();
+    }
+
+    public async Task<IEnumerable<Guid>> GetIdsByOrganizationIdAsync(Guid organizationId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var orgUsers = await dbContext.OrganizationUsers.Where(ou => ou.OrganizationId == organizationId).ToListAsync();
+        var orgUserSendIds = await dbContext.Sends.Where(s => orgUsers.Any(ou => ou.UserId == s.UserId)).Select(s => s.Id).ToListAsync();
+        return Mapper.Map<List<Guid>>(orgUserSendIds);
+    }
+
+    public async Task<ICollection<Core.Tools.Entities.Send>> GetManyByIdsAsync(IEnumerable<Guid> ids)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var results = await dbContext.Sends.Where(s => ids.Contains(s.Id)).ToListAsync();
+        return Mapper.Map<List<Core.Tools.Entities.Send>>(results);
+    }
 }

src/Sql/dbo/Tools/Stored Procedures/Send_ReadByIds.sql

@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[Send_ReadByIds]
+    @Ids AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[SendView]
+    WHERE
+        [Id] IN (SELECT * FROM @Ids)
+END

src/Sql/dbo/Tools/Stored Procedures/Send_ReadIdsByOrgId.sql

@@ -0,0 +1,24 @@
+CREATE PROCEDURE [dbo].[Send_ReadIdsByOrgId]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    -- Get the IDs of all users in an org --
+    DECLARE @OrgUserIds AS [GuidIdArray];
+    INSERT INTO @OrgUserIds
+    SELECT DISTINCT
+        UserId
+    FROM
+        [dbo].[OrganizationUserView]
+    WHERE
+        OrganizationId = @Id
+
+    -- Get the IDs of all Sends associated with those users --
+    SELECT
+        Id
+    FROM
+        [dbo].[SendView]
+    WHERE
+        UserId IN (SELECT [Id] FROM @OrgUserIds)
+END

src/Sql/dbo/Tools/Stored Procedures/Send_UpdateDisabledByIds.sql

@@ -0,0 +1,30 @@
+CREATE PROCEDURE [dbo].[Send_UpdateDisabledByIds]
+    @Ids AS [dbo].[GuidIdArray] READONLY,
+    @Disabled BIT
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    DECLARE @UserIds [dbo].[GuidIdarray]
+
+    -- Set field
+    UPDATE
+        [dbo].[Send]
+    SET
+        [Disabled] = @Disabled,
+        [RevisionDate] = GETUTCDATE()
+    WHERE
+        [Id] IN (SELECT * FROM @Ids)
+
+    INSERT INTO @UserIds
+    SELECT DISTINCT
+        UserId
+    FROM
+        [dbo].[Send]
+    WHERE
+        [Id] IN (SELECT * FROM @Ids)
+        AND [UserId] IS NOT NULL
+
+    -- Bump account revision dates
+    EXEC [dbo].[User_BumpManyAccountRevisionDates] @UserIds
+END