[PM-10314] Update Warnings for Verifying Domains and Single Org Polic…

…y Auto Enable (#11688)

* Updated description and warning for single org policy.

* Added check for verified domains in disabling single org.

apps/web/src/app/admin-console/organizations/policies/policy-edit.component.html

@@ -15,7 +15,7 @@
       </div>
     </ng-container>
     <ng-container bitDialogFooter>
-      <button bitButton buttonType="primary" bitFormButton type="submit">
+      <button bitButton buttonType="primary" [disabled]="saveDisabled" bitFormButton type="submit">
         {{ "save" | i18n }}
       </button>
       <button bitButton buttonType="secondary" bitDialogClose type="button">

apps/web/src/app/admin-console/organizations/policies/policy-edit.component.ts

@@ -42,6 +42,7 @@ export class PolicyEditComponent implements AfterViewInit {
   policyType = PolicyType;
   loading = true;
   enabled = false;
+  saveDisabled = false;
   defaultTypes: any[];
   policyComponent: BasePolicyComponent;
 
@@ -72,6 +73,8 @@ export class PolicyEditComponent implements AfterViewInit {
     this.policyComponent.policy = this.data.policy;
     this.policyComponent.policyResponse = this.policyResponse;
 
+    this.saveDisabled = !this.policyResponse.canToggleState;
+
     this.cdr.detectChanges();
   }
 

apps/web/src/app/admin-console/organizations/policies/single-org.component.html

@@ -1,6 +1,11 @@
-<bit-callout type="warning">
-  {{ "singleOrgPolicyWarning" | i18n }}
+<bit-callout *ngIf="accountDeprovisioningEnabled$ | async; else disabledBlock" type="warning">
+  {{ "singleOrgPolicyMemberWarning" | i18n }}
 </bit-callout>
+<ng-template #disabledBlock>
+  <bit-callout type="warning">
+    {{ "singleOrgPolicyWarning" | i18n }}
+  </bit-callout>
+</ng-template>
 
 <bit-form-control>
   <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />

apps/web/src/app/admin-console/organizations/policies/single-org.component.ts

@@ -1,4 +1,5 @@
-import { Component } from "@angular/core";
+import { Component, OnInit } from "@angular/core";
+import { firstValueFrom, Observable } from "rxjs";
 
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { PolicyRequest } from "@bitwarden/common/admin-console/models/request/policy.request";
@@ -19,14 +20,31 @@ export class SingleOrgPolicy extends BasePolicy {
   selector: "policy-single-org",
   templateUrl: "single-org.component.html",
 })
-export class SingleOrgPolicyComponent extends BasePolicyComponent {
+export class SingleOrgPolicyComponent extends BasePolicyComponent implements OnInit {
   constructor(
     private i18nService: I18nService,
     private configService: ConfigService,
   ) {
     super();
   }
 
+  protected accountDeprovisioningEnabled$: Observable<boolean> = this.configService.getFeatureFlag$(
+    FeatureFlag.AccountDeprovisioning,
+  );
+
+  async ngOnInit() {
+    super.ngOnInit();
+
+    const isAccountDeprovisioningEnabled = await firstValueFrom(this.accountDeprovisioningEnabled$);
+    this.policy.description = isAccountDeprovisioningEnabled
+      ? "singleOrgPolicyDesc"
+      : "singleOrgDesc";
+
+    if (!this.policyResponse.canToggleState) {
+      this.enabled.disable();
+    }
+  }
+
   async buildRequest(policiesEnabledMap: Map<PolicyType, boolean>): Promise<PolicyRequest> {
     if (await this.configService.getFeatureFlag(FeatureFlag.Pm13322AddPolicyDefinitions)) {
       // We are now relying on server-side validation only
@@ -48,6 +66,15 @@ export class SingleOrgPolicyComponent extends BasePolicyComponent {
           ),
         );
       }
+
+      if (
+        (await firstValueFrom(this.accountDeprovisioningEnabled$)) &&
+        !this.policyResponse.canToggleState
+      ) {
+        throw new Error(
+          this.i18nService.t("disableRequiredError", this.i18nService.t("singleOrg")),
+        );
+      }
     }
 
     return super.buildRequest(policiesEnabledMap);

apps/web/src/locales/en/messages.json

@@ -4684,12 +4684,18 @@
   "singleOrgDesc": {
     "message": "Restrict members from joining other organizations."
   },
+  "singleOrgPolicyDesc": {
+    "message": "Restrict members from joining other organizations. This policy is required for organizations that have enabled domain verification."
+  },
   "singleOrgBlockCreateMessage": {
     "message": "Your current organization has a policy that does not allow you to join more than one organization. Please contact your organization admins or sign up from a different Bitwarden account."
   },
   "singleOrgPolicyWarning": {
     "message": "Organization members who are not owners or admins and are already a member of another organization will be removed from your organization."
   },
+  "singleOrgPolicyMemberWarning": {
+    "message": "Non-compliant members will be placed in revoked status until they leave all other organizations. Administrators are exempt and can restore members once compliance is met."
+  },
   "requireSso": {
     "message": "Require single sign-on authentication"
   },
@@ -9531,5 +9537,11 @@
   },
   "selfHostingTitleProper": {
     "message": "Self-Hosting"
+  },
+  "verified-domain-single-org-warning" : {
+    "message": "Verifying a domain will turn on the single organization policy."
+  },
+  "single-org-revoked-user-warning": {
+    "message": "Non-compliant members will be revoked. Administrators can restore members once they leave all other organizations."
   }
 }

bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-verification.component.ts

@@ -1,14 +1,24 @@
 import { Component, OnDestroy, OnInit } from "@angular/core";
 import { ActivatedRoute, Params } from "@angular/router";
-import { concatMap, Observable, Subject, take, takeUntil } from "rxjs";
+import {
+  concatMap,
+  firstValueFrom,
+  map,
+  Observable,
+  Subject,
+  take,
+  takeUntil,
+  withLatestFrom,
+} from "rxjs";
 
 import { OrgDomainApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization-domain/org-domain-api.service.abstraction";
 import { OrgDomainServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization-domain/org-domain.service.abstraction";
 import { OrganizationDomainResponse } from "@bitwarden/common/admin-console/abstractions/organization-domain/responses/organization-domain.response";
 import { HttpStatusCode } from "@bitwarden/common/enums";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
 import { DialogService, ToastService } from "@bitwarden/components";
 
@@ -31,13 +41,13 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
 
   constructor(
     private route: ActivatedRoute,
-    private platformUtilsService: PlatformUtilsService,
     private i18nService: I18nService,
     private orgDomainApiService: OrgDomainApiServiceAbstraction,
     private orgDomainService: OrgDomainServiceAbstraction,
     private dialogService: DialogService,
     private validationService: ValidationService,
     private toastService: ToastService,
+    private configService: ConfigService,
   ) {}
 
   // eslint-disable-next-line @typescript-eslint/no-empty-function
@@ -64,13 +74,38 @@ export class DomainVerificationComponent implements OnInit, OnDestroy {
     this.loading = false;
   }
 
-  addDomain() {
+  async addDomain() {
     const domainAddEditDialogData: DomainAddEditDialogData = {
       organizationId: this.organizationId,
       orgDomain: null,
       existingDomainNames: this.getExistingDomainNames(),
     };
 
+    await firstValueFrom(
+      this.configService.getFeatureFlag$(FeatureFlag.AccountDeprovisioning).pipe(
+        withLatestFrom(this.orgDomains$),
+        map(async ([accountDeprovisioningEnabled, organizationDomains]) => {
+          if (
+            accountDeprovisioningEnabled &&
+            organizationDomains.every((domain) => domain.verifiedDate === null)
+          ) {
+            await this.dialogService.openSimpleDialog({
+              title: { key: "verified-domain-single-org-warning" },
+              content: { key: "single-org-revoked-user-warning" },
+              cancelButtonText: { key: "cancel" },
+              acceptButtonText: { key: "confirm" },
+              acceptAction: () => this.openAddDomainDialog(domainAddEditDialogData),
+              type: "info",
+            });
+          } else {
+            await this.openAddDomainDialog(domainAddEditDialogData);
+          }
+        }),
+      ),
+    );
+  }
+
+  private async openAddDomainDialog(domainAddEditDialogData: DomainAddEditDialogData) {
     this.dialogService.open(DomainAddEditDialogComponent, {
       data: domainAddEditDialogData,
     });

libs/common/src/admin-console/models/response/policy.response.ts

@@ -8,6 +8,7 @@ export class PolicyResponse extends BaseResponse {
   type: PolicyType;
   data: any;
   enabled: boolean;
+  canToggleState: boolean;
 
   constructor(response: any) {
     super(response);
@@ -16,5 +17,6 @@ export class PolicyResponse extends BaseResponse {
     this.type = this.getResponseProperty("Type");
     this.data = this.getResponseProperty("Data");
     this.enabled = this.getResponseProperty("Enabled");
+    this.canToggleState = this.getResponseProperty("CanToggleState") ?? true;
   }
 }