[PM-14406] Security Task Notifications

src/Api/Vault/Controllers/SecurityTaskController.cs

@@ -1,6 +1,12 @@
 using Bit.Api.Models.Response;
+using Bit.Api.Vault.Models.Request;
 using Bit.Api.Vault.Models.Response;
 using Bit.Core;
+using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Commands.Interfaces;
+using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.NotificationCenter.Enums;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Commands.Interfaces;
@@ -20,17 +26,32 @@
     private readonly IGetTaskDetailsForUserQuery _getTaskDetailsForUserQuery;
     private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
     private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
+    private readonly ICreateManyTasksCommand _createManyTasksCommand;
+    private readonly IGetSecurityTasksNotificationDetailsQuery _getSecurityTasksNotificationDetailsQuery;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IMailService _mailService;
+    private readonly ICreateNotificationCommand _createNotificationCommand;
 
     public SecurityTaskController(
         IUserService userService,
         IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
         IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
-        IGetTasksForOrganizationQuery getTasksForOrganizationQuery)
+        IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
+        ICreateManyTasksCommand createManyTasksCommand,
+        IGetSecurityTasksNotificationDetailsQuery getSecurityTasksNotificationDetailsQuery,
+        IOrganizationRepository organizationRepository,
+        IMailService mailService,
+        ICreateNotificationCommand createNotificationCommand)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
         _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
         _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
+        _createManyTasksCommand = createManyTasksCommand;
+        _getSecurityTasksNotificationDetailsQuery = getSecurityTasksNotificationDetailsQuery;
+        _organizationRepository = organizationRepository;
+        _mailService = mailService;
+        _createNotificationCommand = createNotificationCommand;
     }
 
     /// <summary>
@@ -71,4 +92,35 @@
         var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
+
+    /// <summary>
+    /// Bulk create security tasks for an organization.
+    /// </summary>
+    /// <param name="orgId"></param>
+    /// <param name="model"></param>
+    /// <returns>A list response model containing the security tasks created for the organization.</returns>
+    [HttpPost("{orgId:guid}/bulk-create")]
+    public async Task<ListResponseModel<SecurityTasksResponseModel>> BulkCreateTasks(Guid orgId,
+        [FromBody] BulkCreateSecurityTasksRequestModel model)
+    {
+        var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
+
+        var userTaskCount = await _getSecurityTasksNotificationDetailsQuery.GetNotificationDetailsByManyIds(orgId, securityTasks);
+        var organization = await _organizationRepository.GetByIdAsync(orgId);
+        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization.Name, userTaskCount);
+        foreach (var task in userTaskCount)
+        {
+            var notification = new Notification
+            {
+                UserId = task.UserId,
+                OrganizationId = orgId,
+                Priority = Priority.Informational,
+                ClientType = ClientType.Browser,
+            };
+            await _createNotificationCommand.CreateAsync(notification);
+        }
+
+        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
+        return new ListResponseModel<SecurityTasksResponseModel>(response);
+    }
 }

src/Api/Vault/Models/Request/BulkCreateSecurityTasksRequestModel.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Vault.Models.Api;
+
+namespace Bit.Api.Vault.Models.Request;
+
+public class BulkCreateSecurityTasksRequestModel
+{
+    public IEnumerable<SecurityTaskCreateRequest> Tasks { get; set; }
+}

src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs

@@ -0,0 +1,61 @@
+{{#>FullUpdatedHtmlLayout}}
+<table border="0" cellpadding="0" cellspacing="0" width="100%"
+  style="background-color: #175DDC;padding-top:25px;padding-bottom:15px;">
+  <tr>
+    <td align="center" valign="top" width="70%" class="templateColumnContainer">
+      <table border="0" cellpadding="0" cellspacing="0" width="100%"
+        style="padding-left:30px; padding-right: 5px; padding-top: 20px;">
+        <tr>
+          <td
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 24px; color: #ffffff; line-height: 32px; font-weight: 500; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            {{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
+            TaskCountPlural}}s{{/unless}} a
+            password change
+          </td>
+        </tr>
+      </table>
+    </td>
+    <td align="right" valign="bottom" class="templateColumnContainer" style="padding-right: 15px;">
+      <img width="140" height="140" align="right" valign="bottom"
+        style="width: 140px; height:140px; font-size: 0; vertical-align: bottom; text-align: right;" alt=''
+        src='https://assets.bitwarden.com/email/v1/business-warning.png' />
+    </td>
+  </tr>
+</table>
+
+{{>@partial-block}}
+
+<table width="100%" style="display:table; background-color: #FBFBFB; vertical-align: middle; padding:30px" border="0"
+  cellpadding="0" cellspacing="0" valign="middle">
+  <tr>
+    <td width="70%" class="footer-text" style="padding-right: 20px;">
+      <table align="left" border="0" cellpadding="0" cellspacing="0">
+        <tr>
+          <td
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+            <p
+              style="margin: 0; padding: 0; margin-bottom: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 600; font-size: 20px; line-height: 28px;">
+              We’re here for you!</p>
+            If you have any questions, search the Bitwarden <a
+              style="text-decoration: none; color: #175DDC; font-weight: 600;"
+              href="https://bitwarden.com/help/">Help</a> site or <a
+              style="text-decoration: none; color: #175DDC; font-weight: 600;"
+              href="https://bitwarden.com/contact/">contact us</a>.
+          </td>
+        </tr>
+      </table>
+    </td>
+    <td width="30%">
+      <table align="right" valign="bottom" class="footer-image" border="0" cellpadding="0" cellspacing="0"
+        style="padding-left: 40px;">
+        <tr>
+          <td>
+            <img width="94" height="77" src="https://assets.bitwarden.com/email/v1/chat.png"
+              style="width: 94px; height: 77px;" alt="" />
+          </td>
+        </tr>
+      </table>
+    </td>
+  </tr>
+</table>
+{{/FullUpdatedHtmlLayout}}

src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs

@@ -0,0 +1,12 @@
+{{#>FullTextLayout}}
+{{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
+TaskCountPlural}}s{{/unless}} a
+password change
+
+{{>@partial-block}}
+
+We’re here for you!
+If you have any questions, search the Bitwarden Help site or contact us.
+- https://bitwarden.com/help/
+- https://bitwarden.com/contact/
+{{/FullTextLayout}}

src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs

@@ -0,0 +1,28 @@
+{{#>SecurityTasksHtmlLayout}}
+<table width="100%" border="0" style="display: block; padding: 30px;" align="center" cellpadding="0" cellspacing="0">
+  <tr>
+    <td
+      style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+      Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a
+      data breach.
+    </td>
+  </tr>
+  <tr>
+    <td
+      style="padding-top: 24px; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+      Launch the Bitwarden extension to review your at-risk passwords.
+    </td>
+  </tr>
+</table>
+<table width="100%" border="0" cellpadding="0" cellspacing="0"
+  style="display: table; width:100%; padding-bottom: 35px; text-align: center;" align="center">
+  <tr>
+    <td display="display: table-cell">
+      <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank"
+        style="display: inline-block; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        Review at-risk passwords
+      </a>
+    </td>
+  </tr>
+</table>
+{{/SecurityTasksHtmlLayout}}

src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs

@@ -0,0 +1,8 @@
+{{#>SecurityTasksHtmlLayout}}
+Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a data
+breach.
+
+Launch the Bitwarden extension to review your at-risk passwords.
+
+Review at-risk passwords ({{{ReviewPasswordsUrl}}})
+{{/SecurityTasksHtmlLayout}}

src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs

@@ -0,0 +1,12 @@
+namespace Bit.Core.Models.Mail;
+
+public class SecurityTaskNotificationViewModel : BaseMailModel
+{
+    public string OrgName { get; set; }
+
+    public int TaskCount { get; set; }
+
+    public bool TaskCountPlural => TaskCount != 1;
+
+    public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
+}

src/Core/Services/IMailService.cs

@@ -5,6 +5,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Core.Services;
 
@@ -96,6 +97,6 @@ Task SendProviderUpdatePaymentMethod(
     Task SendFamiliesForEnterpriseRemoveSponsorshipsEmailAsync(string email, string offerAcceptanceDate, string organizationId,
         string organizationName);
     Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
+    Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons);
     Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
 }
-

src/Core/Services/Implementations/HandlebarsMailService.cs

@@ -15,6 +15,7 @@
 using Bit.Core.SecretsManager.Models.Mail;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
+using Bit.Core.Vault.Models.Data;
 using HandlebarsDotNet;
 
 namespace Bit.Core.Services;
@@ -644,6 +645,10 @@
         Handlebars.RegisterTemplate("TitleContactUsHtmlLayout", titleContactUsHtmlLayoutSource);
         var titleContactUsTextLayoutSource = await ReadSourceAsync("Layouts.TitleContactUs.text");
         Handlebars.RegisterTemplate("TitleContactUsTextLayout", titleContactUsTextLayoutSource);
+        var securityTasksHtmlLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.html");
+        Handlebars.RegisterTemplate("SecurityTasksHtmlLayout", securityTasksHtmlLayoutSource);
+        var securityTasksTextLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.text");
+        Handlebars.RegisterTemplate("SecurityTasksTextLayout", securityTasksTextLayoutSource);
 
         Handlebars.RegisterHelper("date", (writer, context, parameters) =>
         {
@@ -1169,6 +1174,24 @@
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    {
+        MailQueueMessage CreateMessage(UserSecurityTasksCount notification)
+        {
+            var message = CreateDefaultMessage($"{orgName} has identified {notification.TaskCount} at-risk password{(notification.TaskCount.Equals(1) ? "" : "s")}", notification.Email);
+            var model = new SecurityTaskNotificationViewModel
+            {
+                OrgName = orgName,
+                TaskCount = notification.TaskCount,
+                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            };
+            message.Category = "SecurityTasksNotification";
+            return new MailQueueMessage(message, "SecurityTasksNotification", model);
+        }
+        var messageModels = securityTaskNotificaitons.Select(CreateMessage);
+        await EnqueueMailAsync(messageModels.ToList());
+    }
+
     public async Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName)
     {
         var templateName = _globalSettings.SelfHosted ?
@@ -1191,4 +1214,3 @@
         return string.IsNullOrEmpty(userName) ? email : CoreHelpers.SanitizeForEmail(userName, false);
     }
 }
-

src/Core/Services/NoopImplementations/NoopMailService.cs

@@ -5,6 +5,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Core.Services;
 
@@ -321,5 +322,9 @@
     {
         return Task.FromResult(0);
     }
-}
 
+    public Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    {
+        return Task.FromResult(0);
+    }
+}

src/Core/Vault/Commands/CreateManyTasksCommand.cs

@@ -0,0 +1,65 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Models.Api;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Commands;
+
+public class CreateManyTasksCommand : ICreateManyTasksCommand
+{
+    private readonly IAuthorizationService _authorizationService;
+    private readonly ICurrentContext _currentContext;
+    private readonly ISecurityTaskRepository _securityTaskRepository;
+
+    public CreateManyTasksCommand(
+        ISecurityTaskRepository securityTaskRepository,
+        IAuthorizationService authorizationService,
+        ICurrentContext currentContext)
+    {
+        _securityTaskRepository = securityTaskRepository;
+        _authorizationService = authorizationService;
+        _currentContext = currentContext;
+    }
+
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> CreateAsync(Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        var tasksList = tasks?.ToList();
+
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            throw new BadRequestException("No tasks provided.");
+        }
+
+        var securityTasks = tasksList.Select(t => new SecurityTask
+        {
+            OrganizationId = organizationId,
+            CipherId = t.CipherId,
+            Type = t.Type,
+            Status = SecurityTaskStatus.Pending
+        }).ToList();
+
+        // Verify authorization for each task
+        foreach (var task in securityTasks)
+        {
+            await _authorizationService.AuthorizeOrThrowAsync(
+                _currentContext.HttpContext.User,
+                task,
+                SecurityTaskOperations.Create);
+        }
+
+        return await _securityTaskRepository.CreateManyAsync(securityTasks);
+    }
+}