[PM-14406] Security Task Notifications #5344

Open. Wants to merge 22 commits into base: main
Conversation

nick-livefront (Contributor) commented Jan 29, 2025

🎟️ Tracking

PM-14406
Client side PR: bitwarden/clients#13135
Stacked on top of: #5188

📔 Objective

Adds notifications for newly created security tasks for all users within an organization that have manage permissions for the applicable ciphers.

  • I tried to follow/pick up naming patterns; if I missed any, please point them out 😄
  • Adds an email template & a new security task layout.
    • A new layout might not be necessary and could be done later if we wish. I'd be happy to pull this into a single template. I figured that this could be the first of many emails sent out regarding security tasks.
    • The template currently links to a page that hasn't been built yet. That will be handled by PM-17564.
  • Adds stored queries for finding all users that have Manage permissions for the ciphers that are associated with the security tasks.
    • The query returns the UserId, their Email and the applicable cipher id for the security task.
  • Adds a push notification that is sent to the client side for handling
    • Client side PR. This only processes the notification, there is no handling as of yet. This is only to avoid any errors.
    • There is work slated to handle that in PM-10610

Edit: @shane-melton pointed me to some work that the KM team is doing and I have refactored to use their CreateNotificationCommand rather than the one that I put together.

📸 Screenshots

Steps in video

  1. Bulk create endpoint is hit (work done in [PM-14381] Add POST /tasks/bulk-create endpoint #5188)
  2. Email notifications received
  3. Push notifications received (no longer applicable)
security-task-notification.mov
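As an added illustration (not code from this PR or from the Bitwarden server), the audience rule stated in the objective, "every organization user with Manage permission on a cipher referenced by a new security task", modelled in Python over constructed in-memory data. The entity names, the direct and group-based collection grants, and the membership status values are assumptions; the PR's own implementation is a stored query, and owner/admin access overrides are deliberately not modelled here.

```python
# Added example (not code from the PR or the Bitwarden server): an in-memory
# model of the audience rule "every organization user with Manage permission
# on a cipher referenced by a new security task". Entity names, the grant
# structures and the membership status values below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityTask:
    id: str
    organization_id: str
    cipher_id: str


@dataclass(frozen=True)
class OrgUser:
    id: str                  # membership record id (assumed OrganizationUser.Id)
    user_id: Optional[str]   # None until the invitation has been accepted
    email: str
    status: str              # assumed: "Invited", "Accepted", "Confirmed", "Revoked"


@dataclass(frozen=True)
class Grant:
    collection_id: str
    manage: bool             # True = Manage; False = view/edit only


@dataclass
class OrgData:
    collection_ciphers: Dict[str, Set[str]]   # collection id -> cipher ids
    user_grants: Dict[str, List[Grant]]       # org-user id -> direct grants
    group_grants: Dict[str, List[Grant]]      # group id -> grants
    group_members: Dict[str, Set[str]]        # group id -> org-user ids
    users: List[OrgUser]


def managed_collections(org: OrgData, org_user_id: str) -> Set[str]:
    """Collections the membership can Manage, directly or through any group."""
    managed = {g.collection_id for g in org.user_grants.get(org_user_id, []) if g.manage}
    for group_id, members in org.group_members.items():
        if org_user_id in members:
            managed |= {g.collection_id for g in org.group_grants.get(group_id, []) if g.manage}
    return managed


def notification_audience(org: OrgData, tasks: List[SecurityTask]) -> List[Tuple[str, str, str]]:
    """Return sorted, de-duplicated (user_id, email, cipher_id) triples.

    Only Confirmed memberships with a linked user account are eligible, and a
    user qualifies for a cipher only if a collection they Manage contains it.
    A cipher in no collection (or in none the user manages) yields nothing,
    so a task can legitimately have an empty audience.
    """
    task_ciphers = {t.cipher_id for t in tasks}
    result: Set[Tuple[str, str, str]] = set()
    for member in org.users:
        if member.status != "Confirmed" or member.user_id is None:
            continue
        for collection_id in managed_collections(org, member.id):
            for cipher_id in org.collection_ciphers.get(collection_id, set()) & task_ciphers:
                result.add((member.user_id, member.email, cipher_id))
    return sorted(result)


# Constructed sample data: two Manage paths to cipher-x for alice (de-duplicated),
# group-based Manage for bob, read-only access for carol, and two ineligible
# memberships (invited without an account, revoked).
SAMPLE_ORG = OrgData(
    collection_ciphers={"col-1": {"cipher-x", "cipher-y"}, "col-2": {"cipher-z"}, "col-3": {"cipher-x"}},
    user_grants={
        "ou-1": [Grant("col-1", True), Grant("col-3", True)],
        "ou-2": [Grant("col-1", False)],
        "ou-3": [Grant("col-1", False)],
        "ou-4": [Grant("col-1", True)],
        "ou-5": [Grant("col-2", True)],
    },
    group_grants={"grp-1": [Grant("col-2", True)]},
    group_members={"grp-1": {"ou-2"}},
    users=[
        OrgUser("ou-1", "user-1", "alice@example.com", "Confirmed"),
        OrgUser("ou-2", "user-2", "bob@example.com", "Confirmed"),
        OrgUser("ou-3", "user-3", "carol@example.com", "Confirmed"),
        OrgUser("ou-4", None, "dan@example.com", "Invited"),
        OrgUser("ou-5", "user-5", "erin@example.com", "Revoked"),
    ],
)

SAMPLE_TASKS = [
    SecurityTask("task-1", "org-1", "cipher-x"),
    SecurityTask("task-2", "org-1", "cipher-z"),
    SecurityTask("task-3", "org-1", "cipher-w"),  # cipher that sits in no collection
]


def sample_run() -> List[Tuple[str, str, str]]:
    """Audience for the constructed tasks."""
    return notification_audience(SAMPLE_ORG, SAMPLE_TASKS)


if __name__ == "__main__":
    for user_id, email, cipher_id in sample_run():
        print(f"{user_id} <{email}> -> notify about {cipher_id}")
```

The triples mirror the columns the PR says the query returns (UserId, Email, cipher id). De-duplication matters because one user can reach the same cipher through several collections, and the eligibility check keeps invited or revoked memberships off the recipient list.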

codecov bot commented Jan 29, 2025

Codecov Report

Attention: Patch coverage is 4.85437% with 196 lines in your changes missing coverage. Please review.

Project coverage is 44.40%. Comparing base (f4c37df) to head (2b9bc05).
Report is 4 commits behind head on main.

Files with missing lines                                   Patch %   Lines
...ories/Queries/UserSecurityTasksByCipherIdsQuery.cs       0.00%    54 Missing ⚠️
...ult/Commands/CreateManyTaskNotificationsCommand.cs       0.00%    42 Missing ⚠️
...tyFramework/Vault/Repositories/CipherRepository.cs       0.00%    35 Missing ⚠️
...ture.Dapper/Vault/Repositories/CipherRepository.cs       0.00%    16 Missing ⚠️
.../Services/Implementations/HandlebarsMailService.cs      21.05%    15 Missing ⚠️
...ueries/GetSecurityTasksNotificationDetailsQuery.cs       0.00%    13 Missing ⚠️
...rc/Api/Vault/Controllers/SecurityTaskController.cs       0.00%     4 Missing ⚠️
...e/Models/Mail/SecurityTaskNotificationViewModel.cs       0.00%     4 Missing ⚠️
...c/Core/Vault/Models/Data/UserSecurityTaskCipher.cs       0.00%     4 Missing ⚠️
...re/Services/NoopImplementations/NoopMailService.cs       0.00%     3 Missing ⚠️
... and 2 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5344      +/-   ##
==========================================
- Coverage   44.56%   44.40%   -0.17%     
==========================================
  Files        1505     1514       +9     
  Lines       69896    70202     +306     
  Branches     6285     6310      +25     
==========================================
+ Hits        31150    31170      +20     
- Misses      37414    37699     +285     
- Partials     1332     1333       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

nick-livefront marked this pull request as draft January 29, 2025 20:25

nick-livefront (Contributor, Author) commented:

Moving to a draft while I hash out some of the overlap push notifications work.

github-actions bot commented Jan 29, 2025

Checkmarx One – Scan Summary & Details – a5cd75c3-90ec-436c-8d0a-c2ed5bf8c641

New Issues (2)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

MEDIUM | CSRF | /src/Api/Billing/Controllers/AccountsBillingController.cs: 83
    Method PreviewInvoiceAsync at line 83 of /src/Api/Billing/Controllers/AccountsBillingController.cs gets a parameter from a user request from Previe...

LOW | Unsafe_Use_Of_Target_blank | /src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs: 21
    Using <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank" style="display: inline-block; color: #ffffff; text-decoration: non...

@nick-livefront nick-livefront marked this pull request as ready for review January 30, 2025 21:10
Base automatically changed from vault/PM-14381 to main February 5, 2025 21:56
nick-livefront force-pushed the vault/pm-14406/security-task-notifications branch from b43b131 to 7c18edf February 10, 2025 21:23
Head commit message (truncated): …ore the security task id on the notification entry
shane-melton (Member) left a comment

This is looking really good, nice work! I just have a few suggestions and a change we'll need to make to the CreateNotificationCommand.

Review threads (outdated, resolved):
  • src/Api/Vault/Controllers/SecurityTaskController.cs
  • src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs
  • src/Api/Vault/Controllers/SecurityTaskController.cs
  • src/Api/Vault/Controllers/SecurityTaskController.cs