[PM-14406] Security Task Notifications

src/Api/Vault/Controllers/SecurityTaskController.cs

@@ -2,10 +2,16 @@
 using Bit.Api.Vault.Models.Request;
 using Bit.Api.Vault.Models.Response;
 using Bit.Core;
+using Bit.Core.Enums;
+using Bit.Core.NotificationCenter.Commands.Interfaces;
+using Bit.Core.NotificationCenter.Entities;
+using Bit.Core.NotificationCenter.Enums;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Commands.Interfaces;
 using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Models.Data;
 using Bit.Core.Vault.Queries;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -22,19 +28,31 @@
     private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
     private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
     private readonly ICreateManyTasksCommand _createManyTasksCommand;
+    private readonly IGetSecurityTasksNotificationDetailsQuery _getSecurityTasksNotificationDetailsQuery;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IMailService _mailService;
+    private readonly ICreateNotificationCommand _createNotificationCommand;
 
     public SecurityTaskController(
         IUserService userService,
         IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
         IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
         IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
-        ICreateManyTasksCommand createManyTasksCommand)
+        ICreateManyTasksCommand createManyTasksCommand,
+        IGetSecurityTasksNotificationDetailsQuery getSecurityTasksNotificationDetailsQuery,
+        IOrganizationRepository organizationRepository,
+        IMailService mailService,
+        ICreateNotificationCommand createNotificationCommand)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
         _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
         _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
         _createManyTasksCommand = createManyTasksCommand;
+        _getSecurityTasksNotificationDetailsQuery = getSecurityTasksNotificationDetailsQuery;
+        _organizationRepository = organizationRepository;
+        _mailService = mailService;
+        _createNotificationCommand = createNotificationCommand;
     }
 
     /// <summary>
@@ -87,6 +105,37 @@
         [FromBody] BulkCreateSecurityTasksRequestModel model)
     {
         var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
+
+        var securityTaskCiphers = await _getSecurityTasksNotificationDetailsQuery.GetNotificationDetailsByManyIds(orgId, securityTasks);
+
+        // Get the number of tasks for each user
+        var userTaskCount = securityTaskCiphers.GroupBy(x => x.UserId).Select(x => new
+        UserSecurityTasksCount
+        {
+            UserId = x.Key,
+            Email = x.First().Email,
+            TaskCount = x.Count()
+        }).ToList();
+
+        var organization = await _organizationRepository.GetByIdAsync(orgId);
+        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization.Name, userTaskCount);
+
+        foreach (var userSecurityTaskCipher in securityTaskCiphers)
+        {
+            // Get the associated security task for the cipher
+            var securityTask = securityTasks.First(x => x.CipherId == userSecurityTaskCipher.CipherId);
+            // Create a notification for the user with the associated task
+            var notification = new Notification
+            {
+                UserId = userSecurityTaskCipher.UserId,
+                OrganizationId = orgId,
+                Priority = Priority.Informational,
+                ClientType = ClientType.Browser,
+                TaskId = securityTask.Id
+            };
+            await _createNotificationCommand.CreateAsync(notification);
+        }
+
         var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }

src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs

@@ -0,0 +1,61 @@
+{{#>FullUpdatedHtmlLayout}}
+<table border="0" cellpadding="0" cellspacing="0" width="100%"
+  style="background-color: #175DDC;padding-top:25px;padding-bottom:15px;">
+  <tr>
+    <td align="center" valign="top" width="70%" class="templateColumnContainer">
+      <table border="0" cellpadding="0" cellspacing="0" width="100%"
+        style="padding-left:30px; padding-right: 5px; padding-top: 20px;">
+        <tr>
+          <td
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 24px; color: #ffffff; line-height: 32px; font-weight: 500; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+            {{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
+            TaskCountPlural}}s{{/unless}} a
+            password change
+          </td>
+        </tr>
+      </table>
+    </td>
+    <td align="right" valign="bottom" class="templateColumnContainer" style="padding-right: 15px;">
+      <img width="140" height="140" align="right" valign="bottom"
+        style="width: 140px; height:140px; font-size: 0; vertical-align: bottom; text-align: right;" alt=''
+        src='https://assets.bitwarden.com/email/v1/business-warning.png' />
+    </td>
+  </tr>
+</table>
+
+{{>@partial-block}}
+
+<table width="100%" style="display:table; background-color: #FBFBFB; vertical-align: middle; padding:30px" border="0"
+  cellpadding="0" cellspacing="0" valign="middle">
+  <tr>
+    <td width="70%" class="footer-text" style="padding-right: 20px;">
+      <table align="left" border="0" cellpadding="0" cellspacing="0">
+        <tr>
+          <td
+            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+            <p
+              style="margin: 0; padding: 0; margin-bottom: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 600; font-size: 20px; line-height: 28px;">
+              We’re here for you!</p>
+            If you have any questions, search the Bitwarden <a
+              style="text-decoration: none; color: #175DDC; font-weight: 600;"
+              href="https://bitwarden.com/help/">Help</a> site or <a
+              style="text-decoration: none; color: #175DDC; font-weight: 600;"
+              href="https://bitwarden.com/contact/">contact us</a>.
+          </td>
+        </tr>
+      </table>
+    </td>
+    <td width="30%">
+      <table align="right" valign="bottom" class="footer-image" border="0" cellpadding="0" cellspacing="0"
+        style="padding-left: 40px;">
+        <tr>
+          <td>
+            <img width="94" height="77" src="https://assets.bitwarden.com/email/v1/chat.png"
+              style="width: 94px; height: 77px;" alt="" />
+          </td>
+        </tr>
+      </table>
+    </td>
+  </tr>
+</table>
+{{/FullUpdatedHtmlLayout}}

src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs

@@ -0,0 +1,12 @@
+{{#>FullTextLayout}}
+{{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
+TaskCountPlural}}s{{/unless}} a
+password change
+
+{{>@partial-block}}
+
+We’re here for you!
+If you have any questions, search the Bitwarden Help site or contact us.
+- https://bitwarden.com/help/
+- https://bitwarden.com/contact/
+{{/FullTextLayout}}

src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs

@@ -0,0 +1,28 @@
+{{#>SecurityTasksHtmlLayout}}
+<table width="100%" border="0" style="display: block; padding: 30px;" align="center" cellpadding="0" cellspacing="0">
+  <tr>
+    <td
+      style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+      Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a
+      data breach.
+    </td>
+  </tr>
+  <tr>
+    <td
+      style="padding-top: 24px; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
+      Launch the Bitwarden extension to review your at-risk passwords.
+    </td>
+  </tr>
+</table>
+<table width="100%" border="0" cellpadding="0" cellspacing="0"
+  style="display: table; width:100%; padding-bottom: 35px; text-align: center;" align="center">
+  <tr>
+    <td display="display: table-cell">
+      <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank"
+        style="display: inline-block; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        Review at-risk passwords
+      </a>
+    </td>
+  </tr>
+</table>
+{{/SecurityTasksHtmlLayout}}

src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs

@@ -0,0 +1,8 @@
+{{#>SecurityTasksHtmlLayout}}
+Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a data
+breach.
+
+Launch the Bitwarden extension to review your at-risk passwords.
+
+Review at-risk passwords ({{{ReviewPasswordsUrl}}})
+{{/SecurityTasksHtmlLayout}}

src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs

@@ -0,0 +1,12 @@
+namespace Bit.Core.Models.Mail;
+
+public class SecurityTaskNotificationViewModel : BaseMailModel
+{
+    public string OrgName { get; set; }
+
+    public int TaskCount { get; set; }
+
+    public bool TaskCountPlural => TaskCount != 1;
+
+    public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
+}

src/Core/Services/IMailService.cs

@@ -5,6 +5,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Core.Services;
 
@@ -97,5 +98,5 @@ Task SendFamiliesForEnterpriseRemoveSponsorshipsEmailAsync(string email, string
         string organizationName);
     Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
     Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
+    Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons);
 }
-

src/Core/Services/Implementations/HandlebarsMailService.cs

@@ -15,6 +15,7 @@
 using Bit.Core.SecretsManager.Models.Mail;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
+using Bit.Core.Vault.Models.Data;
 using HandlebarsDotNet;
 
 namespace Bit.Core.Services;
@@ -644,6 +645,10 @@
         Handlebars.RegisterTemplate("TitleContactUsHtmlLayout", titleContactUsHtmlLayoutSource);
         var titleContactUsTextLayoutSource = await ReadSourceAsync("Layouts.TitleContactUs.text");
         Handlebars.RegisterTemplate("TitleContactUsTextLayout", titleContactUsTextLayoutSource);
+        var securityTasksHtmlLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.html");
+        Handlebars.RegisterTemplate("SecurityTasksHtmlLayout", securityTasksHtmlLayoutSource);
+        var securityTasksTextLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.text");
+        Handlebars.RegisterTemplate("SecurityTasksTextLayout", securityTasksTextLayoutSource);
 
         Handlebars.RegisterHelper("date", (writer, context, parameters) =>
         {
@@ -1186,9 +1191,26 @@
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    {
+        MailQueueMessage CreateMessage(UserSecurityTasksCount notification)
+        {
+            var message = CreateDefaultMessage($"{orgName} has identified {notification.TaskCount} at-risk password{(notification.TaskCount.Equals(1) ? "" : "s")}", notification.Email);
+            var model = new SecurityTaskNotificationViewModel
+            {
+                OrgName = orgName,
+                TaskCount = notification.TaskCount,
+                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            };
+            message.Category = "SecurityTasksNotification";
+            return new MailQueueMessage(message, "SecurityTasksNotification", model);
+        }
+        var messageModels = securityTaskNotificaitons.Select(CreateMessage);
+        await EnqueueMailAsync(messageModels.ToList());
+    }
+
     private static string GetUserIdentifier(string email, string userName)
     {
         return string.IsNullOrEmpty(userName) ? email : CoreHelpers.SanitizeForEmail(userName, false);
     }
 }
-

src/Core/Services/NoopImplementations/NoopMailService.cs

@@ -5,6 +5,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Core.Services;
 
@@ -321,5 +322,9 @@
     {
         return Task.FromResult(0);
     }
-}
 
+    public Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
+    {
+        return Task.FromResult(0);
+    }
+}

src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs

@@ -0,0 +1,22 @@
+namespace Bit.Core.Vault.Models.Data;
+
+/// <summary>
+/// Data model that represents a User and the associated cipher for a security task.
+/// </summary>
+public class UserSecurityTaskCipher
+{
+    /// <summary>
+    /// The user's Id.
+    /// </summary>
+    public Guid UserId { get; set; }
+
+    /// <summary>
+    /// The user's email.
+    /// </summary>
+    public string Email { get; set; }
+
+    /// <summary>
+    /// The cipher Id of the security task.
+    /// </summary>
+    public Guid CipherId { get; set; }
+}

src/Core/Vault/Models/Data/UserSecurityTasksCount.cs

@@ -0,0 +1,22 @@
+namespace Bit.Core.Vault.Models.Data;
+
+/// <summary>
+/// Data model that represents a User and the amount of actionable security tasks.
+/// </summary>
+public class UserSecurityTasksCount
+{
+    /// <summary>
+    /// The user's Id.
+    /// </summary>
+    public Guid UserId { get; set; }
+
+    /// <summary>
+    /// The user's email.
+    /// </summary>
+    public string Email { get; set; }
+
+    /// <summary>
+    /// The number of actionable security tasks for the respective users.
+    /// </summary>
+    public int TaskCount { get; set; }
+}

src/Core/Vault/Queries/GetSecurityTasksNotificationDetailsQuery.cs

@@ -0,0 +1,37 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+
+namespace Bit.Core.Vault.Queries;
+
+public class GetSecurityTasksNotificationDetailsQuery : IGetSecurityTasksNotificationDetailsQuery
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly ICipherRepository _cipherRepository;
+
+    public GetSecurityTasksNotificationDetailsQuery(ICurrentContext currentContext, ICipherRepository cipherRepository)
+    {
+        _currentContext = currentContext;
+        _cipherRepository = cipherRepository;
+    }
+
+    public async Task<ICollection<UserSecurityTaskCipher>> GetNotificationDetailsByManyIds(Guid organizationId, IEnumerable<SecurityTask> tasks)
+    {
+        var org = _currentContext.GetOrganization(organizationId);
+        var cipherIds = tasks
+            .Where(task => task.CipherId.HasValue)
+            .Select(task => task.CipherId.Value)
+            .ToList();
+
+        if (org == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var userSecurityTaskCiphers = await _cipherRepository.GetUserSecurityTasksByCipherIdsAsync(organizationId, cipherIds);
+
+        return userSecurityTaskCiphers;
+    }
+}

src/Core/Vault/Queries/IGetSecurityTasksNotificationDetailsQuery.cs

@@ -0,0 +1,16 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+
+namespace Bit.Core.Vault.Queries;
+
+public interface IGetSecurityTasksNotificationDetailsQuery
+{
+    /// <summary>
+    /// Retrieves all users within the given organization that are applicable to the given security tasks.
+    ///
+    /// <param name="organizationId"></param>
+    /// <param name="tasks"></param>
+    /// <returns>A dictionary of UserIds and the corresponding amount of security tasks applicable to them.</returns>
+    /// </summary>
+    public Task<ICollection<UserSecurityTaskCipher>> GetNotificationDetailsByManyIds(Guid organizationId, IEnumerable<SecurityTask> tasks);
+}