bitwarden · jrmccannon · Jan 31, 2025 · Feb 6, 2025 · Feb 6, 2025 · Feb 6, 2025
@@ -1,4 +1,8 @@
-using Bit.Core.Enums;
+using Bit.Core;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
@@ -9,31 +13,20 @@
 
 namespace Bit.Scim.Users;
 
-public class PostUserCommand : IPostUserCommand
+public class PostUserCommand(
+    IOrganizationRepository organizationRepository,
+    IOrganizationUserRepository organizationUserRepository,
+    IOrganizationService organizationService,
+    IPaymentService paymentService,
+    IScimContext scimContext,
+    IFeatureService featureService,
+    IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,
+    TimeProvider timeProvider)
+    : IPostUserCommand
 {
-    private readonly IOrganizationRepository _organizationRepository;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IOrganizationService _organizationService;
-    private readonly IPaymentService _paymentService;
-    private readonly IScimContext _scimContext;
-
-    public PostUserCommand(
-        IOrganizationRepository organizationRepository,
-        IOrganizationUserRepository organizationUserRepository,
-        IOrganizationService organizationService,
-        IPaymentService paymentService,
-        IScimContext scimContext)
-    {
-        _organizationRepository = organizationRepository;
-        _organizationUserRepository = organizationUserRepository;
-        _organizationService = organizationService;
-        _paymentService = paymentService;
-        _scimContext = scimContext;
-    }
-
     public async Task<OrganizationUserUserDetails> PostUserAsync(Guid organizationId, ScimUserRequestModel model)
     {
-        var scimProvider = _scimContext.RequestScimProvider;
+        var scimProvider = scimContext.RequestScimProvider;
         var invite = model.ToOrganizationUserInvite(scimProvider);
 
         var email = invite.Emails.Single();
@@ -44,27 +37,38 @@
             throw new BadRequestException();
         }
 
-        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
-        var orgUserByEmail = orgUsers.FirstOrDefault(ou => ou.Email?.ToLowerInvariant() == email);
-        if (orgUserByEmail != null)
+        var existingUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
+
+        if (existingUsers.Any(ou => ou.Email?.ToLowerInvariant() == email || ou.ExternalId == externalId))
         {
             throw new ConflictException();
         }
 
-        var orgUserByExternalId = orgUsers.FirstOrDefault(ou => ou.ExternalId == externalId);
-        if (orgUserByExternalId != null)
+        var organization = await organizationRepository.GetByIdAsync(organizationId);
+
+        var hasStandaloneSecretsManager = await paymentService.HasSecretsManagerStandalone(organization);
+        invite.AccessSecretsManager = hasStandaloneSecretsManager;
+
+        if (featureService.IsEnabled(FeatureFlagKeys.ScimCreateUserRefactor))
         {
-            throw new ConflictException();
+            var organizationUser = (await inviteOrganizationUsersCommand.InviteScimOrganizationUserAsync(
+                InviteScimOrganizationUserRequest.Create(
+                    OrganizationUserSingleEmailInvite.Create(
+                        email,
+                        invite.Collections,
+                        externalId, invite.Type ?? OrganizationUserType.User,
+                        invite.Permissions,
+                        invite.AccessSecretsManager),
+                    OrganizationDto.FromOrganization(organization),
+                    timeProvider.GetUtcNow()))).Data;
+
+            return await organizationUserRepository.GetDetailsByIdAsync(organizationUser.Id);
         }
 
-        var organization = await _organizationRepository.GetByIdAsync(organizationId);
-        var hasStandaloneSecretsManager = await _paymentService.HasSecretsManagerStandalone(organization);
-        invite.AccessSecretsManager = hasStandaloneSecretsManager;
+        var orgUser = await organizationService.InviteUserAsync(organizationId, null, EventSystemUser.SCIM, invite,
+            externalId);
 
-        var invitedOrgUser = await _organizationService.InviteUserAsync(organizationId, invitingUserId: null, EventSystemUser.SCIM,
-            invite, externalId);
-        var orgUser = await _organizationUserRepository.GetDetailsByIdAsync(invitedOrgUser.Id);
+        return await organizationUserRepository.GetDetailsByIdAsync(orgUser.Id);
 
-        return orgUser;
     }
 }
@@ -2,7 +2,11 @@
 using Bit.Api.AdminConsole.Public.Models.Request;
 using Bit.Api.AdminConsole.Public.Models.Response;
 using Bit.Api.Models.Public.Response;
+using Bit.Core;
+using Bit.Core.AdminConsole.Models.Business;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Context;
@@ -29,6 +33,9 @@
     private readonly IOrganizationRepository _organizationRepository;
     private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
     private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
+    private readonly IInviteOrganizationUsersCommand _inviteOrganizationUsersCommand;
+    private readonly IFeatureService _featureService;
+    private readonly TimeProvider _timeProvider;
 
     public MembersController(
         IOrganizationUserRepository organizationUserRepository,
@@ -42,7 +49,10 @@
         IPaymentService paymentService,
         IOrganizationRepository organizationRepository,
         ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand)
+        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
+        IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,
+        IFeatureService featureService,
+        TimeProvider timeProvider)
     {
         _organizationUserRepository = organizationUserRepository;
         _groupRepository = groupRepository;
@@ -56,6 +66,9 @@
         _organizationRepository = organizationRepository;
         _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
         _removeOrganizationUserCommand = removeOrganizationUserCommand;
+        _inviteOrganizationUsersCommand = inviteOrganizationUsersCommand;
+        _featureService = featureService;
+        _timeProvider = timeProvider;
     }
 
     /// <summary>
@@ -151,8 +164,27 @@
 
         invite.AccessSecretsManager = hasStandaloneSecretsManager;
 
+        if (_featureService.IsEnabled(FeatureFlagKeys.ScimCreateUserRefactor))
+        {
+            var invitedUserResult = await _inviteOrganizationUsersCommand.InvitePublicApiOrganizationUserAsync(
+                InviteOrganizationUserRequest.Create(
+                    model.ToOrganizationUserSingleEmailInvite(hasStandaloneSecretsManager),
+                    OrganizationDto.FromOrganization(organization),
+                    Guid.Empty,
+                    _timeProvider.GetUtcNow()
+                ));
+
+            if (invitedUserResult is { Success: true })
+            {
+                return new JsonResult(new MemberResponseModel(invitedUserResult.Data, invite.Collections));
+            }
+
+            return new EmptyResult();  // TODO figure out something better to put here
+        }
+
         var user = await _organizationService.InviteUserAsync(_currentContext.OrganizationId.Value, null,
             systemUser: null, invite, model.ExternalId);
+
         var response = new MemberResponseModel(user, invite.Collections);
         return new JsonResult(response);
     }

@@ -1,8 +1,10 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
-using Bit.Core.Models.Business;
+using Bit.Core.Models.Data;
 using Bit.Core.Utilities;
+using OrganizationUserInvite = Bit.Core.Models.Business.OrganizationUserInvite;
 
 namespace Bit.Api.AdminConsole.Public.Models.Request;
 
@@ -40,4 +42,13 @@
 
         return invite;
     }
+
+    public OrganizationUserSingleEmailInvite ToOrganizationUserSingleEmailInvite(bool hasSecretsManager) =>
+        OrganizationUserSingleEmailInvite.Create(
+            Email,
+            Collections.Select(c => c.ToCollectionAccessSelection()).ToArray(),
+            string.Empty,
+            Type.Value,
+            Type is OrganizationUserType.Custom && Permissions is not null ? Permissions.ToData() : new Permissions(),
+            hasSecretsManager);
 }
@@ -0,0 +1,57 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.StaticStore;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.AdminConsole.Models.Business;
+
+public record OrganizationDto(
+    Guid OrganizationId,
+    bool UseCustomPermissions,
+    int? Seats,
+    int? MaxAutoScaleSeats,
+    int? SmSeats,
+    int? SmMaxAutoScaleSeats,
+    Plan Plan,
+    string GatewayCustomerId,
+    string GatewaySubscriptionId,
+    bool UseSecretsManager
+) : ISubscriber
+{
+    public Guid Id => OrganizationId;
+    public GatewayType? Gateway { get; set; }
+    public string GatewayCustomerId { get; set; } = GatewayCustomerId;
+    public string GatewaySubscriptionId { get; set; } = GatewaySubscriptionId;
+    public string BillingEmailAddress() => throw new NotImplementedException();
+
+    public string BillingName() => throw new NotImplementedException();
+
+    public string SubscriberName() => throw new NotImplementedException();
+
+    public string BraintreeCustomerIdPrefix() => throw new NotImplementedException();
+
+    public string BraintreeIdField() => throw new NotImplementedException();
+
+    public string BraintreeCloudRegionField() => throw new NotImplementedException();
+
+    public bool IsOrganization() => throw new NotImplementedException();
+
+    public bool IsUser() => throw new NotImplementedException();
+
+    public string SubscriberType() => throw new NotImplementedException();
+
+    public bool IsExpired() => throw new NotImplementedException();
+
+    public static OrganizationDto FromOrganization(Organization organization) =>
+        new(organization.Id,
+            organization.UseCustomPermissions,
+            organization.Seats,
+            organization.MaxAutoscaleSeats,
+            organization.SmSeats,
+            organization.MaxAutoscaleSmSeats,
+            StaticStore.GetPlan(organization.PlanType),
+            organization.GatewayCustomerId,
+            organization.GatewaySubscriptionId,
+            organization.UseSecretsManager);
+}