[PM-14381] Add POST /tasks/bulk-create endpoint (#5188)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository

* [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework

* [PM-14378] Add integration tests for new repository method

* [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query

* [PM-14378] Introduce SecurityTaskOperationRequirement

* [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs

* [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs

* [PM-14378] Register new authorization handlers

* [PM-14378] Formatting

* [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery

* [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests

* [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler

* [PM-14378] Formatting

* [PM-14378] Update date in migration file

* [PM-14378] Add missing awaits

* Added bulk create request model

* Created sproc to create bulk security tasks

* Renamed tasks to SecurityTasksInput

* Added create many implementation for sqlserver and ef core

* removed trailing comma

* created ef implementatin for create many and added integration test

* Refactored request model

* Refactored request model

* created create many tasks command interface and class

* added security authorization handler work temp

* Added the implementation for the create manys tasks command

* Added comment

* Changed return to return list of created security tasks

* Registered command

* Completed bulk create action

* Added unit tests for the command

* removed hard coded table name

* Fixed lint issue

* Added JsonConverter attribute to allow enum value to be passed as string

* Removed makshift security task operations

* Fixed references

* Removed old migration

* Rebased

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository

* [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework

* [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery

* Completed bulk create action

* bumped migration version

* Fixed lint issue

* Removed complex sql data type in favour of json string

* Register IGetTasksForOrganizationQuery

* Fixed lint issue

* Removed tasks grouping

* Fixed linting

* Removed unused code

* Removed unused code

* Aligned with client change

* Fixed linting

---------

Co-authored-by: Shane Melton <smelton@bitwarden.com>

src/Api/Vault/Controllers/SecurityTaskController.cs

@@ -1,4 +1,5 @@
 using Bit.Api.Models.Response;
+using Bit.Api.Vault.Models.Request;
 using Bit.Api.Vault.Models.Response;
 using Bit.Core;
 using Bit.Core.Services;
@@ -20,17 +21,20 @@ public class SecurityTaskController : Controller
     private readonly IGetTaskDetailsForUserQuery _getTaskDetailsForUserQuery;
     private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
     private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
+    private readonly ICreateManyTasksCommand _createManyTasksCommand;
 
     public SecurityTaskController(
         IUserService userService,
         IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
         IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
-        IGetTasksForOrganizationQuery getTasksForOrganizationQuery)
+        IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
+        ICreateManyTasksCommand createManyTasksCommand)
     {
         _userService = userService;
         _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
         _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
         _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
+        _createManyTasksCommand = createManyTasksCommand;
     }
 
     /// <summary>
@@ -71,4 +75,19 @@ public class SecurityTaskController : Controller
         var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
         return new ListResponseModel<SecurityTasksResponseModel>(response);
     }
+
+    /// <summary>
+    /// Bulk create security tasks for an organization.
+    /// </summary>
+    /// <param name="orgId"></param>
+    /// <param name="model"></param>
+    /// <returns>A list response model containing the security tasks created for the organization.</returns>
+    [HttpPost("{orgId:guid}/bulk-create")]
+    public async Task<ListResponseModel<SecurityTasksResponseModel>> BulkCreateTasks(Guid orgId,
+        [FromBody] BulkCreateSecurityTasksRequestModel model)
+    {
+        var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
+        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
+        return new ListResponseModel<SecurityTasksResponseModel>(response);
+    }
 }

src/Api/Vault/Models/Request/BulkCreateSecurityTasksRequestModel.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Vault.Models.Api;
+
+namespace Bit.Api.Vault.Models.Request;
+
+public class BulkCreateSecurityTasksRequestModel
+{
+    public IEnumerable<SecurityTaskCreateRequest> Tasks { get; set; }
+}

src/Core/Vault/Authorization/SecurityTaskOperations.cs

@@ -1,16 +0,0 @@
-using Microsoft.AspNetCore.Authorization.Infrastructure;
-
-namespace Bit.Core.Vault.Authorization;
-
-public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
-{
-    public SecurityTaskOperationRequirement(string name)
-    {
-        Name = name;
-    }
-}
-
-public static class SecurityTaskOperations
-{
-    public static readonly SecurityTaskOperationRequirement Update = new(nameof(Update));
-}

src/Core/Vault/Commands/CreateManyTasksCommand.cs

@@ -0,0 +1,65 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Utilities;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Commands.Interfaces;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Enums;
+using Bit.Core.Vault.Models.Api;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Commands;
+
+public class CreateManyTasksCommand : ICreateManyTasksCommand
+{
+    private readonly IAuthorizationService _authorizationService;
+    private readonly ICurrentContext _currentContext;
+    private readonly ISecurityTaskRepository _securityTaskRepository;
+
+    public CreateManyTasksCommand(
+        ISecurityTaskRepository securityTaskRepository,
+        IAuthorizationService authorizationService,
+        ICurrentContext currentContext)
+    {
+        _securityTaskRepository = securityTaskRepository;
+        _authorizationService = authorizationService;
+        _currentContext = currentContext;
+    }
+
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> CreateAsync(Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            throw new NotFoundException();
+        }
+
+        var tasksList = tasks?.ToList();
+
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            throw new BadRequestException("No tasks provided.");
+        }
+
+        var securityTasks = tasksList.Select(t => new SecurityTask
+        {
+            OrganizationId = organizationId,
+            CipherId = t.CipherId,
+            Type = t.Type,
+            Status = SecurityTaskStatus.Pending
+        }).ToList();
+
+        // Verify authorization for each task
+        foreach (var task in securityTasks)
+        {
+            await _authorizationService.AuthorizeOrThrowAsync(
+                _currentContext.HttpContext.User,
+                task,
+                SecurityTaskOperations.Create);
+        }
+
+        return await _securityTaskRepository.CreateManyAsync(securityTasks);
+    }
+}

src/Core/Vault/Commands/Interfaces/ICreateManyTasksCommand.cs

@@ -0,0 +1,17 @@
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Api;
+
+namespace Bit.Core.Vault.Commands.Interfaces;
+
+public interface ICreateManyTasksCommand
+{
+    /// <summary>
+    /// Creates multiple security tasks for an organization.
+    /// Each task must be authorized and the user must have the Create permission
+    /// and associated ciphers must belong to the organization.
+    /// </summary>
+    /// <param name="organizationId">The </param>
+    /// <param name="tasks"></param>
+    /// <returns>Collection of created security tasks</returns>
+    Task<ICollection<SecurityTask>> CreateAsync(Guid organizationId, IEnumerable<SecurityTaskCreateRequest> tasks);
+}

src/Core/Vault/Commands/MarkTaskAsCompletedCommand.cs

@@ -1,7 +1,7 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Utilities;
-using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Authorization.SecurityTasks;
 using Bit.Core.Vault.Commands.Interfaces;
 using Bit.Core.Vault.Enums;
 using Bit.Core.Vault.Repositories;

src/Core/Vault/Models/Api/SecurityTaskCreateRequest.cs

@@ -0,0 +1,9 @@
+using Bit.Core.Vault.Enums;
+
+namespace Bit.Core.Vault.Models.Api;
+
+public class SecurityTaskCreateRequest
+{
+    public SecurityTaskType Type { get; set; }
+    public Guid? CipherId { get; set; }
+}

src/Core/Vault/Repositories/ISecurityTaskRepository.cs

@@ -21,4 +21,11 @@ public interface ISecurityTaskRepository : IRepository<SecurityTask, Guid>
     /// <param name="status">Optional filter for task status. If not provided, returns tasks of all statuses</param>
     /// <returns></returns>
     Task<ICollection<SecurityTask>> GetManyByOrganizationIdStatusAsync(Guid organizationId, SecurityTaskStatus? status = null);
+
+    /// <summary>
+    ///  Creates bulk security tasks for an organization.
+    /// </summary>
+    /// <param name="tasks">Collection of tasks to create</param>
+    /// <returns>Collection of created security tasks</returns>
+    Task<ICollection<SecurityTask>> CreateManyAsync(IEnumerable<SecurityTask> tasks);
 }

src/Core/Vault/VaultServiceCollectionExtensions.cs

@@ -21,5 +21,6 @@ public static class VaultServiceCollectionExtensions
         services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
         services.AddScoped<IGetCipherPermissionsForUserQuery, GetCipherPermissionsForUserQuery>();
         services.AddScoped<IGetTasksForOrganizationQuery, GetTasksForOrganizationQuery>();
+        services.AddScoped<ICreateManyTasksCommand, CreateManyTasksCommand>();
     }
 }

src/Infrastructure.Dapper/DapperHelpers.cs

@@ -81,7 +81,7 @@ public class DataTableBuilder<T>
             return true;
         }
 
-        // Value type properties will implicitly box into the object so 
+        // Value type properties will implicitly box into the object so
         // we need to look past the Convert expression
         // i => (System.Object?)i.Id
         if (

src/Infrastructure.Dapper/Vault/Repositories/SecurityTaskRepository.cs

@@ -1,4 +1,5 @@
 using System.Data;
+using System.Text.Json;
 using Bit.Core.Settings;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Enums;
@@ -46,4 +47,29 @@ public class SecurityTaskRepository : Repository<SecurityTask, Guid>, ISecurityT
 
         return results.ToList();
     }
+
+    /// <inheritdoc />
+    public async Task<ICollection<SecurityTask>> CreateManyAsync(IEnumerable<SecurityTask> tasks)
+    {
+        var tasksList = tasks?.ToList();
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            return Array.Empty<SecurityTask>();
+        }
+
+        foreach (var task in tasksList)
+        {
+            task.SetNewId();
+        }
+
+        var tasksJson = JsonSerializer.Serialize(tasksList);
+
+        await using var connection = new SqlConnection(ConnectionString);
+        await connection.ExecuteAsync(
+            $"[{Schema}].[{Table}_CreateMany]",
+            new { SecurityTasksJson = tasksJson },
+            commandType: CommandType.StoredProcedure);
+
+        return tasksList;
+    }
 }

src/Infrastructure.EntityFramework/Vault/Repositories/SecurityTaskRepository.cs

@@ -52,4 +52,28 @@ public class SecurityTaskRepository : Repository<Core.Vault.Entities.SecurityTas
 
         return await query.OrderByDescending(st => st.CreationDate).ToListAsync();
     }
+
+    /// <inheritdoc />
+    public async Task<ICollection<Core.Vault.Entities.SecurityTask>> CreateManyAsync(
+        IEnumerable<Core.Vault.Entities.SecurityTask> tasks)
+    {
+        var tasksList = tasks?.ToList();
+        if (tasksList is null || tasksList.Count == 0)
+        {
+            return Array.Empty<SecurityTask>();
+        }
+
+        foreach (var task in tasksList)
+        {
+            task.SetNewId();
+        }
+
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var entities = Mapper.Map<List<SecurityTask>>(tasksList);
+        await dbContext.AddRangeAsync(entities);
+        await dbContext.SaveChangesAsync();
+
+        return tasksList;
+    }
 }

src/Sql/Vault/dbo/Stored Procedures/SecurityTask/SecurityTask_CreateMany.sql

@@ -0,0 +1,55 @@
+CREATE PROCEDURE [dbo].[SecurityTask_CreateMany]
+    @SecurityTasksJson NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #TempSecurityTasks
+    (
+        [Id]             UNIQUEIDENTIFIER,
+        [OrganizationId] UNIQUEIDENTIFIER,
+        [CipherId]       UNIQUEIDENTIFIER,
+        [Type]           TINYINT,
+        [Status]         TINYINT,
+        [CreationDate]   DATETIME2(7),
+        [RevisionDate]   DATETIME2(7)
+    )
+
+    INSERT INTO #TempSecurityTasks
+    ([Id],
+     [OrganizationId],
+     [CipherId],
+     [Type],
+     [Status],
+     [CreationDate],
+     [RevisionDate])
+    SELECT CAST(JSON_VALUE([value], '$.Id') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.OrganizationId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.CipherId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.Type') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.Status') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.CreationDate') AS DATETIME2(7)),
+           CAST(JSON_VALUE([value], '$.RevisionDate') AS DATETIME2(7))
+    FROM OPENJSON(@SecurityTasksJson) ST
+
+    INSERT INTO [dbo].[SecurityTask]
+    (
+        [Id],
+        [OrganizationId],
+        [CipherId],
+        [Type],
+        [Status],
+        [CreationDate],
+        [RevisionDate]
+    )
+    SELECT [Id],
+           [OrganizationId],
+           [CipherId],
+           [Type],
+           [Status],
+           [CreationDate],
+           [RevisionDate]
+    FROM #TempSecurityTasks
+
+    DROP TABLE #TempSecurityTasks
+END

test/Core.Test/Vault/Commands/CreateManyTasksCommandTest.cs

@@ -0,0 +1,85 @@
+using System.Security.Claims;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Test.Vault.AutoFixture;
+using Bit.Core.Vault.Authorization.SecurityTasks;
+using Bit.Core.Vault.Commands;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Api;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Commands;
+
+[SutProviderCustomize]
+[SecurityTaskCustomize]
+public class CreateManyTasksCommandTest
+{
+    private static void Setup(SutProvider<CreateManyTasksCommand> sutProvider, Guid? userId,
+        bool authorizedCreate = false)
+    {
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<object>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
+                    reqs.Contains(SecurityTaskOperations.Create)))
+            .Returns(authorizedCreate ? AuthorizationResult.Success() : AuthorizationResult.Failed());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_NotLoggedIn_NotFoundException(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        Setup(sutProvider, null, true);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(organizationId, tasks));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_NoTasksProvided_BadRequestException(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId)
+    {
+        Setup(sutProvider, Guid.NewGuid());
+
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(organizationId, null));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_AuthorizationFailed_NotFoundException(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks)
+    {
+        Setup(sutProvider, Guid.NewGuid());
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(organizationId, tasks));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task CreateAsync_AuthorizationSucceeded_ReturnsSecurityTasks(
+        SutProvider<CreateManyTasksCommand> sutProvider,
+        Guid organizationId,
+        IEnumerable<SecurityTaskCreateRequest> tasks,
+        ICollection<SecurityTask> securityTasks)
+    {
+        Setup(sutProvider, Guid.NewGuid(), true);
+        sutProvider.GetDependency<ISecurityTaskRepository>()
+            .CreateManyAsync(Arg.Any<ICollection<SecurityTask>>())
+            .Returns(securityTasks);
+
+        var result = await sutProvider.Sut.CreateAsync(organizationId, tasks);
+
+        Assert.Equal(securityTasks, result);
+    }
+}

test/Core.Test/Vault/Commands/MarkTaskAsCompletedCommandTest.cs

@@ -3,7 +3,7 @@ using System.Security.Claims;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Test.Vault.AutoFixture;
-using Bit.Core.Vault.Authorization;
+using Bit.Core.Vault.Authorization.SecurityTasks;
 using Bit.Core.Vault.Commands;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Repositories;

test/Infrastructure.IntegrationTest/Vault/Repositories/SecurityTaskRepositoryTests.cs

@@ -223,4 +223,47 @@ public class SecurityTaskRepositoryTests
         Assert.DoesNotContain(task1, completedTasks, new SecurityTaskComparer());
         Assert.DoesNotContain(task3, completedTasks, new SecurityTaskComparer());
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task CreateManyAsync(
+        IOrganizationRepository organizationRepository,
+        ICipherRepository cipherRepository,
+        ISecurityTaskRepository securityTaskRepository)
+    {
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Org",
+            PlanType = PlanType.EnterpriseAnnually,
+            Plan = "Test Plan",
+            BillingEmail = ""
+        });
+
+        var cipher1 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher1);
+
+        var cipher2 = new Cipher { Type = CipherType.Login, OrganizationId = organization.Id, Data = "", };
+        await cipherRepository.CreateAsync(cipher2);
+
+        var tasks = new List<SecurityTask>
+        {
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher1.Id,
+                Status = SecurityTaskStatus.Pending,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            },
+            new()
+            {
+                OrganizationId = organization.Id,
+                CipherId = cipher2.Id,
+                Status = SecurityTaskStatus.Completed,
+                Type = SecurityTaskType.UpdateAtRiskCredential,
+            }
+        };
+
+        var taskIds = await securityTaskRepository.CreateManyAsync(tasks);
+
+        Assert.Equal(2, taskIds.Count);
+    }
 }

util/Migrator/DbScripts/2025-01-22_00_SecurityTaskCreateMany.sql

@@ -0,0 +1,55 @@
+-- SecurityTask_CreateMany
+CREATE OR ALTER PROCEDURE [dbo].[SecurityTask_CreateMany]
+    @SecurityTasksJson NVARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    CREATE TABLE #TempSecurityTasks
+    (
+        [Id]             UNIQUEIDENTIFIER,
+        [OrganizationId] UNIQUEIDENTIFIER,
+        [CipherId]       UNIQUEIDENTIFIER,
+        [Type]           TINYINT,
+        [Status]         TINYINT,
+        [CreationDate]   DATETIME2(7),
+        [RevisionDate]   DATETIME2(7)
+    )
+
+    INSERT INTO #TempSecurityTasks
+    ([Id],
+     [OrganizationId],
+     [CipherId],
+     [Type],
+     [Status],
+     [CreationDate],
+     [RevisionDate])
+    SELECT CAST(JSON_VALUE([value], '$.Id') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.OrganizationId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.CipherId') AS UNIQUEIDENTIFIER),
+           CAST(JSON_VALUE([value], '$.Type') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.Status') AS TINYINT),
+           CAST(JSON_VALUE([value], '$.CreationDate') AS DATETIME2(7)),
+           CAST(JSON_VALUE([value], '$.RevisionDate') AS DATETIME2(7))
+    FROM OPENJSON(@SecurityTasksJson) ST
+
+    INSERT INTO [dbo].[SecurityTask]
+    ([Id],
+     [OrganizationId],
+     [CipherId],
+     [Type],
+     [Status],
+     [CreationDate],
+     [RevisionDate])
+    SELECT [Id],
+           [OrganizationId],
+           [CipherId],
+           [Type],
+           [Status],
+           [CreationDate],
+           [RevisionDate]
+    FROM #TempSecurityTasks
+
+    DROP TABLE #TempSecurityTasks
+END
+GO