Block MSPs from creating orgs with SM

src/Core/OrganizationFeatures/OrganizationSubscriptions/AddSecretsManagerSubscriptionCommand.cs

@@ -1,8 +1,10 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Enums.Provider;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 
@@ -12,17 +14,21 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
 {
     private readonly IPaymentService _paymentService;
     private readonly IOrganizationService _organizationService;
+    private readonly IProviderRepository _providerRepository;
+
     public AddSecretsManagerSubscriptionCommand(
         IPaymentService paymentService,
-        IOrganizationService organizationService)
+        IOrganizationService organizationService,
+        IProviderRepository providerRepository)
     {
         _paymentService = paymentService;
         _organizationService = organizationService;
+        _providerRepository = providerRepository;
     }
     public async Task SignUpAsync(Organization organization, int additionalSmSeats,
         int additionalServiceAccounts)
     {
-        ValidateOrganization(organization);
+        await ValidateOrganization(organization);
 
         var plan = StaticStore.GetSecretsManagerPlan(organization.PlanType);
         var signup = SetOrganizationUpgrade(organization, additionalSmSeats, additionalServiceAccounts);
@@ -55,7 +61,7 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
         return signup;
     }
 
-    private static void ValidateOrganization(Organization organization)
+    private async Task ValidateOrganization(Organization organization)
     {
         if (organization == null)
         {
@@ -83,5 +89,12 @@ public class AddSecretsManagerSubscriptionCommand : IAddSecretsManagerSubscripti
         {
             throw new BadRequestException("No subscription found.");
         }
+
+        var provider = await _providerRepository.GetByOrganizationIdAsync(organization.Id);
+        if (provider is { Type: ProviderType.Msp })
+        {
+            throw new BadRequestException(
+                "Organizations with a Managed Service Provider do not support Secrets Manager.");
+        }
     }
 }

test/Core.Test/OrganizationFeatures/OrganizationSubscriptionUpdate/AddSecretsManagerSubscriptionCommandTests.cs

@@ -1,9 +1,12 @@
 using Bit.Core.Entities;
+using Bit.Core.Entities.Provider;
 using Bit.Core.Enums;
+using Bit.Core.Enums.Provider;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.StaticStore;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
@@ -127,6 +130,25 @@ public class AddSecretsManagerSubscriptionCommandTests
         await VerifyDependencyNotCalledAsync(sutProvider);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task SignUpAsync_ThrowsException_WhenOrganizationIsManagedByMSP(
+        SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider,
+        Organization organization,
+        Provider provider)
+    {
+        organization.UseSecretsManager = false;
+        organization.SecretsManagerBeta = false;
+        provider.Type = ProviderType.Msp;
+        sutProvider.GetDependency<IProviderRepository>().GetByOrganizationIdAsync(organization.Id).Returns(provider);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SignUpAsync(organization, 10, 10));
+
+        Assert.Contains("Organizations with a Managed Service Provider do not support Secrets Manager.", exception.Message);
+        await VerifyDependencyNotCalledAsync(sutProvider);
+    }
+
     private static async Task VerifyDependencyNotCalledAsync(SutProvider<AddSecretsManagerSubscriptionCommand> sutProvider)
     {
         await sutProvider.GetDependency<IPaymentService>().DidNotReceive()