[PM-2260] Remove TDE feature flag (#3614)

* Remove TDE feature flag.

* Removed references to feature service from decryption options builder.

* Removed redundant references.

* Removed test that is no longer valid, as it was testing the feature flag.

* Removed remainder of TDE feature check.

src/Api/AdminConsole/Controllers/OrganizationAuthRequestsController.cs

@@ -1,14 +1,12 @@
 using Bit.Api.AdminConsole.Models.Request;
 using Bit.Api.AdminConsole.Models.Response;
 using Bit.Api.Models.Response;
-using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationAuth.Interfaces;
 using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Auth.Services;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
-using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -16,7 +14,6 @@ namespace Bit.Api.AdminConsole.Controllers;
 
 [Route("organizations/{orgId}/auth-requests")]
 [Authorize("Application")]
-[RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)]
 public class OrganizationAuthRequestsController : Controller
 {
     private readonly IAuthRequestRepository _authRequestRepository;

src/Api/AdminConsole/Controllers/OrganizationsController.cs

@@ -764,12 +764,6 @@ public class OrganizationsController : Controller
             throw new NotFoundException();
         }
 
-        if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption &&
-            !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
-        {
-            throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type.");
-        }
-
         var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
         ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
         organization.Identifier = model.Identifier;

src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs

@@ -1,12 +1,10 @@
-using Bit.Core;
-using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Response;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Identity.Utilities;
 
 namespace Bit.Identity.IdentityServer;
@@ -20,7 +18,6 @@ namespace Bit.Identity.IdentityServer;
 public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
 {
     private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
     private readonly IDeviceRepository _deviceRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
 
@@ -31,13 +28,11 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
 
     public UserDecryptionOptionsBuilder(
         ICurrentContext currentContext,
-        IFeatureService featureService,
         IDeviceRepository deviceRepository,
         IOrganizationUserRepository organizationUserRepository
     )
     {
         _currentContext = currentContext;
-        _featureService = featureService;
         _deviceRepository = deviceRepository;
         _organizationUserRepository = organizationUserRepository;
     }
@@ -95,7 +90,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
     private async Task BuildTrustedDeviceOptions()
     {
         // TrustedDeviceEncryption only exists for SSO, if that changes then these guards should change
-        if (_ssoConfig == null || !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
+        if (_ssoConfig == null)
         {
             return;
         }

test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs

@@ -1,18 +1,15 @@
 using System.Security.Claims;
 using System.Text.Json;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
-using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.IntegrationTestCommon.Factories;
 using Bit.Test.Common.Helpers;
@@ -383,36 +380,6 @@ public class IdentityServerSsoTests
 
     }
 
-
-    [Fact]
-    public async Task SsoLogin_TrustedDeviceEncryption_FlagTurnedOff_DoesNotReturnOption()
-    {
-        // This creates SsoConfig that HAS enabled trusted device encryption which should have only been
-        // done with the feature flag turned on but we are testing that even if they have done that, this will turn off
-        // if returning as an option if the flag has later been turned off.  We should be very careful turning the flag
-        // back off.
-        using var responseBody = await RunSuccessTestAsync(async factory =>
-        {
-            await UpdateUserAsync(factory, user => user.MasterPassword = null);
-        }, MemberDecryptionType.TrustedDeviceEncryption, trustedDeviceEnabled: false);
-
-        // Assert
-        // If the organization has selected TrustedDeviceEncryption but the user still has their master password
-        // they can decrypt with either option
-        var root = responseBody.RootElement;
-        AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
-        var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
-
-        // Expected to look like:
-        // "UserDecryptionOptions": {
-        //   "Object": "userDecryptionOptions"
-        //   "HasMasterPassword": false
-        // }
-
-        // Should only have 2 properties
-        Assert.Equal(2, userDecryptionOptions.EnumerateObject().Count());
-    }
-
     [Fact]
     public async Task SsoLogin_KeyConnector_ReturnsOptions()
     {
@@ -511,12 +478,6 @@ public class IdentityServerSsoTests
                 .Returns(authorizationCode);
         });
 
-        factory.SubstitueService<IFeatureService>(service =>
-        {
-            service.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, Arg.Any<ICurrentContext>())
-                .Returns(trustedDeviceEnabled);
-        });
-
         // This starts the server and finalizes services
         var registerResponse = await factory.RegisterAsync(new RegisterRequestModel
         {

test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs

@@ -1,11 +1,9 @@
-using Bit.Core;
-using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Identity.IdentityServer;
 using Bit.Identity.Utilities;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -17,7 +15,6 @@ namespace Bit.Identity.Test.IdentityServer;
 public class UserDecryptionOptionsBuilderTests
 {
     private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
     private readonly IDeviceRepository _deviceRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly UserDecryptionOptionsBuilder _builder;
@@ -25,10 +22,9 @@ public class UserDecryptionOptionsBuilderTests
     public UserDecryptionOptionsBuilderTests()
     {
         _currentContext = Substitute.For<ICurrentContext>();
-        _featureService = Substitute.For<IFeatureService>();
         _deviceRepository = Substitute.For<IDeviceRepository>();
         _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
-        _builder = new UserDecryptionOptionsBuilder(_currentContext, _featureService, _deviceRepository, _organizationUserRepository);
+        _builder = new UserDecryptionOptionsBuilder(_currentContext, _deviceRepository, _organizationUserRepository);
     }
 
     [Theory]
@@ -79,7 +75,6 @@ public class UserDecryptionOptionsBuilderTests
     [Theory, BitAutoData]
     public async Task Build_WhenTrustedDeviceIsEnabled_ShouldReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
 
@@ -91,23 +86,9 @@ public class UserDecryptionOptionsBuilderTests
         Assert.False(result.TrustedDeviceOption!.HasManageResetPasswordPermission);
     }
 
-    // TODO: Remove when FeatureFlagKeys.TrustedDeviceEncryption is removed
-    [Theory, BitAutoData]
-    public async Task Build_WhenTrustedDeviceIsEnabledButFeatureFlagIsDisabled_ShouldNotReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
-    {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(false);
-        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
-        ssoConfig.Data = configurationData.Serialize();
-
-        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
-
-        Assert.Null(result.TrustedDeviceOption);
-    }
-
     [Theory, BitAutoData]
     public async Task Build_WhenDeviceIsTrusted_ShouldReturnKeys(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         device.EncryptedPrivateKey = "encryptedPrivateKey";
@@ -123,7 +104,6 @@ public class UserDecryptionOptionsBuilderTests
     [Theory, BitAutoData]
     public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         approvingDevice.Type = LoginApprovingDeviceTypes.Types.First();
@@ -140,7 +120,6 @@ public class UserDecryptionOptionsBuilderTests
         SsoConfigurationData configurationData,
         CurrentContextOrganization organization)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         ssoConfig.OrganizationId = organization.Id;
@@ -159,7 +138,6 @@ public class UserDecryptionOptionsBuilderTests
         OrganizationUser organizationUser,
         User user)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         organizationUser.ResetPasswordKey = "resetPasswordKey";