[PM-37486] Remove IPolicyService and associated dead code

[r-tome]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-37486

📔 Objective

Migrate remaining IPolicyService callers to use IPolicyRequirementQuery and subsequently delete `IPolicyService.

[github-actions]

Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR completes the migration from the legacy IPolicyService to IPolicyRequirementQuery, deletes the orphaned service, its OrganizationUserPolicyDetails model, the GetByUserIdWithPolicyDetailsAsync repository method on both Dapper and EF implementations, and the associated AutoFixture types and integration tests. The five remaining call sites in AccountsController, InitPendingOrganizationValidator, and the Identity request validators (BaseRequestValidator, CustomTokenRequestValidator, ResourceOwnerPasswordValidator, SsoRequestValidator, WebAuthnGrantValidator) have been switched over with semantically equivalent replacements — SingleOrganizationPolicyRequirement.CanCreateOrganization() for the SingleOrg check (filters [Accepted, Confirmed], matching the prior minStatus = Accepted behavior) and MasterPasswordPolicyRequirement.EnforcedOptions for the master-password policy (same role exemptions as the deleted PolicyService path).

Prior reviewer concerns are addressed: the orphaned EfPolicyApplicableToUser/EfPolicyApplicableToUserInlineAutoDataAttribute fixtures are removed from PolicyFixtures.cs, and the stored-procedure DROP migration that risked a rollback-incompatible deployment has been reverted, leaving OrganizationUser_ReadByUserIdWithPolicyDetails and PolicyDetails_ReadByUserId in place for a safer cleanup PR once this deployment is hardened.

Code Review Details

No new findings.

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.82%. Comparing base (7180015) to head (7e8ab19).

Files with missing lines	Patch %	Lines
src/Api/Auth/Controllers/AccountsController.cs	50.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7672      +/-   ##
==========================================
+ Coverage   60.43%   64.82%   +4.38%     
==========================================
  Files        2140     2138       -2     
  Lines       94622    94507     -115     
  Branches     8443     8440       -3     
==========================================
+ Hits        57188    61262    +4074     
+ Misses      35429    31151    -4278     
- Partials     2005     2094      +89     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mkincaid-bw]

It looks like the C# code that calls this proc is being removed in this PR. If the deployment requires a server code rollback, this DROP would cause issues since DB changes are not reverted. This DROP should be moved to another PR to be done at a later date once this server deployment is hardened.

[r-tome]

Thanks for calling this out! I have reverted the SQL changes in this branch. I will create a separate task to drop the stored procedures in a future release.

[eliykat]

🧹

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[JaredSnider-Bitwarden]

These changes LGTM!

The expected behavior is intended to be the same but since this isn't feature flagged, I would like to request the following flows be QA tested from an auth perspective:

1. Login master-password policy — log in as a member of an org with the Master Password policy configured; confirm the client picks up the correct rules on the direct login response. Repeat for a user in two orgs with conflicting settings — strictest values should win.

2. /accounts/verify-password reprompt - As the same user, perform any master-password reprompt action (Export vault is easiest); confirm the client receives the same policy block. Also verify a user in no org can successfully hit this endpoint and gets a default/empty policy block (no 500).

3. Accept org invite under Single Org policy

• User already Confirmed in Org A (Single Org policy ON) must be blocked from accepting Org B's invite.
• User only Invited (not yet Accepted) in Org A must still be able to accept Org B's invite.
• User Revoked in Org A must be able to accept Org B's invite.
• Provider-exempt user must be able to accept.

[eliykat]

@JaredSnider-Bitwarden

1. Login master-password policy — log in as a member of an org with the Master Password policy configured; confirm the client picks up the correct rules on the direct login response. Repeat for a user in two orgs with conflicting settings — strictest values should win.

I take it this is the change in BaseRequestValidator. It was calling PolicyService.GetMasterPasswordPolicyForUserAsync, but that already used PolicyRequirementQuery.GetAsyncVNext<MasterPasswordPolicyRequirement> under the hood. This PR is just removing the indirection; no change in the actual implementation code.

2. /accounts/verify-password reprompt - As the same user, perform any master-password reprompt action (Export vault is easiest); confirm the client receives the same policy block. Also verify a user in no org can successfully hit this endpoint and gets a default/empty policy block (no 500).

Same as above.

3. Accept org invite under Single Org policy

This has not been changed here. Maybe you're looking at the InitPendingOrganizationValidator? That is responsible for initializing a reseller organization created via the Bitwarden Portal. In this case, we are already using the SingleOrganizationPolicyRequirement in all the other accept/confirm flows, so we're comfortable with it here.

Let me know if I've missed or misunderstood anything.

[JaredSnider-Bitwarden]

@JaredSnider-Bitwarden

1. Login master-password policy — log in as a member of an org with the Master Password policy configured; confirm the client picks up the correct rules on the direct login response. Repeat for a user in two orgs with conflicting settings — strictest values should win.

I take it this is the change in BaseRequestValidator. It was calling PolicyService.GetMasterPasswordPolicyForUserAsync, but that already used PolicyRequirementQuery.GetAsyncVNext<MasterPasswordPolicyRequirement> under the hood. This PR is just removing the indirection; no change in the actual implementation code.

2. /accounts/verify-password reprompt - As the same user, perform any master-password reprompt action (Export vault is easiest); confirm the client receives the same policy block. Also verify a user in no org can successfully hit this endpoint and gets a default/empty policy block (no 500).

Same as above.

3. Accept org invite under Single Org policy

This has not been changed here. Maybe you're looking at the InitPendingOrganizationValidator? That is responsible for initializing a reseller organization created via the Bitwarden Portal. In this case, we are already using the SingleOrganizationPolicyRequirement in all the other accept/confirm flows, so we're comfortable with it here.

Let me know if I've missed or misunderstood anything.

@eliykat
Oh, ok, I'm sorry that I missed that it was already using that under the hood. Request for smoke tests retracted. Also, the last one was my mistake with vetting claude output - I apologize.