[PM-27120] cxp hide user account when remove individual export is enabled (#6089)

Author: aj-rosado

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserStateManagerImpl.kt

@@ -1,6 +1,8 @@
 package com.x8bit.bitwarden.data.auth.manager
 
 import com.bitwarden.data.manager.DispatcherManager
+import com.bitwarden.network.model.PolicyTypeJson
+import com.bitwarden.network.model.SyncResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
@@ -19,6 +21,7 @@ import com.x8bit.bitwarden.data.auth.repository.util.userKeyConnectorStateList
 import com.x8bit.bitwarden.data.auth.repository.util.userOrganizationsList
 import com.x8bit.bitwarden.data.auth.repository.util.userOrganizationsListFlow
 import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
+import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.model.FirstTimeState
 import com.x8bit.bitwarden.data.vault.manager.VaultLockManager
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
@@ -39,6 +42,7 @@ class UserStateManagerImpl(
     private val authDiskSource: AuthDiskSource,
     firstTimeActionManager: FirstTimeActionManager,
     vaultLockManager: VaultLockManager,
+    private val policyManager: PolicyManager,
     dispatcherManager: DispatcherManager,
 ) : UserStateManager {
     private val unconfinedScope = CoroutineScope(dispatcherManager.unconfined)
@@ -110,6 +114,7 @@ class UserStateManagerImpl(
             vaultUnlockTypeProvider = ::getVaultUnlockType,
             isDeviceTrustedProvider = ::isDeviceTrusted,
             firstTimeState = firstTimeState,
+            getUserPolicies = ::existingPolicies,
         )
     }
         .filterNot {
@@ -133,6 +138,7 @@ class UserStateManagerImpl(
                     vaultUnlockTypeProvider = ::getVaultUnlockType,
                     isDeviceTrustedProvider = ::isDeviceTrusted,
                     firstTimeState = firstTimeActionManager.currentOrDefaultUserFirstTimeState,
+                    getUserPolicies = ::existingPolicies,
                 ),
         )
 
@@ -159,4 +165,12 @@ class UserStateManagerImpl(
         .getPinProtectedUserKeyEnvelope(userId = userId)
         ?.let { VaultUnlockType.PIN }
         ?: VaultUnlockType.MASTER_PASSWORD
+
+    private fun existingPolicies(
+        userId: String,
+        policyType: PolicyTypeJson,
+    ): List<SyncResponseJson.Policy> = policyManager.getUserPolicies(
+        userId = userId,
+        type = policyType,
+    )
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/di/AuthRepositoryModule.kt

@@ -102,11 +102,13 @@ object AuthRepositoryModule {
         authDiskSource: AuthDiskSource,
         firstTimeActionManager: FirstTimeActionManager,
         vaultLockManager: VaultLockManager,
+        policyManager: PolicyManager,
         dispatcherManager: DispatcherManager,
     ): UserStateManager = UserStateManagerImpl(
         authDiskSource = authDiskSource,
         firstTimeActionManager = firstTimeActionManager,
         vaultLockManager = vaultLockManager,
+        policyManager = policyManager,
         dispatcherManager = dispatcherManager,
     )
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/model/UserState.kt

@@ -75,6 +75,7 @@ data class UserState(
         val isUsingKeyConnector: Boolean,
         val onboardingStatus: OnboardingStatus,
         val firstTimeState: FirstTimeState,
+        val isExportable: Boolean,
     ) {
         /**
          * Indicates that the user does or does not have a means to manually unlock the vault.

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/UserStateJsonExtensions.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.repository.util
 import com.bitwarden.data.repository.util.toEnvironmentUrlsOrDefault
 import com.bitwarden.network.model.KdfTypeJson
 import com.bitwarden.network.model.OrganizationType
+import com.bitwarden.network.model.PolicyTypeJson
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.model.UserDecryptionOptionsJson
 import com.bitwarden.ui.platform.base.util.toHexColorRepresentation
@@ -164,6 +165,7 @@ fun UserStateJson.toUserState(
     isBiometricsEnabledProvider: (userId: String) -> Boolean,
     vaultUnlockTypeProvider: (userId: String) -> VaultUnlockType,
     isDeviceTrustedProvider: (userId: String) -> Boolean,
+    getUserPolicies: (userId: String, policy: PolicyTypeJson) -> List<SyncResponseJson.Policy>,
 ): UserState =
     UserState(
         activeUserId = this.activeUserId,
@@ -203,6 +205,19 @@ fun UserStateJson.toUserState(
                     hasManageResetPasswordPermission.takeIf { trustedDevice != null }
                 val needsMasterPassword = decryptionOptions?.hasMasterPassword == false &&
                     (tdeUserNeedsMasterPassword ?: (keyConnectorOptions == null))
+
+                val hasPersonalOwnershipRestrictedOrg = getUserPolicies(
+                    userId,
+                    PolicyTypeJson.PERSONAL_OWNERSHIP,
+                )
+                    .any { it.isEnabled }
+
+                val hasPersonalVaultExportRestrictedOrg = getUserPolicies(
+                    userId,
+                    PolicyTypeJson.DISABLE_PERSONAL_VAULT_EXPORT,
+                )
+                    .any { it.isEnabled }
+
                 UserState.Account(
                     userId = userId,
                     name = profile.name,
@@ -231,6 +246,8 @@ fun UserStateJson.toUserState(
                     // using the app prior to the release of the onboarding flow.
                     onboardingStatus = onboardingStatus ?: OnboardingStatus.COMPLETE,
                     firstTimeState = firstTimeState,
+                    isExportable = !hasPersonalOwnershipRestrictedOrg &&
+                        !hasPersonalVaultExportRestrictedOrg,
                 )
             },
         hasPendingAccountAddition = hasPendingAccountAddition,

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManager.kt

@@ -17,4 +17,12 @@ interface PolicyManager {
      * Get all the policies of the given [type] that are enabled and applicable to the user.
      */
     fun getActivePolicies(type: PolicyTypeJson): List<SyncResponseJson.Policy>
+
+    /**
+     * Get all the policies of the given [type] that are enabled and applicable to the [userId].
+     */
+    fun getUserPolicies(
+        userId: String,
+        type: PolicyTypeJson,
+    ): List<SyncResponseJson.Policy>
 }

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/PolicyManagerImpl.kt

@@ -54,6 +54,18 @@ class PolicyManagerImpl(
             }
             ?: emptyList()
 
+    override fun getUserPolicies(
+        userId: String,
+        type: PolicyTypeJson,
+    ): List<SyncResponseJson.Policy> =
+        this
+            .filterPolicies(
+                userId = userId,
+                type = type,
+                policies = authDiskSource.getPolicies(userId = userId),
+            )
+            .orEmpty()
+
     /**
      * A helper method to filter policies.
      */

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultSyncManagerImpl.kt

@@ -315,6 +315,15 @@ class VaultSyncManagerImpl(
                     }
                 }
 
+                // Treat absent network policies as known empty data to
+                // distinguish between unknown null data.
+                // The user state update will trigger flows that depend on the latest policies.
+                // We must store the new policies first to prevent old data on UserState.
+                authDiskSource.storePolicies(
+                    userId = userId,
+                    policies = syncResponse.policies.orEmpty(),
+                )
+
                 // Update user information with additional information from sync response
                 authDiskSource.userState = authDiskSource.userState?.toUpdatedUserStateJson(
                     syncResponse = syncResponse,
@@ -323,12 +332,6 @@ class VaultSyncManagerImpl(
                 unlockVaultForOrganizationsIfNecessary(syncResponse = syncResponse)
                 storeProfileData(syncResponse = syncResponse)
 
-                // Treat absent network policies as known empty data to
-                // distinguish between unknown null data.
-                authDiskSource.storePolicies(
-                    userId = userId,
-                    policies = syncResponse.policies.orEmpty(),
-                )
                 settingsDiskSource.storeLastSyncTime(
                     userId = userId,
                     lastSyncTime = clock.instant(),

app/src/main/kotlin/com/x8bit/bitwarden/ui/platform/feature/rootnav/RootNavScreen.kt

@@ -297,6 +297,7 @@ fun RootNavScreen(
                 navController.navigateToVerifyPassword(
                     userId = currentState.userId,
                     navOptions = rootNavOptions,
+                    hasOtherAccounts = false,
                 )
             }
         }

app/src/main/kotlin/com/x8bit/bitwarden/ui/platform/feature/rootnav/RootNavViewModel.kt

@@ -89,9 +89,10 @@ class RootNavViewModel @Inject constructor(
             }
 
             specialCircumstance is SpecialCircumstance.CredentialExchangeExport -> {
-                if (userState.accounts.size == 1) {
+                val exportableAccounts = userState.accounts.filter { it.isExportable }
+                if (exportableAccounts.size == 1) {
                     RootNavState.CredentialExchangeExportSkipAccountSelection(
-                        userId = userState.accounts.first().userId,
+                        userId = exportableAccounts.first().userId,
                     )
                 } else {
                     RootNavState.CredentialExchangeExport

app/src/main/kotlin/com/x8bit/bitwarden/ui/vault/feature/exportitems/ExportItemsNavigation.kt

@@ -40,8 +40,11 @@ fun NavGraphBuilder.exportItemsGraph(
         startDestination = SelectAccountRoute,
     ) {
         selectAccountDestination(
-            onAccountSelected = {
-                navController.navigateToVerifyPassword(userId = it)
+            onAccountSelected = { userId, hasOtherAccounts ->
+                navController.navigateToVerifyPassword(
+                    userId = userId,
+                    hasOtherAccounts = hasOtherAccounts,
+                )
             },
         )
         verifyPasswordDestination(