[PM-29555] Add self-revoke endpoint for declining organization data ownership policy (#6739)

* Add OrganizationUser_SelfRevoked event type to EventType enum * Add SelfRevokeOrganizationUserCommand implementation and interface for user self-revocation from organizations * Add unit tests for SelfRevokeOrganizationUserCommand to validate user self-revocation logic, including success scenarios and various failure conditions. * Add ISelfRevokeOrganizationUserCommand registration to OrganizationServiceCollectionExtensions for user self-revocation functionality * Add self-revoke user functionality to OrganizationUsersController with new endpoint for user-initiated revocation * Add integration tests for self-revoke functionality in OrganizationUsersController, covering scenarios for eligible users, non-members, and users with owner/admin roles. * Add unit test for SelfRevokeOrganizationUserCommand to validate behavior when a user attempts to self-revoke without confirmation. This test checks for a BadRequestException with an appropriate message. * Add MemberRequirement class for organization membership authorization - Implemented MemberRequirement to check if a user is a member of the organization. - Added unit tests for MemberRequirement to validate authorization logic for different user types. * Update authorization requirement for self-revoke endpoint and add integration test for provider users - Changed authorization attribute from MemberOrProviderRequirement to MemberRequirement in the RevokeSelfAsync method. - Added a new integration test to verify that provider users who are not members receive a forbidden response when attempting to revoke themselves. * Add EligibleForSelfRevoke method to OrganizationDataOwnershipPolicyRequirement - Implemented the EligibleForSelfRevoke method to determine if a user can self-revoke their data ownership based on their membership status and policy state. - Added unit tests to validate the eligibility logic for confirmed, invited, and non-policy users, as well as for different organization IDs. * Refactor self-revoke user command to enhance eligibility checks - Updated the SelfRevokeOrganizationUserCommand to utilize policy requirements for determining user eligibility for self-revocation. - Implemented checks to prevent the last owner from revoking themselves, ensuring organizational integrity. - Modified unit tests to reflect changes in eligibility logic and added scenarios for confirmed owners and admins. - Removed deprecated policy checks and streamlined the command's dependencies. * Use CommandResult pattern in self-revoke command * Clearer documentation
2026-01-11 19:57:01 +00:00 · 2026-01-06 11:25:14 +00:00 · 2026-01-06 11:25:14 +00:00 · 1b17d99bfd
commit 1b17d99bfd
parent 35868c2a65
12 changed files with 660 additions and 1 deletions
--- a/src/Api/AdminConsole/Authorization/Requirements/MemberRequirement.cs
+++ b/src/Api/AdminConsole/Authorization/Requirements/MemberRequirement.cs
@ -0,0 +1,14 @@
+using Bit.Core.Context;
+
+namespace Bit.Api.AdminConsole.Authorization.Requirements;
+
+/// <summary>
+/// Requires that the user is a member of the organization.
+/// </summary>
+public class MemberRequirement : IOrganizationRequirement
+{
+    public Task<bool> AuthorizeAsync(
+        CurrentContextOrganization? organizationClaims,
+        Func<Task<bool>> isProviderUserForOrg)
+        => Task.FromResult(organizationClaims is not null);
+}
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -19,6 +19,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimed
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
@ -81,6 +82,7 @@ public class OrganizationUsersController : BaseAdminConsoleController
    private readonly IInitPendingOrganizationCommand _initPendingOrganizationCommand;
    private readonly V1_RevokeOrganizationUserCommand _revokeOrganizationUserCommand;
    private readonly IAdminRecoverAccountCommand _adminRecoverAccountCommand;
+    private readonly ISelfRevokeOrganizationUserCommand _selfRevokeOrganizationUserCommand;

    public OrganizationUsersController(IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
@ -112,7 +114,8 @@ public class OrganizationUsersController : BaseAdminConsoleController
        IBulkResendOrganizationInvitesCommand bulkResendOrganizationInvitesCommand,
        IAdminRecoverAccountCommand adminRecoverAccountCommand,
        IAutomaticallyConfirmOrganizationUserCommand automaticallyConfirmOrganizationUserCommand,
-        V2_RevokeOrganizationUserCommand.IRevokeOrganizationUserCommand revokeOrganizationUserCommandVNext)
+        V2_RevokeOrganizationUserCommand.IRevokeOrganizationUserCommand revokeOrganizationUserCommandVNext,
+        ISelfRevokeOrganizationUserCommand selfRevokeOrganizationUserCommand)
    {
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
@ -145,6 +148,7 @@ public class OrganizationUsersController : BaseAdminConsoleController
        _initPendingOrganizationCommand = initPendingOrganizationCommand;
        _revokeOrganizationUserCommand = revokeOrganizationUserCommand;
        _adminRecoverAccountCommand = adminRecoverAccountCommand;
+        _selfRevokeOrganizationUserCommand = selfRevokeOrganizationUserCommand;
    }

    [HttpGet("{id}")]
@ -635,6 +639,20 @@ public class OrganizationUsersController : BaseAdminConsoleController
        await RestoreOrRevokeUserAsync(orgId, id, _revokeOrganizationUserCommand.RevokeUserAsync);
    }

+    [HttpPut("revoke-self")]
+    [Authorize<MemberRequirement>]
+    public async Task<IResult> RevokeSelfAsync(Guid orgId)
+    {
+        var userId = _userService.GetProperUserId(User);
+        if (!userId.HasValue)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var result = await _selfRevokeOrganizationUserCommand.SelfRevokeUserAsync(orgId, userId.Value);
+        return Handle(result);
+    }
+
    [HttpPatch("{id}/revoke")]
    [Obsolete("This endpoint is deprecated. Use PUT method instead")]
    [Authorize<ManageUsersRequirement>]
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/Errors.cs
@ -0,0 +1,7 @@
+using Bit.Core.AdminConsole.Utilities.v2;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+
+public record OrganizationUserNotFound() : NotFoundError("Organization user not found.");
+public record NotEligibleForSelfRevoke() : BadRequestError("User is not eligible for self-revocation. The organization data ownership policy must be enabled and the user must be a confirmed member.");
+public record LastOwnerCannotSelfRevoke() : BadRequestError("The last owner cannot revoke themselves.");
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/ISelfRevokeOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/ISelfRevokeOrganizationUserCommand.cs
@ -0,0 +1,22 @@
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+
+/// <summary>
+/// Allows users to revoke themselves from an organization when declining to migrate personal items
+/// under the OrganizationDataOwnership policy.
+/// </summary>
+public interface ISelfRevokeOrganizationUserCommand
+{
+    /// <summary>
+    /// Revokes a user from an organization.
+    /// </summary>
+    /// <param name="organizationId">The organization ID.</param>
+    /// <param name="userId">The user ID to revoke.</param>
+    /// <returns>A <see cref="CommandResult"/> indicating success or containing an error.</returns>
+    /// <remarks>
+    /// Validates the OrganizationDataOwnership policy is enabled and applies to the user (currently Owners/Admins are exempt),
+    /// the user is a confirmed member, and prevents the last owner from revoking themselves.
+    /// </remarks>
+    Task<CommandResult> SelfRevokeUserAsync(Guid organizationId, Guid userId);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/SelfRevokeOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/SelfRevokeOrganizationUserCommand.cs
@ -0,0 +1,56 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+using Bit.Core.Enums;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using OneOf.Types;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+
+public class SelfRevokeOrganizationUserCommand(
+    IOrganizationUserRepository organizationUserRepository,
+    IPolicyRequirementQuery policyRequirementQuery,
+    IHasConfirmedOwnersExceptQuery hasConfirmedOwnersExceptQuery,
+    IEventService eventService,
+    IPushNotificationService pushNotificationService)
+    : ISelfRevokeOrganizationUserCommand
+{
+    public async Task<CommandResult> SelfRevokeUserAsync(Guid organizationId, Guid userId)
+    {
+        var organizationUser = await organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
+        if (organizationUser == null)
+        {
+            return new OrganizationUserNotFound();
+        }
+
+        var policyRequirement = await policyRequirementQuery.GetAsync<OrganizationDataOwnershipPolicyRequirement>(userId);
+
+        if (!policyRequirement.EligibleForSelfRevoke(organizationId))
+        {
+            return new NotEligibleForSelfRevoke();
+        }
+
+        // Prevent the last owner from revoking themselves, which would brick the organization
+        if (organizationUser.Type == OrganizationUserType.Owner)
+        {
+            var hasOtherOwner = await hasConfirmedOwnersExceptQuery.HasConfirmedOwnersExceptAsync(
+                organizationId,
+                [organizationUser.Id],
+                includeProvider: true);
+
+            if (!hasOtherOwner)
+            {
+                return new LastOwnerCannotSelfRevoke();
+            }
+        }
+
+        await organizationUserRepository.RevokeAsync(organizationUser.Id);
+        await eventService.LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_SelfRevoked);
+        await pushNotificationService.PushSyncOrgKeysAsync(organizationUser.UserId!.Value);
+
+        return new None();
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/OrganizationDataOwnershipPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/OrganizationDataOwnershipPolicyRequirement.cs
@ -83,6 +83,24 @@ public class OrganizationDataOwnershipPolicyRequirement : IPolicyRequirement
        return _policyDetails.Any(p => p.OrganizationId == organizationId &&
                                       p.OrganizationUserStatus == OrganizationUserStatusType.Confirmed);
    }
+
+    /// <summary>
+    /// Determines if a user is eligible for self-revocation under the Organization Data Ownership policy.
+    /// A user is eligible if they are a confirmed member of the organization and the policy is enabled.
+    /// This also handles exempt roles (Owner/Admin) and policy disabled state via the factory's Enforce predicate.
+    /// </summary>
+    /// <param name="organizationId">The organization ID to check.</param>
+    /// <returns>True if the user is eligible for self-revocation (policy applies to them), false otherwise.</returns>
+    /// <remarks>
+    /// Self-revoke is used to opt out of migrating the user's personal vault to the organization as required by this policy.
+    /// </remarks>
+    public bool EligibleForSelfRevoke(Guid organizationId)
+    {
+        var policyDetail = _policyDetails
+            .FirstOrDefault(p => p.OrganizationId == organizationId);
+
+        return policyDetail?.HasStatus([OrganizationUserStatusType.Confirmed]) ?? false;
+    }
 }

 public record DefaultCollectionRequest(Guid OrganizationUserId, bool ShouldCreateDefaultCollection)
--- a/src/Core/Dirt/Enums/EventType.cs
+++ b/src/Core/Dirt/Enums/EventType.cs
@ -61,6 +61,7 @@ public enum EventType : int
    OrganizationUser_Deleted = 1515, // Both user and organization user data were deleted
    OrganizationUser_Left = 1516,    // User voluntarily left the organization
    OrganizationUser_AutomaticallyConfirmed = 1517,
+    OrganizationUser_SelfRevoked = 1518, // User self-revoked due to declining organization data ownership policy

    Organization_Updated = 1600,
    Organization_PurgedVault = 1601,
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@ -24,6 +24,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.V
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.Organization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation.PasswordManager;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
 using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.OrganizationFeatures.OrganizationCollections;
 using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
@ -150,6 +151,8 @@ public static class OrganizationServiceCollectionExtensions

        services.AddScoped<V2_RevokeUsersCommand.IRevokeOrganizationUserCommand, V2_RevokeUsersCommand.RevokeOrganizationUserCommand>();
        services.AddScoped<V2_RevokeUsersCommand.IRevokeOrganizationUserValidator, V2_RevokeUsersCommand.RevokeOrganizationUsersValidator>();
+
+        services.AddScoped<ISelfRevokeOrganizationUserCommand, SelfRevokeOrganizationUserCommand>();
    }

    private static void AddOrganizationApiKeyCommandsQueries(this IServiceCollection services)
--- a/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerSelfRevokeTests.cs
+++ b/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerSelfRevokeTests.cs
@ -0,0 +1,171 @@
+using System.Net;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
+
+public class OrganizationUsersControllerSelfRevokeTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly LoginHelper _loginHelper;
+
+    private string _ownerEmail = null!;
+
+    public OrganizationUsersControllerSelfRevokeTests(ApiApplicationFactory apiFactory)
+    {
+        _factory = apiFactory;
+        _client = _factory.CreateClient();
+        _loginHelper = new LoginHelper(_factory, _client);
+    }
+
+    public async Task InitializeAsync()
+    {
+        _ownerEmail = $"{Guid.NewGuid()}@example.com";
+        await _factory.LoginWithNewAccount(_ownerEmail);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+
+    [Fact]
+    public async Task SelfRevoke_WhenPolicyEnabledAndUserIsEligible_ReturnsOk()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
+
+        var policy = new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.OrganizationDataOwnership,
+            Enabled = true,
+            Data = null
+        };
+        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
+
+        var (userEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(
+            _factory,
+            organization.Id,
+            OrganizationUserType.User);
+        await _loginHelper.LoginAsync(userEmail);
+
+        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
+
+        Assert.Equal(HttpStatusCode.NoContent, result.StatusCode);
+
+        var organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
+        var organizationUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(organization.Id);
+        var revokedUser = organizationUsers.FirstOrDefault(u => u.Email == userEmail);
+
+        Assert.NotNull(revokedUser);
+        Assert.Equal(OrganizationUserStatusType.Revoked, revokedUser.Status);
+    }
+
+    [Fact]
+    public async Task SelfRevoke_WhenUserNotMemberOfOrganization_ReturnsForbidden()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
+
+        var policy = new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.OrganizationDataOwnership,
+            Enabled = true,
+            Data = null
+        };
+        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
+
+        var nonMemberEmail = $"{Guid.NewGuid()}@example.com";
+        await _factory.LoginWithNewAccount(nonMemberEmail);
+        await _loginHelper.LoginAsync(nonMemberEmail);
+
+        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
+
+        Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(OrganizationUserType.Owner)]
+    [InlineData(OrganizationUserType.Admin)]
+    public async Task SelfRevoke_WhenUserIsOwnerOrAdmin_ReturnsBadRequest(OrganizationUserType userType)
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
+
+        var policy = new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.OrganizationDataOwnership,
+            Enabled = true,
+            Data = null
+        };
+        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
+
+        string userEmail;
+        if (userType == OrganizationUserType.Owner)
+        {
+            userEmail = _ownerEmail;
+        }
+        else
+        {
+            (userEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(
+                _factory,
+                organization.Id,
+                userType);
+        }
+
+        await _loginHelper.LoginAsync(userEmail);
+
+        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
+
+        Assert.Equal(HttpStatusCode.BadRequest, result.StatusCode);
+    }
+
+    [Fact]
+    public async Task SelfRevoke_WhenUserIsProviderButNotMember_ReturnsForbidden()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
+
+        var policy = new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.OrganizationDataOwnership,
+            Enabled = true,
+            Data = null
+        };
+        await _factory.GetService<IPolicyRepository>().CreateAsync(policy);
+
+        var provider = await ProviderTestHelpers.CreateProviderAndLinkToOrganizationAsync(
+            _factory,
+            organization.Id,
+            ProviderType.Msp,
+            ProviderStatusType.Billable);
+
+        var providerUserEmail = $"{Guid.NewGuid()}@example.com";
+        await _factory.LoginWithNewAccount(providerUserEmail);
+        await ProviderTestHelpers.CreateProviderUserAsync(
+            _factory,
+            provider.Id,
+            providerUserEmail,
+            ProviderUserType.ProviderAdmin);
+
+        await _loginHelper.LoginAsync(providerUserEmail);
+
+        var result = await _client.PutAsync($"organizations/{organization.Id}/users/revoke-self", null);
+
+        Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
+    }
+}
--- a/test/Api.Test/AdminConsole/Authorization/Requirements/MemberRequirementTests.cs
+++ b/test/Api.Test/AdminConsole/Authorization/Requirements/MemberRequirementTests.cs
@ -0,0 +1,49 @@
+using Bit.Api.AdminConsole.Authorization.Requirements;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Api.Test.AdminConsole.Authorization.Requirements;
+
+[SutProviderCustomize]
+public class MemberRequirementTests
+{
+    [Theory]
+    [CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task AuthorizeAsync_WhenUserIsOrganizationMember_ThenRequestShouldBeAuthorized(
+        OrganizationUserType type,
+        CurrentContextOrganization organization,
+        SutProvider<MemberRequirement> sutProvider)
+    {
+        organization.Type = type;
+
+        var actual = await sutProvider.Sut.AuthorizeAsync(organization, () => Task.FromResult(false));
+
+        Assert.True(actual);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AuthorizeAsync_WhenUserIsNotOrganizationMember_ThenRequestShouldBeDenied(
+        SutProvider<MemberRequirement> sutProvider)
+    {
+        var actual = await sutProvider.Sut.AuthorizeAsync(null, () => Task.FromResult(false));
+
+        Assert.False(actual);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AuthorizeAsync_WhenUserIsProviderButNotMember_ThenRequestShouldBeDenied(
+        SutProvider<MemberRequirement> sutProvider)
+    {
+        var actual = await sutProvider.Sut.AuthorizeAsync(null, () => Task.FromResult(true));
+
+        Assert.False(actual);
+    }
+}
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/SelfRevokeOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/SelfRevokeUser/SelfRevokeOrganizationUserCommandTests.cs
@ -0,0 +1,233 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
+
+[SutProviderCustomize]
+public class SelfRevokeOrganizationUserCommandTests
+{
+    [Theory]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task SelfRevokeUser_Success(
+        OrganizationUserType userType,
+        Guid organizationId,
+        Guid userId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed)] OrganizationUser organizationUser,
+        SutProvider<SelfRevokeOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organizationUser.Type = userType;
+        organizationUser.OrganizationId = organizationId;
+        organizationUser.UserId = userId;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationId, userId)
+            .Returns(organizationUser);
+
+        // Create policy requirement with confirmed user
+        var policyDetails = new List<PolicyDetails>
+        {
+            new()
+            {
+                OrganizationId = organizationId,
+                OrganizationUserId = organizationUser.Id,
+                OrganizationUserStatus = OrganizationUserStatusType.Confirmed,
+                OrganizationUserType = userType,
+                PolicyType = PolicyType.OrganizationDataOwnership
+            }
+        };
+        var policyRequirement = new OrganizationDataOwnershipPolicyRequirement(
+            OrganizationDataOwnershipState.Enabled,
+            policyDetails);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<OrganizationDataOwnershipPolicyRequirement>(userId)
+            .Returns(policyRequirement);
+
+        // Act
+        var result = await sutProvider.Sut.SelfRevokeUserAsync(organizationId, userId);
+
+        // Assert
+        Assert.True(result.IsSuccess);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeAsync(organizationUser.Id);
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_SelfRevoked);
+
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(userId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SelfRevokeUser_WhenUserNotFound_ReturnsNotFoundError(
+        Guid organizationId,
+        Guid userId,
+        SutProvider<SelfRevokeOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationId, userId)
+            .Returns((OrganizationUser)null);
+
+        // Act
+        var result = await sutProvider.Sut.SelfRevokeUserAsync(organizationId, userId);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<OrganizationUserNotFound>(result.AsError);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SelfRevokeUser_WhenNotEligible_ReturnsBadRequestError(
+        Guid organizationId,
+        Guid userId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.User)] OrganizationUser organizationUser,
+        SutProvider<SelfRevokeOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organizationUser.OrganizationId = organizationId;
+        organizationUser.UserId = userId;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationId, userId)
+            .Returns(organizationUser);
+
+        // Policy requirement with no policies (disabled)
+        var policyRequirement = new OrganizationDataOwnershipPolicyRequirement(
+            OrganizationDataOwnershipState.Disabled,
+            Enumerable.Empty<PolicyDetails>());
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<OrganizationDataOwnershipPolicyRequirement>(userId)
+            .Returns(policyRequirement);
+
+        // Act
+        var result = await sutProvider.Sut.SelfRevokeUserAsync(organizationId, userId);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<NotEligibleForSelfRevoke>(result.AsError);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SelfRevokeUser_WhenLastOwner_ReturnsBadRequestError(
+        Guid organizationId,
+        Guid userId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser organizationUser,
+        SutProvider<SelfRevokeOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organizationUser.OrganizationId = organizationId;
+        organizationUser.UserId = userId;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationId, userId)
+            .Returns(organizationUser);
+
+        // Create policy requirement with confirmed owner
+        var policyDetails = new List<PolicyDetails>
+        {
+            new()
+            {
+                OrganizationId = organizationId,
+                OrganizationUserId = organizationUser.Id,
+                OrganizationUserStatus = OrganizationUserStatusType.Confirmed,
+                OrganizationUserType = OrganizationUserType.Owner,
+                PolicyType = PolicyType.OrganizationDataOwnership
+            }
+        };
+        var policyRequirement = new OrganizationDataOwnershipPolicyRequirement(
+            OrganizationDataOwnershipState.Enabled,
+            policyDetails);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<OrganizationDataOwnershipPolicyRequirement>(userId)
+            .Returns(policyRequirement);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>(), true)
+            .Returns(false);
+
+        // Act
+        var result = await sutProvider.Sut.SelfRevokeUserAsync(organizationId, userId);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<LastOwnerCannotSelfRevoke>(result.AsError);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SelfRevokeUser_WhenOwnerButNotLastOwner_Success(
+        Guid organizationId,
+        Guid userId,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Owner)] OrganizationUser organizationUser,
+        SutProvider<SelfRevokeOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organizationUser.OrganizationId = organizationId;
+        organizationUser.UserId = userId;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organizationId, userId)
+            .Returns(organizationUser);
+
+        // Create policy requirement with confirmed owner
+        var policyDetails = new List<PolicyDetails>
+        {
+            new()
+            {
+                OrganizationId = organizationId,
+                OrganizationUserId = organizationUser.Id,
+                OrganizationUserStatus = OrganizationUserStatusType.Confirmed,
+                OrganizationUserType = OrganizationUserType.Owner,
+                PolicyType = PolicyType.OrganizationDataOwnership
+            }
+        };
+        var policyRequirement = new OrganizationDataOwnershipPolicyRequirement(
+            OrganizationDataOwnershipState.Enabled,
+            policyDetails);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<OrganizationDataOwnershipPolicyRequirement>(userId)
+            .Returns(policyRequirement);
+
+        sutProvider.GetDependency<IHasConfirmedOwnersExceptQuery>()
+            .HasConfirmedOwnersExceptAsync(organizationId, Arg.Any<IEnumerable<Guid>>(), true)
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.SelfRevokeUserAsync(organizationId, userId);
+
+        // Assert
+        Assert.True(result.IsSuccess);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .RevokeAsync(organizationUser.Id);
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(organizationUser, EventType.OrganizationUser_SelfRevoked);
+    }
+}
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/OrganizationDataOwnershipPolicyRequirementFactoryTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/OrganizationDataOwnershipPolicyRequirementFactoryTests.cs
@ -36,6 +36,73 @@ public class OrganizationDataOwnershipPolicyRequirementFactoryTests
        Assert.Equal(PolicyType.OrganizationDataOwnership, sutProvider.Sut.PolicyType);
    }

+    [Theory, BitAutoData]
+    public void EligibleForSelfRevoke_WithConfirmedUser_ReturnsTrue(
+        Guid organizationId,
+        [PolicyDetails(PolicyType.OrganizationDataOwnership, userStatus: OrganizationUserStatusType.Confirmed)] PolicyDetails[] policies,
+        SutProvider<OrganizationDataOwnershipPolicyRequirementFactory> sutProvider)
+    {
+        // Arrange
+        policies[0].OrganizationId = organizationId;
+        var requirement = sutProvider.Sut.Create(policies);
+
+        // Act
+        var result = requirement.EligibleForSelfRevoke(organizationId);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public void EligibleForSelfRevoke_WithInvitedUser_ReturnsFalse(
+        Guid organizationId,
+        [PolicyDetails(PolicyType.OrganizationDataOwnership, userStatus: OrganizationUserStatusType.Invited)] PolicyDetails[] policies,
+        SutProvider<OrganizationDataOwnershipPolicyRequirementFactory> sutProvider)
+    {
+        // Arrange
+        policies[0].OrganizationId = organizationId;
+        var requirement = sutProvider.Sut.Create(policies);
+
+        // Act
+        var result = requirement.EligibleForSelfRevoke(organizationId);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public void EligibleForSelfRevoke_WithNoPolicies_ReturnsFalse(
+        Guid organizationId,
+        SutProvider<OrganizationDataOwnershipPolicyRequirementFactory> sutProvider)
+    {
+        // Arrange
+        var requirement = sutProvider.Sut.Create([]);
+
+        // Act
+        var result = requirement.EligibleForSelfRevoke(organizationId);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public void EligibleForSelfRevoke_WithDifferentOrganization_ReturnsFalse(
+        Guid organizationId,
+        Guid differentOrganizationId,
+        [PolicyDetails(PolicyType.OrganizationDataOwnership, userStatus: OrganizationUserStatusType.Confirmed)] PolicyDetails[] policies,
+        SutProvider<OrganizationDataOwnershipPolicyRequirementFactory> sutProvider)
+    {
+        // Arrange
+        policies[0].OrganizationId = differentOrganizationId;
+        var requirement = sutProvider.Sut.Create(policies);
+
+        // Act
+        var result = requirement.EligibleForSelfRevoke(organizationId);
+
+        // Assert
+        Assert.False(result);
+    }
+
    [Theory, BitAutoData]
    public void GetDefaultCollectionRequestOnPolicyEnable_WithConfirmedUser_ReturnsTrue(
    [PolicyDetails(PolicyType.OrganizationDataOwnership, userStatus: OrganizationUserStatusType.Confirmed)] PolicyDetails[] policies,