[PM 34174]Do not show renewal reminder banners to exempt organizations

[cyprain-okeke]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34174

📔 Objective

Suppress billing renewal reminder banners and subscription status callouts for organizations that are exempt from billing
automation.

Reseller-managed organizations marked as exempt (exemptFromBillingAutomation = true) should not see renewal cycle notifications or
warning callouts related to past due, unpaid, pending cancellation, or canceled subscription statuses.

Changes

• Added exemptFromBillingAutomation field to the organization model pipeline (ProfileOrganizationResponse → OrganizationData →
  Organization)
• Gated getResellerRenewalWarning$() in OrganizationWarningsService to return null for exempt organizations, skipping the API call
  entirely
• Added exempt input to SubscriptionStatusComponent to suppress warning callouts (past_due, unpaid, pending_cancellation, canceled)
  while preserving status and date display
• Passed userOrg.exemptFromBillingAutomation to the SubscriptionStatusComponent from the cloud subscription template

Screenshots & Testing
Testing

• Verified exempt organizations do not see reseller renewal banners
• Verified exempt organizations do not see subscription status callouts
• Verified non-exempt organizations continue to see all warnings as before
• Unit tests added for both OrganizationWarningsService and SubscriptionStatusComponent

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 1e9c3966-f606-4847-a10f-9162689760d6

---

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
2		CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.84%. Comparing base (dd19dd8) to head (2e9beb7).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7483   +/-   ##
=======================================
  Coverage   59.83%   59.84%           
=======================================
  Files        2103     2103           
  Lines       92788    92794    +6     
  Branches     8266     8268    +2     
=======================================
+ Hits        55523    55529    +6     
  Misses      35295    35295           
  Partials     1970     1970           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[amorask-bitwarden]

I understand this has already gone through QA, but I'm curious as to why we didn't just check that column value in the GetOrganizationWarningsQuery? That would have prevented at least 9 file changes and a SQL migration done as part of this PR. Additionally, it would likely prevent the need for the clients PR entirely because the warning would never make it to the organization-warnings.service in the first place.

[amorask-bitwarden]

Sorry, meant to put a block on this prior. I would like you to look into the simplicity gain we'd get from just seeing if we can drop the warning at the GetOrganizationWarningsQuery level. If that works and it doesn't surfaces the warning and allows us to drop the clients PR entirely, that's the route we should go to avoid adding unnecessary complexity.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[amorask-bitwarden]

Looks great - thank you for making the change.