feat(auth-validator): [Auth/PM-22975] Client Version Validator (#6588)

* feat(auth-validator): [PM-22975] Client Version Validator - Implementation. * test(auth-validator): [PM-22975] Client Version Validator - Added tests.
2026-02-25 17:03:22 +00:00 · 2026-02-23 10:00:10 -05:00
parent b5554c6030
commit 3dbd17f61d
27 changed files with 732 additions and 83 deletions
--- a/src/Core/KeyManagement/Constants.cs
+++ b/src/Core/KeyManagement/Constants.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.KeyManagement;
+
+public static class Constants
+{
+    public static readonly Version MinimumClientVersionForV2Encryption = new("2025.11.0");
+}
--- a/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountKeysCommand.cs
+++ b/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountKeysCommand.cs
@@ -6,6 +6,7 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.Repositories;
+using Bit.Core.KeyManagement.Utilities;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -159,7 +160,7 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
        }
        else
        {
-            if (GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.AesCbc256_HmacSha256_B64)
+            if (EncryptionParsing.GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.AesCbc256_HmacSha256_B64)
            {
                throw new InvalidOperationException("The provided account private key was not wrapped with AES-256-CBC-HMAC");
            }
@@ -231,7 +232,7 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
    {
        // Returns whether the user is a V2 user based on the private key's encryption type.
        ArgumentNullException.ThrowIfNull(user);
-        var isPrivateKeyEncryptionV2 = GetEncryptionType(user.PrivateKey) == EncryptionType.XChaCha20Poly1305_B64;
+        var isPrivateKeyEncryptionV2 = EncryptionParsing.GetEncryptionType(user.PrivateKey) == EncryptionType.XChaCha20Poly1305_B64;
        return isPrivateKeyEncryptionV2;
    }

@@ -259,7 +260,7 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
        {
            throw new InvalidOperationException("Signature key pair data is required for V2 encryption.");
        }
-        if (GetEncryptionType(model.AccountKeys.SignatureKeyPairData.WrappedSigningKey) != EncryptionType.XChaCha20Poly1305_B64)
+        if (EncryptionParsing.GetEncryptionType(model.AccountKeys.SignatureKeyPairData.WrappedSigningKey) != EncryptionType.XChaCha20Poly1305_B64)
        {
            throw new InvalidOperationException("The provided signing key data is not wrapped with XChaCha20-Poly1305.");
        }
@@ -268,7 +269,7 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
            throw new InvalidOperationException("The provided signature key pair data does not contain a valid verifying key.");
        }

-        if (GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.XChaCha20Poly1305_B64)
+        if (EncryptionParsing.GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.XChaCha20Poly1305_B64)
        {
            throw new InvalidOperationException("The provided private key encryption key is not wrapped with XChaCha20-Poly1305.");
        }
@@ -281,24 +282,4 @@ public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
            throw new InvalidOperationException("No signed security state provider for V2 user");
        }
    }
-
-    /// <summary>
-    /// Helper method to convert an encryption type string to an enum value.
-    /// </summary>
-    private static EncryptionType GetEncryptionType(string encString)
-    {
-        var parts = encString.Split('.');
-        if (parts.Length == 1)
-        {
-            throw new ArgumentException("Invalid encryption type string.");
-        }
-        if (byte.TryParse(parts[0], out var encryptionTypeNumber))
-        {
-            if (Enum.IsDefined(typeof(EncryptionType), encryptionTypeNumber))
-            {
-                return (EncryptionType)encryptionTypeNumber;
-            }
-        }
-        throw new ArgumentException("Invalid encryption type string.");
-    }
 }
--- a/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
+++ b/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
@@ -0,0 +1,28 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.KeyManagement.Utilities;
+
+public static class EncryptionParsing
+{
+    /// <summary>
+    /// Helper method to convert an encryption type string to an enum value.
+    /// </summary>
+    public static EncryptionType GetEncryptionType(string? encString)
+    {
+        ArgumentNullException.ThrowIfNull(encString);
+
+        var parts = encString.Split('.');
+        if (parts.Length == 1)
+        {
+            throw new ArgumentException("Invalid encryption type string.");
+        }
+        if (byte.TryParse(parts[0], out var encryptionTypeNumber))
+        {
+            if (Enum.IsDefined(typeof(EncryptionType), encryptionTypeNumber))
+            {
+                return (EncryptionType)encryptionTypeNumber;
+            }
+        }
+        throw new ArgumentException("Invalid encryption type string.");
+    }
+}