[PM-16603] Add userkey rotation v2 (#5204)

* Implement userkey rotation v2 * Update request models * Cleanup * Update tests * Improve test * Add tests * Fix formatting * Fix test * Remove whitespace * Fix namespace * Enable nullable on models * Fix build * Add tests and enable nullable on masterpasswordunlockdatamodel * Fix test * Remove rollback * Add tests * Make masterpassword hint optional * Update user query * Add EF test * Improve test * Cleanup * Set masterpassword hint * Remove connection close * Add tests for invalid kdf types * Update test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Fix formatting * Update src/Api/KeyManagement/Models/Requests/RotateAccountKeysAndDataRequestModel.cs Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataModel.cs Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update src/Api/KeyManagement/Models/Requests/AccountKeysRequestModel.cs Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Fix imports * Fix tests * Remove null check * Add rollback --------- Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
2025-12-27 21:53:24 +00:00 · 2025-03-25 15:23:01 +01:00
parent 229aecb55c
commit 55980e8038
22 changed files with 906 additions and 9 deletions
--- a/src/Core/KeyManagement/Models/Data/MasterPasswordUnlockData.cs
+++ b/src/Core/KeyManagement/Models/Data/MasterPasswordUnlockData.cs
@@ -0,0 +1,34 @@
+#nullable enable
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+
+namespace Bit.Core.KeyManagement.Models.Data;
+
+public class MasterPasswordUnlockData
+{
+    public KdfType KdfType { get; set; }
+    public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
+
+    public required string Email { get; set; }
+    public required string MasterKeyAuthenticationHash { get; set; }
+    public required string MasterKeyEncryptedUserKey { get; set; }
+    public string? MasterPasswordHint { get; set; }
+
+    public bool ValidateForUser(User user)
+    {
+        if (KdfType != user.Kdf || KdfMemory != user.KdfMemory || KdfParallelism != user.KdfParallelism || KdfIterations != user.KdfIterations)
+        {
+            return false;
+        }
+        else if (Email != user.Email)
+        {
+            return false;
+        }
+        else
+        {
+            return true;
+        }
+    }
+}
--- a/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
+++ b/src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs
@@ -0,0 +1,28 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.Tools.Entities;
+using Bit.Core.Vault.Entities;
+
+namespace Bit.Core.KeyManagement.Models.Data;
+
+public class RotateUserAccountKeysData
+{
+    // Authentication for this requests
+    public string OldMasterKeyAuthenticationHash { get; set; }
+
+    // Other keys encrypted by the userkey
+    public string UserKeyEncryptedAccountPrivateKey { get; set; }
+    public string AccountPublicKey { get; set; }
+
+    // All methods to get to the userkey
+    public MasterPasswordUnlockData MasterPasswordUnlockData { get; set; }
+    public IEnumerable<EmergencyAccess> EmergencyAccesses { get; set; }
+    public IReadOnlyList<OrganizationUser> OrganizationUsers { get; set; }
+    public IEnumerable<WebAuthnLoginRotateKeyData> WebAuthnKeys { get; set; }
+
+    // User vault data encrypted by the userkey
+    public IEnumerable<Cipher> Ciphers { get; set; }
+    public IEnumerable<Folder> Folders { get; set; }
+    public IReadOnlyList<Send> Sends { get; set; }
+}
--- a/src/Core/KeyManagement/UserKey/IRotateUserAccountKeysCommand.cs
+++ b/src/Core/KeyManagement/UserKey/IRotateUserAccountKeysCommand.cs
@@ -0,0 +1,20 @@
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+using Microsoft.AspNetCore.Identity;
+
+namespace Bit.Core.KeyManagement.UserKey;
+
+/// <summary>
+/// Responsible for rotation of a user key and updating database with re-encrypted data
+/// </summary>
+public interface IRotateUserAccountKeysCommand
+{
+    /// <summary>
+    /// Sets a new user key and updates all encrypted data.
+    /// </summary>
+    /// <param name="model">All necessary information for rotation. If data is not included, this will lead to the change being rejected.</param>
+    /// <returns>An IdentityResult for verification of the master password hash</returns>
+    /// <exception cref="ArgumentNullException">User must be provided.</exception>
+    /// <exception cref="InvalidOperationException">User KDF settings and email must match the model provided settings.</exception>
+    Task<IdentityResult> RotateUserAccountKeysAsync(User user, RotateUserAccountKeysData model);
+}
--- a/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
+++ b/src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs
@@ -0,0 +1,134 @@
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Tools.Repositories;
+using Bit.Core.Vault.Repositories;
+using Microsoft.AspNetCore.Identity;
+
+namespace Bit.Core.KeyManagement.UserKey.Implementations;
+
+/// <inheritdoc />
+public class RotateUserAccountKeysCommand : IRotateUserAccountKeysCommand
+{
+    private readonly IUserService _userService;
+    private readonly IUserRepository _userRepository;
+    private readonly ICipherRepository _cipherRepository;
+    private readonly IFolderRepository _folderRepository;
+    private readonly ISendRepository _sendRepository;
+    private readonly IEmergencyAccessRepository _emergencyAccessRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IPushNotificationService _pushService;
+    private readonly IdentityErrorDescriber _identityErrorDescriber;
+    private readonly IWebAuthnCredentialRepository _credentialRepository;
+    private readonly IPasswordHasher<User> _passwordHasher;
+
+    /// <summary>
+    /// Instantiates a new <see cref="RotateUserAccountKeysCommand"/>
+    /// </summary>
+    /// <param name="userService">Master password hash validation</param>
+    /// <param name="userRepository">Updates user keys and re-encrypted data if needed</param>
+    /// <param name="cipherRepository">Provides a method to update re-encrypted cipher data</param>
+    /// <param name="folderRepository">Provides a method to update re-encrypted folder data</param>
+    /// <param name="sendRepository">Provides a method to update re-encrypted send data</param>
+    /// <param name="emergencyAccessRepository">Provides a method to update re-encrypted emergency access data</param>
+    /// <param name="organizationUserRepository">Provides a method to update re-encrypted organization user data</param>
+    /// <param name="passwordHasher">Hashes the new master password</param>
+    /// <param name="pushService">Logs out user from other devices after successful rotation</param>
+    /// <param name="errors">Provides a password mismatch error if master password hash validation fails</param>
+    /// <param name="credentialRepository">Provides a method to update re-encrypted WebAuthn keys</param>
+    public RotateUserAccountKeysCommand(IUserService userService, IUserRepository userRepository,
+        ICipherRepository cipherRepository, IFolderRepository folderRepository, ISendRepository sendRepository,
+        IEmergencyAccessRepository emergencyAccessRepository, IOrganizationUserRepository organizationUserRepository,
+        IPasswordHasher<User> passwordHasher,
+        IPushNotificationService pushService, IdentityErrorDescriber errors, IWebAuthnCredentialRepository credentialRepository)
+    {
+        _userService = userService;
+        _userRepository = userRepository;
+        _cipherRepository = cipherRepository;
+        _folderRepository = folderRepository;
+        _sendRepository = sendRepository;
+        _emergencyAccessRepository = emergencyAccessRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _pushService = pushService;
+        _identityErrorDescriber = errors;
+        _credentialRepository = credentialRepository;
+        _passwordHasher = passwordHasher;
+    }
+
+    /// <inheritdoc />
+    public async Task<IdentityResult> RotateUserAccountKeysAsync(User user, RotateUserAccountKeysData model)
+    {
+        if (user == null)
+        {
+            throw new ArgumentNullException(nameof(user));
+        }
+
+        if (!await _userService.CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash))
+        {
+            return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
+        }
+
+        var now = DateTime.UtcNow;
+        user.RevisionDate = user.AccountRevisionDate = now;
+        user.LastKeyRotationDate = now;
+        user.SecurityStamp = Guid.NewGuid().ToString();
+
+        if (
+            !model.MasterPasswordUnlockData.ValidateForUser(user)
+        )
+        {
+            throw new InvalidOperationException("The provided master password unlock data is not valid for this user.");
+        }
+        if (
+            model.AccountPublicKey != user.PublicKey
+        )
+        {
+            throw new InvalidOperationException("The provided account public key does not match the user's current public key, and changing the account asymmetric keypair is currently not supported during key rotation.");
+        }
+
+        user.Key = model.MasterPasswordUnlockData.MasterKeyEncryptedUserKey;
+        user.PrivateKey = model.UserKeyEncryptedAccountPrivateKey;
+        user.MasterPassword = _passwordHasher.HashPassword(user, model.MasterPasswordUnlockData.MasterKeyAuthenticationHash);
+        user.MasterPasswordHint = model.MasterPasswordUnlockData.MasterPasswordHint;
+
+        List<UpdateEncryptedDataForKeyRotation> saveEncryptedDataActions = new();
+        if (model.Ciphers.Any())
+        {
+            saveEncryptedDataActions.Add(_cipherRepository.UpdateForKeyRotation(user.Id, model.Ciphers));
+        }
+
+        if (model.Folders.Any())
+        {
+            saveEncryptedDataActions.Add(_folderRepository.UpdateForKeyRotation(user.Id, model.Folders));
+        }
+
+        if (model.Sends.Any())
+        {
+            saveEncryptedDataActions.Add(_sendRepository.UpdateForKeyRotation(user.Id, model.Sends));
+        }
+
+        if (model.EmergencyAccesses.Any())
+        {
+            saveEncryptedDataActions.Add(
+                _emergencyAccessRepository.UpdateForKeyRotation(user.Id, model.EmergencyAccesses));
+        }
+
+        if (model.OrganizationUsers.Any())
+        {
+            saveEncryptedDataActions.Add(
+                _organizationUserRepository.UpdateForKeyRotation(user.Id, model.OrganizationUsers));
+        }
+
+        if (model.WebAuthnKeys.Any())
+        {
+            saveEncryptedDataActions.Add(_credentialRepository.UpdateKeysForRotationAsync(user.Id, model.WebAuthnKeys));
+        }
+
+        await _userRepository.UpdateUserKeyAndEncryptedDataV2Async(user, saveEncryptedDataActions);
+        await _pushService.PushLogOutAsync(user.Id);
+        return IdentityResult.Success;
+    }
+}