Add UpdateAccountCryptographicState repository function (#6669)

* Add user repository update function for account cryptographic state * Remove comment * Remove transaction logic * Fix security version * Apply feedback * Update tests * Add support for external actions
2025-12-31 15:43:16 +00:00 · 2025-12-11 12:10:50 +01:00
parent 1aad410128
commit 919d0be6d2
7 changed files with 374 additions and 3 deletions
--- a/src/Core/KeyManagement/Models/Data/UserAccountKeysData.cs
+++ b/src/Core/KeyManagement/Models/Data/UserAccountKeysData.cs
@@ -1,9 +1,34 @@
 namespace Bit.Core.KeyManagement.Models.Data;

-
+/// <summary>
+/// Represents an expanded account cryptographic state for a user. Expanded here means
+/// that it does not only contain the (wrapped) private / signing key, but also the public
+/// key / verifying key. The client side only needs a subset of this data to unlock
+/// their vault and the public parts can be derived.
+/// </summary>
 public class UserAccountKeysData
 {
    public required PublicKeyEncryptionKeyPairData PublicKeyEncryptionKeyPairData { get; set; }
    public SignatureKeyPairData? SignatureKeyPairData { get; set; }
    public SecurityStateData? SecurityStateData { get; set; }
+
+    /// <summary>
+    /// Checks whether the account cryptographic state is for a V1 encryption user or a V2 encryption user.
+    /// Throws if the state is invalid
+    /// </summary>
+    public bool IsV2Encryption()
+    {
+        if (PublicKeyEncryptionKeyPairData.SignedPublicKey != null && SignatureKeyPairData != null && SecurityStateData != null)
+        {
+            return true;
+        }
+        else if (PublicKeyEncryptionKeyPairData.SignedPublicKey == null && SignatureKeyPairData == null && SecurityStateData == null)
+        {
+            return false;
+        }
+        else
+        {
+            throw new InvalidOperationException("Invalid account cryptographic state: V2 encryption fields must be either all present or all absent.");
+        }
+    }
 }
--- a/src/Core/Repositories/IUserRepository.cs
+++ b/src/Core/Repositories/IUserRepository.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Models.Data;

@@ -44,5 +45,17 @@ public interface IUserRepository : IRepository<User, Guid>
        IEnumerable<UpdateEncryptedDataForKeyRotation> updateDataActions);
    Task UpdateUserKeyAndEncryptedDataV2Async(User user,
        IEnumerable<UpdateEncryptedDataForKeyRotation> updateDataActions);
+    /// <summary>
+    /// Sets the account cryptographic state to a user in a single transaction. The provided
+    /// MUST be a V2 encryption state. Passing in a V1 encryption state will throw.
+    /// Extra actions can be passed in case other user data needs to be updated in the same transaction.
+    /// </summary>
+    Task SetV2AccountCryptographicStateAsync(
+        Guid userId,
+        UserAccountKeysData accountKeysData,
+        IEnumerable<UpdateUserData>? updateUserDataActions = null);
    Task DeleteManyAsync(IEnumerable<User> users);
 }
+
+public delegate Task UpdateUserData(Microsoft.Data.SqlClient.SqlConnection? connection = null,
+    Microsoft.Data.SqlClient.SqlTransaction? transaction = null);