[Pm 3797 Part 2] Add emergency access rotations (#3434)

## Type of change

<!-- (mark with an `X`) -->

```
- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
```

## Objective
<!--Describe what the purpose of this PR is. For example: what bug you're fixing or what new feature you're adding-->
See #3425 for part 1 and background.

This PR adds emergency access to the rotation. All new code is hidden behind a feature flag.

The Accounts controller has also been moved to Auth ownership.

## Code changes
<!--Explain the changes you've made to each file or major component. This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->

* **file.ext:** Description of what was changed and why
* **AccountsController.cs:** Moved to Auth ownership. Emergency access validation was added (as well as initializing empty lists to avoid errors).
* **EmergencyAccessRotationValidator.cs:** Performs validation on the provided list of new emergency access keys.
* **EmergencyAccessRepository.cs:** Adds a method to rotate encryption keys. This is added to a list in the `RotateUserKeyCommand` that the `UserRepository` calls so it doesn't have to know about all the domains.

## Before you submit

- Please check for formatting errors (`dotnet format --verify-no-changes`) (required)
- If making database changes - make sure you also update Entity Framework queries and/or migrations
- Please add **unit tests** where it makes sense to do so (encouraged but not required)
- If this change requires a **documentation update** - notify the documentation team
- If this change has particular **deployment requirements** - notify the DevOps team

src/Api/Auth/Controllers/AccountsController.cs

@@ -1,5 +1,7 @@
 using Bit.Api.AdminConsole.Models.Response;
+using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Validators;
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Request.Accounts;
 using Bit.Api.Models.Response;
@@ -8,6 +10,7 @@ using Bit.Core;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Api.Response.Accounts;
 using Bit.Core.Auth.Models.Data;
@@ -16,6 +19,7 @@ using Bit.Core.Auth.UserFeatures.UserKey;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Context;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api.Response;
@@ -34,7 +38,7 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 
-namespace Bit.Api.Controllers;
+namespace Bit.Api.Auth.Controllers;
 
 [Route("accounts")]
 [Authorize("Application")]
@@ -61,6 +65,10 @@ public class AccountsController : Controller
     private bool UseFlexibleCollections =>
         _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
 
+    private readonly IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
+        _emergencyAccessValidator;
+
+
     public AccountsController(
         GlobalSettings globalSettings,
         ICipherRepository cipherRepository,
@@ -78,7 +86,9 @@ public class AccountsController : Controller
         ISetInitialMasterPasswordCommand setInitialMasterPasswordCommand,
         IRotateUserKeyCommand rotateUserKeyCommand,
         IFeatureService featureService,
-        ICurrentContext currentContext
+        ICurrentContext currentContext,
+        IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
+            emergencyAccessValidator
         )
     {
         _cipherRepository = cipherRepository;
@@ -98,6 +108,7 @@ public class AccountsController : Controller
         _rotateUserKeyCommand = rotateUserKeyCommand;
         _featureService = featureService;
         _currentContext = currentContext;
+        _emergencyAccessValidator = emergencyAccessValidator;
     }
 
     #region DEPRECATED (Moved to Identity Service)
@@ -403,14 +414,14 @@ public class AccountsController : Controller
                 MasterPasswordHash = model.MasterPasswordHash,
                 Key = model.Key,
                 PrivateKey = model.PrivateKey,
-                // Ciphers = await _cipherValidator.ValidateAsync(user, model.Ciphers),
-                // Folders = await _folderValidator.ValidateAsync(user, model.Folders),
-                // Sends = await _sendValidator.ValidateAsync(user, model.Sends),
-                // EmergencyAccessKeys = await _emergencyAccessValidator.ValidateAsync(user, model.EmergencyAccessKeys),
-                // ResetPasswordKeys = await _accountRecoveryValidator.ValidateAsync(user, model.ResetPasswordKeys),
+                Ciphers = new List<Cipher>(),
+                Folders = new List<Folder>(),
+                Sends = new List<Send>(),
+                EmergencyAccessKeys = await _emergencyAccessValidator.ValidateAsync(user, model.EmergencyAccessKeys),
+                ResetPasswordKeys = new List<OrganizationUser>(),
             };
 
-            result = await _rotateUserKeyCommand.RotateUserKeyAsync(dataModel);
+            result = await _rotateUserKeyCommand.RotateUserKeyAsync(user, dataModel);
         }
         else
         {

src/Api/Auth/Models/Request/Accounts/UpdateKeyRequestModel.cs

@@ -17,7 +17,7 @@ public class UpdateKeyRequestModel
     public IEnumerable<CipherWithIdRequestModel> Ciphers { get; set; }
     public IEnumerable<FolderWithIdRequestModel> Folders { get; set; }
     public IEnumerable<SendWithIdRequestModel> Sends { get; set; }
-    public IEnumerable<EmergencyAccessUpdateRequestModel> EmergencyAccessKeys { get; set; }
+    public IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessKeys { get; set; }
     public IEnumerable<OrganizationUserUpdateRequestModel> ResetPasswordKeys { get; set; }
 
 }

src/Api/Auth/Models/Request/EmergencyAccessRequestModels.cs

@@ -46,3 +46,9 @@ public class EmergencyAccessPasswordRequestModel
     [Required]
     public string Key { get; set; }
 }
+
+public class EmergencyAccessWithIdRequestModel : EmergencyAccessUpdateRequestModel
+{
+    [Required]
+    public Guid Id { get; set; }
+}

src/Api/Auth/Validators/EmergencyAccessRotationValidator.cs

@@ -0,0 +1,58 @@
+using Bit.Api.Auth.Models.Request;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Api.Auth.Validators;
+
+public class EmergencyAccessRotationValidator : IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>,
+    IEnumerable<EmergencyAccess>>
+{
+    private readonly IEmergencyAccessRepository _emergencyAccessRepository;
+    private readonly IUserService _userService;
+
+    public EmergencyAccessRotationValidator(IEmergencyAccessRepository emergencyAccessRepository,
+        IUserService userService)
+    {
+        _emergencyAccessRepository = emergencyAccessRepository;
+        _userService = userService;
+    }
+
+    public async Task<IEnumerable<EmergencyAccess>> ValidateAsync(User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        var result = new List<EmergencyAccess>();
+        if (emergencyAccessKeys == null || !emergencyAccessKeys.Any())
+        {
+            return result;
+        }
+
+        var existing = await _emergencyAccessRepository.GetManyDetailsByGrantorIdAsync(user.Id);
+        if (existing == null || !existing.Any())
+        {
+            return result;
+        }
+        // Exclude any emergency access that has not been confirmed yet.
+        existing = existing.Where(ea => ea.KeyEncrypted != null).ToList();
+
+        foreach (var ea in existing)
+        {
+            var emergencyAccess = emergencyAccessKeys.FirstOrDefault(c => c.Id == ea.Id);
+            if (emergencyAccess == null)
+            {
+                throw new BadRequestException("All existing emergency access keys must be included in the rotation.");
+            }
+
+            if (emergencyAccess.KeyEncrypted == null)
+            {
+                throw new BadRequestException("Emergency access keys cannot be set to null during rotation.");
+            }
+
+            result.Add(emergencyAccess.ToEmergencyAccess(ea));
+        }
+
+        return result;
+    }
+}

src/Api/Auth/Validators/IRotationValidator.cs

@@ -0,0 +1,15 @@
+using Bit.Core.Entities;
+
+namespace Bit.Api.Auth.Validators;
+
+/// <summary>
+/// A consistent interface for domains to validate re-encrypted data before saved to database. Some examples are:<br/>
+/// - All available encrypted data is accounted for<br/>
+/// - All provided encrypted data belongs to the user
+/// </summary>
+/// <typeparam name="T">Request model</typeparam>
+/// <typeparam name="R">Domain model</typeparam>
+public interface IRotationValidator<T, R>
+{
+    Task<R> ValidateAsync(User user, T data);
+}

src/Api/Startup.cs

@@ -7,6 +7,9 @@ using Stripe;
 using Bit.Core.Utilities;
 using IdentityModel;
 using System.Globalization;
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Validators;
+using Bit.Core.Auth.Entities;
 using Bit.Core.IdentityServer;
 using Bit.SharedWeb.Health;
 using Microsoft.IdentityModel.Logging;
@@ -135,6 +138,9 @@ public class Startup
 
         // Key Rotation
         services.AddScoped<IRotateUserKeyCommand, RotateUserKeyCommand>();
+        services
+            .AddScoped<IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>,
+                EmergencyAccessRotationValidator>();
 
         // Services
         services.AddBaseServices(globalSettings);