[Pm 3797 Part 2] Add emergency access rotations (#3434)

## Type of change

<!-- (mark with an `X`) -->

```
- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
```

## Objective
<!--Describe what the purpose of this PR is. For example: what bug you're fixing or what new feature you're adding-->
See #3425 for part 1 and background.

This PR adds emergency access to the rotation. All new code is hidden behind a feature flag.

The Accounts controller has also been moved to Auth ownership.

## Code changes
<!--Explain the changes you've made to each file or major component. This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->

* **file.ext:** Description of what was changed and why
* **AccountsController.cs:** Moved to Auth ownership. Emergency access validation was added (as well as initializing empty lists to avoid errors).
* **EmergencyAccessRotationValidator.cs:** Performs validation on the provided list of new emergency access keys.
* **EmergencyAccessRepository.cs:** Adds a method to rotate encryption keys. This is added to a list in the `RotateUserKeyCommand` that the `UserRepository` calls so it doesn't have to know about all the domains.

## Before you submit

- Please check for formatting errors (`dotnet format --verify-no-changes`) (required)
- If making database changes - make sure you also update Entity Framework queries and/or migrations
- Please add **unit tests** where it makes sense to do so (encouraged but not required)
- If this change requires a **documentation update** - notify the documentation team
- If this change has particular **deployment requirements** - notify the DevOps team

src/Infrastructure.Dapper/Auth/Helpers/EmergencyAccessHelpers.cs

@@ -0,0 +1,30 @@
+using System.Data;
+using Bit.Core.Auth.Entities;
+
+namespace Bit.Infrastructure.Dapper.Auth.Helpers;
+
+public static class EmergencyAccessHelpers
+{
+    public static DataTable ToDataTable(this IEnumerable<EmergencyAccess> emergencyAccesses)
+    {
+        var emergencyAccessTable = new DataTable();
+
+        var columnData = new List<(string name, Type type, Func<EmergencyAccess, object> getter)>
+        {
+            (nameof(EmergencyAccess.Id), typeof(Guid), c => c.Id),
+            (nameof(EmergencyAccess.GrantorId), typeof(Guid), c => c.GrantorId),
+            (nameof(EmergencyAccess.GranteeId), typeof(Guid), c => c.GranteeId),
+            (nameof(EmergencyAccess.Email), typeof(string), c => c.Email),
+            (nameof(EmergencyAccess.KeyEncrypted), typeof(string), c => c.KeyEncrypted),
+            (nameof(EmergencyAccess.WaitTimeDays), typeof(int), c => c.WaitTimeDays),
+            (nameof(EmergencyAccess.Type), typeof(short), c => c.Type),
+            (nameof(EmergencyAccess.Status), typeof(short), c => c.Status),
+            (nameof(EmergencyAccess.RecoveryInitiatedDate), typeof(DateTime), c => c.RecoveryInitiatedDate),
+            (nameof(EmergencyAccess.LastNotificationDate), typeof(DateTime), c => c.LastNotificationDate),
+            (nameof(EmergencyAccess.CreationDate), typeof(DateTime), c => c.CreationDate),
+            (nameof(EmergencyAccess.RevisionDate), typeof(DateTime), c => c.RevisionDate),
+        };
+
+        return emergencyAccesses.BuildTable(emergencyAccessTable, columnData);
+    }
+}

src/Infrastructure.Dapper/Auth/Repositories/EmergencyAccessRepository.cs

@@ -1,8 +1,10 @@
 using System.Data;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.UserFeatures.UserKey;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
+using Bit.Infrastructure.Dapper.Auth.Helpers;
 using Bit.Infrastructure.Dapper.Repositories;
 using Dapper;
 using Microsoft.Data.SqlClient;
@@ -94,4 +96,58 @@ public class EmergencyAccessRepository : Repository<EmergencyAccess, Guid>, IEme
             return results.ToList();
         }
     }
+
+    /// <inheritdoc />
+    public UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(
+        Guid grantorId, IEnumerable<EmergencyAccess> emergencyAccessKeys)
+    {
+        return async (SqlConnection connection, SqlTransaction transaction) =>
+        {
+            // Create temp table
+            var sqlCreateTemp = @"
+                            SELECT TOP 0 *
+                            INTO #TempEmergencyAccess
+                            FROM [dbo].[EmergencyAccess]";
+
+            await using (var cmd = new SqlCommand(sqlCreateTemp, connection, transaction))
+            {
+                cmd.ExecuteNonQuery();
+            }
+
+            // Bulk copy data into temp table
+            using (var bulkCopy = new SqlBulkCopy(connection, SqlBulkCopyOptions.KeepIdentity, transaction))
+            {
+                bulkCopy.DestinationTableName = "#TempEmergencyAccess";
+                var emergencyAccessTable = emergencyAccessKeys.ToDataTable();
+                foreach (DataColumn col in emergencyAccessTable.Columns)
+                {
+                    bulkCopy.ColumnMappings.Add(col.ColumnName, col.ColumnName);
+                }
+
+                emergencyAccessTable.PrimaryKey = new DataColumn[] { emergencyAccessTable.Columns[0] };
+                await bulkCopy.WriteToServerAsync(emergencyAccessTable);
+            }
+
+            // Update emergency access table from temp table
+            var sql = @"
+                UPDATE
+                    [dbo].[EmergencyAccess]
+                SET
+                    [KeyEncrypted] = TE.[KeyEncrypted]
+                FROM
+                    [dbo].[EmergencyAccess] E
+                INNER JOIN
+                    #TempEmergencyAccess TE ON E.Id = TE.Id
+                WHERE
+                    E.[GrantorId] = @GrantorId
+
+                DROP TABLE #TempEmergencyAccess";
+
+            await using (var cmd = new SqlCommand(sql, connection, transaction))
+            {
+                cmd.Parameters.Add("@GrantorId", SqlDbType.UniqueIdentifier).Value = grantorId;
+                cmd.ExecuteNonQuery();
+            }
+        };
+    }
 }

src/Infrastructure.Dapper/DapperHelpers.cs

@@ -107,7 +107,8 @@ public static class DapperHelpers
         return organizationSponsorships.BuildTable(table, columnData);
     }
 
-    private static DataTable BuildTable<T>(this IEnumerable<T> entities, DataTable table, List<(string name, Type type, Func<T, object> getter)> columnData)
+    public static DataTable BuildTable<T>(this IEnumerable<T> entities, DataTable table,
+        List<(string name, Type type, Func<T, object> getter)> columnData)
     {
         foreach (var (name, type, getter) in columnData)
         {

src/Infrastructure.Dapper/Repositories/UserRepository.cs

@@ -209,7 +209,7 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
             //  Update re-encrypted data
             foreach (var action in updateDataActions)
             {
-                await action(transaction);
+                await action(connection, transaction);
             }
 
             transaction.Commit();