[PM-23229] Add extra validation to kdf changes + authentication data + unlock data (#6121)

* Added MasterPasswordUnlock to UserDecryptionOptions as part of identity response * Implement support for authentication data and unlock data in kdf change * Extract to kdf command and add tests * Fix namespace * Delete empty file * Fix build * Clean up tests * Fix tests * Add comments * Cleanup * Cleanup * Cleanup * Clean-up and fix build * Address feedback; force new parameters on KDF change request * Clean-up and add tests * Re-add logger * Update logger to interface * Clean up, remove Kdf Request Model * Remove kdf request model tests * Fix types in test * Address feedback to rename request model and re-add tests * Fix namespace * Move comments * Rename InnerKdfRequestModel to KdfRequestModel --------- Co-authored-by: Maciej Zieniuk <mzieniuk@bitwarden.com>
2026-01-05 10:03:23 +00:00 · 2025-09-24 05:10:46 +09:00
parent 744f11733d
commit ff092a031e
25 changed files with 729 additions and 173 deletions
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -16,6 +16,7 @@ using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Kdf;
 using Bit.Core.Models.Api.Response;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -39,7 +40,7 @@ public class AccountsController : Controller
    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
    private readonly IFeatureService _featureService;
    private readonly ITwoFactorEmailService _twoFactorEmailService;
-
+    private readonly IChangeKdfCommand _changeKdfCommand;

    public AccountsController(
        IOrganizationService organizationService,
@@ -51,7 +52,8 @@ public class AccountsController : Controller
        ITdeOffboardingPasswordCommand tdeOffboardingPasswordCommand,
        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
        IFeatureService featureService,
-        ITwoFactorEmailService twoFactorEmailService
+        ITwoFactorEmailService twoFactorEmailService,
+        IChangeKdfCommand changeKdfCommand
        )
    {
        _organizationService = organizationService;
@@ -64,7 +66,7 @@ public class AccountsController : Controller
        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
        _featureService = featureService;
        _twoFactorEmailService = twoFactorEmailService;
-
+        _changeKdfCommand = changeKdfCommand;
    }


@@ -256,7 +258,7 @@ public class AccountsController : Controller
    }

    [HttpPost("kdf")]
-    public async Task PostKdf([FromBody] KdfRequestModel model)
+    public async Task PostKdf([FromBody] PasswordRequestModel model)
    {
        var user = await _userService.GetUserByPrincipalAsync(User);
        if (user == null)
@@ -264,8 +266,12 @@ public class AccountsController : Controller
            throw new UnauthorizedAccessException();
        }

-        var result = await _userService.ChangeKdfAsync(user, model.MasterPasswordHash,
-            model.NewMasterPasswordHash, model.Key, model.Kdf.Value, model.KdfIterations.Value, model.KdfMemory, model.KdfParallelism);
+        if (model.AuthenticationData == null || model.UnlockData == null)
+        {
+            throw new BadRequestException("AuthenticationData and UnlockData must be provided.");
+        }
+
+        var result = await _changeKdfCommand.ChangeKdfAsync(user, model.MasterPasswordHash, model.AuthenticationData.ToData(), model.UnlockData.ToData());
        if (result.Succeeded)
        {
            return;
--- a/src/Api/Auth/Models/Request/Accounts/KdfRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/KdfRequestModel.cs
@@ -1,25 +0,0 @@
-using System.ComponentModel.DataAnnotations;
-using Bit.Core.Enums;
-using Bit.Core.Utilities;
-
-namespace Bit.Api.Auth.Models.Request.Accounts;
-
-public class KdfRequestModel : PasswordRequestModel, IValidatableObject
-{
-    [Required]
-    public KdfType? Kdf { get; set; }
-    [Required]
-    public int? KdfIterations { get; set; }
-    public int? KdfMemory { get; set; }
-    public int? KdfParallelism { get; set; }
-
-    public override IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
-    {
-        if (Kdf.HasValue && KdfIterations.HasValue)
-        {
-            return KdfSettingsValidator.Validate(Kdf.Value, KdfIterations.Value, KdfMemory, KdfParallelism);
-        }
-
-        return Enumerable.Empty<ValidationResult>();
-    }
-}
--- a/src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataAndAuthenticationModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataAndAuthenticationModel.cs
@@ -7,7 +7,7 @@ using Bit.Core.Utilities;

 namespace Bit.Api.Auth.Models.Request.Accounts;

-public class MasterPasswordUnlockDataModel : IValidatableObject
+public class MasterPasswordUnlockAndAuthenticationDataModel : IValidatableObject
 {
    public required KdfType KdfType { get; set; }
    public required int KdfIterations { get; set; }
@@ -45,9 +45,9 @@ public class MasterPasswordUnlockDataModel : IValidatableObject
        }
    }

-    public MasterPasswordUnlockData ToUnlockData()
+    public MasterPasswordUnlockAndAuthenticationData ToUnlockData()
    {
-        var data = new MasterPasswordUnlockData
+        var data = new MasterPasswordUnlockAndAuthenticationData
        {
            KdfType = KdfType,
            KdfIterations = KdfIterations,
--- a/src/Api/Auth/Models/Request/Accounts/PasswordRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/PasswordRequestModel.cs
@@ -1,7 +1,7 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
+#nullable enable

 using System.ComponentModel.DataAnnotations;
+using Bit.Api.KeyManagement.Models.Requests;

 namespace Bit.Api.Auth.Models.Request.Accounts;

@@ -9,9 +9,13 @@ public class PasswordRequestModel : SecretVerificationRequestModel
 {
    [Required]
    [StringLength(300)]
-    public string NewMasterPasswordHash { get; set; }
+    public required string NewMasterPasswordHash { get; set; }
    [StringLength(50)]
-    public string MasterPasswordHint { get; set; }
+    public string? MasterPasswordHint { get; set; }
    [Required]
-    public string Key { get; set; }
+    public required string Key { get; set; }
+
+    // Note: These will eventually become required, but not all consumers are moved over yet.
+    public MasterPasswordAuthenticationDataRequestModel? AuthenticationData { get; set; }
+    public MasterPasswordUnlockDataRequestModel? UnlockData { get; set; }
 }
--- a/src/Api/KeyManagement/Models/Requests/KdfRequestModel.cs
+++ b/src/Api/KeyManagement/Models/Requests/KdfRequestModel.cs
@@ -0,0 +1,26 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Data;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class KdfRequestModel
+{
+    [Required]
+    public required KdfType KdfType { get; init; }
+    [Required]
+    public required int Iterations { get; init; }
+    public int? Memory { get; init; }
+    public int? Parallelism { get; init; }
+
+    public KdfSettings ToData()
+    {
+        return new KdfSettings
+        {
+            KdfType = KdfType,
+            Iterations = Iterations,
+            Memory = Memory,
+            Parallelism = Parallelism
+        };
+    }
+}
--- a/src/Api/KeyManagement/Models/Requests/MasterPasswordAuthenticationDataRequestModel.cs
+++ b/src/Api/KeyManagement/Models/Requests/MasterPasswordAuthenticationDataRequestModel.cs
@@ -0,0 +1,21 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Data;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class MasterPasswordAuthenticationDataRequestModel
+{
+    public required KdfRequestModel Kdf { get; init; }
+    public required string MasterPasswordAuthenticationHash { get; init; }
+    [StringLength(256)] public required string Salt { get; init; }
+
+    public MasterPasswordAuthenticationData ToData()
+    {
+        return new MasterPasswordAuthenticationData
+        {
+            Kdf = Kdf.ToData(),
+            MasterPasswordAuthenticationHash = MasterPasswordAuthenticationHash,
+            Salt = Salt
+        };
+    }
+}
--- a/src/Api/KeyManagement/Models/Requests/MasterPasswordUnlockDataRequestModel.cs
+++ b/src/Api/KeyManagement/Models/Requests/MasterPasswordUnlockDataRequestModel.cs
@@ -0,0 +1,22 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class MasterPasswordUnlockDataRequestModel
+{
+    public required KdfRequestModel Kdf { get; init; }
+    [EncryptedString] public required string MasterKeyWrappedUserKey { get; init; }
+    [StringLength(256)] public required string Salt { get; init; }
+
+    public MasterPasswordUnlockData ToData()
+    {
+        return new MasterPasswordUnlockData
+        {
+            Kdf = Kdf.ToData(),
+            MasterKeyWrappedUserKey = MasterKeyWrappedUserKey,
+            Salt = Salt
+        };
+    }
+}
--- a/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
+++ b/src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs
@@ -10,7 +10,7 @@ namespace Bit.Api.KeyManagement.Models.Requests;
 public class UnlockDataRequestModel
 {
    // All methods to get to the userkey
-    public required MasterPasswordUnlockDataModel MasterPasswordUnlockData { get; set; }
+    public required MasterPasswordUnlockAndAuthenticationDataModel MasterPasswordUnlockData { get; set; }
    public required IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessUnlockData { get; set; }
    public required IEnumerable<ResetPasswordWithOrgIdRequestModel> OrganizationAccountRecoveryUnlockData { get; set; }
    public required IEnumerable<WebAuthnLoginRotateKeyRequestModel> PasskeyUnlockData { get; set; }