[PM-23229] Add extra validation to kdf changes + authentication data + unlock data (#6121)

* Added MasterPasswordUnlock to UserDecryptionOptions as part of identity response * Implement support for authentication data and unlock data in kdf change * Extract to kdf command and add tests * Fix namespace * Delete empty file * Fix build * Clean up tests * Fix tests * Add comments * Cleanup * Cleanup * Cleanup * Clean-up and fix build * Address feedback; force new parameters on KDF change request * Clean-up and add tests * Re-add logger * Update logger to interface * Clean up, remove Kdf Request Model * Remove kdf request model tests * Fix types in test * Address feedback to rename request model and re-add tests * Fix namespace * Move comments * Rename InnerKdfRequestModel to KdfRequestModel --------- Co-authored-by: Maciej Zieniuk <mzieniuk@bitwarden.com>
2025-12-15 07:43:54 +00:00 · 2025-09-24 05:10:46 +09:00
parent 744f11733d
commit ff092a031e
25 changed files with 729 additions and 173 deletions
--- a/src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataAndAuthenticationModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/MasterPasswordUnlockDataAndAuthenticationModel.cs
@@ -0,0 +1,66 @@
+#nullable enable
+
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Auth.Models.Request.Accounts;
+
+public class MasterPasswordUnlockAndAuthenticationDataModel : IValidatableObject
+{
+    public required KdfType KdfType { get; set; }
+    public required int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
+
+    [StrictEmailAddress]
+    [StringLength(256)]
+    public required string Email { get; set; }
+    [StringLength(300)]
+    public required string MasterKeyAuthenticationHash { get; set; }
+    [EncryptedString] public required string MasterKeyEncryptedUserKey { get; set; }
+    [StringLength(50)]
+    public string? MasterPasswordHint { get; set; }
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        if (KdfType == KdfType.PBKDF2_SHA256)
+        {
+            if (KdfMemory.HasValue || KdfParallelism.HasValue)
+            {
+                yield return new ValidationResult("KdfMemory and KdfParallelism must be null for PBKDF2_SHA256", new[] { nameof(KdfMemory), nameof(KdfParallelism) });
+            }
+        }
+        else if (KdfType == KdfType.Argon2id)
+        {
+            if (!KdfMemory.HasValue || !KdfParallelism.HasValue)
+            {
+                yield return new ValidationResult("KdfMemory and KdfParallelism must have values for Argon2id", new[] { nameof(KdfMemory), nameof(KdfParallelism) });
+            }
+        }
+        else
+        {
+            yield return new ValidationResult("Invalid KdfType", new[] { nameof(KdfType) });
+        }
+    }
+
+    public MasterPasswordUnlockAndAuthenticationData ToUnlockData()
+    {
+        var data = new MasterPasswordUnlockAndAuthenticationData
+        {
+            KdfType = KdfType,
+            KdfIterations = KdfIterations,
+            KdfMemory = KdfMemory,
+            KdfParallelism = KdfParallelism,
+
+            Email = Email,
+
+            MasterKeyAuthenticationHash = MasterKeyAuthenticationHash,
+            MasterKeyEncryptedUserKey = MasterKeyEncryptedUserKey,
+            MasterPasswordHint = MasterPasswordHint
+        };
+        return data;
+    }
+
+}