-
Notifications
You must be signed in to change notification settings - Fork 1.6k
[PM-33435] Add new user key rotation endpoint with MP support #7216
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
19 commits
Select commit
Hold shift + click to select a range
40d4d18
Refactor user key rotation to use base data composition
Thomas-Avery 60e0ece
Update tests
Thomas-Avery aa8ed9e
Add new user key rotation endpoint with MP support
Thomas-Avery 27a9f0f
Fix tests
Thomas-Avery 326671a
Increase test coverage
Thomas-Avery 5eb2f99
Migrate off of obsolete cipher login
Thomas-Avery bfbd17f
Fix CA2208
Thomas-Avery b0e5467
Merge branch 'main' into km/pm-33162
Thomas-Avery 919c3a4
Merge branch 'km/pm-33162' into km/pm-33435/new-endpoint
Thomas-Avery dab563e
Add UnlockMethod to request payload
Thomas-Avery bc6bfe5
Add note on request model
Thomas-Avery 271e7b3
Merge branch 'main' into km/pm-33162
Thomas-Avery b531b99
Merge branch 'km/pm-33162' into km/pm-33435/new-endpoint
Thomas-Avery 73f6b59
Fix tests
Thomas-Avery d67c1b0
Merge branch 'km/pm-33162' into km/pm-33435/new-endpoint
Thomas-Avery 827683f
Fix tests
Thomas-Avery 707595b
Merge branch 'main' into km/pm-33162
Thomas-Avery 6f372a6
Merge branch 'km/pm-33162' into km/pm-33435/new-endpoint
Thomas-Avery 6709a78
Merge branch 'main' into km/pm-33435/new-endpoint
Thomas-Avery File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| namespace Bit.Api.KeyManagement.Enums; | ||
|
|
||
| public enum UnlockMethod | ||
| { | ||
| Tde, | ||
| MasterPassword, | ||
| KeyConnector, | ||
| } |
15 changes: 15 additions & 0 deletions
15
src/Api/KeyManagement/Models/Requests/CommonUnlockDataRequestModel.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| using Bit.Api.AdminConsole.Models.Request.Organizations; | ||
| using Bit.Api.Auth.Models.Request; | ||
| using Bit.Api.Auth.Models.Request.WebAuthn; | ||
| using Bit.Core.Auth.Models.Api.Request; | ||
|
|
||
| namespace Bit.Api.KeyManagement.Models.Requests; | ||
|
|
||
| public class CommonUnlockDataRequestModel | ||
| { | ||
| public required IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessUnlockData { get; set; } | ||
| public required IEnumerable<ResetPasswordWithOrgIdRequestModel> OrganizationAccountRecoveryUnlockData { get; set; } | ||
| public required IEnumerable<WebAuthnLoginRotateKeyRequestModel> PasskeyUnlockData { get; set; } | ||
| public required IEnumerable<OtherDeviceKeysUpdateRequestModel> DeviceKeyUnlockData { get; set; } | ||
| public V2UpgradeTokenRequestModel? V2UpgradeToken { get; set; } | ||
| } |
9 changes: 9 additions & 0 deletions
9
src/Api/KeyManagement/Models/Requests/RotateUserKeysRequestModel.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| namespace Bit.Api.KeyManagement.Models.Requests; | ||
|
|
||
| public class RotateUserKeysRequestModel | ||
| { | ||
| public required WrappedAccountCryptographicStateRequestModel WrappedAccountCryptographicState { get; set; } | ||
| public required CommonUnlockDataRequestModel UnlockData { get; set; } | ||
| public required AccountDataRequestModel AccountData { get; set; } | ||
| public required UnlockMethodRequestModel UnlockMethodData { get; set; } | ||
| } |
47 changes: 47 additions & 0 deletions
47
src/Api/KeyManagement/Models/Requests/UnlockMethodRequestModel.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| using System.ComponentModel.DataAnnotations; | ||
| using Bit.Api.KeyManagement.Enums; | ||
| using Bit.Core.KeyManagement.Models.Api.Request; | ||
| using Bit.Core.Utilities; | ||
|
|
||
| namespace Bit.Api.KeyManagement.Models.Requests; | ||
|
|
||
| public class UnlockMethodRequestModel : IValidatableObject | ||
| { | ||
| [Required] | ||
| public required UnlockMethod UnlockMethod { get; init; } | ||
|
|
||
| // Master password user | ||
| public MasterPasswordUnlockDataRequestModel? MasterPasswordUnlockData { get; init; } | ||
|
|
||
| // Key Connector user. | ||
| [EncryptedString] | ||
| public string? KeyConnectorKeyWrappedUserKey { get; init; } | ||
|
|
||
| public IEnumerable<ValidationResult> Validate(ValidationContext validationContext) | ||
| { | ||
| switch (UnlockMethod) | ||
| { | ||
| case UnlockMethod.MasterPassword: | ||
| if (MasterPasswordUnlockData == null || KeyConnectorKeyWrappedUserKey != null) | ||
| { | ||
| yield return new ValidationResult("Invalid MasterPassword unlock method request, MasterPasswordUnlockData must be provided and KeyConnectorKeyWrappedUserKey must be null"); | ||
| } | ||
| break; | ||
| case UnlockMethod.Tde: | ||
| if (MasterPasswordUnlockData != null || KeyConnectorKeyWrappedUserKey != null) | ||
| { | ||
| yield return new ValidationResult("Invalid Tde unlock method request, MasterPasswordUnlockData must be null and KeyConnectorKeyWrappedUserKey must be null"); | ||
| } | ||
| break; | ||
| case UnlockMethod.KeyConnector: | ||
| if (KeyConnectorKeyWrappedUserKey == null || MasterPasswordUnlockData != null) | ||
| { | ||
| yield return new ValidationResult("Invalid KeyConnector unlock method request, KeyConnectorKeyWrappedUserKey must be provided and MasterPasswordUnlockData must be null"); | ||
| } | ||
| break; | ||
| default: | ||
| yield return new ValidationResult("Unrecognized unlock method"); | ||
| break; | ||
| } | ||
| } | ||
| } |
22 changes: 22 additions & 0 deletions
22
src/Api/KeyManagement/Models/Requests/WrappedAccountCryptographicStateRequestModel.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| using Bit.Core.KeyManagement.Models.Api.Request; | ||
| using Bit.Core.KeyManagement.Models.Data; | ||
|
|
||
| namespace Bit.Api.KeyManagement.Models.Requests; | ||
|
|
||
| // This request model is meant to be used when the user will be submitting a v2 encryption WrappedAccountCryptographicState payload. | ||
| public class WrappedAccountCryptographicStateRequestModel | ||
|
Thomas-Avery marked this conversation as resolved.
|
||
| { | ||
| public required PublicKeyEncryptionKeyPairRequestModel PublicKeyEncryptionKeyPair { get; set; } | ||
| public required SignatureKeyPairRequestModel SignatureKeyPair { get; set; } | ||
| public required SecurityStateModel SecurityState { get; set; } | ||
|
|
||
| public UserAccountKeysData ToAccountKeysData() | ||
| { | ||
| return new UserAccountKeysData | ||
| { | ||
| PublicKeyEncryptionKeyPairData = PublicKeyEncryptionKeyPair.ToPublicKeyEncryptionKeyPairData(), | ||
| SignatureKeyPairData = SignatureKeyPair.ToSignatureKeyPairData(), | ||
| SecurityStateData = SecurityState.ToSecurityState() | ||
| }; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
23 changes: 23 additions & 0 deletions
23
src/Core/KeyManagement/UserKey/Models/Data/MasterPasswordRotateUserAccountKeysData.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| using Bit.Core.Entities; | ||
| using Bit.Core.Exceptions; | ||
| using Bit.Core.KeyManagement.Models.Data; | ||
|
|
||
| namespace Bit.Core.KeyManagement.UserKey.Models.Data; | ||
|
|
||
| public class MasterPasswordRotateUserAccountKeysData | ||
| { | ||
| public required MasterPasswordUnlockData MasterPasswordUnlockData { get; init; } | ||
| public required BaseRotateUserAccountKeysData BaseData { get; init; } | ||
|
|
||
| public void ValidateForUser(User user) | ||
| { | ||
| var isMasterPasswordUser = user is { Key: not null, MasterPassword: not null }; | ||
| if (!isMasterPasswordUser) | ||
| { | ||
| throw new BadRequestException("User is in an invalid state for master password key rotation."); | ||
| } | ||
|
|
||
| MasterPasswordUnlockData.ValidateSaltUnchangedForUser(user); | ||
| MasterPasswordUnlockData.Kdf.ValidateUnchangedForUser(user); | ||
| } | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.