Update UserDecryptionOptions.cs to add BuildOpaqueOption

2025-04-05 05:00:19 -05:00 · 2025-03-20 14:18:35 -04:00 · 2025-03-20 14:18:35 -04:00 · 2741b04e88
commit 2741b04e88
parent 9b7c14c2df
2 changed files with 61 additions and 4 deletions
--- a/src/Core/Auth/Models/Api/Response/UserDecryptionOptions.cs
+++ b/src/Core/Auth/Models/Api/Response/UserDecryptionOptions.cs
@ -5,7 +5,6 @@ using Bit.Core.Models.Api;

 namespace Bit.Core.Auth.Models.Api.Response;

-// TODO: in order to support opaque decryption via export key, we must update this to have a new option for opaque
 public class UserDecryptionOptions : ResponseModel
 {
    public UserDecryptionOptions() : base("userDecryptionOptions")
@ -30,10 +29,16 @@ public class UserDecryptionOptions : ResponseModel
    public TrustedDeviceUserDecryptionOption? TrustedDeviceOption { get; set; }

    /// <summary>
-    /// Gets or set information about the current users KeyConnector setup.
+    /// Gets or sets information about the current users KeyConnector setup.
    /// </summary>
    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
    public KeyConnectorUserDecryptionOption? KeyConnectorOption { get; set; }
+
+    /// <summary>
+    /// Gets or sets information about the current OPAQUE setup.
+    /// </summary>
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public OpaqueUserDecryptionOption? OpaqueOption { get; set; }
 }

 public class WebAuthnPrfDecryptionOption
@ -84,3 +89,18 @@ public class KeyConnectorUserDecryptionOption
        KeyConnectorUrl = keyConnectorUrl;
    }
 }
+
+
+public class OpaqueUserDecryptionOption
+{
+    public string EncryptedPrivateKey { get; }
+    public string EncryptedUserKey { get; }
+
+    public OpaqueUserDecryptionOption(
+        string encryptedPrivateKey,
+        string encryptedUserKey)
+    {
+        EncryptedPrivateKey = encryptedPrivateKey;
+        EncryptedUserKey = encryptedUserKey;
+    }
+}
--- a/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
+++ b/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
@ -1,11 +1,14 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Response;
+using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Identity.Utilities;

 namespace Bit.Identity.IdentityServer;
@ -21,6 +24,8 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
    private readonly ICurrentContext _currentContext;
    private readonly IDeviceRepository _deviceRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IFeatureService _featureService;
+    private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository;

    private UserDecryptionOptions _options = new UserDecryptionOptions();
    private User? _user;
@ -30,12 +35,16 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
    public UserDecryptionOptionsBuilder(
        ICurrentContext currentContext,
        IDeviceRepository deviceRepository,
-        IOrganizationUserRepository organizationUserRepository
+        IOrganizationUserRepository organizationUserRepository,
+        IFeatureService featureService,
+        IOpaqueKeyExchangeCredentialRepository opaqueKeyExchangeCredentialRepository
    )
    {
        _currentContext = currentContext;
        _deviceRepository = deviceRepository;
        _organizationUserRepository = organizationUserRepository;
+        _featureService = featureService;
+        _opaqueKeyExchangeCredentialRepository = opaqueKeyExchangeCredentialRepository;
    }

    public IUserDecryptionOptionsBuilder ForUser(User user)
@ -70,6 +79,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
    {
        BuildKeyConnectorOptions();
        await BuildTrustedDeviceOptions();
+        await BuildOpaqueOption();

        return _options;
    }
@ -151,4 +161,31 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
            encryptedPrivateKey,
            encryptedUserKey);
    }
+
+    private async Task BuildOpaqueOption()
+    {
+
+        if (!_featureService.IsEnabled(FeatureFlagKeys.OpaqueKeyExchange))
+        {
+            return;
+        }
+
+        if (_user == null)
+        {
+            return;
+        }
+
+        var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(_user.Id);
+
+        if (credential == null)
+        {
+            return;
+        }
+
+        _options.OpaqueOption = new OpaqueUserDecryptionOption(
+            credential.EncryptedPrivateKey,
+            credential.EncryptedUserKey
+        );
+
+    }
 }