[PM-4371] Implement PRF key rotation (#4157)

* Send rotateable keyset on list webauthn keys * Implement basic prf key rotation * Add validator for webauthn rotation * Fix accounts controller tests * Add webauthn rotation validator tests * Introduce separate request model * Fix tests * Remove extra empty line * Remove filtering in validator * Don't send encrypted private key * Fix tests * Implement delegated webauthn db transactions * Add backward compatibility * Fix query not working * Update migration sql * Update dapper query * Remove unused helper * Rename webauthn to WebAuthnLogin * Fix linter errors * Fix tests * Fix tests
2025-07-05 18:12:48 -05:00 · 2024-06-17 20:46:57 +02:00
parent a556462685
commit 3ad4bc1cab
19 changed files with 347 additions and 11 deletions
--- a/src/Infrastructure.Dapper/Auth/Repositories/WebAuthnCredentialRepository.cs
+++ b/src/Infrastructure.Dapper/Auth/Repositories/WebAuthnCredentialRepository.cs
@ -1,7 +1,10 @@
 using System.Data;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
+using Bit.Core.Auth.UserFeatures.UserKey;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Bit.Infrastructure.Dapper.Repositories;
 using Dapper;
 using Microsoft.Data.SqlClient;
@ -55,4 +58,37 @@ public class WebAuthnCredentialRepository : Repository<WebAuthnCredential, Guid>

        return affectedRows > 0;
    }
+
+    public UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<WebAuthnLoginRotateKeyData> credentials)
+    {
+        return async (SqlConnection connection, SqlTransaction transaction) =>
+        {
+            const string sql = @"
+                UPDATE WC
+                SET
+                    WC.[EncryptedPublicKey] = UW.[encryptedPublicKey],
+                    WC.[EncryptedUserKey] = UW.[encryptedUserKey]
+                FROM
+                    [dbo].[WebAuthnCredential] WC
+                INNER JOIN
+                    OPENJSON(@JsonCredentials)
+                    WITH (
+                        id UNIQUEIDENTIFIER,
+                        encryptedPublicKey NVARCHAR(MAX),
+                        encryptedUserKey NVARCHAR(MAX)
+                    ) UW
+                    ON UW.id = WC.Id
+                WHERE
+                    WC.[UserId] = @UserId";
+
+            var jsonCredentials = CoreHelpers.ClassToJsonData(credentials);
+
+            await connection.ExecuteAsync(
+                sql,
+                new { UserId = userId, JsonCredentials = jsonCredentials },
+                transaction: transaction,
+                commandType: CommandType.Text);
+        };
+    }
+
 }