[PM-19279] Add prelogin response (#5511)

* Add prelogin response * Fix test * Fix more tests * Fix tests * Fix SQL warnings * Fix difference between migration and sql SP * Attempt to fix tests * Attempt to fix tests * Attempt to fix * Fix namespace * Attempt to fix error * Fix different SP / migration * Attempt to fix migration * Fix * Fix
2025-04-04 20:50:21 -05:00 · 2025-03-19 11:34:33 +01:00 · 2025-03-19 11:34:33 +01:00 · 7a8ee710da
commit 7a8ee710da
parent 2fd1b25580
13 changed files with 239 additions and 24 deletions
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@ -15,7 +15,6 @@ using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Data;
-using Bit.Core.Auth.Services;
 using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Entities;
@ -58,7 +57,6 @@ public class AccountsController : Controller
        _organizationUserValidator;
    private readonly IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
        _webauthnKeyValidator;
-    private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService;


    public AccountsController(
@ -78,8 +76,7 @@ public class AccountsController : Controller
            emergencyAccessValidator,
        IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>
            organizationUserValidator,
-        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator,
-        IOpaqueKeyExchangeService opaqueKeyExchangeService
+        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator
        )
    {
        _organizationService = organizationService;
@ -97,7 +94,6 @@ public class AccountsController : Controller
        _emergencyAccessValidator = emergencyAccessValidator;
        _organizationUserValidator = organizationUserValidator;
        _webauthnKeyValidator = webAuthnKeyValidator;
-        _opaqueKeyExchangeService = opaqueKeyExchangeService;
    }


--- a/src/Identity/Controllers/AccountsController.cs
+++ b/src/Identity/Controllers/AccountsController.cs
@ -1,10 +1,13 @@
 using System.Diagnostics;
 using System.Text;
+using System.Text.Json;
 using Bit.Core;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
+using Bit.Core.Auth.Models.Api.Request.Opaque;
 using Bit.Core.Auth.Models.Api.Response.Accounts;
 using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
 using Bit.Core.Auth.UserFeatures.Registration;
 using Bit.Core.Auth.UserFeatures.WebAuthnLogin;
@ -45,6 +48,7 @@ public class AccountsController : Controller
    private readonly IReferenceEventService _referenceEventService;
    private readonly IFeatureService _featureService;
    private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;
+    private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository;

    private readonly byte[] _defaultKdfHmacKey = null;
    private static readonly List<UserKdfInformation> _defaultKdfResults =
@ -93,6 +97,7 @@ public class AccountsController : Controller
        IReferenceEventService referenceEventService,
        IFeatureService featureService,
        IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> registrationEmailVerificationTokenDataFactory,
+        IOpaqueKeyExchangeCredentialRepository opaqueKeyExchangeCredentialRepository,
        GlobalSettings globalSettings
        )
    {
@ -107,6 +112,7 @@ public class AccountsController : Controller
        _referenceEventService = referenceEventService;
        _featureService = featureService;
        _registrationEmailVerificationTokenDataFactory = registrationEmailVerificationTokenDataFactory;
+        _opaqueKeyExchangeCredentialRepository = opaqueKeyExchangeCredentialRepository;

        if (CoreHelpers.SettingHasValue(globalSettings.KdfDefaultHashKey))
        {
@ -255,11 +261,21 @@ public class AccountsController : Controller
    public async Task<PreloginResponseModel> PostPrelogin([FromBody] PreloginRequestModel model)
    {
        var kdfInformation = await _userRepository.GetKdfInformationByEmailAsync(model.Email);
-        if (kdfInformation == null)
+        var user = await _userRepository.GetByEmailAsync(model.Email);
+        if (kdfInformation == null || user == null)
        {
            kdfInformation = GetDefaultKdf(model.Email);
        }
-        return new PreloginResponseModel(kdfInformation);
+
+        var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id);
+        if (credential != null)
+        {
+            return new PreloginResponseModel(kdfInformation, JsonSerializer.Deserialize<CipherConfiguration>(credential.CipherConfiguration)!);
+        }
+        else
+        {
+            return new PreloginResponseModel(kdfInformation, null);
+        }
    }

    [HttpGet("webauthn/assertion-options")]
--- a/src/Identity/Models/Response/Accounts/PreloginResponseModel.cs
+++ b/src/Identity/Models/Response/Accounts/PreloginResponseModel.cs
@ -1,20 +1,23 @@
-using Bit.Core.Enums;
+using Bit.Core.Auth.Models.Api.Request.Opaque;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data;

 namespace Bit.Identity.Models.Response.Accounts;

 public class PreloginResponseModel
 {
-    public PreloginResponseModel(UserKdfInformation kdfInformation)
+    public PreloginResponseModel(UserKdfInformation kdfInformation, CipherConfiguration opaqueConfiguration)
    {
        Kdf = kdfInformation.Kdf;
        KdfIterations = kdfInformation.KdfIterations;
        KdfMemory = kdfInformation.KdfMemory;
        KdfParallelism = kdfInformation.KdfParallelism;
+        OpaqueConfiguration = opaqueConfiguration;
    }

    public KdfType Kdf { get; set; }
    public int KdfIterations { get; set; }
    public int? KdfMemory { get; set; }
    public int? KdfParallelism { get; set; }
+    public CipherConfiguration OpaqueConfiguration { get; set; }
 }
--- a/src/Infrastructure.EntityFramework/Auth/Repositories/OpaqueKeyExchangeCredentialRepository.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Repositories/OpaqueKeyExchangeCredentialRepository.cs
@ -0,0 +1,24 @@
+using AutoMapper;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.KeyManagement.UserKey;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Infrastructure.EntityFramework.Repositories;
+
+public class OpaqueKeyExchangeCredentialRepository : Repository<OpaqueKeyExchangeCredential, OpaqueKeyExchangeCredential, Guid>, IOpaqueKeyExchangeCredentialRepository
+{
+    public OpaqueKeyExchangeCredentialRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper) : base(serviceScopeFactory, mapper, (DatabaseContext context) => null)
+    {
+    }
+
+    public Task<OpaqueKeyExchangeCredential> GetByUserIdAsync(Guid userId)
+    {
+        return null;
+    }
+    public UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<OpaqueKeyExchangeRotateKeyData> credentials)
+    {
+        return null;
+    }
+}
--- a/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
+++ b/src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs
@ -87,6 +87,7 @@ public static class EntityFrameworkServiceCollectionExtensions
        services.AddSingleton<IProviderUserRepository, ProviderUserRepository>();
        services.AddSingleton<ISendRepository, SendRepository>();
        services.AddSingleton<ISsoConfigRepository, SsoConfigRepository>();
+        services.AddSingleton<IOpaqueKeyExchangeCredentialRepository, OpaqueKeyExchangeCredentialRepository>();
        services.AddSingleton<ISsoUserRepository, SsoUserRepository>();
        services.AddSingleton<ITransactionRepository, TransactionRepository>();
        services.AddSingleton<IUserRepository, UserRepository>();
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -110,6 +110,7 @@ public static class ServiceCollectionExtensions
    public static void AddBaseServices(this IServiceCollection services, IGlobalSettings globalSettings)
    {
        services.AddScoped<ICipherService, CipherService>();
+        services.AddSingleton<IOpaqueKeyExchangeService, OpaqueKeyExchangeService>();
        services.AddUserServices(globalSettings);
        services.AddTrialInitiationServices();
        services.AddOrganizationServices(globalSettings);
@ -118,7 +119,6 @@ public static class ServiceCollectionExtensions
        services.AddScoped<IGroupService, GroupService>();
        services.AddScoped<IEventService, EventService>();
        services.AddScoped<IEmergencyAccessService, EmergencyAccessService>();
-        services.AddScoped<IOpaqueKeyExchangeService, OpaqueKeyExchangeService>();
        services.AddSingleton<IDeviceService, DeviceService>();
        services.AddScoped<ISsoConfigService, SsoConfigService>();
        services.AddScoped<IAuthRequestService, AuthRequestService>();
--- a/Procedures/OpaqueKeyExchangeCredential_Create.sql
+++ b/Procedures/OpaqueKeyExchangeCredential_Create.sql
@ -1,11 +1,11 @@
 CREATE PROCEDURE [dbo].[OpaqueKeyExchangeCredential_Create]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @UserId UNIQUEIDENTIFIER,
-    @CipherConfiguration VARCHAR(MAX) NOT NULL,
-    @CredentialBlob VARCHAR(MAX) NOT NULL,
-    @EncryptedPublicKey VARCHAR(MAX) NOT NULL,
-    @EncryptedPrivateKey VARCHAR(MAX) NOT NULL,
-    @EncryptedUserKey VARCHAR(MAX) NOT NULL,
+    @CipherConfiguration VARCHAR(MAX),
+    @CredentialBlob VARCHAR(MAX),
+    @EncryptedPublicKey VARCHAR(MAX),
+    @EncryptedPrivateKey VARCHAR(MAX),
+    @EncryptedUserKey VARCHAR(MAX),
    @CreationDate DATETIME2(7)
 AS
 BEGIN
--- a/Procedures/OpaqueKeyExchangeCredential_DeleteById.sql
+++ b/Procedures/OpaqueKeyExchangeCredential_DeleteById.sql
@ -1,5 +1,5 @@
 CREATE PROCEDURE [dbo].[OpaqueKeyExchangeCredential_DeleteById]
-    @Id UNIQUEIDENTIFIER,
+    @Id UNIQUEIDENTIFIER
 AS
 BEGIN
    DELETE
--- a/Procedures/User_DeleteById.sql
+++ b/Procedures/User_DeleteById.sql
@ -29,7 +29,7 @@ BEGIN
    FROM
        [dbo].[OpaqueKeyExchangeCredential]
    WHERE
-        [UserId] = @UserId
+        [UserId] = @Id

    -- Delete WebAuthnCredentials
    DELETE
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@ -291,12 +291,12 @@ public class AccountsControllerTests : IDisposable
    {
        var user = GenerateExampleUser();
        ConfigureUserServiceToReturnValidPrincipalFor(user);
-        _userService.ChangePasswordAsync(user, default, default, default, default)
+        _userService.ChangePasswordAsync(user, default, default, default, default, null)
                    .Returns(Task.FromResult(IdentityResult.Success));

        await _sut.PostPassword(new PasswordRequestModel());

-        await _userService.Received(1).ChangePasswordAsync(user, default, default, default, default);
+        await _userService.Received(1).ChangePasswordAsync(user, default, default, default, default, null);
    }

    [Fact]
@ -314,7 +314,7 @@ public class AccountsControllerTests : IDisposable
    {
        var user = GenerateExampleUser();
        ConfigureUserServiceToReturnValidPrincipalFor(user);
-        _userService.ChangePasswordAsync(user, default, default, default, default)
+        _userService.ChangePasswordAsync(user, default, default, default, default, null)
                    .Returns(Task.FromResult(IdentityResult.Failed()));

        await Assert.ThrowsAsync<BadRequestException>(
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models;
 using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Services;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@ -324,7 +325,8 @@ public class UserServiceTests
            sutProvider.GetDependency<IPremiumUserBillingService>(),
            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>(),
-            sutProvider.GetDependency<IDistributedCache>()
+            sutProvider.GetDependency<IDistributedCache>(),
+            sutProvider.GetDependency<IOpaqueKeyExchangeService>()
            );

        var actualIsVerified = await sut.VerifySecretAsync(user, secret);
@ -911,7 +913,8 @@ public class UserServiceTests
            sutProvider.GetDependency<IPremiumUserBillingService>(),
            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>(),
-            sutProvider.GetDependency<IDistributedCache>()
+            sutProvider.GetDependency<IDistributedCache>(),
+            sutProvider.GetDependency<IOpaqueKeyExchangeService>()
            );
    }
 }
--- a/test/Identity.Test/Controllers/AccountsControllerTests.cs
+++ b/test/Identity.Test/Controllers/AccountsControllerTests.cs
@ -3,6 +3,7 @@ using System.Text;
 using Bit.Core;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
 using Bit.Core.Auth.UserFeatures.Registration;
 using Bit.Core.Auth.UserFeatures.WebAuthnLogin;
@ -45,6 +46,7 @@ public class AccountsControllerTests : IDisposable
    private readonly IReferenceEventService _referenceEventService;
    private readonly IFeatureService _featureService;
    private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;
+    private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository;
    private readonly GlobalSettings _globalSettings;


@ -61,6 +63,7 @@ public class AccountsControllerTests : IDisposable
        _referenceEventService = Substitute.For<IReferenceEventService>();
        _featureService = Substitute.For<IFeatureService>();
        _registrationEmailVerificationTokenDataFactory = Substitute.For<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>();
+        _opaqueKeyExchangeCredentialRepository = Substitute.For<IOpaqueKeyExchangeCredentialRepository>();
        _globalSettings = Substitute.For<GlobalSettings>();

        _sut = new AccountsController(
@ -75,6 +78,7 @@ public class AccountsControllerTests : IDisposable
            _referenceEventService,
            _featureService,
            _registrationEmailVerificationTokenDataFactory,
+            _opaqueKeyExchangeCredentialRepository,
            _globalSettings
        );
    }
@ -93,6 +97,11 @@ public class AccountsControllerTests : IDisposable
            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default
        };
        _userRepository.GetKdfInformationByEmailAsync(Arg.Any<string>()).Returns(userKdfInfo);
+        var mockUser = new User
+        {
+            Email = "user@example.com"
+        };
+        _userRepository.GetByEmailAsync(Arg.Any<string>()).Returns(mockUser);

        var response = await _sut.PostPrelogin(new PreloginRequestModel { Email = "user@example.com" });

@ -105,6 +114,11 @@ public class AccountsControllerTests : IDisposable
    {
        SetDefaultKdfHmacKey(null);
        _userRepository.GetKdfInformationByEmailAsync(Arg.Any<string>()).Returns(Task.FromResult<UserKdfInformation?>(null));
+        var mockUser = new User
+        {
+            Email = "user@example.com"
+        };
+        _userRepository.GetByEmailAsync(Arg.Any<string>()).Returns(mockUser);

        var response = await _sut.PostPrelogin(new PreloginRequestModel { Email = "user@example.com" });

@ -121,6 +135,11 @@ public class AccountsControllerTests : IDisposable
        SetDefaultKdfHmacKey(defaultKey);

        _userRepository.GetKdfInformationByEmailAsync(Arg.Any<string>()).Returns(Task.FromResult<UserKdfInformation?>(null));
+        var mockUser = new User
+        {
+            Email = "user@example.com"
+        };
+        _userRepository.GetByEmailAsync(Arg.Any<string>()).Returns(mockUser);

        var fieldInfo = typeof(AccountsController).GetField("_defaultKdfResults", BindingFlags.NonPublic | BindingFlags.Static);
        if (fieldInfo == null)
--- a/util/Migrator/DbScripts/2025-03-12_00_CreateOpaqueKeyExchangeCredential.sql
+++ b/util/Migrator/DbScripts/2025-03-12_00_CreateOpaqueKeyExchangeCredential.sql
@ -25,7 +25,7 @@ CREATE OR ALTER PROCEDURE [dbo].[OpaqueKeyExchangeCredential_Create]
    @CipherConfiguration VARCHAR(MAX),
    @CredentialBlob VARCHAR(MAX),
    @EncryptedPublicKey VARCHAR(MAX),
-    @EncryptedPrivateKey TINYINT,
+    @EncryptedPrivateKey VARCHAR(MAX),
    @EncryptedUserKey VARCHAR(MAX),
    @CreationDate DATETIME2(7)
 AS
@ -127,4 +127,157 @@ BEGIN
        [Id] = @Id
 END

-GO
+GO
+
+ALTER PROCEDURE [dbo].[User_DeleteById]
+    @Id UNIQUEIDENTIFIER
+WITH
+    RECOMPILE
+AS
+BEGIN
+    SET NOCOUNT ON
+    DECLARE @BatchSize INT = 100
+
+    -- Delete ciphers
+    WHILE @BatchSize > 0
+    BEGIN
+        BEGIN TRANSACTION User_DeleteById_Ciphers
+
+        DELETE TOP(@BatchSize)
+        FROM
+            [dbo].[Cipher]
+        WHERE
+            [UserId] = @Id
+
+        SET @BatchSize = @@ROWCOUNT
+
+        COMMIT TRANSACTION User_DeleteById_Ciphers
+    END
+
+    BEGIN TRANSACTION User_DeleteById
+    -- Delete OpaqueKeyExchangeCredentials
+    DELETE
+    FROM
+        [dbo].[OpaqueKeyExchangeCredential]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete WebAuthnCredentials
+    DELETE
+    FROM
+        [dbo].[WebAuthnCredential]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete folders
+    DELETE
+    FROM
+        [dbo].[Folder]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete AuthRequest, must be before Device
+    DELETE
+    FROM
+        [dbo].[AuthRequest]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete devices
+    DELETE
+    FROM
+        [dbo].[Device]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete collection users
+    DELETE
+        CU
+    FROM
+        [dbo].[CollectionUser] CU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = CU.[OrganizationUserId]
+    WHERE
+        OU.[UserId] = @Id
+
+    -- Delete group users
+    DELETE
+        GU
+    FROM
+        [dbo].[GroupUser] GU
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = GU.[OrganizationUserId]
+    WHERE
+        OU.[UserId] = @Id
+
+    -- Delete AccessPolicy
+    DELETE
+        AP
+    FROM
+        [dbo].[AccessPolicy] AP
+        INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = AP.[OrganizationUserId]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete organization users
+    DELETE
+    FROM
+        [dbo].[OrganizationUser]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete provider users
+    DELETE
+    FROM
+        [dbo].[ProviderUser]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete SSO Users
+    DELETE
+    FROM
+        [dbo].[SsoUser]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete Emergency Accesses
+    DELETE
+    FROM
+        [dbo].[EmergencyAccess]
+    WHERE
+        [GrantorId] = @Id
+        OR
+        [GranteeId] = @Id
+
+    -- Delete Sends
+    DELETE
+    FROM
+        [dbo].[Send]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete Notification Status
+    DELETE
+    FROM
+        [dbo].[NotificationStatus]
+    WHERE
+        [UserId] = @Id
+
+    -- Delete Notification
+    DELETE
+    FROM
+        [dbo].[Notification]
+    WHERE
+        [UserId] = @Id
+
+    -- Finally, delete the user
+    DELETE
+    FROM
+        [dbo].[User]
+    WHERE
+        [Id] = @Id
+
+    COMMIT TRANSACTION User_DeleteById
+END
+GO