[Pm 3797 Part 2] Add emergency access rotations (#3434)

## Type of change

<!-- (mark with an `X`) -->

```
- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
```

## Objective
<!--Describe what the purpose of this PR is. For example: what bug you're fixing or what new feature you're adding-->
See #3425 for part 1 and background.

This PR adds emergency access to the rotation. All new code is hidden behind a feature flag.

The Accounts controller has also been moved to Auth ownership.

## Code changes
<!--Explain the changes you've made to each file or major component. This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->

* **file.ext:** Description of what was changed and why
* **AccountsController.cs:** Moved to Auth ownership. Emergency access validation was added (as well as initializing empty lists to avoid errors).
* **EmergencyAccessRotationValidator.cs:** Performs validation on the provided list of new emergency access keys.
* **EmergencyAccessRepository.cs:** Adds a method to rotate encryption keys. This is added to a list in the `RotateUserKeyCommand` that the `UserRepository` calls so it doesn't have to know about all the domains.

## Before you submit

- Please check for formatting errors (`dotnet format --verify-no-changes`) (required)
- If making database changes - make sure you also update Entity Framework queries and/or migrations
- Please add **unit tests** where it makes sense to do so (encouraged but not required)
- If this change requires a **documentation update** - notify the documentation team
- If this change has particular **deployment requirements** - notify the DevOps team

src/Core/Auth/UserFeatures/UserKey/IRotateUserKeyCommand.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Data.SqlClient;
 
@@ -12,7 +13,14 @@ public interface IRotateUserKeyCommand
     /// <param name="model">All necessary information for rotation. Warning: Any encrypted data not included will be lost.</param>
     /// <returns>An IdentityResult for verification of the master password hash</returns>
     /// <exception cref="ArgumentNullException">User must be provided.</exception>
-    Task<IdentityResult> RotateUserKeyAsync(RotateUserKeyData model);
+    Task<IdentityResult> RotateUserKeyAsync(User user, RotateUserKeyData model);
 }
 
-public delegate Task UpdateEncryptedDataForKeyRotation(SqlTransaction transaction = null);
+/// <summary>
+/// A type used to implement updates to the database for key rotations. Each domain that requires an update of encrypted
+/// data during a key rotation should use this to implement its own database call. The user repository loops through
+/// these during a key rotation.
+/// <para>Note: connection and transaction are only used for Dapper. They won't be available in EF</para>
+/// </summary>
+public delegate Task UpdateEncryptedDataForKeyRotation(SqlConnection connection = null,
+    SqlTransaction transaction = null);

src/Core/Auth/UserFeatures/UserKey/Implementations/RotateUserKeyCommand.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Identity;
@@ -9,37 +10,40 @@ public class RotateUserKeyCommand : IRotateUserKeyCommand
 {
     private readonly IUserService _userService;
     private readonly IUserRepository _userRepository;
+    private readonly IEmergencyAccessRepository _emergencyAccessRepository;
     private readonly IPushNotificationService _pushService;
     private readonly IdentityErrorDescriber _identityErrorDescriber;
 
     public RotateUserKeyCommand(IUserService userService, IUserRepository userRepository,
+        IEmergencyAccessRepository emergencyAccessRepository,
         IPushNotificationService pushService, IdentityErrorDescriber errors)
     {
         _userService = userService;
         _userRepository = userRepository;
+        _emergencyAccessRepository = emergencyAccessRepository;
         _pushService = pushService;
         _identityErrorDescriber = errors;
     }
 
     /// <inheritdoc />
-    public async Task<IdentityResult> RotateUserKeyAsync(RotateUserKeyData model)
+    public async Task<IdentityResult> RotateUserKeyAsync(User user, RotateUserKeyData model)
     {
-        if (model.User == null)
+        if (user == null)
         {
-            throw new ArgumentNullException(nameof(model.User));
+            throw new ArgumentNullException(nameof(user));
         }
 
-        if (!await _userService.CheckPasswordAsync(model.User, model.MasterPasswordHash))
+        if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
         {
             return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
         }
 
         var now = DateTime.UtcNow;
-        model.User.RevisionDate = model.User.AccountRevisionDate = now;
-        model.User.LastKeyRotationDate = now;
-        model.User.SecurityStamp = Guid.NewGuid().ToString();
-        model.User.Key = model.Key;
-        model.User.PrivateKey = model.PrivateKey;
+        user.RevisionDate = user.AccountRevisionDate = now;
+        user.LastKeyRotationDate = now;
+        user.SecurityStamp = Guid.NewGuid().ToString();
+        user.Key = model.Key;
+        user.PrivateKey = model.PrivateKey;
         if (model.Ciphers.Any() || model.Folders.Any() || model.Sends.Any() || model.EmergencyAccessKeys.Any() ||
             model.ResetPasswordKeys.Any())
         {
@@ -48,14 +52,20 @@ public class RotateUserKeyCommand : IRotateUserKeyCommand
             // {
             //      saveEncryptedDataActions.Add(_cipherRepository.SaveRotatedData);
             // }
-            await _userRepository.UpdateUserKeyAndEncryptedDataAsync(model.User, saveEncryptedDataActions);
+            if (model.EmergencyAccessKeys.Any())
+            {
+                saveEncryptedDataActions.Add(
+                    _emergencyAccessRepository.UpdateForKeyRotation(user.Id, model.EmergencyAccessKeys));
+            }
+
+            await _userRepository.UpdateUserKeyAndEncryptedDataAsync(user, saveEncryptedDataActions);
         }
         else
         {
-            await _userRepository.ReplaceAsync(model.User);
+            await _userRepository.ReplaceAsync(user);
         }
 
-        await _pushService.PushLogOutAsync(model.User.Id, excludeCurrentContextFromPush: true);
+        await _pushService.PushLogOutAsync(user.Id, excludeCurrentContextFromPush: true);
         return IdentityResult.Success;
     }
 }