[Pm 3797 Part 2] Add emergency access rotations (#3434)

## Type of change  ``` - [ ] Bug fix - [ ] New feature development - [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective  See #3425 for part 1 and background. This PR adds emergency access to the rotation. All new code is hidden behind a feature flag. The Accounts controller has also been moved to Auth ownership. ## Code changes   * **file.ext:** Description of what was changed and why * **AccountsController.cs:** Moved to Auth ownership. Emergency access validation was added (as well as initializing empty lists to avoid errors). * **EmergencyAccessRotationValidator.cs:** Performs validation on the provided list of new emergency access keys. * **EmergencyAccessRepository.cs:** Adds a method to rotate encryption keys. This is added to a list in the `RotateUserKeyCommand` that the `UserRepository` calls so it doesn't have to know about all the domains. ## Before you submit - Please check for formatting errors (`dotnet format --verify-no-changes`) (required) - If making database changes - make sure you also update Entity Framework queries and/or migrations - Please add **unit tests** where it makes sense to do so (encouraged but not required) - If this change requires a **documentation update** - notify the documentation team - If this change has particular **deployment requirements** - notify the DevOps team
2025-06-30 23:52:50 -05:00 · 2023-12-05 12:05:51 -05:00
parent eedc96263a
commit 989603ddd3
19 changed files with 423 additions and 39 deletions
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@ -1,9 +1,12 @@
 using System.Security.Claims;
+using Bit.Api.Auth.Controllers;
+using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Request.Accounts;
-using Bit.Api.Controllers;
+using Bit.Api.Auth.Validators;
 using Bit.Core;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
+using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Services;
 using Bit.Core.Auth.UserFeatures.UserKey;
@ -24,7 +27,7 @@ using Microsoft.AspNetCore.Identity;
 using NSubstitute;
 using Xunit;

-namespace Bit.Api.Test.Controllers;
+namespace Bit.Api.Test.Auth.Controllers;

 public class AccountsControllerTests : IDisposable
 {
@ -48,6 +51,9 @@ public class AccountsControllerTests : IDisposable
    private readonly IFeatureService _featureService;
    private readonly ICurrentContext _currentContext;

+    private readonly IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
+        _emergencyAccessValidator;
+

    public AccountsControllerTests()
    {
@ -68,6 +74,8 @@ public class AccountsControllerTests : IDisposable
        _rotateUserKeyCommand = Substitute.For<IRotateUserKeyCommand>();
        _featureService = Substitute.For<IFeatureService>();
        _currentContext = Substitute.For<ICurrentContext>();
+        _emergencyAccessValidator = Substitute.For<IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>,
+            IEnumerable<EmergencyAccess>>>();

        _sut = new AccountsController(
            _globalSettings,
@ -86,7 +94,8 @@ public class AccountsControllerTests : IDisposable
            _setInitialMasterPasswordCommand,
            _rotateUserKeyCommand,
            _featureService,
-            _currentContext
+            _currentContext,
+            _emergencyAccessValidator
        );
    }

--- a/test/Api.Test/Auth/Validators/EmergencyAccessRotationValidatorTests.cs
+++ b/test/Api.Test/Auth/Validators/EmergencyAccessRotationValidatorTests.cs
@ -0,0 +1,136 @@
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Validators;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Auth.Validators;
+
+[SutProviderCustomize]
+public class EmergencyAccessRotationValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_MissingEmergencyAccess_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        userEmergencyAccess.Add(new EmergencyAccessDetails { Id = Guid.NewGuid(), KeyEncrypted = "TestKey" });
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_EmergencyAccessDoesNotBelongToUser_NotIncluded(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        userEmergencyAccess.RemoveAt(0);
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserNotPremium_Success(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        // We want to allow users who have lost premium to rotate their key for any existing emergency access, as long
+        // as we restrict it to existing records and don't let them alter data
+        user.Premium = false;
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.Equal(userEmergencyAccess, result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NonConfirmedEmergencyAccess_NotReturned(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        emergencyAccessKeys.First().KeyEncrypted = null;
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_AttemptToSetKeyToNull_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+        emergencyAccessKeys.First().KeyEncrypted = null;
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
+    }
+}
--- a/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs
+++ b/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs
@ -1,5 +1,6 @@
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.UserFeatures.UserKey.Implementations;
+using Bit.Core.Entities;
 using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@ -13,36 +14,37 @@ namespace Bit.Core.Test.Auth.UserFeatures.UserKey;
 public class RotateUserKeyCommandTests
 {
    [Theory, BitAutoData]
-    public async Task RotateUserKeyAsync_Success(SutProvider<RotateUserKeyCommand> sutProvider, RotateUserKeyData model)
+    public async Task RotateUserKeyAsync_Success(SutProvider<RotateUserKeyCommand> sutProvider, User user,
+        RotateUserKeyData model)
    {
-        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(model.User, model.MasterPasswordHash)
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.MasterPasswordHash)
            .Returns(true);

-        var result = await sutProvider.Sut.RotateUserKeyAsync(model);
+        var result = await sutProvider.Sut.RotateUserKeyAsync(user, model);

        Assert.Equal(IdentityResult.Success, result);
    }

    [Theory, BitAutoData]
    public async Task RotateUserKeyAsync_InvalidMasterPasswordHash_ReturnsFailedIdentityResult(
-        SutProvider<RotateUserKeyCommand> sutProvider, RotateUserKeyData model)
+        SutProvider<RotateUserKeyCommand> sutProvider, User user, RotateUserKeyData model)
    {
-        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(model.User, model.MasterPasswordHash)
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.MasterPasswordHash)
            .Returns(false);

-        var result = await sutProvider.Sut.RotateUserKeyAsync(model);
+        var result = await sutProvider.Sut.RotateUserKeyAsync(user, model);

        Assert.False(result.Succeeded);
    }

    [Theory, BitAutoData]
    public async Task RotateUserKeyAsync_LogsOutUser(
-        SutProvider<RotateUserKeyCommand> sutProvider, RotateUserKeyData model)
+        SutProvider<RotateUserKeyCommand> sutProvider, User user, RotateUserKeyData model)
    {
-        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(model.User, model.MasterPasswordHash)
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.MasterPasswordHash)
            .Returns(true);

-        await sutProvider.Sut.RotateUserKeyAsync(model);
+        await sutProvider.Sut.RotateUserKeyAsync(user, model);

        await sutProvider.GetDependency<IPushNotificationService>().ReceivedWithAnyArgs()
            .PushLogOutAsync(default, default);