[PM-3797 Part 5] Add reset password keys to key rotation (#3445)

* Add reset password validator with tests * add organization user rotation methods to repository - move organization user TVP helper to admin console ownership * rename account recovery to reset password * formatting * move registration of RotateUserKeyCommand to Core and make internal * add admin console ValidatorServiceCollectionExtensions
2025-07-12 13:19:01 -05:00 · 2023-12-14 15:05:19 -05:00
parent da0bf77a39
commit b77ee017e3
15 changed files with 372 additions and 42 deletions
--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs
@ -118,3 +118,9 @@ public class OrganizationUserBulkRequestModel
    [Required]
    public IEnumerable<Guid> Ids { get; set; }
 }
+
+public class ResetPasswordWithOrgIdRequestModel : OrganizationUserResetPasswordEnrollmentRequestModel
+{
+    [Required]
+    public Guid OrganizationId { get; set; }
+}
--- a/src/Api/AdminConsole/Validators/OrganizationUserRotationValidator.cs
+++ b/src/Api/AdminConsole/Validators/OrganizationUserRotationValidator.cs
@ -0,0 +1,64 @@
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.Auth.Validators;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+
+namespace Bit.Api.AdminConsole.Validators;
+
+/// <summary>
+/// Organization user implementation for <see cref="IRotationValidator{T,R}"/>
+/// Currently responsible for validation of user reset password keys (used by admins to perform account recovery) during user key rotation
+/// </summary>
+public class OrganizationUserRotationValidator : IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
+    IReadOnlyList<OrganizationUser>>
+{
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+
+    public OrganizationUserRotationValidator(IOrganizationUserRepository organizationUserRepository) =>
+        _organizationUserRepository = organizationUserRepository;
+
+    public async Task<IReadOnlyList<OrganizationUser>> ValidateAsync(User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        if (user == null)
+        {
+            throw new ArgumentNullException(nameof(user));
+        }
+
+        var result = new List<OrganizationUser>();
+        if (resetPasswordKeys == null || !resetPasswordKeys.Any())
+        {
+            return result;
+        }
+
+        var existing = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+        if (existing == null || !existing.Any())
+        {
+            return result;
+        }
+
+        // Exclude any account recovery that do not have a key.
+        existing = existing.Where(o => o.ResetPasswordKey != null).ToList();
+
+
+        foreach (var ou in existing)
+        {
+            var organizationUser = resetPasswordKeys.FirstOrDefault(a => a.OrganizationId == ou.OrganizationId);
+            if (organizationUser == null)
+            {
+                throw new BadRequestException("All existing reset password keys must be included in the rotation.");
+            }
+
+            if (organizationUser.ResetPasswordKey == null)
+            {
+                throw new BadRequestException("Reset Password keys cannot be set to null during rotation.");
+            }
+
+            ou.ResetPasswordKey = organizationUser.ResetPasswordKey;
+            result.Add(ou);
+        }
+
+        return result;
+    }
+}