[PM-13362] Add private key regeneration endpoint

src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs

@@ -0,0 +1,50 @@
+#nullable enable
+using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Core;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.KeyManagement.Controllers;
+
+[Route("accounts/key-management")]
+[Authorize("Application")]
+public class AccountsKeyManagementController : Controller
+{
+    private readonly IEmergencyAccessRepository _emergencyAccessRepository;
+    private readonly IFeatureService _featureService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IRegenerateUserAsymmetricKeysCommand _regenerateUserAsymmetricKeysCommand;
+    private readonly IUserService _userService;
+
+    public AccountsKeyManagementController(IUserService userService,
+        IFeatureService featureService,
+        IOrganizationUserRepository organizationUserRepository,
+        IEmergencyAccessRepository emergencyAccessRepository,
+        IRegenerateUserAsymmetricKeysCommand regenerateUserAsymmetricKeysCommand)
+    {
+        _userService = userService;
+        _featureService = featureService;
+        _regenerateUserAsymmetricKeysCommand = regenerateUserAsymmetricKeysCommand;
+        _organizationUserRepository = organizationUserRepository;
+        _emergencyAccessRepository = emergencyAccessRepository;
+    }
+
+    [HttpPost("regenerate-keys")]
+    public async Task RegenerateKeysAsync([FromBody] KeyRegenerationRequestModel request)
+    {
+        if (!_featureService.IsEnabled(FeatureFlagKeys.PrivateKeyRegeneration))
+        {
+            throw new NotFoundException();
+        }
+
+        var user = await _userService.GetUserByPrincipalAsync(User) ?? throw new UnauthorizedAccessException();
+        var usersOrganizationAccounts = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+        var designatedEmergencyAccess = await _emergencyAccessRepository.GetManyDetailsByGranteeIdAsync(user.Id);
+        await _regenerateUserAsymmetricKeysCommand.RegenerateKeysAsync(request.ToUserAsymmetricKeys(user.Id),
+            usersOrganizationAccounts, designatedEmergencyAccess);
+    }
+}

src/Api/KeyManagement/Models/Requests/KeyRegenerationRequestModel.cs

@@ -0,0 +1,26 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+public class KeyRegenerationRequestModel
+{
+    [Required]
+    public required string UserPublicKey { get; set; }
+
+    [Required]
+    [EncryptedString]
+    public required string UserKeyEncryptedUserPrivateKey { get; set; }
+
+    public UserAsymmetricKeys ToUserAsymmetricKeys(Guid userId)
+    {
+        return new UserAsymmetricKeys
+        {
+            UserId = userId,
+            PublicKey = UserPublicKey,
+            UserKeyEncryptedPrivateKey = UserKeyEncryptedUserPrivateKey,
+        };
+    }
+}

src/Core/Constants.cs

@@ -148,6 +148,7 @@ public static class FeatureFlagKeys
     public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
     public const string Pm13322AddPolicyDefinitions = "pm-13322-add-policy-definitions";
     public const string LimitCollectionCreationDeletionSplit = "pm-10863-limit-collection-creation-deletion-split";
+    public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
 
     public static List<string> GetAllKeys()
     {

src/Core/KeyManagement/Commands/Interfaces/IRegenerateUserAsymmetricKeysCommand.cs

@@ -0,0 +1,13 @@
+#nullable enable
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+
+namespace Bit.Core.KeyManagement.Commands.Interfaces;
+
+public interface IRegenerateUserAsymmetricKeysCommand
+{
+    Task RegenerateKeysAsync(UserAsymmetricKeys userAsymmetricKeys,
+        ICollection<OrganizationUser> usersOrganizationAccounts,
+        ICollection<EmergencyAccessDetails> designatedEmergencyAccess);
+}

src/Core/KeyManagement/Commands/RegenerateUserAsymmetricKeysCommand.cs

@@ -0,0 +1,65 @@
+#nullable enable
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.Repositories;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.KeyManagement.Commands;
+
+public class RegenerateUserAsymmetricKeysCommand : IRegenerateUserAsymmetricKeysCommand
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly ILogger<RegenerateUserAsymmetricKeysCommand> _logger;
+    private readonly IUserAsymmetricKeysRepository _userAsymmetricKeysRepository;
+
+    public RegenerateUserAsymmetricKeysCommand(
+        ICurrentContext currentContext,
+        IUserAsymmetricKeysRepository userAsymmetricKeysRepository,
+        ILogger<RegenerateUserAsymmetricKeysCommand> logger)
+    {
+        _currentContext = currentContext;
+        _logger = logger;
+        _userAsymmetricKeysRepository = userAsymmetricKeysRepository;
+    }
+
+    public async Task RegenerateKeysAsync(UserAsymmetricKeys userAsymmetricKeys,
+        ICollection<OrganizationUser> usersOrganizationAccounts,
+        ICollection<EmergencyAccessDetails> designatedEmergencyAccess)
+    {
+        var userId = _currentContext.UserId;
+        if (!userId.HasValue ||
+            userAsymmetricKeys.UserId != userId.Value ||
+            usersOrganizationAccounts.Any(ou => ou.UserId != userId) ||
+            designatedEmergencyAccess.Any(dea => dea.GranteeId != userId))
+        {
+            throw new NotFoundException();
+        }
+
+        var inOrganizations = usersOrganizationAccounts.Any(ou =>
+            ou.Status is OrganizationUserStatusType.Confirmed or OrganizationUserStatusType.Revoked);
+        var hasDesignatedEmergencyAccess = designatedEmergencyAccess.Any(x =>
+            x.Status is EmergencyAccessStatusType.Confirmed or EmergencyAccessStatusType.RecoveryApproved
+                or EmergencyAccessStatusType.RecoveryInitiated);
+
+        _logger.LogInformation(
+            "User asymmetric keys regeneration requested. UserId: {userId} OrganizationMembership: {inOrganizations} DesignatedEmergencyAccess: {hasDesignatedEmergencyAccess} DeviceType: {deviceType}",
+            userAsymmetricKeys.UserId, inOrganizations, hasDesignatedEmergencyAccess, _currentContext.DeviceType);
+
+        // For now, don't regenerate asymmetric keys for user's with organization membership and designated emergency access.
+        if (inOrganizations || hasDesignatedEmergencyAccess)
+        {
+            throw new BadRequestException("Key regeneration not supported for this user.");
+        }
+
+        await _userAsymmetricKeysRepository.RegenerateUserAsymmetricKeysAsync(userAsymmetricKeys);
+        _logger.LogInformation(
+            "User's asymmetric keys regenerated. UserId: {userId} OrganizationMembership: {inOrganizations} DesignatedEmergencyAccess: {hasDesignatedEmergencyAccess} DeviceType: {deviceType}",
+            userAsymmetricKeys.UserId, inOrganizations, hasDesignatedEmergencyAccess, _currentContext.DeviceType);
+    }
+}

src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs

@@ -0,0 +1,18 @@
+using Bit.Core.KeyManagement.Commands;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.KeyManagement;
+
+public static class KeyManagementServiceCollectionExtensions
+{
+    public static void AddKeyManagementServices(this IServiceCollection services)
+    {
+        services.AddKeyManagementCommands();
+    }
+
+    private static void AddKeyManagementCommands(this IServiceCollection services)
+    {
+        services.AddScoped<IRegenerateUserAsymmetricKeysCommand, RegenerateUserAsymmetricKeysCommand>();
+    }
+}

src/Core/KeyManagement/Models/Data/UserAsymmetricKeys.cs

@@ -0,0 +1,9 @@
+#nullable enable
+namespace Bit.Core.KeyManagement.Models.Data;
+
+public class UserAsymmetricKeys
+{
+    public Guid UserId { get; set; }
+    public required string PublicKey { get; set; }
+    public required string UserKeyEncryptedPrivateKey { get; set; }
+}

src/Core/KeyManagement/Repositories/IUserAsymmetricKeysRepository.cs

@@ -0,0 +1,9 @@
+#nullable enable
+using Bit.Core.KeyManagement.Models.Data;
+
+namespace Bit.Core.KeyManagement.Repositories;
+
+public interface IUserAsymmetricKeysRepository
+{
+    Task RegenerateUserAsymmetricKeysAsync(UserAsymmetricKeys userAsymmetricKeys);
+}

src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs

@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Repositories;
+using Bit.Core.KeyManagement.Repositories;
 using Bit.Core.NotificationCenter.Repositories;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
@@ -9,6 +10,7 @@
 using Bit.Infrastructure.Dapper.AdminConsole.Repositories;
 using Bit.Infrastructure.Dapper.Auth.Repositories;
 using Bit.Infrastructure.Dapper.Billing.Repositories;
+using Bit.Infrastructure.Dapper.KeyManagement.Repositories;
 using Bit.Infrastructure.Dapper.NotificationCenter.Repositories;
 using Bit.Infrastructure.Dapper.Repositories;
 using Bit.Infrastructure.Dapper.SecretsManager.Repositories;
@@ -58,6 +60,7 @@ public static void AddDapperRepositories(this IServiceCollection services, bool
         services.AddSingleton<INotificationStatusRepository, NotificationStatusRepository>();
         services
             .AddSingleton<IClientOrganizationMigrationRecordRepository, ClientOrganizationMigrationRecordRepository>();
+        services.AddSingleton<IUserAsymmetricKeysRepository, UserAsymmetricKeysRepository>();
 
         if (selfHosted)
         {

src/Infrastructure.Dapper/KeyManagement/Repositories/UserAsymmetricKeysRepository.cs

@@ -0,0 +1,36 @@
+#nullable enable
+using System.Data;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.Repositories;
+using Bit.Core.Settings;
+using Bit.Infrastructure.Dapper.Repositories;
+using Dapper;
+using Microsoft.Data.SqlClient;
+
+namespace Bit.Infrastructure.Dapper.KeyManagement.Repositories;
+
+public class UserAsymmetricKeysRepository : BaseRepository, IUserAsymmetricKeysRepository
+{
+    public UserAsymmetricKeysRepository(GlobalSettings globalSettings)
+        : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
+    {
+    }
+
+    public UserAsymmetricKeysRepository(string connectionString, string readOnlyConnectionString) : base(
+        connectionString, readOnlyConnectionString)
+    {
+    }
+
+    public async Task RegenerateUserAsymmetricKeysAsync(UserAsymmetricKeys userAsymmetricKeys)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+
+        await connection.ExecuteAsync("[dbo].[UserAsymmetricKeys_Regenerate]",
+            new
+            {
+                userAsymmetricKeys.UserId,
+                userAsymmetricKeys.PublicKey,
+                PrivateKey = userAsymmetricKeys.UserKeyEncryptedPrivateKey
+            }, commandType: CommandType.StoredProcedure);
+    }
+}

src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs

@@ -2,6 +2,7 @@
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Repositories;
 using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Repositories;
 using Bit.Core.NotificationCenter.Repositories;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
@@ -10,6 +11,7 @@
 using Bit.Infrastructure.EntityFramework.AdminConsole.Repositories;
 using Bit.Infrastructure.EntityFramework.Auth.Repositories;
 using Bit.Infrastructure.EntityFramework.Billing.Repositories;
+using Bit.Infrastructure.EntityFramework.KeyManagement.Repositories;
 using Bit.Infrastructure.EntityFramework.NotificationCenter.Repositories;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Infrastructure.EntityFramework.SecretsManager.Repositories;
@@ -95,6 +97,7 @@ public static void AddPasswordManagerEFRepositories(this IServiceCollection serv
         services.AddSingleton<INotificationStatusRepository, NotificationStatusRepository>();
         services
             .AddSingleton<IClientOrganizationMigrationRecordRepository, ClientOrganizationMigrationRecordRepository>();
+        services.AddSingleton<IUserAsymmetricKeysRepository, UserAsymmetricKeysRepository>();
 
         if (selfHosted)
         {

src/Infrastructure.EntityFramework/KeyManagement/Repositories/UserAsymmetricKeysRepository.cs

@@ -0,0 +1,34 @@
+#nullable enable
+using AutoMapper;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Infrastructure.EntityFramework.KeyManagement.Repositories;
+
+public class UserAsymmetricKeysRepository : BaseEntityFrameworkRepository, IUserAsymmetricKeysRepository
+{
+    public UserAsymmetricKeysRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper) : base(
+        serviceScopeFactory,
+        mapper)
+    {
+    }
+
+    public async Task RegenerateUserAsymmetricKeysAsync(UserAsymmetricKeys userAsymmetricKeys)
+    {
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var entity = await dbContext.Users.FindAsync(userAsymmetricKeys.UserId);
+        if (entity != null)
+        {
+            var utcNow = DateTime.UtcNow;
+            entity.PublicKey = userAsymmetricKeys.PublicKey;
+            entity.PrivateKey = userAsymmetricKeys.UserKeyEncryptedPrivateKey;
+            entity.RevisionDate = utcNow;
+            entity.AccountRevisionDate = utcNow;
+            await dbContext.SaveChangesAsync();
+        }
+    }
+}

src/SharedWeb/Utilities/ServiceCollectionExtensions.cs

@@ -25,6 +25,7 @@
 using Bit.Core.HostedServices;
 using Bit.Core.Identity;
 using Bit.Core.IdentityServer;
+using Bit.Core.KeyManagement;
 using Bit.Core.NotificationHub;
 using Bit.Core.OrganizationFeatures;
 using Bit.Core.Repositories;
@@ -116,6 +117,7 @@ public static void AddBaseServices(this IServiceCollection services, IGlobalSett
         services.AddLoginServices();
         services.AddScoped<IOrganizationDomainService, OrganizationDomainService>();
         services.AddVaultServices();
+        services.AddKeyManagementServices();
     }
 
     public static void AddTokenizers(this IServiceCollection services)

src/Sql/KeyManagement/dbo/Stored Procedures/UserAsymmetricKeys_Regenerate.sql

@@ -0,0 +1,16 @@
+CREATE PROCEDURE [dbo].[UserAsymmetricKeys_Regenerate]
+    @UserId UNIQUEIDENTIFIER,
+    @PublicKey VARCHAR(MAX),
+    @PrivateKey VARCHAR(MAX)
+AS
+BEGIN
+    SET NOCOUNT ON
+    DECLARE @UtcNow DATETIME2(7) = GETUTCDATE();
+
+    UPDATE [dbo].[User]
+    SET [PublicKey] = @PublicKey,
+        [PrivateKey] = @PrivateKey,
+        [RevisionDate] = @UtcNow,
+        [AccountRevisionDate] = @UtcNow
+    WHERE [Id] = @UserId
+END

test/Api.IntegrationTest/Helpers/LoginHelper.cs

@@ -16,6 +16,12 @@ public LoginHelper(ApiApplicationFactory factory, HttpClient client)
         _client = client;
     }
 
+    public async Task LoginAsync(string email)
+    {
+        var tokens = await _factory.LoginAsync(email);
+        _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+    }
+
     public async Task LoginWithOrganizationApiKeyAsync(Guid organizationId)
     {
         var (clientId, apiKey) = await GetOrganizationApiKey(_factory, organizationId);