diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index ecf49c18c8..2576429259 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -18,6 +18,7 @@ using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.KeyManagement.Kdf;
+using Bit.Core.KeyManagement.Models.Data;
using Bit.Core.KeyManagement.Queries.Interfaces;
using Bit.Core.Models.Api.Response;
using Bit.Core.Repositories;
@@ -44,6 +45,7 @@ public class AccountsController : Controller
private readonly IUserAccountKeysQuery _userAccountKeysQuery;
private readonly ITwoFactorEmailService _twoFactorEmailService;
private readonly IChangeKdfCommand _changeKdfCommand;
+ private readonly IUserRepository _userRepository;
public AccountsController(
IOrganizationService organizationService,
@@ -57,7 +59,8 @@ public class AccountsController : Controller
IFeatureService featureService,
IUserAccountKeysQuery userAccountKeysQuery,
ITwoFactorEmailService twoFactorEmailService,
- IChangeKdfCommand changeKdfCommand
+ IChangeKdfCommand changeKdfCommand,
+ IUserRepository userRepository
)
{
_organizationService = organizationService;
@@ -72,6 +75,7 @@ public class AccountsController : Controller
_userAccountKeysQuery = userAccountKeysQuery;
_twoFactorEmailService = twoFactorEmailService;
_changeKdfCommand = changeKdfCommand;
+ _userRepository = userRepository;
}
@@ -440,8 +444,39 @@ public class AccountsController : Controller
}
}
- await _userService.SaveUserAsync(model.ToUser(user));
- return new KeysResponseModel(user);
+ if (model.AccountKeys != null)
+ {
+ if (model.AccountKeys.ToAccountKeysData().IsV2Encryption())
+ {
+ await _userRepository.SetV2AccountCryptographicStateAsync(user.Id, model.AccountKeys.ToAccountKeysData());
+ return new KeysResponseModel(model.AccountKeys?.ToAccountKeysData(), user.Key);
+ }
+ else
+ {
+ // Todo: Drop this after a transition period
+ await _userService.SaveUserAsync(model.ToUser(user));
+ return new KeysResponseModel(new UserAccountKeysData
+ {
+ PublicKeyEncryptionKeyPairData = new PublicKeyEncryptionKeyPairData(
+ user.PrivateKey,
+ user.PublicKey
+ )
+ }, user.Key);
+ }
+ }
+ else
+ {
+ // Todo: Drop this after a transition period
+ await _userService.SaveUserAsync(model.ToUser(user));
+ return new KeysResponseModel(new UserAccountKeysData
+ {
+ PublicKeyEncryptionKeyPairData = new PublicKeyEncryptionKeyPairData(
+ user.PrivateKey,
+ user.PublicKey
+ )
+ }, user.Key);
+ }
+
}
[HttpGet("keys")]
@@ -453,7 +488,8 @@ public class AccountsController : Controller
throw new UnauthorizedAccessException();
}
- return new KeysResponseModel(user);
+ var accountKeys = await _userAccountKeysQuery.Run(user);
+ return new KeysResponseModel(accountKeys, user.Key);
}
[HttpDelete]
diff --git a/src/Api/Models/Response/KeysResponseModel.cs b/src/Api/Models/Response/KeysResponseModel.cs
index cfc1a6a0a1..4c877e0bfc 100644
--- a/src/Api/Models/Response/KeysResponseModel.cs
+++ b/src/Api/Models/Response/KeysResponseModel.cs
@@ -1,27 +1,32 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Api.Response;
+using Bit.Core.KeyManagement.Models.Data;
using Bit.Core.Models.Api;
namespace Bit.Api.Models.Response;
public class KeysResponseModel : ResponseModel
{
- public KeysResponseModel(User user)
+ public KeysResponseModel(UserAccountKeysData accountKeys, string? masterKeyWrappedUserKey)
: base("keys")
{
- if (user == null)
+ if (masterKeyWrappedUserKey != null)
{
- throw new ArgumentNullException(nameof(user));
+ Key = masterKeyWrappedUserKey;
}
- Key = user.Key;
- PublicKey = user.PublicKey;
- PrivateKey = user.PrivateKey;
+ PublicKey = accountKeys.PublicKeyEncryptionKeyPairData.PublicKey;
+ PrivateKey = accountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey;
+ AccountKeys = new PrivateKeysResponseModel(accountKeys);
}
- public string Key { get; set; }
+ ///
+ /// The master key wrapped user key. The master key can either be a master-password master key or a
+ /// key-connector master key.
+ ///
+ public string? Key { get; set; }
+ [Obsolete("Use AccountKeys.PublicKeyEncryptionKeyPair.PublicKey instead")]
public string PublicKey { get; set; }
+ [Obsolete("Use AccountKeys.PublicKeyEncryptionKeyPair.WrappedPrivateKey instead")]
public string PrivateKey { get; set; }
+ public PrivateKeysResponseModel AccountKeys { get; set; }
}
diff --git a/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs b/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs
index f89b67f3c5..85ddef44ce 100644
--- a/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs
+++ b/src/Core/Auth/Models/Api/Request/Accounts/KeysRequestModel.cs
@@ -3,17 +3,22 @@
using System.ComponentModel.DataAnnotations;
using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Api.Request;
using Bit.Core.Utilities;
namespace Bit.Core.Auth.Models.Api.Request.Accounts;
public class KeysRequestModel
{
+ [Obsolete("Use AccountKeys.AccountPublicKey instead")]
[Required]
public string PublicKey { get; set; }
+ [Obsolete("Use AccountKeys.UserKeyEncryptedAccountPrivateKey instead")]
[Required]
public string EncryptedPrivateKey { get; set; }
+ public AccountKeysRequestModel AccountKeys { get; set; }
+ [Obsolete("Use SetAccountKeysForUserCommand instead")]
public User ToUser(User existingUser)
{
if (string.IsNullOrWhiteSpace(PublicKey) || string.IsNullOrWhiteSpace(EncryptedPrivateKey))
diff --git a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
index f1aa11d068..64af5078b5 100644
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -11,6 +11,7 @@ using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.KeyManagement.Kdf;
+using Bit.Core.KeyManagement.Models.Api.Request;
using Bit.Core.KeyManagement.Models.Data;
using Bit.Core.KeyManagement.Queries.Interfaces;
using Bit.Core.Repositories;
@@ -38,6 +39,7 @@ public class AccountsControllerTests : IDisposable
private readonly IUserAccountKeysQuery _userAccountKeysQuery;
private readonly ITwoFactorEmailService _twoFactorEmailService;
private readonly IChangeKdfCommand _changeKdfCommand;
+ private readonly IUserRepository _userRepository;
public AccountsControllerTests()
{
@@ -53,6 +55,7 @@ public class AccountsControllerTests : IDisposable
_userAccountKeysQuery = Substitute.For();
_twoFactorEmailService = Substitute.For();
_changeKdfCommand = Substitute.For();
+ _userRepository = Substitute.For();
_sut = new AccountsController(
_organizationService,
@@ -66,7 +69,8 @@ public class AccountsControllerTests : IDisposable
_featureService,
_userAccountKeysQuery,
_twoFactorEmailService,
- _changeKdfCommand
+ _changeKdfCommand,
+ _userRepository
);
}
@@ -738,5 +742,62 @@ public class AccountsControllerTests : IDisposable
_userService.GetUserByIdAsync(Arg.Any())
.Returns(Task.FromResult((User)null));
}
+
+ [Theory, BitAutoData]
+ public async Task PostKeys_WithAccountKeys_CallsSetV2AccountCryptographicState(
+ User user,
+ KeysRequestModel model)
+ {
+ // Arrange
+ user.PublicKey = null;
+ user.PrivateKey = null;
+ model.AccountKeys = new AccountKeysRequestModel
+ {
+ UserKeyEncryptedAccountPrivateKey = "wrapped-private-key",
+ AccountPublicKey = "public-key"
+ };
+
+ _userService.GetUserByPrincipalAsync(Arg.Any()).Returns(user);
+ _featureService.IsEnabled(Bit.Core.FeatureFlagKeys.ReturnErrorOnExistingKeypair).Returns(false);
+
+ // Act
+ var result = await _sut.PostKeys(model);
+
+ // Assert
+ await _userRepository.Received(1).SetV2AccountCryptographicStateAsync(
+ user.Id,
+ Arg.Any());
+ await _userService.DidNotReceiveWithAnyArgs().SaveUserAsync(Arg.Any());
+ Assert.NotNull(result);
+ Assert.Equal("keys", result.Object);
+ }
+
+ [Theory, BitAutoData]
+ public async Task PostKeys_WithoutAccountKeys_CallsSaveUser(
+ User user,
+ KeysRequestModel model)
+ {
+ // Arrange
+ user.PublicKey = null;
+ user.PrivateKey = null;
+ model.AccountKeys = null;
+ model.PublicKey = "public-key";
+ model.EncryptedPrivateKey = "encrypted-private-key";
+
+ _userService.GetUserByPrincipalAsync(Arg.Any()).Returns(user);
+ _featureService.IsEnabled(Bit.Core.FeatureFlagKeys.ReturnErrorOnExistingKeypair).Returns(false);
+
+ // Act
+ var result = await _sut.PostKeys(model);
+
+ // Assert
+ await _userService.Received(1).SaveUserAsync(Arg.Is(u =>
+ u.PublicKey == model.PublicKey &&
+ u.PrivateKey == model.EncryptedPrivateKey));
+ await _userRepository.DidNotReceiveWithAnyArgs()
+ .SetV2AccountCryptographicStateAsync(Arg.Any(), Arg.Any());
+ Assert.NotNull(result);
+ Assert.Equal("keys", result.Object);
+ }
}