[PM-29556] Fix: changing organization plan nulls out public and private keys (#6738)

Main fix: only assign new key value where old keys are not set
and new keys have been provided.

Refactors:
- use consistent DTO model for keypairs
- delete duplicate property assignment for new orgs

Author: eliykat

src/Api/AdminConsole/Controllers/ProviderClientsController.cs

@@ -57,8 +57,7 @@ public async Task<IResult> CreateAsync(
             Owner = user,
             BillingEmail = provider.BillingEmail,
             OwnerKey = requestBody.Key,
-            PublicKey = requestBody.KeyPair.PublicKey,
-            PrivateKey = requestBody.KeyPair.EncryptedPrivateKey,
+            Keys = requestBody.KeyPair.ToPublicKeyEncryptionKeyPairData(),
             CollectionName = requestBody.CollectionName,
             IsFromProvider = true
         };

src/Api/AdminConsole/Models/Request/Organizations/OrganizationCreateRequestModel.cs

@@ -113,11 +113,10 @@ public virtual OrganizationSignup ToOrganizationSignup(User user)
                 BillingAddressCountry = BillingAddressCountry,
             },
             InitiationPath = InitiationPath,
-            SkipTrial = SkipTrial
+            SkipTrial = SkipTrial,
+            Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
         };
 
-        Keys?.ToOrganizationSignup(orgSignup);
-
         return orgSignup;
     }
 

src/Api/AdminConsole/Models/Request/Organizations/OrganizationKeysRequestModel.cs

@@ -2,8 +2,7 @@
 #nullable disable
 
 using System.ComponentModel.DataAnnotations;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Models.Business;
+using Bit.Core.KeyManagement.Models.Data;
 
 namespace Bit.Api.AdminConsole.Models.Request.Organizations;
 
@@ -14,48 +13,10 @@ public class OrganizationKeysRequestModel
     [Required]
     public string EncryptedPrivateKey { get; set; }
 
-    public OrganizationSignup ToOrganizationSignup(OrganizationSignup existingSignup)
+    public PublicKeyEncryptionKeyPairData ToPublicKeyEncryptionKeyPairData()
     {
-        if (string.IsNullOrWhiteSpace(existingSignup.PublicKey))
-        {
-            existingSignup.PublicKey = PublicKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(existingSignup.PrivateKey))
-        {
-            existingSignup.PrivateKey = EncryptedPrivateKey;
-        }
-
-        return existingSignup;
-    }
-
-    public OrganizationUpgrade ToOrganizationUpgrade(OrganizationUpgrade existingUpgrade)
-    {
-        if (string.IsNullOrWhiteSpace(existingUpgrade.PublicKey))
-        {
-            existingUpgrade.PublicKey = PublicKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(existingUpgrade.PrivateKey))
-        {
-            existingUpgrade.PrivateKey = EncryptedPrivateKey;
-        }
-
-        return existingUpgrade;
-    }
-
-    public Organization ToOrganization(Organization existingOrg)
-    {
-        if (string.IsNullOrWhiteSpace(existingOrg.PublicKey))
-        {
-            existingOrg.PublicKey = PublicKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(existingOrg.PrivateKey))
-        {
-            existingOrg.PrivateKey = EncryptedPrivateKey;
-        }
-
-        return existingOrg;
+        return new PublicKeyEncryptionKeyPairData(
+            wrappedPrivateKey: EncryptedPrivateKey,
+            publicKey: PublicKey);
     }
 }

src/Api/AdminConsole/Models/Request/Organizations/OrganizationNoPaymentCreateRequest.cs

@@ -110,10 +110,9 @@ public virtual OrganizationSignup ToOrganizationSignup(User user)
                 BillingAddressCountry = BillingAddressCountry,
             },
             InitiationPath = InitiationPath,
+            Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
         };
 
-        Keys?.ToOrganizationSignup(orgSignup);
-
         return orgSignup;
     }
 }

src/Api/AdminConsole/Models/Request/Organizations/OrganizationUpdateRequestModel.cs

@@ -22,7 +22,6 @@ public class OrganizationUpdateRequestModel
         OrganizationId = organizationId,
         Name = Name,
         BillingEmail = BillingEmail,
-        PublicKey = Keys?.PublicKey,
-        EncryptedPrivateKey = Keys?.EncryptedPrivateKey
+        Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
     };
 }

src/Api/AdminConsole/Models/Request/Organizations/OrganizationUpgradeRequestModel.cs

@@ -43,11 +43,10 @@ public OrganizationUpgrade ToOrganizationUpgrade()
             {
                 BillingAddressCountry = BillingAddressCountry,
                 BillingAddressPostalCode = BillingAddressPostalCode
-            }
+            },
+            Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
         };
 
-        Keys?.ToOrganizationUpgrade(orgUpgrade);
-
         return orgUpgrade;
     }
 }

src/Api/Billing/Models/Requests/KeyPairRequestBody.cs

@@ -2,6 +2,7 @@
 #nullable disable
 
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Data;
 
 namespace Bit.Api.Billing.Models.Requests;
 
@@ -12,4 +13,11 @@ public class KeyPairRequestBody
     public string PublicKey { get; set; }
     [Required(ErrorMessage = "'encryptedPrivateKey' must be provided")]
     public string EncryptedPrivateKey { get; set; }
+
+    public PublicKeyEncryptionKeyPairData ToPublicKeyEncryptionKeyPairData()
+    {
+        return new PublicKeyEncryptionKeyPairData(
+            wrappedPrivateKey: EncryptedPrivateKey,
+            publicKey: PublicKey);
+    }
 }

src/Core/AdminConsole/OrganizationFeatures/Organizations/CloudOrganizationSignUpCommand.cs

@@ -99,8 +99,8 @@ public async Task<SignUpOrganizationResponse> SignUpOrganizationAsync(Organizati
             ReferenceData = signup.Owner.ReferenceData,
             Enabled = true,
             LicenseKey = CoreHelpers.SecureRandomString(20),
-            PublicKey = signup.PublicKey,
-            PrivateKey = signup.PrivateKey,
+            PublicKey = signup.Keys?.PublicKey,
+            PrivateKey = signup.Keys?.WrappedPrivateKey,
             CreationDate = DateTime.UtcNow,
             RevisionDate = DateTime.UtcNow,
             Status = OrganizationStatusType.Created,

src/Core/AdminConsole/OrganizationFeatures/Organizations/OrganizationExtensions.cs

@@ -0,0 +1,28 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.KeyManagement.Models.Data;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+
+public static class OrganizationExtensions
+{
+    /// <summary>
+    /// Updates the organization public and private keys if provided and not already set.
+    /// This is legacy code for old organizations that were not created with a public/private keypair.
+    /// It is a soft migration that will silently migrate organizations when they perform certain actions,
+    /// e.g. change their details or upgrade their plan.
+    /// </summary>
+    public static void BackfillPublicPrivateKeys(this Organization organization, PublicKeyEncryptionKeyPairData? keyPair)
+    {
+        // Only backfill if both new keys are provided and both old keys are missing.
+        if (string.IsNullOrWhiteSpace(keyPair?.PublicKey) ||
+            string.IsNullOrWhiteSpace(keyPair.WrappedPrivateKey) ||
+            !string.IsNullOrWhiteSpace(organization.PublicKey) ||
+            !string.IsNullOrWhiteSpace(organization.PrivateKey))
+        {
+            return;
+        }
+
+        organization.PublicKey = keyPair.PublicKey;
+        organization.PrivateKey = keyPair.WrappedPrivateKey;
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/Organizations/ProviderClientOrganizationSignUpCommand.cs

@@ -93,8 +93,8 @@ public async Task<ProviderClientOrganizationSignUpResponse> SignUpClientOrganiza
             ReferenceData = signup.Owner.ReferenceData,
             Enabled = true,
             LicenseKey = CoreHelpers.SecureRandomString(20),
-            PublicKey = signup.PublicKey,
-            PrivateKey = signup.PrivateKey,
+            PublicKey = signup.Keys?.PublicKey,
+            PrivateKey = signup.Keys?.WrappedPrivateKey,
             CreationDate = DateTime.UtcNow,
             RevisionDate = DateTime.UtcNow,
             Status = OrganizationStatusType.Created,