[PM-27278] add AccountKeysRequestModel to RegisterFinishRequestModel for account encryption v2 support

Author: eligrubb

src/Core/Auth/Models/Api/Request/Accounts/RegisterFinishRequestModel.cs

@@ -1,11 +1,12 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.KeyManagement.Models.Api.Request;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.Utilities;
 
 namespace Bit.Core.Auth.Models.Api.Request.Accounts;
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Api.Request;
 
 public enum RegisterFinishTokenType : byte
 {
@@ -39,7 +40,12 @@ public class RegisterFinishRequestModel : IValidatableObject
     // in the MasterPasswordAuthenticationData.
     public string? UserSymmetricKey { get; set; }
 
-    public required KeysRequestModel UserAsymmetricKeys { get; set; }
+    // TODO Remove property below, deprecated due to new AccountKeys property
+    // https://bitwarden.atlassian.net/browse/PM-TBD
+    // Will throw error if both UserAsymmetricKeys and AccountKeys do not exist.
+    public KeysRequestModel? UserAsymmetricKeys { get; set; }
+
+    public AccountKeysRequestModel? AccountKeys { get; set; }
 
     // PM-28143 - Remove line below (made optional during migration to MasterPasswordUnlockData)
     public KdfType? Kdf { get; set; }
@@ -62,6 +68,8 @@ public class RegisterFinishRequestModel : IValidatableObject
 
     public Guid? ProviderUserId { get; set; }
 
+    // TODO remove with https://bitwarden.atlassian.net/browse/PM-TBD
+    [Obsolete("Use ToV2User instead")]
     public User ToUser()
     {
         var user = new User
@@ -80,11 +88,57 @@ public User ToUser()
             Key = MasterPasswordUnlock?.MasterKeyWrappedUserKey ?? UserSymmetricKey ?? throw new BadRequestException("MasterKeyWrappedUserKey couldn't be found on either the MasterPasswordUnlockData or the UserSymmetricKey property passed in."),
         };
 
-        UserAsymmetricKeys.ToUser(user);
+        user = UserAsymmetricKeys?.ToUser(user) ?? throw new Exception("User's public and private account keys couldn't be found in either AccountKeys or UserAsymmetricKeys");
 
         return user;
     }
 
+    public User ToV2User()
+    {
+        return new User
+        {
+            Email = Email,
+            MasterPasswordHint = MasterPasswordHint,
+        };
+    }
+
+    public RegisterFinishData ToData(string masterPasswordAuthenticationHash)
+    {
+        // TODO clean up flow once old fields are deprecated
+        // https://bitwarden.atlassian.net/browse/PM-TBD
+        return new RegisterFinishData
+        {
+            MasterPasswordUnlockData = MasterPasswordUnlock?.ToData() ?? 
+                new MasterPasswordUnlockData
+                {
+                    Kdf = new KdfSettings
+                    {
+                        KdfType = Kdf ?? throw new Exception("KdfType couldn't be found on either the MasterPasswordUnlockData or the Kdf property passed in."),
+                        Iterations = KdfIterations  ?? throw new Exception("KdfIterations couldn't be found on either the MasterPasswordUnlockData or the KdfIterations property passed in."),
+                        // KdfMemory and KdfParallelism are optional (only used for Argon2id)
+                        Memory = KdfMemory,
+                        Parallelism = KdfParallelism,
+                    },
+                    MasterKeyWrappedUserKey = UserSymmetricKey ?? throw new Exception("MasterKeyWrappedUserKey couldn't be found on either the MasterPasswordUnlockData or the UserSymmetricKey property passed in."),
+                    // PM-28827 To be added when MasterPasswordSalt is added to the user column
+                    Salt = Email.ToLower().Trim(),
+                },
+            UserAccountKeysData = AccountKeys?.ToAccountKeysData() ?? 
+                UserAsymmetricKeys?.AccountKeys.ToAccountKeysData() ?? 
+                new UserAccountKeysData
+                {
+                    PublicKeyEncryptionKeyPairData = new PublicKeyEncryptionKeyPairData
+                    (
+                        UserAsymmetricKeys?.EncryptedPrivateKey ?? 
+                            throw new Exception("WrappedPrivateKey couldn't be found in either AccountKeys or UserAsymmetricKeys."), 
+                        UserAsymmetricKeys?.PublicKey ?? 
+                            throw new Exception("PublicKey couldn't be found in either AccountKeys or UserAsymmetricKeys")
+                    ),
+                },
+                MasterPasswordAuthenticationHash = masterPasswordAuthenticationHash,
+        };
+    }
+
     public RegisterFinishTokenType GetTokenType()
     {
         if (!string.IsNullOrWhiteSpace(EmailVerificationToken))

src/Core/Auth/UserFeatures/Registration/IRegisterUserCommand.cs

@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Data;
 using Microsoft.AspNetCore.Identity;
 
 namespace Bit.Core.Auth.UserFeatures.Registration;
@@ -31,45 +32,45 @@ public interface IRegisterUserCommand
     /// If the organization has a 2FA required policy enabled, email verification will be enabled for the user.
     /// </summary>
     /// <param name="user">The <see cref="User"/> to create</param>
-    /// <param name="masterPasswordHash">The hashed master password the user entered</param>
+    /// <param name="registerFinishData">Cryptographic data for finishing user registration</param>
     /// <param name="orgInviteToken">The org invite token sent to the user via email</param>
     /// <param name="orgUserId">The associated org user guid that was created at the time of invite</param>
     /// <returns><see cref="IdentityResult"/></returns>
-    public Task<IdentityResult> RegisterUserViaOrganizationInviteToken(User user, string masterPasswordHash, string orgInviteToken, Guid? orgUserId);
+    public Task<IdentityResult> RegisterUserViaOrganizationInviteToken(User user, RegisterFinishData registerFinishData, string orgInviteToken, Guid? orgUserId);
 
     /// <summary>
     /// Creates a new user with a given master password hash, sends a welcome email, and raises the signup reference event.
     /// If a valid email verification token is provided, the user will be created with their email verified.
     /// An error will be thrown if the token is invalid or expired.
     /// </summary>
     /// <param name="user">The <see cref="User"/> to create</param>
-    /// <param name="masterPasswordHash">The hashed master password the user entered</param>
+    /// <param name="registerFinishData">Cryptographic data for finishing user registration</param>
     /// <param name="emailVerificationToken">The email verification token sent to the user via email</param>
     /// <returns><see cref="IdentityResult"/></returns>
-    public Task<IdentityResult> RegisterUserViaEmailVerificationToken(User user, string masterPasswordHash, string emailVerificationToken);
+    public Task<IdentityResult> RegisterUserViaEmailVerificationToken(User user, RegisterFinishData registerFinishData, string emailVerificationToken);
 
     /// <summary>
     /// Creates a new user with a given master password hash, sends a welcome email, and raises the signup reference event.
     /// If a valid org sponsored free family plan invite token is provided, the user will be created with their email verified.
     /// If the token is invalid or expired, an error will be thrown.
     /// </summary>
     /// <param name="user">The <see cref="User"/> to create</param>
-    /// <param name="masterPasswordHash">The hashed master password the user entered</param>
+    /// <param name="registerFinishData">Cryptographic data for finishing user registration</param>
     /// <param name="orgSponsoredFreeFamilyPlanInviteToken">The org sponsored free family plan invite token sent to the user via email</param>
     /// <returns><see cref="IdentityResult"/></returns>
-    public Task<IdentityResult> RegisterUserViaOrganizationSponsoredFreeFamilyPlanInviteToken(User user, string masterPasswordHash, string orgSponsoredFreeFamilyPlanInviteToken);
+    public Task<IdentityResult> RegisterUserViaOrganizationSponsoredFreeFamilyPlanInviteToken(User user, RegisterFinishData registerFinishData, string orgSponsoredFreeFamilyPlanInviteToken);
 
     /// <summary>
     /// Creates a new user with a given master password hash, sends a welcome email, and raises the signup reference event.
     /// If a valid token is provided, the user will be created with their email verified.
     /// If the token is invalid or expired, an error will be thrown.
     /// </summary>
     /// <param name="user">The <see cref="User"/> to create</param>
-    /// <param name="masterPasswordHash">The hashed master password the user entered</param>
+    /// <param name="registerFinishData">Cryptographic data for finishing user registration</param>
     /// <param name="acceptEmergencyAccessInviteToken">The emergency access invite token sent to the user via email</param>
     /// <param name="acceptEmergencyAccessId">The emergency access id (used to validate the token)</param>
     /// <returns><see cref="IdentityResult"/></returns>
-    public Task<IdentityResult> RegisterUserViaAcceptEmergencyAccessInviteToken(User user, string masterPasswordHash,
+    public Task<IdentityResult> RegisterUserViaAcceptEmergencyAccessInviteToken(User user, RegisterFinishData registerFinishData,
         string acceptEmergencyAccessInviteToken, Guid acceptEmergencyAccessId);
 
     /// <summary>
@@ -78,10 +79,10 @@ public Task<IdentityResult> RegisterUserViaAcceptEmergencyAccessInviteToken(User
     /// If the token is invalid or expired, an error will be thrown.
     /// </summary>
     /// <param name="user">The <see cref="User"/> to create</param>
-    /// <param name="masterPasswordHash">The hashed master password the user entered</param>
+    /// <param name="registerFinishData">Cryptographic data for finishing user registration</param>
     /// <param name="providerInviteToken">The provider invite token sent to the user via email</param>
     /// <param name="providerUserId">The provider user id which is used to validate the invite token</param>
     /// <returns><see cref="IdentityResult"/></returns>
-    public Task<IdentityResult> RegisterUserViaProviderInviteToken(User user, string masterPasswordHash, string providerInviteToken, Guid providerUserId);
+    public Task<IdentityResult> RegisterUserViaProviderInviteToken(User user, RegisterFinishData registerFinishData, string providerInviteToken, Guid providerUserId);
 
 }

src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs

@@ -8,6 +8,7 @@
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -111,7 +112,7 @@ public async Task<IdentityResult> RegisterSSOAutoProvisionedUserAsync(User user,
         return result;
     }
 
-    public async Task<IdentityResult> RegisterUserViaOrganizationInviteToken(User user, string masterPasswordHash,
+    public async Task<IdentityResult> RegisterUserViaOrganizationInviteToken(User user, RegisterFinishData registerFinishData,
         string orgInviteToken, Guid? orgUserId)
     {
         TryValidateOrgInviteToken(orgInviteToken, orgUserId, user);
@@ -129,7 +130,7 @@ public async Task<IdentityResult> RegisterUserViaOrganizationInviteToken(User us
             user.EmailVerified = true;
         }
 
-        var result = await _userService.CreateUserAsync(user, masterPasswordHash);
+        var result = await _userService.CreateV2UserAsync(user, registerFinishData);
         var organization = await GetOrganizationUserOrganization(orgUserId ?? Guid.Empty, orgUser);
         if (result == IdentityResult.Success)
         {
@@ -280,7 +281,7 @@ private async Task SendAppropriateWelcomeEmailAsync(User user, string initiation
         }
     }
 
-    public async Task<IdentityResult> RegisterUserViaEmailVerificationToken(User user, string masterPasswordHash,
+    public async Task<IdentityResult> RegisterUserViaEmailVerificationToken(User user, RegisterFinishData registerFinishData,
         string emailVerificationToken)
     {
         ValidateOpenRegistrationAllowed();
@@ -292,7 +293,7 @@ public async Task<IdentityResult> RegisterUserViaEmailVerificationToken(User use
         user.Name = tokenable.Name;
         user.ApiKey = CoreHelpers.SecureRandomString(30); // API key can't be null.
 
-        var result = await _userService.CreateUserAsync(user, masterPasswordHash);
+        var result = await _userService.CreateV2UserAsync(user, registerFinishData);
         if (result == IdentityResult.Success)
         {
             await SendWelcomeEmailAsync(user);
@@ -301,7 +302,7 @@ public async Task<IdentityResult> RegisterUserViaEmailVerificationToken(User use
         return result;
     }
 
-    public async Task<IdentityResult> RegisterUserViaOrganizationSponsoredFreeFamilyPlanInviteToken(User user, string masterPasswordHash,
+    public async Task<IdentityResult> RegisterUserViaOrganizationSponsoredFreeFamilyPlanInviteToken(User user, RegisterFinishData registerFinishData,
         string orgSponsoredFreeFamilyPlanInviteToken)
     {
         ValidateOpenRegistrationAllowed();
@@ -311,7 +312,7 @@ public async Task<IdentityResult> RegisterUserViaOrganizationSponsoredFreeFamily
         user.EmailVerified = true;
         user.ApiKey = CoreHelpers.SecureRandomString(30); // API key can't be null.
 
-        var result = await _userService.CreateUserAsync(user, masterPasswordHash);
+        var result = await _userService.CreateV2UserAsync(user, registerFinishData);
         if (result == IdentityResult.Success)
         {
             await SendWelcomeEmailAsync(user);
@@ -322,7 +323,7 @@ public async Task<IdentityResult> RegisterUserViaOrganizationSponsoredFreeFamily
 
 
     // TODO: in future, consider how we can consolidate base registration logic to reduce code duplication
-    public async Task<IdentityResult> RegisterUserViaAcceptEmergencyAccessInviteToken(User user, string masterPasswordHash,
+    public async Task<IdentityResult> RegisterUserViaAcceptEmergencyAccessInviteToken(User user, RegisterFinishData registerFinishData,
         string acceptEmergencyAccessInviteToken, Guid acceptEmergencyAccessId)
     {
         ValidateOpenRegistrationAllowed();
@@ -332,7 +333,7 @@ public async Task<IdentityResult> RegisterUserViaAcceptEmergencyAccessInviteToke
         user.EmailVerified = true;
         user.ApiKey = CoreHelpers.SecureRandomString(30); // API key can't be null.
 
-        var result = await _userService.CreateUserAsync(user, masterPasswordHash);
+        var result = await _userService.CreateV2UserAsync(user, registerFinishData);
         if (result == IdentityResult.Success)
         {
             await SendWelcomeEmailAsync(user);
@@ -341,7 +342,7 @@ public async Task<IdentityResult> RegisterUserViaAcceptEmergencyAccessInviteToke
         return result;
     }
 
-    public async Task<IdentityResult> RegisterUserViaProviderInviteToken(User user, string masterPasswordHash,
+    public async Task<IdentityResult> RegisterUserViaProviderInviteToken(User user, RegisterFinishData registerFinishData,
         string providerInviteToken, Guid providerUserId)
     {
         ValidateOpenRegistrationAllowed();
@@ -351,7 +352,7 @@ public async Task<IdentityResult> RegisterUserViaProviderInviteToken(User user,
         user.EmailVerified = true;
         user.ApiKey = CoreHelpers.SecureRandomString(30); // API key can't be null.
 
-        var result = await _userService.CreateUserAsync(user, masterPasswordHash);
+        var result = await _userService.CreateV2UserAsync(user, registerFinishData);
         if (result == IdentityResult.Success)
         {
             await SendWelcomeEmailAsync(user);

src/Core/Constants.cs

@@ -212,6 +212,7 @@ public static class FeatureFlagKeys
     public const string V2RegistrationTDEJIT = "pm-27279-v2-registration-tde-jit";
     public const string DataRecoveryTool = "pm-28813-data-recovery-tool";
     public const string EnableAccountEncryptionV2KeyConnectorRegistration = "enable-account-encryption-v2-key-connector-registration";
+    public const string EnableAccountEncryptionV2PasswordRegistration = "pm-27278-v2-password-registration";
 
     /* Mobile Team */
     public const string AndroidImportLoginsFlow = "import-logins-flow";

src/Core/KeyManagement/Models/Data/RegisterFinishData.cs

@@ -0,0 +1,13 @@
+namespace Bit.Core.KeyManagement.Models.Data;
+
+public class RegisterFinishData
+{
+    public required MasterPasswordUnlockData MasterPasswordUnlockData { get; set; }
+    public required UserAccountKeysData UserAccountKeysData { get; set; }
+    public required string MasterPasswordAuthenticationHash { get; init; }
+
+    public bool IsV2Encryption()
+    {
+        return UserAccountKeysData.IsV2Encryption();
+    }
+}

src/Core/Repositories/IUserRepository.cs

@@ -74,6 +74,7 @@ Task SetV2AccountCryptographicStateAsync(
     Task DeleteManyAsync(IEnumerable<User> users);
 
     UpdateUserData SetKeyConnectorUserKey(Guid userId, string keyConnectorWrappedUserKey);
+    UpdateUserData SetRegisterFinishUserData(Guid userId, RegisterFinishData registerFinishData);
 }
 
 public delegate Task UpdateUserData(Microsoft.Data.SqlClient.SqlConnection? connection = null,

src/Core/Services/IUserService.cs

@@ -7,6 +7,7 @@
 using Bit.Core.Billing.Models.Business;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.Models.Business;
 using Fido2NetLib;
 using Microsoft.AspNetCore.Identity;
@@ -23,6 +24,7 @@ public interface IUserService
     Task SaveUserAsync(User user, bool push = false);
     Task<IdentityResult> CreateUserAsync(User user);
     Task<IdentityResult> CreateUserAsync(User user, string masterPasswordHash);
+    Task<IdentityResult> CreateV2UserAsync(User user, RegisterFinishData registerFinishData);
     Task SendMasterPasswordHintAsync(string email);
     Task<CredentialCreateOptions> StartWebAuthnRegistrationAsync(User user);
     Task<bool> DeleteWebAuthnKeyAsync(User user, int id);

src/Core/Services/Implementations/UserService.cs

@@ -25,6 +25,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
@@ -326,6 +327,27 @@ public async Task<IdentityResult> CreateUserAsync(User user, string masterPasswo
         return await CreateAsync(user, masterPasswordHash);
     }
 
+    public async Task<IdentityResult> CreateV2UserAsync(User user, RegisterFinishData registerFinishData)
+    {
+        // TODO remove logic below after a compatibility period - once V2 accounts are fully supported
+        // https://bitwarden.atlassian.net/browse/PM-TBD
+        if (!registerFinishData.IsV2Encryption())
+        {
+            return await CreateUserAsync(user, registerFinishData.MasterPasswordAuthenticationHash);
+        }
+
+        var result = await CreateAsync(user, registerFinishData.MasterPasswordAuthenticationHash);
+        if (result.Succeeded)
+        {
+            // call new task for setting remaining user data
+            var setRegisterFinishUserDataTask = _userRepository.SetRegisterFinishUserData(user.Id, registerFinishData);
+            // call task as part of v2 account state set call
+            await _userRepository.SetV2AccountCryptographicStateAsync(user.Id, registerFinishData.UserAccountKeysData, [setRegisterFinishUserDataTask]);
+            // if this call fails, we need to delete the user we created.
+        }
+        return result;
+    }
+
     public async Task SendMasterPasswordHintAsync(string email)
     {
         var user = await _userRepository.GetByEmailAsync(email);