feat: added rotate keychain method for multi-user-key ofc wallet

alextse-bg · alextse-bg · commit 74a9b48b49f7 · 2025-11-24T10:45:33.000-05:00
added a new method to rotate ofc multi-user-key wallet's keychain TICKET: WP-6902
diff --git a/modules/bitgo/test/v2/unit/keychains.ts b/modules/bitgo/test/v2/unit/keychains.ts
@@ -9,9 +9,10 @@ import nock = require('nock');
 import should = require('should');
 import * as sinon from 'sinon';
 
-import { common, decodeOrElse, ECDSAUtils, EDDSAUtils, Keychains, OvcShare } from '@bitgo/sdk-core';
+import { common, decodeOrElse, ECDSAUtils, EDDSAUtils, Keychain, Keychains, OvcShare } from '@bitgo/sdk-core';
 import { TestBitGo } from '@bitgo/sdk-test';
 import { BitGo } from '../../../src/bitgo';
+import { SinonStub } from 'sinon';
 
 describe('V2 Keychains', function () {
   let bitgo;
@@ -171,9 +172,7 @@ describe('V2 Keychains', function () {
           'expected new password to be a string'
         );
 
-        (() => keychains.updateSingleKeychainPassword({ oldPassword: '1234', newPassword: 5678 })).should.throw(
-          'expected new password to be a string'
-        );
+        (() => keychains.updateSingleKeychainPassword({ oldPassword: '1234', newPassword: 5678 })).should.throw();
 
         (() => keychains.updateSingleKeychainPassword({ oldPassword: '1234', newPassword: '5678' })).should.throw(
           'expected keychain to be an object with an encryptedPrv property'
@@ -827,4 +826,79 @@ describe('V2 Keychains', function () {
     const decryptedPrv = bitgo.decrypt({ input: backup.encryptedPrv, password: 't3stSicretly!' });
     decryptedPrv.should.startWith('xprv');
   });
+
+  describe('Rotate OFC multi-user-key keychains', function () {
+    let ofcBaseCoin;
+    let ofcKeychains;
+    const mockOfcKeychain: Keychain = {
+      id: 'ofcKeychainId',
+      pub: 'ofcKeychainPub',
+      encryptedPrv: 'ofcEncryptedPrv',
+      source: 'user',
+      coinSpecific: {
+        ofc: {
+          features: ['multi-user-key'],
+        },
+      },
+      type: 'tss',
+    };
+    let nonOfcBaseCoin;
+    let nonOfcKeychains;
+    const mockNonOfcKeychain: Keychain = {
+      id: 'nonOfcKeychainId',
+      pub: 'nonOfcKeychainPub',
+      source: 'user',
+      type: 'tss',
+    };
+
+    const mockNewKeypair = {
+      pub: 'newPub',
+      prv: 'newPrv',
+    };
+
+    let sandbox;
+    let updateKeychainStub: SinonStub;
+    let createKeypairStub: SinonStub;
+    let encryptionStub: SinonStub;
+
+    beforeEach(function () {
+      ofcBaseCoin = bitgo.coin('ofc');
+      ofcKeychains = ofcBaseCoin.keychains();
+
+      nonOfcBaseCoin = bitgo.coin('hteth');
+      nonOfcKeychains = nonOfcBaseCoin.keychains();
+
+      sandbox = sinon.createSandbox();
+      updateKeychainStub = sandbox.stub().returns({ result: sandbox.stub().resolves() });
+      sandbox.stub(BitGo.prototype, 'put').returns({ send: updateKeychainStub });
+      createKeypairStub = sandbox.stub(ofcKeychains, 'create').returns(mockNewKeypair);
+      encryptionStub = sandbox.stub(BitGo.prototype, 'encrypt').returns('newEncryptedPrv');
+    });
+
+    afterEach(function () {
+      sandbox.restore();
+    });
+
+    it('should rotate ofc multi-user-key properly', async function () {
+      nock(bgUrl).get(`/api/v2/ofc/key/${mockOfcKeychain.id}`).query(true).reply(200, mockOfcKeychain);
+
+      await ofcKeychains.rotateKeychain({ id: mockOfcKeychain.id, password: '1234' });
+      sinon.assert.called(createKeypairStub);
+      sinon.assert.calledWith(encryptionStub, { input: mockNewKeypair.prv, password: '1234' });
+      sinon.assert.calledWith(updateKeychainStub, {
+        pub: mockNewKeypair.pub,
+        encryptedPrv: 'newEncryptedPrv',
+        reqId: undefined,
+      });
+    });
+
+    it('should throw when trying to rotate non-ofc keychain', async function () {
+      nock(bgUrl).get(`/api/v2/hteth/key/${mockNonOfcKeychain.id}`).query(true).reply(200, mockNonOfcKeychain);
+
+      await assert.rejects(
+        async () => await nonOfcKeychains.rotateKeychain({ id: mockNonOfcKeychain.id, password: '1234' }),
+        (err: Error) => err.message === 'rotateKeychain is only for ofc multi-user-key wallet'
+      );
+    });
+  });
 });
diff --git a/modules/express/src/clientRoutes.ts b/modules/express/src/clientRoutes.ts
@@ -21,6 +21,7 @@ import {
   encryptRsaWithAesGcm,
   GetNetworkPartnersResponse,
   GShare,
+  Keychains,
   MPCType,
   ShareType,
   SignShare,
@@ -1054,9 +1055,8 @@ export async function handleKeychainChangePassword(
     throw new ApiResponseError(`Keychain ${req.params.id} not found`, 404);
   }
 
-  // OFC wallet supports multiple keys (one per spender) on a single keychain.
-  const isMultiUserKey = (keychain.coinSpecific?.[coinName]?.['features'] ?? []).includes('multi-user-key');
-  if (isMultiUserKey && !keychain.pub) {
+  // OFC wallet supports multiple keys (one per spender) on a single keychain
+  if (Keychains.isMultiUserKey(keychain) && !keychain.pub) {
     throw new ApiResponseError(`Bad Data: Keychain for ofc multi-user-key wallet missing pub`, 500);
   }
 
@@ -1068,7 +1068,7 @@ export async function handleKeychainChangePassword(
 
   return bitgo.put(coin.url(`/key/${updatedKeychain.id}`)).send({
     encryptedPrv: updatedKeychain.encryptedPrv,
-    pub: isMultiUserKey ? keychain.pub : undefined,
+    pub: Keychains.isMultiUserKey(keychain) ? keychain.pub : undefined,
   });
 }
 
diff --git a/modules/sdk-core/src/bitgo/keychain/iKeychains.ts b/modules/sdk-core/src/bitgo/keychain/iKeychains.ts
@@ -88,6 +88,12 @@ export interface UpdateSingleKeychainPasswordOptions {
   newPassword?: string;
 }
 
+export interface RotateKeychainOptions {
+  id: string;
+  password: string;
+  reqId?: IRequestTracer;
+}
+
 export interface AddKeychainOptions {
   pub?: string;
   commonPub?: string;
@@ -214,4 +220,5 @@ export interface IKeychains {
   recreateMpc(params: RecreateMpcOptions): Promise<KeychainsTriplet>;
   createTssBitGoKeyFromOvcShares(ovcOutput: OvcToBitGoJSON, enterprise?: string): Promise<BitGoKeyFromOvcShares>;
   createUserKeychain(userPassword: string): Promise<Keychain>;
+  rotateKeychain(params: RotateKeychainOptions): Promise<Keychain>;
 }
diff --git a/modules/sdk-core/src/bitgo/keychain/keychains.ts b/modules/sdk-core/src/bitgo/keychain/keychains.ts
@@ -19,6 +19,7 @@ import {
   ListKeychainOptions,
   ListKeychainsResult,
   RecreateMpcOptions,
+  RotateKeychainOptions,
   UpdatePasswordOptions,
   UpdateSingleKeychainPasswordOptions,
 } from './iKeychains';
@@ -517,4 +518,27 @@ export class Keychains implements IKeychains {
       prv: newKeychain.prv,
     };
   }
+
+  async rotateKeychain(params: RotateKeychainOptions): Promise<Keychain> {
+    const keyChain = await this.get({ id: params.id });
+    if (!Keychains.isMultiUserKey(keyChain)) {
+      throw new Error(`rotateKeychain is only for ofc multi-user-key wallet`);
+    }
+
+    const { pub, prv } = this.create();
+    const encryptedPrv = this.bitgo.encrypt({ input: prv, password: params.password });
+
+    return this.bitgo
+      .put(this.baseCoin.url(`/key/${params.id}`))
+      .send({
+        encryptedPrv,
+        pub,
+        reqId: params.reqId,
+      })
+      .result();
+  }
+
+  static isMultiUserKey(keychain: Keychain): boolean {
+    return (keychain.coinSpecific?.ofc?.['features'] ?? []).includes('multi-user-key');
+  }
 }
