bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-20 02:03:39 +00:00
Code Issues Releases Wiki Activity

Auth/PM-3515 - Lock component Tech Debt Clean up (#10332)

Browse Source 
* PM-3515 - Lock component - remove isUnlocked check on lock comp load b/c lock guard should cover all cases with its existing logic for all clients.

* PM-3515 - VaultTimeoutSettingsSvc - Add new canLock method

* PM-3515 - Refactor logic out of lock component that belongs in lock guard. Update lock guard to reject route activation if a user can't lock whereas we used to log the user out when they landed on the lock comp.

* PM-3515 - WIP on testing all lock guard scenarios

* PM-3515 - Refactor lock guard tests + add more tests

* PM-3515 - LockGuard - if TDE user that is authN directly navigates from login-init to lock for whatever reason (only possible on web with url bar), reject that navigation directly instead of throwing them up to the redirect guard

* PM-3515 - More LockGuard tests

* PM-3515 - Update comment
This commit is contained in:
Jared Snider
2024-08-12 15:51:57 -04:00
committed by GitHub
parent d5cc2d6518
commit 0d829b7398
6 changed files with 297 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

235
libs/angular/src/auth/guards/lock.guard.spec.ts Normal file
View File

@@ -0,0 +1,235 @@
import { TestBed } from "@angular/core/testing";
import { Router } from "@angular/router";
import { RouterTestingModule } from "@angular/router/testing";
import { MockProxy, mock } from "jest-mock-extended";
import { BehaviorSubject, of } from "rxjs";
import { EmptyComponent } from "@bitwarden/angular/platform/guard/feature-flag.guard.spec";
import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
import { AccountInfo, AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { ClientType } from "@bitwarden/common/enums";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { UserId } from "@bitwarden/common/types/guid";
import { lockGuard } from "./lock.guard";
interface SetupParams {
authStatus: AuthenticationStatus;
canLock?: boolean;
isLegacyUser?: boolean;
clientType?: ClientType;
everHadUserKey?: boolean;
supportsDeviceTrust?: boolean;
hasMasterPassword?: boolean;
}
describe("lockGuard", () => {
const setup = (setupParams: SetupParams) => {
const authService: MockProxy<AuthService> = mock<AuthService>();
authService.authStatusFor$.mockReturnValue(of(setupParams.authStatus));
const vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService> =
mock<VaultTimeoutSettingsService>();
vaultTimeoutSettingsService.canLock.mockResolvedValue(setupParams.canLock);
const cryptoService: MockProxy<CryptoService> = mock<CryptoService>();
cryptoService.isLegacyUser.mockResolvedValue(setupParams.isLegacyUser);
cryptoService.everHadUserKey$ = of(setupParams.everHadUserKey);
const platformUtilService: MockProxy<PlatformUtilsService> = mock<PlatformUtilsService>();
platformUtilService.getClientType.mockReturnValue(setupParams.clientType);
const messagingService: MockProxy<MessagingService> = mock<MessagingService>();
const deviceTrustService: MockProxy<DeviceTrustServiceAbstraction> =
mock<DeviceTrustServiceAbstraction>();
deviceTrustService.supportsDeviceTrust$ = of(setupParams.supportsDeviceTrust);
const userVerificationService: MockProxy<UserVerificationService> =
mock<UserVerificationService>();
userVerificationService.hasMasterPassword.mockResolvedValue(setupParams.hasMasterPassword);
const accountService: MockProxy<AccountService> = mock<AccountService>();
const activeAccountSubject = new BehaviorSubject<{ id: UserId } & AccountInfo>(null);
accountService.activeAccount$ = activeAccountSubject;
activeAccountSubject.next(
Object.assign(
{
name: "Test User 1",
email: "test@email.com",
emailVerified: true,
} as AccountInfo,
{ id: "test-id" as UserId },
),
);
const testBed = TestBed.configureTestingModule({
imports: [
RouterTestingModule.withRoutes([
{ path: "", component: EmptyComponent },
{ path: "lock", component: EmptyComponent, canActivate: [lockGuard()] },
{ path: "non-lock-route", component: EmptyComponent },
{ path: "migrate-legacy-encryption", component: EmptyComponent },
]),
],
providers: [
{ provide: AuthService, useValue: authService },
{ provide: MessagingService, useValue: messagingService },
{ provide: AccountService, useValue: accountService },
{ provide: VaultTimeoutSettingsService, useValue: vaultTimeoutSettingsService },
{ provide: CryptoService, useValue: cryptoService },
{ provide: PlatformUtilsService, useValue: platformUtilService },
{ provide: DeviceTrustServiceAbstraction, useValue: deviceTrustService },
{ provide: UserVerificationService, useValue: userVerificationService },
],
});
return {
router: testBed.inject(Router),
messagingService,
};
};
it("should be created", () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
});
expect(router).toBeTruthy();
});
it("should redirect to the root route when the user is Unlocked", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Unlocked,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/");
});
it("should redirect to the root route when the user is LoggedOut", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.LoggedOut,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/");
});
it("should allow navigation to the lock route when the user is Locked and they can lock", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/lock");
});
it("should allow navigation to the lock route when the user is locked, they can lock, and device trust is not supported", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
supportsDeviceTrust: false,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/lock");
});
it("should not allow navigation to the lock route when canLock is false", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: false,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/");
});
it("should log user out if they are a legacy user on a desktop client", async () => {
const { router, messagingService } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
isLegacyUser: true,
clientType: ClientType.Desktop,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/");
expect(messagingService.send).toHaveBeenCalledWith("logout");
});
it("should log user out if they are a legacy user on a browser extension client", async () => {
const { router, messagingService } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
isLegacyUser: true,
clientType: ClientType.Browser,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/");
expect(messagingService.send).toHaveBeenCalledWith("logout");
});
it("should send the user to migrate-legacy-encryption if they are a legacy user on a web client", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
isLegacyUser: true,
clientType: ClientType.Web,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/migrate-legacy-encryption");
});
it("should allow navigation to the lock route when device trust is supported, the user has a MP, and the user is coming from the login-initiated page", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
isLegacyUser: false,
clientType: ClientType.Web,
everHadUserKey: false,
supportsDeviceTrust: true,
hasMasterPassword: true,
});
await router.navigate(["lock"], { queryParams: { from: "login-initiated" } });
expect(router.url).toBe("/lock?from=login-initiated");
});
it("should allow navigation to the lock route when TDE is disabled, the user doesn't have a MP, and the user has had a user key", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
supportsDeviceTrust: false,
hasMasterPassword: false,
everHadUserKey: true,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/lock");
});
it("should not allow navigation to the lock route when device trust is supported and the user has not ever had a user key", async () => {
const { router } = setup({
authStatus: AuthenticationStatus.Locked,
canLock: true,
isLegacyUser: false,
clientType: ClientType.Web,
everHadUserKey: false,
supportsDeviceTrust: true,
hasMasterPassword: false,
});
await router.navigate(["lock"]);
expect(router.url).toBe("/");
});
});

21
libs/angular/src/auth/guards/lock.guard.ts
View File

@@ -7,6 +7,8 @@ import {
} from "@angular/router";
import { firstValueFrom } from "rxjs";
import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
@@ -19,7 +21,7 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
/**
* Only allow access to this route if the vault is locked.
* If TDE is enabled then the user must also have had a user key at some point.
* Otherwise redirect to root.
* Otherwise reject navigation.
*
* TODO: This should return Observable<boolean | UrlTree> once we can remove all the promises
*/
@@ -35,12 +37,22 @@ export function lockGuard(): CanActivateFn {
const messagingService = inject(MessagingService);
const router = inject(Router);
const userVerificationService = inject(UserVerificationService);
const vaultTimeoutSettingsService = inject(VaultTimeoutSettingsService);
const accountService = inject(AccountService);
const authStatus = await authService.getAuthStatus();
const activeUser = await firstValueFrom(accountService.activeAccount$);
const authStatus = await firstValueFrom(authService.authStatusFor$(activeUser.id));
if (authStatus !== AuthenticationStatus.Locked) {
return router.createUrlTree(["/"]);
}
// if user can't lock, they can't access the lock screen
const canLock = await vaultTimeoutSettingsService.canLock(activeUser.id);
if (!canLock) {
return false;
}
// If legacy user on web, redirect to migration page
if (await cryptoService.isLegacyUser()) {
if (platformUtilService.getClientType() === ClientType.Web) {
@@ -65,11 +77,10 @@ export function lockGuard(): CanActivateFn {
return true;
}
// If authN user with TDE directly navigates to lock, kick them upwards so redirect guard can
// properly route them to the login decryption options component.
// If authN user with TDE directly navigates to lock, reject that navigation
const everHadUserKey = await firstValueFrom(cryptoService.everHadUserKey$);
if (tdeEnabled && !everHadUserKey) {
return router.createUrlTree(["/"]);
return false;
}
return true;