[PM-2199] Implement userkey rotation for all TDE devices (#13576)

* Implement key rotation v2 * Pass through masterpassword hint * Properly split old and new code * Mark legacy rotation as deprecated * Throw when data is null * Cleanup * Add tests * Fix build * Update libs/key-management/src/key.service.spec.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update apps/web/src/app/auth/settings/change-password.component.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Add documentation * Centralize loading logic * Add proof-of-concept for tde rotation * Fix build * Only include trusted devices in rotation request * Undo featureflag change * Fix tests * Prettier format * Fix build * Undo changes to migrate legacy component * Address feedback & add tests --------- Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
2025-12-16 00:03:56 +00:00 · 2025-03-31 18:16:11 +02:00
parent 753875219a
commit 6849d3aa98
9 changed files with 164 additions and 30 deletions
--- a/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts
+++ b/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts
@@ -2,7 +2,6 @@
 // @ts-strict-ignore
 import { ListResponse } from "../../models/response/list.response";
 import { DeviceResponse } from "../abstractions/devices/responses/device.response";
-import { SecretVerificationRequest } from "../models/request/secret-verification.request";
 import { UpdateDevicesTrustRequest } from "../models/request/update-devices-trust.request";
 import { ProtectedDeviceResponse } from "../models/response/protected-device.response";

@@ -25,10 +24,7 @@ export abstract class DevicesApiServiceAbstraction {
    deviceIdentifier: string,
  ) => Promise<void>;

-  getDeviceKeys: (
-    deviceIdentifier: string,
-    secretVerificationRequest: SecretVerificationRequest,
-  ) => Promise<ProtectedDeviceResponse>;
+  getDeviceKeys: (deviceIdentifier: string) => Promise<ProtectedDeviceResponse>;

  /**
   * Notifies the server that the device has a device key, but didn't receive any associated decryption keys.
--- a/libs/common/src/auth/models/request/update-devices-trust.request.ts
+++ b/libs/common/src/auth/models/request/update-devices-trust.request.ts
@@ -13,5 +13,5 @@ export class DeviceKeysUpdateRequest {
 }

 export class OtherDeviceKeysUpdateRequest extends DeviceKeysUpdateRequest {
-  id: string;
+  deviceId: string;
 }
--- a/libs/common/src/auth/models/response/protected-device.response.ts
+++ b/libs/common/src/auth/models/response/protected-device.response.ts
@@ -2,6 +2,8 @@
 // @ts-strict-ignore
 import { Jsonify } from "type-fest";

+import { RotateableKeySet } from "@bitwarden/auth/common";
+
 import { DeviceType } from "../../../enums";
 import { BaseResponse } from "../../../models/response/base.response";
 import { EncString } from "../../../platform/models/domain/enc-string";
@@ -38,4 +40,12 @@ export class ProtectedDeviceResponse extends BaseResponse {
   * This enabled a user to rotate the keys for all of their devices.
   */
  encryptedPublicKey: EncString;
+
+  getRotateableKeyset(): RotateableKeySet {
+    return new RotateableKeySet(this.encryptedUserKey, this.encryptedPublicKey);
+  }
+
+  isTrusted(): boolean {
+    return this.encryptedUserKey != null && this.encryptedPublicKey != null;
+  }
 }
--- a/libs/common/src/auth/services/devices-api.service.implementation.ts
+++ b/libs/common/src/auth/services/devices-api.service.implementation.ts
@@ -5,7 +5,6 @@ import { ListResponse } from "../../models/response/list.response";
 import { Utils } from "../../platform/misc/utils";
 import { DeviceResponse } from "../abstractions/devices/responses/device.response";
 import { DevicesApiServiceAbstraction } from "../abstractions/devices-api.service.abstraction";
-import { SecretVerificationRequest } from "../models/request/secret-verification.request";
 import { UpdateDevicesTrustRequest } from "../models/request/update-devices-trust.request";
 import { ProtectedDeviceResponse } from "../models/response/protected-device.response";

@@ -90,14 +89,11 @@ export class DevicesApiServiceImplementation implements DevicesApiServiceAbstrac
    );
  }

-  async getDeviceKeys(
-    deviceIdentifier: string,
-    secretVerificationRequest: SecretVerificationRequest,
-  ): Promise<ProtectedDeviceResponse> {
+  async getDeviceKeys(deviceIdentifier: string): Promise<ProtectedDeviceResponse> {
    const result = await this.apiService.send(
      "POST",
      `/devices/${deviceIdentifier}/retrieve-keys`,
-      secretVerificationRequest,
+      null,
      true,
      true,
    );