mirror of
https://github.com/bitwarden/browser
synced 2025-12-15 15:53:27 +00:00
Add logging for userkey / device trust rotation (#11682)
* Add logging for userkey rotation * Fix tests
This commit is contained in:
Bernd Schoolmann
GitHub
@@ -7,6 +7,7 @@ import { UserVerificationService } from "@bitwarden/common/auth/abstractions/use
|
||||
import { WebauthnRotateCredentialRequest } from "@bitwarden/common/auth/models/request/webauthn-rotate-credential.request";
|
||||
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
|
||||
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
|
||||
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
|
||||
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
|
||||
import { SendWithIdRequest } from "@bitwarden/common/tools/send/models/request/send-with-id.request";
|
||||
import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
|
||||
@@ -44,6 +45,7 @@ describe("KeyRotationService", () => {
|
||||
let mockConfigService: MockProxy<ConfigService>;
|
||||
let mockSyncService: MockProxy<SyncService>;
|
||||
let mockWebauthnLoginAdminService: MockProxy<WebauthnLoginAdminService>;
|
||||
let mockLogService: MockProxy<LogService>;
|
||||
|
||||
const mockUser = {
|
||||
id: "mockUserId" as UserId,
|
||||
@@ -66,6 +68,7 @@ describe("KeyRotationService", () => {
|
||||
mockConfigService = mock<ConfigService>();
|
||||
mockSyncService = mock<SyncService>();
|
||||
mockWebauthnLoginAdminService = mock<WebauthnLoginAdminService>();
|
||||
mockLogService = mock<LogService>();
|
||||
|
||||
keyRotationService = new UserKeyRotationService(
|
||||
mockUserVerificationService,
|
||||
@@ -80,6 +83,7 @@ describe("KeyRotationService", () => {
|
||||
mockEncryptService,
|
||||
mockSyncService,
|
||||
mockWebauthnLoginAdminService,
|
||||
mockLogService,
|
||||
);
|
||||
});
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@ import { UserVerificationService } from "@bitwarden/common/auth/abstractions/use
|
||||
import { VerificationType } from "@bitwarden/common/auth/enums/verification-type";
|
||||
import { MasterPasswordVerification } from "@bitwarden/common/auth/types/verification";
|
||||
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
|
||||
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
|
||||
import { EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string";
|
||||
import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
|
||||
import { UserId } from "@bitwarden/common/types/guid";
|
||||
@@ -38,6 +39,7 @@ export class UserKeyRotationService {
|
||||
private encryptService: EncryptService,
|
||||
private syncService: SyncService,
|
||||
private webauthnLoginAdminService: WebauthnLoginAdminService,
|
||||
private logService: LogService,
|
||||
) {}
|
||||
|
||||
/**
|
||||
@@ -48,11 +50,14 @@ export class UserKeyRotationService {
|
||||
masterPassword: string,
|
||||
user: { id: UserId } & AccountInfo,
|
||||
): Promise<void> {
|
||||
this.logService.info("[Userkey rotation] Starting user key rotation...");
|
||||
if (!masterPassword) {
|
||||
this.logService.info("[Userkey rotation] Invalid master password provided. Aborting!");
|
||||
throw new Error("Invalid master password");
|
||||
}
|
||||
|
||||
if ((await this.syncService.getLastSync()) === null) {
|
||||
this.logService.info("[Userkey rotation] Client was never synced. Aborting!");
|
||||
throw new Error(
|
||||
"The local vault is de-synced and the keys cannot be rotated. Please log out and log back in to resolve this issue.",
|
||||
);
|
||||
@@ -74,6 +79,7 @@ export class UserKeyRotationService {
|
||||
const [newUserKey, newEncUserKey] = await this.keyService.makeUserKey(masterKey);
|
||||
|
||||
if (!newUserKey || !newEncUserKey) {
|
||||
this.logService.info("[Userkey rotation] User key could not be created. Aborting!");
|
||||
throw new Error("User key could not be created");
|
||||
}
|
||||
|
||||
@@ -91,6 +97,9 @@ export class UserKeyRotationService {
|
||||
// Note: We distribute the legacy key, but not all domains actually use it. If any of those
|
||||
// domains break their legacy support it will break the migration process for legacy users.
|
||||
const originalUserKey = await this.keyService.getUserKeyWithLegacySupport(user.id);
|
||||
const isMasterKey =
|
||||
(await firstValueFrom(this.keyService.userKey$(user.id))) != originalUserKey;
|
||||
this.logService.info("[Userkey rotation] Is legacy user: " + isMasterKey);
|
||||
|
||||
// Add re-encrypted data
|
||||
request.privateKey = await this.encryptPrivateKey(newUserKey, user.id);
|
||||
@@ -151,10 +160,14 @@ export class UserKeyRotationService {
|
||||
request.webauthnKeys = rotatedWebauthnKeys;
|
||||
}
|
||||
|
||||
this.logService.info("[Userkey rotation] Posting user key rotation request to server");
|
||||
await this.apiService.postUserKeyUpdate(request);
|
||||
this.logService.info("[Userkey rotation] Userkey rotation request posted to server");
|
||||
|
||||
// TODO PM-2199: Add device trust rotation support to the user key rotation endpoint
|
||||
this.logService.info("[Userkey rotation] Rotating device trust...");
|
||||
await this.deviceTrustService.rotateDevicesTrust(user.id, newUserKey, masterPasswordHash);
|
||||
this.logService.info("[Userkey rotation] Device trust rotation completed");
|
||||
}
|
||||
|
||||
private async encryptPrivateKey(
|
||||
|
||||
Reference in New Issue
Block a user