[PM-5255, PM-3339] Refactor login strategy to use state providers (#7821)

* add key definition and StrategyData classes * use state providers for login strategies * serialize login data for cache * use state providers for auth request notification * fix registrations * add docs to abstraction * fix sso strategy * fix password login strategy tests * fix base login strategy tests * fix user api login strategy tests * PM-3339 add tests for admin auth request in sso strategy * fix auth request login strategy tests * fix webauthn login strategy tests * create login strategy state * use barrel file in common/spec * test login strategy cache deserialization * use global state provider * add test for login strategy service * fix auth request storage * add recursive prototype checking and json deserializers to nested objects * fix CLI * Create wrapper for login strategy cache * use behavior subjects in strategies instead of global state * rename userApi to userApiKey * pr feedback * fix tests * fix deserialization tests * fix tests --------- Co-authored-by: rr-bw <102181210+rr-bw@users.noreply.github.com>
2025-12-18 09:13:33 +00:00 · 2024-03-12 14:19:50 -04:00
parent 6b1da67f3a
commit a0e0637bb6
35 changed files with 1414 additions and 362 deletions
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
@@ -5,8 +5,11 @@ import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abst
 import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
 import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
 import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
+import { AdminAuthRequestStorable } from "@bitwarden/common/auth/models/domain/admin-auth-req-storable";
+import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
 import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
 import { IUserDecryptionOptionsServerResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/user-decryption-options.response";
+import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -25,9 +28,6 @@ import { SsoLoginCredentials } from "../models/domain/login-credentials";
 import { identityTokenResponseFactory } from "./login.strategy.spec";
 import { SsoLoginStrategy } from "./sso-login.strategy";

-// TODO: Add tests for new trySetUserKeyWithApprovedAdminRequestIfExists logic
-// https://bitwarden.atlassian.net/browse/PM-3339
-
 describe("SsoLoginStrategy", () => {
  let cryptoService: MockProxy<CryptoService>;
  let apiService: MockProxy<ApiService>;
@@ -74,6 +74,7 @@ describe("SsoLoginStrategy", () => {
    tokenService.decodeToken.mockResolvedValue({});

    ssoLoginStrategy = new SsoLoginStrategy(
+      null,
      cryptoService,
      apiService,
      tokenService,
@@ -258,6 +259,114 @@ describe("SsoLoginStrategy", () => {
      // Assert
      expect(cryptoService.setUserKey).not.toHaveBeenCalled();
    });
+
+    describe("AdminAuthRequest", () => {
+      let tokenResponse: IdentityTokenResponse;
+
+      beforeEach(() => {
+        tokenResponse = identityTokenResponseFactory(null, {
+          HasMasterPassword: true,
+          TrustedDeviceOption: {
+            HasAdminApproval: true,
+            HasLoginApprovingDevice: false,
+            HasManageResetPasswordPermission: false,
+            EncryptedPrivateKey: mockEncDevicePrivateKey,
+            EncryptedUserKey: mockEncUserKey,
+          },
+        });
+
+        const adminAuthRequest = {
+          id: "1",
+          privateKey: "PRIVATE" as any,
+        } as AdminAuthRequestStorable;
+        stateService.getAdminAuthRequest.mockResolvedValue(
+          new AdminAuthRequestStorable(adminAuthRequest),
+        );
+      });
+
+      it("sets the user key using master key and hash from approved admin request if exists", async () => {
+        apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+        cryptoService.hasUserKey.mockResolvedValue(true);
+        const adminAuthResponse = {
+          id: "1",
+          publicKey: "PRIVATE" as any,
+          key: "KEY" as any,
+          masterPasswordHash: "HASH" as any,
+          requestApproved: true,
+        };
+        apiService.getAuthRequest.mockResolvedValue(adminAuthResponse as AuthRequestResponse);
+
+        await ssoLoginStrategy.logIn(credentials);
+
+        expect(authRequestService.setKeysAfterDecryptingSharedMasterKeyAndHash).toHaveBeenCalled();
+        expect(deviceTrustCryptoService.decryptUserKeyWithDeviceKey).not.toHaveBeenCalled();
+      });
+
+      it("sets the user key from approved admin request if exists", async () => {
+        apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+        cryptoService.hasUserKey.mockResolvedValue(true);
+        const adminAuthResponse = {
+          id: "1",
+          publicKey: "PRIVATE" as any,
+          key: "KEY" as any,
+          requestApproved: true,
+        };
+        apiService.getAuthRequest.mockResolvedValue(adminAuthResponse as AuthRequestResponse);
+
+        await ssoLoginStrategy.logIn(credentials);
+
+        expect(authRequestService.setUserKeyAfterDecryptingSharedUserKey).toHaveBeenCalled();
+        expect(deviceTrustCryptoService.decryptUserKeyWithDeviceKey).not.toHaveBeenCalled();
+      });
+
+      it("attempts to establish a trusted device if successful", async () => {
+        apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+        cryptoService.hasUserKey.mockResolvedValue(true);
+        const adminAuthResponse = {
+          id: "1",
+          publicKey: "PRIVATE" as any,
+          key: "KEY" as any,
+          requestApproved: true,
+        };
+        apiService.getAuthRequest.mockResolvedValue(adminAuthResponse as AuthRequestResponse);
+
+        await ssoLoginStrategy.logIn(credentials);
+
+        expect(authRequestService.setUserKeyAfterDecryptingSharedUserKey).toHaveBeenCalled();
+        expect(deviceTrustCryptoService.trustDeviceIfRequired).toHaveBeenCalled();
+      });
+
+      it("clears the admin auth request if server returns a 404, meaning it was deleted", async () => {
+        apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+        apiService.getAuthRequest.mockRejectedValue(new ErrorResponse(null, 404));
+
+        await ssoLoginStrategy.logIn(credentials);
+
+        expect(stateService.setAdminAuthRequest).toHaveBeenCalledWith(null);
+        expect(
+          authRequestService.setKeysAfterDecryptingSharedMasterKeyAndHash,
+        ).not.toHaveBeenCalled();
+        expect(authRequestService.setUserKeyAfterDecryptingSharedUserKey).not.toHaveBeenCalled();
+        expect(deviceTrustCryptoService.trustDeviceIfRequired).not.toHaveBeenCalled();
+      });
+
+      it("attempts to login with a trusted device if admin auth request isn't successful", async () => {
+        apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+        const adminAuthResponse = {
+          id: "1",
+          publicKey: "PRIVATE" as any,
+          key: "KEY" as any,
+          requestApproved: true,
+        };
+        apiService.getAuthRequest.mockResolvedValue(adminAuthResponse as AuthRequestResponse);
+        cryptoService.hasUserKey.mockResolvedValue(false);
+        deviceTrustCryptoService.getDeviceKey.mockResolvedValue("DEVICE_KEY" as any);
+
+        await ssoLoginStrategy.logIn(credentials);
+
+        expect(deviceTrustCryptoService.decryptUserKeyWithDeviceKey).toHaveBeenCalled();
+      });
+    });
  });

  describe("Key Connector", () => {