bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-15 07:43:35 +00:00
Code Issues Releases Wiki Activity

[PM-5363] PinService State Providers (#8244)

Browse Source 
* move pinKeyEncryptedUserKey

* move pinKeyEncryptedUserKeyEphemeral

* remove comments, move docs

* cleanup

* use UserKeyDefinition

* refactor methods

* add migration

* fix browser dependency

* add tests for migration

* rename to pinService

* move state to PinService

* add PinService dep to CryptoService

* move protectedPin to state provider

* update service deps

* renaming

* move decryptUserKeyWithPin to pinService

* update service injection

* move more methods our of crypto service

* remove CryptoService dep from PinService and update service injection

* remove cryptoService reference

* add method to FakeMasterPasswordService

* fix circular dependency

* fix desktop service injection

* update browser dependencies

* add protectedPin to migrations

* move storePinKey to pinService

* update and clarify documentation

* more jsdoc updates

* update import paths

* refactor isPinLockSet method

* update state definitions

* initialize service before injecting into other services

* initialize service before injecting into other services (bw.ts)

* update clearOn and do additional cleanup

* clarify docs and naming

* assign abstract & private methods, add clarity to decryptAndMigrateOldPinKeyEncryptedMasterKey() method

* derived state (attempt)

* fix typos

* use accountService to get active user email

* use constant userId

* add derived state

* add get and clear for oldPinKeyEncryptedMasterKey

* require userId

* move pinProtected

* add clear methods

* remove pinProtected from account.ts and replace methods

* add methods to create and store pinKeyEncryptedUserKey

* add pinProtected/oldPinKeyEncrypterMasterKey to migration

* update migration tests

* update migration rollback tests

* update to systemService and decryptAndMigrate... method

* remove old test

* increase length of state definition name to meet test requirements

* rename 'TRANSIENT' to 'EPHEMERAL' for consistency

* fix tests for login strategies, vault-export, and fake MP service

* more updates to login-strategy tests

* write new tests for core pinKeyEncrypterUserKey methods and isPinSet

* write new tests for pinProtected and oldPinKeyEncryptedMasterKey methods

* minor test reformatting

* update test for decryptUserKeyWithPin()

* fix bug with oldPinKeyEncryptedMasterKey

* fix tests for vault-timeout-settings.service

* fix bitwarden-password-protected-importer test

* fix login strategy tests and auth-request.service test

* update pinService tests

* fix crypto service tests

* add jsdoc

* fix test file import

* update jsdocs for decryptAndMigrateOldPinKeyEncryptedMasterKey()

* update error messages and jsdocs

* add null checks, move userId retrievals

* update migration tests

* update stateService calls to require userId

* update test for decryptUserKeyWithPin()

* update oldPinKeyEncryptedMasterKey migration tests

* more test updates

* fix factory import

* update tests for isPinSet() and createProtectedPin()

* add test for makePinKey()

* add test for createPinKeyEncryptedUserKey()

* add tests for getPinLockType()

* consolidate userId verification tests

* add tests for storePinKeyEncryptedUserKey()

* fix service dep

* get email based on userId

* use MasterPasswordService instead of internal

* rename protectedPin to userKeyEncryptedPin

* rename to pinKeyEncryptedUserKeyPersistent

* update method params

* fix CryptoService tests

* jsdoc update

* use EncString for userKeyEncryptedPin

* remove comment

* use cryptoFunctionService.compareFast()

* update tests

* cleanup, remove comments

* resolve merge conflict

* fix DI of MasterPasswordService

* more DI fixes
This commit is contained in:
rr-bw
2024-05-08 11:34:47 -07:00
committed by GitHub
parent c2812fc21d
commit a42de41587
84 changed files with 2182 additions and 998 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libs/common/src/state-migrations/migrate.ts
View File

@@ -58,13 +58,14 @@ import { RemoveRefreshTokenMigratedFlagMigrator } from "./migrations/58-remove-r
import { KdfConfigMigrator } from "./migrations/59-move-kdf-config-to-state-provider";
import { RemoveLegacyEtmKeyMigrator } from "./migrations/6-remove-legacy-etm-key";
import { KnownAccountsMigrator } from "./migrations/60-known-accounts";
import { PinStateMigrator } from "./migrations/61-move-pin-state-to-providers";
import { MoveBiometricAutoPromptToAccount } from "./migrations/7-move-biometric-auto-prompt-to-account";
import { MoveStateVersionMigrator } from "./migrations/8-move-state-version";
import { MoveBrowserSettingsToGlobal } from "./migrations/9-move-browser-settings-to-global";
import { MinVersionMigrator } from "./migrations/min-version";
export const MIN_VERSION = 3;
export const CURRENT_VERSION = 60;
export const CURRENT_VERSION = 61;
export type MinVersion = typeof MIN_VERSION;
export function createMigrationBuilder() {
@@ -126,7 +127,8 @@ export function createMigrationBuilder() {
.with(CipherServiceMigrator, 56, 57)
.with(RemoveRefreshTokenMigratedFlagMigrator, 57, 58)
.with(KdfConfigMigrator, 58, 59)
.with(KnownAccountsMigrator, 59, CURRENT_VERSION);
.with(KnownAccountsMigrator, 59, 60)
.with(PinStateMigrator, 60, CURRENT_VERSION);
}
export async function currentVersion(

176
libs/common/src/state-migrations/migrations/61-move-pin-state-to-providers.spec.ts Normal file
View File

@@ -0,0 +1,176 @@
import { MockProxy } from "jest-mock-extended";
import { MigrationHelper } from "../migration-helper";
import { mockMigrationHelper } from "../migration-helper.spec";
import {
OLD_PIN_KEY_ENCRYPTED_MASTER_KEY,
PIN_KEY_ENCRYPTED_USER_KEY_PERSISTENT,
USER_KEY_ENCRYPTED_PIN,
PinStateMigrator,
} from "./61-move-pin-state-to-providers";
function preMigrationState() {
return {
global: {
otherStuff: "otherStuff1",
},
global_account_accounts: {
// prettier-ignore
"AccountOne": {
email: "account-one@email.com",
name: "Account One",
},
// prettier-ignore
"AccountTwo": {
email: "account-two@email.com",
name: "Account Two",
},
},
// prettier-ignore
"AccountOne": {
settings: {
pinKeyEncryptedUserKey: "AccountOne_pinKeyEncryptedUserKeyPersistent",
protectedPin: "AccountOne_userKeyEncryptedPin", // note the name change
pinProtected: {
encrypted: "AccountOne_oldPinKeyEncryptedMasterKey", // note the name change
},
otherStuff: "otherStuff2",
},
otherStuff: "otherStuff3",
},
// prettier-ignore
"AccountTwo": {
settings: {
otherStuff: "otherStuff4",
},
},
};
}
function postMigrationState() {
return {
user_AccountOne_pinUnlock_pinKeyEncryptedUserKeyPersistent:
"AccountOne_pinKeyEncryptedUserKeyPersistent",
user_AccountOne_pinUnlock_userKeyEncryptedPin: "AccountOne_userKeyEncryptedPin",
user_AccountOne_pinUnlock_oldPinKeyEncryptedMasterKey: "AccountOne_oldPinKeyEncryptedMasterKey",
authenticatedAccounts: ["AccountOne", "AccountTwo"],
global: {
otherStuff: "otherStuff1",
},
global_account_accounts: {
// prettier-ignore
"AccountOne": {
email: "account-one@email.com",
name: "Account One",
},
// prettier-ignore
"AccountTwo": {
email: "account-two@email.com",
name: "Account Two",
},
},
// prettier-ignore
"AccountOne": {
settings: {
otherStuff: "otherStuff2",
},
otherStuff: "otherStuff3",
},
// prettier-ignore
"AccountTwo": {
settings: {
otherStuff: "otherStuff4",
},
},
};
}
describe("PinStateMigrator", () => {
let helper: MockProxy<MigrationHelper>;
let sut: PinStateMigrator;
describe("migrate", () => {
beforeEach(() => {
helper = mockMigrationHelper(preMigrationState(), 61);
sut = new PinStateMigrator(60, 61);
});
it("should remove properties (pinKeyEncryptedUserKey, protectedPin, pinProtected) from existing accounts", async () => {
await sut.migrate(helper);
expect(helper.set).toHaveBeenCalledWith("AccountOne", {
settings: {
otherStuff: "otherStuff2",
},
otherStuff: "otherStuff3",
});
expect(helper.set).not.toHaveBeenCalledWith("AccountTwo");
});
it("should set the properties (pinKeyEncryptedUserKeyPersistent, userKeyEncryptedPin, oldPinKeyEncryptedMasterKey) under the new key definitions", async () => {
await sut.migrate(helper);
expect(helper.setToUser).toHaveBeenCalledWith(
"AccountOne",
PIN_KEY_ENCRYPTED_USER_KEY_PERSISTENT,
"AccountOne_pinKeyEncryptedUserKeyPersistent",
);
expect(helper.setToUser).toHaveBeenCalledWith(
"AccountOne",
USER_KEY_ENCRYPTED_PIN,
"AccountOne_userKeyEncryptedPin",
);
expect(helper.setToUser).toHaveBeenCalledWith(
"AccountOne",
OLD_PIN_KEY_ENCRYPTED_MASTER_KEY,
"AccountOne_oldPinKeyEncryptedMasterKey",
);
expect(helper.setToUser).not.toHaveBeenCalledWith("AccountTwo");
});
});
describe("rollback", () => {
beforeEach(() => {
helper = mockMigrationHelper(postMigrationState(), 61);
sut = new PinStateMigrator(60, 61);
});
it("should null out the previously migrated values (pinKeyEncryptedUserKeyPersistent, userKeyEncryptedPin, oldPinKeyEncryptedMasterKey)", async () => {
await sut.rollback(helper);
expect(helper.setToUser).toHaveBeenCalledWith(
"AccountOne",
PIN_KEY_ENCRYPTED_USER_KEY_PERSISTENT,
null,
);
expect(helper.setToUser).toHaveBeenCalledWith("AccountOne", USER_KEY_ENCRYPTED_PIN, null);
expect(helper.setToUser).toHaveBeenCalledWith(
"AccountOne",
OLD_PIN_KEY_ENCRYPTED_MASTER_KEY,
null,
);
});
it("should set back the original account properties (pinKeyEncryptedUserKey, protectedPin, pinProtected)", async () => {
await sut.rollback(helper);
expect(helper.set).toHaveBeenCalledTimes(1);
expect(helper.set).toHaveBeenCalledWith("AccountOne", {
settings: {
pinKeyEncryptedUserKey: "AccountOne_pinKeyEncryptedUserKeyPersistent",
protectedPin: "AccountOne_userKeyEncryptedPin",
pinProtected: {
encrypted: "AccountOne_oldPinKeyEncryptedMasterKey",
},
otherStuff: "otherStuff2",
},
otherStuff: "otherStuff3",
});
});
});
});

129
libs/common/src/state-migrations/migrations/61-move-pin-state-to-providers.ts Normal file
View File

@@ -0,0 +1,129 @@
import { KeyDefinitionLike, MigrationHelper, StateDefinitionLike } from "../migration-helper";
import { Migrator } from "../migrator";
type ExpectedAccountState = {
settings?: {
pinKeyEncryptedUserKey?: string; // EncryptedString
protectedPin?: string; // EncryptedString
pinProtected?: {
encrypted?: string;
};
};
};
export const PIN_STATE: StateDefinitionLike = { name: "pinUnlock" };
export const PIN_KEY_ENCRYPTED_USER_KEY_PERSISTENT: KeyDefinitionLike = {
stateDefinition: PIN_STATE,
key: "pinKeyEncryptedUserKeyPersistent",
};
export const USER_KEY_ENCRYPTED_PIN: KeyDefinitionLike = {
stateDefinition: PIN_STATE,
key: "userKeyEncryptedPin",
};
export const OLD_PIN_KEY_ENCRYPTED_MASTER_KEY: KeyDefinitionLike = {
stateDefinition: PIN_STATE,
key: "oldPinKeyEncryptedMasterKey",
};
export class PinStateMigrator extends Migrator<60, 61> {
async migrate(helper: MigrationHelper): Promise<void> {
const legacyAccounts = await helper.getAccounts<ExpectedAccountState>();
let updatedAccount = false;
async function migrateAccount(userId: string, account: ExpectedAccountState) {
// Migrate pinKeyEncryptedUserKey (to `pinKeyEncryptedUserKeyPersistent`)
if (account?.settings?.pinKeyEncryptedUserKey != null) {
await helper.setToUser(
userId,
PIN_KEY_ENCRYPTED_USER_KEY_PERSISTENT,
account.settings.pinKeyEncryptedUserKey,
);
delete account.settings.pinKeyEncryptedUserKey;
updatedAccount = true;
}
// Migrate protectedPin (to `userKeyEncryptedPin`)
if (account?.settings?.protectedPin != null) {
await helper.setToUser(userId, USER_KEY_ENCRYPTED_PIN, account.settings.protectedPin);
delete account.settings.protectedPin;
updatedAccount = true;
}
// Migrate pinProtected (to `oldPinKeyEncryptedMasterKey`)
if (account?.settings?.pinProtected?.encrypted != null) {
await helper.setToUser(
userId,
OLD_PIN_KEY_ENCRYPTED_MASTER_KEY,
account.settings.pinProtected.encrypted,
);
delete account.settings.pinProtected;
updatedAccount = true;
}
if (updatedAccount) {
await helper.set(userId, account);
}
}
await Promise.all([
...legacyAccounts.map(({ userId, account }) => migrateAccount(userId, account)),
]);
}
async rollback(helper: MigrationHelper): Promise<void> {
const accounts = await helper.getAccounts<ExpectedAccountState>();
async function rollbackAccount(userId: string, account: ExpectedAccountState) {
let updatedAccount = false;
const accountPinKeyEncryptedUserKeyPersistent = await helper.getFromUser<string>(
userId,
PIN_KEY_ENCRYPTED_USER_KEY_PERSISTENT,
);
const accountUserKeyEncryptedPin = await helper.getFromUser<string>(
userId,
USER_KEY_ENCRYPTED_PIN,
);
const accountOldPinKeyEncryptedMasterKey = await helper.getFromUser<string>(
userId,
OLD_PIN_KEY_ENCRYPTED_MASTER_KEY,
);
if (!account) {
account = {};
}
if (accountPinKeyEncryptedUserKeyPersistent != null) {
account.settings.pinKeyEncryptedUserKey = accountPinKeyEncryptedUserKeyPersistent;
await helper.setToUser(userId, PIN_KEY_ENCRYPTED_USER_KEY_PERSISTENT, null);
updatedAccount = true;
}
if (accountUserKeyEncryptedPin != null) {
account.settings.protectedPin = accountUserKeyEncryptedPin;
await helper.setToUser(userId, USER_KEY_ENCRYPTED_PIN, null);
updatedAccount = true;
}
if (accountOldPinKeyEncryptedMasterKey != null) {
account.settings = Object.assign(account.settings ?? {}, {
pinProtected: {
encrypted: accountOldPinKeyEncryptedMasterKey,
},
});
await helper.setToUser(userId, OLD_PIN_KEY_ENCRYPTED_MASTER_KEY, null);
updatedAccount = true;
}
if (updatedAccount) {
await helper.set(userId, account);
}
}
await Promise.all(accounts.map(({ userId, account }) => rollbackAccount(userId, account)));
}
}