[AC-2302] Extract device approve/deny logic into a service (#8818)

* [AC-2302] Move organization-auth-request.service to bit-common folder

* [AC-2302] Rename organization-auth-request.service to organization-auth-request-api.service

* [AC-2302] Move logic from component to organization-auth-request.service

* [AC-2302] Fix import path in OrganizationAuthRequestService

* [AC-2302] Move imports to OrganizationsModule and delete unused CoreOrganizationModule

* [AC-2302] Move the call to get userResetPasswordDetails into OrganizationAuthRequestService

* [AC-2302] Remove @Injectable() and manually configure dependencies

* [AC-2302] Add OrganizationAuthRequestService unit tests first draft

* [AC-2302] Refactor device-approvals.component.ts to remove unused imports

* [AC-2302] Set up jest on bit-common and add unit tests for OrganizationAuthRequestService

* [AC-2302] Add bit-common to jest.config.js

* [AC-2302] Update organizations.module.ts to include safeProviders declared in variable

* [AC-2302] Remove services and views folders from bit-common

* [AC-2302] Define path mapping

* Adjust an import path

The import path of `PendingAuthRequestView` in
`OrganizationAuthRequestApiService` was pointing to the wrong place. I
think this file was just recently moved, and the import didn't get
updated.

* Get paths working

* Fix import

* Update jest config to use ts-jest adn jsdom

* Copy-paste path mappings from bit-web

* Remove unnecessary test setup file

* Undo unnecessary change

* Fix remaining path mappings

* Remove Bitwarden License mapping from OSS code

* Fix bit-web so it uses its own tsconfig

* Fix import path

* Remove web-bit entrypoint from OSS tsconfig

* Make DeviceApprovalsComponent standalone

* Remove organization-auth-request-api.service export

* Remove OrganizationsRoutingModule from DeviceApprovalsComponent imports

* Remove CoreOrganizationModule from OrganizationsModule imports

* Remove NoItemsModule from OrganizationsModule imports

* Use ApiService from JslibServicesModule

* Update providers in device-approvals.component.ts

---------

Co-authored-by: Addison Beck <hello@addisonbeck.com>
Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>

bitwarden_license/bit-common/src/admin-console/auth-requests/organization-auth-request.service.ts

@@ -0,0 +1,81 @@
+import { OrganizationUserService } from "@bitwarden/common/admin-console/abstractions/organization-user/organization-user.service";
+import { OrganizationUserResetPasswordDetailsResponse } from "@bitwarden/common/admin-console/abstractions/organization-user/responses";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+
+import { OrganizationAuthRequestApiService } from "./organization-auth-request-api.service";
+import { PendingAuthRequestView } from "./pending-auth-request.view";
+
+export class OrganizationAuthRequestService {
+  constructor(
+    private organizationAuthRequestApiService: OrganizationAuthRequestApiService,
+    private cryptoService: CryptoService,
+    private organizationUserService: OrganizationUserService,
+  ) {}
+
+  async listPendingRequests(organizationId: string): Promise<PendingAuthRequestView[]> {
+    return await this.organizationAuthRequestApiService.listPendingRequests(organizationId);
+  }
+
+  async denyPendingRequests(organizationId: string, ...requestIds: string[]): Promise<void> {
+    await this.organizationAuthRequestApiService.denyPendingRequests(organizationId, ...requestIds);
+  }
+
+  async approvePendingRequest(organizationId: string, authRequest: PendingAuthRequestView) {
+    const details = await this.organizationUserService.getOrganizationUserResetPasswordDetails(
+      organizationId,
+      authRequest.organizationUserId,
+    );
+
+    if (details == null || details.resetPasswordKey == null) {
+      throw new Error(
+        "The user must be enrolled in account recovery (password reset) in order for the request to be approved.",
+      );
+    }
+
+    const encryptedKey = await this.getEncryptedUserKey(
+      organizationId,
+      authRequest.publicKey,
+      details,
+    );
+
+    await this.organizationAuthRequestApiService.approvePendingRequest(
+      organizationId,
+      authRequest.id,
+      encryptedKey,
+    );
+  }
+
+  /**
+   * Creates a copy of the user key that has been encrypted with the provided device's public key.
+   * @param organizationId
+   * @param devicePublicKey
+   * @param resetPasswordDetails
+   * @private
+   */
+  private async getEncryptedUserKey(
+    organizationId: string,
+    devicePublicKey: string,
+    resetPasswordDetails: OrganizationUserResetPasswordDetailsResponse,
+  ): Promise<EncString> {
+    const encryptedUserKey = resetPasswordDetails.resetPasswordKey;
+    const encryptedOrgPrivateKey = resetPasswordDetails.encryptedPrivateKey;
+    const devicePubKey = Utils.fromB64ToArray(devicePublicKey);
+
+    // Decrypt Organization's encrypted Private Key with org key
+    const orgSymKey = await this.cryptoService.getOrgKey(organizationId);
+    const decOrgPrivateKey = await this.cryptoService.decryptToBytes(
+      new EncString(encryptedOrgPrivateKey),
+      orgSymKey,
+    );
+
+    // Decrypt user key with decrypted org private key
+    const decValue = await this.cryptoService.rsaDecrypt(encryptedUserKey, decOrgPrivateKey);
+    const userKey = new SymmetricCryptoKey(decValue);
+
+    // Re-encrypt user Key with the Device Public Key
+    return await this.cryptoService.rsaEncrypt(userKey.key, devicePubKey);
+  }
+}