[PM-26057] Enforce session timeout policy (#17424)

* enforce session timeout policy

* better angular validation

* lint fix

* missing switch break

* fallback when timeout not supported with highest available timeout

* failing unit tests

* incorrect policy message

* vault timeout type adjustments

* fallback to "on browser refresh" for browser, when policy is set to "on system locked", but not available (Safari)

* docs, naming improvements

* fallback for current user session timeout to "on refresh", when policy is set to "on system locked", but not available.

* don't display policy message when the policy does not affect available timeout options

* 8 hours default when changing from non-numeric timeout to Custom.

* failing unit test

* missing locales, changing functions access to private, docs

* removal of redundant magic number

* missing await

* await once for available timeout options

* adjusted messaging

* unit test coverage

* vault timeout numeric module exports

* unit test coverage

apps/web/src/app/core/core.module.ts

@@ -69,6 +69,7 @@ import { ProcessReloadServiceAbstraction } from "@bitwarden/common/key-managemen
 import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/abstractions/crypto-function.service";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
+import { SessionTimeoutTypeService } from "@bitwarden/common/key-management/session-timeout";
 import {
   VaultTimeout,
   VaultTimeoutStringType,
@@ -124,7 +125,6 @@ import {
 import { SerializedMemoryStorageService } from "@bitwarden/storage-core";
 import { DefaultSshImportPromptService, SshImportPromptService } from "@bitwarden/vault";
 import { WebOrganizationInviteService } from "@bitwarden/web-vault/app/auth/core/services/organization-invite/web-organization-invite.service";
-import { WebSessionTimeoutSettingsComponentService } from "@bitwarden/web-vault/app/key-management/session-timeout/services/web-session-timeout-settings-component.service";
 import { WebVaultPremiumUpgradePromptService } from "@bitwarden/web-vault/app/vault/services/web-premium-upgrade-prompt.service";
 
 import { flagEnabled } from "../../utils/flags";
@@ -149,6 +149,7 @@ import { WebFileDownloadService } from "../core/web-file-download.service";
 import { UserKeyRotationService } from "../key-management/key-rotation/user-key-rotation.service";
 import { WebLockComponentService } from "../key-management/lock/services/web-lock-component.service";
 import { WebProcessReloadService } from "../key-management/services/web-process-reload.service";
+import { WebSessionTimeoutTypeService } from "../key-management/session-timeout/services/web-session-timeout-type.service";
 import { WebBiometricsService } from "../key-management/web-biometric.service";
 import { WebIpcService } from "../platform/ipc/web-ipc.service";
 import { WebEnvironmentService } from "../platform/web-environment.service";
@@ -469,10 +470,15 @@ const safeProviders: SafeProvider[] = [
     useClass: WebSystemService,
     deps: [],
   }),
+  safeProvider({
+    provide: SessionTimeoutTypeService,
+    useClass: WebSessionTimeoutTypeService,
+    deps: [PlatformUtilsService],
+  }),
   safeProvider({
     provide: SessionTimeoutSettingsComponentService,
-    useClass: WebSessionTimeoutSettingsComponentService,
-    deps: [I18nServiceAbstraction, PlatformUtilsService],
+    useClass: SessionTimeoutSettingsComponentService,
+    deps: [I18nServiceAbstraction, SessionTimeoutTypeService, PolicyService],
   }),
 ];
 

apps/web/src/app/key-management/session-timeout/services/web-session-timeout-settings-component.service.ts

@@ -1,39 +0,0 @@
-import { defer, Observable, of } from "rxjs";
-
-import {
-  VaultTimeout,
-  VaultTimeoutOption,
-  VaultTimeoutStringType,
-} from "@bitwarden/common/key-management/vault-timeout";
-import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
-import { SessionTimeoutSettingsComponentService } from "@bitwarden/key-management-ui";
-
-export class WebSessionTimeoutSettingsComponentService
-  implements SessionTimeoutSettingsComponentService
-{
-  availableTimeoutOptions$: Observable<VaultTimeoutOption[]> = defer(() => {
-    const options: VaultTimeoutOption[] = [
-      { name: this.i18nService.t("oneMinute"), value: 1 },
-      { name: this.i18nService.t("fiveMinutes"), value: 5 },
-      { name: this.i18nService.t("fifteenMinutes"), value: 15 },
-      { name: this.i18nService.t("thirtyMinutes"), value: 30 },
-      { name: this.i18nService.t("oneHour"), value: 60 },
-      { name: this.i18nService.t("fourHours"), value: 240 },
-      { name: this.i18nService.t("onRefresh"), value: VaultTimeoutStringType.OnRestart },
-    ];
-
-    if (this.platformUtilsService.isDev()) {
-      options.push({ name: this.i18nService.t("never"), value: VaultTimeoutStringType.Never });
-    }
-
-    return of(options);
-  });
-
-  constructor(
-    private readonly i18nService: I18nService,
-    private readonly platformUtilsService: PlatformUtilsService,
-  ) {}
-
-  onTimeoutSave(_: VaultTimeout): void {}
-}

apps/web/src/app/key-management/session-timeout/services/web-session-timeout-type.service.spec.ts

@@ -0,0 +1,115 @@
+import { mock } from "jest-mock-extended";
+
+import {
+  VaultTimeoutNumberType,
+  VaultTimeoutStringType,
+} from "@bitwarden/common/key-management/vault-timeout";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+
+import { WebSessionTimeoutTypeService } from "./web-session-timeout-type.service";
+
+describe("WebSessionTimeoutTypeService", () => {
+  let service: WebSessionTimeoutTypeService;
+  let mockPlatformUtilsService: jest.Mocked<PlatformUtilsService>;
+
+  beforeEach(() => {
+    mockPlatformUtilsService = mock<PlatformUtilsService>();
+    service = new WebSessionTimeoutTypeService(mockPlatformUtilsService);
+  });
+
+  describe("isAvailable", () => {
+    it("should return false for Immediately", async () => {
+      const result = await service.isAvailable(VaultTimeoutNumberType.Immediately);
+
+      expect(result).toBe(false);
+    });
+
+    it.each([VaultTimeoutStringType.OnRestart, VaultTimeoutStringType.Custom])(
+      "should return true for always available type: %s",
+      async (timeoutType) => {
+        const result = await service.isAvailable(timeoutType);
+
+        expect(result).toBe(true);
+      },
+    );
+
+    it.each([VaultTimeoutNumberType.OnMinute, VaultTimeoutNumberType.EightHours])(
+      "should return true for numeric timeout type: %s",
+      async (timeoutType) => {
+        const result = await service.isAvailable(timeoutType);
+
+        expect(result).toBe(true);
+      },
+    );
+
+    it.each([
+      VaultTimeoutStringType.OnIdle,
+      VaultTimeoutStringType.OnSleep,
+      VaultTimeoutStringType.OnLocked,
+    ])("should return false for unavailable timeout type: %s", async (timeoutType) => {
+      const result = await service.isAvailable(timeoutType);
+
+      expect(result).toBe(false);
+    });
+
+    describe("Never availability", () => {
+      it("should return true when in dev mode", async () => {
+        mockPlatformUtilsService.isDev.mockReturnValue(true);
+
+        const result = await service.isAvailable(VaultTimeoutStringType.Never);
+
+        expect(result).toBe(true);
+        expect(mockPlatformUtilsService.isDev).toHaveBeenCalled();
+      });
+
+      it("should return false when not in dev mode", async () => {
+        mockPlatformUtilsService.isDev.mockReturnValue(false);
+
+        const result = await service.isAvailable(VaultTimeoutStringType.Never);
+
+        expect(result).toBe(false);
+        expect(mockPlatformUtilsService.isDev).toHaveBeenCalled();
+      });
+    });
+  });
+
+  describe("getOrPromoteToAvailable", () => {
+    it.each([
+      VaultTimeoutNumberType.OnMinute,
+      VaultTimeoutNumberType.EightHours,
+      VaultTimeoutStringType.OnRestart,
+      VaultTimeoutStringType.Never,
+      VaultTimeoutStringType.Custom,
+    ])("should return the original type when it is available: %s", async (timeoutType) => {
+      jest.spyOn(service, "isAvailable").mockResolvedValue(true);
+
+      const result = await service.getOrPromoteToAvailable(timeoutType);
+
+      expect(result).toBe(timeoutType);
+      expect(service.isAvailable).toHaveBeenCalledWith(timeoutType);
+    });
+
+    it("should return OnMinute when Immediately is not available", async () => {
+      jest.spyOn(service, "isAvailable").mockResolvedValue(false);
+
+      const result = await service.getOrPromoteToAvailable(VaultTimeoutNumberType.Immediately);
+
+      expect(result).toBe(VaultTimeoutNumberType.OnMinute);
+      expect(service.isAvailable).toHaveBeenCalledWith(VaultTimeoutNumberType.Immediately);
+    });
+
+    it.each([
+      VaultTimeoutStringType.OnIdle,
+      VaultTimeoutStringType.OnSleep,
+      VaultTimeoutStringType.OnLocked,
+      VaultTimeoutStringType.Never,
+    ])("should return OnRestart when type is not available: %s", async (timeoutType) => {
+      jest.spyOn(service, "isAvailable").mockResolvedValue(false);
+
+      const result = await service.getOrPromoteToAvailable(timeoutType);
+
+      expect(result).toBe(VaultTimeoutStringType.OnRestart);
+      expect(service.isAvailable).toHaveBeenCalledWith(timeoutType);
+    });
+  });
+});

apps/web/src/app/key-management/session-timeout/services/web-session-timeout-type.service.ts

@@ -0,0 +1,44 @@
+import { SessionTimeoutTypeService } from "@bitwarden/common/key-management/session-timeout";
+import {
+  isVaultTimeoutTypeNumeric,
+  VaultTimeout,
+  VaultTimeoutNumberType,
+  VaultTimeoutStringType,
+} from "@bitwarden/common/key-management/vault-timeout";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+
+export class WebSessionTimeoutTypeService implements SessionTimeoutTypeService {
+  constructor(private readonly platformUtilsService: PlatformUtilsService) {}
+
+  async isAvailable(type: VaultTimeout): Promise<boolean> {
+    switch (type) {
+      case VaultTimeoutNumberType.Immediately:
+        return false;
+      case VaultTimeoutStringType.OnRestart:
+      case VaultTimeoutStringType.Custom:
+        return true;
+      case VaultTimeoutStringType.Never:
+        return this.platformUtilsService.isDev();
+      default:
+        if (isVaultTimeoutTypeNumeric(type)) {
+          return true;
+        }
+        break;
+    }
+
+    return false;
+  }
+
+  async getOrPromoteToAvailable(type: VaultTimeout): Promise<VaultTimeout> {
+    const available = await this.isAvailable(type);
+    if (!available) {
+      switch (type) {
+        case VaultTimeoutNumberType.Immediately:
+          return VaultTimeoutNumberType.OnMinute;
+        default:
+          return VaultTimeoutStringType.OnRestart;
+      }
+    }
+    return type;
+  }
+}

apps/web/src/app/settings/preferences.component.html

@@ -17,12 +17,12 @@
         {{ "vaultTimeoutActionPolicyInEffect" | i18n: (policy.action | i18n) }}
       </span>
     </bit-callout>
-    <bit-session-timeout-input
+    <bit-session-timeout-input-legacy
       [vaultTimeoutOptions]="vaultTimeoutOptions"
       [formControl]="form.controls.vaultTimeout"
       ngDefaultControl
     >
-    </bit-session-timeout-input>
+    </bit-session-timeout-input-legacy>
     <ng-container *ngIf="availableVaultTimeoutActions$ | async as availableVaultTimeoutActions">
       <bit-radio-group
         formControlName="vaultTimeoutAction"

apps/web/src/app/settings/preferences.component.ts

@@ -33,7 +33,7 @@ import { Theme, ThemeTypes } from "@bitwarden/common/platform/enums";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { ThemeStateService } from "@bitwarden/common/platform/theming/theme-state.service";
 import { DialogService } from "@bitwarden/components";
-import { SessionTimeoutInputComponent } from "@bitwarden/key-management-ui";
+import { SessionTimeoutInputLegacyComponent } from "@bitwarden/key-management-ui";
 import { PermitCipherDetailsPopoverComponent } from "@bitwarden/vault";
 
 import { HeaderModule } from "../layouts/header/header.module";
@@ -52,8 +52,8 @@ import { SharedModule } from "../shared";
   imports: [
     SharedModule,
     HeaderModule,
-    SessionTimeoutInputComponent,
     PermitCipherDetailsPopoverComponent,
+    SessionTimeoutInputLegacyComponent,
   ],
 })
 export class PreferencesComponent implements OnInit, OnDestroy {

apps/web/src/locales/en/messages.json

@@ -12214,5 +12214,43 @@
   },
   "userVerificationFailed": {
     "message": "User verification failed."
+  },
+  "sessionTimeoutSettingsManagedByOrganization": {
+    "message": "This setting is managed by your organization."
+  },
+  "sessionTimeoutSettingsPolicySetMaximumTimeoutToHoursMinutes": {
+    "message": "Your organization has set the maximum session timeout to $HOURS$ hour(s) and $MINUTES$ minute(s).",
+    "placeholders": {
+      "hours": {
+        "content": "$1",
+        "example": "8"
+      },
+      "minutes": {
+        "content": "$2",
+        "example": "2"
+      }
+    }
+  },
+  "sessionTimeoutSettingsPolicySetDefaultTimeoutToOnRestart": {
+    "message": "Your organization has set the default session timeout to On browser refresh."
+  },
+  "sessionTimeoutSettingsPolicyMaximumError": {
+    "message": "Maximum timeout cannot exceed $HOURS$ hour(s) and $MINUTES$ minute(s)",
+    "placeholders": {
+      "hours": {
+        "content": "$1",
+        "example": "5"
+      },
+      "minutes": {
+        "content": "$2",
+        "example": "5"
+      }
+    }
+  },
+  "sessionTimeoutOnRestart": {
+    "message": "On browser refresh"
+  },
+  "sessionTimeoutSettingsSetUnlockMethodToChangeTimeoutAction": {
+    "message": "Set an unlock method to change your timeout action"
   }
 }