From bc4b3f3d7460cd30ac5cefc5240c703dee9cf3c4 Mon Sep 17 00:00:00 2001
From: Jacob Fink
Date: Tue, 23 May 2023 16:57:31 -0400
Subject: [PATCH] add storage for master key encrypted user symmetric key
---
 .../platform/abstractions/state.service.ts | 6 +-
 .../src/platform/models/domain/account.ts | 3 +-
 .../src/platform/services/state.service.ts | 68 ++++++++++++++-----
 3 files changed, 57 insertions(+), 20 deletions(-)
diff --git a/libs/common/src/platform/abstractions/state.service.ts b/libs/common/src/platform/abstractions/state.service.ts
index cc0540ab23b..5e2ad1b0acb 100644
--- a/libs/common/src/platform/abstractions/state.service.ts
+++ b/libs/common/src/platform/abstractions/state.service.ts
@@ -78,10 +78,12 @@ export abstract class StateService {
 setConvertAccountToKeyConnector: (value: boolean, options?: StorageOptions) => Promise;
 // new keys
- getMasterKey: (options?: StorageOptions) => Promise;
- setMasterKey: (value: MasterKey, options?: StorageOptions) => Promise;
 getUserSymKey: (options?: StorageOptions) => Promise;
 setUserSymKey: (value: UserSymKey, options?: StorageOptions) => Promise;
+ getMasterKey: (options?: StorageOptions) => Promise;
+ setMasterKey: (value: MasterKey, options?: StorageOptions) => Promise;
+ getUserSymKeyMasterKey: (options?: StorageOptions) => Promise;
+ setUserSymKeyMasterKey: (value: string, options?: StorageOptions) => Promise;
 getUserSymKeyAuto: (options?: StorageOptions) => Promise;
 setUserSymKeyAuto: (value: string, options?: StorageOptions) => Promise;
 getUserSymKeyBiometric: (options?: StorageOptions) => Promise;
diff --git a/libs/common/src/platform/models/domain/account.ts b/libs/common/src/platform/models/domain/account.ts
index 7a132c88135..4da1a890c45 100644
--- a/libs/common/src/platform/models/domain/account.ts
+++ b/libs/common/src/platform/models/domain/account.ts
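Review bot: The new `getUserSymKeyMasterKey` / `setUserSymKeyMasterKey` declarations carry no documentation, so nothing in this abstraction tells a caller what the `string` holds or which storage tier it lives in, even though this file is the contract every implementation is written against; the `userSymKeyMasterKey?: string` field added in account.ts has the same gap. The service hunk's comments describe the value as the user symmetric key encrypted under the master key, persisted with the on-disk defaults, and leave a TODO questioning that choice, so a TSDoc here would both inform callers and settle that question in one place. Suggested, above the getter: `/** Ciphertext of the user symmetric key under the master key; persisted (on disk, per the service implementation) so the vault can be unlocked with the master password while offline. */`, with a one-line `// user symmetric key encrypted under the master key (EncString form)` on the account.ts field, hedged until the stored encoding is confirmed.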
@@ -100,8 +100,9 @@ export class AccountData {
 export class AccountKeys {
 // new keys
- masterKey?: MasterKey;
 userSymKey?: UserSymKey;
+ masterKey?: MasterKey;
+ userSymKeyMasterKey?: string;
 userSymKeyAuto?: string;
 userSymKeyBiometric?: string;
 // end new keys
diff --git a/libs/common/src/platform/services/state.service.ts b/libs/common/src/platform/services/state.service.ts
index 2d776ed7c83..d5a5b2a84fb 100644
--- a/libs/common/src/platform/services/state.service.ts
+++ b/libs/common/src/platform/services/state.service.ts
@@ -557,23 +557,6 @@ export class StateService<
 }
 }
- async getMasterKey(options?: StorageOptions): Promise {
- const account = await this.getAccount(
- this.reconcileOptions(options, await this.defaultInMemoryOptions())
- );
- return account?.keys?.masterKey;
- }
- async setMasterKey(value: MasterKey, options?: StorageOptions): Promise {
- const account = await this.getAccount(
- this.reconcileOptions(options, await this.defaultInMemoryOptions())
- );
- account.keys.masterKey = value;
- await this.saveAccount(
- account,
- this.reconcileOptions(options, await this.defaultInMemoryOptions())
- );
- }
-
 /**
 * User's symmetric key used to encrypt/decrypt data
 */
@@ -607,6 +590,57 @@ export class StateService<
 }
 }
+ /**
+ * User's master key derived from MP, saved only if we decrypted with MP
+ */
+ async getMasterKey(options?: StorageOptions): Promise {
+ const account = await this.getAccount(
+ this.reconcileOptions(options, await this.defaultInMemoryOptions())
+ );
+ return account?.keys?.masterKey;
+ }
+
+ /**
+ * User's master key derived from MP, saved only if we decrypted with MP
+ */
+ async setMasterKey(value: MasterKey, options?: StorageOptions): Promise {
+ const account = await this.getAccount(
+ this.reconcileOptions(options, await this.defaultInMemoryOptions())
+ );
+ account.keys.masterKey = value;
+ await this.saveAccount(
+ account,
+ this.reconcileOptions(options, await this.defaultInMemoryOptions())
+ );
+ }
+
+ /**
+ * The master key encrypted User symmetric key, saved on every auth
+ * so we can unlock with MP offline
+ */
+ async getUserSymKeyMasterKey(options?: StorageOptions): Promise {
+ // TODO: defaultOnDiskOptions? Other's are saved in secure storage
+ return (
+ await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
+ )?.keys.userSymKeyMasterKey;
+ }
+
+ /**
+ * The master key encrypted User symmetric key, saved on every auth
+ * so we can unlock with MP offline
+ */
+ async setUserSymKeyMasterKey(value: string, options?: StorageOptions): Promise {
+ // TODO: defaultOnDiskOptions? Other's are saved in secure storage
+ const account = await this.getAccount(
+ this.reconcileOptions(options, await this.defaultOnDiskOptions())
+ );
+ account.keys.userSymKeyMasterKey = value;
+ await this.saveAccount(
+ account,
+ this.reconcileOptions(options, await this.defaultOnDiskOptions())
+ );
+ }
+
 /**
 * User's symmetric key when using the "never" option of vault timeout
 */
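Review bot: `getUserSymKeyMasterKey` returns `)?.keys.userSymKeyMasterKey`, which throws if the account exists but has no `keys`, whereas the sibling `getMasterKey` in the same hunk guards with `account?.keys?.masterKey`; make them consistent with `)?.keys?.userSymKeyMasterKey;`. The two `// TODO: defaultOnDiskOptions? Other's are saved in secure storage` comments should be resolved rather than shipped: the stored value is the user symmetric key encrypted under the master key, and the master key itself is only kept via `defaultInMemoryOptions()` in this hunk, so persisting the ciphertext on disk appears sound as long as that remains true — record that rationale in the doc comment so a later change does not move the master key to disk, or this value into secure storage, without revisiting it. In `setUserSymKeyMasterKey` (and `setMasterKey`) the `reconcileOptions(...)` expression is built twice; hoist it once, `const opts = this.reconcileOptions(options, await this.defaultOnDiskOptions());`, and pass `opts` to both `getAccount` and `saveAccount`. Both setters also dereference `account.keys` without the null handling the getters use, so a missing account surfaces as a TypeError instead of a clear error.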