[PM-5963] Fix tde offboarding vault corruption (#9480)

* Fix tde offboarding * Add tde offboarding password request * Add event for tde offboarding * Update libs/auth/src/common/models/domain/user-decryption-options.ts Co-authored-by: Jake Fink <jfink@bitwarden.com> * Update libs/common/src/services/api.service.ts Co-authored-by: Jake Fink <jfink@bitwarden.com> * Make tde offboarding take priority * Update tde offboarding message * Fix unit tests * Fix unit tests * Fix typo * Fix unit tests --------- Co-authored-by: Jake Fink <jfink@bitwarden.com>
2025-12-11 13:53:34 +00:00 · 2024-08-02 01:48:09 +02:00
parent d26ea1be5f
commit c6229abd12
19 changed files with 94 additions and 17 deletions
--- a/libs/angular/src/auth/components/sso.component.spec.ts
+++ b/libs/angular/src/auth/components/sso.component.spec.ts
@@ -154,12 +154,12 @@ describe("SsoComponent", () => {
      }),
      withMasterPasswordAndTrustedDevice: new UserDecryptionOptions({
        hasMasterPassword: true,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
        keyConnectorOption: undefined,
      }),
      withMasterPasswordAndTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
        hasMasterPassword: true,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
        keyConnectorOption: undefined,
      }),
      withMasterPasswordAndKeyConnector: new UserDecryptionOptions({
@@ -169,12 +169,12 @@ describe("SsoComponent", () => {
      }),
      noMasterPasswordWithTrustedDevice: new UserDecryptionOptions({
        hasMasterPassword: false,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
        keyConnectorOption: undefined,
      }),
      noMasterPasswordWithTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
        hasMasterPassword: false,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
        keyConnectorOption: undefined,
      }),
      noMasterPasswordWithKeyConnector: new UserDecryptionOptions({
--- a/libs/angular/src/auth/components/sso.component.ts
+++ b/libs/angular/src/auth/components/sso.component.ts
@@ -287,8 +287,18 @@ export class SsoComponent {
    orgIdentifier: string,
    userDecryptionOpts: UserDecryptionOptions,
  ): Promise<void> {
-    // If user doesn't have a MP, but has reset password permission, they must set a MP
+    // Tde offboarding takes precedence
    if (
+      !userDecryptionOpts.hasMasterPassword &&
+      userDecryptionOpts.trustedDeviceOption.isTdeOffboarding
+    ) {
+      const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
+      await this.masterPasswordService.setForceSetPasswordReason(
+        ForceSetPasswordReason.TdeOffboarding,
+        userId,
+      );
+    } else if (
+      // If user doesn't have a MP, but has reset password permission, they must set a MP
      !userDecryptionOpts.hasMasterPassword &&
      userDecryptionOpts.trustedDeviceOption.hasManageResetPasswordPermission
    ) {
--- a/libs/angular/src/auth/components/two-factor-auth/two-factor-auth.component.spec.ts
+++ b/libs/angular/src/auth/components/two-factor-auth/two-factor-auth.component.spec.ts
@@ -127,12 +127,12 @@ describe("TwoFactorComponent", () => {
      }),
      withMasterPasswordAndTrustedDevice: new UserDecryptionOptions({
        hasMasterPassword: true,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
        keyConnectorOption: undefined,
      }),
      withMasterPasswordAndTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
        hasMasterPassword: true,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
        keyConnectorOption: undefined,
      }),
      withMasterPasswordAndKeyConnector: new UserDecryptionOptions({
@@ -142,12 +142,12 @@ describe("TwoFactorComponent", () => {
      }),
      noMasterPasswordWithTrustedDevice: new UserDecryptionOptions({
        hasMasterPassword: false,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
        keyConnectorOption: undefined,
      }),
      noMasterPasswordWithTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
        hasMasterPassword: false,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
        keyConnectorOption: undefined,
      }),
      noMasterPasswordWithKeyConnector: new UserDecryptionOptions({
--- a/libs/angular/src/auth/components/two-factor.component.spec.ts
+++ b/libs/angular/src/auth/components/two-factor.component.spec.ts
@@ -120,12 +120,12 @@ describe("TwoFactorComponent", () => {
      }),
      withMasterPasswordAndTrustedDevice: new UserDecryptionOptions({
        hasMasterPassword: true,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
        keyConnectorOption: undefined,
      }),
      withMasterPasswordAndTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
        hasMasterPassword: true,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
        keyConnectorOption: undefined,
      }),
      withMasterPasswordAndKeyConnector: new UserDecryptionOptions({
@@ -135,12 +135,12 @@ describe("TwoFactorComponent", () => {
      }),
      noMasterPasswordWithTrustedDevice: new UserDecryptionOptions({
        hasMasterPassword: false,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
        keyConnectorOption: undefined,
      }),
      noMasterPasswordWithTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
        hasMasterPassword: false,
-        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
        keyConnectorOption: undefined,
      }),
      noMasterPasswordWithKeyConnector: new UserDecryptionOptions({
--- a/libs/angular/src/auth/components/update-temp-password.component.ts
+++ b/libs/angular/src/auth/components/update-temp-password.component.ts
@@ -12,6 +12,7 @@ import { UserVerificationService } from "@bitwarden/common/auth/abstractions/use
 import { VerificationType } from "@bitwarden/common/auth/enums/verification-type";
 import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
 import { PasswordRequest } from "@bitwarden/common/auth/models/request/password.request";
+import { UpdateTdeOffboardingPasswordRequest } from "@bitwarden/common/auth/models/request/update-tde-offboarding-password.request";
 import { UpdateTempPasswordRequest } from "@bitwarden/common/auth/models/request/update-temp-password.request";
 import { MasterPasswordVerification } from "@bitwarden/common/auth/types/verification";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
@@ -97,9 +98,13 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {
  }

  get masterPasswordWarningText(): string {
-    return this.reason == ForceSetPasswordReason.WeakMasterPassword
-      ? this.i18nService.t("updateWeakMasterPasswordWarning")
-      : this.i18nService.t("updateMasterPasswordWarning");
+    if (this.reason == ForceSetPasswordReason.WeakMasterPassword) {
+      return this.i18nService.t("weakMasterPasswordWarning");
+    } else if (this.reason == ForceSetPasswordReason.TdeOffboarding) {
+      return this.i18nService.t("tdeDisabledMasterPasswordRequired");
+    } else {
+      return this.i18nService.t("masterPasswordWarning");
+    }
  }

  togglePassword(confirmField: boolean) {
@@ -165,6 +170,9 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {
        case ForceSetPasswordReason.WeakMasterPassword:
          this.formPromise = this.updatePassword(masterPasswordHash, userKey);
          break;
+        case ForceSetPasswordReason.TdeOffboarding:
+          this.formPromise = this.updateTdeOffboardingPassword(masterPasswordHash, userKey);
+          break;
      }

      await this.formPromise;
@@ -211,4 +219,16 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {

    return this.apiService.postPassword(request);
  }
+
+  private async updateTdeOffboardingPassword(
+    masterPasswordHash: string,
+    userKey: [UserKey, EncString],
+  ) {
+    const request = new UpdateTdeOffboardingPasswordRequest();
+    request.key = userKey[1].encryptedString;
+    request.newMasterPasswordHash = masterPasswordHash;
+    request.masterPasswordHint = this.hint;
+
+    return this.apiService.putUpdateTdeOffboardingPassword(request);
+  }
 }