[PM-5963] Fix tde offboarding vault corruption (#9480)

* Fix tde offboarding * Add tde offboarding password request * Add event for tde offboarding * Update libs/auth/src/common/models/domain/user-decryption-options.ts Co-authored-by: Jake Fink <jfink@bitwarden.com> * Update libs/common/src/services/api.service.ts Co-authored-by: Jake Fink <jfink@bitwarden.com> * Make tde offboarding take priority * Update tde offboarding message * Fix unit tests * Fix unit tests * Fix typo * Fix unit tests --------- Co-authored-by: Jake Fink <jfink@bitwarden.com>
2025-12-15 07:43:35 +00:00 · 2024-08-02 01:48:09 +02:00
parent d26ea1be5f
commit c6229abd12
19 changed files with 94 additions and 17 deletions
--- a/libs/common/src/abstractions/api.service.ts
+++ b/libs/common/src/abstractions/api.service.ts
@@ -48,6 +48,7 @@ import { TwoFactorEmailRequest } from "../auth/models/request/two-factor-email.r
 import { TwoFactorProviderRequest } from "../auth/models/request/two-factor-provider.request";
 import { TwoFactorRecoveryRequest } from "../auth/models/request/two-factor-recovery.request";
 import { UpdateProfileRequest } from "../auth/models/request/update-profile.request";
+import { UpdateTdeOffboardingPasswordRequest } from "../auth/models/request/update-tde-offboarding-password.request";
 import { UpdateTempPasswordRequest } from "../auth/models/request/update-temp-password.request";
 import { UpdateTwoFactorAuthenticatorRequest } from "../auth/models/request/update-two-factor-authenticator.request";
 import { UpdateTwoFactorDuoRequest } from "../auth/models/request/update-two-factor-duo.request";
@@ -181,6 +182,7 @@ export abstract class ApiService {
  postUserApiKey: (id: string, request: SecretVerificationRequest) => Promise<ApiKeyResponse>;
  postUserRotateApiKey: (id: string, request: SecretVerificationRequest) => Promise<ApiKeyResponse>;
  putUpdateTempPassword: (request: UpdateTempPasswordRequest) => Promise<any>;
+  putUpdateTdeOffboardingPassword: (request: UpdateTdeOffboardingPasswordRequest) => Promise<any>;
  postConvertToKeyConnector: () => Promise<void>;
  //passwordless
  postAuthRequest: (request: CreateAuthRequest) => Promise<AuthRequestResponse>;
--- a/libs/common/src/auth/models/domain/force-set-password-reason.ts
+++ b/libs/common/src/auth/models/domain/force-set-password-reason.ts
@@ -26,4 +26,9 @@ export enum ForceSetPasswordReason {
   * Set post login & decryption client side and by server in sync (to catch logged in users).
   */
  TdeUserWithoutPasswordHasPasswordResetPermission,
+
+  /**
+   * Occurs when TDE is disabled and master password has to be set.
+   */
+  TdeOffboarding,
 }
--- a/libs/common/src/auth/models/request/update-tde-offboarding-password.request.ts
+++ b/libs/common/src/auth/models/request/update-tde-offboarding-password.request.ts
@@ -0,0 +1,5 @@
+import { OrganizationUserResetPasswordRequest } from "../../../admin-console/abstractions/organization-user/requests";
+
+export class UpdateTdeOffboardingPasswordRequest extends OrganizationUserResetPasswordRequest {
+  masterPasswordHint: string;
+}
--- a/libs/common/src/auth/models/response/user-decryption-options/trusted-device-user-decryption-option.response.ts
+++ b/libs/common/src/auth/models/response/user-decryption-options/trusted-device-user-decryption-option.response.ts
@@ -5,6 +5,7 @@ export interface ITrustedDeviceUserDecryptionOptionServerResponse {
  HasAdminApproval: boolean;
  HasLoginApprovingDevice: boolean;
  HasManageResetPasswordPermission: boolean;
+  IsTdeOffboarding: boolean;
  EncryptedPrivateKey?: string;
  EncryptedUserKey?: string;
 }
@@ -13,6 +14,7 @@ export class TrustedDeviceUserDecryptionOptionResponse extends BaseResponse {
  hasAdminApproval: boolean;
  hasLoginApprovingDevice: boolean;
  hasManageResetPasswordPermission: boolean;
+  isTdeOffboarding: boolean;
  encryptedPrivateKey: EncString;
  encryptedUserKey: EncString;

@@ -25,6 +27,8 @@ export class TrustedDeviceUserDecryptionOptionResponse extends BaseResponse {
      "HasManageResetPasswordPermission",
    );

+    this.isTdeOffboarding = this.getResponseProperty("IsTdeOffboarding");
+
    if (response.EncryptedPrivateKey) {
      this.encryptedPrivateKey = new EncString(this.getResponseProperty("EncryptedPrivateKey"));
    }
--- a/libs/common/src/enums/event-type.enum.ts
+++ b/libs/common/src/enums/event-type.enum.ts
@@ -11,6 +11,7 @@ export enum EventType {
  User_UpdatedTempPassword = 1008,
  User_MigratedKeyToKeyConnector = 1009,
  User_RequestedDeviceApproval = 1010,
+  User_TdeOffboardingPasswordSet = 1011,

  Cipher_Created = 1100,
  Cipher_Updated = 1101,
--- a/libs/common/src/services/api.service.ts
+++ b/libs/common/src/services/api.service.ts
@@ -57,6 +57,7 @@ import { TwoFactorEmailRequest } from "../auth/models/request/two-factor-email.r
 import { TwoFactorProviderRequest } from "../auth/models/request/two-factor-provider.request";
 import { TwoFactorRecoveryRequest } from "../auth/models/request/two-factor-recovery.request";
 import { UpdateProfileRequest } from "../auth/models/request/update-profile.request";
+import { UpdateTdeOffboardingPasswordRequest } from "../auth/models/request/update-tde-offboarding-password.request";
 import { UpdateTempPasswordRequest } from "../auth/models/request/update-temp-password.request";
 import { UpdateTwoFactorAuthenticatorRequest } from "../auth/models/request/update-two-factor-authenticator.request";
 import { UpdateTwoFactorDuoRequest } from "../auth/models/request/update-two-factor-duo.request";
@@ -461,6 +462,10 @@ export class ApiService implements ApiServiceAbstraction {
    return this.send("PUT", "/accounts/update-temp-password", request, true, false);
  }

+  putUpdateTdeOffboardingPassword(request: UpdateTdeOffboardingPasswordRequest): Promise<void> {
+    return this.send("PUT", "/accounts/update-tde-offboarding-password", request, true, false);
+  }
+
  postConvertToKeyConnector(): Promise<void> {
    return this.send("POST", "/accounts/convert-to-key-connector", null, true, false);
  }