[PM-21033/PM-22863] User Encryption v2 (#14942)

* Add new encrypt service functions * Undo changes * Cleanup * Fix build * Fix comments * Switch encrypt service to use SDK functions * Move remaining functions to PureCrypto * Tests * Increase test coverage * Split up userkey rotation v2 and add tests * Fix eslint * Fix type errors * Fix tests * Implement signing keys * Fix sdk init * Remove key rotation v2 flag * Fix parsing when user does not have signing keys * Clear up trusted key naming * Split up getNewAccountKeys * Add trim and lowercase * Replace user.email with masterKeySalt * Add wasTrustDenied to verifyTrust in key rotation service * Move testable userkey rotation service code to testable class * Fix build * Add comments * Undo changes * Fix incorrect behavior on aborting key rotation and fix import * Fix tests * Make members of userkey rotation service protected * Fix type error * Cleanup and add injectable annotation * Fix tests * Update apps/web/src/app/key-management/key-rotation/user-key-rotation.service.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Remove v1 rotation request * Add upgrade to user encryption v2 * Fix types * Update sdk method calls * Update request models for new server api for rotation * Fix build * Update userkey rotation for new server API * Update crypto client call for new sdk changes * Fix rotation with signing keys * Cargo lock * Fix userkey rotation service * Fix types * Undo changes to feature flag service * Fix linting * [PM-22863] Account security state (#15309) * Add account security state * Update key rotation * Rename * Fix build * Cleanup * Further cleanup * Tests * Increase test coverage * Add test * Increase test coverage * Fix builds and update sdk * Fix build * Fix tests * Reset changes to encrypt service * Cleanup * Add comment * Cleanup * Cleanup * Rename model * Cleanup * Fix build * Clean up * Fix types * Cleanup * Cleanup * Cleanup * Add test * Simplify request model * Rename and add comments * Fix tests * Update responses to use less strict typing * Fix response parsing for v1 users * Update libs/common/src/key-management/keys/response/private-keys.response.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Update libs/common/src/key-management/keys/response/private-keys.response.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Fix build * Fix build * Fix build * Undo change * Fix attachments not encrypting for v2 users --------- Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
2025-12-22 03:03:43 +00:00 · 2025-10-10 23:04:47 +02:00
parent 89eb60135f
commit cc8bd71775
36 changed files with 1693 additions and 327 deletions
--- a/libs/common/src/key-management/security-state/abstractions/security-state.service.ts
+++ b/libs/common/src/key-management/security-state/abstractions/security-state.service.ts
@@ -0,0 +1,21 @@
+import { Observable } from "rxjs";
+
+import { UserId } from "@bitwarden/common/types/guid";
+
+import { SignedSecurityState } from "../../types";
+
+export abstract class SecurityStateService {
+  /**
+   * Retrieves the security state for the provided user.
+   * Note: This state is not yet validated. To get a validated state, the SDK crypto client
+   * must be used. This security state is validated on initialization of the SDK.
+   */
+  abstract accountSecurityState$(userId: UserId): Observable<SignedSecurityState | null>;
+  /**
+   * Sets the security state for the provided user.
+   */
+  abstract setAccountSecurityState(
+    accountSecurityState: SignedSecurityState,
+    userId: UserId,
+  ): Promise<void>;
+}
--- a/libs/common/src/key-management/security-state/request/security-state.request.ts
+++ b/libs/common/src/key-management/security-state/request/security-state.request.ts
@@ -0,0 +1,8 @@
+import { SignedSecurityState } from "../../types";
+
+export class SecurityStateRequest {
+  constructor(
+    readonly securityState: SignedSecurityState,
+    readonly securityVersion: number,
+  ) {}
+}
--- a/libs/common/src/key-management/security-state/response/security-state.response.ts
+++ b/libs/common/src/key-management/security-state/response/security-state.response.ts
@@ -0,0 +1,16 @@
+import { SignedSecurityState } from "../../types";
+
+export class SecurityStateResponse {
+  readonly securityState: SignedSecurityState | null = null;
+
+  constructor(response: unknown) {
+    if (typeof response !== "object" || response == null) {
+      throw new TypeError("Response must be an object");
+    }
+
+    if (!("securityState" in response) || !(typeof response.securityState === "string")) {
+      throw new TypeError("Response must contain a valid securityState");
+    }
+    this.securityState = response.securityState as SignedSecurityState;
+  }
+}
--- a/libs/common/src/key-management/security-state/services/security-state.service.ts
+++ b/libs/common/src/key-management/security-state/services/security-state.service.ts
@@ -0,0 +1,26 @@
+import { Observable } from "rxjs";
+
+import { StateProvider } from "@bitwarden/common/platform/state";
+import { UserId } from "@bitwarden/common/types/guid";
+
+import { SignedSecurityState } from "../../types";
+import { SecurityStateService } from "../abstractions/security-state.service";
+import { ACCOUNT_SECURITY_STATE } from "../state/security-state.state";
+
+export class DefaultSecurityStateService implements SecurityStateService {
+  constructor(protected stateProvider: StateProvider) {}
+
+  // Emits the provided user's security state, or null if there is no security state present for the user.
+  accountSecurityState$(userId: UserId): Observable<SignedSecurityState | null> {
+    return this.stateProvider.getUserState$(ACCOUNT_SECURITY_STATE, userId);
+  }
+
+  // Sets the security state for the provided user.
+  // This is not yet validated, and is only validated upon SDK initialization.
+  async setAccountSecurityState(
+    accountSecurityState: SignedSecurityState,
+    userId: UserId,
+  ): Promise<void> {
+    await this.stateProvider.setUserState(ACCOUNT_SECURITY_STATE, accountSecurityState, userId);
+  }
+}
--- a/libs/common/src/key-management/security-state/state/security-state.state.ts
+++ b/libs/common/src/key-management/security-state/state/security-state.state.ts
@@ -0,0 +1,12 @@
+import { CRYPTO_DISK, UserKeyDefinition } from "@bitwarden/common/platform/state";
+
+import { SignedSecurityState } from "../../types";
+
+export const ACCOUNT_SECURITY_STATE = new UserKeyDefinition<SignedSecurityState>(
+  CRYPTO_DISK,
+  "accountSecurityState",
+  {
+    deserializer: (obj) => obj,
+    clearOn: ["logout"],
+  },
+);