Auth/ps 2298 reorg auth (#4564)

* Move auth service factories to Auth team * Move authentication componenets to Auth team * Move auth guard services to Auth team * Move Duo content script to Auth team * Move auth CLI commands to Auth team * Move Desktop Account components to Auth Team * Move Desktop guards to Auth team * Move two-factor provider images to Auth team * Move web Accounts components to Auth Team * Move web settings components to Auth Team * Move web two factor images to Auth Team * Fix missed import changes for Auth Team * Fix Linting errors * Fix missed CLI imports * Fix missed Desktop imports * Revert images move * Fix missed imports in Web * Move angular lib components to Auth Team * Move angular auth guards to Auth team * Move strategy specs to Auth team * Update .eslintignore for new paths * Move lib common abstractions to Auth team * Move services to Auth team * Move common lib enums to Auth team * Move webauthn iframe to Auth team * Move lib common domain models to Auth team * Move common lib requests to Auth team * Move response models to Auth team * Clean up whitelist * Move bit web components to Auth team * Move SSO and SCIM files to Auth team * Revert move SCIM to Auth team SCIM belongs to Admin Console team * Move captcha to Auth team * Move key connector to Auth team * Move emergency access to auth team * Delete extra file * linter fixes * Move kdf config to auth team * Fix whitelist * Fix duo autoformat * Complete two factor provider request move * Fix whitelist names * Fix login capitalization * Revert hint dependency reordering * Revert hint dependency reordering * Revert hint component This components is being picked up as a move between clients * Move web hint component to Auth team * Move new files to auth team * Fix desktop build * Fix browser build
2025-12-22 11:13:46 +00:00 · 2023-02-06 16:53:37 -05:00
parent 084c89107e
commit cf972e784c
377 changed files with 1030 additions and 998 deletions
--- a/libs/common/src/auth/services/key-connector.service.ts
+++ b/libs/common/src/auth/services/key-connector.service.ts
@@ -0,0 +1,144 @@
+import { ApiService } from "../../abstractions/api.service";
+import { CryptoService } from "../../abstractions/crypto.service";
+import { CryptoFunctionService } from "../../abstractions/cryptoFunction.service";
+import { LogService } from "../../abstractions/log.service";
+import { OrganizationService } from "../../abstractions/organization/organization.service.abstraction";
+import { StateService } from "../../abstractions/state.service";
+import { OrganizationUserType } from "../../enums/organizationUserType";
+import { Utils } from "../../misc/utils";
+import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key";
+import { KeysRequest } from "../../models/request/keys.request";
+import { KeyConnectorService as KeyConnectorServiceAbstraction } from "../abstractions/key-connector.service";
+import { TokenService } from "../abstractions/token.service";
+import { KdfConfig } from "../models/domain/kdf-config";
+import { KeyConnectorUserKeyRequest } from "../models/request/key-connector-user-key.request";
+import { SetKeyConnectorKeyRequest } from "../models/request/set-key-connector-key.request";
+import { IdentityTokenResponse } from "../models/response/identity-token.response";
+
+export class KeyConnectorService implements KeyConnectorServiceAbstraction {
+  constructor(
+    private stateService: StateService,
+    private cryptoService: CryptoService,
+    private apiService: ApiService,
+    private tokenService: TokenService,
+    private logService: LogService,
+    private organizationService: OrganizationService,
+    private cryptoFunctionService: CryptoFunctionService,
+    private logoutCallback: (expired: boolean, userId?: string) => void
+  ) {}
+
+  setUsesKeyConnector(usesKeyConnector: boolean) {
+    return this.stateService.setUsesKeyConnector(usesKeyConnector);
+  }
+
+  async getUsesKeyConnector(): Promise<boolean> {
+    return await this.stateService.getUsesKeyConnector();
+  }
+
+  async userNeedsMigration() {
+    const loggedInUsingSso = await this.tokenService.getIsExternal();
+    const requiredByOrganization = (await this.getManagingOrganization()) != null;
+    const userIsNotUsingKeyConnector = !(await this.getUsesKeyConnector());
+
+    return loggedInUsingSso && requiredByOrganization && userIsNotUsingKeyConnector;
+  }
+
+  async migrateUser() {
+    const organization = await this.getManagingOrganization();
+    const key = await this.cryptoService.getKey();
+    const keyConnectorRequest = new KeyConnectorUserKeyRequest(key.encKeyB64);
+
+    try {
+      await this.apiService.postUserKeyToKeyConnector(
+        organization.keyConnectorUrl,
+        keyConnectorRequest
+      );
+    } catch (e) {
+      this.handleKeyConnectorError(e);
+    }
+
+    await this.apiService.postConvertToKeyConnector();
+  }
+
+  async getAndSetKey(url: string) {
+    try {
+      const userKeyResponse = await this.apiService.getUserKeyFromKeyConnector(url);
+      const keyArr = Utils.fromB64ToArray(userKeyResponse.key);
+      const k = new SymmetricCryptoKey(keyArr);
+      await this.cryptoService.setKey(k);
+    } catch (e) {
+      this.handleKeyConnectorError(e);
+    }
+  }
+
+  async getManagingOrganization() {
+    const orgs = await this.organizationService.getAll();
+    return orgs.find(
+      (o) =>
+        o.keyConnectorEnabled &&
+        o.type !== OrganizationUserType.Admin &&
+        o.type !== OrganizationUserType.Owner &&
+        !o.isProviderUser
+    );
+  }
+
+  async convertNewSsoUserToKeyConnector(tokenResponse: IdentityTokenResponse, orgId: string) {
+    const { kdf, kdfIterations, kdfMemory, kdfParallelism, keyConnectorUrl } = tokenResponse;
+    const password = await this.cryptoFunctionService.randomBytes(64);
+    const kdfConfig = new KdfConfig(kdfIterations, kdfMemory, kdfParallelism);
+
+    const k = await this.cryptoService.makeKey(
+      Utils.fromBufferToB64(password),
+      await this.tokenService.getEmail(),
+      kdf,
+      kdfConfig
+    );
+    const keyConnectorRequest = new KeyConnectorUserKeyRequest(k.encKeyB64);
+    await this.cryptoService.setKey(k);
+
+    const encKey = await this.cryptoService.makeEncKey(k);
+    await this.cryptoService.setEncKey(encKey[1].encryptedString);
+
+    const [pubKey, privKey] = await this.cryptoService.makeKeyPair();
+
+    try {
+      await this.apiService.postUserKeyToKeyConnector(keyConnectorUrl, keyConnectorRequest);
+    } catch (e) {
+      this.handleKeyConnectorError(e);
+    }
+
+    const keys = new KeysRequest(pubKey, privKey.encryptedString);
+    const setPasswordRequest = new SetKeyConnectorKeyRequest(
+      encKey[1].encryptedString,
+      kdf,
+      kdfConfig,
+      orgId,
+      keys
+    );
+    await this.apiService.postSetKeyConnectorKey(setPasswordRequest);
+  }
+
+  async setConvertAccountRequired(status: boolean) {
+    await this.stateService.setConvertAccountToKeyConnector(status);
+  }
+
+  async getConvertAccountRequired(): Promise<boolean> {
+    return await this.stateService.getConvertAccountToKeyConnector();
+  }
+
+  async removeConvertAccountRequired() {
+    await this.stateService.setConvertAccountToKeyConnector(null);
+  }
+
+  async clear() {
+    await this.removeConvertAccountRequired();
+  }
+
+  private handleKeyConnectorError(e: any) {
+    this.logService.error(e);
+    if (this.logoutCallback != null) {
+      this.logoutCallback(false);
+    }
+    throw new Error("Key Connector error");
+  }
+}