[AC-2008] [AC-2123] [Pt 2] Transition PolicyService to use StateProvider (#7977)

* fully wire up StateProvider within PolicyService
* migrate old policy data to new location
* minor update to existing interfaces

libs/common/src/state-migrations/migrate.ts

@@ -25,6 +25,7 @@ import { BadgeSettingsMigrator } from "./migrations/27-move-badge-settings-to-st
 import { MoveBiometricUnlockToStateProviders } from "./migrations/28-move-biometric-unlock-to-state-providers";
 import { UserNotificationSettingsKeyMigrator } from "./migrations/29-move-user-notification-settings-to-state-provider";
 import { FixPremiumMigrator } from "./migrations/3-fix-premium";
+import { PolicyMigrator } from "./migrations/30-move-policy-state-to-state-provider";
 import { RemoveEverBeenUnlockedMigrator } from "./migrations/4-remove-ever-been-unlocked";
 import { AddKeyTypeToOrgKeysMigrator } from "./migrations/5-add-key-type-to-org-keys";
 import { RemoveLegacyEtmKeyMigrator } from "./migrations/6-remove-legacy-etm-key";
@@ -34,7 +35,7 @@ import { MoveBrowserSettingsToGlobal } from "./migrations/9-move-browser-setting
 import { MinVersionMigrator } from "./migrations/min-version";
 
 export const MIN_VERSION = 2;
-export const CURRENT_VERSION = 29;
+export const CURRENT_VERSION = 30;
 export type MinVersion = typeof MIN_VERSION;
 
 export function createMigrationBuilder() {
@@ -66,7 +67,8 @@ export function createMigrationBuilder() {
     .with(RevertLastSyncMigrator, 25, 26)
     .with(BadgeSettingsMigrator, 26, 27)
     .with(MoveBiometricUnlockToStateProviders, 27, 28)
-    .with(UserNotificationSettingsKeyMigrator, 28, CURRENT_VERSION);
+    .with(UserNotificationSettingsKeyMigrator, 28, 29)
+    .with(PolicyMigrator, 29, CURRENT_VERSION);
 }
 
 export async function currentVersion(

libs/common/src/state-migrations/migrations/30-move-policy-state-to-state-provider.spec.ts

@@ -0,0 +1,192 @@
+import { MockProxy, any } from "jest-mock-extended";
+
+import { MigrationHelper } from "../migration-helper";
+import { mockMigrationHelper } from "../migration-helper.spec";
+
+import { PolicyMigrator } from "./30-move-policy-state-to-state-provider";
+
+function exampleJSON() {
+  return {
+    global: {
+      otherStuff: "otherStuff1",
+    },
+    authenticatedAccounts: ["user-1", "user-2"],
+    "user-1": {
+      data: {
+        policies: {
+          encrypted: {
+            "policy-1": {
+              id: "policy-1",
+              organizationId: "fe1ff6ef-d2d4-49f3-9c07-b0c7013998f9",
+              type: 9, // max vault timeout
+              enabled: true,
+              data: {
+                hours: 1,
+                minutes: 30,
+                action: "lock",
+              },
+            },
+            "policy-2": {
+              id: "policy-2",
+              organizationId: "5f277723-6391-4b5c-add9-b0c200ee6967",
+              type: 3, // single org
+              enabled: true,
+            },
+          },
+        },
+        otherStuff: "otherStuff2",
+      },
+      otherStuff: "otherStuff3",
+    },
+    "user-2": {
+      data: {
+        otherStuff: "otherStuff4",
+      },
+      otherStuff: "otherStuff5",
+    },
+  };
+}
+
+function rollbackJSON() {
+  return {
+    "user_user-1_policies_policies": {
+      "policy-1": {
+        id: "policy-1",
+        organizationId: "fe1ff6ef-d2d4-49f3-9c07-b0c7013998f9",
+        type: 9,
+        enabled: true,
+        data: {
+          hours: 1,
+          minutes: 30,
+          action: "lock",
+        },
+      },
+      "policy-2": {
+        id: "policy-2",
+        organizationId: "5f277723-6391-4b5c-add9-b0c200ee6967",
+        type: 3,
+        enabled: true,
+      },
+    },
+    "user_user-2_policies_policies": null as any,
+    global: {
+      otherStuff: "otherStuff1",
+    },
+    authenticatedAccounts: ["user-1", "user-2"],
+    "user-1": {
+      data: {
+        otherStuff: "otherStuff2",
+      },
+      otherStuff: "otherStuff3",
+    },
+    "user-2": {
+      data: {
+        otherStuff: "otherStuff4",
+      },
+      otherStuff: "otherStuff5",
+    },
+  };
+}
+
+describe("PoliciesMigrator", () => {
+  let helper: MockProxy<MigrationHelper>;
+  let sut: PolicyMigrator;
+  const keyDefinitionLike = {
+    key: "policies",
+    stateDefinition: {
+      name: "policies",
+    },
+  };
+
+  describe("migrate", () => {
+    beforeEach(() => {
+      helper = mockMigrationHelper(exampleJSON(), 22);
+      sut = new PolicyMigrator(29, 30);
+    });
+
+    it("should remove policies from all old accounts", async () => {
+      await sut.migrate(helper);
+      expect(helper.set).toHaveBeenCalledWith("user-1", {
+        data: {
+          otherStuff: "otherStuff2",
+        },
+        otherStuff: "otherStuff3",
+      });
+    });
+
+    it("should set policies value in StateProvider framework for each account", async () => {
+      await sut.migrate(helper);
+
+      expect(helper.setToUser).toHaveBeenCalledWith("user-1", keyDefinitionLike, {
+        "policy-1": {
+          id: "policy-1",
+          organizationId: "fe1ff6ef-d2d4-49f3-9c07-b0c7013998f9",
+          type: 9,
+          enabled: true,
+          data: {
+            hours: 1,
+            minutes: 30,
+            action: "lock",
+          },
+        },
+        "policy-2": {
+          id: "policy-2",
+          organizationId: "5f277723-6391-4b5c-add9-b0c200ee6967",
+          type: 3,
+          enabled: true,
+        },
+      });
+    });
+  });
+
+  describe("rollback", () => {
+    beforeEach(() => {
+      helper = mockMigrationHelper(rollbackJSON(), 23);
+      sut = new PolicyMigrator(29, 30);
+    });
+
+    it.each(["user-1", "user-2"])("should null out new values", async (userId) => {
+      await sut.rollback(helper);
+      expect(helper.setToUser).toHaveBeenCalledWith(userId, keyDefinitionLike, null);
+    });
+
+    it("should add policy values back to accounts", async () => {
+      await sut.rollback(helper);
+
+      expect(helper.set).toHaveBeenCalled();
+      expect(helper.set).toHaveBeenCalledWith("user-1", {
+        data: {
+          policies: {
+            encrypted: {
+              "policy-1": {
+                id: "policy-1",
+                organizationId: "fe1ff6ef-d2d4-49f3-9c07-b0c7013998f9",
+                type: 9,
+                enabled: true,
+                data: {
+                  hours: 1,
+                  minutes: 30,
+                  action: "lock",
+                },
+              },
+              "policy-2": {
+                id: "policy-2",
+                organizationId: "5f277723-6391-4b5c-add9-b0c200ee6967",
+                type: 3,
+                enabled: true,
+              },
+            },
+          },
+          otherStuff: "otherStuff2",
+        },
+        otherStuff: "otherStuff3",
+      });
+    });
+
+    it("should not try to restore values to missing accounts", async () => {
+      await sut.rollback(helper);
+
+      expect(helper.set).not.toHaveBeenCalledWith("user-3", any());
+    });
+  });
+});

libs/common/src/state-migrations/migrations/30-move-policy-state-to-state-provider.ts

@@ -0,0 +1,76 @@
+import { KeyDefinitionLike, MigrationHelper } from "../migration-helper";
+import { Migrator } from "../migrator";
+
+enum PolicyType {
+  TwoFactorAuthentication = 0, // Requires users to have 2fa enabled
+  MasterPassword = 1, // Sets minimum requirements for master password complexity
+  PasswordGenerator = 2, // Sets minimum requirements/default type for generated passwords/passphrases
+  SingleOrg = 3, // Allows users to only be apart of one organization
+  RequireSso = 4, // Requires users to authenticate with SSO
+  PersonalOwnership = 5, // Disables personal vault ownership for adding/cloning items
+  DisableSend = 6, // Disables the ability to create and edit Bitwarden Sends
+  SendOptions = 7, // Sets restrictions or defaults for Bitwarden Sends
+  ResetPassword = 8, // Allows orgs to use reset password : also can enable auto-enrollment during invite flow
+  MaximumVaultTimeout = 9, // Sets the maximum allowed vault timeout
+  DisablePersonalVaultExport = 10, // Disable personal vault export
+  ActivateAutofill = 11, // Activates autofill with page load on the browser extension
+}
+
+type PolicyDataType = {
+  id: string;
+  organizationId: string;
+  type: PolicyType;
+  data: Record<string, string | number | boolean>;
+  enabled: boolean;
+};
+
+type ExpectedAccountType = {
+  data?: {
+    policies?: {
+      encrypted?: Record<string, PolicyDataType>;
+    };
+  };
+};
+
+const POLICIES_KEY: KeyDefinitionLike = {
+  key: "policies",
+  stateDefinition: {
+    name: "policies",
+  },
+};
+
+export class PolicyMigrator extends Migrator<29, 30> {
+  async migrate(helper: MigrationHelper): Promise<void> {
+    const accounts = await helper.getAccounts<ExpectedAccountType>();
+
+    async function migrateAccount(userId: string, account: ExpectedAccountType): Promise<void> {
+      const value = account?.data?.policies?.encrypted;
+      if (value != null) {
+        await helper.setToUser(userId, POLICIES_KEY, value);
+        delete account.data.policies;
+        await helper.set(userId, account);
+      }
+    }
+
+    await Promise.all(accounts.map(({ userId, account }) => migrateAccount(userId, account)));
+  }
+
+  async rollback(helper: MigrationHelper): Promise<void> {
+    const accounts = await helper.getAccounts<ExpectedAccountType>();
+
+    async function rollbackAccount(userId: string, account: ExpectedAccountType): Promise<void> {
+      const value = await helper.getFromUser(userId, POLICIES_KEY);
+      if (account) {
+        account.data = Object.assign(account.data ?? {}, {
+          policies: {
+            encrypted: value,
+          },
+        });
+
+        await helper.set(userId, account);
+      }
+      await helper.setToUser(userId, POLICIES_KEY, null);
+    }
+    await Promise.all(accounts.map(({ userId, account }) => rollbackAccount(userId, account)));
+  }
+}