
Auth/pm 8882/Add TDE Logging (#9673)

* Added logging behind feature flag.

* Added default for new flag.

* Additional logging changes.

* Consolidated log messages.

* Removed unnecessary log.

* Fixed test error.

* Fixed linting.

* Fixed constructor on test.

* Updated to remove flag

* Moved service.

* Added logging to redirect guard.
This commit is contained in:
Todd Martin
2024-06-17 12:37:05 -04:00
committed by GitHub
parent 6f91ecf41b
commit fe1c432e03
3 changed files with 52 additions and 2 deletions


@@ -6,6 +6,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
export interface RedirectRoutes {
loggedIn: string;
@@ -32,6 +33,7 @@ export function redirectGuard(overrides: Partial<RedirectRoutes> = {}): CanActiv
const authService = inject(AuthService);
const cryptoService = inject(CryptoService);
const deviceTrustService = inject(DeviceTrustServiceAbstraction);
const logService = inject(LogService);
const router = inject(Router);
const authStatus = await authService.getAuthStatus();
@@ -49,6 +51,12 @@ export function redirectGuard(overrides: Partial<RedirectRoutes> = {}): CanActiv
const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
const everHadUserKey = await firstValueFrom(cryptoService.everHadUserKey$);
if (authStatus === AuthenticationStatus.Locked && tdeEnabled && !everHadUserKey) {
logService.info(
"Sending user to TDE decryption options. AuthStatus is %s. TDE support is %s. Ever had user key is %s.",
AuthenticationStatus[authStatus],
tdeEnabled,
everHadUserKey,
);
return router.createUrlTree([routes.notDecrypted], { queryParams: route.queryParams });
}
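Review bot: The three arguments passed to logService.info are fixed by the condition directly above it (`authStatus === AuthenticationStatus.Locked && tdeEnabled && !everHadUserKey`), so the message can only ever read "Locked", "true", "false" and the placeholders carry no diagnostic information. If the purpose is to understand why a user did or did not reach the decryption page, the varying state lives on the branches that skip this block; either emit the trio once before the `if`, or simplify to `logService.info("Sending user to TDE decryption options.");`. The same observation applies to the logging added in tdeDecryptionRequiredGuard, where the early return preceding it pins the values identically. redirectGuard's body continues outside this hunk.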


@@ -11,6 +11,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
/**
* Only allow access to this route if the vault is locked and has never been decrypted.
@@ -23,15 +24,30 @@ export function tdeDecryptionRequiredGuard(): CanActivateFn {
const authService = inject(AuthService);
const cryptoService = inject(CryptoService);
const deviceTrustService = inject(DeviceTrustServiceAbstraction);
const logService = inject(LogService);
const router = inject(Router);
const authStatus = await authService.getAuthStatus();
const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
const everHadUserKey = await firstValueFrom(cryptoService.everHadUserKey$);
// We need to determine if we should bypass the decryption options and send the user to the vault.
// The ONLY time that we want to send a user to the decryption options is when:
// 1. The user's auth status is Locked, AND
// 2. TDE is enabled, AND
// 3. The user has never had a user key in state since last logout.
// The inverse of this is when we should send the user to the vault.
if (authStatus !== AuthenticationStatus.Locked || !tdeEnabled || everHadUserKey) {
return router.createUrlTree(["/"]);
}
logService.info(
"Sending user to TDE decryption options. AuthStatus is %s. TDE support is %s. Ever had user key is %s.",
AuthenticationStatus[authStatus],
tdeEnabled,
everHadUserKey,
);
return true;
};
}
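Review bot: The new log call depends on `%s` substitution, which only yields readable output if every LogService implementation forwards the optional parameters to a printf-aware sink; a sink that stringifies only the first argument would record the literal placeholders and lose the state values. A template literal such as `` logService.info(`Sending user to TDE decryption options. AuthStatus is ${AuthenticationStatus[authStatus]}. TDE support is ${tdeEnabled}. Ever had user key is ${everHadUserKey}.`); `` is independent of the sink, and since the identical string is also added to redirectGuard it would be worth hoisting the message into one shared helper so the two guards cannot drift apart. I have not verified the LogService contract from this page, so treat the forwarding behaviour as something to confirm.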