mirror of
https://github.com/bitwarden/directory-connector
synced 2025-12-05 23:53:21 +00:00
Delete VaultTimeoutService
This commit is contained in:
Addison Beck
@@ -4,12 +4,10 @@ import { ActivatedRouteSnapshot, Router, RouterStateSnapshot } from "@angular/ro
|
||||
import { KeyConnectorService } from "@/jslib/common/src/abstractions/keyConnector.service";
|
||||
import { MessagingService } from "@/jslib/common/src/abstractions/messaging.service";
|
||||
import { StateService } from "@/jslib/common/src/abstractions/state.service";
|
||||
import { VaultTimeoutService } from "@/jslib/common/src/abstractions/vaultTimeout.service";
|
||||
|
||||
@Injectable()
|
||||
export class AuthGuardService {
|
||||
constructor(
|
||||
private vaultTimeoutService: VaultTimeoutService,
|
||||
private router: Router,
|
||||
private messagingService: MessagingService,
|
||||
private keyConnectorService: KeyConnectorService,
|
||||
@@ -23,15 +21,6 @@ export class AuthGuardService {
|
||||
return false;
|
||||
}
|
||||
|
||||
const locked = await this.vaultTimeoutService.isLocked();
|
||||
if (locked) {
|
||||
if (routerState != null) {
|
||||
this.messagingService.send("lockedUrl", { url: routerState.url });
|
||||
}
|
||||
this.router.navigate(["lock"], { queryParams: { promptBiometric: true } });
|
||||
return false;
|
||||
}
|
||||
|
||||
if (
|
||||
!routerState.url.includes("remove-password") &&
|
||||
(await this.keyConnectorService.getConvertAccountRequired())
|
||||
|
||||
@@ -28,7 +28,6 @@ import { SyncService as SyncServiceAbstraction } from "@/jslib/common/src/abstra
|
||||
import { TokenService as TokenServiceAbstraction } from "@/jslib/common/src/abstractions/token.service";
|
||||
import { TwoFactorService as TwoFactorServiceAbstraction } from "@/jslib/common/src/abstractions/twoFactor.service";
|
||||
import { UserVerificationService as UserVerificationServiceAbstraction } from "@/jslib/common/src/abstractions/userVerification.service";
|
||||
import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "@/jslib/common/src/abstractions/vaultTimeout.service";
|
||||
import { StateFactory } from "@/jslib/common/src/factories/stateFactory";
|
||||
import { Account } from "@/jslib/common/src/models/domain/account";
|
||||
import { GlobalState } from "@/jslib/common/src/models/domain/globalState";
|
||||
@@ -53,7 +52,6 @@ import { SyncService } from "@/jslib/common/src/services/sync.service";
|
||||
import { TokenService } from "@/jslib/common/src/services/token.service";
|
||||
import { TwoFactorService } from "@/jslib/common/src/services/twoFactor.service";
|
||||
import { UserVerificationService } from "@/jslib/common/src/services/userVerification.service";
|
||||
import { VaultTimeoutService } from "@/jslib/common/src/services/vaultTimeout.service";
|
||||
|
||||
import { AuthGuardService } from "./auth-guard.service";
|
||||
import { BroadcasterService } from "./broadcaster.service";
|
||||
@@ -194,42 +192,6 @@ import { ValidationService } from "./validation.service";
|
||||
useClass: SettingsService,
|
||||
deps: [StateServiceAbstraction],
|
||||
},
|
||||
{
|
||||
provide: VaultTimeoutServiceAbstraction,
|
||||
useFactory: (
|
||||
cryptoService: CryptoServiceAbstraction,
|
||||
platformUtilsService: PlatformUtilsServiceAbstraction,
|
||||
messagingService: MessagingServiceAbstraction,
|
||||
searchService: SearchServiceAbstraction,
|
||||
tokenService: TokenServiceAbstraction,
|
||||
policyService: PolicyServiceAbstraction,
|
||||
keyConnectorService: KeyConnectorServiceAbstraction,
|
||||
stateService: StateServiceAbstraction,
|
||||
) =>
|
||||
new VaultTimeoutService(
|
||||
cryptoService,
|
||||
platformUtilsService,
|
||||
messagingService,
|
||||
searchService,
|
||||
tokenService,
|
||||
policyService,
|
||||
keyConnectorService,
|
||||
stateService,
|
||||
null,
|
||||
async (userId?: string) =>
|
||||
messagingService.send("logout", { expired: false, userId: userId }),
|
||||
),
|
||||
deps: [
|
||||
CryptoServiceAbstraction,
|
||||
PlatformUtilsServiceAbstraction,
|
||||
MessagingServiceAbstraction,
|
||||
SearchServiceAbstraction,
|
||||
TokenServiceAbstraction,
|
||||
PolicyServiceAbstraction,
|
||||
KeyConnectorServiceAbstraction,
|
||||
StateServiceAbstraction,
|
||||
],
|
||||
},
|
||||
{
|
||||
provide: StateServiceAbstraction,
|
||||
useFactory: (
|
||||
@@ -276,7 +238,6 @@ import { ValidationService } from "./validation.service";
|
||||
syncService: SyncServiceAbstraction,
|
||||
appIdService: AppIdServiceAbstraction,
|
||||
apiService: ApiServiceAbstraction,
|
||||
vaultTimeoutService: VaultTimeoutServiceAbstraction,
|
||||
environmentService: EnvironmentServiceAbstraction,
|
||||
messagingService: MessagingServiceAbstraction,
|
||||
logService: LogService,
|
||||
@@ -286,7 +247,6 @@ import { ValidationService } from "./validation.service";
|
||||
syncService,
|
||||
appIdService,
|
||||
apiService,
|
||||
vaultTimeoutService,
|
||||
environmentService,
|
||||
async () => messagingService.send("logout", { expired: true }),
|
||||
logService,
|
||||
@@ -296,7 +256,6 @@ import { ValidationService } from "./validation.service";
|
||||
SyncServiceAbstraction,
|
||||
AppIdServiceAbstraction,
|
||||
ApiServiceAbstraction,
|
||||
VaultTimeoutServiceAbstraction,
|
||||
EnvironmentServiceAbstraction,
|
||||
MessagingServiceAbstraction,
|
||||
LogService,
|
||||
|
||||
@@ -2,23 +2,17 @@ import { Injectable } from "@angular/core";
|
||||
import { Router } from "@angular/router";
|
||||
|
||||
import { StateService } from "@/jslib/common/src/abstractions/state.service";
|
||||
import { VaultTimeoutService } from "@/jslib/common/src/abstractions/vaultTimeout.service";
|
||||
|
||||
@Injectable()
|
||||
export class LockGuardService {
|
||||
protected homepage = "vault";
|
||||
protected loginpage = "login";
|
||||
constructor(
|
||||
private vaultTimeoutService: VaultTimeoutService,
|
||||
private router: Router,
|
||||
private stateService: StateService,
|
||||
) {}
|
||||
|
||||
async canActivate() {
|
||||
if (await this.vaultTimeoutService.isLocked()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
const redirectUrl = (await this.stateService.getIsAuthenticated())
|
||||
? [this.homepage]
|
||||
: [this.loginpage];
|
||||
|
||||
@@ -2,13 +2,11 @@ import { Injectable } from "@angular/core";
|
||||
import { Router } from "@angular/router";
|
||||
|
||||
import { StateService } from "@/jslib/common/src/abstractions/state.service";
|
||||
import { VaultTimeoutService } from "@/jslib/common/src/abstractions/vaultTimeout.service";
|
||||
|
||||
@Injectable()
|
||||
export class UnauthGuardService {
|
||||
protected homepage = "vault";
|
||||
constructor(
|
||||
private vaultTimeoutService: VaultTimeoutService,
|
||||
private router: Router,
|
||||
private stateService: StateService,
|
||||
) {}
|
||||
@@ -16,12 +14,7 @@ export class UnauthGuardService {
|
||||
async canActivate() {
|
||||
const isAuthed = await this.stateService.getIsAuthenticated();
|
||||
if (isAuthed) {
|
||||
const locked = await this.vaultTimeoutService.isLocked();
|
||||
if (locked) {
|
||||
this.router.navigate(["lock"]);
|
||||
} else {
|
||||
this.router.navigate([this.homepage]);
|
||||
}
|
||||
this.router.navigate([this.homepage]);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
export abstract class VaultTimeoutService {
|
||||
isLocked: (userId?: string) => Promise<boolean>;
|
||||
checkVaultTimeout: () => Promise<void>;
|
||||
lock: (allowSoftLock?: boolean, userId?: string) => Promise<void>;
|
||||
logOut: (userId?: string) => Promise<void>;
|
||||
setVaultTimeoutOptions: (vaultTimeout: number, vaultTimeoutAction: string) => Promise<void>;
|
||||
getVaultTimeout: () => Promise<number>;
|
||||
isPinLockSet: () => Promise<[boolean, boolean]>;
|
||||
isBiometricLockSet: () => Promise<boolean>;
|
||||
clear: (userId?: string) => Promise<any>;
|
||||
}
|
||||
@@ -8,7 +8,6 @@ import { LogService } from "../abstractions/log.service";
|
||||
import { NotificationsService as NotificationsServiceAbstraction } from "../abstractions/notifications.service";
|
||||
import { StateService } from "../abstractions/state.service";
|
||||
import { SyncService } from "../abstractions/sync.service";
|
||||
import { VaultTimeoutService } from "../abstractions/vaultTimeout.service";
|
||||
import { NotificationType } from "../enums/notificationType";
|
||||
import {
|
||||
NotificationResponse,
|
||||
@@ -26,7 +25,6 @@ export class NotificationsService implements NotificationsServiceAbstraction {
|
||||
private syncService: SyncService,
|
||||
private appIdService: AppIdService,
|
||||
private apiService: ApiService,
|
||||
private vaultTimeoutService: VaultTimeoutService,
|
||||
private environmentService: EnvironmentService,
|
||||
private logoutCallback: () => Promise<void>,
|
||||
private logService: LogService,
|
||||
@@ -182,11 +180,7 @@ export class NotificationsService implements NotificationsServiceAbstraction {
|
||||
}
|
||||
|
||||
private async isAuthedAndUnlocked() {
|
||||
if (await this.stateService.getIsAuthenticated()) {
|
||||
const locked = await this.vaultTimeoutService.isLocked();
|
||||
return !locked;
|
||||
}
|
||||
return false;
|
||||
return await this.stateService.getIsAuthenticated()
|
||||
}
|
||||
|
||||
private random(min: number, max: number) {
|
||||
|
||||
@@ -1,215 +0,0 @@
|
||||
import { firstValueFrom } from "rxjs";
|
||||
|
||||
import { CryptoService } from "../abstractions/crypto.service";
|
||||
import { KeyConnectorService } from "../abstractions/keyConnector.service";
|
||||
import { MessagingService } from "../abstractions/messaging.service";
|
||||
import { PlatformUtilsService } from "../abstractions/platformUtils.service";
|
||||
import { PolicyService } from "../abstractions/policy.service";
|
||||
import { SearchService } from "../abstractions/search.service";
|
||||
import { StateService } from "../abstractions/state.service";
|
||||
import { TokenService } from "../abstractions/token.service";
|
||||
import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "../abstractions/vaultTimeout.service";
|
||||
import { KeySuffixOptions } from "../enums/keySuffixOptions";
|
||||
import { PolicyType } from "../enums/policyType";
|
||||
|
||||
export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
|
||||
private inited = false;
|
||||
|
||||
constructor(
|
||||
private cryptoService: CryptoService,
|
||||
protected platformUtilsService: PlatformUtilsService,
|
||||
private messagingService: MessagingService,
|
||||
private searchService: SearchService,
|
||||
private tokenService: TokenService,
|
||||
private policyService: PolicyService,
|
||||
private keyConnectorService: KeyConnectorService,
|
||||
private stateService: StateService,
|
||||
private lockedCallback: (userId?: string) => Promise<void> = null,
|
||||
private loggedOutCallback: (userId?: string) => Promise<void> = null,
|
||||
) {}
|
||||
|
||||
init(checkOnInterval: boolean) {
|
||||
if (this.inited) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.inited = true;
|
||||
if (checkOnInterval) {
|
||||
this.startCheck();
|
||||
}
|
||||
}
|
||||
|
||||
startCheck() {
|
||||
this.checkVaultTimeout();
|
||||
setInterval(() => this.checkVaultTimeout(), 10 * 1000); // check every 10 seconds
|
||||
}
|
||||
|
||||
// Keys aren't stored for a device that is locked or logged out.
|
||||
async isLocked(userId?: string): Promise<boolean> {
|
||||
const neverLock =
|
||||
(await this.cryptoService.hasKeyStored(KeySuffixOptions.Auto, userId)) &&
|
||||
!(await this.stateService.getEverBeenUnlocked({ userId: userId }));
|
||||
if (neverLock) {
|
||||
// TODO: This also _sets_ the key so when we check memory in the next line it finds a key.
|
||||
// We should refactor here.
|
||||
await this.cryptoService.getKey(KeySuffixOptions.Auto, userId);
|
||||
}
|
||||
|
||||
return !(await this.cryptoService.hasKeyInMemory(userId));
|
||||
}
|
||||
|
||||
async checkVaultTimeout(): Promise<void> {
|
||||
if (await this.platformUtilsService.isViewOpen()) {
|
||||
return;
|
||||
}
|
||||
|
||||
const accounts = await firstValueFrom(this.stateService.accounts$);
|
||||
for (const userId in accounts) {
|
||||
if (userId != null && (await this.shouldLock(userId))) {
|
||||
await this.executeTimeoutAction(userId);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
async lock(allowSoftLock = false, userId?: string): Promise<void> {
|
||||
const authed = await this.stateService.getIsAuthenticated({ userId: userId });
|
||||
if (!authed) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (await this.keyConnectorService.getUsesKeyConnector()) {
|
||||
const pinSet = await this.isPinLockSet();
|
||||
const pinLock =
|
||||
(pinSet[0] && (await this.stateService.getDecryptedPinProtected()) != null) || pinSet[1];
|
||||
|
||||
if (!pinLock && !(await this.isBiometricLockSet())) {
|
||||
await this.logOut(userId);
|
||||
}
|
||||
}
|
||||
|
||||
if (userId == null || userId === (await this.stateService.getUserId())) {
|
||||
this.searchService.clearIndex();
|
||||
}
|
||||
|
||||
await this.stateService.setEverBeenUnlocked(true, { userId: userId });
|
||||
await this.stateService.setBiometricLocked(true, { userId: userId });
|
||||
await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
|
||||
|
||||
await this.cryptoService.clearKey(false, userId);
|
||||
await this.cryptoService.clearOrgKeys(true, userId);
|
||||
await this.cryptoService.clearKeyPair(true, userId);
|
||||
await this.cryptoService.clearEncKey(true, userId);
|
||||
|
||||
this.messagingService.send("locked", { userId: userId });
|
||||
|
||||
if (this.lockedCallback != null) {
|
||||
await this.lockedCallback(userId);
|
||||
}
|
||||
}
|
||||
|
||||
async logOut(userId?: string): Promise<void> {
|
||||
if (this.loggedOutCallback != null) {
|
||||
await this.loggedOutCallback(userId);
|
||||
}
|
||||
}
|
||||
|
||||
async setVaultTimeoutOptions(timeout: number, action: string): Promise<void> {
|
||||
await this.stateService.setVaultTimeout(timeout);
|
||||
|
||||
// We swap these tokens from being on disk for lock actions, and in memory for logout actions
|
||||
// Get them here to set them to their new location after changing the timeout action and clearing if needed
|
||||
const token = await this.tokenService.getToken();
|
||||
const refreshToken = await this.tokenService.getRefreshToken();
|
||||
const clientId = await this.tokenService.getClientId();
|
||||
const clientSecret = await this.tokenService.getClientSecret();
|
||||
|
||||
const currentAction = await this.stateService.getVaultTimeoutAction();
|
||||
if ((timeout != null || timeout === 0) && action === "logOut" && action !== currentAction) {
|
||||
// if we have a vault timeout and the action is log out, reset tokens
|
||||
await this.tokenService.clearToken();
|
||||
}
|
||||
|
||||
await this.stateService.setVaultTimeoutAction(action);
|
||||
|
||||
await this.tokenService.setToken(token);
|
||||
await this.tokenService.setRefreshToken(refreshToken);
|
||||
await this.tokenService.setClientId(clientId);
|
||||
await this.tokenService.setClientSecret(clientSecret);
|
||||
|
||||
await this.cryptoService.toggleKey();
|
||||
}
|
||||
|
||||
async isPinLockSet(): Promise<[boolean, boolean]> {
|
||||
const protectedPin = await this.stateService.getProtectedPin();
|
||||
const pinProtectedKey = await this.stateService.getEncryptedPinProtected();
|
||||
return [protectedPin != null, pinProtectedKey != null];
|
||||
}
|
||||
|
||||
async isBiometricLockSet(): Promise<boolean> {
|
||||
return await this.stateService.getBiometricUnlock();
|
||||
}
|
||||
|
||||
async getVaultTimeout(userId?: string): Promise<number> {
|
||||
const vaultTimeout = await this.stateService.getVaultTimeout({ userId: userId });
|
||||
|
||||
if (
|
||||
await this.policyService.policyAppliesToUser(PolicyType.MaximumVaultTimeout, null, userId)
|
||||
) {
|
||||
const policy = await this.policyService.getAll(PolicyType.MaximumVaultTimeout, userId);
|
||||
// Remove negative values, and ensure it's smaller than maximum allowed value according to policy
|
||||
let timeout = Math.min(vaultTimeout, policy[0].data.minutes);
|
||||
|
||||
if (vaultTimeout == null || timeout < 0) {
|
||||
timeout = policy[0].data.minutes;
|
||||
}
|
||||
|
||||
// We really shouldn't need to set the value here, but multiple services relies on this value being correct.
|
||||
if (vaultTimeout !== timeout) {
|
||||
await this.stateService.setVaultTimeout(timeout, { userId: userId });
|
||||
}
|
||||
|
||||
return timeout;
|
||||
}
|
||||
|
||||
return vaultTimeout;
|
||||
}
|
||||
|
||||
async clear(userId?: string): Promise<void> {
|
||||
await this.stateService.setEverBeenUnlocked(false, { userId: userId });
|
||||
await this.stateService.setDecryptedPinProtected(null, { userId: userId });
|
||||
await this.stateService.setProtectedPin(null, { userId: userId });
|
||||
}
|
||||
|
||||
private async isLoggedOut(userId?: string): Promise<boolean> {
|
||||
return !(await this.stateService.getIsAuthenticated({ userId: userId }));
|
||||
}
|
||||
|
||||
private async shouldLock(userId: string): Promise<boolean> {
|
||||
if (await this.isLoggedOut(userId)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (await this.isLocked(userId)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const vaultTimeout = await this.getVaultTimeout(userId);
|
||||
if (vaultTimeout == null || vaultTimeout < 0) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const lastActive = await this.stateService.getLastActive({ userId: userId });
|
||||
if (lastActive == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const vaultTimeoutSeconds = vaultTimeout * 60;
|
||||
const diffSeconds = (new Date().getTime() - lastActive) / 1000;
|
||||
return diffSeconds >= vaultTimeoutSeconds;
|
||||
}
|
||||
|
||||
private async executeTimeoutAction(userId: string): Promise<void> {
|
||||
const timeoutAction = await this.stateService.getVaultTimeoutAction({ userId: userId });
|
||||
timeoutAction === "logOut" ? await this.logOut(userId) : await this.lock(true, userId);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user