1
0
mirror of https://github.com/bitwarden/browser.git synced 2025-01-23 21:31:29 +01:00

Merge branch 'main' into autofill/pm-5189-fix-issues-present-with-inline-menu-rendering-in-iframes

This commit is contained in:
Cesar Gonzalez 2024-06-20 13:38:06 -05:00
commit 5e875b29b8
No known key found for this signature in database
GPG Key ID: 3381A5457F8CCECF
141 changed files with 1891 additions and 716 deletions

View File

@ -206,11 +206,29 @@
} }
}, },
{ {
"files": ["libs/tools/generator/extensions/src/**/*.ts"], "files": ["libs/tools/generator/extensions/history/src/**/*.ts"],
"rules": { "rules": {
"no-restricted-imports": [ "no-restricted-imports": [
"error", "error",
{ "patterns": ["@bitwarden/generator-extensions/*", "src/**/*"] } { "patterns": ["@bitwarden/generator-history/*", "src/**/*"] }
]
}
},
{
"files": ["libs/tools/generator/extensions/legacy/src/**/*.ts"],
"rules": {
"no-restricted-imports": [
"error",
{ "patterns": ["@bitwarden/generator-legacy/*", "src/**/*"] }
]
}
},
{
"files": ["libs/tools/generator/extensions/navigation/src/**/*.ts"],
"rules": {
"no-restricted-imports": [
"error",
{ "patterns": ["@bitwarden/generator-navigation/*", "src/**/*"] }
] ]
} }
}, },

View File

@ -1,6 +1,6 @@
{ {
"name": "@bitwarden/browser", "name": "@bitwarden/browser",
"version": "2024.6.2", "version": "2024.6.3",
"scripts": { "scripts": {
"build": "cross-env MANIFEST_VERSION=3 webpack", "build": "cross-env MANIFEST_VERSION=3 webpack",
"build:mv2": "webpack", "build:mv2": "webpack",

View File

@ -12,7 +12,7 @@ import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authenticatio
import { BrowserRouterService } from "../../platform/popup/services/browser-router.service"; import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
/** /**
* This guard verifies the user's authetication status. * This guard verifies the user's authentication status.
* If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed. * If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed.
*/ */
export const fido2AuthGuard: CanActivateFn = async ( export const fido2AuthGuard: CanActivateFn = async (
@ -27,8 +27,10 @@ export const fido2AuthGuard: CanActivateFn = async (
if (authStatus === AuthenticationStatus.Locked) { if (authStatus === AuthenticationStatus.Locked) {
// Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification. // Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification.
const previousUrl = `${state.url}&fromLock=true`; // TODO: Revert to use previousUrl once user verification for passkeys is approved for production.
routerService.setPreviousUrl(previousUrl); // PM-4577 - https://github.com/bitwarden/clients/pull/8746
// const previousUrl = `${state.url}&fromLock=true`;
routerService.setPreviousUrl(state.url);
return router.createUrlTree(["/lock"], { queryParams: route.queryParams }); return router.createUrlTree(["/lock"], { queryParams: route.queryParams });
} }

View File

@ -2,7 +2,7 @@
"manifest_version": 2, "manifest_version": 2,
"name": "__MSG_extName__", "name": "__MSG_extName__",
"short_name": "__MSG_appName__", "short_name": "__MSG_appName__",
"version": "2024.6.2", "version": "2024.6.3",
"description": "__MSG_extDesc__", "description": "__MSG_extDesc__",
"default_locale": "en", "default_locale": "en",
"author": "Bitwarden Inc.", "author": "Bitwarden Inc.",

View File

@ -3,7 +3,7 @@
"minimum_chrome_version": "102.0", "minimum_chrome_version": "102.0",
"name": "__MSG_extName__", "name": "__MSG_extName__",
"short_name": "__MSG_appName__", "short_name": "__MSG_appName__",
"version": "2024.6.2", "version": "2024.6.3",
"description": "__MSG_extDesc__", "description": "__MSG_extDesc__",
"default_locale": "en", "default_locale": "en",
"author": "Bitwarden Inc.", "author": "Bitwarden Inc.",

View File

@ -27,6 +27,7 @@ import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view
import { LoginView } from "@bitwarden/common/vault/models/view/login.view"; import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view"; import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view";
import { DialogService } from "@bitwarden/components"; import { DialogService } from "@bitwarden/components";
import { PasswordRepromptService } from "@bitwarden/vault";
import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service"; import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service";
import { import {
@ -59,7 +60,6 @@ export class Fido2Component implements OnInit, OnDestroy {
protected data$: Observable<ViewData>; protected data$: Observable<ViewData>;
protected sessionId?: string; protected sessionId?: string;
protected senderTabId?: string; protected senderTabId?: string;
protected fromLock?: boolean;
protected ciphers?: CipherView[] = []; protected ciphers?: CipherView[] = [];
protected displayedCiphers?: CipherView[] = []; protected displayedCiphers?: CipherView[] = [];
protected loading = false; protected loading = false;
@ -78,6 +78,7 @@ export class Fido2Component implements OnInit, OnDestroy {
private logService: LogService, private logService: LogService,
private dialogService: DialogService, private dialogService: DialogService,
private browserMessagingApi: ZonedMessageListenerService, private browserMessagingApi: ZonedMessageListenerService,
private passwordRepromptService: PasswordRepromptService,
private fido2UserVerificationService: Fido2UserVerificationService, private fido2UserVerificationService: Fido2UserVerificationService,
) {} ) {}
@ -90,7 +91,6 @@ export class Fido2Component implements OnInit, OnDestroy {
sessionId: queryParamMap.get("sessionId"), sessionId: queryParamMap.get("sessionId"),
senderTabId: queryParamMap.get("senderTabId"), senderTabId: queryParamMap.get("senderTabId"),
senderUrl: queryParamMap.get("senderUrl"), senderUrl: queryParamMap.get("senderUrl"),
fromLock: queryParamMap.get("fromLock"),
})), })),
); );
@ -103,7 +103,6 @@ export class Fido2Component implements OnInit, OnDestroy {
this.sessionId = queryParams.sessionId; this.sessionId = queryParams.sessionId;
this.senderTabId = queryParams.senderTabId; this.senderTabId = queryParams.senderTabId;
this.url = queryParams.senderUrl; this.url = queryParams.senderUrl;
this.fromLock = queryParams.fromLock === "true";
// For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session. // For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session.
if ( if (
message.type === "NewSessionCreatedRequest" && message.type === "NewSessionCreatedRequest" &&
@ -213,11 +212,9 @@ export class Fido2Component implements OnInit, OnDestroy {
protected async submit() { protected async submit() {
const data = this.message$.value; const data = this.message$.value;
if (data?.type === "PickCredentialRequest") { if (data?.type === "PickCredentialRequest") {
const userVerified = await this.fido2UserVerificationService.handleUserVerification( // TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
data.userVerification, // PM-4577 - https://github.com/bitwarden/clients/pull/8746
this.cipher, const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
this.fromLock,
);
this.send({ this.send({
sessionId: this.sessionId, sessionId: this.sessionId,
@ -238,11 +235,9 @@ export class Fido2Component implements OnInit, OnDestroy {
} }
} }
const userVerified = await this.fido2UserVerificationService.handleUserVerification( // TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
data.userVerification, // PM-4577 - https://github.com/bitwarden/clients/pull/8746
this.cipher, const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
this.fromLock,
);
this.send({ this.send({
sessionId: this.sessionId, sessionId: this.sessionId,
@ -259,21 +254,16 @@ export class Fido2Component implements OnInit, OnDestroy {
const data = this.message$.value; const data = this.message$.value;
if (data?.type === "ConfirmNewCredentialRequest") { if (data?.type === "ConfirmNewCredentialRequest") {
const name = data.credentialName || data.rpId; const name = data.credentialName || data.rpId;
const userVerified = await this.fido2UserVerificationService.handleUserVerification( // TODO: Revert to check for user verification once user verification for passkeys is approved for production.
data.userVerification, // PM-4577 - https://github.com/bitwarden/clients/pull/8746
this.cipher,
this.fromLock,
);
if (!data.userVerification || userVerified) {
await this.createNewCipher(name); await this.createNewCipher(name);
}
// We are bypassing user verification pending approval.
this.send({ this.send({
sessionId: this.sessionId, sessionId: this.sessionId,
cipherId: this.cipher?.id, cipherId: this.cipher?.id,
type: "ConfirmNewCredentialResponse", type: "ConfirmNewCredentialResponse",
userVerified, userVerified: data.userVerification,
}); });
} }
@ -322,7 +312,6 @@ export class Fido2Component implements OnInit, OnDestroy {
uilocation: "popout", uilocation: "popout",
senderTabId: this.senderTabId, senderTabId: this.senderTabId,
sessionId: this.sessionId, sessionId: this.sessionId,
fromLock: this.fromLock,
userVerification: data.userVerification, userVerification: data.userVerification,
singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`, singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`,
}, },
@ -393,6 +382,20 @@ export class Fido2Component implements OnInit, OnDestroy {
} }
} }
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
private async handleUserVerification(
userVerificationRequested: boolean,
cipher: CipherView,
): Promise<boolean> {
const masterPasswordRepromptRequired = cipher && cipher.reprompt !== 0;
if (masterPasswordRepromptRequired) {
return await this.passwordRepromptService.showPasswordPrompt();
}
return userVerificationRequested;
}
private send(msg: BrowserFido2Message) { private send(msg: BrowserFido2Message) {
BrowserFido2UserInterfaceSession.sendMessage({ BrowserFido2UserInterfaceSession.sendMessage({
sessionId: this.sessionId, sessionId: this.sessionId,

View File

@ -144,6 +144,7 @@
appStopClick appStopClick
(click)="removePasskey()" (click)="removePasskey()"
appA11yTitle="{{ 'removePasskey' | i18n }}" appA11yTitle="{{ 'removePasskey' | i18n }}"
*ngIf="!(!cipher.edit && editMode)"
> >
<i class="bwi bwi-fw bwi-minus-circle bwi-lg" aria-hidden="true"></i> <i class="bwi bwi-fw bwi-minus-circle bwi-lg" aria-hidden="true"></i>
</button> </button>
@ -542,6 +543,7 @@
> >
<button <button
type="button" type="button"
*ngIf="!(!cipher.edit && editMode)"
appStopClick appStopClick
(click)="removeUri(u)" (click)="removeUri(u)"
appA11yTitle="{{ 'remove' | i18n }}" appA11yTitle="{{ 'remove' | i18n }}"
@ -558,6 +560,7 @@
[hidden]="$any(u).showUriOptionsInput === true" [hidden]="$any(u).showUriOptionsInput === true"
placeholder="{{ 'ex' | i18n }} https://google.com" placeholder="{{ 'ex' | i18n }} https://google.com"
inputmode="url" inputmode="url"
[readonly]="!cipher.edit && editMode"
appInputVerbatim appInputVerbatim
/> />
<label for="loginUriMatch{{ i }}" class="sr-only"> <label for="loginUriMatch{{ i }}" class="sr-only">
@ -607,6 +610,7 @@
appA11yTitle="{{ 'toggleOptions' | i18n }}" appA11yTitle="{{ 'toggleOptions' | i18n }}"
(click)="toggleUriOptions(u)" (click)="toggleUriOptions(u)"
[attr.aria-pressed]="$any(u).showOptions === true" [attr.aria-pressed]="$any(u).showOptions === true"
[disabled]="!cipher.edit && editMode"
> >
<i class="bwi bwi-fw bwi-lg bwi-cog" aria-hidden="true"></i> <i class="bwi bwi-fw bwi-lg bwi-cog" aria-hidden="true"></i>
</button> </button>

View File

@ -170,17 +170,14 @@ export class AddEditComponent extends BaseAddEditComponent {
async submit(): Promise<boolean> { async submit(): Promise<boolean> {
const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$); const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$);
const { isFido2Session, sessionId, userVerification, fromLock } = fido2SessionData; const { isFido2Session, sessionId, userVerification } = fido2SessionData;
const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session; const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session;
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
if ( if (
inFido2PopoutWindow && inFido2PopoutWindow &&
userVerification && !(await this.handleFido2UserVerification(sessionId, userVerification))
!(await this.fido2UserVerificationService.handleUserVerification(
userVerification,
this.cipher,
fromLock,
))
) { ) {
return false; return false;
} }
@ -389,4 +386,13 @@ export class AddEditComponent extends BaseAddEditComponent {
this.load().catch((error) => this.logService.error(error)); this.load().catch((error) => this.logService.error(error));
} }
} }
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
private async handleFido2UserVerification(
sessionId: string,
userVerification: boolean,
): Promise<boolean> {
// We are bypassing user verification pending approval for production.
return true;
}
} }

View File

@ -21,7 +21,9 @@
"@bitwarden/components": ["../../libs/components/src"], "@bitwarden/components": ["../../libs/components/src"],
"@bitwarden/generator-components": ["../../libs/tools/generator/components/src"], "@bitwarden/generator-components": ["../../libs/tools/generator/components/src"],
"@bitwarden/generator-core": ["../../libs/tools/generator/core/src"], "@bitwarden/generator-core": ["../../libs/tools/generator/core/src"],
"@bitwarden/generator-extensions": ["../../libs/tools/generator/extensions/src"], "@bitwarden/generator-history": ["../../libs/tools/generator/extensions/history/src"],
"@bitwarden/generator-legacy": ["../../libs/tools/generator/extensions/legacy/src"],
"@bitwarden/generator-navigation": ["../../libs/tools/generator/extensions/navigation/src"],
"@bitwarden/vault-export-core": [ "@bitwarden/vault-export-core": [
"../../libs/tools/export/vault-export/vault-export-core/src" "../../libs/tools/export/vault-export/vault-export-core/src"
], ],

View File

@ -127,7 +127,7 @@
appStopClick appStopClick
(click)="removePasskey()" (click)="removePasskey()"
appA11yTitle="{{ 'removePasskey' | i18n }}" appA11yTitle="{{ 'removePasskey' | i18n }}"
[disabled]="!cipher.edit && editMode" *ngIf="!(!cipher.edit && editMode)"
> >
<i class="bwi bwi-fw bwi-minus-circle bwi-lg" aria-hidden="true"></i> <i class="bwi bwi-fw bwi-minus-circle bwi-lg" aria-hidden="true"></i>
</button> </button>
@ -488,7 +488,7 @@
appStopClick appStopClick
(click)="removeUri(u)" (click)="removeUri(u)"
appA11yTitle="{{ 'remove' | i18n }}" appA11yTitle="{{ 'remove' | i18n }}"
[disabled]="!cipher.edit && editMode" *ngIf="!(!cipher.edit && editMode)"
> >
<i class="bwi bwi-minus-circle bwi-lg" aria-hidden="true"></i> <i class="bwi bwi-minus-circle bwi-lg" aria-hidden="true"></i>
</button> </button>
@ -500,6 +500,7 @@
name="Login.Uris[{{ i }}].Uri" name="Login.Uris[{{ i }}].Uri"
[(ngModel)]="u.uri" [(ngModel)]="u.uri"
placeholder="{{ 'ex' | i18n }} https://google.com" placeholder="{{ 'ex' | i18n }} https://google.com"
[readonly]="!cipher.edit && editMode"
appInputVerbatim appInputVerbatim
/> />
<label for="loginUriMatch{{ i }}" class="sr-only"> <label for="loginUriMatch{{ i }}" class="sr-only">
@ -533,6 +534,7 @@
($any(u).showOptions == null && u.match == null) ($any(u).showOptions == null && u.match == null)
) )
" "
[disabled]="!cipher.edit && editMode"
> >
<i class="bwi bwi-lg bwi-cog" aria-hidden="true"></i> <i class="bwi bwi-lg bwi-cog" aria-hidden="true"></i>
</button> </button>

View File

@ -19,7 +19,9 @@
"@bitwarden/components": ["../../libs/components/src"], "@bitwarden/components": ["../../libs/components/src"],
"@bitwarden/generator-components": ["../../libs/tools/generator/components/src"], "@bitwarden/generator-components": ["../../libs/tools/generator/components/src"],
"@bitwarden/generator-core": ["../../libs/tools/generator/core/src"], "@bitwarden/generator-core": ["../../libs/tools/generator/core/src"],
"@bitwarden/generator-extensions": ["../../libs/tools/generator/extensions/src"], "@bitwarden/generator-history": ["../../libs/tools/generator/extensions/history/src"],
"@bitwarden/generator-legacy": ["../../libs/tools/generator/extensions/legacy/src"],
"@bitwarden/generator-navigation": ["../../libs/tools/generator/extensions/navigation/src"],
"@bitwarden/vault-export-core": [ "@bitwarden/vault-export-core": [
"../../libs/tools/export/vault-export/vault-export-core/src" "../../libs/tools/export/vault-export/vault-export-core/src"
], ],

View File

@ -3,9 +3,9 @@
<p class="tw-text-xl tw-text-center tw-mb-4">{{ "deleteOrganization" | i18n }}</p> <p class="tw-text-xl tw-text-center tw-mb-4">{{ "deleteOrganization" | i18n }}</p>
<div class="tw-rounded-md tw-border tw-border-solid tw-border-secondary-300 tw-bg-background"> <div class="tw-rounded-md tw-border tw-border-solid tw-border-secondary-300 tw-bg-background">
<div class="tw-p-5"> <div class="tw-p-5">
<app-callout type="warning">{{ <bit-callout type="warning">
"deletingOrganizationIsPermanentWarning" | i18n: name {{ "deletingOrganizationIsPermanentWarning" | i18n: name }}
}}</app-callout> </bit-callout>
<p class="tw-text-center"> <p class="tw-text-center">
<strong>{{ name }}</strong> <strong>{{ name }}</strong>
</p> </p>

View File

@ -1,11 +1,11 @@
<bit-dialog dialogSize="large" [title]="'confirmUsers' | i18n" [loading]="loading"> <bit-dialog dialogSize="large" [title]="'confirmUsers' | i18n" [loading]="loading">
<ng-container bitDialogContent> <ng-container bitDialogContent>
<app-callout type="danger" *ngIf="filteredUsers.length <= 0"> <bit-callout type="danger" *ngIf="filteredUsers.length <= 0">
{{ "noSelectedUsersApplicable" | i18n }} {{ "noSelectedUsersApplicable" | i18n }}
</app-callout> </bit-callout>
<app-callout type="error" *ngIf="error"> <bit-callout type="danger" [title]="'error' | i18n" *ngIf="error">
{{ error }} {{ error }}
</app-callout> </bit-callout>
<ng-container *ngIf="!loading && !done"> <ng-container *ngIf="!loading && !done">
<p bitTypography="body1"> <p bitTypography="body1">
{{ "fingerprintEnsureIntegrityVerify" | i18n }} {{ "fingerprintEnsureIntegrityVerify" | i18n }}

View File

@ -1,18 +1,18 @@
<bit-dialog dialogSize="large" [title]="'removeUsers' | i18n"> <bit-dialog dialogSize="large" [title]="'removeUsers' | i18n">
<ng-container bitDialogContent> <ng-container bitDialogContent>
<app-callout type="danger" *ngIf="users.length <= 0"> <bit-callout type="danger" *ngIf="users.length <= 0">
{{ "noSelectedUsersApplicable" | i18n }} {{ "noSelectedUsersApplicable" | i18n }}
</app-callout> </bit-callout>
<app-callout type="error" *ngIf="error"> <bit-callout type="danger" [title]="'error' | i18n" *ngIf="error">
{{ error }} {{ error }}
</app-callout> </bit-callout>
<ng-container *ngIf="!done"> <ng-container *ngIf="!done">
<app-callout type="warning" *ngIf="users.length > 0 && !error"> <bit-callout type="warning" *ngIf="users.length > 0 && !error">
<p bitTypography="body1">{{ removeUsersWarning }}</p> <p bitTypography="body1">{{ removeUsersWarning }}</p>
<p *ngIf="this.showNoMasterPasswordWarning" bitTypography="body1"> <p *ngIf="this.showNoMasterPasswordWarning" bitTypography="body1">
{{ "removeMembersWithoutMasterPasswordWarning" | i18n }} {{ "removeMembersWithoutMasterPasswordWarning" | i18n }}
</p> </p>
</app-callout> </bit-callout>
<bit-table> <bit-table>
<ng-container header> <ng-container header>
<tr> <tr>

View File

@ -48,14 +48,14 @@
<ng-container *ngIf="firstLoaded"> <ng-container *ngIf="firstLoaded">
<p *ngIf="!dataSource.filteredData.length">{{ "noMembersInList" | i18n }}</p> <p *ngIf="!dataSource.filteredData.length">{{ "noMembersInList" | i18n }}</p>
<ng-container *ngIf="dataSource.filteredData.length"> <ng-container *ngIf="dataSource.filteredData.length">
<app-callout <bit-callout
type="info" type="info"
title="{{ 'confirmUsers' | i18n }}" title="{{ 'confirmUsers' | i18n }}"
icon="bwi bwi-check-circle" icon="bwi-check-circle"
*ngIf="showConfirmUsers" *ngIf="showConfirmUsers"
> >
{{ "usersNeedConfirmed" | i18n }} {{ "usersNeedConfirmed" | i18n }}
</app-callout> </bit-callout>
<!-- The padding on the bottom of the cdk-virtual-scroll-viewport element is required to prevent table row content <!-- The padding on the bottom of the cdk-virtual-scroll-viewport element is required to prevent table row content
from overflowing the <main> element. --> from overflowing the <main> element. -->
<cdk-virtual-scroll-viewport scrollWindow [itemSize]="rowHeight" class="tw-pb-8"> <cdk-virtual-scroll-viewport scrollWindow [itemSize]="rowHeight" class="tw-pb-8">

View File

@ -13,6 +13,7 @@ import { EncryptionType, KdfType } from "@bitwarden/common/platform/enums";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string"; import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { CsprngArray } from "@bitwarden/common/types/csprng"; import { CsprngArray } from "@bitwarden/common/types/csprng";
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey, OrgKey, MasterKey } from "@bitwarden/common/types/key"; import { UserKey, OrgKey, MasterKey } from "@bitwarden/common/types/key";
import { OrganizationUserResetPasswordService } from "./organization-user-reset-password.service"; import { OrganizationUserResetPasswordService } from "./organization-user-reset-password.service";
@ -157,7 +158,7 @@ describe("OrganizationUserResetPasswordService", () => {
}); });
}); });
describe("getRotatedKeys", () => { describe("getRotatedData", () => {
beforeEach(() => { beforeEach(() => {
organizationService.getAll.mockResolvedValue([ organizationService.getAll.mockResolvedValue([
createOrganization("1", "org1"), createOrganization("1", "org1"),
@ -175,12 +176,24 @@ describe("OrganizationUserResetPasswordService", () => {
}); });
it("should return all re-encrypted account recovery keys", async () => { it("should return all re-encrypted account recovery keys", async () => {
const result = await sut.getRotatedKeys( const result = await sut.getRotatedData(
new SymmetricCryptoKey(new Uint8Array(64)) as UserKey, new SymmetricCryptoKey(new Uint8Array(64)) as UserKey,
new SymmetricCryptoKey(new Uint8Array(64)) as UserKey,
"mockUserId" as UserId,
); );
expect(result).toHaveLength(2); expect(result).toHaveLength(2);
}); });
it("throws if the new user key is null", async () => {
await expect(
sut.getRotatedData(
new SymmetricCryptoKey(new Uint8Array(64)) as UserKey,
null,
"mockUserId" as UserId,
),
).rejects.toThrow("New user key is required for rotation.");
});
}); });
}); });

View File

@ -1,5 +1,6 @@
import { Injectable } from "@angular/core"; import { Injectable } from "@angular/core";
import { UserKeyRotationDataProvider } from "@bitwarden/auth/common";
import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction"; import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction"; import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
import { OrganizationUserService } from "@bitwarden/common/admin-console/abstractions/organization-user/organization-user.service"; import { OrganizationUserService } from "@bitwarden/common/admin-console/abstractions/organization-user/organization-user.service";
@ -19,12 +20,15 @@ import { KdfType } from "@bitwarden/common/platform/enums";
import { Utils } from "@bitwarden/common/platform/misc/utils"; import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncryptedString, EncString } from "@bitwarden/common/platform/models/domain/enc-string"; import { EncryptedString, EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey } from "@bitwarden/common/types/key"; import { UserKey } from "@bitwarden/common/types/key";
@Injectable({ @Injectable({
providedIn: "root", providedIn: "root",
}) })
export class OrganizationUserResetPasswordService { export class OrganizationUserResetPasswordService
implements UserKeyRotationDataProvider<OrganizationUserResetPasswordWithIdRequest>
{
constructor( constructor(
private cryptoService: CryptoService, private cryptoService: CryptoService,
private encryptService: EncryptService, private encryptService: EncryptService,
@ -129,11 +133,16 @@ export class OrganizationUserResetPasswordService {
/** /**
* Returns existing account recovery keys re-encrypted with the new user key. * Returns existing account recovery keys re-encrypted with the new user key.
* @param originalUserKey the original user key
* @param newUserKey the new user key * @param newUserKey the new user key
* @param userId the user id
* @throws Error if new user key is null * @throws Error if new user key is null
* @returns a list of account recovery keys that have been re-encrypted with the new user key
*/ */
async getRotatedKeys( async getRotatedData(
originalUserKey: UserKey,
newUserKey: UserKey, newUserKey: UserKey,
userId: UserId,
): Promise<OrganizationUserResetPasswordWithIdRequest[] | null> { ): Promise<OrganizationUserResetPasswordWithIdRequest[] | null> {
if (newUserKey == null) { if (newUserKey == null) {
throw new Error("New user key is required for rotation."); throw new Error("New user key is required for rotation.");

View File

@ -1,6 +1,6 @@
<app-callout type="warning"> <bit-callout type="warning">
{{ "disableSendExemption" | i18n }} {{ "disableSendExemption" | i18n }}
</app-callout> </bit-callout>
<bit-form-control> <bit-form-control>
<input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" /> <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />

View File

@ -1,6 +1,6 @@
<app-callout type="info" *ngIf="showKeyConnectorInfo"> <bit-callout type="info" *ngIf="showKeyConnectorInfo">
{{ "keyConnectorPolicyRestriction" | i18n }} {{ "keyConnectorPolicyRestriction" | i18n }}
</app-callout> </bit-callout>
<div [formGroup]="data"> <div [formGroup]="data">
<bit-form-control> <bit-form-control>

View File

@ -1,6 +1,6 @@
<app-callout type="warning"> <bit-callout type="warning">
{{ "personalOwnershipExemption" | i18n }} {{ "personalOwnershipExemption" | i18n }}
</app-callout> </bit-callout>
<div class="form-group"> <div class="form-group">
<div class="form-check"> <div class="form-check">

View File

@ -1,9 +1,9 @@
<app-callout type="tip" title="{{ 'prerequisite' | i18n }}"> <bit-callout type="info" title="{{ 'prerequisite' | i18n }}">
{{ "requireSsoPolicyReq" | i18n }} {{ "requireSsoPolicyReq" | i18n }}
</app-callout> </bit-callout>
<app-callout type="warning"> <bit-callout type="warning">
{{ "requireSsoExemption" | i18n }} {{ "requireSsoExemption" | i18n }}
</app-callout> </bit-callout>
<bit-form-control> <bit-form-control>
<input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" /> <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />

View File

@ -1,6 +1,6 @@
<app-callout type="warning"> <bit-callout type="warning">
{{ "sendOptionsExemption" | i18n }} {{ "sendOptionsExemption" | i18n }}
</app-callout> </bit-callout>
<bit-form-control> <bit-form-control>
<input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" /> <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />

View File

@ -1,6 +1,6 @@
<app-callout type="warning"> <bit-callout type="warning">
{{ "singleOrgPolicyWarning" | i18n }} {{ "singleOrgPolicyWarning" | i18n }}
</app-callout> </bit-callout>
<bit-form-control> <bit-form-control>
<input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" /> <input type="checkbox" bitCheckbox [formControl]="enabled" id="enabled" />

View File

@ -1,6 +1,6 @@
<app-callout type="warning"> <bit-callout type="warning">
{{ "twoStepLoginPolicyWarning" | i18n }} {{ "twoStepLoginPolicyWarning" | i18n }}
</app-callout> </bit-callout>
<bit-form-control> <bit-form-control>
<input type="checkbox" id="enabled" bitCheckbox [formControl]="enabled" /> <input type="checkbox" id="enabled" bitCheckbox [formControl]="enabled" />

View File

@ -2,9 +2,9 @@
<bit-dialog [loading]="!loaded"> <bit-dialog [loading]="!loaded">
<span bitDialogTitle>{{ "deleteOrganization" | i18n }}</span> <span bitDialogTitle>{{ "deleteOrganization" | i18n }}</span>
<div bitDialogContent> <div bitDialogContent>
<app-callout type="warning">{{ <bit-callout type="warning">
"deletingOrganizationIsPermanentWarning" | i18n: organization?.name {{ "deletingOrganizationIsPermanentWarning" | i18n: organization?.name }}
}}</app-callout> </bit-callout>
<p id="organizationDeleteDescription"> <p id="organizationDeleteDescription">
<ng-container <ng-container
*ngIf=" *ngIf="

View File

@ -190,7 +190,7 @@ describe("WebauthnAdminService", () => {
it("should throw when old userkey is null", async () => { it("should throw when old userkey is null", async () => {
const newUserKey = makeSymmetricCryptoKey(64) as UserKey; const newUserKey = makeSymmetricCryptoKey(64) as UserKey;
try { try {
await service.rotateWebAuthnKeys(null, newUserKey); await service.getRotatedData(null, newUserKey, null);
} catch (error) { } catch (error) {
expect(error).toEqual(new Error("oldUserKey is required")); expect(error).toEqual(new Error("oldUserKey is required"));
} }
@ -198,7 +198,7 @@ describe("WebauthnAdminService", () => {
it("should throw when new userkey is null", async () => { it("should throw when new userkey is null", async () => {
const oldUserKey = makeSymmetricCryptoKey(64) as UserKey; const oldUserKey = makeSymmetricCryptoKey(64) as UserKey;
try { try {
await service.rotateWebAuthnKeys(oldUserKey, null); await service.getRotatedData(oldUserKey, null, null);
} catch (error) { } catch (error) {
expect(error).toEqual(new Error("newUserKey is required")); expect(error).toEqual(new Error("newUserKey is required"));
} }
@ -222,7 +222,7 @@ describe("WebauthnAdminService", () => {
.mockResolvedValue( .mockResolvedValue(
new RotateableKeySet<PrfKey>(mockEncryptedUserKey, mockEncryptedPublicKey), new RotateableKeySet<PrfKey>(mockEncryptedUserKey, mockEncryptedPublicKey),
); );
await service.rotateWebAuthnKeys(oldUserKey, newUserKey); await service.getRotatedData(oldUserKey, newUserKey, null);
expect(rotateKeySetMock).toHaveBeenCalledWith( expect(rotateKeySetMock).toHaveBeenCalledWith(
expect.any(RotateableKeySet), expect.any(RotateableKeySet),
oldUserKey, oldUserKey,
@ -242,7 +242,7 @@ describe("WebauthnAdminService", () => {
], ],
} as any); } as any);
const rotateKeySetMock = jest.spyOn(rotateableKeySetService, "rotateKeySet"); const rotateKeySetMock = jest.spyOn(rotateableKeySetService, "rotateKeySet");
await service.rotateWebAuthnKeys(oldUserKey, newUserKey); await service.getRotatedData(oldUserKey, newUserKey, null);
expect(rotateKeySetMock).not.toHaveBeenCalled(); expect(rotateKeySetMock).not.toHaveBeenCalled();
}); });
}); });

View File

@ -1,7 +1,7 @@
import { Injectable, Optional } from "@angular/core"; import { Injectable, Optional } from "@angular/core";
import { BehaviorSubject, filter, from, map, Observable, shareReplay, switchMap, tap } from "rxjs"; import { BehaviorSubject, filter, from, map, Observable, shareReplay, switchMap, tap } from "rxjs";
import { PrfKeySet } from "@bitwarden/auth/common"; import { PrfKeySet, UserKeyRotationDataProvider } from "@bitwarden/auth/common";
import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction"; import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
import { WebAuthnLoginPrfCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/webauthn/webauthn-login-prf-crypto.service.abstraction"; import { WebAuthnLoginPrfCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/webauthn/webauthn-login-prf-crypto.service.abstraction";
import { WebauthnRotateCredentialRequest } from "@bitwarden/common/auth/models/request/webauthn-rotate-credential.request"; import { WebauthnRotateCredentialRequest } from "@bitwarden/common/auth/models/request/webauthn-rotate-credential.request";
@ -9,6 +9,7 @@ import { WebAuthnLoginCredentialAssertionOptionsView } from "@bitwarden/common/a
import { WebAuthnLoginCredentialAssertionView } from "@bitwarden/common/auth/models/view/webauthn-login/webauthn-login-credential-assertion.view"; import { WebAuthnLoginCredentialAssertionView } from "@bitwarden/common/auth/models/view/webauthn-login/webauthn-login-credential-assertion.view";
import { Verification } from "@bitwarden/common/auth/types/verification"; import { Verification } from "@bitwarden/common/auth/types/verification";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey } from "@bitwarden/common/types/key"; import { UserKey } from "@bitwarden/common/types/key";
import { CredentialCreateOptionsView } from "../../views/credential-create-options.view"; import { CredentialCreateOptionsView } from "../../views/credential-create-options.view";
@ -25,7 +26,9 @@ import { WebAuthnLoginAdminApiService } from "./webauthn-login-admin-api.service
/** /**
* Service for managing WebAuthnLogin credentials. * Service for managing WebAuthnLogin credentials.
*/ */
export class WebauthnLoginAdminService { export class WebauthnLoginAdminService
implements UserKeyRotationDataProvider<WebauthnRotateCredentialRequest>
{
static readonly MaxCredentialCount = 5; static readonly MaxCredentialCount = 5;
private navigatorCredentials: CredentialsContainer; private navigatorCredentials: CredentialsContainer;
@ -283,11 +286,13 @@ export class WebauthnLoginAdminService {
* *
* @param oldUserKey The old user key * @param oldUserKey The old user key
* @param newUserKey The new user key * @param newUserKey The new user key
* @param userId The user id
* @returns A promise that returns an array of rotate credential requests when resolved. * @returns A promise that returns an array of rotate credential requests when resolved.
*/ */
async rotateWebAuthnKeys( async getRotatedData(
oldUserKey: UserKey, oldUserKey: UserKey,
newUserKey: UserKey, newUserKey: UserKey,
userId: UserId,
): Promise<WebauthnRotateCredentialRequest[]> { ): Promise<WebauthnRotateCredentialRequest[]> {
if (!oldUserKey) { if (!oldUserKey) {
throw new Error("oldUserKey is required"); throw new Error("oldUserKey is required");

View File

@ -11,6 +11,7 @@ import { EncryptionType, KdfType } from "@bitwarden/common/platform/enums";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string"; import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { CsprngArray } from "@bitwarden/common/types/csprng"; import { CsprngArray } from "@bitwarden/common/types/csprng";
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey, MasterKey } from "@bitwarden/common/types/key"; import { UserKey, MasterKey } from "@bitwarden/common/types/key";
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
@ -223,8 +224,11 @@ describe("EmergencyAccessService", () => {
}); });
}); });
describe("getRotatedKeys", () => { describe("getRotatedData", () => {
let mockUserKey: UserKey; const mockRandomBytes = new Uint8Array(64) as CsprngArray;
const mockOriginalUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
const mockNewUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
const allowedStatuses = [ const allowedStatuses = [
EmergencyAccessStatusType.Confirmed, EmergencyAccessStatusType.Confirmed,
EmergencyAccessStatusType.RecoveryInitiated, EmergencyAccessStatusType.RecoveryInitiated,
@ -242,9 +246,6 @@ describe("EmergencyAccessService", () => {
} as ListResponse<EmergencyAccessGranteeDetailsResponse>; } as ListResponse<EmergencyAccessGranteeDetailsResponse>;
beforeEach(() => { beforeEach(() => {
const mockRandomBytes = new Uint8Array(64) as CsprngArray;
mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
emergencyAccessApiService.getEmergencyAccessTrusted.mockResolvedValue(mockEmergencyAccess); emergencyAccessApiService.getEmergencyAccessTrusted.mockResolvedValue(mockEmergencyAccess);
apiService.getUserPublicKey.mockResolvedValue({ apiService.getUserPublicKey.mockResolvedValue({
userId: "mockUserId", userId: "mockUserId",
@ -259,10 +260,20 @@ describe("EmergencyAccessService", () => {
}); });
it("Only returns emergency accesses with allowed statuses", async () => { it("Only returns emergency accesses with allowed statuses", async () => {
const result = await emergencyAccessService.getRotatedKeys(mockUserKey); const result = await emergencyAccessService.getRotatedData(
mockOriginalUserKey,
mockNewUserKey,
"mockUserId" as UserId,
);
expect(result).toHaveLength(allowedStatuses.length); expect(result).toHaveLength(allowedStatuses.length);
}); });
it("throws if new user key is null", async () => {
await expect(
emergencyAccessService.getRotatedData(mockOriginalUserKey, null, "mockUserId" as UserId),
).rejects.toThrow("New user key is required for rotation.");
});
}); });
}); });

View File

@ -1,5 +1,6 @@
import { Injectable } from "@angular/core"; import { Injectable } from "@angular/core";
import { UserKeyRotationDataProvider } from "@bitwarden/auth/common";
import { ApiService } from "@bitwarden/common/abstractions/api.service"; import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { PolicyData } from "@bitwarden/common/admin-console/models/data/policy.data"; import { PolicyData } from "@bitwarden/common/admin-console/models/data/policy.data";
import { Policy } from "@bitwarden/common/admin-console/models/domain/policy"; import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
@ -15,6 +16,7 @@ import { KdfType } from "@bitwarden/common/platform/enums";
import { Utils } from "@bitwarden/common/platform/misc/utils"; import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string"; import { EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey } from "@bitwarden/common/types/key"; import { UserKey } from "@bitwarden/common/types/key";
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
import { Cipher } from "@bitwarden/common/vault/models/domain/cipher"; import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
@ -35,7 +37,9 @@ import {
import { EmergencyAccessApiService } from "./emergency-access-api.service"; import { EmergencyAccessApiService } from "./emergency-access-api.service";
@Injectable() @Injectable()
export class EmergencyAccessService { export class EmergencyAccessService
implements UserKeyRotationDataProvider<EmergencyAccessWithIdRequest>
{
constructor( constructor(
private emergencyAccessApiService: EmergencyAccessApiService, private emergencyAccessApiService: EmergencyAccessApiService,
private apiService: ApiService, private apiService: ApiService,
@ -286,9 +290,21 @@ export class EmergencyAccessService {
/** /**
* Returns existing emergency access keys re-encrypted with new user key. * Returns existing emergency access keys re-encrypted with new user key.
* Intended for grantor. * Intended for grantor.
* @param originalUserKey the original user key
* @param newUserKey the new user key * @param newUserKey the new user key
* @param userId the user id
* @throws Error if newUserKey is nullish
* @returns an array of re-encrypted emergency access requests or an empty array if there are no requests
*/ */
async getRotatedKeys(newUserKey: UserKey): Promise<EmergencyAccessWithIdRequest[]> { async getRotatedData(
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
): Promise<EmergencyAccessWithIdRequest[]> {
if (newUserKey == null) {
throw new Error("New user key is required for rotation.");
}
const requests: EmergencyAccessWithIdRequest[] = []; const requests: EmergencyAccessWithIdRequest[] = [];
const existingEmergencyAccess = const existingEmergencyAccess =
await this.emergencyAccessApiService.getEmergencyAccessTrusted(); await this.emergencyAccessApiService.getEmergencyAccessTrusted();

View File

@ -1,37 +1,30 @@
import { mock, MockProxy } from "jest-mock-extended"; import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject, of } from "rxjs"; import { BehaviorSubject } from "rxjs";
import { OrganizationUserResetPasswordWithIdRequest } from "@bitwarden/common/admin-console/abstractions/organization-user/requests";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction"; import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { KdfConfigService } from "@bitwarden/common/auth/abstractions/kdf-config.service"; import { KdfConfigService } from "@bitwarden/common/auth/abstractions/kdf-config.service";
import { WebauthnRotateCredentialRequest } from "@bitwarden/common/auth/models/request/webauthn-rotate-credential.request";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service"; import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service"; import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service"; import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EncryptionType } from "@bitwarden/common/platform/enums";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { Send } from "@bitwarden/common/tools/send/models/domain/send"; import { SendWithIdRequest } from "@bitwarden/common/tools/send/models/request/send-with-id.request";
import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction"; import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
import { UserId } from "@bitwarden/common/types/guid"; import { UserId } from "@bitwarden/common/types/guid";
import { UserKey } from "@bitwarden/common/types/key"; import { UserKey, UserPrivateKey } from "@bitwarden/common/types/key";
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction"; import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction"; import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
import { CipherType } from "@bitwarden/common/vault/enums/cipher-type"; import { CipherType } from "@bitwarden/common/vault/enums";
import { Cipher } from "@bitwarden/common/vault/models/domain/cipher"; import { CipherWithIdRequest } from "@bitwarden/common/vault/models/request/cipher-with-id.request";
import { Folder } from "@bitwarden/common/vault/models/domain/folder"; import { FolderWithIdRequest } from "@bitwarden/common/vault/models/request/folder-with-id.request";
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
import {
FakeAccountService,
mockAccountServiceWith,
} from "../../../../../../libs/common/spec/fake-account-service";
import { OrganizationUserResetPasswordService } from "../../admin-console/organizations/members/services/organization-user-reset-password/organization-user-reset-password.service"; import { OrganizationUserResetPasswordService } from "../../admin-console/organizations/members/services/organization-user-reset-password/organization-user-reset-password.service";
import { StateService } from "../../core";
import { WebauthnLoginAdminService } from "../core"; import { WebauthnLoginAdminService } from "../core";
import { EmergencyAccessService } from "../emergency-access"; import { EmergencyAccessService } from "../emergency-access";
import { EmergencyAccessWithIdRequest } from "../emergency-access/request/emergency-access-update.request";
import { UserKeyRotationApiService } from "./user-key-rotation-api.service"; import { UserKeyRotationApiService } from "./user-key-rotation-api.service";
import { UserKeyRotationService } from "./user-key-rotation.service"; import { UserKeyRotationService } from "./user-key-rotation.service";
@ -48,16 +41,19 @@ describe("KeyRotationService", () => {
let mockDeviceTrustService: MockProxy<DeviceTrustServiceAbstraction>; let mockDeviceTrustService: MockProxy<DeviceTrustServiceAbstraction>;
let mockCryptoService: MockProxy<CryptoService>; let mockCryptoService: MockProxy<CryptoService>;
let mockEncryptService: MockProxy<EncryptService>; let mockEncryptService: MockProxy<EncryptService>;
let mockStateService: MockProxy<StateService>;
let mockConfigService: MockProxy<ConfigService>; let mockConfigService: MockProxy<ConfigService>;
let mockKdfConfigService: MockProxy<KdfConfigService>; let mockKdfConfigService: MockProxy<KdfConfigService>;
let mockSyncService: MockProxy<SyncService>; let mockSyncService: MockProxy<SyncService>;
let mockWebauthnLoginAdminService: MockProxy<WebauthnLoginAdminService>; let mockWebauthnLoginAdminService: MockProxy<WebauthnLoginAdminService>;
const mockUserId = Utils.newGuid() as UserId;
const mockAccountService: FakeAccountService = mockAccountServiceWith(mockUserId);
let mockMasterPasswordService: FakeMasterPasswordService = new FakeMasterPasswordService(); let mockMasterPasswordService: FakeMasterPasswordService = new FakeMasterPasswordService();
const mockUser = {
id: "mockUserId" as UserId,
email: "mockEmail",
emailVerified: true,
name: "mockName",
};
beforeAll(() => { beforeAll(() => {
mockMasterPasswordService = new FakeMasterPasswordService(); mockMasterPasswordService = new FakeMasterPasswordService();
mockApiService = mock<UserKeyRotationApiService>(); mockApiService = mock<UserKeyRotationApiService>();
@ -69,7 +65,6 @@ describe("KeyRotationService", () => {
mockDeviceTrustService = mock<DeviceTrustServiceAbstraction>(); mockDeviceTrustService = mock<DeviceTrustServiceAbstraction>();
mockCryptoService = mock<CryptoService>(); mockCryptoService = mock<CryptoService>();
mockEncryptService = mock<EncryptService>(); mockEncryptService = mock<EncryptService>();
mockStateService = mock<StateService>();
mockConfigService = mock<ConfigService>(); mockConfigService = mock<ConfigService>();
mockKdfConfigService = mock<KdfConfigService>(); mockKdfConfigService = mock<KdfConfigService>();
mockSyncService = mock<SyncService>(); mockSyncService = mock<SyncService>();
@ -86,8 +81,6 @@ describe("KeyRotationService", () => {
mockDeviceTrustService, mockDeviceTrustService,
mockCryptoService, mockCryptoService,
mockEncryptService, mockEncryptService,
mockStateService,
mockAccountService,
mockKdfConfigService, mockKdfConfigService,
mockSyncService, mockSyncService,
mockWebauthnLoginAdminService, mockWebauthnLoginAdminService,
@ -98,91 +91,82 @@ describe("KeyRotationService", () => {
jest.clearAllMocks(); jest.clearAllMocks();
}); });
it("instantiates", () => {
expect(keyRotationService).not.toBeFalsy();
});
describe("rotateUserKeyAndEncryptedData", () => { describe("rotateUserKeyAndEncryptedData", () => {
let folderViews: BehaviorSubject<FolderView[]>; let privateKey: BehaviorSubject<UserPrivateKey>;
let sends: BehaviorSubject<Send[]>;
beforeAll(() => { beforeEach(() => {
mockCryptoService.makeMasterKey.mockResolvedValue("mockMasterKey" as any); mockCryptoService.makeMasterKey.mockResolvedValue("mockMasterKey" as any);
mockCryptoService.makeUserKey.mockResolvedValue([ mockCryptoService.makeUserKey.mockResolvedValue([
new SymmetricCryptoKey(new Uint8Array(64)) as UserKey, new SymmetricCryptoKey(new Uint8Array(64)) as UserKey,
{ {
encryptedString: "mockEncryptedUserKey", encryptedString: "mockNewUserKey",
} as any, } as any,
]); ]);
mockCryptoService.hashMasterKey.mockResolvedValue("mockMasterPasswordHash"); mockCryptoService.hashMasterKey.mockResolvedValue("mockMasterPasswordHash");
mockConfigService.getFeatureFlag.mockResolvedValue(true); mockConfigService.getFeatureFlag.mockResolvedValue(true);
// Mock private key
mockCryptoService.getPrivateKey.mockResolvedValue("MockPrivateKey" as any);
mockCryptoService.userKey$.mockReturnValue(
of(new SymmetricCryptoKey(new Uint8Array(64)) as UserKey),
);
// Mock ciphers
const mockCiphers = [createMockCipher("1", "Cipher 1"), createMockCipher("2", "Cipher 2")];
mockCipherService.getAllDecrypted.mockResolvedValue(mockCiphers);
// Mock folders
const mockFolders = [createMockFolder("1", "Folder 1"), createMockFolder("2", "Folder 2")];
folderViews = new BehaviorSubject<FolderView[]>(mockFolders);
mockFolderService.folderViews$ = folderViews;
// Mock sends
const mockSends = [createMockSend("1", "Send 1"), createMockSend("2", "Send 2")];
sends = new BehaviorSubject<Send[]>(mockSends);
mockSendService.sends$ = sends;
mockWebauthnLoginAdminService.rotateWebAuthnKeys.mockResolvedValue([]);
// Mock encryption methods
mockEncryptService.encrypt.mockResolvedValue({ mockEncryptService.encrypt.mockResolvedValue({
encryptedString: "mockEncryptedData", encryptedString: "mockEncryptedData",
} as any); } as any);
mockFolderService.encrypt.mockImplementation((folder, userKey) => { // Mock user key
const encryptedFolder = new Folder(); mockCryptoService.userKey$.mockReturnValue(new BehaviorSubject("mockOriginalUserKey" as any));
encryptedFolder.id = folder.id;
encryptedFolder.name = new EncString(
EncryptionType.AesCbc256_HmacSha256_B64,
"Encrypted: " + folder.name,
);
return Promise.resolve(encryptedFolder);
});
mockCipherService.encrypt.mockImplementation((cipher, userKey) => { // Mock private key
const encryptedCipher = new Cipher(); privateKey = new BehaviorSubject("mockPrivateKey" as any);
encryptedCipher.id = cipher.id; mockCryptoService.userPrivateKeyWithLegacySupport$.mockReturnValue(privateKey);
encryptedCipher.name = new EncString(
EncryptionType.AesCbc256_HmacSha256_B64, // Mock ciphers
"Encrypted: " + cipher.name, const mockCiphers = [createMockCipher("1", "Cipher 1"), createMockCipher("2", "Cipher 2")];
); mockCipherService.getRotatedData.mockResolvedValue(mockCiphers);
return Promise.resolve(encryptedCipher);
}); // Mock folders
const mockFolders = [createMockFolder("1", "Folder 1"), createMockFolder("2", "Folder 2")];
mockFolderService.getRotatedData.mockResolvedValue(mockFolders);
// Mock sends
const mockSends = [createMockSend("1", "Send 1"), createMockSend("2", "Send 2")];
mockSendService.getRotatedData.mockResolvedValue(mockSends);
// Mock emergency access
const emergencyAccess = [createMockEmergencyAccess("13")];
mockEmergencyAccessService.getRotatedData.mockResolvedValue(emergencyAccess);
// Mock reset password
const resetPassword = [createMockResetPassword("12")];
mockResetPasswordService.getRotatedData.mockResolvedValue(resetPassword);
// Mock Webauthn
const webauthn = [createMockWebauthn("13"), createMockWebauthn("14")];
mockWebauthnLoginAdminService.getRotatedData.mockResolvedValue(webauthn);
}); });
it("rotates the user key and encrypted data", async () => { it("rotates the user key and encrypted data", async () => {
await keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword"); await keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword", mockUser);
expect(mockApiService.postUserKeyUpdate).toHaveBeenCalled(); expect(mockApiService.postUserKeyUpdate).toHaveBeenCalled();
const arg = mockApiService.postUserKeyUpdate.mock.calls[0][0]; const arg = mockApiService.postUserKeyUpdate.mock.calls[0][0];
expect(arg.key).toBe("mockNewUserKey");
expect(arg.privateKey).toBe("mockEncryptedData");
expect(arg.ciphers.length).toBe(2); expect(arg.ciphers.length).toBe(2);
expect(arg.folders.length).toBe(2); expect(arg.folders.length).toBe(2);
expect(arg.sends.length).toBe(2);
expect(arg.emergencyAccessKeys.length).toBe(1);
expect(arg.resetPasswordKeys.length).toBe(1);
expect(arg.webauthnKeys.length).toBe(2);
}); });
it("throws if master password provided is falsey", async () => { it("throws if master password provided is falsey", async () => {
await expect(keyRotationService.rotateUserKeyAndEncryptedData("")).rejects.toThrow(); await expect(
keyRotationService.rotateUserKeyAndEncryptedData("", mockUser),
).rejects.toThrow();
}); });
it("throws if master key creation fails", async () => { it("throws if master key creation fails", async () => {
mockCryptoService.makeMasterKey.mockResolvedValueOnce(null); mockCryptoService.makeMasterKey.mockResolvedValueOnce(null);
await expect( await expect(
keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword"), keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword", mockUser),
).rejects.toThrow(); ).rejects.toThrow();
}); });
@ -190,16 +174,24 @@ describe("KeyRotationService", () => {
mockCryptoService.makeUserKey.mockResolvedValueOnce([null, null]); mockCryptoService.makeUserKey.mockResolvedValueOnce([null, null]);
await expect( await expect(
keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword"), keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword", mockUser),
).rejects.toThrow();
});
it("throws if no private key is found", async () => {
privateKey.next(null);
await expect(
keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword", mockUser),
).rejects.toThrow(); ).rejects.toThrow();
}); });
it("saves the master key in state after creation", async () => { it("saves the master key in state after creation", async () => {
await keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword"); await keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword", mockUser);
expect(mockMasterPasswordService.mock.setMasterKey).toHaveBeenCalledWith( expect(mockMasterPasswordService.mock.setMasterKey).toHaveBeenCalledWith(
"mockMasterKey" as any, "mockMasterKey" as any,
mockUserId, mockUser.id,
); );
}); });
@ -207,30 +199,51 @@ describe("KeyRotationService", () => {
mockApiService.postUserKeyUpdate.mockRejectedValueOnce(new Error("mockError")); mockApiService.postUserKeyUpdate.mockRejectedValueOnce(new Error("mockError"));
await expect( await expect(
keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword"), keyRotationService.rotateUserKeyAndEncryptedData("mockMasterPassword", mockUser),
).rejects.toThrow(); ).rejects.toThrow();
}); });
}); });
}); });
function createMockFolder(id: string, name: string): FolderView { function createMockFolder(id: string, name: string): FolderWithIdRequest {
const folder = new FolderView(); return {
folder.id = id; id: id,
folder.name = name; name: name,
return folder; } as FolderWithIdRequest;
} }
function createMockCipher(id: string, name: string): CipherView { function createMockCipher(id: string, name: string): CipherWithIdRequest {
const cipher = new CipherView(); return {
cipher.id = id; id: id,
cipher.name = name; name: name,
cipher.type = CipherType.Login; type: CipherType.Login,
return cipher; } as CipherWithIdRequest;
} }
function createMockSend(id: string, name: string): Send { function createMockSend(id: string, name: string): SendWithIdRequest {
const send = new Send(); return {
send.id = id; id: id,
send.name = new EncString(EncryptionType.AesCbc256_HmacSha256_B64, name); name: name,
return send; } as SendWithIdRequest;
}
function createMockEmergencyAccess(id: string): EmergencyAccessWithIdRequest {
return {
id: id,
type: 0,
waitTimeDays: 5,
} as EmergencyAccessWithIdRequest;
}
function createMockResetPassword(id: string): OrganizationUserResetPasswordWithIdRequest {
return {
organizationId: id,
resetPasswordKey: "mockResetPasswordKey",
} as OrganizationUserResetPasswordWithIdRequest;
}
function createMockWebauthn(id: string): any {
return {
id: id,
} as WebauthnRotateCredentialRequest;
} }

View File

@ -1,21 +1,19 @@
import { Injectable } from "@angular/core"; import { Injectable } from "@angular/core";
import { firstValueFrom, map } from "rxjs"; import { firstValueFrom } from "rxjs";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; import { AccountInfo } from "@bitwarden/common/auth/abstractions/account.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction"; import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { KdfConfigService } from "@bitwarden/common/auth/abstractions/kdf-config.service"; import { KdfConfigService } from "@bitwarden/common/auth/abstractions/kdf-config.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction"; import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service"; import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service"; import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string"; import { EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction"; import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey } from "@bitwarden/common/types/key"; import { UserKey } from "@bitwarden/common/types/key";
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction"; import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction"; import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
import { CipherWithIdRequest } from "@bitwarden/common/vault/models/request/cipher-with-id.request";
import { FolderWithIdRequest } from "@bitwarden/common/vault/models/request/folder-with-id.request";
import { OrganizationUserResetPasswordService } from "../../admin-console/organizations/members/services/organization-user-reset-password/organization-user-reset-password.service"; import { OrganizationUserResetPasswordService } from "../../admin-console/organizations/members/services/organization-user-reset-password/organization-user-reset-password.service";
import { WebauthnLoginAdminService } from "../core"; import { WebauthnLoginAdminService } from "../core";
@ -37,8 +35,6 @@ export class UserKeyRotationService {
private deviceTrustService: DeviceTrustServiceAbstraction, private deviceTrustService: DeviceTrustServiceAbstraction,
private cryptoService: CryptoService, private cryptoService: CryptoService,
private encryptService: EncryptService, private encryptService: EncryptService,
private stateService: StateService,
private accountService: AccountService,
private kdfConfigService: KdfConfigService, private kdfConfigService: KdfConfigService,
private syncService: SyncService, private syncService: SyncService,
private webauthnLoginAdminService: WebauthnLoginAdminService, private webauthnLoginAdminService: WebauthnLoginAdminService,
@ -48,7 +44,10 @@ export class UserKeyRotationService {
* Creates a new user key and re-encrypts all required data with the it. * Creates a new user key and re-encrypts all required data with the it.
* @param masterPassword current master password (used for validation) * @param masterPassword current master password (used for validation)
*/ */
async rotateUserKeyAndEncryptedData(masterPassword: string): Promise<void> { async rotateUserKeyAndEncryptedData(
masterPassword: string,
user: { id: UserId } & AccountInfo,
): Promise<void> {
if (!masterPassword) { if (!masterPassword) {
throw new Error("Invalid master password"); throw new Error("Invalid master password");
} }
@ -62,7 +61,7 @@ export class UserKeyRotationService {
// Create master key to validate the master password // Create master key to validate the master password
const masterKey = await this.cryptoService.makeMasterKey( const masterKey = await this.cryptoService.makeMasterKey(
masterPassword, masterPassword,
await firstValueFrom(this.accountService.activeAccount$.pipe(map((a) => a?.email))), user.email,
await this.kdfConfigService.getKdfConfig(), await this.kdfConfigService.getKdfConfig(),
); );
@ -71,9 +70,7 @@ export class UserKeyRotationService {
} }
// Set master key again in case it was lost (could be lost on refresh) // Set master key again in case it was lost (could be lost on refresh)
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id; await this.masterPasswordService.setMasterKey(masterKey, user.id);
const oldUserKey = await firstValueFrom(this.cryptoService.userKey$(userId));
await this.masterPasswordService.setMasterKey(masterKey, userId);
const [newUserKey, newEncUserKey] = await this.cryptoService.makeUserKey(masterKey); const [newUserKey, newEncUserKey] = await this.cryptoService.makeUserKey(masterKey);
if (!newUserKey || !newEncUserKey) { if (!newUserKey || !newEncUserKey) {
@ -90,61 +87,86 @@ export class UserKeyRotationService {
const masterPasswordHash = await this.cryptoService.hashMasterKey(masterPassword, masterKey); const masterPasswordHash = await this.cryptoService.hashMasterKey(masterPassword, masterKey);
request.masterPasswordHash = masterPasswordHash; request.masterPasswordHash = masterPasswordHash;
// Get original user key
// Note: We distribute the legacy key, but not all domains actually use it. If any of those
// domains break their legacy support it will break the migration process for legacy users.
const originalUserKey = await this.cryptoService.getUserKeyWithLegacySupport(user.id);
// Add re-encrypted data // Add re-encrypted data
request.privateKey = await this.encryptPrivateKey(newUserKey); request.privateKey = await this.encryptPrivateKey(newUserKey, user.id);
request.ciphers = await this.encryptCiphers(newUserKey);
request.folders = await this.encryptFolders(newUserKey); const rotatedCiphers = await this.cipherService.getRotatedData(
request.sends = await this.sendService.getRotatedKeys(newUserKey); originalUserKey,
request.emergencyAccessKeys = await this.emergencyAccessService.getRotatedKeys(newUserKey);
request.resetPasswordKeys = await this.resetPasswordService.getRotatedKeys(newUserKey);
request.webauthnKeys = await this.webauthnLoginAdminService.rotateWebAuthnKeys(
oldUserKey,
newUserKey, newUserKey,
user.id,
); );
if (rotatedCiphers != null) {
request.ciphers = rotatedCiphers;
}
const rotatedFolders = await this.folderService.getRotatedData(
originalUserKey,
newUserKey,
user.id,
);
if (rotatedFolders != null) {
request.folders = rotatedFolders;
}
const rotatedSends = await this.sendService.getRotatedData(
originalUserKey,
newUserKey,
user.id,
);
if (rotatedSends != null) {
request.sends = rotatedSends;
}
const rotatedEmergencyAccessKeys = await this.emergencyAccessService.getRotatedData(
originalUserKey,
newUserKey,
user.id,
);
if (rotatedEmergencyAccessKeys != null) {
request.emergencyAccessKeys = rotatedEmergencyAccessKeys;
}
// Note: Reset password keys request model has user verification
// properties, but the rotation endpoint uses its own MP hash.
const rotatedResetPasswordKeys = await this.resetPasswordService.getRotatedData(
originalUserKey,
newUserKey,
user.id,
);
if (rotatedResetPasswordKeys != null) {
request.resetPasswordKeys = rotatedResetPasswordKeys;
}
const rotatedWebauthnKeys = await this.webauthnLoginAdminService.getRotatedData(
originalUserKey,
newUserKey,
user.id,
);
if (rotatedWebauthnKeys != null) {
request.webauthnKeys = rotatedWebauthnKeys;
}
await this.apiService.postUserKeyUpdate(request); await this.apiService.postUserKeyUpdate(request);
const activeAccount = await firstValueFrom(this.accountService.activeAccount$); // TODO PM-2199: Add device trust rotation support to the user key rotation endpoint
await this.deviceTrustService.rotateDevicesTrust( await this.deviceTrustService.rotateDevicesTrust(user.id, newUserKey, masterPasswordHash);
activeAccount.id,
newUserKey,
masterPasswordHash,
);
} }
private async encryptPrivateKey(newUserKey: UserKey): Promise<EncryptedString | null> { private async encryptPrivateKey(
const privateKey = await this.cryptoService.getPrivateKey(); newUserKey: UserKey,
userId: UserId,
): Promise<EncryptedString | null> {
const privateKey = await firstValueFrom(
this.cryptoService.userPrivateKeyWithLegacySupport$(userId),
);
if (!privateKey) { if (!privateKey) {
return; throw new Error("No private key found for user key rotation");
} }
return (await this.encryptService.encrypt(privateKey, newUserKey)).encryptedString; return (await this.encryptService.encrypt(privateKey, newUserKey)).encryptedString;
} }
private async encryptCiphers(newUserKey: UserKey): Promise<CipherWithIdRequest[]> {
const ciphers = await this.cipherService.getAllDecrypted();
if (!ciphers) {
// Must return an empty array for backwards compatibility
return [];
}
return await Promise.all(
ciphers.map(async (cipher) => {
const encryptedCipher = await this.cipherService.encrypt(cipher, newUserKey);
return new CipherWithIdRequest(encryptedCipher);
}),
);
}
private async encryptFolders(newUserKey: UserKey): Promise<FolderWithIdRequest[]> {
const folders = await firstValueFrom(this.folderService.folderViews$);
if (!folders) {
// Must return an empty array for backwards compatibility
return [];
}
return await Promise.all(
folders.map(async (folder) => {
const encryptedFolder = await this.folderService.encrypt(folder, newUserKey);
return new FolderWithIdRequest(encryptedFolder);
}),
);
}
} }

View File

@ -1,6 +1,8 @@
import { Component } from "@angular/core"; import { Component } from "@angular/core";
import { FormControl, FormGroup, Validators } from "@angular/forms"; import { FormControl, FormGroup, Validators } from "@angular/forms";
import { firstValueFrom } from "rxjs";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service"; import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@ -25,6 +27,7 @@ export class MigrateFromLegacyEncryptionComponent {
}); });
constructor( constructor(
private accountService: AccountService,
private keyRotationService: UserKeyRotationService, private keyRotationService: UserKeyRotationService,
private i18nService: I18nService, private i18nService: I18nService,
private platformUtilsService: PlatformUtilsService, private platformUtilsService: PlatformUtilsService,
@ -41,7 +44,9 @@ export class MigrateFromLegacyEncryptionComponent {
return; return;
} }
const hasUserKey = await this.cryptoService.hasUserKey(); const activeUser = await firstValueFrom(this.accountService.activeAccount$);
const hasUserKey = await this.cryptoService.hasUserKey(activeUser.id);
if (hasUserKey) { if (hasUserKey) {
this.messagingService.send("logout"); this.messagingService.send("logout");
throw new Error("User key already exists, cannot migrate legacy encryption."); throw new Error("User key already exists, cannot migrate legacy encryption.");
@ -52,7 +57,7 @@ export class MigrateFromLegacyEncryptionComponent {
try { try {
await this.syncService.fullSync(false, true); await this.syncService.fullSync(false, true);
await this.keyRotationService.rotateUserKeyAndEncryptedData(masterPassword); await this.keyRotationService.rotateUserKeyAndEncryptedData(masterPassword, activeUser);
this.platformUtilsService.showToast( this.platformUtilsService.showToast(
"success", "success",

View File

@ -14,7 +14,7 @@
bitButton bitButton
type="button" type="button"
buttonType="primary" buttonType="primary"
class="tw-w-full" class="tw-w-full tw-mb-2"
[bitAction]="convert" [bitAction]="convert"
[block]="true" [block]="true"
> >

View File

@ -4,9 +4,6 @@
<i class="bwi bwi-spinner bwi-spin" title="{{ 'loading' | i18n }}" aria-hidden="true"></i> <i class="bwi bwi-spinner bwi-spin" title="{{ 'loading' | i18n }}" aria-hidden="true"></i>
{{ "loading" | i18n }} {{ "loading" | i18n }}
</div> </div>
<app-callout type="error" *ngIf="error">
{{ error }}
</app-callout>
<p class="tw-text-lg">{{ "pickAnAvatarColor" | i18n }}</p> <p class="tw-text-lg">{{ "pickAnAvatarColor" | i18n }}</p>
<div class="tw-flex tw-flex-wrap tw-justify-center tw-gap-8"> <div class="tw-flex tw-flex-wrap tw-justify-center tw-gap-8">
<ng-container *ngFor="let c of defaultColorPalette"> <ng-container *ngFor="let c of defaultColorPalette">

View File

@ -31,7 +31,6 @@ export class ChangeAvatarDialogComponent implements OnInit, OnDestroy {
@ViewChild("colorPicker") colorPickerElement: ElementRef<HTMLElement>; @ViewChild("colorPicker") colorPickerElement: ElementRef<HTMLElement>;
loading = false; loading = false;
error: string;
defaultColorPalette: NamedAvatarColor[] = [ defaultColorPalette: NamedAvatarColor[] = [
{ name: "brightBlue", color: "#16cbfc" }, { name: "brightBlue", color: "#16cbfc" },
{ name: "green", color: "#94cc4b" }, { name: "green", color: "#94cc4b" },

View File

@ -1,7 +1,7 @@
<form [formGroup]="formGroup" [bitSubmit]="submit"> <form [formGroup]="formGroup" [bitSubmit]="submit">
<app-callout type="warning" *ngIf="showTwoFactorEmailWarning"> <bit-callout type="warning" *ngIf="showTwoFactorEmailWarning">
{{ "changeEmailTwoFactorWarning" | i18n }} {{ "changeEmailTwoFactorWarning" | i18n }}
</app-callout> </bit-callout>
<div class="tw-w-1/2 tw-pr-2" formGroupName="step1"> <div class="tw-w-1/2 tw-pr-2" formGroupName="step1">
<bit-form-field> <bit-form-field>
@ -29,7 +29,7 @@
<ng-container *ngIf="tokenSent"> <ng-container *ngIf="tokenSent">
<hr /> <hr />
<p>{{ "changeEmailDesc" | i18n: formGroup.controls.step1.value.newEmail }}</p> <p>{{ "changeEmailDesc" | i18n: formGroup.controls.step1.value.newEmail }}</p>
<app-callout type="warning">{{ "loggedOutWarning" | i18n }}</app-callout> <bit-callout type="warning">{{ "loggedOutWarning" | i18n }}</bit-callout>
<div class="tw-w-1/2 tw-pr-2"> <div class="tw-w-1/2 tw-pr-2">
<bit-form-field> <bit-form-field>

View File

@ -20,7 +20,7 @@
</div> </div>
<div class="modal-body"> <div class="modal-body">
<p>{{ "deauthorizeSessionsDesc" | i18n }}</p> <p>{{ "deauthorizeSessionsDesc" | i18n }}</p>
<app-callout type="warning">{{ "deauthorizeSessionsWarning" | i18n }}</app-callout> <bit-callout type="warning">{{ "deauthorizeSessionsWarning" | i18n }}</bit-callout>
<app-user-verification [(ngModel)]="masterPassword" ngDefaultControl name="secret"> <app-user-verification [(ngModel)]="masterPassword" ngDefaultControl name="secret">
</app-user-verification> </app-user-verification>
</div> </div>

View File

@ -2,7 +2,7 @@
<bit-dialog dialogSize="default" [title]="'deleteAccount' | i18n"> <bit-dialog dialogSize="default" [title]="'deleteAccount' | i18n">
<ng-container bitDialogContent> <ng-container bitDialogContent>
<p bitTypography="body1">{{ "deleteAccountDesc" | i18n }}</p> <p bitTypography="body1">{{ "deleteAccountDesc" | i18n }}</p>
<app-callout type="warning">{{ "deleteAccountWarning" | i18n }}</app-callout> <bit-callout type="warning">{{ "deleteAccountWarning" | i18n }}</bit-callout>
<app-user-verification-form-input <app-user-verification-form-input
formControlName="verification" formControlName="verification"
name="verification" name="verification"

View File

@ -220,6 +220,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
} }
private async updateKey() { private async updateKey() {
await this.keyRotationService.rotateUserKeyAndEncryptedData(this.masterPassword); const user = await firstValueFrom(this.accountService.activeAccount$);
await this.keyRotationService.rotateUserKeyAndEncryptedData(this.masterPassword, user);
} }
} }

View File

@ -5,7 +5,7 @@
<small class="tw-text-muted" *ngIf="params.name">{{ params.name }}</small> <small class="tw-text-muted" *ngIf="params.name">{{ params.name }}</small>
</span> </span>
<div bitDialogContent> <div bitDialogContent>
<app-callout type="warning">{{ "loggedOutWarning" | i18n }}</app-callout> <bit-callout type="warning">{{ "loggedOutWarning" | i18n }}</bit-callout>
<auth-password-callout [policy]="enforcedPolicyOptions" *ngIf="enforcedPolicyOptions"> <auth-password-callout [policy]="enforcedPolicyOptions" *ngIf="enforcedPolicyOptions">
</auth-password-callout> </auth-password-callout>
<div class="tw-w-full tw-flex tw-gap-4"> <div class="tw-w-full tw-flex tw-gap-4">

View File

@ -5,11 +5,11 @@
<p bitTypography="body1">{{ data.apiKeyDescription | i18n }}</p> <p bitTypography="body1">{{ data.apiKeyDescription | i18n }}</p>
<app-user-verification-form-input formControlName="masterPassword" *ngIf="!clientSecret"> <app-user-verification-form-input formControlName="masterPassword" *ngIf="!clientSecret">
</app-user-verification-form-input> </app-user-verification-form-input>
<app-callout type="warning" *ngIf="clientSecret">{{ data.apiKeyWarning | i18n }}</app-callout> <bit-callout type="warning" *ngIf="clientSecret">{{ data.apiKeyWarning | i18n }}</bit-callout>
<app-callout <bit-callout
type="info" type="info"
title="{{ 'oauth2ClientCredentials' | i18n }}" title="{{ 'oauth2ClientCredentials' | i18n }}"
icon="bwi bwi-key" icon="bwi-key"
*ngIf="clientSecret" *ngIf="clientSecret"
> >
<p bitTypography="body1" class="tw-mb-1"> <p bitTypography="body1" class="tw-mb-1">
@ -28,7 +28,7 @@
<strong>grant_type:</strong><br /> <strong>grant_type:</strong><br />
<code>{{ data.grantType }}</code> <code>{{ data.grantType }}</code>
</p> </p>
</app-callout> </bit-callout>
</div> </div>
<div bitDialogFooter> <div bitDialogFooter>
<button type="submit" buttonType="primary" *ngIf="!clientSecret" bitButton bitFormButton> <button type="submit" buttonType="primary" *ngIf="!clientSecret" bitButton bitFormButton>

View File

@ -1,7 +1,7 @@
<form *ngIf="authed" [formGroup]="formGroup" [bitSubmit]="submit"> <form *ngIf="authed" [formGroup]="formGroup" [bitSubmit]="submit">
<bit-dialog dialogSize="default"> <bit-dialog dialogSize="default">
<span bitDialogTitle <span bitDialogTitle>
>{{ "twoStepLogin" | i18n }} {{ "twoStepLogin" | i18n }}
<span bitTypography="body1">{{ "authenticatorAppTitle" | i18n }}</span> <span bitTypography="body1">{{ "authenticatorAppTitle" | i18n }}</span>
</span> </span>
<ng-container bitDialogContent> <ng-container bitDialogContent>
@ -13,10 +13,10 @@
</p> </p>
</ng-container> </ng-container>
<ng-container *ngIf="enabled"> <ng-container *ngIf="enabled">
<app-callout type="success" title="{{ 'enabled' | i18n }}" icon="bwi bwi-check-circle"> <bit-callout type="success" title="{{ 'enabled' | i18n }}" icon="bwi-check-circle">
<p bitTypography="body1">{{ "twoStepLoginProviderEnabled" | i18n }}</p> <p bitTypography="body1">{{ "twoStepLoginProviderEnabled" | i18n }}</p>
{{ "twoStepAuthenticatorReaddDesc" | i18n }} {{ "twoStepAuthenticatorReaddDesc" | i18n }}
</app-callout> </bit-callout>
<img class="float-right mfaType0" alt="Authenticator app logo" /> <img class="float-right mfaType0" alt="Authenticator app logo" />
<p bitTypography="body1">{{ "twoStepAuthenticatorNeedApp" | i18n }}</p> <p bitTypography="body1">{{ "twoStepAuthenticatorNeedApp" | i18n }}</p>
</ng-container> </ng-container>

View File

@ -6,9 +6,9 @@
</span> </span>
<ng-container bitDialogContent> <ng-container bitDialogContent>
<ng-container *ngIf="enabled"> <ng-container *ngIf="enabled">
<app-callout type="success" title="{{ 'enabled' | i18n }}" icon="bwi bwi-check-circle"> <bit-callout type="success" title="{{ 'enabled' | i18n }}" icon="bwi-check-circle">
{{ "twoStepLoginProviderEnabled" | i18n }} {{ "twoStepLoginProviderEnabled" | i18n }}
</app-callout> </bit-callout>
<strong>{{ "email" | i18n }}:</strong> {{ email }} <strong>{{ "email" | i18n }}:</strong> {{ email }}
</ng-container> </ng-container>
<ng-container *ngIf="!enabled"> <ng-container *ngIf="!enabled">

View File

@ -455,7 +455,9 @@
</ng-container> </ng-container>
</bit-section> </bit-section>
<bit-section *ngIf="singleOrgPolicyBlock"> <bit-section *ngIf="singleOrgPolicyBlock">
<app-callout [type]="'error'">{{ "singleOrgBlockCreateMessage" | i18n }}</app-callout> <bit-callout type="danger" [title]="'error' | i18n">
{{ "singleOrgBlockCreateMessage" | i18n }}
</bit-callout>
</bit-section> </bit-section>
<bit-section> <bit-section>
<button <button

View File

@ -63,9 +63,9 @@
</div> </div>
</ng-container> </ng-container>
<ng-container *ngIf="showMethods && method === paymentMethodType.BankAccount"> <ng-container *ngIf="showMethods && method === paymentMethodType.BankAccount">
<app-callout type="warning" title="{{ 'verifyBankAccount' | i18n }}"> <bit-callout type="warning" title="{{ 'verifyBankAccount' | i18n }}">
{{ "verifyBankAccountInitialDesc" | i18n }} {{ "verifyBankAccountFailureWarning" | i18n }} {{ "verifyBankAccountInitialDesc" | i18n }} {{ "verifyBankAccountFailureWarning" | i18n }}
</app-callout> </bit-callout>
<div class="tw-grid tw-grid-cols-12 tw-gap-4" formGroupName="bank"> <div class="tw-grid tw-grid-cols-12 tw-gap-4" formGroupName="bank">
<bit-form-field class="tw-col-span-6"> <bit-form-field class="tw-col-span-6">
<bit-label>{{ "routingNumber" | i18n }}</bit-label> <bit-label>{{ "routingNumber" | i18n }}</bit-label>
@ -106,8 +106,8 @@
</div> </div>
</ng-container> </ng-container>
<ng-container *ngIf="showMethods && method === paymentMethodType.Credit"> <ng-container *ngIf="showMethods && method === paymentMethodType.Credit">
<app-callout type="note"> <bit-callout>
{{ "makeSureEnoughCredit" | i18n }} {{ "makeSureEnoughCredit" | i18n }}
</app-callout> </bit-callout>
</ng-container> </ng-container>
</div> </div>

View File

@ -3,7 +3,7 @@
<bit-container> <bit-container>
<p bitTypography="body1">{{ "preferencesDesc" | i18n }}</p> <p bitTypography="body1">{{ "preferencesDesc" | i18n }}</p>
<form [formGroup]="form" [bitSubmit]="submit" class="tw-w-1/2"> <form [formGroup]="form" [bitSubmit]="submit" class="tw-w-1/2">
<app-callout type="info" *ngIf="vaultTimeoutPolicyCallout | async as policy"> <bit-callout type="info" *ngIf="vaultTimeoutPolicyCallout | async as policy">
<span *ngIf="policy.timeout && policy.action"> <span *ngIf="policy.timeout && policy.action">
{{ {{
"vaultTimeoutPolicyWithActionInEffect" "vaultTimeoutPolicyWithActionInEffect"
@ -16,7 +16,7 @@
<span *ngIf="!policy.timeout && policy.action"> <span *ngIf="!policy.timeout && policy.action">
{{ "vaultTimeoutActionPolicyInEffect" | i18n: (policy.action | i18n) }} {{ "vaultTimeoutActionPolicyInEffect" | i18n: (policy.action | i18n) }}
</span> </span>
</app-callout> </bit-callout>
<app-vault-timeout-input <app-vault-timeout-input
[vaultTimeoutOptions]="vaultTimeoutOptions" [vaultTimeoutOptions]="vaultTimeoutOptions"
[formControl]="form.controls.vaultTimeout" [formControl]="form.controls.vaultTimeout"

View File

@ -20,9 +20,9 @@
</button> </button>
</div> </div>
<div class="modal-body" *ngIf="cipher"> <div class="modal-body" *ngIf="cipher">
<app-callout type="info" *ngIf="allowOwnershipAssignment() && !allowPersonal"> <bit-callout type="info" *ngIf="allowOwnershipAssignment() && !allowPersonal">
{{ "personalOwnershipPolicyInEffect" | i18n }} {{ "personalOwnershipPolicyInEffect" | i18n }}
</app-callout> </bit-callout>
<div class="row" *ngIf="!editMode && !viewOnly"> <div class="row" *ngIf="!editMode && !viewOnly">
<div class="col-6 form-group"> <div class="col-6 form-group">
<label for="type">{{ "whatTypeOfItem" | i18n }}</label> <label for="type">{{ "whatTypeOfItem" | i18n }}</label>

View File

@ -94,6 +94,7 @@ export class AddEditComponent extends BaseAddEditComponent implements OnInit, On
async ngOnInit() { async ngOnInit() {
await super.ngOnInit(); await super.ngOnInit();
await this.load(); await this.load();
this.viewOnly = !this.cipher.edit && this.editMode;
// remove when all the title for all clients are updated to New Item // remove when all the title for all clients are updated to New Item
if (this.cloneMode || !this.editMode) { if (this.cloneMode || !this.editMode) {
this.title = this.i18nService.t("newItem"); this.title = this.i18nService.t("newItem");

View File

@ -33,9 +33,9 @@
</div> </div>
</div> </div>
<div class="tw-basis-3/4 tw-max-w-3/4 tw-px-2.5"> <div class="tw-basis-3/4 tw-max-w-3/4 tw-px-2.5">
<app-callout type="warning" *ngIf="activeFilter.isDeleted" icon="bwi-exclamation-triangle"> <bit-callout type="warning" *ngIf="activeFilter.isDeleted">
{{ trashCleanupWarning }} {{ trashCleanupWarning }}
</app-callout> </bit-callout>
<app-vault-items <app-vault-items
[ciphers]="ciphers" [ciphers]="ciphers"
[collections]="collections" [collections]="collections"

View File

@ -41,9 +41,9 @@
{{ "addAccess" | i18n }} {{ "addAccess" | i18n }}
</bit-toggle> </bit-toggle>
</bit-toggle-group> </bit-toggle-group>
<app-callout type="warning" *ngIf="activeFilter.isDeleted" icon="bwi bwi-exclamation-triangle"> <bit-callout type="warning" *ngIf="activeFilter.isDeleted">
{{ trashCleanupWarning }} {{ trashCleanupWarning }}
</app-callout> </bit-callout>
<app-vault-items <app-vault-items
[ciphers]="ciphers" [ciphers]="ciphers"
[collections]="collections" [collections]="collections"

View File

@ -4,7 +4,7 @@
<p bitTypography="body1"> <p bitTypography="body1">
{{ (organizationId ? "purgeOrgVaultDesc" : "purgeVaultDesc") | i18n }} {{ (organizationId ? "purgeOrgVaultDesc" : "purgeVaultDesc") | i18n }}
</p> </p>
<app-callout type="warning">{{ "purgeVaultWarning" | i18n }}</app-callout> <bit-callout type="warning">{{ "purgeVaultWarning" | i18n }}</bit-callout>
<app-user-verification formControlName="masterPassword"></app-user-verification> <app-user-verification formControlName="masterPassword"></app-user-verification>
</ng-container> </ng-container>
<ng-container bitDialogFooter> <ng-container bitDialogFooter>

View File

@ -8429,5 +8429,23 @@
}, },
"providerReinstate":{ "providerReinstate":{
"message": " Contact Customer Support to reinstate your subscription." "message": " Contact Customer Support to reinstate your subscription."
},
"secretPeopleDescription": {
"message": "Grant groups or people access to this secret. Permissions set for people will override permissions set by groups."
},
"secretPeopleEmptyMessage": {
"message": "Add people or groups to share access to this secret"
},
"secretMachineAccountsDescription": {
"message": "Grant machine accounts access to this secret."
},
"secretMachineAccountsEmptyMessage": {
"message": "Add machine accounts to grant access to this secret"
},
"smAccessRemovalWarningSecretTitle": {
"message": "Remove access to this secret"
},
"smAccessRemovalSecretMessage": {
"message": "This action will remove your access to this secret."
} }
} }

View File

@ -14,7 +14,9 @@
"@bitwarden/components": ["../../libs/components/src"], "@bitwarden/components": ["../../libs/components/src"],
"@bitwarden/generator-components": ["../../libs/tools/generator/components/src"], "@bitwarden/generator-components": ["../../libs/tools/generator/components/src"],
"@bitwarden/generator-core": ["../../libs/tools/generator/core/src"], "@bitwarden/generator-core": ["../../libs/tools/generator/core/src"],
"@bitwarden/generator-extensions": ["../../libs/tools/generator/extensions/src"], "@bitwarden/generator-history": ["../../libs/tools/generator/extensions/history/src"],
"@bitwarden/generator-legacy": ["../../libs/tools/generator/extensions/legacy/src"],
"@bitwarden/generator-navigation": ["../../libs/tools/generator/extensions/navigation/src"],
"@bitwarden/vault-export-core": [ "@bitwarden/vault-export-core": [
"../../libs/tools/export/vault-export/vault-export-core/src" "../../libs/tools/export/vault-export/vault-export-core/src"
], ],

View File

@ -13,7 +13,9 @@
"@bitwarden/components": ["../../libs/components/src"], "@bitwarden/components": ["../../libs/components/src"],
"@bitwarden/generator-components": ["../../libs/tools/generator/components/src"], "@bitwarden/generator-components": ["../../libs/tools/generator/components/src"],
"@bitwarden/generator-core": ["../../libs/tools/generator/core/src"], "@bitwarden/generator-core": ["../../libs/tools/generator/core/src"],
"@bitwarden/generator-extensions": ["../../libs/tools/generator/extensions/src"], "@bitwarden/generator-history": ["../../libs/tools/generator/extensions/history/src"],
"@bitwarden/generator-legacy": ["../../libs/tools/generator/extensions/legacy/src"],
"@bitwarden/generator-navigation": ["../../libs/tools/generator/extensions/navigation/src"],
"@bitwarden/vault-export-core": [ "@bitwarden/vault-export-core": [
"../../libs/tools/export/vault-export/vault-export-core/src" "../../libs/tools/export/vault-export/vault-export-core/src"
], ],

View File

@ -1,9 +1,9 @@
<app-callout type="warning"> <bit-callout type="warning">
{{ "experimentalFeature" | i18n }} {{ "experimentalFeature" | i18n }}
<a href="https://bitwarden.com/help/auto-fill-browser/" target="_blank" rel="noreferrer">{{ <a href="https://bitwarden.com/help/auto-fill-browser/" target="_blank" rel="noreferrer">{{
"learnMoreAboutAutofill" | i18n "learnMoreAboutAutofill" | i18n
}}</a> }}</a>
</app-callout> </bit-callout>
<bit-form-control> <bit-form-control>
<input type="checkbox" id="enabled" bitCheckbox [formControl]="enabled" /> <input type="checkbox" id="enabled" bitCheckbox [formControl]="enabled" />

View File

@ -1,6 +1,6 @@
<app-callout type="tip" title="{{ 'prerequisite' | i18n }}"> <bit-callout title="{{ 'prerequisite' | i18n }}">
{{ "requireSsoPolicyReq" | i18n }} {{ "requireSsoPolicyReq" | i18n }}
</app-callout> </bit-callout>
<bit-form-control> <bit-form-control>
<input type="checkbox" id="enabled" bitCheckbox [formControl]="enabled" /> <input type="checkbox" id="enabled" bitCheckbox [formControl]="enabled" />

View File

@ -106,9 +106,9 @@
showKeyConnectorOptions showKeyConnectorOptions
" "
> >
<app-callout type="warning" [useAlertRole]="true"> <bit-callout type="warning" [useAlertRole]="true">
{{ "keyConnectorWarning" | i18n }} {{ "keyConnectorWarning" | i18n }}
</app-callout> </bit-callout>
<bit-form-field> <bit-form-field>
<bit-label>{{ "keyConnectorUrl" | i18n }}</bit-label> <bit-label>{{ "keyConnectorUrl" | i18n }}</bit-label>

View File

@ -1,16 +1,17 @@
<form [formGroup]="formGroup" [bitSubmit]="submit"> <form [formGroup]="formGroup" [bitSubmit]="submit">
<bit-dialog dialogSize="large"> <bit-dialog
<ng-container bitDialogTitle>{{ title | i18n }}</ng-container> dialogSize="large"
<div bitDialogContent class="tw-relative"> [disablePadding]="true"
<div [loading]="loading"
*ngIf="showSpinner" [title]="title | i18n"
class="tw-absolute tw-flex tw-h-full tw-w-full tw-items-center tw-justify-center tw-bg-text-contrast" [subtitle]="subtitle"
> >
<i class="bwi bwi-spinner bwi-spin bwi-3x"></i> <div bitDialogContent class="tw-relative">
</div> <bit-tab-group [(selectedIndex)]="tabIndex">
<bit-tab label="{{ 'nameValuePair' | i18n }}">
<div class="tw-flex tw-gap-4 tw-pt-4"> <div class="tw-flex tw-gap-4 tw-pt-4">
<bit-form-field class="tw-w-1/3"> <bit-form-field class="tw-w-1/3">
<bit-label for="secret-name">{{ "name" | i18n }}</bit-label> <bit-label>{{ "name" | i18n }}</bit-label>
<input appAutofocus formControlName="name" bitInput /> <input appAutofocus formControlName="name" bitInput />
</bit-form-field> </bit-form-field>
<bit-form-field class="tw-w-full"> <bit-form-field class="tw-w-full">
@ -43,29 +44,59 @@
<bit-label>{{ "projectName" | i18n }}</bit-label> <bit-label>{{ "projectName" | i18n }}</bit-label>
<input formControlName="newProjectName" bitInput /> <input formControlName="newProjectName" bitInput />
</bit-form-field> </bit-form-field>
</bit-tab>
<bit-tab label="{{ 'people' | i18n }}">
<p>
{{ "secretPeopleDescription" | i18n }}
</p>
<sm-access-policy-selector
formControlName="peopleAccessPolicies"
[addButtonMode]="false"
[items]="peopleAccessPolicyItems"
[label]="'people' | i18n"
[hint]="'projectPeopleSelectHint' | i18n"
[columnTitle]="'name' | i18n"
[emptyMessage]="'secretPeopleEmptyMessage' | i18n"
>
</sm-access-policy-selector>
</bit-tab>
<bit-tab label="{{ 'machineAccounts' | i18n }}">
<p>
{{ "secretMachineAccountsDescription" | i18n }}
</p>
<sm-access-policy-selector
formControlName="serviceAccountAccessPolicies"
[addButtonMode]="false"
[items]="serviceAccountAccessPolicyItems"
[label]="'machineAccounts' | i18n"
[hint]="'projectMachineAccountsSelectHint' | i18n"
[columnTitle]="'machineAccounts' | i18n"
[emptyMessage]="'secretMachineAccountsEmptyMessage' | i18n"
>
</sm-access-policy-selector>
</bit-tab>
</bit-tab-group>
</div> </div>
<ng-container bitDialogFooter> <ng-container bitDialogFooter>
<button type="submit" bitButton buttonType="primary" bitFormButton> <button [loading]="loading" type="submit" bitButton buttonType="primary" bitFormButton>
{{ "save" | i18n }} {{ "save" | i18n }}
</button> </button>
<button <button bitButton buttonType="secondary" type="button" bitDialogClose>
type="button"
bitButton
buttonType="secondary"
bitFormButton
bitDialogClose
[disabled]="false"
>
{{ "cancel" | i18n }} {{ "cancel" | i18n }}
</button> </button>
<button <button
*ngIf="deleteButtonIsVisible" *ngIf="deleteButtonIsVisible"
class="tw-ml-auto" class="tw-ml-auto"
[disabled]="loading"
type="button" type="button"
bitIconButton="bwi-trash"
buttonType="danger" buttonType="danger"
bitIconButton="bwi-trash"
bitFormButton bitFormButton
(click)="openDeleteSecretDialog()" [appA11yTitle]="'delete' | i18n"
[bitAction]="delete"
></button> ></button>
</ng-container> </ng-container>
</bit-dialog> </bit-dialog>

View File

@ -1,5 +1,5 @@
import { DialogRef, DIALOG_DATA } from "@angular/cdk/dialog"; import { DialogRef, DIALOG_DATA } from "@angular/cdk/dialog";
import { Component, Inject, OnInit } from "@angular/core"; import { ChangeDetectorRef, Component, Inject, OnInit } from "@angular/core";
import { FormControl, FormGroup, Validators } from "@angular/forms"; import { FormControl, FormGroup, Validators } from "@angular/forms";
import { lastValueFrom, Subject, takeUntil } from "rxjs"; import { lastValueFrom, Subject, takeUntil } from "rxjs";
@ -9,12 +9,25 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
import { Utils } from "@bitwarden/common/platform/misc/utils"; import { Utils } from "@bitwarden/common/platform/misc/utils";
import { DialogService, BitValidators } from "@bitwarden/components"; import { DialogService, BitValidators } from "@bitwarden/components";
import { SecretAccessPoliciesView } from "../../models/view/access-policies/secret-access-policies.view";
import { ProjectListView } from "../../models/view/project-list.view"; import { ProjectListView } from "../../models/view/project-list.view";
import { ProjectView } from "../../models/view/project.view"; import { ProjectView } from "../../models/view/project.view";
import { SecretListView } from "../../models/view/secret-list.view"; import { SecretListView } from "../../models/view/secret-list.view";
import { SecretProjectView } from "../../models/view/secret-project.view"; import { SecretProjectView } from "../../models/view/secret-project.view";
import { SecretView } from "../../models/view/secret.view"; import { SecretView } from "../../models/view/secret.view";
import { ProjectService } from "../../projects/project.service"; import { ProjectService } from "../../projects/project.service";
import { AccessPolicySelectorService } from "../../shared/access-policies/access-policy-selector/access-policy-selector.service";
import {
ApItemValueType,
convertToSecretAccessPoliciesView,
} from "../../shared/access-policies/access-policy-selector/models/ap-item-value.type";
import {
ApItemViewType,
convertPotentialGranteesToApItemViewType,
convertSecretAccessPoliciesToApItemViews,
} from "../../shared/access-policies/access-policy-selector/models/ap-item-view.type";
import { ApItemEnum } from "../../shared/access-policies/access-policy-selector/models/enums/ap-item.enum";
import { AccessPolicyService } from "../../shared/access-policies/access-policy.service";
import { SecretService } from "../secret.service"; import { SecretService } from "../secret.service";
import { SecretDeleteDialogComponent, SecretDeleteOperation } from "./secret-delete.component"; import { SecretDeleteDialogComponent, SecretDeleteOperation } from "./secret-delete.component";
@ -24,6 +37,12 @@ export enum OperationType {
Edit, Edit,
} }
export enum SecretDialogTabType {
NameValuePair = 0,
People = 1,
ServiceAccounts = 2,
}
export interface SecretOperation { export interface SecretOperation {
organizationId: string; organizationId: string;
operation: OperationType; operation: OperationType;
@ -36,6 +55,12 @@ export interface SecretOperation {
templateUrl: "./secret-dialog.component.html", templateUrl: "./secret-dialog.component.html",
}) })
export class SecretDialogComponent implements OnInit { export class SecretDialogComponent implements OnInit {
loading = true;
projects: ProjectListView[];
addNewProject = false;
newProjectGuid = Utils.newGuid();
tabIndex: SecretDialogTabType = SecretDialogTabType.NameValuePair;
protected formGroup = new FormGroup({ protected formGroup = new FormGroup({
name: new FormControl("", { name: new FormControl("", {
validators: [Validators.required, Validators.maxLength(500), BitValidators.trimValidator], validators: [Validators.required, Validators.maxLength(500), BitValidators.trimValidator],
@ -51,77 +76,60 @@ export class SecretDialogComponent implements OnInit {
validators: [Validators.maxLength(500), BitValidators.trimValidator], validators: [Validators.maxLength(500), BitValidators.trimValidator],
updateOn: "submit", updateOn: "submit",
}), }),
peopleAccessPolicies: new FormControl([] as ApItemValueType[]),
serviceAccountAccessPolicies: new FormControl([] as ApItemValueType[]),
}); });
protected peopleAccessPolicyItems: ApItemViewType[];
protected serviceAccountAccessPolicyItems: ApItemViewType[];
private destroy$ = new Subject<void>(); private destroy$ = new Subject<void>();
private loading = true; private currentPeopleAccessPolicies: ApItemViewType[];
projects: ProjectListView[];
addNewProject = false;
newProjectGuid = Utils.newGuid();
constructor( constructor(
public dialogRef: DialogRef, public dialogRef: DialogRef,
@Inject(DIALOG_DATA) private data: SecretOperation, @Inject(DIALOG_DATA) private data: SecretOperation,
private secretService: SecretService, private secretService: SecretService,
private changeDetectorRef: ChangeDetectorRef,
private i18nService: I18nService, private i18nService: I18nService,
private platformUtilsService: PlatformUtilsService, private platformUtilsService: PlatformUtilsService,
private projectService: ProjectService, private projectService: ProjectService,
private dialogService: DialogService, private dialogService: DialogService,
private organizationService: OrganizationService, private organizationService: OrganizationService,
private accessPolicyService: AccessPolicyService,
private accessPolicySelectorService: AccessPolicySelectorService,
) {} ) {}
get title() {
return this.data.operation === OperationType.Add ? "newSecret" : "editSecret";
}
get subtitle(): string | undefined {
if (this.data.operation === OperationType.Edit) {
return this.formGroup.get("name").value;
}
}
get deleteButtonIsVisible(): boolean {
return this.data.operation === OperationType.Edit;
}
async ngOnInit() { async ngOnInit() {
this.loading = true;
if (this.data.operation === OperationType.Edit && this.data.secretId) { if (this.data.operation === OperationType.Edit && this.data.secretId) {
await this.loadData(); await this.loadEditDialog();
} else if (this.data.operation !== OperationType.Add) { } else if (this.data.operation !== OperationType.Add) {
this.dialogRef.close(); this.dialogRef.close();
throw new Error(`The secret dialog was not called with the appropriate operation values.`); throw new Error(`The secret dialog was not called with the appropriate operation values.`);
} else if (this.data.operation == OperationType.Add) { } else if (this.data.operation === OperationType.Add) {
await this.loadProjects(true); await this.loadAddDialog();
if (this.data.projectId == null || this.data.projectId == "") {
this.addNewProjectOptionToProjectsDropDown();
}
}
if (this.data.projectId) {
this.formGroup.get("project").setValue(this.data.projectId);
} }
if ((await this.organizationService.get(this.data.organizationId))?.isAdmin) { if ((await this.organizationService.get(this.data.organizationId))?.isAdmin) {
this.formGroup.get("project").removeValidators(Validators.required); this.formGroup.get("project").removeValidators(Validators.required);
this.formGroup.get("project").updateValueAndValidity(); this.formGroup.get("project").updateValueAndValidity();
} }
}
async loadData() {
this.formGroup.disable();
const secret: SecretView = await this.secretService.getBySecretId(this.data.secretId);
await this.loadProjects(secret.write);
this.formGroup.setValue({
name: secret.name,
value: secret.value,
notes: secret.note,
project: secret.projects[0]?.id ?? "",
newProjectName: "",
});
this.loading = false; this.loading = false;
if (secret.write) {
this.formGroup.enable();
}
}
async loadProjects(filterByPermission: boolean) {
this.projects = await this.projectService
.getProjects(this.data.organizationId)
.then((projects) => projects.sort((a, b) => a.name.localeCompare(b.name)));
if (filterByPermission) {
this.projects = this.projects.filter((p) => p.write);
}
} }
ngOnDestroy(): void { ngOnDestroy(): void {
@ -129,6 +137,152 @@ export class SecretDialogComponent implements OnInit {
this.destroy$.complete(); this.destroy$.complete();
} }
submit = async () => {
if (!this.data.organizationEnabled) {
this.platformUtilsService.showToast("error", null, this.i18nService.t("secretsCannotCreate"));
return;
}
if (this.isFormInvalid()) {
return;
}
const secretView = this.getSecretView();
const secretAccessPoliciesView = convertToSecretAccessPoliciesView([
...this.formGroup.value.peopleAccessPolicies,
...this.formGroup.value.serviceAccountAccessPolicies,
]);
const showAccessRemovalWarning =
this.data.operation === OperationType.Edit &&
(await this.accessPolicySelectorService.showSecretAccessRemovalWarning(
this.data.organizationId,
this.currentPeopleAccessPolicies,
this.formGroup.value.peopleAccessPolicies,
));
if (showAccessRemovalWarning) {
const confirmed = await this.showWarning();
if (!confirmed) {
return;
}
}
if (this.addNewProject) {
const newProject = await this.createProject(this.getNewProjectView());
secretView.projects = [newProject];
}
if (this.data.operation === OperationType.Add) {
await this.createSecret(secretView, secretAccessPoliciesView);
} else {
secretView.id = this.data.secretId;
await this.updateSecret(secretView, secretAccessPoliciesView);
}
this.dialogRef.close();
};
delete = async () => {
const secretListView: SecretListView[] = this.getSecretListView();
const dialogRef = this.dialogService.open<unknown, SecretDeleteOperation>(
SecretDeleteDialogComponent,
{
data: {
secrets: secretListView,
},
},
);
await lastValueFrom(dialogRef.closed).then(
(closeData) => closeData !== undefined && this.dialogRef.close(),
);
};
private async loadEditDialog() {
const secret = await this.secretService.getBySecretId(this.data.secretId);
await this.loadProjects(secret.projects);
const currentAccessPolicies = await this.getCurrentAccessPolicies(
this.data.organizationId,
this.data.secretId,
);
this.currentPeopleAccessPolicies = currentAccessPolicies.filter(
(p) => p.type === ApItemEnum.User || p.type === ApItemEnum.Group,
);
const currentServiceAccountPolicies = currentAccessPolicies.filter(
(p) => p.type === ApItemEnum.ServiceAccount,
);
this.peopleAccessPolicyItems = await this.getPeoplePotentialGrantees(this.data.organizationId);
this.serviceAccountAccessPolicyItems = await this.getServiceAccountItems(
this.data.organizationId,
currentServiceAccountPolicies,
);
// Must detect changes so that AccessSelector @Inputs() are aware of the latest
// potentialGrantees, otherwise no selected values will be patched below
this.changeDetectorRef.detectChanges();
this.formGroup.patchValue({
name: secret.name,
value: secret.value,
notes: secret.note,
project: secret.projects[0]?.id ?? "",
newProjectName: "",
peopleAccessPolicies: this.currentPeopleAccessPolicies.map((m) => ({
type: m.type,
id: m.id,
permission: m.permission,
currentUser: m.type === ApItemEnum.User ? m.currentUser : null,
currentUserInGroup: m.type === ApItemEnum.Group ? m.currentUserInGroup : null,
})),
serviceAccountAccessPolicies: currentServiceAccountPolicies.map((m) => ({
type: m.type,
id: m.id,
permission: m.permission,
})),
});
}
private async loadAddDialog() {
await this.loadProjects();
this.peopleAccessPolicyItems = await this.getPeoplePotentialGrantees(this.data.organizationId);
this.serviceAccountAccessPolicyItems = await this.getServiceAccountItems(
this.data.organizationId,
);
if (
this.data.projectId === null ||
this.data.projectId === "" ||
this.data.projectId === undefined
) {
this.addNewProjectOptionToProjectsDropDown();
}
if (this.data.projectId) {
this.formGroup.get("project").setValue(this.data.projectId);
}
}
private async loadProjects(currentProjects?: SecretProjectView[]) {
this.projects = await this.projectService
.getProjects(this.data.organizationId)
.then((projects) => projects.filter((p) => p.write));
if (currentProjects?.length > 0) {
const currentProject = currentProjects?.[0];
if (this.projects.find((p) => p.id === currentProject.id) === undefined) {
const listView = new ProjectListView();
listView.id = currentProject.id;
listView.name = currentProject.name;
this.projects.push(listView);
}
}
this.projects = this.projects.sort((a, b) => a.name.localeCompare(b.name));
}
private addNewProjectOptionToProjectsDropDown() { private addNewProjectOptionToProjectsDropDown() {
this.formGroup this.formGroup
.get("project") .get("project")
@ -155,70 +309,15 @@ export class SecretDialogComponent implements OnInit {
this.formGroup.get("newProjectName").updateValueAndValidity(); this.formGroup.get("newProjectName").updateValueAndValidity();
} }
get title() {
return this.data.operation === OperationType.Add ? "newSecret" : "editSecret";
}
get showSpinner() {
return this.data.operation === OperationType.Edit && this.loading;
}
submit = async () => {
if (!this.data.organizationEnabled) {
this.platformUtilsService.showToast("error", null, this.i18nService.t("secretsCannotCreate"));
return;
}
this.formGroup.markAllAsTouched();
if (this.formGroup.invalid) {
return;
}
const secretView = this.getSecretView();
if (this.addNewProject) {
const newProject = await this.createProject(this.getNewProjectView());
secretView.projects = [newProject];
}
if (this.data.operation === OperationType.Add) {
await this.createSecret(secretView);
} else {
secretView.id = this.data.secretId;
await this.updateSecret(secretView);
}
this.dialogRef.close();
};
get deleteButtonIsVisible(): boolean {
return this.data.operation === OperationType.Edit;
}
private async createProject(projectView: ProjectView) { private async createProject(projectView: ProjectView) {
return await this.projectService.create(this.data.organizationId, projectView); return await this.projectService.create(this.data.organizationId, projectView);
} }
protected async openDeleteSecretDialog() { private async createSecret(
const secretListView: SecretListView[] = this.getSecretListView(); secretView: SecretView,
secretAccessPoliciesView: SecretAccessPoliciesView,
const dialogRef = this.dialogService.open<unknown, SecretDeleteOperation>( ) {
SecretDeleteDialogComponent, await this.secretService.create(this.data.organizationId, secretView, secretAccessPoliciesView);
{
data: {
secrets: secretListView,
},
},
);
// If the secret is deleted, chain close this dialog after the delete dialog
await lastValueFrom(dialogRef.closed).then(
(closeData) => closeData !== undefined && this.dialogRef.close(),
);
}
private async createSecret(secretView: SecretView) {
await this.secretService.create(this.data.organizationId, secretView);
this.platformUtilsService.showToast("success", null, this.i18nService.t("secretCreated")); this.platformUtilsService.showToast("success", null, this.i18nService.t("secretCreated"));
} }
@ -229,8 +328,11 @@ export class SecretDialogComponent implements OnInit {
return projectView; return projectView;
} }
private async updateSecret(secretView: SecretView) { private async updateSecret(
await this.secretService.update(this.data.organizationId, secretView); secretView: SecretView,
secretAccessPoliciesView: SecretAccessPoliciesView,
) {
await this.secretService.update(this.data.organizationId, secretView, secretAccessPoliciesView);
this.platformUtilsService.showToast("success", null, this.i18nService.t("secretEdited")); this.platformUtilsService.showToast("success", null, this.i18nService.t("secretEdited"));
} }
@ -265,4 +367,63 @@ export class SecretDialogComponent implements OnInit {
secretListViews.push(secretListView); secretListViews.push(secretListView);
return secretListViews; return secretListViews;
} }
private async getCurrentAccessPolicies(
organizationId: string,
secretId: string,
): Promise<ApItemViewType[]> {
return convertSecretAccessPoliciesToApItemViews(
await this.accessPolicyService.getSecretAccessPolicies(organizationId, secretId),
);
}
private async getPeoplePotentialGrantees(organizationId: string): Promise<ApItemViewType[]> {
return convertPotentialGranteesToApItemViewType(
await this.accessPolicyService.getPeoplePotentialGrantees(organizationId),
);
}
private async getServiceAccountItems(
organizationId: string,
currentAccessPolicies?: ApItemViewType[],
): Promise<ApItemViewType[]> {
const potentialGrantees = convertPotentialGranteesToApItemViewType(
await this.accessPolicyService.getServiceAccountsPotentialGrantees(organizationId),
);
const items = [...potentialGrantees];
if (currentAccessPolicies) {
for (const policy of currentAccessPolicies) {
const exists = potentialGrantees.some((grantee) => grantee.id === policy.id);
if (!exists) {
items.push(policy);
}
}
}
return items;
}
private async showWarning(): Promise<boolean> {
const confirmed = await this.dialogService.openSimpleDialog({
title: { key: "smAccessRemovalWarningSecretTitle" },
content: { key: "smAccessRemovalSecretMessage" },
acceptButtonText: { key: "removeAccess" },
cancelButtonText: { key: "cancel" },
type: "warning",
});
return confirmed;
}
private isFormInvalid(): boolean {
this.formGroup.markAllAsTouched();
if (this.formGroup.invalid && this.tabIndex !== SecretDialogTabType.NameValuePair) {
this.platformUtilsService.showToast(
"error",
null,
this.i18nService.t("fieldOnTabRequiresAttention", this.i18nService.t("nameValuePair")),
);
}
return this.formGroup.invalid;
}
} }

View File

@ -1,6 +1,9 @@
import { SecretAccessPoliciesRequest } from "../../shared/access-policies/models/requests/secret-access-policies.request";
export class SecretRequest { export class SecretRequest {
key: string; key: string;
value: string; value: string;
note: string; note: string;
projectIds?: string[]; projectIds?: string[];
accessPoliciesRequests: SecretAccessPoliciesRequest;
} }

View File

@ -0,0 +1,125 @@
import { mock } from "jest-mock-extended";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SecretAccessPoliciesView } from "../models/view/access-policies/secret-access-policies.view";
import { SecretView } from "../models/view/secret.view";
import { AccessPolicyService } from "../shared/access-policies/access-policy.service";
import { SecretService } from "./secret.service";
describe("SecretService", () => {
let sut: SecretService;
const cryptoService = mock<CryptoService>();
const apiService = mock<ApiService>();
const encryptService = mock<EncryptService>();
const accessPolicyService = mock<AccessPolicyService>();
beforeEach(() => {
jest.resetAllMocks();
sut = new SecretService(cryptoService, apiService, encryptService, accessPolicyService);
encryptService.encrypt.mockResolvedValue({
encryptedString: "mockEncryptedString",
} as EncString);
encryptService.decryptToUtf8.mockResolvedValue(mockUnencryptedData);
});
it("instantiates", () => {
expect(sut).not.toBeFalsy();
});
describe("create", () => {
it("emits the secret created", async () => {
apiService.send.mockResolvedValue(mockedSecretResponse);
sut.secret$.subscribe((secret) => {
expect(secret).toBeDefined();
expect(secret).toEqual(expectedSecretView);
});
await sut.create("organizationId", secretView, secretAccessPoliciesView);
});
});
describe("update", () => {
it("emits the secret updated", async () => {
apiService.send.mockResolvedValue(mockedSecretResponse);
sut.secret$.subscribe((secret) => {
expect(secret).toBeDefined();
expect(secret).toEqual(expectedSecretView);
});
await sut.update("organizationId", secretView, secretAccessPoliciesView);
});
});
});
const mockedSecretResponse: any = {
id: "001f835c-aa41-4f25-bfbf-b18d0103a1db",
organizationId: "da0eea55-8604-4307-8a24-b187015e3071",
key: "mockEncryptedString",
value: "mockEncryptedString",
note: "mockEncryptedString",
creationDate: "2024-07-12T15:45:17.49823Z",
revisionDate: "2024-07-12T15:45:17.49823Z",
projects: [
{
id: "502d93ae-a084-490a-8a64-b187015eb69c",
name: "mockEncryptedString",
},
],
read: true,
write: true,
object: "secret",
};
const secretView: SecretView = {
id: "001f835c-aa41-4f25-bfbf-b18d0103a1db",
organizationId: "da0eea55-8604-4307-8a24-b187015e3071",
name: "key",
value: "value",
note: "note",
creationDate: "2024-06-12T15:45:17.49823Z",
revisionDate: "2024-06-12T15:45:17.49823Z",
projects: [
{
id: "502d93ae-a084-490a-8a64-b187015eb69c",
name: "project-name",
},
],
read: true,
write: true,
};
const secretAccessPoliciesView: SecretAccessPoliciesView = {
userAccessPolicies: [],
groupAccessPolicies: [],
serviceAccountAccessPolicies: [],
};
const mockUnencryptedData = "mockUnEncryptedString";
const expectedSecretView: SecretView = {
id: "001f835c-aa41-4f25-bfbf-b18d0103a1db",
organizationId: "da0eea55-8604-4307-8a24-b187015e3071",
name: mockUnencryptedData,
value: mockUnencryptedData,
note: mockUnencryptedData,
creationDate: "2024-07-12T15:45:17.49823Z",
revisionDate: "2024-07-12T15:45:17.49823Z",
projects: [
{
id: "502d93ae-a084-490a-8a64-b187015eb69c",
name: mockUnencryptedData,
},
],
read: true,
write: true,
};

View File

@ -7,9 +7,11 @@ import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string"; import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { SecretAccessPoliciesView } from "../models/view/access-policies/secret-access-policies.view";
import { SecretListView } from "../models/view/secret-list.view"; import { SecretListView } from "../models/view/secret-list.view";
import { SecretProjectView } from "../models/view/secret-project.view"; import { SecretProjectView } from "../models/view/secret-project.view";
import { SecretView } from "../models/view/secret.view"; import { SecretView } from "../models/view/secret.view";
import { AccessPolicyService } from "../shared/access-policies/access-policy.service";
import { BulkOperationStatus } from "../shared/dialogs/bulk-status-dialog.component"; import { BulkOperationStatus } from "../shared/dialogs/bulk-status-dialog.component";
import { SecretRequest } from "./requests/secret.request"; import { SecretRequest } from "./requests/secret.request";
@ -30,6 +32,7 @@ export class SecretService {
private cryptoService: CryptoService, private cryptoService: CryptoService,
private apiService: ApiService, private apiService: ApiService,
private encryptService: EncryptService, private encryptService: EncryptService,
private accessPolicyService: AccessPolicyService,
) {} ) {}
async getBySecretId(secretId: string): Promise<SecretView> { async getBySecretId(secretId: string): Promise<SecretView> {
@ -65,8 +68,16 @@ export class SecretService {
return await this.createSecretsListView(organizationId, results); return await this.createSecretsListView(organizationId, results);
} }
async create(organizationId: string, secretView: SecretView) { async create(
const request = await this.getSecretRequest(organizationId, secretView); organizationId: string,
secretView: SecretView,
secretAccessPoliciesView: SecretAccessPoliciesView,
) {
const request = await this.getSecretRequest(
organizationId,
secretView,
secretAccessPoliciesView,
);
const r = await this.apiService.send( const r = await this.apiService.send(
"POST", "POST",
"/organizations/" + organizationId + "/secrets", "/organizations/" + organizationId + "/secrets",
@ -77,8 +88,16 @@ export class SecretService {
this._secret.next(await this.createSecretView(new SecretResponse(r))); this._secret.next(await this.createSecretView(new SecretResponse(r)));
} }
async update(organizationId: string, secretView: SecretView) { async update(
const request = await this.getSecretRequest(organizationId, secretView); organizationId: string,
secretView: SecretView,
secretAccessPoliciesView: SecretAccessPoliciesView,
) {
const request = await this.getSecretRequest(
organizationId,
secretView,
secretAccessPoliciesView,
);
const r = await this.apiService.send("PUT", "/secrets/" + secretView.id, request, true, true); const r = await this.apiService.send("PUT", "/secrets/" + secretView.id, request, true, true);
this._secret.next(await this.createSecretView(new SecretResponse(r))); this._secret.next(await this.createSecretView(new SecretResponse(r)));
} }
@ -140,6 +159,7 @@ export class SecretService {
private async getSecretRequest( private async getSecretRequest(
organizationId: string, organizationId: string,
secretView: SecretView, secretView: SecretView,
secretAccessPoliciesView: SecretAccessPoliciesView,
): Promise<SecretRequest> { ): Promise<SecretRequest> {
const orgKey = await this.getOrganizationKey(organizationId); const orgKey = await this.getOrganizationKey(organizationId);
const request = new SecretRequest(); const request = new SecretRequest();
@ -155,6 +175,9 @@ export class SecretService {
secretView.projects?.forEach((e) => request.projectIds.push(e.id)); secretView.projects?.forEach((e) => request.projectIds.push(e.id));
request.accessPoliciesRequests =
this.accessPolicyService.getSecretAccessPoliciesRequest(secretAccessPoliciesView);
return request; return request;
} }

View File

@ -2,9 +2,9 @@
<form [formGroup]="formGroup" [bitSubmit]="submit"> <form [formGroup]="formGroup" [bitSubmit]="submit">
<div class="tw-my-4 tw-max-w-xl"> <div class="tw-my-4 tw-max-w-xl">
<app-callout type="info" title="{{ 'exportingOrganizationSecretDataTitle' | i18n }}"> <bit-callout type="info" title="{{ 'exportingOrganizationSecretDataTitle' | i18n }}">
{{ "exportingOrganizationSecretDataDescription" | i18n: orgName }} {{ "exportingOrganizationSecretDataDescription" | i18n: orgName }}
</app-callout> </bit-callout>
</div> </div>
<bit-form-field class="tw-max-w-sm"> <bit-form-field class="tw-max-w-sm">

View File

@ -64,10 +64,12 @@ describe("AccessPolicySelectorService", () => {
const selectedPolicyValues: ApItemValueType[] = []; const selectedPolicyValues: ApItemValueType[] = [];
selectedPolicyValues.push( selectedPolicyValues.push(
createApItemValueType({ createApItemValueType(
{
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
); );
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
@ -80,15 +82,17 @@ describe("AccessPolicySelectorService", () => {
organizationService.get.calledWith(org.id).mockResolvedValue(org); organizationService.get.calledWith(org.id).mockResolvedValue(org);
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
permission: ApPermissionEnum.CanReadWrite, permission: ApPermissionEnum.CanReadWrite,
currentUser: true, },
}), true,
),
]; ];
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
expect(result).toBe(true); expect(result).toBe(false);
}); });
it("returns true when current user isn't owner/admin and a group Read policy is submitted that the user is a member of", async () => { it("returns true when current user isn't owner/admin and a group Read policy is submitted that the user is a member of", async () => {
@ -96,12 +100,15 @@ describe("AccessPolicySelectorService", () => {
organizationService.get.calledWith(org.id).mockResolvedValue(org); organizationService.get.calledWith(org.id).mockResolvedValue(org);
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
id: "groupId", id: "groupId",
type: ApItemEnum.Group, type: ApItemEnum.Group,
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUserInGroup: true, },
}), false,
true,
),
]; ];
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
@ -114,12 +121,15 @@ describe("AccessPolicySelectorService", () => {
organizationService.get.calledWith(org.id).mockResolvedValue(org); organizationService.get.calledWith(org.id).mockResolvedValue(org);
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
id: "groupId", id: "groupId",
type: ApItemEnum.Group, type: ApItemEnum.Group,
permission: ApPermissionEnum.CanReadWrite, permission: ApPermissionEnum.CanReadWrite,
currentUserInGroup: true, },
}), false,
true,
),
]; ];
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
@ -132,12 +142,15 @@ describe("AccessPolicySelectorService", () => {
organizationService.get.calledWith(org.id).mockResolvedValue(org); organizationService.get.calledWith(org.id).mockResolvedValue(org);
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
id: "groupId", id: "groupId",
type: ApItemEnum.Group, type: ApItemEnum.Group,
permission: ApPermissionEnum.CanReadWrite, permission: ApPermissionEnum.CanReadWrite,
currentUserInGroup: false, },
}), false,
false,
),
]; ];
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
@ -150,16 +163,21 @@ describe("AccessPolicySelectorService", () => {
organizationService.get.calledWith(org.id).mockResolvedValue(org); organizationService.get.calledWith(org.id).mockResolvedValue(org);
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
createApItemValueType({ ),
createApItemValueType(
{
id: "groupId", id: "groupId",
type: ApItemEnum.Group, type: ApItemEnum.Group,
permission: ApPermissionEnum.CanReadWrite, permission: ApPermissionEnum.CanReadWrite,
currentUserInGroup: true, },
}), false,
true,
),
]; ];
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
@ -172,16 +190,21 @@ describe("AccessPolicySelectorService", () => {
organizationService.get.calledWith(org.id).mockResolvedValue(org); organizationService.get.calledWith(org.id).mockResolvedValue(org);
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
createApItemValueType({ ),
createApItemValueType(
{
id: "groupId", id: "groupId",
type: ApItemEnum.Group, type: ApItemEnum.Group,
permission: ApPermissionEnum.CanReadWrite, permission: ApPermissionEnum.CanReadWrite,
currentUserInGroup: false, },
}), false,
false,
),
]; ];
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
@ -194,16 +217,21 @@ describe("AccessPolicySelectorService", () => {
organizationService.get.calledWith(org.id).mockResolvedValue(org); organizationService.get.calledWith(org.id).mockResolvedValue(org);
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
createApItemValueType({ ),
createApItemValueType(
{
id: "groupId", id: "groupId",
type: ApItemEnum.Group, type: ApItemEnum.Group,
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUserInGroup: true, },
}), false,
true,
),
]; ];
const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues); const result = await sut.showAccessRemovalWarning(org.id, selectedPolicyValues);
@ -211,6 +239,246 @@ describe("AccessPolicySelectorService", () => {
expect(result).toBe(true); expect(result).toBe(true);
}); });
}); });
describe("showSecretAccessRemovalWarning", () => {
it("returns false when there are no current access policies", async () => {
const org = orgFactory();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [];
const selectedPolicyValues: ApItemValueType[] = [];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(false);
});
it("returns false when current user is admin", async () => {
const org = orgFactory();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
permission: ApPermissionEnum.CanRead,
},
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(false);
});
it("returns false when current user is owner", async () => {
const org = orgFactory();
org.type = OrganizationUserType.Owner;
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
permission: ApPermissionEnum.CanRead,
},
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(false);
});
it("returns false when current non-admin user doesn't have Read, Write access with current access policies -- user policy", async () => {
const org = setupUserOrg();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
permission: ApPermissionEnum.CanRead,
},
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(false);
});
it("returns false when current non-admin user doesn't have Read, Write access with current access policies -- group policy", async () => {
const org = setupUserOrg();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
type: ApItemEnum.Group,
permission: ApPermissionEnum.CanRead,
},
false,
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(false);
});
it("returns true when current non-admin user has Read, Write access with current access policies and doesn't with selected -- user policy", async () => {
const org = setupUserOrg();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
permission: ApPermissionEnum.CanReadWrite,
},
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({
type: ApItemEnum.User,
permission: ApPermissionEnum.CanRead,
currentUser: true,
}),
];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(true);
});
it("returns true when current non-admin user has Read, Write access with current access policies and doesn't with selected -- group policy", async () => {
const org = setupUserOrg();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
type: ApItemEnum.Group,
permission: ApPermissionEnum.CanReadWrite,
},
false,
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType(
{
type: ApItemEnum.Group,
permission: ApPermissionEnum.CanRead,
},
false,
true,
),
];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(true);
});
it("returns false when current non-admin user has Read, Write access with current access policies and does with selected -- user policy", async () => {
const org = setupUserOrg();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
permission: ApPermissionEnum.CanReadWrite,
},
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType(
{
type: ApItemEnum.User,
permission: ApPermissionEnum.CanReadWrite,
},
true,
),
];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(false);
});
it("returns false when current non-admin user has Read, Write access with current access policies and does with selected -- group policy", async () => {
const org = setupUserOrg();
organizationService.get.calledWith(org.id).mockResolvedValue(org);
const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType(
{
id: "example",
type: ApItemEnum.Group,
permission: ApPermissionEnum.CanReadWrite,
},
false,
true,
),
];
const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType(
{
type: ApItemEnum.Group,
permission: ApPermissionEnum.CanReadWrite,
},
false,
true,
),
];
const result = await sut.showSecretAccessRemovalWarning(
org.id,
currentAccessPolicies,
selectedPolicyValues,
);
expect(result).toBe(false);
});
});
describe("isAccessRemoval", () => { describe("isAccessRemoval", () => {
it("returns false when there are no previous policies and no selected policies", async () => { it("returns false when there are no previous policies and no selected policies", async () => {
const currentAccessPolicies: ApItemViewType[] = []; const currentAccessPolicies: ApItemViewType[] = [];
@ -223,11 +491,13 @@ describe("AccessPolicySelectorService", () => {
it("returns false when there are no previous policies", async () => { it("returns false when there are no previous policies", async () => {
const currentAccessPolicies: ApItemViewType[] = []; const currentAccessPolicies: ApItemViewType[] = [];
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
id: "example", id: "example",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues); const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues);
@ -236,18 +506,22 @@ describe("AccessPolicySelectorService", () => {
}); });
it("returns false when previous policies and selected policies are the same", async () => { it("returns false when previous policies and selected policies are the same", async () => {
const currentAccessPolicies: ApItemViewType[] = [ const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType({ createApItemViewType(
{
id: "example", id: "example",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
id: "example", id: "example",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues); const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues);
@ -256,23 +530,29 @@ describe("AccessPolicySelectorService", () => {
}); });
it("returns false when previous policies are still selected", async () => { it("returns false when previous policies are still selected", async () => {
const currentAccessPolicies: ApItemViewType[] = [ const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType({ createApItemViewType(
{
id: "example", id: "example",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
id: "example", id: "example",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
createApItemValueType({ ),
createApItemValueType(
{
id: "example-2", id: "example-2",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues); const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues);
@ -281,23 +561,29 @@ describe("AccessPolicySelectorService", () => {
}); });
it("returns true when previous policies are not selected", async () => { it("returns true when previous policies are not selected", async () => {
const currentAccessPolicies: ApItemViewType[] = [ const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType({ createApItemViewType(
{
id: "example", id: "example",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const selectedPolicyValues: ApItemValueType[] = [ const selectedPolicyValues: ApItemValueType[] = [
createApItemValueType({ createApItemValueType(
{
id: "test", id: "test",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
createApItemValueType({ ),
createApItemValueType(
{
id: "example-2", id: "example-2",
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues); const result = sut.isAccessRemoval(currentAccessPolicies, selectedPolicyValues);
@ -306,10 +592,12 @@ describe("AccessPolicySelectorService", () => {
}); });
it("returns true when there are previous policies and nothing was selected", async () => { it("returns true when there are previous policies and nothing was selected", async () => {
const currentAccessPolicies: ApItemViewType[] = [ const currentAccessPolicies: ApItemViewType[] = [
createApItemViewType({ createApItemViewType(
{
permission: ApPermissionEnum.CanRead, permission: ApPermissionEnum.CanRead,
currentUser: true, },
}), true,
),
]; ];
const selectedPolicyValues: ApItemValueType[] = []; const selectedPolicyValues: ApItemValueType[] = [];
@ -331,17 +619,31 @@ const orgFactory = (props: Partial<Organization> = {}) =>
props, props,
); );
function createApItemValueType(options: Partial<ApItemValueType> = {}) { function createApItemValueType(
return { options: Partial<ApItemValueType> = {},
currentUser = false,
currentUserInGroup = false,
) {
const item: ApItemValueType = {
id: options?.id ?? "test", id: options?.id ?? "test",
type: options?.type ?? ApItemEnum.User, type: options?.type ?? ApItemEnum.User,
permission: options?.permission ?? ApPermissionEnum.CanRead, permission: options?.permission ?? ApPermissionEnum.CanRead,
currentUserInGroup: options?.currentUserInGroup ?? false,
}; };
if (item.type === ApItemEnum.User) {
item.currentUser = currentUser;
}
if (item.type === ApItemEnum.Group) {
item.currentUserInGroup = currentUserInGroup;
}
return item;
} }
function createApItemViewType(options: Partial<ApItemViewType> = {}) { function createApItemViewType(
return { options: Partial<ApItemViewType> = {},
currentUser = false,
currentUserInGroup = false,
) {
const item: ApItemViewType = {
id: options?.id ?? "test", id: options?.id ?? "test",
listName: options?.listName ?? "test", listName: options?.listName ?? "test",
labelName: options?.labelName ?? "test", labelName: options?.labelName ?? "test",
@ -349,6 +651,13 @@ function createApItemViewType(options: Partial<ApItemViewType> = {}) {
permission: options?.permission ?? ApPermissionEnum.CanRead, permission: options?.permission ?? ApPermissionEnum.CanRead,
readOnly: options?.readOnly ?? false, readOnly: options?.readOnly ?? false,
}; };
if (item.type === ApItemEnum.User) {
item.currentUser = currentUser;
}
if (item.type === ApItemEnum.Group) {
item.currentUserInGroup = currentUserInGroup;
}
return item;
} }
function setupUserOrg() { function setupUserOrg() {

View File

@ -22,26 +22,29 @@ export class AccessPolicySelectorService {
return false; return false;
} }
const selectedUserReadWritePolicy = selectedPoliciesValues.find( if (!this.userHasReadWriteAccess(selectedPoliciesValues)) {
(s) =>
s.type === ApItemEnum.User &&
s.currentUser &&
s.permission === ApPermissionEnum.CanReadWrite,
);
const selectedGroupReadWritePolicies = selectedPoliciesValues.filter(
(s) =>
s.type === ApItemEnum.Group &&
s.permission == ApPermissionEnum.CanReadWrite &&
s.currentUserInGroup,
);
if (selectedGroupReadWritePolicies == null || selectedGroupReadWritePolicies.length == 0) {
if (selectedUserReadWritePolicy == null) {
return true; return true;
} else { }
return false; return false;
} }
async showSecretAccessRemovalWarning(
organizationId: string,
current: ApItemViewType[],
selectedPoliciesValues: ApItemValueType[],
): Promise<boolean> {
if (current.length === 0) {
return false;
}
const organization = await this.organizationService.get(organizationId);
if (organization.isOwner || organization.isAdmin || !this.userHasReadWriteAccess(current)) {
return false;
}
if (!this.userHasReadWriteAccess(selectedPoliciesValues)) {
return true;
} }
return false; return false;
@ -67,4 +70,25 @@ export class AccessPolicySelectorService {
const selectedIds = selected.map((x) => x.id); const selectedIds = selected.map((x) => x.id);
return !currentIds.every((id) => selectedIds.includes(id)); return !currentIds.every((id) => selectedIds.includes(id));
} }
private userHasReadWriteAccess(policies: ApItemValueType[] | ApItemViewType[]): boolean {
const userReadWritePolicy = (policies as Array<ApItemValueType | ApItemViewType>).find(
(s) =>
s.type === ApItemEnum.User &&
s.currentUser &&
s.permission === ApPermissionEnum.CanReadWrite,
);
const groupReadWritePolicies = (policies as Array<ApItemValueType | ApItemViewType>).filter(
(s) =>
s.type === ApItemEnum.Group &&
s.permission === ApPermissionEnum.CanReadWrite &&
s.currentUserInGroup,
);
if (groupReadWritePolicies.length > 0 || userReadWritePolicy !== undefined) {
return true;
}
return false;
}
} }

View File

@ -27,6 +27,7 @@ import { ServiceAccountGrantedPoliciesRequest } from "../access-policies/models/
import { AccessPolicyRequest } from "./models/requests/access-policy.request"; import { AccessPolicyRequest } from "./models/requests/access-policy.request";
import { ProjectServiceAccountsAccessPoliciesRequest } from "./models/requests/project-service-accounts-access-policies.request"; import { ProjectServiceAccountsAccessPoliciesRequest } from "./models/requests/project-service-accounts-access-policies.request";
import { SecretAccessPoliciesRequest } from "./models/requests/secret-access-policies.request";
import { import {
GroupAccessPolicyResponse, GroupAccessPolicyResponse,
UserAccessPolicyResponse, UserAccessPolicyResponse,
@ -233,6 +234,20 @@ export class AccessPolicyService {
return await this.createPotentialGranteeViews(organizationId, results.data); return await this.createPotentialGranteeViews(organizationId, results.data);
} }
getSecretAccessPoliciesRequest(view: SecretAccessPoliciesView): SecretAccessPoliciesRequest {
return {
userAccessPolicyRequests: view.userAccessPolicies.map((ap) => {
return this.getAccessPolicyRequest(ap.organizationUserId, ap);
}),
groupAccessPolicyRequests: view.groupAccessPolicies.map((ap) => {
return this.getAccessPolicyRequest(ap.groupId, ap);
}),
serviceAccountAccessPolicyRequests: view.serviceAccountAccessPolicies.map((ap) => {
return this.getAccessPolicyRequest(ap.serviceAccountId, ap);
}),
};
}
private async getOrganizationKey(organizationId: string): Promise<SymmetricCryptoKey> { private async getOrganizationKey(organizationId: string): Promise<SymmetricCryptoKey> {
return await this.cryptoService.getOrgKey(organizationId); return await this.cryptoService.getOrgKey(organizationId);
} }

View File

@ -0,0 +1,7 @@
import { AccessPolicyRequest } from "./access-policy.request";
export class SecretAccessPoliciesRequest {
userAccessPolicyRequests: AccessPolicyRequest[];
groupAccessPolicyRequests: AccessPolicyRequest[];
serviceAccountAccessPolicyRequests: AccessPolicyRequest[];
}

View File

@ -14,7 +14,9 @@
"@bitwarden/components": ["../../libs/components/src"], "@bitwarden/components": ["../../libs/components/src"],
"@bitwarden/generator-components": ["../../libs/tools/generator/components/src"], "@bitwarden/generator-components": ["../../libs/tools/generator/components/src"],
"@bitwarden/generator-core": ["../../libs/tools/generator/core/src"], "@bitwarden/generator-core": ["../../libs/tools/generator/core/src"],
"@bitwarden/generator-extensions": ["../../libs/tools/generator/extensions/src"], "@bitwarden/generator-history": ["../../libs/tools/generator/extensions/history/src"],
"@bitwarden/generator-legacy": ["../../libs/tools/generator/extensions/legacy/src"],
"@bitwarden/generator-navigation": ["../../libs/tools/generator/extensions/navigation/src"],
"@bitwarden/vault-export-core": [ "@bitwarden/vault-export-core": [
"../../libs/tools/export/vault-export/vault-export-core/src" "../../libs/tools/export/vault-export/vault-export-core/src"
], ],

View File

@ -32,6 +32,9 @@ module.exports = {
"<rootDir>/libs/components/jest.config.js", "<rootDir>/libs/components/jest.config.js",
"<rootDir>/libs/tools/export/vault-export/vault-export-core/jest.config.js", "<rootDir>/libs/tools/export/vault-export/vault-export-core/jest.config.js",
"<rootDir>/libs/tools/generator/core/jest.config.js", "<rootDir>/libs/tools/generator/core/jest.config.js",
"<rootDir>/libs/tools/generator/extensions/history/jest.config.js",
"<rootDir>/libs/tools/generator/extensions/legacy/jest.config.js",
"<rootDir>/libs/tools/generator/extensions/navigation/jest.config.js",
"<rootDir>/libs/importer/jest.config.js", "<rootDir>/libs/importer/jest.config.js",
"<rootDir>/libs/platform/jest.config.js", "<rootDir>/libs/platform/jest.config.js",
"<rootDir>/libs/node/jest.config.js", "<rootDir>/libs/node/jest.config.js",

View File

@ -41,7 +41,7 @@ export class RemovePasswordComponent implements OnInit {
this.loading = false; this.loading = false;
} }
async convert() { convert = async () => {
this.continuing = true; this.continuing = true;
this.actionPromise = this.keyConnectorService.migrateUser(); this.actionPromise = this.keyConnectorService.migrateUser();
@ -59,9 +59,9 @@ export class RemovePasswordComponent implements OnInit {
} catch (e) { } catch (e) {
this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message); this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message);
} }
} };
async leave() { leave = async () => {
const confirmed = await this.dialogService.openSimpleDialog({ const confirmed = await this.dialogService.openSimpleDialog({
title: this.organization.name, title: this.organization.name,
content: { key: "leaveOrganizationConfirmation" }, content: { key: "leaveOrganizationConfirmation" },
@ -84,5 +84,5 @@ export class RemovePasswordComponent implements OnInit {
} catch (e) { } catch (e) {
this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e); this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e);
} }
} };
} }

View File

@ -3,3 +3,4 @@ export * from "./login-email.service";
export * from "./login-strategy.service"; export * from "./login-strategy.service";
export * from "./user-decryption-options.service.abstraction"; export * from "./user-decryption-options.service.abstraction";
export * from "./auth-request.service.abstraction"; export * from "./auth-request.service.abstraction";
export * from "./user-key-rotation-data-provider.abstraction";

View File

@ -0,0 +1,23 @@
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey } from "@bitwarden/common/types/key";
/**
* Constructs key rotation requests for data encryption by the user key.
* @typeparam TRequest A request model that contains re-encrypted data, must have an id property
*/
export interface UserKeyRotationDataProvider<
TRequest extends { id: string } | { organizationId: string },
> {
/**
* Provides re-encrypted data for the user key rotation process
* @param originalUserKey The original user key, useful for decrypting data
* @param newUserKey The new user key to use for re-encryption
* @param userId The owner of the data, useful for fetching data
* @returns A list of data that has been re-encrypted with the new user key
*/
getRotatedData(
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
): Promise<TRequest[]>;
}

View File

@ -269,6 +269,15 @@ export abstract class CryptoService {
*/ */
abstract userPrivateKey$(userId: UserId): Observable<UserPrivateKey>; abstract userPrivateKey$(userId: UserId): Observable<UserPrivateKey>;
/**
* Gets an observable stream of the given users decrypted private key with legacy support,
* will emit null if the user doesn't have a UserKey to decrypt the encrypted private key
* or null if the user doesn't have an encrypted private key at all.
*
* @param userId The user id of the user to get the data for.
*/
abstract userPrivateKeyWithLegacySupport$(userId: UserId): Observable<UserPrivateKey>;
/** /**
* Generates a fingerprint phrase for the user based on their public key * Generates a fingerprint phrase for the user based on their public key
* @param fingerprintMaterial Fingerprint material * @param fingerprintMaterial Fingerprint material

View File

@ -929,6 +929,10 @@ export class CryptoService implements CryptoServiceAbstraction {
return this.userPrivateKeyHelper$(userId, false).pipe(map((keys) => keys?.userPrivateKey)); return this.userPrivateKeyHelper$(userId, false).pipe(map((keys) => keys?.userPrivateKey));
} }
userPrivateKeyWithLegacySupport$(userId: UserId): Observable<UserPrivateKey> {
return this.userPrivateKeyHelper$(userId, true).pipe(map((keys) => keys?.userPrivateKey));
}
private userPrivateKeyHelper$(userId: UserId, legacySupport: boolean) { private userPrivateKeyHelper$(userId: UserId, legacySupport: boolean) {
const userKey$ = legacySupport ? this.userKeyWithLegacySupport$(userId) : this.userKey$(userId); const userKey$ = legacySupport ? this.userKeyWithLegacySupport$(userId) : this.userKey$(userId);
return userKey$.pipe( return userKey$.pipe(
@ -1010,7 +1014,7 @@ export class CryptoService implements CryptoServiceAbstraction {
} }
orgKeys$(userId: UserId) { orgKeys$(userId: UserId) {
return this.cipherDecryptionKeys$(userId).pipe(map((keys) => keys?.orgKeys)); return this.cipherDecryptionKeys$(userId, true).pipe(map((keys) => keys?.orgKeys));
} }
cipherDecryptionKeys$( cipherDecryptionKeys$(

View File

@ -1,14 +1,17 @@
import { Observable } from "rxjs"; import { Observable } from "rxjs";
import { UserKeyRotationDataProvider } from "@bitwarden/auth/common";
import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer"; import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer";
import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
import { UserId } from "../../../types/guid";
import { UserKey } from "../../../types/key"; import { UserKey } from "../../../types/key";
import { SendData } from "../models/data/send.data"; import { SendData } from "../models/data/send.data";
import { Send } from "../models/domain/send"; import { Send } from "../models/domain/send";
import { SendWithIdRequest } from "../models/request/send-with-id.request"; import { SendWithIdRequest } from "../models/request/send-with-id.request";
import { SendView } from "../models/view/send.view"; import { SendView } from "../models/view/send.view";
export abstract class SendService { export abstract class SendService implements UserKeyRotationDataProvider<SendWithIdRequest> {
sends$: Observable<Send[]>; sends$: Observable<Send[]>;
sendViews$: Observable<SendView[]>; sendViews$: Observable<SendView[]>;
@ -31,7 +34,11 @@ export abstract class SendService {
* @throws Error if the new user key is null or undefined * @throws Error if the new user key is null or undefined
* @returns A list of user sends that have been re-encrypted with the new user key * @returns A list of user sends that have been re-encrypted with the new user key
*/ */
getRotatedKeys: (newUserKey: UserKey) => Promise<SendWithIdRequest[]>; getRotatedData: (
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
) => Promise<SendWithIdRequest[]>;
/** /**
* @deprecated Do not call this, use the sends$ observable collection * @deprecated Do not call this, use the sends$ observable collection
*/ */

View File

@ -400,8 +400,11 @@ describe("SendService", () => {
expect(sends[0]).toMatchObject(testSendViewData("1", "Test Send")); expect(sends[0]).toMatchObject(testSendViewData("1", "Test Send"));
}); });
describe("getRotatedKeys", () => { describe("getRotatedData", () => {
const originalUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey;
const newUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey;
let encryptedKey: EncString; let encryptedKey: EncString;
beforeEach(() => { beforeEach(() => {
encryptService.decryptToBytes.mockResolvedValue(new Uint8Array(32)); encryptService.decryptToBytes.mockResolvedValue(new Uint8Array(32));
encryptedKey = new EncString("Re-encrypted Send Key"); encryptedKey = new EncString("Re-encrypted Send Key");
@ -409,27 +412,30 @@ describe("SendService", () => {
}); });
it("returns re-encrypted user sends", async () => { it("returns re-encrypted user sends", async () => {
const newUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey; const result = await sendService.getRotatedData(originalUserKey, newUserKey, mockUserId);
const result = await sendService.getRotatedKeys(newUserKey);
expect(result).toMatchObject([{ id: "1", key: "Re-encrypted Send Key" }]); expect(result).toMatchObject([{ id: "1", key: "Re-encrypted Send Key" }]);
}); });
it("returns null if there are no sends", async () => { it("returns empty array if there are no sends", async () => {
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling. await sendService.replace(null);
// eslint-disable-next-line @typescript-eslint/no-floating-promises
sendService.replace(null);
await awaitAsync(); await awaitAsync();
const newUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey; const newUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey;
const result = await sendService.getRotatedKeys(newUserKey); const result = await sendService.getRotatedData(originalUserKey, newUserKey, mockUserId);
expect(result).toEqual([]); expect(result).toEqual([]);
}); });
it("throws if the original user key is null", async () => {
await expect(sendService.getRotatedData(null, newUserKey, mockUserId)).rejects.toThrow(
"Original user key is required for rotation.",
);
});
it("throws if the new user key is null", async () => { it("throws if the new user key is null", async () => {
await expect(sendService.getRotatedKeys(null)).rejects.toThrowError( await expect(sendService.getRotatedData(originalUserKey, null, mockUserId)).rejects.toThrow(
"New user key is required for rotation.", "New user key is required for rotation.",
); );
}); });

View File

@ -9,6 +9,7 @@ import { Utils } from "../../../platform/misc/utils";
import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer"; import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer";
import { EncString } from "../../../platform/models/domain/enc-string"; import { EncString } from "../../../platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
import { UserId } from "../../../types/guid";
import { UserKey } from "../../../types/key"; import { UserKey } from "../../../types/key";
import { SendType } from "../enums/send-type"; import { SendType } from "../enums/send-type";
import { SendData } from "../models/data/send.data"; import { SendData } from "../models/data/send.data";
@ -258,12 +259,17 @@ export class SendService implements InternalSendServiceAbstraction {
await this.stateProvider.setEncryptedSends(sends); await this.stateProvider.setEncryptedSends(sends);
} }
async getRotatedKeys(newUserKey: UserKey): Promise<SendWithIdRequest[]> { async getRotatedData(
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
): Promise<SendWithIdRequest[]> {
if (newUserKey == null) { if (newUserKey == null) {
throw new Error("New user key is required for rotation."); throw new Error("New user key is required for rotation.");
} }
if (originalUserKey == null) {
const originalUserKey = await this.cryptoService.getUserKey(); throw new Error("Original user key is required for rotation.");
}
const req = await firstValueFrom( const req = await firstValueFrom(
this.sends$.pipe( this.sends$.pipe(

View File

@ -1,19 +1,22 @@
import { Observable } from "rxjs"; import { Observable } from "rxjs";
import { UserKeyRotationDataProvider } from "@bitwarden/auth/common";
import { LocalData } from "@bitwarden/common/vault/models/data/local.data"; import { LocalData } from "@bitwarden/common/vault/models/data/local.data";
import { UriMatchStrategySetting } from "../../models/domain/domain-service"; import { UriMatchStrategySetting } from "../../models/domain/domain-service";
import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
import { CipherId, CollectionId, OrganizationId } from "../../types/guid"; import { CipherId, CollectionId, OrganizationId, UserId } from "../../types/guid";
import { UserKey } from "../../types/key";
import { CipherType } from "../enums/cipher-type"; import { CipherType } from "../enums/cipher-type";
import { CipherData } from "../models/data/cipher.data"; import { CipherData } from "../models/data/cipher.data";
import { Cipher } from "../models/domain/cipher"; import { Cipher } from "../models/domain/cipher";
import { Field } from "../models/domain/field"; import { Field } from "../models/domain/field";
import { CipherWithIdRequest } from "../models/request/cipher-with-id.request";
import { CipherView } from "../models/view/cipher.view"; import { CipherView } from "../models/view/cipher.view";
import { FieldView } from "../models/view/field.view"; import { FieldView } from "../models/view/field.view";
import { AddEditCipherInfo } from "../types/add-edit-cipher-info"; import { AddEditCipherInfo } from "../types/add-edit-cipher-info";
export abstract class CipherService { export abstract class CipherService implements UserKeyRotationDataProvider<CipherWithIdRequest> {
cipherViews$: Observable<Record<CipherId, CipherView>>; cipherViews$: Observable<Record<CipherId, CipherView>>;
ciphers$: Observable<Record<CipherId, CipherData>>; ciphers$: Observable<Record<CipherId, CipherData>>;
localData$: Observable<Record<CipherId, LocalData>>; localData$: Observable<Record<CipherId, LocalData>>;
@ -146,4 +149,17 @@ export abstract class CipherService {
restoreManyWithServer: (ids: string[], orgId?: string) => Promise<void>; restoreManyWithServer: (ids: string[], orgId?: string) => Promise<void>;
getKeyForCipherKeyDecryption: (cipher: Cipher) => Promise<any>; getKeyForCipherKeyDecryption: (cipher: Cipher) => Promise<any>;
setAddEditCipherInfo: (value: AddEditCipherInfo) => Promise<void>; setAddEditCipherInfo: (value: AddEditCipherInfo) => Promise<void>;
/**
* Returns user ciphers re-encrypted with the new user key.
* @param originalUserKey the original user key
* @param newUserKey the new user key
* @param userId the user id
* @throws Error if new user key is null
* @returns a list of user ciphers that have been re-encrypted with the new user key
*/
getRotatedData: (
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
) => Promise<CipherWithIdRequest[]>;
} }

View File

@ -1,11 +1,16 @@
import { Observable } from "rxjs"; import { Observable } from "rxjs";
import { UserKeyRotationDataProvider } from "@bitwarden/auth/common";
import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
import { UserId } from "../../../types/guid";
import { UserKey } from "../../../types/key";
import { FolderData } from "../../models/data/folder.data"; import { FolderData } from "../../models/data/folder.data";
import { Folder } from "../../models/domain/folder"; import { Folder } from "../../models/domain/folder";
import { FolderWithIdRequest } from "../../models/request/folder-with-id.request";
import { FolderView } from "../../models/view/folder.view"; import { FolderView } from "../../models/view/folder.view";
export abstract class FolderService { export abstract class FolderService implements UserKeyRotationDataProvider<FolderWithIdRequest> {
folders$: Observable<Folder[]>; folders$: Observable<Folder[]>;
folderViews$: Observable<FolderView[]>; folderViews$: Observable<FolderView[]>;
@ -22,6 +27,19 @@ export abstract class FolderService {
*/ */
getAllDecryptedFromState: () => Promise<FolderView[]>; getAllDecryptedFromState: () => Promise<FolderView[]>;
decryptFolders: (folders: Folder[]) => Promise<FolderView[]>; decryptFolders: (folders: Folder[]) => Promise<FolderView[]>;
/**
* Returns user folders re-encrypted with the new user key.
* @param originalUserKey the original user key
* @param newUserKey the new user key
* @param userId the user id
* @throws Error if new user key is null
* @returns a list of user folders that have been re-encrypted with the new user key
*/
getRotatedData: (
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
) => Promise<FolderWithIdRequest[]>;
} }
export abstract class InternalFolderService extends FolderService { export abstract class InternalFolderService extends FolderService {

View File

@ -1,5 +1,5 @@
import { mock } from "jest-mock-extended"; import { mock } from "jest-mock-extended";
import { of } from "rxjs"; import { BehaviorSubject, of } from "rxjs";
import { FakeAccountService, mockAccountServiceWith } from "../../../spec/fake-account-service"; import { FakeAccountService, mockAccountServiceWith } from "../../../spec/fake-account-service";
import { FakeStateProvider } from "../../../spec/fake-state-provider"; import { FakeStateProvider } from "../../../spec/fake-state-provider";
@ -10,7 +10,7 @@ import { AutofillSettingsService } from "../../autofill/services/autofill-settin
import { DomainSettingsService } from "../../autofill/services/domain-settings.service"; import { DomainSettingsService } from "../../autofill/services/domain-settings.service";
import { UriMatchStrategy } from "../../models/domain/domain-service"; import { UriMatchStrategy } from "../../models/domain/domain-service";
import { ConfigService } from "../../platform/abstractions/config/config.service"; import { ConfigService } from "../../platform/abstractions/config/config.service";
import { CryptoService } from "../../platform/abstractions/crypto.service"; import { CipherDecryptionKeys, CryptoService } from "../../platform/abstractions/crypto.service";
import { EncryptService } from "../../platform/abstractions/encrypt.service"; import { EncryptService } from "../../platform/abstractions/encrypt.service";
import { I18nService } from "../../platform/abstractions/i18n.service"; import { I18nService } from "../../platform/abstractions/i18n.service";
import { StateService } from "../../platform/abstractions/state.service"; import { StateService } from "../../platform/abstractions/state.service";
@ -19,8 +19,8 @@ import { EncArrayBuffer } from "../../platform/models/domain/enc-array-buffer";
import { EncString } from "../../platform/models/domain/enc-string"; import { EncString } from "../../platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
import { ContainerService } from "../../platform/services/container.service"; import { ContainerService } from "../../platform/services/container.service";
import { UserId } from "../../types/guid"; import { CipherId, UserId } from "../../types/guid";
import { CipherKey, OrgKey } from "../../types/key"; import { CipherKey, OrgKey, UserKey } from "../../types/key";
import { CipherFileUploadService } from "../abstractions/file-upload/cipher-file-upload.service"; import { CipherFileUploadService } from "../abstractions/file-upload/cipher-file-upload.service";
import { FieldType } from "../enums"; import { FieldType } from "../enums";
import { CipherRepromptType } from "../enums/cipher-reprompt-type"; import { CipherRepromptType } from "../enums/cipher-reprompt-type";
@ -331,6 +331,64 @@ describe("Cipher Service", () => {
}); });
}); });
}); });
describe("getRotatedData", () => {
const originalUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey;
const newUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey;
let decryptedCiphers: BehaviorSubject<Record<CipherId, CipherView>>;
let encryptedKey: EncString;
beforeEach(() => {
setEncryptionKeyFlag(true);
configService.checkServerMeetsVersionRequirement$.mockReturnValue(of(true));
searchService.indexedEntityId$ = of(null);
stateService.getUserId.mockResolvedValue(mockUserId);
const keys = {
userKey: originalUserKey,
} as CipherDecryptionKeys;
cryptoService.cipherDecryptionKeys$.mockReturnValue(of(keys));
const cipher1 = new CipherView(cipherObj);
cipher1.id = "Cipher 1";
const cipher2 = new CipherView(cipherObj);
cipher2.id = "Cipher 2";
decryptedCiphers = new BehaviorSubject({
Cipher1: cipher1,
Cipher2: cipher2,
});
cipherService.cipherViews$ = decryptedCiphers;
encryptService.decryptToBytes.mockResolvedValue(new Uint8Array(32));
encryptedKey = new EncString("Re-encrypted Cipher Key");
encryptService.encrypt.mockResolvedValue(encryptedKey);
cryptoService.makeCipherKey.mockResolvedValue(
new SymmetricCryptoKey(new Uint8Array(32)) as CipherKey,
);
});
it("returns re-encrypted user ciphers", async () => {
const result = await cipherService.getRotatedData(originalUserKey, newUserKey, mockUserId);
expect(result[0]).toMatchObject({ id: "Cipher 1", key: "Re-encrypted Cipher Key" });
expect(result[1]).toMatchObject({ id: "Cipher 2", key: "Re-encrypted Cipher Key" });
});
it("throws if the original user key is null", async () => {
await expect(cipherService.getRotatedData(null, newUserKey, mockUserId)).rejects.toThrow(
"Original user key is required to rotate ciphers",
);
});
it("throws if the new user key is null", async () => {
await expect(cipherService.getRotatedData(originalUserKey, null, mockUserId)).rejects.toThrow(
"New user key is required to rotate ciphers",
);
});
});
}); });
function setEncryptionKeyFlag(value: boolean) { function setEncryptionKeyFlag(value: boolean) {

View File

@ -56,6 +56,7 @@ import { CipherCollectionsRequest } from "../models/request/cipher-collections.r
import { CipherCreateRequest } from "../models/request/cipher-create.request"; import { CipherCreateRequest } from "../models/request/cipher-create.request";
import { CipherPartialRequest } from "../models/request/cipher-partial.request"; import { CipherPartialRequest } from "../models/request/cipher-partial.request";
import { CipherShareRequest } from "../models/request/cipher-share.request"; import { CipherShareRequest } from "../models/request/cipher-share.request";
import { CipherWithIdRequest } from "../models/request/cipher-with-id.request";
import { CipherRequest } from "../models/request/cipher.request"; import { CipherRequest } from "../models/request/cipher.request";
import { CipherResponse } from "../models/response/cipher.response"; import { CipherResponse } from "../models/response/cipher.response";
import { AttachmentView } from "../models/view/attachment.view"; import { AttachmentView } from "../models/view/attachment.view";
@ -1168,6 +1169,34 @@ export class CipherService implements CipherServiceAbstraction {
}); });
} }
async getRotatedData(
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
): Promise<CipherWithIdRequest[]> {
if (originalUserKey == null) {
throw new Error("Original user key is required to rotate ciphers");
}
if (newUserKey == null) {
throw new Error("New user key is required to rotate ciphers");
}
let encryptedCiphers: CipherWithIdRequest[] = [];
const ciphers = await this.getAllDecrypted();
if (!ciphers || ciphers.length === 0) {
return encryptedCiphers;
}
encryptedCiphers = await Promise.all(
ciphers.map(async (cipher) => {
const encryptedCipher = await this.encrypt(cipher, newUserKey, originalUserKey);
return new CipherWithIdRequest(encryptedCipher);
}),
);
return encryptedCiphers;
}
// Helpers // Helpers
// In the case of a cipher that is being shared with an organization, we want to decrypt the // In the case of a cipher that is being shared with an organization, we want to decrypt the

View File

@ -178,6 +178,29 @@ describe("Folder Service", () => {
// }); // });
}); });
describe("getRotatedData", () => {
const originalUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey;
const newUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey;
let encryptedKey: EncString;
beforeEach(() => {
encryptedKey = new EncString("Re-encrypted Folder");
cryptoService.encrypt.mockResolvedValue(encryptedKey);
});
it("returns re-encrypted user folders", async () => {
const result = await folderService.getRotatedData(originalUserKey, newUserKey, mockUserId);
expect(result[0]).toMatchObject({ id: "1", name: "Re-encrypted Folder" });
});
it("throws if the new user key is null", async () => {
await expect(folderService.getRotatedData(originalUserKey, null, mockUserId)).rejects.toThrow(
"New user key is required for rotation.",
);
});
});
function folderData(id: string, name: string) { function folderData(id: string, name: string) {
const data = new FolderData({} as any); const data = new FolderData({} as any);
data.id = id; data.id = id;

View File

@ -6,12 +6,14 @@ import { Utils } from "../../../platform/misc/utils";
import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
import { ActiveUserState, DerivedState, StateProvider } from "../../../platform/state"; import { ActiveUserState, DerivedState, StateProvider } from "../../../platform/state";
import { UserId } from "../../../types/guid"; import { UserId } from "../../../types/guid";
import { UserKey } from "../../../types/key";
import { CipherService } from "../../../vault/abstractions/cipher.service"; import { CipherService } from "../../../vault/abstractions/cipher.service";
import { InternalFolderService as InternalFolderServiceAbstraction } from "../../../vault/abstractions/folder/folder.service.abstraction"; import { InternalFolderService as InternalFolderServiceAbstraction } from "../../../vault/abstractions/folder/folder.service.abstraction";
import { FolderData } from "../../../vault/models/data/folder.data"; import { FolderData } from "../../../vault/models/data/folder.data";
import { Folder } from "../../../vault/models/domain/folder"; import { Folder } from "../../../vault/models/domain/folder";
import { FolderView } from "../../../vault/models/view/folder.view"; import { FolderView } from "../../../vault/models/view/folder.view";
import { Cipher } from "../../models/domain/cipher"; import { Cipher } from "../../models/domain/cipher";
import { FolderWithIdRequest } from "../../models/request/folder-with-id.request";
import { FOLDER_DECRYPTED_FOLDERS, FOLDER_ENCRYPTED_FOLDERS } from "../key-state/folder.state"; import { FOLDER_DECRYPTED_FOLDERS, FOLDER_ENCRYPTED_FOLDERS } from "../key-state/folder.state";
export class FolderService implements InternalFolderServiceAbstraction { export class FolderService implements InternalFolderServiceAbstraction {
@ -170,4 +172,27 @@ export class FolderService implements InternalFolderServiceAbstraction {
decryptedFolders.push(noneFolder); decryptedFolders.push(noneFolder);
return decryptedFolders; return decryptedFolders;
} }
async getRotatedData(
originalUserKey: UserKey,
newUserKey: UserKey,
userId: UserId,
): Promise<FolderWithIdRequest[]> {
if (newUserKey == null) {
throw new Error("New user key is required for rotation.");
}
let encryptedFolders: FolderWithIdRequest[] = [];
const folders = await firstValueFrom(this.folderViews$);
if (!folders) {
return encryptedFolders;
}
encryptedFolders = await Promise.all(
folders.map(async (folder) => {
const encryptedFolder = await this.encrypt(folder, newUserKey);
return new FolderWithIdRequest(encryptedFolder);
}),
);
return encryptedFolders;
}
} }

View File

@ -10,12 +10,14 @@ export type Sort = {
fn?: SortFn; fn?: SortFn;
}; };
export type FilterFn<T> = (data: T) => boolean;
// Loosely based on CDK TableDataSource // Loosely based on CDK TableDataSource
// https://github.com/angular/components/blob/main/src/material/table/table-data-source.ts // https://github.com/angular/components/blob/main/src/material/table/table-data-source.ts
export class TableDataSource<T> extends DataSource<T> { export class TableDataSource<T> extends DataSource<T> {
private readonly _data: BehaviorSubject<T[]>; private readonly _data: BehaviorSubject<T[]>;
private readonly _sort: BehaviorSubject<Sort>; private readonly _sort: BehaviorSubject<Sort>;
private readonly _filter = new BehaviorSubject<string>(""); private readonly _filter = new BehaviorSubject<string | FilterFn<T>>(null);
private readonly _renderData = new BehaviorSubject<T[]>([]); private readonly _renderData = new BehaviorSubject<T[]>([]);
private _renderChangesSubscription: Subscription | null = null; private _renderChangesSubscription: Subscription | null = null;
@ -55,11 +57,15 @@ export class TableDataSource<T> extends DataSource<T> {
return this._sort.value; return this._sort.value;
} }
/**
* Filter to apply to the `data`.
*
* If a string is provided, it will be converted to a filter using {@link simpleStringFilter}
**/
get filter() { get filter() {
return this._filter.value; return this._filter.value;
} }
set filter(filter: string | FilterFn<T>) {
set filter(filter: string) {
this._filter.next(filter); this._filter.next(filter);
// Normally the `filteredData` is updated by the re-render // Normally the `filteredData` is updated by the re-render
// subscription, but that won't happen if it's inactive. // subscription, but that won't happen if it's inactive.
@ -95,10 +101,11 @@ export class TableDataSource<T> extends DataSource<T> {
} }
private filterData(data: T[]): T[] { private filterData(data: T[]): T[] {
this.filteredData = const filter =
this.filter == null || this.filter === "" typeof this.filter === "string"
? data ? TableDataSource.simpleStringFilter(this.filter)
: data.filter((obj) => this.filterPredicate(obj, this.filter)); : this.filter;
this.filteredData = this.filter == null ? data : data.filter((obj) => filter(obj));
return this.filteredData; return this.filteredData;
} }
@ -207,20 +214,22 @@ export class TableDataSource<T> extends DataSource<T> {
} }
/** /**
* Copied from https://github.com/angular/components/blob/main/src/material/table/table-data-source.ts * Modified from https://github.com/angular/components/blob/main/src/material/table/table-data-source.ts
* License: MIT * License: MIT
* Copyright (c) 2022 Google LLC. * Copyright (c) 2022 Google LLC.
* *
* Checks if a data object matches the data source's filter string. By default, each data object * @param filter the string to search for
* @returns a function that checks if a data object matches the provided `filter` string. Each data object
* is converted to a string of its properties and returns true if the filter has * is converted to a string of its properties and returns true if the filter has
* at least one occurrence in that string. By default, the filter string has its whitespace * at least one occurrence in that string. The filter string has its whitespace
* trimmed and the match is case-insensitive. May be overridden for a custom implementation of * trimmed and the match is case-insensitive.
* filter matching.
* @param data Data object used to check against the filter.
* @param filter Filter string that has been set on the data source.
* @returns Whether the filter matches against the data
*/ */
protected filterPredicate(data: T, filter: string): boolean { static readonly simpleStringFilter = <T>(filter: string): FilterFn<T> => {
return (data: T): boolean => {
if (!filter) {
return true;
}
// Transform the data into a lowercase string of all property values. // Transform the data into a lowercase string of all property values.
const dataStr = Object.keys(data as unknown as Record<string, any>) const dataStr = Object.keys(data as unknown as Record<string, any>)
.reduce((currentTerm: string, key: string) => { .reduce((currentTerm: string, key: string) => {
@ -238,5 +247,6 @@ export class TableDataSource<T> extends DataSource<T> {
const transformedFilter = filter.trim().toLowerCase(); const transformedFilter = filter.trim().toLowerCase();
return dataStr.indexOf(transformedFilter) != -1; return dataStr.indexOf(transformedFilter) != -1;
} };
};
} }

View File

@ -121,11 +121,20 @@ const sortFn = (a: T, b: T) => (a.id > b.id ? 1 : -1);
### Filtering ### Filtering
The `TableDataSource` supports a rudimentary filtering capability most commonly used to implement a Filtering is supported by passing a filter predicate to `filter`.
search function. It works by converting each entry into a string of it's properties. The string is
then compared against the filter value using a simple `indexOf`check.
```ts ```ts
dataSource.filter = (data) => data.orgType === "family";
```
Rudimentary string filtering is supported out of the box with `TableDataSource.simpleStringFilter`.
It works by converting each entry into a string of it's properties. The provided string is then
compared against the filter value using a simple `indexOf` check. For convienence, you can also just
pass a string directly.
```ts
dataSource.filter = TableDataSource.simpleStringFilter("search value");
// or
dataSource.filter = "search value"; dataSource.filter = "search value";
``` ```

View File

@ -12,7 +12,9 @@
"@bitwarden/components": ["../components/src"], "@bitwarden/components": ["../components/src"],
"@bitwarden/generator-components": ["../tools/generator/components/src"], "@bitwarden/generator-components": ["../tools/generator/components/src"],
"@bitwarden/generator-core": ["../tools/generator/core/src"], "@bitwarden/generator-core": ["../tools/generator/core/src"],
"@bitwarden/generator-extensions": ["../tools/generator/extensions/src"], "@bitwarden/generator-history": ["../tools/generator/extensions/history/src"],
"@bitwarden/generator-legacy": ["../tools/generator/extensions/legacy/src"],
"@bitwarden/generator-navigation": ["../tools/generator/extensions/navigation/src"],
"@bitwarden/vault-export-core": ["../tools/export/vault-export/vault-export-core/src"], "@bitwarden/vault-export-core": ["../tools/export/vault-export/vault-export-core/src"],
"@bitwarden/vault-export-ui": ["../tools/export/vault-export/vault-export-ui/src"], "@bitwarden/vault-export-ui": ["../tools/export/vault-export/vault-export-ui/src"],
"@bitwarden/importer/core": ["../importer/src"], "@bitwarden/importer/core": ["../importer/src"],

View File

@ -1,7 +1,7 @@
{ {
"name": "@bitwarden/generator-components", "name": "@bitwarden/generator-components",
"version": "0.0.0", "version": "0.0.0",
"description": "Angular components for the Bitwarden generators", "description": "Angular components for the Bitwarden credential generators",
"keywords": [ "keywords": [
"bitwarden" "bitwarden"
], ],

View File

@ -1,7 +1,7 @@
{ {
"name": "@bitwarden/generator-core", "name": "@bitwarden/generator-core",
"version": "0.0.0", "version": "0.0.0",
"description": "TODO", "description": "Common Bitwarden credential generation logic",
"keywords": [ "keywords": [
"bitwarden" "bitwarden"
], ],

View File

@ -1,5 +1,3 @@
export { GeneratorHistoryService } from "../../../extensions/src/history/generator-history.abstraction";
export { GeneratorNavigationService } from "../../../extensions/src/navigation/generator-navigation.service.abstraction";
export { GeneratorService } from "./generator.service.abstraction"; export { GeneratorService } from "./generator.service.abstraction";
export { GeneratorStrategy } from "./generator-strategy.abstraction"; export { GeneratorStrategy } from "./generator-strategy.abstraction";
export { PolicyEvaluator } from "./policy-evaluator.abstraction"; export { PolicyEvaluator } from "./policy-evaluator.abstraction";

View File

@ -1,13 +1,13 @@
const { pathsToModuleNameMapper } = require("ts-jest"); const { pathsToModuleNameMapper } = require("ts-jest");
const { compilerOptions } = require("../../../shared/tsconfig.libs"); const { compilerOptions } = require("../../../../shared/tsconfig.libs");
/** @type {import('jest').Config} */ /** @type {import('jest').Config} */
module.exports = { module.exports = {
testMatch: ["**/+(*.)+(spec).+(ts)"], testMatch: ["**/+(*.)+(spec).+(ts)"],
preset: "ts-jest", preset: "ts-jest",
testEnvironment: "../../../shared/test.environment.ts", testEnvironment: "../../../../shared/test.environment.ts",
moduleNameMapper: pathsToModuleNameMapper(compilerOptions?.paths || {}, { moduleNameMapper: pathsToModuleNameMapper(compilerOptions?.paths || {}, {
prefix: "<rootDir>/../../", prefix: "<rootDir>/../../../",
}), }),
}; };

View File

@ -1,7 +1,7 @@
{ {
"name": "@bitwarden/generator-extensions", "name": "@bitwarden/generator-history",
"version": "0.0.0", "version": "0.0.0",
"description": "TODO", "description": "Bitwarden credential generator history service",
"keywords": [ "keywords": [
"bitwarden" "bitwarden"
], ],

View File

@ -1,4 +1,4 @@
import { GeneratorCategory, GeneratedCredential } from "./"; import { GeneratorCategory, GeneratedCredential } from ".";
describe("GeneratedCredential", () => { describe("GeneratedCredential", () => {
describe("constructor", () => { describe("constructor", () => {

Some files were not shown because too many files have changed in this diff Show More