Add support for crypto agent (#520)

2024-11-27 12:36:14 +01:00 · 2021-10-25 18:21:40 +02:00 · 2021-10-25 18:21:40 +02:00 · 71f8ef601f
commit 71f8ef601f
parent bc55557052
10 changed files with 158 additions and 13 deletions
--- a/angular/src/components/sso.component.ts
+++ b/angular/src/components/sso.component.ts
@ -140,7 +140,7 @@ export class SsoComponent {
    private async logIn(code: string, codeVerifier: string, orgIdFromState: string) {
        this.loggingIn = true;
        try {
-            this.formPromise = this.authService.logInSso(code, codeVerifier, this.redirectUri);
+            this.formPromise = this.authService.logInSso(code, codeVerifier, this.redirectUri, orgIdFromState);
            const response = await this.formPromise;
            if (response.twoFactor) {
                if (this.onSuccessfulLoginTwoFactorNavigate != null) {
@ -183,6 +183,9 @@ export class SsoComponent {
            }
        } catch (e) {
            this.logService.error(e);
+            if (e.message === 'Unable to reach crypto agent') {
+                this.platformUtilsService.showToast('error', null, this.i18nService.t('ssoCryptoAgentUnavailable'));
+            }
        }
        this.loggingIn = false;
    }
--- a/common/src/abstractions/api.service.ts
+++ b/common/src/abstractions/api.service.ts
@ -1,4 +1,5 @@
 import { PolicyType } from '../enums/policyType';
+import { SetCryptoAgentKeyRequest } from '../models/request/account/setCryptoAgentKeyRequest';

 import { AttachmentRequest } from '../models/request/attachmentRequest';

@ -12,6 +13,7 @@ import { CipherCreateRequest } from '../models/request/cipherCreateRequest';
 import { CipherRequest } from '../models/request/cipherRequest';
 import { CipherShareRequest } from '../models/request/cipherShareRequest';
 import { CollectionRequest } from '../models/request/collectionRequest';
+import { CryptoAgentUserKeyRequest } from '../models/request/cryptoAgentUserKeyRequest';
 import { DeleteRecoverRequest } from '../models/request/deleteRecoverRequest';
 import { EmailRequest } from '../models/request/emailRequest';
 import { EmailTokenRequest } from '../models/request/emailTokenRequest';
@ -98,6 +100,7 @@ import {
    CollectionGroupDetailsResponse,
    CollectionResponse,
 } from '../models/response/collectionResponse';
+import { CryptoAgentUserKeyResponse } from '../models/response/cryptoAgentUserKeyResponse';
 import { DomainsResponse } from '../models/response/domainsResponse';
 import {
    EmergencyAccessGranteeDetailsResponse,
@ -172,6 +175,7 @@ export abstract class ApiService {
    postEmail: (request: EmailRequest) => Promise<any>;
    postPassword: (request: PasswordRequest) => Promise<any>;
    setPassword: (request: SetPasswordRequest) => Promise<any>;
+    postSetCryptoAgentKey: (request: SetCryptoAgentKeyRequest) => Promise<any>;
    postSecurityStamp: (request: PasswordVerificationRequest) => Promise<any>;
    deleteAccount: (request: PasswordVerificationRequest) => Promise<any>;
    getAccountRevisionDate: () => Promise<number>;
@ -444,4 +448,7 @@ export abstract class ApiService {
    nativeFetch: (request: Request) => Promise<Response>;

    preValidateSso: (identifier: string) => Promise<boolean>;
+
+    getUserKeyFromCryptoAgent: (cryptoAgentUrl: string) => Promise<CryptoAgentUserKeyResponse>;
+    postUserKeyToCryptoAgent: (cryptoAgentUrl: string, request: CryptoAgentUserKeyRequest) => Promise<void>;
 }
--- a/common/src/abstractions/auth.service.ts
+++ b/common/src/abstractions/auth.service.ts
@ -15,7 +15,7 @@ export abstract class AuthService {
    selectedTwoFactorProviderType: TwoFactorProviderType;

    logIn: (email: string, masterPassword: string, captchaToken?: string) => Promise<AuthResult>;
-    logInSso: (code: string, codeVerifier: string, redirectUrl: string) => Promise<AuthResult>;
+    logInSso: (code: string, codeVerifier: string, redirectUrl: string, orgId: string) => Promise<AuthResult>;
    logInApiKey: (clientId: string, clientSecret: string) => Promise<AuthResult>;
    logInTwoFactor: (twoFactorProvider: TwoFactorProviderType, twoFactorToken: string,
        remember?: boolean) => Promise<AuthResult>;
--- a/common/src/models/api/ssoConfigApi.ts
+++ b/common/src/models/api/ssoConfigApi.ts
@ -37,6 +37,9 @@ enum Saml2SigningBehavior {
 export class SsoConfigApi extends BaseResponse {
    configType: SsoType;

+    useCryptoAgent: boolean;
+    cryptoAgentUrl: string;
+
    // OpenId
    authority: string;
    clientId: string;
@ -78,6 +81,9 @@ export class SsoConfigApi extends BaseResponse {

        this.configType = this.getResponseProperty('ConfigType');

+        this.useCryptoAgent = this.getResponseProperty('UseCryptoAgent');
+        this.cryptoAgentUrl = this.getResponseProperty('CryptoAgentUrl');
+
        this.authority = this.getResponseProperty('Authority');
        this.clientId = this.getResponseProperty('ClientId');
        this.clientSecret = this.getResponseProperty('ClientSecret');
--- a/common/src/models/request/account/setCryptoAgentKeyRequest.ts
+++ b/common/src/models/request/account/setCryptoAgentKeyRequest.ts
@ -0,0 +1,19 @@
+import { KeysRequest } from '../keysRequest';
+
+import { KdfType } from '../../../enums/kdfType';
+
+export class SetCryptoAgentKeyRequest {
+    key: string;
+    keys: KeysRequest;
+    kdf: KdfType;
+    kdfIterations: number;
+    orgIdentifier: string;
+
+    constructor(key: string, kdf: KdfType, kdfIterations: number, orgIdentifier: string, keys: KeysRequest) {
+        this.key = key;
+        this.kdf = kdf;
+        this.kdfIterations = kdfIterations;
+        this.orgIdentifier = orgIdentifier;
+        this.keys = keys;
+    }
+}
--- a/common/src/models/request/cryptoAgentUserKeyRequest.ts
+++ b/common/src/models/request/cryptoAgentUserKeyRequest.ts
@ -0,0 +1,7 @@
+export class CryptoAgentUserKeyRequest {
+    key: string;
+
+    constructor(key: string) {
+        this.key = key;
+    }
+}
--- a/common/src/models/response/cryptoAgentUserKeyResponse.ts
+++ b/common/src/models/response/cryptoAgentUserKeyResponse.ts
@ -0,0 +1,10 @@
+import { BaseResponse } from './baseResponse';
+
+export class CryptoAgentUserKeyResponse extends BaseResponse {
+    key: string;
+
+    constructor(response: any) {
+        super(response);
+        this.key = this.getResponseProperty('Key');
+    }
+}
--- a/common/src/models/response/identityTokenResponse.ts
+++ b/common/src/models/response/identityTokenResponse.ts
@ -15,6 +15,7 @@ export class IdentityTokenResponse extends BaseResponse {
    kdf: KdfType;
    kdfIterations: number;
    forcePasswordReset: boolean;
+    cryptoAgentUrl: string;

    constructor(response: any) {
        super(response);
@ -30,5 +31,6 @@ export class IdentityTokenResponse extends BaseResponse {
        this.kdf = this.getResponseProperty('Kdf');
        this.kdfIterations = this.getResponseProperty('KdfIterations');
        this.forcePasswordReset = this.getResponseProperty('ForcePasswordReset');
+        this.cryptoAgentUrl = this.getResponseProperty('CryptoAgentUrl');
    }
 }
--- a/common/src/services/api.service.ts
+++ b/common/src/services/api.service.ts
@ -166,6 +166,9 @@ import { ChallengeResponse } from '../models/response/twoFactorWebAuthnResponse'
 import { TwoFactorYubiKeyResponse } from '../models/response/twoFactorYubiKeyResponse';
 import { UserKeyResponse } from '../models/response/userKeyResponse';

+import { SetCryptoAgentKeyRequest } from '../models/request/account/setCryptoAgentKeyRequest';
+import { CryptoAgentUserKeyRequest } from '../models/request/cryptoAgentUserKeyRequest';
+import { CryptoAgentUserKeyResponse } from '../models/response/cryptoAgentUserKeyResponse';
 import { SendAccessView } from '../models/view/sendAccessView';

 export class ApiService implements ApiServiceAbstraction {
@ -289,6 +292,10 @@ export class ApiService implements ApiServiceAbstraction {
        return this.send('POST', '/accounts/set-password', request, true, false);
    }

+    postSetCryptoAgentKey(request: SetCryptoAgentKeyRequest): Promise<any> {
+        return this.send('POST', '/accounts/set-crypto-agent-key', request, true, false);
+    }
+
    postSecurityStamp(request: PasswordVerificationRequest): Promise<any> {
        return this.send('POST', '/accounts/security-stamp', request, true, false);
    }
@ -1429,6 +1436,49 @@ export class ApiService implements ApiServiceAbstraction {
        return r as string;
    }

+    // Crypto Agent
+
+    async getUserKeyFromCryptoAgent(cryptoAgentUrl: string): Promise<CryptoAgentUserKeyResponse> {
+        const authHeader = await this.getActiveBearerToken();
+
+        const response = await this.fetch(new Request(cryptoAgentUrl + '/user-keys', {
+            cache: 'no-store',
+            method: 'GET',
+            headers: new Headers({
+                'Accept': 'application/json',
+                'Authorization': 'Bearer ' + authHeader,
+            }),
+        }));
+
+        if (response.status !== 200) {
+            const error = await this.handleError(response, false, true);
+            return Promise.reject(error);
+        }
+
+        return new CryptoAgentUserKeyResponse(await response.json());
+    }
+
+    async postUserKeyToCryptoAgent(cryptoAgentUrl: string, request: CryptoAgentUserKeyRequest): Promise<void> {
+        const authHeader = await this.getActiveBearerToken();
+
+        const response = await this.fetch(new Request(cryptoAgentUrl + '/user-keys', {
+            cache: 'no-store',
+            method: 'POST',
+            headers: new Headers({
+                'Accept': 'application/json',
+                'Authorization': 'Bearer ' + authHeader,
+                'Content-Type': 'application/json; charset=utf-8',
+            }),
+            body: JSON.stringify(request),
+        }));
+
+        if (response.status !== 200) {
+            const error = await this.handleError(response, false, true);
+            return Promise.reject(error);
+        }
+    }
+
+
    // Helpers

    async getActiveBearerToken(): Promise<string> {
--- a/common/src/services/auth.service.ts
+++ b/common/src/services/auth.service.ts
@ -5,6 +5,8 @@ import { TwoFactorProviderType } from '../enums/twoFactorProviderType';
 import { AuthResult } from '../models/domain/authResult';
 import { SymmetricCryptoKey } from '../models/domain/symmetricCryptoKey';

+import { SetCryptoAgentKeyRequest } from '../models/request/account/setCryptoAgentKeyRequest';
+import { CryptoAgentUserKeyRequest } from '../models/request/cryptoAgentUserKeyRequest';
 import { DeviceRequest } from '../models/request/deviceRequest';
 import { KeysRequest } from '../models/request/keysRequest';
 import { PreloginRequest } from '../models/request/preloginRequest';
@ -17,6 +19,7 @@ import { ApiService } from '../abstractions/api.service';
 import { AppIdService } from '../abstractions/appId.service';
 import { AuthService as AuthServiceAbstraction } from '../abstractions/auth.service';
 import { CryptoService } from '../abstractions/crypto.service';
+import { CryptoFunctionService } from '../abstractions/cryptoFunction.service';
 import { I18nService } from '../abstractions/i18n.service';
 import { LogService } from '../abstractions/log.service';
 import { MessagingService } from '../abstractions/messaging.service';
@ -25,6 +28,8 @@ import { TokenService } from '../abstractions/token.service';
 import { UserService } from '../abstractions/user.service';
 import { VaultTimeoutService } from '../abstractions/vaultTimeout.service';

+import { Utils } from '../misc/utils';
+
 export const TwoFactorProviders = {
    [TwoFactorProviderType.Authenticator]: {
        type: TwoFactorProviderType.Authenticator,
@ -96,7 +101,7 @@ export class AuthService implements AuthServiceAbstraction {
        protected appIdService: AppIdService, private i18nService: I18nService,
        protected platformUtilsService: PlatformUtilsService, private messagingService: MessagingService,
        private vaultTimeoutService: VaultTimeoutService, private logService: LogService,
-        private setCryptoKeys = true) {
+        private cryptoFunctionService: CryptoFunctionService, private setCryptoKeys = true) {
    }

    init() {
@ -128,26 +133,26 @@ export class AuthService implements AuthServiceAbstraction {
        const localHashedPassword = await this.cryptoService.hashPassword(masterPassword, key,
            HashPurpose.LocalAuthorization);
        return await this.logInHelper(email, hashedPassword, localHashedPassword, null, null, null, null, null,
-            key, null, null, null, captchaToken);
+            key, null, null, null, captchaToken, null);
    }

-    async logInSso(code: string, codeVerifier: string, redirectUrl: string): Promise<AuthResult> {
+    async logInSso(code: string, codeVerifier: string, redirectUrl: string, orgId: string): Promise<AuthResult> {
        this.selectedTwoFactorProviderType = null;
        return await this.logInHelper(null, null, null, code, codeVerifier, redirectUrl, null, null,
-            null, null, null, null);
+            null, null, null, null, null, orgId);
    }

    async logInApiKey(clientId: string, clientSecret: string): Promise<AuthResult> {
        this.selectedTwoFactorProviderType = null;
        return await this.logInHelper(null, null, null, null, null, null, clientId, clientSecret,
-            null, null, null, null);
+            null, null, null, null, null, null);
    }

    async logInTwoFactor(twoFactorProvider: TwoFactorProviderType, twoFactorToken: string,
        remember?: boolean): Promise<AuthResult> {
        return await this.logInHelper(this.email, this.masterPasswordHash, this.localMasterPasswordHash, this.code,
            this.codeVerifier, this.ssoRedirectUrl, this.clientId, this.clientSecret, this.key, twoFactorProvider,
-            twoFactorToken, remember, this.captchaToken);
+            twoFactorToken, remember, this.captchaToken, null);
    }

    async logInComplete(email: string, masterPassword: string, twoFactorProvider: TwoFactorProviderType,
@ -158,21 +163,21 @@ export class AuthService implements AuthServiceAbstraction {
        const localHashedPassword = await this.cryptoService.hashPassword(masterPassword, key,
            HashPurpose.LocalAuthorization);
        return await this.logInHelper(email, hashedPassword, localHashedPassword, null, null, null, null, null, key,
-            twoFactorProvider, twoFactorToken, remember, captchaToken);
+            twoFactorProvider, twoFactorToken, remember, captchaToken, null);
    }

    async logInSsoComplete(code: string, codeVerifier: string, redirectUrl: string,
        twoFactorProvider: TwoFactorProviderType, twoFactorToken: string, remember?: boolean): Promise<AuthResult> {
        this.selectedTwoFactorProviderType = null;
        return await this.logInHelper(null, null, null, code, codeVerifier, redirectUrl, null,
-            null, null, twoFactorProvider, twoFactorToken, remember);
+            null, null, twoFactorProvider, twoFactorToken, remember, null, null);
    }

    async logInApiKeyComplete(clientId: string, clientSecret: string, twoFactorProvider: TwoFactorProviderType,
        twoFactorToken: string, remember?: boolean): Promise<AuthResult> {
        this.selectedTwoFactorProviderType = null;
        return await this.logInHelper(null, null, null, null, null, null, clientId, clientSecret, null,
-            twoFactorProvider, twoFactorToken, remember);
+            twoFactorProvider, twoFactorToken, remember, null, null);
    }

    logOut(callback: Function) {
@ -273,7 +278,8 @@ export class AuthService implements AuthServiceAbstraction {

    private async logInHelper(email: string, hashedPassword: string, localHashedPassword: string, code: string,
        codeVerifier: string, redirectUrl: string, clientId: string, clientSecret: string, key: SymmetricCryptoKey,
-        twoFactorProvider?: TwoFactorProviderType, twoFactorToken?: string, remember?: boolean, captchaToken?: string): Promise<AuthResult> {
+        twoFactorProvider?: TwoFactorProviderType, twoFactorToken?: string, remember?: boolean, captchaToken?: string,
+        orgId?: string): Promise<AuthResult> {
        const storedTwoFactorToken = await this.tokenService.getTwoFactorToken(email);
        const appId = await this.appIdService.getAppId();
        const deviceRequest = new DeviceRequest(appId, this.platformUtilsService);
@ -358,6 +364,19 @@ export class AuthService implements AuthServiceAbstraction {

            // Skip this step during SSO new user flow. No key is returned from server.
            if (code == null || tokenResponse.key != null) {
+
+                if (tokenResponse.cryptoAgentUrl != null) {
+                    try {
+                        const userKeyResponse = await this.apiService.getUserKeyFromCryptoAgent(tokenResponse.cryptoAgentUrl);
+                        const keyArr = Utils.fromB64ToArray(userKeyResponse.key);
+                        const k = new SymmetricCryptoKey(keyArr);
+                        await this.cryptoService.setKey(k);
+                    } catch (e) {
+                        this.logService.error(e);
+                        throw new Error('Unable to reach crypto agent');
+                    }
+                }
+
                await this.cryptoService.setEncKey(tokenResponse.key);

                // User doesn't have a key pair yet (old account), let's generate one for them
@ -367,12 +386,34 @@ export class AuthService implements AuthServiceAbstraction {
                        await this.apiService.postAccountKeys(new KeysRequest(keyPair[0], keyPair[1].encryptedString));
                        tokenResponse.privateKey = keyPair[1].encryptedString;
                    } catch (e) {
-                        // tslint:disable-next-line
                        this.logService.error(e);
                    }
                }

                await this.cryptoService.setEncPrivateKey(tokenResponse.privateKey);
+            } else if (tokenResponse.cryptoAgentUrl != null) {
+                const password = await this.cryptoFunctionService.randomBytes(64);
+
+                const k = await this.cryptoService.makeKey(Utils.fromBufferToB64(password), this.tokenService.getEmail(), tokenResponse.kdf, tokenResponse.kdfIterations);
+                const cryptoAgentRequest = new CryptoAgentUserKeyRequest(k.encKeyB64);
+                await this.cryptoService.setKey(k);
+
+                const encKey = await this.cryptoService.makeEncKey(k);
+                await this.cryptoService.setEncKey(encKey[1].encryptedString);
+
+                const [pubKey, privKey] = await this.cryptoService.makeKeyPair();
+
+                try {
+                    await this.apiService.postUserKeyToCryptoAgent(tokenResponse.cryptoAgentUrl, cryptoAgentRequest);
+                } catch (e) {
+                    throw new Error('Unable to reach crypto agent');
+                }
+
+                const keys = new KeysRequest(pubKey, privKey.encryptedString);
+                const setPasswordRequest = new SetCryptoAgentKeyRequest(
+                    encKey[1].encryptedString, tokenResponse.kdf, tokenResponse.kdfIterations, orgId, keys
+                );
+                await this.apiService.postSetCryptoAgentKey(setPasswordRequest);
            }
        }