Update decryptUserKeyWithMasterKey to requireUserId (#11560)

* Updated decryptUserKeyWithMasterKey to requireUserId * Removed unintended extra character. * Added dependency to LogService. * Fixed unlock command.
2024-11-21 11:35:34 +01:00 · 2024-11-01 11:21:18 -04:00 · 2024-11-01 11:21:18 -04:00 · a049b553a6
commit a049b553a6
parent 5eae599b81
19 changed files with 41 additions and 18 deletions
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@ -632,6 +632,7 @@ export default class MainBackground {
      this.stateService,
      this.keyGenerationService,
      this.encryptService,
+      this.logService,
    );

    this.i18nService = new I18nService(BrowserApi.getUILanguage(), this.globalStateProvider);
--- a/apps/cli/src/auth/commands/unlock.command.ts
+++ b/apps/cli/src/auth/commands/unlock.command.ts
@ -68,7 +68,7 @@ export class UnlockCommand {
      return Response.error(e.message);
    }

-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);
    await this.keyService.setUserKey(userKey, userId);

    if (await this.keyConnectorService.getConvertAccountRequired()) {
--- a/apps/cli/src/service-container/service-container.ts
+++ b/apps/cli/src/service-container/service-container.ts
@ -404,6 +404,7 @@ export class ServiceContainer {
      this.stateService,
      this.keyGenerationService,
      this.encryptService,
+      this.logService,
    );

    this.kdfConfigService = new KdfConfigService(this.stateProvider);
--- a/apps/web/src/app/auth/settings/change-password.component.ts
+++ b/apps/web/src/app/auth/settings/change-password.component.ts
@ -194,7 +194,7 @@ export class ChangePasswordComponent
      HashPurpose.LocalAuthorization,
    );

-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);
    if (userKey == null) {
      this.toastService.showToast({
        variant: "error",
--- a/libs/angular/src/auth/components/lock.component.ts
+++ b/libs/angular/src/auth/components/lock.component.ts
@ -267,6 +267,7 @@ export class LockComponent implements OnInit, OnDestroy {

    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
      response.masterKey,
+      userId,
    );
    await this.setUserKeyAndContinue(userKey, userId, true);
  }
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@ -921,7 +921,13 @@ const safeProviders: SafeProvider[] = [
  safeProvider({
    provide: InternalMasterPasswordServiceAbstraction,
    useClass: MasterPasswordService,
-    deps: [StateProvider, StateServiceAbstraction, KeyGenerationServiceAbstraction, EncryptService],
+    deps: [
+      StateProvider,
+      StateServiceAbstraction,
+      KeyGenerationServiceAbstraction,
+      EncryptService,
+      LogService,
+    ],
  }),
  safeProvider({
    provide: MasterPasswordServiceAbstraction,
--- a/libs/auth/src/angular/lock/lock.component.ts
+++ b/libs/auth/src/angular/lock/lock.component.ts
@ -483,6 +483,7 @@ export class LockV2Component implements OnInit, OnDestroy {

    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
      masterPasswordVerificationResponse.masterKey,
+      this.activeAccount.id,
    );
    await this.setUserKeyAndContinue(userKey, true);
  }
--- a/libs/auth/src/common/login-strategies/auth-request-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/auth-request-login.strategy.ts
@ -114,7 +114,10 @@ export class AuthRequestLoginStrategy extends LoginStrategy {
  private async trySetUserKeyWithMasterKey(userId: UserId): Promise<void> {
    const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
    if (masterKey) {
-      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+        masterKey,
+        userId,
+      );
      await this.keyService.setUserKey(userKey, userId);
    }
  }
--- a/libs/auth/src/common/login-strategies/password-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/password-login.strategy.ts
@ -183,7 +183,10 @@ export class PasswordLoginStrategy extends LoginStrategy {

    const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
    if (masterKey) {
-      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+        masterKey,
+        userId,
+      );
      await this.keyService.setUserKey(userKey, userId);
    }
  }
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
@ -496,7 +496,7 @@ describe("SsoLoginStrategy", () => {

      expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
        masterKey,
-        undefined,
+        userId,
        undefined,
      );
      expect(keyService.setUserKey).toHaveBeenCalledWith(userKey, userId);
@ -552,7 +552,7 @@ describe("SsoLoginStrategy", () => {

      expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
        masterKey,
-        undefined,
+        userId,
        undefined,
      );
      expect(keyService.setUserKey).toHaveBeenCalledWith(userKey, userId);
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.ts
@ -338,7 +338,7 @@ export class SsoLoginStrategy extends LoginStrategy {
      return;
    }

-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);
    await this.keyService.setUserKey(userKey, userId);
  }

--- a/libs/auth/src/common/login-strategies/user-api-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/user-api-login.strategy.spec.ts
@ -213,7 +213,7 @@ describe("UserApiLoginStrategy", () => {

    expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
      masterKey,
-      undefined,
+      userId,
      undefined,
    );
    expect(keyService.setUserKey).toHaveBeenCalledWith(userKey, userId);
--- a/libs/auth/src/common/login-strategies/user-api-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/user-api-login.strategy.ts
@ -69,7 +69,10 @@ export class UserApiLoginStrategy extends LoginStrategy {
    if (response.apiUseKeyConnector) {
      const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
      if (masterKey) {
-        const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+        const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+          masterKey,
+          userId,
+        );
        await this.keyService.setUserKey(userKey, userId);
      }
    }
--- a/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
@ -200,7 +200,7 @@ describe("AuthRequestService", () => {
      );
      expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
        mockDecryptedMasterKey,
-        undefined,
+        mockUserId,
        undefined,
      );
      expect(keyService.setUserKey).toHaveBeenCalledWith(mockDecryptedUserKey, mockUserId);
--- a/libs/auth/src/common/services/auth-request/auth-request.service.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.ts
@ -150,7 +150,7 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
    );

    // Decrypt and set user key in state
-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);

    // Set masterKey + masterKeyHash in state after decryption (in case decryption fails)
    await this.masterPasswordService.setMasterKey(masterKey, userId);
--- a/libs/auth/src/common/services/pin/pin.service.implementation.ts
+++ b/libs/auth/src/common/services/pin/pin.service.implementation.ts
@ -418,6 +418,7 @@ export class PinService implements PinServiceAbstraction {

    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
      masterKey,
+      userId,
      encUserKey ? new EncString(encUserKey) : undefined,
    );

--- a/libs/common/src/auth/abstractions/master-password.service.abstraction.ts
+++ b/libs/common/src/auth/abstractions/master-password.service.abstraction.ts
@ -33,16 +33,16 @@ export abstract class MasterPasswordServiceAbstraction {
  /**
   * Decrypts the user key with the provided master key
   * @param masterKey The user's master key
+   *    * @param userId The desired user
   * @param userKey The user's encrypted symmetric key
-   * @param userId The desired user
   * @throws If either the MasterKey or UserKey are not resolved, or if the UserKey encryption type
   *         is neither AesCbc256_B64 nor AesCbc256_HmacSha256_B64
   * @returns The user key
   */
  abstract decryptUserKeyWithMasterKey: (
    masterKey: MasterKey,
+    userId: string,
    userKey?: EncString,
-    userId?: string,
  ) => Promise<UserKey>;
 }

--- a/libs/common/src/auth/services/master-password/fake-master-password.service.ts
+++ b/libs/common/src/auth/services/master-password/fake-master-password.service.ts
@ -64,9 +64,9 @@ export class FakeMasterPasswordService implements InternalMasterPasswordServiceA

  decryptUserKeyWithMasterKey(
    masterKey: MasterKey,
+    userId: string,
    userKey?: EncString,
-    userId?: string,
  ): Promise<UserKey> {
-    return this.mock.decryptUserKeyWithMasterKey(masterKey, userKey, userId);
+    return this.mock.decryptUserKeyWithMasterKey(masterKey, userId, userKey);
  }
 }
--- a/libs/common/src/auth/services/master-password/master-password.service.ts
+++ b/libs/common/src/auth/services/master-password/master-password.service.ts
@ -1,5 +1,7 @@
 import { firstValueFrom, map, Observable } from "rxjs";

+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+
 import { EncryptService } from "../../../platform/abstractions/encrypt.service";
 import { KeyGenerationService } from "../../../platform/abstractions/key-generation.service";
 import { StateService } from "../../../platform/abstractions/state.service";
@ -55,6 +57,7 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr
    private stateService: StateService,
    private keyGenerationService: KeyGenerationService,
    private encryptService: EncryptService,
+    private logService: LogService,
  ) {}

  masterKey$(userId: UserId): Observable<MasterKey> {
@ -149,10 +152,9 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr

  async decryptUserKeyWithMasterKey(
    masterKey: MasterKey,
+    userId: UserId,
    userKey?: EncString,
-    userId?: UserId,
  ): Promise<UserKey> {
-    userId ??= await firstValueFrom(this.stateProvider.activeUserId$);
    userKey ??= await this.getMasterKeyEncryptedUserKey(userId);
    masterKey ??= await firstValueFrom(this.masterKey$(userId));

@ -185,6 +187,7 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr
    }

    if (decUserKey == null) {
+      this.logService.warning("Failed to decrypt user key with master key.");
      return null;
    }