[PS-616] [PS-795] Fix/withdraw master password reset without user verification (#2845)

* Limit enroll MPR modal to enrolling * Withdraw from MPR directly from org options * [PS-795] Fix Automatic mpr enrollment. Add reset password key to the accept request * Linter * Specify params type in accept components
2024-11-25 12:15:18 +01:00 · 2022-06-08 14:56:26 -05:00 · 2022-06-08 14:56:26 -05:00 · d5112cc8cb
commit d5112cc8cb
parent a65d7370d4
11 changed files with 102 additions and 96 deletions
--- a/apps/web/src/app/accounts/accept-emergency.component.ts
+++ b/apps/web/src/app/accounts/accept-emergency.component.ts
@ -1,5 +1,5 @@
 import { Component } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";

 import { ApiService } from "jslib-common/abstractions/api.service";
 import { I18nService } from "jslib-common/abstractions/i18n.service";
@ -31,7 +31,7 @@ export class AcceptEmergencyComponent extends BaseAcceptComponent {
    super(router, platformUtilsService, i18nService, route, stateService);
  }

-  async authedHandler(qParams: any): Promise<void> {
+  async authedHandler(qParams: Params): Promise<void> {
    const request = new EmergencyAccessAcceptRequest();
    request.token = qParams.token;
    this.actionPromise = this.apiService.postEmergencyAccessAccept(qParams.id, request);
@ -45,7 +45,7 @@ export class AcceptEmergencyComponent extends BaseAcceptComponent {
    this.router.navigate(["/vault"]);
  }

-  async unauthedHandler(qParams: any): Promise<void> {
+  async unauthedHandler(qParams: Params): Promise<void> {
    this.name = qParams.name;
    if (this.name != null) {
      // Fix URL encoding of space issue with Angular
--- a/apps/web/src/app/accounts/accept-organization.component.ts
+++ b/apps/web/src/app/accounts/accept-organization.component.ts
@ -1,5 +1,5 @@
 import { Component } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";

 import { ApiService } from "jslib-common/abstractions/api.service";
 import { CryptoService } from "jslib-common/abstractions/crypto.service";
@ -11,7 +11,6 @@ import { StateService } from "jslib-common/abstractions/state.service";
 import { Utils } from "jslib-common/misc/utils";
 import { Policy } from "jslib-common/models/domain/policy";
 import { OrganizationUserAcceptRequest } from "jslib-common/models/request/organizationUserAcceptRequest";
-import { OrganizationUserResetPasswordEnrollmentRequest } from "jslib-common/models/request/organizationUserResetPasswordEnrollmentRequest";

 import { BaseAcceptComponent } from "../common/base.accept.component";

@ -38,44 +37,14 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
    super(router, platformUtilsService, i18nService, route, stateService);
  }

-  async authedHandler(qParams: any): Promise<void> {
-    const request = new OrganizationUserAcceptRequest();
-    request.token = qParams.token;
-    if (await this.performResetPasswordAutoEnroll(qParams)) {
-      this.actionPromise = this.apiService
-        .postOrganizationUserAccept(qParams.organizationId, qParams.organizationUserId, request)
-        .then(() => {
-          // Retrieve Public Key
-          return this.apiService.getOrganizationKeys(qParams.organizationId);
-        })
-        .then(async (response) => {
-          if (response == null) {
-            throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
-          }
-
-          const publicKey = Utils.fromB64ToArray(response.publicKey);
-
-          // RSA Encrypt user's encKey.key with organization public key
-          const encKey = await this.cryptoService.getEncKey();
-          const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
-
-          // Create request and execute enrollment
-          const resetRequest = new OrganizationUserResetPasswordEnrollmentRequest();
-          resetRequest.resetPasswordKey = encryptedKey.encryptedString;
-
-          return this.apiService.putOrganizationUserResetPasswordEnrollment(
-            qParams.organizationId,
-            await this.stateService.getUserId(),
-            resetRequest
-          );
-        });
-    } else {
-      this.actionPromise = this.apiService.postOrganizationUserAccept(
+  async authedHandler(qParams: Params): Promise<void> {
+    this.actionPromise = this.prepareAcceptRequest(qParams).then(async (request) => {
+      await this.apiService.postOrganizationUserAccept(
        qParams.organizationId,
        qParams.organizationUserId,
        request
      );
-    }
+    });

    await this.actionPromise;
    this.platformUtilService.showToast(
@ -89,7 +58,7 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
    this.router.navigate(["/vault"]);
  }

-  async unauthedHandler(qParams: any): Promise<void> {
+  async unauthedHandler(qParams: Params): Promise<void> {
    this.orgName = qParams.organizationName;
    if (this.orgName != null) {
      // Fix URL encoding of space issue with Angular
@ -98,6 +67,29 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
    await this.stateService.setOrganizationInvitation(qParams);
  }

+  private async prepareAcceptRequest(qParams: Params): Promise<OrganizationUserAcceptRequest> {
+    const request = new OrganizationUserAcceptRequest();
+    request.token = qParams.token;
+
+    if (await this.performResetPasswordAutoEnroll(qParams)) {
+      const response = await this.apiService.getOrganizationKeys(qParams.organizationId);
+
+      if (response == null) {
+        throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
+      }
+
+      const publicKey = Utils.fromB64ToArray(response.publicKey);
+
+      // RSA Encrypt user's encKey.key with organization public key
+      const encKey = await this.cryptoService.getEncKey();
+      const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
+
+      // Add reset password key to accept request
+      request.resetPasswordKey = encryptedKey.encryptedString;
+    }
+    return request;
+  }
+
  private async performResetPasswordAutoEnroll(qParams: any): Promise<boolean> {
    let policyList: Policy[] = null;
    try {
--- a/apps/web/src/app/common/base.accept.component.ts
+++ b/apps/web/src/app/common/base.accept.component.ts
@ -1,5 +1,5 @@
 import { Directive, OnInit } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";
 import { first } from "rxjs/operators";

 import { I18nService } from "jslib-common/abstractions/i18n.service";
@ -25,8 +25,8 @@ export abstract class BaseAcceptComponent implements OnInit {
    protected stateService: StateService
  ) {}

-  abstract authedHandler(qParams: any): Promise<void>;
-  abstract unauthedHandler(qParams: any): Promise<void>;
+  abstract authedHandler(qParams: Params): Promise<void>;
+  abstract unauthedHandler(qParams: Params): Promise<void>;

  ngOnInit() {
    this.route.queryParams.pipe(first()).subscribe(async (qParams) => {
--- a/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.html
+++ b/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.html
@ -14,7 +14,7 @@
    >
      <div class="modal-header">
        <h2 class="modal-title" id="enrollMasterPasswordResetTitle">
-          {{ (isEnrolled ? "withdrawPasswordReset" : "enrollPasswordReset") | i18n }}
+          {{ "enrollPasswordReset" | i18n }}
        </h2>
        <button
          type="button"
@ -26,7 +26,7 @@
        </button>
      </div>
      <div class="modal-body">
-        <app-callout type="warning" *ngIf="!isEnrolled">
+        <app-callout type="warning">
          {{ "resetPasswordEnrollmentWarning" | i18n }}
        </app-callout>
        <app-user-verification [(ngModel)]="verification" name="secret"> </app-user-verification>
--- a/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.ts
+++ b/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.ts
@ -47,39 +47,28 @@ export class EnrollMasterPasswordReset {
        // Set variables
        let keyString: string = null;

-        // Enrolling
-        if (!this.organization.resetPasswordEnrolled) {
-          // Retrieve Public Key
-          const orgKeys = await this.apiService.getOrganizationKeys(this.organization.id);
-          if (orgKeys == null) {
-            throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
-          }
-
-          const publicKey = Utils.fromB64ToArray(orgKeys.publicKey);
-
-          // RSA Encrypt user's encKey.key with organization public key
-          const encKey = await this.cryptoService.getEncKey();
-          const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
-          keyString = encryptedKey.encryptedString;
-          toastStringRef = "enrollPasswordResetSuccess";
-
-          // Create request and execute enrollment
-          request.resetPasswordKey = keyString;
-          await this.apiService.putOrganizationUserResetPasswordEnrollment(
-            this.organization.id,
-            this.organization.userId,
-            request
-          );
-        } else {
-          // Withdrawal
-          request.resetPasswordKey = keyString;
-          await this.apiService.putOrganizationUserResetPasswordEnrollment(
-            this.organization.id,
-            this.organization.userId,
-            request
-          );
+        // Retrieve Public Key
+        const orgKeys = await this.apiService.getOrganizationKeys(this.organization.id);
+        if (orgKeys == null) {
+          throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
        }

+        const publicKey = Utils.fromB64ToArray(orgKeys.publicKey);
+
+        // RSA Encrypt user's encKey.key with organization public key
+        const encKey = await this.cryptoService.getEncKey();
+        const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
+        keyString = encryptedKey.encryptedString;
+        toastStringRef = "enrollPasswordResetSuccess";
+
+        // Create request and execute enrollment
+        request.resetPasswordKey = keyString;
+        await this.apiService.putOrganizationUserResetPasswordEnrollment(
+          this.organization.id,
+          this.organization.userId,
+          request
+        );
+
        await this.syncService.fullSync(true);
      });
    try {
@ -90,8 +79,4 @@ export class EnrollMasterPasswordReset {
      this.logService.error(e);
    }
  }
-
-  get isEnrolled(): boolean {
-    return this.organization.resetPasswordEnrolled;
-  }
 }
--- a/apps/web/src/app/modules/vault-filter/components/organization-options.component.html
+++ b/apps/web/src/app/modules/vault-filter/components/organization-options.component.html
@ -6,7 +6,11 @@
  ></i>
  <span class="sr-only">{{ "loading" | i18n }}</span>
 </ng-container>
-<div *ngIf="loaded" class="tw-max-w-[300px] tw-min-w-[200px] tw-flex tw-flex-col">
+<div
+  *ngIf="loaded"
+  class="tw-max-w-[300px] tw-min-w-[200px] tw-flex tw-flex-col"
+  [appApiAction]="actionPromise"
+>
  <button
    *ngIf="allowEnrollmentChanges(organization) && !organization.resetPasswordEnrolled"
    class="dropdown-item"
--- a/apps/web/src/app/modules/vault-filter/components/organization-options.component.ts
+++ b/apps/web/src/app/modules/vault-filter/components/organization-options.component.ts
@ -10,6 +10,7 @@ import { SyncService } from "jslib-common/abstractions/sync.service";
 import { PolicyType } from "jslib-common/enums/policyType";
 import { Organization } from "jslib-common/models/domain/organization";
 import { Policy } from "jslib-common/models/domain/policy";
+import { OrganizationUserResetPasswordEnrollmentRequest } from "jslib-common/models/request/organizationUserResetPasswordEnrollmentRequest";

 import { EnrollMasterPasswordReset } from "../../organizations/users/enroll-master-password-reset.component";

@ -82,7 +83,6 @@ export class OrganizationOptionsComponent {
      this.platformUtilsService.showToast("success", null, "Unlinked SSO");
      await this.load();
    } catch (e) {
-      this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message);
      this.logService.error(e);
    }
  }
@ -107,17 +107,38 @@ export class OrganizationOptionsComponent {
      this.platformUtilsService.showToast("success", null, this.i18nService.t("leftOrganization"));
      await this.load();
    } catch (e) {
-      this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message);
      this.logService.error(e);
    }
  }

  async toggleResetPasswordEnrollment(org: Organization) {
-    this.modalService.open(EnrollMasterPasswordReset, {
-      allowMultipleModals: true,
-      data: {
-        organization: org,
-      },
-    });
+    if (!this.organization.resetPasswordEnrolled) {
+      this.modalService.open(EnrollMasterPasswordReset, {
+        allowMultipleModals: true,
+        data: {
+          organization: org,
+        },
+      });
+    } else {
+      const request = new OrganizationUserResetPasswordEnrollmentRequest();
+      request.masterPasswordHash = "ignored";
+      request.resetPasswordKey = null;
+      this.actionPromise = this.apiService.putOrganizationUserResetPasswordEnrollment(
+        this.organization.id,
+        this.organization.userId,
+        request
+      );
+      try {
+        await this.actionPromise;
+        this.platformUtilsService.showToast(
+          "success",
+          null,
+          this.i18nService.t("withdrawPasswordResetSuccess")
+        );
+        this.syncService.fullSync(true);
+      } catch (e) {
+        this.logService.error(e);
+      }
+    }
  }
 }
--- a/apps/web/src/app/organizations/sponsorships/accept-family-sponsorship.component.ts
+++ b/apps/web/src/app/organizations/sponsorships/accept-family-sponsorship.component.ts
@ -1,4 +1,5 @@
 import { Component } from "@angular/core";
+import { Params } from "@angular/router";

 import { BaseAcceptComponent } from "src/app/common/base.accept.component";

@ -12,11 +13,11 @@ export class AcceptFamilySponsorshipComponent extends BaseAcceptComponent {

  requiredParameters = ["email", "token"];

-  async authedHandler(qParams: any) {
+  async authedHandler(qParams: Params) {
    this.router.navigate(["/setup/families-for-enterprise"], { queryParams: qParams });
  }

-  async unauthedHandler(qParams: any) {
+  async unauthedHandler(qParams: Params) {
    if (!qParams.register) {
      this.router.navigate(["/login"], { queryParams: { email: qParams.email } });
    } else {
--- a/bitwarden_license/bit-web/src/app/providers/manage/accept-provider.component.ts
+++ b/bitwarden_license/bit-web/src/app/providers/manage/accept-provider.component.ts
@ -1,5 +1,5 @@
 import { Component } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";

 import { ApiService } from "jslib-common/abstractions/api.service";
 import { I18nService } from "jslib-common/abstractions/i18n.service";
@ -31,7 +31,7 @@ export class AcceptProviderComponent extends BaseAcceptComponent {
    super(router, platformUtilService, i18nService, route, stateService);
  }

-  async authedHandler(qParams: any) {
+  async authedHandler(qParams: Params) {
    const request = new ProviderUserAcceptRequest();
    request.token = qParams.token;

@ -49,7 +49,7 @@ export class AcceptProviderComponent extends BaseAcceptComponent {
    this.router.navigate(["/vault"]);
  }

-  async unauthedHandler(qParams: any) {
+  async unauthedHandler(qParams: Params) {
    this.providerName = qParams.providerName;
  }
 }
--- a/bitwarden_license/bit-web/src/app/providers/setup/setup-provider.component.ts
+++ b/bitwarden_license/bit-web/src/app/providers/setup/setup-provider.component.ts
@ -1,4 +1,5 @@
 import { Component } from "@angular/core";
+import { Params } from "@angular/router";

 import { BaseAcceptComponent } from "src/app/common/base.accept.component";

@ -12,11 +13,11 @@ export class SetupProviderComponent extends BaseAcceptComponent {

  requiredParameters = ["providerId", "email", "token"];

-  async authedHandler(qParams: any) {
+  async authedHandler(qParams: Params) {
    this.router.navigate(["/providers/setup"], { queryParams: qParams });
  }

-  async unauthedHandler(qParams: any) {
+  async unauthedHandler(qParams: Params) {
    // Empty
  }
 }
--- a/libs/common/src/models/request/organizationUserAcceptRequest.ts
+++ b/libs/common/src/models/request/organizationUserAcceptRequest.ts
@ -1,3 +1,5 @@
 export class OrganizationUserAcceptRequest {
  token: string;
+  // Used to auto-enroll in master password reset
+  resetPasswordKey: string;
 }