From d5112cc8cba4121e689372246c59f6463bfbace1 Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Wed, 8 Jun 2022 14:56:26 -0500
Subject: [PATCH] [PS-616] [PS-795] Fix/withdraw master password reset without
 user verification (#2845)

* Limit enroll MPR modal to enrolling

* Withdraw from MPR directly from org options

* [PS-795] Fix Automatic mpr enrollment.

Add reset password key to the accept request

* Linter

* Specify params type in accept components
---
 .../accounts/accept-emergency.component.ts    |  6 +-
 .../accounts/accept-organization.component.ts | 66 ++++++++-----------
 .../src/app/common/base.accept.component.ts   |  6 +-
 ...nroll-master-password-reset.component.html |  4 +-
 .../enroll-master-password-reset.component.ts | 55 ++++++----------
 .../organization-options.component.html       |  6 +-
 .../organization-options.component.ts         | 37 ++++++++---
 .../accept-family-sponsorship.component.ts    |  5 +-
 .../manage/accept-provider.component.ts       |  6 +-
 .../setup/setup-provider.component.ts         |  5 +-
 .../request/organizationUserAcceptRequest.ts  |  2 +
 11 files changed, 102 insertions(+), 96 deletions(-)

diff --git a/apps/web/src/app/accounts/accept-emergency.component.ts b/apps/web/src/app/accounts/accept-emergency.component.ts
index c790a924be..2083ebcac4 100644
--- a/apps/web/src/app/accounts/accept-emergency.component.ts
+++ b/apps/web/src/app/accounts/accept-emergency.component.ts
@@ -1,5 +1,5 @@
 import { Component } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";
 
 import { ApiService } from "jslib-common/abstractions/api.service";
 import { I18nService } from "jslib-common/abstractions/i18n.service";
@@ -31,7 +31,7 @@ export class AcceptEmergencyComponent extends BaseAcceptComponent {
     super(router, platformUtilsService, i18nService, route, stateService);
   }
 
-  async authedHandler(qParams: any): Promise<void> {
+  async authedHandler(qParams: Params): Promise<void> {
     const request = new EmergencyAccessAcceptRequest();
     request.token = qParams.token;
     this.actionPromise = this.apiService.postEmergencyAccessAccept(qParams.id, request);
@@ -45,7 +45,7 @@ export class AcceptEmergencyComponent extends BaseAcceptComponent {
     this.router.navigate(["/vault"]);
   }
 
-  async unauthedHandler(qParams: any): Promise<void> {
+  async unauthedHandler(qParams: Params): Promise<void> {
     this.name = qParams.name;
     if (this.name != null) {
       // Fix URL encoding of space issue with Angular
diff --git a/apps/web/src/app/accounts/accept-organization.component.ts b/apps/web/src/app/accounts/accept-organization.component.ts
index 0d59562a66..541ca37461 100644
--- a/apps/web/src/app/accounts/accept-organization.component.ts
+++ b/apps/web/src/app/accounts/accept-organization.component.ts
@@ -1,5 +1,5 @@
 import { Component } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";
 
 import { ApiService } from "jslib-common/abstractions/api.service";
 import { CryptoService } from "jslib-common/abstractions/crypto.service";
@@ -11,7 +11,6 @@ import { StateService } from "jslib-common/abstractions/state.service";
 import { Utils } from "jslib-common/misc/utils";
 import { Policy } from "jslib-common/models/domain/policy";
 import { OrganizationUserAcceptRequest } from "jslib-common/models/request/organizationUserAcceptRequest";
-import { OrganizationUserResetPasswordEnrollmentRequest } from "jslib-common/models/request/organizationUserResetPasswordEnrollmentRequest";
 
 import { BaseAcceptComponent } from "../common/base.accept.component";
 
@@ -38,44 +37,14 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
     super(router, platformUtilsService, i18nService, route, stateService);
   }
 
-  async authedHandler(qParams: any): Promise<void> {
-    const request = new OrganizationUserAcceptRequest();
-    request.token = qParams.token;
-    if (await this.performResetPasswordAutoEnroll(qParams)) {
-      this.actionPromise = this.apiService
-        .postOrganizationUserAccept(qParams.organizationId, qParams.organizationUserId, request)
-        .then(() => {
-          // Retrieve Public Key
-          return this.apiService.getOrganizationKeys(qParams.organizationId);
-        })
-        .then(async (response) => {
-          if (response == null) {
-            throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
-          }
-
-          const publicKey = Utils.fromB64ToArray(response.publicKey);
-
-          // RSA Encrypt user's encKey.key with organization public key
-          const encKey = await this.cryptoService.getEncKey();
-          const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
-
-          // Create request and execute enrollment
-          const resetRequest = new OrganizationUserResetPasswordEnrollmentRequest();
-          resetRequest.resetPasswordKey = encryptedKey.encryptedString;
-
-          return this.apiService.putOrganizationUserResetPasswordEnrollment(
-            qParams.organizationId,
-            await this.stateService.getUserId(),
-            resetRequest
-          );
-        });
-    } else {
-      this.actionPromise = this.apiService.postOrganizationUserAccept(
+  async authedHandler(qParams: Params): Promise<void> {
+    this.actionPromise = this.prepareAcceptRequest(qParams).then(async (request) => {
+      await this.apiService.postOrganizationUserAccept(
         qParams.organizationId,
         qParams.organizationUserId,
         request
       );
-    }
+    });
 
     await this.actionPromise;
     this.platformUtilService.showToast(
@@ -89,7 +58,7 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
     this.router.navigate(["/vault"]);
   }
 
-  async unauthedHandler(qParams: any): Promise<void> {
+  async unauthedHandler(qParams: Params): Promise<void> {
     this.orgName = qParams.organizationName;
     if (this.orgName != null) {
       // Fix URL encoding of space issue with Angular
@@ -98,6 +67,29 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
     await this.stateService.setOrganizationInvitation(qParams);
   }
 
+  private async prepareAcceptRequest(qParams: Params): Promise<OrganizationUserAcceptRequest> {
+    const request = new OrganizationUserAcceptRequest();
+    request.token = qParams.token;
+
+    if (await this.performResetPasswordAutoEnroll(qParams)) {
+      const response = await this.apiService.getOrganizationKeys(qParams.organizationId);
+
+      if (response == null) {
+        throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
+      }
+
+      const publicKey = Utils.fromB64ToArray(response.publicKey);
+
+      // RSA Encrypt user's encKey.key with organization public key
+      const encKey = await this.cryptoService.getEncKey();
+      const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
+
+      // Add reset password key to accept request
+      request.resetPasswordKey = encryptedKey.encryptedString;
+    }
+    return request;
+  }
+
   private async performResetPasswordAutoEnroll(qParams: any): Promise<boolean> {
     let policyList: Policy[] = null;
     try {
diff --git a/apps/web/src/app/common/base.accept.component.ts b/apps/web/src/app/common/base.accept.component.ts
index 36375fbd1e..7d6d753673 100644
--- a/apps/web/src/app/common/base.accept.component.ts
+++ b/apps/web/src/app/common/base.accept.component.ts
@@ -1,5 +1,5 @@
 import { Directive, OnInit } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";
 import { first } from "rxjs/operators";
 
 import { I18nService } from "jslib-common/abstractions/i18n.service";
@@ -25,8 +25,8 @@ export abstract class BaseAcceptComponent implements OnInit {
     protected stateService: StateService
   ) {}
 
-  abstract authedHandler(qParams: any): Promise<void>;
-  abstract unauthedHandler(qParams: any): Promise<void>;
+  abstract authedHandler(qParams: Params): Promise<void>;
+  abstract unauthedHandler(qParams: Params): Promise<void>;
 
   ngOnInit() {
     this.route.queryParams.pipe(first()).subscribe(async (qParams) => {
diff --git a/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.html b/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.html
index c8d15a3956..e232a7987f 100644
--- a/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.html
+++ b/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.html
@@ -14,7 +14,7 @@
     >
       <div class="modal-header">
         <h2 class="modal-title" id="enrollMasterPasswordResetTitle">
-          {{ (isEnrolled ? "withdrawPasswordReset" : "enrollPasswordReset") | i18n }}
+          {{ "enrollPasswordReset" | i18n }}
         </h2>
         <button
           type="button"
@@ -26,7 +26,7 @@
         </button>
       </div>
       <div class="modal-body">
-        <app-callout type="warning" *ngIf="!isEnrolled">
+        <app-callout type="warning">
           {{ "resetPasswordEnrollmentWarning" | i18n }}
         </app-callout>
         <app-user-verification [(ngModel)]="verification" name="secret"> </app-user-verification>
diff --git a/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.ts b/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.ts
index b996493d85..29cf529039 100644
--- a/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.ts
+++ b/apps/web/src/app/modules/organizations/users/enroll-master-password-reset.component.ts
@@ -47,39 +47,28 @@ export class EnrollMasterPasswordReset {
         // Set variables
         let keyString: string = null;
 
-        // Enrolling
-        if (!this.organization.resetPasswordEnrolled) {
-          // Retrieve Public Key
-          const orgKeys = await this.apiService.getOrganizationKeys(this.organization.id);
-          if (orgKeys == null) {
-            throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
-          }
-
-          const publicKey = Utils.fromB64ToArray(orgKeys.publicKey);
-
-          // RSA Encrypt user's encKey.key with organization public key
-          const encKey = await this.cryptoService.getEncKey();
-          const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
-          keyString = encryptedKey.encryptedString;
-          toastStringRef = "enrollPasswordResetSuccess";
-
-          // Create request and execute enrollment
-          request.resetPasswordKey = keyString;
-          await this.apiService.putOrganizationUserResetPasswordEnrollment(
-            this.organization.id,
-            this.organization.userId,
-            request
-          );
-        } else {
-          // Withdrawal
-          request.resetPasswordKey = keyString;
-          await this.apiService.putOrganizationUserResetPasswordEnrollment(
-            this.organization.id,
-            this.organization.userId,
-            request
-          );
+        // Retrieve Public Key
+        const orgKeys = await this.apiService.getOrganizationKeys(this.organization.id);
+        if (orgKeys == null) {
+          throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
         }
 
+        const publicKey = Utils.fromB64ToArray(orgKeys.publicKey);
+
+        // RSA Encrypt user's encKey.key with organization public key
+        const encKey = await this.cryptoService.getEncKey();
+        const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
+        keyString = encryptedKey.encryptedString;
+        toastStringRef = "enrollPasswordResetSuccess";
+
+        // Create request and execute enrollment
+        request.resetPasswordKey = keyString;
+        await this.apiService.putOrganizationUserResetPasswordEnrollment(
+          this.organization.id,
+          this.organization.userId,
+          request
+        );
+
         await this.syncService.fullSync(true);
       });
     try {
@@ -90,8 +79,4 @@ export class EnrollMasterPasswordReset {
       this.logService.error(e);
     }
   }
-
-  get isEnrolled(): boolean {
-    return this.organization.resetPasswordEnrolled;
-  }
 }
diff --git a/apps/web/src/app/modules/vault-filter/components/organization-options.component.html b/apps/web/src/app/modules/vault-filter/components/organization-options.component.html
index db95e56ecd..c6cf109e05 100644
--- a/apps/web/src/app/modules/vault-filter/components/organization-options.component.html
+++ b/apps/web/src/app/modules/vault-filter/components/organization-options.component.html
@@ -6,7 +6,11 @@
   ></i>
   <span class="sr-only">{{ "loading" | i18n }}</span>
 </ng-container>
-<div *ngIf="loaded" class="tw-max-w-[300px] tw-min-w-[200px] tw-flex tw-flex-col">
+<div
+  *ngIf="loaded"
+  class="tw-max-w-[300px] tw-min-w-[200px] tw-flex tw-flex-col"
+  [appApiAction]="actionPromise"
+>
   <button
     *ngIf="allowEnrollmentChanges(organization) && !organization.resetPasswordEnrolled"
     class="dropdown-item"
diff --git a/apps/web/src/app/modules/vault-filter/components/organization-options.component.ts b/apps/web/src/app/modules/vault-filter/components/organization-options.component.ts
index fb256acd58..cef11d0c38 100644
--- a/apps/web/src/app/modules/vault-filter/components/organization-options.component.ts
+++ b/apps/web/src/app/modules/vault-filter/components/organization-options.component.ts
@@ -10,6 +10,7 @@ import { SyncService } from "jslib-common/abstractions/sync.service";
 import { PolicyType } from "jslib-common/enums/policyType";
 import { Organization } from "jslib-common/models/domain/organization";
 import { Policy } from "jslib-common/models/domain/policy";
+import { OrganizationUserResetPasswordEnrollmentRequest } from "jslib-common/models/request/organizationUserResetPasswordEnrollmentRequest";
 
 import { EnrollMasterPasswordReset } from "../../organizations/users/enroll-master-password-reset.component";
 
@@ -82,7 +83,6 @@ export class OrganizationOptionsComponent {
       this.platformUtilsService.showToast("success", null, "Unlinked SSO");
       await this.load();
     } catch (e) {
-      this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message);
       this.logService.error(e);
     }
   }
@@ -107,17 +107,38 @@ export class OrganizationOptionsComponent {
       this.platformUtilsService.showToast("success", null, this.i18nService.t("leftOrganization"));
       await this.load();
     } catch (e) {
-      this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message);
       this.logService.error(e);
     }
   }
 
   async toggleResetPasswordEnrollment(org: Organization) {
-    this.modalService.open(EnrollMasterPasswordReset, {
-      allowMultipleModals: true,
-      data: {
-        organization: org,
-      },
-    });
+    if (!this.organization.resetPasswordEnrolled) {
+      this.modalService.open(EnrollMasterPasswordReset, {
+        allowMultipleModals: true,
+        data: {
+          organization: org,
+        },
+      });
+    } else {
+      const request = new OrganizationUserResetPasswordEnrollmentRequest();
+      request.masterPasswordHash = "ignored";
+      request.resetPasswordKey = null;
+      this.actionPromise = this.apiService.putOrganizationUserResetPasswordEnrollment(
+        this.organization.id,
+        this.organization.userId,
+        request
+      );
+      try {
+        await this.actionPromise;
+        this.platformUtilsService.showToast(
+          "success",
+          null,
+          this.i18nService.t("withdrawPasswordResetSuccess")
+        );
+        this.syncService.fullSync(true);
+      } catch (e) {
+        this.logService.error(e);
+      }
+    }
   }
 }
diff --git a/apps/web/src/app/organizations/sponsorships/accept-family-sponsorship.component.ts b/apps/web/src/app/organizations/sponsorships/accept-family-sponsorship.component.ts
index acbcaa85e5..0cfcc08359 100644
--- a/apps/web/src/app/organizations/sponsorships/accept-family-sponsorship.component.ts
+++ b/apps/web/src/app/organizations/sponsorships/accept-family-sponsorship.component.ts
@@ -1,4 +1,5 @@
 import { Component } from "@angular/core";
+import { Params } from "@angular/router";
 
 import { BaseAcceptComponent } from "src/app/common/base.accept.component";
 
@@ -12,11 +13,11 @@ export class AcceptFamilySponsorshipComponent extends BaseAcceptComponent {
 
   requiredParameters = ["email", "token"];
 
-  async authedHandler(qParams: any) {
+  async authedHandler(qParams: Params) {
     this.router.navigate(["/setup/families-for-enterprise"], { queryParams: qParams });
   }
 
-  async unauthedHandler(qParams: any) {
+  async unauthedHandler(qParams: Params) {
     if (!qParams.register) {
       this.router.navigate(["/login"], { queryParams: { email: qParams.email } });
     } else {
diff --git a/bitwarden_license/bit-web/src/app/providers/manage/accept-provider.component.ts b/bitwarden_license/bit-web/src/app/providers/manage/accept-provider.component.ts
index f27e68f9f6..4266f93c8a 100644
--- a/bitwarden_license/bit-web/src/app/providers/manage/accept-provider.component.ts
+++ b/bitwarden_license/bit-web/src/app/providers/manage/accept-provider.component.ts
@@ -1,5 +1,5 @@
 import { Component } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, Params, Router } from "@angular/router";
 
 import { ApiService } from "jslib-common/abstractions/api.service";
 import { I18nService } from "jslib-common/abstractions/i18n.service";
@@ -31,7 +31,7 @@ export class AcceptProviderComponent extends BaseAcceptComponent {
     super(router, platformUtilService, i18nService, route, stateService);
   }
 
-  async authedHandler(qParams: any) {
+  async authedHandler(qParams: Params) {
     const request = new ProviderUserAcceptRequest();
     request.token = qParams.token;
 
@@ -49,7 +49,7 @@ export class AcceptProviderComponent extends BaseAcceptComponent {
     this.router.navigate(["/vault"]);
   }
 
-  async unauthedHandler(qParams: any) {
+  async unauthedHandler(qParams: Params) {
     this.providerName = qParams.providerName;
   }
 }
diff --git a/bitwarden_license/bit-web/src/app/providers/setup/setup-provider.component.ts b/bitwarden_license/bit-web/src/app/providers/setup/setup-provider.component.ts
index f34db73612..248133fbf9 100644
--- a/bitwarden_license/bit-web/src/app/providers/setup/setup-provider.component.ts
+++ b/bitwarden_license/bit-web/src/app/providers/setup/setup-provider.component.ts
@@ -1,4 +1,5 @@
 import { Component } from "@angular/core";
+import { Params } from "@angular/router";
 
 import { BaseAcceptComponent } from "src/app/common/base.accept.component";
 
@@ -12,11 +13,11 @@ export class SetupProviderComponent extends BaseAcceptComponent {
 
   requiredParameters = ["providerId", "email", "token"];
 
-  async authedHandler(qParams: any) {
+  async authedHandler(qParams: Params) {
     this.router.navigate(["/providers/setup"], { queryParams: qParams });
   }
 
-  async unauthedHandler(qParams: any) {
+  async unauthedHandler(qParams: Params) {
     // Empty
   }
 }
diff --git a/libs/common/src/models/request/organizationUserAcceptRequest.ts b/libs/common/src/models/request/organizationUserAcceptRequest.ts
index c4b2a4d31e..e2aada131f 100644
--- a/libs/common/src/models/request/organizationUserAcceptRequest.ts
+++ b/libs/common/src/models/request/organizationUserAcceptRequest.ts
@@ -1,3 +1,5 @@
 export class OrganizationUserAcceptRequest {
   token: string;
+  // Used to auto-enroll in master password reset
+  resetPasswordKey: string;
 }