1
0
mirror of https://github.com/bitwarden/browser.git synced 2024-12-22 16:29:09 +01:00

Auth/pm 8882/Add TDE Logging (#9673)

* Added logging behind feature flag.

* Added default for new flag.

* Additional logging changes.

* Consolidated log messages.

* Removed unneccessary log.

* Fixed test error.

* Fixed linting.

* Fixed constructor on test.

* Updated to remove flag

* Moved service.

* Added logging to redirect guard.
This commit is contained in:
Todd Martin 2024-06-17 12:37:05 -04:00 committed by GitHub
parent 6f91ecf41b
commit fe1c432e03
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 52 additions and 2 deletions

View File

@ -6,6 +6,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
export interface RedirectRoutes {
loggedIn: string;
@ -32,6 +33,7 @@ export function redirectGuard(overrides: Partial<RedirectRoutes> = {}): CanActiv
const authService = inject(AuthService);
const cryptoService = inject(CryptoService);
const deviceTrustService = inject(DeviceTrustServiceAbstraction);
const logService = inject(LogService);
const router = inject(Router);
const authStatus = await authService.getAuthStatus();
@ -49,6 +51,12 @@ export function redirectGuard(overrides: Partial<RedirectRoutes> = {}): CanActiv
const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
const everHadUserKey = await firstValueFrom(cryptoService.everHadUserKey$);
if (authStatus === AuthenticationStatus.Locked && tdeEnabled && !everHadUserKey) {
logService.info(
"Sending user to TDE decryption options. AuthStatus is %s. TDE support is %s. Ever had user key is %s.",
AuthenticationStatus[authStatus],
tdeEnabled,
everHadUserKey,
);
return router.createUrlTree([routes.notDecrypted], { queryParams: route.queryParams });
}

View File

@ -11,6 +11,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
/**
* Only allow access to this route if the vault is locked and has never been decrypted.
@ -23,15 +24,30 @@ export function tdeDecryptionRequiredGuard(): CanActivateFn {
const authService = inject(AuthService);
const cryptoService = inject(CryptoService);
const deviceTrustService = inject(DeviceTrustServiceAbstraction);
const logService = inject(LogService);
const router = inject(Router);
const authStatus = await authService.getAuthStatus();
const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
const everHadUserKey = await firstValueFrom(cryptoService.everHadUserKey$);
// We need to determine if we should bypass the decryption options and send the user to the vault.
// The ONLY time that we want to send a user to the decryption options is when:
// 1. The user's auth status is Locked, AND
// 2. TDE is enabled, AND
// 3. The user has never had a user key in state since last logout.
// The inverse of this is when we should send the user to the vault.
if (authStatus !== AuthenticationStatus.Locked || !tdeEnabled || everHadUserKey) {
return router.createUrlTree(["/"]);
}
logService.info(
"Sending user to TDE decryption options. AuthStatus is %s. TDE support is %s. Ever had user key is %s.",
AuthenticationStatus[authStatus],
tdeEnabled,
everHadUserKey,
);
return true;
};
}

View File

@ -87,12 +87,16 @@ export class SsoLoginStrategy extends LoginStrategy {
data.userEnteredEmail = credentials.email;
const deviceRequest = await this.buildDeviceRequest();
this.logService.info("Logging in with appId %s.", deviceRequest.identifier);
data.tokenRequest = new SsoTokenRequest(
credentials.code,
credentials.codeVerifier,
credentials.redirectUrl,
await this.buildTwoFactor(credentials.twoFactor, credentials.email),
await this.buildDeviceRequest(),
deviceRequest,
);
this.cache.next(data);
@ -195,12 +199,18 @@ export class SsoLoginStrategy extends LoginStrategy {
// Note: TDE and key connector are mutually exclusive
if (userDecryptionOptions?.trustedDeviceOption) {
this.logService.info("Attempting to set user key with approved admin auth request.");
// Try to use the user key from an approved admin request if it exists.
// Using it will clear it from state and future requests will use the device key.
await this.trySetUserKeyWithApprovedAdminRequestIfExists(userId);
const hasUserKey = await this.cryptoService.hasUserKey(userId);
// Only try to set user key with device key if admin approval request was not successful
// Only try to set user key with device key if admin approval request was not successful.
if (!hasUserKey) {
this.logService.info("Attempting to set user key with device key.");
await this.trySetUserKeyWithDeviceKey(tokenResponse, userId);
}
} else if (
@ -275,11 +285,27 @@ export class SsoLoginStrategy extends LoginStrategy {
): Promise<void> {
const trustedDeviceOption = tokenResponse.userDecryptionOptions?.trustedDeviceOption;
if (!trustedDeviceOption) {
this.logService.error("Unable to set user key due to missing trustedDeviceOption.");
return;
}
const deviceKey = await this.deviceTrustService.getDeviceKey(userId);
const encDevicePrivateKey = trustedDeviceOption?.encryptedPrivateKey;
const encUserKey = trustedDeviceOption?.encryptedUserKey;
if (!deviceKey || !encDevicePrivateKey || !encUserKey) {
if (!deviceKey) {
await this.logService.warning("Unable to set user key due to missing device key.");
}
if (!encDevicePrivateKey) {
await this.logService.warning(
"Unable to set user key due to missing encrypted device private key.",
);
}
if (!encUserKey) {
await this.logService.warning("Unable to set user key due to missing encrypted user key.");
}
return;
}