bitwarden-estensione-browser/apps/cli/src/commands/unlock.command.ts

import { ApiService } from "jslib-common/abstractions/api.service";
import { CryptoService } from "jslib-common/abstractions/crypto.service";
import { CryptoFunctionService } from "jslib-common/abstractions/cryptoFunction.service";
import { EnvironmentService } from "jslib-common/abstractions/environment.service";
import { KeyConnectorService } from "jslib-common/abstractions/keyConnector.service";
import { StateService } from "jslib-common/abstractions/state.service";
import { SyncService } from "jslib-common/abstractions/sync.service";
import { HashPurpose } from "jslib-common/enums/hashPurpose";
import { Utils } from "jslib-common/misc/utils";
import { SecretVerificationRequest } from "jslib-common/models/request/secretVerificationRequest";
import { ConsoleLogService } from "jslib-common/services/consoleLog.service";
import { Response } from "jslib-node/cli/models/response";
import { MessageResponse } from "jslib-node/cli/models/response/messageResponse";

import { CliUtils } from "../utils";

import { ConvertToKeyConnectorCommand } from "./convertToKeyConnector.command";

export class UnlockCommand {
  constructor(
    private cryptoService: CryptoService,
    private stateService: StateService,
    private cryptoFunctionService: CryptoFunctionService,
    private apiService: ApiService,
    private logService: ConsoleLogService,
    private keyConnectorService: KeyConnectorService,
    private environmentService: EnvironmentService,
    private syncService: SyncService,
    private logout: () => Promise<void>
  ) {}

  async run(password: string, cmdOptions: Record<string, any>) {
    const normalizedOptions = new Options(cmdOptions);
    const passwordResult = await CliUtils.getPassword(password, normalizedOptions, this.logService);

    if (passwordResult instanceof Response) {
      return passwordResult;
    } else {
      password = passwordResult;
    }

    await this.setNewSessionKey();
    const email = await this.stateService.getEmail();
    const kdf = await this.stateService.getKdfType();
    const kdfIterations = await this.stateService.getKdfIterations();
    const key = await this.cryptoService.makeKey(password, email, kdf, kdfIterations);
    const storedKeyHash = await this.cryptoService.getKeyHash();

    let passwordValid = false;
    if (key != null) {
      if (storedKeyHash != null) {
        passwordValid = await this.cryptoService.compareAndUpdateKeyHash(password, key);
      } else {
        const serverKeyHash = await this.cryptoService.hashPassword(
          password,
          key,
          HashPurpose.ServerAuthorization
        );
        const request = new SecretVerificationRequest();
        request.masterPasswordHash = serverKeyHash;
        try {
          await this.apiService.postAccountVerifyPassword(request);
          passwordValid = true;
          const localKeyHash = await this.cryptoService.hashPassword(
            password,
            key,
            HashPurpose.LocalAuthorization
          );
          await this.cryptoService.setKeyHash(localKeyHash);
        } catch {
          // Ignore
        }
      }
    }

    if (passwordValid) {
      await this.cryptoService.setKey(key);

      if (await this.keyConnectorService.getConvertAccountRequired()) {
        const convertToKeyConnectorCommand = new ConvertToKeyConnectorCommand(
          this.apiService,
          this.keyConnectorService,
          this.environmentService,
          this.syncService,
          this.logout
        );
        const convertResponse = await convertToKeyConnectorCommand.run();
        if (!convertResponse.success) {
          return convertResponse;
        }
      }

      return this.successResponse();
    } else {
      return Response.error("Invalid master password.");
    }
  }

  private async setNewSessionKey() {
    const key = await this.cryptoFunctionService.randomBytes(64);
    process.env.BW_SESSION = Utils.fromBufferToB64(key);
  }

  private async successResponse() {
    const res = new MessageResponse(
      "Your vault is now unlocked!",
      "\n" +
        "To unlock your vault, set your session key to the `BW_SESSION` environment variable. ex:\n" +
        '$ export BW_SESSION="' +
        process.env.BW_SESSION +
        '"\n' +
        '> $env:BW_SESSION="' +
        process.env.BW_SESSION +
        '"\n\n' +
        "You can also pass the session key to any command with the `--session` option. ex:\n" +
        "$ bw list items --session " +
        process.env.BW_SESSION
    );
    res.raw = process.env.BW_SESSION;
    return Response.success(res);
  }
}

class Options {
  passwordEnv: string;
  passwordFile: string;

  constructor(passedOptions: Record<string, any>) {
    this.passwordEnv = passedOptions?.passwordenv || passedOptions?.passwordEnv;
    this.passwordFile = passedOptions?.passwordfile || passedOptions?.passwordFile;
  }
}
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`import { ApiService } from "jslib-common/abstractions/api.service";`
			`import { CryptoService } from "jslib-common/abstractions/crypto.service";`
			`import { CryptoFunctionService } from "jslib-common/abstractions/cryptoFunction.service";`
Fix migration to Key Connector (#452) * Move Key Connector check to subclass * Move authService.logout call to main program * Move Key Connector migration check to unlock command * Use get/setConvertAccountRequired flag * Move Key Connector convert to own command, set usesKeyConnector after conversion * Remove KC conversion check from syncCommand, fix callback * Make class service private * Fix naming convention * Update jslib and deps 2022-01-20 21:03:37 +01:00			`import { EnvironmentService } from "jslib-common/abstractions/environment.service";`
			`import { KeyConnectorService } from "jslib-common/abstractions/keyConnector.service";`
[refactor(Account Switching)] Implement StateService (#424) 2021-12-28 21:38:51 +01:00			`import { StateService } from "jslib-common/abstractions/state.service";`
Fix migration to Key Connector (#452) * Move Key Connector check to subclass * Move authService.logout call to main program * Move Key Connector migration check to unlock command * Use get/setConvertAccountRequired flag * Move Key Connector convert to own command, set usesKeyConnector after conversion * Remove KC conversion check from syncCommand, fix callback * Make class service private * Fix naming convention * Update jslib and deps 2022-01-20 21:03:37 +01:00			`import { SyncService } from "jslib-common/abstractions/sync.service";`
Add eslint (#496) 2022-03-03 18:24:41 +01:00			`import { HashPurpose } from "jslib-common/enums/hashPurpose";`
			`import { Utils } from "jslib-common/misc/utils";`
			`import { SecretVerificationRequest } from "jslib-common/models/request/secretVerificationRequest";`
			`import { ConsoleLogService } from "jslib-common/services/consoleLog.service";`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`import { Response } from "jslib-node/cli/models/response";`
			`import { MessageResponse } from "jslib-node/cli/models/response/messageResponse";`
lock/unlock commands 2018-05-16 16:25:25 +02:00
Feature/password protected export (#446) * Update jslib * Bumped version to 1.20.0 (#421) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (cherry picked from commit 3e4aa8e476a70ad63e8d671b83590ca74b22414e) * password protected export * Run Prettier * Add importer to list of known file types * Improve launch.json settings * Turn on import from password protected file * Run prettier * Fix webpack source map path change * Update getPassword helper to use new options class * Prettier * Add client type * Remove master password requirement for export Alter password optional argument to indicating the file should be password protected rather than account protected * update jslib * Handle passwordProtected automagically * Remove passwordproteted type from import command * Update src/utils.ts Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Update src/vault.program.ts Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Use new util method * remove password protected format * Update jslib * Clarify export command * Run prettier Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Matt Gibson <gibson.matt10@gmail.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> 2022-02-23 22:47:32 +01:00			`import { CliUtils } from "../utils";`
lock/unlock commands 2018-05-16 16:25:25 +02:00
Fix migration to Key Connector (#452) * Move Key Connector check to subclass * Move authService.logout call to main program * Move Key Connector migration check to unlock command * Use get/setConvertAccountRequired flag * Move Key Connector convert to own command, set usesKeyConnector after conversion * Remove KC conversion check from syncCommand, fix callback * Make class service private * Fix naming convention * Update jslib and deps 2022-01-20 21:03:37 +01:00			`import { ConvertToKeyConnectorCommand } from "./convertToKeyConnector.command";`

lock/unlock commands 2018-05-16 16:25:25 +02:00			`export class UnlockCommand {`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`constructor(`
			`private cryptoService: CryptoService,`
[refactor(Account Switching)] Implement StateService (#424) 2021-12-28 21:38:51 +01:00			`private stateService: StateService,`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`private cryptoFunctionService: CryptoFunctionService,`
			`private apiService: ApiService,`
Fix migration to Key Connector (#452) * Move Key Connector check to subclass * Move authService.logout call to main program * Move Key Connector migration check to unlock command * Use get/setConvertAccountRequired flag * Move Key Connector convert to own command, set usesKeyConnector after conversion * Remove KC conversion check from syncCommand, fix callback * Make class service private * Fix naming convention * Update jslib and deps 2022-01-20 21:03:37 +01:00			`private logService: ConsoleLogService,`
			`private keyConnectorService: KeyConnectorService,`
			`private environmentService: EnvironmentService,`
			`private syncService: SyncService,`
			`private logout: () => Promise<void>`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`) {}`
lock/unlock commands 2018-05-16 16:25:25 +02:00
serve command (#451) 2022-01-19 16:45:14 +01:00			`async run(password: string, cmdOptions: Record<string, any>) {`
			`const normalizedOptions = new Options(cmdOptions);`
Feature/password protected export (#446) * Update jslib * Bumped version to 1.20.0 (#421) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (cherry picked from commit 3e4aa8e476a70ad63e8d671b83590ca74b22414e) * password protected export * Run Prettier * Add importer to list of known file types * Improve launch.json settings * Turn on import from password protected file * Run prettier * Fix webpack source map path change * Update getPassword helper to use new options class * Prettier * Add client type * Remove master password requirement for export Alter password optional argument to indicating the file should be password protected rather than account protected * update jslib * Handle passwordProtected automagically * Remove passwordproteted type from import command * Update src/utils.ts Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Update src/vault.program.ts Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Use new util method * remove password protected format * Update jslib * Clarify export command * Run prettier Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Matt Gibson <gibson.matt10@gmail.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> 2022-02-23 22:47:32 +01:00			`const passwordResult = await CliUtils.getPassword(password, normalizedOptions, this.logService);`
`--passwordenv` doesn't work for for unlock (#347) * - Add passwordenv parameter to unlock command - Add passwordfile parameter to unlock command - Adapt help message * Remove newline * Add warning if passwordenv var not found * Appease the linter * Refactor * Undo last commit 2021-07-02 22:04:07 +02:00
Feature/password protected export (#446) * Update jslib * Bumped version to 1.20.0 (#421) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (cherry picked from commit 3e4aa8e476a70ad63e8d671b83590ca74b22414e) * password protected export * Run Prettier * Add importer to list of known file types * Improve launch.json settings * Turn on import from password protected file * Run prettier * Fix webpack source map path change * Update getPassword helper to use new options class * Prettier * Add client type * Remove master password requirement for export Alter password optional argument to indicating the file should be password protected rather than account protected * update jslib * Handle passwordProtected automagically * Remove passwordproteted type from import command * Update src/utils.ts Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Update src/vault.program.ts Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Use new util method * remove password protected format * Update jslib * Clarify export command * Run prettier Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Matt Gibson <gibson.matt10@gmail.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> 2022-02-23 22:47:32 +01:00			`if (passwordResult instanceof Response) {`
			`return passwordResult;`
			`} else {`
			`password = passwordResult;`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`}`
SSO login (#154) * support sso login * update jslib * set clientid in base login command 2020-08-03 18:30:32 +02:00
Fix/lock lowdb file (#470) * Lock data.json while running * Await floating promises * Increase retry frequency and attempt count for lock file * tweak lock retry times 2022-02-10 17:24:41 +01:00			`await this.setNewSessionKey();`
[refactor(Account Switching)] Implement StateService (#424) 2021-12-28 21:38:51 +01:00			`const email = await this.stateService.getEmail();`
			`const kdf = await this.stateService.getKdfType();`
			`const kdfIterations = await this.stateService.getKdfIterations();`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`const key = await this.cryptoService.makeKey(password, email, kdf, kdfIterations);`
			`const storedKeyHash = await this.cryptoService.getKeyHash();`
SSO login (#154) * support sso login * update jslib * set clientid in base login command 2020-08-03 18:30:32 +02:00
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`let passwordValid = false;`
			`if (key != null) {`
			`if (storedKeyHash != null) {`
			`passwordValid = await this.cryptoService.compareAndUpdateKeyHash(password, key);`
			`} else {`
			`const serverKeyHash = await this.cryptoService.hashPassword(`
			`password,`
			`key,`
			`HashPurpose.ServerAuthorization`
			`);`
			`const request = new SecretVerificationRequest();`
			`request.masterPasswordHash = serverKeyHash;`
			`try {`
			`await this.apiService.postAccountVerifyPassword(request);`
			`passwordValid = true;`
			`const localKeyHash = await this.cryptoService.hashPassword(`
			`password,`
			`key,`
			`HashPurpose.LocalAuthorization`
			`);`
			`await this.cryptoService.setKeyHash(localKeyHash);`
Add eslint (#496) 2022-03-03 18:24:41 +01:00			`} catch {`
			`// Ignore`
			`}`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`}`
lock/unlock commands 2018-05-16 16:25:25 +02:00			`}`

Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`if (passwordValid) {`
			`await this.cryptoService.setKey(key);`
Fix migration to Key Connector (#452) * Move Key Connector check to subclass * Move authService.logout call to main program * Move Key Connector migration check to unlock command * Use get/setConvertAccountRequired flag * Move Key Connector convert to own command, set usesKeyConnector after conversion * Remove KC conversion check from syncCommand, fix callback * Make class service private * Fix naming convention * Update jslib and deps 2022-01-20 21:03:37 +01:00
			`if (await this.keyConnectorService.getConvertAccountRequired()) {`
			`const convertToKeyConnectorCommand = new ConvertToKeyConnectorCommand(`
			`this.apiService,`
			`this.keyConnectorService,`
			`this.environmentService,`
			`this.syncService,`
			`this.logout`
			`);`
			`const convertResponse = await convertToKeyConnectorCommand.run();`
			`if (!convertResponse.success) {`
			`return convertResponse;`
			`}`
			`}`

			`return this.successResponse();`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`} else {`
			`return Response.error("Invalid master password.");`
lock/unlock commands 2018-05-16 16:25:25 +02:00			`}`
Apply Prettier (#426) 2021-12-20 18:04:00 +01:00			`}`

			`private async setNewSessionKey() {`
			`const key = await this.cryptoFunctionService.randomBytes(64);`
			`process.env.BW_SESSION = Utils.fromBufferToB64(key);`
			`}`
Fix migration to Key Connector (#452) * Move Key Connector check to subclass * Move authService.logout call to main program * Move Key Connector migration check to unlock command * Use get/setConvertAccountRequired flag * Move Key Connector convert to own command, set usesKeyConnector after conversion * Remove KC conversion check from syncCommand, fix callback * Make class service private * Fix naming convention * Update jslib and deps 2022-01-20 21:03:37 +01:00
			`private async successResponse() {`
			`const res = new MessageResponse(`
			`"Your vault is now unlocked!",`
			`"\n" +`
			"To unlock your vault, set your session key to the `BW_SESSION` environment variable. ex:\n" +
			`'$ export BW_SESSION="' +`
			`process.env.BW_SESSION +`
			`'"\n' +`
			`'> $env:BW_SESSION="' +`
			`process.env.BW_SESSION +`
			`'"\n\n' +`
			"You can also pass the session key to any command with the `--session` option. ex:\n" +
			`"$ bw list items --session " +`
			`process.env.BW_SESSION`
			`);`
			`res.raw = process.env.BW_SESSION;`
			`return Response.success(res);`
			`}`
lock/unlock commands 2018-05-16 16:25:25 +02:00			`}`
serve command (#451) 2022-01-19 16:45:14 +01:00
			`class Options {`
			`passwordEnv: string;`
			`passwordFile: string;`

			`constructor(passedOptions: Record<string, any>) {`
Fix/bitwarden serve (#454) * Handle null passedOptions * Require authentication to use `bs serve` 2022-01-26 17:28:56 +01:00			`this.passwordEnv = passedOptions?.passwordenv \|\| passedOptions?.passwordEnv;`
			`this.passwordFile = passedOptions?.passwordfile \|\| passedOptions?.passwordFile;`
serve command (#451) 2022-01-19 16:45:14 +01:00			`}`
			`}`