From 133d30ba97739ef050c1a1918c5918cee812be98 Mon Sep 17 00:00:00 2001
From: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Date: Thu, 8 Apr 2021 11:09:06 -0500
Subject: [PATCH] [Reset Password] Rotate encryption key (#916)

* [Reset Password] Rotate encryption key

* Added logic for updating reset password key only if necessary

* Updated user's resetPasswordKey for each confirmed organization on key rotation
---
 src/app/settings/change-password.component.ts | 26 ++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/app/settings/change-password.component.ts b/src/app/settings/change-password.component.ts
index 420eea9e5f..cdab066323 100644
--- a/src/app/settings/change-password.component.ts
+++ b/src/app/settings/change-password.component.ts
@@ -25,6 +25,7 @@ import { SymmetricCryptoKey } from 'jslib/models/domain/symmetricCryptoKey';
 import { CipherWithIdRequest } from 'jslib/models/request/cipherWithIdRequest';
 import { EmergencyAccessUpdateRequest } from 'jslib/models/request/emergencyAccessUpdateRequest';
 import { FolderWithIdRequest } from 'jslib/models/request/folderWithIdRequest';
+import { OrganizationUserResetPasswordEnrollmentRequest } from 'jslib/models/request/organizationUserResetPasswordEnrollmentRequest';
 import { PasswordRequest } from 'jslib/models/request/passwordRequest';
 import { UpdateKeyRequest } from 'jslib/models/request/updateKeyRequest';
 
@@ -41,7 +42,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
         userService: UserService, passwordGenerationService: PasswordGenerationService,
         platformUtilsService: PlatformUtilsService, policyService: PolicyService,
         private folderService: FolderService, private cipherService: CipherService,
-        private syncService: SyncService, private apiService: ApiService ) {
+        private syncService: SyncService, private apiService: ApiService) {
         super(i18nService, cryptoService, messagingService, userService, passwordGenerationService,
             platformUtilsService, policyService);
     }
@@ -166,6 +167,8 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
         await this.apiService.postAccountKey(request);
 
         await this.updateEmergencyAccesses(encKey[0]);
+
+        await this.updateAllResetPasswordKeys(encKey[0]);
     }
 
     private async updateEmergencyAccesses(encKey: SymmetricCryptoKey) {
@@ -192,4 +195,25 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
             await this.apiService.putEmergencyAccess(details.id, updateRequest);
         }
     }
+
+    private async updateAllResetPasswordKeys(encKey: SymmetricCryptoKey) {
+        const orgs = await this.userService.getAllOrganizations();
+
+        for (const org of orgs) {
+            // If not already enrolled, skip
+            if (!org.isResetPasswordEnrolled) {
+                continue;
+            }
+
+            // Re-enroll - encrpyt user's encKey.key with organization key
+            const orgSymKey = await this.cryptoService.getOrgKey(org.id);
+            const encryptedKey = await this.cryptoService.encrypt(encKey.key, orgSymKey);
+
+            // Create/Execute request
+            const request = new OrganizationUserResetPasswordEnrollmentRequest();
+            request.resetPasswordKey = encryptedKey.encryptedString;
+
+            await this.apiService.putOrganizationUserResetPasswordEnrollment(org.id, org.userId, request);
+        }
+    }
 }