mirror of
https://github.com/bitwarden/browser
synced 2024-12-22 16:12:07 +01:00
07c2c2af20
* [EC-1070] Introduce flag for enforcing master password policy on login * [EC-1070] Update master password policy form Add the ability to toggle enforceOnLogin flag in web * [EC-1070] Add API method to retrieve all policies for the current user * [EC-1070] Refactor forcePasswordReset in state service to support more options - Use an options class to provide a reason and optional organization id - Use the OnDiskMemory storage location so the option persists between the same auth session * [AC-1070] Retrieve single master password policy from identity token response Additionally, store the policy in the login strategy for future use * [EC-1070] Introduce master password evaluation in the password login strategy - If a master password policy is returned from the identity result, evaluate the password. - If the password does not meet the requirements, save the forcePasswordReset options - Add support for 2FA by storing the results of the password evaluation on the login strategy instance - Add unit tests to password login strategy * [AC-1070] Modify admin password reset component to support update master password on login - Modify the warning message to depend on the reason - Use the forcePasswordResetOptions in the update temp password component * [EC-1070] Require current master password when updating weak mp on login - Inject user verification service to verify the user - Conditionally show the current master password field only when updating a weak mp. Admin reset does not require the current master password. * [EC-1070] Implement password policy check during vault unlock Checking the master password during unlock is the only applicable place to enforce the master password policy check for SSO users. * [EC-1070] CLI - Add ability to load MP policies on login Inject policyApi and organization services into the login command * [EC-1070] CLI - Refactor update temp password logic to support updating weak passwords - Introduce new shared method for collecting a valid and confirmed master password from the CLI and generating a new encryption key - Add separate methods for updating temp passwords and weak passwords. - Utilize those methods during login flow if not using an API key * [EC-1070] Add route guard to force password reset when required * [AC-1070] Use master password policy from verify password response in lock component * [EC-1070] Update labels in update password component * [AC-1070] Fix policy service tests * [AC-1070] CLI - Force sync before any password reset flow Move up the call to sync the vault before attempting to collect a new master password. Ensures the master password policies are available. * [AC-1070] Remove unused getAllPolicies method from policy api service * [AC-1070] Fix missing enforceOnLogin copy in policy service * [AC-1070] Include current master password on desktop/browser update password page templates * [AC-1070] Check for forced password reset on account switch in Desktop * [AC-1070] Rename WeakMasterPasswordOnLogin to WeakMasterPassword * [AC-1070] Update AuthServiceInitOptions * [AC-1070] Add None force reset password reason * [AC-1070] Remove redundant ForcePasswordResetOptions class and replace with ForcePasswordResetReason enum * [AC-1070] Rename ForceResetPasswordReason file * [AC-1070] Simplify conditional * [AC-1070] Refactor logic that saves password reset flag * [AC-1070] Remove redundant constructors * [AC-1070] Remove unnecessary state service call * [AC-1070] Update master password policy component - Use typed reactive form - Use CL form components - Remove bootstrap - Update error component to support min/max - Use Utils.minimumPasswordLength value for min value form validation * [AC-1070] Cleanup leftover html comment * [AC-1070] Remove overridden default values from MasterPasswordPolicyResponse * [AC-1070] Hide current master password input in browser for admin password reset * [AC-1070] Remove clientside user verification * [AC-1070] Update temp password web component to use CL - Use CL for form inputs in the Web component template - Remove most of the bootstrap classes in the Web component template - Use userVerificationService to build the password request - Remove redundant current master password null check * [AC-1070] Replace repeated user inputs email parsing helpers - Update passwordStrength() method to accept an optional email argument that will be parsed into separate user inputs for use with zxcvbn - Remove all other repeated getUserInput helper methods that parsed user emails and use the new passwordStrength signature * [AC-1070] Fix broken login command after forcePasswordReset enum refactor * [AC-1070] Reduce side effects in base login strategy - Remove masterPasswordPolicy property from base login.strategy.ts - Include an IdentityResponse in base startLogin() in addition to AuthResult - Use the new IdentityResponse to parse the master password policy info only in the PasswordLoginStrategy * [AC-1070] Cleanup password login strategy tests * [AC-1070] Remove unused field * [AC-1070] Strongly type postAccountVerifyPassword API service method - Remove redundant verify master password response - Use MasterPasswordPolicyResponse instead * [AC-1070] Use ForceResetPassword.None during account switch check * [AC-1070] Fix check for forcePasswordReset reason after addition of None * [AC-1070] Redirect a user home if on the update temp password page without a reason * [AC-1070] Use bit-select and bit-option * [AC-1070] Reduce explicit form control definitions for readability * [AC-1070] Import SelectModule in Shared web module * [AC-1070] Add check for missing 'at' symbol * [AC-1070] Remove redundant unpacking and null coalescing * [AC-1070] Update passwordStrength signature and add jsdocs * [AC-1070] Remove variable abbreviation * [AC-1070] Restore Id attributes on form inputs * [AC-1070] Clarify input value min/max error messages * [AC-1070] Add input min/max value example to storybook * [AC-1070] Add missing spinner to update temp password form * [AC-1070] Add missing ids to form elements * [AC-1070] Remove duplicate force sync and update comment * [AC-1070] Switch backticks to quotation marks --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
148 lines
4.5 KiB
TypeScript
148 lines
4.5 KiB
TypeScript
// eslint-disable-next-line no-restricted-imports
|
|
import { Arg, Substitute, SubstituteOf } from "@fluffy-spoon/substitute";
|
|
|
|
import { AbstractStorageService } from "@bitwarden/common/abstractions/storage.service";
|
|
import { StateVersion } from "@bitwarden/common/enums";
|
|
import { StateFactory } from "@bitwarden/common/factories/stateFactory";
|
|
import { Account } from "@bitwarden/common/models/domain/account";
|
|
import { GlobalState } from "@bitwarden/common/models/domain/global-state";
|
|
import { StateMigrationService } from "@bitwarden/common/services/stateMigration.service";
|
|
|
|
const userId = "USER_ID";
|
|
|
|
// Note: each test calls the private migration method for that migration,
|
|
// so that we don't accidentally run all following migrations as well
|
|
|
|
describe("State Migration Service", () => {
|
|
let storageService: SubstituteOf<AbstractStorageService>;
|
|
let secureStorageService: SubstituteOf<AbstractStorageService>;
|
|
let stateFactory: SubstituteOf<StateFactory>;
|
|
|
|
let stateMigrationService: StateMigrationService;
|
|
|
|
beforeEach(() => {
|
|
storageService = Substitute.for<AbstractStorageService>();
|
|
secureStorageService = Substitute.for<AbstractStorageService>();
|
|
stateFactory = Substitute.for<StateFactory>();
|
|
|
|
stateMigrationService = new StateMigrationService(
|
|
storageService,
|
|
secureStorageService,
|
|
stateFactory
|
|
);
|
|
});
|
|
|
|
describe("StateVersion 3 to 4 migration", () => {
|
|
beforeEach(() => {
|
|
const globalVersion3: Partial<GlobalState> = {
|
|
stateVersion: StateVersion.Three,
|
|
};
|
|
|
|
storageService.get("global", Arg.any()).resolves(globalVersion3);
|
|
storageService.get("authenticatedAccounts", Arg.any()).resolves([userId]);
|
|
});
|
|
|
|
it("clears everBeenUnlocked", async () => {
|
|
const accountVersion3: Account = {
|
|
profile: {
|
|
apiKeyClientId: null,
|
|
convertAccountToKeyConnector: null,
|
|
email: "EMAIL",
|
|
emailVerified: true,
|
|
everBeenUnlocked: true,
|
|
hasPremiumPersonally: false,
|
|
kdfIterations: 100000,
|
|
kdfType: 0,
|
|
keyHash: "KEY_HASH",
|
|
lastSync: "LAST_SYNC",
|
|
userId: userId,
|
|
usesKeyConnector: false,
|
|
forcePasswordResetReason: null,
|
|
},
|
|
};
|
|
|
|
const expectedAccountVersion4: Account = {
|
|
profile: {
|
|
...accountVersion3.profile,
|
|
},
|
|
};
|
|
delete expectedAccountVersion4.profile.everBeenUnlocked;
|
|
|
|
storageService.get(userId, Arg.any()).resolves(accountVersion3);
|
|
|
|
await (stateMigrationService as any).migrateStateFrom3To4();
|
|
|
|
storageService.received(1).save(userId, expectedAccountVersion4, Arg.any());
|
|
});
|
|
|
|
it("updates StateVersion number", async () => {
|
|
await (stateMigrationService as any).migrateStateFrom3To4();
|
|
|
|
storageService.received(1).save(
|
|
"global",
|
|
Arg.is((globals: GlobalState) => globals.stateVersion === StateVersion.Four),
|
|
Arg.any()
|
|
);
|
|
});
|
|
});
|
|
|
|
describe("StateVersion 4 to 5 migration", () => {
|
|
it("migrates organization keys to new format", async () => {
|
|
const accountVersion4 = new Account({
|
|
keys: {
|
|
organizationKeys: {
|
|
encrypted: {
|
|
orgOneId: "orgOneEncKey",
|
|
orgTwoId: "orgTwoEncKey",
|
|
orgThreeId: "orgThreeEncKey",
|
|
},
|
|
},
|
|
},
|
|
} as any);
|
|
|
|
const expectedAccount = new Account({
|
|
keys: {
|
|
organizationKeys: {
|
|
encrypted: {
|
|
orgOneId: {
|
|
type: "organization",
|
|
key: "orgOneEncKey",
|
|
},
|
|
orgTwoId: {
|
|
type: "organization",
|
|
key: "orgTwoEncKey",
|
|
},
|
|
orgThreeId: {
|
|
type: "organization",
|
|
key: "orgThreeEncKey",
|
|
},
|
|
},
|
|
} as any,
|
|
} as any,
|
|
});
|
|
|
|
const migratedAccount = await (stateMigrationService as any).migrateAccountFrom4To5(
|
|
accountVersion4
|
|
);
|
|
|
|
expect(migratedAccount).toEqual(expectedAccount);
|
|
});
|
|
});
|
|
|
|
describe("StateVersion 5 to 6 migration", () => {
|
|
it("deletes account.keys.legacyEtmKey value", async () => {
|
|
const accountVersion5 = new Account({
|
|
keys: {
|
|
legacyEtmKey: "legacy key",
|
|
},
|
|
} as any);
|
|
|
|
const migratedAccount = await (stateMigrationService as any).migrateAccountFrom5To6(
|
|
accountVersion5
|
|
);
|
|
|
|
expect(migratedAccount.keys.legacyEtmKey).toBeUndefined();
|
|
});
|
|
});
|
|
});
|