
[PM-3797] Client changes to use new key rotation process #6881

Merged: 19 commits merged into main from auth/pm-3797/key-rotation-upgrades, Dec 22, 2023

Conversation

jlf0dev (Member) commented Nov 13, 2023

Type of change

- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc.)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Final Client changes for Key Rotation Improvements.

  • Introduces a new KeyRotationService that is responsible for owning the rotation process.
  • Moves Send re-encryption to the SendService (KeyRotationService shouldn't have knowledge about how domains are encrypted).
  • Moves EmergencyAccess re-encryption to the EmergencyAccessService.
  • Renames AccountRecoveryService to OrganizationUserResetPasswordService after feedback from Admin Console

Code changes

Auth

  • emergency-access-update.request.ts: New request model for domain updates that includes Id
  • emergency-access.service.ts: Moved EmergencyAccess re-encryption to the EmergencyAccessService. Adds a deprecated method for legacy key rotations when the feature flag is off
  • key-rotation.service/api/spec/module: New key rotation service for owning the rotation process. Added api service, module, and spec file.
  • update-key.request.ts: Moved to Auth ownership. Also added new properties for including other domains.
  • migrate-legacy-encryption.component.ts: Use new key rotation service instead of old component specific service. Delete old service.
  • change-password.component.ts: Use new key rotation service.
  • settings.module.ts: Import key rotation module.

Admin Console

  • organization-user-reset-password.service.ts/spec: Responsible for re-encryption of reset password keys during key rotation. Added tests.
  • organization-user-reset-password-enrollment.request.ts: New request model for key rotations
  • reset-password.component.ts: Update AccountRecoveryService to OrganizationUserResetPasswordService
  • enroll-master-password-reset.component.ts: Update AccountRecoveryService to OrganizationUserResetPasswordService

Tools

  • send.service/spec.ts: Responsible only for re-encryption of sends during key rotation. Added tests.

Other

  • api.service.ts: Move postAccountKey to KeyRotationApiService
  • feature-flag.enum.ts: add new feature flag

Screenshots

Before you submit

  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team
  • Ensure that all UI additions follow WCAG AA requirements

@jlf0dev force-pushed the auth/pm-3797/admin-recovery-service branch from 82a5755 to 4417214 (November 28, 2023 17:40)
@jlf0dev force-pushed the auth/pm-3797/key-rotation-upgrades branch from b3f4ff3 to 0664ced (November 28, 2023 17:40)

jlf0dev (Member, Author) commented Nov 28, 2023

@jlf0dev force-pushed the auth/pm-3797/admin-recovery-service branch 2 times, most recently from 953e7d4 to 9620161 (November 30, 2023 22:24)
@jlf0dev force-pushed the auth/pm-3797/key-rotation-upgrades branch from 0664ced to 88a064c (November 30, 2023 22:24)
@jlf0dev force-pushed the auth/pm-3797/admin-recovery-service branch from 9620161 to 2c4a5d6 (November 30, 2023 22:32)
@jlf0dev force-pushed the auth/pm-3797/key-rotation-upgrades branch from 88a064c to b834845 (November 30, 2023 22:32)
Base automatically changed from auth/pm-3797/admin-recovery-service to master (December 1, 2023 22:21)
@jlf0dev force-pushed the auth/pm-3797/key-rotation-upgrades branch from b834845 to 59f6a0a (December 12, 2023 19:45)
@bitwarden-bot commented

Checkmarx One – Scan Summary & Details (scan 0c2378e3-d0a1-49f6-afc1-9926975f695a)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
| --- | --- | --- | --- |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/admin-console/organizations/members/services/organization-user-reset-password/organization-user-reset-password.service.spec.ts: 112 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/admin-console/organizations/members/services/organization-user-reset-password/organization-user-reset-password.service.spec.ts: 112 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 180 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 169 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 161 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 156 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 148 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 180 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 169 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 161 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 156 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/key-rotation/key-rotation.service.spec.ts: 148 | Attack Vector |

Fixed Issues

| Severity | Issue | Source File / Package |
| --- | --- | --- |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/admin-console/organizations/members/services/account-recovery/account-recovery.service.spec.ts: 112 |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/admin-console/organizations/members/services/account-recovery/account-recovery.service.spec.ts: 112 |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.spec.ts: 70 |
| LOW | Use_Of_Hardcoded_Password | /apps/web/src/app/auth/migrate-encryption/migrate-legacy-encryption.service.spec.ts: 91 |

@jlf0dev force-pushed the auth/pm-3797/key-rotation-upgrades branch from 59f6a0a to 45985a8 (December 13, 2023 15:24)
@jlf0dev force-pushed the auth/pm-3797/key-rotation-upgrades branch from 45985a8 to f7b2d82 (December 14, 2023 14:28)
@jlf0dev changed the title from "Auth/pm 3797/key rotation upgrades" to "[PM-3797] Client changes to use new key rotation process" (Dec 14, 2023)
@jlf0dev marked this pull request as ready for review (December 14, 2023 16:14)
@jlf0dev requested review from a team as code owners (December 14, 2023 16:14)
ike-kottlowski (Contributor) previously approved these changes Dec 15, 2023

A mighty improvement. Excellent work.

audreyality (Member) left a comment

Just one nit ⛏️. Thank you for documenting the new function! ❤️

```typescript
  });

  it("throws if the new user key is null", async () => {
    await expect(sendService.getRotatedKeys(null)).rejects.toThrow();
```
Member:

⛏️ The throw should check to ensure that the message is correct.

Member Author:

Added!

```typescript
      throw new Error("New user key is required for rotation.");
    }

    return await Promise.all(
```
Member:

Sorry. Took a closer look and found one more nit:

⛏️ Could you break out the result of the promise.all(...) call into a separate variable? The combination of asynchronous code and the inlined map call will make this a little difficult to step through with a debugger.

Member Author:

Good point, I've definitely had frustrating debugging sessions dealing with the same thing. Updated!

- add easier debugging
- check for specific error in tests
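As an added illustration (not Bitwarden's code) of the ownership split described in the PR objective and of the two review nits in this thread: a domain service re-wraps only its own keys under the new user key, guards on a null key with the same message as the reviewed snippet, and holds the Promise.all result in a named variable. The AES-256-GCM EncString layout, the Send and request shapes, and the service signatures are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example, not Bitwarden's code. Constructed stand-ins: a 32-byte user key and an
// EncString laid out as "iv.ciphertext.tag" in hex under AES-256-GCM.
type UserKey = Buffer;
interface Send { id: string; key: string; } // key: the Send's own key, wrapped under the user key
interface SendWithIdRequest { id: string; key: string; } // hypothetical update-request shape

function encrypt(userKey: UserKey, plaintext: Buffer): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", userKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return [iv, ct, cipher.getAuthTag()].map((b) => b.toString("hex")).join(".");
}

function decrypt(userKey: UserKey, encString: string): Buffer {
  const [iv, ct, tag] = encString.split(".").map((h) => Buffer.from(h, "hex")) as [Buffer, Buffer, Buffer];
  const decipher = createDecipheriv("aes-256-gcm", userKey, iv);
  decipher.setAuthTag(tag); // a wrong user key fails the tag check instead of yielding garbage
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Guard the reviewers asked the spec to assert on; same message as the PR snippet.
function requireNewUserKey(newUserKey: UserKey | null): UserKey {
  if (newUserKey == null) {
    throw new Error("New user key is required for rotation.");
  }
  return newUserKey;
}

// Re-wraps one Send key: unwrap under the old user key, wrap under the new. Only this domain service knows the layout.
function rotateSendKey(oldUserKey: UserKey, newUserKey: UserKey, send: Send): SendWithIdRequest {
  return { id: send.id, key: encrypt(newUserKey, decrypt(oldUserKey, send.key)) };
}

class SendService {
  private readonly oldUserKey: UserKey;
  private readonly sends: Send[];
  constructor(oldUserKey: UserKey, sends: Send[]) { this.oldUserKey = oldUserKey; this.sends = sends; }
  async getRotatedKeys(newUserKey: UserKey | null): Promise<SendWithIdRequest[]> {
    const key = requireNewUserKey(newUserKey);
    // Held in a named variable rather than returned inline, so it is easy to inspect in a debugger.
    const rotated = await Promise.all(this.sends.map(async (s) => rotateSendKey(this.oldUserKey, key, s)));
    return rotated;
  }
}

const OLD_USER_KEY: UserKey = randomBytes(32); // constructed sample keys and Sends
const NEW_USER_KEY: UserKey = randomBytes(32);
const SEND_KEYS: Buffer[] = [randomBytes(16), randomBytes(16)];
const SAMPLE_SENDS: Send[] = SEND_KEYS.map((k, i) => ({ id: `send-${i + 1}`, key: encrypt(OLD_USER_KEY, k) }));
```

A KeyRotationService in this model would only call `getRotatedKeys` on each domain service and place the returned request models into its update request, never touching the EncString layout itself.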
audreyality (Member) left a comment

Thanks! Great work! 👍🏻

@jlf0dev merged commit a62f8cd into main Dec 22, 2023
74 checks passed
@jlf0dev deleted the auth/pm-3797/key-rotation-upgrades branch (December 22, 2023 15:31)
5 participants