[PM-23809] Add simplified interface to MP service (#15631)

* Add new mp service api

* Fix tests

* Add test coverage

* Add newline

* Fix type

* Rename to "unwrapUserKeyFromMasterPasswordUnlockData"

* Fix build

* Fix build on cli

* Fix linting

* Re-sort spec

* Add tests

* Fix test and build issues

* Fix build

* Clean up

* Remove introduced function

* Clean up comments

* Fix abstract class types

* Fix comments

* Cleanup

* Cleanup

* Update libs/common/src/key-management/master-password/types/master-password.types.ts

Co-authored-by: Thomas Avery <[email protected]>

* Update libs/common/src/key-management/master-password/services/master-password.service.ts

Co-authored-by: Thomas Avery <[email protected]>

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Thomas Avery <[email protected]>

* Update libs/common/src/key-management/master-password/types/master-password.types.ts

Co-authored-by: Thomas Avery <[email protected]>

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Thomas Avery <[email protected]>

* Add comments

* Fix build

* Add arg null check

* Cleanup

* Fix build

* Fix build on browser

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Thomas Avery <[email protected]>

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Thomas Avery <[email protected]>

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Thomas Avery <[email protected]>

* Add tests for null params

* Cleanup and deprecate more functions

* Fix formatting

* Prettier

* Clean up

* Update libs/key-management/src/abstractions/key.service.ts

Co-authored-by: Thomas Avery <[email protected]>

* Make emailToSalt private and expose abstract saltForUser

* Add tests

* Add docs

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Thomas Avery <[email protected]>

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Thomas Avery <[email protected]>

---------

Co-authored-by: Thomas Avery <[email protected]>

Author: quexten

apps/browser/src/background/main.background.ts

@@ -668,6 +668,8 @@ export default class MainBackground {
       this.keyGenerationService,
       this.encryptService,
       this.logService,
+      this.cryptoFunctionService,
+      this.accountService,
     );
 
     this.i18nService = new I18nService(BrowserApi.getUILanguage(), this.globalStateProvider);

apps/cli/src/service-container/service-container.ts

@@ -431,16 +431,17 @@ export class ServiceContainer {
       migrationRunner,
     );
 
+    this.kdfConfigService = new DefaultKdfConfigService(this.stateProvider);
     this.masterPasswordService = new MasterPasswordService(
       this.stateProvider,
       this.stateService,
       this.keyGenerationService,
       this.encryptService,
       this.logService,
+      this.cryptoFunctionService,
+      this.accountService,
     );
 
-    this.kdfConfigService = new DefaultKdfConfigService(this.stateProvider);
-
     this.pinService = new PinService(
       this.accountService,
       this.cryptoFunctionService,

libs/angular/src/services/jslib-services.module.ts

@@ -1021,6 +1021,8 @@ const safeProviders: SafeProvider[] = [
       KeyGenerationServiceAbstraction,
       EncryptService,
       LogService,
+      CryptoFunctionServiceAbstraction,
+      AccountServiceAbstraction,
     ],
   }),
   safeProvider({

libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

@@ -1,9 +1,17 @@
 import { Observable } from "rxjs";
 
+// eslint-disable-next-line no-restricted-imports
+import { KdfConfig } from "@bitwarden/key-management";
+
 import { ForceSetPasswordReason } from "../../../auth/models/domain/force-set-password-reason";
 import { UserId } from "../../../types/guid";
 import { MasterKey, UserKey } from "../../../types/key";
 import { EncString } from "../../crypto/models/enc-string";
+import {
+  MasterPasswordAuthenticationData,
+  MasterPasswordSalt,
+  MasterPasswordUnlockData,
+} from "../types/master-password.types";
 
 export abstract class MasterPasswordServiceAbstraction {
   /**
@@ -12,14 +20,23 @@ export abstract class MasterPasswordServiceAbstraction {
    * @throws If the user ID is missing.
    */
   abstract forceSetPasswordReason$: (userId: UserId) => Observable<ForceSetPasswordReason>;
+  /**
+   * An observable that emits the master password salt for the user.
+   * @param userId The user ID.
+   * @throws If the user ID is missing.
+   * @throws If the user ID is provided, but the user is not found.
+   */
+  abstract saltForUser$: (userId: UserId) => Observable<MasterPasswordSalt>;
   /**
    * An observable that emits the master key for the user.
+   * @deprecated Interacting with the master-key directly is deprecated. Please use {@link makeMasterPasswordUnlockData}, {@link makeMasterPasswordAuthenticationData} or {@link unwrapUserKeyFromMasterPasswordUnlockData} instead.
    * @param userId The user ID.
    * @throws If the user ID is missing.
    */
   abstract masterKey$: (userId: UserId) => Observable<MasterKey>;
   /**
    * An observable that emits the master key hash for the user.
+   * @deprecated Interacting with the master-key directly is deprecated. Please use {@link makeMasterPasswordAuthenticationData}.
    * @param userId The user ID.
    * @throws If the user ID is missing.
    */
@@ -32,6 +49,7 @@ export abstract class MasterPasswordServiceAbstraction {
   abstract getMasterKeyEncryptedUserKey: (userId: UserId) => Promise<EncString>;
   /**
    * Decrypts the user key with the provided master key
+   * @deprecated Interacting with the master-key directly is deprecated. Please use {@link unwrapUserKeyFromMasterPasswordUnlockData} instead.
    * @param masterKey The user's master key
    *    * @param userId The desired user
    * @param userKey The user's encrypted symmetric key
@@ -44,33 +62,76 @@ export abstract class MasterPasswordServiceAbstraction {
     userId: string,
     userKey?: EncString,
   ) => Promise<UserKey | null>;
+
+  /**
+   * Makes the authentication hash for authenticating to the server with the master password.
+   * @param password The master password.
+   * @param kdf The KDF configuration.
+   * @param salt The master password salt to use. See {@link saltForUser$} for current salt.
+   * @throws If password, KDF or salt are null or undefined.
+   */
+  abstract makeMasterPasswordAuthenticationData: (
+    password: string,
+    kdf: KdfConfig,
+    salt: MasterPasswordSalt,
+  ) => Promise<MasterPasswordAuthenticationData>;
+
+  /**
+   * Creates a MasterPasswordUnlockData bundle that encrypts the user-key with a key derived from the password. The
+   * bundle also contains the KDF settings and salt used to derive the key, which are required to decrypt the user-key later.
+   * @param password The master password.
+   * @param kdf The KDF configuration.
+   * @param salt The master password salt to use. See {@link saltForUser$} for current salt.
+   * @param userKey The user's userKey to encrypt.
+   * @throws If password, KDF, salt, or userKey are null or undefined.
+   */
+  abstract makeMasterPasswordUnlockData: (
+    password: string,
+    kdf: KdfConfig,
+    salt: MasterPasswordSalt,
+    userKey: UserKey,
+  ) => Promise<MasterPasswordUnlockData>;
+
+  /**
+   * Unwraps a user-key that was wrapped with a password provided KDF settings. The same KDF settings and salt must be provided to unwrap the user-key, otherwise it will fail to decrypt.
+   * @throws If the encryption type is not supported.
+   * @throws If the password, KDF, or salt don't match the original wrapping parameters.
+   */
+  abstract unwrapUserKeyFromMasterPasswordUnlockData: (
+    password: string,
+    masterPasswordUnlockData: MasterPasswordUnlockData,
+  ) => Promise<UserKey>;
 }
 
 export abstract class InternalMasterPasswordServiceAbstraction extends MasterPasswordServiceAbstraction {
   /**
    * Set the master key for the user.
    * Note: Use {@link clearMasterKey} to clear the master key.
+   * @deprecated Interacting with the master-key directly is deprecated.
    * @param masterKey The master key.
    * @param userId The user ID.
    * @throws If the user ID or master key is missing.
    */
   abstract setMasterKey: (masterKey: MasterKey, userId: UserId) => Promise<void>;
   /**
    * Clear the master key for the user.
+   * @deprecated Interacting with the master-key directly is deprecated.
    * @param userId The user ID.
    * @throws If the user ID is missing.
    */
   abstract clearMasterKey: (userId: UserId) => Promise<void>;
   /**
    * Set the master key hash for the user.
    * Note: Use {@link clearMasterKeyHash} to clear the master key hash.
+   * @deprecated Interacting with the master-key directly is deprecated.
    * @param masterKeyHash The master key hash.
    * @param userId The user ID.
    * @throws If the user ID or master key hash is missing.
    */
   abstract setMasterKeyHash: (masterKeyHash: string, userId: UserId) => Promise<void>;
   /**
    * Clear the master key hash for the user.
+   * @deprecated Interacting with the master-key directly is deprecated.
    * @param userId The user ID.
    * @throws If the user ID is missing.
    */

libs/common/src/key-management/master-password/services/fake-master-password.service.ts

@@ -3,11 +3,20 @@
 import { mock } from "jest-mock-extended";
 import { ReplaySubject, Observable } from "rxjs";
 
+// FIXME: Update this file to be type safe and remove this and next line
+// eslint-disable-next-line no-restricted-imports
+import { KdfConfig } from "@bitwarden/key-management";
+
 import { ForceSetPasswordReason } from "../../../auth/models/domain/force-set-password-reason";
 import { UserId } from "../../../types/guid";
 import { MasterKey, UserKey } from "../../../types/key";
 import { EncString } from "../../crypto/models/enc-string";
 import { InternalMasterPasswordServiceAbstraction } from "../abstractions/master-password.service.abstraction";
+import {
+  MasterPasswordAuthenticationData,
+  MasterPasswordSalt,
+  MasterPasswordUnlockData,
+} from "../types/master-password.types";
 
 export class FakeMasterPasswordService implements InternalMasterPasswordServiceAbstraction {
   mock = mock<InternalMasterPasswordServiceAbstraction>();
@@ -24,6 +33,10 @@ export class FakeMasterPasswordService implements InternalMasterPasswordServiceA
     this.masterKeyHashSubject.next(initialMasterKeyHash);
   }
 
+  saltForUser$(userId: UserId): Observable<MasterPasswordSalt> {
+    return this.mock.saltForUser$(userId);
+  }
+
   masterKey$(userId: UserId): Observable<MasterKey> {
     return this.masterKeySubject.asObservable();
   }
@@ -71,4 +84,28 @@ export class FakeMasterPasswordService implements InternalMasterPasswordServiceA
   ): Promise<UserKey> {
     return this.mock.decryptUserKeyWithMasterKey(masterKey, userId, userKey);
   }
+
+  makeMasterPasswordAuthenticationData(
+    password: string,
+    kdf: KdfConfig,
+    salt: MasterPasswordSalt,
+  ): Promise<MasterPasswordAuthenticationData> {
+    return this.mock.makeMasterPasswordAuthenticationData(password, kdf, salt);
+  }
+
+  makeMasterPasswordUnlockData(
+    password: string,
+    kdf: KdfConfig,
+    salt: MasterPasswordSalt,
+    userKey: UserKey,
+  ): Promise<MasterPasswordUnlockData> {
+    return this.mock.makeMasterPasswordUnlockData(password, kdf, salt, userKey);
+  }
+
+  unwrapUserKeyFromMasterPasswordUnlockData(
+    password: string,
+    masterPasswordUnlockData: MasterPasswordUnlockData,
+  ): Promise<UserKey> {
+    return this.mock.unwrapUserKeyFromMasterPasswordUnlockData(password, masterPasswordUnlockData);
+  }
 }