[PM-5363] PinService State Providers (#8244)

* move pinKeyEncryptedUserKey

* move pinKeyEncryptedUserKeyEphemeral

* remove comments, move docs

* cleanup

* use UserKeyDefinition

* refactor methods

* add migration

* fix browser dependency

* add tests for migration

* rename to pinService

* move state to PinService

* add PinService dep to CryptoService

* move protectedPin to state provider

* update service deps

* renaming

* move decryptUserKeyWithPin to pinService

* update service injection

* move more methods our of crypto service

* remove CryptoService dep from PinService and update service injection

* remove cryptoService reference

* add method to FakeMasterPasswordService

* fix circular dependency

* fix desktop service injection

* update browser dependencies

* add protectedPin to migrations

* move storePinKey to pinService

* update and clarify documentation

* more jsdoc updates

* update import paths

* refactor isPinLockSet method

* update state definitions

* initialize service before injecting into other services

* initialize service before injecting into other services (bw.ts)

* update clearOn and do additional cleanup

* clarify docs and naming

* assign abstract & private methods, add clarity to decryptAndMigrateOldPinKeyEncryptedMasterKey() method

* derived state (attempt)

* fix typos

* use accountService to get active user email

* use constant userId

* add derived state

* add get and clear for oldPinKeyEncryptedMasterKey

* require userId

* move pinProtected

* add clear methods

* remove pinProtected from account.ts and replace methods

* add methods to create and store pinKeyEncryptedUserKey

* add pinProtected/oldPinKeyEncrypterMasterKey to migration

* update migration tests

* update migration rollback tests

* update to systemService and decryptAndMigrate... method

* remove old test

* increase length of state definition name to meet test requirements

* rename 'TRANSIENT' to 'EPHEMERAL' for consistency

* fix tests for login strategies, vault-export, and fake MP service

* more updates to login-strategy tests

* write new tests for core pinKeyEncrypterUserKey methods and isPinSet

* write new tests for pinProtected and oldPinKeyEncryptedMasterKey methods

* minor test reformatting

* update test for decryptUserKeyWithPin()

* fix bug with oldPinKeyEncryptedMasterKey

* fix tests for vault-timeout-settings.service

* fix bitwarden-password-protected-importer test

* fix login strategy tests and auth-request.service test

* update pinService tests

* fix crypto service tests

* add jsdoc

* fix test file import

* update jsdocs for decryptAndMigrateOldPinKeyEncryptedMasterKey()

* update error messages and jsdocs

* add null checks, move userId retrievals

* update migration tests

* update stateService calls to require userId

* update test for decryptUserKeyWithPin()

* update oldPinKeyEncryptedMasterKey migration tests

* more test updates

* fix factory import

* update tests for isPinSet() and createProtectedPin()

* add test for makePinKey()

* add test for createPinKeyEncryptedUserKey()

* add tests for getPinLockType()

* consolidate userId verification tests

* add tests for storePinKeyEncryptedUserKey()

* fix service dep

* get email based on userId

* use MasterPasswordService instead of internal

* rename protectedPin to userKeyEncryptedPin

* rename to pinKeyEncryptedUserKeyPersistent

* update method params

* fix CryptoService tests

* jsdoc update

* use EncString for userKeyEncryptedPin

* remove comment

* use cryptoFunctionService.compareFast()

* update tests

* cleanup, remove comments

* resolve merge conflict

* fix DI of MasterPasswordService

* more DI fixes

apps/browser/src/auth/background/service-factories/master-password-service.factory.ts

@@ -4,20 +4,35 @@ import {
 } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
 import { MasterPasswordService } from "@bitwarden/common/auth/services/master-password/master-password.service";
 
+import {
+  encryptServiceFactory,
+  EncryptServiceInitOptions,
+} from "../../../platform/background/service-factories/encrypt-service.factory";
 import {
   CachedServices,
   factory,
   FactoryOptions,
 } from "../../../platform/background/service-factories/factory-options";
+import {
+  keyGenerationServiceFactory,
+  KeyGenerationServiceInitOptions,
+} from "../../../platform/background/service-factories/key-generation-service.factory";
 import {
   stateProviderFactory,
   StateProviderInitOptions,
 } from "../../../platform/background/service-factories/state-provider.factory";
+import {
+  stateServiceFactory,
+  StateServiceInitOptions,
+} from "../../../platform/background/service-factories/state-service.factory";
 
 type MasterPasswordServiceFactoryOptions = FactoryOptions;
 
 export type MasterPasswordServiceInitOptions = MasterPasswordServiceFactoryOptions &
-  StateProviderInitOptions;
+  StateProviderInitOptions &
+  StateServiceInitOptions &
+  KeyGenerationServiceInitOptions &
+  EncryptServiceInitOptions;
 
 export function internalMasterPasswordServiceFactory(
   cache: { masterPasswordService?: InternalMasterPasswordServiceAbstraction } & CachedServices,
@@ -27,7 +42,13 @@ export function internalMasterPasswordServiceFactory(
     cache,
     "masterPasswordService",
     opts,
-    async () => new MasterPasswordService(await stateProviderFactory(cache, opts)),
+    async () =>
+      new MasterPasswordService(
+        await stateProviderFactory(cache, opts),
+        await stateServiceFactory(cache, opts),
+        await keyGenerationServiceFactory(cache, opts),
+        await encryptServiceFactory(cache, opts),
+      ),
   );
 }
 

apps/browser/src/auth/background/service-factories/pin-service.factory.ts

@@ -0,0 +1,74 @@
+import { PinServiceAbstraction, PinService } from "@bitwarden/auth/common";
+
+import {
+  CryptoFunctionServiceInitOptions,
+  cryptoFunctionServiceFactory,
+} from "../../../platform/background/service-factories/crypto-function-service.factory";
+import {
+  EncryptServiceInitOptions,
+  encryptServiceFactory,
+} from "../../../platform/background/service-factories/encrypt-service.factory";
+import {
+  FactoryOptions,
+  CachedServices,
+  factory,
+} from "../../../platform/background/service-factories/factory-options";
+import {
+  KeyGenerationServiceInitOptions,
+  keyGenerationServiceFactory,
+} from "../../../platform/background/service-factories/key-generation-service.factory";
+import {
+  LogServiceInitOptions,
+  logServiceFactory,
+} from "../../../platform/background/service-factories/log-service.factory";
+import {
+  StateProviderInitOptions,
+  stateProviderFactory,
+} from "../../../platform/background/service-factories/state-provider.factory";
+import {
+  StateServiceInitOptions,
+  stateServiceFactory,
+} from "../../../platform/background/service-factories/state-service.factory";
+
+import { AccountServiceInitOptions, accountServiceFactory } from "./account-service.factory";
+import { KdfConfigServiceInitOptions, kdfConfigServiceFactory } from "./kdf-config-service.factory";
+import {
+  MasterPasswordServiceInitOptions,
+  masterPasswordServiceFactory,
+} from "./master-password-service.factory";
+
+type PinServiceFactoryOptions = FactoryOptions;
+
+export type PinServiceInitOptions = PinServiceFactoryOptions &
+  AccountServiceInitOptions &
+  CryptoFunctionServiceInitOptions &
+  EncryptServiceInitOptions &
+  KdfConfigServiceInitOptions &
+  KeyGenerationServiceInitOptions &
+  LogServiceInitOptions &
+  MasterPasswordServiceInitOptions &
+  StateProviderInitOptions &
+  StateServiceInitOptions;
+
+export function pinServiceFactory(
+  cache: { pinService?: PinServiceAbstraction } & CachedServices,
+  opts: PinServiceInitOptions,
+): Promise<PinServiceAbstraction> {
+  return factory(
+    cache,
+    "pinService",
+    opts,
+    async () =>
+      new PinService(
+        await accountServiceFactory(cache, opts),
+        await cryptoFunctionServiceFactory(cache, opts),
+        await encryptServiceFactory(cache, opts),
+        await kdfConfigServiceFactory(cache, opts),
+        await keyGenerationServiceFactory(cache, opts),
+        await logServiceFactory(cache, opts),
+        await masterPasswordServiceFactory(cache, opts),
+        await stateProviderFactory(cache, opts),
+        await stateServiceFactory(cache, opts),
+      ),
+  );
+}

apps/browser/src/auth/background/service-factories/user-verification-service.factory.ts

@@ -37,7 +37,7 @@ import {
   internalMasterPasswordServiceFactory,
   MasterPasswordServiceInitOptions,
 } from "./master-password-service.factory";
-import { PinCryptoServiceInitOptions, pinCryptoServiceFactory } from "./pin-crypto-service.factory";
+import { PinServiceInitOptions, pinServiceFactory } from "./pin-service.factory";
 import {
   userDecryptionOptionsServiceFactory,
   UserDecryptionOptionsServiceInitOptions,
@@ -57,7 +57,7 @@ export type UserVerificationServiceInitOptions = UserVerificationServiceFactoryO
   I18nServiceInitOptions &
   UserVerificationApiServiceInitOptions &
   UserDecryptionOptionsServiceInitOptions &
-  PinCryptoServiceInitOptions &
+  PinServiceInitOptions &
   LogServiceInitOptions &
   VaultTimeoutSettingsServiceInitOptions &
   PlatformUtilsServiceInitOptions &
@@ -80,7 +80,7 @@ export function userVerificationServiceFactory(
         await i18nServiceFactory(cache, opts),
         await userVerificationApiServiceFactory(cache, opts),
         await userDecryptionOptionsServiceFactory(cache, opts),
-        await pinCryptoServiceFactory(cache, opts),
+        await pinServiceFactory(cache, opts),
         await logServiceFactory(cache, opts),
         await vaultTimeoutSettingsServiceFactory(cache, opts),
         await platformUtilsServiceFactory(cache, opts),

apps/browser/src/auth/popup/components/set-pin.component.html

@@ -12,8 +12,16 @@
         <input class="tw-font-mono" bitInput type="password" formControlName="pin" />
         <button type="button" bitIconButton bitSuffix bitPasswordInputToggle></button>
       </bit-form-field>
-      <label class="tw-flex tw-items-start tw-gap-2" *ngIf="showMasterPassOnRestart">
-        <input class="tw-mt-1" type="checkbox" bitCheckbox formControlName="masterPassOnRestart" />
+      <label
+        class="tw-flex tw-items-start tw-gap-2"
+        *ngIf="showMasterPasswordOnClientRestartOption"
+      >
+        <input
+          class="tw-mt-1"
+          type="checkbox"
+          bitCheckbox
+          formControlName="requireMasterPasswordOnClientRestart"
+        />
         <span>{{ "lockWithMasterPassOnRestart" | i18n }}</span>
       </label>
     </div>

apps/browser/src/auth/popup/lock.component.ts

@@ -3,7 +3,7 @@ import { Router } from "@angular/router";
 import { firstValueFrom } from "rxjs";
 
 import { LockComponent as BaseLockComponent } from "@bitwarden/angular/auth/components/lock.component";
-import { PinCryptoServiceAbstraction } from "@bitwarden/auth/common";
+import { PinServiceAbstraction } from "@bitwarden/auth/common";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
 import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
@@ -63,7 +63,7 @@ export class LockComponent extends BaseLockComponent {
     dialogService: DialogService,
     deviceTrustService: DeviceTrustServiceAbstraction,
     userVerificationService: UserVerificationService,
-    pinCryptoService: PinCryptoServiceAbstraction,
+    pinService: PinServiceAbstraction,
     private routerService: BrowserRouterService,
     biometricStateService: BiometricStateService,
     accountService: AccountService,
@@ -89,7 +89,7 @@ export class LockComponent extends BaseLockComponent {
       dialogService,
       deviceTrustService,
       userVerificationService,
-      pinCryptoService,
+      pinService,
       biometricStateService,
       accountService,
       authService,

apps/browser/src/auth/popup/settings/account-security.component.ts

@@ -16,6 +16,7 @@ import {
 } from "rxjs";
 
 import { FingerprintDialogComponent } from "@bitwarden/auth/angular";
+import { PinServiceAbstraction } from "@bitwarden/auth/common";
 import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
 import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
@@ -71,6 +72,7 @@ export class AccountSecurityComponent implements OnInit {
 
   constructor(
     private accountService: AccountService,
+    private pinService: PinServiceAbstraction,
     private policyService: PolicyService,
     private formBuilder: FormBuilder,
     private platformUtilsService: PlatformUtilsService,
@@ -131,7 +133,6 @@ export class AccountSecurityComponent implements OnInit {
     if (timeout === -2 && !showOnLocked) {
       timeout = -1;
     }
-    const pinStatus = await this.vaultTimeoutSettingsService.isPinLockSet();
 
     this.form.controls.vaultTimeout.valueChanges
       .pipe(
@@ -153,12 +154,14 @@ export class AccountSecurityComponent implements OnInit {
       )
       .subscribe();
 
+    const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
+
     const initialValues = {
       vaultTimeout: timeout,
       vaultTimeoutAction: await firstValueFrom(
         this.vaultTimeoutSettingsService.vaultTimeoutAction$(),
       ),
-      pin: pinStatus !== "DISABLED",
+      pin: await this.pinService.isPinSet(userId),
       biometric: await this.vaultTimeoutSettingsService.isBiometricLockSet(),
       enableAutoBiometricsPrompt: await firstValueFrom(
         this.biometricStateService.promptAutomatically$,