Update logic for handling the pin protected user key

Author: david-livefront

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt

@@ -145,9 +145,6 @@ class AuthDiskSourceImpl(
         storeInvalidUnlockAttempts(userId = userId, invalidUnlockAttempts = null)
         storeUserKey(userId = userId, userKey = null)
         storeUserAutoUnlockKey(userId = userId, userAutoUnlockKey = null)
-        storePinProtectedUserKey(userId = userId, pinProtectedUserKey = null)
-        storePinProtectedUserKeyEnvelope(userId = userId, pinProtectedUserKeyEnvelope = null)
-        storeEncryptedPin(userId = userId, encryptedPin = null)
         storePrivateKey(userId = userId, privateKey = null)
         storeAccountKeys(userId = userId, accountKeys = null)
         storeOrganizationKeys(userId = userId, organizationKeys = null)
@@ -163,9 +160,13 @@ class AuthDiskSourceImpl(
         storeShowImportLogins(userId = userId, showImportLogins = null)
         storeLastLockTimestamp(userId = userId, lastLockTimestamp = null)
 
-        // Do not remove the DeviceKey or PendingAuthRequest on logout, these are persisted
-        // indefinitely unless the TDE flow explicitly removes them.
-        // Do not remove OnboardingStatus we want to keep track of this even after logout.
+        // Certain values are never removed as required by the feature requirements:
+        // * EncryptedPin
+        // * PinProtectedUserKey
+        // * PinProtectedUserKeyEnvelope
+        // * DeviceKey
+        // * PendingAuthRequest
+        // * OnboardingStatus
     }
 
     override fun getAuthenticatorSyncUnlockKey(userId: String): String? =

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/manager/UserLogoutManagerImpl.kt

@@ -77,16 +77,10 @@ class UserLogoutManagerImpl(
         if (isExpired) {
             showToast(message = BitwardenString.login_expired)
         }
-        authDiskSource.storeAccountTokens(
-            userId = userId,
-            accountTokens = null,
-        )
 
         // Save any data that will still need to be retained after otherwise clearing all dat
         val vaultTimeoutInMinutes = settingsDiskSource.getVaultTimeoutInMinutes(userId = userId)
         val vaultTimeoutAction = settingsDiskSource.getVaultTimeoutAction(userId = userId)
-        val pinProtectedUserKeyEnvelope = authDiskSource
-            .getPinProtectedUserKeyEnvelope(userId = userId)
 
         switchUserIfAvailable(
             currentUserId = userId,
@@ -108,10 +102,6 @@ class UserLogoutManagerImpl(
                 vaultTimeoutAction = vaultTimeoutAction,
             )
         }
-        authDiskSource.storePinProtectedUserKeyEnvelope(
-            userId = userId,
-            pinProtectedUserKeyEnvelope = pinProtectedUserKeyEnvelope,
-        )
     }
 
     private fun clearData(userId: String) {

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/PinProtectedUserKeyManager.kt

@@ -0,0 +1,30 @@
+package com.x8bit.bitwarden.data.vault.manager
+
+/**
+ * Manager class to manage the pin-protected user key.
+ */
+interface PinProtectedUserKeyManager {
+    /**
+     * Checks if the given [userId] has an associated encrypted PIN key but not a pin-protected
+     * user key. This indicates a scenario in which a user has requested PIN unlocking but requires
+     * master-password unlocking on app restart. This function may then be called after such an
+     * unlock to derive a pin-protected user key and store it in memory for use for any subsequent
+     * unlocks during this current app session.
+     *
+     * If the user's vault has not yet been unlocked, this call will do nothing.
+     *
+     * @param userId The ID of the user to check.
+     */
+    suspend fun deriveTemporaryPinProtectedUserKeyIfNecessary(userId: String)
+
+    /**
+     * Migrates the PIN-protected user key for the given user if needed.
+     *
+     * If an encrypted PIN exists and no PIN-protected user key envelope is present, enrolls the
+     * PIN with the encrypted PIN and stores the resulting envelope.
+     * Optionally marks the envelope as in-memory only if the PIN-protected user key is not present.
+     *
+     * @param userId The ID of the user for whom to migrate the PIN-protected user key.
+     */
+    suspend fun migratePinProtectedUserKeyIfNeeded(userId: String)
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/PinProtectedUserKeyManagerImpl.kt

@@ -0,0 +1,95 @@
+package com.x8bit.bitwarden.data.vault.manager
+
+import com.bitwarden.core.EnrollPinResponse
+import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
+import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
+import timber.log.Timber
+
+/**
+ * The default implementation of the [PinProtectedUserKeyManager].
+ */
+internal class PinProtectedUserKeyManagerImpl(
+    private val authDiskSource: AuthDiskSource,
+    private val vaultSdkSource: VaultSdkSource,
+) : PinProtectedUserKeyManager {
+    override suspend fun deriveTemporaryPinProtectedUserKeyIfNecessary(userId: String) {
+        val encryptedPin = authDiskSource.getEncryptedPin(userId = userId) ?: return
+        if (authDiskSource.getPinProtectedUserKeyEnvelope(userId = userId) != null) return
+
+        this
+            .enrollPinWithEncryptedPin(
+                userId = userId,
+                encryptedPin = encryptedPin,
+                inMemoryOnly = true,
+            )
+            .onSuccess {
+                Timber.d("[Auth] Set PIN-protected user key in memory")
+            }
+    }
+
+    override suspend fun migratePinProtectedUserKeyIfNeeded(userId: String) {
+        val encryptedPin = authDiskSource.getEncryptedPin(userId = userId) ?: return
+        if (authDiskSource.getPinProtectedUserKeyEnvelope(userId = userId) != null) return
+
+        val inMemoryOnly = authDiskSource.getPinProtectedUserKey(userId = userId) == null
+        this
+            .enrollPinWithEncryptedPin(
+                userId = userId,
+                encryptedPin = encryptedPin,
+                inMemoryOnly = inMemoryOnly,
+            )
+            .onSuccess {
+                if (inMemoryOnly) {
+                    Timber.d("[Auth] Set PIN-protected user key in memory")
+                } else {
+                    Timber.d("[Auth] Migrated from legacy PIN to PIN-protected user key envelope")
+                }
+            }
+    }
+
+    private suspend fun enrollPinWithEncryptedPin(
+        userId: String,
+        encryptedPin: String,
+        inMemoryOnly: Boolean,
+    ): Result<EnrollPinResponse> =
+        vaultSdkSource
+            .enrollPinWithEncryptedPin(userId = userId, encryptedPin = encryptedPin)
+            .onSuccess { enrollPinResponse ->
+                storePinData(
+                    userId = userId,
+                    encryptedPin = enrollPinResponse.userKeyEncryptedPin,
+                    pinProtectedUserKeyEnvelope = enrollPinResponse.pinProtectedUserKeyEnvelope,
+                    inMemoryOnly = inMemoryOnly,
+                )
+            }
+            .onFailure {
+                storePinData(
+                    userId = userId,
+                    encryptedPin = null,
+                    pinProtectedUserKeyEnvelope = null,
+                    inMemoryOnly = false,
+                )
+            }
+
+    private fun storePinData(
+        userId: String,
+        encryptedPin: String?,
+        pinProtectedUserKeyEnvelope: String?,
+        inMemoryOnly: Boolean,
+    ) {
+        authDiskSource.storeEncryptedPin(userId = userId, encryptedPin = encryptedPin)
+        authDiskSource.storePinProtectedUserKeyEnvelope(
+            userId = userId,
+            pinProtectedUserKeyEnvelope = pinProtectedUserKeyEnvelope,
+            inMemoryOnly = inMemoryOnly,
+        )
+        // This property is deprecated and we should be migrated to the PinProtectedUserKeyEnvelope.
+        // Because of this, we always clear this value and it should always be cleared at the disk
+        // level, not the in-memory level.
+        authDiskSource.storePinProtectedUserKey(
+            userId = userId,
+            pinProtectedUserKey = null,
+            inMemoryOnly = false,
+        )
+    }
+}

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManagerImpl.kt

@@ -91,6 +91,7 @@ class VaultLockManagerImpl(
     private val userLogoutManager: UserLogoutManager,
     private val trustedDeviceManager: TrustedDeviceManager,
     private val kdfManager: KdfManager,
+    private val pinProtectedUserKeyManager: PinProtectedUserKeyManager,
     dispatcherManager: DispatcherManager,
     context: Context,
 ) : VaultLockManager {
@@ -234,7 +235,8 @@ class VaultLockManagerImpl(
                                         trustedDeviceManager
                                             .trustThisDeviceIfNecessary(userId = userId)
                                         updateKdfIfNeeded(initUserCryptoMethod)
-                                        migratePinProtectedUserKeyIfNeeded(userId = userId)
+                                        pinProtectedUserKeyManager
+                                            .migratePinProtectedUserKeyIfNeeded(userId = userId)
                                         setVaultToUnlocked(userId = userId)
                                     } else {
                                         incrementInvalidUnlockCount(userId = userId)
@@ -308,47 +310,6 @@ class VaultLockManagerImpl(
             )
     }
 
-    /**
-     * Migrates the PIN-protected user key for the given user if needed.
-     *
-     * If an encrypted PIN exists and no PIN-protected user key envelope is present,
-     * enrolls the PIN with the encrypted PIN and stores the resulting envelope.
-     * Optionally marks the envelope as in-memory only if the PIN-protected user key is not present.
-     *
-     * @param userId The ID of the user for whom to migrate the PIN-protected user key.
-     */
-    private suspend fun migratePinProtectedUserKeyIfNeeded(
-        userId: String,
-    ) {
-        val encryptedPin = authDiskSource.getEncryptedPin(userId) ?: return
-        if (authDiskSource.getPinProtectedUserKeyEnvelope(userId) != null) return
-
-        val inMemoryOnly = authDiskSource.getPinProtectedUserKey(userId) == null
-
-        vaultSdkSource.enrollPinWithEncryptedPin(userId, encryptedPin)
-            .onSuccess { enrollPinResponse ->
-                authDiskSource.storeEncryptedPin(
-                    userId = userId,
-                    encryptedPin = enrollPinResponse.userKeyEncryptedPin,
-                )
-                authDiskSource.storePinProtectedUserKeyEnvelope(
-                    userId = userId,
-                    pinProtectedUserKeyEnvelope = enrollPinResponse.pinProtectedUserKeyEnvelope,
-                    inMemoryOnly = inMemoryOnly,
-                )
-                authDiskSource.storePinProtectedUserKey(
-                    userId = userId,
-                    pinProtectedUserKey = null,
-                    inMemoryOnly = inMemoryOnly,
-                )
-                if (inMemoryOnly) {
-                    Timber.d("[Auth] Set PIN-protected user key in memory")
-                } else {
-                    Timber.d("[Auth] Migrated from legacy PIN to PIN-protected user key envelope")
-                }
-            }
-    }
-
     /**
      * Increments the stored invalid unlock count for the given [userId] and automatically logs out
      * if this new value is greater than [MAXIMUM_INVALID_UNLOCK_ATTEMPTS].

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/di/VaultManagerModule.kt

@@ -31,6 +31,8 @@ import com.x8bit.bitwarden.data.vault.manager.FileManager
 import com.x8bit.bitwarden.data.vault.manager.FileManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.FolderManager
 import com.x8bit.bitwarden.data.vault.manager.FolderManagerImpl
+import com.x8bit.bitwarden.data.vault.manager.PinProtectedUserKeyManager
+import com.x8bit.bitwarden.data.vault.manager.PinProtectedUserKeyManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.SendManager
 import com.x8bit.bitwarden.data.vault.manager.SendManagerImpl
 import com.x8bit.bitwarden.data.vault.manager.TotpCodeManager
@@ -146,6 +148,7 @@ object VaultManagerModule {
         dispatcherManager: DispatcherManager,
         trustedDeviceManager: TrustedDeviceManager,
         kdfManager: KdfManager,
+        pinProtectedUserKeyManager: PinProtectedUserKeyManager,
     ): VaultLockManager =
         VaultLockManagerImpl(
             context = context,
@@ -160,6 +163,18 @@ object VaultManagerModule {
             dispatcherManager = dispatcherManager,
             trustedDeviceManager = trustedDeviceManager,
             kdfManager = kdfManager,
+            pinProtectedUserKeyManager = pinProtectedUserKeyManager,
+        )
+
+    @Provides
+    @Singleton
+    fun providePinProtectedUserKeyManager(
+        authDiskSource: AuthDiskSource,
+        vaultSdkSource: VaultSdkSource,
+    ): PinProtectedUserKeyManager =
+        PinProtectedUserKeyManagerImpl(
+            authDiskSource = authDiskSource,
+            vaultSdkSource = vaultSdkSource,
         )
 
     @Provides

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/repository/VaultRepositoryImpl.kt

@@ -28,6 +28,7 @@ import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.manager.CipherManager
 import com.x8bit.bitwarden.data.vault.manager.CredentialExchangeImportManager
 import com.x8bit.bitwarden.data.vault.manager.FolderManager
+import com.x8bit.bitwarden.data.vault.manager.PinProtectedUserKeyManager
 import com.x8bit.bitwarden.data.vault.manager.SendManager
 import com.x8bit.bitwarden.data.vault.manager.TotpCodeManager
 import com.x8bit.bitwarden.data.vault.manager.VaultLockManager
@@ -40,7 +41,6 @@ import com.x8bit.bitwarden.data.vault.repository.model.GenerateTotpResult
 import com.x8bit.bitwarden.data.vault.repository.model.ImportCredentialsResult
 import com.x8bit.bitwarden.data.vault.repository.model.TotpCodeResult
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockResult
-import com.x8bit.bitwarden.data.vault.repository.util.logTag
 import com.x8bit.bitwarden.data.vault.repository.util.toEncryptedSdkCipher
 import com.x8bit.bitwarden.data.vault.repository.util.toEncryptedSdkFolder
 import com.x8bit.bitwarden.data.vault.repository.util.toSdkAccount
@@ -79,6 +79,7 @@ class VaultRepositoryImpl(
     private val totpCodeManager: TotpCodeManager,
     private val vaultSyncManager: VaultSyncManager,
     private val credentialExchangeImportManager: CredentialExchangeImportManager,
+    private val pinProtectedUserKeyManager: PinProtectedUserKeyManager,
     dispatcherManager: DispatcherManager,
 ) : VaultRepository,
     CipherManager by cipherManager,
@@ -328,11 +329,8 @@ class VaultRepositoryImpl(
                         )
                         authDiskSource.storeUserBiometricInitVector(userId = userId, iv = cipher.iv)
                     }
-                    deriveTemporaryPinProtectedUserKeyIfNecessary(
+                    pinProtectedUserKeyManager.deriveTemporaryPinProtectedUserKeyIfNecessary(
                         userId = userId,
-                        initUserCryptoMethod = InitUserCryptoMethod.DecryptedKey(
-                            decryptedUserKey = decryptedUserKey,
-                        ),
                     )
                 }
             }
@@ -369,9 +367,8 @@ class VaultRepositoryImpl(
             )
             .also {
                 if (it is VaultUnlockResult.Success) {
-                    deriveTemporaryPinProtectedUserKeyIfNecessary(
+                    pinProtectedUserKeyManager.deriveTemporaryPinProtectedUserKeyIfNecessary(
                         userId = userId,
-                        initUserCryptoMethod = initUserCryptoMethod,
                     )
                 }
             }
@@ -530,54 +527,6 @@ class VaultRepositoryImpl(
             )
     }
 
-    /**
-     * Checks if the given [userId] has an associated encrypted PIN key but not a pin-protected user
-     * key. This indicates a scenario in which a user has requested PIN unlocking but requires
-     * master-password unlocking on app restart. This function may then be called after such an
-     * unlock to derive a pin-protected user key and store it in memory for use for any subsequent
-     * unlocks during this current app session.
-     *
-     * If the user's vault has not yet been unlocked, this call will do nothing.
-     *
-     * @param userId The ID of the user to check.
-     * @param initUserCryptoMethod The method used to initialize the user's crypto.
-     */
-    private suspend fun deriveTemporaryPinProtectedUserKeyIfNecessary(
-        userId: String,
-        initUserCryptoMethod: InitUserCryptoMethod,
-    ) {
-        Timber.d("[Auth] Vault unlocked, method: ${initUserCryptoMethod.logTag}")
-        val encryptedPin = authDiskSource.getEncryptedPin(userId = userId) ?: return
-        val existingPinProtectedUserKeyEnvelope = authDiskSource
-            .getPinProtectedUserKeyEnvelope(
-                userId = userId,
-            )
-        if (existingPinProtectedUserKeyEnvelope != null) return
-
-        vaultSdkSource
-            .enrollPinWithEncryptedPin(
-                userId = userId,
-                encryptedPin = encryptedPin,
-            )
-            .onSuccess { enrollPinResponse ->
-                authDiskSource.storeEncryptedPin(
-                    userId = userId,
-                    encryptedPin = enrollPinResponse.userKeyEncryptedPin,
-                )
-                authDiskSource.storePinProtectedUserKeyEnvelope(
-                    userId = userId,
-                    pinProtectedUserKeyEnvelope = enrollPinResponse.pinProtectedUserKeyEnvelope,
-                    inMemoryOnly = true,
-                )
-                authDiskSource.storePinProtectedUserKey(
-                    userId = userId,
-                    pinProtectedUserKey = null,
-                    inMemoryOnly = true,
-                )
-                Timber.d("[Auth] Set PIN-protected user key in memory")
-            }
-    }
-
     private suspend fun unlockVaultForUser(
         userId: String,
         initUserCryptoMethod: InitUserCryptoMethod,