PM-39006: Update the setPassword flow for TDE users

Author: david-livefront

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt

@@ -2,6 +2,7 @@ package com.x8bit.bitwarden.data.auth.repository
 
 import com.bitwarden.core.AuthRequestMethod
 import com.bitwarden.core.InitUserCryptoMethod
+import com.bitwarden.core.MasterPasswordUnlockData
 import com.bitwarden.core.RegisterTdeKeyResponse
 import com.bitwarden.core.WrappedAccountCryptographicState
 import com.bitwarden.core.data.manager.dispatcher.DispatcherManager
@@ -1145,10 +1146,10 @@ class AuthRepositoryImpl(
         organizationIdentifier: String,
         password: String,
         passwordHint: String?,
-    ): SetPasswordResult {
+    ): SetPasswordResult = userStateManager.userStateTransaction {
         val profile = authDiskSource.userState?.activeAccount?.profile
-            ?: return SetPasswordResult.Error(error = NoActiveUserException())
-        return when (profile.forcePasswordResetReason) {
+            ?: return@userStateTransaction SetPasswordResult.Error(error = NoActiveUserException())
+        return@userStateTransaction when (profile.forcePasswordResetReason) {
             ForcePasswordResetReason.TDE_USER_WITHOUT_PASSWORD_HAS_PASSWORD_RESET_PERMISSION -> {
                 setUpdatedPassword(
                     profile = profile,
@@ -1196,30 +1197,25 @@ class AuthRepositoryImpl(
                             keys = null,
                         ),
                     )
-                    .map { response.passwordHash }
+                    .map { response }
             }
-            .flatMap { masterPasswordHash ->
-                when (val result = vaultRepository.unlockVaultWithMasterPassword(password)) {
-                    is VaultUnlockResult.Success -> {
-                        enrollUserInPasswordReset(
-                            userId = userId,
-                            organizationIdentifier = organizationIdentifier,
-                            passwordHash = masterPasswordHash,
-                        )
-                    }
-
-                    is VaultUnlockError -> {
-                        (result.error ?: IllegalStateException("Failed to unlock vault"))
-                            .asFailure()
-                    }
-                }
-            }
-            .onSuccess {
+            .onSuccess { response ->
                 authDiskSource.userState = authDiskSource.userState?.toUserStateJsonWithPassword(
-                    masterPasswordUnlock = null,
+                    masterPasswordUnlock = MasterPasswordUnlockData(
+                        kdf = profile.toSdkParams(),
+                        masterKeyWrappedUserKey = response.newKey,
+                        salt = profile.email,
+                    ),
                 )
                 this.organizationIdentifier = null
             }
+            .flatMap { response ->
+                enrollUserInPasswordReset(
+                    userId = userId,
+                    organizationIdentifier = organizationIdentifier,
+                    passwordHash = response.passwordHash,
+                )
+            }
             .fold(
                 onFailure = { SetPasswordResult.Error(error = it) },
                 onSuccess = { SetPasswordResult.Success },
@@ -1326,16 +1322,26 @@ class AuthRepositoryImpl(
                                 privateKey = response.keys.private,
                             ),
                         )
+                        authDiskSource.userState = authDiskSource
+                            .userState
+                            ?.toUserStateJsonWithPassword(
+                                masterPasswordUnlock = MasterPasswordUnlockData(
+                                    kdf = profile.toSdkParams(),
+                                    masterKeyWrappedUserKey = response.encryptedUserKey,
+                                    salt = profile.email,
+                                ),
+                            )
+                        this.organizationIdentifier = null
                     }
-                    .map { response.masterPasswordHash }
+                    .map { response }
             }
-            .flatMap { masterPasswordHash ->
+            .flatMap { response ->
                 when (val result = vaultRepository.unlockVaultWithMasterPassword(password)) {
                     is VaultUnlockResult.Success -> {
                         enrollUserInPasswordReset(
                             userId = userId,
                             organizationIdentifier = organizationIdentifier,
-                            passwordHash = masterPasswordHash,
+                            passwordHash = response.masterPasswordHash,
                         )
                     }
 
@@ -1345,12 +1351,6 @@ class AuthRepositoryImpl(
                     }
                 }
             }
-            .onSuccess {
-                authDiskSource.userState = authDiskSource.userState?.toUserStateJsonWithPassword(
-                    masterPasswordUnlock = null,
-                )
-                this.organizationIdentifier = null
-            }
             .fold(
                 onFailure = { SetPasswordResult.Error(error = it) },
                 onSuccess = { SetPasswordResult.Success },

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/UserStateJsonExtensions.kt

@@ -10,6 +10,7 @@ import com.bitwarden.network.model.UserDecryptionOptionsJson
 import com.bitwarden.policies.PolicyType
 import com.bitwarden.policies.PolicyView
 import com.bitwarden.ui.platform.base.util.toHexColorRepresentation
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetReason
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toKdfRequestModel
@@ -84,56 +85,69 @@ fun UserStateJson.toUpdatedUserStateJson(
         }
         ?: profile
             .userDecryptionOptions
-            ?.copy(masterPasswordUnlock = null)
-
-    val updatedProfile = profile
-        .copy(
-            avatarColorHex = syncProfile.avatarColor,
-            stamp = syncProfile.securityStamp,
-            hasPremiumPersonally = syncProfile.isPremium,
-            hasPremiumFromOrganization = syncProfile.isPremiumFromOrganization,
-            isTwoFactorEnabled = syncProfile.isTwoFactorEnabled,
-            creationDate = syncProfile.creationDate,
-            userDecryptionOptions = userDecryptionOptions,
-            kdfType = masterPasswordUnlockKdf?.kdfType
-                ?: profile.kdfType,
-            kdfIterations = masterPasswordUnlockKdf?.iterations
-                ?: profile.kdfIterations,
-            kdfMemory = masterPasswordUnlockKdf?.memory
-                ?: profile.kdfMemory,
-            kdfParallelism = masterPasswordUnlockKdf?.parallelism
-                ?: profile.kdfParallelism,
-        )
+            ?.copy(
+                hasMasterPassword = false,
+                masterPasswordUnlock = null,
+            )
+    val forcePasswordResetReason = syncProfile.getForcePasswordResetReason(
+        userDecryptionOptions = userDecryptionOptions,
+        previousForcePasswordResetReason = profile.forcePasswordResetReason,
+    )
+    val updatedProfile = profile.copy(
+        forcePasswordResetReason = forcePasswordResetReason,
+        avatarColorHex = syncProfile.avatarColor,
+        stamp = syncProfile.securityStamp,
+        hasPremiumPersonally = syncProfile.isPremium,
+        hasPremiumFromOrganization = syncProfile.isPremiumFromOrganization,
+        isTwoFactorEnabled = syncProfile.isTwoFactorEnabled,
+        creationDate = syncProfile.creationDate,
+        userDecryptionOptions = userDecryptionOptions,
+        kdfType = masterPasswordUnlockKdf?.kdfType ?: profile.kdfType,
+        kdfIterations = masterPasswordUnlockKdf?.iterations ?: profile.kdfIterations,
+        kdfMemory = masterPasswordUnlockKdf?.memory ?: profile.kdfMemory,
+        kdfParallelism = masterPasswordUnlockKdf?.parallelism ?: profile.kdfParallelism,
+    )
     val updatedAccount = account.copy(profile = updatedProfile)
-    return this
-        .copy(
-            accounts = accounts
-                .toMutableMap()
-                .apply {
-                    replace(userId, updatedAccount)
-                },
-        )
+    return this.copy(
+        accounts = accounts
+            .toMutableMap()
+            .apply { replace(userId, updatedAccount) },
+    )
+}
+
+private fun SyncResponseJson.Profile.getForcePasswordResetReason(
+    userDecryptionOptions: UserDecryptionOptionsJson?,
+    previousForcePasswordResetReason: ForcePasswordResetReason?,
+): ForcePasswordResetReason? {
+    val hasManageResetPasswordPermission = this.organizations.orEmpty().any {
+        it.type == OrganizationType.OWNER ||
+            it.type == OrganizationType.ADMIN ||
+            it.permissions.shouldManageResetPassword
+    }
+    return ForcePasswordResetReason
+        .TDE_USER_WITHOUT_PASSWORD_HAS_PASSWORD_RESET_PERMISSION
+        .takeIf {
+            userDecryptionOptions?.hasMasterPassword == false &&
+                hasManageResetPasswordPermission
+        }
+        ?: previousForcePasswordResetReason
 }
 
 /**
  * Updates the [UserStateJson] to set the `hasMasterPassword` value to `true` after a user sets
  * their password.
  */
 fun UserStateJson.toUserStateJsonWithPassword(
-    masterPasswordUnlock: MasterPasswordUnlockData?,
+    masterPasswordUnlock: MasterPasswordUnlockData,
 ): UserStateJson {
     val account = this.activeAccount
     val profile = account.profile
     val userDecryptionOptions = profile.userDecryptionOptions
-    val masterPasswordUnlockJson = masterPasswordUnlock
-        ?.let {
-            MasterPasswordUnlockDataJson(
-                salt = it.salt,
-                kdf = it.kdf.toKdfRequestModel(),
-                masterKeyWrappedUserKey = it.masterKeyWrappedUserKey,
-            )
-        }
-        ?: userDecryptionOptions?.masterPasswordUnlock
+    val masterPasswordUnlockJson = MasterPasswordUnlockDataJson(
+        salt = masterPasswordUnlock.salt,
+        kdf = masterPasswordUnlock.kdf.toKdfRequestModel(),
+        masterKeyWrappedUserKey = masterPasswordUnlock.masterKeyWrappedUserKey,
+    )
     val updatedProfile = profile
         .copy(
             forcePasswordResetReason = null,

app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt

@@ -5795,9 +5795,6 @@ class AuthRepositoryTest {
                 userId = profile.userId,
             )
         } returns resetPasswordKey.asSuccess()
-        coEvery {
-            vaultRepository.unlockVaultWithMasterPassword(password)
-        } returns VaultUnlockResult.Success
 
         val result = repository.setPassword(
             organizationIdentifier = organizationIdentifier,
@@ -5822,7 +5819,6 @@ class AuthRepositoryTest {
                 passwordHash = passwordHash,
                 resetPasswordKey = resetPasswordKey,
             )
-            vaultRepository.unlockVaultWithMasterPassword(password)
             vaultSdkSource.getResetPasswordKey(
                 orgPublicKey = publicOrgKey,
                 userId = profile.userId,
@@ -7481,7 +7477,7 @@ class AuthRepositoryTest {
                 masterPasswordUnlock = MasterPasswordUnlockDataJson(
                     kdf = BASE_PROFILE_1.toSdkParams().toKdfRequestModel(),
                     masterKeyWrappedUserKey = ENCRYPTED_USER_KEY,
-                    salt = "mockSalt",
+                    salt = EMAIL,
                 ),
             ),
         )
@@ -7533,7 +7529,7 @@ class AuthRepositoryTest {
                             masterPasswordUnlock = MasterPasswordUnlockDataJson(
                                 kdf = BASE_PROFILE_1.toSdkParams().toKdfRequestModel(),
                                 masterKeyWrappedUserKey = ENCRYPTED_USER_KEY,
-                                salt = "mockSalt",
+                                salt = EMAIL,
                             ),
                         ),
                     ),