[PM-18935] show key connector domain (#1529)

Author: aj-rosado

BitwardenShared/Core/Auth/Repositories/AuthRepository.swift

@@ -45,6 +45,10 @@ protocol AuthRepository: AnyObject {
     ///
     func clearPins() async throws
 
+    /// Convert new user to key connector.
+    ///
+    func convertNewUserToKeyConnector(keyConnectorURL: URL, orgIdentifier: String) async throws
+
     /// Create new account for a JIT sso user .
     ///
     func createNewSsoUser(orgIdentifier: String, rememberDevice: Bool) async throws
@@ -107,6 +111,12 @@ protocol AuthRepository: AnyObject {
     ///
     func isUserManagedByOrganization() async throws -> Bool
 
+    /// User leaves organization
+    ///
+    /// - Parameters:
+    ///   - organizationId: The ID of the organization the user is leaving.
+    func leaveOrganization(organizationId: String) async throws
+
     /// Locks the user's vault and clears decrypted data from memory
     /// - Parameters:
     ///   - userId: The userId of the account to lock. Defaults to active account if nil
@@ -565,6 +575,13 @@ extension DefaultAuthRepository: AuthRepository {
         }
     }
 
+    func convertNewUserToKeyConnector(keyConnectorURL: URL, orgIdentifier: String) async throws {
+        try await keyConnectorService.convertNewUserToKeyConnector(
+            keyConnectorUrl: keyConnectorURL,
+            orgIdentifier: orgIdentifier
+        )
+    }
+
     func createNewSsoUser(orgIdentifier: String, rememberDevice: Bool) async throws {
         let account = try await stateService.getActiveAccount()
         let enrollStatus = try await organizationAPIService.getOrganizationAutoEnrollStatus(identifier: orgIdentifier)
@@ -735,6 +752,10 @@ extension DefaultAuthRepository: AuthRepository {
         try await keyConnectorService.migrateUser(password: password)
     }
 
+    func leaveOrganization(organizationId: String) async throws {
+        try await organizationAPIService.leaveOrganization(organizationId: organizationId)
+    }
+
     func logout(userId: String?, userInitiated: Bool) async throws {
         let userId = try await stateService.getAccountIdOrActiveId(userId: userId)
 
@@ -952,18 +973,7 @@ extension DefaultAuthRepository: AuthRepository {
     func unlockVaultWithKeyConnectorKey(keyConnectorURL: URL, orgIdentifier: String) async throws {
         let account = try await stateService.getActiveAccount()
 
-        let encryptionKeys: AccountEncryptionKeys
-        do {
-            encryptionKeys = try await stateService.getAccountEncryptionKeys(userId: account.profile.userId)
-        } catch StateServiceError.noEncryptedPrivateKey {
-            // If the private key doesn't exist, this is a new user and we need to convert them to
-            // use key connector.
-            try await keyConnectorService.convertNewUserToKeyConnector(
-                keyConnectorUrl: keyConnectorURL,
-                orgIdentifier: orgIdentifier
-            )
-            encryptionKeys = try await stateService.getAccountEncryptionKeys(userId: account.profile.userId)
-        }
+        let encryptionKeys = try await stateService.getAccountEncryptionKeys(userId: account.profile.userId)
 
         guard let encryptedUserKey = encryptionKeys.encryptedUserKey else { throw StateServiceError.noEncUserKey }
 

BitwardenShared/Core/Auth/Repositories/AuthRepositoryTests.swift

@@ -1955,6 +1955,20 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         stateService.activeAccount = .fixture()
         stateService.getAccountEncryptionKeysError = StateServiceError.noEncryptedPrivateKey
 
+        await assertAsyncThrows(error: StateServiceError.noEncryptedPrivateKey) {
+            try await subject.unlockVaultWithKeyConnectorKey(
+                keyConnectorURL: URL(string: "https://example.com")!,
+                orgIdentifier: "org-id"
+            )
+        }
+
+        await assertAsyncDoesNotThrow {
+            try await subject.convertNewUserToKeyConnector(
+                keyConnectorURL: URL(string: "https://example.com")!,
+                orgIdentifier: "org-id"
+            )
+        }
+
         await assertAsyncDoesNotThrow {
             try await subject.unlockVaultWithKeyConnectorKey(
                 keyConnectorURL: URL(string: "https://example.com")!,
@@ -1975,6 +1989,33 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
+    /// `convertNewUserToKeyConnector()` converts a new user to use key connector.
+    func test_convertNewUserToKeyconnector() async {
+        clientService.mockCrypto.initializeUserCryptoResult = .success(())
+        keyConnectorService.convertNewUserToKeyConnectorHandler = { [weak self] in
+            self?.stateService.accountEncryptionKeys["1"] = AccountEncryptionKeys(
+                encryptedPrivateKey: "private",
+                encryptedUserKey: "user"
+            )
+            self?.stateService.getAccountEncryptionKeysError = nil
+        }
+        keyConnectorService.getMasterKeyFromKeyConnectorResult = .success("key")
+        stateService.activeAccount = .fixture()
+        stateService.getAccountEncryptionKeysError = StateServiceError.noEncryptedPrivateKey
+
+        await assertAsyncDoesNotThrow {
+            try await subject.convertNewUserToKeyConnector(
+                keyConnectorURL: URL(string: "https://example.com")!,
+                orgIdentifier: "org-id"
+            )
+        }
+        XCTAssertTrue(keyConnectorService.convertNewUserToKeyConnectorCalled)
+        XCTAssertEqual(keyConnectorService.convertNewUserToKeyConnectorOrganizationId,
+                       "org-id")
+        XCTAssertEqual(keyConnectorService.convertNewUserToKeyConnectorKeyConnectorUrl,
+                       URL(string: "https://example.com"))
+    }
+
     /// `unlockVaultWithKeyConnectorKey()` throws an error if the user is missing an encrypted user key.
     func test_unlockVaultWithKeyConnectorKey_missingEncryptedUserKey() async {
         stateService.activeAccount = .fixture()

BitwardenShared/Core/Auth/Repositories/TestHelpers/MockAuthRepository.swift

@@ -34,6 +34,9 @@ class MockAuthRepository: AuthRepository { // swiftlint:disable:this type_body_l
     var isPinUnlockAvailableResult: Result<Bool, Error> = .success(false)
     var isUserManagedByOrganizationResult: Result<Bool, Error> = .success(false)
     var pinUnlockAvailabilityResult: Result<[String: Bool], Error> = .success([:])
+    var leaveOrganizationCalled = false
+    var leaveOrganizationOrganizationId: String?
+    var leaveOrganizationResult: Result<Void, Error> = .success(())
     var lockVaultUserId: String?
     var logoutCalled = false
     var logoutUserId: String?
@@ -81,6 +84,11 @@ class MockAuthRepository: AuthRepository { // swiftlint:disable:this type_body_l
     var unlockVaultWithKeyConnectorKeyConnectorURL: URL? // swiftlint:disable:this identifier_name
     var unlockVaultWithKeyConnectorOrgIdentifier: String?
     var unlockVaultWithKeyConnectorKeyResult: Result<Void, Error> = .success(())
+
+    var convertNewUserToKeyConnectorKeyCalled = false
+    var convertNewUserToKeyConnectorKeyConnectorURL: URL? // swiftlint:disable:this identifier_name
+    var convertNewUserToKeyConnectorOrgIdentifier: String? // swiftlint:disable:this identifier_name
+    var convertNewUserToKeyConnectorKeyResult: Result<Void, Error> = .success(())
     var unlockVaultWithNeverlockKeyCalled = false
     var unlockVaultWithNeverlockResult: Result<Void, Error> = .success(())
     var verifyOtpOpt: String?
@@ -138,6 +146,13 @@ class MockAuthRepository: AuthRepository { // swiftlint:disable:this type_body_l
         clearPinsCalled = true
     }
 
+    func convertNewUserToKeyConnector(keyConnectorURL: URL, orgIdentifier: String) async throws {
+        convertNewUserToKeyConnectorKeyCalled = true
+        convertNewUserToKeyConnectorKeyConnectorURL = keyConnectorURL
+        convertNewUserToKeyConnectorOrgIdentifier = orgIdentifier
+        try convertNewUserToKeyConnectorKeyResult.get()
+    }
+
     func createNewSsoUser(orgIdentifier: String, rememberDevice: Bool) async throws {
         createNewSsoUserOrgIdentifier = orgIdentifier
         createNewSsoUserRememberDevice = rememberDevice
@@ -231,6 +246,12 @@ class MockAuthRepository: AuthRepository { // swiftlint:disable:this type_body_l
         return try passwordStrengthResult.get()
     }
 
+    func leaveOrganization(organizationId: String) async throws {
+        leaveOrganizationCalled = true
+        leaveOrganizationOrganizationId = organizationId
+        try leaveOrganizationResult.get()
+    }
+
     func lockVault(userId: String?, isManuallyLocking: Bool) async {
         lockVaultUserId = userId
         hasManuallyLocked = isManuallyLocking

BitwardenShared/Core/Auth/Services/API/Organization/OrganizationAPIService.swift

@@ -27,6 +27,15 @@ protocol OrganizationAPIService {
     /// - Parameter email: The user's email address
     /// - Returns: A `SingleSignOnDomainsVerifiedResponse` with the verified domains list.
     func getSingleSignOnVerifiedDomains(email: String) async throws -> SingleSignOnDomainsVerifiedResponse
+
+    /// Performs the API request to leave an organization.
+    ///
+    /// - Parameters:
+    ///   - organizationId: The organization identifier for the organization the user wants to leave.
+    ///
+    func leaveOrganization(
+        organizationId: String
+    ) async throws
 }
 
 extension APIService: OrganizationAPIService {
@@ -45,4 +54,10 @@ extension APIService: OrganizationAPIService {
     func getSingleSignOnVerifiedDomains(email: String) async throws -> SingleSignOnDomainsVerifiedResponse {
         try await apiUnauthenticatedService.send(SingleSignOnDomainsVerifiedRequest(email: email))
     }
+
+    func leaveOrganization(organizationId: String) async throws {
+        _ = try await apiService.send(
+            OrganizationLeaveRequest(identifier: organizationId)
+        )
+    }
 }

BitwardenShared/Core/Auth/Services/API/Organization/OrganizationAPIServiceTests.swift

@@ -93,4 +93,13 @@ class OrganizationAPIServiceTests: BitwardenTestCase {
             )
         )
     }
+
+    /// `leaveOrganization(organizationId:)` successfully runs the leaveOrganization
+    func test_leaveOrganization() async throws {
+        client.result = .httpSuccess(testData: .emptyResponse)
+
+        await assertAsyncDoesNotThrow {
+            try await subject.leaveOrganization(organizationId: "ORG_IDENTIFIER")
+        }
+    }
 }

BitwardenShared/Core/Auth/Services/API/Organization/Requests/OrganizationLeaveRequest.swift

@@ -0,0 +1,19 @@
+import Networking
+
+// MARK: - OrganizationLeaveRequest
+
+/// A networking request to leave an organization.
+struct OrganizationLeaveRequest: Request {
+    typealias Response = EmptyResponse
+
+    // MARK: Properties
+
+    /// The identifier for the organization.
+    let identifier: String
+
+    /// The HTTP method for this request.
+    var method: HTTPMethod { .post }
+
+    /// The URL path for this request.
+    var path: String { "/organizations/\(identifier)/leave" }
+}

BitwardenShared/Core/Platform/Services/TestHelpers/MockKeyConnectorService.swift

@@ -6,6 +6,8 @@ class MockKeyConnectorService: KeyConnectorService {
     var convertNewUserToKeyConnectorCalled = false
     var convertNewUserToKeyConnectorHandler: (() -> Void)?
     var convertNewUserToKeyConnectorResult: Result<Void, Error> = .success(())
+    var convertNewUserToKeyConnectorKeyConnectorUrl: URL?
+    var convertNewUserToKeyConnectorOrganizationId: String?
 
     var getManagingOrganizationResult: Result<Organization?, Error> = .success(nil)
 
@@ -18,6 +20,8 @@ class MockKeyConnectorService: KeyConnectorService {
 
     func convertNewUserToKeyConnector(keyConnectorUrl: URL, orgIdentifier: String) async throws {
         convertNewUserToKeyConnectorCalled = true
+        convertNewUserToKeyConnectorKeyConnectorUrl = keyConnectorUrl
+        convertNewUserToKeyConnectorOrganizationId = orgIdentifier
         convertNewUserToKeyConnectorHandler?()
         return try convertNewUserToKeyConnectorResult.get()
     }

BitwardenShared/Core/Vault/Services/SyncService.swift

@@ -81,10 +81,13 @@ protocol SyncServiceDelegate: AnyObject {
 
     /// The user needs to remove their master password so they can be migrated to use Key Connector.
     ///
-    /// - Parameter organizationName: The organization's name that requires Key Connector.
+    /// - Parameters:
+    ///   - organizationName: The organization's name that requires Key Connector.
+    ///   - organizationId: The organization's id that requires Key Connector.
+    ///   - keyConnectorUrl: The organization's Key Connector domain.
     ///
     @MainActor
-    func removeMasterPassword(organizationName: String)
+    func removeMasterPassword(organizationName: String, organizationId: String, keyConnectorUrl: String)
 
     /// The user's security stamp changed.
     ///
@@ -223,6 +226,11 @@ class DefaultSyncService: SyncService {
         guard !forceSync, let lastSyncTime = try await stateService.getLastSyncTime(userId: userId) else {
             return true
         }
+
+        if try await keyConnectorService.userNeedsMigration() {
+            return true
+        }
+
         guard lastSyncTime.addingTimeInterval(Constants.minimumSyncInterval) < timeProvider.presentTime else {
             return false
         }
@@ -292,8 +300,13 @@ extension DefaultSyncService {
         try await checkVaultTimeoutPolicy()
 
         if try await keyConnectorService.userNeedsMigration(),
-           let organization = try await keyConnectorService.getManagingOrganization() {
-            await delegate?.removeMasterPassword(organizationName: organization.name)
+           let organization = try await keyConnectorService.getManagingOrganization(),
+           let keyConnectorUrl = organization.keyConnectorUrl {
+            await delegate?.removeMasterPassword(
+                organizationName: organization.name,
+                organizationId: organization.id,
+                keyConnectorUrl: keyConnectorUrl
+            )
         }
 
         await delegate?.onFetchSyncSucceeded(userId: userId)

BitwardenShared/Core/Vault/Services/SyncServiceTests.swift

@@ -208,6 +208,7 @@ class SyncServiceTests: BitwardenTestCase {
         let priorSyncDate = Date(year: 2022, month: 1, day: 1)
         stateService.lastSyncTimeByUserId["1"] = priorSyncDate
         cipherService.replaceCiphersError = BitwardenTestError.example
+        keyConnectorService.userNeedsMigrationResult = .success(false)
 
         await assertAsyncThrows(error: BitwardenTestError.example) {
             try await subject.fetchSync(forceSync: false)
@@ -253,6 +254,7 @@ class SyncServiceTests: BitwardenTestCase {
         stateService.lastSyncTimeByUserId["1"] = try XCTUnwrap(
             lastSync
         )
+        keyConnectorService.userNeedsMigrationResult = .success(false)
 
         try await subject.fetchSync(forceSync: false)
 
@@ -274,6 +276,7 @@ class SyncServiceTests: BitwardenTestCase {
         client.result = .httpFailure(BitwardenTestError.example)
         stateService.activeAccount = .fixture()
         stateService.lastSyncTimeByUserId["1"] = lastSyncTime
+        keyConnectorService.userNeedsMigrationResult = .success(false)
 
         try await subject.fetchSync(forceSync: false)
 
@@ -296,6 +299,7 @@ class SyncServiceTests: BitwardenTestCase {
         stateService.lastSyncTimeByUserId["1"] = try XCTUnwrap(
             lastSync
         )
+        keyConnectorService.userNeedsMigrationResult = .success(false)
 
         try await subject.fetchSync(forceSync: false)
 
@@ -315,6 +319,7 @@ class SyncServiceTests: BitwardenTestCase {
         stateService.lastSyncTimeByUserId["1"] = try XCTUnwrap(
             timeProvider.presentTime.addingTimeInterval(-(Constants.minimumSyncInterval - 1))
         )
+        keyConnectorService.userNeedsMigrationResult = .success(false)
 
         try await subject.fetchSync(forceSync: false)
 
@@ -444,14 +449,16 @@ class SyncServiceTests: BitwardenTestCase {
     /// Connector.
     func test_fetchSync_removeMasterPassword() async throws {
         client.result = .httpSuccess(testData: .syncWithProfile)
-        keyConnectorService.getManagingOrganizationResult = .success(.fixture(name: "Example Org"))
+        keyConnectorService.getManagingOrganizationResult = .success(
+            .fixture(keyConnectorUrl: "htttp://example.com/", name: "Example Org"))
         keyConnectorService.userNeedsMigrationResult = .success(true)
         stateService.activeAccount = .fixture()
 
         try await subject.fetchSync(forceSync: false)
 
         XCTAssertTrue(syncServiceDelegate.removeMasterPasswordCalled)
         XCTAssertEqual(syncServiceDelegate.removeMasterPasswordOrganizationName, "Example Org")
+        XCTAssertEqual(syncServiceDelegate.removeMasterPasswordKeyConnectorUrl, "htttp://example.com/")
     }
 
     /// `fetchSync()` throws an error if checking if the user needs to be migrated fails.
@@ -775,13 +782,17 @@ class MockSyncServiceDelegate: SyncServiceDelegate {
     var securityStampChangedUserId: String?
     var setMasterPasswordCalled = false
     var setMasterPasswordOrgId: String?
+    var removeMasterPasswordOrganizationId: String?
+    var removeMasterPasswordKeyConnectorUrl: String?
 
     func onFetchSyncSucceeded(userId: String) async {
         onFetchSyncSucceededCalledWithuserId = userId
     }
 
-    func removeMasterPassword(organizationName: String) {
+    func removeMasterPassword(organizationName: String, organizationId: String, keyConnectorUrl: String) {
         removeMasterPasswordOrganizationName = organizationName
+        removeMasterPasswordOrganizationId = organizationId
+        removeMasterPasswordKeyConnectorUrl = keyConnectorUrl
         removeMasterPasswordCalled = true
     }