[PM-21681] Handle automatic timeout logout in BWA (#1659)

Author: KatherineInCode

AuthenticatorBridgeKit/AuthenticatorBridgeItemService.swift

@@ -1,5 +1,6 @@
 import BitwardenKit
 import Combine
+import CoreData
 import Foundation
 
 // MARK: - AuthenticatorBridgeItemService
@@ -93,6 +94,9 @@ public class DefaultAuthenticatorBridgeItemService: AuthenticatorBridgeItemServi
     /// The keychain repository for working with the shared key.
     let sharedKeychainRepository: SharedKeychainRepository
 
+    /// A service that manages account timeout between apps.
+    let sharedTimeoutService: SharedTimeoutService
+
     // MARK: Initialization
 
     /// Initialize a `DefaultAuthenticatorBridgeItemService`
@@ -101,13 +105,16 @@ public class DefaultAuthenticatorBridgeItemService: AuthenticatorBridgeItemServi
     ///   - cryptoService: Cryptography service for encrypting/decrypting items.
     ///   - dataStore: The CoreData store for working with shared data
     ///   - sharedKeychainRepository: The keychain repository for working with the shared key.
+    ///   - sharedTimeoutService: The shared timeout service for managing session timeouts.
     ///
     public init(cryptoService: SharedCryptographyService,
                 dataStore: AuthenticatorBridgeDataStore,
-                sharedKeychainRepository: SharedKeychainRepository) {
+                sharedKeychainRepository: SharedKeychainRepository,
+                sharedTimeoutService: SharedTimeoutService) {
         self.cryptoService = cryptoService
         self.dataStore = dataStore
         self.sharedKeychainRepository = sharedKeychainRepository
+        self.sharedTimeoutService = sharedTimeoutService
     }
 
     // MARK: Methods
@@ -192,6 +199,7 @@ public class DefaultAuthenticatorBridgeItemService: AuthenticatorBridgeItemServi
 
     public func sharedItemsPublisher() async throws ->
         AnyPublisher<[AuthenticatorBridgeItemDataView], any Error> {
+        try await checkForLogout()
         let fetchRequest = AuthenticatorBridgeItemData.fetchRequest(
             predicate: NSPredicate(
                 format: "userId != %@", DefaultAuthenticatorBridgeItemService.temporaryUserId
@@ -210,4 +218,25 @@ public class DefaultAuthenticatorBridgeItemService: AuthenticatorBridgeItemServi
         }
         .eraseToAnyPublisher()
     }
+
+    // MARK: Private Functions
+
+    /// Iterates through all of the users with shared items and determines if they've passed their
+    /// logout timeout. If so, then their shared items are deleted.
+    ///
+    private func checkForLogout() async throws {
+        let fetchRequest = NSFetchRequest<NSDictionary>(entityName: AuthenticatorBridgeItemData.entityName)
+        fetchRequest.propertiesToFetch = ["userId"]
+        fetchRequest.returnsDistinctResults = true
+        fetchRequest.resultType = .dictionaryResultType
+
+        let results = try dataStore.persistentContainer.viewContext.fetch(fetchRequest)
+        let userIds = results.compactMap { ($0 as? [String: Any])?["userId"] as? String }
+
+        try await userIds.asyncForEach { userId in
+            if try await sharedTimeoutService.hasPassedTimeout(userId: userId) {
+                try await deleteAllForUserId(userId)
+            }
+        }
+    }
 }

AuthenticatorBridgeKit/Mocks/MockAuthenticatorBridgeItemService.swift

@@ -0,0 +1,59 @@
+import AuthenticatorBridgeKit
+import Combine
+
+public class MockAuthenticatorBridgeItemService: AuthenticatorBridgeItemService {
+    public var errorToThrow: Error?
+    public var replaceAllCalled = false
+    public var sharedItemsSubject = CurrentValueSubject<[AuthenticatorBridgeItemDataView], Error>([])
+    public var storedItems: [String: [AuthenticatorBridgeItemDataView]] = [:]
+    public var syncOn = false
+    public var tempItem: AuthenticatorBridgeItemDataView?
+
+    public init() {}
+
+    public func checkForLogout() async throws {
+
+    }
+
+    public func deleteAllForUserId(_ userId: String) async throws {
+        guard errorToThrow == nil else { throw errorToThrow! }
+        storedItems[userId] = []
+    }
+
+    public func fetchAllForUserId(_ userId: String) async throws -> [AuthenticatorBridgeItemDataView] {
+        guard errorToThrow == nil else { throw errorToThrow! }
+        return storedItems[userId] ?? []
+    }
+
+    public func fetchTemporaryItem() async throws -> AuthenticatorBridgeItemDataView? {
+        guard errorToThrow == nil else { throw errorToThrow! }
+        return tempItem
+    }
+
+    public func insertTemporaryItem(_ item: AuthenticatorBridgeItemDataView) async throws {
+        guard errorToThrow == nil else { throw errorToThrow! }
+        tempItem = item
+    }
+
+    public func insertItems(_ items: [AuthenticatorBridgeItemDataView], forUserId userId: String) async throws {
+        guard errorToThrow == nil else { throw errorToThrow! }
+        storedItems[userId] = items
+    }
+
+    public func isSyncOn() async -> Bool {
+        syncOn
+    }
+
+    public func replaceAllItems(with items: [AuthenticatorBridgeItemDataView], forUserId userId: String) async throws {
+        guard errorToThrow == nil else { throw errorToThrow! }
+        storedItems[userId] = items
+        replaceAllCalled = true
+    }
+
+    public func sharedItemsPublisher() async throws ->
+        AnyPublisher<[AuthenticatorBridgeKit.AuthenticatorBridgeItemDataView], any Error> {
+        guard errorToThrow == nil else { throw errorToThrow! }
+
+        return sharedItemsSubject.eraseToAnyPublisher()
+    }
+}

AuthenticatorBridgeKit/Mocks/MockSharedTimeoutService.swift

@@ -0,0 +1,39 @@
+import AuthenticatorBridgeKit
+import BitwardenKit
+import Foundation
+
+public final class MockSharedTimeoutService: SharedTimeoutService {
+    public var clearTimeoutUserIds = [String]()
+    public var clearTimeoutError: Error?
+    public var hasPassedTimeoutResult: Result<[String: Bool], Error> = .success([:])
+    public var updateTimeoutUserId: String?
+    public var updateTimeoutLastActiveDate: Date?
+    public var updateTimeoutTimeoutLength: SessionTimeoutValue?
+    public var updateTimeoutError: Error?
+
+    public init() {}
+
+    public func clearTimeout(forUserId userId: String) async throws {
+        if let clearTimeoutError {
+            throw clearTimeoutError
+        }
+        clearTimeoutUserIds.append(userId)
+    }
+
+    public func hasPassedTimeout(userId: String) async throws -> Bool {
+        try hasPassedTimeoutResult.get()[userId] ?? false
+    }
+
+    public func updateTimeout(
+        forUserId userId: String,
+        lastActiveDate: Date?,
+        timeoutLength: SessionTimeoutValue
+    ) async throws {
+        if let updateTimeoutError {
+            throw updateTimeoutError
+        }
+        updateTimeoutUserId = userId
+        updateTimeoutLastActiveDate = lastActiveDate
+        updateTimeoutTimeoutLength = timeoutLength
+    }
+}

AuthenticatorBridgeKit/SharedKeychain/SharedKeychainStorage.swift

@@ -107,16 +107,18 @@ public class DefaultSharedKeychainStorage: SharedKeychainStorage {
         )
 
         guard let resultDictionary = foundItem as? [String: Any],
-              let data = resultDictionary[kSecValueData as String] as? T else {
+              let data = resultDictionary[kSecValueData as String] as? Data else {
             throw SharedKeychainServiceError.keyNotFound(item)
         }
 
-        return data
+        let object = try JSONDecoder.defaultDecoder.decode(T.self, from: data)
+        return object
     }
 
     public func setValue<T: Codable>(_ value: T, for item: SharedKeychainItem) async throws {
+        let valueData = try JSONEncoder.defaultEncoder.encode(value)
         let query = [
-            kSecValueData: value,
+            kSecValueData: valueData,
             kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
             kSecAttrAccessGroup: sharedAppGroupIdentifier,
             kSecAttrAccount: item.unformattedKey,

AuthenticatorBridgeKit/SharedKeychain/SharedKeychainStorageTests.swift

@@ -52,8 +52,9 @@ final class SharedKeychainStorageTests: BitwardenTestCase {
     func test_getValue_success() async throws {
         let key = SymmetricKey(size: .bits256)
         let data = key.withUnsafeBytes { Data(Array($0)) }
+        let encodedData = try JSONEncoder.defaultEncoder.encode(data)
 
-        keychainService.setSearchResultData(data)
+        keychainService.setSearchResultData(encodedData)
 
         let returnData: Data = try await subject.getValue(for: .authenticatorKey)
         XCTAssertEqual(returnData, data)
@@ -113,6 +114,7 @@ final class SharedKeychainStorageTests: BitwardenTestCase {
     func test_setAuthenticatorKey_success() async throws {
         let key = SymmetricKey(size: .bits256)
         let data = key.withUnsafeBytes { Data(Array($0)) }
+        let encodedData = try JSONEncoder.defaultEncoder.encode(data)
         try await subject.setValue(data, for: .authenticatorKey)
 
         let attributes = try XCTUnwrap(keychainService.addAttributes as? [CFString: Any])
@@ -123,6 +125,6 @@ final class SharedKeychainStorageTests: BitwardenTestCase {
                            SharedKeychainItem.authenticatorKey.unformattedKey)
         try XCTAssertEqual(XCTUnwrap(attributes[kSecClass] as? String),
                            String(kSecClassGenericPassword))
-        try XCTAssertEqual(XCTUnwrap(attributes[kSecValueData] as? Data), data)
+        try XCTAssertEqual(XCTUnwrap(attributes[kSecValueData] as? Data), encodedData)
     }
 }

AuthenticatorBridgeKit/SharedTimeoutService.swift

@@ -0,0 +1,81 @@
+import BitwardenKit
+import Foundation
+
+// MARK: - HasSharedTimeoutService
+
+/// Protocol for an object that provides a `SharedTimeoutService`
+///
+public protocol HasSharedTimeoutService {
+    /// The service for managing account timeout between apps.
+    var sharedTimeoutService: SharedTimeoutService { get }
+}
+
+// MARK: - SharedTimeoutService
+
+/// A service that manages account timeout between apps.
+///
+public protocol SharedTimeoutService {
+    /// Clears the shared timeout for a user.
+    /// - Parameters:
+    ///   - userId: The user's ID
+    func clearTimeout(forUserId userId: String) async throws
+
+    /// Determines if a user has passed their timeout, using the current time and the saved shared time.
+    /// If the current time is equal to the timeout time, then it is considered passed. If there is no
+    /// saved time, then this will always return false.
+    /// - Parameters:
+    ///   - userId: The user's ID
+    /// - Returns: whether or not the user has passed their timeout
+    func hasPassedTimeout(userId: String) async throws -> Bool
+
+    /// Updates the shared timeout for a user.
+    /// - Parameters:
+    ///   - userId: The user's ID
+    ///   - lastActiveDate: The last time the user was active
+    ///   - timeoutLength: The user's preferred timeout length
+    func updateTimeout(forUserId userId: String, lastActiveDate: Date?, timeoutLength: SessionTimeoutValue) async throws
+}
+
+// MARK: - DefaultTimeoutService
+
+public final class DefaultSharedTimeoutService: SharedTimeoutService {
+    /// A repository for managing keychain items to be shared between Password Manager and Authenticator.
+    private let sharedKeychainRepository: SharedKeychainRepository
+
+    /// A service for providing the current time.
+    private let timeProvider: TimeProvider
+
+    public init(
+        sharedKeychainRepository: SharedKeychainRepository,
+        timeProvider: TimeProvider
+    ) {
+        self.sharedKeychainRepository = sharedKeychainRepository
+        self.timeProvider = timeProvider
+    }
+
+    public func clearTimeout(forUserId userId: String) async throws {
+        try await sharedKeychainRepository.setAccountAutoLogoutTime(nil, userId: userId)
+    }
+
+    public func hasPassedTimeout(userId: String) async throws -> Bool {
+        guard let autoLogoutTime = try await sharedKeychainRepository.getAccountAutoLogoutTime(userId: userId) else {
+            return false
+        }
+        return timeProvider.presentTime >= autoLogoutTime
+    }
+
+    public func updateTimeout(
+        forUserId userId: String,
+        lastActiveDate: Date?,
+        timeoutLength: SessionTimeoutValue
+    ) async throws {
+        guard let lastActiveDate else {
+            try await clearTimeout(forUserId: userId)
+            return
+        }
+
+        let timeout = lastActiveDate.addingTimeInterval(TimeInterval(timeoutLength.seconds))
+
+        try await sharedKeychainRepository.setAccountAutoLogoutTime(timeout, userId: userId)
+    }
+}