Merge branch 'main' into brant/BITAU-152-handle-vault-lock-unlock

Author: brant-livefront

BitwardenShared/Core/Auth/Repositories/AuthRepository.swift

@@ -948,7 +948,6 @@ extension DefaultAuthRepository: AuthRepository {
             break
         }
 
-        try await configureBiometricUnlockIfRequired(method: method)
         try await configurePinUnlockIfNeeded(method: method)
 
         _ = try await trustDeviceService.trustDeviceIfNeeded()
@@ -1017,31 +1016,6 @@ extension DefaultAuthRepository: AuthRepository {
         return try await stateService.getActiveAccountId()
     }
 
-    /// This method checks the biometric unlock status, and if biometric unlock is available but not
-    /// fully configured (i.e., it doesn't have a valid integrity), it sets up biometric integrity and configures
-    /// the biometric unlock key.
-    ///
-    /// - Parameter method: The unlocking `InitUserCryptoMethod` method.
-    /// - Throws: An error if configuring biometric integrity or setting the biometric unlock key fails.
-    ///
-    private func configureBiometricUnlockIfRequired(method: InitUserCryptoMethod) async throws {
-        switch method {
-        case .authRequest,
-             .decryptedKey:
-            break
-        case .deviceKey,
-             .keyConnector,
-             .password,
-             .pin:
-            if case .available(_, true, false) = try? await biometricsRepository.getBiometricUnlockStatus() {
-                try await biometricsRepository.configureBiometricIntegrity()
-                try await biometricsRepository.setBiometricUnlockKey(
-                    authKey: clientService.crypto().getUserEncryptionKey()
-                )
-            }
-        }
-    }
-
     /// Configures PIN unlock if the user requires master password or biometrics after an app restart.
     ///
     /// - Parameter method: The unlocking `InitUserCryptoMethod` method.

BitwardenShared/Core/Auth/Repositories/AuthRepositoryTests.swift

@@ -1035,7 +1035,6 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
             try await subject.unlockVaultWithNeverlockKey()
         }
         XCTAssertFalse(vaultTimeoutService.unlockVaultHadUserInteraction)
-        XCTAssertFalse(biometricsRepository.didConfigureBiometricIntegrity)
     }
 
     /// `test_unlockVaultWithDeviceKey` attempts to unlock the vault using the device key from the keychain.
@@ -1064,38 +1063,6 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
-    /// `test_unlockVaultWithDeviceKey` attempts to unlock the vault using the device key from the keychain.
-    func test_unlockVaultWithDeviceKey_successWithBiometricsEnabled() async throws {
-        let active = Account.fixtureWithTDE()
-        stateService.activeAccount = active
-        keychainService.mockStorage = [
-            keychainService.formattedKey(
-                for: KeychainItem.deviceKey(
-                    userId: active.profile.userId
-                )
-            ):
-                "pasta",
-        ]
-
-        biometricsRepository.biometricUnlockStatus = .success(
-            .available(.faceID, enabled: true, hasValidIntegrity: false)
-        )
-
-        stateService.accountEncryptionKeys = [
-            active.profile.userId: .init(
-                encryptedPrivateKey: "secret",
-                encryptedUserKey: "recipe"
-            ),
-        ]
-        clientService.mockCrypto.getUserEncryptionKeyResult = .success("sauce")
-        clientService.mockCrypto.initializeUserCryptoResult = .success(())
-        await assertAsyncDoesNotThrow {
-            try await subject.unlockVaultWithDeviceKey()
-        }
-        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
-        XCTAssertTrue(biometricsRepository.didConfigureBiometricIntegrity)
-    }
-
     /// `test_unlockVaultWithDeviceKey` attempts to unlock the vault using the device key from the keychain.
     func test_unlockVaultWithDeviceKey_error() async throws {
         let active = Account.fixture()
@@ -1189,7 +1156,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         stateService.timeoutAction["1"] = .lock
         stateService.userHasMasterPassword["1"] = false
         biometricsRepository.biometricUnlockStatus = .success(
-            .available(.faceID, enabled: true, hasValidIntegrity: true)
+            .available(.faceID, enabled: true)
         )
 
         var timeoutAction = try await subject.sessionTimeoutAction()
@@ -1339,43 +1306,9 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         XCTAssertEqual(authService.hashPasswordPassword, "password")
         XCTAssertEqual(stateService.accountVolatileData["1"]?.pinProtectedUserKey, "ENCRYPTED_USER_KEY")
         XCTAssertEqual(stateService.masterPasswordHashes["1"], "hashed")
-        XCTAssertFalse(biometricsRepository.didConfigureBiometricIntegrity)
         XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
-    /// `unlockVaultWithPassword(password:)` configures biometric integrity refreshes.
-    func test_unlockVault_integrityRefresh() async throws {
-        stateService.activeAccount = .fixture()
-        stateService.accountEncryptionKeys = [
-            "1": AccountEncryptionKeys(
-                encryptedPrivateKey: "PRIVATE_KEY",
-                encryptedUserKey: "USER_KEY"
-            ),
-        ]
-        biometricsRepository.biometricUnlockStatus = .success(
-            .available(.faceID, enabled: true, hasValidIntegrity: false)
-        )
-
-        await assertAsyncDoesNotThrow {
-            try await subject.unlockVaultWithPassword(password: "password")
-        }
-
-        XCTAssertEqual(
-            clientService.mockCrypto.initializeUserCryptoRequest,
-            InitUserCryptoRequest(
-                kdfParams: .pbkdf2(iterations: UInt32(Constants.pbkdf2Iterations)),
-                email: "[email protected]",
-                privateKey: "PRIVATE_KEY",
-                method: .password(password: "password", userKey: "USER_KEY")
-            )
-        )
-        XCTAssertFalse(vaultTimeoutService.isLocked(userId: "1"))
-        XCTAssertTrue(organizationService.initializeOrganizationCryptoCalled)
-        XCTAssertEqual(authService.hashPasswordPassword, "password")
-        XCTAssertEqual(stateService.masterPasswordHashes["1"], "hashed")
-        XCTAssertTrue(biometricsRepository.didConfigureBiometricIntegrity)
-    }
-
     /// `unlockVaultWithBiometrics()` throws an error if the vault is unable to be unlocked.
     func test_unlockVaultWithBiometrics_error_cryptoFail() async {
         stateService.accountEncryptionKeys = [
@@ -1505,43 +1438,6 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         )
         XCTAssertFalse(keyConnectorService.convertNewUserToKeyConnectorCalled)
         XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
-        XCTAssertFalse(biometricsRepository.didConfigureBiometricIntegrity)
-    }
-
-    /// `unlockVaultWithKeyConnectorKey()` unlocks the user's vault with their key connector key.
-    func test_unlockVaultWithKeyConnectorKeyWithBiometricsEnabled() async {
-        clientService.mockCrypto.initializeUserCryptoResult = .success(())
-        keyConnectorService.getMasterKeyFromKeyConnectorResult = .success("key")
-        stateService.accountEncryptionKeys = [
-            "1": AccountEncryptionKeys(
-                encryptedPrivateKey: "private",
-                encryptedUserKey: "user"
-            ),
-        ]
-        stateService.activeAccount = .fixture()
-        biometricsRepository.biometricUnlockStatus = .success(
-            .available(.faceID, enabled: true, hasValidIntegrity: false)
-        )
-
-        await assertAsyncDoesNotThrow {
-            try await subject.unlockVaultWithKeyConnectorKey(
-                keyConnectorURL: URL(string: "https://example.com")!,
-                orgIdentifier: "org-id"
-            )
-        }
-
-        XCTAssertEqual(
-            clientService.mockCrypto.initializeUserCryptoRequest,
-            InitUserCryptoRequest(
-                kdfParams: KdfConfig().sdkKdf,
-                email: "[email protected]",
-                privateKey: "private",
-                method: .keyConnector(masterKey: "key", userKey: "user")
-            )
-        )
-        XCTAssertFalse(keyConnectorService.convertNewUserToKeyConnectorCalled)
-        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
-        XCTAssertTrue(biometricsRepository.didConfigureBiometricIntegrity)
     }
 
     /// `unlockVaultWithKeyConnectorKey()` converts a new user to use key connector and unlocks the
@@ -1748,37 +1644,6 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         )
         XCTAssertFalse(vaultTimeoutService.isLocked(userId: "1"))
         XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
-        XCTAssertFalse(biometricsRepository.didConfigureBiometricIntegrity)
-    }
-
-    /// `unlockVaultWithPIN(_:)` unlocks the vault with the user's PIN and configures biometric
-    /// integrity if needed.
-    func test_unlockVaultWithPIN_configuresBiometrics() async throws {
-        let account = Account.fixture()
-        stateService.activeAccount = account
-        stateService.accountEncryptionKeys = [
-            "1": AccountEncryptionKeys(encryptedPrivateKey: "PRIVATE_KEY", encryptedUserKey: "USER_KEY"),
-        ]
-        stateService.encryptedPinByUserId[account.profile.userId] = "123"
-        stateService.pinProtectedUserKeyValue[account.profile.userId] = "123"
-        biometricsRepository.biometricUnlockStatus = .success(
-            .available(.faceID, enabled: true, hasValidIntegrity: false)
-        )
-
-        try await subject.unlockVaultWithPIN(pin: "123")
-
-        XCTAssertEqual(
-            clientService.mockCrypto.initializeUserCryptoRequest,
-            InitUserCryptoRequest(
-                kdfParams: .pbkdf2(iterations: UInt32(Constants.pbkdf2Iterations)),
-                email: "[email protected]",
-                privateKey: "PRIVATE_KEY",
-                method: .pin(pin: "123", pinProtectedUserKey: "123")
-            )
-        )
-        XCTAssertFalse(vaultTimeoutService.isLocked(userId: "1"))
-        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
-        XCTAssertTrue(biometricsRepository.didConfigureBiometricIntegrity)
     }
 
     /// `unlockVaultWithPIN(_:)` throws an error if there's no pin.

BitwardenShared/Core/Auth/Services/Biometrics/BiometricsRepository.swift

@@ -5,7 +5,7 @@ import LocalAuthentication
 
 enum BiometricsUnlockStatus: Equatable {
     /// Biometric Unlock is available.
-    case available(BiometricAuthenticationType, enabled: Bool, hasValidIntegrity: Bool)
+    case available(BiometricAuthenticationType, enabled: Bool)
 
     /// Biometric Unlock is not available.
     case notAvailable
@@ -14,7 +14,7 @@ enum BiometricsUnlockStatus: Equatable {
 
     /// Whether biometric unlock is both available and enabled.
     var isEnabled: Bool {
-        guard case let .available(_, enabled, _) = self else {
+        guard case let .available(_, enabled) = self else {
             return false
         }
         return enabled
@@ -26,10 +26,6 @@ enum BiometricsUnlockStatus: Equatable {
 /// A protocol for returning the available authentication policies and access controls for the user's device.
 ///
 protocol BiometricsRepository: AnyObject {
-    /// Configures the device Biometric Integrity state.
-    ///     Should be called following a successful launch when biometric unlock is enabled.
-    func configureBiometricIntegrity() async throws
-
     /// Returns the device BiometricAuthenticationType.
     ///
     /// - Returns: The `BiometricAuthenticationType`.
@@ -69,7 +65,7 @@ class DefaultBiometricsRepository: BiometricsRepository {
     /// A service used to store the UserAuthKey key/value pair.
     var keychainRepository: KeychainRepository
 
-    /// A service used to store the Biometric Integrity Source key/value pair.
+    /// A service used to update user preferences.
     var stateService: StateService
 
     // MARK: Initialization
@@ -91,13 +87,6 @@ class DefaultBiometricsRepository: BiometricsRepository {
         self.stateService = stateService
     }
 
-    func configureBiometricIntegrity() async throws {
-        if let state = biometricsService.getBiometricIntegrityState() {
-            let base64State = state.base64EncodedString()
-            try await stateService.setBiometricIntegrityState(base64State)
-        }
-    }
-
     func getBiometricAuthenticationType() -> BiometricAuthenticationType? {
         biometricsService.getBiometricAuthenticationType()
     }
@@ -106,13 +95,11 @@ class DefaultBiometricsRepository: BiometricsRepository {
         guard let authKey,
               try await biometricsService.evaluateBiometricPolicy() else {
             try await stateService.setBiometricAuthenticationEnabled(false)
-            try await stateService.setBiometricIntegrityState(nil)
             try? await deleteUserAuthKey()
             return
         }
 
         try await setUserBiometricAuthKey(value: authKey)
-        try await configureBiometricIntegrity()
         try await stateService.setBiometricAuthenticationEnabled(true)
     }
 
@@ -122,14 +109,9 @@ class DefaultBiometricsRepository: BiometricsRepository {
             throw BiometricsServiceError.biometryLocked
         }
         let hasEnabledBiometricUnlock = try await stateService.getBiometricAuthenticationEnabled()
-        let hasValidIntegrityState = await isBiometricIntegrityValid()
         switch biometryStatus {
         case let .authorized(type):
-            return .available(
-                type,
-                enabled: hasEnabledBiometricUnlock,
-                hasValidIntegrity: hasValidIntegrityState
-            )
+            return .available(type, enabled: hasEnabledBiometricUnlock)
         case .denied,
              .lockedOut,
              .noBiometrics,
@@ -149,10 +131,6 @@ class DefaultBiometricsRepository: BiometricsRepository {
             guard !string.isEmpty else {
                 throw BiometricsServiceError.getAuthKeyFailed
             }
-            if let state = biometricsService.getBiometricIntegrityState() {
-                let base64State = state.base64EncodedString()
-                try await stateService.setBiometricIntegrityState(base64State)
-            }
             return string
         } catch let error as KeychainServiceError {
             switch error {
@@ -169,6 +147,8 @@ class DefaultBiometricsRepository: BiometricsRepository {
                      kLAErrorSystemCancel,
                      kLAErrorUserCancel:
                     throw BiometricsServiceError.biometryCancelled
+                case errSecItemNotFound:
+                    throw BiometricsServiceError.getAuthKeyFailed
                 case kLAErrorBiometryDisconnected,
                      kLAErrorUserFallback:
                     throw BiometricsServiceError.biometryFailed
@@ -195,20 +175,6 @@ extension DefaultBiometricsRepository {
         }
     }
 
-    /// Checks if the device evaluatedPolicyDomainState matches the data saved to user defaults.
-    ///
-    /// - Returns: A `Bool` indicating if the stored Data matches the current data.
-    ///     If no data is stored to the device, `true` is returned by default.
-    ///
-    private func isBiometricIntegrityValid() async -> Bool {
-        guard let data = biometricsService.getBiometricIntegrityState() else {
-            // Fallback for devices unable to retrieve integrity state.
-            return true
-        }
-        let integrityString: String? = try? await stateService.getBiometricIntegrityState()
-        return data.base64EncodedString() == integrityString
-    }
-
     /// Attempts to save an auth key to the keychain with biometrics.
     ///
     /// - Parameter value: The key to be stored.