[PM-25990] Add flight recorder logs for vault unlock method and PIN migration (#1994)

Co-authored-by: Katherine Bertelsen <kbertelsen@bitwarden.com>

Author: matt-livefront

BitwardenKit/Core/Platform/Extensions/Logger+Bitwarden.swift

@@ -9,6 +9,9 @@ public extension Logger {
     /// Logger instance for general application-level logs.
     static let application = Logger(subsystem: subsystem, category: "Application")
 
+    /// Logger instance for flight recorder logs.
+    static let flightRecorder = Logger(subsystem: subsystem, category: "FlightRecorder")
+
     /// Logger instance for use by processors in the application.
     static let processor = Logger(subsystem: subsystem, category: "Processor")
 

BitwardenShared/Core/Auth/Extensions/BitwardenSdk+Auth.swift

@@ -0,0 +1,25 @@
+// swiftlint:disable:this file_name
+
+import BitwardenSdk
+
+extension BitwardenSdk.InitUserCryptoMethod {
+    /// A safe string representation of the crypto method that excludes sensitive associated values.
+    var methodType: String {
+        switch self {
+        case .authRequest:
+            return "Auth Request"
+        case .password:
+            return "Password"
+        case .decryptedKey:
+            return "Decrypted Key (Never Lock/Biometrics)"
+        case .deviceKey:
+            return "Device Key"
+        case .keyConnector:
+            return "Key Connector"
+        case .pin:
+            return "PIN"
+        case .pinEnvelope:
+            return "PIN Envelope"
+        }
+    }
+}

BitwardenShared/Core/Auth/Repositories/AuthRepository.swift

@@ -435,6 +435,9 @@ class DefaultAuthRepository {
     /// The service used by the application to report non-fatal errors.
     private let errorReporter: ErrorReporter
 
+    /// The service used by the application for recording temporary debug logs.
+    private let flightRecorder: FlightRecorder
+
     /// The keychain service used by this repository.
     private let keychainService: KeychainRepository
 
@@ -476,6 +479,7 @@ class DefaultAuthRepository {
     ///   - configService: The service to get server-specified configuration.
     ///   - environmentService: The service used by the application to manage the environment settings.
     ///   - errorReporter: The service used by the application to report non-fatal errors.
+    ///   - flightRecorder: The service used by the application for recording temporary debug logs.
     ///   - keychainService: The keychain service used by the application.
     ///   - keyConnectorService: The service used by the application to manage Key Connector.
     ///   - organizationAPIService: The service used by the application to make organization-related API requests.
@@ -497,6 +501,7 @@ class DefaultAuthRepository {
         configService: ConfigService,
         environmentService: EnvironmentService,
         errorReporter: ErrorReporter,
+        flightRecorder: FlightRecorder,
         keychainService: KeychainRepository,
         keyConnectorService: KeyConnectorService,
         organizationAPIService: OrganizationAPIService,
@@ -516,6 +521,7 @@ class DefaultAuthRepository {
         self.configService = configService
         self.environmentService = environmentService
         self.errorReporter = errorReporter
+        self.flightRecorder = flightRecorder
         self.keychainService = keychainService
         self.keyConnectorService = keyConnectorService
         self.organizationAPIService = organizationAPIService
@@ -1109,6 +1115,8 @@ extension DefaultAuthRepository: AuthRepository {
             method: method
         )
 
+        await flightRecorder.log("[Auth] Vault unlocked, method: \(method.methodType)")
+
         switch method {
         case .authRequest:
             // Remove admin pending login request if exists
@@ -1236,6 +1244,7 @@ extension DefaultAuthRepository: AuthRepository {
                 enrollPinResponse: enrollPinResponse,
                 requirePasswordAfterRestart: stateService.pinUnlockRequiresPasswordAfterRestart()
             )
+            await flightRecorder.log("[Auth] Migrated from legacy PIN to PIN-protected user key envelope")
         case .decryptedKey,
              .password:
             // If the user has a pin, but requires master password after restart, set the pin
@@ -1245,6 +1254,7 @@ extension DefaultAuthRepository: AuthRepository {
                 encryptedPin: encryptedPin
             )
             try await stateService.setPinProtectedUserKeyToMemory(enrollPinResponse.pinProtectedUserKeyEnvelope)
+            await flightRecorder.log("[Auth] Set PIN-protected user key in memory")
         case .pinEnvelope:
             break
         }

BitwardenShared/Core/Auth/Repositories/AuthRepositoryTests.swift

@@ -21,6 +21,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
     var configService: MockConfigService!
     var environmentService: MockEnvironmentService!
     var errorReporter: MockErrorReporter!
+    var flightRecorder: MockFlightRecorder!
     var keyConnectorService: MockKeyConnectorService!
     var keychainService: MockKeychainRepository!
     var organizationService: MockOrganizationService!
@@ -101,6 +102,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         configService = MockConfigService()
         environmentService = MockEnvironmentService()
         errorReporter = MockErrorReporter()
+        flightRecorder = MockFlightRecorder()
         keyConnectorService = MockKeyConnectorService()
         keychainService = MockKeychainRepository()
         organizationService = MockOrganizationService()
@@ -119,6 +121,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
             configService: configService,
             environmentService: environmentService,
             errorReporter: errorReporter,
+            flightRecorder: flightRecorder,
             keychainService: keychainService,
             keyConnectorService: keyConnectorService,
             organizationAPIService: APIService(client: client),

BitwardenShared/Core/Platform/Services/FlightRecorder.swift

@@ -202,7 +202,7 @@ actor DefaultFlightRecorder {
                         // timer's sleep time is slightly off from the true expiration.
                         let sleepSeconds = max(Double(seconds), UI.duration(1))
 
-                        Logger.application.debug(
+                        Logger.flightRecorder.debug(
                             """
                             FlightRecorder: next log lifecycle: \(nextLogLifecycleDate), \
                             sleeping for \(sleepSeconds) seconds
@@ -252,14 +252,14 @@ actor DefaultFlightRecorder {
 
         // Check if the active log should be disabled after its duration has elapsed.
         if let activeLog = data.activeLog, activeLog.endDate <= timeProvider.presentTime {
-            Logger.application.debug("FlightRecorder: active log reached end date, deactivating")
+            Logger.flightRecorder.debug("FlightRecorder: active log reached end date, deactivating")
             data.activeLog = nil
         }
 
         for (index, log) in data.inactiveLogs.enumerated() {
             guard log.expirationDate <= timeProvider.presentTime else { continue }
 
-            Logger.application.debug(
+            Logger.flightRecorder.debug(
                 "FlightRecorder: removing expired log \(log.startDate) \(log.duration.shortDescription)"
             )
 
@@ -433,6 +433,7 @@ extension DefaultFlightRecorder: FlightRecorder {
 
     func log(_ message: String, file: String, line: UInt) async {
         guard var data = await getFlightRecorderData(), let log = data.activeLog else { return }
+        Logger.flightRecorder.debug("\(message)")
         do {
             let timestampedMessage = "\(dateFormatter.string(from: timeProvider.presentTime)): \(message)\n"
             try await append(message: timestampedMessage, to: log)

BitwardenShared/Core/Platform/Services/ServiceContainer.swift

@@ -654,6 +654,7 @@ public class ServiceContainer: Services { // swiftlint:disable:this type_body_le
             configService: configService,
             environmentService: environmentService,
             errorReporter: errorReporter,
+            flightRecorder: flightRecorder,
             keychainService: keychainRepository,
             keyConnectorService: keyConnectorService,
             organizationAPIService: apiService,