bitwarden-core 3.0.0

Internal crate for the bitwarden crate. Do not use.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

#[cfg(any(feature = "internal", feature = "secrets"))]
use bitwarden_crypto::KeyStore;
#[cfg(feature = "secrets")]
use bitwarden_crypto::SymmetricCryptoKey;
#[cfg(feature = "internal")]
use bitwarden_crypto::UnsignedSharedKey;
use bitwarden_error::bitwarden_error;
use thiserror::Error;
#[cfg(feature = "internal")]
use tracing::{info, instrument};

#[cfg(any(feature = "secrets", feature = "internal"))]
use crate::OrganizationId;
#[cfg(any(feature = "internal", feature = "secrets"))]
use crate::key_management::{KeySlotIds, SymmetricKeySlotId};
use crate::{MissingPrivateKeyError, error::UserIdAlreadySetError};

#[allow(missing_docs)]
#[bitwarden_error(flat)]
#[derive(Debug, Error)]
pub enum EncryptionSettingsError {
    #[error("Cryptography error, {0}")]
    Crypto(#[from] bitwarden_crypto::CryptoError),

    #[error("Cryptography Initialization error")]
    CryptoInitialization,

    #[error(transparent)]
    MissingPrivateKey(#[from] MissingPrivateKeyError),

    #[error(transparent)]
    UserIdAlreadySet(#[from] UserIdAlreadySetError),

    #[error("Wrong Pin")]
    WrongPin,

    /// The user-key could not be set to the state, and the sdk will remain locked
    #[error("Unable to set user-key to state")]
    UserKeyStateUpdateFailed,

    #[error("Unable to retrieve user-key from state")]
    UserKeyStateRetrievalFailed,

    #[error("Invalid upgrade token")]
    InvalidUpgradeToken,

    /// Retrieval of the key-connector-key from key-connector failed
    #[error("Key connector retrieval failed")]
    KeyConnectorRetrievalFailed,

    /// The local user data key could not be initialized.
    #[error("Unable to initialize local user data key")]
    LocalUserDataKeyInitFailed,

    /// The local user data key could not be loaded into the key store context.
    #[error("Unable to load local user data key into key store")]
    LocalUserDataKeyLoadFailed,
}

#[allow(missing_docs)]
pub struct EncryptionSettings {}

impl EncryptionSettings {
    /// Initialize the encryption settings with only a single decrypted organization key.
    /// This is used only for logging in Secrets Manager with an access token
    #[cfg(feature = "secrets")]
    pub(crate) fn new_single_org_key(
        organization_id: OrganizationId,
        key: SymmetricCryptoKey,
        store: &KeyStore<KeySlotIds>,
    ) {
        // FIXME: [PM-18098] When this is part of crypto we won't need to use deprecated methods
        #[allow(deprecated)]
        store
            .context_mut()
            .set_symmetric_key(SymmetricKeySlotId::Organization(organization_id), key)
            .expect("Mutable context");
    }

    #[cfg(feature = "internal")]
    #[instrument(err, skip_all)]
    pub(crate) fn set_org_keys(
        org_enc_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
        store: &KeyStore<KeySlotIds>,
    ) -> Result<(), EncryptionSettingsError> {
        use crate::key_management::PrivateKeySlotId;

        let mut ctx = store.context_mut();

        // FIXME: [PM-11690] - Early abort to handle private key being corrupt
        if org_enc_keys.is_empty() {
            info!("No organization keys to set");
            return Ok(());
        }

        if !ctx.has_private_key(PrivateKeySlotId::UserPrivateKey) {
            info!("User private key is missing, cannot set organization keys");
            return Err(MissingPrivateKeyError.into());
        }

        // Make sure we only keep the keys given in the arguments and not any of the previous
        // ones, which might be from organizations that the user is no longer a part of anymore
        ctx.retain_symmetric_keys(|key_ref| {
            !matches!(key_ref, SymmetricKeySlotId::Organization(_))
        });

        info!("Decrypting organization keys");
        // Decrypt the org keys with the private key
        for (org_id, org_enc_key) in org_enc_keys {
            let _span =
                tracing::span!(tracing::Level::INFO, "decapsulate_org_key", org_id = %org_id)
                    .entered();
            match org_enc_key.decapsulate(PrivateKeySlotId::UserPrivateKey, &mut ctx) {
                Err(e) => {
                    tracing::error!("Failed to decapsulate organization key: {}", e);
                    return Err(e.into());
                }
                Ok(org_symmetric_key) => {
                    tracing::info!(
                        org_id = %org_id,
                        "Successfully decapsulated organization key for org",
                    );
                    ctx.persist_symmetric_key(
                        org_symmetric_key,
                        SymmetricKeySlotId::Organization(org_id),
                    )?;
                }
            }
        }

        Ok(())
    }
}