Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-6760] Add support for URI checksums #662

Merged
merged 4 commits into from
Mar 21, 2024
Merged

[PM-6760] Add support for URI checksums #662

merged 4 commits into from
Mar 21, 2024

Conversation

dani-garcia
Copy link
Member

Type of change

- [ ] Bug fix
- [x] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Validate the URI checksums of ciphers. This is done in a similar way to the enable_cipher_key_encryption flag check

@dani-garcia dani-garcia changed the title Add support for URI checksums [PM-6760] Add support for URI checksums Mar 15, 2024
@bitwarden-bot
Copy link

Logo
Checkmarx One – Scan Summary & Detailsca272510-55e4-4fd0-8d49-e9922edf092b

No New Or Fixed Issues Found

@codecov Codecov
Copy link

codecov bot commented Mar 15, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 89.88764% with 9 lines in your changes are missing coverage. Please review.

Project coverage is 60.62%. Comparing base (b6d36ea) to head (9f31794).

Files Patch % Lines
crates/bitwarden/src/vault/cipher/login.rs 92.18% 5 Missing ⚠️
crates/bitwarden/src/vault/cipher/cipher.rs 84.00% 4 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #662      +/-   ##
==========================================
+ Coverage   60.39%   60.62%   +0.23%     
==========================================
  Files         172      172              
  Lines       10553    10638      +85     
==========================================
+ Hits         6373     6449      +76     
- Misses       4180     4189       +9

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@dani-garcia dani-garcia marked this pull request as ready for review March 15, 2024 15:56
@dani-garcia dani-garcia requested a review from Hinton March 15, 2024 15:56
Hinton
Hinton reviewed Mar 18, 2024
View reviewed changes
crates/bitwarden/src/mobile/vault/client_ciphers.rs Outdated
Comment on lines 28 to 30
if cipher_view.key.is_some() {
cipher_view.generate_checksums();
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should move into the cipher logic. This is not temporary behaviour, and I believe we could easily do this as part of the encyrpt operation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, my thought was to group it with the cipher key behaviour and eventually when the flag was removed move both into the encrypt operation, but we can do it now with the checksums. I've updated the PR

Hinton
Hinton reviewed Mar 21, 2024
View reviewed changes
crates/bitwarden/src/vault/cipher/cipher.rs
@@ -139,10 +139,15 @@ pub struct CipherListView {
}

impl KeyEncryptable<SymmetricCryptoKey, Cipher> for CipherView {
fn encrypt_with_key(self, key: &SymmetricCryptoKey) -> Result<Cipher, CryptoError> {
fn encrypt_with_key(mut self, key: &SymmetricCryptoKey) -> Result<Cipher, CryptoError> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to actually mutate self? We should be able to mutate just the URIs in login.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could change the mutability to only affect the login like this, but to me it seems harder to read:

This code will be nicer when moved to LoginUriView, but we can't do that until we decide to unconditionally generate the checksums, as the LoginUriView doesn't have knowledge of whether a cipher key is used or not.

    fn encrypt_with_key(self, key: &SymmetricCryptoKey) -> Result<Cipher, CryptoError> {
        let ciphers_key = Cipher::get_cipher_key(key, &self.key)?;
        let key = ciphers_key.as_ref().unwrap_or(key);

        let mut login = self.login;

        // For compatibility reasons, we only create checksums for ciphers that have a key
        if ciphers_key.is_some() {
            login.generate_checksums();
        }

        Ok(Cipher {
            id: self.id,
            organization_id: self.organization_id,
            ...
            login: login.encrypt_with_key(key)?,

Hinton
Hinton approved these changes Mar 21, 2024
View reviewed changes
Copy link
Member

@Hinton Hinton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is good enough for now. Once cipher key is the norm we can just lift in the checksum generation into LoginUri directly.

@dani-garcia dani-garcia merged commit 67e743f into main Mar 21, 2024
69 checks passed
@dani-garcia dani-garcia deleted the ps/PM-6760-uri-checksums branch March 21, 2024 18:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Hinton Hinton Hinton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dani-garcia @bitwarden-bot @Hinton