[PM-21782] Pass encryptedFor to cipher functions (#5297)

Author: SaintPatrck

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSource.kt

@@ -22,6 +22,7 @@ import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherView
 import com.bitwarden.vault.Collection
 import com.bitwarden.vault.CollectionView
+import com.bitwarden.vault.EncryptionContext
 import com.bitwarden.vault.Folder
 import com.bitwarden.vault.FolderView
 import com.bitwarden.vault.PasswordHistory
@@ -187,7 +188,7 @@ interface VaultSdkSource {
     suspend fun encryptCipher(
         userId: String,
         cipherView: CipherView,
-    ): Result<Cipher>
+    ): Result<EncryptionContext>
 
     /**
      * Decrypts a [Cipher] for the user with the given [userId], returning a [CipherView] wrapped
@@ -349,13 +350,13 @@ interface VaultSdkSource {
     ): Result<List<FolderView>>
 
     /**
-     * Decrypts a [cipher] [attachment] file found at [encryptedFilePath] saving it at
+     * Decrypts a [cipher] [attachmentView] file found at [encryptedFilePath] saving it at
      * [decryptedFilePath] for the user with the given [userId]
      */
     suspend fun decryptFile(
         userId: String,
         cipher: Cipher,
-        attachment: Attachment,
+        attachmentView: AttachmentView,
         encryptedFilePath: String,
         decryptedFilePath: String,
     ): Result<Unit>

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSourceImpl.kt

@@ -25,6 +25,7 @@ import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherView
 import com.bitwarden.vault.Collection
 import com.bitwarden.vault.CollectionView
+import com.bitwarden.vault.EncryptionContext
 import com.bitwarden.vault.Folder
 import com.bitwarden.vault.FolderView
 import com.bitwarden.vault.PasswordHistory
@@ -269,7 +270,7 @@ class VaultSdkSourceImpl(
     override suspend fun encryptCipher(
         userId: String,
         cipherView: CipherView,
-    ): Result<Cipher> =
+    ): Result<EncryptionContext> =
         runCatchingWithLogs {
             getClient(userId = userId)
                 .vault()
@@ -389,7 +390,7 @@ class VaultSdkSourceImpl(
     override suspend fun decryptFile(
         userId: String,
         cipher: Cipher,
-        attachment: Attachment,
+        attachmentView: AttachmentView,
         encryptedFilePath: String,
         decryptedFilePath: String,
     ): Result<Unit> =
@@ -399,7 +400,7 @@ class VaultSdkSourceImpl(
                 .attachments()
                 .decryptFile(
                     cipher = cipher,
-                    attachment = attachment,
+                    attachment = attachmentView,
                     encryptedFilePath = encryptedFilePath,
                     decryptedFilePath = decryptedFilePath,
                 )

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialStoreImpl.kt

@@ -3,9 +3,9 @@ package com.x8bit.bitwarden.data.vault.datasource.sdk.model
 import com.bitwarden.annotation.OmitFromCoverage
 import com.bitwarden.fido.Fido2CredentialAutofillView
 import com.bitwarden.sdk.Fido2CredentialStore
-import com.bitwarden.vault.Cipher
 import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherView
+import com.bitwarden.vault.EncryptionContext
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.autofill.util.isActiveWithFido2Credentials
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
@@ -91,11 +91,12 @@ class Fido2CredentialStoreImpl(
     /**
      * Save the provided [cred] to the users vault.
      */
-    override suspend fun saveCredential(cred: Cipher) {
-        val userId = getActiveUserIdOrThrow()
-
+    override suspend fun saveCredential(cred: EncryptionContext) {
         vaultSdkSource
-            .decryptCipher(userId, cred)
+            .decryptCipher(
+                userId = cred.encryptedFor,
+                cipher = cred.cipher,
+            )
             .map { decryptedCipherView ->
                 decryptedCipherView.id
                     ?.let { vaultRepository.updateCipher(it, decryptedCipherView) }

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManagerImpl.kt

@@ -12,8 +12,8 @@ import com.bitwarden.network.model.UpdateCipherCollectionsJsonRequest
 import com.bitwarden.network.model.UpdateCipherResponseJson
 import com.bitwarden.network.service.CiphersService
 import com.bitwarden.vault.AttachmentView
-import com.bitwarden.vault.Cipher
 import com.bitwarden.vault.CipherView
+import com.bitwarden.vault.EncryptionContext
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
 import com.x8bit.bitwarden.data.platform.manager.ReviewPromptManager
@@ -80,10 +80,10 @@ class CipherManagerImpl(
                 userId = userId,
                 cipherView = cipherView,
             )
-            .flatMap { cipher ->
+            .flatMap {
                 ciphersService.createCipherInOrganization(
                     body = CreateCipherInOrganizationJsonRequest(
-                        cipher = cipher.toEncryptedNetworkCipher(),
+                        cipher = it.toEncryptedNetworkCipher(),
                         collectionIds = collectionIds,
                     ),
                 )
@@ -123,10 +123,15 @@ class CipherManagerImpl(
             ?: return DeleteCipherResult.Error(error = NoActiveUserException())
         return cipherView
             .encryptCipherAndCheckForMigration(userId = userId, cipherId = cipherId)
-            .flatMap { cipher ->
+            .flatMap { encryptionContext ->
                 ciphersService
                     .softDeleteCipher(cipherId = cipherId)
-                    .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = cipher) }
+                    .flatMap {
+                        vaultSdkSource.decryptCipher(
+                            userId = userId,
+                            cipher = encryptionContext.cipher,
+                        )
+                    }
             }
             .flatMap {
                 vaultSdkSource.encryptCipher(
@@ -165,7 +170,7 @@ class CipherManagerImpl(
         cipherId: String,
         attachmentId: String,
         cipherView: CipherView,
-    ): Result<Cipher> {
+    ): Result<EncryptionContext> {
         val userId = activeUserId ?: return NoActiveUserException().asFailure()
         return ciphersService
             .deleteCipherAttachment(
@@ -181,10 +186,10 @@ class CipherManagerImpl(
                     )
                     .encryptCipherAndCheckForMigration(userId = userId, cipherId = cipherId)
             }
-            .onSuccess { cipher ->
+            .onSuccess { encryptionContext ->
                 vaultDiskSource.saveCipher(
                     userId = userId,
-                    cipher = cipher.toEncryptedNetworkCipherResponse(),
+                    cipher = encryptionContext.toEncryptedNetworkCipherResponse(),
                 )
             }
     }
@@ -220,10 +225,10 @@ class CipherManagerImpl(
                 userId = userId,
                 cipherView = cipherView,
             )
-            .flatMap { cipher ->
+            .flatMap {
                 ciphersService.updateCipher(
                     cipherId = cipherId,
-                    body = cipher.toEncryptedNetworkCipher(),
+                    body = it.toEncryptedNetworkCipher(),
                 )
             }
             .map { response ->
@@ -263,11 +268,11 @@ class CipherManagerImpl(
                 )
             }
             .flatMap { vaultSdkSource.encryptCipher(userId = userId, cipherView = it) }
-            .flatMap { cipher ->
+            .flatMap {
                 ciphersService.shareCipher(
                     cipherId = cipherId,
                     body = ShareCipherJsonRequest(
-                        cipher = cipher.toEncryptedNetworkCipher(),
+                        cipher = it.toEncryptedNetworkCipher(),
                         collectionIds = collectionIds,
                     ),
                 )
@@ -301,10 +306,10 @@ class CipherManagerImpl(
                     cipherView = cipherView.copy(collectionIds = collectionIds),
                 )
             }
-            .onSuccess { cipher ->
+            .onSuccess { encryptionContext ->
                 vaultDiskSource.saveCipher(
                     userId = userId,
-                    cipher = cipher.toEncryptedNetworkCipherResponse(),
+                    cipher = encryptionContext.toEncryptedNetworkCipherResponse(),
                 )
             }
             .fold(
@@ -362,14 +367,14 @@ class CipherManagerImpl(
                 userId = userId,
                 cipherId = requireNotNull(cipherView.id),
             )
-            .flatMap { cipher ->
+            .flatMap { encryptionContext ->
                 fileManager
                     .writeUriToCache(fileUri = fileUri)
                     .flatMap { cacheFile ->
                         vaultSdkSource
                             .encryptAttachment(
                                 userId = userId,
-                                cipher = cipher,
+                                cipher = encryptionContext.cipher,
                                 attachmentView = attachmentView,
                                 decryptedFilePath = cacheFile.absolutePath,
                                 encryptedFilePath = "${cacheFile.absolutePath}.enc",
@@ -447,10 +452,10 @@ class CipherManagerImpl(
                 cipherId = requireNotNull(cipherView.id),
             )
             .fold(
-                onSuccess = { it },
+                onSuccess = { it.cipher },
                 onFailure = { return it.asFailure() },
             )
-        val attachment = cipher.attachments?.find { it.id == attachmentId }
+        val attachmentView = cipherView.attachments?.find { it.id == attachmentId }
             ?: return IllegalStateException("No attachment to download").asFailure()
 
         val attachmentData = ciphersService
@@ -479,7 +484,7 @@ class CipherManagerImpl(
             .decryptFile(
                 userId = userId,
                 cipher = cipher,
-                attachment = attachment,
+                attachmentView = attachmentView,
                 encryptedFilePath = encryptedFile.path,
                 decryptedFilePath = decryptedFile.path,
             )
@@ -494,17 +499,17 @@ class CipherManagerImpl(
     private suspend fun CipherView.encryptCipherAndCheckForMigration(
         userId: String,
         cipherId: String,
-    ): Result<Cipher> =
+    ): Result<EncryptionContext> =
         vaultSdkSource
             .encryptCipher(userId = userId, cipherView = this)
-            .flatMap {
+            .flatMap { encryptionContext ->
                 // We only migrate the cipher if the original cipher did not have a key and the
                 // new cipher does. This means the SDK created the key and migration is required.
-                if (it.key != null && this.key == null) {
+                if (encryptionContext.cipher.key != null && this.key == null) {
                     ciphersService
                         .updateCipher(
                             cipherId = cipherId,
-                            body = it.toEncryptedNetworkCipher(),
+                            body = encryptionContext.toEncryptedNetworkCipher(),
                         )
                         .flatMap { response ->
                             when (response) {
@@ -520,12 +525,14 @@ class CipherManagerImpl(
                                         userId = userId,
                                         cipher = response.cipher,
                                     )
-                                    response.cipher.toEncryptedSdkCipher().asSuccess()
+                                    encryptionContext
+                                        .copy(cipher = response.cipher.toEncryptedSdkCipher())
+                                        .asSuccess()
                                 }
                             }
                         }
                 } else {
-                    it.asSuccess()
+                    encryptionContext.asSuccess()
                 }
             }
 
@@ -541,7 +548,7 @@ class CipherManagerImpl(
             ?: return IllegalStateException("CipherView must have an ID").asFailure()
         var migratedCipherView = cipherView
             .encryptCipherAndCheckForMigration(userId = userId, cipherId = cipherViewId)
-            .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = it) }
+            .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = it.cipher) }
             .getOrElse { return it.asFailure() }
 
         attachmentViewsToMigrate
@@ -574,7 +581,12 @@ class CipherManagerImpl(
                                     cipherId = cipherViewId,
                                 )
                             }
-                            .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = it) }
+                            .flatMap {
+                                vaultSdkSource.decryptCipher(
+                                    userId = userId,
+                                    cipher = it.cipher,
+                                )
+                            }
                             .onSuccess { migratedCipherView = it }
                     }
                     ?: IllegalStateException("AttachmentView must have an ID").asFailure()

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManagerImpl.kt

@@ -181,6 +181,7 @@ class VaultLockManagerImpl(
                             email = email,
                             privateKey = privateKey,
                             method = initUserCryptoMethod,
+                            userId = userId,
                         ),
                     )
                     .flatMap { result ->

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/repository/util/VaultSdkCipherExtensions.kt

@@ -20,6 +20,7 @@ import com.bitwarden.vault.CipherPermissions
 import com.bitwarden.vault.CipherRepromptType
 import com.bitwarden.vault.CipherType
 import com.bitwarden.vault.CipherView
+import com.bitwarden.vault.EncryptionContext
 import com.bitwarden.vault.Fido2Credential
 import com.bitwarden.vault.Field
 import com.bitwarden.vault.FieldType
@@ -37,8 +38,12 @@ import java.time.ZonedDateTime
 /**
  * Converts a Bitwarden SDK [Cipher] object to a corresponding
  * [SyncResponseJson.Cipher] object.
+ *
+ * @param encryptedFor The ID of the user who this cipher is encrypted by.
  */
-fun Cipher.toEncryptedNetworkCipher(): CipherJsonRequest =
+fun Cipher.toEncryptedNetworkCipher(
+    encryptedFor: String,
+): CipherJsonRequest =
     CipherJsonRequest(
         notes = notes,
         attachments = attachments
@@ -59,13 +64,18 @@ fun Cipher.toEncryptedNetworkCipher(): CipherJsonRequest =
         card = card?.toEncryptedNetworkCard(),
         key = key,
         sshKey = sshKey?.toEncryptedNetworkSshKey(),
+        encryptedFor = encryptedFor,
     )
 
 /**
  * Converts a Bitwarden SDK [Cipher] object to a corresponding
  * [SyncResponseJson.Cipher] object.
+ *
+ * @param encryptedFor The ID of the user who this cipher is encrypted by.
  */
-fun Cipher.toEncryptedNetworkCipherResponse(): SyncResponseJson.Cipher =
+fun Cipher.toEncryptedNetworkCipherResponse(
+    encryptedFor: String,
+): SyncResponseJson.Cipher =
     SyncResponseJson.Cipher(
         notes = notes,
         reprompt = reprompt.toNetworkRepromptType(),
@@ -92,6 +102,7 @@ fun Cipher.toEncryptedNetworkCipherResponse(): SyncResponseJson.Cipher =
         id = id.orEmpty(),
         shouldViewPassword = viewPassword,
         key = key,
+        encryptedFor = encryptedFor,
     )
 
 /**
@@ -626,3 +637,17 @@ fun List<CipherListView>.sortAlphabetically(): List<CipherListView> {
         },
     )
 }
+
+/**
+ * Converts a Bitwarden SDK [EncryptionContext] object to a corresponding [CipherJsonRequest]
+ * object.
+ */
+fun EncryptionContext.toEncryptedNetworkCipher(): CipherJsonRequest =
+    cipher.toEncryptedNetworkCipher(encryptedFor = encryptedFor)
+
+/**
+ * Converts a Bitwarden SDK [EncryptionContext] object to a corresponding [SyncResponseJson.Cipher]
+ * object.
+ */
+fun EncryptionContext.toEncryptedNetworkCipherResponse(): SyncResponseJson.Cipher =
+    cipher.toEncryptedNetworkCipherResponse(encryptedFor = encryptedFor)

app/src/test/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSourceTest.kt

@@ -419,7 +419,8 @@ private const val CIPHER_JSON = """
     "publicKey": "mockPublicKey-1",
     "privateKey": "mockPrivateKey-1",
     "keyFingerprint": "mockKeyFingerprint-1"
-  }
+  },
+  "encryptedFor": "mockEncryptedFor-1"
 }
 """