[PM-21782] Pass encryptedFor to cipher functions

This commit updates several functions to accept an `encryptedFor` parameter, which specifies the user ID for whom the cipher is encrypted. This property is used by the server to verify the cipher is encrypted by the correct user. If verification fails the server responds with an appropriate error message.

This change affects the following:
- `toEncryptedNetworkCipher` and `toEncryptedNetworkCipherResponse` extension functions for `Cipher` now require an `encryptedFor` parameter.
- `CipherJsonRequest` and `SyncResponseJson.Cipher` now include an `encryptedFor` field.
- SDK functions like `encryptCipher` and `decryptFile` have been updated to align with these changes.

Additionally, this update includes the following SDK related changes:
- Adding the `encryptedFor` related logic (bitwarden/sdk-internal#278)
- Update in protocol and objects naming to have ``{foo}Client[Protocol]`` instead of `Client{foo}[Protocol]` (bitwarden/sdk-internal#224)
- Update attachments decryption to use `AttachmentView` instead of `Attachment` (bitwarden/sdk-internal#255)

Author: SaintPatrck

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSource.kt

@@ -22,6 +22,7 @@ import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherView
 import com.bitwarden.vault.Collection
 import com.bitwarden.vault.CollectionView
+import com.bitwarden.vault.EncryptionContext
 import com.bitwarden.vault.Folder
 import com.bitwarden.vault.FolderView
 import com.bitwarden.vault.PasswordHistory
@@ -187,7 +188,7 @@ interface VaultSdkSource {
     suspend fun encryptCipher(
         userId: String,
         cipherView: CipherView,
-    ): Result<Cipher>
+    ): Result<EncryptionContext>
 
     /**
      * Decrypts a [Cipher] for the user with the given [userId], returning a [CipherView] wrapped
@@ -349,13 +350,13 @@ interface VaultSdkSource {
     ): Result<List<FolderView>>
 
     /**
-     * Decrypts a [cipher] [attachment] file found at [encryptedFilePath] saving it at
+     * Decrypts a [cipher] [attachmentView] file found at [encryptedFilePath] saving it at
      * [decryptedFilePath] for the user with the given [userId]
      */
     suspend fun decryptFile(
         userId: String,
         cipher: Cipher,
-        attachment: Attachment,
+        attachmentView: AttachmentView,
         encryptedFilePath: String,
         decryptedFilePath: String,
     ): Result<Unit>

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/VaultSdkSourceImpl.kt

@@ -25,6 +25,7 @@ import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherView
 import com.bitwarden.vault.Collection
 import com.bitwarden.vault.CollectionView
+import com.bitwarden.vault.EncryptionContext
 import com.bitwarden.vault.Folder
 import com.bitwarden.vault.FolderView
 import com.bitwarden.vault.PasswordHistory
@@ -269,7 +270,7 @@ class VaultSdkSourceImpl(
     override suspend fun encryptCipher(
         userId: String,
         cipherView: CipherView,
-    ): Result<Cipher> =
+    ): Result<EncryptionContext> =
         runCatchingWithLogs {
             getClient(userId = userId)
                 .vault()
@@ -389,7 +390,7 @@ class VaultSdkSourceImpl(
     override suspend fun decryptFile(
         userId: String,
         cipher: Cipher,
-        attachment: Attachment,
+        attachmentView: AttachmentView,
         encryptedFilePath: String,
         decryptedFilePath: String,
     ): Result<Unit> =
@@ -399,7 +400,7 @@ class VaultSdkSourceImpl(
                 .attachments()
                 .decryptFile(
                     cipher = cipher,
-                    attachment = attachment,
+                    attachment = attachmentView,
                     encryptedFilePath = encryptedFilePath,
                     decryptedFilePath = decryptedFilePath,
                 )

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/datasource/sdk/model/Fido2CredentialStoreImpl.kt

@@ -3,9 +3,9 @@ package com.x8bit.bitwarden.data.vault.datasource.sdk.model
 import com.bitwarden.annotation.OmitFromCoverage
 import com.bitwarden.fido.Fido2CredentialAutofillView
 import com.bitwarden.sdk.Fido2CredentialStore
-import com.bitwarden.vault.Cipher
 import com.bitwarden.vault.CipherListView
 import com.bitwarden.vault.CipherView
+import com.bitwarden.vault.EncryptionContext
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.autofill.util.isActiveWithFido2Credentials
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
@@ -91,11 +91,12 @@ class Fido2CredentialStoreImpl(
     /**
      * Save the provided [cred] to the users vault.
      */
-    override suspend fun saveCredential(cred: Cipher) {
-        val userId = getActiveUserIdOrThrow()
-
+    override suspend fun saveCredential(cred: EncryptionContext) {
         vaultSdkSource
-            .decryptCipher(userId, cred)
+            .decryptCipher(
+                userId = cred.encryptedFor,
+                cipher = cred.cipher,
+            )
             .map { decryptedCipherView ->
                 decryptedCipherView.id
                     ?.let { vaultRepository.updateCipher(it, decryptedCipherView) }

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CipherManagerImpl.kt

@@ -12,8 +12,8 @@ import com.bitwarden.network.model.UpdateCipherCollectionsJsonRequest
 import com.bitwarden.network.model.UpdateCipherResponseJson
 import com.bitwarden.network.service.CiphersService
 import com.bitwarden.vault.AttachmentView
-import com.bitwarden.vault.Cipher
 import com.bitwarden.vault.CipherView
+import com.bitwarden.vault.EncryptionContext
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.platform.error.NoActiveUserException
 import com.x8bit.bitwarden.data.platform.manager.ReviewPromptManager
@@ -53,6 +53,7 @@ class CipherManagerImpl(
     override suspend fun createCipher(cipherView: CipherView): CreateCipherResult {
         val userId = activeUserId
             ?: return CreateCipherResult.Error(error = NoActiveUserException())
+
         return vaultSdkSource
             .encryptCipher(
                 userId = userId,
@@ -80,10 +81,10 @@ class CipherManagerImpl(
                 userId = userId,
                 cipherView = cipherView,
             )
-            .flatMap { cipher ->
+            .flatMap {
                 ciphersService.createCipherInOrganization(
                     body = CreateCipherInOrganizationJsonRequest(
-                        cipher = cipher.toEncryptedNetworkCipher(),
+                        cipher = it.toEncryptedNetworkCipher(),
                         collectionIds = collectionIds,
                     ),
                 )
@@ -123,10 +124,15 @@ class CipherManagerImpl(
             ?: return DeleteCipherResult.Error(error = NoActiveUserException())
         return cipherView
             .encryptCipherAndCheckForMigration(userId = userId, cipherId = cipherId)
-            .flatMap { cipher ->
+            .flatMap { encryptionContext ->
                 ciphersService
                     .softDeleteCipher(cipherId = cipherId)
-                    .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = cipher) }
+                    .flatMap {
+                        vaultSdkSource.decryptCipher(
+                            userId = userId,
+                            cipher = encryptionContext.cipher,
+                        )
+                    }
             }
             .flatMap {
                 vaultSdkSource.encryptCipher(
@@ -165,7 +171,7 @@ class CipherManagerImpl(
         cipherId: String,
         attachmentId: String,
         cipherView: CipherView,
-    ): Result<Cipher> {
+    ): Result<EncryptionContext> {
         val userId = activeUserId ?: return NoActiveUserException().asFailure()
         return ciphersService
             .deleteCipherAttachment(
@@ -181,10 +187,10 @@ class CipherManagerImpl(
                     )
                     .encryptCipherAndCheckForMigration(userId = userId, cipherId = cipherId)
             }
-            .onSuccess { cipher ->
+            .onSuccess { encryptionContext ->
                 vaultDiskSource.saveCipher(
                     userId = userId,
-                    cipher = cipher.toEncryptedNetworkCipherResponse(),
+                    cipher = encryptionContext.toEncryptedNetworkCipherResponse(),
                 )
             }
     }
@@ -220,10 +226,10 @@ class CipherManagerImpl(
                 userId = userId,
                 cipherView = cipherView,
             )
-            .flatMap { cipher ->
+            .flatMap {
                 ciphersService.updateCipher(
                     cipherId = cipherId,
-                    body = cipher.toEncryptedNetworkCipher(),
+                    body = it.toEncryptedNetworkCipher(),
                 )
             }
             .map { response ->
@@ -263,11 +269,11 @@ class CipherManagerImpl(
                 )
             }
             .flatMap { vaultSdkSource.encryptCipher(userId = userId, cipherView = it) }
-            .flatMap { cipher ->
+            .flatMap {
                 ciphersService.shareCipher(
                     cipherId = cipherId,
                     body = ShareCipherJsonRequest(
-                        cipher = cipher.toEncryptedNetworkCipher(),
+                        cipher = it.toEncryptedNetworkCipher(),
                         collectionIds = collectionIds,
                     ),
                 )
@@ -301,10 +307,10 @@ class CipherManagerImpl(
                     cipherView = cipherView.copy(collectionIds = collectionIds),
                 )
             }
-            .onSuccess { cipher ->
+            .onSuccess { encryptionContext ->
                 vaultDiskSource.saveCipher(
                     userId = userId,
-                    cipher = cipher.toEncryptedNetworkCipherResponse(),
+                    cipher = encryptionContext.toEncryptedNetworkCipherResponse(),
                 )
             }
             .fold(
@@ -362,14 +368,14 @@ class CipherManagerImpl(
                 userId = userId,
                 cipherId = requireNotNull(cipherView.id),
             )
-            .flatMap { cipher ->
+            .flatMap { encryptionContext ->
                 fileManager
                     .writeUriToCache(fileUri = fileUri)
                     .flatMap { cacheFile ->
                         vaultSdkSource
                             .encryptAttachment(
                                 userId = userId,
-                                cipher = cipher,
+                                cipher = encryptionContext.cipher,
                                 attachmentView = attachmentView,
                                 decryptedFilePath = cacheFile.absolutePath,
                                 encryptedFilePath = "${cacheFile.absolutePath}.enc",
@@ -447,10 +453,10 @@ class CipherManagerImpl(
                 cipherId = requireNotNull(cipherView.id),
             )
             .fold(
-                onSuccess = { it },
+                onSuccess = { it.cipher },
                 onFailure = { return it.asFailure() },
             )
-        val attachment = cipher.attachments?.find { it.id == attachmentId }
+        val attachmentView = cipherView.attachments?.find { it.id == attachmentId }
             ?: return IllegalStateException("No attachment to download").asFailure()
 
         val attachmentData = ciphersService
@@ -479,7 +485,7 @@ class CipherManagerImpl(
             .decryptFile(
                 userId = userId,
                 cipher = cipher,
-                attachment = attachment,
+                attachmentView = attachmentView,
                 encryptedFilePath = encryptedFile.path,
                 decryptedFilePath = decryptedFile.path,
             )
@@ -494,17 +500,17 @@ class CipherManagerImpl(
     private suspend fun CipherView.encryptCipherAndCheckForMigration(
         userId: String,
         cipherId: String,
-    ): Result<Cipher> =
+    ): Result<EncryptionContext> =
         vaultSdkSource
             .encryptCipher(userId = userId, cipherView = this)
-            .flatMap {
+            .flatMap { encryptionContext ->
                 // We only migrate the cipher if the original cipher did not have a key and the
                 // new cipher does. This means the SDK created the key and migration is required.
-                if (it.key != null && this.key == null) {
+                if (encryptionContext.cipher.key != null && this.key == null) {
                     ciphersService
                         .updateCipher(
                             cipherId = cipherId,
-                            body = it.toEncryptedNetworkCipher(),
+                            body = encryptionContext.toEncryptedNetworkCipher(),
                         )
                         .flatMap { response ->
                             when (response) {
@@ -520,12 +526,16 @@ class CipherManagerImpl(
                                         userId = userId,
                                         cipher = response.cipher,
                                     )
-                                    response.cipher.toEncryptedSdkCipher().asSuccess()
+                                    EncryptionContext(
+                                        encryptedFor = encryptionContext.encryptedFor,
+                                        cipher = response.cipher.toEncryptedSdkCipher(),
+                                    )
+                                        .asSuccess()
                                 }
                             }
                         }
                 } else {
-                    it.asSuccess()
+                    encryptionContext.asSuccess()
                 }
             }
 
@@ -541,7 +551,7 @@ class CipherManagerImpl(
             ?: return IllegalStateException("CipherView must have an ID").asFailure()
         var migratedCipherView = cipherView
             .encryptCipherAndCheckForMigration(userId = userId, cipherId = cipherViewId)
-            .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = it) }
+            .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = it.cipher) }
             .getOrElse { return it.asFailure() }
 
         attachmentViewsToMigrate
@@ -574,7 +584,12 @@ class CipherManagerImpl(
                                     cipherId = cipherViewId,
                                 )
                             }
-                            .flatMap { vaultSdkSource.decryptCipher(userId = userId, cipher = it) }
+                            .flatMap {
+                                vaultSdkSource.decryptCipher(
+                                    userId = userId,
+                                    cipher = it.cipher,
+                                )
+                            }
                             .onSuccess { migratedCipherView = it }
                     }
                     ?: IllegalStateException("AttachmentView must have an ID").asFailure()

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/VaultLockManagerImpl.kt

@@ -181,6 +181,7 @@ class VaultLockManagerImpl(
                             email = email,
                             privateKey = privateKey,
                             method = initUserCryptoMethod,
+                            userId = userId,
                         ),
                     )
                     .flatMap { result ->

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/repository/util/VaultSdkCipherExtensions.kt

@@ -20,6 +20,7 @@ import com.bitwarden.vault.CipherPermissions
 import com.bitwarden.vault.CipherRepromptType
 import com.bitwarden.vault.CipherType
 import com.bitwarden.vault.CipherView
+import com.bitwarden.vault.EncryptionContext
 import com.bitwarden.vault.Fido2Credential
 import com.bitwarden.vault.Field
 import com.bitwarden.vault.FieldType
@@ -37,8 +38,12 @@ import java.time.ZonedDateTime
 /**
  * Converts a Bitwarden SDK [Cipher] object to a corresponding
  * [SyncResponseJson.Cipher] object.
+ *
+ * @param encryptedFor The ID of the user who this cipher is encrypted for.
  */
-fun Cipher.toEncryptedNetworkCipher(): CipherJsonRequest =
+fun Cipher.toEncryptedNetworkCipher(
+    encryptedFor: String,
+): CipherJsonRequest =
     CipherJsonRequest(
         notes = notes,
         attachments = attachments
@@ -59,13 +64,18 @@ fun Cipher.toEncryptedNetworkCipher(): CipherJsonRequest =
         card = card?.toEncryptedNetworkCard(),
         key = key,
         sshKey = sshKey?.toEncryptedNetworkSshKey(),
+        encryptedFor = encryptedFor,
     )
 
 /**
  * Converts a Bitwarden SDK [Cipher] object to a corresponding
  * [SyncResponseJson.Cipher] object.
+ *
+ * @param encryptedFor The ID of the user who this cipher is encrypted for.
  */
-fun Cipher.toEncryptedNetworkCipherResponse(): SyncResponseJson.Cipher =
+fun Cipher.toEncryptedNetworkCipherResponse(
+    encryptedFor: String,
+): SyncResponseJson.Cipher =
     SyncResponseJson.Cipher(
         notes = notes,
         reprompt = reprompt.toNetworkRepromptType(),
@@ -92,6 +102,7 @@ fun Cipher.toEncryptedNetworkCipherResponse(): SyncResponseJson.Cipher =
         id = id.orEmpty(),
         shouldViewPassword = viewPassword,
         key = key,
+        encryptedFor = encryptedFor,
     )
 
 /**
@@ -626,3 +637,17 @@ fun List<CipherListView>.sortAlphabetically(): List<CipherListView> {
         },
     )
 }
+
+/**
+ * Converts a Bitwarden SDK [EncryptionContext] object to a corresponding [CipherJsonRequest]
+ * object.
+ */
+fun EncryptionContext.toEncryptedNetworkCipher(): CipherJsonRequest =
+    cipher.toEncryptedNetworkCipher(encryptedFor = encryptedFor)
+
+/**
+ * Converts a Bitwarden SDK [EncryptionContext] object to a corresponding [SyncResponseJson.Cipher]
+ * object.
+ */
+fun EncryptionContext.toEncryptedNetworkCipherResponse(): SyncResponseJson.Cipher =
+    cipher.toEncryptedNetworkCipherResponse(encryptedFor = encryptedFor)

app/src/test/kotlin/com/x8bit/bitwarden/data/vault/datasource/disk/VaultDiskSourceTest.kt

@@ -419,7 +419,8 @@ private const val CIPHER_JSON = """
     "publicKey": "mockPublicKey-1",
     "privateKey": "mockPrivateKey-1",
     "keyFingerprint": "mockKeyFingerprint-1"
-  }
+  },
+  "encryptedFor": "mockEncryptedFor-1"
 }
 """