[PM-20508] Centralize passkey credential entry creation (#5033)

Author: SaintPatrck

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/di/Fido2ProviderModule.kt

@@ -16,6 +16,8 @@ import com.x8bit.bitwarden.data.autofill.fido2.processor.Fido2ProviderProcessorI
 import com.x8bit.bitwarden.data.platform.manager.AssetManager
 import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
+import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
@@ -41,8 +43,6 @@ object Fido2ProviderModule {
     fun provideCredentialProviderProcessor(
         @ApplicationContext context: Context,
         authRepository: AuthRepository,
-        vaultRepository: VaultRepository,
-        fido2CredentialStore: Fido2CredentialStore,
         fido2CredentialManager: Fido2CredentialManager,
         dispatcherManager: DispatcherManager,
         intentManager: IntentManager,
@@ -53,8 +53,6 @@ object Fido2ProviderModule {
         Fido2ProviderProcessorImpl(
             context,
             authRepository,
-            vaultRepository,
-            fido2CredentialStore,
             fido2CredentialManager,
             intentManager,
             clock,
@@ -66,14 +64,29 @@ object Fido2ProviderModule {
     @Provides
     @Singleton
     fun provideFido2CredentialManager(
+        @ApplicationContext context: Context,
+        intentManager: IntentManager,
+        featureFlagManager: FeatureFlagManager,
+        biometricsEncryptionManager: BiometricsEncryptionManager,
         vaultSdkSource: VaultSdkSource,
         fido2CredentialStore: Fido2CredentialStore,
         json: Json,
+        environmentRepository: EnvironmentRepository,
+        settingsRepository: SettingsRepository,
+        vaultRepository: VaultRepository,
+        dispatcherManager: DispatcherManager,
     ): Fido2CredentialManager =
         Fido2CredentialManagerImpl(
+            context = context,
             vaultSdkSource = vaultSdkSource,
             fido2CredentialStore = fido2CredentialStore,
+            intentManager = intentManager,
+            featureFlagManager = featureFlagManager,
+            biometricsEncryptionManager = biometricsEncryptionManager,
             json = json,
+            environmentRepository = environmentRepository,
+            vaultRepository = vaultRepository,
+            dispatcherManager = dispatcherManager,
         )
 
     @Provides

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/manager/Fido2CredentialManager.kt

@@ -2,7 +2,9 @@ package com.x8bit.bitwarden.data.autofill.fido2.manager
 
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.GetPublicKeyCredentialOption
+import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
 import androidx.credentials.provider.CallingAppInfo
+import androidx.credentials.provider.CredentialEntry
 import androidx.credentials.provider.ProviderGetCredentialRequest
 import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionResult
@@ -94,4 +96,13 @@ interface Fido2CredentialManager {
         request: CreatePublicKeyCredentialRequest,
         fallbackRequirement: UserVerificationRequirement = UserVerificationRequirement.REQUIRED,
     ): UserVerificationRequirement
+
+    /**
+     * Retrieve a list of [CredentialEntry] objects representing vault items matching the given
+     * request [option].
+     */
+    suspend fun getPublicKeyCredentialEntries(
+        userId: String,
+        option: BeginGetPublicKeyCredentialOption,
+    ): Result<List<CredentialEntry>>
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/manager/Fido2CredentialManagerImpl.kt

@@ -1,43 +1,92 @@
 package com.x8bit.bitwarden.data.autofill.fido2.manager
 
+import android.content.Context
+import android.os.Build
+import androidx.annotation.RequiresApi
+import androidx.annotation.WorkerThread
+import androidx.biometric.BiometricManager
+import androidx.biometric.BiometricPrompt
+import androidx.core.graphics.drawable.IconCompat
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.GetPublicKeyCredentialOption
+import androidx.credentials.exceptions.GetCredentialUnknownException
+import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
+import androidx.credentials.provider.BiometricPromptData
 import androidx.credentials.provider.CallingAppInfo
+import androidx.credentials.provider.CredentialEntry
 import androidx.credentials.provider.ProviderGetCredentialRequest
+import androidx.credentials.provider.PublicKeyCredentialEntry
+import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.core.data.repository.model.DataState
+import com.bitwarden.core.data.repository.util.takeUntilLoaded
+import com.bitwarden.core.data.util.asFailure
+import com.bitwarden.core.data.util.asSuccess
+import com.bitwarden.data.manager.DispatcherManager
+import com.bitwarden.data.repository.util.baseIconUrl
 import com.bitwarden.fido.ClientData
+import com.bitwarden.fido.Fido2CredentialAutofillView
 import com.bitwarden.fido.Origin
 import com.bitwarden.fido.UnverifiedAssetLink
 import com.bitwarden.sdk.Fido2CredentialStore
 import com.bitwarden.vault.CipherView
+import com.bumptech.glide.Glide
+import com.x8bit.bitwarden.R
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionResult
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2RegisterCredentialResult
 import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAssertionOptions
 import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAttestationOptions
 import com.x8bit.bitwarden.data.autofill.fido2.model.UserVerificationRequirement
+import com.x8bit.bitwarden.data.autofill.fido2.processor.GET_PASSKEY_INTENT
+import com.x8bit.bitwarden.data.autofill.util.isActiveWithFido2Credentials
+import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
+import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
+import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.util.getAppOrigin
 import com.x8bit.bitwarden.data.platform.util.getAppSigningSignatureFingerprint
 import com.x8bit.bitwarden.data.platform.util.getSignatureFingerprintAsHexString
+import com.x8bit.bitwarden.data.platform.util.isBuildVersionBelow
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.AuthenticateFido2CredentialRequest
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.RegisterFido2CredentialRequest
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidAttestationResponse
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidFido2PublicKeyCredential
+import com.x8bit.bitwarden.data.vault.repository.VaultRepository
+import com.x8bit.bitwarden.data.vault.repository.model.DecryptFido2CredentialAutofillViewResult
 import com.x8bit.bitwarden.ui.platform.base.util.prefixHttpsIfNecessaryOrNull
+import com.x8bit.bitwarden.ui.platform.components.model.IconData
+import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
+import com.x8bit.bitwarden.ui.vault.feature.vault.util.toLoginIconData
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.flow.fold
+import kotlinx.coroutines.withContext
 import kotlinx.serialization.SerializationException
 import kotlinx.serialization.json.Json
 import timber.log.Timber
+import java.util.concurrent.ExecutionException
+import javax.crypto.Cipher
+import kotlin.random.Random
 
 /**
  * Primary implementation of [Fido2CredentialManager].
  */
-@Suppress("TooManyFunctions")
+@Suppress("TooManyFunctions", "LongParameterList")
 class Fido2CredentialManagerImpl(
+    private val context: Context,
     private val vaultSdkSource: VaultSdkSource,
     private val fido2CredentialStore: Fido2CredentialStore,
+    private val intentManager: IntentManager,
+    private val featureFlagManager: FeatureFlagManager,
+    private val biometricsEncryptionManager: BiometricsEncryptionManager,
     private val json: Json,
+    private val vaultRepository: VaultRepository,
+    private val environmentRepository: EnvironmentRepository,
+    dispatcherManager: DispatcherManager,
 ) : Fido2CredentialManager,
     Fido2CredentialStore by fido2CredentialStore {
 
+    private val ioScope = CoroutineScope(dispatcherManager.io)
+
     override var isUserVerified: Boolean = false
 
     override var authenticationAttempts: Int = 0
@@ -166,6 +215,168 @@ class Fido2CredentialManagerImpl(
         ?.userVerification
         ?: fallbackRequirement
 
+    override suspend fun getPublicKeyCredentialEntries(
+        userId: String,
+        option: BeginGetPublicKeyCredentialOption,
+    ): Result<List<CredentialEntry>> = withContext(ioScope.coroutineContext) {
+        val options = getPasskeyAssertionOptionsOrNull(option.requestJson)
+            ?: return@withContext GetCredentialUnknownException("Invalid data.").asFailure()
+        val relyingPartyId = options.relyingPartyId
+            ?: return@withContext GetCredentialUnknownException("Invalid data.").asFailure()
+
+        val cipherViews = vaultRepository
+            .ciphersStateFlow
+            .takeUntilLoaded()
+            .fold(initial = emptyList<CipherView>()) { initial, dataState ->
+                when (dataState) {
+                    is DataState.Loaded -> {
+                        dataState.data.filter { it.isActiveWithFido2Credentials }
+                    }
+
+                    else -> emptyList()
+                }
+            }
+
+        if (cipherViews.isEmpty()) {
+            return@withContext emptyList<CredentialEntry>().asSuccess()
+        }
+
+        val decryptResult = vaultRepository
+            .getDecryptedFido2CredentialAutofillViews(cipherViews)
+        when (decryptResult) {
+            is DecryptFido2CredentialAutofillViewResult.Error -> {
+                GetCredentialUnknownException("Error decrypting credentials.")
+                    .asFailure()
+            }
+
+            is DecryptFido2CredentialAutofillViewResult.Success -> {
+                val baseIconUrl = environmentRepository
+                    .environment
+                    .environmentUrlData
+                    .baseIconUrl
+                val autofillViews = decryptResult.fido2CredentialAutofillViews
+                    .filter { it.rpId == relyingPartyId }
+                if (autofillViews.isEmpty()) {
+                    return@withContext emptyList<CredentialEntry>().asSuccess()
+                }
+                val cipherIdsToMatch = autofillViews
+                    .map { it.cipherId }
+                    .toSet()
+
+                cipherViews
+                    .filter { cipherView -> cipherView.id in cipherIdsToMatch }
+                    .associateWith { cipherView ->
+                        autofillViews.first { it.cipherId == cipherView.id }
+                    }
+                    .toPublicKeyCredentialEntryList(
+                        baseIconUrl = baseIconUrl,
+                        userId = userId,
+                        option = option,
+                    )
+                    .asSuccess()
+            }
+        }
+    }
+
+    private suspend fun Map<CipherView, Fido2CredentialAutofillView>.toPublicKeyCredentialEntryList(
+        baseIconUrl: String,
+        userId: String,
+        option: BeginGetPublicKeyCredentialOption,
+    ): List<PublicKeyCredentialEntry> = this.map { (cipherView, autofillView) ->
+        val loginIconData = cipherView.login
+            ?.uris
+            .toLoginIconData(
+                // TODO: [PM-20176] Enable web icons in passkey credential entries
+                // Leave web icons disabled until CredentialManager TransactionTooLargeExceptions
+                // are addressed. See https://issuetracker.google.com/issues/355141766 for details.
+                isIconLoadingDisabled = true,
+                baseIconUrl = baseIconUrl,
+                usePasskeyDefaultIcon = true,
+            )
+        val iconCompat = when (loginIconData) {
+            is IconData.Local -> {
+                IconCompat.createWithResource(context, loginIconData.iconRes)
+            }
+
+            is IconData.Network -> {
+                loginIconData.toIconCompat()
+            }
+        }
+
+        val pkEntryBuilder = PublicKeyCredentialEntry
+            .Builder(
+                context = context,
+                username = autofillView.userNameForUi
+                    ?: context.getString(R.string.no_username),
+                pendingIntent = intentManager
+                    .createFido2GetCredentialPendingIntent(
+                        action = GET_PASSKEY_INTENT,
+                        userId = userId,
+                        credentialId = autofillView.credentialId.toString(),
+                        cipherId = autofillView.cipherId,
+                        isUserVerified = isUserVerified,
+                        requestCode = Random.nextInt(),
+                    ),
+                beginGetPublicKeyCredentialOption = option,
+            )
+            .setIcon(iconCompat.toIcon(context))
+
+        if (featureFlagManager.getFeatureFlag(FlagKey.SingleTapPasskeyAuthentication)) {
+            biometricsEncryptionManager
+                .getOrCreateCipher(userId)
+                ?.let { cipher ->
+                    pkEntryBuilder
+                        .setBiometricPromptDataIfSupported(cipher = cipher)
+                }
+        }
+
+        pkEntryBuilder.build()
+    }
+
+    private fun PublicKeyCredentialEntry.Builder.setBiometricPromptDataIfSupported(
+        cipher: Cipher,
+    ): PublicKeyCredentialEntry.Builder =
+        if (isBuildVersionBelow(Build.VERSION_CODES.VANILLA_ICE_CREAM)) {
+            this
+        } else {
+            setBiometricPromptData(
+                biometricPromptData = buildPromptDataWithCipher(cipher),
+            )
+        }
+
+    @RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
+    private fun buildPromptDataWithCipher(
+        cipher: Cipher,
+    ): BiometricPromptData = BiometricPromptData.Builder()
+        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
+        .setCryptoObject(BiometricPrompt.CryptoObject(cipher))
+        .build()
+
+    /**
+     * Converts a network icon to an [IconCompat]. Performs a blocking network request to fetch the
+     * icon, so only call this method from a background thread or coroutine.
+     */
+    @OmitFromCoverage
+    @WorkerThread
+    private suspend fun IconData.Network.toIconCompat(): IconCompat = try {
+        val futureTargetBitmap = Glide
+            .with(context)
+            .asBitmap()
+            .load(this.uri)
+            .placeholder(R.drawable.ic_bw_passkey)
+            .submit()
+
+        IconCompat.createWithBitmap(futureTargetBitmap.get())
+    } catch (_: ExecutionException) {
+        null
+    } catch (_: InterruptedException) {
+        null
+    }
+        ?: IconCompat.createWithResource(
+            context,
+            this.fallbackIconRes,
+        )
+
     private suspend fun registerFido2CredentialForUnprivilegedApp(
         userId: String,
         callingAppInfo: CallingAppInfo,