Merge branch 'main' of github.com:bitwarden/sdk-internal into arch/bw-uuid

# Conflicts:
#	crates/bitwarden-uniffi/src/vault/ciphers.rs
#	crates/bitwarden-wasm-internal/src/vault/ciphers.rs

Author: Hinton

.cargo/config.toml

@@ -6,6 +6,7 @@ rustflags = ["--cfg", "aes_armv8"]
 
 [target.wasm32-unknown-unknown]
 rustflags = ['--cfg', 'getrandom_backend="wasm_js"']
+runner = 'wasm-bindgen-test-runner'
 
 # Enable support for 16k pages on Android, JNA is using these same flags
 # https://android-developers.googleblog.com/2024/08/adding-16-kb-page-size-to-android.html

.github/workflows/build-wasm-internal.yml

@@ -60,6 +60,9 @@ jobs:
           RUST_TOOLCHAIN="$(grep -oP '^channel.*"(\K.*?)(?=")' ../../rust-toolchain.toml)"
           echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}"
 
+      - name: NPM setup
+        run: npm ci
+
       - name: Install rust
         uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # stable
         with:

.github/workflows/rust-test.yml

@@ -45,6 +45,37 @@ jobs:
       - name: Test
         run: cargo test --workspace --all-features
 
+  test-wasm:
+    name: WASM
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set Rust Toolchain
+        id: toolchain
+        shell: bash
+        run: |
+          RUST_TOOLCHAIN="$(grep -oP '^channel.*"(\K.*?)(?=")' rust-toolchain.toml)"
+          echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}"
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # stable
+        with:
+          toolchain: "${{ steps.toolchain.outputs.RUST_TOOLCHAIN }}"
+          targets: wasm32-unknown-unknown
+          components: rust-src
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+
+      - name: Install wasm-bindgen-cli
+        run: cargo install wasm-bindgen-cli --version 0.2.100
+
+      - name: Test WASM
+        run: cargo test --target wasm32-unknown-unknown -p bitwarden-wasm-internal -p bitwarden-threading -p bitwarden-error --all-features
+
   coverage:
     name: Coverage
     runs-on: ubuntu-24.04

Cargo.lock

@@ -31,6 +31,7 @@ bitwarden-fido = { path = "crates/bitwarden-fido", version = "=1.0.0" }
 bitwarden-generators = { path = "crates/bitwarden-generators", version = "=1.0.0" }
 bitwarden-ipc = { path = "crates/bitwarden-ipc", version = "=1.0.0" }
 bitwarden-send = { path = "crates/bitwarden-send", version = "=1.0.0" }
+bitwarden-threading = { path = "crates/bitwarden-threading", version = "=1.0.0" }
 bitwarden-sm = { path = "bitwarden_license/bitwarden-sm", version = "=1.0.0" }
 bitwarden-ssh = { path = "crates/bitwarden-ssh", version = "=1.0.0" }
 bitwarden-uuid = { path = "crates/bitwarden-uuid", version = "=1.0.0" }
@@ -68,6 +69,7 @@ uuid = { version = ">=1.3.3, <2.0", features = ["serde", "v4", "js"] }
 validator = { version = ">=0.18.1, <0.20", features = ["derive"] }
 wasm-bindgen = { version = ">=0.2.91, <0.3", features = ["serde-serialize"] }
 wasm-bindgen-futures = "0.4.41"
+wasm-bindgen-test = "0.3.45"
 
 # There is an incompatibility when using pkcs5 and chacha20 on wasm builds. This can be removed once a new
 # rustcrypto-formats crate version is released since the fix has been upstreamed.

Cargo.toml

@@ -243,6 +243,7 @@ mod tests {
         new_device
             .crypto()
             .initialize_user_crypto(InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: kdf,
                 email: email.to_owned(),
                 private_key: private_key.to_owned(),

crates/bitwarden-core/src/auth/auth_request.rs

@@ -115,6 +115,7 @@ pub(crate) async fn complete_auth_request(
         client
             .crypto()
             .initialize_user_crypto(InitUserCryptoRequest {
+                user_id: None,
                 kdf_params: kdf,
                 email: auth_req.email,
                 private_key: require!(r.private_key),

crates/bitwarden-core/src/auth/login/auth_request.rs

@@ -1,4 +1,4 @@
-use std::sync::{Arc, RwLock};
+use std::sync::{Arc, OnceLock, RwLock};
 
 use bitwarden_crypto::KeyStore;
 use reqwest::header::{self, HeaderValue};
@@ -75,6 +75,7 @@ impl Client {
 
         Self {
             internal: Arc::new(InternalClient {
+                user_id: OnceLock::new(),
                 tokens: RwLock::new(Tokens::default()),
                 login_method: RwLock::new(None),
                 #[cfg(feature = "internal")]

crates/bitwarden-core/src/client/client.rs

@@ -6,6 +6,7 @@ use thiserror::Error;
 use uuid::Uuid;
 
 use crate::{
+    error::UserIdAlreadySetError,
     key_management::{AsymmetricKeyId, KeyIds, SymmetricKeyId},
     MissingPrivateKeyError, VaultLockedError,
 };
@@ -27,6 +28,9 @@ pub enum EncryptionSettingsError {
 
     #[error(transparent)]
     MissingPrivateKey(#[from] MissingPrivateKeyError),
+
+    #[error(transparent)]
+    UserIdAlreadySetError(#[from] UserIdAlreadySetError),
 }
 
 pub struct EncryptionSettings {}

crates/bitwarden-core/src/client/encryption_settings.rs

@@ -1,4 +1,4 @@
-use std::sync::{Arc, RwLock};
+use std::sync::{Arc, OnceLock, RwLock};
 
 use bitwarden_crypto::KeyStore;
 #[cfg(any(feature = "internal", feature = "secrets"))]
@@ -13,6 +13,7 @@ use super::login_method::ServiceAccountLoginMethod;
 use crate::{
     auth::renew::renew_token,
     client::{encryption_settings::EncryptionSettings, login_method::LoginMethod},
+    error::UserIdAlreadySetError,
     key_management::KeyIds,
     DeviceType,
 };
@@ -44,6 +45,7 @@ pub(crate) struct Tokens {
 
 #[derive(Debug)]
 pub struct InternalClient {
+    pub(crate) user_id: OnceLock<Uuid>,
     pub(crate) tokens: RwLock<Tokens>,
     pub(crate) login_method: RwLock<Option<Arc<LoginMethod>>>,
 
@@ -172,6 +174,14 @@ impl InternalClient {
         &self.key_store
     }
 
+    pub fn init_user_id(&self, user_id: Uuid) -> Result<(), UserIdAlreadySetError> {
+        self.user_id.set(user_id).map_err(|_| UserIdAlreadySetError)
+    }
+
+    pub fn get_user_id(&self) -> Option<Uuid> {
+        self.user_id.get().copied()
+    }
+
     #[cfg(feature = "internal")]
     pub(crate) fn initialize_user_crypto_master_key(
         &self,

crates/bitwarden-core/src/client/internal.rs

@@ -117,6 +117,7 @@ pub struct TestAccount {
 pub fn test_bitwarden_com_account() -> TestAccount {
     TestAccount {
         user: InitUserCryptoRequest {
+            user_id: Some(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8")),
             kdf_params: Kdf::PBKDF2 {
                 iterations: 600_000.try_into().unwrap(),
             },
@@ -174,6 +175,7 @@ pub fn test_bitwarden_com_account() -> TestAccount {
 pub fn test_legacy_user_key_account() -> TestAccount {
     TestAccount {
         user: InitUserCryptoRequest {
+            user_id: Some(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8")),
             kdf_params: Kdf::PBKDF2 {
                 iterations: 600_000.try_into().unwrap(),
             },

crates/bitwarden-core/src/client/test_accounts.rs

@@ -48,6 +48,11 @@ impl_bitwarden_error!(IdentityError, ApiError);
 #[error("The client is not authenticated or the session has expired")]
 pub struct NotAuthenticatedError;
 
+/// Client's user ID is already set.
+#[derive(Debug, Error)]
+#[error("The client user ID is already set")]
+pub struct UserIdAlreadySetError;
+
 /// Missing required field.
 #[derive(Debug, Error)]
 #[error("The response received was missing a required field: {0}")]

crates/bitwarden-core/src/error.rs

@@ -39,6 +39,7 @@ pub enum MobileCryptoError {
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
 #[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
 pub struct InitUserCryptoRequest {
+    pub user_id: Option<uuid::Uuid>,
     /// The user's KDF parameters, as received from the prelogin request
     pub kdf_params: Kdf,
     /// The user's email address
@@ -131,6 +132,10 @@ pub async fn initialize_user_crypto(
 
     let private_key: EncString = req.private_key.parse()?;
 
+    if let Some(user_id) = req.user_id {
+        client.internal.init_user_id(user_id)?;
+    }
+
     match req.method {
         InitUserCryptoMethod::Password { password, user_key } => {
             let user_key: EncString = user_key.parse()?;
@@ -564,6 +569,7 @@ mod tests {
         initialize_user_crypto(
             & client,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: kdf.clone(),
                 email: "[email protected]".into(),
                 private_key: priv_key.to_owned(),
@@ -583,6 +589,7 @@ mod tests {
         initialize_user_crypto(
             &client2,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: kdf.clone(),
                 email: "[email protected]".into(),
                 private_key: priv_key.to_owned(),
@@ -638,6 +645,7 @@ mod tests {
         initialize_user_crypto(
             & client,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },
@@ -659,6 +667,7 @@ mod tests {
         initialize_user_crypto(
             &client2,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },
@@ -701,6 +710,7 @@ mod tests {
         initialize_user_crypto(
             &client3,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },

crates/bitwarden-core/src/mobile/crypto.rs

@@ -29,6 +29,7 @@ async fn test_register_initialize_crypto() {
     client
         .crypto()
         .initialize_user_crypto(InitUserCryptoRequest {
+            user_id: Some(uuid::Uuid::new_v4()),
             kdf_params: kdf,
             email: email.to_owned(),
             private_key: register_response.keys.private.to_string(),

crates/bitwarden-core/tests/register.rs

@@ -34,4 +34,4 @@ workspace = true
 [dev-dependencies]
 serde.workspace = true
 trybuild = "1.0.101"
-wasm-bindgen-test = "0.3.45"
+wasm-bindgen-test = { workspace = true }

crates/bitwarden-error/Cargo.toml

@@ -2,7 +2,7 @@ use std::sync::Mutex;
 
 use bitwarden_core::{Client, VaultLockedError};
 use bitwarden_crypto::CryptoError;
-use bitwarden_vault::{CipherError, CipherView};
+use bitwarden_vault::{CipherError, CipherView, EncryptionContext};
 use itertools::Itertools;
 use log::error;
 use passkey::{
@@ -431,6 +431,8 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
     ) -> Result<(), StatusCode> {
         #[derive(Debug, Error)]
         enum InnerError {
+            #[error("Client User Id has not been set")]
+            MissingUserId,
             #[error(transparent)]
             VaultLocked(#[from] VaultLockedError),
             #[error(transparent)]
@@ -454,6 +456,12 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             rp: passkey::types::ctap2::make_credential::PublicKeyCredentialRpEntity,
             options: passkey::types::ctap2::get_assertion::Options,
         ) -> Result<(), InnerError> {
+            let user_id = this
+                .authenticator
+                .client
+                .internal
+                .get_user_id()
+                .ok_or(InnerError::MissingUserId)?;
             let cred = try_from_credential_full(cred, user, rp, options)?;
 
             // Get the previously selected cipher and add the new credential to it
@@ -481,7 +489,10 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
 
             this.authenticator
                 .credential_store
-                .save_credential(encrypted)
+                .save_credential(EncryptionContext {
+                    cipher: encrypted,
+                    encrypted_for: user_id,
+                })
                 .await?;
 
             Ok(())
@@ -498,6 +509,8 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
     async fn update_credential(&mut self, cred: Passkey) -> Result<(), StatusCode> {
         #[derive(Debug, Error)]
         enum InnerError {
+            #[error("Client User Id has not been set")]
+            MissingUserId,
             #[error(transparent)]
             VaultLocked(#[from] VaultLockedError),
             #[error(transparent)]
@@ -521,6 +534,12 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             this: &mut CredentialStoreImpl<'_>,
             cred: Passkey,
         ) -> Result<(), InnerError> {
+            let user_id = this
+                .authenticator
+                .client
+                .internal
+                .get_user_id()
+                .ok_or(InnerError::MissingUserId)?;
             // Get the previously selected cipher and update the credential
             let selected = this.authenticator.get_selected_credential()?;
 
@@ -550,7 +569,10 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
 
             this.authenticator
                 .credential_store
-                .save_credential(encrypted)
+                .save_credential(EncryptionContext {
+                    cipher: encrypted,
+                    encrypted_for: user_id,
+                })
                 .await?;
 
             Ok(())

crates/bitwarden-fido/src/authenticator.rs

@@ -1,4 +1,4 @@
-use bitwarden_vault::{Cipher, CipherListView, CipherView, Fido2CredentialNewView};
+use bitwarden_vault::{CipherListView, CipherView, EncryptionContext, Fido2CredentialNewView};
 use passkey::authenticator::UIHint;
 use thiserror::Error;
 
@@ -43,7 +43,7 @@ pub trait Fido2CredentialStore: Send + Sync {
 
     async fn all_credentials(&self) -> Result<Vec<CipherListView>, Fido2CallbackError>;
 
-    async fn save_credential(&self, cred: Cipher) -> Result<(), Fido2CallbackError>;
+    async fn save_credential(&self, cred: EncryptionContext) -> Result<(), Fido2CallbackError>;
 }
 
 #[derive(Clone)]

crates/bitwarden-fido/src/traits.rs

@@ -0,0 +1,2 @@
+[target.wasm32-unknown-unknown]
+runner = 'wasm-bindgen-test-runner'