Add-userid-to-encryption-methods (#278)

This is not the owning entity of the key, but the user that is unlocked
that triggered the request

## 🎟️ Tracking

<!-- Paste the link to the Jira or GitHub issue or otherwise describe /
point to where this change is coming from. -->

## 📔 Objective

<!-- Describe what the purpose of this PR is, for example what bug
you're fixing or new feature you're adding. -->

## ⏰ Reminders before review

- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or
informed the documentation
  team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire!
-->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry
that's not quite a confirmed
  issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or
concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or
indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes

Author: MGibson1

crates/bitwarden-core/src/auth/auth_request.rs

@@ -243,6 +243,7 @@ mod tests {
         new_device
             .crypto()
             .initialize_user_crypto(InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: kdf,
                 email: email.to_owned(),
                 private_key: private_key.to_owned(),

crates/bitwarden-core/src/auth/login/auth_request.rs

@@ -115,6 +115,7 @@ pub(crate) async fn complete_auth_request(
         client
             .crypto()
             .initialize_user_crypto(InitUserCryptoRequest {
+                user_id: None,
                 kdf_params: kdf,
                 email: auth_req.email,
                 private_key: require!(r.private_key),

crates/bitwarden-core/src/client/client.rs

@@ -1,4 +1,4 @@
-use std::sync::{Arc, RwLock};
+use std::sync::{Arc, OnceLock, RwLock};
 
 use bitwarden_crypto::KeyStore;
 use reqwest::header::{self, HeaderValue};
@@ -75,6 +75,7 @@ impl Client {
 
         Self {
             internal: Arc::new(InternalClient {
+                user_id: OnceLock::new(),
                 tokens: RwLock::new(Tokens::default()),
                 login_method: RwLock::new(None),
                 #[cfg(feature = "internal")]

crates/bitwarden-core/src/client/encryption_settings.rs

@@ -6,6 +6,7 @@ use thiserror::Error;
 use uuid::Uuid;
 
 use crate::{
+    error::UserIdAlreadySetError,
     key_management::{AsymmetricKeyId, KeyIds, SymmetricKeyId},
     MissingPrivateKeyError, VaultLockedError,
 };
@@ -27,6 +28,9 @@ pub enum EncryptionSettingsError {
 
     #[error(transparent)]
     MissingPrivateKey(#[from] MissingPrivateKeyError),
+
+    #[error(transparent)]
+    UserIdAlreadySetError(#[from] UserIdAlreadySetError),
 }
 
 pub struct EncryptionSettings {}

crates/bitwarden-core/src/client/internal.rs

@@ -1,4 +1,4 @@
-use std::sync::{Arc, RwLock};
+use std::sync::{Arc, OnceLock, RwLock};
 
 use bitwarden_crypto::KeyStore;
 #[cfg(any(feature = "internal", feature = "secrets"))]
@@ -13,6 +13,7 @@ use super::login_method::ServiceAccountLoginMethod;
 use crate::{
     auth::renew::renew_token,
     client::{encryption_settings::EncryptionSettings, login_method::LoginMethod},
+    error::UserIdAlreadySetError,
     key_management::KeyIds,
     DeviceType,
 };
@@ -44,6 +45,7 @@ pub(crate) struct Tokens {
 
 #[derive(Debug)]
 pub struct InternalClient {
+    pub(crate) user_id: OnceLock<Uuid>,
     pub(crate) tokens: RwLock<Tokens>,
     pub(crate) login_method: RwLock<Option<Arc<LoginMethod>>>,
 
@@ -172,6 +174,14 @@ impl InternalClient {
         &self.key_store
     }
 
+    pub fn init_user_id(&self, user_id: Uuid) -> Result<(), UserIdAlreadySetError> {
+        self.user_id.set(user_id).map_err(|_| UserIdAlreadySetError)
+    }
+
+    pub fn get_user_id(&self) -> Option<Uuid> {
+        self.user_id.get().copied()
+    }
+
     #[cfg(feature = "internal")]
     pub(crate) fn initialize_user_crypto_master_key(
         &self,

crates/bitwarden-core/src/client/test_accounts.rs

@@ -117,6 +117,7 @@ pub struct TestAccount {
 pub fn test_bitwarden_com_account() -> TestAccount {
     TestAccount {
         user: InitUserCryptoRequest {
+            user_id: Some(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8")),
             kdf_params: Kdf::PBKDF2 {
                 iterations: 600_000.try_into().unwrap(),
             },
@@ -174,6 +175,7 @@ pub fn test_bitwarden_com_account() -> TestAccount {
 pub fn test_legacy_user_key_account() -> TestAccount {
     TestAccount {
         user: InitUserCryptoRequest {
+            user_id: Some(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8")),
             kdf_params: Kdf::PBKDF2 {
                 iterations: 600_000.try_into().unwrap(),
             },

crates/bitwarden-core/src/error.rs

@@ -48,6 +48,11 @@ impl_bitwarden_error!(IdentityError, ApiError);
 #[error("The client is not authenticated or the session has expired")]
 pub struct NotAuthenticatedError;
 
+/// Client's user ID is already set.
+#[derive(Debug, Error)]
+#[error("The client user ID is already set")]
+pub struct UserIdAlreadySetError;
+
 /// Missing required field.
 #[derive(Debug, Error)]
 #[error("The response received was missing a required field: {0}")]

crates/bitwarden-core/src/mobile/crypto.rs

@@ -39,6 +39,7 @@ pub enum MobileCryptoError {
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
 #[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
 pub struct InitUserCryptoRequest {
+    pub user_id: Option<uuid::Uuid>,
     /// The user's KDF parameters, as received from the prelogin request
     pub kdf_params: Kdf,
     /// The user's email address
@@ -131,6 +132,10 @@ pub async fn initialize_user_crypto(
 
     let private_key: EncString = req.private_key.parse()?;
 
+    if let Some(user_id) = req.user_id {
+        client.internal.init_user_id(user_id)?;
+    }
+
     match req.method {
         InitUserCryptoMethod::Password { password, user_key } => {
             let user_key: EncString = user_key.parse()?;
@@ -564,6 +569,7 @@ mod tests {
         initialize_user_crypto(
             & client,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: kdf.clone(),
                 email: "[email protected]".into(),
                 private_key: priv_key.to_owned(),
@@ -583,6 +589,7 @@ mod tests {
         initialize_user_crypto(
             &client2,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: kdf.clone(),
                 email: "[email protected]".into(),
                 private_key: priv_key.to_owned(),
@@ -638,6 +645,7 @@ mod tests {
         initialize_user_crypto(
             & client,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },
@@ -659,6 +667,7 @@ mod tests {
         initialize_user_crypto(
             &client2,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },
@@ -701,6 +710,7 @@ mod tests {
         initialize_user_crypto(
             &client3,
             InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },

crates/bitwarden-core/tests/register.rs

@@ -29,6 +29,7 @@ async fn test_register_initialize_crypto() {
     client
         .crypto()
         .initialize_user_crypto(InitUserCryptoRequest {
+            user_id: Some(uuid::Uuid::new_v4()),
             kdf_params: kdf,
             email: email.to_owned(),
             private_key: register_response.keys.private.to_string(),

crates/bitwarden-fido/src/authenticator.rs

@@ -2,7 +2,7 @@ use std::sync::Mutex;
 
 use bitwarden_core::{Client, VaultLockedError};
 use bitwarden_crypto::CryptoError;
-use bitwarden_vault::{CipherError, CipherView};
+use bitwarden_vault::{CipherError, CipherView, EncryptionContext};
 use itertools::Itertools;
 use log::error;
 use passkey::{
@@ -431,6 +431,8 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
     ) -> Result<(), StatusCode> {
         #[derive(Debug, Error)]
         enum InnerError {
+            #[error("Client User Id has not been set")]
+            MissingUserId,
             #[error(transparent)]
             VaultLocked(#[from] VaultLockedError),
             #[error(transparent)]
@@ -454,6 +456,12 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             rp: passkey::types::ctap2::make_credential::PublicKeyCredentialRpEntity,
             options: passkey::types::ctap2::get_assertion::Options,
         ) -> Result<(), InnerError> {
+            let user_id = this
+                .authenticator
+                .client
+                .internal
+                .get_user_id()
+                .ok_or(InnerError::MissingUserId)?;
             let cred = try_from_credential_full(cred, user, rp, options)?;
 
             // Get the previously selected cipher and add the new credential to it
@@ -481,7 +489,10 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
 
             this.authenticator
                 .credential_store
-                .save_credential(encrypted)
+                .save_credential(EncryptionContext {
+                    cipher: encrypted,
+                    encrypted_for: user_id,
+                })
                 .await?;
 
             Ok(())
@@ -498,6 +509,8 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
     async fn update_credential(&mut self, cred: Passkey) -> Result<(), StatusCode> {
         #[derive(Debug, Error)]
         enum InnerError {
+            #[error("Client User Id has not been set")]
+            MissingUserId,
             #[error(transparent)]
             VaultLocked(#[from] VaultLockedError),
             #[error(transparent)]
@@ -521,6 +534,12 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             this: &mut CredentialStoreImpl<'_>,
             cred: Passkey,
         ) -> Result<(), InnerError> {
+            let user_id = this
+                .authenticator
+                .client
+                .internal
+                .get_user_id()
+                .ok_or(InnerError::MissingUserId)?;
             // Get the previously selected cipher and update the credential
             let selected = this.authenticator.get_selected_credential()?;
 
@@ -550,7 +569,10 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
 
             this.authenticator
                 .credential_store
-                .save_credential(encrypted)
+                .save_credential(EncryptionContext {
+                    cipher: encrypted,
+                    encrypted_for: user_id,
+                })
                 .await?;
 
             Ok(())

crates/bitwarden-fido/src/traits.rs

@@ -1,4 +1,4 @@
-use bitwarden_vault::{Cipher, CipherListView, CipherView, Fido2CredentialNewView};
+use bitwarden_vault::{CipherListView, CipherView, EncryptionContext, Fido2CredentialNewView};
 use passkey::authenticator::UIHint;
 use thiserror::Error;
 
@@ -43,7 +43,7 @@ pub trait Fido2CredentialStore: Send + Sync {
 
     async fn all_credentials(&self) -> Result<Vec<CipherListView>, Fido2CallbackError>;
 
-    async fn save_credential(&self, cred: Cipher) -> Result<(), Fido2CallbackError>;
+    async fn save_credential(&self, cred: EncryptionContext) -> Result<(), Fido2CallbackError>;
 }
 
 #[derive(Clone)]

crates/bitwarden-uniffi/kotlin/app/src/main/java/com/bitwarden/myapplication/MainActivity.kt

@@ -250,6 +250,7 @@ class MainActivity : FragmentActivity() {
 
         client.crypto().initializeUserCrypto(
             InitUserCryptoRequest(
+                userId = null,
                 kdfParams = kdf,
                 email = EMAIL,
                 privateKey = loginBody.PrivateKey,
@@ -334,6 +335,7 @@ class MainActivity : FragmentActivity() {
             GlobalScope.launch {
                 client.crypto().initializeUserCrypto(
                     InitUserCryptoRequest(
+                        userId = null,
                         kdfParams = kdf,
                         email = EMAIL,
                         privateKey = privateKey!!,
@@ -371,6 +373,7 @@ class MainActivity : FragmentActivity() {
         GlobalScope.launch {
             client.crypto().initializeUserCrypto(
                 InitUserCryptoRequest(
+                    userId = null,
                     kdfParams = kdf,
                     email = EMAIL,
                     privateKey = privateKey!!,

crates/bitwarden-uniffi/src/platform/fido2.rs

@@ -7,7 +7,7 @@ use bitwarden_fido::{
     PublicKeyCredentialAuthenticatorAttestationResponse, PublicKeyCredentialRpEntity,
     PublicKeyCredentialUserEntity,
 };
-use bitwarden_vault::{Cipher, CipherListView, CipherView, Fido2CredentialNewView};
+use bitwarden_vault::{CipherListView, CipherView, EncryptionContext, Fido2CredentialNewView};
 
 use crate::error::{Error, Result};
 
@@ -245,7 +245,7 @@ pub trait Fido2CredentialStore: Send + Sync {
 
     async fn all_credentials(&self) -> Result<Vec<CipherListView>, Fido2CallbackError>;
 
-    async fn save_credential(&self, cred: Cipher) -> Result<(), Fido2CallbackError>;
+    async fn save_credential(&self, cred: EncryptionContext) -> Result<(), Fido2CallbackError>;
 }
 
 // Because uniffi doesn't support external traits, we have to make a copy of the trait here.
@@ -271,7 +271,7 @@ impl bitwarden_fido::Fido2CredentialStore for UniffiTraitBridge<&dyn Fido2Creden
         self.0.all_credentials().await.map_err(Into::into)
     }
 
-    async fn save_credential(&self, cred: Cipher) -> Result<(), BitFido2CallbackError> {
+    async fn save_credential(&self, cred: EncryptionContext) -> Result<(), BitFido2CallbackError> {
         self.0.save_credential(cred).await.map_err(Into::into)
     }
 }

crates/bitwarden-uniffi/src/vault/ciphers.rs

@@ -1,4 +1,4 @@
-use bitwarden_vault::{Cipher, CipherListView, CipherView, Fido2CredentialView};
+use bitwarden_vault::{Cipher, CipherListView, CipherView, EncryptionContext, Fido2CredentialView};
 use uuid::Uuid;
 
 use crate::{error::Error, Result};
@@ -9,7 +9,7 @@ pub struct CiphersClient(pub(crate) bitwarden_vault::CiphersClient);
 #[uniffi::export]
 impl CiphersClient {
     /// Encrypt cipher
-    pub fn encrypt(&self, cipher_view: CipherView) -> Result<Cipher> {
+    pub fn encrypt(&self, cipher_view: CipherView) -> Result<EncryptionContext> {
         Ok(self.0.encrypt(cipher_view).map_err(Error::Encrypt)?)
     }
 

crates/bitwarden-uniffi/swift/iOS/App/ContentView.swift

@@ -189,6 +189,7 @@ struct ContentView: View {
 
         try await clientCrypto.initializeUserCrypto(
             req: InitUserCryptoRequest(
+                userId: nil,
                 kdfParams: kdf,
                 email: EMAIL,
                 privateKey: loginData.PrivateKey,
@@ -246,6 +247,7 @@ struct ContentView: View {
         let key = biometricRetrieveValue()!
 
         try await clientCrypto.initializeUserCrypto(req: InitUserCryptoRequest(
+            userId: nil,
             kdfParams: kdf,
             email: EMAIL,
             privateKey: privateKey,
@@ -272,6 +274,7 @@ struct ContentView: View {
         let pinProtectedUserKey = defaults.string(forKey: "pinProtectedUserKey")!
 
         try await clientCrypto.initializeUserCrypto(req: InitUserCryptoRequest(
+            userId: nil,
             kdfParams: kdf,
             email: EMAIL,
             privateKey: privateKey,
@@ -417,7 +420,7 @@ class Fido2CredentialStoreImpl: Fido2CredentialStore {
         abort()
     }
 
-    func saveCredential(cred: BitwardenSdk.Cipher) async throws {
+    func saveCredential(cred: BitwardenSdk.EncryptionContext) async throws {
         print("SAVED CREDENTIAL")
     }
 }

crates/bitwarden-vault/src/cipher/cipher.rs

@@ -64,6 +64,17 @@ pub enum CipherRepromptType {
     Password = 1,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone)]
+#[serde(rename_all = "camelCase", deny_unknown_fields)]
+#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
+#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
+pub struct EncryptionContext {
+    /// The Id of the user that encrypted the cipher. It should always represent a UserId, even for
+    /// Organization-owned ciphers
+    pub encrypted_for: Uuid,
+    pub cipher: Cipher,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]