[PM-5693] Migrate SDK to KeyStore (#8)

## 🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-5693

## 📔 Objective

Migrated from bitwarden/sdk-sm#1117

Migrate the codebase to the new KeyStore introduced in
#7.

EncryptionSettings was removed from Client, though it is still used to
initialize the KeyStore. Ideally we'd move that initialization code over
directly into the crypto crate but this PR is big enough as it is.

There are still some things using keys directly and
KeyEncryptable/KeyDecryptable, like MasterKey, PinKey, DeviceKey,
private key fingerprint. Those would need to be migrated over on a
separate PR.

We need to remove the rest of the uses of SymmetricCryptoKey from the
client crates, then we can remove the internal boxing they are doing, as
the keys would be protected by the KeyStore instead.


Secrets Manager code should be moved to using the
Encryptable/Decryptable interface, as it's encrypting fields one by one,
I'll look into doing that on a separate PR.

## ⏰ Reminders before review

- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or
informed the documentation
  team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire!
-->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry
that's not quite a confirmed
  issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or
concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or
indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes

Author: dani-garcia

bitwarden_license/bitwarden-sm/src/projects/create.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::ProjectCreateRequestModel;
-use bitwarden_core::Client;
-use bitwarden_crypto::KeyEncryptable;
+use bitwarden_core::{key_management::SymmetricKeyId, Client};
+use bitwarden_crypto::Encryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
@@ -26,11 +26,16 @@ pub(crate) async fn create_project(
 ) -> Result<ProjectResponse, SecretsManagerError> {
     input.validate()?;
 
-    let enc = client.internal.get_encryption_settings()?;
-    let key = enc.get_key(&Some(input.organization_id))?;
+    let key_store = client.internal.get_key_store();
+    let key = SymmetricKeyId::Organization(input.organization_id);
 
     let project = Some(ProjectCreateRequestModel {
-        name: input.name.clone().trim().encrypt_with_key(key)?.to_string(),
+        name: input
+            .name
+            .clone()
+            .trim()
+            .encrypt(&mut key_store.context(), key)?
+            .to_string(),
     });
 
     let config = client.internal.get_api_configurations().await;
@@ -41,7 +46,7 @@ pub(crate) async fn create_project(
     )
     .await?;
 
-    ProjectResponse::process_response(res, &enc)
+    ProjectResponse::process_response(res, &mut key_store.context())
 }
 
 #[cfg(test)]

bitwarden_license/bitwarden-sm/src/projects/get.rs

@@ -20,7 +20,7 @@ pub(crate) async fn get_project(
 
     let res = bitwarden_api_api::apis::projects_api::projects_id_get(&config.api, input.id).await?;
 
-    let enc = client.internal.get_encryption_settings()?;
+    let key_store = client.internal.get_key_store();
 
-    ProjectResponse::process_response(res, &enc)
+    ProjectResponse::process_response(res, &mut key_store.context())
 }

bitwarden_license/bitwarden-sm/src/projects/list.rs

@@ -1,5 +1,6 @@
 use bitwarden_api_api::models::ProjectResponseModelListResponseModel;
-use bitwarden_core::client::{encryption_settings::EncryptionSettings, Client};
+use bitwarden_core::{client::Client, key_management::KeyIds};
+use bitwarden_crypto::KeyStoreContext;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
@@ -24,9 +25,9 @@ pub(crate) async fn list_projects(
     )
     .await?;
 
-    let enc = client.internal.get_encryption_settings()?;
+    let key_store = client.internal.get_key_store();
 
-    ProjectsResponse::process_response(res, &enc)
+    ProjectsResponse::process_response(res, &mut key_store.context())
 }
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
@@ -38,14 +39,14 @@ pub struct ProjectsResponse {
 impl ProjectsResponse {
     pub(crate) fn process_response(
         response: ProjectResponseModelListResponseModel,
-        enc: &EncryptionSettings,
+        ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<Self, SecretsManagerError> {
         let data = response.data.unwrap_or_default();
 
         Ok(ProjectsResponse {
             data: data
                 .into_iter()
-                .map(|r| ProjectResponse::process_response(r, enc))
+                .map(|r| ProjectResponse::process_response(r, ctx))
                 .collect::<Result<_, _>>()?,
         })
     }

bitwarden_license/bitwarden-sm/src/projects/project_response.rs

@@ -1,6 +1,9 @@
 use bitwarden_api_api::models::ProjectResponseModel;
-use bitwarden_core::{client::encryption_settings::EncryptionSettings, require};
-use bitwarden_crypto::{EncString, KeyDecryptable};
+use bitwarden_core::{
+    key_management::{KeyIds, SymmetricKeyId},
+    require,
+};
+use bitwarden_crypto::{Decryptable, EncString, KeyStoreContext};
 use chrono::{DateTime, Utc};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -21,14 +24,14 @@ pub struct ProjectResponse {
 impl ProjectResponse {
     pub(crate) fn process_response(
         response: ProjectResponseModel,
-        enc: &EncryptionSettings,
+        ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<Self, SecretsManagerError> {
         let organization_id = require!(response.organization_id);
-        let enc_key = enc.get_key(&Some(organization_id))?;
+        let key = SymmetricKeyId::Organization(organization_id);
 
         let name = require!(response.name)
             .parse::<EncString>()?
-            .decrypt_with_key(enc_key)?;
+            .decrypt(ctx, key)?;
 
         Ok(ProjectResponse {
             id: require!(response.id),

bitwarden_license/bitwarden-sm/src/projects/update.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::ProjectUpdateRequestModel;
-use bitwarden_core::Client;
-use bitwarden_crypto::KeyEncryptable;
+use bitwarden_core::{key_management::SymmetricKeyId, Client};
+use bitwarden_crypto::Encryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
@@ -28,19 +28,24 @@ pub(crate) async fn update_project(
 ) -> Result<ProjectResponse, SecretsManagerError> {
     input.validate()?;
 
-    let enc = client.internal.get_encryption_settings()?;
-    let key = enc.get_key(&Some(input.organization_id))?;
+    let key_store = client.internal.get_key_store();
+    let key = SymmetricKeyId::Organization(input.organization_id);
 
     let project = Some(ProjectUpdateRequestModel {
-        name: input.name.clone().trim().encrypt_with_key(key)?.to_string(),
+        name: input
+            .name
+            .clone()
+            .trim()
+            .encrypt(&mut key_store.context(), key)?
+            .to_string(),
     });
 
     let config = client.internal.get_api_configurations().await;
     let res =
         bitwarden_api_api::apis::projects_api::projects_id_put(&config.api, input.id, project)
             .await?;
 
-    ProjectResponse::process_response(res, &enc)
+    ProjectResponse::process_response(res, &mut key_store.context())
 }
 
 #[cfg(test)]

bitwarden_license/bitwarden-sm/src/secrets/create.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::SecretCreateRequestModel;
-use bitwarden_core::Client;
-use bitwarden_crypto::KeyEncryptable;
+use bitwarden_core::{key_management::SymmetricKeyId, Client};
+use bitwarden_crypto::Encryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
@@ -34,16 +34,24 @@ pub(crate) async fn create_secret(
 ) -> Result<SecretResponse, SecretsManagerError> {
     input.validate()?;
 
-    let enc = client.internal.get_encryption_settings()?;
-    let key = enc.get_key(&Some(input.organization_id))?;
-
-    let secret = Some(SecretCreateRequestModel {
-        key: input.key.clone().trim().encrypt_with_key(key)?.to_string(),
-        value: input.value.clone().encrypt_with_key(key)?.to_string(),
-        note: input.note.clone().trim().encrypt_with_key(key)?.to_string(),
-        project_ids: input.project_ids.clone(),
-        access_policies_requests: None,
-    });
+    let key_store = client.internal.get_key_store();
+    let key = SymmetricKeyId::Organization(input.organization_id);
+
+    let secret = {
+        let mut ctx = key_store.context();
+        Some(SecretCreateRequestModel {
+            key: input.key.clone().trim().encrypt(&mut ctx, key)?.to_string(),
+            value: input.value.clone().encrypt(&mut ctx, key)?.to_string(),
+            note: input
+                .note
+                .clone()
+                .trim()
+                .encrypt(&mut ctx, key)?
+                .to_string(),
+            project_ids: input.project_ids.clone(),
+            access_policies_requests: None,
+        })
+    };
 
     let config = client.internal.get_api_configurations().await;
     let res = bitwarden_api_api::apis::secrets_api::organizations_organization_id_secrets_post(
@@ -53,7 +61,7 @@ pub(crate) async fn create_secret(
     )
     .await?;
 
-    SecretResponse::process_response(res, &enc)
+    SecretResponse::process_response(res, &mut key_store.context())
 }
 
 #[cfg(test)]

bitwarden_license/bitwarden-sm/src/secrets/get.rs

@@ -19,7 +19,7 @@ pub(crate) async fn get_secret(
     let config = client.internal.get_api_configurations().await;
     let res = bitwarden_api_api::apis::secrets_api::secrets_id_get(&config.api, input.id).await?;
 
-    let enc = client.internal.get_encryption_settings()?;
+    let key_store = client.internal.get_key_store();
 
-    SecretResponse::process_response(res, &enc)
+    SecretResponse::process_response(res, &mut key_store.context())
 }

bitwarden_license/bitwarden-sm/src/secrets/get_by_ids.rs

@@ -24,7 +24,7 @@ pub(crate) async fn get_secrets_by_ids(
     let res =
         bitwarden_api_api::apis::secrets_api::secrets_get_by_ids_post(&config.api, request).await?;
 
-    let enc = client.internal.get_encryption_settings()?;
+    let key_store = client.internal.get_key_store();
 
-    SecretsResponse::process_response(res, &enc)
+    SecretsResponse::process_response(res, &mut key_store.context())
 }

bitwarden_license/bitwarden-sm/src/secrets/list.rs

@@ -2,10 +2,11 @@ use bitwarden_api_api::models::{
     SecretWithProjectsListResponseModel, SecretsWithProjectsInnerSecret,
 };
 use bitwarden_core::{
-    client::{encryption_settings::EncryptionSettings, Client},
+    client::Client,
+    key_management::{KeyIds, SymmetricKeyId},
     require,
 };
-use bitwarden_crypto::{EncString, KeyDecryptable};
+use bitwarden_crypto::{Decryptable, EncString, KeyStoreContext};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
@@ -30,9 +31,9 @@ pub(crate) async fn list_secrets(
     )
     .await?;
 
-    let enc = client.internal.get_encryption_settings()?;
+    let key_store = client.internal.get_key_store();
 
-    SecretIdentifiersResponse::process_response(res, &enc)
+    SecretIdentifiersResponse::process_response(res, &mut key_store.context())
 }
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
@@ -53,9 +54,9 @@ pub(crate) async fn list_secrets_by_project(
     )
     .await?;
 
-    let enc = client.internal.get_encryption_settings()?;
+    let key_store = client.internal.get_key_store();
 
-    SecretIdentifiersResponse::process_response(res, &enc)
+    SecretIdentifiersResponse::process_response(res, &mut key_store.context())
 }
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
@@ -67,14 +68,14 @@ pub struct SecretIdentifiersResponse {
 impl SecretIdentifiersResponse {
     pub(crate) fn process_response(
         response: SecretWithProjectsListResponseModel,
-        enc: &EncryptionSettings,
+        ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<SecretIdentifiersResponse, SecretsManagerError> {
         Ok(SecretIdentifiersResponse {
             data: response
                 .secrets
                 .unwrap_or_default()
                 .into_iter()
-                .map(|r| SecretIdentifierResponse::process_response(r, enc))
+                .map(|r| SecretIdentifierResponse::process_response(r, ctx))
                 .collect::<Result<_, _>>()?,
         })
     }
@@ -92,14 +93,14 @@ pub struct SecretIdentifierResponse {
 impl SecretIdentifierResponse {
     pub(crate) fn process_response(
         response: SecretsWithProjectsInnerSecret,
-        enc: &EncryptionSettings,
+        ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<SecretIdentifierResponse, SecretsManagerError> {
         let organization_id = require!(response.organization_id);
-        let enc_key = enc.get_key(&Some(organization_id))?;
+        let enc_key = SymmetricKeyId::Organization(organization_id);
 
         let key = require!(response.key)
             .parse::<EncString>()?
-            .decrypt_with_key(enc_key)?;
+            .decrypt(ctx, enc_key)?;
 
         Ok(SecretIdentifierResponse {
             id: require!(response.id),

bitwarden_license/bitwarden-sm/src/secrets/secret_response.rs

@@ -1,8 +1,11 @@
 use bitwarden_api_api::models::{
     BaseSecretResponseModel, BaseSecretResponseModelListResponseModel, SecretResponseModel,
 };
-use bitwarden_core::{client::encryption_settings::EncryptionSettings, require};
-use bitwarden_crypto::{EncString, KeyDecryptable};
+use bitwarden_core::{
+    key_management::{KeyIds, SymmetricKeyId},
+    require,
+};
+use bitwarden_crypto::{Decryptable, EncString, KeyStoreContext};
 use chrono::{DateTime, Utc};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -28,7 +31,7 @@ pub struct SecretResponse {
 impl SecretResponse {
     pub(crate) fn process_response(
         response: SecretResponseModel,
-        enc: &EncryptionSettings,
+        ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<SecretResponse, SecretsManagerError> {
         let base = BaseSecretResponseModel {
             object: response.object,
@@ -41,24 +44,26 @@ impl SecretResponse {
             revision_date: response.revision_date,
             projects: response.projects,
         };
-        Self::process_base_response(base, enc)
+        Self::process_base_response(base, ctx)
     }
     pub(crate) fn process_base_response(
         response: BaseSecretResponseModel,
-        enc: &EncryptionSettings,
+        ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<SecretResponse, SecretsManagerError> {
-        let org_id = response.organization_id;
-        let enc_key = enc.get_key(&org_id)?;
+        let organization_id = require!(response.organization_id);
+        let enc_key = SymmetricKeyId::Organization(organization_id);
 
         let key = require!(response.key)
             .parse::<EncString>()?
-            .decrypt_with_key(enc_key)?;
+            .decrypt(ctx, enc_key)?;
+
         let value = require!(response.value)
             .parse::<EncString>()?
-            .decrypt_with_key(enc_key)?;
+            .decrypt(ctx, enc_key)?;
+
         let note = require!(response.note)
             .parse::<EncString>()?
-            .decrypt_with_key(enc_key)?;
+            .decrypt(ctx, enc_key)?;
 
         let project = response
             .projects
@@ -67,7 +72,7 @@ impl SecretResponse {
 
         Ok(SecretResponse {
             id: require!(response.id),
-            organization_id: require!(org_id),
+            organization_id,
             project_id: project,
             key,
             value,
@@ -88,14 +93,14 @@ pub struct SecretsResponse {
 impl SecretsResponse {
     pub(crate) fn process_response(
         response: BaseSecretResponseModelListResponseModel,
-        enc: &EncryptionSettings,
+        ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<SecretsResponse, SecretsManagerError> {
         Ok(SecretsResponse {
             data: response
                 .data
                 .unwrap_or_default()
                 .into_iter()
-                .map(|r| SecretResponse::process_base_response(r, enc))
+                .map(|r| SecretResponse::process_base_response(r, ctx))
                 .collect::<Result<_, _>>()?,
         })
     }