Remove encrypt from EncryptionSettings (#314)

## Type of change ``` - [ ] Bug fix - [ ] New feature development - [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective After #297, there were some places in the secrets manager parts of the code that used EncryptionSettings to encrypt directly, instead of dealing with the Encryptable/KeyEncryptable trait. This PR removes those uses so that all encryption opearations have to go through Encryptable/KeyEncryptable.
bitwarden · Nov 3, 2023 · 13a195c · 13a195c
1 parent 0dd1d95
commit 13a195c
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 36 deletions.
diff --git a/crates/bitwarden/src/client/encryption_settings.rs b/crates/bitwarden/src/client/encryption_settings.rs
@@ -4,14 +4,15 @@ use rsa::RsaPrivateKey;
 use uuid::Uuid;
 #[cfg(feature = "internal")]
 use {
-    crate::{client::UserLoginMethod, crypto::KeyDecryptable},
+    crate::{
+        client::UserLoginMethod,
+        crypto::{EncString, KeyDecryptable},
+        error::{CryptoError, Result},
+    },
     rsa::{pkcs8::DecodePrivateKey, Oaep},
 };
 
-use crate::{
-    crypto::{encrypt_aes256_hmac, EncString, SymmetricCryptoKey},
-    error::{CryptoError, Result},
-};
+use crate::crypto::SymmetricCryptoKey;
 
 pub struct EncryptionSettings {
     user_key: SymmetricCryptoKey,
@@ -109,11 +110,4 @@ impl EncryptionSettings {
             None => Some(&self.user_key),
         }
     }
-
-    pub(crate) fn encrypt(&self, data: &[u8], org_id: &Option<Uuid>) -> Result<EncString> {
-        let key = self.get_key(org_id).ok_or(CryptoError::NoKeyForOrg)?;
-
-        let dec = encrypt_aes256_hmac(data, key.mac_key.ok_or(CryptoError::InvalidMac)?, key.key)?;
-        Ok(dec)
-    }
 }
diff --git a/crates/bitwarden/src/secrets_manager/projects/create.rs b/crates/bitwarden/src/secrets_manager/projects/create.rs
@@ -4,7 +4,11 @@ use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 use super::ProjectResponse;
-use crate::{client::Client, error::Result};
+use crate::{
+    client::Client,
+    crypto::KeyEncryptable,
+    error::{Error, Result},
+};
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
@@ -19,12 +23,13 @@ pub(crate) async fn create_project(
     client: &mut Client,
     input: &ProjectCreateRequest,
 ) -> Result<ProjectResponse> {
-    let enc = client.get_encryption_settings()?;
-
-    let org_id = Some(input.organization_id);
+    let key = client
+        .get_encryption_settings()?
+        .get_key(&Some(input.organization_id))
+        .ok_or(Error::VaultLocked)?;
 
     let project = Some(ProjectCreateRequestModel {
-        name: enc.encrypt(input.name.as_bytes(), &org_id)?.to_string(),
+        name: input.name.clone().encrypt_with_key(key)?.to_string(),
     });
 
     let config = client.get_api_configurations().await;

diff --git a/crates/bitwarden/src/secrets_manager/projects/update.rs b/crates/bitwarden/src/secrets_manager/projects/update.rs
@@ -4,7 +4,11 @@ use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 use super::ProjectResponse;
-use crate::{client::Client, error::Result};
+use crate::{
+    client::Client,
+    crypto::KeyEncryptable,
+    error::{Error, Result},
+};
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
@@ -21,12 +25,13 @@ pub(crate) async fn update_project(
     client: &mut Client,
     input: &ProjectPutRequest,
 ) -> Result<ProjectResponse> {
-    let enc = client.get_encryption_settings()?;
-
-    let org_id = Some(input.organization_id);
+    let key = client
+        .get_encryption_settings()?
+        .get_key(&Some(input.organization_id))
+        .ok_or(Error::VaultLocked)?;
 
     let project = Some(ProjectUpdateRequestModel {
-        name: enc.encrypt(input.name.as_bytes(), &org_id)?.to_string(),
+        name: input.name.clone().encrypt_with_key(key)?.to_string(),
     });
 
     let config = client.get_api_configurations().await;

diff --git a/crates/bitwarden/src/secrets_manager/secrets/create.rs b/crates/bitwarden/src/secrets_manager/secrets/create.rs
@@ -4,7 +4,11 @@ use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 use super::SecretResponse;
-use crate::{error::Result, Client};
+use crate::{
+    crypto::KeyEncryptable,
+    error::{Error, Result},
+    Client,
+};
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
@@ -24,14 +28,15 @@ pub(crate) async fn create_secret(
     client: &mut Client,
     input: &SecretCreateRequest,
 ) -> Result<SecretResponse> {
-    let enc = client.get_encryption_settings()?;
-
-    let org_id = Some(input.organization_id);
+    let key = client
+        .get_encryption_settings()?
+        .get_key(&Some(input.organization_id))
+        .ok_or(Error::VaultLocked)?;
 
     let secret = Some(SecretCreateRequestModel {
-        key: enc.encrypt(input.key.as_bytes(), &org_id)?.to_string(),
-        value: enc.encrypt(input.value.as_bytes(), &org_id)?.to_string(),
-        note: enc.encrypt(input.note.as_bytes(), &org_id)?.to_string(),
+        key: input.key.clone().encrypt_with_key(key)?.to_string(),
+        value: input.value.clone().encrypt_with_key(key)?.to_string(),
+        note: input.note.clone().encrypt_with_key(key)?.to_string(),
         project_ids: input.project_ids.clone(),
     });
 

diff --git a/crates/bitwarden/src/secrets_manager/secrets/update.rs b/crates/bitwarden/src/secrets_manager/secrets/update.rs
@@ -4,7 +4,11 @@ use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 use super::SecretResponse;
-use crate::{client::Client, error::Result};
+use crate::{
+    client::Client,
+    crypto::KeyEncryptable,
+    error::{Error, Result},
+};
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
@@ -24,14 +28,15 @@ pub(crate) async fn update_secret(
     client: &mut Client,
     input: &SecretPutRequest,
 ) -> Result<SecretResponse> {
-    let enc = client.get_encryption_settings()?;
-
-    let org_id = Some(input.organization_id);
+    let key = client
+        .get_encryption_settings()?
+        .get_key(&Some(input.organization_id))
+        .ok_or(Error::VaultLocked)?;
 
     let secret = Some(SecretUpdateRequestModel {
-        key: enc.encrypt(input.key.as_bytes(), &org_id)?.to_string(),
-        value: enc.encrypt(input.value.as_bytes(), &org_id)?.to_string(),
-        note: enc.encrypt(input.note.as_bytes(), &org_id)?.to_string(),
+        key: input.key.clone().encrypt_with_key(key)?.to_string(),
+        value: input.value.clone().encrypt_with_key(key)?.to_string(),
+        note: input.note.clone().encrypt_with_key(key)?.to_string(),
         project_ids: input.project_ids.clone(),
     });