Merge branch 'master' into DEVOPS-1525-swift-workflow-for-package-pub…

…lishing
bitwarden · Oct 5, 2023 · db8517b · db8517b
2 parents 378e04d + 969f03e
commit db8517b
Show file tree

Hide file tree

Showing 31 changed files with 266 additions and 254 deletions.
diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml
@@ -102,7 +102,7 @@ jobs:
         run: ./build-schemas.sh
 
       - name: Publish
-        uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
+        uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0
         with:
           arguments: sdk:publish
           build-root-directory: languages/kotlin

diff --git a/.github/workflows/publish-rust-crates.yml b/.github/workflows/publish-rust-crates.yml
@@ -109,7 +109,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           keyvault: "bitwarden-ci"
           secrets: "cratesio-api-token"

diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
@@ -58,7 +58,7 @@ jobs:
 
       - name: Download all Release artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build-cli.yml
           path: packages
@@ -67,15 +67,15 @@ jobs:
 
       - name: Dry Run - Download all artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build-cli.yml
           path: packages
           workflow_conclusion: success
           branch: master
 
       - name: Get checksum files
-        uses: bitwarden/gh-actions/get-checksum@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/get-checksum@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           packages_dir: "packages"
           file_path: "packages/bws-sha256-checksums-${{ steps.version.outputs.version }}.txt"
@@ -134,7 +134,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           keyvault: "bitwarden-ci"
           secrets: "cratesio-api-token"

diff --git a/.github/workflows/release-napi.yml b/.github/workflows/release-napi.yml
@@ -47,7 +47,7 @@ jobs:
 
       - name: Check Release Version
         id: version
-        uses: bitwarden/gh-actions/release-version-check@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/release-version-check@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           release-type: ${{ github.event.inputs.release_type }}
           project-type: ts
@@ -101,7 +101,7 @@ jobs:
 
       - name: Download schemas
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build-napi.yml
           artifacts: schemas.ts
@@ -111,7 +111,7 @@ jobs:
 
       - name: Dry Run - Download schemas
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build-napi.yml
           artifacts: schemas.ts
@@ -132,14 +132,14 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           keyvault: "bitwarden-ci"
           secrets: "npm-api-key"
 
       - name: Download artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build-napi.yml
           path: ${{ github.workspace }}/crates/bitwarden-napi/artifacts
@@ -148,7 +148,7 @@ jobs:
 
       - name: Dry Run - Download artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build-napi.yml
           path: ${{ github.workspace }}/crates/bitwarden-napi/artifacts

diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
@@ -49,7 +49,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@62d1bf7c3e31c458cc7236b1e69a475d235cd78f
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           keyvault: "bitwarden-ci"
           secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"

diff --git a/crates/bitwarden-napi/src-ts/bitwarden_client/index.ts b/crates/bitwarden-napi/src-ts/bitwarden_client/index.ts
@@ -4,7 +4,6 @@ import {
   ClientSettings,
   Convert,
   ResponseForAPIKeyLoginResponse,
-  ResponseForPasswordLoginResponse,
   ResponseForSecretIdentifiersResponse,
   ResponseForSecretResponse,
   ResponseForSecretsDeleteResponse,
@@ -19,19 +18,6 @@ export class BitwardenClient {
     this.client = new rust.BitwardenClient(settingsJson, loggingLevel ?? LogLevel.Info);
   }
 
-  async login(email: string, password: string): Promise<ResponseForPasswordLoginResponse> {
-    const response = await this.client.runCommand(
-      Convert.commandToJson({
-        passwordLogin: {
-          email: email,
-          password: password,
-        },
-      }),
-    );
-
-    return Convert.toResponseForPasswordLoginResponse(response);
-  }
-
   async loginWithAccessToken(accessToken: string): Promise<ResponseForAPIKeyLoginResponse> {
     const commandInput = Convert.commandToJson({
       accessTokenLogin: {

diff --git a/crates/bitwarden-uniffi/src/auth/mod.rs b/crates/bitwarden-uniffi/src/auth/mod.rs
@@ -2,7 +2,7 @@ use std::sync::Arc;
 
 use bitwarden::{
     auth::{password::MasterPasswordPolicyOptions, RegisterKeyResponse},
-    client::auth_settings::Kdf,
+    client::kdf::Kdf,
 };
 
 use crate::{error::Result, Client};

diff --git a/crates/bitwarden-uniffi/src/docs.rs b/crates/bitwarden-uniffi/src/docs.rs
@@ -1,6 +1,6 @@
 use bitwarden::{
     auth::password::MasterPasswordPolicyOptions,
-    client::auth_settings::Kdf,
+    client::kdf::Kdf,
     mobile::crypto::InitCryptoRequest,
     tool::{ExportFormat, PassphraseGeneratorRequest, PasswordGeneratorRequest},
     vault::{Cipher, CipherView, Collection, Folder, FolderView, Send, SendListView, SendView},

diff --git a/crates/bitwarden/src/auth/client_auth.rs b/crates/bitwarden/src/auth/client_auth.rs
@@ -3,7 +3,7 @@ use super::{
     register::{make_register_keys, register},
     RegisterKeyResponse, RegisterRequest,
 };
-use crate::{client::auth_settings::Kdf, error::Result, Client};
+use crate::{client::kdf::Kdf, error::Result, Client};
 
 pub struct ClientAuth<'a> {
     pub(crate) client: &'a mut crate::Client,

diff --git a/crates/bitwarden/src/auth/login/access_token.rs b/crates/bitwarden/src/auth/login/access_token.rs
@@ -9,7 +9,7 @@ use crate::{
         api::{request::AccessTokenRequest, response::IdentityTokenResponse},
         login::{response::two_factor::TwoFactorProviders, PasswordLoginResponse},
     },
-    client::{AccessToken, LoginMethod},
+    client::{AccessToken, LoginMethod, ServiceAccountLoginMethod},
     crypto::{EncString, SymmetricCryptoKey},
     error::{Error, Result},
     util::{decode_token, BASE64_ENGINE},
@@ -59,11 +59,11 @@ pub(crate) async fn access_token_login(
             r.access_token.clone(),
             r.refresh_token.clone(),
             r.expires_in,
-            LoginMethod::AccessToken {
+            LoginMethod::ServiceAccount(ServiceAccountLoginMethod::AccessToken {
                 service_account_id: access_token.service_account_id,
                 client_secret: access_token.client_secret,
                 organization_id,
-            },
+            }),
         );
 
         client.initialize_crypto_single_key(encryption_key);

diff --git a/crates/bitwarden/src/auth/login/api_key.rs b/crates/bitwarden/src/auth/login/api_key.rs
@@ -6,12 +6,9 @@ use serde::{Deserialize, Serialize};
 use crate::{
     auth::{
         api::{request::ApiTokenRequest, response::IdentityTokenResponse},
-        login::{
-            determine_password_hash, response::two_factor::TwoFactorProviders,
-            PasswordLoginResponse,
-        },
+        login::{response::two_factor::TwoFactorProviders, PasswordLoginResponse},
     },
-    client::LoginMethod,
+    client::{LoginMethod, UserLoginMethod},
     crypto::EncString,
     error::{Error, Result},
     util::decode_token,
@@ -28,24 +25,26 @@ pub(crate) async fn api_key_login(
     let response = request_api_identity_tokens(client, input).await?;
 
     if let IdentityTokenResponse::Authenticated(r) = &response {
-        client.set_tokens(
-            r.access_token.clone(),
-            r.refresh_token.clone(),
-            r.expires_in,
-            LoginMethod::ApiKey {
-                client_id: input.client_id.to_owned(),
-                client_secret: input.client_secret.to_owned(),
-            },
-        );
-
         let access_token_obj = decode_token(&r.access_token)?;
 
         // This should always be Some() when logging in with an api key
         let email = access_token_obj
             .email
             .ok_or(Error::Internal("Access token doesn't contain email"))?;
 
-        let _ = determine_password_hash(client, &email, &input.password).await?;
+        let kdf = client.prelogin(email.clone()).await?;
+
+        client.set_tokens(
+            r.access_token.clone(),
+            r.refresh_token.clone(),
+            r.expires_in,
+            LoginMethod::User(UserLoginMethod::ApiKey {
+                client_id: input.client_id.to_owned(),
+                client_secret: input.client_secret.to_owned(),
+                email,
+                kdf,
+            }),
+        );
 
         let user_key = EncString::from_str(r.key.as_deref().unwrap()).unwrap();
         let private_key = EncString::from_str(r.private_key.as_deref().unwrap()).unwrap();

diff --git a/crates/bitwarden/src/auth/login/mod.rs b/crates/bitwarden/src/auth/login/mod.rs
@@ -1,7 +1,7 @@
 #[cfg(feature = "internal")]
 use {
     crate::{
-        client::{auth_settings::AuthSettings, Client},
+        client::{kdf::Kdf, Client},
         error::Result,
     },
     bitwarden_api_identity::{
@@ -40,21 +40,18 @@ pub(crate) use access_token::access_token_login;
 pub use access_token::{AccessTokenLoginRequest, AccessTokenLoginResponse};
 
 #[cfg(feature = "internal")]
-async fn determine_password_hash(
-    client: &mut Client,
-    email: &str,
-    password: &str,
-) -> Result<String> {
-    let pre_login = request_prelogin(client, email.to_owned()).await?;
-    let auth_settings = AuthSettings::new(pre_login, email.to_owned());
-    let password_hash = auth_settings.derive_user_password_hash(password)?;
-    client.set_auth_settings(auth_settings);
+async fn determine_password_hash(email: &str, kdf: &Kdf, password: &str) -> Result<String> {
+    use crate::crypto::{HashPurpose, MasterKey};
 
-    Ok(password_hash)
+    let master_key = MasterKey::derive(password.as_bytes(), email.as_bytes(), kdf)?;
+    master_key.derive_master_key_hash(password.as_bytes(), HashPurpose::ServerAuthorization)
 }
 
 #[cfg(feature = "internal")]
-async fn request_prelogin(client: &mut Client, email: String) -> Result<PreloginResponseModel> {
+pub(crate) async fn request_prelogin(
+    client: &mut Client,
+    email: String,
+) -> Result<PreloginResponseModel> {
     let request_model = PreloginRequestModel::new(email);
     let config = client.get_api_configurations().await;
     Ok(accounts_prelogin_post(&config.identity, Some(request_model)).await?)

diff --git a/crates/bitwarden/src/auth/login/password.rs b/crates/bitwarden/src/auth/login/password.rs
@@ -12,7 +12,7 @@ use crate::{
         api::request::PasswordTokenRequest,
         login::{determine_password_hash, TwoFactorRequest},
     },
-    client::LoginMethod,
+    client::{kdf::Kdf, LoginMethod},
     crypto::EncString,
     Client,
 };
@@ -29,20 +29,24 @@ pub(crate) async fn password_login(
     client: &mut Client,
     input: &PasswordLoginRequest,
 ) -> Result<PasswordLoginResponse> {
+    use crate::client::UserLoginMethod;
+
     info!("password logging in");
     debug!("{:#?}, {:#?}", client, input);
 
-    let password_hash = determine_password_hash(client, &input.email, &input.password).await?;
+    let password_hash = determine_password_hash(&input.email, &input.kdf, &input.password).await?;
     let response = request_identity_tokens(client, input, &password_hash).await?;
 
     if let IdentityTokenResponse::Authenticated(r) = &response {
         client.set_tokens(
             r.access_token.clone(),
             r.refresh_token.clone(),
             r.expires_in,
-            LoginMethod::Username {
+            LoginMethod::User(UserLoginMethod::Username {
                 client_id: "web".to_owned(),
-            },
+                email: input.email.to_owned(),
+                kdf: input.kdf.to_owned(),
+            }),
         );
 
         let user_key = EncString::from_str(r.key.as_deref().unwrap()).unwrap();
@@ -77,6 +81,8 @@ pub struct PasswordLoginRequest {
     pub password: String,
     // Two-factor authentication
     pub two_factor: Option<TwoFactorRequest>,
+    /// Kdf from prelogin
+    pub kdf: Kdf,
 }
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]

diff --git a/crates/bitwarden/src/auth/login/two_factor.rs b/crates/bitwarden/src/auth/login/two_factor.rs
@@ -19,7 +19,10 @@ pub(crate) async fn send_two_factor_email(
     client: &mut Client,
     input: &TwoFactorEmailRequest,
 ) -> Result<()> {
-    let password_hash = determine_password_hash(client, &input.email, &input.password).await?;
+    // TODO: This should be resolved from the client
+    let kdf = client.prelogin(input.email.clone()).await?;
+
+    let password_hash = determine_password_hash(&input.email, &kdf, &input.password).await?;
 
     let config = client.get_api_configurations().await;
     bitwarden_api_api::apis::two_factor_api::two_factor_send_email_login_post(

diff --git a/crates/bitwarden/src/auth/register.rs b/crates/bitwarden/src/auth/register.rs
@@ -6,7 +6,7 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use crate::{
-    client::auth_settings::Kdf,
+    client::kdf::Kdf,
     crypto::{HashPurpose, MasterKey, RsaKeyPair},
     error::Result,
     util::default_pbkdf2_iterations,