
Individual Vault Item Encryption Feature (#3256)

* [SG-966] [SG-967] Add new cipher properties, update DB objects and create migrations (#2681)

* Updated cipher entity with two new columns

* Added sqlserver migration and updated applicable stored procedures and table

* Added EF Migrations

* Made changes to response model to include new column properties

* Fixed formatting

* Modified scripts to reflect suggestions made on PR

* Added column to cipher table using default

* Include constraint in create cipher table script

* Added key and forcerotatekey property to request model (#2716)

* Added key update on the Cipher_UpdateWithCollection stored procedure, ef (#2855)

* Added key and forceKeyRotation to BuildCiphersTable method (#2893)

* [PM-2211] Remove forceKeyRotation column (#2921)

* Removed forceKeyRotation column

* Adjusted date for migration file

* Passed key column to update cipher script to update cipher key when it is rotated (#2967)

* [PM-2448] Update CipherDetails_Update SP to update attachment column (#2992)

* Updated the cipherdetails_update stored procedure to update the attachment column when encrypted with the cipher key

* Moved migration and renamed old migration file

* Fixed lint issues

* Fixed lint issues

* renamed sqlserver migration to have a more recent date

* [PM-2548] Added validation to edit and add attachments methods (#3130)

* PM-2548 Added validation to edit and add attachments methods

* PM-2548 Moved the validation to a private method

* PM-2548 Minor refactor

* Bumped up minimum version

* Bumped up minimum version

* Changed version for tests purposes

* Bumped up minimum version

* Updated encryption minimum version to match clients for QA.

* PM-3976 Passed Key column to update cipher on bulk edit (#3299)

* Updated minimum client version in preparation for release.

* Renamed migration with current date. (#3303)

---------

Co-authored-by: SmithThe4th <gsmith@bitwarden.com>
Co-authored-by: gbubemismith <gsmithwalter@gmail.com>
Co-authored-by: Carlos Gonçalves <cgoncalves@bitwarden.com>
Co-authored-by: Carlos Gonçalves <carlosmaccam@gmail.com>
Todd Martin
2023-09-28 08:45:13 -04:00
committed by GitHub
parent 464dac8f4d
commit 7ede956c32
28 changed files with 6990 additions and 17 deletions


@ -36,6 +36,7 @@ public class CiphersController : Controller
private readonly ICurrentContext _currentContext;
private readonly ILogger<CiphersController> _logger;
private readonly GlobalSettings _globalSettings;
private readonly Version _cipherKeyEncryptionMinimumVersion = new Version(Constants.CipherKeyEncryptionMinimumVersion);
public CiphersController(
ICipherRepository cipherRepository,
@ -177,6 +178,8 @@ public class CiphersController : Controller
throw new NotFoundException();
}
ValidateItemLevelEncryptionIsAvailable(cipher);
var collectionIds = (await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, id)).Select(c => c.CollectionId).ToList();
var modelOrgId = string.IsNullOrWhiteSpace(model.OrganizationId) ?
(Guid?)null : new Guid(model.OrganizationId);
@ -198,6 +201,9 @@ public class CiphersController : Controller
{
var userId = _userService.GetProperUserId(User).Value;
var cipher = await _cipherRepository.GetOrganizationDetailsByIdAsync(id);
ValidateItemLevelEncryptionIsAvailable(cipher);
if (cipher == null || !cipher.OrganizationId.HasValue ||
!await _currentContext.EditAnyCollection(cipher.OrganizationId.Value))
{
@ -576,6 +582,8 @@ public class CiphersController : Controller
throw new NotFoundException();
}
ValidateItemLevelEncryptionIsAvailable(cipher);
if (request.FileSize > CipherService.MAX_FILE_SIZE)
{
throw new BadRequestException($"Max file size is {CipherService.MAX_FILE_SIZE_READABLE}.");
@ -795,4 +803,12 @@ public class CiphersController : Controller
throw new BadRequestException("Invalid content.");
}
}
private void ValidateItemLevelEncryptionIsAvailable(Cipher cipher)
{
if (cipher.Key != null && _currentContext.ClientVersion < _cipherKeyEncryptionMinimumVersion)
{
throw new BadRequestException("Cannot edit item. Update to the latest version of Bitwarden and try again.");
}
}
}
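Review bot: In the hunk that loads the cipher with `GetOrganizationDetailsByIdAsync`, `ValidateItemLevelEncryptionIsAvailable(cipher)` is called before the `cipher == null` test on the next line, and the helper reads `cipher.Key` unconditionally, so a lookup that returns null would surface as a NullReferenceException rather than reaching the null/permission branch. The other two call sites place the call after their not-found check; either do the same here or make the helper null-tolerant with `if (cipher?.Key != null && _currentContext.ClientVersion < _cipherKeyEncryptionMinimumVersion)`. The helper would also benefit from a comment such as `// Compatibility guard: blocks clients older than the minimum version from editing items that carry their own key; ClientVersion is reported by the client, so this is not an authorization check.` (assuming the version comes from the request, which is not visible here). The enclosing action methods start and end outside the hunks.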


@ -18,6 +18,7 @@ public class CipherRequestModel
public string FolderId { get; set; }
public bool Favorite { get; set; }
public CipherRepromptType Reprompt { get; set; }
public string Key { get; set; }
[Required]
[EncryptedString]
[EncryptedStringLength(1000)]
@ -86,6 +87,7 @@ public class CipherRequestModel
}
existingCipher.Reprompt = Reprompt;
existingCipher.Key = Key;
var hasAttachments2 = (Attachments2?.Count ?? 0) > 0;
var hasAttachments = (Attachments?.Count ?? 0) > 0;
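Review bot: The new `Key` property on the request model has no validation attributes, although the property declared right below it carries `[Required]`, `[EncryptedString]` and `[EncryptedStringLength(1000)]`, and the value is copied straight into `existingCipher.Key`. Because the value is client-supplied and presumably persisted, I would add `[EncryptedString]` plus an `[EncryptedStringLength(...)]` bound matching the new column's size (the column definition is not visible in this section). The assignment `existingCipher.Key = Key;` is also unconditional, so a request that omits `Key` clears a previously stored key; if that is intended, a short comment saying what a null key means for the item would help, otherwise guard the assignment. The method containing the assignment starts and ends outside the hunk.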


@ -63,6 +63,7 @@ public class CipherMiniResponseModel : ResponseModel
CreationDate = cipher.CreationDate;
DeletedDate = cipher.DeletedDate;
Reprompt = cipher.Reprompt.GetValueOrDefault(CipherRepromptType.None);
Key = cipher.Key;
}
public Guid Id { get; set; }
@ -83,6 +84,7 @@ public class CipherMiniResponseModel : ResponseModel
public DateTime CreationDate { get; set; }
public DateTime? DeletedDate { get; set; }
public CipherRepromptType Reprompt { get; set; }
public string Key { get; set; }
}
public class CipherResponseModel : CipherMiniResponseModel