Merge branch 'main' into ps/argon2-publish

.github/workflows/build-dotnet.yml

@@ -4,6 +4,10 @@ on:
   push:
     branches:
       - main
+      - rc
+      - hotfix-rc
+  pull_request:
+  workflow_dispatch:
 
 jobs:
   generate_schemas:
@@ -12,12 +16,31 @@ jobs:
   build_rust:
     uses: ./.github/workflows/build-rust-cross-platform.yml
 
+  version:
+    name: Get version
+    runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install xmllint
+        run: sudo apt-get install -y libxml2-utils
+
+      - name: Get version
+        id: version
+        run: |
+          VERSION=$(xmllint --xpath 'string(/Project/PropertyGroup/Version)' languages/csharp/Bitwarden.Sdk/Bitwarden.Sdk.csproj)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
   build_dotnet:
     name: Build .NET
     runs-on: ubuntu-22.04
     needs:
       - generate_schemas
       - build_rust
+      - version
 
     steps:
       - name: Checkout Repository
@@ -58,21 +81,19 @@ jobs:
           name: libbitwarden_c_files-x86_64-pc-windows-msvc
           path: languages/csharp/Bitwarden.Sdk/windows-x64
 
-      - name: Build .NET 6 Project
+      - name: Build .NET Project
         working-directory: languages/csharp/Bitwarden.Sdk
         run: |
           dotnet restore
           dotnet build --configuration Release
 
       - name: Pack NuGet Package
-        env:
-          VERSION: 0.0.1
-        run: dotnet pack --configuration Release -p:PackageID=Bitwarden.Sdk -p:Version=${VERSION} --output ./nuget-output /nologo /v:n
+        run: dotnet pack --configuration Release --output ./nuget-output /nologo /v:n
         working-directory: languages/csharp/Bitwarden.Sdk
 
       - name: Upload NuGet package
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
-          name: Bitwarden.Sdk.0.0.1.nupkg
+          name: Bitwarden.Sdk.${{ needs.version.outputs.version }}.nupkg
           path: |
             ./languages/csharp/Bitwarden.Sdk/nuget-output/*.nupkg

.github/workflows/publish-dotnet.yml

@@ -50,64 +50,14 @@ jobs:
     runs-on: ubuntu-22.04
     needs: validate
     steps:
-      - name: Checkout Repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Download C# schemas artifact
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          workflow: generate_schemas.yml
-          workflow_conclusion: success
-          branch: ${{ inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
-          artifacts: schemas.cs
-          path: languages/csharp/Bitwarden.Sdk
-
-      - name: Set up .NET Core
-        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
-        with:
-          global-json-file: languages/csharp/global.json
-
-      - name: Download x86_64-apple-darwin files
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          workflow: build-rust-cross-platform.yml
-          workflow_conclusion: success
-          branch: ${{ inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
-          artifacts: libbitwarden_c_files-x86_64-apple-darwin
-          path: languages/csharp/Bitwarden.Sdk/macos-x64
-
-      - name: Download aarch64-apple-darwin files
+      - name: Download NuGet package
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
-          workflow: build-rust-cross-platform.yml
+          workflow: build-dotnet.yml
           workflow_conclusion: success
           branch: ${{ inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
-          artifacts: libbitwarden_c_files-aarch64-apple-darwin
-          path: languages/csharp/Bitwarden.Sdk/macos-arm64
-
-      - name: Download x86_64-unknown-linux-gnu files
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          workflow: build-rust-cross-platform.yml
-          workflow_conclusion: success
-          branch: ${{ inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
-          artifacts: libbitwarden_c_files-x86_64-unknown-linux-gnu
-          path: languages/csharp/Bitwarden.Sdk/linux-x64
-
-      - name: Download x86_64-pc-windows-msvc files
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          workflow: build-rust-cross-platform.yml
-          workflow_conclusion: success
-          branch: ${{ inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
-          artifacts: libbitwarden_c_files-x86_64-pc-windows-msvc
-          path: languages/csharp/Bitwarden.Sdk/windows-x64
-
-      - name: Pack NuGet Package
-        env:
-          VERSION: ${{ needs.validate.outputs.version }}
-        run: dotnet pack --configuration Release -p:PackageID=Bitwarden.Sdk -p:Version=${VERSION} --output ./nuget-output /nologo /v:n
-        working-directory: languages/csharp/Bitwarden.Sdk
+          artifacts: Bitwarden.Sdk.${{ needs.validate.outputs.version }}.nupkg
+          path: ./nuget-output
 
       - name: Login to Azure - Prod Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
@@ -125,4 +75,4 @@ jobs:
         if: ${{ inputs.release_type != 'Dry Run' }}
         env:
           NUGET_API_KEY: ${{ steps.retrieve-secrets.outputs.nuget-api-key }}
-        run: dotnet nuget push ./languages/csharp/Bitwarden.Sdk/nuget-output/*.nupkg -k ${{ env.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json
+        run: dotnet nuget push ./nuget-output/*.nupkg -k ${{ env.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json

.github/workflows/release-go.yml

@@ -58,15 +58,6 @@ jobs:
         with:
           path: sdk
 
-      - name: Download artifacts
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          workflow: generate_schemas.yml
-          path: sdk/languages/go/bitwarden_sdk_secrets/lib
-          workflow_conclusion: success
-          branch: ${{ inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
-          artifacts: schemas.go
-
       - name: Login to Azure - Prod Subscription
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
         with:
@@ -98,6 +89,15 @@ jobs:
           # Copy files to local sm-sdk-go repo path
           cp --verbose -rf sdk/languages/go/. sm-sdk-go
 
+      - name: Download artifacts
+        uses: bitwarden/gh-actions/download-artifacts@main
+        with:
+          workflow: generate_schemas.yml
+          path: sm-sdk-go
+          workflow_conclusion: success
+          branch: ${{ inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
+          artifacts: schemas.go
+
       - name: Replace repo name
         working-directory: sm-sdk-go
         run: |
@@ -194,10 +194,16 @@ jobs:
 
       - name: Rename build artifacts
         run: |
-          mv libbitwarden_c_files-x86_64-apple-darwin.zip libbitwarden_c_files-x86_64-apple-darwin-$_PKG_VERSION.zip
-          mv libbitwarden_c_files-aarch64-apple-darwin.zip libbitwarden_c_files-aarch64-apple-darwin-$_PKG_VERSION.zip
-          mv libbitwarden_c_files-x86_64-unknown-linux-gnu.zip libbitwarden_c_files-x86_64-unknown-linux-gnu-$_PKG_VERSION.zip
-          mv libbitwarden_c_files-x86_64-pc-windows-msvc.zip libbitwarden_c_files-x86_64-pc-windows-msvc-$_PKG_VERSION.zip
+          artifacts=("x86_64-apple-darwin" "aarch64-apple-darwin" "x86_64-unknown-linux-gnu" "x86_64-pc-windows-msvc") # aarch64-unknown-linux-gnu)
+          for value in "${artifacts[@]}"
+          do
+            unzip libbitwarden_c_files-$value.zip -d libbitwarden_c_files-$value
+            cd libbitwarden_c_files-$value
+            zip -Rj ../libbitwarden_c_files-$value-$_PKG_VERSION.zip 'libbitwarden_c.*'
+            cd ..
+          done
+
+          ls ./libbitwarden_c_files-x86_64-apple-darwin-$_PKG_VERSION -lRa
 
       - name: Create release
         if: ${{ inputs.release_type != 'Dry Run' }}

.github/workflows/scan.yml

@@ -10,8 +10,6 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
-permissions: read-all
-
 jobs:
   check-run:
     name: Check PR run
@@ -22,6 +20,8 @@ jobs:
     runs-on: ubuntu-22.04
     needs: check-run
     permissions:
+      contents: read
+      pull-requests: write
       security-events: write
 
     steps:
@@ -43,14 +43,17 @@ jobs:
           additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           sarif_file: cx_result.sarif
 
   quality:
     name: Quality scan
     runs-on: ubuntu-22.04
     needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: Check out repo

README.md

@@ -86,6 +86,9 @@ This project uses customized templates which lives in the `support/openapi-templ
 These templates resolves some outstanding issues we've experienced with the rust generator. But we
 strive towards modifying the templates as little as possible to ease future upgrades.
 
+Note: If you don't have the nightly toolchain installed, the `build-api.sh` script will install it
+for you.
+
 ## Tests
 
 Many of the SDK tests are based on encrypted data provided by the other Bitwarden clients. In order

crates/bitwarden-crypto/src/keys/master_key.rs

@@ -5,7 +5,7 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use super::utils::{derive_kdf_key, stretch_kdf_key};
-use crate::{util, EncString, KeyDecryptable, Result, SymmetricCryptoKey, UserKey};
+use crate::{util, CryptoError, EncString, KeyDecryptable, Result, SymmetricCryptoKey, UserKey};
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema, Clone)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
@@ -68,7 +68,10 @@ impl MasterKey {
 
         EncString::encrypt_aes256_hmac(
             user_key.to_vec().as_slice(),
-            stretched_key.mac_key.as_ref().unwrap(),
+            stretched_key
+                .mac_key
+                .as_ref()
+                .ok_or(CryptoError::InvalidMac)?,
             &stretched_key.key,
         )
     }

crates/bitwarden-crypto/src/rsa.rs

@@ -36,8 +36,11 @@ pub(crate) fn make_key_pair(key: &SymmetricCryptoKey) -> Result<RsaKeyPair> {
         .to_pkcs8_der()
         .map_err(|_| RsaError::CreatePrivateKey)?;
 
-    let protected =
-        EncString::encrypt_aes256_hmac(pkcs.as_bytes(), key.mac_key.as_ref().unwrap(), &key.key)?;
+    let protected = EncString::encrypt_aes256_hmac(
+        pkcs.as_bytes(),
+        key.mac_key.as_ref().ok_or(CryptoError::InvalidMac)?,
+        &key.key,
+    )?;
 
     Ok(RsaKeyPair {
         public: b64,

crates/bitwarden-uniffi/src/auth/mod.rs

@@ -2,6 +2,7 @@ use std::sync::Arc;
 
 use bitwarden::auth::{
     password::MasterPasswordPolicyOptions, AuthRequestResponse, RegisterKeyResponse,
+    RegisterTdeKeyResponse,
 };
 use bitwarden_crypto::{AsymmetricEncString, HashPurpose, Kdf, TrustDeviceResponse};
 
@@ -78,6 +79,21 @@ impl ClientAuth {
             .make_register_keys(email, password, kdf)?)
     }
 
+    /// Generate keys needed for TDE process
+    pub async fn make_register_tde_keys(
+        &self,
+        org_public_key: String,
+        remember_device: bool,
+    ) -> Result<RegisterTdeKeyResponse> {
+        Ok(self
+            .0
+             .0
+            .write()
+            .await
+            .auth()
+            .make_register_tde_keys(org_public_key, remember_device)?)
+    }
+
     /// Validate the user password
     ///
     /// To retrieve the user's password hash, use [`ClientAuth::hash_password`] with

crates/bitwarden/src/auth/client_auth.rs

@@ -20,6 +20,7 @@ use crate::{
             MasterPasswordPolicyOptions,
         },
         register::{make_register_keys, register},
+        tde::{make_register_tde_keys, RegisterTdeKeyResponse},
         AuthRequestResponse, RegisterKeyResponse, RegisterRequest,
     },
     client::Kdf,
@@ -73,6 +74,14 @@ impl<'a> ClientAuth<'a> {
         make_register_keys(email, password, kdf)
     }
 
+    pub fn make_register_tde_keys(
+        &mut self,
+        org_public_key: String,
+        remember_device: bool,
+    ) -> Result<RegisterTdeKeyResponse> {
+        make_register_tde_keys(self.client, org_public_key, remember_device)
+    }
+
     pub async fn register(&mut self, input: &RegisterRequest) -> Result<()> {
         register(self.client, input).await
     }

crates/bitwarden/src/auth/login/api_key.rs

@@ -9,7 +9,7 @@ use crate::{
         JWTToken,
     },
     client::{LoginMethod, UserLoginMethod},
-    error::Result,
+    error::{Error, Result},
     Client,
 };
 
@@ -44,8 +44,12 @@ pub(crate) async fn login_api_key(
             kdf,
         }));
 
-        let user_key: EncString = r.key.as_deref().unwrap().parse().unwrap();
-        let private_key: EncString = r.private_key.as_deref().unwrap().parse().unwrap();
+        let user_key: EncString = r.key.as_deref().ok_or(Error::MissingFields)?.parse()?;
+        let private_key: EncString = r
+            .private_key
+            .as_deref()
+            .ok_or(Error::MissingFields)?
+            .parse()?;
 
         client.initialize_user_crypto(&input.password, user_key, private_key)?;
     }

crates/bitwarden/src/auth/login/auth_request.rs

@@ -13,7 +13,7 @@ use crate::{
         auth_request::new_auth_request,
     },
     client::{LoginMethod, UserLoginMethod},
-    error::Result,
+    error::{Error, Result},
     mobile::crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
     Client,
 };
@@ -50,7 +50,7 @@ pub(crate) async fn send_new_auth_request(
         fingerprint: auth.fingerprint,
         email,
         device_identifier,
-        auth_request_id: res.id.unwrap(),
+        auth_request_id: res.id.ok_or(Error::MissingFields)?,
         access_code: auth.access_code,
         private_key: auth.private_key,
     })
@@ -103,11 +103,11 @@ pub(crate) async fn complete_auth_request(
 
         let method = match res.master_password_hash {
             Some(_) => AuthRequestMethod::MasterKey {
-                protected_master_key: res.key.unwrap().parse().unwrap(),
-                auth_request_key: r.key.unwrap().parse().unwrap(),
+                protected_master_key: res.key.ok_or(Error::MissingFields)?.parse()?,
+                auth_request_key: r.key.ok_or(Error::MissingFields)?.parse()?,
             },
             None => AuthRequestMethod::UserKey {
-                protected_user_key: res.key.unwrap().parse().unwrap(),
+                protected_user_key: res.key.ok_or(Error::MissingFields)?.parse()?,
             },
         };
 
@@ -116,7 +116,7 @@ pub(crate) async fn complete_auth_request(
             .initialize_user_crypto(InitUserCryptoRequest {
                 kdf_params: kdf,
                 email: auth_req.email,
-                private_key: r.private_key.unwrap(),
+                private_key: r.private_key.ok_or(Error::MissingFields)?,
                 method: InitUserCryptoMethod::AuthRequest {
                     request_private_key: auth_req.private_key,
                     method,