Skip to content

[PM-25819] Migrate cipher sharing operations to SDK #490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

[PM-25819] Migrate cipher sharing operations to SDK #490

wants to merge 10 commits into from

Conversation

nikwithak
Copy link
Contributor

🎟️ Tracking

📔 Objective

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
    team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
    issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@github-actions
Copy link
Contributor

github-actions bot commented Oct 3, 2025
edited
Loading

Logo
Checkmarx One – Scan Summary & Details215e99c8-e803-478a-8c52-e9c855e52b2e

Great job! No new security vulnerabilities introduced in this pull request

@nikwithak nikwithak requested a review from gbubemismith October 8, 2025 20:06
@claude
Copy link

claude bot commented Oct 21, 2025
edited
Loading

Claude finished @nikwithak's task —— View job

Code Review Complete

Reviewed PR #490: Migrate cipher sharing operations to SDK

Summary of Changes

This PR migrates cipher sharing operations from clients into the SDK by:

  • Adding new share_cipher() and share_ciphers_bulk() methods to CiphersClient
  • Creating conversion implementations (TryFrom/From) for CipherRequestModel and CipherWithIdRequestModel
  • Adding new error variants for sharing operations
  • Implementing repository updates after bulk share operations
  • Modifying Cargo.toml workspace dependencies (removed bitwarden-commercial-vault, added bitwarden-state-migrations)

Critical Issues

1. ⚠️ Unused Parameter in Public API

Location: share_cipher.rs:38

pub async fn share_cipher(
    &self,
    mut cipher_view: CipherView,
    organization_id: OrganizationId,
    collection_ids: Vec<CollectionId>,
    _original_cipher: Option<Cipher>,  // ❌ Unused parameter
) -> Result<Cipher, CipherError>

Issue: The _original_cipher parameter is prefixed with underscore indicating it's intentionally unused, but it appears in a public API. This suggests either:

  • Incomplete implementation
  • Parameter added for future use
  • Leftover from refactoring

Recommendation: Either use the parameter for validation/comparison, or remove it if truly unnecessary. If keeping for future use, add a comment explaining why.

2. ⚠️ Silent Data Loss Risk in Bulk Share Response

Location: share_cipher.rs:182-196

edit: orig_cipher.as_ref().map(|c| c.edit).unwrap_or_default(),
favorite: orig_cipher.as_ref().map(|c| c.favorite).unwrap_or_default(),
folder_id: orig_cipher.as_ref().map(|c| c.folder_id).unwrap_or_default(),
permissions: orig_cipher.as_ref().map(|c| c.permissions).unwrap_or_default(),
view_password: orig_cipher.as_ref().map(|c| c.view_password).unwrap_or_default(),
local_data: orig_cipher.map(|c| c.local_data).unwrap_or_default(),

Issue: If repo.get() returns None (cipher not found in repository), these fields silently default to false/None. This could:

  • Lose user preferences (favorite status, folder assignments)
  • Drop permission information
  • Discard local metadata

Recommendation: Consider failing the operation if orig_cipher is None, or at minimum log a warning. The comment at line 197-198 questions collection_ids server confirmation - similar concerns apply to all these fallback fields.

3. ⚠️ Unvalidated Server Response

Location: share_cipher.rs:197-198

collection_ids: collection_ids.clone(), /* Should we have confirmation from the
                                         * server that these were set?? */

Issue: The comment correctly identifies a trust issue - the code assumes collection assignment succeeded without server confirmation. If the server failed to assign collections (partial failure), local state would be inconsistent.

Recommendation: Either:

  • Use server's returned collection data if available in the response
  • Add a verification step after bulk share
  • Document this as a known limitation

4. ❌ Redundant Reference Creation

Location: share_cipher.rs:22

let organization_id = &organization_id;

Issue: This creates a reference to organization_id but the parameter is already Copy, so this adds no value and makes the code confusing. Line 27 dereferences it with *organization_id.

Recommendation: Remove this line and use organization_id directly.

Security & Crypto Concerns

5. ✅ Encryption Handled Correctly

The sharing operations properly:

  • Re-encrypt ciphers for the target organization using encrypt()
  • Check for attachments without keys via existing validation
  • Use the crypto subsystem appropriately without direct crypto operations

No direct crypto changes were made (adheres to CLAUDE.md guidelines ✓).

6. ❓ No Sensitive Data in Errors

Observation: Error types added (PutShare, PutShareMany) wrap API errors. Need to verify these don't leak sensitive cipher data in error messages.

Recommendation: Review error messages from the API layer to ensure no vault secrets appear in logs.

Code Quality Issues

7. ⚠️ Missing Unit Tests

Location: share_cipher.rs

Issue: The new share_cipher.rs module has no unit tests. Given this handles:

  • Organization ownership transfer
  • Collection assignment
  • Repository updates
  • API orchestration
  • Complex error cases

Testing is critical to prevent regressions.

Recommendation: Add tests covering:

  • Happy path: successful single cipher share
  • Happy path: successful bulk share
  • Error: cipher already in organization
  • Error: attachments without keys
  • Error: API failures
  • Edge case: empty collection_ids
  • Edge case: repository read failures during bulk operations

8. 📝 Inconsistent Documentation

Location: share_cipher.rs:32, 75

/// Moves a cipher into an organization and collections.
pub async fn share_cipher(...)

#[allow(missing_docs)]
pub async fn share_ciphers_bulk(...)

Issue: share_cipher has a doc comment but share_ciphers_bulk uses #[allow(missing_docs)].

Recommendation: Document share_ciphers_bulk with similar detail, including:

  • What it does
  • Parameters
  • Return value
  • Potential errors

9. 🔄 Duplicate Collection ID Cloning

Location: share_cipher.rs:41, 84, 92

// Line 41 in share_cipher
self.move_to_collections(cipher_view, organization_id, collection_ids.clone())?;

// Line 84 in share_ciphers_bulk  
.map(|cv| self.move_to_collections(cv, organization_id, collection_ids.clone()))

// Line 92 in request building
collection_ids.iter().map(...).collect()

Issue: collection_ids is cloned multiple times - once per cipher in the bulk operation. For large bulk operations, this could add unnecessary allocations.

Recommendation: Consider passing &[CollectionId] to move_to_collections to avoid clones, or clone once before the loop.

10. ⛏ Minor: Unnecessary Turbofish

Location: share_cipher.rs:49

.map(<CollectionId as ToString>::to_string)

Issue: The explicit <CollectionId as ToString> syntax is unnecessary; the compiler can infer this.

Recommendation: Simplify to .map(ToString::to_string) (same at line 93).

Design & Architecture

11. 💭 Repository Access Pattern

Location: share_cipher.rs:68, 125

Observation: Both methods call get_repository() which can fail. The error handling is correct, but the pattern means repository issues are discovered during the operation rather than upfront.

Consideration: For bulk operations especially, validating repository access before starting work could provide better error messages and avoid partial state.

12. 🤔 State Consistency During Bulk Failures

Location: share_cipher.rs:126-204

Issue: The update_repository_from_bulk_share_response method updates the repository one cipher at a time in a loop. If a repository write fails mid-loop:

  • Some ciphers will be updated in local storage
  • Some won't
  • No rollback mechanism exists

This could leave the repository in an inconsistent state if repo.set() fails partway through.

Recommendation: Consider transaction-like semantics, or at minimum document this limitation. Alternatively, collect all updates first, then apply atomically if the repository supports batch operations.

Adherence to Repository Guidelines

CLAUDE.md Compliance:

  • ✓ No changes to bitwarden-crypto core
  • ✓ No unsafe blocks
  • ✓ Business logic in feature crate (bitwarden-vault), not WASM
  • ✓ No auto-generated API code modifications
  • ✓ Proper error propagation (no unwraps in production code)

Cargo.toml Changes:
The PR modifies workspace dependencies:

  • Removes: bitwarden-commercial-vault
  • Adds: bitwarden-state-migrations

Question: Are these changes intentional to this PR? The PR description mentions cipher sharing operations but doesn't explain these dependency changes. This might be cleanup from a merge, but should be explicitly noted in the PR description.

Good Practices Observed

  • Proper async/await usage
  • Consistent error propagation with ?
  • Type-safe IDs (CipherId, OrganizationId, CollectionId)
  • Appropriate use of existing encryption infrastructure
  • Clone usage documented where needed

Action Items for Author

High Priority:

  1. Remove or justify the unused _original_cipher parameter in share_cipher()
  2. Add proper error handling for missing orig_cipher in update_repository_from_bulk_share_response
  3. Fix redundant reference on line 22
  4. Add unit tests for the new sharing functionality

Medium Priority:
5. Document share_ciphers_bulk() method
6. Address the collection_ids server confirmation question (line 197-198)
7. Consider repository state consistency during bulk failures
8. Verify API errors don't leak sensitive data
9. Explain Cargo.toml changes in PR description

Low Priority (Polish):
10. Remove unnecessary turbofish syntax
11. Optimize collection_ids cloning in bulk operations

Tasks:

  • Review PR changes and file modifications
  • Analyze new share_cipher.rs module
  • Check cipher.rs modifications
  • Evaluate security implications
  • Verify adherence to repo guidelines
  • Provide comprehensive feedback

@nikwithak nikwithak force-pushed the vault/PM-25819/sharing-operations branch from c08c48d to 1732bf3 Compare October 21, 2025 22:41
@sonarqubecloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
30.9% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gbubemismith gbubemismith Awaiting requested review from gbubemismith

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nikwithak @gbubemismith