bitwarden_organization_invite_link/

invite_link_client.rs

use bitwarden_core::{
    Client, FromClient, OrganizationId,
    key_management::{KeySlotIds, SymmetricKeySlotId},
};
use bitwarden_crypto::KeyStore;
use bitwarden_error::bitwarden_error;
use bitwarden_organization_crypto::{
    InviteKeyBundle, InviteKeyBundleError, InviteKeyData, InviteKeyEnvelope,
};
use serde::{Deserialize, Serialize};
use thiserror::Error;
#[cfg(feature = "wasm")]
use tsify::Tsify;
#[cfg(feature = "wasm")]
use wasm_bindgen::prelude::wasm_bindgen;

/// Errors returned from [`InviteLinkClient`] operations.
#[bitwarden_error(flat)]
#[derive(Debug, Error)]
pub enum OrganizationInviteCryptoBundleError {
    /// Failed to generate the invite key bundle.
    #[error("Key bundle generation failed: {0}")]
    BundleGenerationFailed(#[from] InviteKeyBundleError),
    /// Failed to unseal the invite key envelope using the organization key.
    #[error("Failed to unseal invite key: {0}")]
    UnsealingFailed(InviteKeyBundleError),
}

/// The cryptographic bundle returned when generating an organization member invite link.
///
/// - `invite_key`: raw invite key encoded as base64Url. **MUST NOT be sent to the server.**
/// - `sealed_invite_key_envelope`: invite key sealed with the organization key, serialized as an
///   EncString. Safe to send to the server.
#[derive(Clone, Serialize, Deserialize)]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
#[serde(rename_all = "camelCase")]
pub struct OrganizationInviteCryptoBundle {
    /// Raw invite key. CRITICAL: MUST NOT be sent to the server.
    #[cfg_attr(feature = "wasm", tsify(type = "InviteKeyData"))]
    pub invite_key: InviteKeyData,
    /// Invite key sealed with the organization key. Safe to send to the server.
    #[cfg_attr(feature = "wasm", tsify(type = "InviteKeyEnvelope"))]
    pub sealed_invite_key_envelope: InviteKeyEnvelope,
}

/// Client for organization invite link cryptographic operations.
#[cfg_attr(feature = "wasm", wasm_bindgen)]
#[derive(FromClient)]
pub struct InviteLinkClient {
    pub(crate) key_store: KeyStore<KeySlotIds>,
}

#[cfg_attr(feature = "wasm", wasm_bindgen)]
impl InviteLinkClient {
    /// Generates a new [`OrganizationInviteCryptoBundle`] sealed with the organization's key.
    ///
    /// The organization key is looked up from the client's key store via
    /// [`SymmetricKeySlotId::Organization`]; the caller does not need to provide it directly.
    ///
    /// Each call produces a unique invite key sampled from a secure cryptographic source.
    ///
    /// # Security
    /// The returned `invite_key` MUST NOT be sent to the server.
    pub fn generate_invite_crypto_bundle(
        &self,
        organization_id: OrganizationId,
    ) -> Result<OrganizationInviteCryptoBundle, OrganizationInviteCryptoBundleError> {
        let mut ctx = self.key_store.context();
        let org_key = SymmetricKeySlotId::Organization(organization_id);
        let bundle = InviteKeyBundle::make(org_key, &mut ctx)?;
        Ok(OrganizationInviteCryptoBundle {
            invite_key: bundle.dangerous_get_raw_invite_key().clone(),
            sealed_invite_key_envelope: bundle.get_sealed_invite_key_envelope().clone(),
        })
    }

    /// Unseals a `sealed_invite_key_envelope` using the organization's key, returning the raw
    /// invite key as [`InviteKeyData`].
    pub fn unseal_invite_key(
        &self,
        organization_id: OrganizationId,
        sealed_invite_key_envelope: InviteKeyEnvelope,
    ) -> Result<InviteKeyData, OrganizationInviteCryptoBundleError> {
        let mut ctx = self.key_store.context();
        let org_key = SymmetricKeySlotId::Organization(organization_id);
        sealed_invite_key_envelope
            .unseal(org_key, &mut ctx)
            .map_err(OrganizationInviteCryptoBundleError::UnsealingFailed)
    }
}

/// Extension trait that exposes [`InviteLinkClient`] on [`Client`].
pub trait InviteLinkClientExt {
    /// Returns an [`InviteLinkClient`] backed by this client's key store.
    fn invite_link(&self) -> InviteLinkClient;
}

impl InviteLinkClientExt for Client {
    fn invite_link(&self) -> InviteLinkClient {
        InviteLinkClient::from_client(self)
    }
}

#[cfg(test)]
mod tests {
    use bitwarden_core::key_management::create_test_crypto_with_user_and_org_key;
    use bitwarden_crypto::{SymmetricCryptoKey, SymmetricKeyAlgorithm};

    use super::*;

    fn make_client(org_id: OrganizationId) -> InviteLinkClient {
        let user_key = SymmetricCryptoKey::make(SymmetricKeyAlgorithm::Aes256CbcHmac);
        let org_key = SymmetricCryptoKey::make(SymmetricKeyAlgorithm::Aes256CbcHmac);
        let key_store = create_test_crypto_with_user_and_org_key(user_key, org_id, org_key);
        InviteLinkClient { key_store }
    }

    #[test]
    fn generate_invite_crypto_bundle_returns_non_empty_fields() {
        let org_id = OrganizationId::new_v4();
        let client = make_client(org_id);

        let bundle = client.generate_invite_crypto_bundle(org_id).unwrap();

        assert!(!String::from(&bundle.invite_key).is_empty());
        assert!(!String::from(&bundle.sealed_invite_key_envelope).is_empty());
    }

    #[test]
    fn envelope_unseals_to_raw_invite_key() {
        let org_id = OrganizationId::new_v4();
        let client = make_client(org_id);

        let bundle = client.generate_invite_crypto_bundle(org_id).unwrap();
        let unsealed = client
            .unseal_invite_key(org_id, bundle.sealed_invite_key_envelope.clone())
            .unwrap();

        assert_eq!(bundle.invite_key, unsealed);
    }

    #[test]
    fn two_calls_produce_different_invite_keys() {
        let org_id = OrganizationId::new_v4();
        let client = make_client(org_id);

        let bundle1 = client.generate_invite_crypto_bundle(org_id).unwrap();
        let bundle2 = client.generate_invite_crypto_bundle(org_id).unwrap();

        assert_ne!(
            String::from(&bundle1.invite_key),
            String::from(&bundle2.invite_key)
        );
    }

    #[test]
    fn sealed_envelope_serializes_as_encstring_text_format() {
        // The server validates EncryptedInviteKey as a Bitwarden EncString text
        // format (e.g. "2.iv|data|mac").
        let org_id = OrganizationId::new_v4();
        let client = make_client(org_id);

        let bundle = client.generate_invite_crypto_bundle(org_id).unwrap();
        let envelope_str = String::from(&bundle.sealed_invite_key_envelope);

        assert!(
            envelope_str.parse::<bitwarden_crypto::EncString>().is_ok(),
            "sealed_invite_key_envelope must parse as a valid EncString, got: {envelope_str}"
        );
    }

    #[test]
    fn unseal_with_wrong_organization_id_fails() {
        let org_id = OrganizationId::new_v4();
        let other_org_id = OrganizationId::new_v4();
        let client = make_client(org_id);

        let bundle = client.generate_invite_crypto_bundle(org_id).unwrap();
        let result = client.unseal_invite_key(other_org_id, bundle.sealed_invite_key_envelope);

        assert!(matches!(
            result,
            Err(OrganizationInviteCryptoBundleError::UnsealingFailed(_))
        ));
    }

    #[test]
    fn generate_with_unknown_organization_id_fails() {
        let org_id = OrganizationId::new_v4();
        let other_org_id = OrganizationId::new_v4();
        let client = make_client(org_id);

        let result = client.generate_invite_crypto_bundle(other_org_id);

        assert!(matches!(
            result,
            Err(OrganizationInviteCryptoBundleError::BundleGenerationFailed(
                _
            ))
        ));
    }
}