bitwarden_vault/cipher/

cipher.rs

use bitwarden_api_api::models::{
    CipherDetailsResponseModel, CipherMiniDetailsResponseModel, CipherMiniResponseModel,
    CipherRequestModel, CipherResponseModel, CipherWithIdRequestModel,
};
use bitwarden_collections::collection::CollectionId;
use bitwarden_core::{
    ApiError, MissingFieldError, OrganizationId, UserId,
    key_management::{KeySlotIds, MINIMUM_ENFORCE_ICON_URI_HASH_VERSION, SymmetricKeySlotId},
    require,
};
use bitwarden_crypto::{
    CompositeEncryptable, CryptoError, Decryptable, EncString, IdentifyKey, KeyStoreContext,
    PrimitiveEncryptable,
};
use bitwarden_error::bitwarden_error;
use bitwarden_state::repository::RepositoryError;
use bitwarden_uuid::uuid_newtype;
use chrono::{DateTime, SecondsFormat, Utc};
use serde::{Deserialize, Serialize};
use serde_repr::{Deserialize_repr, Serialize_repr};
use thiserror::Error;
use tracing::instrument;
#[cfg(feature = "wasm")]
use tsify::Tsify;
#[cfg(feature = "wasm")]
use wasm_bindgen::prelude::wasm_bindgen;

use super::{
    attachment, bank_account, card,
    card::CardListView,
    cipher_permissions::CipherPermissions,
    field, identity,
    local_data::{LocalData, LocalDataView},
    login::LoginListView,
    secure_note, ssh_key,
};
use crate::{
    AttachmentView, DecryptError, EncryptError, Fido2CredentialFullView, Fido2CredentialView,
    FieldView, FolderId, Login, LoginView, VaultParseError,
    password_history::{self, MAX_PASSWORD_HISTORY_ENTRIES},
};

uuid_newtype!(pub CipherId);

#[allow(missing_docs)]
#[bitwarden_error(flat)]
#[derive(Debug, Error)]
pub enum CipherError {
    #[error(transparent)]
    MissingField(#[from] MissingFieldError),
    #[error(transparent)]
    Crypto(#[from] CryptoError),
    #[error(transparent)]
    Decrypt(#[from] DecryptError),
    #[error(transparent)]
    Encrypt(#[from] EncryptError),
    #[error(
        "This cipher contains attachments without keys. Those attachments will need to be reuploaded to complete the operation"
    )]
    AttachmentsWithoutKeys,
    #[error("This cipher cannot be moved to the specified organization")]
    OrganizationAlreadySet,
    #[error(transparent)]
    Repository(#[from] RepositoryError),
    #[error(transparent)]
    Chrono(#[from] chrono::ParseError),
    #[error(transparent)]
    SerdeJson(#[from] serde_json::Error),
    #[error(transparent)]
    Api(#[from] ApiError),
}

impl<T> From<bitwarden_api_api::apis::Error<T>> for CipherError {
    fn from(value: bitwarden_api_api::apis::Error<T>) -> Self {
        Self::Api(value.into())
    }
}

/// Helper trait for operations on cipher types.
pub(super) trait CipherKind {
    /// Returns the item's subtitle.
    fn decrypt_subtitle(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Result<String, CryptoError>;

    /// Returns a list of populated fields for the cipher.
    fn get_copyable_fields(&self, cipher: Option<&Cipher>) -> Vec<CopyableCipherFields>;
}

#[allow(missing_docs)]
#[derive(Clone, Copy, Serialize_repr, Deserialize_repr, Debug, PartialEq)]
#[repr(u8)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Enum))]
#[cfg_attr(feature = "wasm", wasm_bindgen)]
pub enum CipherType {
    Login = 1,
    SecureNote = 2,
    Card = 3,
    Identity = 4,
    SshKey = 5,
    BankAccount = 6,
}

#[allow(missing_docs)]
#[derive(Clone, Copy, Default, Serialize_repr, Deserialize_repr, Debug, PartialEq)]
#[repr(u8)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Enum))]
#[cfg_attr(feature = "wasm", wasm_bindgen)]
pub enum CipherRepromptType {
    #[default]
    None = 0,
    Password = 1,
}

#[allow(missing_docs)]
#[derive(Serialize, Deserialize, Debug, Clone)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub struct EncryptionContext {
    /// The Id of the user that encrypted the cipher. It should always represent a UserId, even for
    /// Organization-owned ciphers
    pub encrypted_for: UserId,
    pub cipher: Cipher,
}

impl TryFrom<EncryptionContext> for CipherWithIdRequestModel {
    type Error = CipherError;
    fn try_from(
        EncryptionContext {
            cipher,
            encrypted_for,
        }: EncryptionContext,
    ) -> Result<Self, Self::Error> {
        Ok(Self {
            id: require!(cipher.id).into(),
            encrypted_for: Some(encrypted_for.into()),
            r#type: Some(cipher.r#type.into()),
            organization_id: cipher.organization_id.map(|o| o.to_string()),
            folder_id: cipher.folder_id.as_ref().map(ToString::to_string),
            favorite: cipher.favorite.into(),
            reprompt: Some(cipher.reprompt.into()),
            key: cipher.key.map(|k| k.to_string()),
            name: cipher.name.to_string(),
            notes: cipher.notes.map(|n| n.to_string()),
            fields: Some(
                cipher
                    .fields
                    .into_iter()
                    .flatten()
                    .map(Into::into)
                    .collect(),
            ),
            password_history: Some(
                cipher
                    .password_history
                    .into_iter()
                    .flatten()
                    .map(Into::into)
                    .collect(),
            ),
            attachments: None,
            attachments2: Some(
                cipher
                    .attachments
                    .into_iter()
                    .flatten()
                    .filter_map(|a| {
                        a.id.map(|id| {
                            (
                                id,
                                bitwarden_api_api::models::CipherAttachmentModel {
                                    file_name: a.file_name.map(|n| n.to_string()),
                                    key: a.key.map(|k| k.to_string()),
                                },
                            )
                        })
                    })
                    .collect(),
            ),
            login: cipher.login.map(|l| Box::new(l.into())),
            card: cipher.card.map(|c| Box::new(c.into())),
            identity: cipher.identity.map(|i| Box::new(i.into())),
            secure_note: cipher.secure_note.map(|s| Box::new(s.into())),
            ssh_key: cipher.ssh_key.map(|s| Box::new(s.into())),
            bank_account: cipher.bank_account.map(|b| Box::new(b.into())),
            data: None, // TODO: Consume this instead of the individual fields above.
            last_known_revision_date: Some(
                cipher
                    .revision_date
                    .to_rfc3339_opts(SecondsFormat::Millis, true),
            ),
            archived_date: cipher
                .archived_date
                .map(|d| d.to_rfc3339_opts(SecondsFormat::Millis, true)),
        })
    }
}

impl From<EncryptionContext> for CipherRequestModel {
    fn from(
        EncryptionContext {
            cipher,
            encrypted_for,
        }: EncryptionContext,
    ) -> Self {
        Self {
            encrypted_for: Some(encrypted_for.into()),
            r#type: Some(cipher.r#type.into()),
            organization_id: cipher.organization_id.map(|o| o.to_string()),
            folder_id: cipher.folder_id.as_ref().map(ToString::to_string),
            favorite: cipher.favorite.into(),
            reprompt: Some(cipher.reprompt.into()),
            key: cipher.key.map(|k| k.to_string()),
            name: cipher.name.to_string(),
            notes: cipher.notes.map(|n| n.to_string()),
            fields: Some(
                cipher
                    .fields
                    .into_iter()
                    .flatten()
                    .map(Into::into)
                    .collect(),
            ),
            password_history: Some(
                cipher
                    .password_history
                    .into_iter()
                    .flatten()
                    .map(Into::into)
                    .collect(),
            ),
            attachments: None,
            attachments2: Some(
                cipher
                    .attachments
                    .into_iter()
                    .flatten()
                    .filter_map(|a| {
                        a.id.map(|id| {
                            (
                                id,
                                bitwarden_api_api::models::CipherAttachmentModel {
                                    file_name: a.file_name.map(|n| n.to_string()),
                                    key: a.key.map(|k| k.to_string()),
                                },
                            )
                        })
                    })
                    .collect(),
            ),
            login: cipher.login.map(|l| Box::new(l.into())),
            card: cipher.card.map(|c| Box::new(c.into())),
            identity: cipher.identity.map(|i| Box::new(i.into())),
            secure_note: cipher.secure_note.map(|s| Box::new(s.into())),
            ssh_key: cipher.ssh_key.map(|s| Box::new(s.into())),
            bank_account: cipher.bank_account.map(|b| Box::new(b.into())),
            data: None, // TODO: Consume this instead of the individual fields above.
            last_known_revision_date: Some(
                cipher
                    .revision_date
                    .to_rfc3339_opts(SecondsFormat::Millis, true),
            ),
            archived_date: cipher
                .archived_date
                .map(|d| d.to_rfc3339_opts(SecondsFormat::Millis, true)),
        }
    }
}

#[allow(missing_docs)]
#[derive(Serialize, Deserialize, Debug, Clone)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub struct Cipher {
    pub id: Option<CipherId>,
    pub organization_id: Option<OrganizationId>,
    pub folder_id: Option<FolderId>,
    pub collection_ids: Vec<CollectionId>,
    /// More recent ciphers uses individual encryption keys to encrypt the other fields of the
    /// Cipher.
    pub key: Option<EncString>,

    pub name: EncString,
    pub notes: Option<EncString>,

    pub r#type: CipherType,
    pub login: Option<Login>,
    pub identity: Option<identity::Identity>,
    pub card: Option<card::Card>,
    pub secure_note: Option<secure_note::SecureNote>,
    pub ssh_key: Option<ssh_key::SshKey>,
    pub bank_account: Option<bank_account::BankAccount>,

    pub favorite: bool,
    pub reprompt: CipherRepromptType,
    pub organization_use_totp: bool,
    pub edit: bool,
    pub permissions: Option<CipherPermissions>,
    pub view_password: bool,
    pub local_data: Option<LocalData>,

    pub attachments: Option<Vec<attachment::Attachment>>,
    pub fields: Option<Vec<field::Field>>,
    pub password_history: Option<Vec<password_history::PasswordHistory>>,

    pub creation_date: DateTime<Utc>,
    pub deleted_date: Option<DateTime<Utc>>,
    pub revision_date: DateTime<Utc>,
    pub archived_date: Option<DateTime<Utc>>,
    pub data: Option<String>,
}

/// Represents the result of re-wrapping a cipher key, which can be needed when changing the
/// ownership of a cipher or rotating keys.
pub enum CipherKeyRewrapError {
    NoCipherKey,
    DecryptionFailure,
    EncryptionFailure,
}

impl Cipher {
    /// Re-wraps the encrypted cipher-key. This should be done when moving the cipher to a new
    /// ownership (user to org), or when rotating the owning key. This mutates the cipher's key
    /// field if successful, otherwise returns an error. Data stays encrypted the same way and
    /// does not need to be re-uploaded to the server.
    pub fn rewrap_cipher_key(
        &mut self,
        old_key: SymmetricKeySlotId,
        new_key: SymmetricKeySlotId,
        ctx: &mut KeyStoreContext<KeySlotIds>,
    ) -> Result<(), CipherKeyRewrapError> {
        let new_cipher_key = self
            .key
            .as_ref()
            .ok_or(CipherKeyRewrapError::NoCipherKey)
            .and_then(|wrapped_cipher_key| {
                ctx.unwrap_symmetric_key(old_key, wrapped_cipher_key)
                    .map_err(|_| CipherKeyRewrapError::DecryptionFailure)
            })
            .and_then(|cipher_key| {
                ctx.wrap_symmetric_key(new_key, cipher_key)
                    .map_err(|_| CipherKeyRewrapError::EncryptionFailure)
            })?;
        self.key = Some(new_cipher_key);
        Ok(())
    }
}

bitwarden_state::register_repository_item!(CipherId => Cipher, "Cipher");

#[allow(missing_docs)]
#[derive(Serialize, Deserialize, Debug, Clone)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub struct CipherView {
    pub id: Option<CipherId>,
    pub organization_id: Option<OrganizationId>,
    pub folder_id: Option<FolderId>,
    pub collection_ids: Vec<CollectionId>,

    /// Temporary, required to support re-encrypting existing items.
    pub key: Option<EncString>,

    pub name: String,
    pub notes: Option<String>,

    pub r#type: CipherType,
    pub login: Option<LoginView>,
    pub identity: Option<identity::IdentityView>,
    pub card: Option<card::CardView>,
    pub secure_note: Option<secure_note::SecureNoteView>,
    pub ssh_key: Option<ssh_key::SshKeyView>,
    pub bank_account: Option<bank_account::BankAccountView>,

    pub favorite: bool,
    pub reprompt: CipherRepromptType,
    pub organization_use_totp: bool,
    pub edit: bool,
    pub permissions: Option<CipherPermissions>,
    pub view_password: bool,
    pub local_data: Option<LocalDataView>,

    pub attachments: Option<Vec<attachment::AttachmentView>>,
    /// Attachments that failed to decrypt. Only present when there are decryption failures.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attachment_decryption_failures: Option<Vec<attachment::AttachmentView>>,
    pub fields: Option<Vec<field::FieldView>>,
    pub password_history: Option<Vec<password_history::PasswordHistoryView>>,
    pub creation_date: DateTime<Utc>,
    pub deleted_date: Option<DateTime<Utc>>,
    pub revision_date: DateTime<Utc>,
    pub archived_date: Option<DateTime<Utc>>,
}

#[allow(missing_docs)]
#[derive(Serialize, Deserialize, Debug, PartialEq)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Enum))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub enum CipherListViewType {
    Login(LoginListView),
    SecureNote,
    Card(CardListView),
    Identity,
    SshKey,
    BankAccount,
}

/// Available fields on a cipher and can be copied from a the list view in the UI.
#[derive(Serialize, Deserialize, Debug, PartialEq)]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
#[cfg_attr(feature = "uniffi", derive(uniffi::Enum))]
pub enum CopyableCipherFields {
    LoginUsername,
    LoginPassword,
    LoginTotp,
    CardNumber,
    CardSecurityCode,
    IdentityUsername,
    IdentityEmail,
    IdentityPhone,
    IdentityAddress,
    SshKey,
    SecureNotes,
    BankAccountAccountNumber,
    BankAccountRoutingNumber,
    BankAccountPin,
    BankAccountIban,
}

#[allow(missing_docs)]
#[derive(Serialize, Deserialize, Debug, PartialEq)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub struct CipherListView {
    pub id: Option<CipherId>,
    pub organization_id: Option<OrganizationId>,
    pub folder_id: Option<FolderId>,
    pub collection_ids: Vec<CollectionId>,

    /// Temporary, required to support calculating TOTP from CipherListView.
    pub key: Option<EncString>,

    pub name: String,
    pub subtitle: String,

    pub r#type: CipherListViewType,

    pub favorite: bool,
    pub reprompt: CipherRepromptType,
    pub organization_use_totp: bool,
    pub edit: bool,
    pub permissions: Option<CipherPermissions>,

    pub view_password: bool,

    /// The number of attachments
    pub attachments: u32,
    /// Indicates if the cipher has old attachments that need to be re-uploaded
    pub has_old_attachments: bool,

    pub creation_date: DateTime<Utc>,
    pub deleted_date: Option<DateTime<Utc>>,
    pub revision_date: DateTime<Utc>,
    pub archived_date: Option<DateTime<Utc>>,

    /// Hints for the presentation layer for which fields can be copied.
    pub copyable_fields: Vec<CopyableCipherFields>,

    pub local_data: Option<LocalDataView>,

    /// Decrypted cipher notes for search indexing.
    #[cfg(feature = "wasm")]
    pub notes: Option<String>,
    /// Decrypted cipher fields for search indexing.
    /// Only includes name and value (for text fields only).
    #[cfg(feature = "wasm")]
    pub fields: Option<Vec<field::FieldListView>>,
    /// Decrypted attachment filenames for search indexing.
    #[cfg(feature = "wasm")]
    pub attachment_names: Option<Vec<String>>,
}

/// Represents the result of decrypting a list of ciphers.
///
/// This struct contains two vectors: `successes` and `failures`.
/// `successes` contains the decrypted `CipherListView` objects,
/// while `failures` contains the original `Cipher` objects that failed to decrypt.
#[derive(Serialize, Deserialize, Debug)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub struct DecryptCipherListResult {
    /// The decrypted `CipherListView` objects.
    pub successes: Vec<CipherListView>,
    /// The original `Cipher` objects that failed to decrypt.
    pub failures: Vec<Cipher>,
}

/// Represents the result of decrypting a list of ciphers.
///
/// This struct contains two vectors: `successes` and `failures`.
/// `successes` contains the decrypted `CipherView` objects,
/// while `failures` contains the original `Cipher` objects that failed to decrypt.
#[derive(Serialize, Deserialize, Debug)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub struct DecryptCipherResult {
    /// The decrypted `CipherView` objects.
    pub successes: Vec<CipherView>,
    /// The original `Cipher` objects that failed to decrypt.
    pub failures: Vec<Cipher>,
}

/// Represents the result of fetching and decrypting all ciphers for an organization.
///
/// Contains the encrypted ciphers from the API alongside their decrypted list views.
#[derive(Serialize, Deserialize, Debug)]
#[serde(rename_all = "camelCase", deny_unknown_fields)]
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub struct ListOrganizationCiphersResult {
    /// All encrypted ciphers returned from the API.
    pub ciphers: Vec<Cipher>,
    /// Successfully decrypted `CipherListView` objects.
    pub list_views: Vec<CipherListView>,
}

impl CipherListView {
    pub(crate) fn get_totp_key(
        self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
    ) -> Result<Option<String>, CryptoError> {
        let key = self.key_identifier();
        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.key)?;

        let totp = match self.r#type {
            CipherListViewType::Login(LoginListView { totp, .. }) => {
                totp.map(|t| t.decrypt(ctx, ciphers_key)).transpose()?
            }
            _ => None,
        };

        Ok(totp)
    }
}

impl CompositeEncryptable<KeySlotIds, SymmetricKeySlotId, Cipher> for CipherView {
    fn encrypt_composite(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Result<Cipher, CryptoError> {
        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.key)?;

        let mut cipher_view = self.clone();
        cipher_view.generate_checksums();

        Ok(Cipher {
            id: cipher_view.id,
            organization_id: cipher_view.organization_id,
            folder_id: cipher_view.folder_id,
            collection_ids: cipher_view.collection_ids,
            key: cipher_view.key,
            name: cipher_view.name.encrypt(ctx, ciphers_key)?,
            notes: cipher_view.notes.encrypt(ctx, ciphers_key)?,
            r#type: cipher_view.r#type,
            login: cipher_view.login.encrypt_composite(ctx, ciphers_key)?,
            identity: cipher_view.identity.encrypt_composite(ctx, ciphers_key)?,
            card: cipher_view.card.encrypt_composite(ctx, ciphers_key)?,
            secure_note: cipher_view
                .secure_note
                .encrypt_composite(ctx, ciphers_key)?,
            ssh_key: cipher_view.ssh_key.encrypt_composite(ctx, ciphers_key)?,
            bank_account: cipher_view
                .bank_account
                .encrypt_composite(ctx, ciphers_key)?,
            favorite: cipher_view.favorite,
            reprompt: cipher_view.reprompt,
            organization_use_totp: cipher_view.organization_use_totp,
            edit: cipher_view.edit,
            view_password: cipher_view.view_password,
            local_data: cipher_view.local_data.encrypt_composite(ctx, ciphers_key)?,
            attachments: cipher_view
                .attachments
                .encrypt_composite(ctx, ciphers_key)?,
            fields: cipher_view.fields.encrypt_composite(ctx, ciphers_key)?,
            password_history: cipher_view
                .password_history
                .encrypt_composite(ctx, ciphers_key)?,
            creation_date: cipher_view.creation_date,
            deleted_date: cipher_view.deleted_date,
            revision_date: cipher_view.revision_date,
            permissions: cipher_view.permissions,
            archived_date: cipher_view.archived_date,
            data: None, // TODO: Do we need to repopulate this on this on the cipher?
        })
    }
}

impl Decryptable<KeySlotIds, SymmetricKeySlotId, CipherView> for Cipher {
    #[instrument(err, skip_all, fields(cipher_id = ?self.id, org_id = ?self.organization_id, kind = ?self.r#type))]
    fn decrypt(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Result<CipherView, CryptoError> {
        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.key)?;

        // Separate successful and failed attachment decryptions
        let (attachments, attachment_decryption_failures) =
            attachment::decrypt_attachments_with_failures(
                self.attachments.as_deref().unwrap_or_default(),
                ctx,
                ciphers_key,
            );

        let mut cipher = CipherView {
            id: self.id,
            organization_id: self.organization_id,
            folder_id: self.folder_id,
            collection_ids: self.collection_ids.clone(),
            key: self.key.clone(),
            name: self.name.decrypt(ctx, ciphers_key).ok().unwrap_or_default(),
            notes: self.notes.decrypt(ctx, ciphers_key).ok().flatten(),
            r#type: self.r#type,
            login: self.login.decrypt(ctx, ciphers_key).ok().flatten(),
            identity: self.identity.decrypt(ctx, ciphers_key).ok().flatten(),
            card: self.card.decrypt(ctx, ciphers_key).ok().flatten(),
            secure_note: self.secure_note.decrypt(ctx, ciphers_key).ok().flatten(),
            ssh_key: self.ssh_key.decrypt(ctx, ciphers_key).ok().flatten(),
            bank_account: self.bank_account.decrypt(ctx, ciphers_key).ok().flatten(),
            favorite: self.favorite,
            reprompt: self.reprompt,
            organization_use_totp: self.organization_use_totp,
            edit: self.edit,
            permissions: self.permissions,
            view_password: self.view_password,
            local_data: self.local_data.decrypt(ctx, ciphers_key).ok().flatten(),
            attachments: Some(attachments),
            attachment_decryption_failures: Some(attachment_decryption_failures),
            fields: self.fields.decrypt(ctx, ciphers_key).ok().flatten(),
            password_history: self
                .password_history
                .decrypt(ctx, ciphers_key)
                .ok()
                .flatten(),
            creation_date: self.creation_date,
            deleted_date: self.deleted_date,
            revision_date: self.revision_date,
            archived_date: self.archived_date,
        };

        // For compatibility we only remove URLs with invalid checksums if the cipher has a key
        // or the user is on Crypto V2
        if cipher.key.is_some()
            || ctx.get_security_state_version() >= MINIMUM_ENFORCE_ICON_URI_HASH_VERSION
        {
            cipher.remove_invalid_checksums();
        }

        Ok(cipher)
    }
}

impl Cipher {
    /// Decrypt the individual encryption key for this cipher into the provided [KeyStoreContext]
    /// and return it's identifier. Note that some ciphers do not have individual encryption
    /// keys, in which case this will return the provided key identifier instead
    ///
    /// # Arguments
    ///
    /// * `ctx` - The key store context where the cipher key will be decrypted, if it exists
    /// * `key` - The key to use to decrypt the cipher key, this should be the user or organization
    ///   key
    /// * `ciphers_key` - The encrypted cipher key
    #[instrument(err, skip_all)]
    pub(super) fn decrypt_cipher_key(
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
        ciphers_key: &Option<EncString>,
    ) -> Result<SymmetricKeySlotId, CryptoError> {
        match ciphers_key {
            Some(ciphers_key) => ctx.unwrap_symmetric_key(key, ciphers_key),
            None => Ok(key),
        }
    }

    /// Temporary helper to return a [CipherKind] instance based on the cipher type.
    fn get_kind(&self) -> Option<&dyn CipherKind> {
        match self.r#type {
            CipherType::Login => self.login.as_ref().map(|v| v as _),
            CipherType::Card => self.card.as_ref().map(|v| v as _),
            CipherType::Identity => self.identity.as_ref().map(|v| v as _),
            CipherType::SshKey => self.ssh_key.as_ref().map(|v| v as _),
            CipherType::SecureNote => self.secure_note.as_ref().map(|v| v as _),
            CipherType::BankAccount => self.bank_account.as_ref().map(|v| v as _),
        }
    }

    /// Returns the decrypted subtitle for the cipher, if applicable.
    fn decrypt_subtitle(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Result<String, CryptoError> {
        self.get_kind()
            .map(|sub| sub.decrypt_subtitle(ctx, key))
            .unwrap_or_else(|| Ok(String::new()))
    }

    /// Returns a list of copyable field names for this cipher,
    /// based on the cipher type and populated properties.
    fn get_copyable_fields(&self) -> Vec<CopyableCipherFields> {
        self.get_kind()
            .map(|kind| kind.get_copyable_fields(Some(self)))
            .unwrap_or_default()
    }

    /// This replaces the values provided by the API in the `login`, `secure_note`, `card`,
    /// `identity`, and `ssh_key` fields, relying instead on client-side parsing of the
    /// `data` field.
    #[allow(unused)] // Will be used by future changes to support cipher versioning.
    pub(crate) fn populate_cipher_types(&mut self) -> Result<(), VaultParseError> {
        let data = self
            .data
            .as_ref()
            .ok_or(VaultParseError::MissingField(MissingFieldError("data")))?;

        match &self.r#type {
            crate::CipherType::Login => self.login = serde_json::from_str(data)?,
            crate::CipherType::SecureNote => self.secure_note = serde_json::from_str(data)?,
            crate::CipherType::Card => self.card = serde_json::from_str(data)?,
            crate::CipherType::Identity => self.identity = serde_json::from_str(data)?,
            crate::CipherType::SshKey => self.ssh_key = serde_json::from_str(data)?,
            crate::CipherType::BankAccount => self.bank_account = serde_json::from_str(data)?,
        }
        Ok(())
    }

    /// Marks the cipher as soft deleted by setting `deletion_date` to now.
    pub(crate) fn soft_delete(&mut self) {
        self.deleted_date = Some(Utc::now());
    }
}
impl CipherView {
    #[allow(missing_docs)]
    pub fn generate_cipher_key(
        &mut self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        wrapping_key: SymmetricKeySlotId,
    ) -> Result<(), CryptoError> {
        let old_unwrapping_key = self.key_identifier();
        let old_ciphers_key = Cipher::decrypt_cipher_key(ctx, old_unwrapping_key, &self.key)?;

        let new_key = ctx.generate_symmetric_key();

        self.reencrypt_attachment_keys(ctx, old_ciphers_key, new_key)?;
        self.reencrypt_fido2_credentials(ctx, old_ciphers_key, new_key)?;

        self.key = Some(ctx.wrap_symmetric_key(wrapping_key, new_key)?);
        Ok(())
    }

    #[allow(missing_docs)]
    pub fn generate_checksums(&mut self) {
        if let Some(l) = self.login.as_mut() {
            l.generate_checksums();
        }
    }

    #[allow(missing_docs)]
    pub fn remove_invalid_checksums(&mut self) {
        if let Some(uris) = self.login.as_mut().and_then(|l| l.uris.as_mut()) {
            uris.retain(|u| u.is_checksum_valid());
        }
    }

    fn reencrypt_attachment_keys(
        &mut self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        old_key: SymmetricKeySlotId,
        new_key: SymmetricKeySlotId,
    ) -> Result<(), CryptoError> {
        if let Some(attachments) = &mut self.attachments {
            AttachmentView::reencrypt_keys(attachments, ctx, old_key, new_key)?;
        }
        Ok(())
    }

    #[allow(missing_docs)]
    pub fn decrypt_fido2_credentials(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
    ) -> Result<Vec<Fido2CredentialView>, CryptoError> {
        let key = self.key_identifier();
        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.key)?;

        Ok(self
            .login
            .as_ref()
            .and_then(|l| l.fido2_credentials.as_ref())
            .map(|f| f.decrypt(ctx, ciphers_key))
            .transpose()?
            .unwrap_or_default())
    }

    fn reencrypt_fido2_credentials(
        &mut self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        old_key: SymmetricKeySlotId,
        new_key: SymmetricKeySlotId,
    ) -> Result<(), CryptoError> {
        if let Some(login) = self.login.as_mut() {
            login.reencrypt_fido2_credentials(ctx, old_key, new_key)?;
        }
        Ok(())
    }

    /// Moves the cipher to an organization by re-encrypting the cipher keys with the organization
    /// key and assigning the organization ID to the cipher.
    ///
    /// # Arguments
    /// * `ctx` - The key store context where the cipher keys will be re-encrypted
    /// * `organization_id` - The ID of the organization to move the cipher to
    pub fn move_to_organization(
        &mut self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        organization_id: OrganizationId,
    ) -> Result<(), CipherError> {
        let new_key = SymmetricKeySlotId::Organization(organization_id);

        self.reencrypt_cipher_keys(ctx, new_key)?;
        self.organization_id = Some(organization_id);

        Ok(())
    }

    /// Re-encrypt the cipher key(s) using a new wrapping key.
    ///
    /// If the cipher has a cipher key, it will be re-encrypted with the new wrapping key.
    /// Otherwise, the cipher will re-encrypt all attachment keys and FIDO2 credential keys
    pub fn reencrypt_cipher_keys(
        &mut self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        new_wrapping_key: SymmetricKeySlotId,
    ) -> Result<(), CipherError> {
        let old_key = self.key_identifier();

        // If any attachment is missing a key we can't reencrypt the attachment keys
        if self.attachments.iter().flatten().any(|a| a.key.is_none()) {
            return Err(CipherError::AttachmentsWithoutKeys);
        }

        // If the cipher has a key, reencrypt it with the new wrapping key
        if self.key.is_some() {
            // Decrypt the current cipher key using the existing wrapping key
            let cipher_key = Cipher::decrypt_cipher_key(ctx, old_key, &self.key)?;

            // Wrap the cipher key with the new wrapping key
            self.key = Some(ctx.wrap_symmetric_key(new_wrapping_key, cipher_key)?);
        } else {
            // The cipher does not have a key, we must reencrypt all attachment keys and FIDO2
            // credentials individually
            self.reencrypt_attachment_keys(ctx, old_key, new_wrapping_key)?;
            self.reencrypt_fido2_credentials(ctx, old_key, new_wrapping_key)?;
        }

        Ok(())
    }

    #[allow(missing_docs)]
    pub fn set_new_fido2_credentials(
        &mut self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        creds: Vec<Fido2CredentialFullView>,
    ) -> Result<(), CipherError> {
        let key = self.key_identifier();

        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.key)?;

        require!(self.login.as_mut()).fido2_credentials =
            Some(creds.encrypt_composite(ctx, ciphers_key)?);

        Ok(())
    }

    #[allow(missing_docs)]
    pub fn get_fido2_credentials(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
    ) -> Result<Vec<Fido2CredentialFullView>, CipherError> {
        let key = self.key_identifier();

        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.key)?;

        let login = require!(self.login.as_ref());
        let creds = require!(login.fido2_credentials.as_ref());
        let res = creds.decrypt(ctx, ciphers_key)?;
        Ok(res)
    }

    #[allow(missing_docs)]
    pub fn decrypt_fido2_private_key(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
    ) -> Result<String, CipherError> {
        let fido2_credential = self.get_fido2_credentials(ctx)?;

        Ok(fido2_credential[0].key_value.clone())
    }

    pub(crate) fn update_password_history(&mut self, original_cipher: &CipherView) {
        let changes = self
            .login
            .as_mut()
            .map_or(vec![], |login| {
                login.detect_password_change(&original_cipher.login)
            })
            .into_iter()
            .chain(self.fields.as_deref().map_or(vec![], |fields| {
                FieldView::detect_hidden_field_changes(
                    fields,
                    original_cipher.fields.as_deref().unwrap_or(&[]),
                )
            }))
            .rev()
            .chain(original_cipher.password_history.iter().flatten().cloned())
            .take(MAX_PASSWORD_HISTORY_ENTRIES)
            .collect();
        self.password_history = Some(changes)
    }
}

impl Decryptable<KeySlotIds, SymmetricKeySlotId, CipherListView> for Cipher {
    fn decrypt(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Result<CipherListView, CryptoError> {
        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.key)?;

        Ok(CipherListView {
            id: self.id,
            organization_id: self.organization_id,
            folder_id: self.folder_id,
            collection_ids: self.collection_ids.clone(),
            key: self.key.clone(),
            name: self.name.decrypt(ctx, ciphers_key).ok().unwrap_or_default(),
            subtitle: self
                .decrypt_subtitle(ctx, ciphers_key)
                .ok()
                .unwrap_or_default(),
            r#type: match self.r#type {
                CipherType::Login => {
                    let login = self
                        .login
                        .as_ref()
                        .ok_or(CryptoError::MissingField("login"))?;
                    CipherListViewType::Login(login.decrypt(ctx, ciphers_key)?)
                }
                CipherType::SecureNote => CipherListViewType::SecureNote,
                CipherType::Card => {
                    let card = self
                        .card
                        .as_ref()
                        .ok_or(CryptoError::MissingField("card"))?;
                    CipherListViewType::Card(card.decrypt(ctx, ciphers_key)?)
                }
                CipherType::Identity => CipherListViewType::Identity,
                CipherType::SshKey => CipherListViewType::SshKey,
                CipherType::BankAccount => CipherListViewType::BankAccount,
            },
            favorite: self.favorite,
            reprompt: self.reprompt,
            organization_use_totp: self.organization_use_totp,
            edit: self.edit,
            permissions: self.permissions,
            view_password: self.view_password,
            attachments: self
                .attachments
                .as_ref()
                .map(|a| a.len() as u32)
                .unwrap_or(0),
            has_old_attachments: self
                .attachments
                .as_ref()
                .map(|a| a.iter().any(|att| att.key.is_none()))
                .unwrap_or(false),
            creation_date: self.creation_date,
            deleted_date: self.deleted_date,
            revision_date: self.revision_date,
            copyable_fields: self.get_copyable_fields(),
            local_data: self.local_data.decrypt(ctx, ciphers_key)?,
            archived_date: self.archived_date,
            #[cfg(feature = "wasm")]
            notes: self.notes.decrypt(ctx, ciphers_key).ok().flatten(),
            #[cfg(feature = "wasm")]
            fields: self.fields.as_ref().map(|fields| {
                fields
                    .iter()
                    .filter_map(|f| {
                        f.decrypt(ctx, ciphers_key)
                            .ok()
                            .map(field::FieldListView::from)
                    })
                    .collect()
            }),
            #[cfg(feature = "wasm")]
            attachment_names: self.attachments.as_ref().map(|attachments| {
                attachments
                    .iter()
                    .filter_map(|a| a.file_name.decrypt(ctx, ciphers_key).ok().flatten())
                    .collect()
            }),
        })
    }
}

impl IdentifyKey<SymmetricKeySlotId> for Cipher {
    fn key_identifier(&self) -> SymmetricKeySlotId {
        match self.organization_id {
            Some(organization_id) => SymmetricKeySlotId::Organization(organization_id),
            None => SymmetricKeySlotId::User,
        }
    }
}

impl IdentifyKey<SymmetricKeySlotId> for CipherView {
    fn key_identifier(&self) -> SymmetricKeySlotId {
        match self.organization_id {
            Some(organization_id) => SymmetricKeySlotId::Organization(organization_id),
            None => SymmetricKeySlotId::User,
        }
    }
}

impl IdentifyKey<SymmetricKeySlotId> for CipherListView {
    fn key_identifier(&self) -> SymmetricKeySlotId {
        match self.organization_id {
            Some(organization_id) => SymmetricKeySlotId::Organization(organization_id),
            None => SymmetricKeySlotId::User,
        }
    }
}

/// Generic wrapper that uses strict decryption: field decryption errors are propagated
/// instead of silently nulling out the affected fields.
///
/// This is a transitional type gated behind the `PM-34500-strict_cipher_decryption` feature flag.
/// It will eventually replace the default lenient [Decryptable] implementations.
///
/// TODO [PM-34531]: Remove StrictDecrypt and `PM-34500-strict_cipher_decryption` feature flag
/// after feature has fully rolled out.
pub(crate) struct StrictDecrypt<T>(pub(crate) T);

impl IdentifyKey<SymmetricKeySlotId> for StrictDecrypt<Cipher> {
    fn key_identifier(&self) -> SymmetricKeySlotId {
        self.0.key_identifier()
    }
}

impl Decryptable<KeySlotIds, SymmetricKeySlotId, CipherView> for StrictDecrypt<Cipher> {
    #[instrument(err, skip_all, fields(cipher_id = ?self.0.id, org_id = ?self.0.organization_id, kind = ?self.0.r#type))]
    fn decrypt(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Result<CipherView, CryptoError> {
        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.0.key)?;

        // Separate successful and failed attachment decryptions
        let (attachments, attachment_decryption_failures) =
            attachment::decrypt_attachments_with_failures(
                self.0.attachments.as_deref().unwrap_or_default(),
                ctx,
                ciphers_key,
            );

        let mut cipher = CipherView {
            id: self.0.id,
            organization_id: self.0.organization_id,
            folder_id: self.0.folder_id,
            collection_ids: self.0.collection_ids.clone(),
            key: self.0.key.clone(),
            name: self.0.name.decrypt(ctx, ciphers_key)?,
            notes: self.0.notes.decrypt(ctx, ciphers_key)?,
            r#type: self.0.r#type,
            login: self
                .0
                .login
                .as_ref()
                .map(|l| StrictDecrypt(l).decrypt(ctx, ciphers_key))
                .transpose()?,
            identity: self
                .0
                .identity
                .as_ref()
                .map(|i| StrictDecrypt(i).decrypt(ctx, ciphers_key))
                .transpose()?,
            card: self
                .0
                .card
                .as_ref()
                .map(|c| StrictDecrypt(c).decrypt(ctx, ciphers_key))
                .transpose()?,
            secure_note: self.0.secure_note.decrypt(ctx, ciphers_key)?,
            ssh_key: self.0.ssh_key.decrypt(ctx, ciphers_key)?,
            bank_account: self.0.bank_account.decrypt(ctx, ciphers_key)?,
            favorite: self.0.favorite,
            reprompt: self.0.reprompt,
            organization_use_totp: self.0.organization_use_totp,
            edit: self.0.edit,
            permissions: self.0.permissions,
            view_password: self.0.view_password,
            local_data: self.0.local_data.decrypt(ctx, ciphers_key)?,
            attachments: Some(attachments),
            attachment_decryption_failures: Some(attachment_decryption_failures),
            fields: self
                .0
                .fields
                .as_ref()
                .map(|fields| {
                    fields
                        .iter()
                        .map(|f| StrictDecrypt(f).decrypt(ctx, ciphers_key))
                        .collect::<Result<Vec<_>, _>>()
                })
                .transpose()?,
            password_history: self.0.password_history.decrypt(ctx, ciphers_key)?,
            creation_date: self.0.creation_date,
            deleted_date: self.0.deleted_date,
            revision_date: self.0.revision_date,
            archived_date: self.0.archived_date,
        };

        // For compatibility we only remove URLs with invalid checksums if the cipher has a key
        // or the user is on Crypto V2
        if cipher.key.is_some()
            || ctx.get_security_state_version() >= MINIMUM_ENFORCE_ICON_URI_HASH_VERSION
        {
            cipher.remove_invalid_checksums();
        }

        Ok(cipher)
    }
}

impl Decryptable<KeySlotIds, SymmetricKeySlotId, CipherListView> for StrictDecrypt<Cipher> {
    fn decrypt(
        &self,
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Result<CipherListView, CryptoError> {
        let ciphers_key = Cipher::decrypt_cipher_key(ctx, key, &self.0.key)?;

        Ok(CipherListView {
            id: self.0.id,
            organization_id: self.0.organization_id,
            folder_id: self.0.folder_id,
            collection_ids: self.0.collection_ids.clone(),
            key: self.0.key.clone(),
            name: self.0.name.decrypt(ctx, ciphers_key)?,
            subtitle: self.0.decrypt_subtitle(ctx, ciphers_key)?,
            r#type: match self.0.r#type {
                CipherType::Login => {
                    let login = self
                        .0
                        .login
                        .as_ref()
                        .ok_or(CryptoError::MissingField("login"))?;
                    CipherListViewType::Login(StrictDecrypt(login).decrypt(ctx, ciphers_key)?)
                }
                CipherType::SecureNote => CipherListViewType::SecureNote,
                CipherType::Card => {
                    let card = self
                        .0
                        .card
                        .as_ref()
                        .ok_or(CryptoError::MissingField("card"))?;
                    CipherListViewType::Card(StrictDecrypt(card).decrypt(ctx, ciphers_key)?)
                }
                CipherType::Identity => CipherListViewType::Identity,
                CipherType::SshKey => CipherListViewType::SshKey,
                CipherType::BankAccount => CipherListViewType::BankAccount,
            },
            favorite: self.0.favorite,
            reprompt: self.0.reprompt,
            organization_use_totp: self.0.organization_use_totp,
            edit: self.0.edit,
            permissions: self.0.permissions,
            view_password: self.0.view_password,
            attachments: self
                .0
                .attachments
                .as_ref()
                .map(|a| a.len() as u32)
                .unwrap_or(0),
            has_old_attachments: self
                .0
                .attachments
                .as_ref()
                .map(|a| a.iter().any(|att| att.key.is_none()))
                .unwrap_or(false),
            creation_date: self.0.creation_date,
            deleted_date: self.0.deleted_date,
            revision_date: self.0.revision_date,
            copyable_fields: self.0.get_copyable_fields(),
            local_data: self.0.local_data.decrypt(ctx, ciphers_key)?,
            archived_date: self.0.archived_date,
            #[cfg(feature = "wasm")]
            notes: self.0.notes.decrypt(ctx, ciphers_key)?,
            #[cfg(feature = "wasm")]
            fields: self
                .0
                .fields
                .as_ref()
                .map(|fields| {
                    fields
                        .iter()
                        .map(|f| {
                            StrictDecrypt(f)
                                .decrypt(ctx, ciphers_key)
                                .map(field::FieldListView::from)
                        })
                        .collect::<Result<Vec<_>, _>>()
                })
                .transpose()?,
            #[cfg(feature = "wasm")]
            attachment_names: self
                .0
                .attachments
                .as_ref()
                .map(|attachments| {
                    attachments
                        .iter()
                        .map(|a| a.file_name.decrypt(ctx, ciphers_key))
                        .collect::<Result<Vec<_>, _>>()
                })
                .transpose()?
                .map(|names| names.into_iter().flatten().collect()),
        })
    }
}

impl TryFrom<CipherDetailsResponseModel> for Cipher {
    type Error = VaultParseError;

    fn try_from(cipher: CipherDetailsResponseModel) -> Result<Self, Self::Error> {
        Ok(Self {
            id: cipher.id.map(CipherId::new),
            organization_id: cipher.organization_id.map(OrganizationId::new),
            folder_id: cipher.folder_id.map(FolderId::new),
            collection_ids: cipher
                .collection_ids
                .unwrap_or_default()
                .into_iter()
                .map(CollectionId::new)
                .collect(),
            name: require!(EncString::try_from_optional(cipher.name)?),
            notes: EncString::try_from_optional(cipher.notes)?,
            r#type: require!(cipher.r#type).try_into()?,
            login: cipher.login.map(|l| (*l).try_into()).transpose()?,
            identity: cipher.identity.map(|i| (*i).try_into()).transpose()?,
            card: cipher.card.map(|c| (*c).try_into()).transpose()?,
            secure_note: cipher.secure_note.map(|s| (*s).try_into()).transpose()?,
            ssh_key: cipher.ssh_key.map(|s| (*s).try_into()).transpose()?,
            bank_account: cipher.bank_account.map(|b| (*b).try_into()).transpose()?,
            favorite: cipher.favorite.unwrap_or(false),
            reprompt: cipher
                .reprompt
                .map(|r| r.try_into())
                .transpose()?
                .unwrap_or(CipherRepromptType::None),
            organization_use_totp: cipher.organization_use_totp.unwrap_or(true),
            edit: cipher.edit.unwrap_or(true),
            permissions: cipher.permissions.map(|p| (*p).try_into()).transpose()?,
            view_password: cipher.view_password.unwrap_or(true),
            local_data: None, // Not sent from server
            attachments: cipher
                .attachments
                .map(|a| a.into_iter().map(|a| a.try_into()).collect())
                .transpose()?,
            fields: cipher
                .fields
                .map(|f| f.into_iter().map(|f| f.try_into()).collect())
                .transpose()?,
            password_history: cipher
                .password_history
                .map(|p| p.into_iter().map(|p| p.try_into()).collect())
                .transpose()?,
            creation_date: require!(cipher.creation_date).parse()?,
            deleted_date: cipher.deleted_date.map(|d| d.parse()).transpose()?,
            revision_date: require!(cipher.revision_date).parse()?,
            key: EncString::try_from_optional(cipher.key)?,
            archived_date: cipher.archived_date.map(|d| d.parse()).transpose()?,
            data: cipher.data,
        })
    }
}

impl PartialCipher for CipherDetailsResponseModel {
    fn merge_with_cipher(self, cipher: Option<Cipher>) -> Result<Cipher, VaultParseError> {
        Ok(Cipher {
            local_data: cipher.and_then(|c| c.local_data),
            ..self.try_into()?
        })
    }
}

impl TryFrom<bitwarden_api_api::models::CipherType> for CipherType {
    type Error = MissingFieldError;

    fn try_from(t: bitwarden_api_api::models::CipherType) -> Result<Self, Self::Error> {
        Ok(match t {
            bitwarden_api_api::models::CipherType::Login => CipherType::Login,
            bitwarden_api_api::models::CipherType::SecureNote => CipherType::SecureNote,
            bitwarden_api_api::models::CipherType::Card => CipherType::Card,
            bitwarden_api_api::models::CipherType::Identity => CipherType::Identity,
            bitwarden_api_api::models::CipherType::SSHKey => CipherType::SshKey,
            bitwarden_api_api::models::CipherType::BankAccount => CipherType::BankAccount,
            bitwarden_api_api::models::CipherType::__Unknown(_) => {
                return Err(MissingFieldError("type"));
            }
        })
    }
}

impl TryFrom<bitwarden_api_api::models::CipherRepromptType> for CipherRepromptType {
    type Error = MissingFieldError;

    fn try_from(t: bitwarden_api_api::models::CipherRepromptType) -> Result<Self, Self::Error> {
        Ok(match t {
            bitwarden_api_api::models::CipherRepromptType::None => CipherRepromptType::None,
            bitwarden_api_api::models::CipherRepromptType::Password => CipherRepromptType::Password,
            bitwarden_api_api::models::CipherRepromptType::__Unknown(_) => {
                return Err(MissingFieldError("reprompt"));
            }
        })
    }
}

/// A trait for merging partial cipher data into a full cipher.
/// Used to convert from API response models to full Cipher structs,
/// without losing local data that may not be present in the API response.
pub(crate) trait PartialCipher {
    fn merge_with_cipher(self, cipher: Option<Cipher>) -> Result<Cipher, VaultParseError>;
}

impl From<CipherType> for bitwarden_api_api::models::CipherType {
    fn from(t: CipherType) -> Self {
        match t {
            CipherType::Login => bitwarden_api_api::models::CipherType::Login,
            CipherType::SecureNote => bitwarden_api_api::models::CipherType::SecureNote,
            CipherType::Card => bitwarden_api_api::models::CipherType::Card,
            CipherType::Identity => bitwarden_api_api::models::CipherType::Identity,
            CipherType::SshKey => bitwarden_api_api::models::CipherType::SSHKey,
            CipherType::BankAccount => bitwarden_api_api::models::CipherType::BankAccount,
        }
    }
}

impl From<CipherRepromptType> for bitwarden_api_api::models::CipherRepromptType {
    fn from(t: CipherRepromptType) -> Self {
        match t {
            CipherRepromptType::None => bitwarden_api_api::models::CipherRepromptType::None,
            CipherRepromptType::Password => bitwarden_api_api::models::CipherRepromptType::Password,
        }
    }
}

impl PartialCipher for CipherResponseModel {
    fn merge_with_cipher(self, cipher: Option<Cipher>) -> Result<Cipher, VaultParseError> {
        Ok(Cipher {
            collection_ids: cipher
                .as_ref()
                .map(|c| c.collection_ids.clone())
                .unwrap_or_default(),
            local_data: cipher.and_then(|c| c.local_data),
            id: self.id.map(CipherId::new),
            organization_id: self.organization_id.map(OrganizationId::new),
            folder_id: self.folder_id.map(FolderId::new),
            name: require!(self.name).parse()?,
            notes: EncString::try_from_optional(self.notes)?,
            r#type: require!(self.r#type).try_into()?,
            login: self.login.map(|l| (*l).try_into()).transpose()?,
            identity: self.identity.map(|i| (*i).try_into()).transpose()?,
            card: self.card.map(|c| (*c).try_into()).transpose()?,
            secure_note: self.secure_note.map(|s| (*s).try_into()).transpose()?,
            ssh_key: self.ssh_key.map(|s| (*s).try_into()).transpose()?,
            bank_account: self.bank_account.map(|b| (*b).try_into()).transpose()?,
            favorite: self.favorite.unwrap_or(false),
            reprompt: self
                .reprompt
                .map(|r| r.try_into())
                .transpose()?
                .unwrap_or(CipherRepromptType::None),
            organization_use_totp: self.organization_use_totp.unwrap_or(false),
            edit: self.edit.unwrap_or(false),
            permissions: self.permissions.map(|p| (*p).try_into()).transpose()?,
            view_password: self.view_password.unwrap_or(true),
            attachments: self
                .attachments
                .map(|a| a.into_iter().map(|a| a.try_into()).collect())
                .transpose()?,
            fields: self
                .fields
                .map(|f| f.into_iter().map(|f| f.try_into()).collect())
                .transpose()?,
            password_history: self
                .password_history
                .map(|p| p.into_iter().map(|p| p.try_into()).collect())
                .transpose()?,
            creation_date: require!(self.creation_date).parse()?,
            deleted_date: self.deleted_date.map(|d| d.parse()).transpose()?,
            revision_date: require!(self.revision_date).parse()?,
            key: EncString::try_from_optional(self.key)?,
            archived_date: self.archived_date.map(|d| d.parse()).transpose()?,
            data: self.data,
        })
    }
}

impl PartialCipher for CipherMiniResponseModel {
    fn merge_with_cipher(self, cipher: Option<Cipher>) -> Result<Cipher, VaultParseError> {
        let cipher = cipher.as_ref();
        Ok(Cipher {
            id: self.id.map(CipherId::new),
            organization_id: self.organization_id.map(OrganizationId::new),
            key: EncString::try_from_optional(self.key)?,
            name: require!(EncString::try_from_optional(self.name)?),
            notes: EncString::try_from_optional(self.notes)?,
            r#type: require!(self.r#type).try_into()?,
            login: self.login.map(|l| (*l).try_into()).transpose()?,
            identity: self.identity.map(|i| (*i).try_into()).transpose()?,
            card: self.card.map(|c| (*c).try_into()).transpose()?,
            secure_note: self.secure_note.map(|s| (*s).try_into()).transpose()?,
            ssh_key: self.ssh_key.map(|s| (*s).try_into()).transpose()?,
            bank_account: self.bank_account.map(|b| (*b).try_into()).transpose()?,
            reprompt: self
                .reprompt
                .map(|r| r.try_into())
                .transpose()?
                .unwrap_or(CipherRepromptType::None),
            organization_use_totp: self.organization_use_totp.unwrap_or(true),
            attachments: self
                .attachments
                .map(|a| a.into_iter().map(|a| a.try_into()).collect())
                .transpose()?,
            fields: self
                .fields
                .map(|f| f.into_iter().map(|f| f.try_into()).collect())
                .transpose()?,
            password_history: self
                .password_history
                .map(|p| p.into_iter().map(|p| p.try_into()).collect())
                .transpose()?,
            creation_date: require!(self.creation_date)
                .parse()
                .map_err(Into::<VaultParseError>::into)?,
            deleted_date: self
                .deleted_date
                .map(|d| d.parse())
                .transpose()
                .map_err(Into::<VaultParseError>::into)?,
            revision_date: require!(self.revision_date)
                .parse()
                .map_err(Into::<VaultParseError>::into)?,
            archived_date: cipher.map_or(Default::default(), |c| c.archived_date),
            folder_id: cipher.map_or(Default::default(), |c| c.folder_id),
            favorite: cipher.map_or(Default::default(), |c| c.favorite),
            edit: cipher.map_or(Default::default(), |c| c.edit),
            permissions: cipher.map_or(Default::default(), |c| c.permissions),
            view_password: cipher.map_or(Default::default(), |c| c.view_password),
            local_data: cipher.map_or(Default::default(), |c| c.local_data.clone()),
            data: cipher.map_or(Default::default(), |c| c.data.clone()),
            collection_ids: cipher.map_or(Default::default(), |c| c.collection_ids.clone()),
        })
    }
}

impl PartialCipher for CipherMiniDetailsResponseModel {
    fn merge_with_cipher(self, cipher: Option<Cipher>) -> Result<Cipher, VaultParseError> {
        let cipher = cipher.as_ref();
        Ok(Cipher {
            id: self.id.map(CipherId::new),
            organization_id: self.organization_id.map(OrganizationId::new),
            key: EncString::try_from_optional(self.key)?,
            name: require!(EncString::try_from_optional(self.name)?),
            notes: EncString::try_from_optional(self.notes)?,
            r#type: require!(self.r#type).try_into()?,
            login: self.login.map(|l| (*l).try_into()).transpose()?,
            identity: self.identity.map(|i| (*i).try_into()).transpose()?,
            card: self.card.map(|c| (*c).try_into()).transpose()?,
            secure_note: self.secure_note.map(|s| (*s).try_into()).transpose()?,
            ssh_key: self.ssh_key.map(|s| (*s).try_into()).transpose()?,
            bank_account: self.bank_account.map(|b| (*b).try_into()).transpose()?,
            reprompt: self
                .reprompt
                .map(|r| r.try_into())
                .transpose()?
                .unwrap_or(CipherRepromptType::None),
            organization_use_totp: self.organization_use_totp.unwrap_or(true),
            attachments: self
                .attachments
                .map(|a| a.into_iter().map(|a| a.try_into()).collect())
                .transpose()?,
            fields: self
                .fields
                .map(|f| f.into_iter().map(|f| f.try_into()).collect())
                .transpose()?,
            password_history: self
                .password_history
                .map(|p| p.into_iter().map(|p| p.try_into()).collect())
                .transpose()?,
            creation_date: require!(self.creation_date)
                .parse()
                .map_err(Into::<VaultParseError>::into)?,
            deleted_date: self
                .deleted_date
                .map(|d| d.parse())
                .transpose()
                .map_err(Into::<VaultParseError>::into)?,
            revision_date: require!(self.revision_date)
                .parse()
                .map_err(Into::<VaultParseError>::into)?,
            collection_ids: self
                .collection_ids
                .into_iter()
                .flatten()
                .map(CollectionId::new)
                .collect(),
            archived_date: cipher.map_or(Default::default(), |c| c.archived_date),
            folder_id: cipher.map_or(Default::default(), |c| c.folder_id),
            favorite: cipher.map_or(Default::default(), |c| c.favorite),
            edit: cipher.map_or(Default::default(), |c| c.edit),
            permissions: cipher.map_or(Default::default(), |c| c.permissions),
            view_password: cipher.map_or(Default::default(), |c| c.view_password),
            data: cipher.map_or(Default::default(), |c| c.data.clone()),
            local_data: cipher.map_or(Default::default(), |c| c.local_data.clone()),
        })
    }
}

#[cfg(test)]
mod tests {

    use attachment::AttachmentView;
    use bitwarden_core::key_management::{
        create_test_crypto_with_user_and_org_key, create_test_crypto_with_user_key,
    };
    use bitwarden_crypto::SymmetricCryptoKey;

    use super::*;
    use crate::{Fido2Credential, PasswordHistoryView, login::Fido2CredentialListView};

    // Test constants for encrypted strings
    const TEST_ENC_STRING_1: &str = "2.xzDCDWqRBpHm42EilUvyVw==|nIrWV3l/EeTbWTnAznrK0Q==|sUj8ol2OTgvvTvD86a9i9XUP58hmtCEBqhck7xT5YNk=";
    const TEST_ENC_STRING_2: &str = "2.M7ZJ7EuFDXCq66gDTIyRIg==|B1V+jroo6+m/dpHx6g8DxA==|PIXPBCwyJ1ady36a7jbcLg346pm/7N/06W4UZxc1TUo=";
    const TEST_ENC_STRING_3: &str = "2.d3rzo0P8rxV9Hs1m1BmAjw==|JOwna6i0zs+K7ZghwrZRuw==|SJqKreLag1ID+g6H1OdmQr0T5zTrVWKzD6hGy3fDqB0=";
    const TEST_ENC_STRING_4: &str = "2.EBNGgnaMHeO/kYnI3A0jiA==|9YXlrgABP71ebZ5umurCJQ==|GDk5jxiqTYaU7e2AStCFGX+a1kgCIk8j0NEli7Jn0L4=";
    const TEST_ENC_STRING_5: &str = "2.hqdioUAc81FsKQmO1XuLQg==|oDRdsJrQjoFu9NrFVy8tcJBAFKBx95gHaXZnWdXbKpsxWnOr2sKipIG43pKKUFuq|3gKZMiboceIB5SLVOULKg2iuyu6xzos22dfJbvx0EHk=";
    const TEST_CIPHER_NAME: &str = "2.d3rzo0P8rxV9Hs1m1BmAjw==|JOwna6i0zs+K7ZghwrZRuw==|SJqKreLag1ID+g6H1OdmQr0T5zTrVWKzD6hGy3fDqB0=";
    const TEST_UUID: &str = "fd411a1a-fec8-4070-985d-0e6560860e69";

    fn generate_cipher() -> CipherView {
        let test_id = "fd411a1a-fec8-4070-985d-0e6560860e69".parse().unwrap();
        CipherView {
            r#type: CipherType::Login,
            login: Some(LoginView {
                username: Some("test_username".to_string()),
                password: Some("test_password".to_string()),
                password_revision_date: None,
                uris: None,
                totp: None,
                autofill_on_page_load: None,
                fido2_credentials: None,
            }),
            id: Some(test_id),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: "My test login".to_string(),
            notes: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: true,
            edit: true,
            permissions: None,
            view_password: true,
            local_data: None,
            attachments: None,
            attachment_decryption_failures: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
        }
    }

    fn generate_fido2(
        ctx: &mut KeyStoreContext<KeySlotIds>,
        key: SymmetricKeySlotId,
    ) -> Fido2Credential {
        Fido2Credential {
            credential_id: "123".to_string().encrypt(ctx, key).unwrap(),
            key_type: "public-key".to_string().encrypt(ctx, key).unwrap(),
            key_algorithm: "ECDSA".to_string().encrypt(ctx, key).unwrap(),
            key_curve: "P-256".to_string().encrypt(ctx, key).unwrap(),
            key_value: "123".to_string().encrypt(ctx, key).unwrap(),
            rp_id: "123".to_string().encrypt(ctx, key).unwrap(),
            user_handle: None,
            user_name: None,
            counter: "123".to_string().encrypt(ctx, key).unwrap(),
            rp_name: None,
            user_display_name: None,
            discoverable: "true".to_string().encrypt(ctx, key).unwrap(),
            creation_date: "2024-06-07T14:12:36.150Z".parse().unwrap(),
        }
    }

    #[test]
    fn test_decrypt_cipher_list_view() {
        let key: SymmetricCryptoKey = "w2LO+nwV4oxwswVYCxlOfRUseXfvU03VzvKQHrqeklPgiMZrspUe6sOBToCnDn9Ay0tuCBn8ykVVRb7PWhub2Q==".to_string().try_into().unwrap();
        let key_store = create_test_crypto_with_user_key(key);

        let cipher = Cipher {
            id: Some("090c19ea-a61a-4df6-8963-262b97bc6266".parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::Login,
            login: Some(Login {
                username: Some("2.EBNGgnaMHeO/kYnI3A0jiA==|9YXlrgABP71ebZ5umurCJQ==|GDk5jxiqTYaU7e2AStCFGX+a1kgCIk8j0NEli7Jn0L4=".parse().unwrap()),
                password: Some("2.M7ZJ7EuFDXCq66gDTIyRIg==|B1V+jroo6+m/dpHx6g8DxA==|PIXPBCwyJ1ady36a7jbcLg346pm/7N/06W4UZxc1TUo=".parse().unwrap()),
                password_revision_date: None,
                uris: None,
                totp: Some("2.hqdioUAc81FsKQmO1XuLQg==|oDRdsJrQjoFu9NrFVy8tcJBAFKBx95gHaXZnWdXbKpsxWnOr2sKipIG43pKKUFuq|3gKZMiboceIB5SLVOULKg2iuyu6xzos22dfJbvx0EHk=".parse().unwrap()),
                autofill_on_page_load: None,
                fido2_credentials: Some(vec![generate_fido2(&mut key_store.context(), SymmetricKeySlotId::User)]),
            }),
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            permissions: Some(CipherPermissions {
                delete: false,
                restore: false
            }),
            view_password: true,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: None,
        };

        let view: CipherListView = key_store.decrypt(&cipher).unwrap();

        assert_eq!(
            view,
            CipherListView {
                id: cipher.id,
                organization_id: cipher.organization_id,
                folder_id: cipher.folder_id,
                collection_ids: cipher.collection_ids,
                key: cipher.key,
                name: "My test login".to_string(),
                subtitle: "test_username".to_string(),
                r#type: CipherListViewType::Login(LoginListView {
                    fido2_credentials: Some(vec![Fido2CredentialListView {
                        credential_id: "123".to_string(),
                        rp_id: "123".to_string(),
                        user_handle: None,
                        user_name: None,
                        user_display_name: None,
                        counter: "123".to_string(),
                    }]),
                    has_fido2: true,
                    username: Some("test_username".to_string()),
                    totp: cipher.login.as_ref().unwrap().totp.clone(),
                    uris: None,
                }),
                favorite: cipher.favorite,
                reprompt: cipher.reprompt,
                organization_use_totp: cipher.organization_use_totp,
                edit: cipher.edit,
                permissions: cipher.permissions,
                view_password: cipher.view_password,
                attachments: 0,
                has_old_attachments: false,
                creation_date: cipher.creation_date,
                deleted_date: cipher.deleted_date,
                revision_date: cipher.revision_date,
                copyable_fields: vec![
                    CopyableCipherFields::LoginUsername,
                    CopyableCipherFields::LoginPassword,
                    CopyableCipherFields::LoginTotp
                ],
                local_data: None,
                archived_date: cipher.archived_date,
                #[cfg(feature = "wasm")]
                notes: None,
                #[cfg(feature = "wasm")]
                fields: None,
                #[cfg(feature = "wasm")]
                attachment_names: None,
            }
        )
    }

    #[test]
    fn test_decrypt_cipher_fails_with_invalid_name() {
        let key_store =
            create_test_crypto_with_user_key(SymmetricCryptoKey::make_aes256_cbc_hmac_key());

        // Encrypt a valid cipher, then swap name with an EncString from a different key
        let cipher = key_store.encrypt(generate_cipher()).unwrap();
        let cipher = Cipher {
            name: TEST_CIPHER_NAME.parse().unwrap(), // encrypted with a different key
            ..cipher
        };

        // Default (lenient) decryption swallows the error, yielding an empty name
        let lenient_result: Result<CipherView, _> = key_store.decrypt(&cipher);
        assert!(
            lenient_result.is_ok(),
            "Lenient decryption should succeed even when name is encrypted with a different key"
        );
        assert_eq!(
            lenient_result.unwrap().name,
            String::new(),
            "Lenient decryption should yield an empty name on error"
        );

        // Strict decryption propagates the error
        let strict_result: Result<CipherView, _> = key_store.decrypt(&StrictDecrypt(cipher));
        assert!(
            strict_result.is_err(),
            "Strict decryption should fail when name is encrypted with a different key"
        );
    }

    #[test]
    fn test_decrypt_cipher_fails_with_invalid_login() {
        let key_store =
            create_test_crypto_with_user_key(SymmetricCryptoKey::make_aes256_cbc_hmac_key());

        // Encrypt a valid cipher, then corrupt the login username
        let cipher = key_store.encrypt(generate_cipher()).unwrap();
        let cipher = Cipher {
            login: Some(Login {
                username: Some(TEST_CIPHER_NAME.parse().unwrap()), // encrypted with a different key
                ..cipher.login.unwrap()
            }),
            ..cipher
        };

        // Default (lenient) decryption swallows the error, yielding None for the username field
        let lenient_result: Result<CipherView, _> = key_store.decrypt(&cipher);
        assert!(
            lenient_result.is_ok(),
            "Lenient decryption should succeed even when login username is encrypted with a different key"
        );
        let lenient_view = lenient_result.unwrap();
        assert!(
            lenient_view.login.is_some(),
            "Lenient decryption should still return the login object"
        );
        assert!(
            lenient_view.login.unwrap().username.is_none(),
            "Lenient decryption should null out the failing username field"
        );

        // Strict decryption propagates the error
        let strict_result: Result<CipherView, _> = key_store.decrypt(&StrictDecrypt(cipher));
        assert!(
            strict_result.is_err(),
            "Strict decryption should fail when login username is encrypted with a different key"
        );
    }

    #[test]
    fn test_generate_cipher_key() {
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_key(key);

        let original_cipher = generate_cipher();

        // Check that the cipher gets encrypted correctly without it's own key
        let cipher = generate_cipher();
        let no_key_cipher_enc = key_store.encrypt(cipher).unwrap();
        let no_key_cipher_dec: CipherView = key_store.decrypt(&no_key_cipher_enc).unwrap();
        assert!(no_key_cipher_dec.key.is_none());
        assert_eq!(no_key_cipher_dec.name, original_cipher.name);

        let mut cipher = generate_cipher();
        cipher
            .generate_cipher_key(&mut key_store.context(), cipher.key_identifier())
            .unwrap();

        // Check that the cipher gets encrypted correctly when it's assigned it's own key
        let key_cipher_enc = key_store.encrypt(cipher).unwrap();
        let key_cipher_dec: CipherView = key_store.decrypt(&key_cipher_enc).unwrap();
        assert!(key_cipher_dec.key.is_some());
        assert_eq!(key_cipher_dec.name, original_cipher.name);
    }

    #[test]
    fn test_generate_cipher_key_when_a_cipher_key_already_exists() {
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_key(key);

        let mut original_cipher = generate_cipher();
        {
            let mut ctx = key_store.context();
            let cipher_key = ctx.generate_symmetric_key();

            original_cipher.key = Some(
                ctx.wrap_symmetric_key(SymmetricKeySlotId::User, cipher_key)
                    .unwrap(),
            );
        }

        original_cipher
            .generate_cipher_key(&mut key_store.context(), original_cipher.key_identifier())
            .unwrap();

        // Make sure that the cipher key is decryptable
        let wrapped_key = original_cipher.key.unwrap();
        let mut ctx = key_store.context();
        let _ = ctx
            .unwrap_symmetric_key(SymmetricKeySlotId::User, &wrapped_key)
            .unwrap();
    }

    #[test]
    fn test_generate_cipher_key_ignores_attachments_without_key() {
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_key(key);

        let mut cipher = generate_cipher();
        let attachment = AttachmentView {
            id: None,
            url: None,
            size: None,
            size_name: None,
            file_name: Some("Attachment test name".into()),
            key: None,
            #[cfg(feature = "wasm")]
            decrypted_key: None,
        };
        cipher.attachments = Some(vec![attachment]);

        cipher
            .generate_cipher_key(&mut key_store.context(), cipher.key_identifier())
            .unwrap();
        assert!(cipher.attachments.unwrap()[0].key.is_none());
    }

    #[test]
    fn test_reencrypt_cipher_key() {
        let old_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let new_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_key(old_key);
        let mut ctx = key_store.context_mut();

        let mut cipher = generate_cipher();
        cipher
            .generate_cipher_key(&mut ctx, cipher.key_identifier())
            .unwrap();

        // Re-encrypt the cipher key with a new wrapping key
        let new_key_id = ctx.add_local_symmetric_key(new_key);

        cipher.reencrypt_cipher_keys(&mut ctx, new_key_id).unwrap();

        // Check that the cipher key can be unwrapped with the new key
        assert!(cipher.key.is_some());
        assert!(
            ctx.unwrap_symmetric_key(new_key_id, &cipher.key.unwrap())
                .is_ok()
        );
    }

    #[test]
    fn test_reencrypt_cipher_key_ignores_missing_key() {
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_key(key);
        let mut ctx = key_store.context_mut();
        let mut cipher = generate_cipher();

        // The cipher does not have a key, so re-encryption should not add one
        let new_cipher_key = ctx.generate_symmetric_key();
        cipher
            .reencrypt_cipher_keys(&mut ctx, new_cipher_key)
            .unwrap();

        // Check that the cipher key is still None
        assert!(cipher.key.is_none());
    }

    #[test]
    fn test_move_user_cipher_to_org() {
        let org = OrganizationId::new_v4();
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let org_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_and_org_key(key, org, org_key);

        // Create a cipher with a user key
        let mut cipher = generate_cipher();
        cipher
            .generate_cipher_key(&mut key_store.context(), cipher.key_identifier())
            .unwrap();

        cipher
            .move_to_organization(&mut key_store.context(), org)
            .unwrap();
        assert_eq!(cipher.organization_id, Some(org));

        // Check that the cipher can be encrypted/decrypted with the new org key
        let cipher_enc = key_store.encrypt(cipher).unwrap();
        let cipher_dec: CipherView = key_store.decrypt(&cipher_enc).unwrap();

        assert_eq!(cipher_dec.name, "My test login");
    }

    #[test]
    fn test_move_user_cipher_to_org_manually() {
        let org = OrganizationId::new_v4();
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let org_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_and_org_key(key, org, org_key);

        // Create a cipher with a user key
        let mut cipher = generate_cipher();
        cipher
            .generate_cipher_key(&mut key_store.context(), cipher.key_identifier())
            .unwrap();

        cipher.organization_id = Some(org);

        // Check that the cipher can not be encrypted, as the
        // cipher key is tied to the user key and not the org key
        assert!(key_store.encrypt(cipher).is_err());
    }

    #[test]
    fn test_move_user_cipher_with_attachment_without_key_to_org() {
        let org = OrganizationId::new_v4();
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let org_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_and_org_key(key, org, org_key);

        let mut cipher = generate_cipher();
        let attachment = AttachmentView {
            id: None,
            url: None,
            size: None,
            size_name: None,
            file_name: Some("Attachment test name".into()),
            key: None,
            #[cfg(feature = "wasm")]
            decrypted_key: None,
        };
        cipher.attachments = Some(vec![attachment]);

        // Neither cipher nor attachment have keys, so the cipher can't be moved
        assert!(
            cipher
                .move_to_organization(&mut key_store.context(), org)
                .is_err()
        );
    }

    #[test]
    fn test_move_user_cipher_with_attachment_with_key_to_org() {
        let org = OrganizationId::new_v4();
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let org_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_and_org_key(key, org, org_key);
        let org_key = SymmetricKeySlotId::Organization(org);

        // Attachment has a key that is encrypted with the user key, as the cipher has no key itself
        let (attachment_key_enc, attachment_key_val) = {
            let mut ctx = key_store.context();
            let attachment_key = ctx.generate_symmetric_key();
            let attachment_key_enc = ctx
                .wrap_symmetric_key(SymmetricKeySlotId::User, attachment_key)
                .unwrap();
            #[allow(deprecated)]
            let attachment_key_val = ctx
                .dangerous_get_symmetric_key(attachment_key)
                .unwrap()
                .clone();

            (attachment_key_enc, attachment_key_val)
        };

        let mut cipher = generate_cipher();
        let attachment = AttachmentView {
            id: None,
            url: None,
            size: None,
            size_name: None,
            file_name: Some("Attachment test name".into()),
            key: Some(attachment_key_enc),
            #[cfg(feature = "wasm")]
            decrypted_key: None,
        };
        cipher.attachments = Some(vec![attachment]);
        let cred = generate_fido2(&mut key_store.context(), SymmetricKeySlotId::User);
        cipher.login.as_mut().unwrap().fido2_credentials = Some(vec![cred]);

        cipher
            .move_to_organization(&mut key_store.context(), org)
            .unwrap();

        assert!(cipher.key.is_none());

        // Check that the attachment key has been re-encrypted with the org key,
        // and the value matches with the original attachment key
        let new_attachment_key = cipher.attachments.unwrap()[0].key.clone().unwrap();
        let mut ctx = key_store.context();
        let new_attachment_key_id = ctx
            .unwrap_symmetric_key(org_key, &new_attachment_key)
            .unwrap();
        #[allow(deprecated)]
        let new_attachment_key_dec = ctx
            .dangerous_get_symmetric_key(new_attachment_key_id)
            .unwrap();

        assert_eq!(*new_attachment_key_dec, attachment_key_val);

        let cred2: Fido2CredentialFullView = cipher
            .login
            .unwrap()
            .fido2_credentials
            .unwrap()
            .first()
            .unwrap()
            .decrypt(&mut key_store.context(), org_key)
            .unwrap();

        assert_eq!(cred2.credential_id, "123");
    }

    #[test]
    fn test_move_user_cipher_with_key_with_attachment_with_key_to_org() {
        let org = OrganizationId::new_v4();
        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let org_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
        let key_store = create_test_crypto_with_user_and_org_key(key, org, org_key);
        let org_key = SymmetricKeySlotId::Organization(org);

        let mut ctx = key_store.context();

        let cipher_key = ctx.generate_symmetric_key();
        let cipher_key_enc = ctx
            .wrap_symmetric_key(SymmetricKeySlotId::User, cipher_key)
            .unwrap();

        // Attachment has a key that is encrypted with the cipher key
        let attachment_key = ctx.generate_symmetric_key();
        let attachment_key_enc = ctx.wrap_symmetric_key(cipher_key, attachment_key).unwrap();

        let mut cipher = generate_cipher();
        cipher.key = Some(cipher_key_enc);

        let attachment = AttachmentView {
            id: None,
            url: None,
            size: None,
            size_name: None,
            file_name: Some("Attachment test name".into()),
            key: Some(attachment_key_enc.clone()),
            #[cfg(feature = "wasm")]
            decrypted_key: None,
        };
        cipher.attachments = Some(vec![attachment]);

        let cred = generate_fido2(&mut ctx, cipher_key);
        cipher.login.as_mut().unwrap().fido2_credentials = Some(vec![cred.clone()]);

        cipher.move_to_organization(&mut ctx, org).unwrap();

        // Check that the cipher key has been re-encrypted with the org key,
        let wrapped_new_cipher_key = cipher.key.clone().unwrap();
        let new_cipher_key_dec = ctx
            .unwrap_symmetric_key(org_key, &wrapped_new_cipher_key)
            .unwrap();
        #[allow(deprecated)]
        let new_cipher_key_dec = ctx.dangerous_get_symmetric_key(new_cipher_key_dec).unwrap();
        #[allow(deprecated)]
        let cipher_key_val = ctx.dangerous_get_symmetric_key(cipher_key).unwrap();

        assert_eq!(new_cipher_key_dec, cipher_key_val);

        // Check that the attachment key hasn't changed
        assert_eq!(
            cipher.attachments.unwrap()[0]
                .key
                .as_ref()
                .unwrap()
                .to_string(),
            attachment_key_enc.to_string()
        );

        let cred2: Fido2Credential = cipher
            .login
            .unwrap()
            .fido2_credentials
            .unwrap()
            .first()
            .unwrap()
            .clone();

        assert_eq!(
            cred2.credential_id.to_string(),
            cred.credential_id.to_string()
        );
    }

    #[test]
    fn test_decrypt_fido2_private_key() {
        let key_store =
            create_test_crypto_with_user_key(SymmetricCryptoKey::make_aes256_cbc_hmac_key());
        let mut ctx = key_store.context();

        let mut cipher_view = generate_cipher();
        cipher_view
            .generate_cipher_key(&mut ctx, cipher_view.key_identifier())
            .unwrap();

        let key_id = cipher_view.key_identifier();
        let ciphers_key = Cipher::decrypt_cipher_key(&mut ctx, key_id, &cipher_view.key).unwrap();

        let fido2_credential = generate_fido2(&mut ctx, ciphers_key);

        cipher_view.login.as_mut().unwrap().fido2_credentials =
            Some(vec![fido2_credential.clone()]);

        let decrypted_key_value = cipher_view.decrypt_fido2_private_key(&mut ctx).unwrap();
        assert_eq!(decrypted_key_value, "123");
    }

    #[test]
    fn test_password_history_on_password_change() {
        use chrono::Utc;

        let original_cipher = generate_cipher();
        let mut new_cipher = generate_cipher();

        // Change password
        if let Some(ref mut login) = new_cipher.login {
            login.password = Some("new_password123".to_string());
        }

        let start = Utc::now();
        new_cipher.update_password_history(&original_cipher);
        let end = Utc::now();

        assert!(new_cipher.password_history.is_some());
        let history = new_cipher.password_history.unwrap();
        assert_eq!(history.len(), 1);
        assert_eq!(history[0].password, "test_password");
        assert!(
            history[0].last_used_date >= start && history[0].last_used_date <= end,
            "last_used_date was not set properly"
        );
    }

    #[test]
    fn test_password_history_on_unchanged_password() {
        let original_cipher = generate_cipher();
        let mut new_cipher = generate_cipher();

        new_cipher.update_password_history(&original_cipher);

        // Password history should be empty since password didn't change
        assert!(
            new_cipher.password_history.is_none()
                || new_cipher.password_history.as_ref().unwrap().is_empty()
        );
    }

    #[test]
    fn test_password_history_is_preserved() {
        use chrono::TimeZone;

        let mut original_cipher = generate_cipher();
        original_cipher.password_history = Some(
            (0..4)
                .map(|i| PasswordHistoryView {
                    password: format!("old_password_{}", i),
                    last_used_date: chrono::Utc
                        .with_ymd_and_hms(2025, i + 1, i + 1, i, i, i)
                        .unwrap(),
                })
                .collect(),
        );

        let mut new_cipher = generate_cipher();

        new_cipher.update_password_history(&original_cipher);

        assert!(new_cipher.password_history.is_some());
        let history = new_cipher.password_history.unwrap();
        assert_eq!(history.len(), 4);

        assert_eq!(history[0].password, "old_password_0");
        assert_eq!(
            history[0].last_used_date,
            chrono::Utc.with_ymd_and_hms(2025, 1, 1, 0, 0, 0).unwrap()
        );
        assert_eq!(history[1].password, "old_password_1");
        assert_eq!(
            history[1].last_used_date,
            chrono::Utc.with_ymd_and_hms(2025, 2, 2, 1, 1, 1).unwrap()
        );
        assert_eq!(history[2].password, "old_password_2");
        assert_eq!(
            history[2].last_used_date,
            chrono::Utc.with_ymd_and_hms(2025, 3, 3, 2, 2, 2).unwrap()
        );
        assert_eq!(history[3].password, "old_password_3");
        assert_eq!(
            history[3].last_used_date,
            chrono::Utc.with_ymd_and_hms(2025, 4, 4, 3, 3, 3).unwrap()
        );
    }

    #[test]
    fn test_populate_cipher_types_login_with_valid_data() {
        let mut cipher = Cipher {
            id: Some(TEST_UUID.parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::Login,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            view_password: true,
            permissions: None,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: Some(format!(
                r#"{{"version": 2, "username": "{}", "password": "{}", "organizationUseTotp": true, "favorite": false, "deletedDate": null}}"#,
                TEST_ENC_STRING_1, TEST_ENC_STRING_2
            )),
        };

        cipher
            .populate_cipher_types()
            .expect("populate_cipher_types failed");

        assert!(cipher.login.is_some());
        let login = cipher.login.unwrap();
        assert_eq!(login.username.unwrap().to_string(), TEST_ENC_STRING_1);
        assert_eq!(login.password.unwrap().to_string(), TEST_ENC_STRING_2);
    }

    #[test]
    fn test_populate_cipher_types_secure_note() {
        let mut cipher = Cipher {
            id: Some(TEST_UUID.parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::SecureNote,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            view_password: true,
            permissions: None,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: Some(r#"{"type": 0, "organizationUseTotp": false, "favorite": false, "deletedDate": null}"#.to_string()),
        };

        cipher
            .populate_cipher_types()
            .expect("populate_cipher_types failed");

        assert!(cipher.secure_note.is_some());
    }

    #[test]
    fn test_populate_cipher_types_card() {
        let mut cipher = Cipher {
            id: Some(TEST_UUID.parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::Card,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            view_password: true,
            permissions: None,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: Some(format!(
                r#"{{"cardholderName": "{}", "number": "{}", "expMonth": "{}", "expYear": "{}", "code": "{}", "brand": "{}", "organizationUseTotp": true, "favorite": false, "deletedDate": null}}"#,
                TEST_ENC_STRING_1,
                TEST_ENC_STRING_2,
                TEST_ENC_STRING_3,
                TEST_ENC_STRING_4,
                TEST_ENC_STRING_5,
                TEST_ENC_STRING_1
            )),
        };

        cipher
            .populate_cipher_types()
            .expect("populate_cipher_types failed");

        assert!(cipher.card.is_some());
        let card = cipher.card.unwrap();
        assert_eq!(
            card.cardholder_name.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_1
        );
        assert_eq!(card.number.as_ref().unwrap().to_string(), TEST_ENC_STRING_2);
        assert_eq!(
            card.exp_month.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_3
        );
        assert_eq!(
            card.exp_year.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_4
        );
        assert_eq!(card.code.as_ref().unwrap().to_string(), TEST_ENC_STRING_5);
        assert_eq!(card.brand.as_ref().unwrap().to_string(), TEST_ENC_STRING_1);
    }

    #[test]
    fn test_populate_cipher_types_identity() {
        let mut cipher = Cipher {
            id: Some(TEST_UUID.parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::Identity,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            view_password: true,
            permissions: None,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: Some(format!(
                r#"{{"firstName": "{}", "lastName": "{}", "email": "{}", "phone": "{}", "company": "{}", "address1": "{}", "city": "{}", "state": "{}", "postalCode": "{}", "country": "{}", "organizationUseTotp": false, "favorite": true, "deletedDate": null}}"#,
                TEST_ENC_STRING_1,
                TEST_ENC_STRING_2,
                TEST_ENC_STRING_3,
                TEST_ENC_STRING_4,
                TEST_ENC_STRING_5,
                TEST_ENC_STRING_1,
                TEST_ENC_STRING_2,
                TEST_ENC_STRING_3,
                TEST_ENC_STRING_4,
                TEST_ENC_STRING_5
            )),
        };

        cipher
            .populate_cipher_types()
            .expect("populate_cipher_types failed");

        assert!(cipher.identity.is_some());
        let identity = cipher.identity.unwrap();
        assert_eq!(
            identity.first_name.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_1
        );
        assert_eq!(
            identity.last_name.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_2
        );
        assert_eq!(
            identity.email.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_3
        );
        assert_eq!(
            identity.phone.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_4
        );
        assert_eq!(
            identity.company.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_5
        );
        assert_eq!(
            identity.address1.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_1
        );
        assert_eq!(
            identity.city.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_2
        );
        assert_eq!(
            identity.state.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_3
        );
        assert_eq!(
            identity.postal_code.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_4
        );
        assert_eq!(
            identity.country.as_ref().unwrap().to_string(),
            TEST_ENC_STRING_5
        );
    }

    #[test]

    fn test_password_history_with_hidden_fields() {
        let mut original_cipher = generate_cipher();
        original_cipher.fields = Some(vec![FieldView {
            name: Some("Secret Key".to_string()),
            value: Some("old_secret_value".to_string()),
            r#type: crate::FieldType::Hidden,
            linked_id: None,
        }]);

        let mut new_cipher = generate_cipher();
        new_cipher.fields = Some(vec![FieldView {
            name: Some("Secret Key".to_string()),
            value: Some("new_secret_value".to_string()),
            r#type: crate::FieldType::Hidden,
            linked_id: None,
        }]);

        new_cipher.update_password_history(&original_cipher);

        assert!(new_cipher.password_history.is_some());
        let history = new_cipher.password_history.unwrap();
        assert_eq!(history.len(), 1);
        assert_eq!(history[0].password, "Secret Key: old_secret_value");
    }

    #[test]
    fn test_password_history_length_limit() {
        use crate::password_history::MAX_PASSWORD_HISTORY_ENTRIES;

        let mut original_cipher = generate_cipher();
        original_cipher.password_history = Some(
            (0..10)
                .map(|i| PasswordHistoryView {
                    password: format!("old_password_{}", i),
                    last_used_date: chrono::Utc::now(),
                })
                .collect(),
        );

        let mut new_cipher = original_cipher.clone();
        // Change password
        if let Some(ref mut login) = new_cipher.login {
            login.password = Some("brand_new_password".to_string());
        }

        new_cipher.update_password_history(&original_cipher);

        assert!(new_cipher.password_history.is_some());
        let history = new_cipher.password_history.unwrap();

        // Should be limited to MAX_PASSWORD_HISTORY_ENTRIES
        assert_eq!(history.len(), MAX_PASSWORD_HISTORY_ENTRIES);

        // Most recent change (original password) should be first
        assert_eq!(history[0].password, "test_password");
        // Followed by the oldest entries from the existing history
        assert_eq!(history[1].password, "old_password_0");
        assert_eq!(history[2].password, "old_password_1");
        assert_eq!(history[3].password, "old_password_2");
        assert_eq!(history[4].password, "old_password_3");
    }

    #[test]
    fn test_populate_cipher_types_ssh_key() {
        let mut cipher = Cipher {
            id: Some(TEST_UUID.parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::SshKey,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            view_password: true,
            permissions: None,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: Some(format!(
                r#"{{"privateKey": "{}", "publicKey": "{}", "fingerprint": "{}", "organizationUseTotp": true, "favorite": false, "deletedDate": null}}"#,
                TEST_ENC_STRING_1, TEST_ENC_STRING_2, TEST_ENC_STRING_3
            )),
        };

        cipher
            .populate_cipher_types()
            .expect("populate_cipher_types failed");

        assert!(cipher.ssh_key.is_some());
        let ssh_key = cipher.ssh_key.unwrap();
        assert_eq!(ssh_key.private_key.to_string(), TEST_ENC_STRING_1);
        assert_eq!(ssh_key.public_key.to_string(), TEST_ENC_STRING_2);
        assert_eq!(ssh_key.fingerprint.to_string(), TEST_ENC_STRING_3);
    }

    #[test]
    fn test_populate_cipher_types_with_null_data() {
        let mut cipher = Cipher {
            id: Some(TEST_UUID.parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::Login,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            view_password: true,
            permissions: None,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: None,
        };

        let result = cipher.populate_cipher_types();
        assert!(matches!(
            result,
            Err(VaultParseError::MissingField(MissingFieldError("data")))
        ));
    }

    #[test]
    fn test_populate_cipher_types_with_invalid_json() {
        let mut cipher = Cipher {
            id: Some(TEST_UUID.parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::Login,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            view_password: true,
            permissions: None,
            local_data: None,
            attachments: None,
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: Some("invalid json".to_string()),
        };

        let result = cipher.populate_cipher_types();

        assert!(matches!(result, Err(VaultParseError::SerdeJson(_))));
    }

    #[test]
    fn test_decrypt_cipher_with_mixed_attachments() {
        let user_key: SymmetricCryptoKey = "w2LO+nwV4oxwswVYCxlOfRUseXfvU03VzvKQHrqeklPgiMZrspUe6sOBToCnDn9Ay0tuCBn8ykVVRb7PWhub2Q==".to_string().try_into().unwrap();
        let key_store = create_test_crypto_with_user_key(user_key);

        // Create properly encrypted attachments
        let mut ctx = key_store.context();
        let valid1 = "valid_file_1.txt"
            .encrypt(&mut ctx, SymmetricKeySlotId::User)
            .unwrap();
        let valid2 = "valid_file_2.txt"
            .encrypt(&mut ctx, SymmetricKeySlotId::User)
            .unwrap();

        // Create corrupted attachment by encrypting with a random different key
        let wrong_key: SymmetricCryptoKey = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==".to_string().try_into().unwrap();
        let wrong_key_store = create_test_crypto_with_user_key(wrong_key);
        let mut wrong_ctx = wrong_key_store.context();
        let corrupted = "corrupted_file.txt"
            .encrypt(&mut wrong_ctx, SymmetricKeySlotId::User)
            .unwrap();

        let cipher = Cipher {
            id: Some("090c19ea-a61a-4df6-8963-262b97bc6266".parse().unwrap()),
            organization_id: None,
            folder_id: None,
            collection_ids: vec![],
            key: None,
            name: TEST_CIPHER_NAME.parse().unwrap(),
            notes: None,
            r#type: CipherType::Login,
            login: None,
            identity: None,
            card: None,
            secure_note: None,
            ssh_key: None,
            bank_account: None,
            favorite: false,
            reprompt: CipherRepromptType::None,
            organization_use_totp: false,
            edit: true,
            permissions: None,
            view_password: true,
            local_data: None,
            attachments: Some(vec![
                // Valid attachment
                attachment::Attachment {
                    id: Some("valid-attachment".to_string()),
                    url: Some("https://example.com/valid".to_string()),
                    size: Some("100".to_string()),
                    size_name: Some("100 Bytes".to_string()),
                    file_name: Some(valid1),
                    key: None,
                },
                // Corrupted attachment
                attachment::Attachment {
                    id: Some("corrupted-attachment".to_string()),
                    url: Some("https://example.com/corrupted".to_string()),
                    size: Some("200".to_string()),
                    size_name: Some("200 Bytes".to_string()),
                    file_name: Some(corrupted),
                    key: None,
                },
                // Another valid attachment
                attachment::Attachment {
                    id: Some("valid-attachment-2".to_string()),
                    url: Some("https://example.com/valid2".to_string()),
                    size: Some("150".to_string()),
                    size_name: Some("150 Bytes".to_string()),
                    file_name: Some(valid2),
                    key: None,
                },
            ]),
            fields: None,
            password_history: None,
            creation_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            deleted_date: None,
            revision_date: "2024-01-30T17:55:36.150Z".parse().unwrap(),
            archived_date: None,
            data: None,
        };

        let view: CipherView = key_store.decrypt(&cipher).unwrap();

        // Should have 2 successful attachments
        assert!(view.attachments.is_some());
        let successes = view.attachments.as_ref().unwrap();
        assert_eq!(successes.len(), 2);
        assert_eq!(successes[0].id, Some("valid-attachment".to_string()));
        assert_eq!(successes[1].id, Some("valid-attachment-2".to_string()));

        // Should have 1 failed attachment
        assert!(view.attachment_decryption_failures.is_some());
        let failures = view.attachment_decryption_failures.as_ref().unwrap();
        assert_eq!(failures.len(), 1);
        assert_eq!(failures[0].id, Some("corrupted-attachment".to_string()));
        assert_eq!(failures[0].file_name, None);
    }
}