[PM-10394] Add new item type ssh key
🎟️ Tracking
- Server: https://github.com/bitwarden/server/pull/4575
- Add Item Type: https://github.com/bitwarden/clients/pull/10360
- Add SSH Agent: https://github.com/bitwarden/clients/pull/10293
- Add Import/Export: https://github.com/bitwarden/clients/pull/10529
Jira: https://bitwarden.atlassian.net/browse/PM-10395
📔 Objective
Add server support for the new SSH key cipher type. This is mostly copy-paste from the other cipher types, with the one exception that we are filtering out SSH keys for older clients using SSHKeyCipherMinimumVersion. We will update this once we know which release SSH keys will be in.
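An added illustration of the version gate described above (example code, not the Bitwarden server's own implementation): SSH key ciphers are dropped from a response when the requesting client is older than a minimum version. The header name, the version tuple format, the constant's value and the cipher type label are all assumptions; the example also treats a missing or unparseable version as "old" so that a client which cannot recognise the new type never receives it.

```python
"""Added example: gate a new cipher type behind a minimum client version."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed value for this example; the real SSHKeyCipherMinimumVersion lives
# in the server code and is not stated on the page.
SSH_KEY_CIPHER_MINIMUM_VERSION: Tuple[int, int, int] = (2024, 12, 0)
CIPHER_TYPE_SSH_KEY = "SSHKey"  # assumed label for the new cipher type


@dataclass
class Cipher:
    id: str
    type: str


def parse_client_version(header: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Parse a client version header such as '2024.12.1' (assumed format:
    year.month[.patch]) into a comparable tuple, padding to three parts.
    Returns None for a missing or malformed header so callers can fail closed."""
    if not header:
        return None
    try:
        nums = tuple(int(p) for p in header.strip().split("."))
    except ValueError:
        return None
    if len(nums) < 2 or len(nums) > 3:
        return None
    return nums + (0,) * (3 - len(nums))


def filter_ciphers_for_client(ciphers: List[Cipher],
                              client_version_header: Optional[str]) -> List[Cipher]:
    """Return the ciphers a client may receive.

    Clients at or above the minimum version get everything. Older clients, and
    clients whose version cannot be determined, get the list with SSH key
    ciphers removed: an unknown item type in a sync response is the kind of
    payload an older client cannot be expected to handle, so the safe default
    is to withhold it rather than risk breaking the whole sync."""
    version = parse_client_version(client_version_header)
    if version is not None and version >= SSH_KEY_CIPHER_MINIMUM_VERSION:
        return list(ciphers)
    return [c for c in ciphers if c.type != CIPHER_TYPE_SSH_KEY]
```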
📸 Screenshots
⏰ Reminders before review
- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
🦮 Reviewer guidelines
- 👍 (:+1:) or similar for great changes
- 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
- ❓ (:question:) for questions
- 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
- 🎨 (:art:) for suggestions / improvements
- ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
- 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
- ⛏ (:pick:) for minor or nitpick changes
Codecov Report
Attention: Patch coverage is 29.16667% with 34 lines in your changes missing coverage. Please review.
Project coverage is 42.53%. Comparing base (50f7fa0) to head (bc50cf3). Report is 1 commit behind head on main.
Additional details and impacted files
```
@@            Coverage Diff             @@
##             main    #4575      +/-   ##
==========================================
- Coverage   42.54%   42.53%   -0.02%
==========================================
  Files        1389     1391       +2
  Lines       64745    64792      +47
  Branches     5943     5945       +2
==========================================
+ Hits        27548    27561      +13
- Misses      35975    36008      +33
- Partials     1222     1223       +1
```
:umbrella: View full report in Codecov by Sentry.
Checkmarx One – Scan Summary & Details – 8b17816a-e0c3-4c7a-8707-99a10fd7f974
New Issues
| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 119 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 104 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 111 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 60 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
Fixed Issues
| Severity | Issue | Source File / Package |
|---|---|---|
| | CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 105 |
| | CSRF | /src/Billing/Controllers/RecoveryController.cs: 38 |
| | CSRF | /src/Billing/Controllers/StripeController.cs: 164 |
| | CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 237 |
| | CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 685 |
| | CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 263 |
| | CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 361 |
| | CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 469 |
| | CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 344 |
| | CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 839 |
| | CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 712 |
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 147 |
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 154 |
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 162 |
| | Unpinned Actions Full Length Commit SHA | /repository-management.yml: 97 |
Very excited by this! Preparing to ditch 1Password as I type.
Setting this to ready for review, but it will not be merged until all of the SSH key features are ready.
LaunchDarkly flag references
:mag: 2 flags added or modified
| Name | Key | Aliases found | Info |
|---|---|---|---|
| ssh agent | ssh-agent | | |
| SSH Key Vault Item | ssh-key-vault-item | | |
I tested the feature as a potential replacement for 1Password, but I encountered two issues:
- I copied the SSH key to my clipboard and clicked the "Import Key from Clipboard" option after creating a new item. However, nothing happened.
- Subsequently, I received an "An error occurred" message when syncing to my iOS devices.
Notably, all other devices and browser extensions worked fine, and the server logs showed the following response:
[INFO] (sync) GET /api/sync?<data..> => 200 OK
To restore syncing functionality, I had to manually delete the key from the Trash.
@justspacedog Could you please note your desktop version, your iOS version, and whether you are using a self-hosted server (if so, which one and at what version)?
- macOS: 2024.12.1
- iOS: Version 2024.12.0 (1740)
- server: self-hosted vaultwarden latest (I know, not official) as Docker on a Synology
@justspacedog Might be related to this PR in vaultwarden: https://github.com/dani-garcia/vaultwarden/pull/5339
:rocket: :rocket: :rocket:
@quexten I don't mean to necro-bump this PR, but I wanted to be sure whether the reported issue should be considered under the "client" repos or, more likely, this "server" repo, as I would imagine there is something specific which would be required for the SSH Key item type in the server code.
Currently I see that SSH Key item types hold password history like all other vault items; similarly, Hidden type custom fields are included in the item's Password history.
Though what I would imagine should be considered another "important secret" would be the private key, as an integral portion of the SSH key pair. I understand there has been a specific discussion around removing the option to regenerate the private key for these items except upon initial creation.
> Removed the "regenerate" button, after this came up as a potentially confusing point in a meeting. So SSH keys are now only generated when creating a new item.
So while there is little chance of editing over the existing private key, and consistent backups to an external location are highly critical for the end user to perform, the Desktop application does currently provide the ability for an SSH Key type to be overwritten on edit using the Import key from clipboard method, which is not currently captured in the item's Password history.
So I suppose this could be handled in one of the following ways:
- Either the SSH Key item type can support password history for the Private key field, similarly to how the Login type supports it in the Password field
- An easy workaround could be to simply disable the Import key from clipboard option in the Desktop app when editing a vault item and only allow it on initial creation
@cksapp I guess the best place for this kind of feedback would be to post a comment on the community forum https://community.bitwarden.com/latest