-
Notifications
You must be signed in to change notification settings - Fork 844
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[PM-16157] Support self-host servers using TLS with Client Authentication (mTLS) #4486
base: main
Are you sure you want to change the base?
Conversation
Thank you for your contribution! We've added this to our internal Community PR board for review. |
👋🏾 Looking great, thanks for your contribution! We may only be able to action after the holiday season but have some preliminary questions:
|
67060f7
to
5cf6919
Compare
Hey @vvolkgang , thanks for the quick feedback! To your questions:
screen-20241218-193902.mp4Screen recording when no client certificate is installed. In this case Android displays nothing. To avoid confusing the user too much, I updated the description text. screen-20241218-194202.mp4
|
5cf6919
to
61b9170
Compare
Is anyone working on the same feature for iOS? |
61b9170
to
5ec0c10
Compare
Any progress on this? This would be a great enhancement. |
is there any ETA for the next version with this feature? |
@vvolkgang might know. Initially it was potentially going to be reviewed after the holiday season which I assume would be now? |
Eagerly waiting for this as mTLS is an important security feature for self hosted instances. |
Looking forward to this one. |
Hi @rohm1 Thank you for getting this started! I'm going to begin pushing commits to your PR to match our patterns and guidelines. I'm going to reduce the scope a bit and extract some changes to separate pull requests so they're easier to review. If at any point you have questions or suggestions don't hesitate to let us know. |
These errors are preventing me from committing locally because detekt is run as a pre-commit hook. We use `detekt` to enforce code style. It can be run from command-line (`./gradlew detekt`) or from the Gradle window in Android Studio.
Great job, no security vulnerabilities found in this Pull Request |
…certificate # Conflicts: # app/src/main/java/com/x8bit/bitwarden/ui/auth/feature/environment/EnvironmentScreen.kt
dayum, can't wait |
Because `KeyChain.choosePrivateKeyAlias` is reliant on `Activity` we extract the private key alias selection logic from `KeyChainRepository` to `KeyChainManager`. `KeyChainManager` is made available to Composables via `LocalManagerProvider` so that `Activity` context can be safely injected. `ChoosePrivateKeyAliasCallback` and its implementation are no longer needed and have been removed.
All translations are managed through Crowdin. The configuration we uses will overwrite any translations manually added to the source files. Translations can be added after the changes are merged into our default branch (`main`).
…/mTLS-client-certificate # Conflicts: # app/src/main/res/values/strings.xml
🎟️ Tracking
#4416
📔 Objective
This PR adds a "Client certificate" menu to the custom environment menu. By clicking on a "Choose" button, the native certificate selection menu will open. User can choose a certificate that will be used for connections to a self-hosted instance.
Other apps implement some dynamic logic: if the sever requires mTLS, the user is prompted to select a certificate. While this behavior is more flexible for the user, it is more complicated to implement. With the chosen approach, the app settings must be cleared and a new server must be set up. As users generally do not enable/disable mTLS on a regular basis, I think the tradeoff is acceptable. Additionally the only information that is saved is the certificate name (key alias). If a user update/renew a certificate, as long as the certificate name does not change, the new certificate will be used and there is no need to reset the app. This issue could also be worked around by adding a certificate selection menu to the settings.
📸 Screenshots
Manual tests I did
Tested on Android 15 (Pixel 6) and Android 14 (Samsung Galaxy Note 20 Ultra 5G)
🦮 Reviewer guidelines