[PM-27119] Prevent import card data when ITEM_RESTRICT_TYPES policy is active (#6123)

Author: aj-rosado

app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/util/PolicyManagerExtensions.kt

@@ -43,3 +43,9 @@ inline fun <reified T : PolicyInformation> getPolicyTypeJson(): PolicyTypeJson =
             )
         }
     }
+/**
+ * Helper method for verifying if user has enabled the restrict item policy.
+ */
+fun PolicyManager.hasRestrictItemTypes(): Boolean =
+    getActivePolicies(type = PolicyTypeJson.RESTRICT_ITEM_TYPES)
+        .any { it.isEnabled }

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CredentialExchangeImportManagerImpl.kt

@@ -12,6 +12,9 @@ import com.bitwarden.network.model.ImportCiphersJsonRequest
 import com.bitwarden.network.model.ImportCiphersResponseJson
 import com.bitwarden.network.service.CiphersService
 import com.bitwarden.network.util.base64UrlDecodeOrNull
+import com.bitwarden.vault.CipherType
+import com.x8bit.bitwarden.data.platform.manager.PolicyManager
+import com.x8bit.bitwarden.data.platform.manager.util.hasRestrictItemTypes
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.manager.model.ImportCxfPayloadResult
 import com.x8bit.bitwarden.data.vault.manager.model.SyncVaultDataResult
@@ -34,6 +37,7 @@ class CredentialExchangeImportManagerImpl(
     private val vaultSdkSource: VaultSdkSource,
     private val ciphersService: CiphersService,
     private val vaultSyncManager: VaultSyncManager,
+    private val policyManager: PolicyManager,
     private val json: Json,
 ) : CredentialExchangeImportManager {
 
@@ -83,7 +87,9 @@ class CredentialExchangeImportManagerImpl(
         }
 
         val accountsJson = try {
-            json.encodeToString(exportResponse.accounts.firstOrNull())
+            json.encodeToString(
+                value = exportResponse.accounts.firstOrNull(),
+            )
         } catch (_: SerializationException) {
             return ImportCxfPayloadResult.Error(
                 ImportCredentialsInvalidJsonException("Unable to re-encode accounts."),
@@ -95,15 +101,22 @@ class CredentialExchangeImportManagerImpl(
                 payload = accountsJson,
             )
             .flatMap { cipherList ->
-                if (cipherList.isEmpty()) {
+                // Filter out card ciphers if RESTRICT_ITEM_TYPES policy is active
+                val filteredCipherList = if (policyManager.hasRestrictItemTypes()) {
+                    cipherList.filter { cipher -> cipher.type != CipherType.CARD }
+                } else {
+                    cipherList
+                }
+
+                if (filteredCipherList.isEmpty()) {
                     // If no ciphers were returned, we can skip the remaining steps and return the
                     // appropriate result.
                     return ImportCxfPayloadResult.NoItems
                 }
                 ciphersService
                     .importCiphers(
                         request = ImportCiphersJsonRequest(
-                            ciphers = cipherList.map {
+                            ciphers = filteredCipherList.map {
                                 it.toEncryptedNetworkCipher(
                                     encryptedFor = userId,
                                 )
@@ -120,7 +133,7 @@ class CredentialExchangeImportManagerImpl(
 
                             ImportCiphersResponseJson.Success -> {
                                 ImportCxfPayloadResult
-                                    .Success(itemCount = cipherList.size)
+                                    .Success(itemCount = filteredCipherList.size)
                                     .asSuccess()
                             }
                         }

app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/di/VaultManagerModule.kt

@@ -17,6 +17,7 @@ import com.x8bit.bitwarden.data.auth.manager.UserStateManager
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
 import com.x8bit.bitwarden.data.platform.manager.AppStateManager
 import com.x8bit.bitwarden.data.platform.manager.DatabaseSchemeManager
+import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.manager.ReviewPromptManager
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
@@ -210,11 +211,13 @@ object VaultManagerModule {
         vaultSdkSource: VaultSdkSource,
         ciphersService: CiphersService,
         vaultSyncManager: VaultSyncManager,
+        policyManager: PolicyManager,
         json: Json,
     ): CredentialExchangeImportManager = CredentialExchangeImportManagerImpl(
         vaultSdkSource = vaultSdkSource,
         ciphersService = ciphersService,
         vaultSyncManager = vaultSyncManager,
+        policyManager = policyManager,
         json = json,
     )
 }

app/src/main/kotlin/com/x8bit/bitwarden/ui/platform/feature/settings/exportvault/ExportVaultViewModel.kt

@@ -21,6 +21,7 @@ import com.x8bit.bitwarden.data.auth.repository.model.VerifyOtpResult
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManager
 import com.x8bit.bitwarden.data.platform.manager.model.OrganizationEvent
+import com.x8bit.bitwarden.data.platform.manager.util.hasRestrictItemTypes
 import com.x8bit.bitwarden.data.vault.manager.FileManager
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.ExportVaultDataResult
@@ -464,10 +465,7 @@ class ExportVaultViewModel @Inject constructor(
     }
 
     private fun getRestrictedItemTypes(): List<CipherType> {
-        val hasActiveRestrictItemTypesPolicy = policyManager
-            .getActivePolicies(type = PolicyTypeJson.RESTRICT_ITEM_TYPES)
-            .isNotEmpty()
-        return if (!hasActiveRestrictItemTypesPolicy) {
+        return if (!policyManager.hasRestrictItemTypes()) {
             emptyList()
         } else {
             listOf(CipherType.CARD)

app/src/main/kotlin/com/x8bit/bitwarden/ui/vault/feature/importitems/ImportItemsViewModel.kt

@@ -13,6 +13,8 @@ import com.bitwarden.ui.platform.resource.BitwardenString
 import com.bitwarden.ui.util.Text
 import com.bitwarden.ui.util.asPluralsText
 import com.bitwarden.ui.util.asText
+import com.x8bit.bitwarden.data.platform.manager.PolicyManager
+import com.x8bit.bitwarden.data.platform.manager.util.hasRestrictItemTypes
 import com.x8bit.bitwarden.data.vault.manager.model.SyncVaultDataResult
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.ImportCredentialsResult
@@ -32,6 +34,7 @@ private const val KEY_STATE = "state"
 class ImportItemsViewModel @Inject constructor(
     savedStateHandle: SavedStateHandle,
     private val vaultRepository: VaultRepository,
+    private val policyManager: PolicyManager,
 ) : BaseViewModel<ImportItemsState, ImportItemsEvent, ImportItemsAction>(
     initialState = savedStateHandle[KEY_STATE] ?: ImportItemsState(),
 ) {
@@ -117,24 +120,29 @@ class ImportItemsViewModel @Inject constructor(
     }
 
     private fun handleImportFromAnotherAppClick() {
+        val credentialTypes = buildList {
+            add(CredentialTypes.CREDENTIAL_TYPE_BASIC_AUTH)
+            add(CredentialTypes.CREDENTIAL_TYPE_PUBLIC_KEY)
+            add(CredentialTypes.CREDENTIAL_TYPE_ADDRESS)
+            add(CredentialTypes.CREDENTIAL_TYPE_API_KEY)
+            // Only include credit card type if policy doesn't restrict it
+            if (!policyManager.hasRestrictItemTypes()) {
+                add(CredentialTypes.CREDENTIAL_TYPE_CREDIT_CARD)
+            }
+            add(CredentialTypes.CREDENTIAL_TYPE_CUSTOM_FIELDS)
+            add(CredentialTypes.CREDENTIAL_TYPE_DRIVERS_LICENSE)
+            add(CredentialTypes.CREDENTIAL_TYPE_IDENTITY_DOCUMENT)
+            add(CredentialTypes.CREDENTIAL_TYPE_NOTE)
+            add(CredentialTypes.CREDENTIAL_TYPE_PASSPORT)
+            add(CredentialTypes.CREDENTIAL_TYPE_PERSON_NAME)
+            add(CredentialTypes.CREDENTIAL_TYPE_SSH_KEY)
+            add(CredentialTypes.CREDENTIAL_TYPE_TOTP)
+            add(CredentialTypes.CREDENTIAL_TYPE_WIFI)
+        }
+
         sendEvent(
             ImportItemsEvent.ShowRegisteredImportSources(
-                credentialTypes = listOf(
-                    CredentialTypes.CREDENTIAL_TYPE_BASIC_AUTH,
-                    CredentialTypes.CREDENTIAL_TYPE_PUBLIC_KEY,
-                    CredentialTypes.CREDENTIAL_TYPE_ADDRESS,
-                    CredentialTypes.CREDENTIAL_TYPE_API_KEY,
-                    CredentialTypes.CREDENTIAL_TYPE_CREDIT_CARD,
-                    CredentialTypes.CREDENTIAL_TYPE_CUSTOM_FIELDS,
-                    CredentialTypes.CREDENTIAL_TYPE_DRIVERS_LICENSE,
-                    CredentialTypes.CREDENTIAL_TYPE_IDENTITY_DOCUMENT,
-                    CredentialTypes.CREDENTIAL_TYPE_NOTE,
-                    CredentialTypes.CREDENTIAL_TYPE_PASSPORT,
-                    CredentialTypes.CREDENTIAL_TYPE_PERSON_NAME,
-                    CredentialTypes.CREDENTIAL_TYPE_SSH_KEY,
-                    CredentialTypes.CREDENTIAL_TYPE_TOTP,
-                    CredentialTypes.CREDENTIAL_TYPE_WIFI,
-                ),
+                credentialTypes = credentialTypes,
             ),
         )
     }