Expand biometrics to describe differences between operating system

Co-authored-by: Bernd Schoolmann <contact@schoolmann.dev>
2026-02-06 11:43:51 +00:00 · 2025-07-30 09:52:38 -07:00
parent f0d5efda9c
commit bd6941c46c
5 changed files with 788 additions and 181 deletions
--- a/docs/bitwarden_system.dsl
+++ b/docs/bitwarden_system.dsl
@@ -1,4 +1,4 @@
-workspace "Bitwarden Server System" {
+workspace "Bitwarden Clients System" {

  !identifiers hierarchical

--- a/docs/bitwarden_system.json
+++ b/docs/bitwarden_system.json
--- a/docs/key_management/desktop_biometric/models.dsl
+++ b/docs/key_management/desktop_biometric/models.dsl
@@ -1,16 +1,80 @@
 !element clients.desktop {
-  biometric = component "Biometric Authentication" {
-    description "Handles biometric authentication for the Bitwarden desktop application."
+  encrypt_service = component "Encrypt Service" {
+    description "Service that handles encryption and decryption of sensitive data in the Bitwarden desktop application."
  }

+  biometric_renderer_service = component "Biometric Renderer Service" {
+    description "Service that handles biometric authentication for the Bitwarden desktop application."
+    technology "Electron"
+  }
+
+  biometric_main_service = component "Biometric Main Service" {
+    description "Main service for biometric authentication in the Bitwarden desktop application."
+    technology "Electron"
+  }
+
+  macos_biometric_service = component "MacOS Biometric Service" {
+    description "Service that handles MacOS-specific biometric authentication."
+    tags "MacOS"
+    technology "Electron"
+  }
+
+  windows_biometric_service = component "Windows Biometric Service" {
+    description "Service that handles Windows-specific biometric authentication."
+    tags "Windows"
+    technology "Electron"
+  }
+
+  linux_biometric_service = component "Linux Biometric Service" {
+    description "Service that handles Linux-specific biometric authentication."
+    tags "Linux"
+    technology "Electron"
+  }
+
+
+  biometric_main_service -> macos_biometric_service "Handles macOS biometric unlock requests" {
+    tags "MacOS"
+  }
+
+  biometric_main_service -> windows_biometric_service "Handles Windows biometric unlock requests" {
+    tags "Windows"
+  }
+
+  biometric_main_service -> linux_biometric_service "Handles Linux biometric unlock requests" {
+    tags "Linux"
+  }
+  
  password = component "OS Password Management Native Module" {
    description "CRUD operations on keys-values stored by the OS."
    technology "rust module"
  }

-  ipc = component "IPC" {
-    description "Inter-process communication between the desktop application and the browser extension."
-    technology "Sockets"
+  group ipc {
+    ipc_external = component "IPC" {
+      description "External IPC for communication with the desktop application."
+      technology "Sockets"
+    }
+
+    electron_ipc = component "Electron IPC" {
+      description "Communication between renderer and main electron processes."
+      technology "Electron"
+    }
+  }
+
+  biometric_renderer_service -> electron_ipc "Requests biometric authentication" {
+    tags "MacOS", "Windows", "Linux"
+  }
+
+  electron_ipc -> biometric_main_service "Relays biometric authentication requests to" {
+    tags "MacOS", "Windows", "Linux"
+  }
+
+  linux_biometric_service -> encrypt_service "Encrypts/Decrypts user key with client key half" {
+    tags "Linux"
+  }
+
+  windows_biometric_service -> encrypt_service "Encrypts/Decrypts user key with client key half" {
+    tags "Windows"
  }
 }

@@ -19,19 +83,50 @@ os_secure_storage = softwareSystem "OS Secure Storage" {
  description "The operating system's secure storage for sensitive data, such as Windows Credential Locker or macOS Keychain."
 }

+// windows_hello = softwareSystem "Windows Hello" {
+//   tags "External" "windows"
+//   description "Windows Hello is a biometric authentication feature in Windows 10 and later that allows users to log in using facial recognition, fingerprint scanning, or a PIN."
+// }
+
+// macos_touch_id = softwareSystem "macOS Touch ID" {
+//   tags "External" "macos"
+//   description "Touch ID is a fingerprint recognition feature on Apple devices that allows users to unlock their devices and make purchases using their fingerprint."
+// }
+
+// linux_polkit = softwareSystem "Linux Polkit" {
+//   tags "External" "linux"
+//   description "Polkit is a system service that allows non-privileged processes to communicate with privileged processes in Linux, often used for user authentication."
+// }
+
 os_user_verification = softwareSystem "OS User Verification" {
  tags "External"
  description "The operating system's user verification system, such as Windows Hello or macOS Touch ID."
 }

-windows_hello_signer = softwareSystem "Windows Hello Signer" {
-  tags "External" "Windows-Biometric"
-  description "A Windows Hello signer that can be used to sign requests for the Bitwarden desktop application."
+
+clients.browser_extension -> clients.desktop.ipc_external "Connects to IPC to request biometric authentication" 
+
+clients.desktop.ipc_external -> clients.desktop.biometric_renderer_service "Relays biometric authentication requests to"
+
+clients.desktop.password -> os_secure_storage "CRUD operations on keys stored in the OS secure storage"
+
+clients.desktop.macos_biometric_service -> os_user_verification "Requests user verification for biometric authentication" "Electron Integration with TouchId" {
+  tags "MacOS"
+}
+clients.desktop.linux_biometric_service -> os_user_verification "Requests user verification for biometric authentication" "Custom Polkit policy" {
+  tags "Linux"
+}
+clients.desktop.windows_biometric_service -> os_user_verification "Requests user verification for biometric authentication" "Windows Hello" {
+  tags "Windows"
 }

-clients.browser_extension -> clients.desktop.ipc "Connects to IPC to request biometric authentication"
-clients.desktop.ipc -> clients.desktop.biometric "Relays biometric authentication requests to"
+clients.desktop.macos_biometric_service -> clients.desktop.password "Saves the user key directly" "" {
+  tags "MacOS"
+}
+clients.desktop.linux_biometric_service -> clients.desktop.password "Saves the user key encrypted with the client key half" "Custom Polkit policy" {
+  tags "Linux"
+}
+clients.desktop.windows_biometric_service -> clients.desktop.password "Saves the user key encrypted with the client key half" "Windows Hello" {
+  tags "Windows"
+}

-clients.desktop.biometric -> clients.desktop.password "Read/Write user keys" "Napi Rust FFI"
-clients.desktop.password -> os_secure_storage "CRUD operations on keys stored in the OS secure storage"
-clients.desktop.biometric -> os_user_verification "Requests user verification for biometric authentication"
--- a/docs/key_management/desktop_biometric/relationships.dsl
+++ b/docs/key_management/desktop_biometric/relationships.dsl
--- a/docs/key_management/desktop_biometric/views.dsl
+++ b/docs/key_management/desktop_biometric/views.dsl
@@ -1,6 +1,21 @@
+component clients.desktop "desktop_biometrics" {
+  include *
+}
+
 component clients.desktop "desktop_biometrics_macos" {
  include *
-  include os_user_verification
-  autoLayout tb
+  exclude "element.tag==Windows"
+  exclude "element.tag==Linux"
+}
+
+component clients.desktop "desktop_biometrics_windows" {
+  include *
+  exclude "element.tag==MacOS"
+  exclude "element.tag==Linux"
+}
+
+component clients.desktop "desktop_biometrics_linux" {
+  include *
+  exclude "element.tag==Windows"
+  exclude "element.tag==MacOS"
 }
-// TODO: Add Windows and Linux, excluding relevant Tags