initial commit for structurizr in clients

2026-02-06 03:33:30 +00:00 · 2025-07-28 14:38:29 -07:00
parent 1cacae9bcc
commit f0d5efda9c
16 changed files with 529 additions and 1412 deletions
--- a/docs/admin_console/models.dsl
+++ b/docs/admin_console/models.dsl
@@ -5,10 +5,3 @@ provider = person "MSP" "And employee of a managed service provider" {
  tags "MSP"
 }

-!element server {
-  scim = container "SCIM" {
-    tags "SCIM"
-  }
-}
-
-directory_connector -> server.api "Syncs users and groups to Bitwarden"
--- a/docs/admin_console/relationships.dsl
+++ b/docs/admin_console/relationships.dsl
@@ -1 +0,0 @@
-server.scim -> server.database "Queries"
--- a/docs/auth/models.dsl
+++ b/docs/auth/models.dsl
@@ -2,7 +2,4 @@
  identity = container "Identity" {
    tags "Auth"
  }
-  sso = container "SSO" {
-    tags "Auth"
-  }
 }
--- a/docs/auth/relationships.dsl
+++ b/docs/auth/relationships.dsl
@@ -1,2 +0,0 @@
-server.identity -> server.database "Queries"
-server.sso -> server.database "Queries"
--- a/docs/billing/relationships.dsl
+++ b/docs/billing/relationships.dsl
@@ -1,4 +0,0 @@
-# High-level provider relationships
-server.api.billing -> stripe "Requests payments for customers"
-server.api.billing -> braintree "Requests payments for customers"
-stripe -> server.api.billing "Sends subscription events to"
--- a/docs/bitwarden_system.dsl
+++ b/docs/bitwarden_system.dsl
@@ -46,7 +46,7 @@ workspace "Bitwarden Server System" {
      include *
    }

-    container server "Bitwarden_Server" {
+    container clients "bitwarden_js_clients" {
      include *
    }

--- a/docs/bitwarden_system.json
+++ b/docs/bitwarden_system.json
--- a/docs/key_management/desktop_biometric/models.dsl
+++ b/docs/key_management/desktop_biometric/models.dsl
@@ -0,0 +1,37 @@
+!element clients.desktop {
+  biometric = component "Biometric Authentication" {
+    description "Handles biometric authentication for the Bitwarden desktop application."
+  }
+
+  password = component "OS Password Management Native Module" {
+    description "CRUD operations on keys-values stored by the OS."
+    technology "rust module"
+  }
+
+  ipc = component "IPC" {
+    description "Inter-process communication between the desktop application and the browser extension."
+    technology "Sockets"
+  }
+}
+
+os_secure_storage = softwareSystem "OS Secure Storage" {
+  tags "External"
+  description "The operating system's secure storage for sensitive data, such as Windows Credential Locker or macOS Keychain."
+}
+
+os_user_verification = softwareSystem "OS User Verification" {
+  tags "External"
+  description "The operating system's user verification system, such as Windows Hello or macOS Touch ID."
+}
+
+windows_hello_signer = softwareSystem "Windows Hello Signer" {
+  tags "External" "Windows-Biometric"
+  description "A Windows Hello signer that can be used to sign requests for the Bitwarden desktop application."
+}
+
+clients.browser_extension -> clients.desktop.ipc "Connects to IPC to request biometric authentication"
+clients.desktop.ipc -> clients.desktop.biometric "Relays biometric authentication requests to"
+
+clients.desktop.biometric -> clients.desktop.password "Read/Write user keys" "Napi Rust FFI"
+clients.desktop.password -> os_secure_storage "CRUD operations on keys stored in the OS secure storage"
+clients.desktop.biometric -> os_user_verification "Requests user verification for biometric authentication"
--- a/docs/key_management/desktop_biometric/views.dsl
+++ b/docs/key_management/desktop_biometric/views.dsl
@@ -0,0 +1,6 @@
+component clients.desktop "desktop_biometrics_macos" {
+  include *
+  include os_user_verification
+  autoLayout tb
+}
+// TODO: Add Windows and Linux, excluding relevant Tags
--- a/docs/key_management/models.dsl
+++ b/docs/key_management/models.dsl
@@ -0,0 +1 @@
+!include "desktop_biometric/models.dsl"
--- a/docs/key_management/views.dsl
+++ b/docs/key_management/views.dsl
@@ -0,0 +1 @@
+!include "desktop_biometric/views.dsl"
--- a/docs/platform/icons/models.dsl
+++ b/docs/platform/icons/models.dsl
@@ -1,46 +1,7 @@
 !element server {
  icons = container "Icons" {
-    !docs "threat_model.md"
-    icons_controller = component "IconsController" {
-      description "IconsController"
-      technology "C# ASP.NET Core"
-      
-    }
-    info_controller = component "InfoController" {
-      description "Provides information about the deployed icon service. Allow for health checks."
-      technology "C# ASP.NET Core"
-      tags "Info" "HealthCheck"
-    }
-    icon_determination = component "IconDetermination" {
-      description "Resolves a single source for a website icon and downloads it."
-    }
-    icon_cache = component "IconCache" {
-      description "Caches icons for a given domain"
-      tags "Cache"
-      technology "C# MemoryCache"
-    }
-
-    clients -> icons_controller "Requests icons for cleartext urls from" {
-      perspectives {
-        "Security" "\
-        Icons 1.2.1 Broken SSL communication exposes vault contents to network administrators \n\n\
-        Icons 1.2.2 Tracking of user vault contents by ip correlation between identity and icons services \n\n\
-        Icons 1.2.3 No SLA offered on Icons service, graceful degradation of features needed if it goes down \n\n\
-        Icons 1.2.4 SSRF through crafted input resolving to a location the server has elevated privileges in\
-        "
-      }
-    }
-    icons_controller -> icon_determination "Requests icons from"
-    icons_controller -> icon_cache "Caches icons in" {
-      perspectives {
-        "Security" "\
-        Icons 1.3.1 Aggregate vault content leak through timing attack on cache \n\n\
-        Icons 1.3.2 Possible injection attack through cache key \n\n\
-        Icons 1.3.3 & Icons 1.3.4 Cache bloat leading to DoS \n\n\
-        Icons 1.3.5 Cache poisoning leading to incorrect icon storage \
-        "
-      }
-    }
+    description "The Icons service provides favicons for websites."
+    clients -> server.icons "Requests icons for cleartext urls from" 
  }
 }

@@ -48,12 +9,3 @@ dns = softwareSystem "DNS" {
  tags "External"
  tags "Icons"
 }
-
-server.icons.icon_determination -> dns "Resolves IP addresses for domain names from"
-
-external_websites = softwareSystem "External Websites" {
-  tags "External"
-  tags "Icons"
-}
-
-server.icons.icon_determination -> external_websites "Retrieves icons from"
--- a/docs/platform/icons/threat_model.md
+++ b/docs/platform/icons/threat_model.md
@@ -1,167 +0,0 @@
-## Threat Model
-
-### Example Model or Relationship
-
-#### Example Threat
-
- **Type**: type
- **Priority**: TBD/Low/Medium/High/Critical
- **Likelihood**: TBD/Low/Medium/High/Critical
- **Impact**: TBD/Low/Medium/High/Critical
-
-description of the threat.
-
-##### Example Threat Mitigations
-
-describe the mitigations for the threat.
-
-### Clients -> IconsController
-
-Communication from clients to the icons component. This is an unauthenticated endpoint with minimal input validation.
-
-#### SSL termination exposes vault contents to network administrators
-
- **Type**: Information Disclosure
- **Priority**: TBD
- **Likelihood**: TBD
- **Impact**: TBD
-
-A machine with SSL terminating proxies cannot rely on encrypted query parameters hiding vault contents from network administrators.
-
-##### Mitigations
-
- <span style="color:red">Not Implemented</span>: Establish encrypted pipe communication with Icons service prior to requesting icon resolution
-
-#### Cleartext transmission of vault contents to Server
-
- **Type**: Information Disclosure
- **Priority**: TBD
- **Likelihood**: TBD
- **Impact**: TBD
-
-Server-side after TLS by necessity to lookup a favicon. However, to maintain our promises as a no-log proxy, we need to be sure not to maintain ip records for icon service requests
-
-##### Mitigations
-
- <span style="color:red">Unconfirmed</span>: Configure network edge and datadog to drop this identifying data.
-
-#### No SLA offered on Icons service
-
- **Type**: Denial of Service
- **Priority**: TBD
- **Likelihood**: TBD
- **Impact**: TBD
-
-We do not offer SLA on up time of icons service. Clients may be unable to resolve icons, and we need to determine a graceful degradation strategy.
-
-##### Mitigations
-
- <span style="color:green">Done</span>: Default icon fallback (globe)
- <span style="color:red">Not Implemented, Not Prioritized</span>: Local cache of retrieved icons
-
-#### SSRF by proxied requests
-
- **Type**: Elevation of Privilege / Information Disclosure
- **Priority**: TBD
- **Likelihood**: TBD
- **Impact**: TBD
-
-The service is designed to proxy requests to arbitrary URLs. This can be used to access internal network resources.
-
-If a site redirects to an internal network address, the internal network topography may be exposed to the client.
-
-##### Mitigations
-
- <span style="color:green">Done</span>: Isolation of the icons component from the rest of the system intranet.
- <span style="color:green">Done</span>: Avoid fetching by domain name. All requests must be first resolved to an IP address and filtered against internal network ranges, defined as:
-
-  - `::1`, `::`, `::ffff:`
-  - IPv6 and starting with `fc`, `fd`, `fe`, or `ff`
-  - IPv4 and starting with `0.`, `10.`, `100.`, `127.`, `169.254`, `172.16-31`, or `192.168`
-
-  This is done in the `IconDetermination` component
-
-### IconsController -> IconCache
-
-Communication from the icons controller to a mem cache of previously retrieved icons, keyed by original domain requested.
-
-#### Cache determination through timing measurements
-
- **Type**: Information Disclosure
- **Priority**: Low
- **Likelihood**: Low
- **Impact**: Low
-
-By measuring the time it takes to retrieve an icon, an attacker may be able to determine if a domain has been previously requested by another user, revealing that some user on the service has that domain in their vault.
-
-##### Mitigations
-
-<span style="color:red">None identified</span>
-
-#### Unescaped storage of user-input data in cache
-
- **Type**: Tampering
- **Priority**: Low
- **Likelihood**: Low
- **Impact**: Low
-
-Unescaped user input data may be stored as keys in the cache. This input data is not executed, but if the storage method is changed in the future, this may lead to some injection attack.
-
-##### Mitigations
-
-<span style="color:red">None identified</span>
-
-#### Cache bloat through intentionally large icons
-
- **Type**: Denial of Service
- **Priority**: TBD
- **Likelihood**: TBD
- **Impact**: TBD
-
-User request may intentionally resolve to very large icons, bloating the cache and increasing memory requirements.
-
-<span style="color:red">Open question</span>: Should we also limit the size of icons fetched?
-
-##### Mitigations
-
-<span style="color:green">Done</span>: Limit size of icons stored in cache
-
-#### Cache bloat through many unique domain requests
-
- **Type**: Denial of Service
- **Priority**: TBD
- **Likelihood**: TBD
- **Impact**: TBD
-
-User request may intentionally resolve many unique domains to resolve that may or may not exist, bloating the cache and increasing memory requirements.
-
-##### Mitigations
-
-<span style="color:red">Unconfirmed</span>: Rate limit requests to the icons service
-
-#### Storage of potentially sensitive data as keys or values in cache
-
- **Type**: Information Disclosure
- **Priority**: TBD
- **Likelihood**: TBD
- **Impact**: TBD
-
-Upload of urls is automatic to our icon service. If our filters for upload are incorrect, we may store sensitive data in our cache. For example, onion addresses.
-
-##### Mitigations
-
-<span style="color:green">Done</span>: Avoid filter known sensitive urls
-<span style="color:red">Not implemented, Not prioritized</span>: Add client-side setting to disable icon request for a given url or pattern
-
-#### Cache poisoning via dns poisoning
-
- **Type**: Tampering
- **Priority**: Low
- **Likelihood**: Low
- **Impact**: Low
-
-DNS poisoning would lead to incorrect icons being cached for a given domain.
-
-##### Mitigations
-
-<span style="color:red">None Identified</span>
--- a/docs/platform/views.dsl
+++ b/docs/platform/views.dsl
@@ -1,3 +0,0 @@
-component server.icons "icons_service" {
-  include *
-}
--- a/docs/shared.models.dsl
+++ b/docs/shared.models.dsl
@@ -23,40 +23,11 @@ bw_controlled = group "Bitwarden Controlled" {
      tags "Events"
    }
    notifications = container "Notifications"
-    portal = container "Bitwarden Portal" {
-      tags "Web"
-    }
-    events_processor = container "Events Processor" {
-      tags "Events"
-    }
-
-    # Data stores
-    database = container "Database" {
-      tags "Database"
-    }
-    events_queue = container "Events Queue" {
-      tags "Queue"
-      tags "Azure"
-    }
-    mail_queue = container "Mail Queue" {
-      tags "Queue"
-      tags "Azure"
-    }
-    notifications_queue = container "Notifications Queue" {
-      tags "Queue"
-      tags "Azure"
-    }
  }
  clients = softwareSystem "Clients" {
    web = container "Web Application" {
      tags "Web"
    }
-    ios = container "iOS Application" {
-      tags "Mobile"
-    }
-    android = container "Android Application" {
-      tags "Mobile"
-    }
    browser_extension = container "Browser Extension" {
      tags "Browser"
    }
@@ -67,11 +38,6 @@ bw_controlled = group "Bitwarden Controlled" {
      tags "Desktop"
    }
  }
-  directory_connector = softwareSystem "Directory Connector" {
-    tags "Directory"
-    tags "LDAP"
-    tags "Self-Hosted"
-  }
  key_connector = softwareSystem "Key Connector" 
 }

@@ -80,3 +46,8 @@ self_hosted_instances = softwareSystem "Self-Hosted Instances" {
  tags "External"
  description "Self-hosted instances of Bitwarden servers"
 }
+
+external_websites = softwareSystem "External Websites" {
+  tags "External"
+  tags "Icons"
+}
--- a/docs/shared.relationships.dsl
+++ b/docs/shared.relationships.dsl
@@ -1,26 +1,17 @@
 # User Relationships
 user -> clients.web "Uses"
-user -> clients.ios "Uses"
-user -> clients.android "Uses"
 user -> clients.browser_extension "Uses"
 user -> clients.cli "Uses"
 user -> clients.desktop "Uses"
 admin -> clients.web "Administers Organizations"
-provider -> server.portal "Completes Provider registration with"
 provider -> clients.web "Administers Providers and Organizations"
-customer_success -> server.portal "Inspects and supports"
-system_admin -> server.portal "Administers System"

 # High-level Client Relationships
 clients.web -> server.api "Makes requests to"
-clients.ios -> server.api "Makes requests to"
-clients.android -> server.api "Makes requests to"
 clients.browser_extension -> server.api "Makes requests to"
 clients.cli -> server.api "Makes requests to"
 clients.desktop -> server.api "Makes requests to"
 clients.web -> server.identity "Authenticates with"
-clients.ios -> server.identity "Authenticates With"
-clients.android -> server.identity "Authenticates With"
 clients.browser_extension -> server.identity "Authenticates With"
 clients.cli -> server.identity "Authenticates With"
 clients.desktop -> server.identity "Authenticates With"
@@ -29,19 +20,5 @@ server.api -> server.identity "Validates JWTs with" {
 }
 clients -> server.events "Posts local usage events to"

-# Database Relationships
-
-server.api -> server.database "Queries"
-server.portal -> server.database "Queries"
-
-# queue Relationships
-server.api -> server.events_queue "Sends events to"
-server.events -> server.events_queue "Sends events to"
-server.api -> server.mail_queue "Sends emails to"
-server.api -> server.notifications_queue "Sends notifications to"
-server.notifications -> server.notifications_queue "Sends notifications to"
-server.events_queue -> server.events_processor "Processes events from"
-server.mail_queue -> server.portal "Processes emails from"
-
 # self host phone home
 self_hosted_instances -> server.notifications "Sends push notification proxy requests to"