feat(core): import_lastpass — TOTP base32 → TotpConfig

Successful base32 decode attaches a SHA1/6/30s Totp config to LoginCore.totp. Bad base32 emits a warning and imports the login without TOTP rather than skipping the row entirely. Refactors map_row to return (Option<Item>, Option<ImportWarning>) so a single row can produce both an item and a warning. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 23:02:16 -04:00
parent 16888d5a3a
commit c4905c5ee7
2 changed files with 123 additions and 14 deletions
--- a/crates/relicario-core/src/import_lastpass.rs
+++ b/crates/relicario-core/src/import_lastpass.rs
@@ -76,56 +76,108 @@ pub fn parse_lastpass_csv(csv_bytes: &[u8]) -> Result<(Vec<Item>, Vec<ImportWarn
            }
        };

-        match map_row(&record, row_num) {
-            Ok(item) => items.push(item),
-            Err(w) => warnings.push(w),
-        }
+        let (item, warn) = map_row(&record, row_num);
+        if let Some(it) = item { items.push(it); }
+        if let Some(w)  = warn  { warnings.push(w); }
    }

    Ok((items, warnings))
 }

-/// Map a single CSV record to either an `Item` or an `ImportWarning`.
-/// Column order is fixed by `EXPECTED_HEADER`.
-fn map_row(record: &csv::StringRecord, row: usize) -> std::result::Result<Item, ImportWarning> {
+/// Map a single CSV record. Returns:
+/// - `(Some(item), None)` for a fully-imported row.
+/// - `(Some(item), Some(warn))` for a partially-imported row (e.g.,
+///   bad TOTP base32 — login imported without TOTP).
+/// - `(None, Some(warn))` for a skipped row (missing required field).
+fn map_row(
+    record: &csv::StringRecord,
+    row: usize,
+) -> (Option<Item>, Option<ImportWarning>) {
    let url      = record.get(0).unwrap_or("").trim();
    let username = record.get(1).unwrap_or("").trim();
    let password = record.get(2).unwrap_or("");
-    let _totp    = record.get(3).unwrap_or(""); // populated in Task 4
+    let totp_raw = record.get(3).unwrap_or("").trim();
    let extra    = record.get(4).unwrap_or("");
    let name     = record.get(5).unwrap_or("").trim();
    let group    = record.get(6).unwrap_or("").trim();
    let fav      = record.get(7).unwrap_or("").trim();

    if name.is_empty() {
-        return Err(ImportWarning {
+        return (None, Some(ImportWarning {
            row,
            title: None,
            message: "missing `name` — skipped".into(),
-        });
+        }));
    }

    if password.is_empty() {
-        return Err(ImportWarning {
+        return (None, Some(ImportWarning {
            row,
            title: Some(name.to_string()),
            message: "missing `password` — skipped".into(),
-        });
+        }));
    }

    let parsed_url = if url.is_empty() { None } else { Url::parse(url).ok() };

+    let mut warning: Option<ImportWarning> = None;
+    let totp = if totp_raw.is_empty() {
+        None
+    } else {
+        match decode_base32_totp(totp_raw) {
+            Some(bytes) if !bytes.is_empty() => Some(crate::item_types::TotpConfig {
+                secret: Zeroizing::new(bytes),
+                algorithm: crate::item_types::TotpAlgorithm::Sha1,
+                digits: 6,
+                period_seconds: 30,
+                kind: crate::item_types::TotpKind::Totp,
+            }),
+            _ => {
+                warning = Some(ImportWarning {
+                    row,
+                    title: Some(name.to_string()),
+                    message: "invalid base32 TOTP secret — login imported without TOTP".into(),
+                });
+                None
+            }
+        }
+    };
+
    let mut item = Item::new(
        name.to_string(),
        ItemCore::Login(LoginCore {
            username: if username.is_empty() { None } else { Some(username.to_string()) },
            password: Some(Zeroizing::new(password.to_string())),
            url: parsed_url,
-            totp: None,
+            totp,
        }),
    );
    item.group    = if group.is_empty() { None } else { Some(group.to_string()) };
    item.favorite = fav == "1";
    item.notes    = if extra.is_empty() { None } else { Some(extra.to_string()) };
-    Ok(item)
+
+    (Some(item), warning)
+}
+
+/// Decode a base32-encoded TOTP secret per RFC 4648, case-insensitive,
+/// padding optional. Returns None if the input contains any non-alphabet
+/// character (after upper-casing). Used by the LastPass importer.
+fn decode_base32_totp(secret: &str) -> Option<Vec<u8>> {
+    const ALPHA: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+    let upper = secret.trim().trim_end_matches('=').to_ascii_uppercase();
+    if upper.is_empty() { return None; }
+
+    let mut out = Vec::with_capacity(upper.len() * 5 / 8);
+    let mut buffer: u32 = 0;
+    let mut bits: u32 = 0;
+    for ch in upper.bytes() {
+        let idx = ALPHA.iter().position(|&a| a == ch)?;
+        buffer = (buffer << 5) | (idx as u32);
+        bits += 5;
+        if bits >= 8 {
+            bits -= 8;
+            out.push(((buffer >> bits) & 0xFF) as u8);
+        }
+    }
+    Some(out)
 }