Restrict Browser Integration to expose only specified group

[ekimd]

Summary

The Secret Service integration on Linux allows the user to select a group under which entries are exposed. The Browser Integration exposes all entries from the root. This request is to apply something similar to Browser Integration in order to limit exposure. It would also be nice to make the exposed group different for each Key so that access to groups could be limited by connecting browser.

Context

When there are multiple browsers or browser profiles, it would be helpful to restrict exposed entries to a specific connection, rather than having the entire database searchable.

I've cloned the repo and am happy to work on this, but could use a little bit of high level direction to ensure that it fits with the development paradigm.

[varjolintu]

The possibility to hide certain group from the extension already exists: #4180

[ekimd]

Thanks, varjolintu, on all your hard work! The community definitely appreciates all the time you've put into the browser integration.

I didn't realize that ability is there since it's to be included in upcoming 2.7. Is it safe for me to clone your add_bi_page_to_groups branch and run with that in production?

That works for restricting, but it still might be nice to specify the exposed group at the browser key level so that different browser profiles can have their passwords stored in the same db. (Right now the workaround is to store them each in their own db.) Super low priority though. May something just to keep in mind in the future.

[varjolintu]

@ekimd Thanks. Here the case is that do we want to restrict or allow all groups from the extension. The latter is a more common use case, this is why we took the path to restrict certain groups from it.

If you want just to test the feature, using the branch is ok, but actually using it, well, I'd suggest you wait for the merge and use the official snapshot release instead.

[varjolintu]

Of course this feature could be expanded in the future. For example allowing groups/entries only for certain (or all) ID's connected with the extension.

[ekimd]

That sounds great. Thanks again!

[DeividasJackus]

Came looking for this to manage credentials for multiple browser profiles while following the principle of least privilege.
Would love for this to see the light of day!

@varjolintu thank you for contributing to #4180 thus far as a step in that direction.

Of course this feature could be expanded in the future. For example allowing groups/entries only for certain (or all) ID's connected with the extension.

May I ask if that is something you would consider further contributing yourself, or if this is currently something that has zero traction?

[varjolintu]

May I ask if that is something you would consider further contributing yourself, or if this is currently something that has zero traction?

This could be something we might be do in the future. At least it's one way to do a restriction based on some some profile.

[droidmonkey]

If hyper segmentation is critical to your security then it is far easier to just use a separate database entirely. The group settings are an excellent high level compromise, anything further will become overly complicated very quickly.

[DeividasJackus]

If hyper segmentation is critical to your security then it is far easier to just use a separate database entirely. The group settings are an excellent high level compromise, anything further will become overly complicated very quickly.

Database-level separation has been the initial approach in my case. Unfortunately, when simultaneously working with / switching between 5+ profiles (and therefore DBs) this becomes unsustainable (with databases auto-locking), hence the wish for this segmentation.
Not critical to my case, but thanks for confirming these are the only current options nonetheless!