Skip to content

[PM-20578] Encrypt Risk Insights report and send it to server #14659

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
voommen-livefront wants to merge 14 commits into from
Closed

[PM-20578] Encrypt Risk Insights report and send it to server #14659

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
d4271b4
pm-20577 encrypt and save api
voommen-livefront May 6, 2025
9319dbc
PM-20577 updated encryption/decryption
voommen-livefront May 9, 2025
585c7b0
PM-20577 fixed failing unit tests
voommen-livefront May 9, 2025
09ac1c6
PM-20577 fixed errors
voommen-livefront May 9, 2025
45212c2
PM-20577 return a null from getRiskInsightsReport
voommen-livefront May 9, 2025
bc019ce
PM-20577 remove unwanted encryption
voommen-livefront May 12, 2025
c2719b4
PM-20577 Retrieve data from cache
voommen-livefront May 13, 2025
bdb5e9e
PM-20577 replace combineLatest with Zip
voommen-livefront May 15, 2025
e47bcb2
Merge branch 'main' into dirt/pm-20577/report-summmary-for-db
voommen-livefront Jun 20, 2025
ae4ab8a
PM-20577 save report summary to database
voommen-livefront Jun 20, 2025
02e0eb6
PM-20578 fix build errors and update variable types
voommen-livefront Jun 24, 2025
8960acb
PM-20578 retrieve report from DB
voommen-livefront Jun 24, 2025
9ef274a
PM-20578 renamed ReportDecipherService to risk-insights-encryption.seโ€ฆ
voommen-livefront Jun 24, 2025
5107ec2
PM-20578 removed commented liens
voommen-livefront Jun 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions bitwarden_license/bit-common/src/dirt/reports/risk-insights/models/password-health.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,4 +156,40 @@ export enum DrawerType {
OrgAtRiskApps = 3,
}

export interface RiskInsightsReport {
organizationId: OrganizationId;
date: string;
reportData: string;
totalMembers: number;
Copy link
Contributor

@quexten quexten May 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question โ“ Will this report be automatically generated and submitted on a schedule, or manually created only? If the former, are we OK with this unencrypted metadata?

โš ๏ธโš ๏ธโš ๏ธ Assuming it can be run automated: I don't know the underlying security guarantees that are expected to be achieved here. From the fact that we encrypt reports, but do not encrypt summaries, I assume the underlying assumption here is that summaries do not leak individual data so it's "safe to store". That (assumed) assumption is not valid.

Unless not possible, I would recommend encrypting all metadata here. Specifically, reportData should be one blob including both the summary data and detail data. Below, I show a theoretical attack that may abuse the summary data to decrypt all org vault data remotely.

Specifically, the following attacks (non exhaustive, and non validated) may be made possible. I have not implemented or validated them, and they are purely on the basis of reading the code.

  • Assumption: There is a automated schedule / way to trigger the generation
  • Threat model: the attacker controls the API server.

Leak individiual item/application weakness status

Before every report generation, the server forces a sync to the client that will create the report, and present a false view of the ciphers, specifically, just show 1 cipher. The total will then reflect just that cipher, and thus the safety presumed by the use of summarized data is broken. This attack can be optimized to be much faster than a linear amount of queries.

Remote predicate evaluation on arbitrary org encrypted strings

Further, it allows the server to remotely run certain predicates such as findWeakPassword on any arbitrary org-key encrypted data (not just passwords) and obtain the result, by swapping encrypted strings within the cipher.

  • Possible full plaintext recovery, breaking organization e2e encryption: Doing a brief evaluation, without further validation, this.passwordStrengthService.getPasswordStrength( is called, which uses zxcvbn to compare a security score, of the password compared to, including the encrypted "username" field. If the server has access to known plaintext ciphertext pairs here, they may be able to create a decryption oracle capable of remotely decrypting all org vault data with this. NOTE: This is theoretical, I have not validated this thoroughly. Roughly, the attacker would remotely, via the previous attack make the client evaluate password strength. As the password, the server sets the target encstring. As the username, they set one of the known plaintext / ciphertext pairs. zxcvbn will return a different score based on the similarity of the two, and depending on if it reaches a threshold, it will be a cipher at risk. This can be used, given enough plaintext ciphertext pairs to fully recovery the target plaintext, thus making full decryption of all vault data possible. One would find a plaintext-ciphertext pair close to the threshold, then flip each character to figure out which character is the correct character for that position. However, this requires a lot of plaintext ciphertext pairs, or an encryption oracle.

Remote predicate evaluation - equality check

Using the same attack as above, the server can perform an equality check on any two arbitrary org-key encrypted org strings, by presenting 2 items, with the target encstrings set as the password.

Remote clustering of encrypted vault items by app

Further, it allows the server to cluster any ciphers and confirm if the are for the same domain. Example: Server provides cipher A, cipher B. If only one app is reported, then both are the same app and get clustered. This can be improved to be much faster than linear time.

(Out of scope note) Clusters / individual weak items can be tied to real domains

Combining this with a compromised icon server (out of scope) would allow tying encrypted ciphers to domains, and thus leak which accounts are weak.

Copy link
Contributor

@quexten quexten May 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will cc @mandreko-bitwarden, @jlf0dev on this, because these (presumed) attacks are security relevant, possibly threatening all of organization vault encryption confidentiality. I'm keeping these comments public because this is not released code, but just draft.

@jlf0dev I have not implemented these attacks because I looked at this as an early code review for the unrelated issue bellow, but it felt unethical not to look closer here. I don't know if it's worth to spend the time to confirm the validity of the attacks above. If we just encrypt the metadata, then all of them are invalid etiher way.

totalAtRiskMembers: number;
totalApplications: number;
totalAtRiskApplications: number;
totalCriticalApplications: number;
}

export interface ReportInsightsReportData {
data: string;
key: string;
}

export interface SaveRiskInsightsReportRequest {
data: RiskInsightsReport;
}

export interface SaveRiskInsightsReportResponse {
id: string;
}

export interface GetRiskInsightsReportResponse {
id: string;
organizationId: OrganizationId;
date: string;
reportData: string;
totalMembers: number;
totalAtRiskMembers: number;
totalApplications: number;
totalAtRiskApplications: number;
totalCriticalApplications: number;
}

export type PasswordHealthReportApplicationId = Opaque<string, "PasswordHealthReportApplicationId">;
4 changes: 4 additions & 0 deletions ...arden_license/bit-common/src/dirt/reports/risk-insights/services/critical-apps.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ export class CriticalAppsService {

// Get a list of critical apps for a given organization
getAppsListForOrg(orgId: string): Observable<PasswordHealthReportApplicationsResponse[]> {
if (this.criticalAppsList.value.length === 0) {
return of([]);
}

return this.criticalAppsList
.asObservable()
.pipe(map((apps) => apps.filter((app) => app.organizationId === orgId)));
Expand Down
1 change: 1 addition & 0 deletions bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ export * from "./critical-apps.service";
export * from "./critical-apps-api.service";
export * from "./risk-insights-report.service";
export * from "./risk-insights-data.service";
export * from "./risk-insights-api.service";
54 changes: 54 additions & 0 deletions ...ense/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
import { mock } from "jest-mock-extended";

import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { OrganizationId } from "@bitwarden/common/types/guid";

import { SaveRiskInsightsReportRequest } from "../models/password-health";

import { RiskInsightsApiService } from "./risk-insights-api.service";

describe("RiskInsightsApiService", () => {
let service: RiskInsightsApiService;
const apiService = mock<ApiService>();

beforeEach(() => {
service = new RiskInsightsApiService(apiService);
});

it("should be created", () => {
expect(service).toBeTruthy();
});

it("should call apiService.send with correct parameters for saveRiskInsightsReport", (done) => {
const orgId = "org1" as OrganizationId;
const request: SaveRiskInsightsReportRequest = {
data: {
organizationId: orgId,
date: new Date().toISOString(),
reportData: "test",
totalMembers: 10,
totalAtRiskMembers: 5,
totalApplications: 100,
totalAtRiskApplications: 50,
totalCriticalApplications: 22,
},
};
const response = {
...request.data,
};

apiService.send.mockReturnValue(Promise.resolve(response));

service.saveRiskInsightsReport(orgId, request).subscribe((result) => {
expect(result).toEqual(response);
expect(apiService.send).toHaveBeenCalledWith(
"PUT",
`/reports/risk-insights-report/${orgId.toString()}`,
request.data,
true,
true,
);
done();
});
});
});
45 changes: 45 additions & 0 deletions ...n_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
import { from, Observable } from "rxjs";

import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { OrganizationId } from "@bitwarden/common/types/guid";

import {
GetRiskInsightsReportResponse,
SaveRiskInsightsReportRequest,
SaveRiskInsightsReportResponse,
} from "../models/password-health";

export class RiskInsightsApiService {
constructor(private apiService: ApiService) {}

saveRiskInsightsReport(
orgId: OrganizationId,
request: SaveRiskInsightsReportRequest,
): Observable<SaveRiskInsightsReportResponse> {
const dbResponse = this.apiService.send(
"PUT",
`/reports/risk-insights-report/${orgId.toString()}`,
request.data,
true,
true,
);

return from(dbResponse as Promise<SaveRiskInsightsReportResponse>);
}

getRiskInsightsReport(orgId: OrganizationId): Observable<GetRiskInsightsReportResponse | null> {
const dbResponse = this.apiService
.send("GET", `/reports/risk-insights-report/${orgId.toString()}`, null, true, true)
.catch((error: any): any => {
if (error.statusCode === 404) {
return null; // Handle 404 by returning null or an appropriate default value
}
throw error; // Re-throw other errors
});

if (dbResponse instanceof Error) {
return null;
}
return from(dbResponse as Promise<GetRiskInsightsReportResponse>);
}
}
12 changes: 12 additions & 0 deletions ...e/bit-common/src/dirt/reports/risk-insights/services/risk-insights-report.service.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,14 @@ import { firstValueFrom } from "rxjs";
import { ZXCVBNResult } from "zxcvbn";

import { AuditService } from "@bitwarden/common/abstractions/audit.service";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { KeyGenerationService } from "@bitwarden/common/platform/abstractions/key-generation.service";
import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/password-strength";
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
import { KeyService } from "@bitwarden/key-management";

import { mockCiphers } from "./ciphers.mock";
import { CriticalAppsService } from "./critical-apps.service";
import { MemberCipherDetailsApiService } from "./member-cipher-details-api.service";
import { mockMemberCipherDetails } from "./member-cipher-details-api.service.spec";
import { RiskInsightsReportService } from "./risk-insights-report.service";
Expand All @@ -17,6 +21,10 @@ describe("RiskInsightsReportService", () => {
const auditService = mock<AuditService>();
const cipherService = mock<CipherService>();
const memberCipherDetailsService = mock<MemberCipherDetailsApiService>();
const keyService = mock<KeyService>();
const encryptService = mock<EncryptService>();
const criticalAppsService = mock<CriticalAppsService>();
const keyGenerationService = mock<KeyGenerationService>();

beforeEach(() => {
pwdStrengthService.getPasswordStrength.mockImplementation((password: string) => {
Expand All @@ -37,6 +45,10 @@ describe("RiskInsightsReportService", () => {
auditService,
cipherService,
memberCipherDetailsService,
keyService,
encryptService,
criticalAppsService,
keyGenerationService,
);
});

Expand Down
114 changes: 113 additions & 1 deletion ...icense/bit-common/src/dirt/reports/risk-insights/services/risk-insights-report.service.ts
View file
Open in desktop
Copy link
Contributor

@ttalty ttalty Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

โ›๏ธ I think we should take the encryption/decryption logic and move it to a new service risk-insights-encryption.service The logic is only accessed from the risk-insights-data.service right now and not directly used in the risk-insights-report.service

The report service logic should just contain the logic for calculating the risk insights report. I think adding the encryption decryption adds too much to this service.

Copy link
Collaborator Author

@voommen-livefront voommen-livefront Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As advised - I moved the encryption/decryption to its own service

Original file line number Diff line number Diff line change
@@ -1,13 +1,18 @@
// FIXME: Update this file to be type safe
// @ts-strict-ignore
import { concatMap, first, from, map, Observable, zip } from "rxjs";
import { concatMap, first, firstValueFrom, from, map, Observable, takeWhile, zip } from "rxjs";

import { AuditService } from "@bitwarden/common/abstractions/audit.service";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { KeyGenerationService } from "@bitwarden/common/platform/abstractions/key-generation.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/password-strength";
import { OrganizationId } from "@bitwarden/common/types/guid";
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
import { CipherType } from "@bitwarden/common/vault/enums";
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
import { KeyService } from "@bitwarden/key-management";

import {
ApplicationHealthReportDetail,
Expand All @@ -20,8 +25,11 @@ import {
MemberDetailsFlat,
WeakPasswordDetail,
WeakPasswordScore,
RiskInsightsReport,
GetRiskInsightsReportResponse,
} from "../models/password-health";

import { CriticalAppsService } from "./critical-apps.service";
import { MemberCipherDetailsApiService } from "./member-cipher-details-api.service";

export class RiskInsightsReportService {
Expand All @@ -30,6 +38,10 @@ export class RiskInsightsReportService {
private auditService: AuditService,
private cipherService: CipherService,
private memberCipherDetailsApiService: MemberCipherDetailsApiService,
private keyService: KeyService,
private encryptService: EncryptService,
private criticalAppsService: CriticalAppsService,
private keyGeneratorService: KeyGenerationService,
) {}

/**
Expand Down Expand Up @@ -162,6 +174,106 @@ export class RiskInsightsReportService {
};
}

async generateEncryptedRiskInsightsReport(
organizationId: OrganizationId,
details: ApplicationHealthReportDetail[],
summary: ApplicationHealthReportSummary,
): Promise<RiskInsightsReport> {
const orgKey = await this.keyService.getOrgKey(organizationId as string);
if (orgKey === null) {
throw new Error("Organization key not found");
}

const reportContentEncryptionKey = await this.keyGeneratorService.createKey(512);
Copy link
Contributor

@quexten quexten May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note/thought (non-actionable): I believe this is a pattern that other teams (in this case DIRT) have to implement over and over, and should really live in KM domain.

So, specifically, the use-case is "I want to encrypt blobs of data (attachment/report/cipherblob/etc.) safely, and be able to easily update the encryption".

I believe in the future KM should/may provide a high level API similar to:

Encrypt:

const { wrappedContentEncryptionKey, sealedData } = this.encryptService.sealDataEnvelope(MyReport, orgKey);

Decrypt:

const { unsealedData } = this.encryptService.unsealDataEnvelope(sealedData, wrappedContentEncryptionKey, orgKey);

Which would eliminate most cryptographic code that this team (dirt) is forced to currently think about, but at the same time enforce correct usage of a content encryption key.

@Thomas-Avery do we want to discuss this in KM dev sync first or do I make a tech debt ticket for us to provide a better interface, and ask for the ticket to be put in this section of code to serve as a reminder?

const reportEncrypted = await this.encryptService.encryptString(
JSON.stringify(details),
reportContentEncryptionKey,
);

const wrappedReportContentEncryptionKey = await this.encryptService.wrapSymmetricKey(
reportContentEncryptionKey,
orgKey,
);

const reportDataWithWrappedKey = {
data: reportEncrypted.encryptedString,
key: wrappedReportContentEncryptionKey.encryptedString,
};

const encryptedReportDataWithWrappedKey = await this.encryptService.encryptString(
JSON.stringify(reportDataWithWrappedKey),
orgKey,
);
Copy link
Contributor

@quexten quexten May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const reportDataWithWrappedKey = {
data: reportEncrypted.encryptedString,
key: wrappedReportContentEncryptionKey.encryptedString,
};
const encryptedReportDataWithWrappedKey = await this.encryptService.encryptString(
JSON.stringify(reportDataWithWrappedKey),
orgKey,
);

I don't think this is right. This is effectively adds a second layer of encryption around already encrypted data, wrapping all data again with the org key. As far as I can tell, you can send data, key directly to the server, without another layer of encryption because:

  • data is encrypted by reportContentEncryptionKey
  • key (reportContentEncryptionKey) is wrapped (encrypted) with orgKey

The above is basically creating: orgKey({contentKey(data),orgKey(data)})
where you just need {contentKey(data),orgKey(data)}.

Copy link
Collaborator Author

@voommen-livefront voommen-livefront Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implemented as advised. This makes the encryption much less confusing.


const criticalApps = await firstValueFrom(
this.criticalAppsService
.getAppsListForOrg(organizationId)
.pipe(takeWhile((apps) => apps !== null && apps.length > 0)),
);

const riskInsightReport = {
organizationId: organizationId,
date: new Date().toISOString(),
reportData: encryptedReportDataWithWrappedKey.encryptedString,
Copy link
Contributor

@quexten quexten May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
reportData: encryptedReportDataWithWrappedKey.encryptedString,
reportData: reportEncrypted.encryptedString,
reportKey: wrappedReportContentEncryptionKey.encryptedString,

Copy link
Collaborator Author

@voommen-livefront voommen-livefront Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for pointing this out - I have this fixed.

totalMembers: summary.totalMemberCount,
totalAtRiskMembers: summary.totalAtRiskMemberCount,
totalApplications: summary.totalApplicationCount,
totalAtRiskApplications: summary.totalAtRiskApplicationCount,
totalCriticalApplications: criticalApps.length,
};

return riskInsightReport;
}

async decryptRiskInsightsReport(
organizationId: OrganizationId,
riskInsightsReportResponse: GetRiskInsightsReportResponse,
): Promise<[ApplicationHealthReportDetail[], ApplicationHealthReportSummary]> {
try {
const orgKey = await this.keyService.getOrgKey(organizationId as string);
if (orgKey === null) {
throw new Error("Organization key not found");
}

const decryptedReportDataWithWrappedKey = await this.encryptService.decryptString(
new EncString(riskInsightsReportResponse.reportData),
orgKey,
);

const reportDataInJson = JSON.parse(decryptedReportDataWithWrappedKey);
const reportEncrypted = reportDataInJson.data;
const wrappedReportContentEncryptionKey = reportDataInJson.key;
Copy link
Contributor

@quexten quexten May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const decryptedReportDataWithWrappedKey = await this.encryptService.decryptString(
new EncString(riskInsightsReportResponse.reportData),
orgKey,
);
const reportDataInJson = JSON.parse(decryptedReportDataWithWrappedKey);
const reportEncrypted = reportDataInJson.data;
const wrappedReportContentEncryptionKey = reportDataInJson.key;
const wrappedReportContentEncryptionKey = riskInsightsReportResponse.reportKey;
const reportEncrypted = riskInsightsReportResponse.reportData;

With the same reasoning as above, I don't think we need two layers of encryption here?


const freshWrappedReportContentEncryptionKey = new EncString(
wrappedReportContentEncryptionKey,
);

const unwrappedReportContentEncryptionKey = await this.encryptService.unwrapSymmetricKey(
freshWrappedReportContentEncryptionKey,
orgKey,
);

const reportUnencrypted = await this.encryptService.decryptString(
new EncString(reportEncrypted),
unwrappedReportContentEncryptionKey,
);

const reportJson: ApplicationHealthReportDetail[] = JSON.parse(reportUnencrypted);

const summary: ApplicationHealthReportSummary = {
totalMemberCount: riskInsightsReportResponse.totalMembers,
totalAtRiskMemberCount: riskInsightsReportResponse.totalAtRiskMembers,
totalApplicationCount: riskInsightsReportResponse.totalApplications,
totalAtRiskApplicationCount: riskInsightsReportResponse.totalAtRiskApplications,
};

return [reportJson, summary];
} catch {
// console.error("Error decrypting risk insights report :", error);
return [null, null];
}
}

/**
* Associates the members with the ciphers they have access to. Calculates the password health.
* Finds the trimmed uris.
Expand Down
10 changes: 10 additions & 0 deletions bitwarden_license/bit-web/src/app/dirt/access-intelligence/access-intelligence.module.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,14 @@ import { CriticalAppsService } from "@bitwarden/bit-common/dirt/reports/risk-ins
import {
CriticalAppsApiService,
MemberCipherDetailsApiService,
RiskInsightsApiService,
RiskInsightsDataService,
RiskInsightsReportService,
} from "@bitwarden/bit-common/dirt/reports/risk-insights/services";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { AuditService } from "@bitwarden/common/abstractions/audit.service";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { KeyGenerationService } from "@bitwarden/common/platform/abstractions/key-generation.service";
import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/password-strength/password-strength.service.abstraction";
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
import { KeyService } from "@bitwarden/key-management";
Expand All @@ -32,6 +34,10 @@ import { RiskInsightsComponent } from "./risk-insights.component";
AuditService,
CipherService,
MemberCipherDetailsApiService,
KeyService,
EncryptService,
CriticalAppsService,
KeyGenerationService,
],
},
{
Expand All @@ -48,6 +54,10 @@ import { RiskInsightsComponent } from "./risk-insights.component";
useClass: CriticalAppsApiService,
deps: [ApiService],
}),
safeProvider({
provide: RiskInsightsApiService,
deps: [ApiService],
}),
],
})
export class AccessIntelligenceModule {}
Loading
Loading