organization 2fa apis

src/Api/Controllers/TwoFactorController.cs

@@ -10,6 +10,7 @@ using Bit.Core.Models.Table;
 using Bit.Core.Enums;
 using System.Linq;
 using Bit.Core;
+using Bit.Core.Repositories;
 
 namespace Bit.Api.Controllers
 {
@@ -18,17 +19,26 @@ namespace Bit.Api.Controllers
     public class TwoFactorController : Controller
     {
         private readonly IUserService _userService;
+        private readonly IOrganizationRepository _organizationRepository;
+        private readonly IOrganizationService _organizationService;
         private readonly GlobalSettings _globalSettings;
         private readonly UserManager<User> _userManager;
+        private readonly CurrentContext _currentContext;
 
         public TwoFactorController(
             IUserService userService,
+            IOrganizationRepository organizationRepository,
+            IOrganizationService organizationService,
             GlobalSettings globalSettings,
-            UserManager<User> userManager)
+            UserManager<User> userManager,
+            CurrentContext currentContext)
         {
             _userService = userService;
+            _organizationRepository = organizationRepository;
+            _organizationService = organizationService;
             _globalSettings = globalSettings;
             _userManager = userManager;
+            _currentContext = currentContext;
         }
 
         [HttpGet("")]
@@ -40,7 +50,28 @@ namespace Bit.Api.Controllers
                 throw new UnauthorizedAccessException();
             }
 
-            var providers = user.GetTwoFactorProviders()?.Select(p => new TwoFactorProviderResponseModel(p.Key, p.Value));
+            var providers = user.GetTwoFactorProviders()?.Select(
+                p => new TwoFactorProviderResponseModel(p.Key, p.Value));
+            return new ListResponseModel<TwoFactorProviderResponseModel>(providers);
+        }
+
+        [HttpGet("~/organizations/{id}/two-factor")]
+        public async Task<ListResponseModel<TwoFactorProviderResponseModel>> GetOrganization(string id)
+        {
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationAdmin(orgIdGuid))
+            {
+                throw new NotFoundException();
+            }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
+            {
+                throw new NotFoundException();
+            }
+
+            var providers = organization.GetTwoFactorProviders()?.Select(
+                p => new TwoFactorProviderResponseModel(p.Key, p.Value));
             return new ListResponseModel<TwoFactorProviderResponseModel>(providers);
         }
 
@@ -116,6 +147,54 @@ namespace Bit.Api.Controllers
             return response;
         }
 
+        [HttpPost("~/organizations/{id}/two-factor/get-duo")]
+        public async Task<TwoFactorDuoResponseModel> GetOrganizationDuo(string id,
+            [FromBody]TwoFactorRequestModel model)
+        {
+            var user = await CheckAsync(model.MasterPasswordHash, false);
+
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationAdmin(orgIdGuid))
+            {
+                throw new NotFoundException();
+            }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
+            {
+                throw new NotFoundException();
+            }
+
+            var response = new TwoFactorDuoResponseModel(organization);
+            return response;
+        }
+
+        [HttpPut("~/organizations/{id}/two-factor/duo")]
+        [HttpPost("~/organizations/{id}/two-factor/duo")]
+        public async Task<TwoFactorDuoResponseModel> PutOrganizationDuo(string id,
+            [FromBody]UpdateTwoFactorDuoRequestModel model)
+        {
+            var user = await CheckAsync(model.MasterPasswordHash, false);
+
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationAdmin(orgIdGuid))
+            {
+                throw new NotFoundException();
+            }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
+            {
+                throw new NotFoundException();
+            }
+
+            model.ToOrganization(organization);
+            await _organizationService.UpdateTwoFactorProviderAsync(organization,
+                TwoFactorProviderType.OrganizationDuo);
+            var response = new TwoFactorDuoResponseModel(organization);
+            return response;
+        }
+
         [HttpPost("get-u2f")]
         public async Task<TwoFactorU2fResponseModel> GetU2f([FromBody]TwoFactorRequestModel model)
         {
@@ -205,6 +284,30 @@ namespace Bit.Api.Controllers
             var response = new TwoFactorProviderResponseModel(model.Type.Value, user);
             return response;
         }
+        
+        [HttpPut("~/organizations/{id}/two-factor/disable")]
+        [HttpPost("~/organizations/{id}/two-factor/disable")]
+        public async Task<TwoFactorProviderResponseModel> PutOrganizationDisable(string id,
+            [FromBody]TwoFactorProviderRequestModel model)
+        {
+            var user = await CheckAsync(model.MasterPasswordHash, false);
+
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationAdmin(orgIdGuid))
+            {
+                throw new NotFoundException();
+            }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
+            {
+                throw new NotFoundException();
+            }
+
+            await _organizationService.DisableTwoFactorProviderAsync(organization, model.Type.Value);
+            var response = new TwoFactorProviderResponseModel(model.Type.Value, organization);
+            return response;
+        }
 
         [HttpPost("get-recover")]
         public async Task<TwoFactorRecoverResponseModel> GetRecover([FromBody]TwoFactorRequestModel model)

src/Core/Enums/TwoFactorProviderType.cs

@@ -7,6 +7,7 @@
         Duo = 2,
         YubiKey = 3,
         U2f = 4,
-        Remember = 5
+        Remember = 5,
+        OrganizationDuo = 6
     }
 }

src/Core/Models/Api/Request/TwoFactorRequestModels.cs

@@ -2,7 +2,6 @@
 using Bit.Core.Models.Table;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
-using System;
 using System.Linq;
 
 namespace Bit.Core.Models.Api
@@ -76,6 +75,32 @@ namespace Bit.Core.Models.Api
             return extistingUser;
         }
 
+        public Organization ToOrganization(Organization extistingOrg)
+        {
+            var providers = extistingOrg.GetTwoFactorProviders();
+            if(providers == null)
+            {
+                providers = new Dictionary<TwoFactorProviderType, TwoFactorProvider>();
+            }
+            else if(providers.ContainsKey(TwoFactorProviderType.OrganizationDuo))
+            {
+                providers.Remove(TwoFactorProviderType.OrganizationDuo);
+            }
+
+            providers.Add(TwoFactorProviderType.OrganizationDuo, new TwoFactorProvider
+            {
+                MetaData = new Dictionary<string, object>
+                {
+                    ["SKey"] = SecretKey,
+                    ["IKey"] = IntegrationKey,
+                    ["Host"] = Host
+                },
+                Enabled = true
+            });
+            extistingOrg.SetTwoFactorProviders(providers);
+            return extistingOrg;
+        }
+
         public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
         {
             if(!Host.StartsWith("api-") || !Host.EndsWith(".duosecurity.com") || Host.Count(s => s == '.') != 2)
@@ -214,7 +239,7 @@ namespace Bit.Core.Models.Api
     public class TwoFactorProviderRequestModel : TwoFactorRequestModel
     {
         [Required]
-        public Enums.TwoFactorProviderType? Type { get; set; }
+        public TwoFactorProviderType? Type { get; set; }
     }
 
     public class TwoFactorRequestModel

src/Core/Models/Api/Response/TwoFactor/TwoFactorDuoResponseModel.cs

@@ -6,8 +6,10 @@ namespace Bit.Core.Models.Api
 {
     public class TwoFactorDuoResponseModel : ResponseModel
     {
+        private const string ResponseObj = "twoFactorDuo";
+
         public TwoFactorDuoResponseModel(User user)
-            : base("twoFactorDuo")
+            : base(ResponseObj)
         {
             if(user == null)
             {
@@ -15,6 +17,28 @@ namespace Bit.Core.Models.Api
             }
 
             var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
+            Build(provider);
+        }
+
+        public TwoFactorDuoResponseModel(Organization org)
+            : base(ResponseObj)
+        {
+            if(org == null)
+            {
+                throw new ArgumentNullException(nameof(org));
+            }
+
+            var provider = org.GetTwoFactorProvider(TwoFactorProviderType.OrganizationDuo);
+            Build(provider);
+        }
+
+        public bool Enabled { get; set; }
+        public string Host { get; set; }
+        public string SecretKey { get; set; }
+        public string IntegrationKey { get; set; }
+
+        private void Build(TwoFactorProvider provider)
+        {
             if(provider?.MetaData != null && provider.MetaData.Count > 0)
             {
                 Enabled = provider.Enabled;
@@ -37,10 +61,5 @@ namespace Bit.Core.Models.Api
                 Enabled = false;
             }
         }
-
-        public bool Enabled { get; set; }
-        public string Host { get; set; }
-        public string SecretKey { get; set; }
-        public string IntegrationKey { get; set; }
     }
 }

src/Core/Models/Api/Response/TwoFactor/TwoFactorProviderResponseModel.cs

@@ -6,8 +6,10 @@ namespace Bit.Core.Models.Api
 {
     public class TwoFactorProviderResponseModel : ResponseModel
     {
+        private const string ResponseObj = "twoFactorProvider";
+
         public TwoFactorProviderResponseModel(TwoFactorProviderType type, TwoFactorProvider provider)
-            : base("twoFactorProvider")
+            : base(ResponseObj)
         {
             if(provider == null)
             {
@@ -19,7 +21,7 @@ namespace Bit.Core.Models.Api
         }
 
         public TwoFactorProviderResponseModel(TwoFactorProviderType type, User user)
-            : base("twoFactorProvider")
+            : base(ResponseObj)
         {
             if(user == null)
             {
@@ -31,6 +33,19 @@ namespace Bit.Core.Models.Api
             Type = type;
         }
 
+        public TwoFactorProviderResponseModel(TwoFactorProviderType type, Organization organization)
+            : base(ResponseObj)
+        {
+            if(organization == null)
+            {
+                throw new ArgumentNullException(nameof(organization));
+            }
+
+            var provider = organization.GetTwoFactorProvider(type);
+            Enabled = provider?.Enabled ?? false;
+            Type = type;
+        }
+
         public bool Enabled { get; set; }
         public TwoFactorProviderType Type { get; set; }
     }

src/Core/Services/IOrganizationService.cs

@@ -26,6 +26,8 @@ namespace Bit.Core.Services
         Task UpdateExpirationDateAsync(Guid organizationId, DateTime? expirationDate);
         Task EnableAsync(Guid organizationId);
         Task UpdateAsync(Organization organization, bool updateBilling = false);
+        Task UpdateTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type);
+        Task DisableTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type);
         Task<OrganizationUser> InviteUserAsync(Guid organizationId, Guid? invitingUserId, string email,
             OrganizationUserType type, bool accessAll, string externalId, IEnumerable<SelectionReadOnly> collections);
         Task<List<OrganizationUser>> InviteUserAsync(Guid organizationId, Guid? invitingUserId, IEnumerable<string> emails,

src/Core/Services/Implementations/OrganizationService.cs

@@ -832,6 +832,47 @@ namespace Bit.Core.Services
             }
         }
 
+        public async Task UpdateTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type)
+        {
+            if(!type.ToString().StartsWith("Organization"))
+            {
+                throw new ArgumentException("Not an organization provider type.");
+            }
+
+            if(!organization.Use2fa)
+            {
+                throw new BadRequestException("Organization cannot use 2FA.");
+            }
+
+            var providers = organization.GetTwoFactorProviders();
+            if(!providers?.ContainsKey(type) ?? true)
+            {
+                return;
+            }
+
+            providers[type].Enabled = true;
+            organization.SetTwoFactorProviders(providers);
+            await UpdateAsync(organization);
+        }
+
+        public async Task DisableTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type)
+        {
+            if(!type.ToString().StartsWith("Organization"))
+            {
+                throw new ArgumentException("Not an organization provider type.");
+            }
+
+            var providers = organization.GetTwoFactorProviders();
+            if(!providers?.ContainsKey(type) ?? true)
+            {
+                return;
+            }
+
+            providers.Remove(type);
+            organization.SetTwoFactorProviders(providers);
+            await UpdateAsync(organization);
+        }
+
         public async Task<OrganizationUser> InviteUserAsync(Guid organizationId, Guid? invitingUserId, string email,
             OrganizationUserType type, bool accessAll, string externalId, IEnumerable<SelectionReadOnly> collections)
         {