nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

CSA-2 - Require user interaction for SSO redirect (#1948)

Browse Source 
* CSA-2 - adding validation before redirecting for SSO login

* Updating server to use generated and signed JWT for SSO redirect

* Removing erroneous file

* Removing erroneous file

* Updating for PR feedback, adding domain_hint to Login and fixing invalid domain_hint name reference

* Some code styling changes from PR feedback

* Removing unnecessary JSON serialization

* Couple small changes from PR feedback

* Fixing linting errors

* Update formatting in AccountController.cs

* Remove unused dependency

* Add token lifetime to settings

* Use tokenable directly

* Return defined models

* Revert sso proj file changes

* Check expiration validity when validating org

* Show error message with expired token

* Formatting fixes

* Add SsoTokenLifetime to Sso settings

* Fix build errors

* Fix sql warnings

Co-authored-by: Carlos J. Muentes <cmuentes@bitwarden.com>
Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
This commit is contained in:
Carlos J. Muentes
2022-06-01 13:23:52 -04:00
committed by GitHub
parent c27645265c
commit 14302efa2c
16 changed files with 267 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
src/Core/Models/Business/Tokenables/SsoTokenable.cs Normal file
View File

@ -0,0 +1,46 @@

using System;
using System.Text.Json.Serialization;
using Bit.Core.Entities;
using Bit.Core.Tokens;
namespace Bit.Core.Models.Business.Tokenables
{
public class SsoTokenable : ExpiringTokenable
{
public const string ClearTextPrefix = "BWUserPrefix_";
public const string DataProtectorPurpose = "SsoTokenDataProtector";
public const string TokenIdentifier = "ssoToken";
public Guid OrganizationId { get; set; }
public string DomainHint { get; set; }
public string Identifier { get; set; } = TokenIdentifier;
[JsonConstructor]
public SsoTokenable() { }
public SsoTokenable(Organization organization, double tokenLifetimeInSeconds) : this()
{
OrganizationId = organization?.Id ?? default;
DomainHint = organization?.Identifier;
ExpirationDate = DateTime.UtcNow.AddSeconds(tokenLifetimeInSeconds);
}
public bool TokenIsValid(Organization organization)
{
if (OrganizationId == default || DomainHint == default || organization == null || !Valid)
{
return false;
}
return organization.Identifier.Equals(DomainHint, StringComparison.InvariantCultureIgnoreCase)
&& organization.Id.Equals(OrganizationId);
}
// Validates deserialized
protected override bool TokenIsValid() =>
Identifier == TokenIdentifier
&& OrganizationId != default
&& !string.IsNullOrWhiteSpace(DomainHint);
}
}

6
src/Core/Resources/SharedResources.en.resx
View File

@ -679,4 +679,10 @@
<data name="IdpSingleSignOnServiceUrlInvalid" xml:space="preserve">
<value>Single sign on service URL contains illegal characters.</value>
</data>
<data name="SsoRedirectTokenValidationMissing" xml:space="preserve">
<value>Single sign on redirect token is missing from the request.</value>
</data>
<data name="InvalidSsoRedirectToken" xml:space="preserve">
<value>Single sign on redirect token is invalid or expired.</value>
</data>
</root>

5
src/Core/Settings/GlobalSettings.cs
View File

@ -67,7 +67,7 @@ namespace Bit.Core.Settings
public virtual AmazonSettings Amazon { get; set; } = new AmazonSettings();
public virtual ServiceBusSettings ServiceBus { get; set; } = new ServiceBusSettings();
public virtual AppleIapSettings AppleIap { get; set; } = new AppleIapSettings();
public virtual SsoSettings Sso { get; set; } = new SsoSettings();
public virtual ISsoSettings Sso { get; set; } = new SsoSettings();
public virtual StripeSettings Stripe { get; set; } = new StripeSettings();
public virtual ITwoFactorAuthSettings TwoFactorAuth { get; set; } = new TwoFactorAuthSettings();
@ -461,9 +461,10 @@ namespace Bit.Core.Settings
public bool AppInReview { get; set; }
}
public class SsoSettings
public class SsoSettings : ISsoSettings
{
public int CacheLifetimeInSeconds { get; set; } = 60;
public double SsoTokenLifetimeInSeconds { get; set; } = 5;
}
public class CaptchaSettings

1
src/Core/Settings/IGlobalSettings.cs
View File

@ -14,5 +14,6 @@
IConnectionStringSettings Storage { get; set; }
IBaseServiceUriSettings BaseServiceUri { get; set; }
ITwoFactorAuthSettings TwoFactorAuth { get; set; }
ISsoSettings Sso { get; set; }
}
}

8
src/Core/Settings/ISsoSettings.cs Normal file
View File

@ -0,0 +1,8 @@
namespace Bit.Core.Settings
{
public interface ISsoSettings
{
int CacheLifetimeInSeconds { get; set; }
double SsoTokenLifetimeInSeconds { get; set; }
}
}

2
src/Icons/packages.lock.json
View File

@ -3368,4 +3368,4 @@
}
}
}
}
}

33
src/Identity/Controllers/SsoController.cs
View File

@ -6,6 +6,7 @@ using System.Security.Claims;
using System.Threading.Tasks;
using Bit.Core.Entities;
using Bit.Core.Models.Api;
using Bit.Core.Models.Business.Tokenables;
using Bit.Core.Repositories;
using Bit.Identity.Models;
using IdentityModel;
@ -59,14 +60,11 @@ namespace Bit.Identity.Controllers
var culture = requestCultureFeature.RequestCulture.Culture.Name;
var requestPath = $"/Account/PreValidate?domainHint={domainHint}&culture={culture}";
var httpClient = _clientFactory.CreateClient("InternalSso");
// Forward the internal SSO result
using var responseMessage = await httpClient.GetAsync(requestPath);
if (responseMessage.IsSuccessStatusCode)
{
// All is good!
return new EmptyResult();
}
Response.StatusCode = (int)responseMessage.StatusCode;
var responseJson = await responseMessage.Content.ReadAsStringAsync();
Response.StatusCode = (int)responseMessage.StatusCode;
return Content(responseJson, "application/json");
}
catch (Exception ex)
@ -89,6 +87,7 @@ namespace Bit.Identity.Controllers
var domainHint = context.Parameters.AllKeys.Contains("domain_hint") ?
context.Parameters["domain_hint"] : null;
var ssoToken = context.Parameters[SsoTokenable.TokenIdentifier];
if (string.IsNullOrWhiteSpace(domainHint))
{
@ -100,27 +99,28 @@ namespace Bit.Identity.Controllers
return RedirectToAction(nameof(ExternalChallenge), new
{
organizationIdentifier = domainHint,
domainHint = domainHint,
returnUrl,
userIdentifier
userIdentifier,
ssoToken,
});
}
[HttpGet]
public async Task<IActionResult> ExternalChallenge(string organizationIdentifier, string returnUrl,
string userIdentifier)
public async Task<IActionResult> ExternalChallenge(string domainHint, string returnUrl,
string userIdentifier, string ssoToken)
{
if (string.IsNullOrWhiteSpace(organizationIdentifier))
if (string.IsNullOrWhiteSpace(domainHint))
{
throw new Exception("Invalid organization reference id.");
}
var ssoConfig = await _ssoConfigRepository.GetByIdentifierAsync(organizationIdentifier);
var ssoConfig = await _ssoConfigRepository.GetByIdentifierAsync(domainHint);
if (ssoConfig == null || !ssoConfig.Enabled)
{
throw new Exception("Organization not found or SSO configuration not enabled");
}
var domainHint = ssoConfig.OrganizationId.ToString();
var organizationId = ssoConfig.OrganizationId.ToString();
var scheme = "sso";
var props = new AuthenticationProperties
@ -130,8 +130,13 @@ namespace Bit.Identity.Controllers
{
{ "return_url", returnUrl },
{ "domain_hint", domainHint },
{ "organizationId", organizationId },
{ "scheme", scheme },
},
Parameters =
{
{ "ssoToken", ssoToken },
}
};
if (!string.IsNullOrWhiteSpace(userIdentifier))
@ -173,7 +178,7 @@ namespace Bit.Identity.Controllers
IsPersistent = true,
ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(1)
};
if (result.Properties != null && result.Properties.Items.TryGetValue("domain_hint", out var organization))
if (result.Properties != null && result.Properties.Items.TryGetValue("organizationId", out var organization))
{
additionalLocalClaims.Add(new Claim("organizationId", organization));
}

8
src/Identity/Startup.cs
View File

@ -5,6 +5,7 @@ using System.Threading.Tasks;
using AspNetCoreRateLimit;
using Bit.Core;
using Bit.Core.Context;
using Bit.Core.Models.Business.Tokenables;
using Bit.Core.Settings;
using Bit.Core.Utilities;
using Bit.Identity.Utilities;
@ -110,10 +111,17 @@ namespace Bit.Identity
{
// Pass domain_hint onto the sso idp
context.ProtocolMessage.DomainHint = context.Properties.Items["domain_hint"];
context.ProtocolMessage.Parameters.Add("organizationId", context.Properties.Items["organizationId"]);
if (context.Properties.Items.ContainsKey("user_identifier"))
{
context.ProtocolMessage.SessionState = context.Properties.Items["user_identifier"];
}
if (context.Properties.Parameters.Count > 0 && context.Properties.Parameters.ContainsKey(SsoTokenable.TokenIdentifier))
{
var token = context.Properties.Parameters[SsoTokenable.TokenIdentifier].ToString();
context.ProtocolMessage.Parameters.Add(SsoTokenable.TokenIdentifier, token);
}
return Task.FromResult(0);
}
};

5
src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
View File

@ -121,6 +121,11 @@ namespace Bit.SharedWeb.Utilities
HCaptchaTokenable.DataProtectorPurpose,
serviceProvider.GetDataProtectionProvider())
);
services.AddSingleton<IDataProtectorTokenFactory<SsoTokenable>>(serviceProvider =>
new DataProtectorTokenFactory<SsoTokenable>(
SsoTokenable.ClearTextPrefix,
SsoTokenable.DataProtectorPurpose,
serviceProvider.GetDataProtectionProvider()));
}
public static void AddDefaultServices(this IServiceCollection services, GlobalSettings globalSettings)

2
src/SharedWeb/packages.lock.json
View File

@ -3351,4 +3351,4 @@
}
}
}
}
}

2
src/Sql/dbo/Stored Procedures/OrganizationSponsorship_OrganizationUserDeleted.sql
View File

@ -11,6 +11,6 @@ BEGIN
FROM
[dbo].[OrganizationSponsorship] OS
WHERE
[SponsoringOrganizationUserId] = @OrganizationUserId
[SponsoringOrganizationUserID] = @OrganizationUserId
END
GO

2
src/Sql/dbo/Stored Procedures/OrganizationSponsorship_OrganizationUsersDeleted.sql
View File

@ -11,6 +11,6 @@ BEGIN
FROM
[dbo].[OrganizationSponsorship] OS
INNER JOIN
@SponsoringOrganizationUserIds I ON I.Id = OS.SponsoringOrganizationUserId
@SponsoringOrganizationUserIds I ON I.Id = OS.SponsoringOrganizationUserID
END
GO