mirror of
https://github.com/bitwarden/server.git
synced 2025-07-01 08:02:49 -05:00
Implement User-based API Keys (#981)
* added column ApiKey to dbo.User * added dbo.User.ApiKey to User_Update * added dbo.User.ApiKey to User_Create * wrote migration script for implementing dbo.User.ApiKey * Added ApiKey prop to the User table model * Created AccountsController method for getting a user's API Key * Created AccountsController method for rotating a user API key * Added support to ApiClient for passed-through ClientSecrets when the request comes from the cli * Added a new conditional to ClientStore to account for user API keys * Wrote unit tests for new user API Key methods * Added a refresh of dbo.UserView to new migration script for ApiKey * Let client_credentials grants into the custom token logic * Cleanup for ApiKey auth in the CLI feature * Created user API key on registration * Removed uneeded code for user API keys * Changed a .Contains() to a .StartsWith() in ClientStore * Changed index that an array is searched on * Added more claims to the user apikey clients * Moved some claim finding logic to a helper method
This commit is contained in:
Addison Beck
@ -1,4 +1,5 @@
|
||||
using IdentityServer4.Stores;
|
||||
using System.Linq;
|
||||
using IdentityServer4.Stores;
|
||||
using System.Threading.Tasks;
|
||||
using IdentityServer4.Models;
|
||||
using System.Collections.Generic;
|
||||
@ -6,6 +7,9 @@ using Bit.Core.Repositories;
|
||||
using System;
|
||||
using IdentityModel;
|
||||
using Bit.Core.Utilities;
|
||||
using System.Security.Claims;
|
||||
using Bit.Core.Services;
|
||||
using System.Collections.ObjectModel;
|
||||
|
||||
namespace Bit.Core.IdentityServer
|
||||
{
|
||||
@ -13,19 +17,31 @@ namespace Bit.Core.IdentityServer
|
||||
{
|
||||
private readonly IInstallationRepository _installationRepository;
|
||||
private readonly IOrganizationRepository _organizationRepository;
|
||||
private readonly IUserRepository _userRepository;
|
||||
private readonly GlobalSettings _globalSettings;
|
||||
private readonly StaticClientStore _staticClientStore;
|
||||
private readonly ILicensingService _licensingService;
|
||||
private readonly CurrentContext _currentContext;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
|
||||
public ClientStore(
|
||||
IInstallationRepository installationRepository,
|
||||
IOrganizationRepository organizationRepository,
|
||||
IUserRepository userRepository,
|
||||
GlobalSettings globalSettings,
|
||||
StaticClientStore staticClientStore)
|
||||
StaticClientStore staticClientStore,
|
||||
ILicensingService licensingService,
|
||||
CurrentContext currentContext,
|
||||
IOrganizationUserRepository organizationUserRepository)
|
||||
{
|
||||
_installationRepository = installationRepository;
|
||||
_organizationRepository = organizationRepository;
|
||||
_userRepository = userRepository;
|
||||
_globalSettings = globalSettings;
|
||||
_staticClientStore = staticClientStore;
|
||||
_licensingService = licensingService;
|
||||
_currentContext = currentContext;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
}
|
||||
|
||||
public async Task<Client> FindClientByIdAsync(string clientId)
|
||||
@ -106,6 +122,45 @@ namespace Bit.Core.IdentityServer
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (clientId.StartsWith("user."))
|
||||
{
|
||||
var idParts = clientId.Split('.');
|
||||
if (idParts.Length > 1 && Guid.TryParse(idParts[1], out var id))
|
||||
{
|
||||
var user = await _userRepository.GetByIdAsync(id);
|
||||
if (user != null)
|
||||
{
|
||||
var claims = new Collection<ClientClaim>()
|
||||
{
|
||||
new ClientClaim(JwtClaimTypes.Subject, user.Id.ToString()),
|
||||
new ClientClaim(JwtClaimTypes.AuthenticationMethod, "Application", "external")
|
||||
};
|
||||
var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id);
|
||||
var isPremium = await _licensingService.ValidateUserPremiumAsync(user);
|
||||
foreach (var claim in CoreHelpers.BuildIdentityClaims(user, orgs, isPremium))
|
||||
{
|
||||
var upperValue = claim.Value.ToUpperInvariant();
|
||||
var isBool = upperValue == "TRUE" || upperValue == "FALSE";
|
||||
claims.Add(isBool ?
|
||||
new ClientClaim(claim.Key, claim.Value, ClaimValueTypes.Boolean) :
|
||||
new ClientClaim(claim.Key, claim.Value)
|
||||
);
|
||||
}
|
||||
|
||||
return new Client
|
||||
{
|
||||
ClientId = clientId,
|
||||
RequireClientSecret = true,
|
||||
ClientSecrets = { new Secret(user.ApiKey.Sha256()) },
|
||||
AllowedScopes = new string[] { "api" },
|
||||
AllowedGrantTypes = GrantTypes.ClientCredentials,
|
||||
AccessTokenLifetime = 3600 * 1,
|
||||
ClientClaimsPrefix = null,
|
||||
Claims = claims
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return _staticClientStore.ApiClients.ContainsKey(clientId) ?
|
||||
_staticClientStore.ApiClients[clientId] : null;
|
||||
|
||||
@ -10,6 +10,7 @@ using System.Linq;
|
||||
using Bit.Core.Identity;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using IdentityServer4.Extensions;
|
||||
using IdentityModel;
|
||||
|
||||
namespace Bit.Core.IdentityServer
|
||||
{
|
||||
@ -42,7 +43,8 @@ namespace Bit.Core.IdentityServer
|
||||
|
||||
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
|
||||
{
|
||||
if (context.Result.ValidatedRequest.GrantType != "authorization_code")
|
||||
string[] allowedGrantTypes = { "authorization_code", "client_credentials" };
|
||||
if (!allowedGrantTypes.Contains(context.Result.ValidatedRequest.GrantType))
|
||||
{
|
||||
return;
|
||||
}
|
||||
@ -51,7 +53,9 @@ namespace Bit.Core.IdentityServer
|
||||
|
||||
protected async override Task<(User, bool)> ValidateContextAsync(CustomTokenRequestValidationContext context)
|
||||
{
|
||||
var user = await _userManager.FindByEmailAsync(context.Result.ValidatedRequest.Subject.GetDisplayName());
|
||||
var email = context.Result.ValidatedRequest.Subject?.GetDisplayName()
|
||||
?? context.Result.ValidatedRequest.ClientClaims.FirstOrDefault(claim => claim.Type == JwtClaimTypes.Email).Value;
|
||||
var user = await _userManager.FindByEmailAsync(email);
|
||||
return (user, user != null);
|
||||
}
|
||||
|
||||
|
||||
@ -8,6 +8,7 @@ using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System;
|
||||
using IdentityModel;
|
||||
using Bit.Core.Utilities;
|
||||
|
||||
namespace Bit.Core.IdentityServer
|
||||
{
|
||||
@ -39,56 +40,15 @@ namespace Bit.Core.IdentityServer
|
||||
if (user != null)
|
||||
{
|
||||
var isPremium = await _licensingService.ValidateUserPremiumAsync(user);
|
||||
newClaims.AddRange(new List<Claim>
|
||||
{
|
||||
new Claim("premium", isPremium ? "true" : "false", ClaimValueTypes.Boolean),
|
||||
new Claim(JwtClaimTypes.Email, user.Email),
|
||||
new Claim(JwtClaimTypes.EmailVerified, user.EmailVerified ? "true" : "false",
|
||||
ClaimValueTypes.Boolean),
|
||||
new Claim("sstamp", user.SecurityStamp)
|
||||
});
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(user.Name))
|
||||
{
|
||||
newClaims.Add(new Claim(JwtClaimTypes.Name, user.Name));
|
||||
}
|
||||
|
||||
// Orgs that this user belongs to
|
||||
var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id);
|
||||
if (orgs.Any())
|
||||
foreach (var claim in CoreHelpers.BuildIdentityClaims(user, orgs, isPremium))
|
||||
{
|
||||
foreach (var group in orgs.GroupBy(o => o.Type))
|
||||
{
|
||||
switch (group.Key)
|
||||
{
|
||||
case Enums.OrganizationUserType.Owner:
|
||||
foreach (var org in group)
|
||||
{
|
||||
newClaims.Add(new Claim("orgowner", org.Id.ToString()));
|
||||
}
|
||||
break;
|
||||
case Enums.OrganizationUserType.Admin:
|
||||
foreach (var org in group)
|
||||
{
|
||||
newClaims.Add(new Claim("orgadmin", org.Id.ToString()));
|
||||
}
|
||||
break;
|
||||
case Enums.OrganizationUserType.Manager:
|
||||
foreach (var org in group)
|
||||
{
|
||||
newClaims.Add(new Claim("orgmanager", org.Id.ToString()));
|
||||
}
|
||||
break;
|
||||
case Enums.OrganizationUserType.User:
|
||||
foreach (var org in group)
|
||||
{
|
||||
newClaims.Add(new Claim("orguser", org.Id.ToString()));
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
var upperValue = claim.Value.ToUpperInvariant();
|
||||
var isBool = upperValue == "TRUE" || upperValue == "FALSE";
|
||||
newClaims.Add(isBool ?
|
||||
new Claim(claim.Key, claim.Value, ClaimValueTypes.Boolean) :
|
||||
new Claim(claim.Key, claim.Value)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -15,6 +15,16 @@ namespace Bit.Core.Models.Api
|
||||
ApiKey = organization.ApiKey;
|
||||
}
|
||||
|
||||
public ApiKeyResponseModel(User user, string obj = "apiKey")
|
||||
: base(obj)
|
||||
{
|
||||
if (user == null)
|
||||
{
|
||||
throw new ArgumentNullException(nameof(user));
|
||||
}
|
||||
ApiKey = user.ApiKey;
|
||||
}
|
||||
|
||||
public string ApiKey { get; set; }
|
||||
}
|
||||
}
|
||||
|
||||
@ -3,8 +3,6 @@ using Bit.Core.Enums;
|
||||
using Bit.Core.Utilities;
|
||||
using System.Collections.Generic;
|
||||
using Newtonsoft.Json;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Exceptions;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
|
||||
namespace Bit.Core.Models.Table
|
||||
@ -39,6 +37,7 @@ namespace Bit.Core.Models.Table
|
||||
public string GatewaySubscriptionId { get; set; }
|
||||
public string ReferenceData { get; set; }
|
||||
public string LicenseKey { get; set; }
|
||||
public string ApiKey { get; set; }
|
||||
public KdfType Kdf { get; set; } = KdfType.PBKDF2_SHA256;
|
||||
public int KdfIterations { get; set; } = 5000;
|
||||
public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
|
||||
|
||||
@ -69,5 +69,6 @@ namespace Bit.Core.Services
|
||||
Task<bool> TwoFactorProviderIsEnabledAsync(TwoFactorProviderType provider, ITwoFactorProvidersUser user);
|
||||
Task<string> GenerateEnterprisePortalSignInTokenAsync(User user);
|
||||
Task<string> GenerateSignInTokenAsync(User user, string purpose);
|
||||
Task RotateApiKeyAsync(User user);
|
||||
}
|
||||
}
|
||||
|
||||
@ -292,6 +292,7 @@ namespace Bit.Core.Services
|
||||
}
|
||||
}
|
||||
|
||||
user.ApiKey = CoreHelpers.SecureRandomString(30);
|
||||
var result = await base.CreateAsync(user, masterPassword);
|
||||
if (result == IdentityResult.Success)
|
||||
{
|
||||
@ -1204,5 +1205,12 @@ namespace Bit.Core.Services
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
public async Task RotateApiKeyAsync(User user)
|
||||
{
|
||||
user.ApiKey = CoreHelpers.SecureRandomString(30);
|
||||
user.RevisionDate = DateTime.UtcNow;
|
||||
await _userRepository.ReplaceAsync(user);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -18,6 +18,8 @@ using Bit.Core.Enums;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.Azure.Storage;
|
||||
using Microsoft.Azure.Storage.Blob;
|
||||
using Bit.Core.Models.Table;
|
||||
using IdentityModel;
|
||||
|
||||
namespace Bit.Core.Utilities
|
||||
{
|
||||
@ -670,5 +672,59 @@ namespace Bit.Core.Utilities
|
||||
}
|
||||
return configDict;
|
||||
}
|
||||
|
||||
public static Dictionary<string, string> BuildIdentityClaims(User user, ICollection<CurrentContext.CurrentContentOrganization> orgs, bool isPremium)
|
||||
{
|
||||
var claims = new Dictionary<string, string>()
|
||||
{
|
||||
{"premium", isPremium ? "true" : "false"},
|
||||
{JwtClaimTypes.Email, user.Email},
|
||||
{JwtClaimTypes.EmailVerified, user.EmailVerified ? "true" : "false"},
|
||||
{"sstamp", user.SecurityStamp}
|
||||
};
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(user.Name))
|
||||
{
|
||||
claims.Add(JwtClaimTypes.Name, user.Name);
|
||||
}
|
||||
|
||||
// Orgs that this user belongs to
|
||||
if (orgs.Any())
|
||||
{
|
||||
foreach (var group in orgs.GroupBy(o => o.Type))
|
||||
{
|
||||
switch (group.Key)
|
||||
{
|
||||
case Enums.OrganizationUserType.Owner:
|
||||
foreach (var org in group)
|
||||
{
|
||||
claims.Add("orgowner", org.Id.ToString());
|
||||
}
|
||||
break;
|
||||
case Enums.OrganizationUserType.Admin:
|
||||
foreach (var org in group)
|
||||
{
|
||||
claims.Add("orgadmin", org.Id.ToString());
|
||||
}
|
||||
break;
|
||||
case Enums.OrganizationUserType.Manager:
|
||||
foreach (var org in group)
|
||||
{
|
||||
claims.Add("orgmanager", org.Id.ToString());
|
||||
}
|
||||
break;
|
||||
case Enums.OrganizationUserType.User:
|
||||
foreach (var org in group)
|
||||
{
|
||||
claims.Add("orguser", org.Id.ToString());
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
return claims;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user