From 389512d51ea94f61fdb7ba3300e0b718208f423d Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Tue, 3 Apr 2018 14:31:33 -0400 Subject: [PATCH] added org duo to 2fa flow --- src/Core/CurrentContext.cs | 19 ++- .../IOrganizationTwoFactorTokenProvider.cs | 12 ++ .../OrganizationDuoWebTokenProvider.cs | 76 ++++++++++ src/Core/IdentityServer/ProfileService.cs | 7 +- .../ResourceOwnerPasswordValidator.cs | 131 ++++++++++++++---- src/Core/Models/Data/OrganizationAbility.cs | 3 + src/Core/Models/Table/Organization.cs | 7 + .../Services/Implementations/EventService.cs | 2 +- .../Utilities/ServiceCollectionExtensions.cs | 1 + .../Organization_ReadAbilities.sql | 6 + util/Setup/DbScripts/2018-04-02_00_Org2fa.sql | 6 + 11 files changed, 239 insertions(+), 31 deletions(-) create mode 100644 src/Core/Identity/IOrganizationTwoFactorTokenProvider.cs create mode 100644 src/Core/Identity/OrganizationDuoWebTokenProvider.cs diff --git a/src/Core/CurrentContext.cs b/src/Core/CurrentContext.cs index 6391b5cb6b..4d31ff4f14 100644 --- a/src/Core/CurrentContext.cs +++ b/src/Core/CurrentContext.cs @@ -4,13 +4,16 @@ using System.Linq; using Bit.Core.Models.Table; using Bit.Core.Enums; using Microsoft.AspNetCore.Http; -using Microsoft.Extensions.Primitives; +using Bit.Core.Repositories; +using System.Threading.Tasks; namespace Bit.Core { public class CurrentContext { private string _ip; + private Dictionary> _orgUsers = + new Dictionary>(); public virtual HttpContext HttpContext { get; set; } public virtual Guid? UserId { get; set; } @@ -18,7 +21,8 @@ namespace Bit.Core public virtual string DeviceIdentifier { get; set; } public virtual DeviceType? DeviceType { get; set; } public virtual string IpAddress => GetRequestIp(); - public virtual List Organizations { get; set; } = new List(); + public virtual List Organizations { get; set; } = + new List(); public virtual Guid? InstallationId { get; set; } public bool OrganizationUser(Guid orgId) @@ -35,6 +39,17 @@ namespace Bit.Core return Organizations.Any(o => o.Id == orgId && o.Type == OrganizationUserType.Owner); } + public async Task> OrganizationMembershipAsync( + IOrganizationUserRepository organizationUserRepository, Guid userId) + { + if(!_orgUsers.ContainsKey(userId)) + { + _orgUsers.Add(userId, await organizationUserRepository.GetManyByUserAsync(userId)); + } + + return _orgUsers[userId]; + } + private string GetRequestIp() { if(!string.IsNullOrWhiteSpace(_ip)) diff --git a/src/Core/Identity/IOrganizationTwoFactorTokenProvider.cs b/src/Core/Identity/IOrganizationTwoFactorTokenProvider.cs new file mode 100644 index 0000000000..cda8c2ede3 --- /dev/null +++ b/src/Core/Identity/IOrganizationTwoFactorTokenProvider.cs @@ -0,0 +1,12 @@ +using System.Threading.Tasks; +using Bit.Core.Models.Table; + +namespace Bit.Core.Identity +{ + public interface IOrganizationTwoFactorTokenProvider + { + Task CanGenerateTwoFactorTokenAsync(Organization organization); + Task GenerateAsync(Organization organization, User user); + Task ValidateAsync(string token, Organization organization, User user); + } +} diff --git a/src/Core/Identity/OrganizationDuoWebTokenProvider.cs b/src/Core/Identity/OrganizationDuoWebTokenProvider.cs new file mode 100644 index 0000000000..02b0b99aad --- /dev/null +++ b/src/Core/Identity/OrganizationDuoWebTokenProvider.cs @@ -0,0 +1,76 @@ +using System.Threading.Tasks; +using Bit.Core.Models.Table; +using Bit.Core.Enums; +using Bit.Core.Utilities.Duo; +using Bit.Core.Models; + +namespace Bit.Core.Identity +{ + public interface IOrganizationDuoWebTokenProvider : IOrganizationTwoFactorTokenProvider { } + + public class OrganizationDuoWebTokenProvider : IOrganizationDuoWebTokenProvider + { + private readonly GlobalSettings _globalSettings; + + public OrganizationDuoWebTokenProvider(GlobalSettings globalSettings) + { + _globalSettings = globalSettings; + } + + public Task CanGenerateTwoFactorTokenAsync(Organization organization) + { + if(organization == null || !organization.Enabled || !organization.Use2fa) + { + return Task.FromResult(false); + } + + var provider = organization.GetTwoFactorProvider(TwoFactorProviderType.OrganizationDuo); + var canGenerate = organization.TwoFactorProviderIsEnabled(TwoFactorProviderType.OrganizationDuo) + && HasProperMetaData(provider); + return Task.FromResult(canGenerate); + } + + public Task GenerateAsync(Organization organization, User user) + { + if(organization == null || !organization.Enabled || !organization.Use2fa) + { + return Task.FromResult(null); + } + + var provider = organization.GetTwoFactorProvider(TwoFactorProviderType.OrganizationDuo); + if(!HasProperMetaData(provider)) + { + return Task.FromResult(null); + } + + var signatureRequest = DuoWeb.SignRequest((string)provider.MetaData["IKey"], + (string)provider.MetaData["SKey"], _globalSettings.Duo.AKey, user.Email); + return Task.FromResult(signatureRequest); + } + + public Task ValidateAsync(string token, Organization organization, User user) + { + if(organization == null || !organization.Enabled || !organization.Use2fa) + { + return Task.FromResult(false); + } + + var provider = organization.GetTwoFactorProvider(TwoFactorProviderType.OrganizationDuo); + if(!HasProperMetaData(provider)) + { + return Task.FromResult(false); + } + + var response = DuoWeb.VerifyResponse((string)provider.MetaData["IKey"], + (string)provider.MetaData["SKey"], _globalSettings.Duo.AKey, token); + + return Task.FromResult(response == user.Email); + } + + private bool HasProperMetaData(TwoFactorProvider provider) + { + return provider?.MetaData != null && provider.MetaData.ContainsKey("IKey") && + provider.MetaData.ContainsKey("SKey") && provider.MetaData.ContainsKey("Host"); + } + } +} diff --git a/src/Core/IdentityServer/ProfileService.cs b/src/Core/IdentityServer/ProfileService.cs index bf47e42d2a..2ea7ad81a5 100644 --- a/src/Core/IdentityServer/ProfileService.cs +++ b/src/Core/IdentityServer/ProfileService.cs @@ -17,17 +17,20 @@ namespace Bit.Core.IdentityServer private readonly IUserRepository _userRepository; private readonly IOrganizationUserRepository _organizationUserRepository; private readonly ILicensingService _licensingService; + private readonly CurrentContext _currentContext; public ProfileService( IUserRepository userRepository, IUserService userService, IOrganizationUserRepository organizationUserRepository, - ILicensingService licensingService) + ILicensingService licensingService, + CurrentContext currentContext) { _userRepository = userRepository; _userService = userService; _organizationUserRepository = organizationUserRepository; _licensingService = licensingService; + _currentContext = currentContext; } public async Task GetProfileDataAsync(ProfileDataRequestContext context) @@ -53,7 +56,7 @@ namespace Bit.Core.IdentityServer } // Orgs that this user belongs to - var orgs = await _organizationUserRepository.GetManyByUserAsync(user.Id); + var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id); if(orgs.Any()) { var groupedOrgs = orgs.Where(o => o.Status == Enums.OrganizationUserStatusType.Confirmed) diff --git a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs index 34eba65142..4931cbb2a9 100644 --- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs +++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs @@ -12,6 +12,8 @@ using System.Threading.Tasks; using Bit.Core.Services; using System.Linq; using Bit.Core.Models; +using Bit.Core.Identity; +using Bit.Core.Models.Data; namespace Bit.Core.IdentityServer { @@ -22,19 +24,34 @@ namespace Bit.Core.IdentityServer private readonly IDeviceService _deviceService; private readonly IUserService _userService; private readonly IEventService _eventService; + private readonly IOrganizationDuoWebTokenProvider _organizationDuoWebTokenProvider; + private readonly IOrganizationRepository _organizationRepository; + private readonly IOrganizationUserRepository _organizationUserRepository; + private readonly IApplicationCacheService _applicationCacheService; + private readonly CurrentContext _currentContext; public ResourceOwnerPasswordValidator( UserManager userManager, IDeviceRepository deviceRepository, IDeviceService deviceService, IUserService userService, - IEventService eventService) + IEventService eventService, + IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider, + IOrganizationRepository organizationRepository, + IOrganizationUserRepository organizationUserRepository, + IApplicationCacheService applicationCacheService, + CurrentContext currentContext) { _userManager = userManager; _deviceRepository = deviceRepository; _deviceService = deviceService; _userService = userService; _eventService = eventService; + _organizationDuoWebTokenProvider = organizationDuoWebTokenProvider; + _organizationRepository = organizationRepository; + _organizationUserRepository = organizationUserRepository; + _applicationCacheService = applicationCacheService; + _currentContext = currentContext; } public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context) @@ -42,7 +59,8 @@ namespace Bit.Core.IdentityServer var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString(); var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString(); var twoFactorRemember = context.Request.Raw["TwoFactorRemember"]?.ToString() == "1"; - var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider); + var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && + !string.IsNullOrWhiteSpace(twoFactorProvider); if(string.IsNullOrWhiteSpace(context.UserName)) { @@ -57,16 +75,18 @@ namespace Bit.Core.IdentityServer return; } - if(await TwoFactorRequiredAsync(user)) + var twoFactorRequirement = await RequiresTwoFactorAsync(user); + if(twoFactorRequirement.Item1) { var twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it if(!twoFactorRequest || !Enum.TryParse(twoFactorProvider, out twoFactorProviderType)) { - await BuildTwoFactorResultAsync(user, context); + await BuildTwoFactorResultAsync(user, twoFactorRequirement.Item2, context); return; } - var verified = await VerifyTwoFactor(user, twoFactorProviderType, twoFactorToken); + var verified = await VerifyTwoFactor(user, twoFactorRequirement.Item2, + twoFactorProviderType, twoFactorToken); if(!verified && twoFactorProviderType != TwoFactorProviderType.Remember) { await BuildErrorResultAsync(true, context, user); @@ -75,7 +95,7 @@ namespace Bit.Core.IdentityServer else if(!verified && twoFactorProviderType == TwoFactorProviderType.Remember) { await Task.Delay(2000); // Delay for brute force. - await BuildTwoFactorResultAsync(user, context); + await BuildTwoFactorResultAsync(user, twoFactorRequirement.Item2, context); return; } } @@ -116,7 +136,8 @@ namespace Bit.Core.IdentityServer if(sendRememberToken) { - var token = await _userManager.GenerateTwoFactorTokenAsync(user, TwoFactorProviderType.Remember.ToString()); + var token = await _userManager.GenerateTwoFactorTokenAsync(user, + TwoFactorProviderType.Remember.ToString()); customResponse.Add("TwoFactorToken", token); } @@ -126,12 +147,26 @@ namespace Bit.Core.IdentityServer customResponse: customResponse); } - private async Task BuildTwoFactorResultAsync(User user, ResourceOwnerPasswordValidationContext context) + private async Task BuildTwoFactorResultAsync(User user, Organization organization, + ResourceOwnerPasswordValidationContext context) { var providerKeys = new List(); var providers = new Dictionary>(); - var enabledProviders = user.GetTwoFactorProviders()?.Where(p => user.TwoFactorProviderIsEnabled(p.Key)); - if(enabledProviders == null) + + var enabledProviders = new List>(); + if(organization?.GetTwoFactorProviders() != null) + { + enabledProviders.AddRange(organization.GetTwoFactorProviders().Where( + p => organization.TwoFactorProviderIsEnabled(p.Key))); + } + + if(user.GetTwoFactorProviders() != null) + { + enabledProviders.AddRange( + user.GetTwoFactorProviders().Where(p => user.TwoFactorProviderIsEnabled(p.Key))); + } + + if(!enabledProviders.Any()) { await BuildErrorResultAsync(false, context, user); return; @@ -140,7 +175,7 @@ namespace Bit.Core.IdentityServer foreach(var provider in enabledProviders) { providerKeys.Add((byte)provider.Key); - var infoDict = await BuildTwoFactorParams(user, provider.Key, provider.Value); + var infoDict = await BuildTwoFactorParams(organization, user, provider.Key, provider.Value); providers.Add((byte)provider.Key, infoDict); } @@ -176,11 +211,34 @@ namespace Bit.Core.IdentityServer }}); } - private async Task TwoFactorRequiredAsync(User user) + public async Task> RequiresTwoFactorAsync(User user) { - return _userManager.SupportsUserTwoFactor && + var individualRequired = _userManager.SupportsUserTwoFactor && await _userManager.GetTwoFactorEnabledAsync(user) && (await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0; + + Organization firstEnabledOrg = null; + var orgs = (await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id)) + .Where(o => o.Status == OrganizationUserStatusType.Confirmed).ToList(); + if(orgs.Any()) + { + var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync(); + var twoFactorOrgs = orgs.Where(o => OrgUsing2fa(orgAbilities, o.OrganizationId)); + if(twoFactorOrgs.Any()) + { + var userOrgs = await _organizationRepository.GetManyByUserIdAsync(user.Id); + firstEnabledOrg = userOrgs.FirstOrDefault( + o => orgs.Any(om => om.OrganizationId == o.Id) && o.TwoFactorIsEnabled()); + } + } + + return new Tuple(individualRequired || firstEnabledOrg != null, firstEnabledOrg); + } + + private bool OrgUsing2fa(IDictionary orgAbilities, Guid orgId) + { + return orgAbilities != null && orgAbilities.ContainsKey(orgId) && + orgAbilities[orgId].Enabled && orgAbilities[orgId].Using2fa; } private Device GetDeviceFromRequest(ResourceOwnerPasswordValidationContext context) @@ -205,13 +263,9 @@ namespace Bit.Core.IdentityServer }; } - private async Task VerifyTwoFactor(User user, TwoFactorProviderType type, string token) + private async Task VerifyTwoFactor(User user, Organization organization, TwoFactorProviderType type, + string token) { - if(type != TwoFactorProviderType.Remember && !user.TwoFactorProviderIsEnabled(type)) - { - return false; - } - switch(type) { case TwoFactorProviderType.Authenticator: @@ -219,28 +273,43 @@ namespace Bit.Core.IdentityServer case TwoFactorProviderType.YubiKey: case TwoFactorProviderType.U2f: case TwoFactorProviderType.Remember: + if(type != TwoFactorProviderType.Remember && !user.TwoFactorProviderIsEnabled(type)) + { + return false; + } return await _userManager.VerifyTwoFactorTokenAsync(user, type.ToString(), token); case TwoFactorProviderType.Email: + if(!user.TwoFactorProviderIsEnabled(type)) + { + return false; + } return await _userService.VerifyTwoFactorEmailAsync(user, token); + case TwoFactorProviderType.OrganizationDuo: + if(!organization?.TwoFactorProviderIsEnabled(type) ?? true) + { + return false; + } + + return await _organizationDuoWebTokenProvider.ValidateAsync(token, organization, user); default: return false; } } - private async Task> BuildTwoFactorParams(User user, TwoFactorProviderType type, - TwoFactorProvider provider) + private async Task> BuildTwoFactorParams(Organization organization, User user, + TwoFactorProviderType type, TwoFactorProvider provider) { - if(!user.TwoFactorProviderIsEnabled(type)) - { - return null; - } - switch(type) { case TwoFactorProviderType.Duo: case TwoFactorProviderType.U2f: case TwoFactorProviderType.Email: case TwoFactorProviderType.YubiKey: + if(!user.TwoFactorProviderIsEnabled(type)) + { + return null; + } + var token = await _userManager.GenerateTwoFactorTokenAsync(user, type.ToString()); if(type == TwoFactorProviderType.Duo) { @@ -272,6 +341,16 @@ namespace Bit.Core.IdentityServer }; } return null; + case TwoFactorProviderType.OrganizationDuo: + if(await _organizationDuoWebTokenProvider.CanGenerateTwoFactorTokenAsync(organization)) + { + return new Dictionary + { + ["Host"] = provider.MetaData["Host"], + ["Signature"] = await _organizationDuoWebTokenProvider.GenerateAsync(organization, user) + }; + } + return null; default: return null; } diff --git a/src/Core/Models/Data/OrganizationAbility.cs b/src/Core/Models/Data/OrganizationAbility.cs index 1d13dcabdf..36d50b8eea 100644 --- a/src/Core/Models/Data/OrganizationAbility.cs +++ b/src/Core/Models/Data/OrganizationAbility.cs @@ -12,12 +12,15 @@ namespace Bit.Core.Models.Data Id = organization.Id; UseEvents = organization.UseEvents; Use2fa = organization.Use2fa; + Using2fa = organization.Use2fa && organization.TwoFactorProviders != null && + organization.TwoFactorProviders != "{}"; Enabled = organization.Enabled; } public Guid Id { get; set; } public bool UseEvents { get; set; } public bool Use2fa { get; set; } + public bool Using2fa { get; set; } public bool Enabled { get; set; } } } diff --git a/src/Core/Models/Table/Organization.cs b/src/Core/Models/Table/Organization.cs index d13ac885ee..f398d3908d 100644 --- a/src/Core/Models/Table/Organization.cs +++ b/src/Core/Models/Table/Organization.cs @@ -133,6 +133,13 @@ namespace Bit.Core.Models.Table public void SetTwoFactorProviders(Dictionary providers) { + if(!providers.Any()) + { + TwoFactorProviders = null; + _twoFactorProviders = null; + return; + } + TwoFactorProviders = JsonConvert.SerializeObject(providers, new JsonSerializerSettings { ContractResolver = new EnumKeyResolver() diff --git a/src/Core/Services/Implementations/EventService.cs b/src/Core/Services/Implementations/EventService.cs index a36f0d3856..de3e7034d1 100644 --- a/src/Core/Services/Implementations/EventService.cs +++ b/src/Core/Services/Implementations/EventService.cs @@ -62,7 +62,7 @@ namespace Bit.Core.Services } else { - var orgs = await _organizationUserRepository.GetManyByUserAsync(userId); + var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, userId); orgEvents = orgs .Where(o => o.Status == OrganizationUserStatusType.Confirmed && CanUseEvents(orgAbilities, o.OrganizationId)) diff --git a/src/Core/Utilities/ServiceCollectionExtensions.cs b/src/Core/Utilities/ServiceCollectionExtensions.cs index c4dd133ccd..ea00c242ed 100644 --- a/src/Core/Utilities/ServiceCollectionExtensions.cs +++ b/src/Core/Utilities/ServiceCollectionExtensions.cs @@ -155,6 +155,7 @@ namespace Bit.Core.Utilities this IServiceCollection services, GlobalSettings globalSettings) { services.AddTransient(); + services.AddSingleton(); services.Configure(options => { diff --git a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql index bad960a63f..e2cefcb038 100644 --- a/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql +++ b/src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql @@ -7,6 +7,12 @@ BEGIN [Id], [UseEvents], [Use2fa], + CASE + WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN + 1 + ELSE + 0 + END AS [Using2fa], [Enabled] FROM [dbo].[Organization] diff --git a/util/Setup/DbScripts/2018-04-02_00_Org2fa.sql b/util/Setup/DbScripts/2018-04-02_00_Org2fa.sql index 5d1e862566..7b9ac7e5e7 100644 --- a/util/Setup/DbScripts/2018-04-02_00_Org2fa.sql +++ b/util/Setup/DbScripts/2018-04-02_00_Org2fa.sql @@ -236,6 +236,12 @@ BEGIN [Id], [UseEvents], [Use2fa], + CASE + WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN + 1 + ELSE + 0 + END AS [Using2fa], [Enabled] FROM [dbo].[Organization]