mirror of
https://github.com/bitwarden/server.git
synced 2025-06-30 15:42:48 -05:00
[PM-4371] Implement PRF key rotation (#4157)
* Send rotateable keyset on list webauthn keys * Implement basic prf key rotation * Add validator for webauthn rotation * Fix accounts controller tests * Add webauthn rotation validator tests * Introduce separate request model * Fix tests * Remove extra empty line * Remove filtering in validator * Don't send encrypted private key * Fix tests * Implement delegated webauthn db transactions * Add backward compatibility * Fix query not working * Update migration sql * Update dapper query * Remove unused helper * Rename webauthn to WebAuthnLogin * Fix linter errors * Fix tests * Fix tests
This commit is contained in:
Bernd Schoolmann
@ -2,6 +2,7 @@
|
||||
using Bit.Api.AdminConsole.Models.Response;
|
||||
using Bit.Api.Auth.Models.Request;
|
||||
using Bit.Api.Auth.Models.Request.Accounts;
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Api.Auth.Validators;
|
||||
using Bit.Api.Models.Request;
|
||||
using Bit.Api.Models.Request.Accounts;
|
||||
@ -81,6 +82,8 @@ public class AccountsController : Controller
|
||||
private readonly IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
|
||||
IReadOnlyList<OrganizationUser>>
|
||||
_organizationUserValidator;
|
||||
private readonly IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
|
||||
_webauthnKeyValidator;
|
||||
|
||||
|
||||
public AccountsController(
|
||||
@ -109,7 +112,8 @@ public class AccountsController : Controller
|
||||
IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
|
||||
emergencyAccessValidator,
|
||||
IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>
|
||||
organizationUserValidator
|
||||
organizationUserValidator,
|
||||
IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator
|
||||
)
|
||||
{
|
||||
_cipherRepository = cipherRepository;
|
||||
@ -136,6 +140,7 @@ public class AccountsController : Controller
|
||||
_sendValidator = sendValidator;
|
||||
_emergencyAccessValidator = emergencyAccessValidator;
|
||||
_organizationUserValidator = organizationUserValidator;
|
||||
_webauthnKeyValidator = webAuthnKeyValidator;
|
||||
}
|
||||
|
||||
#region DEPRECATED (Moved to Identity Service)
|
||||
@ -442,7 +447,8 @@ public class AccountsController : Controller
|
||||
Folders = await _folderValidator.ValidateAsync(user, model.Folders),
|
||||
Sends = await _sendValidator.ValidateAsync(user, model.Sends),
|
||||
EmergencyAccesses = await _emergencyAccessValidator.ValidateAsync(user, model.EmergencyAccessKeys),
|
||||
OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.ResetPasswordKeys)
|
||||
OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.ResetPasswordKeys),
|
||||
WebAuthnKeys = await _webauthnKeyValidator.ValidateAsync(user, model.WebAuthnKeys)
|
||||
};
|
||||
|
||||
var result = await _rotateUserKeyCommand.RotateUserKeyAsync(user, dataModel);
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
using Bit.Api.Auth.Models.Request.Accounts;
|
||||
using Bit.Api.Auth.Models.Request.Webauthn;
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Api.Auth.Models.Response.WebAuthn;
|
||||
using Bit.Api.Models.Response;
|
||||
using Bit.Core;
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using Bit.Api.AdminConsole.Models.Request.Organizations;
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Api.Tools.Models.Request;
|
||||
using Bit.Api.Vault.Models.Request;
|
||||
|
||||
@ -19,5 +20,6 @@ public class UpdateKeyRequestModel
|
||||
public IEnumerable<SendWithIdRequestModel> Sends { get; set; }
|
||||
public IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessKeys { get; set; }
|
||||
public IEnumerable<ResetPasswordWithOrgIdRequestModel> ResetPasswordKeys { get; set; }
|
||||
public IEnumerable<WebAuthnLoginRotateKeyRequestModel> WebAuthnKeys { get; set; }
|
||||
|
||||
}
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
using Bit.Core.Utilities;
|
||||
using Fido2NetLib;
|
||||
|
||||
namespace Bit.Api.Auth.Models.Request.Webauthn;
|
||||
namespace Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
|
||||
public class WebAuthnLoginCredentialCreateRequestModel
|
||||
{
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
using Bit.Core.Utilities;
|
||||
using Fido2NetLib;
|
||||
|
||||
namespace Bit.Api.Auth.Models.Request.Webauthn;
|
||||
namespace Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
|
||||
public class WebAuthnLoginCredentialUpdateRequestModel
|
||||
{
|
||||
|
||||
@ -0,0 +1,32 @@
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
using Bit.Core.Utilities;
|
||||
|
||||
namespace Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
|
||||
public class WebAuthnLoginRotateKeyRequestModel
|
||||
{
|
||||
[Required]
|
||||
public Guid Id { get; set; }
|
||||
|
||||
[Required]
|
||||
[EncryptedString]
|
||||
[EncryptedStringLength(2000)]
|
||||
public string EncryptedUserKey { get; set; }
|
||||
|
||||
[Required]
|
||||
[EncryptedString]
|
||||
[EncryptedStringLength(2000)]
|
||||
public string EncryptedPublicKey { get; set; }
|
||||
|
||||
public WebAuthnLoginRotateKeyData ToWebAuthnRotateKeyData()
|
||||
{
|
||||
return new WebAuthnLoginRotateKeyData
|
||||
{
|
||||
Id = Id,
|
||||
EncryptedUserKey = EncryptedUserKey,
|
||||
EncryptedPublicKey = EncryptedPublicKey
|
||||
};
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,6 +1,7 @@
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Enums;
|
||||
using Bit.Core.Models.Api;
|
||||
using Bit.Core.Utilities;
|
||||
|
||||
namespace Bit.Api.Auth.Models.Response.WebAuthn;
|
||||
|
||||
@ -13,9 +14,17 @@ public class WebAuthnCredentialResponseModel : ResponseModel
|
||||
Id = credential.Id.ToString();
|
||||
Name = credential.Name;
|
||||
PrfStatus = credential.GetPrfStatus();
|
||||
EncryptedUserKey = credential.EncryptedUserKey;
|
||||
EncryptedPublicKey = credential.EncryptedPublicKey;
|
||||
}
|
||||
|
||||
public string Id { get; set; }
|
||||
public string Name { get; set; }
|
||||
public WebAuthnPrfStatus PrfStatus { get; set; }
|
||||
[EncryptedString]
|
||||
[EncryptedStringLength(2000)]
|
||||
public string EncryptedUserKey { get; set; }
|
||||
[EncryptedString]
|
||||
[EncryptedStringLength(2000)]
|
||||
public string EncryptedPublicKey { get; set; }
|
||||
}
|
||||
|
||||
55
src/Api/Auth/Validators/WebAuthnLoginKeyRotationValidator.cs
Normal file
55
src/Api/Auth/Validators/WebAuthnLoginKeyRotationValidator.cs
Normal file
@ -0,0 +1,55 @@
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
using Bit.Core.Auth.Repositories;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
|
||||
namespace Bit.Api.Auth.Validators;
|
||||
|
||||
public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
|
||||
{
|
||||
private readonly IWebAuthnCredentialRepository _webAuthnCredentialRepository;
|
||||
|
||||
public WebAuthnLoginKeyRotationValidator(IWebAuthnCredentialRepository webAuthnCredentialRepository)
|
||||
{
|
||||
_webAuthnCredentialRepository = webAuthnCredentialRepository;
|
||||
}
|
||||
|
||||
public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
|
||||
{
|
||||
// 2024-06: Remove after 3 releases, for backward compatibility
|
||||
if (keysToRotate == null)
|
||||
{
|
||||
return new List<WebAuthnLoginRotateKeyData>();
|
||||
}
|
||||
|
||||
var result = new List<WebAuthnLoginRotateKeyData>();
|
||||
var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
|
||||
if (existing == null || !existing.Any())
|
||||
{
|
||||
return result;
|
||||
}
|
||||
|
||||
foreach (var ea in existing)
|
||||
{
|
||||
var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
|
||||
if (keyToRotate == null)
|
||||
{
|
||||
throw new BadRequestException("All existing webauthn prf keys must be included in the rotation.");
|
||||
}
|
||||
|
||||
if (keyToRotate.EncryptedUserKey == null)
|
||||
{
|
||||
throw new BadRequestException("WebAuthn prf keys must have user-key during rotation.");
|
||||
}
|
||||
if (keyToRotate.EncryptedPublicKey == null)
|
||||
{
|
||||
throw new BadRequestException("WebAuthn prf keys must have public-key during rotation.");
|
||||
}
|
||||
|
||||
result.Add(keyToRotate.ToWebAuthnRotateKeyData());
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
}
|
||||
@ -30,6 +30,8 @@ using Bit.Core.Billing.Extensions;
|
||||
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
|
||||
using Bit.Core.Tools.Entities;
|
||||
using Bit.Core.Vault.Entities;
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
|
||||
#if !OSS
|
||||
using Bit.Commercial.Core.SecretsManager;
|
||||
@ -163,7 +165,9 @@ public class Startup
|
||||
.AddScoped<IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
|
||||
IReadOnlyList<OrganizationUser>>
|
||||
, OrganizationUserRotationValidator>();
|
||||
|
||||
services
|
||||
.AddScoped<IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>,
|
||||
WebAuthnLoginKeyRotationValidator>();
|
||||
|
||||
// Services
|
||||
services.AddBaseServices(globalSettings);
|
||||
|
||||
Reference in New Issue
Block a user