From 474b37d10ea859405c0255222f7eef9455983b1c Mon Sep 17 00:00:00 2001 From: Ike Kottlowski Date: Thu, 20 Mar 2025 18:00:43 -0400 Subject: [PATCH] fix : added feature flagging to method calls; removed some todos; cleaned up implementation in account service; registration lives in API to access Authorize middleware; Login lives in Identity; --- .../OpaqueKeyExchangeController.cs | 56 +++++++++++ .../OpaqueKeyExchangeService.cs | 95 ++++++++++--------- src/Core/Auth/Utilities/GuidUtilities.cs | 19 +++- .../Services/Implementations/UserService.cs | 26 +++-- .../Controllers/AccountsController.cs | 3 - .../OpaqueKeyExchangeController.cs | 41 +------- .../Controllers/AccountsControllerTests.cs | 3 - 7 files changed, 140 insertions(+), 103 deletions(-) create mode 100644 src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs diff --git a/src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs b/src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs new file mode 100644 index 0000000000..2fcd85eeb1 --- /dev/null +++ b/src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs @@ -0,0 +1,56 @@ +using Bit.Core; +using Bit.Core.Auth.Models.Api.Request.Opaque; +using Bit.Core.Auth.Models.Api.Response.Opaque; +using Bit.Core.Auth.Services; +using Bit.Core.Services; +using Bit.Core.Utilities; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; + +namespace Bit.Api.Auth.Controllers; + +[RequireFeature(FeatureFlagKeys.OpaqueKeyExchange)] +[Route("opaque-ke")] +[Authorize("Application")] +public class OpaqueKeyExchangeController( + IOpaqueKeyExchangeService opaqueKeyExchangeService, + IUserService userService + ) : Controller +{ + private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService = opaqueKeyExchangeService; + private readonly IUserService _userService = userService; + + [HttpPost("start-registration")] + public async Task StartRegistrationAsync( + [FromBody] OpaqueRegistrationStartRequest request) + { + var user = await _userService.GetUserByPrincipalAsync(User) + ?? throw new UnauthorizedAccessException(); + var result = await _opaqueKeyExchangeService.StartRegistration( + Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration); + return result; + } + + [HttpPost("finish-registration")] + public async Task FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request) + { + var user = await _userService.GetUserByPrincipalAsync(User) + ?? throw new UnauthorizedAccessException(); + if (!await _opaqueKeyExchangeService.FinishRegistration( + request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet)) + { + throw new InvalidOperationException("Failed to finish registration."); + } + } + + [HttpPost("set-registration-active")] + public async Task SetRegistrationActiveAsync([FromBody] OpaqueSetRegistrationActiveRequest request) + { + var user = await _userService.GetUserByPrincipalAsync(User) + ?? throw new UnauthorizedAccessException(); + if (!await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase(request.SessionId, user)) + { + throw new InvalidOperationException("Failed to save credential."); + } + } +} diff --git a/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs b/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs index 45d4e7c88a..9490e715da 100644 --- a/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs +++ b/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs @@ -1,23 +1,22 @@ -using System.Security.Cryptography; -using System.Text; +using System.Text; using System.Text.Json; using Bit.Core.Auth.Entities; using Bit.Core.Auth.Models.Api.Request.Opaque; using Bit.Core.Auth.Models.Api.Response.Opaque; using Bit.Core.Auth.Models.Data; using Bit.Core.Auth.Repositories; +using Bit.Core.Auth.Utilities; using Bit.Core.Entities; using Bit.Core.Repositories; +using Bit.Core.Utilities; using Bitwarden.Opaque; using Microsoft.Extensions.Caching.Distributed; using Microsoft.Extensions.Logging; namespace Bit.Core.Auth.Services; -#nullable enable - -// TODO: feature flag this service // TODO: add test suite +[RequireFeature(FeatureFlagKeys.OpaqueKeyExchange)] public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService { private readonly BitwardenOpaqueServer _bitwardenOpaque; @@ -25,6 +24,7 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService private readonly IDistributedCache _distributedCache; private readonly IUserRepository _userRepository; private readonly ILogger _logger; + private readonly DistributedCacheEntryOptions _distributedCacheEntryOptions; const string REGISTRATION_SESSION_KEY = "opaque_register_session_{0}"; const string LOGIN_SESSION_KEY = "opaque_login_session_{0}"; @@ -41,6 +41,10 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService _distributedCache = distributedCache; _userRepository = userRepository; _logger = logger; + _distributedCacheEntryOptions = new DistributedCacheEntryOptions() + { + AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(1) + }; } public async Task StartRegistration( @@ -50,12 +54,20 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService cipherConfiguration.ToNativeConfiguration(), null, request, user.Id.ToString()); // We must persist the registration session state to the cache so we can have the server setup and cipher - // Ïconfiguration available when the client finishes registration. + // configuration available when the client finishes registration. var registrationSessionId = Guid.NewGuid(); - var registrationSession = new OpaqueKeyExchangeRegistrationSession() { RegistrationSessionId = registrationSessionId, ServerSetup = registrationRequest.serverSetup, CipherConfiguration = cipherConfiguration, UserId = user.Id }; + var registrationSession = new OpaqueKeyExchangeRegistrationSession() + { + RegistrationSessionId = registrationSessionId, + ServerSetup = registrationRequest.serverSetup, + CipherConfiguration = cipherConfiguration, + UserId = user.Id + }; - // TODO: We need to audit this approach to make sure it works for all our use cases. We probably need a timeout to avoid persisting this indefinitely. - await _distributedCache.SetAsync(string.Format(REGISTRATION_SESSION_KEY, registrationSessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registrationSession))); + await _distributedCache.SetAsync( + string.Format(REGISTRATION_SESSION_KEY, registrationSessionId), + Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registrationSession)), + _distributedCacheEntryOptions); return new OpaqueRegistrationStartResponse(registrationSessionId, Convert.ToBase64String(registrationRequest.registrationResponse)); } @@ -74,19 +86,22 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService // active, clients must call SetRegistrationActive or the user must change their password registrationSession.PasswordFile = registrationFinish.serverRegistration; registrationSession.KeySet = Encoding.ASCII.GetBytes(JsonSerializer.Serialize(keyset)); - await _distributedCache.SetAsync(string.Format(REGISTRATION_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registrationSession))); + await _distributedCache.SetAsync( + string.Format(REGISTRATION_SESSION_KEY, sessionId), + Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registrationSession)), + _distributedCacheEntryOptions); return true; } catch (Exception e) { // If anything goes wrong, we need to remove the session from the cache - await ClearRegistrationSession(sessionId); + await ClearRegistrationSessionAsync(sessionId); _logger.LogError(e, "Error finishing registration for user {UserId}", user.Id); return false; } } - private async Task ClearRegistrationSession(Guid sessionId) + private async Task ClearRegistrationSessionAsync(Guid sessionId) { await _distributedCache.RemoveAsync(string.Format(REGISTRATION_SESSION_KEY, sessionId)); } @@ -111,7 +126,7 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService var loginResponse = _bitwardenOpaque.StartLogin( cipherConfiguration.ToNativeConfiguration(), serverSetup, serverRegistration, request, user.Id.ToString()); - var sessionId = MakeCryptoGuid(); + var sessionId = GuidUtilities.MakeCryptoGuid(); var loginSession = new OpaqueKeyExchangeLoginSession() { UserId = user.Id, @@ -119,7 +134,11 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService CipherConfiguration = cipherConfiguration, IsAuthenticated = false }; - await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession))); + await _distributedCache.SetAsync( + string.Format(LOGIN_SESSION_KEY, sessionId), + Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)), + _distributedCacheEntryOptions); + return (sessionId, loginResponse.credentialResponse); } catch (InvalidOperationException e) @@ -133,18 +152,12 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService { try { - var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId)); - if (serializedLoginSession == null) - { - throw new InvalidOperationException("Session not found"); - } + var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId)) + ?? throw new InvalidOperationException("Session not found"); var loginSession = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedLoginSession))!; - var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId); - if (credential == null) - { - throw new InvalidOperationException("Credential not found"); - } + var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId) + ?? throw new InvalidOperationException("Credential not found"); var loginState = loginSession.LoginState; var cipherConfiguration = loginSession.CipherConfiguration; @@ -152,18 +165,22 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService var success = _bitwardenOpaque.FinishLogin(cipherConfiguration.ToNativeConfiguration(), loginState, credentialFinalization); loginSession.IsAuthenticated = true; - await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession))); + await _distributedCache.SetAsync( + string.Format(LOGIN_SESSION_KEY, sessionId), + Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)), + _distributedCacheEntryOptions); + return true; } - catch (Exception e) + catch (InvalidOperationException e) { - // print - Console.WriteLine(e.Message); + await ClearAuthenticationSession(sessionId); + _logger.LogError(e, "Error finishing login for session {SessionId}", sessionId); return false; } } - public async Task GetUserForAuthenticatedSession(Guid sessionId) + public async Task GetUserForAuthenticatedSession(Guid sessionId) { try { @@ -247,22 +264,6 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService } } - // TODO: evaluate if this should live in a utility class and/or under KM control - /// - /// Creates a genuinely random GUID as the login session IDs for opaque need to be cryptographically secure. - /// - private static Guid MakeCryptoGuid() - { - // Get 16 cryptographically random bytes - var data = RandomNumberGenerator.GetBytes(16); - - // Mark it as a version 4 GUID - data[7] = (byte)((data[7] | (byte)0x40) & (byte)0x4f); - data[8] = (byte)((data[8] | (byte)0x80) & (byte)0xbf); - - return new Guid(data); - } - public async Task ClearAuthenticationSession(Guid sessionId) { await _distributedCache.RemoveAsync(string.Format(LOGIN_SESSION_KEY, sessionId)); @@ -280,8 +281,8 @@ public class OpaqueKeyExchangeRegistrationSession public required byte[] ServerSetup { get; set; } public required OpaqueKeyExchangeCipherConfiguration CipherConfiguration { get; set; } public required Guid UserId { get; set; } - public byte[]? PasswordFile { get; set; } - public byte[]? KeySet { get; set; } + public byte[] PasswordFile { get; set; } = null; + public byte[] KeySet { get; set; } = null; } /// diff --git a/src/Core/Auth/Utilities/GuidUtilities.cs b/src/Core/Auth/Utilities/GuidUtilities.cs index 043e326b12..b15b5462f9 100644 --- a/src/Core/Auth/Utilities/GuidUtilities.cs +++ b/src/Core/Auth/Utilities/GuidUtilities.cs @@ -1,4 +1,6 @@ -namespace Bit.Core.Auth.Utilities; +using System.Security.Cryptography; + +namespace Bit.Core.Auth.Utilities; public static class GuidUtilities { @@ -15,5 +17,20 @@ public static class GuidUtilities return false; } } + + /// + /// Creates a genuinely random GUID as the login session IDs for opaque need to be cryptographically secure. + /// + public static Guid MakeCryptoGuid() + { + // Get 16 cryptographically random bytes + var data = RandomNumberGenerator.GetBytes(16); + + // Mark it as a version 4 GUID + data[7] = (byte)((data[7] | (byte)0x40) & (byte)0x4f); + data[8] = (byte)((data[8] | (byte)0x80) & (byte)0xbf); + + return new Guid(data); + } } diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs index b3f9441a90..2815926b03 100644 --- a/src/Core/Services/Implementations/UserService.cs +++ b/src/Core/Services/Implementations/UserService.cs @@ -668,14 +668,16 @@ public class UserService : UserManager, IUserService, IDisposable user.Key = key; user.MasterPasswordHint = passwordHint; - // TODO: feature flag this - if (opaqueSessionId != null) + if (_featureService.IsEnabled(FeatureFlagKeys.OpaqueKeyExchange)) { - await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase((Guid)opaqueSessionId, user); - } - else - { - await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); + if (opaqueSessionId != null) + { + await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase((Guid)opaqueSessionId, user); + } + else + { + await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); + } } await _userRepository.ReplaceAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword); @@ -818,7 +820,10 @@ public class UserService : UserManager, IUserService, IDisposable user.Key = key; // TODO: Add Opaque-KE support - await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); + if (_featureService.IsEnabled(FeatureFlagKeys.OpaqueKeyExchange)) + { + await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); + } await _userRepository.ReplaceAsync(user); await _mailService.SendAdminResetPasswordEmailAsync(user.Email, user.Name, org.DisplayName()); await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_AdminResetPassword); @@ -846,7 +851,10 @@ public class UserService : UserManager, IUserService, IDisposable user.MasterPasswordHint = hint; // TODO: Add Opaque-KE support - await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); + if (_featureService.IsEnabled(FeatureFlagKeys.OpaqueKeyExchange)) + { + await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); + } await _userRepository.ReplaceAsync(user); await _mailService.SendUpdatedTempPasswordEmailAsync(user.Email, user.Name); await _eventService.LogUserEventAsync(user.Id, EventType.User_UpdatedTempPassword); diff --git a/src/Identity/Controllers/AccountsController.cs b/src/Identity/Controllers/AccountsController.cs index 9c8a110be1..ec78046521 100644 --- a/src/Identity/Controllers/AccountsController.cs +++ b/src/Identity/Controllers/AccountsController.cs @@ -48,7 +48,6 @@ public class AccountsController : Controller private readonly IReferenceEventService _referenceEventService; private readonly IFeatureService _featureService; private readonly IDataProtectorTokenFactory _registrationEmailVerificationTokenDataFactory; - private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService; private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository; private readonly byte[] _defaultKdfHmacKey = null; @@ -99,7 +98,6 @@ public class AccountsController : Controller IFeatureService featureService, IDataProtectorTokenFactory registrationEmailVerificationTokenDataFactory, IOpaqueKeyExchangeCredentialRepository opaqueKeyExchangeCredentialRepository, - IOpaqueKeyExchangeService opaqueKeyExchangeService, GlobalSettings globalSettings ) { @@ -114,7 +112,6 @@ public class AccountsController : Controller _referenceEventService = referenceEventService; _featureService = featureService; _registrationEmailVerificationTokenDataFactory = registrationEmailVerificationTokenDataFactory; - _opaqueKeyExchangeService = opaqueKeyExchangeService; _opaqueKeyExchangeCredentialRepository = opaqueKeyExchangeCredentialRepository; if (CoreHelpers.SettingHasValue(globalSettings.KdfDefaultHashKey)) diff --git a/src/Identity/Controllers/OpaqueKeyExchangeController.cs b/src/Identity/Controllers/OpaqueKeyExchangeController.cs index 90a005d754..e4c08665b4 100644 --- a/src/Identity/Controllers/OpaqueKeyExchangeController.cs +++ b/src/Identity/Controllers/OpaqueKeyExchangeController.cs @@ -2,58 +2,20 @@ using Bit.Api.Auth.Models.Request.Opaque; using Bit.Api.Auth.Models.Response.Opaque; using Bit.Core; using Bit.Core.Auth.Models.Api.Request.Opaque; -using Bit.Core.Auth.Models.Api.Response.Opaque; using Bit.Core.Auth.Services; -using Bit.Core.Services; using Bit.Core.Utilities; -using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; namespace Bit.Identity.Controllers; [RequireFeature(FeatureFlagKeys.OpaqueKeyExchange)] [Route("opaque-ke")] -[Authorize("Application")] public class OpaqueKeyExchangeController( - IOpaqueKeyExchangeService opaqueKeyExchangeService, - IUserService userService + IOpaqueKeyExchangeService opaqueKeyExchangeService ) : Controller { private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService = opaqueKeyExchangeService; - private readonly IUserService _userService = userService; - [HttpPost("start-registration")] - public async Task StartRegistrationAsync( - [FromBody] OpaqueRegistrationStartRequest request) - { - var user = await _userService.GetUserByPrincipalAsync(User) - ?? throw new UnauthorizedAccessException(); - var result = await _opaqueKeyExchangeService.StartRegistration( - Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration); - return result; - } - - [HttpPost("finish-registration")] - public async Task FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request) - { - var user = await _userService.GetUserByPrincipalAsync(User) - ?? throw new UnauthorizedAccessException(); - // todo check response - - await _opaqueKeyExchangeService.FinishRegistration( - request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet); - } - - [HttpPost("set-registration-active")] - public async Task SetRegistrationActiveAsync([FromBody] OpaqueSetRegistrationActiveRequest request) - { - var user = await _userService.GetUserByPrincipalAsync(User) - ?? throw new UnauthorizedAccessException(); - // todo check response - await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase(request.SessionId, user); - } - - [AllowAnonymous] [HttpPost("start-login")] public async Task StartOpaqueLoginAsync([FromBody] OpaqueLoginStartRequest request) { @@ -61,7 +23,6 @@ public class OpaqueKeyExchangeController( return new OpaqueLoginStartResponse(result.Item1, Convert.ToBase64String(result.Item2)); } - [AllowAnonymous] [HttpPost("finish-login")] public async Task FinishLoginAsync([FromBody] OpaqueLoginFinishRequest request) { diff --git a/test/Identity.Test/Controllers/AccountsControllerTests.cs b/test/Identity.Test/Controllers/AccountsControllerTests.cs index ade07ce049..4928d08316 100644 --- a/test/Identity.Test/Controllers/AccountsControllerTests.cs +++ b/test/Identity.Test/Controllers/AccountsControllerTests.cs @@ -47,7 +47,6 @@ public class AccountsControllerTests : IDisposable private readonly IFeatureService _featureService; private readonly IDataProtectorTokenFactory _registrationEmailVerificationTokenDataFactory; private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository; - private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService; private readonly GlobalSettings _globalSettings; @@ -65,7 +64,6 @@ public class AccountsControllerTests : IDisposable _featureService = Substitute.For(); _registrationEmailVerificationTokenDataFactory = Substitute.For>(); _opaqueKeyExchangeCredentialRepository = Substitute.For(); - _opaqueKeyExchangeService = Substitute.For(); _globalSettings = Substitute.For(); _sut = new AccountsController( @@ -81,7 +79,6 @@ public class AccountsControllerTests : IDisposable _featureService, _registrationEmailVerificationTokenDataFactory, _opaqueKeyExchangeCredentialRepository, - _opaqueKeyExchangeService, _globalSettings ); }