From 477f679fc6243308153fc652f096a039ab2deab0 Mon Sep 17 00:00:00 2001 From: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Date: Tue, 20 Apr 2021 16:58:57 -0500 Subject: [PATCH] [Reset Password] Admin reset actions (#1272) * [Reset Password] Admin reset actions * Updated thrown except for permission collision * Updated GET/PUT password reset to use orgUser.Id for db operations --- .../OrganizationUsersController.cs | 69 +++++++++++++++++++ ...ganizationUserResetPasswordRequestModel.cs | 13 ++++ .../Response/OrganizationUserResponseModel.cs | 23 +++++++ .../ProfileOrganizationResponseModel.cs | 4 +- .../OrganizationUserResetPasswordDetails.cs | 29 ++++++++ src/Core/Services/IUserService.cs | 1 + .../Services/Implementations/UserService.cs | 18 +++++ 7 files changed, 155 insertions(+), 2 deletions(-) create mode 100644 src/Core/Models/Api/Request/Organizations/OrganizationUserResetPasswordRequestModel.cs create mode 100644 src/Core/Models/Data/OrganizationUserResetPasswordDetails.cs diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs index 219a757e7b..f3de59616a 100644 --- a/src/Api/Controllers/OrganizationUsersController.cs +++ b/src/Api/Controllers/OrganizationUsersController.cs @@ -9,7 +9,9 @@ using Bit.Core.Exceptions; using Bit.Core.Services; using Bit.Core.Context; using System.Collections.Generic; +using Bit.Core.Enums; using Bit.Core.Models.Business; +using Bit.Core.Models.Data; namespace Bit.Api.Controllers { @@ -87,6 +89,33 @@ namespace Bit.Api.Controllers var responses = groupIds.Select(g => g.ToString()); return responses; } + + [HttpGet("{id}/reset-password-details")] + public async Task GetResetPasswordDetails(string orgId, string id) + { + // Make sure the calling user can reset passwords for this org + var orgGuidId = new Guid(orgId); + if (!_currentContext.ManageResetPassword(orgGuidId)) + { + throw new NotFoundException(); + } + + var organizationUser = await _organizationUserRepository.GetByIdAsync(new Guid(id)); + if (organizationUser == null || !organizationUser.UserId.HasValue) + { + throw new NotFoundException(); + } + + // Retrieve data necessary for response (KDF, KDF Iterations, ResetPasswordKey) + // TODO Revisit this and create SPROC to reduce DB calls + var user = await _userService.GetUserByIdAsync(organizationUser.UserId.Value); + if (user == null) + { + throw new NotFoundException(); + } + + return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user)); + } [HttpPost("invite")] public async Task Invite(string orgId, [FromBody]OrganizationUserInviteRequestModel model) @@ -187,6 +216,46 @@ namespace Bit.Api.Controllers var callingUserId = _userService.GetProperUserId(User); await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId); } + + [HttpPut("{id}/reset-password")] + public async Task PutResetPassword(string orgId, string id, [FromBody]OrganizationUserResetPasswordRequestModel model) + { + var orgGuidId = new Guid(orgId); + // Calling user must have Manage Reset Password permission + if (!_currentContext.ManageResetPassword(orgGuidId)) + { + throw new NotFoundException(); + } + + var orgUser = await _organizationUserRepository.GetByIdAsync(new Guid(id)); + if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed || + orgUser.OrganizationId != orgGuidId || string.IsNullOrEmpty(orgUser.ResetPasswordKey) || + !orgUser.UserId.HasValue) + { + throw new BadRequestException("Organization User not valid"); + } + + var user = await _userService.GetUserByIdAsync(orgUser.UserId.Value); + if (user == null) + { + throw new NotFoundException(); + } + + + var result = await _userService.AdminResetPasswordAsync(user, model.NewMasterPasswordHash, model.Key); + if (result.Succeeded) + { + return; + } + + foreach (var error in result.Errors) + { + ModelState.AddModelError(string.Empty, error.Description); + } + + await Task.Delay(2000); + throw new BadRequestException(ModelState); + } [HttpDelete("{id}")] [HttpPost("{id}/delete")] diff --git a/src/Core/Models/Api/Request/Organizations/OrganizationUserResetPasswordRequestModel.cs b/src/Core/Models/Api/Request/Organizations/OrganizationUserResetPasswordRequestModel.cs new file mode 100644 index 0000000000..223bd39848 --- /dev/null +++ b/src/Core/Models/Api/Request/Organizations/OrganizationUserResetPasswordRequestModel.cs @@ -0,0 +1,13 @@ +using System.ComponentModel.DataAnnotations; + +namespace Bit.Core.Models.Api +{ + public class OrganizationUserResetPasswordRequestModel + { + [Required] + [StringLength(300)] + public string NewMasterPasswordHash { get; set; } + [Required] + public string Key { get; set; } + } +} diff --git a/src/Core/Models/Api/Response/OrganizationUserResponseModel.cs b/src/Core/Models/Api/Response/OrganizationUserResponseModel.cs index 4015de7856..8f029ae117 100644 --- a/src/Core/Models/Api/Response/OrganizationUserResponseModel.cs +++ b/src/Core/Models/Api/Response/OrganizationUserResponseModel.cs @@ -23,6 +23,7 @@ namespace Bit.Core.Models.Api Status = organizationUser.Status; AccessAll = organizationUser.AccessAll; Permissions = CoreHelpers.LoadClassFromJsonData(organizationUser.Permissions); + ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey); } public OrganizationUserResponseModel(OrganizationUserUserDetails organizationUser, string obj = "organizationUser") @@ -39,6 +40,7 @@ namespace Bit.Core.Models.Api Status = organizationUser.Status; AccessAll = organizationUser.AccessAll; Permissions = CoreHelpers.LoadClassFromJsonData(organizationUser.Permissions); + ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey); } public string Id { get; set; } @@ -47,6 +49,7 @@ namespace Bit.Core.Models.Api public OrganizationUserStatusType Status { get; set; } public bool AccessAll { get; set; } public Permissions Permissions { get; set; } + public bool ResetPasswordEnrolled { get; set; } } public class OrganizationUserDetailsResponseModel : OrganizationUserResponseModel @@ -83,4 +86,24 @@ namespace Bit.Core.Models.Api public bool TwoFactorEnabled { get; set; } public bool SsoBound { get; set; } } + + public class OrganizationUserResetPasswordDetailsResponseModel : ResponseModel + { + public OrganizationUserResetPasswordDetailsResponseModel(OrganizationUserResetPasswordDetails orgUser, + string obj = "organizationUserResetPasswordDetails") : base(obj) + { + if (orgUser == null) + { + throw new ArgumentNullException(nameof(orgUser)); + } + + Kdf = orgUser.Kdf; + KdfIterations = orgUser.KdfIterations; + ResetPasswordKey = orgUser.ResetPasswordKey; + } + + public KdfType Kdf { get; set; } + public int KdfIterations { get; set; } + public string ResetPasswordKey { get; set; } + } } diff --git a/src/Core/Models/Api/Response/ProfileOrganizationResponseModel.cs b/src/Core/Models/Api/Response/ProfileOrganizationResponseModel.cs index c28a6b753f..949bc0ce4f 100644 --- a/src/Core/Models/Api/Response/ProfileOrganizationResponseModel.cs +++ b/src/Core/Models/Api/Response/ProfileOrganizationResponseModel.cs @@ -30,7 +30,7 @@ namespace Bit.Core.Models.Api SsoBound = !string.IsNullOrWhiteSpace(organization.SsoExternalId); Identifier = organization.Identifier; Permissions = CoreHelpers.LoadClassFromJsonData(organization.Permissions); - ResetPasswordKey = organization.ResetPasswordKey; + ResetPasswordEnrolled = organization.ResetPasswordKey != null; UserId = organization.UserId?.ToString(); } @@ -57,7 +57,7 @@ namespace Bit.Core.Models.Api public bool SsoBound { get; set; } public string Identifier { get; set; } public Permissions Permissions { get; set; } - public string ResetPasswordKey { get; set; } + public bool ResetPasswordEnrolled { get; set; } public string UserId { get; set; } } } diff --git a/src/Core/Models/Data/OrganizationUserResetPasswordDetails.cs b/src/Core/Models/Data/OrganizationUserResetPasswordDetails.cs new file mode 100644 index 0000000000..40ec1408d4 --- /dev/null +++ b/src/Core/Models/Data/OrganizationUserResetPasswordDetails.cs @@ -0,0 +1,29 @@ +using System; +using Bit.Core.Enums; +using Bit.Core.Models.Table; + +namespace Bit.Core.Models.Data +{ + public class OrganizationUserResetPasswordDetails + { + public OrganizationUserResetPasswordDetails(OrganizationUser orgUser, User user) + { + if (orgUser == null) + { + throw new ArgumentNullException(nameof(orgUser)); + } + + if (user == null) + { + throw new ArgumentNullException(nameof(user)); + } + + Kdf = user.Kdf; + KdfIterations = user.KdfIterations; + ResetPasswordKey = orgUser.ResetPasswordKey; + } + public KdfType Kdf { get; set; } + public int KdfIterations { get; set; } + public string ResetPasswordKey { get; set; } + } +} diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs index 2b695690e6..ebc18dd2eb 100644 --- a/src/Core/Services/IUserService.cs +++ b/src/Core/Services/IUserService.cs @@ -34,6 +34,7 @@ namespace Bit.Core.Services string token, string key); Task ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key); Task SetPasswordAsync(User user, string newMasterPassword, string key, string orgIdentifier = null); + Task AdminResetPasswordAsync(User user, string newMasterPassword, string key); Task ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key, KdfType kdf, int kdfIterations); Task UpdateKeyAsync(User user, string masterPassword, string key, string privateKey, diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs index 268288ffe1..013b3755cd 100644 --- a/src/Core/Services/Implementations/UserService.cs +++ b/src/Core/Services/Implementations/UserService.cs @@ -600,6 +600,24 @@ namespace Bit.Core.Services return IdentityResult.Success; } + + public async Task AdminResetPasswordAsync(User user, string newMasterPassword, string key) + { + var result = await UpdatePasswordHash(user, newMasterPassword); + if (!result.Succeeded) + { + return result; + } + + user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow; + user.Key = key; + + await _userRepository.ReplaceAsync(user); + await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword); + await _pushService.PushLogOutAsync(user.Id); + + return IdentityResult.Success; + } public async Task ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key, KdfType kdf, int kdfIterations)