[Reset Password] Admin reset actions (#1272)

* [Reset Password] Admin reset actions

* Updated thrown except for permission collision

* Updated GET/PUT password reset to use orgUser.Id for db operations

src/Api/Controllers/OrganizationUsersController.cs

@@ -9,7 +9,9 @@ using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core.Context;
 using System.Collections.Generic;
+using Bit.Core.Enums;
 using Bit.Core.Models.Business;
+using Bit.Core.Models.Data;
 
 namespace Bit.Api.Controllers
 {
@@ -87,6 +89,33 @@ namespace Bit.Api.Controllers
             var responses = groupIds.Select(g => g.ToString());
             return responses;
         }
+        
+        [HttpGet("{id}/reset-password-details")]
+        public async Task<OrganizationUserResetPasswordDetailsResponseModel> GetResetPasswordDetails(string orgId, string id)
+        {
+            // Make sure the calling user can reset passwords for this org
+            var orgGuidId = new Guid(orgId);
+            if (!_currentContext.ManageResetPassword(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+
+            var organizationUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
+            if (organizationUser == null || !organizationUser.UserId.HasValue)
+            {
+                throw new NotFoundException();
+            }
+
+            // Retrieve data necessary for response (KDF, KDF Iterations, ResetPasswordKey)
+            // TODO Revisit this and create SPROC to reduce DB calls
+            var user = await _userService.GetUserByIdAsync(organizationUser.UserId.Value);
+            if (user == null)
+            {
+                throw new NotFoundException();
+            }
+
+            return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user));
+        }
 
         [HttpPost("invite")]
         public async Task Invite(string orgId, [FromBody]OrganizationUserInviteRequestModel model)
@@ -187,6 +216,46 @@ namespace Bit.Api.Controllers
             var callingUserId = _userService.GetProperUserId(User);
             await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
         }
+        
+        [HttpPut("{id}/reset-password")]
+        public async Task PutResetPassword(string orgId, string id, [FromBody]OrganizationUserResetPasswordRequestModel model)
+        {
+            var orgGuidId = new Guid(orgId);
+            // Calling user must have Manage Reset Password permission
+            if (!_currentContext.ManageResetPassword(orgGuidId))
+            {
+                throw new NotFoundException();
+            }
+            
+            var orgUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
+            if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed ||
+                orgUser.OrganizationId != orgGuidId || string.IsNullOrEmpty(orgUser.ResetPasswordKey) ||
+                !orgUser.UserId.HasValue)
+            {
+                throw new BadRequestException("Organization User not valid");
+            }
+
+            var user = await _userService.GetUserByIdAsync(orgUser.UserId.Value);
+            if (user == null)
+            {
+                throw new NotFoundException();
+            }
+
+
+            var result = await _userService.AdminResetPasswordAsync(user, model.NewMasterPasswordHash, model.Key);
+            if (result.Succeeded)
+            {
+                return;
+            }
+
+            foreach (var error in result.Errors)
+            {
+                ModelState.AddModelError(string.Empty, error.Description);
+            }
+
+            await Task.Delay(2000);
+            throw new BadRequestException(ModelState);
+            }
 
         [HttpDelete("{id}")]
         [HttpPost("{id}/delete")]

src/Core/Models/Api/Request/Organizations/OrganizationUserResetPasswordRequestModel.cs

@@ -0,0 +1,13 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Models.Api
+{
+    public class OrganizationUserResetPasswordRequestModel
+    {
+        [Required]
+        [StringLength(300)]
+        public string NewMasterPasswordHash { get; set; }
+        [Required]
+        public string Key { get; set; }
+    }
+}

src/Core/Models/Api/Response/OrganizationUserResponseModel.cs

@@ -23,6 +23,7 @@ namespace Bit.Core.Models.Api
             Status = organizationUser.Status;
             AccessAll = organizationUser.AccessAll;
             Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organizationUser.Permissions);
+            ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
         }
 
         public OrganizationUserResponseModel(OrganizationUserUserDetails organizationUser, string obj = "organizationUser")
@@ -39,6 +40,7 @@ namespace Bit.Core.Models.Api
             Status = organizationUser.Status;
             AccessAll = organizationUser.AccessAll;
             Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organizationUser.Permissions);
+            ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
         }
 
         public string Id { get; set; }
@@ -47,6 +49,7 @@ namespace Bit.Core.Models.Api
         public OrganizationUserStatusType Status { get; set; }
         public bool AccessAll { get; set; }
         public Permissions Permissions { get; set; }
+        public bool ResetPasswordEnrolled { get; set; }
     }
 
     public class OrganizationUserDetailsResponseModel : OrganizationUserResponseModel
@@ -83,4 +86,24 @@ namespace Bit.Core.Models.Api
         public bool TwoFactorEnabled { get; set; }
         public bool SsoBound { get; set; }
     }
+
+    public class OrganizationUserResetPasswordDetailsResponseModel : ResponseModel
+    {
+        public OrganizationUserResetPasswordDetailsResponseModel(OrganizationUserResetPasswordDetails orgUser,
+            string obj = "organizationUserResetPasswordDetails") : base(obj)
+        {
+            if (orgUser == null)
+            {
+                throw new ArgumentNullException(nameof(orgUser));
+            }
+
+            Kdf = orgUser.Kdf;
+            KdfIterations = orgUser.KdfIterations;
+            ResetPasswordKey = orgUser.ResetPasswordKey;
+        }
+        
+        public KdfType Kdf { get; set; }
+        public int KdfIterations { get; set; }
+        public string ResetPasswordKey { get; set; }
+    }
 }

src/Core/Models/Api/Response/ProfileOrganizationResponseModel.cs

@@ -30,7 +30,7 @@ namespace Bit.Core.Models.Api
             SsoBound = !string.IsNullOrWhiteSpace(organization.SsoExternalId);
             Identifier = organization.Identifier;
             Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organization.Permissions);
-            ResetPasswordKey = organization.ResetPasswordKey;
+            ResetPasswordEnrolled = organization.ResetPasswordKey != null;
             UserId = organization.UserId?.ToString();
         }
 
@@ -57,7 +57,7 @@ namespace Bit.Core.Models.Api
         public bool SsoBound { get; set; }
         public string Identifier { get; set; }
         public Permissions Permissions { get; set; }
-        public string ResetPasswordKey { get; set; }
+        public bool ResetPasswordEnrolled { get; set; }
         public string UserId { get; set; }
     }
 }

src/Core/Models/Data/OrganizationUserResetPasswordDetails.cs

@@ -0,0 +1,29 @@
+using System;
+using Bit.Core.Enums;
+using Bit.Core.Models.Table;
+
+namespace Bit.Core.Models.Data
+{
+    public class OrganizationUserResetPasswordDetails
+    {
+        public OrganizationUserResetPasswordDetails(OrganizationUser orgUser, User user)
+        {
+            if (orgUser == null)
+            {
+                throw new ArgumentNullException(nameof(orgUser));
+            }
+            
+            if (user == null)
+            {
+                throw new ArgumentNullException(nameof(user));
+            }
+
+            Kdf = user.Kdf;
+            KdfIterations = user.KdfIterations;
+            ResetPasswordKey = orgUser.ResetPasswordKey;
+        }
+        public KdfType Kdf { get; set; }
+        public int KdfIterations { get; set; }
+        public string ResetPasswordKey { get; set; }
+    }
+}

src/Core/Services/IUserService.cs

@@ -34,6 +34,7 @@ namespace Bit.Core.Services
             string token, string key);
         Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key);
         Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key, string orgIdentifier = null);
+        Task<IdentityResult> AdminResetPasswordAsync(User user, string newMasterPassword, string key);
         Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
             KdfType kdf, int kdfIterations);
         Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,

src/Core/Services/Implementations/UserService.cs

@@ -600,6 +600,24 @@ namespace Bit.Core.Services
             
             return IdentityResult.Success;
         }
+        
+        public async Task<IdentityResult> AdminResetPasswordAsync(User user, string newMasterPassword, string key)
+        {
+            var result = await UpdatePasswordHash(user, newMasterPassword);
+            if (!result.Succeeded)
+            {
+                return result;
+            }
+
+            user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
+            user.Key = key;
+
+            await _userRepository.ReplaceAsync(user);
+            await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
+            await _pushService.PushLogOutAsync(user.Id);
+
+            return IdentityResult.Success;
+        }
 
         public async Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword,
             string key, KdfType kdf, int kdfIterations)