nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-02 08:32:50 -05:00
Code Activity

move identityserver libs into core

Browse Source
This commit is contained in:
Kyle Spearrin
2017-05-05 16:11:50 -04:00
parent 7f3bc450fd
commit 49bee6935a
11 changed files with 13 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/Api/Api.csproj
View File

@ -39,7 +39,6 @@
<PackageReference Include="AspNetCoreRateLimit" Version="1.0.5" />
<PackageReference Include="Serilog.Extensions.Logging" Version="1.4.0" />
<PackageReference Include="Serilog.Sinks.AzureDocumentDb" Version="3.6.1" />
<PackageReference Include="IdentityServer4" Version="1.3.1" />
<PackageReference Include="IdentityServer4.AccessTokenValidation" Version="1.1.0" />
<PackageReference Include="System.Net.Http" Version="4.3.1" />
</ItemGroup>

13
src/Api/IdentityServer/AllowAllCorsPolicyService.cs
View File

@ -1,13 +0,0 @@
using IdentityServer4.Services;
using System.Threading.Tasks;
namespace Bit.Api.IdentityServer
{
public class AllowAllCorsPolicyService : ICorsPolicyService
{
public Task<bool> IsOriginAllowedAsync(string origin)
{
return Task.FromResult(true);
}
}
}

31
src/Api/IdentityServer/ApiResources.cs
View File

@ -1,31 +0,0 @@
using IdentityServer4.Models;
using System.Collections.Generic;
using System.Security.Claims;
namespace Bit.Api.IdentityServer
{
public class ApiResources
{
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("api", new string[] {
ClaimTypes.AuthenticationMethod,
ClaimTypes.NameIdentifier,
ClaimTypes.Email,
"securitystamp",
"name",
"email",
"sstamp", // security stamp
"plan",
"device",
"orgowner",
"orgadmin",
"orguser"
})
};
}
}
}

47
src/Api/IdentityServer/Clients.cs
View File

@ -1,47 +0,0 @@
using IdentityServer4.Models;
using System.Collections.Generic;
namespace Bit.Api.IdentityServer
{
public class Clients
{
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new ApiClient("mobile", 90, 1),
new ApiClient("web", 1, 1),
new ApiClient("browser", 30, 1),
new ApiClient("desktop", 30, 1)
};
}
public class ApiClient : Client
{
public ApiClient(
string id,
int refreshTokenSlidingDays,
int accessTokenLifetimeHours,
string[] additionalScopes = null)
{
ClientId = id;
RequireClientSecret = false;
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword;
RefreshTokenExpiration = TokenExpiration.Sliding;
RefreshTokenUsage = TokenUsage.ReUse;
SlidingRefreshTokenLifetime = 86400 * refreshTokenSlidingDays;
AbsoluteRefreshTokenLifetime = int.MaxValue; // forever
UpdateAccessTokenClaimsOnRefresh = true;
AccessTokenLifetime = 3600 * accessTokenLifetimeHours;
AllowOfflineAccess = true;
var scopes = new List<string> { "api" };
if(additionalScopes != null)
{
scopes.AddRange(additionalScopes);
}
AllowedScopes = scopes;
}
}
}
}

90
src/Api/IdentityServer/PersistedGrantStore.cs
View File

@ -1,90 +0,0 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
using IdentityServer4.Models;
using IdentityServer4.Stores;
namespace Bit.Api.IdentityServer
{
public class PersistedGrantStore : IPersistedGrantStore
{
private readonly IGrantRepository _grantRepository;
public PersistedGrantStore(
IGrantRepository grantRepository)
{
_grantRepository = grantRepository;
}
public async Task<IEnumerable<PersistedGrant>> GetAllAsync(string subjectId)
{
var grants = await _grantRepository.GetManyAsync(subjectId);
var pGrants = grants.Select(g => ToPersistedGrant(g));
return pGrants;
}
public async Task<PersistedGrant> GetAsync(string key)
{
var grant = await _grantRepository.GetByKeyAsync(key);
if(grant == null)
{
return null;
}
var pGrant = ToPersistedGrant(grant);
return pGrant;
}
public async Task RemoveAllAsync(string subjectId, string clientId)
{
await _grantRepository.DeleteAsync(subjectId, clientId);
}
public async Task RemoveAllAsync(string subjectId, string clientId, string type)
{
await _grantRepository.DeleteAsync(subjectId, clientId, type);
}
public async Task RemoveAsync(string key)
{
await _grantRepository.DeleteAsync(key);
}
public async Task StoreAsync(PersistedGrant pGrant)
{
var grant = ToGrant(pGrant);
await _grantRepository.SaveAsync(grant);
}
private Grant ToGrant(PersistedGrant pGrant)
{
return new Grant
{
Key = pGrant.Key,
Type = pGrant.Type,
SubjectId = pGrant.SubjectId,
ClientId = pGrant.ClientId,
CreationDate = pGrant.CreationTime,
ExpirationDate = pGrant.Expiration,
Data = pGrant.Data
};
}
private PersistedGrant ToPersistedGrant(Grant grant)
{
return new PersistedGrant
{
Key = grant.Key,
Type = grant.Type,
SubjectId = grant.SubjectId,
ClientId = grant.ClientId,
CreationTime = grant.CreationDate,
Expiration = grant.ExpirationDate,
Data = grant.Data
};
}
}
}

124
src/Api/IdentityServer/ProfileService.cs
View File

@ -1,124 +0,0 @@
using IdentityServer4.Services;
using System.Threading.Tasks;
using IdentityServer4.Models;
using Bit.Core.Repositories;
using Bit.Core.Services;
using System.Security.Claims;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using System.Linq;
using Microsoft.Extensions.Options;
using System;
namespace Bit.Api.IdentityServer
{
public class ProfileService : IProfileService
{
private readonly IUserService _userService;
private readonly IUserRepository _userRepository;
private readonly IOrganizationUserRepository _organizationUserRepository;
private IdentityOptions _identityOptions;
public ProfileService(
IUserRepository userRepository,
IUserService userService,
IOrganizationUserRepository organizationUserRepository,
IOptions<IdentityOptions> identityOptionsAccessor)
{
_userRepository = userRepository;
_userService = userService;
_organizationUserRepository = organizationUserRepository;
_identityOptions = identityOptionsAccessor?.Value ?? new IdentityOptions();
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var existingClaims = context.Subject.Claims;
var newClaims = new List<Claim>();
var user = await _userService.GetUserByPrincipalAsync(context.Subject);
if(user != null)
{
newClaims.AddRange(new List<Claim>
{
new Claim("plan", "0"), // free plan hard coded for now
new Claim("sstamp", user.SecurityStamp),
new Claim("email", user.Email),
// Deprecated claims for backwards compatability
new Claim(_identityOptions.ClaimsIdentity.UserNameClaimType, user.Email),
new Claim(_identityOptions.ClaimsIdentity.SecurityStampClaimType, user.SecurityStamp)
});
if(!string.IsNullOrWhiteSpace(user.Name))
{
newClaims.Add(new Claim("name", user.Name));
}
// Orgs that this user belongs to
var orgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
if(orgs.Any())
{
var groupedOrgs = orgs.Where(o => o.Status == Core.Enums.OrganizationUserStatusType.Confirmed)
.GroupBy(o => o.Type);
foreach(var group in groupedOrgs)
{
switch(group.Key)
{
case Core.Enums.OrganizationUserType.Owner:
foreach(var org in group)
{
newClaims.Add(new Claim("orgowner", org.OrganizationId.ToString()));
}
break;
case Core.Enums.OrganizationUserType.Admin:
foreach(var org in group)
{
newClaims.Add(new Claim("orgadmin", org.OrganizationId.ToString()));
}
break;
case Core.Enums.OrganizationUserType.User:
foreach(var org in group)
{
newClaims.Add(new Claim("orguser", org.OrganizationId.ToString()));
}
break;
default:
break;
}
}
}
}
// filter out any of the new claims
var existingClaimsToKeep = existingClaims
.Where(c => !c.Type.StartsWith("org") && (newClaims.Count == 0 || !newClaims.Any(nc => nc.Type == c.Type)))
.ToList();
newClaims.AddRange(existingClaimsToKeep);
if(newClaims.Any())
{
context.AddFilteredClaims(newClaims);
}
}
public async Task IsActiveAsync(IsActiveContext context)
{
var securityTokenClaim = context.Subject?.Claims.FirstOrDefault(c =>
c.Type == _identityOptions.ClaimsIdentity.SecurityStampClaimType);
var user = await _userService.GetUserByPrincipalAsync(context.Subject);
if(user != null && securityTokenClaim != null)
{
context.IsActive = string.Equals(user.SecurityStamp, securityTokenClaim.Value,
StringComparison.InvariantCultureIgnoreCase);
return;
}
else
{
context.IsActive = true;
}
}
}
}

235
src/Api/IdentityServer/ResourceOwnerPasswordValidator.cs
View File

@ -1,235 +0,0 @@
using Bit.Core.Models.Api;
using Bit.Core.Models.Table;
using Bit.Core.Enums;
using Bit.Core.Identity;
using Bit.Core.Repositories;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
namespace Bit.Api.IdentityServer
{
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
private UserManager<User> _userManager;
private IdentityOptions _identityOptions;
private JwtBearerOptions _jwtBearerOptions;
private JwtBearerIdentityOptions _jwtBearerIdentityOptions;
private readonly IDeviceRepository _deviceRepository;
public ResourceOwnerPasswordValidator(
UserManager<User> userManager,
IOptions<IdentityOptions> identityOptionsAccessor,
IOptions<JwtBearerIdentityOptions> jwtIdentityOptionsAccessor,
IDeviceRepository deviceRepository)
{
_userManager = userManager;
_identityOptions = identityOptionsAccessor?.Value ?? new IdentityOptions();
_jwtBearerIdentityOptions = jwtIdentityOptionsAccessor?.Value;
_jwtBearerOptions = Core.Identity.JwtBearerAppBuilderExtensions.BuildJwtBearerOptions(_jwtBearerIdentityOptions);
_deviceRepository = deviceRepository;
}
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{
var oldAuthBearer = context.Request.Raw["OldAuthBearer"]?.ToString();
var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString();
var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString();
var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider);
if(!string.IsNullOrWhiteSpace(oldAuthBearer) && _jwtBearerOptions != null)
{
// support transferring the old auth bearer token
var ticket = ValidateOldAuthBearer(oldAuthBearer);
if(ticket != null && ticket.Principal != null)
{
var idClaim = ticket.Principal.Claims
.FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.UserIdClaimType);
var securityTokenClaim = ticket.Principal.Claims
.FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.SecurityStampClaimType);
if(idClaim != null && securityTokenClaim != null)
{
var user = await _userManager.FindByIdAsync(idClaim.Value);
if(user != null && user.SecurityStamp == securityTokenClaim.Value)
{
var device = await SaveDeviceAsync(user, context);
BuildSuccessResult(user, context, device);
return;
}
}
}
}
else if(!string.IsNullOrWhiteSpace(context.UserName))
{
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
if(user != null)
{
if(await _userManager.CheckPasswordAsync(user, context.Password))
{
TwoFactorProviderType twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it
if(!twoFactorRequest && await TwoFactorRequiredAsync(user))
{
BuildTwoFactorResult(user, context);
return;
}
if(twoFactorRequest && !Enum.TryParse(twoFactorProvider, out twoFactorProviderType))
{
BuildTwoFactorResult(user, context);
return;
}
if(!twoFactorRequest ||
await _userManager.VerifyTwoFactorTokenAsync(user, twoFactorProviderType.ToString(), twoFactorToken))
{
var device = await SaveDeviceAsync(user, context);
BuildSuccessResult(user, context, device);
return;
}
}
}
}
await Task.Delay(2000); // Delay for brute force.
BuildErrorResult(twoFactorRequest, context);
}
private void BuildSuccessResult(User user, ResourceOwnerPasswordValidationContext context, Device device)
{
var claims = new List<Claim>
{
// Deprecated claims for backwards compatability
new Claim(ClaimTypes.AuthenticationMethod, "Application"),
new Claim(_identityOptions.ClaimsIdentity.UserIdClaimType, user.Id.ToString())
};
if(device != null)
{
claims.Add(new Claim("device", device.Identifier));
}
var customResponse = new Dictionary<string, object>();
if(!string.IsNullOrWhiteSpace(user.PrivateKey))
{
customResponse.Add("PrivateKey", user.PrivateKey);
}
context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
identityProvider: "bitwarden",
claims: claims.Count > 0 ? claims : null,
customResponse: customResponse);
}
private void BuildTwoFactorResult(User user, ResourceOwnerPasswordValidationContext context)
{
var providers = new List<byte>();
if(user.TwoFactorProvider.HasValue)
{
providers.Add((byte)user.TwoFactorProvider.Value);
}
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
new Dictionary<string, object>
{
{ "TwoFactorProviders", providers }
});
}
private void BuildErrorResult(bool twoFactorRequest, ResourceOwnerPasswordValidationContext context)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
customResponse: new Dictionary<string, object>
{{
"ErrorModel", new ErrorResponseModel(twoFactorRequest ?
"Code is not correct. Try again." : "Username or password is incorrect. Try again.")
}});
}
private AuthenticationTicket ValidateOldAuthBearer(string token)
{
SecurityToken validatedToken;
foreach(var validator in _jwtBearerOptions.SecurityTokenValidators)
{
if(validator.CanReadToken(token))
{
ClaimsPrincipal principal;
try
{
principal = validator.ValidateToken(token,
_jwtBearerOptions.TokenValidationParameters, out validatedToken);
}
catch
{
continue;
}
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(),
_jwtBearerOptions.AuthenticationScheme);
return ticket;
}
}
return null;
}
private async Task<bool> TwoFactorRequiredAsync(User user)
{
return _userManager.SupportsUserTwoFactor &&
await _userManager.GetTwoFactorEnabledAsync(user) &&
(await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0;
}
private Device GetDeviceFromRequest(ResourceOwnerPasswordValidationContext context)
{
var deviceIdentifier = context.Request.Raw["DeviceIdentifier"]?.ToString();
var deviceType = context.Request.Raw["DeviceType"]?.ToString();
var deviceName = context.Request.Raw["DeviceName"]?.ToString();
var devicePushToken = context.Request.Raw["DevicePushToken"]?.ToString();
DeviceType type;
if(string.IsNullOrWhiteSpace(deviceIdentifier) || string.IsNullOrWhiteSpace(deviceType) ||
string.IsNullOrWhiteSpace(deviceName) || !Enum.TryParse(deviceType, out type))
{
return null;
}
return new Device
{
Identifier = deviceIdentifier,
Name = deviceName,
Type = type,
PushToken = string.IsNullOrWhiteSpace(devicePushToken) ? null : devicePushToken
};
}
private async Task<Device> SaveDeviceAsync(User user, ResourceOwnerPasswordValidationContext context)
{
var device = GetDeviceFromRequest(context);
if(device != null)
{
var existingDevice = await _deviceRepository.GetByIdentifierAsync(device.Identifier, user.Id);
if(existingDevice == null)
{
device.UserId = user.Id;
await _deviceRepository.CreateAsync(device);
return device;
}
return existingDevice;
}
return null;
}
}
}

30
src/Api/IdentityServer/TokenRetrieval.cs
View File

@ -1,30 +0,0 @@
using Microsoft.AspNetCore.Http;
using System;
using System.Linq;
namespace Bit.Api.IdentityServer
{
public static class TokenRetrieval
{
public static Func<HttpRequest, string> FromAuthorizationHeaderOrQueryString(string headerScheme = "Bearer",
string qsName = "account_token")
{
return (request) =>
{
string authorization = request.Headers["Authorization"].FirstOrDefault();
if(string.IsNullOrWhiteSpace(authorization))
{
return request.Query[qsName].FirstOrDefault();
}
if(authorization.StartsWith(headerScheme + " ", StringComparison.OrdinalIgnoreCase))
{
return authorization.Substring(headerScheme.Length + 1).Trim();
}
return null;
};
}
}
}

2
src/Api/Startup.cs
View File

@ -26,7 +26,7 @@ using IdentityServer4.Stores;
using Bit.Core.Utilities;
using Serilog;
using Serilog.Events;
using Bit.Api.IdentityServer;
using Bit.Core.IdentityServer;
using Bit.Core.Enums;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.WindowsAzure.Storage;