mirror of
https://github.com/bitwarden/server.git
synced 2025-07-01 08:02:49 -05:00
Merge branch 'master' into feature/flexible-collections
This commit is contained in:
Vincent Salucci
@ -2,7 +2,7 @@
|
||||
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net6.0</TargetFramework>
|
||||
<Version>2023.8.2</Version>
|
||||
<Version>2023.8.3</Version>
|
||||
<RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
|
||||
<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
|
||||
@ -20,7 +20,7 @@ public class MaxProjectsQuery : IMaxProjectsQuery
|
||||
_projectRepository = projectRepository;
|
||||
}
|
||||
|
||||
public async Task<(short? max, bool? atMax)> GetByOrgIdAsync(Guid organizationId)
|
||||
public async Task<(short? max, bool? overMax)> GetByOrgIdAsync(Guid organizationId, int projectsToAdd)
|
||||
{
|
||||
var org = await _organizationRepository.GetByIdAsync(organizationId);
|
||||
if (org == null)
|
||||
@ -37,7 +37,7 @@ public class MaxProjectsQuery : IMaxProjectsQuery
|
||||
if (plan.Type == PlanType.Free)
|
||||
{
|
||||
var projects = await _projectRepository.GetProjectCountByOrganizationIdAsync(organizationId);
|
||||
return projects >= plan.MaxProjects ? (plan.MaxProjects, true) : (plan.MaxProjects, false);
|
||||
return projects + projectsToAdd > plan.MaxProjects ? (plan.MaxProjects, true) : (plan.MaxProjects, false);
|
||||
}
|
||||
|
||||
return (null, null);
|
||||
|
||||
@ -22,7 +22,7 @@ public class MaxProjectsQueryTests
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(default).ReturnsNull();
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetByOrgIdAsync(organizationId));
|
||||
await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetByOrgIdAsync(organizationId, 1));
|
||||
|
||||
await sutProvider.GetDependency<IProjectRepository>().DidNotReceiveWithAnyArgs()
|
||||
.GetProjectCountByOrganizationIdAsync(organizationId);
|
||||
@ -43,7 +43,7 @@ public class MaxProjectsQueryTests
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(
|
||||
async () => await sutProvider.Sut.GetByOrgIdAsync(organization.Id));
|
||||
async () => await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1));
|
||||
|
||||
await sutProvider.GetDependency<IProjectRepository>().DidNotReceiveWithAnyArgs()
|
||||
.GetProjectCountByOrganizationIdAsync(organization.Id);
|
||||
@ -60,7 +60,7 @@ public class MaxProjectsQueryTests
|
||||
organization.PlanType = planType;
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
|
||||
var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id);
|
||||
var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1);
|
||||
|
||||
Assert.Null(limit);
|
||||
Assert.Null(overLimit);
|
||||
@ -70,13 +70,31 @@ public class MaxProjectsQueryTests
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(PlanType.Free, 0, false)]
|
||||
[BitAutoData(PlanType.Free, 1, false)]
|
||||
[BitAutoData(PlanType.Free, 2, false)]
|
||||
[BitAutoData(PlanType.Free, 3, true)]
|
||||
[BitAutoData(PlanType.Free, 4, true)]
|
||||
[BitAutoData(PlanType.Free, 40, true)]
|
||||
public async Task GetByOrgIdAsync_SmFreePlan_Success(PlanType planType, int projects, bool shouldBeAtMax,
|
||||
[BitAutoData(PlanType.Free, 0, 1, false)]
|
||||
[BitAutoData(PlanType.Free, 1, 1, false)]
|
||||
[BitAutoData(PlanType.Free, 2, 1, false)]
|
||||
[BitAutoData(PlanType.Free, 3, 1, true)]
|
||||
[BitAutoData(PlanType.Free, 4, 1, true)]
|
||||
[BitAutoData(PlanType.Free, 40, 1, true)]
|
||||
[BitAutoData(PlanType.Free, 0, 2, false)]
|
||||
[BitAutoData(PlanType.Free, 1, 2, false)]
|
||||
[BitAutoData(PlanType.Free, 2, 2, true)]
|
||||
[BitAutoData(PlanType.Free, 3, 2, true)]
|
||||
[BitAutoData(PlanType.Free, 4, 2, true)]
|
||||
[BitAutoData(PlanType.Free, 40, 2, true)]
|
||||
[BitAutoData(PlanType.Free, 0, 3, false)]
|
||||
[BitAutoData(PlanType.Free, 1, 3, true)]
|
||||
[BitAutoData(PlanType.Free, 2, 3, true)]
|
||||
[BitAutoData(PlanType.Free, 3, 3, true)]
|
||||
[BitAutoData(PlanType.Free, 4, 3, true)]
|
||||
[BitAutoData(PlanType.Free, 40, 3, true)]
|
||||
[BitAutoData(PlanType.Free, 0, 4, true)]
|
||||
[BitAutoData(PlanType.Free, 1, 4, true)]
|
||||
[BitAutoData(PlanType.Free, 2, 4, true)]
|
||||
[BitAutoData(PlanType.Free, 3, 4, true)]
|
||||
[BitAutoData(PlanType.Free, 4, 4, true)]
|
||||
[BitAutoData(PlanType.Free, 40, 4, true)]
|
||||
public async Task GetByOrgIdAsync_SmFreePlan__Success(PlanType planType, int projects, int projectsToAdd, bool expectedOverMax,
|
||||
SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
|
||||
{
|
||||
organization.PlanType = planType;
|
||||
@ -84,12 +102,12 @@ public class MaxProjectsQueryTests
|
||||
sutProvider.GetDependency<IProjectRepository>().GetProjectCountByOrganizationIdAsync(organization.Id)
|
||||
.Returns(projects);
|
||||
|
||||
var (max, atMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id);
|
||||
var (max, overMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, projectsToAdd);
|
||||
|
||||
Assert.NotNull(max);
|
||||
Assert.NotNull(atMax);
|
||||
Assert.NotNull(overMax);
|
||||
Assert.Equal(3, max.Value);
|
||||
Assert.Equal(shouldBeAtMax, atMax);
|
||||
Assert.Equal(expectedOverMax, overMax);
|
||||
|
||||
await sutProvider.GetDependency<IProjectRepository>().Received(1)
|
||||
.GetProjectCountByOrganizationIdAsync(organization.Id);
|
||||
|
||||
@ -68,7 +68,7 @@ services:
|
||||
- mysql
|
||||
|
||||
idp:
|
||||
image: kenchan0130/simplesamlphp:1.19.3
|
||||
image: kenchan0130/simplesamlphp:1.19.8
|
||||
container_name: idp
|
||||
ports:
|
||||
- "8090:8080"
|
||||
|
||||
@ -79,8 +79,8 @@ public class ProjectsController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var (max, atMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId);
|
||||
if (atMax != null && atMax.Value)
|
||||
var (max, overMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId, 1);
|
||||
if (overMax != null && overMax.Value)
|
||||
{
|
||||
throw new BadRequestException($"You have reached the maximum number of projects ({max}) for this plan.");
|
||||
}
|
||||
|
||||
@ -4,6 +4,7 @@ using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Commands.Porting.Interfaces;
|
||||
using Bit.Core.SecretsManager.Queries.Projects.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Utilities;
|
||||
@ -19,14 +20,18 @@ public class SecretsManagerPortingController : Controller
|
||||
private readonly ISecretRepository _secretRepository;
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly IUserService _userService;
|
||||
private readonly IMaxProjectsQuery _maxProjectsQuery;
|
||||
private readonly IImportCommand _importCommand;
|
||||
private readonly ICurrentContext _currentContext;
|
||||
|
||||
public SecretsManagerPortingController(ISecretRepository secretRepository, IProjectRepository projectRepository, IUserService userService, IImportCommand importCommand, ICurrentContext currentContext)
|
||||
public SecretsManagerPortingController(ISecretRepository secretRepository, IProjectRepository projectRepository,
|
||||
IUserService userService, IMaxProjectsQuery maxProjectsQuery, IImportCommand importCommand,
|
||||
ICurrentContext currentContext)
|
||||
{
|
||||
_secretRepository = secretRepository;
|
||||
_projectRepository = projectRepository;
|
||||
_userService = userService;
|
||||
_maxProjectsQuery = maxProjectsQuery;
|
||||
_importCommand = importCommand;
|
||||
_currentContext = currentContext;
|
||||
}
|
||||
@ -69,6 +74,16 @@ public class SecretsManagerPortingController : Controller
|
||||
throw new BadRequestException("A secret can only be in one project at a time.");
|
||||
}
|
||||
|
||||
var projectsToAdd = importRequest.Projects?.Count();
|
||||
if (projectsToAdd is > 0)
|
||||
{
|
||||
var (max, overMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId, projectsToAdd.Value);
|
||||
if (overMax != null && overMax.Value)
|
||||
{
|
||||
throw new BadRequestException($"The maximum number of projects for this plan is ({max}).");
|
||||
}
|
||||
}
|
||||
|
||||
await _importCommand.ImportAsync(organizationId, importRequest.ToSMImport());
|
||||
}
|
||||
}
|
||||
|
||||
@ -82,34 +82,39 @@ public class AuthRequestService : IAuthRequestService
|
||||
/// </remarks>
|
||||
public async Task<AuthRequest> CreateAuthRequestAsync(AuthRequestCreateRequestModel model)
|
||||
{
|
||||
var user = await _userRepository.GetByEmailAsync(model.Email);
|
||||
if (user == null)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!_currentContext.DeviceType.HasValue)
|
||||
{
|
||||
throw new BadRequestException("Device type not provided.");
|
||||
}
|
||||
|
||||
if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
|
||||
var userNotFound = false;
|
||||
var user = await _userRepository.GetByEmailAsync(model.Email);
|
||||
if (user == null)
|
||||
{
|
||||
userNotFound = true;
|
||||
}
|
||||
else if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
|
||||
{
|
||||
var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
|
||||
if (devices == null || !devices.Any(d => d.Identifier == model.DeviceIdentifier))
|
||||
{
|
||||
throw new BadRequestException(
|
||||
"Login with device is only available on devices that have been previously logged in.");
|
||||
userNotFound = true;
|
||||
}
|
||||
}
|
||||
|
||||
// Anonymous endpoints must not leak that a user exists or not
|
||||
if (userNotFound)
|
||||
{
|
||||
throw new BadRequestException("User or known device not found.");
|
||||
}
|
||||
|
||||
// AdminApproval requests require correlating the user and their organization
|
||||
if (model.Type == AuthRequestType.AdminApproval)
|
||||
{
|
||||
// TODO: When single org policy is turned on we should query for only a single organization from the current user
|
||||
// and create only an AuthRequest for that organization and return only that one
|
||||
|
||||
// This will send out the request to all organizations this user belongs to
|
||||
// This will send out the request to all organizations this user belongs to
|
||||
var organizationUsers = await _organizationUserRepository.GetManyByUserAsync(_currentContext.UserId!.Value);
|
||||
|
||||
if (organizationUsers.Count == 0)
|
||||
@ -173,7 +178,7 @@ public class AuthRequestService : IAuthRequestService
|
||||
switch (authRequest.Type)
|
||||
{
|
||||
case AuthRequestType.AdminApproval:
|
||||
// AdminApproval has a different expiration time, by default is 7 days compared to
|
||||
// AdminApproval has a different expiration time, by default is 7 days compared to
|
||||
// non-AdminApproval ones having a default of 15 minutes.
|
||||
if (IsDateExpired(authRequest.CreationDate, _globalSettings.PasswordlessAuth.AdminRequestExpiration))
|
||||
{
|
||||
@ -213,7 +218,7 @@ public class AuthRequestService : IAuthRequestService
|
||||
|
||||
await _authRequestRepository.ReplaceAsync(authRequest);
|
||||
|
||||
// We only want to send an approval notification if the request is approved (or null),
|
||||
// We only want to send an approval notification if the request is approved (or null),
|
||||
// to not leak that it was denied to the originating client if it was originated by a malicious actor.
|
||||
if (authRequest.Approved ?? true)
|
||||
{
|
||||
|
||||
@ -358,7 +358,9 @@ public class CurrentContext : ICurrentContext
|
||||
|
||||
public async Task<bool> ViewAssignedCollections(Guid orgId)
|
||||
{
|
||||
return await EditAssignedCollections(orgId) || await DeleteAssignedCollections(orgId);
|
||||
return await CreateNewCollections(orgId) // Required to display the existing collections under which the new collection can be nested
|
||||
|| await EditAssignedCollections(orgId)
|
||||
|| await DeleteAssignedCollections(orgId);
|
||||
}
|
||||
|
||||
public async Task<bool> ManageGroups(Guid orgId)
|
||||
|
||||
@ -35,14 +35,23 @@ public class TaxInfo
|
||||
return _taxIdType;
|
||||
}
|
||||
|
||||
switch (BillingAddressCountry)
|
||||
switch (BillingAddressCountry.ToUpper())
|
||||
{
|
||||
case "AD":
|
||||
_taxIdType = "ad_nrt";
|
||||
break;
|
||||
case "AE":
|
||||
_taxIdType = "ae_trn";
|
||||
break;
|
||||
case "AR":
|
||||
_taxIdType = "ar_cuit";
|
||||
break;
|
||||
case "AU":
|
||||
_taxIdType = "au_abn";
|
||||
break;
|
||||
case "BO":
|
||||
_taxIdType = "bo_tin";
|
||||
break;
|
||||
case "BR":
|
||||
_taxIdType = "br_cnpj";
|
||||
break;
|
||||
@ -55,9 +64,45 @@ public class TaxInfo
|
||||
}
|
||||
_taxIdType = "ca_bn";
|
||||
break;
|
||||
case "CH":
|
||||
_taxIdType = "ch_vat";
|
||||
break;
|
||||
case "CL":
|
||||
_taxIdType = "cl_tin";
|
||||
break;
|
||||
case "CN":
|
||||
_taxIdType = "cn_tin";
|
||||
break;
|
||||
case "CO":
|
||||
_taxIdType = "co_nit";
|
||||
break;
|
||||
case "CR":
|
||||
_taxIdType = "cr_tin";
|
||||
break;
|
||||
case "DO":
|
||||
_taxIdType = "do_rcn";
|
||||
break;
|
||||
case "EC":
|
||||
_taxIdType = "ec_ruc";
|
||||
break;
|
||||
case "EG":
|
||||
_taxIdType = "eg_tin";
|
||||
break;
|
||||
case "GE":
|
||||
_taxIdType = "ge_vat";
|
||||
break;
|
||||
case "ID":
|
||||
_taxIdType = "id_npwp";
|
||||
break;
|
||||
case "IL":
|
||||
_taxIdType = "il_vat";
|
||||
break;
|
||||
case "IS":
|
||||
_taxIdType = "is_vat";
|
||||
break;
|
||||
case "KE":
|
||||
_taxIdType = "ke_pin";
|
||||
break;
|
||||
case "AT":
|
||||
case "BE":
|
||||
case "BG":
|
||||
@ -115,6 +160,15 @@ public class TaxInfo
|
||||
case "NZ":
|
||||
_taxIdType = "nz_gst";
|
||||
break;
|
||||
case "PE":
|
||||
_taxIdType = "pe_ruc";
|
||||
break;
|
||||
case "PH":
|
||||
_taxIdType = "ph_tin";
|
||||
break;
|
||||
case "RS":
|
||||
_taxIdType = "rs_pib";
|
||||
break;
|
||||
case "RU":
|
||||
_taxIdType = "ru_inn";
|
||||
break;
|
||||
@ -124,15 +178,33 @@ public class TaxInfo
|
||||
case "SG":
|
||||
_taxIdType = "sg_gst";
|
||||
break;
|
||||
case "SV":
|
||||
_taxIdType = "sv_nit";
|
||||
break;
|
||||
case "TH":
|
||||
_taxIdType = "th_vat";
|
||||
break;
|
||||
case "TR":
|
||||
_taxIdType = "tr_tin";
|
||||
break;
|
||||
case "TW":
|
||||
_taxIdType = "tw_vat";
|
||||
break;
|
||||
case "UA":
|
||||
_taxIdType = "ua_vat";
|
||||
break;
|
||||
case "US":
|
||||
_taxIdType = "us_ein";
|
||||
break;
|
||||
case "UY":
|
||||
_taxIdType = "uy_ruc";
|
||||
break;
|
||||
case "VE":
|
||||
_taxIdType = "ve_rif";
|
||||
break;
|
||||
case "VN":
|
||||
_taxIdType = "vn_tin";
|
||||
break;
|
||||
case "ZA":
|
||||
_taxIdType = "za_vat";
|
||||
break;
|
||||
|
||||
@ -2,5 +2,5 @@
|
||||
|
||||
public interface IMaxProjectsQuery
|
||||
{
|
||||
Task<(short? max, bool? atMax)> GetByOrgIdAsync(Guid organizationId);
|
||||
Task<(short? max, bool? overMax)> GetByOrgIdAsync(Guid organizationId, int projectsToAdd);
|
||||
}
|
||||
|
||||
@ -39,6 +39,12 @@ public interface IOrganizationService
|
||||
OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid> groups);
|
||||
Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId, IEnumerable<Guid> organizationUsersId);
|
||||
Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId, bool initOrganization = false);
|
||||
/// <summary>
|
||||
/// Moves an OrganizationUser into the Accepted status and marks their email as verified.
|
||||
/// This method is used where the user has clicked the invitation link sent by email.
|
||||
/// </summary>
|
||||
/// <param name="token">The token embedded in the email invitation link</param>
|
||||
/// <returns>The accepted OrganizationUser.</returns>
|
||||
Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, User user, string token, IUserService userService);
|
||||
Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService);
|
||||
Task<OrganizationUser> AcceptUserAsync(Guid organizationId, User user, IUserService userService);
|
||||
|
||||
@ -1093,7 +1093,15 @@ public class OrganizationService : IOrganizationService
|
||||
throw new BadRequestException("User email does not match invite.");
|
||||
}
|
||||
|
||||
return await AcceptUserAsync(orgUser, user, userService);
|
||||
var organizationUser = await AcceptUserAsync(orgUser, user, userService);
|
||||
|
||||
if (user.EmailVerified == false)
|
||||
{
|
||||
user.EmailVerified = true;
|
||||
await _userRepository.ReplaceAsync(user);
|
||||
}
|
||||
|
||||
return organizationUser;
|
||||
}
|
||||
|
||||
public async Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService)
|
||||
|
||||
@ -26,6 +26,7 @@ using Bit.Core.Utilities;
|
||||
using Bit.Identity.Utilities;
|
||||
using IdentityServer4.Validation;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using Microsoft.Extensions.Caching.Distributed;
|
||||
|
||||
namespace Bit.Identity.IdentityServer;
|
||||
|
||||
@ -45,6 +46,8 @@ public abstract class BaseRequestValidator<T> where T : class
|
||||
private readonly GlobalSettings _globalSettings;
|
||||
private readonly IUserRepository _userRepository;
|
||||
private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _tokenDataFactory;
|
||||
private readonly IDistributedCache _distributedCache;
|
||||
private readonly DistributedCacheEntryOptions _cacheEntryOptions;
|
||||
|
||||
protected ICurrentContext CurrentContext { get; }
|
||||
protected IPolicyService PolicyService { get; }
|
||||
@ -69,7 +72,8 @@ public abstract class BaseRequestValidator<T> where T : class
|
||||
IPolicyService policyService,
|
||||
IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
|
||||
IFeatureService featureService,
|
||||
ISsoConfigRepository ssoConfigRepository)
|
||||
ISsoConfigRepository ssoConfigRepository,
|
||||
IDistributedCache distributedCache)
|
||||
{
|
||||
_userManager = userManager;
|
||||
_deviceRepository = deviceRepository;
|
||||
@ -89,6 +93,14 @@ public abstract class BaseRequestValidator<T> where T : class
|
||||
_tokenDataFactory = tokenDataFactory;
|
||||
FeatureService = featureService;
|
||||
SsoConfigRepository = ssoConfigRepository;
|
||||
_distributedCache = distributedCache;
|
||||
_cacheEntryOptions = new DistributedCacheEntryOptions
|
||||
{
|
||||
// This sets the time an item is cached to 15 minutes. This value is hard coded
|
||||
// to 15 because to it covers all time-out windows for both Authenticators and
|
||||
// Email TOTP.
|
||||
AbsoluteExpirationRelativeToNow = new TimeSpan(0, 15, 0)
|
||||
};
|
||||
}
|
||||
|
||||
protected async Task ValidateAsync(T context, ValidatedTokenRequest request,
|
||||
@ -135,6 +147,15 @@ public abstract class BaseRequestValidator<T> where T : class
|
||||
var verified = await VerifyTwoFactor(user, twoFactorOrganization,
|
||||
twoFactorProviderType, twoFactorToken);
|
||||
|
||||
var cacheKey = "TOTP_" + user.Email;
|
||||
|
||||
var isOtpCached = Core.Utilities.DistributedCacheExtensions.TryGetValue(_distributedCache, cacheKey, out string _);
|
||||
if (isOtpCached)
|
||||
{
|
||||
await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
|
||||
return;
|
||||
}
|
||||
|
||||
if ((!verified || isBot) && twoFactorProviderType != TwoFactorProviderType.Remember)
|
||||
{
|
||||
await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice);
|
||||
@ -148,6 +169,7 @@ public abstract class BaseRequestValidator<T> where T : class
|
||||
await BuildTwoFactorResultAsync(user, twoFactorOrganization, context);
|
||||
return;
|
||||
}
|
||||
await Core.Utilities.DistributedCacheExtensions.SetAsync(_distributedCache, cacheKey, twoFactorToken, _cacheEntryOptions);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@ -14,6 +14,7 @@ using IdentityModel;
|
||||
using IdentityServer4.Extensions;
|
||||
using IdentityServer4.Validation;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using Microsoft.Extensions.Caching.Distributed;
|
||||
|
||||
#nullable enable
|
||||
|
||||
@ -42,11 +43,13 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
|
||||
IUserRepository userRepository,
|
||||
IPolicyService policyService,
|
||||
IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
|
||||
IFeatureService featureService)
|
||||
IFeatureService featureService,
|
||||
IDistributedCache distributedCache)
|
||||
: base(userManager, deviceRepository, deviceService, userService, eventService,
|
||||
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
|
||||
applicationCacheService, mailService, logger, currentContext, globalSettings,
|
||||
userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository)
|
||||
userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository,
|
||||
distributedCache)
|
||||
{
|
||||
_userManager = userManager;
|
||||
}
|
||||
|
||||
@ -13,6 +13,7 @@ using Bit.Core.Utilities;
|
||||
using IdentityServer4.Models;
|
||||
using IdentityServer4.Validation;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using Microsoft.Extensions.Caching.Distributed;
|
||||
|
||||
namespace Bit.Identity.IdentityServer;
|
||||
|
||||
@ -44,11 +45,12 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
|
||||
IPolicyService policyService,
|
||||
IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
|
||||
IFeatureService featureService,
|
||||
ISsoConfigRepository ssoConfigRepository)
|
||||
ISsoConfigRepository ssoConfigRepository,
|
||||
IDistributedCache distributedCache)
|
||||
: base(userManager, deviceRepository, deviceService, userService, eventService,
|
||||
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
|
||||
applicationCacheService, mailService, logger, currentContext, globalSettings, userRepository, policyService,
|
||||
tokenDataFactory, featureService, ssoConfigRepository)
|
||||
tokenDataFactory, featureService, ssoConfigRepository, distributedCache)
|
||||
{
|
||||
_userManager = userManager;
|
||||
_userService = userService;
|
||||
|
||||
@ -132,7 +132,7 @@ public class ProjectsControllerTests
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToProject(orgId),
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<IMaxProjectsQuery>().GetByOrgIdAsync(orgId).Returns(((short)3, true));
|
||||
sutProvider.GetDependency<IMaxProjectsQuery>().GetByOrgIdAsync(orgId, 1).Returns(((short)3, true));
|
||||
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(orgId, data));
|
||||
|
||||
@ -142,15 +142,19 @@ public class AuthRequestServiceTests
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task CreateAuthRequestAsync_NoUser_ThrowsNotFound(
|
||||
public async Task CreateAuthRequestAsync_NoUser_ThrowsBadRequest(
|
||||
SutProvider<AuthRequestService> sutProvider,
|
||||
AuthRequestCreateRequestModel createModel)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>()
|
||||
.DeviceType
|
||||
.Returns(DeviceType.Android);
|
||||
|
||||
sutProvider.GetDependency<IUserRepository>()
|
||||
.GetByEmailAsync(createModel.Email)
|
||||
.Returns((User?)null);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel));
|
||||
await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel));
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
@ -253,7 +257,7 @@ public class AuthRequestServiceTests
|
||||
|
||||
/// <summary>
|
||||
/// Story: If a user happens to exist to more than one organization, we will send the device approval request to
|
||||
/// each of them.
|
||||
/// each of them.
|
||||
/// </summary>
|
||||
[Theory, BitAutoData]
|
||||
public async Task CreateAuthRequestAsync_AdminApproval_CreatesForEachOrganization(
|
||||
@ -627,8 +631,8 @@ public class AuthRequestServiceTests
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Story: An admin approves a request for one of their org users. For auditing purposes we need to
|
||||
/// log an event that correlates the action for who the request was approved for. On approval we also need to
|
||||
/// Story: An admin approves a request for one of their org users. For auditing purposes we need to
|
||||
/// log an event that correlates the action for who the request was approved for. On approval we also need to
|
||||
/// push the notification to the user.
|
||||
/// </summary>
|
||||
[Theory, BitAutoData]
|
||||
|
||||
@ -10,6 +10,7 @@ using Bit.Core.Models.Data;
|
||||
using Bit.Core.Utilities;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Microsoft.AspNetCore.DataProtection;
|
||||
|
||||
namespace Bit.Core.Test.AutoFixture.OrganizationFixtures;
|
||||
|
||||
@ -187,3 +188,31 @@ internal class SecretsManagerOrganizationCustomizeAttribute : BitCustomizeAttrib
|
||||
public override ICustomization GetCustomization() =>
|
||||
new SecretsManagerOrganizationCustomization();
|
||||
}
|
||||
|
||||
internal class EphemeralDataProtectionCustomization : ICustomization
|
||||
{
|
||||
public void Customize(IFixture fixture)
|
||||
{
|
||||
fixture.Customizations.Add(new EphemeralDataProtectionProviderBuilder());
|
||||
}
|
||||
|
||||
private class EphemeralDataProtectionProviderBuilder : ISpecimenBuilder
|
||||
{
|
||||
public object Create(object request, ISpecimenContext context)
|
||||
{
|
||||
var type = request as Type;
|
||||
if (type == null || type != typeof(IDataProtectionProvider))
|
||||
{
|
||||
return new NoSpecimen();
|
||||
}
|
||||
|
||||
return new EphemeralDataProtectionProvider();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
internal class EphemeralDataProtectionAutoDataAttribute : CustomAutoDataAttribute
|
||||
{
|
||||
public EphemeralDataProtectionAutoDataAttribute() : base(new SutProviderCustomization(), new EphemeralDataProtectionCustomization())
|
||||
{ }
|
||||
}
|
||||
|
||||
@ -28,6 +28,7 @@ using Bit.Core.Tools.Services;
|
||||
using Bit.Core.Utilities;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Microsoft.AspNetCore.DataProtection;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ExceptionExtensions;
|
||||
using Xunit;
|
||||
@ -1835,6 +1836,42 @@ public class OrganizationServiceTests
|
||||
sutProvider.Sut.ValidateSecretsManagerPlan(plan, signup);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[EphemeralDataProtectionAutoData]
|
||||
public async Task AcceptUserAsync_Success([OrganizationUser(OrganizationUserStatusType.Invited)] OrganizationUser organizationUser,
|
||||
User user, SutProvider<OrganizationService> sutProvider)
|
||||
{
|
||||
var token = SetupAcceptUserAsyncTest(sutProvider, user, organizationUser);
|
||||
var userService = Substitute.For<IUserService>();
|
||||
|
||||
await sutProvider.Sut.AcceptUserAsync(organizationUser.Id, user, token, userService);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).ReplaceAsync(
|
||||
Arg.Is<OrganizationUser>(ou => ou.Id == organizationUser.Id && ou.Status == OrganizationUserStatusType.Accepted));
|
||||
await sutProvider.GetDependency<IUserRepository>().Received(1).ReplaceAsync(
|
||||
Arg.Is<User>(u => u.Id == user.Id && u.Email == user.Email && user.EmailVerified == true));
|
||||
}
|
||||
|
||||
private string SetupAcceptUserAsyncTest(SutProvider<OrganizationService> sutProvider, User user,
|
||||
OrganizationUser organizationUser)
|
||||
{
|
||||
user.Email = organizationUser.Email;
|
||||
user.EmailVerified = false;
|
||||
|
||||
var dataProtector = sutProvider.GetDependency<IDataProtectionProvider>()
|
||||
.CreateProtector("OrganizationServiceDataProtector");
|
||||
// Token matching the format used in OrganizationService.InviteUserAsync
|
||||
var token = dataProtector.Protect(
|
||||
$"OrganizationUserInvite {organizationUser.Id} {organizationUser.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
|
||||
|
||||
sutProvider.GetDependency<IGlobalSettings>().OrganizationInviteExpirationHours.Returns(24);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id)
|
||||
.Returns(organizationUser);
|
||||
|
||||
return token;
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[OrganizationInviteCustomize(
|
||||
InviteeUserType = OrganizationUserType.Owner,
|
||||
|
||||
@ -6,14 +6,6 @@ The final migration is in util/Migrator/DbScripts/2023-08-10_01_RemoveClientSecr
|
||||
IF COL_LENGTH('[dbo].[ApiKey]', 'ClientSecretHash') IS NOT NULL AND COL_LENGTH('[dbo].[ApiKey]', 'ClientSecret') IS NOT NULL
|
||||
BEGIN
|
||||
|
||||
-- Add index
|
||||
IF NOT EXISTS(SELECT name FROM sys.indexes WHERE name = 'IX_ApiKey_ClientSecretHash')
|
||||
BEGIN
|
||||
CREATE NONCLUSTERED INDEX [IX_ApiKey_ClientSecretHash]
|
||||
ON [dbo].[ApiKey]([ClientSecretHash] ASC)
|
||||
WITH (ONLINE = ON)
|
||||
END
|
||||
|
||||
-- Data Migration
|
||||
DECLARE @BatchSize INT = 10000
|
||||
WHILE @BatchSize > 0
|
||||
@ -34,9 +26,5 @@ BEGIN
|
||||
COMMIT TRANSACTION Migrate_ClientSecretHash
|
||||
END
|
||||
|
||||
-- Drop index
|
||||
DROP INDEX IF EXISTS [IX_ApiKey_ClientSecretHash]
|
||||
ON [dbo].[ApiKey];
|
||||
|
||||
END
|
||||
GO
|
||||
|
||||
Reference in New Issue
Block a user