nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-14 22:27:32 -05:00
Code Activity

Merge branch 'master' into feature/flexible-collections

Browse Source
This commit is contained in:
Vincent Salucci
2023-09-12 10:32:23 -05:00
parent 3c9c8acc22 0be766c98a
commit 4ac1b10fb1
21 changed files with 270 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/Api/SecretsManager/Controllers/ProjectsController.cs
View File

@ -79,8 +79,8 @@ public class ProjectsController : Controller
throw new NotFoundException();
}
var (max, atMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId);
if (atMax != null && atMax.Value)
var (max, overMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId, 1);
if (overMax != null && overMax.Value)
{
throw new BadRequestException($"You have reached the maximum number of projects ({max}) for this plan.");
}

17
src/Api/SecretsManager/Controllers/SecretsManagerPortingController.cs
View File

@ -4,6 +4,7 @@ using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.SecretsManager.Commands.Porting.Interfaces;
using Bit.Core.SecretsManager.Queries.Projects.Interfaces;
using Bit.Core.SecretsManager.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
@ -19,14 +20,18 @@ public class SecretsManagerPortingController : Controller
private readonly ISecretRepository _secretRepository;
private readonly IProjectRepository _projectRepository;
private readonly IUserService _userService;
private readonly IMaxProjectsQuery _maxProjectsQuery;
private readonly IImportCommand _importCommand;
private readonly ICurrentContext _currentContext;
public SecretsManagerPortingController(ISecretRepository secretRepository, IProjectRepository projectRepository, IUserService userService, IImportCommand importCommand, ICurrentContext currentContext)
public SecretsManagerPortingController(ISecretRepository secretRepository, IProjectRepository projectRepository,
IUserService userService, IMaxProjectsQuery maxProjectsQuery, IImportCommand importCommand,
ICurrentContext currentContext)
{
_secretRepository = secretRepository;
_projectRepository = projectRepository;
_userService = userService;
_maxProjectsQuery = maxProjectsQuery;
_importCommand = importCommand;
_currentContext = currentContext;
}
@ -69,6 +74,16 @@ public class SecretsManagerPortingController : Controller
throw new BadRequestException("A secret can only be in one project at a time.");
}
var projectsToAdd = importRequest.Projects?.Count();
if (projectsToAdd is > 0)
{
var (max, overMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId, projectsToAdd.Value);
if (overMax != null && overMax.Value)
{
throw new BadRequestException($"The maximum number of projects for this plan is ({max}).");
}
}
await _importCommand.ImportAsync(organizationId, importRequest.ToSMImport());
}
}

29
src/Core/Auth/Services/Implementations/AuthRequestService.cs
View File

@ -82,34 +82,39 @@ public class AuthRequestService : IAuthRequestService
/// </remarks>
public async Task<AuthRequest> CreateAuthRequestAsync(AuthRequestCreateRequestModel model)
{
var user = await _userRepository.GetByEmailAsync(model.Email);
if (user == null)
{
throw new NotFoundException();
}
if (!_currentContext.DeviceType.HasValue)
{
throw new BadRequestException("Device type not provided.");
}
if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
var userNotFound = false;
var user = await _userRepository.GetByEmailAsync(model.Email);
if (user == null)
{
userNotFound = true;
}
else if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
{
var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
if (devices == null || !devices.Any(d => d.Identifier == model.DeviceIdentifier))
{
throw new BadRequestException(
"Login with device is only available on devices that have been previously logged in.");
userNotFound = true;
}
}
// Anonymous endpoints must not leak that a user exists or not
if (userNotFound)
{
throw new BadRequestException("User or known device not found.");
}
// AdminApproval requests require correlating the user and their organization
if (model.Type == AuthRequestType.AdminApproval)
{
// TODO: When single org policy is turned on we should query for only a single organization from the current user
// and create only an AuthRequest for that organization and return only that one
// This will send out the request to all organizations this user belongs to
// This will send out the request to all organizations this user belongs to
var organizationUsers = await _organizationUserRepository.GetManyByUserAsync(_currentContext.UserId!.Value);
if (organizationUsers.Count == 0)
@ -173,7 +178,7 @@ public class AuthRequestService : IAuthRequestService
switch (authRequest.Type)
{
case AuthRequestType.AdminApproval:
// AdminApproval has a different expiration time, by default is 7 days compared to
// AdminApproval has a different expiration time, by default is 7 days compared to
// non-AdminApproval ones having a default of 15 minutes.
if (IsDateExpired(authRequest.CreationDate, _globalSettings.PasswordlessAuth.AdminRequestExpiration))
{
@ -213,7 +218,7 @@ public class AuthRequestService : IAuthRequestService
await _authRequestRepository.ReplaceAsync(authRequest);
// We only want to send an approval notification if the request is approved (or null),
// We only want to send an approval notification if the request is approved (or null),
// to not leak that it was denied to the originating client if it was originated by a malicious actor.
if (authRequest.Approved ?? true)
{

4
src/Core/Context/CurrentContext.cs
View File

@ -358,7 +358,9 @@ public class CurrentContext : ICurrentContext
public async Task<bool> ViewAssignedCollections(Guid orgId)
{
return await EditAssignedCollections(orgId) || await DeleteAssignedCollections(orgId);
return await CreateNewCollections(orgId) // Required to display the existing collections under which the new collection can be nested
|| await EditAssignedCollections(orgId)
|| await DeleteAssignedCollections(orgId);
}
public async Task<bool> ManageGroups(Guid orgId)

74
src/Core/Models/Business/TaxInfo.cs
View File

@ -35,14 +35,23 @@ public class TaxInfo
return _taxIdType;
}
switch (BillingAddressCountry)
switch (BillingAddressCountry.ToUpper())
{
case "AD":
_taxIdType = "ad_nrt";
break;
case "AE":
_taxIdType = "ae_trn";
break;
case "AR":
_taxIdType = "ar_cuit";
break;
case "AU":
_taxIdType = "au_abn";
break;
case "BO":
_taxIdType = "bo_tin";
break;
case "BR":
_taxIdType = "br_cnpj";
break;
@ -55,9 +64,45 @@ public class TaxInfo
}
_taxIdType = "ca_bn";
break;
case "CH":
_taxIdType = "ch_vat";
break;
case "CL":
_taxIdType = "cl_tin";
break;
case "CN":
_taxIdType = "cn_tin";
break;
case "CO":
_taxIdType = "co_nit";
break;
case "CR":
_taxIdType = "cr_tin";
break;
case "DO":
_taxIdType = "do_rcn";
break;
case "EC":
_taxIdType = "ec_ruc";
break;
case "EG":
_taxIdType = "eg_tin";
break;
case "GE":
_taxIdType = "ge_vat";
break;
case "ID":
_taxIdType = "id_npwp";
break;
case "IL":
_taxIdType = "il_vat";
break;
case "IS":
_taxIdType = "is_vat";
break;
case "KE":
_taxIdType = "ke_pin";
break;
case "AT":
case "BE":
case "BG":
@ -115,6 +160,15 @@ public class TaxInfo
case "NZ":
_taxIdType = "nz_gst";
break;
case "PE":
_taxIdType = "pe_ruc";
break;
case "PH":
_taxIdType = "ph_tin";
break;
case "RS":
_taxIdType = "rs_pib";
break;
case "RU":
_taxIdType = "ru_inn";
break;
@ -124,15 +178,33 @@ public class TaxInfo
case "SG":
_taxIdType = "sg_gst";
break;
case "SV":
_taxIdType = "sv_nit";
break;
case "TH":
_taxIdType = "th_vat";
break;
case "TR":
_taxIdType = "tr_tin";
break;
case "TW":
_taxIdType = "tw_vat";
break;
case "UA":
_taxIdType = "ua_vat";
break;
case "US":
_taxIdType = "us_ein";
break;
case "UY":
_taxIdType = "uy_ruc";
break;
case "VE":
_taxIdType = "ve_rif";
break;
case "VN":
_taxIdType = "vn_tin";
break;
case "ZA":
_taxIdType = "za_vat";
break;

2
src/Core/SecretsManager/Queries/Projects/Interfaces/IMaxProjectsQuery.cs
View File

@ -2,5 +2,5 @@
public interface IMaxProjectsQuery
{
Task<(short? max, bool? atMax)> GetByOrgIdAsync(Guid organizationId);
Task<(short? max, bool? overMax)> GetByOrgIdAsync(Guid organizationId, int projectsToAdd);
}

6
src/Core/Services/IOrganizationService.cs
View File

@ -39,6 +39,12 @@ public interface IOrganizationService
OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid> groups);
Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId, IEnumerable<Guid> organizationUsersId);
Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId, bool initOrganization = false);
/// <summary>
/// Moves an OrganizationUser into the Accepted status and marks their email as verified.
/// This method is used where the user has clicked the invitation link sent by email.
/// </summary>
/// <param name="token">The token embedded in the email invitation link</param>
/// <returns>The accepted OrganizationUser.</returns>
Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, User user, string token, IUserService userService);
Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService);
Task<OrganizationUser> AcceptUserAsync(Guid organizationId, User user, IUserService userService);

10
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -1093,7 +1093,15 @@ public class OrganizationService : IOrganizationService
throw new BadRequestException("User email does not match invite.");
}
return await AcceptUserAsync(orgUser, user, userService);
var organizationUser = await AcceptUserAsync(orgUser, user, userService);
if (user.EmailVerified == false)
{
user.EmailVerified = true;
await _userRepository.ReplaceAsync(user);
}
return organizationUser;
}
public async Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService)

24
src/Identity/IdentityServer/BaseRequestValidator.cs
View File

@ -26,6 +26,7 @@ using Bit.Core.Utilities;
using Bit.Identity.Utilities;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Distributed;
namespace Bit.Identity.IdentityServer;
@ -45,6 +46,8 @@ public abstract class BaseRequestValidator<T> where T : class
private readonly GlobalSettings _globalSettings;
private readonly IUserRepository _userRepository;
private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _tokenDataFactory;
private readonly IDistributedCache _distributedCache;
private readonly DistributedCacheEntryOptions _cacheEntryOptions;
protected ICurrentContext CurrentContext { get; }
protected IPolicyService PolicyService { get; }
@ -69,7 +72,8 @@ public abstract class BaseRequestValidator<T> where T : class
IPolicyService policyService,
IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
IFeatureService featureService,
ISsoConfigRepository ssoConfigRepository)
ISsoConfigRepository ssoConfigRepository,
IDistributedCache distributedCache)
{
_userManager = userManager;
_deviceRepository = deviceRepository;
@ -89,6 +93,14 @@ public abstract class BaseRequestValidator<T> where T : class
_tokenDataFactory = tokenDataFactory;
FeatureService = featureService;
SsoConfigRepository = ssoConfigRepository;
_distributedCache = distributedCache;
_cacheEntryOptions = new DistributedCacheEntryOptions
{
// This sets the time an item is cached to 15 minutes. This value is hard coded
// to 15 because to it covers all time-out windows for both Authenticators and
// Email TOTP.
AbsoluteExpirationRelativeToNow = new TimeSpan(0, 15, 0)
};
}
protected async Task ValidateAsync(T context, ValidatedTokenRequest request,
@ -135,6 +147,15 @@ public abstract class BaseRequestValidator<T> where T : class
var verified = await VerifyTwoFactor(user, twoFactorOrganization,
twoFactorProviderType, twoFactorToken);
var cacheKey = "TOTP_" + user.Email;
var isOtpCached = Core.Utilities.DistributedCacheExtensions.TryGetValue(_distributedCache, cacheKey, out string _);
if (isOtpCached)
{
await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
return;
}
if ((!verified || isBot) && twoFactorProviderType != TwoFactorProviderType.Remember)
{
await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice);
@ -148,6 +169,7 @@ public abstract class BaseRequestValidator<T> where T : class
await BuildTwoFactorResultAsync(user, twoFactorOrganization, context);
return;
}
await Core.Utilities.DistributedCacheExtensions.SetAsync(_distributedCache, cacheKey, twoFactorToken, _cacheEntryOptions);
}
else
{

7
src/Identity/IdentityServer/CustomTokenRequestValidator.cs
View File

@ -14,6 +14,7 @@ using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Distributed;
#nullable enable
@ -42,11 +43,13 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
IUserRepository userRepository,
IPolicyService policyService,
IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
IFeatureService featureService)
IFeatureService featureService,
IDistributedCache distributedCache)
: base(userManager, deviceRepository, deviceService, userService, eventService,
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
applicationCacheService, mailService, logger, currentContext, globalSettings,
userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository)
userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository,
distributedCache)
{
_userManager = userManager;
}

6
src/Identity/IdentityServer/ResourceOwnerPasswordValidator.cs
View File

@ -13,6 +13,7 @@ using Bit.Core.Utilities;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Distributed;
namespace Bit.Identity.IdentityServer;
@ -44,11 +45,12 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
IPolicyService policyService,
IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
IFeatureService featureService,
ISsoConfigRepository ssoConfigRepository)
ISsoConfigRepository ssoConfigRepository,
IDistributedCache distributedCache)
: base(userManager, deviceRepository, deviceService, userService, eventService,
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
applicationCacheService, mailService, logger, currentContext, globalSettings, userRepository, policyService,
tokenDataFactory, featureService, ssoConfigRepository)
tokenDataFactory, featureService, ssoConfigRepository, distributedCache)
{
_userManager = userManager;
_userService = userService;