Use sas token for attachment downloads (#1153)

* Get limited life attachment download URL

This change limits url download to a 1min lifetime.
This requires moving to a new container to allow for non-public blob
access.

Clients will have to call GetAttachmentData api function to receive the download
URL. For backwards compatibility, attachment URLs are still present, but will not
work for attachments stored in non-public access blobs.

* Make GlobalSettings interface for testing

* Test LocalAttachmentStorageService equivalence

* Remove comment

* Add missing globalSettings using

* Simplify default attachment container

* Default to attachments containe for existing methods

A new upload method will be made for uploading to attachments-v2.
For compatibility for clients which don't use these new methods, we need
to still use the old container. The new container will be used only for
new uploads

* Remove Default MetaData fixture.

* Keep attachments container blob-level security for all instances

* Close unclosed FileStream

* Favor default value for noop services

src/Api/Controllers/AccountsController.cs

@@ -9,6 +9,7 @@ using Bit.Core.Models.Data;
 using Bit.Core.Models.Table;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

src/Api/Controllers/CiphersController.cs

@@ -7,12 +7,12 @@ using Microsoft.AspNetCore.Authorization;
 using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
-using Bit.Core;
 using Bit.Core.Context;
 using Bit.Api.Utilities;
-using Bit.Core.Utilities;
 using System.Collections.Generic;
 using Bit.Core.Models.Table;
+using Bit.Core.Settings;
+
 
 namespace Bit.Api.Controllers
 {
@@ -24,6 +24,7 @@ namespace Bit.Api.Controllers
         private readonly ICollectionCipherRepository _collectionCipherRepository;
         private readonly ICipherService _cipherService;
         private readonly IUserService _userService;
+        private readonly IAttachmentStorageService _attachmentStorageService;
         private readonly ICurrentContext _currentContext;
         private readonly GlobalSettings _globalSettings;
 
@@ -32,6 +33,7 @@ namespace Bit.Api.Controllers
             ICollectionCipherRepository collectionCipherRepository,
             ICipherService cipherService,
             IUserService userService,
+            IAttachmentStorageService attachmentStorageService,
             ICurrentContext currentContext,
             GlobalSettings globalSettings)
         {
@@ -39,6 +41,7 @@ namespace Bit.Api.Controllers
             _collectionCipherRepository = collectionCipherRepository;
             _cipherService = cipherService;
             _userService = userService;
+            _attachmentStorageService = attachmentStorageService;
             _currentContext = currentContext;
             _globalSettings = globalSettings;
         }
@@ -608,6 +611,27 @@ namespace Bit.Api.Controllers
             return new CipherMiniResponseModel(cipher, _globalSettings, cipher.OrganizationUseTotp);
         }
 
+        [HttpGet("{id}/attachment/{attachmentId}")]
+        public async Task<AttachmentResponseModel> GetAttachmentData(string id, string attachmentId)
+        {
+            var userId = _userService.GetProperUserId(User).Value;
+            var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
+            var attachments = cipher.GetAttachments();
+
+            if (!attachments.ContainsKey(attachmentId))
+            {
+                throw new NotFoundException();
+            }
+
+            var data = attachments[attachmentId];
+            var response = new AttachmentResponseModel(attachmentId, data, cipher, _globalSettings)
+            {
+                Url = await _attachmentStorageService.GetAttachmentDownloadUrlAsync(cipher, data)
+            };
+
+            return response;
+        }
+
         [HttpPost("{id}/attachment/{attachmentId}/share")]
         [RequestSizeLimit(105_906_176)]
         [DisableFormValueModelBinding]

src/Api/Controllers/HibpController.cs

@@ -5,12 +5,12 @@ using Microsoft.AspNetCore.Authorization;
 using System.Net.Http;
 using System.Security.Cryptography;
 using Bit.Core.Services;
-using Bit.Core;
 using Bit.Core.Context;
 using System.Net;
 using Bit.Core.Exceptions;
 using System.Linq;
 using Bit.Core.Utilities;
+using Bit.Core.Settings;
 
 namespace Bit.Api.Controllers
 {

src/Api/Controllers/MiscController.cs

@@ -4,7 +4,7 @@ using Bit.Core.Models.Api;
 using System.Threading.Tasks;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
-using Bit.Core;
+using Bit.Core.Settings;
 using Stripe;
 using System.Linq;
 using System.Collections.Generic;

src/Api/Controllers/OrganizationsController.cs

@@ -8,11 +8,11 @@ using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
-using Bit.Core;
 using Bit.Core.Context;
 using Bit.Api.Utilities;
 using Bit.Core.Models.Business;
 using Bit.Core.Utilities;
+using Bit.Core.Settings;
 
 namespace Bit.Api.Controllers
 {

src/Api/Controllers/PoliciesController.cs

@@ -7,10 +7,10 @@ using Microsoft.AspNetCore.Authorization;
 using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
-using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Utilities;
+using Bit.Core.Settings;
 using Microsoft.AspNetCore.DataProtection;
 
 namespace Bit.Api.Controllers

src/Api/Controllers/PushController.cs

@@ -10,6 +10,7 @@ using System.Linq;
 using Microsoft.AspNetCore.Hosting;
 using Bit.Api.Utilities;
 using Bit.Core.Utilities;
+using Bit.Core.Settings;
 using Microsoft.Extensions.Hosting;
 
 namespace Bit.Api.Controllers

src/Api/Controllers/SendsController.cs

@@ -7,10 +7,10 @@ using Microsoft.AspNetCore.Authorization;
 using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
-using Bit.Core;
 using Bit.Api.Utilities;
 using Bit.Core.Models.Table;
 using Bit.Core.Utilities;
+using Bit.Core.Settings;
 
 namespace Bit.Api.Controllers
 {

src/Api/Controllers/SyncController.cs

@@ -5,13 +5,13 @@ using Microsoft.AspNetCore.Mvc;
 using Bit.Core.Models.Api;
 using Bit.Core.Services;
 using Bit.Core.Repositories;
-using Bit.Core;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using System.Linq;
 using Bit.Core.Models.Table;
 using System.Collections.Generic;
 using Bit.Core.Models.Data;
+using Bit.Core.Settings;
 
 namespace Bit.Api.Controllers
 {

src/Api/Controllers/TwoFactorController.cs

@@ -9,11 +9,11 @@ using Microsoft.AspNetCore.Identity;
 using Bit.Core.Models.Table;
 using Bit.Core.Enums;
 using System.Linq;
-using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Repositories;
 using Bit.Core.Utilities;
 using Bit.Core.Utilities.Duo;
+using Bit.Core.Settings;
 
 namespace Bit.Api.Controllers
 {

src/Api/Jobs/JobsHostedService.cs

@@ -2,8 +2,8 @@
 using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
-using Bit.Core;
 using Bit.Core.Jobs;
+using Bit.Core.Settings;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Quartz;

src/Api/Public/Controllers/OrganizationController.cs

@@ -1,11 +1,11 @@
 using System.Linq;
 using System.Net;
 using System.Threading.Tasks;
-using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api.Public;
 using Bit.Core.Services;
+using Bit.Core.Settings;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 

src/Api/Startup.cs

@@ -7,6 +7,7 @@ using Bit.Api.Utilities;
 using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Identity;
+using Bit.Core.Settings;
 using Newtonsoft.Json.Serialization;
 using AspNetCoreRateLimit;
 using Stripe;

src/Api/Utilities/ServiceCollectionExtensions.cs

@@ -1,7 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using Bit.Core;
+using Bit.Core.Settings;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.OpenApi.Models;