nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

[Require SSO] Enterprise policy enforcement (#970)

Browse Source 
* Initial commit of require sso authentication policy enforcement

* Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future

* Update policy name // adjusted conditional to demorgan's

* Updated sproc // Added migrator script

* Added .sql file extension to DeleteOrgUserWithOrg migrator script

* Added policy // edit // strings // validation to business portal

* Change requests from review // Added Owner & Admin exemption

* Updated repository function used to get org user's type

* Updated with requested changes
This commit is contained in:
Vincent Salucci 2020-10-26 11:56:16 -05:00 committed by GitHub
parent e872b4df9d
commit 66e44759f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 195 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
bitwarden_license/src/Portal/Controllers/PoliciesController.cs
View File

@ -1,4 +1,5 @@
using System.Threading.Tasks;
using System;
using System.Threading.Tasks;
using Bit.Core.Enums;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
@ -50,7 +51,8 @@ namespace Bit.Portal.Controllers
}
var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId.Value);
return View(new PoliciesModel(policies));
var selectedOrgUseSso = _enterprisePortalCurrentContext.SelectedOrganizationDetails.UseSso;
return View(new PoliciesModel(policies, selectedOrgUseSso));
}
[HttpGet("/edit/{type}")]
@ -88,6 +90,7 @@ namespace Bit.Portal.Controllers
return Redirect("~/");
}
await ValidateDependentPolicies(type, orgId, model.Enabled);
var policy = await _policyRepository.GetByOrganizationIdTypeAsync(orgId.Value, type);
if (!ModelState.IsValid)
{
@ -119,5 +122,37 @@ namespace Bit.Portal.Controllers
return View(new PolicyEditModel(policy, _i18nService));
}
}
private async Task ValidateDependentPolicies(PolicyType type, Guid? orgId, bool enabled)
{
if (orgId == null)
{
throw new ArgumentNullException(nameof(orgId), "OrgId cannot be null");
}
switch(type)
{
case PolicyType.MasterPassword:
case PolicyType.PasswordGenerator:
case PolicyType.TwoFactorAuthentication:
case PolicyType.OnlyOrg:
break;
case PolicyType.RequireSso:
if (!enabled)
{
break;
}
var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(orgId.Value, type);
if (singleOrg?.Enabled != true)
{
ModelState.AddModelError(string.Empty, _i18nService.T("RequireSsoPolicyReqError"));
}
break;
default:
throw new ArgumentOutOfRangeException();
}
}
}
}

6
bitwarden_license/src/Portal/Models/PoliciesModel.cs
View File

@ -8,7 +8,7 @@ namespace Bit.Portal.Models
{
public class PoliciesModel
{
public PoliciesModel(ICollection<Policy> policies)
public PoliciesModel(ICollection<Policy> policies, bool useSso)
{
if (policies == null)
{
@ -20,6 +20,10 @@ namespace Bit.Portal.Models
foreach (var type in Enum.GetValues(typeof(PolicyType)).Cast<PolicyType>())
{
if (type == PolicyType.RequireSso && !useSso)
{
continue;
}
var enabled = policyDict.ContainsKey(type) ? policyDict[type].Enabled : false;
Policies.Add(new PolicyModel(type, enabled));
}

1
bitwarden_license/src/Portal/Models/PolicyEditModel.cs
View File

@ -83,6 +83,7 @@ namespace Bit.Portal.Models
break;
case PolicyType.OnlyOrg:
case PolicyType.TwoFactorAuthentication:
case PolicyType.RequireSso:
break;
default:
throw new ArgumentOutOfRangeException();

5
bitwarden_license/src/Portal/Models/PolicyModel.cs
View File

@ -37,6 +37,11 @@ namespace Bit.Portal.Models
DescriptionKey = "OnlyOrganizationDescription";
break;
case PolicyType.RequireSso:
NameKey = "RequireSso";
DescriptionKey = "RequireSsoDescription";
break;
default:
throw new ArgumentOutOfRangeException();
}

13
bitwarden_license/src/Portal/Views/Policies/Edit.cshtml
View File

@ -33,6 +33,19 @@
</div>
}
@if (Model.PolicyType == PolicyType.RequireSso)
{
<div class="callout callout-success" role="alert">
<h3 class="callout-heading">
<i class="fa fa-lightbulb-o" *ngIf="icon" aria-hidden="true"></i>
@i18nService.T("Prerequisite")
</h3>
@i18nService.T("RequireSsoPolicyReq")
</div>
}
<div asp-validation-summary="ModelOnly" class="alert alert-danger"></div>
<div class="form-group">
<div class="form-check">
<input class="form-check-input" type="checkbox" asp-for="Enabled">

1
src/Core/Enums/PolicyType.cs
View File

@ -6,5 +6,6 @@
MasterPassword = 1,
PasswordGenerator = 2,
OnlyOrg = 3,
RequireSso = 4,
}
}

74
src/Core/IdentityServer/BaseRequestValidator.cs
View File

@ -35,6 +35,7 @@ namespace Bit.Core.IdentityServer
private readonly ILogger<ResourceOwnerPasswordValidator> _logger;
private readonly CurrentContext _currentContext;
private readonly GlobalSettings _globalSettings;
private readonly IPolicyRepository _policyRepository;
public BaseRequestValidator(
UserManager<User> userManager,
@ -49,7 +50,8 @@ namespace Bit.Core.IdentityServer
IMailService mailService,
ILogger<ResourceOwnerPasswordValidator> logger,
CurrentContext currentContext,
GlobalSettings globalSettings)
GlobalSettings globalSettings,
IPolicyRepository policyRepository)
{
_userManager = userManager;
_deviceRepository = deviceRepository;
@ -64,6 +66,7 @@ namespace Bit.Core.IdentityServer
_logger = logger;
_currentContext = currentContext;
_globalSettings = globalSettings;
_policyRepository = policyRepository;
}
protected async Task ValidateAsync(T context, ValidatedTokenRequest request)
@ -112,9 +115,18 @@ namespace Bit.Core.IdentityServer
twoFactorToken = null;
}
var device = await SaveDeviceAsync(user, request);
await BuildSuccessResultAsync(user, context, device, twoFactorRequest && twoFactorRemember);
return;
if (await IsValidAuthTypeAsync(user, request.GrantType)) // Returns true if can finish validation process
{
var device = await SaveDeviceAsync(user, request);
await BuildSuccessResultAsync(user, context, device, twoFactorRequest && twoFactorRemember);
}
else
{
SetSsoResult(context, new Dictionary<string, object>
{{
"ErrorModel", new ErrorResponseModel("SSO authentication is required.")
}});
}
}
protected abstract Task<(User, bool)> ValidateContextAsync(T context);
@ -230,6 +242,8 @@ namespace Bit.Core.IdentityServer
protected abstract void SetTwoFactorResult(T context, Dictionary<string, object> customResponse);
protected abstract void SetSsoResult(T context, Dictionary<string, object> customResponse);
protected abstract void SetSuccessResult(T context, User user, List<Claim> claims,
Dictionary<string, object> customResponse);
@ -259,12 +273,64 @@ namespace Bit.Core.IdentityServer
return new Tuple<bool, Organization>(individualRequired || firstEnabledOrg != null, firstEnabledOrg);
}
private async Task<bool> IsValidAuthTypeAsync(User user, string grantType)
{
if (grantType == "authorization_code")
{
return true; // Already using SSO to authorize, finish successfully
}
// Is user apart of any orgs? Use cache for initial checks.
var orgs = (await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id))
.ToList();
if (orgs.Any())
{
// Get all org abilities
var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
// Parse all user orgs that are enabled and have the ability to use sso
var ssoOrgs = orgs.Where(o => OrgCanUseSso(orgAbilities, o.Id));
if (ssoOrgs.Any())
{
// Parse users orgs and determine if require sso policy is enabled
var userOrgs = await _organizationRepository.GetManyByUserIdAsync(user.Id);
foreach (var org in userOrgs)
{
if (!(org.Enabled && org.UseSso))
{
continue;
}
var orgPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.RequireSso);
if (orgPolicy != null && orgPolicy.Enabled)
{
var userType = await _organizationUserRepository.GetByOrganizationAsync(org.Id, user.Id);
// Owners and Admins are exempt from this policy
if (userType != null
&& userType.Type != OrganizationUserType.Owner
&& userType.Type != OrganizationUserType.Admin)
{
return false;
}
}
}
}
}
return true; // Default - continue validation process
}
private bool OrgUsing2fa(IDictionary<Guid, OrganizationAbility> orgAbilities, Guid orgId)
{
return orgAbilities != null && orgAbilities.ContainsKey(orgId) &&
orgAbilities[orgId].Enabled && orgAbilities[orgId].Using2fa;
}
private bool OrgCanUseSso(IDictionary<Guid, OrganizationAbility> orgAbilities, Guid orgId)
{
return orgAbilities != null && orgAbilities.ContainsKey(orgId) &&
orgAbilities[orgId].Enabled && orgAbilities[orgId].UseSso;
}
private Device GetDeviceFromRequest(ValidatedRequest request)
{
var deviceIdentifier = request.Raw["DeviceIdentifier"]?.ToString();

8
src/Core/IdentityServer/CustomTokenRequestValidator.cs
View File

@ -31,10 +31,11 @@ namespace Bit.Core.IdentityServer
IMailService mailService,
ILogger<ResourceOwnerPasswordValidator> logger,
CurrentContext currentContext,
GlobalSettings globalSettings)
GlobalSettings globalSettings,
IPolicyRepository policyRepository)
: base(userManager, deviceRepository, deviceService, userService, eventService,
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
applicationCacheService, mailService, logger, currentContext, globalSettings)
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
{
_userManager = userManager;
}
@ -78,6 +79,9 @@ namespace Bit.Core.IdentityServer
context.Result.CustomResponse = customResponse;
}
protected override void SetSsoResult(CustomTokenRequestValidationContext context,
Dictionary<string, object> customResponse) => throw new System.NotImplementedException();
protected override void SetErrorResult(CustomTokenRequestValidationContext context,
Dictionary<string, object> customResponse)
{

12
src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
View File

@ -31,10 +31,11 @@ namespace Bit.Core.IdentityServer
IMailService mailService,
ILogger<ResourceOwnerPasswordValidator> logger,
CurrentContext currentContext,
GlobalSettings globalSettings)
GlobalSettings globalSettings,
IPolicyRepository policyRepository)
: base(userManager, deviceRepository, deviceService, userService, eventService,
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
applicationCacheService, mailService, logger, currentContext, globalSettings)
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
{
_userManager = userManager;
_userService = userService;
@ -77,6 +78,13 @@ namespace Bit.Core.IdentityServer
customResponse);
}
protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
Dictionary<string, object> customResponse)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
customResponse);
}
protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
Dictionary<string, object> customResponse)
{

2
src/Core/Models/Data/OrganizationAbility.cs
View File

@ -16,6 +16,7 @@ namespace Bit.Core.Models.Data
organization.TwoFactorProviders != "{}";
UsersGetPremium = organization.UsersGetPremium;
Enabled = organization.Enabled;
UseSso = organization.UseSso;
}
public Guid Id { get; set; }
@ -24,5 +25,6 @@ namespace Bit.Core.Models.Data
public bool Using2fa { get; set; }
public bool UsersGetPremium { get; set; }
public bool Enabled { get; set; }
public bool UseSso { get; set; }
}
}

1
src/Core/Repositories/EntityFramework/OrganizationRepository.cs
View File

@ -99,6 +99,7 @@ namespace Bit.Core.Repositories.EntityFramework
UseEvents = e.UseEvents,
UsersGetPremium = e.UsersGetPremium,
Using2fa = e.Use2fa && e.TwoFactorProviders != null,
UseSso = e.UseSso,
}).ToListAsync();
}
}

15
src/Core/Resources/SharedResources.en.resx
View File

@ -548,4 +548,19 @@
<data name="OnlyOrganizationPolicyWarning" xml:space="preserve">
<value>Organization members who are already a part of another organization will be removed from this organization and will receive an email notifying them about the change.</value>
</data>
<data name="RequireSso" xml:space="preserve">
<value>Single Sign-On Authentication</value>
</data>
<data name="RequireSsoDescription" xml:space="preserve">
<value>Require users to log in with the Enterprise Single Sign-On method.</value>
</data>
<data name="Prerequisite" xml:space="preserve">
<value>Prerequisite</value>
</data>
<data name="RequireSsoPolicyReq" xml:space="preserve">
<value>The Single Organization enterprise policy must be enabled before activating this policy.</value>
</data>
<data name="RequireSsoPolicyReqError" xml:space="preserve">
<value>Single Organization policy not enabled.</value>
</data>
</root>

1
src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql
View File

@ -14,6 +14,7 @@ BEGIN
0
END AS [Using2fa],
[UsersGetPremium],
[UseSso],
[Enabled]
FROM
[dbo].[Organization]

0
util/Migrator/DbScripts/2020-10-08_00_DeleteOrgUserWithOrg → util/Migrator/DbScripts/2020-10-08_00_DeleteOrgUserWithOrg.sql
View File

28
util/Migrator/DbScripts/2020-10-20_00_OrgReadAbilities.sql Normal file
View File

@ -0,0 +1,28 @@
IF OBJECT_ID('[dbo].[Organization_ReadAbilities]') IS NOT NULL
BEGIN
DROP PROCEDURE [dbo].[Organization_ReadAbilities]
END
GO
CREATE PROCEDURE [dbo].[Organization_ReadAbilities]
AS
BEGIN
SET NOCOUNT ON
SELECT
[Id],
[UseEvents],
[Use2fa],
CASE
WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
1
ELSE
0
END AS [Using2fa],
[UsersGetPremium],
[UseSso],
[Enabled]
FROM
[dbo].[Organization]
END
GO