diff --git a/src/Api/Controllers/AccountsController.cs b/src/Api/Controllers/AccountsController.cs index bfab73a318..e122c49e5d 100644 --- a/src/Api/Controllers/AccountsController.cs +++ b/src/Api/Controllers/AccountsController.cs @@ -14,6 +14,7 @@ using Bit.Core.Models.Business; using Bit.Api.Utilities; using Bit.Core.Models.Table; using System.Collections.Generic; +using Bit.Core.Models.Api.Request.Accounts; using Bit.Core.Models.Data; namespace Bit.Api.Controllers @@ -194,6 +195,29 @@ namespace Bit.Api.Controllers await Task.Delay(2000); throw new BadRequestException(ModelState); } + + [HttpPost("set-password")] + public async Task SetPasswordAsync([FromBody]SetPasswordRequestModel model) + { + var user = await _userService.GetUserByPrincipalAsync(User); + if (user == null) + { + throw new UnauthorizedAccessException(); + } + + var result = await _userService.SetPasswordAsync(user, model.NewMasterPasswordHash, model.Key); + if (result.Succeeded) + { + return; + } + + foreach (var error in result.Errors) + { + ModelState.AddModelError(string.Empty, error.Description); + } + + throw new BadRequestException(ModelState); + } [HttpPost("verify-password")] public async Task PostVerifyPassword([FromBody]VerifyPasswordRequestModel model) diff --git a/src/Core/Enums/Saml2NameIdFormat.cs b/src/Core/Enums/Saml2NameIdFormat.cs new file mode 100644 index 0000000000..9ba83e58fd --- /dev/null +++ b/src/Core/Enums/Saml2NameIdFormat.cs @@ -0,0 +1,15 @@ +namespace Bit.Core.Enums +{ + public enum Saml2NameIdFormat : byte + { + NotConfigured = 0, + Unspecified = 1, + EmailAddress = 2, + X509SubjectName = 3, + WindowsDomainQualifiedName = 4, + KerberosPrincipalName = 5, + EntityIdentifier = 6, + Persistent = 7, + Transient = 8, + } +} diff --git a/src/Core/Models/Api/Request/Accounts/SetPasswordRequestModel.cs b/src/Core/Models/Api/Request/Accounts/SetPasswordRequestModel.cs new file mode 100644 index 0000000000..88e60d74bf --- /dev/null +++ b/src/Core/Models/Api/Request/Accounts/SetPasswordRequestModel.cs @@ -0,0 +1,13 @@ +using System.ComponentModel.DataAnnotations; + +namespace Bit.Core.Models.Api.Request.Accounts +{ + public class SetPasswordRequestModel + { + [Required] + [StringLength(300)] + public string NewMasterPasswordHash { get; set; } + [Required] + public string Key { get; set; } + } +} diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs index ccea70a45b..1e87f3a5b0 100644 --- a/src/Core/Services/IUserService.cs +++ b/src/Core/Services/IUserService.cs @@ -31,6 +31,7 @@ namespace Bit.Core.Services Task ChangeEmailAsync(User user, string masterPassword, string newEmail, string newMasterPassword, string token, string key); Task ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key); + Task SetPasswordAsync(User user, string newMasterPassword, string key); Task ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key, KdfType kdf, int kdfIterations); Task UpdateKeyAsync(User user, string masterPassword, string key, string privateKey, diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs index 06cd774f79..33b1b99131 100644 --- a/src/Core/Services/Implementations/UserService.cs +++ b/src/Core/Services/Implementations/UserService.cs @@ -567,6 +567,34 @@ namespace Bit.Core.Services Logger.LogWarning("Change password failed for user {userId}.", user.Id); return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch()); } + + public async Task SetPasswordAsync(User user, string newMasterPassword, string key) + { + if (user == null) + { + throw new ArgumentNullException(nameof(user)); + } + + if (!string.IsNullOrWhiteSpace(user.MasterPassword)) + { + Logger.LogWarning("Change password failed for user {userId} - already has password.", user.Id); + return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword()); + } + + var result = await UpdatePasswordHash(user, newMasterPassword); + if (!result.Succeeded) + { + return result; + } + + user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow; + user.Key = key; + + await _userRepository.ReplaceAsync(user); + await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword); + + return IdentityResult.Success; + } public async Task ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key, KdfType kdf, int kdfIterations) diff --git a/src/Identity/Controllers/AccountController.cs b/src/Identity/Controllers/AccountController.cs index 5bb294ed1b..ff38f0acc9 100644 --- a/src/Identity/Controllers/AccountController.cs +++ b/src/Identity/Controllers/AccountController.cs @@ -21,17 +21,20 @@ namespace Bit.Identity.Controllers { private readonly IIdentityServerInteractionService _interaction; private readonly IUserRepository _userRepository; + private readonly ISsoConfigRepository _ssoConfigRepository; private readonly IClientStore _clientStore; private readonly ILogger _logger; public AccountController( IIdentityServerInteractionService interaction, IUserRepository userRepository, + ISsoConfigRepository ssoConfigRepository, IClientStore clientStore, ILogger logger) { _interaction = interaction; _userRepository = userRepository; + _ssoConfigRepository = ssoConfigRepository; _clientStore = clientStore; _logger = logger; } @@ -53,36 +56,19 @@ namespace Bit.Identity.Controllers } [HttpGet] - public IActionResult ExternalChallenge(string organizationIdentifier, string returnUrl) + public async Task ExternalChallenge(string organizationIdentifier, string returnUrl) { if (string.IsNullOrWhiteSpace(organizationIdentifier)) { throw new Exception("Invalid organization reference id."); } - // TODO: Lookup sso config and create a domain hint - var domainHint = "oidc_okta"; - // Temp hardcoded orgs - if (organizationIdentifier == "org_oidc_okta") + var ssoConfig = await _ssoConfigRepository.GetByIdentifierAsync(organizationIdentifier); + if (ssoConfig == null || !ssoConfig.Enabled) { - domainHint = "oidc_okta"; - } - else if (organizationIdentifier == "org_oidc_onelogin") - { - domainHint = "oidc_onelogin"; - } - else if (organizationIdentifier == "org_saml2_onelogin") - { - domainHint = "saml2_onelogin"; - } - else if (organizationIdentifier == "org_saml2_sustainsys") - { - domainHint = "saml2_sustainsys"; - } - else - { - throw new Exception("Organization not found."); + throw new Exception("Organization not found or SSO configuration not enabled"); } + var domainHint = ssoConfig.OrganizationId.ToString(); var scheme = "sso"; var props = new AuthenticationProperties