SSO support (#862)

* [SSO] Added change password API (#836)

* Created API for updating password with no current comparison

* Changed name of method and request // Added user has password error flow

* Updated user service method name // Updated string null/empty check

* Replaced hardcoded sso domain hints with config loader (#850)

* Replaced hardcoded sso domain hints with config loader

* use async/await for sso config loader

* Update AccountsController.cs

Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com>
Co-authored-by: Matt Portune <mportune@bitwarden.com>
Co-authored-by: Matt Portune <59324545+mportune-bw@users.noreply.github.com>

src/Api/Controllers/AccountsController.cs

@@ -14,6 +14,7 @@ using Bit.Core.Models.Business;
 using Bit.Api.Utilities;
 using Bit.Core.Models.Table;
 using System.Collections.Generic;
+using Bit.Core.Models.Api.Request.Accounts;
 using Bit.Core.Models.Data;
 
 namespace Bit.Api.Controllers
@@ -194,6 +195,29 @@ namespace Bit.Api.Controllers
             await Task.Delay(2000);
             throw new BadRequestException(ModelState);
         }
+        
+        [HttpPost("set-password")]
+        public async Task SetPasswordAsync([FromBody]SetPasswordRequestModel model)
+        {
+            var user = await _userService.GetUserByPrincipalAsync(User);
+            if (user == null)
+            {
+                throw new UnauthorizedAccessException();
+            }
+
+            var result = await _userService.SetPasswordAsync(user, model.NewMasterPasswordHash, model.Key);
+            if (result.Succeeded)
+            {
+                return;
+            }
+
+            foreach (var error in result.Errors)
+            {
+                ModelState.AddModelError(string.Empty, error.Description);
+            }
+
+            throw new BadRequestException(ModelState);
+        }
 
         [HttpPost("verify-password")]
         public async Task PostVerifyPassword([FromBody]VerifyPasswordRequestModel model)

src/Core/Enums/Saml2NameIdFormat.cs

@@ -0,0 +1,15 @@
+namespace Bit.Core.Enums
+{
+    public enum Saml2NameIdFormat : byte
+    {
+        NotConfigured = 0,
+        Unspecified = 1,
+        EmailAddress = 2,
+        X509SubjectName = 3,
+        WindowsDomainQualifiedName = 4,
+        KerberosPrincipalName = 5,
+        EntityIdentifier = 6,
+        Persistent = 7,
+        Transient = 8,
+    }
+}

src/Core/Models/Api/Request/Accounts/SetPasswordRequestModel.cs

@@ -0,0 +1,13 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Models.Api.Request.Accounts
+{
+    public class SetPasswordRequestModel
+    {
+        [Required]
+        [StringLength(300)]
+        public string NewMasterPasswordHash { get; set; }
+        [Required]
+        public string Key { get; set; }
+    }
+}

src/Core/Services/IUserService.cs

@@ -31,6 +31,7 @@ namespace Bit.Core.Services
         Task<IdentityResult> ChangeEmailAsync(User user, string masterPassword, string newEmail, string newMasterPassword,
             string token, string key);
         Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key);
+        Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key);
         Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
             KdfType kdf, int kdfIterations);
         Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,

src/Core/Services/Implementations/UserService.cs

@@ -567,6 +567,34 @@ namespace Bit.Core.Services
             Logger.LogWarning("Change password failed for user {userId}.", user.Id);
             return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
         }
+        
+        public async Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key)
+        {
+            if (user == null)
+            {
+                throw new ArgumentNullException(nameof(user));
+            }
+
+            if (!string.IsNullOrWhiteSpace(user.MasterPassword))
+            {
+                Logger.LogWarning("Change password failed for user {userId} - already has password.", user.Id);
+                return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword());
+            }
+            
+            var result = await UpdatePasswordHash(user, newMasterPassword);
+            if (!result.Succeeded)
+            {
+                return result;
+            }
+
+            user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
+            user.Key = key;
+
+            await _userRepository.ReplaceAsync(user);
+            await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
+
+            return IdentityResult.Success;
+        }
 
         public async Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword,
             string key, KdfType kdf, int kdfIterations)

src/Identity/Controllers/AccountController.cs

@@ -21,17 +21,20 @@ namespace Bit.Identity.Controllers
     {
         private readonly IIdentityServerInteractionService _interaction;
         private readonly IUserRepository _userRepository;
+        private readonly ISsoConfigRepository _ssoConfigRepository;
         private readonly IClientStore _clientStore;
         private readonly ILogger<AccountController> _logger;
 
         public AccountController(
             IIdentityServerInteractionService interaction,
             IUserRepository userRepository,
+            ISsoConfigRepository ssoConfigRepository,
             IClientStore clientStore,
             ILogger<AccountController> logger)
         {
             _interaction = interaction;
             _userRepository = userRepository;
+            _ssoConfigRepository = ssoConfigRepository;
             _clientStore = clientStore;
             _logger = logger;
         }
@@ -53,36 +56,19 @@ namespace Bit.Identity.Controllers
         }
 
         [HttpGet]
-        public IActionResult ExternalChallenge(string organizationIdentifier, string returnUrl)
+        public async Task<IActionResult> ExternalChallenge(string organizationIdentifier, string returnUrl)
         {
             if (string.IsNullOrWhiteSpace(organizationIdentifier))
             {
                 throw new Exception("Invalid organization reference id.");
             }
 
-            // TODO: Lookup sso config and create a domain hint
+            var ssoConfig = await _ssoConfigRepository.GetByIdentifierAsync(organizationIdentifier);
-            var domainHint = "oidc_okta";
+            if (ssoConfig == null || !ssoConfig.Enabled)
-            // Temp hardcoded orgs
-            if (organizationIdentifier == "org_oidc_okta")
             {
-                domainHint = "oidc_okta";
+                throw new Exception("Organization not found or SSO configuration not enabled");
-            }
-            else if (organizationIdentifier == "org_oidc_onelogin")
-            {
-                domainHint = "oidc_onelogin";
-            }
-            else if (organizationIdentifier == "org_saml2_onelogin")
-            {
-                domainHint = "saml2_onelogin";
-            }
-            else if (organizationIdentifier == "org_saml2_sustainsys")
-            {
-                domainHint = "saml2_sustainsys";
-            }
-            else
-            {
-                throw new Exception("Organization not found.");
             }
+            var domainHint = ssoConfig.OrganizationId.ToString();
 
             var scheme = "sso";
             var props = new AuthenticationProperties