From 81424a8526e4a22561597c98ae43fb8f2948596a Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Wed, 19 Feb 2020 14:56:16 -0500 Subject: [PATCH] Enforce 2fa policy (#654) --- .../OrganizationUsersController.cs | 2 +- src/Api/Controllers/PoliciesController.cs | 9 ++++++- src/Api/Controllers/TwoFactorController.cs | 2 +- .../Public/Controllers/PoliciesController.cs | 8 +++++- .../Models/Api/Response/SyncResponseModel.cs | 2 +- src/Core/Services/IOrganizationService.cs | 11 +++++--- src/Core/Services/IPolicyService.cs | 6 +++-- src/Core/Services/IUserService.cs | 3 ++- .../Implementations/OrganizationService.cs | 13 +++++++++- .../Services/Implementations/PolicyService.cs | 26 ++++++++++++++++++- .../Services/Implementations/UserService.cs | 25 +++++++++++++++++- .../Stored Procedures/Policy_ReadByUserId.sql | 4 +++ ...etup.sql => 2020-02-18_00_PolicySetup.sql} | 4 +++ 13 files changed, 100 insertions(+), 15 deletions(-) rename util/Migrator/DbScripts/{2020-01-28_00_PolicySetup.sql => 2020-02-18_00_PolicySetup.sql} (98%) diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs index 9b4b5a9a40..bc64bd9676 100644 --- a/src/Api/Controllers/OrganizationUsersController.cs +++ b/src/Api/Controllers/OrganizationUsersController.cs @@ -120,7 +120,7 @@ namespace Bit.Api.Controllers throw new UnauthorizedAccessException(); } - var result = await _organizationService.AcceptUserAsync(new Guid(id), user, model.Token); + var result = await _organizationService.AcceptUserAsync(new Guid(id), user, model.Token, _userService); } [HttpPost("{id}/confirm")] diff --git a/src/Api/Controllers/PoliciesController.cs b/src/Api/Controllers/PoliciesController.cs index dfed165952..00b52283ff 100644 --- a/src/Api/Controllers/PoliciesController.cs +++ b/src/Api/Controllers/PoliciesController.cs @@ -18,15 +18,21 @@ namespace Bit.Api.Controllers { private readonly IPolicyRepository _policyRepository; private readonly IPolicyService _policyService; + private readonly IOrganizationService _organizationService; + private readonly IUserService _userService; private readonly CurrentContext _currentContext; public PoliciesController( IPolicyRepository policyRepository, IPolicyService policyService, + IOrganizationService organizationService, + IUserService userService, CurrentContext currentContext) { _policyRepository = policyRepository; _policyService = policyService; + _organizationService = organizationService; + _userService = userService; _currentContext = currentContext; } @@ -79,7 +85,8 @@ namespace Bit.Api.Controllers policy = model.ToPolicy(policy); } - await _policyService.SaveAsync(policy); + var userId = _userService.GetProperUserId(User); + await _policyService.SaveAsync(policy, _userService, _organizationService, userId); return new PolicyResponseModel(policy); } } diff --git a/src/Api/Controllers/TwoFactorController.cs b/src/Api/Controllers/TwoFactorController.cs index e8122cff4d..cf785987e1 100644 --- a/src/Api/Controllers/TwoFactorController.cs +++ b/src/Api/Controllers/TwoFactorController.cs @@ -318,7 +318,7 @@ namespace Bit.Api.Controllers public async Task PutDisable([FromBody]TwoFactorProviderRequestModel model) { var user = await CheckAsync(model.MasterPasswordHash, false); - await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value); + await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value, _organizationService); var response = new TwoFactorProviderResponseModel(model.Type.Value, user); return response; } diff --git a/src/Api/Public/Controllers/PoliciesController.cs b/src/Api/Public/Controllers/PoliciesController.cs index 667bcdf591..819f7b423b 100644 --- a/src/Api/Public/Controllers/PoliciesController.cs +++ b/src/Api/Public/Controllers/PoliciesController.cs @@ -18,15 +18,21 @@ namespace Bit.Api.Public.Controllers { private readonly IPolicyRepository _policyRepository; private readonly IPolicyService _policyService; + private readonly IUserService _userService; + private readonly IOrganizationService _organizationService; private readonly CurrentContext _currentContext; public PoliciesController( IPolicyRepository policyRepository, IPolicyService policyService, + IUserService userService, + IOrganizationService organizationService, CurrentContext currentContext) { _policyRepository = policyRepository; _policyService = policyService; + _userService = userService; + _organizationService = organizationService; _currentContext = currentContext; } @@ -93,7 +99,7 @@ namespace Bit.Api.Public.Controllers { policy = model.ToPolicy(policy); } - await _policyService.SaveAsync(policy); + await _policyService.SaveAsync(policy, _userService, _organizationService, null); var response = new PolicyResponseModel(policy); return new JsonResult(response); } diff --git a/src/Core/Models/Api/Response/SyncResponseModel.cs b/src/Core/Models/Api/Response/SyncResponseModel.cs index a55e31d3fb..0b7c9acfd0 100644 --- a/src/Core/Models/Api/Response/SyncResponseModel.cs +++ b/src/Core/Models/Api/Response/SyncResponseModel.cs @@ -28,7 +28,7 @@ namespace Bit.Core.Models.Api Collections = collections?.Select( c => new CollectionDetailsResponseModel(c)) ?? new List(); Domains = excludeDomains ? null : new DomainsResponseModel(user, false); - Policies = policies.Select(p => new PolicyResponseModel(p)); + Policies = policies?.Select(p => new PolicyResponseModel(p)); } public ProfileResponseModel Profile { get; set; } diff --git a/src/Core/Services/IOrganizationService.cs b/src/Core/Services/IOrganizationService.cs index c59472d037..a08b1d2ec8 100644 --- a/src/Core/Services/IOrganizationService.cs +++ b/src/Core/Services/IOrganizationService.cs @@ -31,11 +31,14 @@ namespace Bit.Core.Services Task DisableTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type); Task InviteUserAsync(Guid organizationId, Guid? invitingUserId, string email, OrganizationUserType type, bool accessAll, string externalId, IEnumerable collections); - Task> InviteUserAsync(Guid organizationId, Guid? invitingUserId, IEnumerable emails, - OrganizationUserType type, bool accessAll, string externalId, IEnumerable collections); + Task> InviteUserAsync(Guid organizationId, Guid? invitingUserId, + IEnumerable emails, OrganizationUserType type, bool accessAll, string externalId, + IEnumerable collections); Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId); - Task AcceptUserAsync(Guid organizationUserId, User user, string token); - Task ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key, Guid confirmingUserId); + Task AcceptUserAsync(Guid organizationUserId, User user, string token, + IUserService userService); + Task ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key, + Guid confirmingUserId); Task SaveUserAsync(OrganizationUser user, Guid? savingUserId, IEnumerable collections); Task DeleteUserAsync(Guid organizationId, Guid organizationUserId, Guid? deletingUserId); Task DeleteUserAsync(Guid organizationId, Guid userId); diff --git a/src/Core/Services/IPolicyService.cs b/src/Core/Services/IPolicyService.cs index c4375d312e..1b95911063 100644 --- a/src/Core/Services/IPolicyService.cs +++ b/src/Core/Services/IPolicyService.cs @@ -1,10 +1,12 @@ -using System.Threading.Tasks; +using System; +using System.Threading.Tasks; using Bit.Core.Models.Table; namespace Bit.Core.Services { public interface IPolicyService { - Task SaveAsync(Policy policy); + Task SaveAsync(Policy policy, IUserService userService, IOrganizationService organizationService, + Guid? savingUserId); } } diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs index 00368acec7..ee7e9f8af9 100644 --- a/src/Core/Services/IUserService.cs +++ b/src/Core/Services/IUserService.cs @@ -37,7 +37,8 @@ namespace Bit.Core.Services IEnumerable ciphers, IEnumerable folders); Task RefreshSecurityStampAsync(User user, string masterPasswordHash); Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type); - Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type); + Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type, + IOrganizationService organizationService); Task RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode); Task GenerateUserTokenAsync(User user, string tokenProvider, string purpose); Task DeleteAsync(User user); diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs index c7a759dddf..e571ca6984 100644 --- a/src/Core/Services/Implementations/OrganizationService.cs +++ b/src/Core/Services/Implementations/OrganizationService.cs @@ -960,7 +960,8 @@ namespace Bit.Core.Services await _mailService.SendOrganizationInviteEmailAsync(org.Name, orgUser, token); } - public async Task AcceptUserAsync(Guid organizationUserId, User user, string token) + public async Task AcceptUserAsync(Guid organizationUserId, User user, string token, + IUserService userService) { var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId); if(orgUser == null) @@ -1005,6 +1006,16 @@ namespace Bit.Core.Services throw new BadRequestException("Invalid token."); } + if(!await userService.TwoFactorIsEnabledAsync(user)) + { + var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId); + if(policies.Any(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled)) + { + throw new BadRequestException("You cannot join this organization until you enable " + + "two-step login on your user account."); + } + } + orgUser.Status = OrganizationUserStatusType.Accepted; orgUser.UserId = user.Id; orgUser.Email = null; diff --git a/src/Core/Services/Implementations/PolicyService.cs b/src/Core/Services/Implementations/PolicyService.cs index e62d42cc51..3619662765 100644 --- a/src/Core/Services/Implementations/PolicyService.cs +++ b/src/Core/Services/Implementations/PolicyService.cs @@ -1,4 +1,5 @@ using System; +using System.Linq; using System.Threading.Tasks; using Bit.Core.Exceptions; using Bit.Core.Models.Table; @@ -25,7 +26,8 @@ namespace Bit.Core.Services _policyRepository = policyRepository; } - public async Task SaveAsync(Policy policy) + public async Task SaveAsync(Policy policy, IUserService userService, IOrganizationService organizationService, + Guid? savingUserId) { var org = await _organizationRepository.GetByIdAsync(policy.OrganizationId); if(org == null) @@ -43,6 +45,28 @@ namespace Bit.Core.Services { policy.CreationDate = now; } + else if(policy.Enabled) + { + var currentPolicy = await _policyRepository.GetByIdAsync(policy.Id); + if(!currentPolicy?.Enabled ?? true) + { + if(currentPolicy.Type == Enums.PolicyType.TwoFactorAuthentication) + { + var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync( + policy.OrganizationId); + foreach(var orgUser in orgUsers.Where(ou => + ou.Status != Enums.OrganizationUserStatusType.Invited && + ou.Type != Enums.OrganizationUserType.Owner)) + { + if(orgUser.UserId != savingUserId && !await userService.TwoFactorIsEnabledAsync(orgUser)) + { + await organizationService.DeleteUserAsync(policy.OrganizationId, orgUser.Id, + savingUserId); + } + } + } + } + } policy.RevisionDate = DateTime.UtcNow; await _policyRepository.UpsertAsync(policy); await _eventService.LogPolicyEventAsync(policy, Enums.EventType.Policy_Updated); diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs index 5e0885a20a..ce221b6727 100644 --- a/src/Core/Services/Implementations/UserService.cs +++ b/src/Core/Services/Implementations/UserService.cs @@ -43,6 +43,7 @@ namespace Bit.Core.Services private readonly IEventService _eventService; private readonly IApplicationCacheService _applicationCacheService; private readonly IPaymentService _paymentService; + private readonly IPolicyRepository _policyRepository; private readonly IDataProtector _organizationServiceDataProtector; private readonly CurrentContext _currentContext; private readonly GlobalSettings _globalSettings; @@ -69,6 +70,7 @@ namespace Bit.Core.Services IApplicationCacheService applicationCacheService, IDataProtectionProvider dataProtectionProvider, IPaymentService paymentService, + IPolicyRepository policyRepository, CurrentContext currentContext, GlobalSettings globalSettings) : base( @@ -97,6 +99,7 @@ namespace Bit.Core.Services _eventService = eventService; _applicationCacheService = applicationCacheService; _paymentService = paymentService; + _policyRepository = policyRepository; _organizationServiceDataProtector = dataProtectionProvider.CreateProtector( "OrganizationServiceDataProtector"); _currentContext = currentContext; @@ -638,7 +641,8 @@ namespace Bit.Core.Services await _eventService.LogUserEventAsync(user.Id, EventType.User_Updated2fa); } - public async Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type) + public async Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type, + IOrganizationService organizationService) { var providers = user.GetTwoFactorProviders(); if(!providers?.ContainsKey(type) ?? true) @@ -650,6 +654,25 @@ namespace Bit.Core.Services user.SetTwoFactorProviders(providers); await SaveUserAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_Disabled2fa); + + if(!await TwoFactorIsEnabledAsync(user)) + { + var policies = await _policyRepository.GetManyByUserIdAsync(user.Id); + var twoFactorPolicies = policies.Where(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled); + if(twoFactorPolicies.Any()) + { + var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id); + var ownerOrgs = userOrgs.Where(o => o.Type == OrganizationUserType.Owner) + .Select(o => o.Id).ToHashSet(); + foreach(var policy in twoFactorPolicies) + { + if(!ownerOrgs.Contains(policy.OrganizationId)) + { + await organizationService.DeleteUserAsync(policy.OrganizationId, user.Id); + } + } + } + } } public async Task RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode) diff --git a/src/Sql/dbo/Stored Procedures/Policy_ReadByUserId.sql b/src/Sql/dbo/Stored Procedures/Policy_ReadByUserId.sql index 872a4d319b..58e98670ac 100644 --- a/src/Sql/dbo/Stored Procedures/Policy_ReadByUserId.sql +++ b/src/Sql/dbo/Stored Procedures/Policy_ReadByUserId.sql @@ -10,6 +10,10 @@ BEGIN [dbo].[PolicyView] P INNER JOIN [dbo].[OrganizationUser] OU ON P.[OrganizationId] = OU.[OrganizationId] + INNER JOIN + [dbo].[Organization] O ON OU.[OrganizationId] = O.[Id] WHERE OU.[UserId] = @UserId + AND OU.[Status] = 2 -- 2 = Confirmed + AND O.[Enabled] = 1 END \ No newline at end of file diff --git a/util/Migrator/DbScripts/2020-01-28_00_PolicySetup.sql b/util/Migrator/DbScripts/2020-02-18_00_PolicySetup.sql similarity index 98% rename from util/Migrator/DbScripts/2020-01-28_00_PolicySetup.sql rename to util/Migrator/DbScripts/2020-02-18_00_PolicySetup.sql index 8d25ffdd69..db6812e4a8 100644 --- a/util/Migrator/DbScripts/2020-01-28_00_PolicySetup.sql +++ b/util/Migrator/DbScripts/2020-02-18_00_PolicySetup.sql @@ -576,7 +576,11 @@ BEGIN [dbo].[PolicyView] P INNER JOIN [dbo].[OrganizationUser] OU ON P.[OrganizationId] = OU.[OrganizationId] + INNER JOIN + [dbo].[Organization] O ON OU.[OrganizationId] = O.[Id] WHERE OU.[UserId] = @UserId + AND OU.[Status] = 2 -- 2 = Confirmed + AND O.[Enabled] = 1 END GO