[PM-1188] Server owner auth migration (#2825)

* [PM-1188] add sso project to auth * [PM-1188] move sso api models to auth * [PM-1188] fix sso api model namespace & imports * [PM-1188] move core files to auth * [PM-1188] fix core sso namespace & models * [PM-1188] move sso repository files to auth * [PM-1188] fix sso repo files namespace & imports * [PM-1188] move sso sql files to auth folder * [PM-1188] move sso test files to auth folders * [PM-1188] fix sso tests namespace & imports * [PM-1188] move auth api files to auth folder * [PM-1188] fix auth api files namespace & imports * [PM-1188] move auth core files to auth folder * [PM-1188] fix auth core files namespace & imports * [PM-1188] move auth email templates to auth folder * [PM-1188] move auth email folder back into shared directory * [PM-1188] fix auth email names * [PM-1188] move auth core models to auth folder * [PM-1188] fix auth model namespace & imports * [PM-1188] add entire Identity project to auth codeowners * [PM-1188] fix auth orm files namespace & imports * [PM-1188] move auth orm files to auth folder * [PM-1188] move auth sql files to auth folder * [PM-1188] move auth tests to auth folder * [PM-1188] fix auth test files namespace & imports * [PM-1188] move emergency access api files to auth folder * [PM-1188] fix emergencyaccess api files namespace & imports * [PM-1188] move emergency access core files to auth folder * [PM-1188] fix emergency access core files namespace & imports * [PM-1188] move emergency access orm files to auth folder * [PM-1188] fix emergency access orm files namespace & imports * [PM-1188] move emergency access sql files to auth folder * [PM-1188] move emergencyaccess test files to auth folder * [PM-1188] fix emergency access test files namespace & imports * [PM-1188] move captcha files to auth folder * [PM-1188] fix captcha files namespace & imports * [PM-1188] move auth admin files into auth folder * [PM-1188] fix admin auth files namespace & imports - configure mvc to look in auth folders for views * [PM-1188] remove extra imports and formatting * [PM-1188] fix ef auth model imports * [PM-1188] fix DatabaseContextModelSnapshot paths * [PM-1188] fix grant import in ef * [PM-1188] update sqlproj * [PM-1188] move missed sqlproj files * [PM-1188] move auth ef models out of auth folder * [PM-1188] fix auth ef models namespace * [PM-1188] remove auth ef models unused imports * [PM-1188] fix imports for auth ef models * [PM-1188] fix more ef model imports * [PM-1188] fix file encodings
2025-07-03 00:52:49 -05:00 · 2023-04-14 13:25:56 -04:00
parent 2529c5b36f
commit 88dd745070
332 changed files with 704 additions and 522 deletions
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@ -0,0 +1,441 @@
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Models.Response.TwoFactor;
+using Bit.Api.Models.Request;
+using Bit.Api.Models.Response;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.LoginFeatures.PasswordlessLogin.Interfaces;
+using Bit.Core.Auth.Utilities;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Fido2NetLib;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Auth.Controllers;
+
+[Route("two-factor")]
+[Authorize("Web")]
+public class TwoFactorController : Controller
+{
+    private readonly IUserService _userService;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IOrganizationService _organizationService;
+    private readonly GlobalSettings _globalSettings;
+    private readonly UserManager<User> _userManager;
+    private readonly ICurrentContext _currentContext;
+    private readonly IVerifyAuthRequestCommand _verifyAuthRequestCommand;
+
+    public TwoFactorController(
+        IUserService userService,
+        IOrganizationRepository organizationRepository,
+        IOrganizationService organizationService,
+        GlobalSettings globalSettings,
+        UserManager<User> userManager,
+        ICurrentContext currentContext,
+        IVerifyAuthRequestCommand verifyAuthRequestCommand)
+    {
+        _userService = userService;
+        _organizationRepository = organizationRepository;
+        _organizationService = organizationService;
+        _globalSettings = globalSettings;
+        _userManager = userManager;
+        _currentContext = currentContext;
+        _verifyAuthRequestCommand = verifyAuthRequestCommand;
+    }
+
+    [HttpGet("")]
+    public async Task<ListResponseModel<TwoFactorProviderResponseModel>> Get()
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var providers = user.GetTwoFactorProviders()?.Select(
+            p => new TwoFactorProviderResponseModel(p.Key, p.Value));
+        return new ListResponseModel<TwoFactorProviderResponseModel>(providers);
+    }
+
+    [HttpGet("~/organizations/{id}/two-factor")]
+    public async Task<ListResponseModel<TwoFactorProviderResponseModel>> GetOrganization(string id)
+    {
+        var orgIdGuid = new Guid(id);
+        if (!await _currentContext.OrganizationAdmin(orgIdGuid))
+        {
+            throw new NotFoundException();
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var providers = organization.GetTwoFactorProviders()?.Select(
+            p => new TwoFactorProviderResponseModel(p.Key, p.Value));
+        return new ListResponseModel<TwoFactorProviderResponseModel>(providers);
+    }
+
+    [HttpPost("get-authenticator")]
+    public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+        var response = new TwoFactorAuthenticatorResponseModel(user);
+        return response;
+    }
+
+    [HttpPut("authenticator")]
+    [HttpPost("authenticator")]
+    public async Task<TwoFactorAuthenticatorResponseModel> PutAuthenticator(
+        [FromBody] UpdateTwoFactorAuthenticatorRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+        model.ToUser(user);
+
+        if (!await _userManager.VerifyTwoFactorTokenAsync(user,
+            CoreHelpers.CustomProviderName(TwoFactorProviderType.Authenticator), model.Token))
+        {
+            await Task.Delay(2000);
+            throw new BadRequestException("Token", "Invalid token.");
+        }
+
+        await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.Authenticator);
+        var response = new TwoFactorAuthenticatorResponseModel(user);
+        return response;
+    }
+
+    [HttpPost("get-yubikey")]
+    public async Task<TwoFactorYubiKeyResponseModel> GetYubiKey([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+        var response = new TwoFactorYubiKeyResponseModel(user);
+        return response;
+    }
+
+    [HttpPut("yubikey")]
+    [HttpPost("yubikey")]
+    public async Task<TwoFactorYubiKeyResponseModel> PutYubiKey([FromBody] UpdateTwoFactorYubicoOtpRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+        model.ToUser(user);
+
+        await ValidateYubiKeyAsync(user, nameof(model.Key1), model.Key1);
+        await ValidateYubiKeyAsync(user, nameof(model.Key2), model.Key2);
+        await ValidateYubiKeyAsync(user, nameof(model.Key3), model.Key3);
+        await ValidateYubiKeyAsync(user, nameof(model.Key4), model.Key4);
+        await ValidateYubiKeyAsync(user, nameof(model.Key5), model.Key5);
+
+        await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.YubiKey);
+        var response = new TwoFactorYubiKeyResponseModel(user);
+        return response;
+    }
+
+    [HttpPost("get-duo")]
+    public async Task<TwoFactorDuoResponseModel> GetDuo([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+        var response = new TwoFactorDuoResponseModel(user);
+        return response;
+    }
+
+    [HttpPut("duo")]
+    [HttpPost("duo")]
+    public async Task<TwoFactorDuoResponseModel> PutDuo([FromBody] UpdateTwoFactorDuoRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+        try
+        {
+            var duoApi = new DuoApi(model.IntegrationKey, model.SecretKey, model.Host);
+            await duoApi.JSONApiCall("GET", "/auth/v2/check");
+        }
+        catch (DuoException)
+        {
+            throw new BadRequestException("Duo configuration settings are not valid. Please re-check the Duo Admin panel.");
+        }
+
+        model.ToUser(user);
+        await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.Duo);
+        var response = new TwoFactorDuoResponseModel(user);
+        return response;
+    }
+
+    [HttpPost("~/organizations/{id}/two-factor/get-duo")]
+    public async Task<TwoFactorDuoResponseModel> GetOrganizationDuo(string id,
+        [FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+
+        var orgIdGuid = new Guid(id);
+        if (!await _currentContext.ManagePolicies(orgIdGuid))
+        {
+            throw new NotFoundException();
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var response = new TwoFactorDuoResponseModel(organization);
+        return response;
+    }
+
+    [HttpPut("~/organizations/{id}/two-factor/duo")]
+    [HttpPost("~/organizations/{id}/two-factor/duo")]
+    public async Task<TwoFactorDuoResponseModel> PutOrganizationDuo(string id,
+        [FromBody] UpdateTwoFactorDuoRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+
+        var orgIdGuid = new Guid(id);
+        if (!await _currentContext.ManagePolicies(orgIdGuid))
+        {
+            throw new NotFoundException();
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        try
+        {
+            var duoApi = new DuoApi(model.IntegrationKey, model.SecretKey, model.Host);
+            await duoApi.JSONApiCall("GET", "/auth/v2/check");
+        }
+        catch (DuoException)
+        {
+            throw new BadRequestException("Duo configuration settings are not valid. Please re-check the Duo Admin panel.");
+        }
+
+        model.ToOrganization(organization);
+        await _organizationService.UpdateTwoFactorProviderAsync(organization,
+            TwoFactorProviderType.OrganizationDuo);
+        var response = new TwoFactorDuoResponseModel(organization);
+        return response;
+    }
+
+    [HttpPost("get-webauthn")]
+    public async Task<TwoFactorWebAuthnResponseModel> GetWebAuthn([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+        var response = new TwoFactorWebAuthnResponseModel(user);
+        return response;
+    }
+
+    [HttpPost("get-webauthn-challenge")]
+    [ApiExplorerSettings(IgnoreApi = true)] // Disable Swagger due to CredentialCreateOptions not converting properly
+    public async Task<CredentialCreateOptions> GetWebAuthnChallenge([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+        var reg = await _userService.StartWebAuthnRegistrationAsync(user);
+        return reg;
+    }
+
+    [HttpPut("webauthn")]
+    [HttpPost("webauthn")]
+    public async Task<TwoFactorWebAuthnResponseModel> PutWebAuthn([FromBody] TwoFactorWebAuthnRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+
+        var success = await _userService.CompleteWebAuthRegistrationAsync(
+            user, model.Id.Value, model.Name, model.DeviceResponse);
+        if (!success)
+        {
+            throw new BadRequestException("Unable to complete WebAuthn registration.");
+        }
+        var response = new TwoFactorWebAuthnResponseModel(user);
+        return response;
+    }
+
+    [HttpDelete("webauthn")]
+    public async Task<TwoFactorWebAuthnResponseModel> DeleteWebAuthn([FromBody] TwoFactorWebAuthnDeleteRequestModel model)
+    {
+        var user = await CheckAsync(model, true);
+        await _userService.DeleteWebAuthnKeyAsync(user, model.Id.Value);
+        var response = new TwoFactorWebAuthnResponseModel(user);
+        return response;
+    }
+
+    [HttpPost("get-email")]
+    public async Task<TwoFactorEmailResponseModel> GetEmail([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+        var response = new TwoFactorEmailResponseModel(user);
+        return response;
+    }
+
+    [HttpPost("send-email")]
+    public async Task SendEmail([FromBody] TwoFactorEmailRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+        model.ToUser(user);
+        await _userService.SendTwoFactorEmailAsync(user);
+    }
+
+    [AllowAnonymous]
+    [HttpPost("send-email-login")]
+    public async Task SendEmailLogin([FromBody] TwoFactorEmailRequestModel model)
+    {
+        var user = await _userManager.FindByEmailAsync(model.Email.ToLowerInvariant());
+        if (user != null)
+        {
+            // check if 2FA email is from passwordless
+            if (!string.IsNullOrEmpty(model.AuthRequestAccessCode))
+            {
+                if (await _verifyAuthRequestCommand
+                        .VerifyAuthRequestAsync(new Guid(model.AuthRequestId), model.AuthRequestAccessCode))
+                {
+                    await _userService.SendTwoFactorEmailAsync(user);
+                    return;
+                }
+            }
+            else if (await _userService.VerifySecretAsync(user, model.Secret))
+            {
+                await _userService.SendTwoFactorEmailAsync(user);
+                return;
+            }
+        }
+
+        await Task.Delay(2000);
+        throw new BadRequestException("Cannot send two-factor email.");
+    }
+
+    [HttpPut("email")]
+    [HttpPost("email")]
+    public async Task<TwoFactorEmailResponseModel> PutEmail([FromBody] UpdateTwoFactorEmailRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+        model.ToUser(user);
+
+        if (!await _userManager.VerifyTwoFactorTokenAsync(user,
+            CoreHelpers.CustomProviderName(TwoFactorProviderType.Email), model.Token))
+        {
+            await Task.Delay(2000);
+            throw new BadRequestException("Token", "Invalid token.");
+        }
+
+        await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+        var response = new TwoFactorEmailResponseModel(user);
+        return response;
+    }
+
+    [HttpPut("disable")]
+    [HttpPost("disable")]
+    public async Task<TwoFactorProviderResponseModel> PutDisable([FromBody] TwoFactorProviderRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+        await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value, _organizationService);
+        var response = new TwoFactorProviderResponseModel(model.Type.Value, user);
+        return response;
+    }
+
+    [HttpPut("~/organizations/{id}/two-factor/disable")]
+    [HttpPost("~/organizations/{id}/two-factor/disable")]
+    public async Task<TwoFactorProviderResponseModel> PutOrganizationDisable(string id,
+        [FromBody] TwoFactorProviderRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+
+        var orgIdGuid = new Guid(id);
+        if (!await _currentContext.ManagePolicies(orgIdGuid))
+        {
+            throw new NotFoundException();
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+
+        await _organizationService.DisableTwoFactorProviderAsync(organization, model.Type.Value);
+        var response = new TwoFactorProviderResponseModel(model.Type.Value, organization);
+        return response;
+    }
+
+    [HttpPost("get-recover")]
+    public async Task<TwoFactorRecoverResponseModel> GetRecover([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await CheckAsync(model, false);
+        var response = new TwoFactorRecoverResponseModel(user);
+        return response;
+    }
+
+    [HttpPost("recover")]
+    [AllowAnonymous]
+    public async Task PostRecover([FromBody] TwoFactorRecoveryRequestModel model)
+    {
+        if (!await _userService.RecoverTwoFactorAsync(model.Email, model.MasterPasswordHash, model.RecoveryCode,
+            _organizationService))
+        {
+            await Task.Delay(2000);
+            throw new BadRequestException(string.Empty, "Invalid information. Try again.");
+        }
+    }
+
+    [Obsolete("Leaving this for backwards compatibilty on clients")]
+    [HttpGet("get-device-verification-settings")]
+    public Task<DeviceVerificationResponseModel> GetDeviceVerificationSettings()
+    {
+        return Task.FromResult(new DeviceVerificationResponseModel(false, false));
+    }
+
+    [Obsolete("Leaving this for backwards compatibilty on clients")]
+    [HttpPut("device-verification-settings")]
+    public Task<DeviceVerificationResponseModel> PutDeviceVerificationSettings([FromBody] DeviceVerificationRequestModel model)
+    {
+        return Task.FromResult(new DeviceVerificationResponseModel(false, false));
+    }
+
+    private async Task<User> CheckAsync(SecretVerificationRequestModel model, bool premium)
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        if (!await _userService.VerifySecretAsync(user, model.Secret))
+        {
+            await Task.Delay(2000);
+            throw new BadRequestException(string.Empty, "User verification failed.");
+        }
+
+        if (premium && !(await _userService.CanAccessPremium(user)))
+        {
+            throw new BadRequestException("Premium status is required.");
+        }
+
+        return user;
+    }
+
+    private async Task ValidateYubiKeyAsync(User user, string name, string value)
+    {
+        if (string.IsNullOrWhiteSpace(value) || value.Length == 12)
+        {
+            return;
+        }
+
+        if (!await _userManager.VerifyTwoFactorTokenAsync(user,
+            CoreHelpers.CustomProviderName(TwoFactorProviderType.YubiKey), value))
+        {
+            await Task.Delay(2000);
+            throw new BadRequestException(name, $"{name} is invalid.");
+        }
+        else
+        {
+            await Task.Delay(500);
+        }
+    }
+}