chore: update LastActivityDate on installation token refresh (#5081)

2025-04-04 20:50:21 -05:00 · 2025-01-06 16:22:03 -05:00 · 2025-01-06 16:22:03 -05:00 · 90f7bfe63d
commit 90f7bfe63d
parent cd7c4bf6ce
13 changed files with 229 additions and 7 deletions
--- a/src/Api/Platform/Installations/Controllers/InstallationsController.cs
+++ b/src/Api/Platform/Installations/Controllers/InstallationsController.cs
@ -6,6 +6,15 @@ using Microsoft.AspNetCore.Mvc;

 namespace Bit.Api.Platform.Installations;

+/// <summary>
+/// Routes used to manipulate `Installation` objects: a type used to manage
+/// a record of a self hosted installation.
+/// </summary>
+/// <remarks>
+/// This controller is not called from any clients. It's primarily referenced
+/// in the `Setup` project for creating a new self hosted installation.
+/// </remarks>
+/// <seealso>Bit.Setup.Program</seealso>
 [Route("installations")]
 [SelfHosted(NotSelfHostedOnly = true)]
 public class InstallationsController : Controller
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -165,6 +165,7 @@ public static class FeatureFlagKeys
    public const string AppReviewPrompt = "app-review-prompt";
    public const string ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs";
    public const string UsePricingService = "use-pricing-service";
+    public const string RecordInstallationLastActivityDate = "installation-last-activity-date";

    public static List<string> GetAllKeys()
    {
--- a/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/IUpdateInstallationCommand.cs
+++ b/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/IUpdateInstallationCommand.cs
@ -0,0 +1,14 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Command interface responsible for updating data on an `Installation`
+/// record.
+/// </summary>
+/// <remarks>
+/// This interface is implemented by `UpdateInstallationCommand`
+/// </remarks>
+/// <seealso cref="Bit.Core.Platform.Installations.UpdateInstallationCommand"/>
+public interface IUpdateInstallationCommand
+{
+    Task UpdateLastActivityDateAsync(Guid installationId);
+}
--- a/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/UpdateInstallationCommand.cs
+++ b/src/Core/Platform/Installations/Commands/UpdateInstallationActivityDateCommand/UpdateInstallationCommand.cs
@ -0,0 +1,53 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Commands responsible for updating an installation from
+/// `InstallationRepository`.
+/// </summary>
+/// <remarks>
+/// If referencing: you probably want the interface
+/// `IUpdateInstallationCommand` instead of directly calling this class.
+/// </remarks>
+/// <seealso cref="IUpdateInstallationCommand"/>
+public class UpdateInstallationCommand : IUpdateInstallationCommand
+{
+    private readonly IGetInstallationQuery _getInstallationQuery;
+    private readonly IInstallationRepository _installationRepository;
+    private readonly TimeProvider _timeProvider;
+
+    public UpdateInstallationCommand(
+        IGetInstallationQuery getInstallationQuery,
+        IInstallationRepository installationRepository,
+        TimeProvider timeProvider
+    )
+    {
+        _getInstallationQuery = getInstallationQuery;
+        _installationRepository = installationRepository;
+        _timeProvider = timeProvider;
+    }
+
+    public async Task UpdateLastActivityDateAsync(Guid installationId)
+    {
+        if (installationId == default)
+        {
+            throw new Exception
+            (
+              "Tried to update the last activity date for " +
+              "an installation, but an invalid installation id was " +
+              "provided."
+            );
+        }
+        var installation = await _getInstallationQuery.GetByIdAsync(installationId);
+        if (installation == null)
+        {
+            throw new Exception
+            (
+              "Tried to update the last activity date for " +
+              $"installation {installationId.ToString()}, but no " +
+              "installation was found for that id."
+            );
+        }
+        installation.LastActivityDate = _timeProvider.GetUtcNow().UtcDateTime;
+        await _installationRepository.UpsertAsync(installation);
+    }
+}
--- a/src/Core/Platform/Installations/Entities/Installation.cs
+++ b/src/Core/Platform/Installations/Entities/Installation.cs
@ -19,6 +19,7 @@ public class Installation : ITableObject<Guid>
    public string Key { get; set; } = null!;
    public bool Enabled { get; set; }
    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime? LastActivityDate { get; internal set; }

    public void SetNewId()
    {
--- a/src/Core/Platform/Installations/Queries/GetInstallationQuery/GetInstallationQuery.cs
+++ b/src/Core/Platform/Installations/Queries/GetInstallationQuery/GetInstallationQuery.cs
@ -0,0 +1,30 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Queries responsible for fetching an installation from
+/// `InstallationRepository`.
+/// </summary>
+/// <remarks>
+/// If referencing: you probably want the interface `IGetInstallationQuery`
+/// instead of directly calling this class.
+/// </remarks>
+/// <seealso cref="IGetInstallationQuery"/>
+public class GetInstallationQuery : IGetInstallationQuery
+{
+    private readonly IInstallationRepository _installationRepository;
+
+    public GetInstallationQuery(IInstallationRepository installationRepository)
+    {
+        _installationRepository = installationRepository;
+    }
+
+    /// <inheritdoc cref="IGetInstallationQuery.GetByIdAsync"/>
+    public async Task<Installation> GetByIdAsync(Guid installationId)
+    {
+        if (installationId == default(Guid))
+        {
+            return null;
+        }
+        return await _installationRepository.GetByIdAsync(installationId);
+    }
+}
--- a/src/Core/Platform/Installations/Queries/GetInstallationQuery/IGetInstallationQuery.cs
+++ b/src/Core/Platform/Installations/Queries/GetInstallationQuery/IGetInstallationQuery.cs
@ -0,0 +1,20 @@
+namespace Bit.Core.Platform.Installations;
+
+/// <summary>
+/// Query interface responsible for fetching an installation from
+/// `InstallationRepository`.
+/// </summary>
+/// <remarks>
+/// This interface is implemented by `GetInstallationQuery`
+/// </remarks>
+/// <seealso cref="GetInstallationQuery"/>
+public interface IGetInstallationQuery
+{
+    /// <summary>
+    /// Retrieves an installation from the `InstallationRepository` by its id.
+    /// </summary>
+    /// <param name="installationId">The GUID id of the installation.</param>
+    /// <returns>A task containing an `Installation`.</returns>
+    /// <seealso cref="T:Bit.Core.Platform.Installations.Repositories.IInstallationRepository"/>
+    Task<Installation> GetByIdAsync(Guid installationId);
+}
--- a/src/Core/Platform/PlatformServiceCollectionExtensions.cs
+++ b/src/Core/Platform/PlatformServiceCollectionExtensions.cs
@ -0,0 +1,19 @@
+using Bit.Core.Platform.Installations;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Platform;
+
+public static class PlatformServiceCollectionExtensions
+{
+    /// <summary>
+    /// Extend DI to include commands and queries exported from the Platform
+    /// domain.
+    /// </summary>
+    public static IServiceCollection AddPlatformServices(this IServiceCollection services)
+    {
+        services.AddScoped<IGetInstallationQuery, GetInstallationQuery>();
+        services.AddScoped<IUpdateInstallationCommand, UpdateInstallationCommand>();
+
+        return services;
+    }
+}
--- a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
@ -9,7 +9,6 @@ namespace Bit.Core.Platform.Push.Internal;

 public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegistrationService
 {
-
    public RelayPushRegistrationService(
        IHttpClientFactory httpFactory,
        GlobalSettings globalSettings,
--- a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
@ -1,11 +1,13 @@
 using System.Diagnostics;
 using System.Security.Claims;
+using Bit.Core;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Models.Api.Response;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.IdentityServer;
+using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@ -23,6 +25,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
    ICustomTokenRequestValidator
 {
    private readonly UserManager<User> _userManager;
+    private readonly IUpdateInstallationCommand _updateInstallationCommand;

    public CustomTokenRequestValidator(
        UserManager<User> userManager,
@ -39,7 +42,8 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
        IPolicyService policyService,
        IFeatureService featureService,
        ISsoConfigRepository ssoConfigRepository,
-        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder
+        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder,
+        IUpdateInstallationCommand updateInstallationCommand
        )
        : base(
            userManager,
@ -59,6 +63,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
            userDecryptionOptionsBuilder)
    {
        _userManager = userManager;
+        _updateInstallationCommand = updateInstallationCommand;
    }

    public async Task ValidateAsync(CustomTokenRequestValidationContext context)
@ -76,16 +81,24 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
        }

        string[] allowedGrantTypes = ["authorization_code", "client_credentials"];
+        string clientId = context.Result.ValidatedRequest.ClientId;
        if (!allowedGrantTypes.Contains(context.Result.ValidatedRequest.GrantType)
-            || context.Result.ValidatedRequest.ClientId.StartsWith("organization")
-            || context.Result.ValidatedRequest.ClientId.StartsWith("installation")
-            || context.Result.ValidatedRequest.ClientId.StartsWith("internal")
+            || clientId.StartsWith("organization")
+            || clientId.StartsWith("installation")
+            || clientId.StartsWith("internal")
            || context.Result.ValidatedRequest.Client.AllowedScopes.Contains(ApiScopes.ApiSecrets))
        {
            if (context.Result.ValidatedRequest.Client.Properties.TryGetValue("encryptedPayload", out var payload) &&
                !string.IsNullOrWhiteSpace(payload))
            {
                context.Result.CustomResponse = new Dictionary<string, object> { { "encrypted_payload", payload } };
+
+            }
+            if (FeatureService.IsEnabled(FeatureFlagKeys.RecordInstallationLastActivityDate)
+                && context.Result.ValidatedRequest.ClientId.StartsWith("installation"))
+            {
+                var installationIdPart = clientId.Split(".")[1];
+                await RecordActivityForInstallation(clientId.Split(".")[1]);
            }
            return;
        }
@ -152,6 +165,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
            context.Result.CustomResponse["KeyConnectorUrl"] = userDecryptionOptions.KeyConnectorOption.KeyConnectorUrl;
            context.Result.CustomResponse["ResetMasterPassword"] = false;
        }
+
        return Task.CompletedTask;
    }

@ -202,4 +216,25 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
        context.Result.ErrorDescription = requestContext.ValidationErrorResult.ErrorDescription;
        context.Result.CustomResponse = requestContext.CustomResponse;
    }
+
+    /// <summary>
+    /// To help mentally separate organizations that self host from abandoned
+    /// organizations we hook in to the token refresh event for installations
+    /// to write a simple `DateTime.Now` to the database.
+    /// </summary>
+    /// <remarks>
+    /// This works well because installations don't phone home very often.
+    /// Currently self hosted installations only refresh tokens every 24
+    /// hours or so for the sake of hooking in to cloud's push relay service.
+    /// If installations ever start refreshing tokens more frequently we may need to
+    /// adjust this to avoid making a bunch of unnecessary database calls!
+    /// </remarks>
+    private async Task RecordActivityForInstallation(string? installationIdString)
+    {
+        if (!Guid.TryParse(installationIdString, out var installationId))
+        {
+            return;
+        }
+        await _updateInstallationCommand.UpdateLastActivityDateAsync(installationId);
+    }
 }
--- a/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/WebAuthnGrantValidator.cs
@ -44,8 +44,7 @@ public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidat
        IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable> assertionOptionsDataProtector,
        IFeatureService featureService,
        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder,
-        IAssertWebAuthnLoginCredentialCommand assertWebAuthnLoginCredentialCommand
-        )
+        IAssertWebAuthnLoginCredentialCommand assertWebAuthnLoginCredentialCommand)
        : base(
            userManager,
            userService,
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -30,6 +30,7 @@ using Bit.Core.KeyManagement;
 using Bit.Core.NotificationCenter;
 using Bit.Core.NotificationHub;
 using Bit.Core.OrganizationFeatures;
+using Bit.Core.Platform;
 using Bit.Core.Platform.Push;
 using Bit.Core.Platform.Push.Internal;
 using Bit.Core.Repositories;
@ -126,6 +127,7 @@ public static class ServiceCollectionExtensions
        services.AddReportingServices();
        services.AddKeyManagementServices();
        services.AddNotificationCenterServices();
+        services.AddPlatformServices();
    }

    public static void AddTokenizers(this IServiceCollection services)
--- a/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs
+++ b/test/Core.Test/Platform/Installations/Commands/UpdateInstallationCommandTests.cs
@ -0,0 +1,40 @@
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Time.Testing;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Platform.Installations.Tests;
+
+[SutProviderCustomize]
+public class UpdateInstallationCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task UpdateLastActivityDateAsync_ShouldUpdateLastActivityDate(
+        Installation installation
+    )
+    {
+        // Arrange
+        var sutProvider = new SutProvider<UpdateInstallationCommand>()
+            .WithFakeTimeProvider()
+            .Create();
+
+        var someDate = new DateTime(2014, 11, 3, 18, 27, 0, DateTimeKind.Utc);
+        sutProvider.GetDependency<FakeTimeProvider>().SetUtcNow(someDate);
+
+        sutProvider
+            .GetDependency<IGetInstallationQuery>()
+            .GetByIdAsync(installation.Id)
+            .Returns(installation);
+
+        // Act
+        await sutProvider.Sut.UpdateLastActivityDateAsync(installation.Id);
+
+        // Assert
+        await sutProvider
+            .GetDependency<IInstallationRepository>()
+            .Received(1)
+            .UpsertAsync(Arg.Is<Installation>(inst => inst.LastActivityDate == someDate));
+    }
+}