nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

[PM-5216] User and Organization Duo Request and Response Model refactor (#4126)

Browse Source 
* inital changes

* add provider GatewayType migrations

* db provider migrations

* removed duo migrations added v2 metadata to duo response

* removed helper scripts

* remove signature from org duo

* added backward compatibility for Duo v2

* added tests for duo request + response models

* refactors to TwoFactorController

* updated test methods to be compartmentalized by usage

* fix organization add duo

* Assert.Empty() fix for validator
This commit is contained in:
Ike 2024-06-05 11:42:02 -07:00 committed by GitHub
parent a0a7654077
commit 97b3f3e7ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 8504 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
src/Api/Auth/Controllers/TwoFactorController.cs
View File

@ -159,7 +159,16 @@ public class TwoFactorController : Controller
var user = await CheckAsync(model, true); var user = await CheckAsync(model, true);
try try
{ {
var duoApi = new DuoApi(model.IntegrationKey, model.SecretKey, model.Host); // for backwards compatibility - will be removed with PM-8107
DuoApi duoApi = null;
if (model.ClientId != null && model.ClientSecret != null)
{
duoApi = new DuoApi(model.ClientId, model.ClientSecret, model.Host);
}
else
{
duoApi = new DuoApi(model.IntegrationKey, model.SecretKey, model.Host);
}
await duoApi.JSONApiCall("GET", "/auth/v2/check"); await duoApi.JSONApiCall("GET", "/auth/v2/check");
} }
catch (DuoException) catch (DuoException)
@ -178,7 +187,7 @@ public class TwoFactorController : Controller
public async Task<TwoFactorDuoResponseModel> GetOrganizationDuo(string id, public async Task<TwoFactorDuoResponseModel> GetOrganizationDuo(string id,
[FromBody] SecretVerificationRequestModel model) [FromBody] SecretVerificationRequestModel model)
{ {
var user = await CheckAsync(model, false); await CheckAsync(model, false);
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.ManagePolicies(orgIdGuid)) if (!await _currentContext.ManagePolicies(orgIdGuid))
@ -186,12 +195,7 @@ public class TwoFactorController : Controller
throw new NotFoundException(); throw new NotFoundException();
} }
var organization = await _organizationRepository.GetByIdAsync(orgIdGuid); var organization = await _organizationRepository.GetByIdAsync(orgIdGuid) ?? throw new NotFoundException();
if (organization == null)
{
throw new NotFoundException();
}
var response = new TwoFactorDuoResponseModel(organization); var response = new TwoFactorDuoResponseModel(organization);
return response; return response;
} }
@ -201,7 +205,7 @@ public class TwoFactorController : Controller
public async Task<TwoFactorDuoResponseModel> PutOrganizationDuo(string id, public async Task<TwoFactorDuoResponseModel> PutOrganizationDuo(string id,
[FromBody] UpdateTwoFactorDuoRequestModel model) [FromBody] UpdateTwoFactorDuoRequestModel model)
{ {
var user = await CheckAsync(model, false); await CheckAsync(model, false);
var orgIdGuid = new Guid(id); var orgIdGuid = new Guid(id);
if (!await _currentContext.ManagePolicies(orgIdGuid)) if (!await _currentContext.ManagePolicies(orgIdGuid))
@ -209,15 +213,19 @@ public class TwoFactorController : Controller
throw new NotFoundException(); throw new NotFoundException();
} }
var organization = await _organizationRepository.GetByIdAsync(orgIdGuid); var organization = await _organizationRepository.GetByIdAsync(orgIdGuid) ?? throw new NotFoundException();
if (organization == null)
{
throw new NotFoundException();
}
try try
{ {
var duoApi = new DuoApi(model.IntegrationKey, model.SecretKey, model.Host); // for backwards compatibility - will be removed with PM-8107
DuoApi duoApi = null;
if (model.ClientId != null && model.ClientSecret != null)
{
duoApi = new DuoApi(model.ClientId, model.ClientSecret, model.Host);
}
else
{
duoApi = new DuoApi(model.IntegrationKey, model.SecretKey, model.Host);
}
await duoApi.JSONApiCall("GET", "/auth/v2/check"); await duoApi.JSONApiCall("GET", "/auth/v2/check");
} }
catch (DuoException) catch (DuoException)
@ -439,7 +447,7 @@ public class TwoFactorController : Controller
throw new BadRequestException(string.Empty, "User verification failed."); throw new BadRequestException(string.Empty, "User verification failed.");
} }
if (premium && !(await _userService.CanAccessPremium(user))) if (premium && !await _userService.CanAccessPremium(user))
{ {
throw new BadRequestException("Premium status is required."); throw new BadRequestException("Premium status is required.");
} }

48
src/Api/Auth/Models/Request/TwoFactorRequestModels.cs
View File

@ -42,10 +42,18 @@ public class UpdateTwoFactorAuthenticatorRequestModel : SecretVerificationReques
public class UpdateTwoFactorDuoRequestModel : SecretVerificationRequestModel, IValidatableObject public class UpdateTwoFactorDuoRequestModel : SecretVerificationRequestModel, IValidatableObject
{ {
[Required] /*
To support both v2 and v4 we need to remove the required annotation from the properties.
todo - the required annotation will be added back in PM-8107.
*/
[StringLength(50)]
public string ClientId { get; set; }
[StringLength(50)]
public string ClientSecret { get; set; }
//todo - will remove SKey and IKey with PM-8107
[StringLength(50)] [StringLength(50)]
public string IntegrationKey { get; set; } public string IntegrationKey { get; set; }
[Required] //todo - will remove SKey and IKey with PM-8107
[StringLength(50)] [StringLength(50)]
public string SecretKey { get; set; } public string SecretKey { get; set; }
[Required] [Required]
@ -64,12 +72,17 @@ public class UpdateTwoFactorDuoRequestModel : SecretVerificationRequestModel, IV
providers.Remove(TwoFactorProviderType.Duo); providers.Remove(TwoFactorProviderType.Duo);
} }
Temporary_SyncDuoParams();
providers.Add(TwoFactorProviderType.Duo, new TwoFactorProvider providers.Add(TwoFactorProviderType.Duo, new TwoFactorProvider
{ {
MetaData = new Dictionary<string, object> MetaData = new Dictionary<string, object>
{ {
//todo - will remove SKey and IKey with PM-8107
["SKey"] = SecretKey, ["SKey"] = SecretKey,
["IKey"] = IntegrationKey, ["IKey"] = IntegrationKey,
["ClientSecret"] = ClientSecret,
["ClientId"] = ClientId,
["Host"] = Host ["Host"] = Host
}, },
Enabled = true Enabled = true
@ -90,12 +103,17 @@ public class UpdateTwoFactorDuoRequestModel : SecretVerificationRequestModel, IV
providers.Remove(TwoFactorProviderType.OrganizationDuo); providers.Remove(TwoFactorProviderType.OrganizationDuo);
} }
Temporary_SyncDuoParams();
providers.Add(TwoFactorProviderType.OrganizationDuo, new TwoFactorProvider providers.Add(TwoFactorProviderType.OrganizationDuo, new TwoFactorProvider
{ {
MetaData = new Dictionary<string, object> MetaData = new Dictionary<string, object>
{ {
//todo - will remove SKey and IKey with PM-8107
["SKey"] = SecretKey, ["SKey"] = SecretKey,
["IKey"] = IntegrationKey, ["IKey"] = IntegrationKey,
["ClientSecret"] = ClientSecret,
["ClientId"] = ClientId,
["Host"] = Host ["Host"] = Host
}, },
Enabled = true Enabled = true
@ -108,7 +126,31 @@ public class UpdateTwoFactorDuoRequestModel : SecretVerificationRequestModel, IV
{ {
if (!DuoApi.ValidHost(Host)) if (!DuoApi.ValidHost(Host))
{ {
yield return new ValidationResult("Host is invalid.", new string[] { nameof(Host) }); yield return new ValidationResult("Host is invalid.", [nameof(Host)]);
}
if (string.IsNullOrWhiteSpace(ClientSecret) && string.IsNullOrWhiteSpace(ClientId) &&
string.IsNullOrWhiteSpace(SecretKey) && string.IsNullOrWhiteSpace(IntegrationKey))
{
yield return new ValidationResult("Neither v2 or v4 values are valid.", [nameof(IntegrationKey), nameof(SecretKey), nameof(ClientSecret), nameof(ClientId)]);
}
}
/*
use this method to ensure that both v2 params and v4 params are in sync
todo will be removed in pm-8107
*/
private void Temporary_SyncDuoParams()
{
// Even if IKey and SKey exist prioritize v4 params ClientId and ClientSecret
if (!string.IsNullOrWhiteSpace(ClientSecret) && !string.IsNullOrWhiteSpace(ClientId))
{
SecretKey = ClientSecret;
IntegrationKey = ClientId;
}
else if (!string.IsNullOrWhiteSpace(SecretKey) && !string.IsNullOrWhiteSpace(IntegrationKey))
{
ClientSecret = SecretKey;
ClientId = IntegrationKey;
} }
} }
} }

63
src/Api/Auth/Models/Response/TwoFactor/TwoFactorDuoResponseModel.cs
View File

@ -36,26 +36,54 @@ public class TwoFactorDuoResponseModel : ResponseModel
public bool Enabled { get; set; } public bool Enabled { get; set; }
public string Host { get; set; } public string Host { get; set; }
//TODO - will remove SecretKey with PM-8107
public string SecretKey { get; set; } public string SecretKey { get; set; }
//TODO - will remove IntegrationKey with PM-8107
public string IntegrationKey { get; set; } public string IntegrationKey { get; set; }
public string ClientSecret { get; set; }
public string ClientId { get; set; }
// updated build to assist in the EDD migration for the Duo 2FA provider
private void Build(TwoFactorProvider provider) private void Build(TwoFactorProvider provider)
{ {
if (provider?.MetaData != null && provider.MetaData.Count > 0) if (provider?.MetaData != null && provider.MetaData.Count > 0)
{ {
Enabled = provider.Enabled; Enabled = provider.Enabled;
if (provider.MetaData.ContainsKey("Host")) if (provider.MetaData.TryGetValue("Host", out var host))
{ {
Host = (string)provider.MetaData["Host"]; Host = (string)host;
} }
if (provider.MetaData.ContainsKey("SKey"))
//todo - will remove SKey and IKey with PM-8107
// check Skey and IKey first if they exist
if (provider.MetaData.TryGetValue("SKey", out var sKey))
{ {
SecretKey = (string)provider.MetaData["SKey"]; ClientSecret = (string)sKey;
SecretKey = (string)sKey;
} }
if (provider.MetaData.ContainsKey("IKey")) if (provider.MetaData.TryGetValue("IKey", out var iKey))
{ {
IntegrationKey = (string)provider.MetaData["IKey"]; IntegrationKey = (string)iKey;
ClientId = (string)iKey;
}
// Even if IKey and SKey exist prioritize v4 params ClientId and ClientSecret
if (provider.MetaData.TryGetValue("ClientSecret", out var clientSecret))
{
if (!string.IsNullOrWhiteSpace((string)clientSecret))
{
ClientSecret = (string)clientSecret;
SecretKey = (string)clientSecret;
}
}
if (provider.MetaData.TryGetValue("ClientId", out var clientId))
{
if (!string.IsNullOrWhiteSpace((string)clientId))
{
ClientId = (string)clientId;
IntegrationKey = (string)clientId;
}
} }
} }
else else
@ -63,4 +91,27 @@ public class TwoFactorDuoResponseModel : ResponseModel
Enabled = false; Enabled = false;
} }
} }
/*
use this method to ensure that both v2 params and v4 params are in sync
todo will be removed in pm-8107
*/
private void Temporary_SyncDuoParams()
{
// Even if IKey and SKey exist prioritize v4 params ClientId and ClientSecret
if (!string.IsNullOrWhiteSpace(ClientSecret) && !string.IsNullOrWhiteSpace(ClientId))
{
SecretKey = ClientSecret;
IntegrationKey = ClientId;
}
else if (!string.IsNullOrWhiteSpace(SecretKey) && !string.IsNullOrWhiteSpace(IntegrationKey))
{
ClientSecret = SecretKey;
ClientId = IntegrationKey;
}
else
{
throw new InvalidDataException("Invalid Duo parameters.");
}
}
} }

10
src/Core/Auth/Identity/TemporaryDuoWebV4SDKService.cs
View File

@ -110,8 +110,8 @@ public class TemporaryDuoWebV4SDKService : ITemporaryDuoWebV4SDKService
private bool HasProperMetaData(TwoFactorProvider provider) private bool HasProperMetaData(TwoFactorProvider provider)
{ {
return provider?.MetaData != null && provider.MetaData.ContainsKey("IKey") && return provider?.MetaData != null && provider.MetaData.ContainsKey("ClientId") &&
provider.MetaData.ContainsKey("SKey") && provider.MetaData.ContainsKey("Host"); provider.MetaData.ContainsKey("ClientSecret") && provider.MetaData.ContainsKey("Host");
} }
/// <summary> /// <summary>
@ -122,14 +122,14 @@ public class TemporaryDuoWebV4SDKService : ITemporaryDuoWebV4SDKService
private async Task<Duo.Client> BuildDuoClientAsync(TwoFactorProvider provider) private async Task<Duo.Client> BuildDuoClientAsync(TwoFactorProvider provider)
{ {
// Fetch Client name from header value since duo auth can be initiated from multiple clients and we want // Fetch Client name from header value since duo auth can be initiated from multiple clients and we want
// to redirect back to the correct client // to redirect back to the initiating client
_currentContext.HttpContext.Request.Headers.TryGetValue("Bitwarden-Client-Name", out var bitwardenClientName); _currentContext.HttpContext.Request.Headers.TryGetValue("Bitwarden-Client-Name", out var bitwardenClientName);
var redirectUri = string.Format("{0}/duo-redirect-connector.html?client={1}", var redirectUri = string.Format("{0}/duo-redirect-connector.html?client={1}",
_globalSettings.BaseServiceUri.Vault, bitwardenClientName.FirstOrDefault() ?? "web"); _globalSettings.BaseServiceUri.Vault, bitwardenClientName.FirstOrDefault() ?? "web");
var client = new Duo.ClientBuilder( var client = new Duo.ClientBuilder(
(string)provider.MetaData["IKey"], (string)provider.MetaData["ClientId"],
(string)provider.MetaData["SKey"], (string)provider.MetaData["ClientSecret"],
(string)provider.MetaData["Host"], (string)provider.MetaData["Host"],
redirectUri).Build(); redirectUri).Build();

19
src/Identity/IdentityServer/BaseRequestValidator.cs
View File

@ -483,7 +483,7 @@ public abstract class BaseRequestValidator<T> where T : class
case TwoFactorProviderType.WebAuthn: case TwoFactorProviderType.WebAuthn:
case TwoFactorProviderType.Email: case TwoFactorProviderType.Email:
case TwoFactorProviderType.YubiKey: case TwoFactorProviderType.YubiKey:
if (!(await _userService.TwoFactorProviderIsEnabledAsync(type, user))) if (!await _userService.TwoFactorProviderIsEnabledAsync(type, user))
{ {
return null; return null;
} }
@ -495,15 +495,9 @@ public abstract class BaseRequestValidator<T> where T : class
var duoResponse = new Dictionary<string, object> var duoResponse = new Dictionary<string, object>
{ {
["Host"] = provider.MetaData["Host"], ["Host"] = provider.MetaData["Host"],
["Signature"] = token ["AuthUrl"] = await _duoWebV4SDKService.GenerateAsync(provider, user),
}; };
// DUO SDK v4 Update: Duo-Redirect
if (FeatureService.IsEnabled(FeatureFlagKeys.DuoRedirect))
{
// Generate AuthUrl from DUO SDK v4 token provider
duoResponse.Add("AuthUrl", await _duoWebV4SDKService.GenerateAsync(provider, user));
}
return duoResponse; return duoResponse;
} }
else if (type == TwoFactorProviderType.WebAuthn) else if (type == TwoFactorProviderType.WebAuthn)
@ -531,14 +525,9 @@ public abstract class BaseRequestValidator<T> where T : class
var duoResponse = new Dictionary<string, object> var duoResponse = new Dictionary<string, object>
{ {
["Host"] = provider.MetaData["Host"], ["Host"] = provider.MetaData["Host"],
["Signature"] = await _organizationDuoWebTokenProvider.GenerateAsync(organization, user) ["AuthUrl"] = await _duoWebV4SDKService.GenerateAsync(provider, user),
}; };
// DUO SDK v4 Update: DUO-Redirect
if (FeatureService.IsEnabled(FeatureFlagKeys.DuoRedirect))
{
// Generate AuthUrl from DUO SDK v4 token provider
duoResponse.Add("AuthUrl", await _duoWebV4SDKService.GenerateAsync(provider, user));
}
return duoResponse; return duoResponse;
} }
return null; return null;

121
test/Api.Test/Auth/Models/Request/OrganizationTwoFactorDuoRequestModelTests.cs Normal file
View File

@ -0,0 +1,121 @@
using Bit.Api.Auth.Models.Request;
using Bit.Core.AdminConsole.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models;
using Xunit;
namespace Bit.Api.Test.Auth.Models.Request;
public class OrganizationTwoFactorDuoRequestModelTests
{
[Fact]
public void ShouldAddOrUpdateTwoFactorProvider_WhenExistingProviderDoesNotExist()
{
// Arrange
var existingOrg = new Organization();
var model = new UpdateTwoFactorDuoRequestModel
{
ClientId = "clientId",
ClientSecret = "clientSecret",
IntegrationKey = "integrationKey",
SecretKey = "secretKey",
Host = "example.com"
};
// Act
var result = model.ToOrganization(existingOrg);
// Assert
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.OrganizationDuo));
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientId"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientSecret"]);
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["IKey"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["SKey"]);
Assert.Equal("example.com", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].Enabled);
}
[Fact]
public void ShouldUpdateTwoFactorProvider_WhenExistingProviderExists()
{
// Arrange
var existingOrg = new Organization();
existingOrg.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
{
{ TwoFactorProviderType.OrganizationDuo, new TwoFactorProvider() }
});
var model = new UpdateTwoFactorDuoRequestModel
{
ClientId = "newClientId",
ClientSecret = "newClientSecret",
IntegrationKey = "newIntegrationKey",
SecretKey = "newSecretKey",
Host = "newExample.com"
};
// Act
var result = model.ToOrganization(existingOrg);
// Assert
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.OrganizationDuo));
Assert.Equal("newClientId", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientId"]);
Assert.Equal("newClientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientSecret"]);
Assert.Equal("newClientId", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["IKey"]);
Assert.Equal("newClientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["SKey"]);
Assert.Equal("newExample.com", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].Enabled);
}
[Fact]
public void DuoV2ParamsSync_WhenExistingProviderDoesNotExist()
{
// Arrange
var existingOrg = new Organization();
var model = new UpdateTwoFactorDuoRequestModel
{
IntegrationKey = "integrationKey",
SecretKey = "secretKey",
Host = "example.com"
};
// Act
var result = model.ToOrganization(existingOrg);
// Assert
// IKey and SKey should be the same as ClientId and ClientSecret
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.OrganizationDuo));
Assert.Equal("integrationKey", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientId"]);
Assert.Equal("secretKey", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientSecret"]);
Assert.Equal("integrationKey", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["IKey"]);
Assert.Equal("secretKey", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["SKey"]);
Assert.Equal("example.com", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].Enabled);
}
[Fact]
public void DuoV4ParamsSync_WhenExistingProviderDoesNotExist()
{
// Arrange
var existingOrg = new Organization();
var model = new UpdateTwoFactorDuoRequestModel
{
ClientId = "clientId",
ClientSecret = "clientSecret",
Host = "example.com"
};
// Act
var result = model.ToOrganization(existingOrg);
// Assert
// IKey and SKey should be the same as ClientId and ClientSecret
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.OrganizationDuo));
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientId"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["ClientSecret"]);
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["IKey"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["SKey"]);
Assert.Equal("example.com", result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.OrganizationDuo].Enabled);
}
}

67
test/Api.Test/Auth/Models/Request/TwoFactorDuoRequestModelValidationTests.cs Normal file
View File

@ -0,0 +1,67 @@
using System.ComponentModel.DataAnnotations;
using Bit.Api.Auth.Models.Request;
using Xunit;
namespace Bit.Api.Test.Auth.Models.Request;
public class TwoFactorDuoRequestModelValidationTests
{
[Fact]
public void ShouldReturnValidationError_WhenHostIsInvalid()
{
// Arrange
var model = new UpdateTwoFactorDuoRequestModel
{
Host = "invalidHost",
ClientId = "clientId",
ClientSecret = "clientSecret",
};
// Act
var result = model.Validate(new ValidationContext(model));
// Assert
Assert.Single(result);
Assert.Equal("Host is invalid.", result.First().ErrorMessage);
Assert.Equal("Host", result.First().MemberNames.First());
}
[Fact]
public void ShouldReturnValidationError_WhenValuesAreInvalid()
{
// Arrange
var model = new UpdateTwoFactorDuoRequestModel
{
Host = "api-12345abc.duosecurity.com"
};
// Act
var result = model.Validate(new ValidationContext(model));
// Assert
Assert.Single(result);
Assert.Equal("Neither v2 or v4 values are valid.", result.First().ErrorMessage);
Assert.Contains("ClientId", result.First().MemberNames);
Assert.Contains("ClientSecret", result.First().MemberNames);
Assert.Contains("IntegrationKey", result.First().MemberNames);
Assert.Contains("SecretKey", result.First().MemberNames);
}
[Fact]
public void ShouldReturnSuccess_WhenValuesAreValid()
{
// Arrange
var model = new UpdateTwoFactorDuoRequestModel
{
Host = "api-12345abc.duosecurity.com",
ClientId = "clientId",
ClientSecret = "clientSecret",
};
// Act
var result = model.Validate(new ValidationContext(model));
// Assert
Assert.Empty(result);
}
}

122
test/Api.Test/Auth/Models/Request/UserTwoFactorDuoRequestModelTests.cs Normal file
View File

@ -0,0 +1,122 @@
using Bit.Api.Auth.Models.Request;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models;
using Bit.Core.Entities;
using Xunit;
namespace Bit.Api.Test.Auth.Models.Request;
public class UserTwoFactorDuoRequestModelTests
{
[Fact]
public void ShouldAddOrUpdateTwoFactorProvider_WhenExistingProviderDoesNotExist()
{
// Arrange
var existingUser = new User();
var model = new UpdateTwoFactorDuoRequestModel
{
ClientId = "clientId",
ClientSecret = "clientSecret",
IntegrationKey = "integrationKey",
SecretKey = "secretKey",
Host = "example.com"
};
// Act
var result = model.ToUser(existingUser);
// Assert
// IKey and SKey should be the same as ClientId and ClientSecret
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.Duo));
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientId"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientSecret"]);
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["IKey"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["SKey"]);
Assert.Equal("example.com", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].Enabled);
}
[Fact]
public void ShouldUpdateTwoFactorProvider_WhenExistingProviderExists()
{
// Arrange
var existingUser = new User();
existingUser.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
{
{ TwoFactorProviderType.Duo, new TwoFactorProvider() }
});
var model = new UpdateTwoFactorDuoRequestModel
{
ClientId = "newClientId",
ClientSecret = "newClientSecret",
IntegrationKey = "newIntegrationKey",
SecretKey = "newSecretKey",
Host = "newExample.com"
};
// Act
var result = model.ToUser(existingUser);
// Assert
// IKey and SKey should be the same as ClientId and ClientSecret
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.Duo));
Assert.Equal("newClientId", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientId"]);
Assert.Equal("newClientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientSecret"]);
Assert.Equal("newClientId", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["IKey"]);
Assert.Equal("newClientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["SKey"]);
Assert.Equal("newExample.com", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].Enabled);
}
[Fact]
public void DuoV2ParamsSync_WhenExistingProviderDoesNotExist()
{
// Arrange
var existingUser = new User();
var model = new UpdateTwoFactorDuoRequestModel
{
IntegrationKey = "integrationKey",
SecretKey = "secretKey",
Host = "example.com"
};
// Act
var result = model.ToUser(existingUser);
// Assert
// IKey and SKey should be the same as ClientId and ClientSecret
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.Duo));
Assert.Equal("integrationKey", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientId"]);
Assert.Equal("secretKey", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientSecret"]);
Assert.Equal("integrationKey", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["IKey"]);
Assert.Equal("secretKey", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["SKey"]);
Assert.Equal("example.com", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].Enabled);
}
[Fact]
public void DuoV4ParamsSync_WhenExistingProviderDoesNotExist()
{
// Arrange
var existingUser = new User();
var model = new UpdateTwoFactorDuoRequestModel
{
ClientId = "clientId",
ClientSecret = "clientSecret",
Host = "example.com"
};
// Act
var result = model.ToUser(existingUser);
// Assert
// IKey and SKey should be the same as ClientId and ClientSecret
Assert.True(result.GetTwoFactorProviders().ContainsKey(TwoFactorProviderType.Duo));
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientId"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["ClientSecret"]);
Assert.Equal("clientId", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["IKey"]);
Assert.Equal("clientSecret", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["SKey"]);
Assert.Equal("example.com", result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].MetaData["Host"]);
Assert.True(result.GetTwoFactorProviders()[TwoFactorProviderType.Duo].Enabled);
}
}

107
test/Api.Test/Auth/Models/Response/OrganizationTwoFactorDuoResponseModelTests.cs Normal file
View File

@ -0,0 +1,107 @@

using Bit.Api.Auth.Models.Response.TwoFactor;
using Bit.Core.AdminConsole.Entities;
using Bit.Test.Common.AutoFixture.Attributes;
using Xunit;
namespace Bit.Api.Test.Auth.Models.Response;
public class OrganizationTwoFactorDuoResponseModelTests
{
[Theory]
[BitAutoData]
public void Organization_WithDuoV4_ShouldBuildModel(Organization organization)
{
// Arrange
organization.TwoFactorProviders = GetTwoFactorOrganizationDuoV4ProvidersJson();
// Act
var model = new TwoFactorDuoResponseModel(organization);
// Assert if v4 data Ikey and Skey are set to clientId and clientSecret
Assert.NotNull(model);
Assert.Equal("clientId", model.ClientId);
Assert.Equal("clientSecret", model.ClientSecret);
Assert.Equal("clientId", model.IntegrationKey);
Assert.Equal("clientSecret", model.SecretKey);
}
[Theory]
[BitAutoData]
public void Organization_WithDuoV2_ShouldBuildModel(Organization organization)
{
// Arrange
organization.TwoFactorProviders = GetTwoFactorOrganizationDuoV2ProvidersJson();
// Act
var model = new TwoFactorDuoResponseModel(organization);
// Assert if only v2 data clientId and clientSecret are set to Ikey and Sk
Assert.NotNull(model);
Assert.Equal("IKey", model.ClientId);
Assert.Equal("SKey", model.ClientSecret);
Assert.Equal("IKey", model.IntegrationKey);
Assert.Equal("SKey", model.SecretKey);
}
[Theory]
[BitAutoData]
public void Organization_WithDuo_ShouldBuildModel(Organization organization)
{
// Arrange
organization.TwoFactorProviders = GetTwoFactorOrganizationDuoProvidersJson();
// Act
var model = new TwoFactorDuoResponseModel(organization);
/// Assert Even if both versions are present priority is given to v4 data
Assert.NotNull(model);
Assert.Equal("clientId", model.ClientId);
Assert.Equal("clientSecret", model.ClientSecret);
Assert.Equal("clientId", model.IntegrationKey);
Assert.Equal("clientSecret", model.SecretKey);
}
[Theory]
[BitAutoData]
public void Organization_WithDuoEmpty_ShouldFail(Organization organization)
{
// Arrange
organization.TwoFactorProviders = "{\"6\" : {}}";
// Act
var model = new TwoFactorDuoResponseModel(organization);
/// Assert
Assert.False(model.Enabled);
}
[Theory]
[BitAutoData]
public void Organization_WithTwoFactorProvidersNull_ShouldFail(Organization organization)
{
// Arrange
organization.TwoFactorProviders = "{\"6\" : {}}";
// Act
var model = new TwoFactorDuoResponseModel(organization);
/// Assert
Assert.False(model.Enabled);
}
private string GetTwoFactorOrganizationDuoProvidersJson()
{
return "{\"6\":{\"Enabled\":true,\"MetaData\":{\"SKey\":\"SKey\",\"IKey\":\"IKey\",\"ClientSecret\":\"clientSecret\",\"ClientId\":\"clientId\",\"Host\":\"example.com\"}}}";
}
private string GetTwoFactorOrganizationDuoV4ProvidersJson()
{
return "{\"6\":{\"Enabled\":true,\"MetaData\":{\"ClientSecret\":\"clientSecret\",\"ClientId\":\"clientId\",\"Host\":\"example.com\"}}}";
}
private string GetTwoFactorOrganizationDuoV2ProvidersJson()
{
return "{\"6\":{\"Enabled\":true,\"MetaData\":{\"SKey\":\"SKey\",\"IKey\":\"IKey\",\"Host\":\"example.com\"}}}";
}
}

107
test/Api.Test/Auth/Models/Response/UserTwoFactorDuoResponseModelTests.cs Normal file
View File

@ -0,0 +1,107 @@

using Bit.Api.Auth.Models.Response.TwoFactor;
using Bit.Core.Entities;
using Bit.Test.Common.AutoFixture.Attributes;
using Xunit;
namespace Bit.Api.Test.Auth.Models.Response;
public class UserTwoFactorDuoResponseModelTests
{
[Theory]
[BitAutoData]
public void User_WithDuoV4_ShouldBuildModel(User user)
{
// Arrange
user.TwoFactorProviders = GetTwoFactorDuoV4ProvidersJson();
// Act
var model = new TwoFactorDuoResponseModel(user);
// Assert if v4 data Ikey and Skey are set to clientId and clientSecret
Assert.NotNull(model);
Assert.Equal("clientId", model.ClientId);
Assert.Equal("clientSecret", model.ClientSecret);
Assert.Equal("clientId", model.IntegrationKey);
Assert.Equal("clientSecret", model.SecretKey);
}
[Theory]
[BitAutoData]
public void User_WithDuov2_ShouldBuildModel(User user)
{
// Arrange
user.TwoFactorProviders = GetTwoFactorDuoV2ProvidersJson();
// Act
var model = new TwoFactorDuoResponseModel(user);
// Assert if only v2 data clientId and clientSecret are set to Ikey and Skey
Assert.NotNull(model);
Assert.Equal("IKey", model.ClientId);
Assert.Equal("SKey", model.ClientSecret);
Assert.Equal("IKey", model.IntegrationKey);
Assert.Equal("SKey", model.SecretKey);
}
[Theory]
[BitAutoData]
public void User_WithDuo_ShouldBuildModel(User user)
{
// Arrange
user.TwoFactorProviders = GetTwoFactorDuoProvidersJson();
// Act
var model = new TwoFactorDuoResponseModel(user);
// Assert Even if both versions are present priority is given to v4 data
Assert.NotNull(model);
Assert.Equal("clientId", model.ClientId);
Assert.Equal("clientSecret", model.ClientSecret);
Assert.Equal("clientId", model.IntegrationKey);
Assert.Equal("clientSecret", model.SecretKey);
}
[Theory]
[BitAutoData]
public void User_WithDuoEmpty_ShouldFail(User user)
{
// Arrange
user.TwoFactorProviders = "{\"2\" : {}}";
// Act
var model = new TwoFactorDuoResponseModel(user);
/// Assert
Assert.False(model.Enabled);
}
[Theory]
[BitAutoData]
public void User_WithTwoFactorProvidersNull_ShouldFail(User user)
{
// Arrange
user.TwoFactorProviders = null;
// Act
var model = new TwoFactorDuoResponseModel(user);
/// Assert
Assert.False(model.Enabled);
}
private string GetTwoFactorDuoProvidersJson()
{
return "{\"2\":{\"Enabled\":true,\"MetaData\":{\"SKey\":\"SKey\",\"IKey\":\"IKey\",\"ClientSecret\":\"clientSecret\",\"ClientId\":\"clientId\",\"Host\":\"example.com\"}}}";
}
private string GetTwoFactorDuoV4ProvidersJson()
{
return "{\"2\":{\"Enabled\":true,\"MetaData\":{\"ClientSecret\":\"clientSecret\",\"ClientId\":\"clientId\",\"Host\":\"example.com\"}}}";
}
private string GetTwoFactorDuoV2ProvidersJson()
{
return "{\"2\":{\"Enabled\":true,\"MetaData\":{\"SKey\":\"SKey\",\"IKey\":\"IKey\",\"Host\":\"example.com\"}}}";
}
}

2580
util/MySqlMigrations/Migrations/20240507185445_UpdateProviderGatewayType.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

27
util/MySqlMigrations/Migrations/20240507185445_UpdateProviderGatewayType.cs Normal file
View File

@ -0,0 +1,27 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.MySqlMigrations.Migrations;
/// <inheritdoc />
public partial class UpdateProviderGatewayType : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.RenameColumn(
name: "GatewayType",
table: "Provider",
newName: "Gateway");
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.RenameColumn(
name: "Gateway",
table: "Provider",
newName: "GatewayType");
}
}

6
util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -276,15 +276,15 @@ namespace Bit.MySqlMigrations.Migrations
b.Property<bool>("Enabled") b.Property<bool>("Enabled")
.HasColumnType("tinyint(1)"); .HasColumnType("tinyint(1)");
b.Property<byte?>("Gateway")
.HasColumnType("tinyint unsigned");
b.Property<string>("GatewayCustomerId") b.Property<string>("GatewayCustomerId")
.HasColumnType("longtext"); .HasColumnType("longtext");
b.Property<string>("GatewaySubscriptionId") b.Property<string>("GatewaySubscriptionId")
.HasColumnType("longtext"); .HasColumnType("longtext");
b.Property<byte?>("GatewayType")
.HasColumnType("tinyint unsigned");
b.Property<string>("Name") b.Property<string>("Name")
.HasColumnType("longtext"); .HasColumnType("longtext");

2596
util/PostgresMigrations/Migrations/20240507185430_UpdateProviderGatewayType.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

27
util/PostgresMigrations/Migrations/20240507185430_UpdateProviderGatewayType.cs Normal file
View File

@ -0,0 +1,27 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.PostgresMigrations.Migrations;
/// <inheritdoc />
public partial class UpdateProviderGatewayType : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.RenameColumn(
name: "GatewayType",
table: "Provider",
newName: "Gateway");
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.RenameColumn(
name: "Gateway",
table: "Provider",
newName: "GatewayType");
}
}

6
util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -282,15 +282,15 @@ namespace Bit.PostgresMigrations.Migrations
b.Property<bool>("Enabled") b.Property<bool>("Enabled")
.HasColumnType("boolean"); .HasColumnType("boolean");
b.Property<byte?>("Gateway")
.HasColumnType("smallint");
b.Property<string>("GatewayCustomerId") b.Property<string>("GatewayCustomerId")
.HasColumnType("text"); .HasColumnType("text");
b.Property<string>("GatewaySubscriptionId") b.Property<string>("GatewaySubscriptionId")
.HasColumnType("text"); .HasColumnType("text");
b.Property<byte?>("GatewayType")
.HasColumnType("smallint");
b.Property<string>("Name") b.Property<string>("Name")
.HasColumnType("text"); .HasColumnType("text");

2578
util/SqliteMigrations/Migrations/20240507185438_UpdateProviderGatewayType.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

27
util/SqliteMigrations/Migrations/20240507185438_UpdateProviderGatewayType.cs Normal file
View File

@ -0,0 +1,27 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.SqliteMigrations.Migrations;
/// <inheritdoc />
public partial class UpdateProviderGatewayType : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.RenameColumn(
name: "GatewayType",
table: "Provider",
newName: "Gateway");
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.RenameColumn(
name: "Gateway",
table: "Provider",
newName: "GatewayType");
}
}

6
util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -274,15 +274,15 @@ namespace Bit.SqliteMigrations.Migrations
b.Property<bool>("Enabled") b.Property<bool>("Enabled")
.HasColumnType("INTEGER"); .HasColumnType("INTEGER");
b.Property<byte?>("Gateway")
.HasColumnType("INTEGER");
b.Property<string>("GatewayCustomerId") b.Property<string>("GatewayCustomerId")
.HasColumnType("TEXT"); .HasColumnType("TEXT");
b.Property<string>("GatewaySubscriptionId") b.Property<string>("GatewaySubscriptionId")
.HasColumnType("TEXT"); .HasColumnType("TEXT");
b.Property<byte?>("GatewayType")
.HasColumnType("INTEGER");
b.Property<string>("Name") b.Property<string>("Name")
.HasColumnType("TEXT"); .HasColumnType("TEXT");