From a7a39fb54d8276f8419628328ae4c123a494a6bf Mon Sep 17 00:00:00 2001
From: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Date: Mon, 28 Feb 2022 13:43:49 -0500
Subject: [PATCH] CSA-6 Fix/remove artifact binding (#1885)

* Remove artifact binding, add validation

* Re-add JSON properties but eviscerate them
---
 .../DynamicAuthenticationSchemeProvider.cs       |  6 +-----
 .../Sso/Utilities/SsoAuthenticationMiddleware.cs |  6 ++++++
 .../Organizations/OrganizationSsoRequestModel.cs | 16 ++--------------
 src/Core/Enums/Saml2BindingType.cs               |  1 -
 src/Core/Models/Data/SsoConfigurationData.cs     |  2 +-
 5 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
index e8628fd6b3..82cbb3bdc8 100644
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@@ -400,10 +400,6 @@ namespace Bit.Core.Business.Sso
             {
                 idp.SingleLogoutServiceUrl = new Uri(config.IdpSingleLogoutServiceUrl);
             }
-            if (!string.IsNullOrWhiteSpace(config.IdpArtifactResolutionServiceUrl))
-            {
-                idp.ArtifactResolutionServiceUrls.TryAdd(0, new Uri(config.IdpArtifactResolutionServiceUrl));
-            }
             if (!string.IsNullOrWhiteSpace(config.IdpOutboundSigningAlgorithm))
             {
                 idp.OutboundSigningAlgorithm = config.IdpOutboundSigningAlgorithm;
@@ -413,6 +409,7 @@ namespace Bit.Core.Business.Sso
                 var cert = CoreHelpers.Base64UrlDecode(config.IdpX509PublicCert);
                 idp.SigningKeys.AddConfiguredKey(new X509Certificate2(cert));
             }
+            idp.ArtifactResolutionServiceUrls.Clear();
             // This must happen last since it calls Validate() internally.
             idp.LoadMetadata = false;
 
@@ -461,7 +458,6 @@ namespace Bit.Core.Business.Sso
             {
                 Saml2BindingType.HttpRedirect => Sustainsys.Saml2.WebSso.Saml2BindingType.HttpRedirect,
                 Saml2BindingType.HttpPost => Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost,
-                Saml2BindingType.Artifact => Sustainsys.Saml2.WebSso.Saml2BindingType.Artifact,
                 _ => Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost,
             };
         }
diff --git a/bitwarden_license/src/Sso/Utilities/SsoAuthenticationMiddleware.cs b/bitwarden_license/src/Sso/Utilities/SsoAuthenticationMiddleware.cs
index 68c81a1389..2013a44c43 100644
--- a/bitwarden_license/src/Sso/Utilities/SsoAuthenticationMiddleware.cs
+++ b/bitwarden_license/src/Sso/Utilities/SsoAuthenticationMiddleware.cs
@@ -23,6 +23,12 @@ namespace Bit.Sso.Utilities
 
         public async Task Invoke(HttpContext context)
         {
+            if ((context.Request.Method == "GET" && context.Request.Query.ContainsKey("SAMLart"))
+                || (context.Request.Method == "POST" && context.Request.Form.ContainsKey("SAMLart")))
+            {
+                throw new Exception("SAMLart parameter detected. SAML Artifact binding is not allowed.");
+            }
+
             context.Features.Set<IAuthenticationFeature>(new AuthenticationFeature
             {
                 OriginalPath = context.Request.Path,
diff --git a/src/Api/Models/Request/Organizations/OrganizationSsoRequestModel.cs b/src/Api/Models/Request/Organizations/OrganizationSsoRequestModel.cs
index ae10ce78d9..6444118bd8 100644
--- a/src/Api/Models/Request/Organizations/OrganizationSsoRequestModel.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationSsoRequestModel.cs
@@ -72,7 +72,7 @@ namespace Bit.Api.Models.Request.Organizations
         public Saml2BindingType IdpBindingType { get; set; }
         public string IdpSingleSignOnServiceUrl { get; set; }
         public string IdpSingleLogoutServiceUrl { get; set; }
-        public string IdpArtifactResolutionServiceUrl { get; set; }
+        public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } }
         public string IdpX509PublicCert { get; set; }
         public string IdpOutboundSigningAlgorithm { get; set; }
         public bool? IdpAllowUnsolicitedAuthnResponse { get; set; }
@@ -111,12 +111,6 @@ namespace Bit.Api.Models.Request.Organizations
                         new[] { nameof(IdpEntityId) });
                 }
 
-                if (IdpBindingType == Saml2BindingType.Artifact && string.IsNullOrWhiteSpace(IdpArtifactResolutionServiceUrl))
-                {
-                    yield return new ValidationResult(i18nService.GetLocalizedHtmlString("Saml2BindingTypeValidationError"),
-                        new[] { nameof(IdpArtifactResolutionServiceUrl) });
-                }
-
                 if (!Uri.IsWellFormedUriString(IdpEntityId, UriKind.Absolute) && string.IsNullOrWhiteSpace(IdpSingleSignOnServiceUrl))
                 {
                     yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleSignOnServiceUrlValidationError"),
@@ -129,12 +123,6 @@ namespace Bit.Api.Models.Request.Organizations
                         new[] { nameof(IdpSingleSignOnServiceUrl) });
                 }
 
-                if (InvalidServiceUrl(IdpArtifactResolutionServiceUrl))
-                {
-                    yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpArtifactResolutionServiceUrlInvalid"),
-                        new[] { nameof(IdpArtifactResolutionServiceUrl) });
-                }
-
                 if (InvalidServiceUrl(IdpSingleLogoutServiceUrl))
                 {
                     yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleLogoutServiceUrlInvalid"),
@@ -190,7 +178,7 @@ namespace Bit.Api.Models.Request.Organizations
                 IdpBindingType = IdpBindingType,
                 IdpSingleSignOnServiceUrl = IdpSingleSignOnServiceUrl,
                 IdpSingleLogoutServiceUrl = IdpSingleLogoutServiceUrl,
-                IdpArtifactResolutionServiceUrl = IdpArtifactResolutionServiceUrl,
+                IdpArtifactResolutionServiceUrl = null,
                 IdpX509PublicCert = StripPemCertificateElements(IdpX509PublicCert),
                 IdpOutboundSigningAlgorithm = IdpOutboundSigningAlgorithm,
                 IdpAllowUnsolicitedAuthnResponse = IdpAllowUnsolicitedAuthnResponse.GetValueOrDefault(),
diff --git a/src/Core/Enums/Saml2BindingType.cs b/src/Core/Enums/Saml2BindingType.cs
index be9ed1e315..0c0882bc48 100644
--- a/src/Core/Enums/Saml2BindingType.cs
+++ b/src/Core/Enums/Saml2BindingType.cs
@@ -4,6 +4,5 @@
     {
         HttpRedirect = 1,
         HttpPost = 2,
-        Artifact = 4
     }
 }
diff --git a/src/Core/Models/Data/SsoConfigurationData.cs b/src/Core/Models/Data/SsoConfigurationData.cs
index 23375a6e0e..5498b2e0b3 100644
--- a/src/Core/Models/Data/SsoConfigurationData.cs
+++ b/src/Core/Models/Data/SsoConfigurationData.cs
@@ -51,7 +51,7 @@ namespace Bit.Core.Models.Data
         public string IdpX509PublicCert { get; set; }
         public Saml2BindingType IdpBindingType { get; set; } = Saml2BindingType.HttpRedirect;
         public bool IdpAllowUnsolicitedAuthnResponse { get; set; }
-        public string IdpArtifactResolutionServiceUrl { get; set; }
+        public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } }
         public bool IdpDisableOutboundLogoutRequests { get; set; }
         public string IdpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256;
         public bool IdpWantAuthnRequestsSigned { get; set; }