CSA-6 Fix/remove artifact binding (#1885)

* Remove artifact binding, add validation

* Re-add JSON properties but eviscerate them

bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs

@@ -400,10 +400,6 @@ namespace Bit.Core.Business.Sso
             {
                 idp.SingleLogoutServiceUrl = new Uri(config.IdpSingleLogoutServiceUrl);
             }
-            if (!string.IsNullOrWhiteSpace(config.IdpArtifactResolutionServiceUrl))
-            {
-                idp.ArtifactResolutionServiceUrls.TryAdd(0, new Uri(config.IdpArtifactResolutionServiceUrl));
-            }
             if (!string.IsNullOrWhiteSpace(config.IdpOutboundSigningAlgorithm))
             {
                 idp.OutboundSigningAlgorithm = config.IdpOutboundSigningAlgorithm;
@@ -413,6 +409,7 @@ namespace Bit.Core.Business.Sso
                 var cert = CoreHelpers.Base64UrlDecode(config.IdpX509PublicCert);
                 idp.SigningKeys.AddConfiguredKey(new X509Certificate2(cert));
             }
+            idp.ArtifactResolutionServiceUrls.Clear();
             // This must happen last since it calls Validate() internally.
             idp.LoadMetadata = false;
 
@@ -461,7 +458,6 @@ namespace Bit.Core.Business.Sso
             {
                 Saml2BindingType.HttpRedirect => Sustainsys.Saml2.WebSso.Saml2BindingType.HttpRedirect,
                 Saml2BindingType.HttpPost => Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost,
-                Saml2BindingType.Artifact => Sustainsys.Saml2.WebSso.Saml2BindingType.Artifact,
                 _ => Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost,
             };
         }

bitwarden_license/src/Sso/Utilities/SsoAuthenticationMiddleware.cs

@@ -23,6 +23,12 @@ namespace Bit.Sso.Utilities
 
         public async Task Invoke(HttpContext context)
         {
+            if ((context.Request.Method == "GET" && context.Request.Query.ContainsKey("SAMLart"))
+                || (context.Request.Method == "POST" && context.Request.Form.ContainsKey("SAMLart")))
+            {
+                throw new Exception("SAMLart parameter detected. SAML Artifact binding is not allowed.");
+            }
+
             context.Features.Set<IAuthenticationFeature>(new AuthenticationFeature
             {
                 OriginalPath = context.Request.Path,

src/Api/Models/Request/Organizations/OrganizationSsoRequestModel.cs

@@ -72,7 +72,7 @@ namespace Bit.Api.Models.Request.Organizations
         public Saml2BindingType IdpBindingType { get; set; }
         public string IdpSingleSignOnServiceUrl { get; set; }
         public string IdpSingleLogoutServiceUrl { get; set; }
-        public string IdpArtifactResolutionServiceUrl { get; set; }
+        public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } }
         public string IdpX509PublicCert { get; set; }
         public string IdpOutboundSigningAlgorithm { get; set; }
         public bool? IdpAllowUnsolicitedAuthnResponse { get; set; }
@@ -111,12 +111,6 @@ namespace Bit.Api.Models.Request.Organizations
                         new[] { nameof(IdpEntityId) });
                 }
 
-                if (IdpBindingType == Saml2BindingType.Artifact && string.IsNullOrWhiteSpace(IdpArtifactResolutionServiceUrl))
-                {
-                    yield return new ValidationResult(i18nService.GetLocalizedHtmlString("Saml2BindingTypeValidationError"),
-                        new[] { nameof(IdpArtifactResolutionServiceUrl) });
-                }
-
                 if (!Uri.IsWellFormedUriString(IdpEntityId, UriKind.Absolute) && string.IsNullOrWhiteSpace(IdpSingleSignOnServiceUrl))
                 {
                     yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleSignOnServiceUrlValidationError"),
@@ -129,12 +123,6 @@ namespace Bit.Api.Models.Request.Organizations
                         new[] { nameof(IdpSingleSignOnServiceUrl) });
                 }
 
-                if (InvalidServiceUrl(IdpArtifactResolutionServiceUrl))
-                {
-                    yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpArtifactResolutionServiceUrlInvalid"),
-                        new[] { nameof(IdpArtifactResolutionServiceUrl) });
-                }
-
                 if (InvalidServiceUrl(IdpSingleLogoutServiceUrl))
                 {
                     yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleLogoutServiceUrlInvalid"),
@@ -190,7 +178,7 @@ namespace Bit.Api.Models.Request.Organizations
                 IdpBindingType = IdpBindingType,
                 IdpSingleSignOnServiceUrl = IdpSingleSignOnServiceUrl,
                 IdpSingleLogoutServiceUrl = IdpSingleLogoutServiceUrl,
-                IdpArtifactResolutionServiceUrl = IdpArtifactResolutionServiceUrl,
+                IdpArtifactResolutionServiceUrl = null,
                 IdpX509PublicCert = StripPemCertificateElements(IdpX509PublicCert),
                 IdpOutboundSigningAlgorithm = IdpOutboundSigningAlgorithm,
                 IdpAllowUnsolicitedAuthnResponse = IdpAllowUnsolicitedAuthnResponse.GetValueOrDefault(),

src/Core/Enums/Saml2BindingType.cs

@@ -4,6 +4,5 @@
     {
         HttpRedirect = 1,
         HttpPost = 2,
-        Artifact = 4
     }
 }

src/Core/Models/Data/SsoConfigurationData.cs

@@ -51,7 +51,7 @@ namespace Bit.Core.Models.Data
         public string IdpX509PublicCert { get; set; }
         public Saml2BindingType IdpBindingType { get; set; } = Saml2BindingType.HttpRedirect;
         public bool IdpAllowUnsolicitedAuthnResponse { get; set; }
-        public string IdpArtifactResolutionServiceUrl { get; set; }
+        public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } }
         public bool IdpDisableOutboundLogoutRequests { get; set; }
         public string IdpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256;
         public bool IdpWantAuthnRequestsSigned { get; set; }