nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-04 09:32:48 -05:00
Code Activity

[PM-3797 Part 5] Add reset password keys to key rotation (#3445)

Browse Source 
* Add reset password validator with tests

* add organization user rotation methods to repository
- move organization user TVP helper to admin console ownership

* rename account recovery to reset password

* formatting

* move registration of RotateUserKeyCommand to Core and make internal

* add admin console ValidatorServiceCollectionExtensions
This commit is contained in:
Jake Fink
2023-12-14 15:05:19 -05:00
committed by GitHub
parent da0bf77a39
commit b77ee017e3
15 changed files with 372 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs
View File

@ -118,3 +118,9 @@ public class OrganizationUserBulkRequestModel
[Required]
public IEnumerable<Guid> Ids { get; set; }
}
public class ResetPasswordWithOrgIdRequestModel : OrganizationUserResetPasswordEnrollmentRequestModel
{
[Required]
public Guid OrganizationId { get; set; }
}

64
src/Api/AdminConsole/Validators/OrganizationUserRotationValidator.cs Normal file
View File

@ -0,0 +1,64 @@
using Bit.Api.AdminConsole.Models.Request.Organizations;
using Bit.Api.Auth.Validators;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
namespace Bit.Api.AdminConsole.Validators;
/// <summary>
/// Organization user implementation for <see cref="IRotationValidator{T,R}"/>
/// Currently responsible for validation of user reset password keys (used by admins to perform account recovery) during user key rotation
/// </summary>
public class OrganizationUserRotationValidator : IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
IReadOnlyList<OrganizationUser>>
{
private readonly IOrganizationUserRepository _organizationUserRepository;
public OrganizationUserRotationValidator(IOrganizationUserRepository organizationUserRepository) =>
_organizationUserRepository = organizationUserRepository;
public async Task<IReadOnlyList<OrganizationUser>> ValidateAsync(User user,
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
var result = new List<OrganizationUser>();
if (resetPasswordKeys == null || !resetPasswordKeys.Any())
{
return result;
}
var existing = await _organizationUserRepository.GetManyByUserAsync(user.Id);
if (existing == null || !existing.Any())
{
return result;
}
// Exclude any account recovery that do not have a key.
existing = existing.Where(o => o.ResetPasswordKey != null).ToList();
foreach (var ou in existing)
{
var organizationUser = resetPasswordKeys.FirstOrDefault(a => a.OrganizationId == ou.OrganizationId);
if (organizationUser == null)
{
throw new BadRequestException("All existing reset password keys must be included in the rotation.");
}
if (organizationUser.ResetPasswordKey == null)
{
throw new BadRequestException("Reset Password keys cannot be set to null during rotation.");
}
ou.ResetPasswordKey = organizationUser.ResetPasswordKey;
result.Add(ou);
}
return result;
}
}

15
src/Api/Auth/Controllers/AccountsController.cs
View File

@ -1,4 +1,5 @@
using Bit.Api.AdminConsole.Models.Response;
using Bit.Api.AdminConsole.Models.Request.Organizations;
using Bit.Api.AdminConsole.Models.Response;
using Bit.Api.Auth.Models.Request;
using Bit.Api.Auth.Models.Request.Accounts;
using Bit.Api.Auth.Validators;
@ -72,6 +73,9 @@ public class AccountsController : Controller
private readonly IRotationValidator<IEnumerable<SendWithIdRequestModel>, IReadOnlyList<Send>> _sendValidator;
private readonly IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
_emergencyAccessValidator;
private readonly IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
IReadOnlyList<OrganizationUser>>
_organizationUserValidator;
public AccountsController(
@ -96,7 +100,9 @@ public class AccountsController : Controller
IRotationValidator<IEnumerable<FolderWithIdRequestModel>, IEnumerable<Folder>> folderValidator,
IRotationValidator<IEnumerable<SendWithIdRequestModel>, IReadOnlyList<Send>> sendValidator,
IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
emergencyAccessValidator
emergencyAccessValidator,
IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>
organizationUserValidator
)
{
_cipherRepository = cipherRepository;
@ -120,6 +126,7 @@ public class AccountsController : Controller
_folderValidator = folderValidator;
_sendValidator = sendValidator;
_emergencyAccessValidator = emergencyAccessValidator;
_organizationUserValidator = organizationUserValidator;
}
#region DEPRECATED (Moved to Identity Service)
@ -428,8 +435,8 @@ public class AccountsController : Controller
Ciphers = await _cipherValidator.ValidateAsync(user, model.Ciphers),
Folders = await _folderValidator.ValidateAsync(user, model.Folders),
Sends = await _sendValidator.ValidateAsync(user, model.Sends),
EmergencyAccessKeys = await _emergencyAccessValidator.ValidateAsync(user, model.EmergencyAccessKeys),
ResetPasswordKeys = new List<OrganizationUser>(),
EmergencyAccesses = await _emergencyAccessValidator.ValidateAsync(user, model.EmergencyAccessKeys),
OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.ResetPasswordKeys)
};
result = await _rotateUserKeyCommand.RotateUserKeyAsync(user, dataModel);

2
src/Api/Auth/Models/Request/Accounts/UpdateKeyRequestModel.cs
View File

@ -18,6 +18,6 @@ public class UpdateKeyRequestModel
public IEnumerable<FolderWithIdRequestModel> Folders { get; set; }
public IEnumerable<SendWithIdRequestModel> Sends { get; set; }
public IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessKeys { get; set; }
public IEnumerable<OrganizationUserUpdateRequestModel> ResetPasswordKeys { get; set; }
public IEnumerable<ResetPasswordWithOrgIdRequestModel> ResetPasswordKeys { get; set; }
}

13
src/Api/Startup.cs
View File

@ -7,6 +7,8 @@ using Stripe;
using Bit.Core.Utilities;
using IdentityModel;
using System.Globalization;
using Bit.Api.AdminConsole.Models.Request.Organizations;
using Bit.Api.AdminConsole.Validators;
using Bit.Api.Auth.Models.Request;
using Bit.Api.Auth.Validators;
using Bit.Api.Tools.Models.Request;
@ -22,8 +24,8 @@ using Bit.SharedWeb.Utilities;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Bit.Core.Auth.Identity;
using Bit.Core.Auth.UserFeatures.UserKey;
using Bit.Core.Auth.UserFeatures.UserKey.Implementations;
using Bit.Core.Auth.UserFeatures;
using Bit.Core.Entities;
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
using Bit.Core.Tools.Entities;
using Bit.Core.Vault.Entities;
@ -143,7 +145,7 @@ public class Startup
services.AddScoped<AuthenticatorTokenProvider>();
// Key Rotation
services.AddScoped<IRotateUserKeyCommand, RotateUserKeyCommand>();
services.AddUserKeyCommands(globalSettings);
services
.AddScoped<IRotationValidator<IEnumerable<CipherWithIdRequestModel>, IEnumerable<Cipher>>,
CipherRotationValidator>();
@ -156,6 +158,11 @@ public class Startup
services
.AddScoped<IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>,
EmergencyAccessRotationValidator>();
services
.AddScoped<IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
IReadOnlyList<OrganizationUser>>
, OrganizationUserRotationValidator>();
// Services
services.AddBaseServices(globalSettings);