[SM-678] ClientSecret migration (#2943)

* Init ClientSecret migration * Fix unit tests * Move to src/Sql/dbo_future * Formatting changes * Update migration date for next release * Swap to just executing sp_refreshview * Fix formatting * Add EF Migrations * Rename to ClientSecretHash * Fix unit test * EF column rename * Batch the migration * Fix formatting * Add deprecation notice to property * Move data migration * Swap to CREATE OR ALTER
2025-06-30 23:52:50 -05:00 · 2023-06-21 13:16:06 -05:00
parent 7f8b6c0bce
commit bb3a9daf98
24 changed files with 7011 additions and 41 deletions
--- a/src/Api/SecretsManager/Models/Response/AccessTokenCreationResponseModel.cs
+++ b/src/Api/SecretsManager/Models/Response/AccessTokenCreationResponseModel.cs
@ -1,6 +1,6 @@
 #nullable enable
 using Bit.Core.Models.Api;
-using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;

 namespace Bit.Api.SecretsManager.Models.Response;

@ -8,14 +8,14 @@ public class AccessTokenCreationResponseModel : ResponseModel
 {
    private const string _objectName = "accessTokenCreation";

-    public AccessTokenCreationResponseModel(ApiKey apiKey) : base(_objectName)
+    public AccessTokenCreationResponseModel(ApiKeyClientSecretDetails details) : base(_objectName)
    {
-        Id = apiKey.Id;
-        Name = apiKey.Name;
-        ClientSecret = apiKey.ClientSecret;
-        ExpireAt = apiKey.ExpireAt;
-        CreationDate = apiKey.CreationDate;
-        RevisionDate = apiKey.RevisionDate;
+        Id = details.ApiKey.Id;
+        Name = details.ApiKey.Name;
+        ExpireAt = details.ApiKey.ExpireAt;
+        CreationDate = details.ApiKey.CreationDate;
+        RevisionDate = details.ApiKey.RevisionDate;
+        ClientSecret = details.ClientSecret;
    }

    public AccessTokenCreationResponseModel() : base(_objectName)
--- a/src/Core/SecretsManager/Commands/AccessTokens/Interfaces/ICreateAccessTokenCommand.cs
+++ b/src/Core/SecretsManager/Commands/AccessTokens/Interfaces/ICreateAccessTokenCommand.cs
@ -1,8 +1,9 @@
 using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;

 namespace Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;

 public interface ICreateAccessTokenCommand
 {
-    Task<ApiKey> CreateAsync(ApiKey apiKey);
+    Task<ApiKeyClientSecretDetails> CreateAsync(ApiKey apiKey);
 }
--- a/src/Core/SecretsManager/Entities/ApiKey.cs
+++ b/src/Core/SecretsManager/Entities/ApiKey.cs
@ -10,8 +10,8 @@ public class ApiKey : ITableObject<Guid>
    public Guid? ServiceAccountId { get; set; }
    [MaxLength(200)]
    public string Name { get; set; }
-    [MaxLength(30)]
-    public string ClientSecret { get; set; }
+    [MaxLength(128)]
+    public string ClientSecretHash { get; set; }
    [MaxLength(4000)]
    public string Scope { get; set; }
    [MaxLength(4000)]
--- a/src/Core/SecretsManager/Models/Data/ApiKeyClientSecretDetails.cs
+++ b/src/Core/SecretsManager/Models/Data/ApiKeyClientSecretDetails.cs
@ -0,0 +1,9 @@
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ApiKeyClientSecretDetails
+{
+    public ApiKey ApiKey { get; set; }
+    public string ClientSecret { get; set; }
+}
--- a/src/Core/SecretsManager/Models/Data/ApiKeyDetails.cs
+++ b/src/Core/SecretsManager/Models/Data/ApiKeyDetails.cs
@ -4,6 +4,8 @@ namespace Bit.Core.SecretsManager.Models.Data;

 public class ApiKeyDetails : ApiKey
 {
+    public string ClientSecret { get; set; } // Deprecated as of 2023-05-17
+
    protected ApiKeyDetails() { }

    protected ApiKeyDetails(ApiKey apiKey)
@ -11,7 +13,7 @@ public class ApiKeyDetails : ApiKey
        Id = apiKey.Id;
        ServiceAccountId = apiKey.ServiceAccountId;
        Name = apiKey.Name;
-        ClientSecret = apiKey.ClientSecret;
+        ClientSecretHash = apiKey.ClientSecretHash;
        Scope = apiKey.Scope;
        EncryptedPayload = apiKey.EncryptedPayload;
        Key = apiKey.Key;
--- a/src/Identity/IdentityServer/ClientStore.cs
+++ b/src/Identity/IdentityServer/ClientStore.cs
@ -107,11 +107,16 @@ public class ClientStore : IClientStore
                break;
        }

+        if (string.IsNullOrEmpty(apiKey.ClientSecretHash))
+        {
+            apiKey.ClientSecretHash = apiKey.ClientSecret.Sha256();
+        }
+
        var client = new Client
        {
            ClientId = clientId,
            RequireClientSecret = true,
-            ClientSecrets = { new Secret(apiKey.ClientSecret.Sha256()) },
+            ClientSecrets = { new Secret(apiKey.ClientSecretHash) },
            AllowedScopes = apiKey.GetScopes(),
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AccessTokenLifetime = 3600 * 1,
--- a/Procedures/ApiKey/ApiKey_Create.sql
+++ b/Procedures/ApiKey/ApiKey_Create.sql
@ -2,7 +2,8 @@ CREATE PROCEDURE [dbo].[ApiKey_Create]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @ServiceAccountId UNIQUEIDENTIFIER,
    @Name VARCHAR(200),
-    @ClientSecret VARCHAR(30),
+    @ClientSecret VARCHAR(30) = 'migrated', -- Deprecated as of 2023-05-17
+    @ClientSecretHash VARCHAR(128) = NULL,
    @Scope NVARCHAR(4000),
    @EncryptedPayload NVARCHAR(4000),
    @Key VARCHAR(MAX),
@ -13,12 +14,19 @@ AS
 BEGIN
    SET NOCOUNT ON

+    IF (@ClientSecretHash IS NULL)
+    BEGIN
+      DECLARE @hb VARBINARY(128) = HASHBYTES('SHA2_256', @ClientSecret);
+      SET @ClientSecretHash = CAST(N'' as xml).value('xs:base64Binary(sql:variable("@hb"))', 'VARCHAR(128)');
+    END
+
    INSERT INTO [dbo].[ApiKey] 
    (
        [Id],
        [ServiceAccountId],
        [Name],
        [ClientSecret],
+        [ClientSecretHash],
        [Scope],
        [EncryptedPayload],
        [Key],
@ -32,6 +40,7 @@ BEGIN
        @ServiceAccountId,
        @Name,
        @ClientSecret,
+        @ClientSecretHash,
        @Scope,
        @EncryptedPayload,
        @Key,
--- a/src/Sql/SecretsManager/dbo/Tables/ApiKey.sql
+++ b/src/Sql/SecretsManager/dbo/Tables/ApiKey.sql
@ -1,14 +1,15 @@
 CREATE TABLE [dbo].[ApiKey] (
-    [Id]               UNIQUEIDENTIFIER,
-    [ServiceAccountId] UNIQUEIDENTIFIER NULL,
-    [Name]             VARCHAR(200) NOT NULL,
-    [ClientSecret]     VARCHAR(30) NOT NULL,
-    [Scope]            NVARCHAR (4000) NOT NULL,
-    [EncryptedPayload] NVARCHAR (4000) NOT NULL,
-    [Key]              VARCHAR (MAX) NOT NULL,
-    [ExpireAt]         DATETIME2(7) NULL,
-    [CreationDate]     DATETIME2(7) NOT NULL,
-    [RevisionDate]     DATETIME2(7) NOT NULL,
+    [Id]                    UNIQUEIDENTIFIER,
+    [ServiceAccountId]      UNIQUEIDENTIFIER NULL,
+    [Name]                  VARCHAR(200) NOT NULL,
+    [ClientSecret]          VARCHAR(30) NOT NULL,
+    [ClientSecretHash]      VARCHAR(128) NULL,
+    [Scope]                 NVARCHAR (4000) NOT NULL,
+    [EncryptedPayload]      NVARCHAR (4000) NOT NULL,
+    [Key]                   VARCHAR (MAX) NOT NULL,
+    [ExpireAt]              DATETIME2(7) NULL,
+    [CreationDate]          DATETIME2(7) NOT NULL,
+    [RevisionDate]          DATETIME2(7) NOT NULL,
    CONSTRAINT [PK_ApiKey] PRIMARY KEY CLUSTERED ([Id] ASC),
    CONSTRAINT [FK_ApiKey_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id])
 );
--- a/Procedures/ApiKey_Create.sql
+++ b/Procedures/ApiKey_Create.sql
@ -0,0 +1,42 @@
+CREATE PROCEDURE [dbo].[ApiKey_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @ServiceAccountId UNIQUEIDENTIFIER,
+    @Name VARCHAR(200),
+    @ClientSecretHash VARCHAR(128),
+    @Scope NVARCHAR(4000),
+    @EncryptedPayload NVARCHAR(4000),
+    @Key VARCHAR(MAX),
+    @ExpireAt DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[ApiKey] 
+    (
+        [Id],
+        [ServiceAccountId],
+        [Name],
+        [ClientSecretHash],
+        [Scope],
+        [EncryptedPayload],
+        [Key],
+        [ExpireAt],
+        [CreationDate],
+        [RevisionDate]
+    )
+    VALUES 
+    (
+        @Id,
+        @ServiceAccountId,
+        @Name,
+        @ClientSecretHash,
+        @Scope,
+        @EncryptedPayload,
+        @Key,
+        @ExpireAt,
+        @CreationDate,
+        @RevisionDate
+    )
+END
--- a/src/Sql/dbo_future/Tables/ApiKey.sql
+++ b/src/Sql/dbo_future/Tables/ApiKey.sql
@ -0,0 +1,18 @@
+CREATE TABLE [dbo].[ApiKey] (
+    [Id]               UNIQUEIDENTIFIER,
+    [ServiceAccountId] UNIQUEIDENTIFIER NULL,
+    [Name]             VARCHAR(200) NOT NULL,
+    [ClientSecretHash] VARCHAR(128) NULL,
+    [Scope]            NVARCHAR (4000) NOT NULL,
+    [EncryptedPayload] NVARCHAR (4000) NOT NULL,
+    [Key]              VARCHAR (MAX) NOT NULL,
+    [ExpireAt]         DATETIME2(7) NULL,
+    [CreationDate]     DATETIME2(7) NOT NULL,
+    [RevisionDate]     DATETIME2(7) NOT NULL,
+    CONSTRAINT [PK_ApiKey] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_ApiKey_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id])
+);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_ApiKey_ServiceAccountId]
+    ON [dbo].[ApiKey]([ServiceAccountId] ASC);