[PM-12995] Create UI elements for New Device Verification in Admin Portal (#5165)

* feat(NewDeviceVerification) : - Added constant to constants in Bit.Core because the cache key format needs to be shared between the Identity Server and the MVC project Admin. - Updated DeviceValidator class to handle checking cache for user information to allow pass through. - Updated and Added tests to handle new flow. - Adding exception flow to admin project. Added tests for new methods in UserService.
2025-04-05 13:08:17 -05:00 · 2025-01-09 18:10:54 -08:00 · 2025-01-09 18:10:54 -08:00 · ce2ecf9da0
commit ce2ecf9da0
parent 1988f1402e
6 changed files with 253 additions and 54 deletions
--- a/src/Admin/Controllers/UsersController.cs
+++ b/src/Admin/Controllers/UsersController.cs
@ -107,7 +107,8 @@ public class UsersController : Controller
        var billingHistoryInfo = await _paymentService.GetBillingHistoryAsync(user);
        var isTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(user);
        var verifiedDomain = await AccountDeprovisioningEnabled(user.Id);
-        return View(new UserEditModel(user, isTwoFactorEnabled, ciphers, billingInfo, billingHistoryInfo, _globalSettings, verifiedDomain));
+        var deviceVerificationRequired = await _userService.ActiveNewDeviceVerificationException(user.Id);
        return View(new UserEditModel(user, isTwoFactorEnabled, ciphers, billingInfo, billingHistoryInfo, _globalSettings, verifiedDomain, deviceVerificationRequired));
    }
    [HttpPost]
@ -162,6 +163,22 @@ public class UsersController : Controller
        return RedirectToAction("Index");
    }
    [HttpPost]
    [ValidateAntiForgeryToken]
    [RequirePermission(Permission.User_GeneralDetails_View)]
    [RequireFeature(FeatureFlagKeys.NewDeviceVerification)]
    public async Task<IActionResult> ToggleNewDeviceVerification(Guid id)
    {
        var user = await _userRepository.GetByIdAsync(id);
        if (user == null)
        {
            return RedirectToAction("Index");
        }
        await _userService.ToggleNewDeviceVerificationException(user.Id);
        return RedirectToAction("Edit", new { id });
    }
    // TODO: Feature flag to be removed in PM-14207
    private async Task<bool?> AccountDeprovisioningEnabled(Guid userId)
    {
--- a/src/Admin/Models/UserEditModel.cs
+++ b/src/Admin/Models/UserEditModel.cs
@ -18,10 +18,13 @@ public class UserEditModel
        BillingInfo billingInfo,
        BillingHistoryInfo billingHistoryInfo,
        GlobalSettings globalSettings,
-        bool? claimedAccount)
+        bool? claimedAccount,
        bool? activeNewDeviceVerificationException)
    {
        User = UserViewModel.MapViewModel(user, isTwoFactorEnabled, ciphers, claimedAccount);
        ActiveNewDeviceVerificationException = activeNewDeviceVerificationException ?? false;
        BillingInfo = billingInfo;
        BillingHistoryInfo = billingHistoryInfo;
        BraintreeMerchantId = globalSettings.Braintree.MerchantId;
@ -44,6 +47,8 @@ public class UserEditModel
    public string RandomLicenseKey => CoreHelpers.SecureRandomString(20);
    public string OneYearExpirationDate => DateTime.Now.AddYears(1).ToString("yyyy-MM-ddTHH:mm");
    public string BraintreeMerchantId { get; init; }
    public bool ActiveNewDeviceVerificationException { get; init; }
    [Display(Name = "Name")]
    public string Name { get; init; }
--- a/src/Admin/Views/Users/Edit.cshtml
+++ b/src/Admin/Views/Users/Edit.cshtml
@ -1,11 +1,14 @@
@using Bit.Admin.Enums;
@inject Bit.Admin.Services.IAccessControlService AccessControlService
@inject Bit.Core.Services.IFeatureService FeatureService
@inject IWebHostEnvironment HostingEnvironment
@model UserEditModel
@{
    ViewData["Title"] = "User: " + Model.User.Email;
    var canViewUserInformation = AccessControlService.UserHasPermission(Permission.User_UserInformation_View);
    var canViewNewDeviceException = AccessControlService.UserHasPermission(Permission.User_UserInformation_View) &&
                                    FeatureService.IsEnabled(Bit.Core.FeatureFlagKeys.NewDeviceVerification);
    var canViewBillingInformation = AccessControlService.UserHasPermission(Permission.User_BillingInformation_View);
    var canViewGeneral = AccessControlService.UserHasPermission(Permission.User_GeneralDetails_View);
    var canViewPremium = AccessControlService.UserHasPermission(Permission.User_Premium_View);
@ -32,7 +35,11 @@
                // Premium
                document.getElementById('@(nameof(Model.MaxStorageGb))').value = '1';
                document.getElementById('@(nameof(Model.Premium))').checked = true;
    using Stripe.Entitlements;
                // Licensing
    using Bit.Core;
    using Stripe.Entitlements;
                using Microsoft.Identity.Client.Extensibility;
                document.getElementById('@(nameof(Model.LicenseKey))').value = '@Model.RandomLicenseKey';
                document.getElementById('@(nameof(Model.PremiumExpirationDate))').value =
                    '@Model.OneYearExpirationDate';
@ -47,13 +54,13 @@
                if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Stripe)') {
                    const url = '@(HostingEnvironment.IsDevelopment()
-                                     ? "https://dashboard.stripe.com/test"
+                ? "https://dashboard.stripe.com/test"
-                                     : "https://dashboard.stripe.com")';
+                    : "https://dashboard.stripe.com")';
                    window.open(`${url}/customers/${customerId.value}/`, '_blank');
                } else if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Braintree)') {
                    const url = '@(HostingEnvironment.IsDevelopment()
-                                     ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
+                ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
-                                     : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
+                    : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
                    window.open(`${url}/${customerId.value}`, '_blank');
                }
            });
@ -67,13 +74,13 @@
                if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Stripe)') {
                    const url = '@(HostingEnvironment.IsDevelopment() || HostingEnvironment.IsEnvironment("QA")
-                                     ? "https://dashboard.stripe.com/test"
+                ? "https://dashboard.stripe.com/test"
-                                     : "https://dashboard.stripe.com")'
+                    : "https://dashboard.stripe.com")'
                    window.open(`${url}/subscriptions/${subId.value}`, '_blank');
                } else if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Braintree)') {
                    const url = '@(HostingEnvironment.IsDevelopment() || HostingEnvironment.IsEnvironment("QA")
-                                     ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
+                ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
-                                     : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
+                    : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
                    window.open(`${url}/subscriptions/${subId.value}`, '_blank');
                }
            });
@ -88,11 +95,40 @@
    <h2>User Information</h2>
    @await Html.PartialAsync("_ViewInformation", Model.User)
 }
@if (canViewNewDeviceException)
 {
    <h2>New Device Verification </h2>
    <dl class="row">
        <dt class="col d-flex">
            <form asp-action="ToggleNewDeviceVerification" asp-route-id="@Model.User.Id" method="post">
                @if (Model.ActiveNewDeviceVerificationException)
                {
                    <p>Status: Bypassed</p>
                    <button type="submit" class="btn btn-success" id="new-device-verification-exception">Require New
                        Device Verification</button>
                }
                else
                {
                    <p>Status: Required</p>
                    <button type="submit" class="btn btn-outline-danger" id="new-device-verification-exception">Bypass New
                        Device Verification</button>
                }
            </form>
        </dt>
    </dl>
 }
@if (canViewBillingInformation)
 {
    <h2>Billing Information</h2>
    @await Html.PartialAsync("_BillingInformation",
-        new BillingInformationModel { BillingInfo = Model.BillingInfo, BillingHistoryInfo = Model.BillingHistoryInfo, UserId = Model.User.Id, Entity = "User" })
+        new BillingInformationModel
 {
    BillingInfo = Model.BillingInfo,
    BillingHistoryInfo = Model.BillingHistoryInfo,
    UserId = Model.User.Id,
    Entity = "User"
 })
 }
@if (canViewGeneral)
 {
@ -109,7 +145,7 @@
        <label class="form-check-label" asp-for="EmailVerified"></label>
    </div>
 }
-    <form method="post" id="edit-form">
+<form method="post" id="edit-form">
    @if (canViewPremium)
    {
        <h2>Premium</h2>
@ -139,54 +175,56 @@
            <div class="col-sm">
                <div class="mb-3">
                    <label asp-for="PremiumExpirationDate" class="form-label"></label>
-                    <input type="datetime-local" class="form-control" asp-for="PremiumExpirationDate" readonly='@(!canEditLicensing)'>
+                    <input type="datetime-local" class="form-control" asp-for="PremiumExpirationDate"
                        readonly='@(!canEditLicensing)'>
                </div>
            </div>
        </div>
    }
-@if (canViewBilling)
+    @if (canViewBilling)
-{
+    {
-    <h2>Billing</h2>
+        <h2>Billing</h2>
-    <div class="row">
+        <div class="row">
-        <div class="col-md">
+            <div class="col-md">
-            <div class="mb-3">
+                <div class="mb-3">
-                <label asp-for="Gateway" class="form-label"></label>
+                    <label asp-for="Gateway" class="form-label"></label>
-                <select class="form-select" asp-for="Gateway" disabled='@(canEditBilling ? null : "disabled")'
+                    <select class="form-select" asp-for="Gateway" disabled='@(canEditBilling ? null : "disabled")'
                        asp-items="Html.GetEnumSelectList<Bit.Core.Enums.GatewayType>()">
-                    <option value="">--</option>
+                        <option value="">--</option>
-                </select>
+                    </select>
                </div>
            </div>
-        </div>
+            <div class="col-md">
-        <div class="col-md">
+                <div class="mb-3">
-            <div class="mb-3">
+                    <label asp-for="GatewayCustomerId" class="form-label"></label>
-                <label asp-for="GatewayCustomerId" class="form-label"></label>
+                    <div class="input-group">
-                <div class="input-group">
+                        <input type="text" class="form-control" asp-for="GatewayCustomerId" readonly='@(!canEditBilling)'>
-                    <input type="text" class="form-control" asp-for="GatewayCustomerId" readonly='@(!canEditBilling)'>
+                        @if (canLaunchGateway)
-                    @if (canLaunchGateway)
+                        {
-                    {
+                            <button class="btn btn-secondary" type="button" id="gateway-customer-link">
-                        <button class="btn btn-secondary" type="button" id="gateway-customer-link">
+                                <i class="fa fa-external-link"></i>
-                            <i class="fa fa-external-link"></i>
+                            </button>
-                        </button>
+                        }
-                    }
+                    </div>
                </div>
            </div>
            <div class="col-md">
                <div class="mb-3">
                    <label asp-for="GatewaySubscriptionId" class="form-label"></label>
                    <div class="input-group">
                        <input type="text" class="form-control" asp-for="GatewaySubscriptionId"
                            readonly='@(!canEditBilling)'>
                        @if (canLaunchGateway)
                        {
                            <button class="btn btn-secondary" type="button" id="gateway-subscription-link">
                                <i class="fa fa-external-link"></i>
                            </button>
                        }
                    </div>
                </div>
            </div>
        </div>
-        <div class="col-md">
+    }
            <div class="mb-3">
                <label asp-for="GatewaySubscriptionId" class="form-label"></label>
                <div class="input-group">
                    <input type="text" class="form-control" asp-for="GatewaySubscriptionId" readonly='@(!canEditBilling)'>
                    @if (canLaunchGateway)
                    {
                        <button class="btn btn-secondary" type="button" id="gateway-subscription-link">
                            <i class="fa fa-external-link"></i>
                        </button>
                    }
                </div>
            </div>
        </div>
    </div>
 }
 </form>
 <div class="d-flex mt-4">
    <button type="submit" class="btn btn-primary" form="edit-form">Save</button>
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -77,6 +77,17 @@ public interface IUserService
    Task<bool> VerifyOTPAsync(User user, string token);
    Task<bool> VerifySecretAsync(User user, string secret, bool isSettingMFA = false);
    Task ResendNewDeviceVerificationEmail(string email, string secret);
    /// <summary>
    /// We use this method to check if the user has an active new device verification bypass
    /// </summary>
    /// <param name="userId">self</param>
    /// <returns>returns true if the value is found in the cache</returns>
    Task<bool> ActiveNewDeviceVerificationException(Guid userId);
    /// <summary>
    /// We use this method to toggle the new device verification bypass
    /// </summary>
    /// <param name="userId">Id of user bypassing new device verification</param>
    Task ToggleNewDeviceVerificationException(Guid userId);
    void SetTwoFactorProvider(User user, TwoFactorProviderType type, bool setEnabled = true);
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -31,6 +31,7 @@ using Fido2NetLib;
 using Fido2NetLib.Objects;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using File = System.IO.File;
@ -72,6 +73,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
    private readonly IPremiumUserBillingService _premiumUserBillingService;
    private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
    private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;
    private readonly IDistributedCache _distributedCache;
    public UserService(
        IUserRepository userRepository,
@ -107,7 +109,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        IFeatureService featureService,
        IPremiumUserBillingService premiumUserBillingService,
        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
-        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand)
+        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand,
        IDistributedCache distributedCache)
        : base(
              store,
              optionsAccessor,
@ -149,6 +152,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        _premiumUserBillingService = premiumUserBillingService;
        _removeOrganizationUserCommand = removeOrganizationUserCommand;
        _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
        _distributedCache = distributedCache;
    }
    public Guid? GetProperUserId(ClaimsPrincipal principal)
@ -1471,6 +1475,30 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        }
    }
    public async Task<bool> ActiveNewDeviceVerificationException(Guid userId)
    {
        var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, userId.ToString());
        var cacheValue = await _distributedCache.GetAsync(cacheKey);
        return cacheValue != null;
    }
    public async Task ToggleNewDeviceVerificationException(Guid userId)
    {
        var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, userId.ToString());
        var cacheValue = await _distributedCache.GetAsync(cacheKey);
        if (cacheValue != null)
        {
            await _distributedCache.RemoveAsync(cacheKey);
        }
        else
        {
            await _distributedCache.SetAsync(cacheKey, new byte[1], new DistributedCacheEntryOptions
            {
                AbsoluteExpirationRelativeToNow = TimeSpan.FromHours(24)
            });
        }
    }
    private async Task SendAppropriateWelcomeEmailAsync(User user, string initiationPath)
    {
        var isFromMarketingWebsite = initiationPath.Contains("Secrets Manager trial");
--- a/test/Core.Test/Services/UserServiceTests.cs
+++ b/test/Core.Test/Services/UserServiceTests.cs
@ -32,6 +32,7 @@ using Bit.Test.Common.Helpers;
 using Fido2NetLib;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NSubstitute;
@ -242,7 +243,43 @@ public class UserServiceTests
            });
        // HACK: SutProvider is being weird about not injecting the IPasswordHasher that I configured
-        var sut = RebuildSut(sutProvider);
+        var sut = new UserService(
            sutProvider.GetDependency<IUserRepository>(),
            sutProvider.GetDependency<ICipherRepository>(),
            sutProvider.GetDependency<IOrganizationUserRepository>(),
            sutProvider.GetDependency<IOrganizationRepository>(),
            sutProvider.GetDependency<IMailService>(),
            sutProvider.GetDependency<IPushNotificationService>(),
            sutProvider.GetDependency<IUserStore<User>>(),
            sutProvider.GetDependency<IOptions<IdentityOptions>>(),
            sutProvider.GetDependency<IPasswordHasher<User>>(),
            sutProvider.GetDependency<IEnumerable<IUserValidator<User>>>(),
            sutProvider.GetDependency<IEnumerable<IPasswordValidator<User>>>(),
            sutProvider.GetDependency<ILookupNormalizer>(),
            sutProvider.GetDependency<IdentityErrorDescriber>(),
            sutProvider.GetDependency<IServiceProvider>(),
            sutProvider.GetDependency<ILogger<UserManager<User>>>(),
            sutProvider.GetDependency<ILicensingService>(),
            sutProvider.GetDependency<IEventService>(),
            sutProvider.GetDependency<IApplicationCacheService>(),
            sutProvider.GetDependency<IDataProtectionProvider>(),
            sutProvider.GetDependency<IPaymentService>(),
            sutProvider.GetDependency<IPolicyRepository>(),
            sutProvider.GetDependency<IPolicyService>(),
            sutProvider.GetDependency<IReferenceEventService>(),
            sutProvider.GetDependency<IFido2>(),
            sutProvider.GetDependency<ICurrentContext>(),
            sutProvider.GetDependency<IGlobalSettings>(),
            sutProvider.GetDependency<IAcceptOrgUserCommand>(),
            sutProvider.GetDependency<IProviderUserRepository>(),
            sutProvider.GetDependency<IStripeSyncService>(),
            new FakeDataProtectorTokenFactory<OrgUserInviteTokenable>(),
            sutProvider.GetDependency<IFeatureService>(),
            sutProvider.GetDependency<IPremiumUserBillingService>(),
            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>(),
            sutProvider.GetDependency<IDistributedCache>()
            );
        var actualIsVerified = await sut.VerifySecretAsync(user, secret);
@ -582,6 +619,68 @@ public class UserServiceTests
        }
    }
    [Theory, BitAutoData]
    public async Task ActiveNewDeviceVerificationException_UserNotInCache_ReturnsFalseAsync(
        SutProvider<UserService> sutProvider)
    {
        sutProvider.GetDependency<IDistributedCache>()
            .GetAsync(Arg.Any<string>())
            .Returns(null as byte[]);
        var result = await sutProvider.Sut.ActiveNewDeviceVerificationException(Guid.NewGuid());
        Assert.False(result);
    }
    [Theory, BitAutoData]
    public async Task ActiveNewDeviceVerificationException_UserInCache_ReturnsTrueAsync(
        SutProvider<UserService> sutProvider)
    {
        sutProvider.GetDependency<IDistributedCache>()
            .GetAsync(Arg.Any<string>())
            .Returns([1]);
        var result = await sutProvider.Sut.ActiveNewDeviceVerificationException(Guid.NewGuid());
        Assert.True(result);
    }
    [Theory, BitAutoData]
    public async Task ToggleNewDeviceVerificationException_UserInCache_RemovesUserFromCache(
        SutProvider<UserService> sutProvider)
    {
        sutProvider.GetDependency<IDistributedCache>()
            .GetAsync(Arg.Any<string>())
            .Returns([1]);
        await sutProvider.Sut.ToggleNewDeviceVerificationException(Guid.NewGuid());
        await sutProvider.GetDependency<IDistributedCache>()
                .DidNotReceive()
                .SetAsync(Arg.Any<string>(), Arg.Any<byte[]>(), Arg.Any<DistributedCacheEntryOptions>());
        await sutProvider.GetDependency<IDistributedCache>()
                .Received(1)
                .RemoveAsync(Arg.Any<string>());
    }
    [Theory, BitAutoData]
    public async Task ToggleNewDeviceVerificationException_UserNotInCache_AddsUserToCache(
        SutProvider<UserService> sutProvider)
    {
        sutProvider.GetDependency<IDistributedCache>()
            .GetAsync(Arg.Any<string>())
            .Returns(null as byte[]);
        await sutProvider.Sut.ToggleNewDeviceVerificationException(Guid.NewGuid());
        await sutProvider.GetDependency<IDistributedCache>()
                .Received(1)
                .SetAsync(Arg.Any<string>(), Arg.Any<byte[]>(), Arg.Any<DistributedCacheEntryOptions>());
        await sutProvider.GetDependency<IDistributedCache>()
                .DidNotReceive()
                .RemoveAsync(Arg.Any<string>());
    }
    private static void SetupUserAndDevice(User user,
        bool shouldHavePassword)
    {
@ -670,7 +769,8 @@ public class UserServiceTests
            sutProvider.GetDependency<IFeatureService>(),
            sutProvider.GetDependency<IPremiumUserBillingService>(),
            sutProvider.GetDependency<IRemoveOrganizationUserCommand>(),
-            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>()
+            sutProvider.GetDependency<IRevokeNonCompliantOrganizationUserCommand>(),
            sutProvider.GetDependency<IDistributedCache>()
            );
    }
 }