From cf73b168ee3b8024da563a38492fc76411aff551 Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Tue, 28 Aug 2018 17:40:08 -0400 Subject: [PATCH] More CanAccessPremium checks --- src/Admin/Models/UserEditModel.cs | 1 - src/Admin/Startup.cs | 1 + src/Admin/Views/Users/Index.cshtml | 3 +- src/Admin/Views/Users/_ViewInformation.cshtml | 3 +- src/Api/Controllers/AccountsController.cs | 7 +++-- src/Api/Controllers/SyncController.cs | 5 ++-- src/Core/Identity/DuoWebTokenProvider.cs | 20 ++++++------- .../ReadOnlyDatabaseIdentityUserStore.cs | 11 +++++-- src/Core/Identity/U2fTokenProvider.cs | 4 +-- src/Core/Identity/UserStore.cs | 9 ++++-- src/Core/Identity/YubicoOtpTokenProvider.cs | 2 +- .../Api/Response/ProfileResponseModel.cs | 6 ++-- .../Models/Api/Response/SyncResponseModel.cs | 3 +- src/Core/Models/Table/User.cs | 24 +++++++++++---- .../Services/Implementations/CipherService.cs | 9 ++++-- .../Utilities/ServiceCollectionExtensions.cs | 30 ++++++++++++------- 16 files changed, 90 insertions(+), 48 deletions(-) diff --git a/src/Admin/Models/UserEditModel.cs b/src/Admin/Models/UserEditModel.cs index 65bf0bc813..c2be10c26d 100644 --- a/src/Admin/Models/UserEditModel.cs +++ b/src/Admin/Models/UserEditModel.cs @@ -1,7 +1,6 @@ using System; using System.Collections.Generic; using System.ComponentModel.DataAnnotations; -using System.Linq; using Bit.Core; using Bit.Core.Models.Table; using Bit.Core.Utilities; diff --git a/src/Admin/Startup.cs b/src/Admin/Startup.cs index f526c9a8f4..7ab672d115 100644 --- a/src/Admin/Startup.cs +++ b/src/Admin/Startup.cs @@ -47,6 +47,7 @@ namespace Bit.Admin services.AddScoped(); // Identity + services.AddBasicCustomIdentityServices(globalSettings); services.AddPasswordlessIdentityServices(globalSettings); if(globalSettings.SelfHosted) { diff --git a/src/Admin/Views/Users/Index.cshtml b/src/Admin/Views/Users/Index.cshtml index 8304c90123..e55f5c8107 100644 --- a/src/Admin/Views/Users/Index.cshtml +++ b/src/Admin/Views/Users/Index.cshtml @@ -1,4 +1,5 @@ @model UsersModel +@inject Bit.Core.Services.IUserService userService @{ ViewData["Title"] = "Users"; } @@ -68,7 +69,7 @@ { } - @if(user.TwoFactorIsEnabled()) + @if(await user.TwoFactorIsEnabledAsync(userService)) { } diff --git a/src/Admin/Views/Users/_ViewInformation.cshtml b/src/Admin/Views/Users/_ViewInformation.cshtml index 428cc8c9af..7244dd6829 100644 --- a/src/Admin/Views/Users/_ViewInformation.cshtml +++ b/src/Admin/Views/Users/_ViewInformation.cshtml @@ -1,4 +1,5 @@ @model UserViewModel +@inject Bit.Core.Services.IUserService userService
Id
@Model.User.Id
@@ -13,7 +14,7 @@
@(Model.User.EmailVerified ? "Yes" : "No")
Using 2FA
-
@(Model.User.TwoFactorIsEnabled() ? "Yes" : "No")
+
@(await Model.User.TwoFactorIsEnabledAsync(userService) ? "Yes" : "No")
Items
@Model.CipherCount
diff --git a/src/Api/Controllers/AccountsController.cs b/src/Api/Controllers/AccountsController.cs index 12ff1d2a0b..0d78482311 100644 --- a/src/Api/Controllers/AccountsController.cs +++ b/src/Api/Controllers/AccountsController.cs @@ -282,7 +282,8 @@ namespace Bit.Api.Controllers var organizationUserDetails = await _organizationUserRepository.GetManyDetailsByUserAsync(user.Id, OrganizationUserStatusType.Confirmed); - var response = new ProfileResponseModel(user, organizationUserDetails); + var response = new ProfileResponseModel(user, organizationUserDetails, + await user.TwoFactorIsEnabledAsync(_userService)); return response; } @@ -307,7 +308,7 @@ namespace Bit.Api.Controllers } await _userService.SaveUserAsync(model.ToUser(user)); - var response = new ProfileResponseModel(user, null); + var response = new ProfileResponseModel(user, null, await user.TwoFactorIsEnabledAsync(_userService)); return response; } @@ -437,7 +438,7 @@ namespace Bit.Api.Controllers await _userService.SignUpPremiumAsync(user, model.PaymentToken, model.AdditionalStorageGb.GetValueOrDefault(0), license); - return new ProfileResponseModel(user, null); + return new ProfileResponseModel(user, null, await user.TwoFactorIsEnabledAsync(_userService)); } [HttpGet("billing")] diff --git a/src/Api/Controllers/SyncController.cs b/src/Api/Controllers/SyncController.cs index 7f3ce3c04d..b272ec340d 100644 --- a/src/Api/Controllers/SyncController.cs +++ b/src/Api/Controllers/SyncController.cs @@ -69,8 +69,9 @@ namespace Bit.Api.Controllers collectionCiphersGroupDict = collectionCiphers.GroupBy(c => c.CipherId).ToDictionary(s => s.Key); } - var response = new SyncResponseModel(_globalSettings, user, organizationUserDetails, folders, - collections, ciphers, collectionCiphersGroupDict, excludeDomains); + var userTwoFactorEnabled = await user.TwoFactorIsEnabledAsync(_userService); + var response = new SyncResponseModel(_globalSettings, user, userTwoFactorEnabled, organizationUserDetails, + folders, collections, ciphers, collectionCiphersGroupDict, excludeDomains); return response; } } diff --git a/src/Core/Identity/DuoWebTokenProvider.cs b/src/Core/Identity/DuoWebTokenProvider.cs index bcda05be94..66abe896dc 100644 --- a/src/Core/Identity/DuoWebTokenProvider.cs +++ b/src/Core/Identity/DuoWebTokenProvider.cs @@ -37,41 +37,41 @@ namespace Bit.Core.Identity return await user.TwoFactorProviderIsEnabledAsync(TwoFactorProviderType.Duo, _userService); } - public Task GenerateAsync(string purpose, UserManager manager, User user) + public async Task GenerateAsync(string purpose, UserManager manager, User user) { - if(!user.Premium) + if(!(await _userService.CanAccessPremium(user))) { - return Task.FromResult(null); + return null; } var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo); if(!HasProperMetaData(provider)) { - return Task.FromResult(null); + return null; } var signatureRequest = DuoWeb.SignRequest((string)provider.MetaData["IKey"], (string)provider.MetaData["SKey"], _globalSettings.Duo.AKey, user.Email); - return Task.FromResult(signatureRequest); + return signatureRequest; } - public Task ValidateAsync(string purpose, string token, UserManager manager, User user) + public async Task ValidateAsync(string purpose, string token, UserManager manager, User user) { - if(!user.Premium) + if(!(await _userService.CanAccessPremium(user))) { - return Task.FromResult(false); + return false; } var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo); if(!HasProperMetaData(provider)) { - return Task.FromResult(false); + return false; } var response = DuoWeb.VerifyResponse((string)provider.MetaData["IKey"], (string)provider.MetaData["SKey"], _globalSettings.Duo.AKey, token); - return Task.FromResult(response == user.Email); + return response == user.Email; } private bool HasProperMetaData(TwoFactorProvider provider) diff --git a/src/Core/Identity/ReadOnlyDatabaseIdentityUserStore.cs b/src/Core/Identity/ReadOnlyDatabaseIdentityUserStore.cs index 3a795a6e12..adacc3a86e 100644 --- a/src/Core/Identity/ReadOnlyDatabaseIdentityUserStore.cs +++ b/src/Core/Identity/ReadOnlyDatabaseIdentityUserStore.cs @@ -3,15 +3,20 @@ using System.Threading; using System.Threading.Tasks; using Microsoft.AspNetCore.Identity; using Bit.Core.Repositories; +using Bit.Core.Services; namespace Bit.Core.Identity { public class ReadOnlyDatabaseIdentityUserStore : ReadOnlyIdentityUserStore { + private readonly IUserService _userService; private readonly IUserRepository _userRepository; - public ReadOnlyDatabaseIdentityUserStore(IUserRepository userRepository) + public ReadOnlyDatabaseIdentityUserStore( + IUserService userService, + IUserRepository userRepository) { + _userService = userService; _userRepository = userRepository; } @@ -19,7 +24,7 @@ namespace Bit.Core.Identity CancellationToken cancellationToken = default(CancellationToken)) { var user = await _userRepository.GetByEmailAsync(normalizedEmail); - return user?.ToIdentityUser(); + return user?.ToIdentityUser(await user.TwoFactorIsEnabledAsync(_userService)); } public override async Task FindByIdAsync(string userId, @@ -31,7 +36,7 @@ namespace Bit.Core.Identity } var user = await _userRepository.GetByIdAsync(userIdGuid); - return user?.ToIdentityUser(); + return user?.ToIdentityUser(await user.TwoFactorIsEnabledAsync(_userService)); } } } diff --git a/src/Core/Identity/U2fTokenProvider.cs b/src/Core/Identity/U2fTokenProvider.cs index 737546c158..5f9a8f504e 100644 --- a/src/Core/Identity/U2fTokenProvider.cs +++ b/src/Core/Identity/U2fTokenProvider.cs @@ -49,7 +49,7 @@ namespace Bit.Core.Identity public async Task GenerateAsync(string purpose, UserManager manager, User user) { - if(!user.Premium) + if(!(await _userService.CanAccessPremium(user))) { return null; } @@ -108,7 +108,7 @@ namespace Bit.Core.Identity public async Task ValidateAsync(string purpose, string token, UserManager manager, User user) { - if(!user.Premium || string.IsNullOrWhiteSpace(token)) + if(!(await _userService.CanAccessPremium(user)) || string.IsNullOrWhiteSpace(token)) { return false; } diff --git a/src/Core/Identity/UserStore.cs b/src/Core/Identity/UserStore.cs index 7278028d41..33096fa0b2 100644 --- a/src/Core/Identity/UserStore.cs +++ b/src/Core/Identity/UserStore.cs @@ -4,6 +4,8 @@ using System.Threading.Tasks; using Microsoft.AspNetCore.Identity; using Bit.Core.Models.Table; using Bit.Core.Repositories; +using Bit.Core.Services; +using Microsoft.Extensions.DependencyInjection; namespace Bit.Core.Identity { @@ -14,13 +16,16 @@ namespace Bit.Core.Identity IUserTwoFactorStore, IUserSecurityStampStore { + private readonly IServiceProvider _serviceProvider; private readonly IUserRepository _userRepository; private readonly CurrentContext _currentContext; public UserStore( + IServiceProvider serviceProvider, IUserRepository userRepository, CurrentContext currentContext) { + _serviceProvider = serviceProvider; _userRepository = userRepository; _currentContext = currentContext; } @@ -162,9 +167,9 @@ namespace Bit.Core.Identity return Task.FromResult(0); } - public Task GetTwoFactorEnabledAsync(User user, CancellationToken cancellationToken) + public async Task GetTwoFactorEnabledAsync(User user, CancellationToken cancellationToken) { - return Task.FromResult(user.TwoFactorIsEnabled()); + return await user.TwoFactorIsEnabledAsync(_serviceProvider.GetRequiredService()); } public Task SetSecurityStampAsync(User user, string stamp, CancellationToken cancellationToken) diff --git a/src/Core/Identity/YubicoOtpTokenProvider.cs b/src/Core/Identity/YubicoOtpTokenProvider.cs index 1fe7fb0a9c..63a2294610 100644 --- a/src/Core/Identity/YubicoOtpTokenProvider.cs +++ b/src/Core/Identity/YubicoOtpTokenProvider.cs @@ -44,7 +44,7 @@ namespace Bit.Core.Identity public async Task ValidateAsync(string purpose, string token, UserManager manager, User user) { - if(!user.Premium) + if(!(await _userService.CanAccessPremium(user))) { return false; } diff --git a/src/Core/Models/Api/Response/ProfileResponseModel.cs b/src/Core/Models/Api/Response/ProfileResponseModel.cs index 61262d7e4d..20b8eac91c 100644 --- a/src/Core/Models/Api/Response/ProfileResponseModel.cs +++ b/src/Core/Models/Api/Response/ProfileResponseModel.cs @@ -3,12 +3,14 @@ using Bit.Core.Models.Table; using System.Collections.Generic; using System.Linq; using Bit.Core.Models.Data; +using Bit.Core.Services; namespace Bit.Core.Models.Api { public class ProfileResponseModel : ResponseModel { - public ProfileResponseModel(User user, IEnumerable organizationsUserDetails) + public ProfileResponseModel(User user, + IEnumerable organizationsUserDetails, bool twoFactorEnabled) : base("profile") { if(user == null) @@ -23,7 +25,7 @@ namespace Bit.Core.Models.Api Premium = user.Premium; MasterPasswordHint = string.IsNullOrWhiteSpace(user.MasterPasswordHint) ? null : user.MasterPasswordHint; Culture = user.Culture; - TwoFactorEnabled = user.TwoFactorIsEnabled(); + TwoFactorEnabled = twoFactorEnabled; Key = user.Key; PrivateKey = user.PrivateKey; SecurityStamp = user.SecurityStamp; diff --git a/src/Core/Models/Api/Response/SyncResponseModel.cs b/src/Core/Models/Api/Response/SyncResponseModel.cs index 38e80caf5b..7e196d229b 100644 --- a/src/Core/Models/Api/Response/SyncResponseModel.cs +++ b/src/Core/Models/Api/Response/SyncResponseModel.cs @@ -12,6 +12,7 @@ namespace Bit.Core.Models.Api public SyncResponseModel( GlobalSettings globalSettings, User user, + bool userTwoFactorEnabled, IEnumerable organizationUserDetails, IEnumerable folders, IEnumerable collections, @@ -20,7 +21,7 @@ namespace Bit.Core.Models.Api bool excludeDomains) : base("sync") { - Profile = new ProfileResponseModel(user, organizationUserDetails); + Profile = new ProfileResponseModel(user, organizationUserDetails, userTwoFactorEnabled); Folders = folders.Select(f => new FolderResponseModel(f)); Ciphers = ciphers.Select(c => new CipherDetailsResponseModel(c, globalSettings, collectionCiphersDict)); Collections = collections?.Select( diff --git a/src/Core/Models/Table/User.cs b/src/Core/Models/Table/User.cs index a976aa0e99..b156108e7a 100644 --- a/src/Core/Models/Table/User.cs +++ b/src/Core/Models/Table/User.cs @@ -3,7 +3,6 @@ using Bit.Core.Enums; using Bit.Core.Utilities; using System.Collections.Generic; using Newtonsoft.Json; -using System.Linq; using Bit.Core.Services; using Bit.Core.Exceptions; using Microsoft.AspNetCore.Identity; @@ -110,7 +109,7 @@ namespace Bit.Core.Models.Table return await userService.CanAccessPremium(this); } - public bool TwoFactorIsEnabled() + public async Task TwoFactorIsEnabledAsync(IUserService userService) { var providers = GetTwoFactorProviders(); if(providers == null) @@ -118,8 +117,21 @@ namespace Bit.Core.Models.Table return false; } - return providers.Any(p => (p.Value?.Enabled ?? false) && - (Premium || !TwoFactorProvider.RequiresPremium(p.Key))); + foreach(var p in providers) + { + if(p.Value?.Enabled ?? false) + { + if(!TwoFactorProvider.RequiresPremium(p.Key)) + { + return true; + } + if(await userService.CanAccessPremium(this)) + { + return true; + } + } + } + return false; } public TwoFactorProvider GetTwoFactorProvider(TwoFactorProviderType provider) @@ -177,7 +189,7 @@ namespace Bit.Core.Models.Table return paymentService; } - public IdentityUser ToIdentityUser() + public IdentityUser ToIdentityUser(bool twoFactorEnabled) { return new IdentityUser { @@ -187,7 +199,7 @@ namespace Bit.Core.Models.Table EmailConfirmed = EmailVerified, UserName = Email, NormalizedUserName = Email, - TwoFactorEnabled = TwoFactorIsEnabled(), + TwoFactorEnabled = twoFactorEnabled, SecurityStamp = SecurityStamp }; } diff --git a/src/Core/Services/Implementations/CipherService.cs b/src/Core/Services/Implementations/CipherService.cs index 88fa19b2b8..8a0f960ffb 100644 --- a/src/Core/Services/Implementations/CipherService.cs +++ b/src/Core/Services/Implementations/CipherService.cs @@ -24,6 +24,7 @@ namespace Bit.Core.Services private readonly IPushNotificationService _pushService; private readonly IAttachmentStorageService _attachmentStorageService; private readonly IEventService _eventService; + private readonly IUserService _userService; public CipherService( ICipherRepository cipherRepository, @@ -35,7 +36,8 @@ namespace Bit.Core.Services ICollectionCipherRepository collectionCipherRepository, IPushNotificationService pushService, IAttachmentStorageService attachmentStorageService, - IEventService eventService) + IEventService eventService, + IUserService userService) { _cipherRepository = cipherRepository; _folderRepository = folderRepository; @@ -47,6 +49,7 @@ namespace Bit.Core.Services _pushService = pushService; _attachmentStorageService = attachmentStorageService; _eventService = eventService; + _userService = userService; } public async Task SaveAsync(Cipher cipher, Guid savingUserId, bool orgAdmin = false) @@ -125,9 +128,9 @@ namespace Bit.Core.Services if(cipher.UserId.HasValue) { var user = await _userRepository.GetByIdAsync(cipher.UserId.Value); - if(!user.Premium) + if(!(await _userService.CanAccessPremium(user))) { - throw new BadRequestException("You must be a premium user to use attachments."); + throw new BadRequestException("You must have premium status to use attachments."); } storageBytesRemaining = user.StorageBytesRemaining(); diff --git a/src/Core/Utilities/ServiceCollectionExtensions.cs b/src/Core/Utilities/ServiceCollectionExtensions.cs index cddb5c38d5..add85a8c6e 100644 --- a/src/Core/Utilities/ServiceCollectionExtensions.cs +++ b/src/Core/Utilities/ServiceCollectionExtensions.cs @@ -153,16 +153,13 @@ namespace Bit.Core.Utilities public static IdentityBuilder AddCustomIdentityServices( this IServiceCollection services, GlobalSettings globalSettings) { - services.AddTransient(); services.AddSingleton(); - - services.Configure(options => options.IterationCount = 75000); services.Configure(options => { options.TokenLifespan = TimeSpan.FromDays(30); }); - var identityBuilder = services.AddIdentityWithoutCookieAuth(options => + var identityBuilder = services.AddBasicCustomIdentityServices(globalSettings, options => { options.User = new UserOptions { @@ -187,9 +184,6 @@ namespace Bit.Core.Utilities }); identityBuilder - .AddUserStore() - .AddRoleStore() - .AddTokenProvider>(TokenOptions.DefaultProvider) .AddTokenProvider(TwoFactorProviderType.Authenticator.ToString()) .AddTokenProvider(TwoFactorProviderType.YubiKey.ToString()) .AddTokenProvider(TwoFactorProviderType.Duo.ToString()) @@ -200,11 +194,27 @@ namespace Bit.Core.Utilities return identityBuilder; } - public static IdentityBuilder AddPasswordlessIdentityServices( - this IServiceCollection services, GlobalSettings globalSettings) where TUserStore : class + public static IdentityBuilder AddBasicCustomIdentityServices( + this IServiceCollection services, GlobalSettings globalSettings, + Action setAction = null) { - services.AddTransient(); + services.TryAddTransient(); + services.Configure(options => options.IterationCount = 75000); + var identityBuilder = services.AddIdentityWithoutCookieAuth(setAction); + + identityBuilder + .AddUserStore() + .AddRoleStore() + .AddTokenProvider>(TokenOptions.DefaultProvider); + + return identityBuilder; + } + + public static IdentityBuilder AddPasswordlessIdentityServices( + this IServiceCollection services, GlobalSettings globalSettings) where TUserStore : class + { + services.TryAddTransient(); services.Configure(options => { options.TokenLifespan = TimeSpan.FromMinutes(15);