nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-05-15 00:19:11 -05:00
Code

Auth/pm 17111/add browser to list of approving clients (#5792)

Browse Source 
* feat(update-auth-approving-clients): [PM-17111] Add Browser to List of Approving Clients - Initial changes.

* feat(update-auth-approving-clients): [PM-17111] Add Browser to List of Approving Clients - Updated tests.

* test(update-auth-approving-clients): [PM-17111] Add Browser to List of Approving Clients - Strengthened tests.
This commit is contained in:
Patrick-Pimentel-Bitwarden 2025-05-13 15:43:11 -04:00 committed by GitHub
parent 5700347e08
commit dd2ea41b74
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 74 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
View File

@ -6,6 +6,7 @@ using Bit.Core.Context;
using Bit.Core.Entities; using Bit.Core.Entities;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Core.Utilities;
using Bit.Identity.Utilities; using Bit.Identity.Utilities;
namespace Bit.Identity.IdentityServer; namespace Bit.Identity.IdentityServer;
@ -24,7 +25,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
private UserDecryptionOptions _options = new UserDecryptionOptions(); private UserDecryptionOptions _options = new UserDecryptionOptions();
private User? _user; private User? _user;
private Core.Auth.Entities.SsoConfig? _ssoConfig; private SsoConfig? _ssoConfig;
private Device? _device; private Device? _device;
public UserDecryptionOptionsBuilder( public UserDecryptionOptionsBuilder(
@ -45,7 +46,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
return this; return this;
} }
public IUserDecryptionOptionsBuilder WithSso(Core.Auth.Entities.SsoConfig ssoConfig) public IUserDecryptionOptionsBuilder WithSso(SsoConfig ssoConfig)
{ {
_ssoConfig = ssoConfig; _ssoConfig = ssoConfig;
return this; return this;
@ -119,8 +120,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
// their current device. // their current device.
// NOTE: this doesn't check for if the users have configured the devices to be capable of approving requests as that is a client side setting. // NOTE: this doesn't check for if the users have configured the devices to be capable of approving requests as that is a client side setting.
hasLoginApprovingDevice = allDevices hasLoginApprovingDevice = allDevices
.Where(d => d.Identifier != _device.Identifier && LoginApprovingDeviceTypes.Types.Contains(d.Type)) .Any(d => d.Identifier != _device.Identifier && LoginApprovingClientTypes.TypesThatCanApprove.Contains(DeviceTypes.ToClientType(d.Type)));
.Any();
} }
// Determine if user has manage reset password permission as post sso logic requires it for forcing users with this permission to set a MP // Determine if user has manage reset password permission as post sso logic requires it for forcing users with this permission to set a MP

22
src/Identity/Utilities/LoginApprovingClientTypes.cs Normal file
View File

@ -0,0 +1,22 @@
using Bit.Core.Enums;
namespace Bit.Identity.Utilities;
public static class LoginApprovingClientTypes
{
private static readonly IReadOnlyCollection<ClientType> _clientTypesThatCanApprove;
static LoginApprovingClientTypes()
{
var clientTypes = new List<ClientType>
{
ClientType.Desktop,
ClientType.Mobile,
ClientType.Web,
ClientType.Browser,
};
_clientTypesThatCanApprove = clientTypes.AsReadOnly();
}
public static IReadOnlyCollection<ClientType> TypesThatCanApprove => _clientTypesThatCanApprove;
}

20
src/Identity/Utilities/LoginApprovingDeviceTypes.cs
View File

@ -1,20 +0,0 @@
using Bit.Core.Enums;
using Bit.Core.Utilities;
namespace Bit.Identity.Utilities;
public static class LoginApprovingDeviceTypes
{
private static readonly IReadOnlyCollection<DeviceType> _deviceTypes;
static LoginApprovingDeviceTypes()
{
var deviceTypes = new List<DeviceType>();
deviceTypes.AddRange(DeviceTypes.DesktopTypes);
deviceTypes.AddRange(DeviceTypes.MobileTypes);
deviceTypes.AddRange(DeviceTypes.BrowserTypes);
_deviceTypes = deviceTypes.AsReadOnly();
}
public static IReadOnlyCollection<DeviceType> Types => _deviceTypes;
}

52
test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs
View File

@ -6,7 +6,6 @@ using Bit.Core.Entities;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Identity.IdentityServer; using Bit.Identity.IdentityServer;
using Bit.Identity.Utilities;
using Bit.Test.Common.AutoFixture.Attributes; using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute; using NSubstitute;
using Xunit; using Xunit;
@ -102,12 +101,39 @@ public class UserDecryptionOptionsBuilderTests
Assert.Equal(device.EncryptedUserKey, result.TrustedDeviceOption?.EncryptedUserKey); Assert.Equal(device.EncryptedUserKey, result.TrustedDeviceOption?.EncryptedUserKey);
} }
[Theory, BitAutoData] [Theory]
public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice) // Desktop
[BitAutoData(DeviceType.LinuxDesktop)]
[BitAutoData(DeviceType.MacOsDesktop)]
[BitAutoData(DeviceType.WindowsDesktop)]
[BitAutoData(DeviceType.UWP)]
// Mobile
[BitAutoData(DeviceType.Android)]
[BitAutoData(DeviceType.iOS)]
[BitAutoData(DeviceType.AndroidAmazon)]
// Web
[BitAutoData(DeviceType.ChromeBrowser)]
[BitAutoData(DeviceType.FirefoxBrowser)]
[BitAutoData(DeviceType.OperaBrowser)]
[BitAutoData(DeviceType.EdgeBrowser)]
[BitAutoData(DeviceType.IEBrowser)]
[BitAutoData(DeviceType.SafariBrowser)]
[BitAutoData(DeviceType.VivaldiBrowser)]
[BitAutoData(DeviceType.UnknownBrowser)]
// Extension
[BitAutoData(DeviceType.ChromeExtension)]
[BitAutoData(DeviceType.FirefoxExtension)]
[BitAutoData(DeviceType.OperaExtension)]
[BitAutoData(DeviceType.EdgeExtension)]
[BitAutoData(DeviceType.VivaldiExtension)]
[BitAutoData(DeviceType.SafariExtension)]
public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(
DeviceType deviceType,
SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
{ {
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption; configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
ssoConfig.Data = configurationData.Serialize(); ssoConfig.Data = configurationData.Serialize();
approvingDevice.Type = LoginApprovingDeviceTypes.Types.First(); approvingDevice.Type = deviceType;
_deviceRepository.GetManyByUserIdAsync(user.Id).Returns(new Device[] { approvingDevice }); _deviceRepository.GetManyByUserIdAsync(user.Id).Returns(new Device[] { approvingDevice });
var result = await _builder.ForUser(user).WithSso(ssoConfig).WithDevice(device).BuildAsync(); var result = await _builder.ForUser(user).WithSso(ssoConfig).WithDevice(device).BuildAsync();
@ -115,6 +141,24 @@ public class UserDecryptionOptionsBuilderTests
Assert.True(result.TrustedDeviceOption?.HasLoginApprovingDevice); Assert.True(result.TrustedDeviceOption?.HasLoginApprovingDevice);
} }
[Theory]
[BitAutoData(DeviceType.WindowsCLI)]
[BitAutoData(DeviceType.MacOsCLI)]
[BitAutoData(DeviceType.LinuxCLI)]
public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceFalse(
DeviceType deviceType,
SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
{
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
ssoConfig.Data = configurationData.Serialize();
approvingDevice.Type = deviceType;
_deviceRepository.GetManyByUserIdAsync(user.Id).Returns(new Device[] { approvingDevice });
var result = await _builder.ForUser(user).WithSso(ssoConfig).WithDevice(device).BuildAsync();
Assert.False(result.TrustedDeviceOption?.HasLoginApprovingDevice);
}
[Theory, BitAutoData] [Theory, BitAutoData]
public async Task Build_WhenManageResetPasswordPermissions_ShouldReturnHasManageResetPasswordPermissionTrue( public async Task Build_WhenManageResetPasswordPermissions_ShouldReturnHasManageResetPasswordPermissionTrue(
SsoConfig ssoConfig, SsoConfig ssoConfig,