From e26b29f70ea4574c436582e8590d646bb4a28a3e Mon Sep 17 00:00:00 2001
From: Jared Snider
Date: Thu, 15 May 2025 22:27:44 -0400
Subject: [PATCH] PM-20532 - (1) Move ApiClient into new StaticClients folder (2) Create SendClientBuilder as don't need to use inheritance w/ client (3) Register new SendClient using builder in StaticClientStore (4) StaticClientStore - update name of clients list to not be ApiClients and instead just be Clients.
---
 .../IdentityServer/DynamicClientStore.cs | 2 +-
 .../IdentityServer/StaticClientStore.cs | 8 +++--
 .../{ => StaticClients}/ApiClient.cs | 0
 .../StaticClients/SendClientBuilder.cs | 31 +++++++++++++++++++
 4 files changed, 37 insertions(+), 4 deletions(-)
 rename src/Identity/IdentityServer/{ => StaticClients}/ApiClient.cs (100%)
 create mode 100644 src/Identity/IdentityServer/StaticClients/SendClientBuilder.cs
diff --git a/src/Identity/IdentityServer/DynamicClientStore.cs b/src/Identity/IdentityServer/DynamicClientStore.cs
index 997ff64d0b..00e265f015 100644
--- a/src/Identity/IdentityServer/DynamicClientStore.cs
+++ b/src/Identity/IdentityServer/DynamicClientStore.cs
@@ -36,7 +36,7 @@ internal class DynamicClientStore : IClientStore
         if (firstPeriod == -1)
         {
             // No splitter, attempt but don't fail for a static client
-            if (_staticClientStore.ApiClients.TryGetValue(clientId, out var client))
+            if (_staticClientStore.Clients.TryGetValue(clientId, out var client))
             {
                 return Task.FromResult(client);
             }
diff --git a/src/Identity/IdentityServer/StaticClientStore.cs b/src/Identity/IdentityServer/StaticClientStore.cs
index e6880b7670..cab7844f47 100644
--- a/src/Identity/IdentityServer/StaticClientStore.cs
+++ b/src/Identity/IdentityServer/StaticClientStore.cs
@@ -1,6 +1,7 @@
 using System.Collections.Frozen;
 using Bit.Core.Enums;
 using Bit.Core.Settings;
+using Bit.Identity.IdentityServer.StaticClients;
 using Duende.IdentityServer.Models;
 
 namespace Bit.Identity.IdentityServer;
@@ -9,16 +10,17 @@ public class StaticClientStore
 {
     public StaticClientStore(GlobalSettings globalSettings)
     {
-        ApiClients = new List
+        Clients = new List
         {
             new ApiClient(globalSettings, BitwardenClient.Mobile, 60, 1),
             new ApiClient(globalSettings, BitwardenClient.Web, 7, 1),
             new ApiClient(globalSettings, BitwardenClient.Browser, 30, 1),
             new ApiClient(globalSettings, BitwardenClient.Desktop, 30, 1),
             new ApiClient(globalSettings, BitwardenClient.Cli, 30, 1),
-            new ApiClient(globalSettings, BitwardenClient.DirectoryConnector, 30, 24)
+            new ApiClient(globalSettings, BitwardenClient.DirectoryConnector, 30, 24),
+            SendClientBuilder.Build(globalSettings),
         }.ToFrozenDictionary(c => c.ClientId);
     }
 
-    public FrozenDictionary ApiClients { get; }
+    public FrozenDictionary Clients { get; }
 }
diff --git a/src/Identity/IdentityServer/ApiClient.cs b/src/Identity/IdentityServer/StaticClients/ApiClient.cs
similarity index 100%
rename from src/Identity/IdentityServer/ApiClient.cs
rename to src/Identity/IdentityServer/StaticClients/ApiClient.cs
diff --git a/src/Identity/IdentityServer/StaticClients/SendClientBuilder.cs b/src/Identity/IdentityServer/StaticClients/SendClientBuilder.cs
new file mode 100644
index 0000000000..55e5e9a1e9
--- /dev/null
+++ b/src/Identity/IdentityServer/StaticClients/SendClientBuilder.cs
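Review bot: The renamed public `Clients` property is still undocumented, and with this hunk it no longer holds only `ApiClient` instances, so the name alone no longer tells a reader what the collection is for. A `<summary>` on the property along the lines of "Built-in clients keyed by ClientId; DynamicClientStore falls back to this table for client ids that carry no splitter" would record the contract that the DynamicClientStore hunk in this same patch relies on. Since `ToFrozenDictionary(c => c.ClientId)` throws on a duplicate key, a one-line comment on that call noting that a colliding ClientId (for example a future static client reusing `BitwardenClient.Send`) fails at startup rather than silently shadowing would also save the next maintainer a surprise.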
@@ -0,0 +1,31 @@
+using Bit.Core.Enums;
+using Bit.Core.IdentityServer;
+using Bit.Core.Settings;
+using Bit.Identity.IdentityServer.RequestValidators;
+using Duende.IdentityServer.Models;
+
+namespace Bit.Identity.IdentityServer.StaticClients;
+public static class SendClientBuilder
+{
+    public static Client Build(GlobalSettings globalSettings)
+    {
+        return new Client()
+        {
+            ClientId = BitwardenClient.Send,
+            AllowedGrantTypes = new[] { SendAccessGrantValidator.GrantType },
+            AccessTokenLifetime = 60 * 5, // 5 minutes
+
+            // Do not allow refresh tokens to be issued.
+            AllowOfflineAccess = false,
+
+            // Send is a public anonymous client, so no secret is required (or really possible to use securely).
+            RequireClientSecret = false,
+
+            // Allow web vault to use this client.
+            AllowedCorsOrigins = new[] { globalSettings.BaseServiceUri.Vault },
+
+            // Setup API scopes that the client can request in the scope property of the token request.
+            AllowedScopes = new string[] { ApiScopes.Send },
+        };
+    }
+}
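Review bot: `RequireClientSecret = false` combined with a single custom grant type means `SendAccessGrantValidator` is the only check between an anonymous caller and an access token for this client, but neither the class nor `Build` documents that invariant; a `<summary>` on `Build` should state that the client is unauthenticated by design and that the grant validator must fully verify the send access credential before a token is issued, so a later change to that validator is reviewed with this client in mind. `AllowedCorsOrigins` is built from `globalSettings.BaseServiceUri.Vault` with no check; if that setting is unset the array holds a null origin, and whether Duende rejects or tolerates that is not visible here, so a guard such as `ArgumentException.ThrowIfNullOrWhiteSpace(globalSettings.BaseServiceUri.Vault);` at the top of `Build` (the file already targets a runtime with `FrozenDictionary`, so the helper is available) would fail fast with a clear message. As a nit, `AccessTokenLifetime = 60 * 5` reads better as `(int)TimeSpan.FromMinutes(5).TotalSeconds`, `new Client()` can drop the empty parentheses in front of an object initializer, and a blank line after the file-scoped namespace would match the surrounding files.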