nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 08:02:49 -05:00
Code Activity

Add support for Key Connector OTP and account migration (#1663)

Browse Source 
Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
This commit is contained in:
Oscar Hinton
2021-11-09 16:37:32 +01:00
committed by GitHub
parent f6bc35b2d0
commit fd37cb5a12
62 changed files with 3799 additions and 306 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
src/Api/Controllers/AccountsController.cs
View File

@ -16,7 +16,6 @@ using Microsoft.AspNetCore.Mvc;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Bit.Core.Enums.Provider;
@ -46,7 +45,6 @@ namespace Bit.Api.Controllers
IOrganizationUserRepository organizationUserRepository,
IProviderUserRepository providerUserRepository,
IPaymentService paymentService,
ISsoUserRepository ssoUserRepository,
IUserRepository userRepository,
IUserService userService,
ISendRepository sendRepository,
@ -118,6 +116,11 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (user.UsesKeyConnector)
{
throw new BadRequestException("You cannot change your email when using Key Connector.");
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
{
await Task.Delay(2000);
@ -136,6 +139,11 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (user.UsesKeyConnector)
{
throw new BadRequestException("You cannot change your email when using Key Connector.");
}
var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail,
model.NewMasterPasswordHash, model.Token, model.Key);
if (result.Succeeded)
@ -238,7 +246,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("verify-password")]
public async Task PostVerifyPassword([FromBody]VerifyPasswordRequestModel model)
public async Task PostVerifyPassword([FromBody]SecretVerificationRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -256,8 +264,8 @@ namespace Bit.Api.Controllers
throw new BadRequestException(ModelState);
}
[HttpPost("set-crypto-agent-key")]
public async Task PostSetCryptoAgentKeyAsync([FromBody]SetCryptoAgentKeyRequestModel model)
[HttpPost("set-key-connector-key")]
public async Task PostSetKeyConnectorKeyAsync([FromBody]SetKeyConnectorKeyRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -265,7 +273,30 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
var result = await _userService.SetCryptoAgentKeyAsync(model.ToUser(user), model.Key, model.OrgIdentifier);
var result = await _userService.SetKeyConnectorKeyAsync(model.ToUser(user), model.Key, model.OrgIdentifier);
if (result.Succeeded)
{
return;
}
foreach (var error in result.Errors)
{
ModelState.AddModelError(string.Empty, error.Description);
}
throw new BadRequestException(ModelState);
}
[HttpPost("convert-to-key-connector")]
public async Task PostConvertToKeyConnector()
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
{
throw new UnauthorizedAccessException();
}
var result = await _userService.ConvertToKeyConnectorAsync(user);
if (result.Succeeded)
{
return;
@ -361,7 +392,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("security-stamp")]
public async Task PostSecurityStamp([FromBody]SecurityStampRequestModel model)
public async Task PostSecurityStamp([FromBody]SecretVerificationRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -369,7 +400,7 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
var result = await _userService.RefreshSecurityStampAsync(user, model.MasterPasswordHash);
var result = await _userService.RefreshSecurityStampAsync(user, model.Secret);
if (result.Succeeded)
{
return;
@ -471,7 +502,7 @@ namespace Bit.Api.Controllers
[HttpDelete]
[HttpPost("delete")]
public async Task Delete([FromBody]DeleteAccountRequestModel model)
public async Task Delete([FromBody]SecretVerificationRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -479,9 +510,9 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
ModelState.AddModelError(string.Empty, "User verification failed.");
await Task.Delay(2000);
}
else
@ -761,7 +792,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("api-key")]
public async Task<ApiKeyResponseModel> ApiKey([FromBody]ApiKeyRequestModel model)
public async Task<ApiKeyResponseModel> ApiKey([FromBody]SecretVerificationRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -769,20 +800,17 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
else
{
var response = new ApiKeyResponseModel(user);
return response;
throw new BadRequestException(string.Empty, "User verification failed.");
}
return new ApiKeyResponseModel(user);
}
[HttpPost("rotate-api-key")]
public async Task<ApiKeyResponseModel> RotateApiKey([FromBody]ApiKeyRequestModel model)
public async Task<ApiKeyResponseModel> RotateApiKey([FromBody]SecretVerificationRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -790,17 +818,15 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
else
{
await _userService.RotateApiKeyAsync(user);
var response = new ApiKeyResponseModel(user);
return response;
throw new BadRequestException(string.Empty, "User verification failed.");
}
await _userService.RotateApiKeyAsync(user);
var response = new ApiKeyResponseModel(user);
return response;
}
[HttpPut("update-temp-password")]
@ -825,5 +851,33 @@ namespace Bit.Api.Controllers
throw new BadRequestException(ModelState);
}
[HttpPost("request-otp")]
public async Task PostRequestOTP()
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user is not { UsesKeyConnector: true })
{
throw new UnauthorizedAccessException();
}
await _userService.SendOTPAsync(user);
}
[HttpPost("verify-otp")]
public async Task VerifyOTP([FromBody]VerifyOTPRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user is not { UsesKeyConnector: true })
{
throw new UnauthorizedAccessException();
}
if (!await _userService.VerifyOTPAsync(user, model.OTP))
{
await Task.Delay(2000);
throw new BadRequestException("Token", "Invalid token");
}
}
}
}

6
src/Api/Controllers/CiphersController.cs
View File

@ -550,7 +550,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("purge")]
public async Task PostPurge([FromBody]CipherPurgeRequestModel model, string organizationId = null)
public async Task PostPurge([FromBody]SecretVerificationRequestModel model, string organizationId = null)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -558,9 +558,9 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
ModelState.AddModelError(string.Empty, "User verification failed.");
await Task.Delay(2000);
throw new BadRequestException(ModelState);
}

23
src/Api/Controllers/OrganizationsController.cs
View File

@ -390,7 +390,7 @@ namespace Bit.Api.Controllers
[HttpDelete("{id}")]
[HttpPost("{id}/delete")]
public async Task Delete(string id, [FromBody]OrganizationDeleteRequestModel model)
public async Task Delete(string id, [FromBody]SecretVerificationRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
@ -410,10 +410,10 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
throw new BadRequestException(string.Empty, "User verification failed.");
}
else
{
@ -466,7 +466,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("{id}/api-key")]
public async Task<ApiKeyResponseModel> ApiKey(string id, [FromBody]ApiKeyRequestModel model)
public async Task<ApiKeyResponseModel> ApiKey(string id, [FromBody]SecretVerificationRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
@ -486,7 +486,7 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
@ -499,7 +499,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("{id}/rotate-api-key")]
public async Task<ApiKeyResponseModel> RotateApiKey(string id, [FromBody]ApiKeyRequestModel model)
public async Task<ApiKeyResponseModel> RotateApiKey(string id, [FromBody]SecretVerificationRequestModel model)
{
var orgIdGuid = new Guid(id);
if (!await _currentContext.OrganizationOwner(orgIdGuid))
@ -519,7 +519,7 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
@ -640,14 +640,7 @@ namespace Bit.Api.Controllers
}
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
if (ssoConfig == null)
{
ssoConfig = model.ToSsoConfig(id);
}
else
{
ssoConfig = model.ToSsoConfig(ssoConfig);
}
ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
await _ssoConfigService.SaveAsync(ssoConfig);

60
src/Api/Controllers/TwoFactorController.cs
View File

@ -80,9 +80,9 @@ namespace Bit.Api.Controllers
}
[HttpPost("get-authenticator")]
public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator([FromBody]TwoFactorRequestModel model)
public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator([FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
var response = new TwoFactorAuthenticatorResponseModel(user);
return response;
}
@ -92,7 +92,7 @@ namespace Bit.Api.Controllers
public async Task<TwoFactorAuthenticatorResponseModel> PutAuthenticator(
[FromBody]UpdateTwoFactorAuthenticatorRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
model.ToUser(user);
if (!await _userManager.VerifyTwoFactorTokenAsync(user,
@ -108,9 +108,9 @@ namespace Bit.Api.Controllers
}
[HttpPost("get-yubikey")]
public async Task<TwoFactorYubiKeyResponseModel> GetYubiKey([FromBody]TwoFactorRequestModel model)
public async Task<TwoFactorYubiKeyResponseModel> GetYubiKey([FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
var response = new TwoFactorYubiKeyResponseModel(user);
return response;
}
@ -119,7 +119,7 @@ namespace Bit.Api.Controllers
[HttpPost("yubikey")]
public async Task<TwoFactorYubiKeyResponseModel> PutYubiKey([FromBody]UpdateTwoFactorYubicoOtpRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
model.ToUser(user);
await ValidateYubiKeyAsync(user, nameof(model.Key1), model.Key1);
@ -134,9 +134,9 @@ namespace Bit.Api.Controllers
}
[HttpPost("get-duo")]
public async Task<TwoFactorDuoResponseModel> GetDuo([FromBody]TwoFactorRequestModel model)
public async Task<TwoFactorDuoResponseModel> GetDuo([FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
var response = new TwoFactorDuoResponseModel(user);
return response;
}
@ -145,7 +145,7 @@ namespace Bit.Api.Controllers
[HttpPost("duo")]
public async Task<TwoFactorDuoResponseModel> PutDuo([FromBody]UpdateTwoFactorDuoRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
try
{
var duoApi = new DuoApi(model.IntegrationKey, model.SecretKey, model.Host);
@ -164,9 +164,9 @@ namespace Bit.Api.Controllers
[HttpPost("~/organizations/{id}/two-factor/get-duo")]
public async Task<TwoFactorDuoResponseModel> GetOrganizationDuo(string id,
[FromBody]TwoFactorRequestModel model)
[FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
var orgIdGuid = new Guid(id);
if (!await _currentContext.ManagePolicies(orgIdGuid))
@ -189,7 +189,7 @@ namespace Bit.Api.Controllers
public async Task<TwoFactorDuoResponseModel> PutOrganizationDuo(string id,
[FromBody]UpdateTwoFactorDuoRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
var orgIdGuid = new Guid(id);
if (!await _currentContext.ManagePolicies(orgIdGuid))
@ -221,17 +221,17 @@ namespace Bit.Api.Controllers
}
[HttpPost("get-webauthn")]
public async Task<TwoFactorWebAuthnResponseModel> GetWebAuthn([FromBody]TwoFactorRequestModel model)
public async Task<TwoFactorWebAuthnResponseModel> GetWebAuthn([FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
var response = new TwoFactorWebAuthnResponseModel(user);
return response;
}
[HttpPost("get-webauthn-challenge")]
public async Task<CredentialCreateOptions> GetWebAuthnChallenge([FromBody]TwoFactorRequestModel model)
public async Task<CredentialCreateOptions> GetWebAuthnChallenge([FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
var reg = await _userService.StartWebAuthnRegistrationAsync(user);
return reg;
}
@ -240,7 +240,7 @@ namespace Bit.Api.Controllers
[HttpPost("webauthn")]
public async Task<TwoFactorWebAuthnResponseModel> PutWebAuthn([FromBody]TwoFactorWebAuthnRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
var success = await _userService.CompleteWebAuthRegistrationAsync(
user, model.Id.Value, model.Name, model.DeviceResponse);
@ -255,16 +255,16 @@ namespace Bit.Api.Controllers
[HttpDelete("webauthn")]
public async Task<TwoFactorWebAuthnResponseModel> DeleteWebAuthn([FromBody]TwoFactorWebAuthnDeleteRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, true);
var user = await CheckAsync(model, true);
await _userService.DeleteWebAuthnKeyAsync(user, model.Id.Value);
var response = new TwoFactorWebAuthnResponseModel(user);
return response;
}
[HttpPost("get-email")]
public async Task<TwoFactorEmailResponseModel> GetEmail([FromBody]TwoFactorRequestModel model)
public async Task<TwoFactorEmailResponseModel> GetEmail([FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
var response = new TwoFactorEmailResponseModel(user);
return response;
}
@ -272,7 +272,7 @@ namespace Bit.Api.Controllers
[HttpPost("send-email")]
public async Task SendEmail([FromBody]TwoFactorEmailRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
model.ToUser(user);
await _userService.SendTwoFactorEmailAsync(user);
}
@ -284,7 +284,7 @@ namespace Bit.Api.Controllers
var user = await _userManager.FindByEmailAsync(model.Email.ToLowerInvariant());
if (user != null)
{
if (await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
if (await _userService.VerifySecretAsync(user, model.Secret))
{
await _userService.SendTwoFactorEmailAsync(user);
return;
@ -299,7 +299,7 @@ namespace Bit.Api.Controllers
[HttpPost("email")]
public async Task<TwoFactorEmailResponseModel> PutEmail([FromBody]UpdateTwoFactorEmailRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
model.ToUser(user);
if (!await _userManager.VerifyTwoFactorTokenAsync(user,
@ -318,7 +318,7 @@ namespace Bit.Api.Controllers
[HttpPost("disable")]
public async Task<TwoFactorProviderResponseModel> PutDisable([FromBody]TwoFactorProviderRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value, _organizationService);
var response = new TwoFactorProviderResponseModel(model.Type.Value, user);
return response;
@ -329,7 +329,7 @@ namespace Bit.Api.Controllers
public async Task<TwoFactorProviderResponseModel> PutOrganizationDisable(string id,
[FromBody]TwoFactorProviderRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
var orgIdGuid = new Guid(id);
if (!await _currentContext.ManagePolicies(orgIdGuid))
@ -349,9 +349,9 @@ namespace Bit.Api.Controllers
}
[HttpPost("get-recover")]
public async Task<TwoFactorRecoverResponseModel> GetRecover([FromBody]TwoFactorRequestModel model)
public async Task<TwoFactorRecoverResponseModel> GetRecover([FromBody]SecretVerificationRequestModel model)
{
var user = await CheckAsync(model.MasterPasswordHash, false);
var user = await CheckAsync(model, false);
var response = new TwoFactorRecoverResponseModel(user);
return response;
}
@ -368,7 +368,7 @@ namespace Bit.Api.Controllers
}
}
private async Task<User> CheckAsync(string masterPasswordHash, bool premium)
private async Task<User> CheckAsync(SecretVerificationRequestModel model, bool premium)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
@ -376,10 +376,10 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if (!await _userService.CheckPasswordAsync(user, masterPasswordHash))
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
throw new BadRequestException(string.Empty, "User verification failed.");
}
if (premium && !(await _userService.CanAccessPremium(user)))