nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-02 08:32:50 -05:00
Code Activity

Add support for Key Connector OTP and account migration (#1663)

Browse Source 
Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
This commit is contained in:
Oscar Hinton
2021-11-09 16:37:32 +01:00
committed by GitHub
parent f6bc35b2d0
commit fd37cb5a12
62 changed files with 3799 additions and 306 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/Core/Services/IMailService.cs
View File

@ -49,5 +49,6 @@ namespace Bit.Core.Services
Task SendProviderConfirmedEmailAsync(string providerName, string email);
Task SendProviderUserRemoved(string providerName, string email);
Task SendUpdatedTempPasswordEmailAsync(string email, string userName);
Task SendOTPEmailAsync(string email, string token);
}
}

6
src/Core/Services/IUserService.cs
View File

@ -34,7 +34,8 @@ namespace Bit.Core.Services
string token, string key);
Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key);
Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key, string orgIdentifier = null);
Task<IdentityResult> SetCryptoAgentKeyAsync(User user, string key, string orgIdentifier);
Task<IdentityResult> SetKeyConnectorKeyAsync(User user, string key, string orgIdentifier);
Task<IdentityResult> ConvertToKeyConnectorAsync(User user);
Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType type, Guid orgId, Guid id, string newMasterPassword, string key);
Task<IdentityResult> UpdateTempPasswordAsync(User user, string newMasterPassword, string key, string hint);
Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
@ -74,5 +75,8 @@ namespace Bit.Core.Services
Task<string> GenerateSignInTokenAsync(User user, string purpose);
Task RotateApiKeyAsync(User user);
string GetUserName(ClaimsPrincipal principal);
Task SendOTPAsync(User user);
Task<bool> VerifyOTPAsync(User user, string token);
Task<bool> VerifySecretAsync(User user, string secret);
}
}

15
src/Core/Services/Implementations/HandlebarsMailService.cs
View File

@ -755,5 +755,20 @@ namespace Bit.Core.Services
message.Category = "UpdatedTempPassword";
await _mailDeliveryService.SendEmailAsync(message);
}
public async Task SendOTPEmailAsync(string email, string token)
{
var message = CreateDefaultMessage("Your Bitwarden Verification Code", email);
var model = new EmailTokenViewModel
{
Token = token,
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
SiteName = _globalSettings.SiteName,
};
await AddMessageContentAsync(message, "OTPEmail", model);
message.MetaData.Add("SendGridBypassListManagement", true);
message.Category = "OTP";
await _mailDeliveryService.SendEmailAsync(message);
}
}
}

11
src/Core/Services/Implementations/OrganizationService.cs
View File

@ -908,6 +908,8 @@ namespace Bit.Core.Services
public async Task DeleteAsync(Organization organization)
{
await ValidateDeleteOrganizationAsync(organization);
if (!string.IsNullOrWhiteSpace(organization.GatewaySubscriptionId))
{
try
@ -2135,5 +2137,14 @@ namespace Bit.Core.Services
throw new BadRequestException("Custom users can not manage Admins or Owners.");
}
}
private async Task ValidateDeleteOrganizationAsync(Organization organization)
{
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
if (ssoConfig?.GetData()?.UseKeyConnector == true)
{
throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
}
}
}
}

9
src/Core/Services/Implementations/PolicyService.cs
View File

@ -15,6 +15,7 @@ namespace Bit.Core.Services
private readonly IOrganizationRepository _organizationRepository;
private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly IPolicyRepository _policyRepository;
private readonly ISsoConfigRepository _ssoConfigRepository;
private readonly IMailService _mailService;
public PolicyService(
@ -22,12 +23,14 @@ namespace Bit.Core.Services
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
IPolicyRepository policyRepository,
ISsoConfigRepository ssoConfigRepository,
IMailService mailService)
{
_eventService = eventService;
_organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository;
_policyRepository = policyRepository;
_ssoConfigRepository = ssoConfigRepository;
_mailService = mailService;
}
@ -64,6 +67,12 @@ namespace Bit.Core.Services
{
throw new BadRequestException("Maximum Vault Timeout policy is enabled.");
}
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
if (ssoConfig?.GetData()?.UseKeyConnector == true)
{
throw new BadRequestException("KeyConnector is enabled.");
}
}
break;

55
src/Core/Services/Implementations/SsoConfigService.cs
View File

@ -1,5 +1,7 @@
using System;
using System.Threading.Tasks;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
@ -8,11 +10,20 @@ namespace Bit.Core.Services
public class SsoConfigService : ISsoConfigService
{
private readonly ISsoConfigRepository _ssoConfigRepository;
private readonly IPolicyRepository _policyRepository;
private readonly IOrganizationRepository _organizationRepository;
private readonly IEventService _eventService;
public SsoConfigService(
ISsoConfigRepository ssoConfigRepository)
ISsoConfigRepository ssoConfigRepository,
IPolicyRepository policyRepository,
IOrganizationRepository organizationRepository,
IEventService eventService)
{
_ssoConfigRepository = ssoConfigRepository;
_policyRepository = policyRepository;
_organizationRepository = organizationRepository;
_eventService = eventService;
}
public async Task SaveAsync(SsoConfig config)
@ -23,7 +34,49 @@ namespace Bit.Core.Services
{
config.CreationDate = now;
}
var useKeyConnector = config.GetData().UseKeyConnector;
if (useKeyConnector)
{
await VerifyDependenciesAsync(config);
}
var oldConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(config.OrganizationId);
if (oldConfig?.GetData()?.UseKeyConnector == true && !useKeyConnector)
{
throw new BadRequestException("KeyConnector cannot be disabled at this moment.");
}
await LogEventsAsync(config, oldConfig);
await _ssoConfigRepository.UpsertAsync(config);
}
private async Task VerifyDependenciesAsync(SsoConfig config)
{
var policy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.SingleOrg);
if (policy is not { Enabled: true })
{
throw new BadRequestException("KeyConnector requires Single Organization to be enabled.");
}
}
private async Task LogEventsAsync(SsoConfig config, SsoConfig oldConfig)
{
var organization = await _organizationRepository.GetByIdAsync(config.OrganizationId);
if (oldConfig?.Enabled != config.Enabled)
{
var e = config.Enabled ? EventType.Organization_EnabledSso : EventType.Organization_DisabledSso;
await _eventService.LogOrganizationEventAsync(organization, e);
}
var useKeyConnector = config.GetData().UseKeyConnector;
if (oldConfig?.GetData()?.UseKeyConnector != useKeyConnector)
{
var e = useKeyConnector
? EventType.Organization_EnabledKeyConnector
: EventType.Organization_DisabledKeyConnector;
await _eventService.LogOrganizationEventAsync(organization, e);
}
}
}
}

133
src/Core/Services/Implementations/UserService.cs
View File

@ -1,26 +1,27 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models;
using Bit.Core.Models.Business;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
using Bit.Core.Settings;
using Bit.Core.Utilities;
using Fido2NetLib;
using Fido2NetLib.Objects;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Bit.Core.Models.Table;
using Bit.Core.Repositories;
using System.Linq;
using Bit.Core.Enums;
using System.Security.Claims;
using Bit.Core.Models;
using Bit.Core.Models.Business;
using U2fLib = U2F.Core.Crypto.U2F;
using Bit.Core.Context;
using Bit.Core.Exceptions;
using Bit.Core.Utilities;
using Bit.Core.Settings;
using System.IO;
using Newtonsoft.Json;
using Microsoft.AspNetCore.DataProtection;
using Fido2NetLib;
using Fido2NetLib.Objects;
using File = System.IO.File;
using U2fLib = U2F.Core.Crypto.U2F;
namespace Bit.Core.Services
{
@ -602,7 +603,7 @@ namespace Bit.Core.Services
return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
}
public async Task<IdentityResult> SetPasswordAsync(User user, string masterPassword, string key,
public async Task<IdentityResult> SetPasswordAsync(User user, string masterPassword, string key,
string orgIdentifier = null)
{
if (user == null)
@ -627,42 +628,63 @@ namespace Bit.Core.Services
await _userRepository.ReplaceAsync(user);
await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
if (!string.IsNullOrWhiteSpace(orgIdentifier))
{
await _organizationService.AcceptUserAsync(orgIdentifier, user, this);
}
return IdentityResult.Success;
}
public async Task<IdentityResult> SetCryptoAgentKeyAsync(User user, string key, string orgIdentifier)
public async Task<IdentityResult> SetKeyConnectorKeyAsync(User user, string key, string orgIdentifier)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
if (user.UsesCryptoAgent)
if (user.UsesKeyConnector)
{
Logger.LogWarning("Already uses crypto agent.");
Logger.LogWarning("Already uses key connector.");
return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword());
}
user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
user.Key = key;
user.UsesCryptoAgent = true;
user.UsesKeyConnector = true;
await _userRepository.ReplaceAsync(user);
// TODO: Use correct event
await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
await _eventService.LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
await _organizationService.AcceptUserAsync(orgIdentifier, user, this);
return IdentityResult.Success;
}
public async Task<IdentityResult> ConvertToKeyConnectorAsync(User user)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
if (user.UsesKeyConnector)
{
Logger.LogWarning("Already uses key connector.");
return IdentityResult.Failed(_identityErrorDescriber.UserAlreadyHasPassword());
}
user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
user.MasterPassword = null;
user.UsesKeyConnector = true;
await _userRepository.ReplaceAsync(user);
await _eventService.LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
return IdentityResult.Success;
}
public async Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType callingUserType, Guid orgId, Guid id, string newMasterPassword, string key)
{
// Org must be able to use reset password
@ -671,15 +693,15 @@ namespace Bit.Core.Services
{
throw new BadRequestException("Organization does not allow password reset.");
}
// Enterprise policy must be enabled
// Enterprise policy must be enabled
var resetPasswordPolicy =
await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled)
{
throw new BadRequestException("Organization does not have the password reset policy enabled.");
}
// Org User must be confirmed and have a ResetPasswordKey
var orgUser = await _organizationUserRepository.GetByIdAsync(id);
if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed ||
@ -688,7 +710,7 @@ namespace Bit.Core.Services
{
throw new BadRequestException("Organization User not valid");
}
// Calling User must be of higher/equal user type to reset user's password
var canAdjustPassword = false;
switch (callingUserType)
@ -715,7 +737,12 @@ namespace Bit.Core.Services
{
throw new NotFoundException();
}
if (user.UsesKeyConnector)
{
throw new BadRequestException("Cannot reset password of a user with key connector.");
}
var result = await UpdatePasswordHash(user, newMasterPassword);
if (!result.Succeeded)
{
@ -733,14 +760,14 @@ namespace Bit.Core.Services
return IdentityResult.Success;
}
public async Task<IdentityResult> UpdateTempPasswordAsync(User user, string newMasterPassword, string key, string hint)
{
if (!user.ForcePasswordReset)
{
throw new BadRequestException("User does not have a temporary password to update.");
}
var result = await UpdatePasswordHash(user, newMasterPassword);
if (!result.Succeeded)
{
@ -820,14 +847,14 @@ namespace Bit.Core.Services
return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
}
public async Task<IdentityResult> RefreshSecurityStampAsync(User user, string masterPassword)
public async Task<IdentityResult> RefreshSecurityStampAsync(User user, string secret)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
if (await CheckPasswordAsync(user, masterPassword))
if (await VerifySecretAsync(user, secret))
{
var result = await base.UpdateSecurityStampAsync(user);
if (!result.Succeeded)
@ -878,7 +905,7 @@ namespace Bit.Core.Services
}
}
public async Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode,
public async Task<bool> RecoverTwoFactorAsync(string email, string secret, string recoveryCode,
IOrganizationService organizationService)
{
var user = await _userRepository.GetByEmailAsync(email);
@ -888,7 +915,7 @@ namespace Bit.Core.Services
return false;
}
if (!await CheckPasswordAsync(user, masterPassword))
if (!await VerifySecretAsync(user, secret))
{
return false;
}
@ -1253,7 +1280,7 @@ namespace Bit.Core.Services
purpose);
return token;
}
private async Task<IdentityResult> UpdatePasswordHash(User user, string newPassword,
bool validatePassword = true, bool refreshStamp = true)
{
@ -1350,5 +1377,35 @@ namespace Bit.Core.Services
user.RevisionDate = DateTime.UtcNow;
await _userRepository.ReplaceAsync(user);
}
public async Task SendOTPAsync(User user)
{
if (user.Email == null)
{
throw new BadRequestException("No user email.");
}
if (!user.UsesKeyConnector)
{
throw new BadRequestException("Not using key connector.");
}
var token = await base.GenerateUserTokenAsync(user, TokenOptions.DefaultEmailProvider,
"otp:" + user.Email);
await _mailService.SendOTPEmailAsync(user.Email, token);
}
public Task<bool> VerifyOTPAsync(User user, string token)
{
return base.VerifyUserTokenAsync(user, TokenOptions.DefaultEmailProvider,
"otp:" + user.Email, token);
}
public async Task<bool> VerifySecretAsync(User user, string secret)
{
return user.UsesKeyConnector
? await VerifyOTPAsync(user, secret)
: await CheckPasswordAsync(user, secret);
}
}
}

5
src/Core/Services/NoopImplementations/NoopMailService.cs
View File

@ -200,5 +200,10 @@ namespace Bit.Core.Services
{
return Task.FromResult(0);
}
public Task SendOTPEmailAsync(string email, string token)
{
return Task.FromResult(0);
}
}
}