mirror of
https://github.com/bitwarden/server.git
synced 2025-07-04 09:32:48 -05:00
[Provider] Server entities and models (#1370)
* Mock out provider models and service * Implement CreateAsync, CompleteSetupAsync, UpdateAsync, InviteUserAsync and ResendInvitesAsync * Implement AcceptUserAsync and ConfirmUsersAsync * Implement SaveUserAsync and DeleteUserAsync * Add email templates * Add admin operations for providers * Fix mail template names * Rename roles * Verify provider has provideradmin * Add self hosted check to admin controller * Resolve review comments * Update sql queries * Change create provider to use email instead of userId
This commit is contained in:
Oscar Hinton
@ -7,6 +7,7 @@ using System.Linq;
|
||||
using System.Collections.Generic;
|
||||
using Bit.Core.Models.Table;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Models.Table.Provider;
|
||||
using Bit.Core.Settings;
|
||||
|
||||
namespace Bit.Core.Services
|
||||
@ -222,6 +223,12 @@ namespace Bit.Core.Services
|
||||
await _eventWriteService.CreateAsync(e);
|
||||
}
|
||||
|
||||
// TODO: Implement this
|
||||
public Task LogProviderUserEventAsync(ProviderUser providerUser, EventType type, DateTime? date = null) => throw new NotImplementedException();
|
||||
|
||||
// TODO: Implement this
|
||||
public Task LogProviderUsersEventAsync(IEnumerable<(ProviderUser, EventType, DateTime?)> events) => throw new NotImplementedException();
|
||||
|
||||
private bool CanUseEvents(IDictionary<Guid, OrganizationAbility> orgAbilities, Guid orgId)
|
||||
{
|
||||
return orgAbilities != null && orgAbilities.ContainsKey(orgId) &&
|
||||
|
||||
@ -9,6 +9,8 @@ using System.Net;
|
||||
using Bit.Core.Utilities;
|
||||
using System.Linq;
|
||||
using System.Reflection;
|
||||
using Bit.Core.Models.Mail.Provider;
|
||||
using Bit.Core.Models.Table.Provider;
|
||||
using HandlebarsDotNet;
|
||||
|
||||
namespace Bit.Core.Services
|
||||
@ -646,5 +648,53 @@ namespace Bit.Core.Services
|
||||
message.Category = "EmergencyAccessRecoveryTimedOut";
|
||||
await _mailDeliveryService.SendEmailAsync(message);
|
||||
}
|
||||
|
||||
public async Task SendProviderSetupInviteEmailAsync(Provider provider, string token, string email)
|
||||
{
|
||||
var message = CreateDefaultMessage($"Create a Provider", email);
|
||||
var model = new ProviderSetupInviteViewModel
|
||||
{
|
||||
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
|
||||
SiteName = _globalSettings.SiteName,
|
||||
ProviderId = provider.Id.ToString(),
|
||||
Email = email,
|
||||
Token = token,
|
||||
};
|
||||
await AddMessageContentAsync(message, "Provider.ProviderSetupInvite", model);
|
||||
message.Category = "ProviderSetupInvite";
|
||||
await _mailDeliveryService.SendEmailAsync(message);
|
||||
}
|
||||
|
||||
public async Task SendProviderInviteEmailAsync(string providerName, ProviderUser providerUser, string token, string email)
|
||||
{
|
||||
var message = CreateDefaultMessage($"Join {providerName}", email);
|
||||
var model = new ProviderUserInvitedViewModel
|
||||
{
|
||||
ProviderName = CoreHelpers.SanitizeForEmail(providerName),
|
||||
Email = WebUtility.UrlDecode(providerUser.Email),
|
||||
ProviderId = providerUser.ProviderId.ToString(),
|
||||
ProviderUserId = providerUser.Id.ToString(),
|
||||
ProviderNameUrlEncoded = WebUtility.UrlEncode(providerName),
|
||||
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
|
||||
SiteName = _globalSettings.SiteName,
|
||||
};
|
||||
await AddMessageContentAsync(message, "Provider.ProviderUserInvited", model);
|
||||
message.Category = "ProviderSetupInvite";
|
||||
await _mailDeliveryService.SendEmailAsync(message);
|
||||
}
|
||||
|
||||
public async Task SendProviderConfirmedEmailAsync(string providerName, string email)
|
||||
{
|
||||
var message = CreateDefaultMessage($"You Have Been Confirmed To {providerName}", email);
|
||||
var model = new ProviderUserConfirmedViewModel
|
||||
{
|
||||
ProviderName = CoreHelpers.SanitizeForEmail(providerName),
|
||||
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
|
||||
SiteName = _globalSettings.SiteName
|
||||
};
|
||||
await AddMessageContentAsync(message, "Provider.ProviderUserConfirmed", model);
|
||||
message.Category = "ProviderUserConfirmed";
|
||||
await _mailDeliveryService.SendEmailAsync(message);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
348
src/Core/Services/Implementations/ProviderService.cs
Normal file
348
src/Core/Services/Implementations/ProviderService.cs
Normal file
@ -0,0 +1,348 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Text.Json;
|
||||
using System.Threading.Tasks;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Enums.Provider;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Business.Provider;
|
||||
using Bit.Core.Models.Table;
|
||||
using Bit.Core.Models.Table.Provider;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Settings;
|
||||
using Bit.Core.Utilities;
|
||||
using Microsoft.AspNetCore.DataProtection;
|
||||
|
||||
namespace Bit.Core.Services
|
||||
{
|
||||
public class ProviderService : IProviderService
|
||||
{
|
||||
private readonly IDataProtector _dataProtector;
|
||||
private readonly IMailService _mailService;
|
||||
private readonly IEventService _eventService;
|
||||
private readonly GlobalSettings _globalSettings;
|
||||
private readonly IProviderRepository _providerRepository;
|
||||
private readonly IProviderUserRepository _providerUserRepository;
|
||||
private readonly IUserRepository _userRepository;
|
||||
private readonly IUserService _userService;
|
||||
|
||||
public ProviderService(IProviderRepository providerRepository, IProviderUserRepository providerUserRepository,
|
||||
IUserRepository userRepository, IUserService userService, IMailService mailService,
|
||||
IDataProtectionProvider dataProtectionProvider, IEventService eventService, GlobalSettings globalSettings)
|
||||
{
|
||||
_providerRepository = providerRepository;
|
||||
_providerUserRepository = providerUserRepository;
|
||||
_userRepository = userRepository;
|
||||
_userService = userService;
|
||||
_mailService = mailService;
|
||||
_eventService = eventService;
|
||||
_globalSettings = globalSettings;
|
||||
_dataProtector = dataProtectionProvider.CreateProtector("ProviderServiceDataProtector");
|
||||
}
|
||||
|
||||
public async Task CreateAsync(string ownerEmail)
|
||||
{
|
||||
var owner = await _userRepository.GetByEmailAsync(ownerEmail);
|
||||
if (owner == null)
|
||||
{
|
||||
throw new BadRequestException("Invalid owner.");
|
||||
}
|
||||
|
||||
var provider = new Provider
|
||||
{
|
||||
Status = ProviderStatusType.Pending,
|
||||
Enabled = true,
|
||||
};
|
||||
await _providerRepository.CreateAsync(provider);
|
||||
|
||||
var token = _dataProtector.Protect($"ProviderSetupInvite {provider.Id} {owner.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
|
||||
await _mailService.SendProviderSetupInviteEmailAsync(provider, token, owner.Email);
|
||||
}
|
||||
|
||||
public async Task CompleteSetupAsync(Provider provider, Guid ownerUserId, string token, string key)
|
||||
{
|
||||
var owner = await _userService.GetUserByIdAsync(ownerUserId);
|
||||
if (owner == null)
|
||||
{
|
||||
throw new BadRequestException("Invalid owner.");
|
||||
}
|
||||
|
||||
if (!CoreHelpers.TokenIsValid("ProviderSetupInvite", _dataProtector, token, owner.Email, provider.Id, _globalSettings))
|
||||
{
|
||||
throw new BadRequestException("Invalid token.");
|
||||
}
|
||||
|
||||
await _providerRepository.UpsertAsync(provider);
|
||||
|
||||
var providerUser = new ProviderUser
|
||||
{
|
||||
ProviderId = provider.Id,
|
||||
UserId = owner.Id,
|
||||
Key = key,
|
||||
Status = ProviderUserStatusType.Confirmed,
|
||||
Type = ProviderUserType.ProviderAdmin,
|
||||
};
|
||||
|
||||
await _providerUserRepository.CreateAsync(providerUser);
|
||||
}
|
||||
|
||||
public async Task UpdateAsync(Provider provider, bool updateBilling = false)
|
||||
{
|
||||
if (provider.Id == default)
|
||||
{
|
||||
throw new ApplicationException("Cannot create provider this way.");
|
||||
}
|
||||
|
||||
await _providerRepository.ReplaceAsync(provider);
|
||||
}
|
||||
|
||||
public async Task<List<ProviderUser>> InviteUserAsync(Guid providerId, Guid invitingUserId,
|
||||
ProviderUserInvite invite)
|
||||
{
|
||||
var provider = await _providerRepository.GetByIdAsync(providerId);
|
||||
if (provider == null || invite?.Emails == null || !invite.Emails.Any())
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var providerUsers = new List<ProviderUser>();
|
||||
foreach (var email in invite.Emails)
|
||||
{
|
||||
// Make sure user is not already invited
|
||||
var existingProviderUserCount =
|
||||
await _providerUserRepository.GetCountByProviderAsync(providerId, email, false);
|
||||
if (existingProviderUserCount > 0)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var providerUser = new ProviderUser
|
||||
{
|
||||
ProviderId = providerId,
|
||||
UserId = null,
|
||||
Email = email.ToLowerInvariant(),
|
||||
Key = null,
|
||||
Type = invite.Type,
|
||||
Status = ProviderUserStatusType.Invited,
|
||||
CreationDate = DateTime.UtcNow,
|
||||
RevisionDate = DateTime.UtcNow,
|
||||
};
|
||||
|
||||
if (invite.Permissions != null)
|
||||
{
|
||||
providerUser.Permissions = JsonSerializer.Serialize(invite.Permissions, new JsonSerializerOptions
|
||||
{
|
||||
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
|
||||
});
|
||||
}
|
||||
|
||||
await _providerUserRepository.CreateAsync(providerUser);
|
||||
|
||||
await SendInviteAsync(providerUser, provider);
|
||||
providerUsers.Add(providerUser);
|
||||
}
|
||||
|
||||
await _eventService.LogProviderUsersEventAsync(providerUsers.Select(pu => (pu, EventType.ProviderUser_Invited, null as DateTime?)));
|
||||
|
||||
return providerUsers;
|
||||
}
|
||||
|
||||
public async Task<List<Tuple<ProviderUser, string>>> ResendInvitesAsync(Guid providerId, Guid invitingUserId,
|
||||
IEnumerable<Guid> providerUsersId)
|
||||
{
|
||||
var providerUsers = await _providerUserRepository.GetManyAsync(providerUsersId);
|
||||
var provider = await _providerRepository.GetByIdAsync(providerId);
|
||||
|
||||
var result = new List<Tuple<ProviderUser, string>>();
|
||||
foreach (var providerUser in providerUsers)
|
||||
{
|
||||
if (providerUser.Status != ProviderUserStatusType.Invited || providerUser.ProviderId != providerId)
|
||||
{
|
||||
result.Add(Tuple.Create(providerUser, "User invalid."));
|
||||
continue;
|
||||
}
|
||||
|
||||
await SendInviteAsync(providerUser, provider);
|
||||
result.Add(Tuple.Create(providerUser, ""));
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
public async Task<ProviderUser> AcceptUserAsync(Guid providerUserId, User user, string token)
|
||||
{
|
||||
var providerUser = await _providerUserRepository.GetByIdAsync(providerUserId);
|
||||
if (providerUser == null)
|
||||
{
|
||||
throw new BadRequestException("User invalid.");
|
||||
}
|
||||
|
||||
if (providerUser.Status != ProviderUserStatusType.Invited)
|
||||
{
|
||||
throw new BadRequestException("Already accepted.");
|
||||
}
|
||||
|
||||
if (!CoreHelpers.TokenIsValid("ProviderUserInvite", _dataProtector, token, user.Email, providerUser.Id, _globalSettings))
|
||||
{
|
||||
throw new BadRequestException("Invalid token.");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(providerUser.Email) ||
|
||||
!providerUser.Email.Equals(user.Email, StringComparison.InvariantCultureIgnoreCase))
|
||||
{
|
||||
throw new BadRequestException("User email does not match invite.");
|
||||
}
|
||||
|
||||
providerUser.Status = ProviderUserStatusType.Accepted;
|
||||
providerUser.UserId = user.Id;
|
||||
providerUser.Email = null;
|
||||
|
||||
await _providerUserRepository.ReplaceAsync(providerUser);
|
||||
|
||||
return providerUser;
|
||||
}
|
||||
|
||||
public async Task<List<Tuple<ProviderUser, string>>> ConfirmUsersAsync(Guid providerId, Dictionary<Guid, string> keys,
|
||||
Guid confirmingUserId)
|
||||
{
|
||||
var providerUsers = await _providerUserRepository.GetManyAsync(keys.Keys);
|
||||
var validProviderUsers = providerUsers
|
||||
.Where(u => u.UserId != null)
|
||||
.ToList();
|
||||
|
||||
if (!validProviderUsers.Any())
|
||||
{
|
||||
return new List<Tuple<ProviderUser, string>>();
|
||||
}
|
||||
|
||||
var validOrganizationUserIds = validProviderUsers.Select(u => u.UserId.Value).ToList();
|
||||
|
||||
var provider = await _providerRepository.GetByIdAsync(providerId);
|
||||
var users = await _userRepository.GetManyAsync(validOrganizationUserIds);
|
||||
|
||||
var keyedFilteredUsers = validProviderUsers.ToDictionary(u => u.UserId.Value, u => u);
|
||||
|
||||
var result = new List<Tuple<ProviderUser, string>>();
|
||||
var events = new List<(ProviderUser, EventType, DateTime?)>();
|
||||
|
||||
foreach (var user in users)
|
||||
{
|
||||
if (!keyedFilteredUsers.ContainsKey(user.Id))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
var providerUser = keyedFilteredUsers[user.Id];
|
||||
try
|
||||
{
|
||||
if (providerUser.Status != ProviderUserStatusType.Accepted || providerUser.ProviderId != providerId)
|
||||
{
|
||||
throw new BadRequestException("Invalid user.");
|
||||
}
|
||||
|
||||
providerUser.Status = ProviderUserStatusType.Confirmed;
|
||||
providerUser.Key = keys[providerUser.Id];
|
||||
providerUser.Email = null;
|
||||
|
||||
await _providerUserRepository.ReplaceAsync(providerUser);
|
||||
events.Add((providerUser, EventType.ProviderUser_Confirmed, null));
|
||||
await _mailService.SendOrganizationConfirmedEmailAsync(provider.Name, user.Email);
|
||||
result.Add(Tuple.Create(providerUser, ""));
|
||||
}
|
||||
catch (BadRequestException e)
|
||||
{
|
||||
result.Add(Tuple.Create(providerUser, e.Message));
|
||||
}
|
||||
}
|
||||
|
||||
await _eventService.LogProviderUsersEventAsync(events);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
public async Task SaveUserAsync(ProviderUser user, Guid savingUserId)
|
||||
{
|
||||
if (user.Id.Equals(default))
|
||||
{
|
||||
throw new BadRequestException("Invite the user first.");
|
||||
}
|
||||
|
||||
if (user.Type != ProviderUserType.ProviderAdmin &&
|
||||
!await HasConfirmedProviderAdminExceptAsync(user.ProviderId, new[] {user.Id}))
|
||||
{
|
||||
throw new BadRequestException("Provider must have at least one confirmed ProviderAdmin.");
|
||||
}
|
||||
|
||||
await _providerUserRepository.ReplaceAsync(user);
|
||||
await _eventService.LogProviderUserEventAsync(user, EventType.ProviderUser_Updated);
|
||||
}
|
||||
|
||||
public async Task<List<Tuple<ProviderUser, string>>> DeleteUsersAsync(Guid providerId,
|
||||
IEnumerable<Guid> providerUserIds, Guid deletingUserId)
|
||||
{
|
||||
var providerUsers = await _providerUserRepository.GetManyAsync(providerUserIds);
|
||||
|
||||
if (!await HasConfirmedProviderAdminExceptAsync(providerId, providerUserIds))
|
||||
{
|
||||
throw new BadRequestException("Provider must have at least one confirmed ProviderAdmin.");
|
||||
}
|
||||
|
||||
var result = new List<Tuple<ProviderUser, string>>();
|
||||
var deletedUserIds = new List<Guid>();
|
||||
var events = new List<(ProviderUser, EventType, DateTime?)>();
|
||||
|
||||
foreach (var providerUser in providerUsers)
|
||||
{
|
||||
try
|
||||
{
|
||||
if (providerUser.ProviderId != providerId)
|
||||
{
|
||||
throw new BadRequestException("Invalid user.");
|
||||
}
|
||||
if (providerUser.UserId == deletingUserId)
|
||||
{
|
||||
throw new BadRequestException("You cannot remove yourself.");
|
||||
}
|
||||
|
||||
events.Add((providerUser, EventType.ProviderUser_Removed, null));
|
||||
|
||||
result.Add(Tuple.Create(providerUser, ""));
|
||||
deletedUserIds.Add(providerUser.Id);
|
||||
}
|
||||
catch (BadRequestException e)
|
||||
{
|
||||
result.Add(Tuple.Create(providerUser, e.Message));
|
||||
}
|
||||
|
||||
await _providerUserRepository.DeleteManyAsync(deletedUserIds);
|
||||
}
|
||||
|
||||
await _eventService.LogProviderUsersEventAsync(events);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
// TODO: Implement this
|
||||
public Task AddOrganization(Guid providerId, Guid organizationId, Guid addingUserId, string key) => throw new NotImplementedException();
|
||||
|
||||
// TODO: Implement this
|
||||
public Task RemoveOrganization(Guid providerOrganizationId, Guid removingUserId) => throw new NotImplementedException();
|
||||
|
||||
private async Task SendInviteAsync(ProviderUser providerUser, Provider provider)
|
||||
{
|
||||
var nowMillis = CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow);
|
||||
var token = _dataProtector.Protect(
|
||||
$"ProviderUserInvite {providerUser.Id} {providerUser.Email} {nowMillis}");
|
||||
await _mailService.SendProviderInviteEmailAsync(provider.Name, providerUser, token, providerUser.Email);
|
||||
}
|
||||
|
||||
private async Task<bool> HasConfirmedProviderAdminExceptAsync(Guid providerId, IEnumerable<Guid> providerUserIds)
|
||||
{
|
||||
var providerAdmins = await _providerUserRepository.GetManyByProviderAsync(providerId,
|
||||
ProviderUserType.ProviderAdmin);
|
||||
var confirmedOwners = providerAdmins.Where(o => o.Status == ProviderUserStatusType.Confirmed);
|
||||
var confirmedOwnersIds = confirmedOwners.Select(u => u.Id);
|
||||
return confirmedOwnersIds.Except(providerUserIds).Any();
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user