mirror of
https://github.com/bitwarden/server.git
synced 2025-06-06 11:10:32 -05:00
80740aa4ba
* [PM-2032] feat: add assertion options tokenable * [PM-2032] feat: add request and response models * [PM-2032] feat: implement `assertion-options` identity endpoint * [PM-2032] feat: implement authentication with passkey * [PM-2032] chore: rename to `WebAuthnGrantValidator` * [PM-2032] fix: add missing subsitute * [PM-2032] feat: start adding builder * [PM-2032] feat: add support for KeyConnector * [PM-2032] feat: add first version of TDE * [PM-2032] chore: refactor WithSso * [PM-2023] feat: add support for TDE feature flag * [PM-2023] feat: add support for approving devices * [PM-2023] feat: add support for hasManageResetPasswordPermission * [PM-2032] feat: add support for hasAdminApproval * [PM-2032] chore: don't supply device if not necessary * [PM-2032] chore: clean up imports * [PM-2023] feat: extract interface * [PM-2023] chore: add clarifying comment * [PM-2023] feat: use new builder in production code * [PM-2032] feat: add support for PRF * [PM-2032] chore: clean-up todos * [PM-2023] chore: remove token which is no longer used * [PM-2032] chore: remove todo * [PM-2032] feat: improve assertion error handling * [PM-2032] fix: linting issues * [PM-2032] fix: revert changes to `launchSettings.json` * [PM-2023] chore: clean up assertion endpoint * [PM-2032] feat: bypass 2FA * [PM-2032] fix: rename prf option to singular * [PM-2032] fix: lint * [PM-2032] fix: typo * [PM-2032] chore: improve builder tests Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com> * [PM-2032] chore: clarify why we don't require 2FA * [PM-2023] feat: move `identityProvider` constant to common class * [PM-2032] fix: lint * [PM-2023] fix: move `IdentityProvider` to core.Constants * [PM-2032] fix: missing import * [PM-2032] chore: refactor token timespan to use `TimeSpan` * [PM-2032] chore: make `StartWebAuthnLoginAssertion` sync * [PM-2032] chore: use `FromMinutes` * [PM-2032] fix: change to 17 minutes to cover webauthn assertion * [PM-2032] chore: do not use `async void` * [PM-2032] fix: comment saying wrong amount of minutes * [PM-2032] feat: put validator behind feature flag * [PM-2032] fix: lint --------- Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
156 lines
5.9 KiB
C#
156 lines
5.9 KiB
C#
using Bit.Core;
|
|
using Bit.Core.Auth.Entities;
|
|
using Bit.Core.Auth.Enums;
|
|
using Bit.Core.Auth.Models.Api.Response;
|
|
using Bit.Core.Auth.Utilities;
|
|
using Bit.Core.Context;
|
|
using Bit.Core.Entities;
|
|
using Bit.Core.Repositories;
|
|
using Bit.Core.Services;
|
|
using Bit.Identity.Utilities;
|
|
|
|
namespace Bit.Identity.IdentityServer;
|
|
|
|
#nullable enable
|
|
/// <summary>
|
|
/// Used to create a list of all possible ways the newly authenticated user can decrypt their vault contents
|
|
///
|
|
/// Note: Do not use this as an injected service if you intend to build multiple independent UserDecryptionOptions
|
|
/// </summary>
|
|
public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
|
|
{
|
|
private readonly ICurrentContext _currentContext;
|
|
private readonly IFeatureService _featureService;
|
|
private readonly IDeviceRepository _deviceRepository;
|
|
private readonly IOrganizationUserRepository _organizationUserRepository;
|
|
|
|
private UserDecryptionOptions _options = new UserDecryptionOptions();
|
|
private User? _user;
|
|
private Core.Auth.Entities.SsoConfig? _ssoConfig;
|
|
private Device? _device;
|
|
|
|
public UserDecryptionOptionsBuilder(
|
|
ICurrentContext currentContext,
|
|
IFeatureService featureService,
|
|
IDeviceRepository deviceRepository,
|
|
IOrganizationUserRepository organizationUserRepository
|
|
)
|
|
{
|
|
_currentContext = currentContext;
|
|
_featureService = featureService;
|
|
_deviceRepository = deviceRepository;
|
|
_organizationUserRepository = organizationUserRepository;
|
|
}
|
|
|
|
public IUserDecryptionOptionsBuilder ForUser(User user)
|
|
{
|
|
_options.HasMasterPassword = user.HasMasterPassword();
|
|
_user = user;
|
|
return this;
|
|
}
|
|
|
|
public IUserDecryptionOptionsBuilder WithSso(Core.Auth.Entities.SsoConfig ssoConfig)
|
|
{
|
|
_ssoConfig = ssoConfig;
|
|
return this;
|
|
}
|
|
|
|
public IUserDecryptionOptionsBuilder WithDevice(Device device)
|
|
{
|
|
_device = device;
|
|
return this;
|
|
}
|
|
|
|
public IUserDecryptionOptionsBuilder WithWebAuthnLoginCredential(WebAuthnCredential credential)
|
|
{
|
|
if (credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled)
|
|
{
|
|
_options.WebAuthnPrfOption = new WebAuthnPrfDecryptionOption(credential.EncryptedPrivateKey, credential.EncryptedUserKey);
|
|
}
|
|
return this;
|
|
}
|
|
|
|
public async Task<UserDecryptionOptions> BuildAsync()
|
|
{
|
|
BuildKeyConnectorOptions();
|
|
await BuildTrustedDeviceOptions();
|
|
|
|
return _options;
|
|
}
|
|
|
|
private void BuildKeyConnectorOptions()
|
|
{
|
|
if (_ssoConfig == null)
|
|
{
|
|
return;
|
|
}
|
|
|
|
var ssoConfigurationData = _ssoConfig.GetData();
|
|
if (ssoConfigurationData is { MemberDecryptionType: MemberDecryptionType.KeyConnector } && !string.IsNullOrEmpty(ssoConfigurationData.KeyConnectorUrl))
|
|
{
|
|
_options.KeyConnectorOption = new KeyConnectorUserDecryptionOption(ssoConfigurationData.KeyConnectorUrl);
|
|
}
|
|
}
|
|
|
|
private async Task BuildTrustedDeviceOptions()
|
|
{
|
|
// TrustedDeviceEncryption only exists for SSO, if that changes then these guards should change
|
|
if (_ssoConfig == null || !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
|
|
{
|
|
return;
|
|
}
|
|
|
|
var ssoConfigurationData = _ssoConfig.GetData();
|
|
if (ssoConfigurationData is not { MemberDecryptionType: MemberDecryptionType.TrustedDeviceEncryption })
|
|
{
|
|
return;
|
|
}
|
|
|
|
string? encryptedPrivateKey = null;
|
|
string? encryptedUserKey = null;
|
|
if (_device != null && _device.IsTrusted())
|
|
{
|
|
encryptedPrivateKey = _device.EncryptedPrivateKey;
|
|
encryptedUserKey = _device.EncryptedUserKey;
|
|
}
|
|
|
|
var hasLoginApprovingDevice = false;
|
|
if (_device != null && _user != null)
|
|
{
|
|
var allDevices = await _deviceRepository.GetManyByUserIdAsync(_user.Id);
|
|
// Checks if the current user has any devices that are capable of approving login with device requests except for
|
|
// their current device.
|
|
// NOTE: this doesn't check for if the users have configured the devices to be capable of approving requests as that is a client side setting.
|
|
hasLoginApprovingDevice = allDevices
|
|
.Where(d => d.Identifier != _device.Identifier && LoginApprovingDeviceTypes.Types.Contains(d.Type))
|
|
.Any();
|
|
}
|
|
|
|
// Determine if user has manage reset password permission as post sso logic requires it for forcing users with this permission to set a MP
|
|
var hasManageResetPasswordPermission = false;
|
|
// when a user is being created via JIT provisioning, they will not have any orgs so we can't assume we will have orgs here
|
|
if (_currentContext.Organizations != null && _currentContext.Organizations.Any(o => o.Id == _ssoConfig.OrganizationId))
|
|
{
|
|
// TDE requires single org so grabbing first org & id is fine.
|
|
hasManageResetPasswordPermission = await _currentContext.ManageResetPassword(_ssoConfig!.OrganizationId);
|
|
}
|
|
|
|
var hasAdminApproval = false;
|
|
if (_user != null)
|
|
{
|
|
// If sso configuration data is not null then I know for sure that ssoConfiguration isn't null
|
|
var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(_ssoConfig.OrganizationId, _user.Id);
|
|
|
|
// They are only able to be approved by an admin if they have enrolled is reset password
|
|
hasAdminApproval = organizationUser != null && !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
|
|
}
|
|
|
|
_options.TrustedDeviceOption = new TrustedDeviceUserDecryptionOption(
|
|
hasAdminApproval,
|
|
hasLoginApprovingDevice,
|
|
hasManageResetPasswordPermission,
|
|
encryptedPrivateKey,
|
|
encryptedUserKey);
|
|
}
|
|
}
|