2020-07-16 08:01:39 -04:00
|
|
|
|
using Bit.Core.Models.Table;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
using Bit.Core.Repositories;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
using IdentityServer4.Models;
|
|
|
|
|
|
using IdentityServer4.Validation;
|
|
|
|
|
|
using Microsoft.AspNetCore.Identity;
|
2017-01-21 23:12:28 -05:00
|
|
|
|
using System.Collections.Generic;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
using System.Security.Claims;
|
|
|
|
|
|
using System.Threading.Tasks;
|
2017-05-26 00:50:27 -04:00
|
|
|
|
using Bit.Core.Services;
|
2018-04-03 14:31:33 -04:00
|
|
|
|
using Bit.Core.Identity;
|
2021-02-04 12:54:21 -06:00
|
|
|
|
using Bit.Core.Context;
|
2021-02-22 15:35:16 -06:00
|
|
|
|
using Bit.Core.Settings;
|
2019-11-22 07:30:32 -05:00
|
|
|
|
using Microsoft.Extensions.Logging;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
|
2017-05-05 16:11:50 -04:00
|
|
|
|
namespace Bit.Core.IdentityServer
|
2017-01-11 00:34:16 -05:00
|
|
|
|
{
|
2020-07-16 08:01:39 -04:00
|
|
|
|
public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwnerPasswordValidationContext>,
|
|
|
|
|
|
IResourceOwnerPasswordValidator
|
2017-01-11 00:34:16 -05:00
|
|
|
|
{
|
2017-01-21 23:12:28 -05:00
|
|
|
|
private UserManager<User> _userManager;
|
2017-06-20 14:50:12 -04:00
|
|
|
|
private readonly IUserService _userService;
|
2021-05-28 16:04:58 -04:00
|
|
|
|
private readonly ICurrentContext _currentContext;
|
2021-06-16 12:47:41 -04:00
|
|
|
|
private readonly ICaptchaValidationService _captchaValidationService;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
|
|
|
|
|
|
public ResourceOwnerPasswordValidator(
|
2017-01-25 22:31:14 -05:00
|
|
|
|
UserManager<User> userManager,
|
2017-05-26 00:50:27 -04:00
|
|
|
|
IDeviceRepository deviceRepository,
|
2017-06-20 14:50:12 -04:00
|
|
|
|
IDeviceService deviceService,
|
2017-12-01 10:07:14 -05:00
|
|
|
|
IUserService userService,
|
2018-04-03 14:31:33 -04:00
|
|
|
|
IEventService eventService,
|
|
|
|
|
|
IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
|
|
|
|
|
|
IOrganizationRepository organizationRepository,
|
|
|
|
|
|
IOrganizationUserRepository organizationUserRepository,
|
|
|
|
|
|
IApplicationCacheService applicationCacheService,
|
2019-01-24 22:37:49 -05:00
|
|
|
|
IMailService mailService,
|
2019-11-22 07:30:32 -05:00
|
|
|
|
ILogger<ResourceOwnerPasswordValidator> logger,
|
2021-02-04 12:54:21 -06:00
|
|
|
|
ICurrentContext currentContext,
|
2020-10-26 11:56:16 -05:00
|
|
|
|
GlobalSettings globalSettings,
|
2021-06-16 12:47:41 -04:00
|
|
|
|
IPolicyRepository policyRepository,
|
|
|
|
|
|
ICaptchaValidationService captchaValidationService)
|
2020-07-16 08:01:39 -04:00
|
|
|
|
: base(userManager, deviceRepository, deviceService, userService, eventService,
|
|
|
|
|
|
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
|
2020-10-26 11:56:16 -05:00
|
|
|
|
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
|
2017-01-11 00:34:16 -05:00
|
|
|
|
{
|
2017-01-25 22:31:14 -05:00
|
|
|
|
_userManager = userManager;
|
2017-06-20 14:50:12 -04:00
|
|
|
|
_userService = userService;
|
2021-05-28 16:04:58 -04:00
|
|
|
|
_currentContext = currentContext;
|
2021-06-16 12:47:41 -04:00
|
|
|
|
_captchaValidationService = captchaValidationService;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
|
|
|
|
|
|
{
|
2021-06-16 12:47:41 -04:00
|
|
|
|
// Uncomment whenever we want to require the `auth-email` header
|
|
|
|
|
|
//
|
|
|
|
|
|
//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email") ||
|
|
|
|
|
|
// _currentContext.HttpContext.Request.Headers["Auth-Email"] != context.UserName)
|
|
|
|
|
|
//{
|
|
|
|
|
|
// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
|
|
|
|
|
|
// "Auth-Email header invalid.");
|
|
|
|
|
|
// return;
|
|
|
|
|
|
//}
|
|
|
|
|
|
|
|
|
|
|
|
if (_captchaValidationService.ServiceEnabled && _currentContext.IsBot)
|
|
|
|
|
|
{
|
|
|
|
|
|
var captchaResponse = context.Request.Raw["CaptchaResponse"]?.ToString();
|
|
|
|
|
|
if (string.IsNullOrWhiteSpace(captchaResponse))
|
|
|
|
|
|
{
|
|
|
|
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.");
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var captchaValid = await _captchaValidationService.ValidateCaptchaResponseAsync(captchaResponse,
|
|
|
|
|
|
_currentContext.IpAddress);
|
|
|
|
|
|
if (!captchaValid)
|
|
|
|
|
|
{
|
|
|
|
|
|
await BuildErrorResultAsync("Captcha is invalid.", false, context, null);
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-16 08:01:39 -04:00
|
|
|
|
await ValidateAsync(context, context.Request);
|
|
|
|
|
|
}
|
2017-01-18 00:14:28 -05:00
|
|
|
|
|
2020-07-16 08:01:39 -04:00
|
|
|
|
protected async override Task<(User, bool)> ValidateContextAsync(ResourceOwnerPasswordValidationContext context)
|
|
|
|
|
|
{
|
2020-03-27 14:36:37 -04:00
|
|
|
|
if (string.IsNullOrWhiteSpace(context.UserName))
|
2017-01-21 23:12:28 -05:00
|
|
|
|
{
|
2020-07-16 08:01:39 -04:00
|
|
|
|
return (null, false);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
|
2020-03-27 14:36:37 -04:00
|
|
|
|
if (user == null || !await _userService.CheckPasswordAsync(user, context.Password))
|
2017-08-15 08:19:20 -04:00
|
|
|
|
{
|
2020-07-16 08:01:39 -04:00
|
|
|
|
return (user, false);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-16 08:01:39 -04:00
|
|
|
|
return (user, true);
|
2017-01-18 00:14:28 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-16 08:01:39 -04:00
|
|
|
|
protected override void SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
|
|
|
|
|
|
List<Claim> claims, Dictionary<string, object> customResponse)
|
2017-01-21 23:12:28 -05:00
|
|
|
|
{
|
2017-02-11 23:00:55 -05:00
|
|
|
|
context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
|
|
|
|
|
|
identityProvider: "bitwarden",
|
|
|
|
|
|
claims: claims.Count > 0 ? claims : null,
|
2017-02-21 22:52:02 -05:00
|
|
|
|
customResponse: customResponse);
|
2017-01-21 23:12:28 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-16 08:01:39 -04:00
|
|
|
|
protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
|
|
|
|
|
|
Dictionary<string, object> customResponse)
|
2017-01-25 00:28:18 -05:00
|
|
|
|
{
|
|
|
|
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
|
2020-07-16 08:01:39 -04:00
|
|
|
|
customResponse);
|
2017-01-25 00:28:18 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-26 11:56:16 -05:00
|
|
|
|
protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
|
|
|
|
|
|
Dictionary<string, object> customResponse)
|
|
|
|
|
|
{
|
|
|
|
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
|
|
|
|
|
|
customResponse);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-16 08:01:39 -04:00
|
|
|
|
protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
|
|
|
|
|
|
Dictionary<string, object> customResponse)
|
2017-01-18 00:14:28 -05:00
|
|
|
|
{
|
2020-07-16 08:01:39 -04:00
|
|
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
|
2017-01-11 00:34:16 -05:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
