2017-03-08 21:55:08 -05:00
|
|
|
|
using Bit.Core.Models.Api;
|
2017-03-08 21:45:08 -05:00
|
|
|
|
using Bit.Core.Models.Table;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
using Bit.Core.Enums;
|
|
|
|
|
|
using Bit.Core.Repositories;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
using IdentityServer4.Models;
|
|
|
|
|
|
using IdentityServer4.Validation;
|
|
|
|
|
|
using Microsoft.AspNetCore.Identity;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
using System;
|
2017-01-21 23:12:28 -05:00
|
|
|
|
using System.Collections.Generic;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
using System.Security.Claims;
|
|
|
|
|
|
using System.Threading.Tasks;
|
2017-05-26 00:50:27 -04:00
|
|
|
|
using Bit.Core.Services;
|
2017-06-20 14:50:12 -04:00
|
|
|
|
using System.Linq;
|
2017-06-21 12:13:18 -04:00
|
|
|
|
using Bit.Core.Models;
|
2018-04-03 14:31:33 -04:00
|
|
|
|
using Bit.Core.Identity;
|
|
|
|
|
|
using Bit.Core.Models.Data;
|
2018-12-19 22:27:45 -05:00
|
|
|
|
using Bit.Core.Utilities;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
|
2017-05-05 16:11:50 -04:00
|
|
|
|
namespace Bit.Core.IdentityServer
|
2017-01-11 00:34:16 -05:00
|
|
|
|
{
|
|
|
|
|
|
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
|
|
|
|
|
|
{
|
2017-01-21 23:12:28 -05:00
|
|
|
|
private UserManager<User> _userManager;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
private readonly IDeviceRepository _deviceRepository;
|
2017-05-26 00:50:27 -04:00
|
|
|
|
private readonly IDeviceService _deviceService;
|
2017-06-20 14:50:12 -04:00
|
|
|
|
private readonly IUserService _userService;
|
2017-12-01 10:07:14 -05:00
|
|
|
|
private readonly IEventService _eventService;
|
2018-04-03 14:31:33 -04:00
|
|
|
|
private readonly IOrganizationDuoWebTokenProvider _organizationDuoWebTokenProvider;
|
|
|
|
|
|
private readonly IOrganizationRepository _organizationRepository;
|
|
|
|
|
|
private readonly IOrganizationUserRepository _organizationUserRepository;
|
|
|
|
|
|
private readonly IApplicationCacheService _applicationCacheService;
|
|
|
|
|
|
private readonly CurrentContext _currentContext;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
|
|
|
|
|
|
public ResourceOwnerPasswordValidator(
|
2017-01-25 22:31:14 -05:00
|
|
|
|
UserManager<User> userManager,
|
2017-05-26 00:50:27 -04:00
|
|
|
|
IDeviceRepository deviceRepository,
|
2017-06-20 14:50:12 -04:00
|
|
|
|
IDeviceService deviceService,
|
2017-12-01 10:07:14 -05:00
|
|
|
|
IUserService userService,
|
2018-04-03 14:31:33 -04:00
|
|
|
|
IEventService eventService,
|
|
|
|
|
|
IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
|
|
|
|
|
|
IOrganizationRepository organizationRepository,
|
|
|
|
|
|
IOrganizationUserRepository organizationUserRepository,
|
|
|
|
|
|
IApplicationCacheService applicationCacheService,
|
|
|
|
|
|
CurrentContext currentContext)
|
2017-01-11 00:34:16 -05:00
|
|
|
|
{
|
2017-01-25 22:31:14 -05:00
|
|
|
|
_userManager = userManager;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
_deviceRepository = deviceRepository;
|
2017-05-26 00:50:27 -04:00
|
|
|
|
_deviceService = deviceService;
|
2017-06-20 14:50:12 -04:00
|
|
|
|
_userService = userService;
|
2017-12-01 10:07:14 -05:00
|
|
|
|
_eventService = eventService;
|
2018-04-03 14:31:33 -04:00
|
|
|
|
_organizationDuoWebTokenProvider = organizationDuoWebTokenProvider;
|
|
|
|
|
|
_organizationRepository = organizationRepository;
|
|
|
|
|
|
_organizationUserRepository = organizationUserRepository;
|
|
|
|
|
|
_applicationCacheService = applicationCacheService;
|
|
|
|
|
|
_currentContext = currentContext;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
|
|
|
|
|
|
{
|
2017-01-24 22:15:21 -05:00
|
|
|
|
var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString();
|
|
|
|
|
|
var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString();
|
2017-06-23 10:08:29 -04:00
|
|
|
|
var twoFactorRemember = context.Request.Raw["TwoFactorRemember"]?.ToString() == "1";
|
2018-04-03 14:31:33 -04:00
|
|
|
|
var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) &&
|
|
|
|
|
|
!string.IsNullOrWhiteSpace(twoFactorProvider);
|
2017-01-18 00:14:28 -05:00
|
|
|
|
|
2017-08-15 08:19:20 -04:00
|
|
|
|
if(string.IsNullOrWhiteSpace(context.UserName))
|
2017-01-21 23:12:28 -05:00
|
|
|
|
{
|
2017-12-01 10:07:14 -05:00
|
|
|
|
await BuildErrorResultAsync(false, context, null);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
|
2018-04-17 08:10:17 -04:00
|
|
|
|
if(user == null || !await _userService.CheckPasswordAsync(user, context.Password))
|
2017-08-15 08:19:20 -04:00
|
|
|
|
{
|
2017-12-01 10:07:14 -05:00
|
|
|
|
await BuildErrorResultAsync(false, context, user);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-03 14:31:33 -04:00
|
|
|
|
var twoFactorRequirement = await RequiresTwoFactorAsync(user);
|
|
|
|
|
|
if(twoFactorRequirement.Item1)
|
2017-08-15 08:19:20 -04:00
|
|
|
|
{
|
|
|
|
|
|
var twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it
|
|
|
|
|
|
if(!twoFactorRequest || !Enum.TryParse(twoFactorProvider, out twoFactorProviderType))
|
2017-01-21 23:12:28 -05:00
|
|
|
|
{
|
2018-04-03 14:31:33 -04:00
|
|
|
|
await BuildTwoFactorResultAsync(user, twoFactorRequirement.Item2, context);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-03 14:31:33 -04:00
|
|
|
|
var verified = await VerifyTwoFactor(user, twoFactorRequirement.Item2,
|
|
|
|
|
|
twoFactorProviderType, twoFactorToken);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
if(!verified && twoFactorProviderType != TwoFactorProviderType.Remember)
|
|
|
|
|
|
{
|
2017-12-01 10:07:14 -05:00
|
|
|
|
await BuildErrorResultAsync(true, context, user);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
else if(!verified && twoFactorProviderType == TwoFactorProviderType.Remember)
|
|
|
|
|
|
{
|
|
|
|
|
|
await Task.Delay(2000); // Delay for brute force.
|
2018-04-03 14:31:33 -04:00
|
|
|
|
await BuildTwoFactorResultAsync(user, twoFactorRequirement.Item2, context);
|
2017-08-15 08:19:20 -04:00
|
|
|
|
return;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2017-08-15 08:19:20 -04:00
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
twoFactorRequest = false;
|
|
|
|
|
|
twoFactorRemember = false;
|
|
|
|
|
|
twoFactorToken = null;
|
|
|
|
|
|
}
|
2017-01-11 00:34:16 -05:00
|
|
|
|
|
2017-08-15 08:19:20 -04:00
|
|
|
|
var device = await SaveDeviceAsync(user, context);
|
|
|
|
|
|
await BuildSuccessResultAsync(user, context, device, twoFactorRequest && twoFactorRemember);
|
|
|
|
|
|
return;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-08-15 08:19:20 -04:00
|
|
|
|
private async Task BuildSuccessResultAsync(User user, ResourceOwnerPasswordValidationContext context,
|
|
|
|
|
|
Device device, bool sendRememberToken)
|
2017-01-21 23:12:28 -05:00
|
|
|
|
{
|
2017-12-01 10:07:14 -05:00
|
|
|
|
await _eventService.LogUserEventAsync(user.Id, EventType.User_LoggedIn);
|
|
|
|
|
|
|
2017-06-06 23:19:42 -04:00
|
|
|
|
var claims = new List<Claim>();
|
2017-01-24 00:54:09 -05:00
|
|
|
|
|
|
|
|
|
|
if(device != null)
|
|
|
|
|
|
{
|
2017-01-24 22:15:21 -05:00
|
|
|
|
claims.Add(new Claim("device", device.Identifier));
|
2017-01-24 00:54:09 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-02-21 22:52:02 -05:00
|
|
|
|
var customResponse = new Dictionary<string, object>();
|
|
|
|
|
|
if(!string.IsNullOrWhiteSpace(user.PrivateKey))
|
|
|
|
|
|
{
|
2017-03-25 16:25:10 -04:00
|
|
|
|
customResponse.Add("PrivateKey", user.PrivateKey);
|
2017-02-21 22:52:02 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-05-31 10:10:08 -04:00
|
|
|
|
if(!string.IsNullOrWhiteSpace(user.Key))
|
|
|
|
|
|
{
|
|
|
|
|
|
customResponse.Add("Key", user.Key);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-08-15 08:19:20 -04:00
|
|
|
|
if(sendRememberToken)
|
2017-06-23 10:08:29 -04:00
|
|
|
|
{
|
2018-04-03 14:31:33 -04:00
|
|
|
|
var token = await _userManager.GenerateTwoFactorTokenAsync(user,
|
2018-12-19 22:27:45 -05:00
|
|
|
|
CoreHelpers.CustomProviderName(TwoFactorProviderType.Remember));
|
2017-06-23 10:08:29 -04:00
|
|
|
|
customResponse.Add("TwoFactorToken", token);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-02-11 23:00:55 -05:00
|
|
|
|
context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
|
|
|
|
|
|
identityProvider: "bitwarden",
|
|
|
|
|
|
claims: claims.Count > 0 ? claims : null,
|
2017-02-21 22:52:02 -05:00
|
|
|
|
customResponse: customResponse);
|
2017-01-21 23:12:28 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-03 14:31:33 -04:00
|
|
|
|
private async Task BuildTwoFactorResultAsync(User user, Organization organization,
|
|
|
|
|
|
ResourceOwnerPasswordValidationContext context)
|
2017-01-25 00:28:18 -05:00
|
|
|
|
{
|
2017-06-20 14:50:12 -04:00
|
|
|
|
var providerKeys = new List<byte>();
|
|
|
|
|
|
var providers = new Dictionary<byte, Dictionary<string, object>>();
|
2018-04-03 14:31:33 -04:00
|
|
|
|
|
|
|
|
|
|
var enabledProviders = new List<KeyValuePair<TwoFactorProviderType, TwoFactorProvider>>();
|
|
|
|
|
|
if(organization?.GetTwoFactorProviders() != null)
|
|
|
|
|
|
{
|
|
|
|
|
|
enabledProviders.AddRange(organization.GetTwoFactorProviders().Where(
|
|
|
|
|
|
p => organization.TwoFactorProviderIsEnabled(p.Key)));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(user.GetTwoFactorProviders() != null)
|
|
|
|
|
|
{
|
2018-08-28 16:23:58 -04:00
|
|
|
|
foreach(var p in user.GetTwoFactorProviders())
|
|
|
|
|
|
{
|
2018-12-19 10:47:53 -05:00
|
|
|
|
if(await _userService.TwoFactorProviderIsEnabledAsync(p.Key, user))
|
2018-08-28 16:23:58 -04:00
|
|
|
|
{
|
|
|
|
|
|
enabledProviders.Add(p);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2018-04-03 14:31:33 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(!enabledProviders.Any())
|
2017-06-24 09:20:12 -04:00
|
|
|
|
{
|
2017-12-01 10:07:14 -05:00
|
|
|
|
await BuildErrorResultAsync(false, context, user);
|
2017-06-24 09:20:12 -04:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
foreach(var provider in enabledProviders)
|
2017-01-25 00:28:18 -05:00
|
|
|
|
{
|
2017-06-20 14:50:12 -04:00
|
|
|
|
providerKeys.Add((byte)provider.Key);
|
2018-04-03 14:31:33 -04:00
|
|
|
|
var infoDict = await BuildTwoFactorParams(organization, user, provider.Key, provider.Value);
|
2017-06-21 12:13:18 -04:00
|
|
|
|
providers.Add((byte)provider.Key, infoDict);
|
2017-01-25 00:28:18 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
|
|
|
|
|
|
new Dictionary<string, object>
|
|
|
|
|
|
{
|
2017-06-20 14:50:12 -04:00
|
|
|
|
{ "TwoFactorProviders", providers.Keys },
|
|
|
|
|
|
{ "TwoFactorProviders2", providers }
|
2017-01-25 00:28:18 -05:00
|
|
|
|
});
|
2017-06-24 09:20:12 -04:00
|
|
|
|
|
|
|
|
|
|
if(enabledProviders.Count() == 1 && enabledProviders.First().Key == TwoFactorProviderType.Email)
|
|
|
|
|
|
{
|
|
|
|
|
|
// Send email now if this is their only 2FA method
|
|
|
|
|
|
await _userService.SendTwoFactorEmailAsync(user);
|
|
|
|
|
|
}
|
2017-01-25 00:28:18 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-12-01 10:07:14 -05:00
|
|
|
|
private async Task BuildErrorResultAsync(bool twoFactorRequest,
|
|
|
|
|
|
ResourceOwnerPasswordValidationContext context, User user)
|
2017-01-25 00:28:18 -05:00
|
|
|
|
{
|
2017-12-01 10:07:14 -05:00
|
|
|
|
if(user != null)
|
|
|
|
|
|
{
|
|
|
|
|
|
await _eventService.LogUserEventAsync(user.Id,
|
|
|
|
|
|
twoFactorRequest ? EventType.User_FailedLogIn2fa : EventType.User_FailedLogIn);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-08-15 08:19:20 -04:00
|
|
|
|
await Task.Delay(2000); // Delay for brute force.
|
2017-02-11 23:00:55 -05:00
|
|
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
|
|
|
|
|
|
customResponse: new Dictionary<string, object>
|
2017-01-25 00:28:18 -05:00
|
|
|
|
{{
|
|
|
|
|
|
"ErrorModel", new ErrorResponseModel(twoFactorRequest ?
|
2017-06-29 12:34:10 -04:00
|
|
|
|
"Two-step token is invalid. Try again." : "Username or password is incorrect. Try again.")
|
2017-01-25 00:28:18 -05:00
|
|
|
|
}});
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-03 14:31:33 -04:00
|
|
|
|
public async Task<Tuple<bool, Organization>> RequiresTwoFactorAsync(User user)
|
2017-01-18 00:14:28 -05:00
|
|
|
|
{
|
2018-04-03 14:31:33 -04:00
|
|
|
|
var individualRequired = _userManager.SupportsUserTwoFactor &&
|
2017-01-18 00:14:28 -05:00
|
|
|
|
await _userManager.GetTwoFactorEnabledAsync(user) &&
|
|
|
|
|
|
(await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0;
|
2018-04-03 14:31:33 -04:00
|
|
|
|
|
|
|
|
|
|
Organization firstEnabledOrg = null;
|
|
|
|
|
|
var orgs = (await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id))
|
2018-08-31 17:05:27 -04:00
|
|
|
|
.ToList();
|
2018-04-03 14:31:33 -04:00
|
|
|
|
if(orgs.Any())
|
|
|
|
|
|
{
|
|
|
|
|
|
var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
|
2018-08-31 17:05:27 -04:00
|
|
|
|
var twoFactorOrgs = orgs.Where(o => OrgUsing2fa(orgAbilities, o.Id));
|
2018-04-03 14:31:33 -04:00
|
|
|
|
if(twoFactorOrgs.Any())
|
|
|
|
|
|
{
|
|
|
|
|
|
var userOrgs = await _organizationRepository.GetManyByUserIdAsync(user.Id);
|
|
|
|
|
|
firstEnabledOrg = userOrgs.FirstOrDefault(
|
2018-08-31 17:05:27 -04:00
|
|
|
|
o => orgs.Any(om => om.Id == o.Id) && o.TwoFactorIsEnabled());
|
2018-04-03 14:31:33 -04:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return new Tuple<bool, Organization>(individualRequired || firstEnabledOrg != null, firstEnabledOrg);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
private bool OrgUsing2fa(IDictionary<Guid, OrganizationAbility> orgAbilities, Guid orgId)
|
|
|
|
|
|
{
|
|
|
|
|
|
return orgAbilities != null && orgAbilities.ContainsKey(orgId) &&
|
|
|
|
|
|
orgAbilities[orgId].Enabled && orgAbilities[orgId].Using2fa;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
private Device GetDeviceFromRequest(ResourceOwnerPasswordValidationContext context)
|
|
|
|
|
|
{
|
2017-01-25 23:03:07 -05:00
|
|
|
|
var deviceIdentifier = context.Request.Raw["DeviceIdentifier"]?.ToString();
|
|
|
|
|
|
var deviceType = context.Request.Raw["DeviceType"]?.ToString();
|
|
|
|
|
|
var deviceName = context.Request.Raw["DeviceName"]?.ToString();
|
|
|
|
|
|
var devicePushToken = context.Request.Raw["DevicePushToken"]?.ToString();
|
2017-01-18 00:14:28 -05:00
|
|
|
|
|
|
|
|
|
|
if(string.IsNullOrWhiteSpace(deviceIdentifier) || string.IsNullOrWhiteSpace(deviceType) ||
|
2017-12-01 12:14:46 -05:00
|
|
|
|
string.IsNullOrWhiteSpace(deviceName) || !Enum.TryParse(deviceType, out DeviceType type))
|
2017-01-18 00:14:28 -05:00
|
|
|
|
{
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return new Device
|
|
|
|
|
|
{
|
|
|
|
|
|
Identifier = deviceIdentifier,
|
|
|
|
|
|
Name = deviceName,
|
|
|
|
|
|
Type = type,
|
2017-01-25 23:03:07 -05:00
|
|
|
|
PushToken = string.IsNullOrWhiteSpace(devicePushToken) ? null : devicePushToken
|
2017-01-18 00:14:28 -05:00
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-03 14:31:33 -04:00
|
|
|
|
private async Task<bool> VerifyTwoFactor(User user, Organization organization, TwoFactorProviderType type,
|
|
|
|
|
|
string token)
|
2017-06-20 14:50:12 -04:00
|
|
|
|
{
|
|
|
|
|
|
switch(type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case TwoFactorProviderType.Authenticator:
|
2018-12-19 22:27:45 -05:00
|
|
|
|
case TwoFactorProviderType.Email:
|
2017-06-20 14:50:12 -04:00
|
|
|
|
case TwoFactorProviderType.Duo:
|
|
|
|
|
|
case TwoFactorProviderType.YubiKey:
|
2017-06-21 21:46:52 -04:00
|
|
|
|
case TwoFactorProviderType.U2f:
|
2017-06-23 10:08:29 -04:00
|
|
|
|
case TwoFactorProviderType.Remember:
|
2018-08-28 16:23:58 -04:00
|
|
|
|
if(type != TwoFactorProviderType.Remember &&
|
2018-12-19 10:47:53 -05:00
|
|
|
|
!(await _userService.TwoFactorProviderIsEnabledAsync(type, user)))
|
2018-04-03 14:31:33 -04:00
|
|
|
|
{
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
2018-12-19 22:27:45 -05:00
|
|
|
|
return await _userManager.VerifyTwoFactorTokenAsync(user,
|
|
|
|
|
|
CoreHelpers.CustomProviderName(type), token);
|
2018-04-03 14:31:33 -04:00
|
|
|
|
case TwoFactorProviderType.OrganizationDuo:
|
|
|
|
|
|
if(!organization?.TwoFactorProviderIsEnabled(type) ?? true)
|
|
|
|
|
|
{
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return await _organizationDuoWebTokenProvider.ValidateAsync(token, organization, user);
|
2017-06-20 14:50:12 -04:00
|
|
|
|
default:
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-03 14:31:33 -04:00
|
|
|
|
private async Task<Dictionary<string, object>> BuildTwoFactorParams(Organization organization, User user,
|
|
|
|
|
|
TwoFactorProviderType type, TwoFactorProvider provider)
|
2017-06-21 12:13:18 -04:00
|
|
|
|
{
|
|
|
|
|
|
switch(type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case TwoFactorProviderType.Duo:
|
2017-06-21 21:46:52 -04:00
|
|
|
|
case TwoFactorProviderType.U2f:
|
2017-06-24 11:50:20 -04:00
|
|
|
|
case TwoFactorProviderType.Email:
|
2017-06-29 12:34:10 -04:00
|
|
|
|
case TwoFactorProviderType.YubiKey:
|
2018-12-19 10:47:53 -05:00
|
|
|
|
if(!(await _userService.TwoFactorProviderIsEnabledAsync(type, user)))
|
2018-04-03 14:31:33 -04:00
|
|
|
|
{
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-12-19 22:27:45 -05:00
|
|
|
|
var token = await _userManager.GenerateTwoFactorTokenAsync(user,
|
|
|
|
|
|
CoreHelpers.CustomProviderName(type));
|
2017-06-21 12:13:18 -04:00
|
|
|
|
if(type == TwoFactorProviderType.Duo)
|
|
|
|
|
|
{
|
|
|
|
|
|
return new Dictionary<string, object>
|
|
|
|
|
|
{
|
|
|
|
|
|
["Host"] = provider.MetaData["Host"],
|
|
|
|
|
|
["Signature"] = token
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
2017-06-21 21:46:52 -04:00
|
|
|
|
else if(type == TwoFactorProviderType.U2f)
|
2017-06-21 12:13:18 -04:00
|
|
|
|
{
|
2018-10-10 17:51:38 -04:00
|
|
|
|
// TODO: Remove "Challenges" in a future update. Deprecated.
|
|
|
|
|
|
var tokens = token?.Split('|');
|
2017-06-22 09:09:51 -04:00
|
|
|
|
return new Dictionary<string, object>
|
|
|
|
|
|
{
|
2018-10-13 16:06:54 -04:00
|
|
|
|
["Challenge"] = tokens != null && tokens.Length > 0 ? tokens[0] : null,
|
|
|
|
|
|
["Challenges"] = tokens != null && tokens.Length > 1 ? tokens[1] : null
|
2017-06-22 09:09:51 -04:00
|
|
|
|
};
|
2017-06-21 12:13:18 -04:00
|
|
|
|
}
|
2017-06-24 11:50:20 -04:00
|
|
|
|
else if(type == TwoFactorProviderType.Email)
|
|
|
|
|
|
{
|
|
|
|
|
|
return new Dictionary<string, object>
|
|
|
|
|
|
{
|
2018-12-19 22:27:45 -05:00
|
|
|
|
["Email"] = token
|
2017-06-24 11:50:20 -04:00
|
|
|
|
};
|
|
|
|
|
|
}
|
2017-06-29 12:34:10 -04:00
|
|
|
|
else if(type == TwoFactorProviderType.YubiKey)
|
|
|
|
|
|
{
|
|
|
|
|
|
return new Dictionary<string, object>
|
|
|
|
|
|
{
|
|
|
|
|
|
["Nfc"] = (bool)provider.MetaData["Nfc"]
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
2017-06-21 12:13:18 -04:00
|
|
|
|
return null;
|
2018-04-03 14:31:33 -04:00
|
|
|
|
case TwoFactorProviderType.OrganizationDuo:
|
|
|
|
|
|
if(await _organizationDuoWebTokenProvider.CanGenerateTwoFactorTokenAsync(organization))
|
|
|
|
|
|
{
|
|
|
|
|
|
return new Dictionary<string, object>
|
|
|
|
|
|
{
|
|
|
|
|
|
["Host"] = provider.MetaData["Host"],
|
|
|
|
|
|
["Signature"] = await _organizationDuoWebTokenProvider.GenerateAsync(organization, user)
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
2017-06-21 12:13:18 -04:00
|
|
|
|
default:
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-01-24 00:54:09 -05:00
|
|
|
|
private async Task<Device> SaveDeviceAsync(User user, ResourceOwnerPasswordValidationContext context)
|
2017-01-18 00:14:28 -05:00
|
|
|
|
{
|
|
|
|
|
|
var device = GetDeviceFromRequest(context);
|
|
|
|
|
|
if(device != null)
|
|
|
|
|
|
{
|
|
|
|
|
|
var existingDevice = await _deviceRepository.GetByIdentifierAsync(device.Identifier, user.Id);
|
|
|
|
|
|
if(existingDevice == null)
|
|
|
|
|
|
{
|
|
|
|
|
|
device.UserId = user.Id;
|
2017-05-26 00:50:27 -04:00
|
|
|
|
await _deviceService.SaveAsync(device);
|
2017-01-24 00:54:09 -05:00
|
|
|
|
return device;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
}
|
2017-02-07 21:33:25 -05:00
|
|
|
|
|
|
|
|
|
|
return existingDevice;
|
2017-01-18 00:14:28 -05:00
|
|
|
|
}
|
2017-01-24 00:54:09 -05:00
|
|
|
|
|
|
|
|
|
|
return null;
|
2017-01-11 00:34:16 -05:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
