src/Core/Auth/Identity/DuoWebTokenProvider.cs

using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models;
using Bit.Core.Auth.Utilities.Duo;
using Bit.Core.Entities;
using Bit.Core.Services;
using Bit.Core.Settings;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

namespace Bit.Core.Auth.Identity;

public class DuoWebTokenProvider : IUserTwoFactorTokenProvider<User>
{
    private readonly IServiceProvider _serviceProvider;
    private readonly GlobalSettings _globalSettings;

    public DuoWebTokenProvider(
        IServiceProvider serviceProvider,
        GlobalSettings globalSettings)
    {
        _serviceProvider = serviceProvider;
        _globalSettings = globalSettings;
    }

    public async Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
    {
        var userService = _serviceProvider.GetRequiredService<IUserService>();
        if (!(await userService.CanAccessPremium(user)))
        {
            return false;
        }

        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
        if (!HasProperMetaData(provider))
        {
            return false;
        }

        return await userService.TwoFactorProviderIsEnabledAsync(TwoFactorProviderType.Duo, user);
    }

    public async Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
    {
        var userService = _serviceProvider.GetRequiredService<IUserService>();
        if (!(await userService.CanAccessPremium(user)))
        {
            return null;
        }

        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
        if (!HasProperMetaData(provider))
        {
            return null;
        }

        var signatureRequest = DuoWeb.SignRequest((string)provider.MetaData["IKey"],
            (string)provider.MetaData["SKey"], _globalSettings.Duo.AKey, user.Email);
        return signatureRequest;
    }

    public async Task<bool> ValidateAsync(string purpose, string token, UserManager<User> manager, User user)
    {
        var userService = _serviceProvider.GetRequiredService<IUserService>();
        if (!(await userService.CanAccessPremium(user)))
        {
            return false;
        }

        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
        if (!HasProperMetaData(provider))
        {
            return false;
        }

        var response = DuoWeb.VerifyResponse((string)provider.MetaData["IKey"], (string)provider.MetaData["SKey"],
            _globalSettings.Duo.AKey, token);

        return response == user.Email;
    }

    private bool HasProperMetaData(TwoFactorProvider provider)
    {
        return provider?.MetaData != null && provider.MetaData.ContainsKey("IKey") &&
            provider.MetaData.ContainsKey("SKey") && provider.MetaData.ContainsKey("Host");
    }
}
-												[PM-1188] Server owner auth migration (#2825)

* [PM-1188] add sso project to auth

* [PM-1188] move sso api models to auth

* [PM-1188] fix sso api model namespace & imports

* [PM-1188] move core files to auth

* [PM-1188] fix core sso namespace & models

* [PM-1188] move sso repository files to auth

* [PM-1188] fix sso repo files namespace & imports

* [PM-1188] move sso sql files to auth folder

* [PM-1188] move sso test files to auth folders

* [PM-1188] fix sso tests namespace & imports

* [PM-1188] move auth api files to auth folder

* [PM-1188] fix auth api files namespace & imports

* [PM-1188] move auth core files to auth folder

* [PM-1188] fix auth core files namespace & imports

* [PM-1188] move auth email templates to auth folder

* [PM-1188] move auth email folder back into shared directory

* [PM-1188] fix auth email names

* [PM-1188] move auth core models to auth folder

* [PM-1188] fix auth model namespace & imports

* [PM-1188] add entire Identity project to auth codeowners

* [PM-1188] fix auth orm files namespace & imports

* [PM-1188] move auth orm files to auth folder

* [PM-1188] move auth sql files to auth folder

* [PM-1188] move auth tests to auth folder

* [PM-1188] fix auth test files namespace & imports

* [PM-1188] move emergency access api files to auth folder

* [PM-1188] fix emergencyaccess api files namespace & imports

* [PM-1188] move emergency access core files to auth folder

* [PM-1188] fix emergency access core files namespace & imports

* [PM-1188] move emergency access orm files to auth folder

* [PM-1188] fix emergency access orm files namespace & imports

* [PM-1188] move emergency access sql files to auth folder

* [PM-1188] move emergencyaccess test files to auth folder

* [PM-1188] fix emergency access test files namespace & imports

* [PM-1188] move captcha files to auth folder

* [PM-1188] fix captcha files namespace & imports

* [PM-1188] move auth admin files into auth folder

* [PM-1188] fix admin auth files namespace & imports
- configure mvc to look in auth folders for views

* [PM-1188] remove extra imports and formatting

* [PM-1188] fix ef auth model imports

* [PM-1188] fix DatabaseContextModelSnapshot paths

* [PM-1188] fix grant import in ef

* [PM-1188] update sqlproj

* [PM-1188] move missed sqlproj files

* [PM-1188] move auth ef models out of auth folder

* [PM-1188] fix auth ef models namespace

* [PM-1188] remove auth ef models unused imports

* [PM-1188] fix imports for auth ef models

* [PM-1188] fix more ef model imports

* [PM-1188] fix file encodings
											
										
										
											2023-04-14 13:25:56 -04:00
+								using Bit.Core.Auth.Enums;
 								using Bit.Core.Auth.Models;
 								using Bit.Core.Auth.Utilities.Duo;
 								using Bit.Core.Entities;
-												CanAccessPremium checks instead of User.Premium

											
										
										
											2018-08-28 16:23:58 -04:00
+								using Bit.Core.Services;
-												Use sas token for attachment downloads (#1153)

* Get limited life attachment download URL

This change limits url download to a 1min lifetime.
This requires moving to a new container to allow for non-public blob
access.

Clients will have to call GetAttachmentData api function to receive the download
URL. For backwards compatibility, attachment URLs are still present, but will not
work for attachments stored in non-public access blobs.

* Make GlobalSettings interface for testing

* Test LocalAttachmentStorageService equivalence

* Remove comment

* Add missing globalSettings using

* Simplify default attachment container

* Default to attachments containe for existing methods

A new upload method will be made for uploading to attachments-v2.
For compatibility for clients which don't use these new methods, we need
to still use the old container. The new container will be used only for
new uploads

* Remove Default MetaData fixture.

* Keep attachments container blob-level security for all instances

* Close unclosed FileStream

* Favor default value for noop services
											
										
										
											2021-02-22 15:35:16 -06:00
+								using Bit.Core.Settings;
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								using Microsoft.AspNetCore.Identity;
-												token providers cant inject userservice

											
										
										
											2018-08-28 22:21:13 -04:00
+								using Microsoft.Extensions.DependencyInjection;
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
-												[PM-1188] Server owner auth migration (#2825)

* [PM-1188] add sso project to auth

* [PM-1188] move sso api models to auth

* [PM-1188] fix sso api model namespace & imports

* [PM-1188] move core files to auth

* [PM-1188] fix core sso namespace & models

* [PM-1188] move sso repository files to auth

* [PM-1188] fix sso repo files namespace & imports

* [PM-1188] move sso sql files to auth folder

* [PM-1188] move sso test files to auth folders

* [PM-1188] fix sso tests namespace & imports

* [PM-1188] move auth api files to auth folder

* [PM-1188] fix auth api files namespace & imports

* [PM-1188] move auth core files to auth folder

* [PM-1188] fix auth core files namespace & imports

* [PM-1188] move auth email templates to auth folder

* [PM-1188] move auth email folder back into shared directory

* [PM-1188] fix auth email names

* [PM-1188] move auth core models to auth folder

* [PM-1188] fix auth model namespace & imports

* [PM-1188] add entire Identity project to auth codeowners

* [PM-1188] fix auth orm files namespace & imports

* [PM-1188] move auth orm files to auth folder

* [PM-1188] move auth sql files to auth folder

* [PM-1188] move auth tests to auth folder

* [PM-1188] fix auth test files namespace & imports

* [PM-1188] move emergency access api files to auth folder

* [PM-1188] fix emergencyaccess api files namespace & imports

* [PM-1188] move emergency access core files to auth folder

* [PM-1188] fix emergency access core files namespace & imports

* [PM-1188] move emergency access orm files to auth folder

* [PM-1188] fix emergency access orm files namespace & imports

* [PM-1188] move emergency access sql files to auth folder

* [PM-1188] move emergencyaccess test files to auth folder

* [PM-1188] fix emergency access test files namespace & imports

* [PM-1188] move captcha files to auth folder

* [PM-1188] fix captcha files namespace & imports

* [PM-1188] move auth admin files into auth folder

* [PM-1188] fix admin auth files namespace & imports
- configure mvc to look in auth folders for views

* [PM-1188] remove extra imports and formatting

* [PM-1188] fix ef auth model imports

* [PM-1188] fix DatabaseContextModelSnapshot paths

* [PM-1188] fix grant import in ef

* [PM-1188] update sqlproj

* [PM-1188] move missed sqlproj files

* [PM-1188] move auth ef models out of auth folder

* [PM-1188] fix auth ef models namespace

* [PM-1188] remove auth ef models unused imports

* [PM-1188] fix imports for auth ef models

* [PM-1188] fix more ef model imports

* [PM-1188] fix file encodings
											
										
										
											2023-04-14 13:25:56 -04:00
+								namespace Bit.Core.Auth.Identity;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								public class DuoWebTokenProvider : IUserTwoFactorTokenProvider<User>
 								{
 								    private readonly IServiceProvider _serviceProvider;
 								    private readonly GlobalSettings _globalSettings;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								    public DuoWebTokenProvider(
-												token providers cant inject userservice

											
										
										
											2018-08-28 22:21:13 -04:00
+								        IServiceProvider serviceProvider,
-												CanAccessPremium checks instead of User.Premium

											
										
										
											2018-08-28 16:23:58 -04:00
+								        GlobalSettings globalSettings)
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								    {
-												token providers cant inject userservice

											
										
										
											2018-08-28 22:21:13 -04:00
+								        _serviceProvider = serviceProvider;
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        _globalSettings = globalSettings;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
-												CanAccessPremium checks instead of User.Premium

											
										
										
											2018-08-28 16:23:58 -04:00
+								    public async Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												token providers cant inject userservice

											
										
										
											2018-08-28 22:21:13 -04:00
+								        var userService = _serviceProvider.GetRequiredService<IUserService>();
-												CanAccessPremium checks instead of User.Premium

											
										
										
											2018-08-28 16:23:58 -04:00
+								        if (!(await userService.CanAccessPremium(user)))
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        {
 								            return false;
 								        }
-												CanAccessPremium checks instead of User.Premium

											
										
										
											2018-08-28 16:23:58 -04:00
+								        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
 								        if (!HasProperMetaData(provider))
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        {
-												CanAccessPremium checks instead of User.Premium

											
										
										
											2018-08-28 16:23:58 -04:00
+								            return false;
-												premium checks on 2fa providers

											
										
										
											2017-07-06 16:56:12 -04:00
+								        }
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        return await userService.TwoFactorProviderIsEnabledAsync(TwoFactorProviderType.Duo, user);
-												CanAccessPremium checks instead of User.Premium

											
										
										
											2018-08-28 16:23:58 -04:00
+								    }
-												move some 2fa logic functions to userService

											
										
										
											2018-12-19 10:47:53 -05:00
+								    public async Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												move some 2fa logic functions to userService

											
										
										
											2018-12-19 10:47:53 -05:00
+								        var userService = _serviceProvider.GetRequiredService<IUserService>();
 								        if (!(await userService.CanAccessPremium(user)))
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        {
-												move some 2fa logic functions to userService

											
										
										
											2018-12-19 10:47:53 -05:00
+								            return null;
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        }
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
 								        if (!HasProperMetaData(provider))
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        {
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								            return null;
-												premium checks on 2fa providers

											
										
										
											2017-07-06 16:56:12 -04:00
+								        }
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        var signatureRequest = DuoWeb.SignRequest((string)provider.MetaData["IKey"],
 								            (string)provider.MetaData["SKey"], _globalSettings.Duo.AKey, user.Email);
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								        return signatureRequest;
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								    }
-												formatting

											
										
										
											2019-01-11 09:44:49 -05:00
+								    public async Task<bool> ValidateAsync(string purpose, string token, UserManager<User> manager, User user)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												formatting

											
										
										
											2019-01-11 09:44:49 -05:00
+								        var userService = _serviceProvider.GetRequiredService<IUserService>();
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								        if (!(await userService.CanAccessPremium(user)))
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        {
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								            return false;
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        }
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
 								        if (!HasProperMetaData(provider))
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								        {
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								            return false;
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								        }
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								        var response = DuoWeb.VerifyResponse((string)provider.MetaData["IKey"], (string)provider.MetaData["SKey"],
 								            _globalSettings.Duo.AKey, token);
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
-												More CanAccessPremium checks

											
										
										
											2018-08-28 17:40:08 -04:00
+								        return response == user.Email;
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								    }
-												Duo WebSDK Token Provider

											
										
										
											2017-06-21 00:04:25 -04:00
+								    private bool HasProperMetaData(TwoFactorProvider provider)
 								    {
 								        return provider?.MetaData != null && provider.MetaData.ContainsKey("IKey") &&
 								            provider.MetaData.ContainsKey("SKey") && provider.MetaData.ContainsKey("Host");
 								    }
 								}