src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs

using Bit.Core.Models.Api;
using Bit.Core.Models.Table;
using Bit.Core.Enums;
using Bit.Core.Repositories;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Bit.Core.Services;

namespace Bit.Core.IdentityServer
{
    public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
    {
        private UserManager<User> _userManager;
        private readonly IDeviceRepository _deviceRepository;
        private readonly IDeviceService _deviceService;

        public ResourceOwnerPasswordValidator(
            UserManager<User> userManager,
            IDeviceRepository deviceRepository,
            IDeviceService deviceService)
        {
            _userManager = userManager;
            _deviceRepository = deviceRepository;
            _deviceService = deviceService;
        }

        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
        {
            var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString();
            var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString();
            var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider);

            if(!string.IsNullOrWhiteSpace(context.UserName))
            {
                var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
                if(user != null)
                {
                    if(await _userManager.CheckPasswordAsync(user, context.Password))
                    {
                        TwoFactorProviderType twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it
                        if(!twoFactorRequest && await TwoFactorRequiredAsync(user))
                        {
                            BuildTwoFactorResult(user, context);
                            return;
                        }

                        if(twoFactorRequest && !Enum.TryParse(twoFactorProvider, out twoFactorProviderType))
                        {
                            BuildTwoFactorResult(user, context);
                            return;
                        }

                        if(!twoFactorRequest ||
                            await _userManager.VerifyTwoFactorTokenAsync(user, twoFactorProviderType.ToString(), twoFactorToken))
                        {
                            var device = await SaveDeviceAsync(user, context);
                            BuildSuccessResult(user, context, device);
                            return;
                        }
                    }
                }
            }

            await Task.Delay(2000); // Delay for brute force.
            BuildErrorResult(twoFactorRequest, context);
        }

        private void BuildSuccessResult(User user, ResourceOwnerPasswordValidationContext context, Device device)
        {
            var claims = new List<Claim>();

            if(device != null)
            {
                claims.Add(new Claim("device", device.Identifier));
            }

            var customResponse = new Dictionary<string, object>();
            if(!string.IsNullOrWhiteSpace(user.PrivateKey))
            {
                customResponse.Add("PrivateKey", user.PrivateKey);
            }

            if(!string.IsNullOrWhiteSpace(user.Key))
            {
                customResponse.Add("Key", user.Key);
            }

            context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
                identityProvider: "bitwarden",
                claims: claims.Count > 0 ? claims : null,
                customResponse: customResponse);
        }

        private void BuildTwoFactorResult(User user, ResourceOwnerPasswordValidationContext context)
        {
            var providers = new List<byte>();
            if(user.TwoFactorProvider.HasValue)
            {
                providers.Add((byte)user.TwoFactorProvider.Value);
            }

            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
                new Dictionary<string, object>
                {
                    { "TwoFactorProviders", providers },
                    { "TwoFactorProvider", (byte)user.TwoFactorProvider.Value }
                });
        }

        private void BuildErrorResult(bool twoFactorRequest, ResourceOwnerPasswordValidationContext context)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
                customResponse: new Dictionary<string, object>
                {{
                    "ErrorModel", new ErrorResponseModel(twoFactorRequest ?
                        "Code is not correct. Try again." : "Username or password is incorrect. Try again.")
                }});
        }

        private async Task<bool> TwoFactorRequiredAsync(User user)
        {
            return _userManager.SupportsUserTwoFactor &&
                await _userManager.GetTwoFactorEnabledAsync(user) &&
                (await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0;
        }

        private Device GetDeviceFromRequest(ResourceOwnerPasswordValidationContext context)
        {
            var deviceIdentifier = context.Request.Raw["DeviceIdentifier"]?.ToString();
            var deviceType = context.Request.Raw["DeviceType"]?.ToString();
            var deviceName = context.Request.Raw["DeviceName"]?.ToString();
            var devicePushToken = context.Request.Raw["DevicePushToken"]?.ToString();

            DeviceType type;
            if(string.IsNullOrWhiteSpace(deviceIdentifier) || string.IsNullOrWhiteSpace(deviceType) ||
                string.IsNullOrWhiteSpace(deviceName) || !Enum.TryParse(deviceType, out type))
            {
                return null;
            }

            return new Device
            {
                Identifier = deviceIdentifier,
                Name = deviceName,
                Type = type,
                PushToken = string.IsNullOrWhiteSpace(devicePushToken) ? null : devicePushToken
            };
        }

        private async Task<Device> SaveDeviceAsync(User user, ResourceOwnerPasswordValidationContext context)
        {
            var device = GetDeviceFromRequest(context);
            if(device != null)
            {
                var existingDevice = await _deviceRepository.GetByIdentifierAsync(device.Identifier, user.Id);
                if(existingDevice == null)
                {
                    device.UserId = user.Id;
                    await _deviceService.SaveAsync(device);
                    return device;
                }

                return existingDevice;
            }

            return null;
        }
    }
}
-												move all models into core

											
										
										
											2017-03-08 21:55:08 -05:00
+								using Bit.Core.Models.Api;
-												move domains to Models.Table

											
										
										
											2017-03-08 21:45:08 -05:00
+								using Bit.Core.Models.Table;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								using Bit.Core.Enums;
 								using Bit.Core.Repositories;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								using IdentityServer4.Models;
 								using IdentityServer4.Validation;
 								using Microsoft.AspNetCore.Identity;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								using System;
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								using System.Collections.Generic;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								using System.Security.Claims;
 								using System.Threading.Tasks;
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								using Bit.Core.Services;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
-												move identityserver libs into core

											
										
										
											2017-05-05 16:11:50 -04:00
+								namespace Bit.Core.IdentityServer
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								{
 								    public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
 								    {
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        private UserManager<User> _userManager;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        private readonly IDeviceRepository _deviceRepository;
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								        private readonly IDeviceService _deviceService;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
 								        public ResourceOwnerPasswordValidator(
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								            UserManager<User> userManager,
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								            IDeviceRepository deviceRepository,
 								            IDeviceService deviceService)
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        {
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								            _userManager = userManager;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								            _deviceRepository = deviceRepository;
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								            _deviceService = deviceService;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        }
 								        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
 								        {
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								            var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString();
 								            var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString();
 								            var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider);
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
-												remove deprecated jwt bearer authentication method

											
										
										
											2017-06-06 23:19:42 -04:00
+								            if(!string.IsNullOrWhiteSpace(context.UserName))
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								            {
 								                var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
 								                if(user != null)
 								                {
 								                    if(await _userManager.CheckPasswordAsync(user, context.Password))
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								                    {
-												Parse enum as to accept 0 values or full string values

											
										
										
											2017-01-28 17:28:28 -05:00
+								                        TwoFactorProviderType twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								                        if(!twoFactorRequest && await TwoFactorRequiredAsync(user))
 								                        {
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								                            BuildTwoFactorResult(user, context);
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								                            return;
 								                        }
-												Parse enum as to accept 0 values or full string values

											
										
										
											2017-01-28 17:28:28 -05:00
+								                        if(twoFactorRequest && !Enum.TryParse(twoFactorProvider, out twoFactorProviderType))
 								                        {
 								                            BuildTwoFactorResult(user, context);
 								                            return;
 								                        }
-												formatting

											
										
										
											2017-01-25 00:35:52 -05:00
+								                        if(!twoFactorRequest ||
-												Parse enum as to accept 0 values or full string values

											
										
										
											2017-01-28 17:28:28 -05:00
+								                            await _userManager.VerifyTwoFactorTokenAsync(user, twoFactorProviderType.ToString(), twoFactorToken))
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								                        {
-												adjusted claims

											
										
										
											2017-01-24 00:54:09 -05:00
+								                            var device = await SaveDeviceAsync(user, context);
 								                            BuildSuccessResult(user, context, device);
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								                            return;
 								                        }
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								                    }
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								                }
 								            }
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								            await Task.Delay(2000); // Delay for brute force.
 								            BuildErrorResult(twoFactorRequest, context);
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        }
-												adjusted claims

											
										
										
											2017-01-24 00:54:09 -05:00
+								        private void BuildSuccessResult(User user, ResourceOwnerPasswordValidationContext context, Device device)
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        {
-												remove deprecated jwt bearer authentication method

											
										
										
											2017-06-06 23:19:42 -04:00
+								            var claims = new List<Claim>();
-												adjusted claims

											
										
										
											2017-01-24 00:54:09 -05:00
 								            if(device != null)
 								            {
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								                claims.Add(new Claim("device", device.Identifier));
-												adjusted claims

											
										
										
											2017-01-24 00:54:09 -05:00
+								            }
-												return share information with cipher API response

											
										
										
											2017-02-21 22:52:02 -05:00
+								            var customResponse = new Dictionary<string, object>();
 								            if(!string.IsNullOrWhiteSpace(user.PrivateKey))
 								            {
-												validation checks on cipher move

											
										
										
											2017-03-25 16:25:10 -04:00
+								                customResponse.Add("PrivateKey", user.PrivateKey);
-												return share information with cipher API response

											
										
										
											2017-02-21 22:52:02 -05:00
+								            }
-												add key to login response from identity

											
										
										
											2017-05-31 10:10:08 -04:00
+								            if(!string.IsNullOrWhiteSpace(user.Key))
 								            {
 								                customResponse.Add("Key", user.Key);
 								            }
-												public and private keys added to db and user domain. added account APIs got getting and putting keys.

											
										
										
											2017-02-11 23:00:55 -05:00
+								            context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
 								                identityProvider: "bitwarden",
 								                claims: claims.Count > 0 ? claims : null,
-												return share information with cipher API response

											
										
										
											2017-02-21 22:52:02 -05:00
+								                customResponse: customResponse);
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        }
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								        private void BuildTwoFactorResult(User user, ResourceOwnerPasswordValidationContext context)
 								        {
 								            var providers = new List<byte>();
 								            if(user.TwoFactorProvider.HasValue)
 								            {
 								                providers.Add((byte)user.TwoFactorProvider.Value);
 								            }
 								            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
 								                new Dictionary<string, object>
 								                {
-												Duo API and token provider

											
										
										
											2017-06-12 21:22:46 -04:00
+								                    { "TwoFactorProviders", providers },
 								                    { "TwoFactorProvider", (byte)user.TwoFactorProvider.Value }
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								                });
 								        }
 								        private void BuildErrorResult(bool twoFactorRequest, ResourceOwnerPasswordValidationContext context)
 								        {
-												public and private keys added to db and user domain. added account APIs got getting and putting keys.

											
										
										
											2017-02-11 23:00:55 -05:00
+								            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
 								                customResponse: new Dictionary<string, object>
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								                {{
 								                    "ErrorModel", new ErrorResponseModel(twoFactorRequest ?
 								                        "Code is not correct. Try again." : "Username or password is incorrect. Try again.")
 								                }});
 								        }
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        private async Task<bool> TwoFactorRequiredAsync(User user)
 								        {
 								            return _userManager.SupportsUserTwoFactor &&
 								                await _userManager.GetTwoFactorEnabledAsync(user) &&
 								                (await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0;
 								        }
 								        private Device GetDeviceFromRequest(ResourceOwnerPasswordValidationContext context)
 								        {
-												device registration on auth bearer migration

											
										
										
											2017-01-25 23:03:07 -05:00
+								            var deviceIdentifier = context.Request.Raw["DeviceIdentifier"]?.ToString();
 								            var deviceType = context.Request.Raw["DeviceType"]?.ToString();
 								            var deviceName = context.Request.Raw["DeviceName"]?.ToString();
 								            var devicePushToken = context.Request.Raw["DevicePushToken"]?.ToString();
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
 								            DeviceType type;
 								            if(string.IsNullOrWhiteSpace(deviceIdentifier) || string.IsNullOrWhiteSpace(deviceType) ||
 								                string.IsNullOrWhiteSpace(deviceName) || !Enum.TryParse(deviceType, out type))
 								            {
 								                return null;
 								            }
 								            return new Device
 								            {
 								                Identifier = deviceIdentifier,
 								                Name = deviceName,
 								                Type = type,
-												device registration on auth bearer migration

											
										
										
											2017-01-25 23:03:07 -05:00
+								                PushToken = string.IsNullOrWhiteSpace(devicePushToken) ? null : devicePushToken
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								            };
 								        }
-												adjusted claims

											
										
										
											2017-01-24 00:54:09 -05:00
+								        private async Task<Device> SaveDeviceAsync(User user, ResourceOwnerPasswordValidationContext context)
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        {
 								            var device = GetDeviceFromRequest(context);
 								            if(device != null)
 								            {
 								                var existingDevice = await _deviceRepository.GetByIdentifierAsync(device.Identifier, user.Id);
 								                if(existingDevice == null)
 								                {
 								                    device.UserId = user.Id;
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								                    await _deviceService.SaveAsync(device);
-												adjusted claims

											
										
										
											2017-01-24 00:54:09 -05:00
+								                    return device;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								                }
-												return existing device for token

											
										
										
											2017-02-07 21:33:25 -05:00
 								                return existingDevice;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								            }
-												adjusted claims

											
										
										
											2017-01-24 00:54:09 -05:00
 								            return null;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        }
 								    }
 								}