src/Api/Controllers/HibpController.cs

using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Bit.Core.Context;
using Bit.Core.Exceptions;
using Bit.Core.Services;
using Bit.Core.Settings;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace Bit.Api.Controllers
{
    [Route("hibp")]
    [Authorize("Application")]
    public class HibpController : Controller
    {
        private const string HibpBreachApi = "https://haveibeenpwned.com/api/v3/breachedaccount/{0}" +
            "?truncateResponse=false&includeUnverified=false";
        private static HttpClient _httpClient;

        private readonly IUserService _userService;
        private readonly ICurrentContext _currentContext;
        private readonly GlobalSettings _globalSettings;
        private readonly string _userAgent;

        static HibpController()
        {
            _httpClient = new HttpClient();
        }

        public HibpController(
            IUserService userService,
            ICurrentContext currentContext,
            GlobalSettings globalSettings)
        {
            _userService = userService;
            _currentContext = currentContext;
            _globalSettings = globalSettings;
            _userAgent = _globalSettings.SelfHosted ? "Bitwarden Self-Hosted" : "Bitwarden";
        }

        [HttpGet("breach")]
        public async Task<IActionResult> Get(string username)
        {
            return await SendAsync(WebUtility.UrlEncode(username), true);
        }

        private async Task<IActionResult> SendAsync(string username, bool retry)
        {
            if (!CoreHelpers.SettingHasValue(_globalSettings.HibpApiKey))
            {
                throw new BadRequestException("HaveIBeenPwned API key not set.");
            }
            var request = new HttpRequestMessage(HttpMethod.Get, string.Format(HibpBreachApi, username));
            request.Headers.Add("hibp-api-key", _globalSettings.HibpApiKey);
            request.Headers.Add("hibp-client-id", GetClientId());
            request.Headers.Add("User-Agent", _userAgent);
            var response = await _httpClient.SendAsync(request);
            if (response.IsSuccessStatusCode)
            {
                var data = await response.Content.ReadAsStringAsync();
                return Content(data, "application/json");
            }
            else if (response.StatusCode == HttpStatusCode.NotFound)
            {
                return new NotFoundResult();
            }
            else if (response.StatusCode == HttpStatusCode.TooManyRequests && retry)
            {
                var delay = 2000;
                if (response.Headers.Contains("retry-after"))
                {
                    var vals = response.Headers.GetValues("retry-after");
                    if (vals.Any() && int.TryParse(vals.FirstOrDefault(), out var secDelay))
                    {
                        delay = (secDelay * 1000) + 200;
                    }
                }
                await Task.Delay(delay);
                return await SendAsync(username, false);
            }
            else
            {
                throw new BadRequestException("Request failed. Status code: " + response.StatusCode);
            }
        }

        private string GetClientId()
        {
            var userId = _userService.GetProperUserId(User).Value;
            using (var sha256 = SHA256.Create())
            {
                var hash = sha256.ComputeHash(userId.ToByteArray());
                return Convert.ToBase64String(hash);
            }
        }
    }
}
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								using System;
 								using System.Linq;
 								using System.Net;
 								using System.Net.Http;
 								using System.Security.Cryptography;
 								using System.Threading.Tasks;
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								using Bit.Core.Context;
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								using Bit.Core.Exceptions;
-												HaveIBeenPwned API key not set.

											
										
										
											2019-07-27 12:29:20 -04:00
+								using Bit.Core.Services;
-												Use sas token for attachment downloads (#1153)

* Get limited life attachment download URL

This change limits url download to a 1min lifetime.
This requires moving to a new container to allow for non-public blob
access.

Clients will have to call GetAttachmentData api function to receive the download
URL. For backwards compatibility, attachment URLs are still present, but will not
work for attachments stored in non-public access blobs.

* Make GlobalSettings interface for testing

* Test LocalAttachmentStorageService equivalence

* Remove comment

* Add missing globalSettings using

* Simplify default attachment container

* Default to attachments containe for existing methods

A new upload method will be made for uploading to attachments-v2.
For compatibility for clients which don't use these new methods, we need
to still use the old container. The new container will be used only for
new uploads

* Remove Default MetaData fixture.

* Keep attachments container blob-level security for all instances

* Close unclosed FileStream

* Favor default value for noop services
											
										
										
											2021-02-22 15:35:16 -06:00
+								using Bit.Core.Settings;
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								using Bit.Core.Utilities;
 								using Microsoft.AspNetCore.Authorization;
 								using Microsoft.AspNetCore.Mvc;
 								namespace Bit.Api.Controllers
 								{
 								    [Route("hibp")]
 								    [Authorize("Application")]
 								    public class HibpController : Controller
 								    {
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								        private const string HibpBreachApi = "https://haveibeenpwned.com/api/v3/breachedaccount/{0}" +
 								            "?truncateResponse=false&includeUnverified=false";
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								        private static HttpClient _httpClient;
 								        private readonly IUserService _userService;
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								        private readonly ICurrentContext _currentContext;
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								        private readonly GlobalSettings _globalSettings;
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								        private readonly string _userAgent;
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
 								        static HibpController()
 								        {
 								            _httpClient = new HttpClient();
 								        }
 								        public HibpController(
 								            IUserService userService,
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								            ICurrentContext currentContext,
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            GlobalSettings globalSettings)
 								        {
 								            _userService = userService;
 								            _currentContext = currentContext;
 								            _globalSettings = globalSettings;
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								            _userAgent = _globalSettings.SelfHosted ? "Bitwarden Self-Hosted" : "Bitwarden";
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								        }
 								        [HttpGet("breach")]
-												change to username

											
										
										
											2019-01-17 01:06:03 -05:00
+								        public async Task<IActionResult> Get(string username)
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								        {
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								            return await SendAsync(WebUtility.UrlEncode(username), true);
 								        }
 								        private async Task<IActionResult> SendAsync(string username, bool retry)
 								        {
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            if (!CoreHelpers.SettingHasValue(_globalSettings.HibpApiKey))
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            {
-												HaveIBeenPwned API key not set.

											
										
										
											2019-07-27 12:29:20 -04:00
+								                throw new BadRequestException("HaveIBeenPwned API key not set.");
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            }
-												HaveIBeenPwned API key not set.

											
										
										
											2019-07-27 12:29:20 -04:00
+								            var request = new HttpRequestMessage(HttpMethod.Get, string.Format(HibpBreachApi, username));
 								            request.Headers.Add("hibp-api-key", _globalSettings.HibpApiKey);
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								            request.Headers.Add("hibp-client-id", GetClientId());
 								            request.Headers.Add("User-Agent", _userAgent);
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            var response = await _httpClient.SendAsync(request);
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            if (response.IsSuccessStatusCode)
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            {
 								                var data = await response.Content.ReadAsStringAsync();
 								                return Content(data, "application/json");
 								            }
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            else if (response.StatusCode == HttpStatusCode.NotFound)
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            {
 								                return new NotFoundResult();
 								            }
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            else if (response.StatusCode == HttpStatusCode.TooManyRequests && retry)
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								            {
 								                var delay = 2000;
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								                if (response.Headers.Contains("retry-after"))
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								                {
 								                    var vals = response.Headers.GetValues("retry-after");
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								                    if (vals.Any() && int.TryParse(vals.FirstOrDefault(), out var secDelay))
-												hibp api v3

											
										
										
											2019-07-22 21:23:09 -04:00
+								                    {
 								                        delay = (secDelay * 1000) + 200;
 								                    }
 								                }
 								                await Task.Delay(delay);
 								                return await SendAsync(username, false);
 								            }
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            else
 								            {
 								                throw new BadRequestException("Request failed. Status code: " + response.StatusCode);
 								            }
 								        }
 								        private string GetClientId()
 								        {
 								            var userId = _userService.GetProperUserId(User).Value;
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            using (var sha256 = SHA256.Create())
-												hibp breach api proxy

											
										
										
											2019-01-17 01:03:11 -05:00
+								            {
 								                var hash = sha256.ComputeHash(userId.ToByteArray());
 								                return Convert.ToBase64String(hash);
 								            }
 								        }
 								    }
 								}