src/Identity/IdentityServer/ProfileService.cs

using System.Security.Claims;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Context;
using Bit.Core.Identity;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;

namespace Bit.Identity.IdentityServer;

public class ProfileService : IProfileService
{
    private readonly IUserService _userService;
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly IProviderUserRepository _providerUserRepository;
    private readonly IProviderOrganizationRepository _providerOrganizationRepository;
    private readonly ILicensingService _licensingService;
    private readonly ICurrentContext _currentContext;

    public ProfileService(
        IUserService userService,
        IOrganizationUserRepository organizationUserRepository,
        IProviderUserRepository providerUserRepository,
        IProviderOrganizationRepository providerOrganizationRepository,
        ILicensingService licensingService,
        ICurrentContext currentContext)
    {
        _userService = userService;
        _organizationUserRepository = organizationUserRepository;
        _providerUserRepository = providerUserRepository;
        _providerOrganizationRepository = providerOrganizationRepository;
        _licensingService = licensingService;
        _currentContext = currentContext;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var existingClaims = context.Subject.Claims;
        var newClaims = new List<Claim>();

        var user = await _userService.GetUserByPrincipalAsync(context.Subject);
        if (user != null)
        {
            var isPremium = await _licensingService.ValidateUserPremiumAsync(user);
            var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id);
            var providers = await _currentContext.ProviderMembershipAsync(_providerUserRepository, user.Id);
            foreach (var claim in CoreHelpers.BuildIdentityClaims(user, orgs, providers, isPremium))
            {
                var upperValue = claim.Value.ToUpperInvariant();
                var isBool = upperValue == "TRUE" || upperValue == "FALSE";
                newClaims.Add(isBool ?
                    new Claim(claim.Key, claim.Value, ClaimValueTypes.Boolean) :
                    new Claim(claim.Key, claim.Value)
                );
            }
        }

        // filter out any of the new claims
        var existingClaimsToKeep = existingClaims
            .Where(c => !c.Type.StartsWith("org") &&
                (newClaims.Count == 0 || !newClaims.Any(nc => nc.Type == c.Type)))
            .ToList();

        newClaims.AddRange(existingClaimsToKeep);
        if (newClaims.Any())
        {
            context.IssuedClaims.AddRange(newClaims);
        }
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var securityTokenClaim = context.Subject?.Claims.FirstOrDefault(c => c.Type == Claims.SecurityStamp);
        var user = await _userService.GetUserByPrincipalAsync(context.Subject);

        if (user != null && securityTokenClaim != null)
        {
            context.IsActive = string.Equals(user.SecurityStamp, securityTokenClaim.Value,
                StringComparison.InvariantCultureIgnoreCase);
            return;
        }
        else
        {
            context.IsActive = true;
        }
    }
}
-												Turn On `ImplicitUsings` (#2079)

* Turn on ImplicitUsings

* Fix formatting

* Run linter
											
										
										
											2022-06-29 19:46:41 -04:00
+								using System.Security.Claims;
-												[AC-1284] AC Team code ownership moves - Provider (#3359)


											
										
										
											2023-10-27 03:38:29 +10:00
+								using Bit.Core.AdminConsole.Repositories;
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								using Bit.Core.Context;
-												[SM-394] Secrets Manager (#2164)

Long lived feature branch for Secrets Manager

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com>
Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com>
Co-authored-by: Thomas Avery <tavery@bitwarden.com>
Co-authored-by: Colton Hurst <colton@coltonhurst.com>
											
										
										
											2023-01-13 15:02:53 +01:00
+								using Bit.Core.Identity;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								using Bit.Core.Repositories;
 								using Bit.Core.Services;
-												Implement User-based API Keys (#981)

* added column ApiKey to dbo.User

* added dbo.User.ApiKey to User_Update

* added dbo.User.ApiKey to User_Create

* wrote migration script for implementing dbo.User.ApiKey

* Added ApiKey prop to the User table model

* Created AccountsController method for getting a user's API Key

* Created AccountsController method for rotating a user API key

* Added support to ApiClient for passed-through ClientSecrets when the request comes from the cli

* Added a new conditional to ClientStore to account for user API keys

* Wrote unit tests for new user API Key methods

* Added a refresh of dbo.UserView to new migration script for ApiKey

* Let client_credentials grants into the custom token logic

* Cleanup for ApiKey auth in the CLI feature

* Created user API key on registration

* Removed uneeded code for user API keys

* Changed a .Contains() to a .StartsWith() in ClientStore

* Changed index that an array is searched on

* Added more claims to the user apikey clients

* Moved some claim finding logic to a helper method
											
										
										
											2020-11-10 15:15:29 -05:00
+								using Bit.Core.Utilities;
-												[PM-3569] Upgrade to Duende.Identity (#3185)

* Upgrade to Duende.Identity

* Linting

* Get rid of last IdentityServer4 package

* Fix identity test since Duende returns additional configuration

* Use Configure

PostConfigure is ran after ASP.NET's PostConfigure
so ConfigurationManager was already configured and our HttpHandler wasn't
being respected.

* Regenerate lockfiles

* Move to 6.0.4 for patches

* fixes with testing

* Add additional grant type supported in 6.0.4 and beautify

* Lockfile refresh

* Reapply lockfiles

* Apply change to new WebAuthn logic

* When automated merging fails me

---------

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
											
										
										
											2023-11-20 16:32:23 -05:00
+								using Duende.IdentityServer.Models;
 								using Duende.IdentityServer.Services;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
-												[SM-220] Move identity specific files to identity (#2279)


											
										
										
											2022-09-27 18:30:37 +02:00
+								namespace Bit.Identity.IdentityServer;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								public class ProfileService : IProfileService
 								{
 								    private readonly IUserService _userService;
-												added user orgs to claims

											
										
										
											2017-04-05 15:31:33 -04:00
+								    private readonly IOrganizationUserRepository _organizationUserRepository;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    private readonly IProviderUserRepository _providerUserRepository;
-												[Provider] Create and access child organizations (#1427)


											
										
										
											2021-07-08 17:05:32 +02:00
+								    private readonly IProviderOrganizationRepository _providerOrganizationRepository;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    private readonly ILicensingService _licensingService;
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								    private readonly ICurrentContext _currentContext;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    public ProfileService(
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								        IUserService userService,
-												added user orgs to claims

											
										
										
											2017-04-05 15:31:33 -04:00
+								        IOrganizationUserRepository organizationUserRepository,
-												[Provider] Setup provider (#1378)


											
										
										
											2021-06-30 09:35:26 +02:00
+								        IProviderUserRepository providerUserRepository,
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								        IProviderOrganizationRepository providerOrganizationRepository,
 								        ILicensingService licensingService,
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        ICurrentContext currentContext)
 								    {
 								        _userService = userService;
-												added user orgs to claims

											
										
										
											2017-04-05 15:31:33 -04:00
+								        _organizationUserRepository = organizationUserRepository;
-												[Provider] Setup provider (#1378)


											
										
										
											2021-06-30 09:35:26 +02:00
+								        _providerUserRepository = providerUserRepository;
-												[Provider] Create and access child organizations (#1427)


											
										
										
											2021-07-08 17:05:32 +02:00
+								        _providerOrganizationRepository = providerOrganizationRepository;
-												verify and disable premium from license check

											
										
										
											2017-08-16 17:08:20 -04:00
+								        _licensingService = licensingService;
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								        _currentContext = currentContext;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    {
-												added org duo to 2fa flow

											
										
										
											2018-04-03 14:31:33 -04:00
+								        var existingClaims = context.Subject.Claims;
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								        var newClaims = new List<Claim>();
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								        var user = await _userService.GetUserByPrincipalAsync(context.Subject);
 								        if (user != null)
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        {
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								            var isPremium = await _licensingService.ValidateUserPremiumAsync(user);
 								            var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id);
-												use GetUserByPrincipalAsync

											
										
										
											2017-01-25 00:38:09 -05:00
+								            var providers = await _currentContext.ProviderMembershipAsync(_providerUserRepository, user.Id);
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            foreach (var claim in CoreHelpers.BuildIdentityClaims(user, orgs, providers, isPremium))
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								            {
-												Implement User-based API Keys (#981)

* added column ApiKey to dbo.User

* added dbo.User.ApiKey to User_Update

* added dbo.User.ApiKey to User_Create

* wrote migration script for implementing dbo.User.ApiKey

* Added ApiKey prop to the User table model

* Created AccountsController method for getting a user's API Key

* Created AccountsController method for rotating a user API key

* Added support to ApiClient for passed-through ClientSecrets when the request comes from the cli

* Added a new conditional to ClientStore to account for user API keys

* Wrote unit tests for new user API Key methods

* Added a refresh of dbo.UserView to new migration script for ApiKey

* Let client_credentials grants into the custom token logic

* Cleanup for ApiKey auth in the CLI feature

* Created user API key on registration

* Removed uneeded code for user API keys

* Changed a .Contains() to a .StartsWith() in ClientStore

* Changed index that an array is searched on

* Added more claims to the user apikey clients

* Moved some claim finding logic to a helper method
											
										
										
											2020-11-10 15:15:29 -05:00
+								                var upperValue = claim.Value.ToUpperInvariant();
 								                var isBool = upperValue == "TRUE" || upperValue == "FALSE";
 								                newClaims.Add(isBool ?
 								                    new Claim(claim.Key, claim.Value, ClaimValueTypes.Boolean) :
 								                    new Claim(claim.Key, claim.Value)
 								                );
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								            }
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        }
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								        // filter out any of the new claims
 								        var existingClaimsToKeep = existingClaims
-												upgrade identity server 4 to v4 (#842)

* upgrade identity server 4 to v4

* remove script ref
											
										
										
											2020-07-30 17:00:13 -04:00
+								            .Where(c => !c.Type.StartsWith("org") &&
 								                (newClaims.Count == 0 || !newClaims.Any(nc => nc.Type == c.Type)))
-												added user orgs to claims

											
										
										
											2017-04-05 15:31:33 -04:00
+								            .ToList();
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
 								        newClaims.AddRange(existingClaimsToKeep);
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								        if (newClaims.Any())
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								        {
-												upgrade identity server 4 to v4 (#842)

* upgrade identity server 4 to v4

* remove script ref
											
										
										
											2020-07-30 17:00:13 -04:00
+								            context.IssuedClaims.AddRange(newClaims);
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								        }
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
 								    public async Task IsActiveAsync(IsActiveContext context)
 								    {
-												[SM-394] Secrets Manager (#2164)

Long lived feature branch for Secrets Manager

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com>
Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com>
Co-authored-by: Thomas Avery <tavery@bitwarden.com>
Co-authored-by: Colton Hurst <colton@coltonhurst.com>
											
										
										
											2023-01-13 15:02:53 +01:00
+								        var securityTokenClaim = context.Subject?.Claims.FirstOrDefault(c => c.Type == Claims.SecurityStamp);
-												use GetUserByPrincipalAsync

											
										
										
											2017-01-25 00:38:09 -05:00
+								        var user = await _userService.GetUserByPrincipalAsync(context.Subject);
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								        if (user != null && securityTokenClaim != null)
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								        {
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								            context.IsActive = string.Equals(user.SecurityStamp, securityTokenClaim.Value,
 								                StringComparison.InvariantCultureIgnoreCase);
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								            return;
 								        }
 								        else
 								        {
-												Move claims issuance and security stamp checks out into profile service. moved context sets out of identity implementations and into get methods.

											
										
										
											2017-01-24 22:15:21 -05:00
+								            context.IsActive = true;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        }
 								    }
 								}