mirror of
https://github.com/bitwarden/server.git
synced 2026-02-11 03:13:16 +08:00
5537470703
* Get limited life attachment download URL This change limits url download to a 1min lifetime. This requires moving to a new container to allow for non-public blob access. Clients will have to call GetAttachmentData api function to receive the download URL. For backwards compatibility, attachment URLs are still present, but will not work for attachments stored in non-public access blobs. * Make GlobalSettings interface for testing * Test LocalAttachmentStorageService equivalence * Remove comment * Add missing globalSettings using * Simplify default attachment container * Default to attachments containe for existing methods A new upload method will be made for uploading to attachments-v2. For compatibility for clients which don't use these new methods, we need to still use the old container. The new container will be used only for new uploads * Remove Default MetaData fixture. * Keep attachments container blob-level security for all instances * Close unclosed FileStream * Favor default value for noop services
97 lines
3.9 KiB
C#
97 lines
3.9 KiB
C#
using Bit.Core.Models.Table;
|
|
using Bit.Core.Repositories;
|
|
using IdentityServer4.Models;
|
|
using IdentityServer4.Validation;
|
|
using Microsoft.AspNetCore.Identity;
|
|
using System.Collections.Generic;
|
|
using System.Security.Claims;
|
|
using System.Threading.Tasks;
|
|
using Bit.Core.Services;
|
|
using Bit.Core.Identity;
|
|
using Bit.Core.Context;
|
|
using Bit.Core.Settings;
|
|
using Microsoft.Extensions.Logging;
|
|
|
|
namespace Bit.Core.IdentityServer
|
|
{
|
|
public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwnerPasswordValidationContext>,
|
|
IResourceOwnerPasswordValidator
|
|
{
|
|
private UserManager<User> _userManager;
|
|
private readonly IUserService _userService;
|
|
|
|
public ResourceOwnerPasswordValidator(
|
|
UserManager<User> userManager,
|
|
IDeviceRepository deviceRepository,
|
|
IDeviceService deviceService,
|
|
IUserService userService,
|
|
IEventService eventService,
|
|
IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
|
|
IOrganizationRepository organizationRepository,
|
|
IOrganizationUserRepository organizationUserRepository,
|
|
IApplicationCacheService applicationCacheService,
|
|
IMailService mailService,
|
|
ILogger<ResourceOwnerPasswordValidator> logger,
|
|
ICurrentContext currentContext,
|
|
GlobalSettings globalSettings,
|
|
IPolicyRepository policyRepository)
|
|
: base(userManager, deviceRepository, deviceService, userService, eventService,
|
|
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
|
|
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
|
|
{
|
|
_userManager = userManager;
|
|
_userService = userService;
|
|
}
|
|
|
|
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
|
|
{
|
|
await ValidateAsync(context, context.Request);
|
|
}
|
|
|
|
protected async override Task<(User, bool)> ValidateContextAsync(ResourceOwnerPasswordValidationContext context)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(context.UserName))
|
|
{
|
|
return (null, false);
|
|
}
|
|
|
|
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
|
|
if (user == null || !await _userService.CheckPasswordAsync(user, context.Password))
|
|
{
|
|
return (user, false);
|
|
}
|
|
|
|
return (user, true);
|
|
}
|
|
|
|
protected override void SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
|
|
List<Claim> claims, Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
|
|
identityProvider: "bitwarden",
|
|
claims: claims.Count > 0 ? claims : null,
|
|
customResponse: customResponse);
|
|
}
|
|
|
|
protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
|
|
Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
|
|
customResponse);
|
|
}
|
|
|
|
protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
|
|
Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
|
|
customResponse);
|
|
}
|
|
|
|
protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
|
|
Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
|
|
}
|
|
}
|
|
}
|