2023-06-19 16:16:15 +02:00
|
|
|
|
using System.Security.Claims;
|
|
|
|
|
|
using System.Text.Json;
|
2023-11-29 00:18:08 +01:00
|
|
|
|
using Bit.Core.AdminConsole.Entities;
|
2024-02-09 21:08:22 +01:00
|
|
|
|
using Bit.Core.AdminConsole.Entities.Provider;
|
|
|
|
|
|
using Bit.Core.AdminConsole.Enums.Provider;
|
|
|
|
|
|
using Bit.Core.AdminConsole.Repositories;
|
2023-06-19 16:16:15 +02:00
|
|
|
|
using Bit.Core.Auth.Entities;
|
|
|
|
|
|
using Bit.Core.Auth.Enums;
|
|
|
|
|
|
using Bit.Core.Auth.Models.Data;
|
|
|
|
|
|
using Bit.Core.Auth.Repositories;
|
|
|
|
|
|
using Bit.Core.Entities;
|
|
|
|
|
|
using Bit.Core.Enums;
|
2023-08-17 22:03:06 +02:00
|
|
|
|
using Bit.Core.Models.Data;
|
2023-06-19 16:16:15 +02:00
|
|
|
|
using Bit.Core.Repositories;
|
|
|
|
|
|
using Bit.Core.Utilities;
|
2024-06-19 21:11:24 +02:00
|
|
|
|
using Bit.Identity.Models.Request.Accounts;
|
2023-06-19 16:16:15 +02:00
|
|
|
|
using Bit.IntegrationTestCommon.Factories;
|
|
|
|
|
|
using Bit.Test.Common.Helpers;
|
2023-11-20 22:32:23 +01:00
|
|
|
|
using Duende.IdentityServer.Models;
|
|
|
|
|
|
using Duende.IdentityServer.Stores;
|
2023-06-19 16:16:15 +02:00
|
|
|
|
using IdentityModel;
|
|
|
|
|
|
using Microsoft.EntityFrameworkCore;
|
|
|
|
|
|
using NSubstitute;
|
|
|
|
|
|
using Xunit;
|
|
|
|
|
|
|
|
|
|
|
|
#nullable enable
|
|
|
|
|
|
|
|
|
|
|
|
namespace Bit.Identity.IntegrationTest.Endpoints;
|
|
|
|
|
|
|
|
|
|
|
|
public class IdentityServerSsoTests
|
|
|
|
|
|
{
|
|
|
|
|
|
const string TestEmail = "sso_user@email.com";
|
|
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task Test_MasterPassword_DecryptionType()
|
|
|
|
|
|
{
|
|
|
|
|
|
// Arrange
|
2023-08-17 22:03:06 +02:00
|
|
|
|
using var responseBody = await RunSuccessTestAsync(MemberDecryptionType.MasterPassword);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
// If the organization has a member decryption type of MasterPassword that should be the only option in the reply
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// Expected to look like:
|
|
|
|
|
|
// "UserDecryptionOptions": {
|
|
|
|
|
|
// "Object": "userDecryptionOptions"
|
|
|
|
|
|
// "HasMasterPassword": true
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(userDecryptionOptions, "HasMasterPassword", JsonValueKind.True);
|
|
|
|
|
|
|
|
|
|
|
|
// One property for the Object and one for master password
|
|
|
|
|
|
Assert.Equal(2, userDecryptionOptions.EnumerateObject().Count());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task SsoLogin_TrustedDeviceEncryption_ReturnsOptions()
|
|
|
|
|
|
{
|
|
|
|
|
|
// Arrange
|
2023-08-17 22:03:06 +02:00
|
|
|
|
using var responseBody = await RunSuccessTestAsync(MemberDecryptionType.TrustedDeviceEncryption);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
// If the organization has selected TrustedDeviceEncryption but the user still has their master password
|
|
|
|
|
|
// they can decrypt with either option
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// Expected to look like:
|
|
|
|
|
|
// "UserDecryptionOptions": {
|
|
|
|
|
|
// "Object": "userDecryptionOptions"
|
|
|
|
|
|
// "HasMasterPassword": true,
|
|
|
|
|
|
// "TrustedDeviceOption": {
|
|
|
|
|
|
// "HasAdminApproval": false
|
|
|
|
|
|
// }
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
// Should have master password & one for trusted device with admin approval
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(userDecryptionOptions, "HasMasterPassword", JsonValueKind.True);
|
|
|
|
|
|
|
|
|
|
|
|
var trustedDeviceOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "TrustedDeviceOption", JsonValueKind.Object);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasAdminApproval", JsonValueKind.False);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task SsoLogin_TrustedDeviceEncryption_WithAdminResetPolicy_ReturnsOptions()
|
|
|
|
|
|
{
|
|
|
|
|
|
// Arrange
|
2023-08-17 22:03:06 +02:00
|
|
|
|
using var responseBody = await RunSuccessTestAsync(async factory =>
|
2023-06-19 16:16:15 +02:00
|
|
|
|
{
|
2023-08-17 22:03:06 +02:00
|
|
|
|
var database = factory.GetDatabaseContext();
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
var organization = await database.Organizations.SingleAsync();
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
var user = await database.Users.SingleAsync(u => u.Email == TestEmail);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
var organizationUser = await database.OrganizationUsers.SingleAsync(
|
|
|
|
|
|
ou => ou.OrganizationId == organization.Id && ou.UserId == user.Id);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
organizationUser.ResetPasswordKey = "something";
|
|
|
|
|
|
|
|
|
|
|
|
await database.SaveChangesAsync();
|
|
|
|
|
|
}, MemberDecryptionType.TrustedDeviceEncryption);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
// If the organization has selected TrustedDeviceEncryption but the user still has their master password
|
|
|
|
|
|
// they can decrypt with either option
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// Expected to look like:
|
|
|
|
|
|
// "UserDecryptionOptions": {
|
|
|
|
|
|
// "Object": "userDecryptionOptions"
|
|
|
|
|
|
// "HasMasterPassword": true,
|
|
|
|
|
|
// "TrustedDeviceOption": {
|
2023-08-17 22:03:06 +02:00
|
|
|
|
// "HasAdminApproval": true,
|
|
|
|
|
|
// "HasManageResetPasswordPermission": false
|
2023-06-19 16:16:15 +02:00
|
|
|
|
// }
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
// Should have one item for master password & one for trusted device with admin approval
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(userDecryptionOptions, "HasMasterPassword", JsonValueKind.True);
|
|
|
|
|
|
|
|
|
|
|
|
var trustedDeviceOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "TrustedDeviceOption", JsonValueKind.Object);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasAdminApproval", JsonValueKind.True);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task SsoLogin_TrustedDeviceEncryptionAndNoMasterPassword_ReturnsOneOption()
|
2023-08-17 22:03:06 +02:00
|
|
|
|
{
|
|
|
|
|
|
using var responseBody = await RunSuccessTestAsync(async factory =>
|
|
|
|
|
|
{
|
|
|
|
|
|
await UpdateUserAsync(factory, user => user.MasterPassword = null);
|
|
|
|
|
|
|
|
|
|
|
|
}, MemberDecryptionType.TrustedDeviceEncryption);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
// If the organization has selected TrustedDeviceEncryption but the user still has their master password
|
|
|
|
|
|
// they can decrypt with either option
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// Expected to look like:
|
|
|
|
|
|
// "UserDecryptionOptions": {
|
|
|
|
|
|
// "Object": "userDecryptionOptions"
|
|
|
|
|
|
// "HasMasterPassword": false,
|
|
|
|
|
|
// "TrustedDeviceOption": {
|
|
|
|
|
|
// "HasAdminApproval": true,
|
|
|
|
|
|
// "HasLoginApprovingDevice": false,
|
|
|
|
|
|
// "HasManageResetPasswordPermission": false
|
|
|
|
|
|
// }
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
var trustedDeviceOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "TrustedDeviceOption", JsonValueKind.Object);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasAdminApproval", JsonValueKind.False);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasManageResetPasswordPermission", JsonValueKind.False);
|
|
|
|
|
|
|
|
|
|
|
|
// This asserts that device keys are not coming back in the response because this should be a new device.
|
|
|
|
|
|
// if we ever add new properties that come back from here it is fine to change the expected number of properties
|
|
|
|
|
|
// but it should still be asserted in some way that keys are not amongst them.
|
|
|
|
|
|
Assert.Collection(trustedDeviceOption.EnumerateObject(),
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("HasAdminApproval", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.False, p.Value.ValueKind);
|
|
|
|
|
|
},
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("HasLoginApprovingDevice", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.False, p.Value.ValueKind);
|
|
|
|
|
|
},
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("HasManageResetPasswordPermission", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.False, p.Value.ValueKind);
|
2024-07-23 20:53:08 +02:00
|
|
|
|
},
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("IsTdeOffboarding", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.False, p.Value.ValueKind);
|
2023-08-17 22:03:06 +02:00
|
|
|
|
});
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
|
/// If a user has a device that is able to accept login with device requests, we should return that state
|
|
|
|
|
|
/// with the user decryption options.
|
|
|
|
|
|
/// </summary>
|
|
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task SsoLogin_TrustedDeviceEncryptionAndNoMasterPassword_HasLoginApprovingDevice_ReturnsTrue()
|
|
|
|
|
|
{
|
|
|
|
|
|
using var responseBody = await RunSuccessTestAsync(async factory =>
|
|
|
|
|
|
{
|
|
|
|
|
|
await UpdateUserAsync(factory, user => user.MasterPassword = null);
|
|
|
|
|
|
var userRepository = factory.Services.GetRequiredService<IUserRepository>();
|
|
|
|
|
|
var user = await userRepository.GetByEmailAsync(TestEmail);
|
|
|
|
|
|
|
2024-07-24 15:48:09 +02:00
|
|
|
|
Assert.NotNull(user);
|
|
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
var deviceRepository = factory.Services.GetRequiredService<IDeviceRepository>();
|
|
|
|
|
|
await deviceRepository.CreateAsync(new Device
|
|
|
|
|
|
{
|
|
|
|
|
|
Identifier = "my_other_device",
|
|
|
|
|
|
Type = DeviceType.Android,
|
|
|
|
|
|
Name = "Android",
|
|
|
|
|
|
UserId = user.Id,
|
|
|
|
|
|
});
|
|
|
|
|
|
}, MemberDecryptionType.TrustedDeviceEncryption);
|
|
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
// If the organization has selected TrustedDeviceEncryption but the user still has their master password
|
|
|
|
|
|
// they can decrypt with either option
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// Expected to look like:
|
|
|
|
|
|
// "UserDecryptionOptions": {
|
|
|
|
|
|
// "Object": "userDecryptionOptions"
|
|
|
|
|
|
// "HasMasterPassword": false,
|
|
|
|
|
|
// "TrustedDeviceOption": {
|
|
|
|
|
|
// "HasAdminApproval": true,
|
|
|
|
|
|
// "HasLoginApprovingDevice": true,
|
|
|
|
|
|
// "HasManageResetPasswordPermission": false
|
2024-07-23 20:53:08 +02:00
|
|
|
|
// "IsTdeOffboarding": false
|
2023-08-17 22:03:06 +02:00
|
|
|
|
// }
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
var trustedDeviceOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "TrustedDeviceOption", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// This asserts that device keys are not coming back in the response because this should be a new device.
|
|
|
|
|
|
// if we ever add new properties that come back from here it is fine to change the expected number of properties
|
|
|
|
|
|
// but it should still be asserted in some way that keys are not amongst them.
|
|
|
|
|
|
Assert.Collection(trustedDeviceOption.EnumerateObject(),
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("HasAdminApproval", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.False, p.Value.ValueKind);
|
|
|
|
|
|
},
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("HasLoginApprovingDevice", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.True, p.Value.ValueKind);
|
|
|
|
|
|
},
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("HasManageResetPasswordPermission", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.False, p.Value.ValueKind);
|
2024-07-23 20:53:08 +02:00
|
|
|
|
},
|
|
|
|
|
|
p =>
|
|
|
|
|
|
{
|
|
|
|
|
|
Assert.Equal("IsTdeOffboarding", p.Name);
|
|
|
|
|
|
Assert.Equal(JsonValueKind.False, p.Value.ValueKind);
|
2023-08-17 22:03:06 +02:00
|
|
|
|
});
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
|
/// Story: When a user signs in with SSO on a device they have already signed in with we need to return the keys
|
|
|
|
|
|
/// back to them for the current device if it has been trusted before.
|
|
|
|
|
|
/// </summary>
|
|
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task SsoLogin_TrustedDeviceEncryptionAndNoMasterPassword_DeviceAlreadyTrusted_ReturnsOneOption()
|
2023-06-19 16:16:15 +02:00
|
|
|
|
{
|
|
|
|
|
|
// Arrange
|
|
|
|
|
|
var challenge = new string('c', 50);
|
|
|
|
|
|
var factory = await CreateFactoryAsync(new SsoConfigurationData
|
|
|
|
|
|
{
|
|
|
|
|
|
MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption,
|
|
|
|
|
|
}, challenge);
|
|
|
|
|
|
|
|
|
|
|
|
await UpdateUserAsync(factory, user => user.MasterPassword = null);
|
|
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
var deviceRepository = factory.Services.GetRequiredService<IDeviceRepository>();
|
|
|
|
|
|
|
|
|
|
|
|
var deviceIdentifier = $"test_id_{Guid.NewGuid()}";
|
|
|
|
|
|
|
|
|
|
|
|
var user = await factory.Services.GetRequiredService<IUserRepository>().GetByEmailAsync(TestEmail);
|
2024-07-24 15:48:09 +02:00
|
|
|
|
Assert.NotNull(user);
|
2023-08-17 22:03:06 +02:00
|
|
|
|
|
|
|
|
|
|
const string expectedPrivateKey = "2.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==|QmFzZTY0UGFydA==";
|
|
|
|
|
|
const string expectedUserKey = "2.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==|QmFzZTY0UGFydA==";
|
|
|
|
|
|
|
|
|
|
|
|
var device = await deviceRepository.CreateAsync(new Device
|
|
|
|
|
|
{
|
|
|
|
|
|
Type = DeviceType.FirefoxBrowser,
|
|
|
|
|
|
Identifier = deviceIdentifier,
|
|
|
|
|
|
Name = "Thing",
|
|
|
|
|
|
UserId = user.Id,
|
|
|
|
|
|
EncryptedPrivateKey = expectedPrivateKey,
|
|
|
|
|
|
EncryptedPublicKey = "2.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==|QmFzZTY0UGFydA==",
|
|
|
|
|
|
EncryptedUserKey = expectedUserKey,
|
|
|
|
|
|
});
|
|
|
|
|
|
|
2023-06-19 16:16:15 +02:00
|
|
|
|
// Act
|
|
|
|
|
|
var context = await factory.Server.PostAsync("/connect/token", new FormUrlEncodedContent(new Dictionary<string, string>
|
|
|
|
|
|
{
|
|
|
|
|
|
{ "scope", "api offline_access" },
|
|
|
|
|
|
{ "client_id", "web" },
|
|
|
|
|
|
{ "deviceType", "10" },
|
2023-08-17 22:03:06 +02:00
|
|
|
|
{ "deviceIdentifier", deviceIdentifier },
|
2023-06-19 16:16:15 +02:00
|
|
|
|
{ "deviceName", "firefox" },
|
|
|
|
|
|
{ "twoFactorToken", "TEST"},
|
|
|
|
|
|
{ "twoFactorProvider", "5" }, // RememberMe Provider
|
|
|
|
|
|
{ "twoFactorRemember", "0" },
|
|
|
|
|
|
{ "grant_type", "authorization_code" },
|
|
|
|
|
|
{ "code", "test_code" },
|
|
|
|
|
|
{ "code_verifier", challenge },
|
|
|
|
|
|
{ "redirect_uri", "https://localhost:8080/sso-connector.html" }
|
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
// If the organization has selected TrustedDeviceEncryption but the user still has their master password
|
|
|
|
|
|
// they can decrypt with either option
|
|
|
|
|
|
Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
|
|
|
|
|
|
using var responseBody = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// Expected to look like:
|
|
|
|
|
|
// "UserDecryptionOptions": {
|
|
|
|
|
|
// "Object": "userDecryptionOptions"
|
|
|
|
|
|
// "HasMasterPassword": false,
|
|
|
|
|
|
// "TrustedDeviceOption": {
|
2023-08-17 22:03:06 +02:00
|
|
|
|
// "HasAdminApproval": true,
|
|
|
|
|
|
// "HasManageResetPasswordPermission": false,
|
|
|
|
|
|
// "EncryptedPrivateKey": "2.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==|QmFzZTY0UGFydA==",
|
|
|
|
|
|
// "EncryptedUserKey": "2.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==|QmFzZTY0UGFydA=="
|
2023-06-19 16:16:15 +02:00
|
|
|
|
// }
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
var trustedDeviceOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "TrustedDeviceOption", JsonValueKind.Object);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasAdminApproval", JsonValueKind.False);
|
2023-08-17 22:03:06 +02:00
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasManageResetPasswordPermission", JsonValueKind.False);
|
|
|
|
|
|
|
|
|
|
|
|
var actualPrivateKey = AssertHelper.AssertJsonProperty(trustedDeviceOption, "EncryptedPrivateKey", JsonValueKind.String).GetString();
|
|
|
|
|
|
Assert.Equal(expectedPrivateKey, actualPrivateKey);
|
|
|
|
|
|
var actualUserKey = AssertHelper.AssertJsonProperty(trustedDeviceOption, "EncryptedUserKey", JsonValueKind.String).GetString();
|
|
|
|
|
|
Assert.Equal(expectedUserKey, actualUserKey);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
// we should add a test case for JIT provisioned users. They don't have any orgs which caused
|
|
|
|
|
|
// an error in the UserHasManageResetPasswordPermission set logic.
|
|
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
|
/// Story: When a user with TDE and the manage reset password permission signs in with SSO, we should return
|
|
|
|
|
|
/// TrustedDeviceEncryption.HasManageResetPasswordPermission as true
|
|
|
|
|
|
/// </summary>
|
2023-06-27 02:17:39 +02:00
|
|
|
|
[Fact]
|
2023-08-17 22:03:06 +02:00
|
|
|
|
public async Task SsoLogin_TrustedDeviceEncryption_UserHasManageResetPasswordPermission_ReturnsTrue()
|
2023-06-27 02:17:39 +02:00
|
|
|
|
{
|
|
|
|
|
|
// Arrange
|
|
|
|
|
|
var challenge = new string('c', 50);
|
|
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
// create user permissions with the ManageResetPassword permission
|
|
|
|
|
|
var permissionsWithManageResetPassword = new Permissions() { ManageResetPassword = true };
|
|
|
|
|
|
|
2023-06-27 02:17:39 +02:00
|
|
|
|
var factory = await CreateFactoryAsync(new SsoConfigurationData
|
|
|
|
|
|
{
|
|
|
|
|
|
MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption,
|
2023-08-17 22:03:06 +02:00
|
|
|
|
}, challenge, permissions: permissionsWithManageResetPassword);
|
2023-06-27 02:17:39 +02:00
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
var context = await factory.Server.PostAsync("/connect/token", new FormUrlEncodedContent(new Dictionary<string, string>
|
|
|
|
|
|
{
|
|
|
|
|
|
{ "scope", "api offline_access" },
|
|
|
|
|
|
{ "client_id", "web" },
|
|
|
|
|
|
{ "deviceType", "10" },
|
|
|
|
|
|
{ "deviceIdentifier", "test_id" },
|
|
|
|
|
|
{ "deviceName", "firefox" },
|
|
|
|
|
|
{ "twoFactorToken", "TEST"},
|
|
|
|
|
|
{ "twoFactorProvider", "5" }, // RememberMe Provider
|
|
|
|
|
|
{ "twoFactorRemember", "0" },
|
|
|
|
|
|
{ "grant_type", "authorization_code" },
|
|
|
|
|
|
{ "code", "test_code" },
|
|
|
|
|
|
{ "code_verifier", challenge },
|
|
|
|
|
|
{ "redirect_uri", "https://localhost:8080/sso-connector.html" }
|
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
|
|
// Assert
|
|
|
|
|
|
// If the organization has selected TrustedDeviceEncryption but the user still has their master password
|
|
|
|
|
|
// they can decrypt with either option
|
|
|
|
|
|
Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
|
|
|
|
|
|
using var responseBody = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
2023-08-17 22:03:06 +02:00
|
|
|
|
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
var trustedDeviceOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "TrustedDeviceOption", JsonValueKind.Object);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasAdminApproval", JsonValueKind.False);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasManageResetPasswordPermission", JsonValueKind.True);
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-02-09 21:08:22 +01:00
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task SsoLogin_TrustedDeviceEncryption_ProviderUserHasManageResetPassword_ReturnsCorrectOptions()
|
|
|
|
|
|
{
|
|
|
|
|
|
var challenge = new string('c', 50);
|
|
|
|
|
|
|
|
|
|
|
|
var factory = await CreateFactoryAsync(new SsoConfigurationData
|
|
|
|
|
|
{
|
|
|
|
|
|
MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption,
|
|
|
|
|
|
}, challenge);
|
|
|
|
|
|
|
|
|
|
|
|
var user = await factory.Services.GetRequiredService<IUserRepository>().GetByEmailAsync(TestEmail);
|
2024-07-24 15:48:09 +02:00
|
|
|
|
Assert.NotNull(user);
|
2024-02-09 21:08:22 +01:00
|
|
|
|
var providerRepository = factory.Services.GetRequiredService<IProviderRepository>();
|
|
|
|
|
|
var provider = await providerRepository.CreateAsync(new Provider
|
|
|
|
|
|
{
|
|
|
|
|
|
Name = "Test Provider",
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
var providerUserRepository = factory.Services.GetRequiredService<IProviderUserRepository>();
|
|
|
|
|
|
await providerUserRepository.CreateAsync(new ProviderUser
|
|
|
|
|
|
{
|
|
|
|
|
|
ProviderId = provider.Id,
|
|
|
|
|
|
UserId = user.Id,
|
|
|
|
|
|
Status = ProviderUserStatusType.Confirmed,
|
|
|
|
|
|
Permissions = CoreHelpers.ClassToJsonData(new Permissions
|
|
|
|
|
|
{
|
|
|
|
|
|
ManageResetPassword = true,
|
|
|
|
|
|
}),
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
var organizationUserRepository = factory.Services.GetRequiredService<IOrganizationUserRepository>();
|
|
|
|
|
|
var organizationUser = (await organizationUserRepository.GetManyByUserAsync(user.Id)).Single();
|
|
|
|
|
|
|
|
|
|
|
|
var providerOrganizationRepository = factory.Services.GetRequiredService<IProviderOrganizationRepository>();
|
|
|
|
|
|
await providerOrganizationRepository.CreateAsync(new ProviderOrganization
|
|
|
|
|
|
{
|
|
|
|
|
|
ProviderId = provider.Id,
|
|
|
|
|
|
OrganizationId = organizationUser.OrganizationId,
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Act
|
|
|
|
|
|
var context = await factory.Server.PostAsync("/connect/token", new FormUrlEncodedContent(new Dictionary<string, string>
|
|
|
|
|
|
{
|
|
|
|
|
|
{ "scope", "api offline_access" },
|
|
|
|
|
|
{ "client_id", "web" },
|
|
|
|
|
|
{ "deviceType", "10" },
|
|
|
|
|
|
{ "deviceIdentifier", "test_id" },
|
|
|
|
|
|
{ "deviceName", "firefox" },
|
|
|
|
|
|
{ "twoFactorToken", "TEST"},
|
|
|
|
|
|
{ "twoFactorProvider", "5" }, // RememberMe Provider
|
|
|
|
|
|
{ "twoFactorRemember", "0" },
|
|
|
|
|
|
{ "grant_type", "authorization_code" },
|
|
|
|
|
|
{ "code", "test_code" },
|
|
|
|
|
|
{ "code_verifier", challenge },
|
|
|
|
|
|
{ "redirect_uri", "https://localhost:8080/sso-connector.html" }
|
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
|
|
Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
|
|
|
|
|
|
using var responseBody = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
var trustedDeviceOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "TrustedDeviceOption", JsonValueKind.Object);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasAdminApproval", JsonValueKind.False);
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(trustedDeviceOption, "HasManageResetPasswordPermission", JsonValueKind.True);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-06-19 16:16:15 +02:00
|
|
|
|
[Fact]
|
|
|
|
|
|
public async Task SsoLogin_KeyConnector_ReturnsOptions()
|
|
|
|
|
|
{
|
2023-08-17 22:03:06 +02:00
|
|
|
|
using var responseBody = await RunSuccessTestAsync(async factory =>
|
2023-06-19 16:16:15 +02:00
|
|
|
|
{
|
2023-08-17 22:03:06 +02:00
|
|
|
|
await UpdateUserAsync(factory, user => user.MasterPassword = null);
|
|
|
|
|
|
}, MemberDecryptionType.KeyConnector, "https://key_connector.com");
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
|
|
|
|
|
var root = responseBody.RootElement;
|
|
|
|
|
|
AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
|
|
|
|
|
|
|
|
|
|
|
|
var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
// Expected to look like:
|
|
|
|
|
|
// "UserDecryptionOptions": {
|
|
|
|
|
|
// "Object": "userDecryptionOptions"
|
|
|
|
|
|
// "KeyConnectorOption": {
|
|
|
|
|
|
// "KeyConnectorUrl": "https://key_connector.com"
|
|
|
|
|
|
// }
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
var keyConnectorOption = AssertHelper.AssertJsonProperty(userDecryptionOptions, "KeyConnectorOption", JsonValueKind.Object);
|
|
|
|
|
|
|
|
|
|
|
|
var keyConnectorUrl = AssertHelper.AssertJsonProperty(keyConnectorOption, "KeyConnectorUrl", JsonValueKind.String).GetString();
|
|
|
|
|
|
Assert.Equal("https://key_connector.com", keyConnectorUrl);
|
|
|
|
|
|
|
|
|
|
|
|
// For backwards compatibility reasons the url should also be on the root
|
|
|
|
|
|
keyConnectorUrl = AssertHelper.AssertJsonProperty(root, "KeyConnectorUrl", JsonValueKind.String).GetString();
|
|
|
|
|
|
Assert.Equal("https://key_connector.com", keyConnectorUrl);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-08-17 22:03:06 +02:00
|
|
|
|
private static async Task<JsonDocument> RunSuccessTestAsync(MemberDecryptionType memberDecryptionType)
|
|
|
|
|
|
{
|
|
|
|
|
|
return await RunSuccessTestAsync(factory => Task.CompletedTask, memberDecryptionType);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
private static async Task<JsonDocument> RunSuccessTestAsync(Func<IdentityApplicationFactory, Task> configureFactory,
|
|
|
|
|
|
MemberDecryptionType memberDecryptionType,
|
|
|
|
|
|
string? keyConnectorUrl = null,
|
|
|
|
|
|
bool trustedDeviceEnabled = true)
|
|
|
|
|
|
{
|
|
|
|
|
|
var challenge = new string('c', 50);
|
|
|
|
|
|
var factory = await CreateFactoryAsync(new SsoConfigurationData
|
|
|
|
|
|
{
|
|
|
|
|
|
MemberDecryptionType = memberDecryptionType,
|
|
|
|
|
|
KeyConnectorUrl = keyConnectorUrl,
|
|
|
|
|
|
}, challenge, trustedDeviceEnabled);
|
|
|
|
|
|
|
|
|
|
|
|
await configureFactory(factory);
|
|
|
|
|
|
var context = await factory.Server.PostAsync("/connect/token", new FormUrlEncodedContent(new Dictionary<string, string>
|
|
|
|
|
|
{
|
|
|
|
|
|
{ "scope", "api offline_access" },
|
|
|
|
|
|
{ "client_id", "web" },
|
|
|
|
|
|
{ "deviceType", "10" },
|
|
|
|
|
|
{ "deviceIdentifier", "test_id" },
|
|
|
|
|
|
{ "deviceName", "firefox" },
|
|
|
|
|
|
{ "twoFactorToken", "TEST"},
|
|
|
|
|
|
{ "twoFactorProvider", "5" }, // RememberMe Provider
|
|
|
|
|
|
{ "twoFactorRemember", "0" },
|
|
|
|
|
|
{ "grant_type", "authorization_code" },
|
|
|
|
|
|
{ "code", "test_code" },
|
|
|
|
|
|
{ "code_verifier", challenge },
|
|
|
|
|
|
{ "redirect_uri", "https://localhost:8080/sso-connector.html" }
|
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
|
|
// Only calls that result in a 200 OK should call this helper
|
|
|
|
|
|
Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
|
|
|
|
|
|
|
|
|
|
|
|
return await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
private static async Task<IdentityApplicationFactory> CreateFactoryAsync(
|
|
|
|
|
|
SsoConfigurationData ssoConfigurationData,
|
|
|
|
|
|
string challenge,
|
|
|
|
|
|
bool trustedDeviceEnabled = true,
|
|
|
|
|
|
Permissions? permissions = null)
|
2023-06-19 16:16:15 +02:00
|
|
|
|
{
|
|
|
|
|
|
var factory = new IdentityApplicationFactory();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
var authorizationCode = new AuthorizationCode
|
|
|
|
|
|
{
|
|
|
|
|
|
ClientId = "web",
|
|
|
|
|
|
CreationTime = DateTime.UtcNow,
|
|
|
|
|
|
Lifetime = (int)TimeSpan.FromMinutes(5).TotalSeconds,
|
|
|
|
|
|
RedirectUri = "https://localhost:8080/sso-connector.html",
|
|
|
|
|
|
RequestedScopes = new[] { "api", "offline_access" },
|
|
|
|
|
|
CodeChallenge = challenge.Sha256(),
|
2023-08-17 22:03:06 +02:00
|
|
|
|
CodeChallengeMethod = "plain", //
|
2024-07-24 15:48:09 +02:00
|
|
|
|
Subject = null!, // Temporarily set it to null
|
2023-06-19 16:16:15 +02:00
|
|
|
|
};
|
|
|
|
|
|
|
2024-07-02 23:03:36 +02:00
|
|
|
|
factory.SubstituteService<IAuthorizationCodeStore>(service =>
|
2023-06-19 16:16:15 +02:00
|
|
|
|
{
|
|
|
|
|
|
service.GetAuthorizationCodeAsync("test_code")
|
|
|
|
|
|
.Returns(authorizationCode);
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// This starts the server and finalizes services
|
|
|
|
|
|
var registerResponse = await factory.RegisterAsync(new RegisterRequestModel
|
|
|
|
|
|
{
|
|
|
|
|
|
Email = TestEmail,
|
|
|
|
|
|
MasterPasswordHash = "master_password_hash",
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
var userRepository = factory.Services.GetRequiredService<IUserRepository>();
|
|
|
|
|
|
var user = await userRepository.GetByEmailAsync(TestEmail);
|
2024-07-24 15:48:09 +02:00
|
|
|
|
Assert.NotNull(user);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
|
|
|
|
|
var organizationRepository = factory.Services.GetRequiredService<IOrganizationRepository>();
|
|
|
|
|
|
var organization = await organizationRepository.CreateAsync(new Organization
|
|
|
|
|
|
{
|
|
|
|
|
|
Name = "Test Org",
|
2024-07-05 03:14:37 +02:00
|
|
|
|
BillingEmail = "billing-email@example.com",
|
|
|
|
|
|
Plan = "Enterprise",
|
|
|
|
|
|
UsePolicies = true,
|
2023-06-19 16:16:15 +02:00
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
var organizationUserRepository = factory.Services.GetRequiredService<IOrganizationUserRepository>();
|
2023-08-17 22:03:06 +02:00
|
|
|
|
|
|
|
|
|
|
var orgUserPermissions =
|
|
|
|
|
|
(permissions == null) ? null : JsonSerializer.Serialize(permissions, JsonHelpers.CamelCase);
|
|
|
|
|
|
|
2023-06-19 16:16:15 +02:00
|
|
|
|
var organizationUser = await organizationUserRepository.CreateAsync(new OrganizationUser
|
|
|
|
|
|
{
|
|
|
|
|
|
UserId = user.Id,
|
|
|
|
|
|
OrganizationId = organization.Id,
|
|
|
|
|
|
Status = OrganizationUserStatusType.Confirmed,
|
|
|
|
|
|
Type = OrganizationUserType.User,
|
2023-08-17 22:03:06 +02:00
|
|
|
|
Permissions = orgUserPermissions
|
2023-06-19 16:16:15 +02:00
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
var ssoConfigRepository = factory.Services.GetRequiredService<ISsoConfigRepository>();
|
|
|
|
|
|
await ssoConfigRepository.CreateAsync(new SsoConfig
|
|
|
|
|
|
{
|
|
|
|
|
|
OrganizationId = organization.Id,
|
|
|
|
|
|
Enabled = true,
|
|
|
|
|
|
Data = JsonSerializer.Serialize(ssoConfigurationData, JsonHelpers.CamelCase),
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
var subject = new ClaimsPrincipal(new ClaimsIdentity(new[]
|
|
|
|
|
|
{
|
|
|
|
|
|
new Claim(JwtClaimTypes.Subject, user.Id.ToString()), // Get real user id
|
|
|
|
|
|
new Claim(JwtClaimTypes.Name, TestEmail),
|
|
|
|
|
|
new Claim(JwtClaimTypes.IdentityProvider, "sso"),
|
|
|
|
|
|
new Claim("organizationId", organization.Id.ToString()),
|
|
|
|
|
|
new Claim(JwtClaimTypes.SessionId, "SOMETHING"),
|
|
|
|
|
|
new Claim(JwtClaimTypes.AuthenticationMethod, "external"),
|
|
|
|
|
|
new Claim(JwtClaimTypes.AuthenticationTime, DateTime.UtcNow.AddMinutes(-1).ToEpochTime().ToString())
|
2023-11-20 22:32:23 +01:00
|
|
|
|
}, "Duende.IdentityServer", JwtClaimTypes.Name, JwtClaimTypes.Role));
|
2023-06-19 16:16:15 +02:00
|
|
|
|
|
|
|
|
|
|
authorizationCode.Subject = subject;
|
|
|
|
|
|
|
|
|
|
|
|
return factory;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
private static async Task UpdateUserAsync(IdentityApplicationFactory factory, Action<User> changeUser)
|
|
|
|
|
|
{
|
|
|
|
|
|
var userRepository = factory.Services.GetRequiredService<IUserRepository>();
|
|
|
|
|
|
var user = await userRepository.GetByEmailAsync(TestEmail);
|
2024-07-24 15:48:09 +02:00
|
|
|
|
Assert.NotNull(user);
|
2023-06-19 16:16:15 +02:00
|
|
|
|
changeUser(user);
|
|
|
|
|
|
|
|
|
|
|
|
await userRepository.ReplaceAsync(user);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
