2015-12-09 04:57:38 +01:00
|
|
|
|
using System;
|
|
|
|
|
|
using System.Security.Claims;
|
2016-05-20 01:10:24 +02:00
|
|
|
|
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
|
|
|
|
|
using Microsoft.AspNetCore.Builder;
|
|
|
|
|
|
using Microsoft.AspNetCore.Hosting;
|
2015-12-09 04:57:38 +01:00
|
|
|
|
using Microsoft.Extensions.Configuration;
|
|
|
|
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
|
|
|
|
using Microsoft.Extensions.Logging;
|
2016-05-20 01:10:24 +02:00
|
|
|
|
using Microsoft.Extensions.Options;
|
|
|
|
|
|
using Microsoft.IdentityModel.Tokens;
|
2015-12-09 04:57:38 +01:00
|
|
|
|
using Bit.Api.Utilities;
|
|
|
|
|
|
using Bit.Core;
|
|
|
|
|
|
using Bit.Core.Identity;
|
2016-07-14 00:37:14 +02:00
|
|
|
|
using System.Linq;
|
|
|
|
|
|
using Microsoft.AspNetCore.Mvc.Formatters;
|
|
|
|
|
|
using Microsoft.Net.Http.Headers;
|
2016-07-14 01:24:26 +02:00
|
|
|
|
using Newtonsoft.Json.Serialization;
|
2016-11-13 00:43:32 +01:00
|
|
|
|
using AspNetCoreRateLimit;
|
|
|
|
|
|
using Bit.Api.Middleware;
|
2017-01-15 05:24:02 +01:00
|
|
|
|
using Serilog.Events;
|
2017-05-05 22:11:50 +02:00
|
|
|
|
using Bit.Core.IdentityServer;
|
2017-04-04 16:13:16 +02:00
|
|
|
|
using Stripe;
|
2017-05-06 02:57:33 +02:00
|
|
|
|
using Bit.Core.Utilities;
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
|
|
|
|
|
namespace Bit.Api
|
|
|
|
|
|
{
|
|
|
|
|
|
public class Startup
|
|
|
|
|
|
{
|
|
|
|
|
|
public Startup(IHostingEnvironment env)
|
|
|
|
|
|
{
|
|
|
|
|
|
var builder = new ConfigurationBuilder()
|
2016-05-20 01:10:24 +02:00
|
|
|
|
.SetBasePath(env.ContentRootPath)
|
2015-12-09 04:57:38 +01:00
|
|
|
|
.AddJsonFile("settings.json")
|
|
|
|
|
|
.AddJsonFile($"settings.{env.EnvironmentName}.json", optional: true);
|
|
|
|
|
|
|
|
|
|
|
|
if(env.IsDevelopment())
|
|
|
|
|
|
{
|
2017-03-09 03:38:37 +01:00
|
|
|
|
builder.AddUserSecrets<Startup>();
|
2015-12-09 04:57:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
builder.AddEnvironmentVariables();
|
|
|
|
|
|
|
|
|
|
|
|
Configuration = builder.Build();
|
2017-01-13 03:07:25 +01:00
|
|
|
|
Environment = env;
|
2015-12-09 04:57:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public IConfigurationRoot Configuration { get; private set; }
|
2017-01-13 03:07:25 +01:00
|
|
|
|
public IHostingEnvironment Environment { get; set; }
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
|
|
|
|
|
public void ConfigureServices(IServiceCollection services)
|
|
|
|
|
|
{
|
2016-05-20 01:10:24 +02:00
|
|
|
|
var provider = services.BuildServiceProvider();
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
|
|
|
|
|
// Options
|
|
|
|
|
|
services.AddOptions();
|
|
|
|
|
|
|
|
|
|
|
|
// Settings
|
2017-05-06 02:57:33 +02:00
|
|
|
|
var globalSettings = services.AddGlobalSettingsServices(Configuration);
|
2016-11-13 00:43:32 +01:00
|
|
|
|
services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
|
|
|
|
|
|
services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
2017-03-24 03:02:55 +01:00
|
|
|
|
// Data Protection
|
2017-05-06 02:57:33 +02:00
|
|
|
|
services.AddCustomDataProtectionServices(Environment, globalSettings);
|
2017-03-24 03:02:55 +01:00
|
|
|
|
|
2017-04-04 16:13:16 +02:00
|
|
|
|
// Stripe Billing
|
|
|
|
|
|
StripeConfiguration.SetApiKey(globalSettings.StripeApiKey);
|
|
|
|
|
|
|
2015-12-09 04:57:38 +01:00
|
|
|
|
// Repositories
|
2017-04-26 22:13:24 +02:00
|
|
|
|
services.AddSqlServerRepositories();
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
|
|
|
|
|
// Context
|
|
|
|
|
|
services.AddScoped<CurrentContext>();
|
|
|
|
|
|
|
2016-11-13 00:43:32 +01:00
|
|
|
|
// Caching
|
|
|
|
|
|
services.AddMemoryCache();
|
|
|
|
|
|
|
|
|
|
|
|
// Rate limiting
|
|
|
|
|
|
services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
|
|
|
|
|
|
services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
|
|
|
|
|
|
|
2017-01-11 06:34:16 +01:00
|
|
|
|
// IdentityServer
|
2017-05-06 02:57:33 +02:00
|
|
|
|
services.AddCustomIdentityServerServices(Environment, globalSettings);
|
2017-01-11 06:34:16 +01:00
|
|
|
|
|
2015-12-09 04:57:38 +01:00
|
|
|
|
// Identity
|
2017-05-06 02:57:33 +02:00
|
|
|
|
services.AddCustomIdentityServices(globalSettings);
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
|
|
|
|
|
var jwtIdentityOptions = provider.GetRequiredService<IOptions<JwtBearerIdentityOptions>>().Value;
|
2015-12-31 00:49:43 +01:00
|
|
|
|
services.AddAuthorization(config =>
|
2015-12-09 04:57:38 +01:00
|
|
|
|
{
|
2017-01-11 06:34:16 +01:00
|
|
|
|
config.AddPolicy("Application", policy =>
|
|
|
|
|
|
{
|
2017-05-06 03:39:30 +02:00
|
|
|
|
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2", "Bearer3");
|
2017-01-11 06:34:16 +01:00
|
|
|
|
policy.RequireAuthenticatedUser();
|
|
|
|
|
|
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.AuthenticationMethod);
|
|
|
|
|
|
});
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
2017-01-11 06:34:16 +01:00
|
|
|
|
config.AddPolicy("TwoFactor", policy =>
|
|
|
|
|
|
{
|
2017-05-06 03:39:30 +02:00
|
|
|
|
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2", "Bearer3");
|
2017-01-11 06:34:16 +01:00
|
|
|
|
policy.RequireAuthenticatedUser();
|
|
|
|
|
|
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.TwoFactorAuthenticationMethod);
|
|
|
|
|
|
});
|
2015-12-09 04:57:38 +01:00
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
services.AddScoped<AuthenticatorTokenProvider>();
|
|
|
|
|
|
|
|
|
|
|
|
// Services
|
2017-04-26 22:13:24 +02:00
|
|
|
|
services.AddBaseServices();
|
|
|
|
|
|
services.AddDefaultServices();
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
|
|
|
|
|
// Cors
|
2015-12-31 00:49:43 +01:00
|
|
|
|
services.AddCors(config =>
|
|
|
|
|
|
{
|
2016-07-14 00:37:14 +02:00
|
|
|
|
config.AddPolicy("All", policy =>
|
|
|
|
|
|
policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().SetPreflightMaxAge(TimeSpan.FromDays(1)));
|
2015-12-31 00:49:43 +01:00
|
|
|
|
});
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
|
|
|
|
|
// MVC
|
2015-12-31 00:49:43 +01:00
|
|
|
|
services.AddMvc(config =>
|
2015-12-09 04:57:38 +01:00
|
|
|
|
{
|
2015-12-31 00:49:43 +01:00
|
|
|
|
config.Filters.Add(new ExceptionHandlerFilterAttribute());
|
|
|
|
|
|
config.Filters.Add(new ModelStateValidationFilterAttribute());
|
2016-07-14 00:42:57 +02:00
|
|
|
|
|
2016-07-14 00:37:14 +02:00
|
|
|
|
// Allow JSON of content type "text/plain" to avoid cors preflight
|
2016-07-14 00:42:57 +02:00
|
|
|
|
var textPlainMediaType = MediaTypeHeaderValue.Parse("text/plain");
|
|
|
|
|
|
foreach(var jsonFormatter in config.InputFormatters.OfType<JsonInputFormatter>())
|
|
|
|
|
|
{
|
|
|
|
|
|
jsonFormatter.SupportedMediaTypes.Add(textPlainMediaType);
|
|
|
|
|
|
}
|
2017-01-29 04:23:25 +01:00
|
|
|
|
}).AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
|
2015-12-09 04:57:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2016-02-07 05:45:33 +01:00
|
|
|
|
public void Configure(
|
|
|
|
|
|
IApplicationBuilder app,
|
|
|
|
|
|
IHostingEnvironment env,
|
|
|
|
|
|
ILoggerFactory loggerFactory,
|
2017-01-15 05:24:02 +01:00
|
|
|
|
IApplicationLifetime appLifetime,
|
2016-02-07 05:45:33 +01:00
|
|
|
|
GlobalSettings globalSettings)
|
2015-12-09 04:57:38 +01:00
|
|
|
|
{
|
2017-05-06 02:57:33 +02:00
|
|
|
|
loggerFactory
|
|
|
|
|
|
.AddSerilog(env, appLifetime, globalSettings, (e) =>
|
2017-01-15 05:24:02 +01:00
|
|
|
|
{
|
|
|
|
|
|
var context = e.Properties["SourceContext"].ToString();
|
2017-04-26 19:33:39 +02:00
|
|
|
|
if(e.Exception != null && (e.Exception.GetType() == typeof(SecurityTokenValidationException) ||
|
|
|
|
|
|
e.Exception.Message == "Bad security stamp."))
|
2016-10-29 08:59:17 +02:00
|
|
|
|
{
|
2017-01-15 05:24:02 +01:00
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-04-26 19:33:39 +02:00
|
|
|
|
if(context.Contains(typeof(IpRateLimitMiddleware).FullName) && e.Level == LogEventLevel.Information)
|
2017-01-15 05:24:02 +01:00
|
|
|
|
{
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-04-28 22:07:06 +02:00
|
|
|
|
if(context.Contains("IdentityServer4.Validation.TokenRequestValidator"))
|
|
|
|
|
|
{
|
|
|
|
|
|
return e.Level > LogEventLevel.Error;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-01-15 05:24:02 +01:00
|
|
|
|
return e.Level >= LogEventLevel.Error;
|
2017-05-06 02:57:33 +02:00
|
|
|
|
})
|
|
|
|
|
|
.AddDebug();
|
2017-01-15 05:24:02 +01:00
|
|
|
|
|
2016-11-13 00:43:32 +01:00
|
|
|
|
// Rate limiting
|
|
|
|
|
|
app.UseMiddleware<CustomIpRateLimitMiddleware>();
|
|
|
|
|
|
|
2015-12-09 04:57:38 +01:00
|
|
|
|
// Add static files to the request pipeline.
|
|
|
|
|
|
app.UseStaticFiles();
|
|
|
|
|
|
|
|
|
|
|
|
// Add Cors
|
|
|
|
|
|
app.UseCors("All");
|
|
|
|
|
|
|
2017-01-11 06:34:16 +01:00
|
|
|
|
// Add IdentityServer to the request pipeline.
|
|
|
|
|
|
app.UseIdentityServer();
|
2017-05-06 03:39:30 +02:00
|
|
|
|
app.UseIdentityServerAuthentication(
|
|
|
|
|
|
GetIdentityOptions(env, IdentityServerAuthority(env, "api", "4000"), "2"));
|
|
|
|
|
|
app.UseIdentityServerAuthentication(
|
|
|
|
|
|
GetIdentityOptions(env, IdentityServerAuthority(env, "identity", "33656"), "3"));
|
2017-04-19 22:01:34 +02:00
|
|
|
|
|
|
|
|
|
|
// Add Jwt authentication to the request pipeline.
|
|
|
|
|
|
app.UseJwtBearerIdentity();
|
|
|
|
|
|
|
|
|
|
|
|
// Add current context
|
|
|
|
|
|
app.UseMiddleware<CurrentContextMiddleware>();
|
|
|
|
|
|
|
|
|
|
|
|
// Add MVC to the request pipeline.
|
|
|
|
|
|
app.UseMvc();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-05-06 03:39:30 +02:00
|
|
|
|
private IdentityServerAuthenticationOptions GetIdentityOptions(IHostingEnvironment env,
|
|
|
|
|
|
string authority, string suffix)
|
2017-04-19 22:01:34 +02:00
|
|
|
|
{
|
|
|
|
|
|
var options = new IdentityServerAuthenticationOptions
|
2017-01-11 06:34:16 +01:00
|
|
|
|
{
|
2017-05-06 03:39:30 +02:00
|
|
|
|
Authority = authority,
|
2017-01-11 06:34:16 +01:00
|
|
|
|
AllowedScopes = new string[] { "api" },
|
2017-04-19 05:08:47 +02:00
|
|
|
|
RequireHttpsMetadata = env.IsProduction(),
|
2017-03-10 02:30:19 +01:00
|
|
|
|
ApiName = "api",
|
2017-01-17 04:02:12 +01:00
|
|
|
|
NameClaimType = ClaimTypes.Email,
|
2017-05-06 03:39:30 +02:00
|
|
|
|
// Suffix until we retire the old jwt schemes.
|
|
|
|
|
|
AuthenticationScheme = $"Bearer{suffix}",
|
|
|
|
|
|
TokenRetriever = TokenRetrieval.FromAuthorizationHeaderOrQueryString(
|
|
|
|
|
|
$"Bearer{suffix}", $"access_token{suffix}")
|
2017-04-19 22:01:34 +02:00
|
|
|
|
};
|
2015-12-09 04:57:38 +01:00
|
|
|
|
|
2017-05-06 03:39:30 +02:00
|
|
|
|
return options;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
private string IdentityServerAuthority(IHostingEnvironment env, string subdomain, string port)
|
|
|
|
|
|
{
|
2017-04-19 22:01:34 +02:00
|
|
|
|
if(env.IsProduction())
|
|
|
|
|
|
{
|
2017-05-06 03:39:30 +02:00
|
|
|
|
return $"https://{subdomain}.bitwarden.com";
|
2017-04-19 22:01:34 +02:00
|
|
|
|
}
|
|
|
|
|
|
else if(env.IsEnvironment("Preview"))
|
|
|
|
|
|
{
|
2017-05-06 03:39:30 +02:00
|
|
|
|
return $"https://preview-{subdomain}.bitwarden.com";
|
2017-04-19 22:01:34 +02:00
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
2017-05-06 03:39:30 +02:00
|
|
|
|
return $"http://localhost:{port}";
|
|
|
|
|
|
//return $"http://192.168.1.8:{port}"; // Desktop external
|
2017-04-19 22:01:34 +02:00
|
|
|
|
}
|
2015-12-09 04:57:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
