1
0
mirror of https://github.com/bitwarden/server.git synced 2024-12-12 15:26:48 +01:00
bitwarden-server/src/Api/Startup.cs

251 lines
10 KiB
C#
Raw Normal View History

2015-12-09 04:57:38 +01:00
using System;
using System.Security.Claims;
2016-05-20 01:10:24 +02:00
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
2015-12-09 04:57:38 +01:00
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
2016-05-20 01:10:24 +02:00
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
2015-12-09 04:57:38 +01:00
using Bit.Api.Utilities;
using Bit.Core;
using Bit.Core.Domains;
using Bit.Core.Identity;
using Bit.Core.Repositories;
using Bit.Core.Services;
using SqlServerRepos = Bit.Core.Repositories.SqlServer;
2016-05-20 01:10:24 +02:00
using System.Text;
2016-06-21 06:30:36 +02:00
using Loggr.Extensions.Logging;
using System.Linq;
using Microsoft.AspNetCore.Mvc.Formatters;
using Microsoft.Net.Http.Headers;
using Newtonsoft.Json.Serialization;
2016-11-13 00:43:32 +01:00
using AspNetCoreRateLimit;
using Bit.Api.Middleware;
using IdentityServer4.Validation;
using IdentityServer4.Services;
using IdentityModel.AspNetCore.OAuth2Introspection;
using IdentityServer4.Stores;
using Bit.Core.Utilities;
2015-12-09 04:57:38 +01:00
namespace Bit.Api
{
public class Startup
{
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
2016-05-20 01:10:24 +02:00
.SetBasePath(env.ContentRootPath)
2015-12-09 04:57:38 +01:00
.AddJsonFile("settings.json")
.AddJsonFile($"settings.{env.EnvironmentName}.json", optional: true);
if(env.IsDevelopment())
{
builder.AddUserSecrets();
2016-10-27 06:09:55 +02:00
builder.AddApplicationInsightsSettings(developerMode: true);
2015-12-09 04:57:38 +01:00
}
builder.AddEnvironmentVariables();
Configuration = builder.Build();
}
public IConfigurationRoot Configuration { get; private set; }
public void ConfigureServices(IServiceCollection services)
{
2016-10-27 06:09:55 +02:00
services.AddApplicationInsightsTelemetry(Configuration);
2016-05-20 01:10:24 +02:00
var provider = services.BuildServiceProvider();
2015-12-09 04:57:38 +01:00
// Options
services.AddOptions();
// Settings
2016-05-20 01:10:24 +02:00
var globalSettings = new GlobalSettings();
ConfigurationBinder.Bind(Configuration.GetSection("GlobalSettings"), globalSettings);
2015-12-09 04:57:38 +01:00
services.AddSingleton(s => globalSettings);
2016-11-13 00:43:32 +01:00
services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));
2015-12-09 04:57:38 +01:00
// Repositories
services.AddSingleton<IUserRepository, SqlServerRepos.UserRepository>();
services.AddSingleton<ICipherRepository, SqlServerRepos.CipherRepository>();
services.AddSingleton<IDeviceRepository, SqlServerRepos.DeviceRepository>();
services.AddSingleton<IGrantRepository, SqlServerRepos.GrantRepository>();
2015-12-09 04:57:38 +01:00
// Context
services.AddScoped<CurrentContext>();
2016-11-13 00:43:32 +01:00
// Caching
services.AddMemoryCache();
// Rate limiting
services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
// IdentityServer
var identityServerCert = CoreHelpers.GetCertificate(globalSettings.IdentityServer.CertificateThumbprint);
services.AddIdentityServer()
.AddSigningCredential(identityServerCert)
.AddInMemoryApiResources(ApiResources.GetApiResources())
.AddInMemoryClients(Clients.GetClients());
services.AddSingleton<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
services.AddSingleton<IProfileService, ProfileService>();
services.AddSingleton<IPersistedGrantStore, PersistedGrantStore>();
2015-12-09 04:57:38 +01:00
// Identity
services.AddTransient<ILookupNormalizer, LowerInvariantLookupNormalizer>();
services.AddJwtBearerIdentity(options =>
{
options.User = new UserOptions
{
RequireUniqueEmail = true,
AllowedUserNameCharacters = null // all
};
options.Password = new PasswordOptions
{
RequireDigit = false,
RequireLowercase = false,
RequiredLength = 8,
2016-05-20 01:10:24 +02:00
RequireNonAlphanumeric = false,
2015-12-09 04:57:38 +01:00
RequireUppercase = false
};
options.ClaimsIdentity = new ClaimsIdentityOptions
{
SecurityStampClaimType = "securitystamp",
UserNameClaimType = ClaimTypes.Email
};
options.Tokens.ChangeEmailTokenProvider = TokenOptions.DefaultEmailProvider;
}, jwtBearerOptions =>
{
jwtBearerOptions.Audience = "bitwarden";
jwtBearerOptions.Issuer = "bitwarden";
jwtBearerOptions.TokenLifetime = TimeSpan.FromDays(10 * 365);
jwtBearerOptions.TwoFactorTokenLifetime = TimeSpan.FromMinutes(10);
2016-05-20 01:10:24 +02:00
var keyBytes = Encoding.ASCII.GetBytes(globalSettings.JwtSigningKey);
jwtBearerOptions.SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(keyBytes), SecurityAlgorithms.HmacSha256);
2015-12-09 04:57:38 +01:00
})
.AddUserStore<UserStore>()
.AddRoleStore<RoleStore>()
.AddTokenProvider<AuthenticatorTokenProvider>("Authenticator")
.AddTokenProvider<EmailTokenProvider<User>>(TokenOptions.DefaultEmailProvider);
var jwtIdentityOptions = provider.GetRequiredService<IOptions<JwtBearerIdentityOptions>>().Value;
2015-12-31 00:49:43 +01:00
services.AddAuthorization(config =>
2015-12-09 04:57:38 +01:00
{
config.AddPolicy("Application", policy =>
{
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2");
policy.RequireAuthenticatedUser();
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.AuthenticationMethod);
});
2015-12-09 04:57:38 +01:00
config.AddPolicy("TwoFactor", policy =>
{
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2");
policy.RequireAuthenticatedUser();
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.TwoFactorAuthenticationMethod);
});
2015-12-09 04:57:38 +01:00
});
services.AddScoped<AuthenticatorTokenProvider>();
// Services
2016-12-03 05:37:08 +01:00
services.AddSingleton<IMailService, SendGridMailService>();
services.AddSingleton<ICipherService, CipherService>();
2015-12-09 04:57:38 +01:00
services.AddScoped<IUserService, UserService>();
2016-12-03 05:37:08 +01:00
services.AddScoped<IPushService, PushSharpPushService>();
services.AddScoped<IDeviceService, DeviceService>();
2016-12-03 05:37:08 +01:00
services.AddScoped<IBlockIpService, AzureQueueBlockIpService>();
2015-12-09 04:57:38 +01:00
// Cors
2015-12-31 00:49:43 +01:00
services.AddCors(config =>
{
config.AddPolicy("All", policy =>
policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().SetPreflightMaxAge(TimeSpan.FromDays(1)));
2015-12-31 00:49:43 +01:00
});
2015-12-09 04:57:38 +01:00
// MVC
2015-12-31 00:49:43 +01:00
services.AddMvc(config =>
2015-12-09 04:57:38 +01:00
{
2015-12-31 00:49:43 +01:00
config.Filters.Add(new ExceptionHandlerFilterAttribute());
config.Filters.Add(new ModelStateValidationFilterAttribute());
// Allow JSON of content type "text/plain" to avoid cors preflight
var textPlainMediaType = MediaTypeHeaderValue.Parse("text/plain");
foreach(var jsonFormatter in config.InputFormatters.OfType<JsonInputFormatter>())
{
jsonFormatter.SupportedMediaTypes.Add(textPlainMediaType);
}
}).AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver()); ;
2015-12-09 04:57:38 +01:00
}
public void Configure(
IApplicationBuilder app,
IHostingEnvironment env,
ILoggerFactory loggerFactory,
GlobalSettings globalSettings)
2015-12-09 04:57:38 +01:00
{
loggerFactory.AddConsole();
loggerFactory.AddDebug();
if(!env.IsDevelopment())
{
2016-06-21 06:30:36 +02:00
loggerFactory.AddLoggr(
(category, logLevel, eventId) =>
{
// Bad security stamp exception
if(category == typeof(JwtBearerMiddleware).FullName && eventId.Id == 3 && logLevel == LogLevel.Error)
{
return false;
}
2016-12-03 06:04:51 +01:00
// IP blocks
if(category == typeof(IpRateLimitMiddleware).FullName && logLevel >= LogLevel.Information)
{
return true;
}
return logLevel >= LogLevel.Error;
},
2016-06-21 06:30:36 +02:00
globalSettings.Loggr.LogKey,
globalSettings.Loggr.ApiKey);
}
2016-11-13 00:43:32 +01:00
// Rate limiting
app.UseMiddleware<CustomIpRateLimitMiddleware>();
// Insights
2016-10-27 06:09:55 +02:00
app.UseApplicationInsightsRequestTelemetry();
app.UseApplicationInsightsExceptionTelemetry();
2015-12-09 04:57:38 +01:00
// Add static files to the request pipeline.
app.UseStaticFiles();
// Add Cors
app.UseCors("All");
// Add IdentityServer to the request pipeline.
app.UseIdentityServer();
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
AllowedScopes = new string[] { "api" },
Authority = env.IsProduction() ? "https://api.bitwarden.com" : "http://localhost:4000",
RequireHttpsMetadata = env.IsProduction(),
ApiName = "Vault API",
AuthenticationScheme = "Bearer2",
TokenRetriever = TokenRetrieval.FromAuthorizationHeader("Bearer2")
});
2015-12-09 04:57:38 +01:00
// Add Jwt authentication to the request pipeline.
app.UseJwtBearerIdentity();
// Add MVC to the request pipeline.
app.UseMvc();
}
}
}