bitwarden-server/src/Api/Startup.cs

using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using Bit.Api.Utilities;
using Bit.Core;
using Bit.Core.Identity;
using System.Linq;
using Microsoft.AspNetCore.Mvc.Formatters;
using Microsoft.Net.Http.Headers;
using Newtonsoft.Json.Serialization;
using AspNetCoreRateLimit;
using Bit.Api.Middleware;
using Serilog.Events;
using Stripe;
using Bit.Core.Utilities;
using IdentityModel;

namespace Bit.Api
{
    public class Startup
    {
        public Startup(IHostingEnvironment env)
        {
            var builder = new ConfigurationBuilder()
                .AddSettingsConfiguration(env, "bitwarden-Api");
            Configuration = builder.Build();
            Environment = env;
        }

        public IConfigurationRoot Configuration { get; private set; }
        public IHostingEnvironment Environment { get; set; }

        public void ConfigureServices(IServiceCollection services)
        {
            var provider = services.BuildServiceProvider();

            // Options
            services.AddOptions();

            // Settings
            var globalSettings = services.AddGlobalSettingsServices(Configuration);
            if(!globalSettings.SelfHosted)
            {
                services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
                services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));
            }

            // Data Protection
            services.AddCustomDataProtectionServices(Environment, globalSettings);

            // Stripe Billing
            StripeConfiguration.SetApiKey(globalSettings.StripeApiKey);

            // Repositories
            services.AddSqlServerRepositories();

            // Context
            services.AddScoped<CurrentContext>();

            // Caching
            services.AddMemoryCache();

            if(!globalSettings.SelfHosted)
            {
                // Rate limiting
                services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
                services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
            }

            // Identity
            services.AddCustomIdentityServices(globalSettings);

            services.AddAuthorization(config =>
            {
                config.AddPolicy("Application", policy =>
                {
                    policy.AddAuthenticationSchemes("Bearer", "Bearer3");
                    policy.RequireAuthenticatedUser();
                    policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
                    policy.RequireClaim(JwtClaimTypes.Scope, "api");
                });
                config.AddPolicy("Web", policy =>
                {
                    policy.AddAuthenticationSchemes("Bearer", "Bearer3");
                    policy.RequireAuthenticatedUser();
                    policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
                    policy.RequireClaim(JwtClaimTypes.Scope, "api");
                    policy.RequireClaim(JwtClaimTypes.ClientId, "web");
                });
                config.AddPolicy("Push", policy =>
                {
                    policy.RequireAuthenticatedUser();
                    policy.RequireClaim(JwtClaimTypes.Scope, "api.push");
                });
            });

            services.AddScoped<AuthenticatorTokenProvider>();

            // Services
            services.AddBaseServices();
            services.AddDefaultServices(globalSettings);

            // Cors
            services.AddCors(config =>
            {
                config.AddPolicy("All", policy =>
                    policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().SetPreflightMaxAge(TimeSpan.FromDays(1)));
            });

            // MVC
            services.AddMvc(config =>
            {
                config.Filters.Add(new ExceptionHandlerFilterAttribute());
                config.Filters.Add(new ModelStateValidationFilterAttribute());

                // Allow JSON of content type "text/plain" to avoid cors preflight
                var textPlainMediaType = MediaTypeHeaderValue.Parse("text/plain");
                foreach(var jsonFormatter in config.InputFormatters.OfType<JsonInputFormatter>())
                {
                    jsonFormatter.SupportedMediaTypes.Add(textPlainMediaType);
                }
            }).AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
        }

        public void Configure(
            IApplicationBuilder app,
            IHostingEnvironment env,
            ILoggerFactory loggerFactory,
            IApplicationLifetime appLifetime,
            GlobalSettings globalSettings)
        {
            loggerFactory
                .AddSerilog(env, appLifetime, globalSettings, (e) =>
                {
                    var context = e.Properties["SourceContext"].ToString();
                    if(e.Exception != null && (e.Exception.GetType() == typeof(SecurityTokenValidationException) ||
                        e.Exception.Message == "Bad security stamp."))
                    {
                        return false;
                    }

                    if(context.Contains(typeof(IpRateLimitMiddleware).FullName) && e.Level == LogEventLevel.Information)
                    {
                        return true;
                    }

                    if(context.Contains("IdentityServer4.Validation.TokenRequestValidator"))
                    {
                        return e.Level > LogEventLevel.Error;
                    }

                    return e.Level >= LogEventLevel.Error;
                })
                .AddDebug();

            // Default Middleware
            app.UseDefaultMiddleware(env);

            if(!globalSettings.SelfHosted)
            {
                // Rate limiting
                app.UseMiddleware<CustomIpRateLimitMiddleware>();
            }

            // Add static files to the request pipeline.
            app.UseStaticFiles();

            // Add Cors
            app.UseCors("All");

            // Add IdentityServer to the request pipeline.
            app.UseIdentityServerAuthentication(GetIdentityOptions(env, globalSettings, string.Empty));
            app.UseIdentityServerAuthentication(GetIdentityOptions(env, globalSettings, "3"));

            // Add current context
            app.UseMiddleware<CurrentContextMiddleware>();

            // Add MVC to the request pipeline.
            app.UseMvc();
        }

        private IdentityServerAuthenticationOptions GetIdentityOptions(IHostingEnvironment env,
            GlobalSettings globalSettings, string suffix)
        {
            var options = new IdentityServerAuthenticationOptions
            {
                Authority = globalSettings.BaseServiceUri.InternalIdentity,
                AllowedScopes = new string[] { "api", "api.push" },
                RequireHttpsMetadata = !env.IsDevelopment() && globalSettings.BaseServiceUri.InternalIdentity.StartsWith("https"),
                NameClaimType = ClaimTypes.Email,
                // Suffix until we retire the old jwt schemes.
                AuthenticationScheme = $"Bearer{suffix}",
                TokenRetriever = TokenRetrieval.FromAuthorizationHeaderOrQueryString($"Bearer{suffix}", $"access_token{suffix}")
            };

            return options;
        }
    }
}
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								using System;
 								using System.Security.Claims;
-												Upgrade to ASP.NET Core RC2 release.

											
										
										
											2016-05-20 01:10:24 +02:00
+								using Microsoft.AspNetCore.Builder;
 								using Microsoft.AspNetCore.Hosting;
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								using Microsoft.Extensions.Configuration;
 								using Microsoft.Extensions.DependencyInjection;
 								using Microsoft.Extensions.Logging;
-												Upgrade to ASP.NET Core RC2 release.

											
										
										
											2016-05-20 01:10:24 +02:00
+								using Microsoft.IdentityModel.Tokens;
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								using Bit.Api.Utilities;
 								using Bit.Core;
 								using Bit.Core.Identity;
-												Things to get around CORS pre-flight request. Allow Jwt token to be passed via "access_token" query stirng param. Allow JSON body content to be parsed as "text/plain" content type.

											
										
										
											2016-07-14 00:37:14 +02:00
+								using System.Linq;
 								using Microsoft.AspNetCore.Mvc.Formatters;
 								using Microsoft.Net.Http.Headers;
-												DefaultContractResolver for pascal cased JSON. RTM moved to camelCase

											
										
										
											2016-07-14 01:24:26 +02:00
+								using Newtonsoft.Json.Serialization;
-												rate limiting APIs

											
										
										
											2016-11-13 00:43:32 +01:00
+								using AspNetCoreRateLimit;
 								using Bit.Api.Middleware;
-												replace loggr with serilog

											
										
										
											2017-01-15 05:24:02 +01:00
+								using Serilog.Events;
-												stripe subscription creation

											
										
										
											2017-04-04 16:13:16 +02:00
+								using Stripe;
-												centralize a lot of service registration

											
										
										
											2017-05-06 02:57:33 +02:00
+								using Bit.Core.Utilities;
-												remove deprecated jwt bearer authentication method

											
										
										
											2017-06-07 05:19:42 +02:00
+								using IdentityModel;
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
 								namespace Bit.Api
 								{
 								    public class Startup
 								    {
 								        public Startup(IHostingEnvironment env)
 								        {
 								            var builder = new ConfigurationBuilder()
-												standardize secrets id

											
										
										
											2017-05-08 14:32:06 +02:00
+								                .AddSettingsConfiguration(env, "bitwarden-Api");
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								            Configuration = builder.Build();
-												only load idserv cert in prod environment

											
										
										
											2017-01-13 03:07:25 +01:00
+								            Environment = env;
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								        }
 								        public IConfigurationRoot Configuration { get; private set; }
-												only load idserv cert in prod environment

											
										
										
											2017-01-13 03:07:25 +01:00
+								        public IHostingEnvironment Environment { get; set; }
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
 								        public void ConfigureServices(IServiceCollection services)
 								        {
-												Upgrade to ASP.NET Core RC2 release.

											
										
										
											2016-05-20 01:10:24 +02:00
+								            var provider = services.BuildServiceProvider();
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
 								            // Options
 								            services.AddOptions();
 								            // Settings
-												centralize a lot of service registration

											
										
										
											2017-05-06 02:57:33 +02:00
+								            var globalSettings = services.AddGlobalSettingsServices(Configuration);
-												only use rate limiting on non-self host

											
										
										
											2017-08-15 22:33:38 +02:00
+								            if(!globalSettings.SelfHosted)
 								            {
 								                services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
 								                services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));
 								            }
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
-												manage data protection keys with azure and enc

											
										
										
											2017-03-24 03:02:55 +01:00
+								            // Data Protection
-												centralize a lot of service registration

											
										
										
											2017-05-06 02:57:33 +02:00
+								            services.AddCustomDataProtectionServices(Environment, globalSettings);
-												manage data protection keys with azure and enc

											
										
										
											2017-03-24 03:02:55 +01:00
-												stripe subscription creation

											
										
										
											2017-04-04 16:13:16 +02:00
+								            // Stripe Billing
 								            StripeConfiguration.SetApiKey(globalSettings.StripeApiKey);
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								            // Repositories
-												move repos and services reg out to core extensions

											
										
										
											2017-04-26 22:13:24 +02:00
+								            services.AddSqlServerRepositories();
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
 								            // Context
 								            services.AddScoped<CurrentContext>();
-												rate limiting APIs

											
										
										
											2016-11-13 00:43:32 +01:00
+								            // Caching
 								            services.AddMemoryCache();
-												only use rate limiting on non-self host

											
										
										
											2017-08-15 22:33:38 +02:00
+								            if(!globalSettings.SelfHosted)
 								            {
 								                // Rate limiting
 								                services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
 								                services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
 								            }
-												rate limiting APIs

											
										
										
											2016-11-13 00:43:32 +01:00
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								            // Identity
-												centralize a lot of service registration

											
										
										
											2017-05-06 02:57:33 +02:00
+								            services.AddCustomIdentityServices(globalSettings);
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
-												comments and some name changes

											
										
										
											2015-12-31 00:49:43 +01:00
+								            services.AddAuthorization(config =>
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								            {
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 06:34:16 +01:00
+								                config.AddPolicy("Application", policy =>
 								                {
-												bearer2 no longer supported

											
										
										
											2017-08-03 02:55:14 +02:00
+								                    policy.AddAuthenticationSchemes("Bearer", "Bearer3");
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 06:34:16 +01:00
+								                    policy.RequireAuthenticatedUser();
-												remove deprecated jwt bearer authentication method

											
										
										
											2017-06-07 05:19:42 +02:00
+								                    policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
-												web policy for two factor apis

											
										
										
											2017-06-26 15:09:30 +02:00
+								                    policy.RequireClaim(JwtClaimTypes.Scope, "api");
 								                });
 								                config.AddPolicy("Web", policy =>
 								                {
-												bearer2 no longer supported

											
										
										
											2017-08-03 02:55:14 +02:00
+								                    policy.AddAuthenticationSchemes("Bearer", "Bearer3");
-												web policy for two factor apis

											
										
										
											2017-06-26 15:09:30 +02:00
+								                    policy.RequireAuthenticatedUser();
 								                    policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
 								                    policy.RequireClaim(JwtClaimTypes.Scope, "api");
 								                    policy.RequireClaim(JwtClaimTypes.ClientId, "web");
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 06:34:16 +01:00
+								                });
-												added installations, push scoped tokens, push api

											
										
										
											2017-08-10 20:39:11 +02:00
+								                config.AddPolicy("Push", policy =>
 								                {
 								                    policy.RequireAuthenticatedUser();
 								                    policy.RequireClaim(JwtClaimTypes.Scope, "api.push");
 								                });
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								            });
 								            services.AddScoped<AuthenticatorTokenProvider>();
 								            // Services
-												move repos and services reg out to core extensions

											
										
										
											2017-04-26 22:13:24 +02:00
+								            services.AddBaseServices();
-												docker setup

											
										
										
											2017-08-07 22:31:00 +02:00
+								            services.AddDefaultServices(globalSettings);
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
 								            // Cors
-												comments and some name changes

											
										
										
											2015-12-31 00:49:43 +01:00
+								            services.AddCors(config =>
 								            {
-												Things to get around CORS pre-flight request. Allow Jwt token to be passed via "access_token" query stirng param. Allow JSON body content to be parsed as "text/plain" content type.

											
										
										
											2016-07-14 00:37:14 +02:00
+								                config.AddPolicy("All", policy =>
 								                    policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().SetPreflightMaxAge(TimeSpan.FromDays(1)));
-												comments and some name changes

											
										
										
											2015-12-31 00:49:43 +01:00
+								            });
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
 								            // MVC
-												comments and some name changes

											
										
										
											2015-12-31 00:49:43 +01:00
+								            services.AddMvc(config =>
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								            {
-												comments and some name changes

											
										
										
											2015-12-31 00:49:43 +01:00
+								                config.Filters.Add(new ExceptionHandlerFilterAttribute());
 								                config.Filters.Add(new ModelStateValidationFilterAttribute());
-												Add text/plain media type for all json input formatters

											
										
										
											2016-07-14 00:42:57 +02:00
-												Things to get around CORS pre-flight request. Allow Jwt token to be passed via "access_token" query stirng param. Allow JSON body content to be parsed as "text/plain" content type.

											
										
										
											2016-07-14 00:37:14 +02:00
+								                // Allow JSON of content type "text/plain" to avoid cors preflight
-												Add text/plain media type for all json input formatters

											
										
										
											2016-07-14 00:42:57 +02:00
+								                var textPlainMediaType = MediaTypeHeaderValue.Parse("text/plain");
 								                foreach(var jsonFormatter in config.InputFormatters.OfType<JsonInputFormatter>())
 								                {
 								                    jsonFormatter.SupportedMediaTypes.Add(textPlainMediaType);
 								                }
-												remove extra ;

											
										
										
											2017-01-29 04:23:25 +01:00
+								            }).AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								        }
-												Added loggr logging for production environment.

											
										
										
											2016-02-07 05:45:33 +01:00
+								        public void Configure(
 								            IApplicationBuilder app,
 								            IHostingEnvironment env,
 								            ILoggerFactory loggerFactory,
-												replace loggr with serilog

											
										
										
											2017-01-15 05:24:02 +01:00
+								            IApplicationLifetime appLifetime,
-												Added loggr logging for production environment.

											
										
										
											2016-02-07 05:45:33 +01:00
+								            GlobalSettings globalSettings)
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								        {
-												centralize a lot of service registration

											
										
										
											2017-05-06 02:57:33 +02:00
+								            loggerFactory
 								                .AddSerilog(env, appLifetime, globalSettings, (e) =>
-												replace loggr with serilog

											
										
										
											2017-01-15 05:24:02 +01:00
+								                {
 								                    var context = e.Properties["SourceContext"].ToString();
-												Fix logging filter for IpRateLimitMiddleware

											
										
										
											2017-04-26 19:33:39 +02:00
+								                    if(e.Exception != null && (e.Exception.GetType() == typeof(SecurityTokenValidationException) ||
 								                        e.Exception.Message == "Bad security stamp."))
-												recompile user delete sproc and extend timeout. filer out security stamp errors from logger.

											
										
										
											2016-10-29 08:59:17 +02:00
+								                    {
-												replace loggr with serilog

											
										
										
											2017-01-15 05:24:02 +01:00
+								                        return false;
 								                    }
-												Fix logging filter for IpRateLimitMiddleware

											
										
										
											2017-04-26 19:33:39 +02:00
+								                    if(context.Contains(typeof(IpRateLimitMiddleware).FullName) && e.Level == LogEventLevel.Information)
-												replace loggr with serilog

											
										
										
											2017-01-15 05:24:02 +01:00
+								                    {
 								                        return true;
 								                    }
-												filter out identity errors from logs

											
										
										
											2017-04-28 22:07:06 +02:00
+								                    if(context.Contains("IdentityServer4.Validation.TokenRequestValidator"))
 								                    {
 								                        return e.Level > LogEventLevel.Error;
 								                    }
-												replace loggr with serilog

											
										
										
											2017-01-15 05:24:02 +01:00
+								                    return e.Level >= LogEventLevel.Error;
-												centralize a lot of service registration

											
										
										
											2017-05-06 02:57:33 +02:00
+								                })
 								                .AddDebug();
-												replace loggr with serilog

											
										
										
											2017-01-15 05:24:02 +01:00
-												version info in response headers

											
										
										
											2017-08-25 14:57:43 +02:00
+								            // Default Middleware
 								            app.UseDefaultMiddleware(env);
-												UseForwardedHeadersForAzure

											
										
										
											2017-07-21 18:53:26 +02:00
-												only use rate limiting on non-self host

											
										
										
											2017-08-15 22:33:38 +02:00
+								            if(!globalSettings.SelfHosted)
 								            {
 								                // Rate limiting
 								                app.UseMiddleware<CustomIpRateLimitMiddleware>();
 								            }
-												rate limiting APIs

											
										
										
											2016-11-13 00:43:32 +01:00
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								            // Add static files to the request pipeline.
 								            app.UseStaticFiles();
 								            // Add Cors
 								            app.UseCors("All");
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 06:34:16 +01:00
+								            // Add IdentityServer to the request pipeline.
-												deprec. api identity, set base uris from settings

											
										
										
											2017-08-02 22:57:32 +02:00
+								            app.UseIdentityServerAuthentication(GetIdentityOptions(env, globalSettings, string.Empty));
 								            app.UseIdentityServerAuthentication(GetIdentityOptions(env, globalSettings, "3"));
-												config updates for identity startup

											
										
										
											2017-04-19 22:01:34 +02:00
 								            // Add current context
 								            app.UseMiddleware<CurrentContextMiddleware>();
 								            // Add MVC to the request pipeline.
 								            app.UseMvc();
 								        }
-												UseForwardedHeadersForAzure

											
										
										
											2017-07-21 18:53:26 +02:00
+								        private IdentityServerAuthenticationOptions GetIdentityOptions(IHostingEnvironment env,
-												deprec. api identity, set base uris from settings

											
										
										
											2017-08-02 22:57:32 +02:00
+								            GlobalSettings globalSettings, string suffix)
-												config updates for identity startup

											
										
										
											2017-04-19 22:01:34 +02:00
+								        {
 								            var options = new IdentityServerAuthenticationOptions
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 06:34:16 +01:00
+								            {
-												new uri settings

											
										
										
											2017-08-04 05:12:05 +02:00
+								                Authority = globalSettings.BaseServiceUri.InternalIdentity,
-												added installations, push scoped tokens, push api

											
										
										
											2017-08-10 20:39:11 +02:00
+								                AllowedScopes = new string[] { "api", "api.push" },
-												fix internalidentity setting

											
										
										
											2017-08-10 04:56:28 +02:00
+								                RequireHttpsMetadata = !env.IsDevelopment() && globalSettings.BaseServiceUri.InternalIdentity.StartsWith("https"),
-												fire up events for identityserver validation scheme

											
										
										
											2017-01-17 04:02:12 +01:00
+								                NameClaimType = ClaimTypes.Email,
-												helper methods for multiple auth schemes

											
										
										
											2017-05-06 03:39:30 +02:00
+								                // Suffix until we retire the old jwt schemes.
 								                AuthenticationScheme = $"Bearer{suffix}",
-												deprec. api identity, set base uris from settings

											
										
										
											2017-08-02 22:57:32 +02:00
+								                TokenRetriever = TokenRetrieval.FromAuthorizationHeaderOrQueryString($"Bearer{suffix}", $"access_token{suffix}")
-												config updates for identity startup

											
										
										
											2017-04-19 22:01:34 +02:00
+								            };
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
-												helper methods for multiple auth schemes

											
										
										
											2017-05-06 03:39:30 +02:00
+								            return options;
 								        }
-												initial commit of source

											
										
										
											2015-12-09 04:57:38 +01:00
+								    }
 								}