Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-21 12:05:42 +01:00
Code Issues Projects Releases Wiki Activity

Don't send default SsoConfigurationData to clients (#1879)

Browse Source
This commit is contained in:
Thomas Rittson 2022-03-04 07:09:55 +10:00 committed by GitHub
parent 5f613ebc44
commit 3443fe952b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
View File

@ -311,8 +311,8 @@ namespace Bit.Core.Business.Sso
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
},
CallbackPath = config.BuildCallbackPath(),
SignedOutCallbackPath = config.BuildSignedOutCallbackPath(),
CallbackPath = SsoConfigurationData.BuildCallbackPath(),
SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(),
MetadataAddress = config.MetadataAddress,
// Prevents URLs that go beyond 1024 characters which may break for some servers
AuthenticationMethod = config.RedirectBehavior,
@ -356,7 +356,7 @@ namespace Bit.Core.Business.Sso
}
var spEntityId = new Sustainsys.Saml2.Metadata.EntityId(
config.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
SsoConfigurationData.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
bool? allowCreate = null;
if (config.SpNameIdFormat != Saml2NameIdFormat.Transient)
{
@ -365,7 +365,7 @@ namespace Bit.Core.Business.Sso
var spOptions = new SPOptions
{
EntityId = spEntityId,
ModulePath = config.BuildSaml2ModulePath(null, name),
ModulePath = SsoConfigurationData.BuildSaml2ModulePath(null, name),
NameIdPolicy = new Saml2NameIdPolicy(allowCreate, GetNameIdFormat(config.SpNameIdFormat)),
WantAssertionsSigned = config.SpWantAssertionsSigned,
AuthenticateRequestSigningBehavior = GetSigningBehavior(config.SpSigningBehavior),

18
src/Api/Models/Response/OrganizationSsoResponseModel.cs
View File

@ -15,12 +15,8 @@ namespace Bit.Api.Models.Response
Enabled = config.Enabled;
Data = config.GetData();
}
else
{
Data = new SsoConfigurationData();
}
Urls = new SsoUrls(organization.Id.ToString(), Data, globalSettings);
Urls = new SsoUrls(organization.Id.ToString(), globalSettings);
}
public bool Enabled { get; set; }
@ -30,13 +26,13 @@ namespace Bit.Api.Models.Response
public class SsoUrls
{
public SsoUrls(string organizationId, SsoConfigurationData configurationData, GlobalSettings globalSettings)
public SsoUrls(string organizationId, GlobalSettings globalSettings)
{
CallbackPath = configurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso);
SignedOutCallbackPath = configurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso);
SpEntityId = configurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
SpMetadataUrl = configurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId);
SpAcsUrl = configurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId);
CallbackPath = SsoConfigurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso);
SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso);
SpEntityId = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
SpMetadataUrl = SsoConfigurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId);
SpAcsUrl = SsoConfigurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId);
}
public string CallbackPath { get; set; }

34
src/Core/Models/Data/SsoConfigurationData.cs
View File

@ -1,9 +1,7 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Bit.Core.Enums;
using Bit.Core.Sso;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
@ -11,9 +9,9 @@ namespace Bit.Core.Models.Data
{
public class SsoConfigurationData
{
private const string _oidcSigninPath = "/oidc-signin";
private const string _oidcSignedOutPath = "/oidc-signedout";
private const string _saml2ModulePath = "/saml2";
private static string _oidcSigninPath = "/oidc-signin";
private static string _oidcSignedOutPath = "/oidc-signedout";
private static string _saml2ModulePath = "/saml2";
public static SsoConfigurationData Deserialize(string data)
{
@ -35,7 +33,7 @@ namespace Bit.Core.Models.Data
public string ClientId { get; set; }
public string ClientSecret { get; set; }
public string MetadataAddress { get; set; }
public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; } = OpenIdConnectRedirectBehavior.FormPost;
public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; }
public bool GetClaimsFromUserInfoEndpoint { get; set; }
public string AdditionalScopes { get; set; }
public string AdditionalUserIdClaimTypes { get; set; }
@ -49,43 +47,43 @@ namespace Bit.Core.Models.Data
public string IdpSingleSignOnServiceUrl { get; set; }
public string IdpSingleLogoutServiceUrl { get; set; }
public string IdpX509PublicCert { get; set; }
public Saml2BindingType IdpBindingType { get; set; } = Saml2BindingType.HttpRedirect;
public Saml2BindingType IdpBindingType { get; set; }
public bool IdpAllowUnsolicitedAuthnResponse { get; set; }
public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } }
public bool IdpDisableOutboundLogoutRequests { get; set; }
public string IdpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256;
public string IdpOutboundSigningAlgorithm { get; set; }
public bool IdpWantAuthnRequestsSigned { get; set; }
// SAML2 SP
public Saml2NameIdFormat SpNameIdFormat { get; set; } = Saml2NameIdFormat.Persistent;
public string SpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256;
public Saml2SigningBehavior SpSigningBehavior { get; set; } = Saml2SigningBehavior.IfIdpWantAuthnRequestsSigned;
public Saml2NameIdFormat SpNameIdFormat { get; set; }
public string SpOutboundSigningAlgorithm { get; set; }
public Saml2SigningBehavior SpSigningBehavior { get; set; }
public bool SpWantAssertionsSigned { get; set; }
public bool SpValidateCertificates { get; set; }
public string SpMinIncomingSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256;
public string SpMinIncomingSigningAlgorithm { get; set; }
public string BuildCallbackPath(string ssoUri = null)
public static string BuildCallbackPath(string ssoUri = null)
{
return BuildSsoUrl(_oidcSigninPath, ssoUri);
}
public string BuildSignedOutCallbackPath(string ssoUri = null)
public static string BuildSignedOutCallbackPath(string ssoUri = null)
{
return BuildSsoUrl(_oidcSignedOutPath, ssoUri);
}
public string BuildSaml2ModulePath(string ssoUri = null, string scheme = null)
public static string BuildSaml2ModulePath(string ssoUri = null, string scheme = null)
{
return string.Concat(BuildSsoUrl(_saml2ModulePath, ssoUri),
string.IsNullOrWhiteSpace(scheme) ? string.Empty : $"/{scheme}");
}
public string BuildSaml2AcsUrl(string ssoUri = null, string scheme = null)
public static string BuildSaml2AcsUrl(string ssoUri = null, string scheme = null)
{
return string.Concat(BuildSaml2ModulePath(ssoUri, scheme), "/Acs");
}
public string BuildSaml2MetadataUrl(string ssoUri = null, string scheme = null)
public static string BuildSaml2MetadataUrl(string ssoUri = null, string scheme = null)
{
return BuildSaml2ModulePath(ssoUri, scheme);
}
@ -114,7 +112,7 @@ namespace Bit.Core.Models.Data
.Select(c => c.Trim()) ??
Array.Empty<string>();
private string BuildSsoUrl(string relativePath, string ssoUri)
private static string BuildSsoUrl(string relativePath, string ssoUri)
{
if (string.IsNullOrWhiteSpace(ssoUri) ||
!Uri.IsWellFormedUriString(ssoUri, UriKind.Absolute))