From 3443fe952b433551c5c11b0197d4ea7931dce2c0 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Fri, 4 Mar 2022 07:09:55 +1000
Subject: [PATCH] Don't send default SsoConfigurationData to clients (#1879)

---
 .../DynamicAuthenticationSchemeProvider.cs | 8 ++---
 .../Response/OrganizationSsoResponseModel.cs | 18 ++++------
 src/Core/Models/Data/SsoConfigurationData.cs | 34 +++++++++----------
 3 files changed, 27 insertions(+), 33 deletions(-)

diff --git a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
index 82cbb3bdc..99e970ac1 100644
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@@ -311,8 +311,8 @@ namespace Bit.Core.Business.Sso
 NameClaimType = JwtClaimTypes.Name,
 RoleClaimType = JwtClaimTypes.Role,
 },
-CallbackPath = config.BuildCallbackPath(),
-SignedOutCallbackPath = config.BuildSignedOutCallbackPath(),
+CallbackPath = SsoConfigurationData.BuildCallbackPath(),
+SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(),
 MetadataAddress = config.MetadataAddress,
 // Prevents URLs that go beyond 1024 characters which may break for some servers
 AuthenticationMethod = config.RedirectBehavior,
@@ -356,7 +356,7 @@ namespace Bit.Core.Business.Sso
 }
 
 var spEntityId = new Sustainsys.Saml2.Metadata.EntityId(
-config.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
+SsoConfigurationData.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
 bool? allowCreate = null;
 if (config.SpNameIdFormat != Saml2NameIdFormat.Transient)
 {
@@ -365,7 +365,7 @@ namespace Bit.Core.Business.Sso
 var spOptions = new SPOptions
 {
 EntityId = spEntityId,
-ModulePath = config.BuildSaml2ModulePath(null, name),
+ModulePath = SsoConfigurationData.BuildSaml2ModulePath(null, name),
 NameIdPolicy = new Saml2NameIdPolicy(allowCreate, GetNameIdFormat(config.SpNameIdFormat)),
 WantAssertionsSigned = config.SpWantAssertionsSigned,
 AuthenticateRequestSigningBehavior = GetSigningBehavior(config.SpSigningBehavior),
diff --git a/src/Api/Models/Response/OrganizationSsoResponseModel.cs b/src/Api/Models/Response/OrganizationSsoResponseModel.cs
index 0c9e8127f..2f1fe9a3d 100644
--- a/src/Api/Models/Response/OrganizationSsoResponseModel.cs
+++ b/src/Api/Models/Response/OrganizationSsoResponseModel.cs
@@ -15,12 +15,8 @@ namespace Bit.Api.Models.Response
 Enabled = config.Enabled;
 Data = config.GetData();
 }
-else
-{
-Data = new SsoConfigurationData();
-}
 
-Urls = new SsoUrls(organization.Id.ToString(), Data, globalSettings);
+Urls = new SsoUrls(organization.Id.ToString(), globalSettings);
 }
 
 public bool Enabled { get; set; }
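Review bot: With the `else` branch removed, `Data` is now left null whenever `config` is null, and nothing in the hunk tells consumers of this client-facing model to expect that; the `Data` property declaration itself sits outside the hunk. Suggest a doc comment on it: `/// <summary>Null when the organization has no SSO configuration yet; clients must not assume server-side defaults.</summary>`. Separately, the context line `Data = config.GetData();` appears to hand the whole `SsoConfigurationData` — which, per the third file in this patch, includes `ClientSecret` — to the response; that predates this commit, but it is worth confirming the endpoint returning this model is limited to organization owners/admins. The constructor signature and the remaining properties are outside the hunk.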
@@ -30,13 +26,13 @@ namespace Bit.Api.Models.Response
 
 public class SsoUrls
 {
-public SsoUrls(string organizationId, SsoConfigurationData configurationData, GlobalSettings globalSettings)
+public SsoUrls(string organizationId, GlobalSettings globalSettings)
 {
-CallbackPath = configurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso);
-SignedOutCallbackPath = configurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso);
-SpEntityId = configurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
-SpMetadataUrl = configurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId);
-SpAcsUrl = configurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId);
+CallbackPath = SsoConfigurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso);
+SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso);
+SpEntityId = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
+SpMetadataUrl = SsoConfigurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId);
+SpAcsUrl = SsoConfigurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId);
 }
 
 public string CallbackPath { get; set; }
diff --git a/src/Core/Models/Data/SsoConfigurationData.cs b/src/Core/Models/Data/SsoConfigurationData.cs
index 5498b2e0b..149392146 100644
--- a/src/Core/Models/Data/SsoConfigurationData.cs
+++ b/src/Core/Models/Data/SsoConfigurationData.cs
@@ -1,9 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Text.Json;
 using Bit.Core.Enums;
-using Bit.Core.Sso;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 
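Review bot: The new `SsoUrls` constructor drops a public parameter, so any caller other than the one updated in the previous hunk will break at compile time; the hunk does not show whether others exist, so please check. The string `organizationId` is passed straight through as the `scheme` segment of `BuildSaml2MetadataUrl`/`BuildSaml2AcsUrl`, which (per the third file) interpolates it into the URL path without encoding; that is fine for the `organization.Id.ToString()` Guid the previous hunk passes, but the constructor should say so: `/// <param name="organizationId">The organization's Guid as a string; it is inserted verbatim into the SAML2 path segments.</param>`. A class summary noting that every URL derives solely from `globalSettings.BaseServiceUri.Sso` and the organization id — independent of the stored SSO configuration — would also explain why `configurationData` was removed.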
@@ -11,9 +9,9 @@ namespace Bit.Core.Models.Data
 {
 public class SsoConfigurationData
 {
-private const string _oidcSigninPath = "/oidc-signin";
-private const string _oidcSignedOutPath = "/oidc-signedout";
-private const string _saml2ModulePath = "/saml2";
+private static string _oidcSigninPath = "/oidc-signin";
+private static string _oidcSignedOutPath = "/oidc-signedout";
+private static string _saml2ModulePath = "/saml2";
 
 public static SsoConfigurationData Deserialize(string data)
 {
@@ -35,7 +33,7 @@ namespace Bit.Core.Models.Data
 public string ClientId { get; set; }
 public string ClientSecret { get; set; }
 public string MetadataAddress { get; set; }
-public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; } = OpenIdConnectRedirectBehavior.FormPost;
+public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; }
 public bool GetClaimsFromUserInfoEndpoint { get; set; }
 public string AdditionalScopes { get; set; }
 public string AdditionalUserIdClaimTypes { get; set; }
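Review bot: The three path prefixes go from `private const string` to `private static string` without `readonly`, which makes the OIDC callback and SAML2 module paths mutable at runtime even though nothing in this patch needs that — a `const` is already accessible from the static builder methods added later in the same file. Restore `private const string _oidcSigninPath = "/oidc-signin";` (and likewise `_oidcSignedOutPath` and `_saml2ModulePath`), or at minimum use `private static readonly string`. These values define the endpoints the authentication providers are registered against, so they should be immutable by construction rather than by convention.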
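Review bot: Dropping `= OpenIdConnectRedirectBehavior.FormPost` makes `RedirectBehavior` default to the enum's zero member, which in ASP.NET Core is `RedirectGet`, so a stored configuration whose serialized JSON omits the property would presumably now deserialize as a GET redirect instead of a form post — the `Deserialize` body is outside the hunk, so this depends on how it treats missing members. The first file's context line `// Prevents URLs that go beyond 1024 characters which may break for some servers` directly above `AuthenticationMethod = config.RedirectBehavior` suggests FormPost was a deliberate choice rather than an arbitrary default. If the goal is only to stop sending defaults to clients, consider applying the FormPost default where the scheme is built instead, and in any case add `/// <remarks>No default is applied here; a missing value is RedirectGet (0).</remarks>` so the behaviour is explicit.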
@@ -49,43 +47,43 @@ namespace Bit.Core.Models.Data public string IdpSingleSignOnServiceUrl { get; set; } public string IdpSingleLogoutServiceUrl { get; set; } public string IdpX509PublicCert { get; set; } - public Saml2BindingType IdpBindingType { get; set; } = Saml2BindingType.HttpRedirect; + public Saml2BindingType IdpBindingType { get; set; } public bool IdpAllowUnsolicitedAuthnResponse { get; set; } public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } } public bool IdpDisableOutboundLogoutRequests { get; set; } - public string IdpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256; + public string IdpOutboundSigningAlgorithm { get; set; } public bool IdpWantAuthnRequestsSigned { get; set; } // SAML2 SP - public Saml2NameIdFormat SpNameIdFormat { get; set; } = Saml2NameIdFormat.Persistent; - public string SpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256; - public Saml2SigningBehavior SpSigningBehavior { get; set; } = Saml2SigningBehavior.IfIdpWantAuthnRequestsSigned; + public Saml2NameIdFormat SpNameIdFormat { get; set; } + public string SpOutboundSigningAlgorithm { get; set; } + public Saml2SigningBehavior SpSigningBehavior { get; set; } public bool SpWantAssertionsSigned { get; set; } public bool SpValidateCertificates { get; set; } - public string SpMinIncomingSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256; + public string SpMinIncomingSigningAlgorithm { get; set; } - public string BuildCallbackPath(string ssoUri = null) + public static string BuildCallbackPath(string ssoUri = null) { return BuildSsoUrl(_oidcSigninPath, ssoUri); } - public string BuildSignedOutCallbackPath(string ssoUri = null) + public static string BuildSignedOutCallbackPath(string ssoUri = null) { return BuildSsoUrl(_oidcSignedOutPath, ssoUri); } - public string BuildSaml2ModulePath(string ssoUri = null, string scheme = null) + public static string BuildSaml2ModulePath(string ssoUri = null, string scheme = 
null) { return string.Concat(BuildSsoUrl(_saml2ModulePath, ssoUri), string.IsNullOrWhiteSpace(scheme) ? string.Empty : $"/{scheme}"); } - public string BuildSaml2AcsUrl(string ssoUri = null, string scheme = null) + public static string BuildSaml2AcsUrl(string ssoUri = null, string scheme = null) { return string.Concat(BuildSaml2ModulePath(ssoUri, scheme), "/Acs"); } - public string BuildSaml2MetadataUrl(string ssoUri = null, string scheme = null) + public static string BuildSaml2MetadataUrl(string ssoUri = null, string scheme = null) { return BuildSaml2ModulePath(ssoUri, scheme); } @@ -114,7 +112,7 @@ namespace Bit.Core.Models.Data .Select(c => c.Trim()) ?? Array.Empty(); - private string BuildSsoUrl(string relativePath, string ssoUri) + private static string BuildSsoUrl(string relativePath, string ssoUri) { if (string.IsNullOrWhiteSpace(ssoUri) || !Uri.IsWellFormedUriString(ssoUri, UriKind.Absolute))
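Review bot: Removing `= SamlSigningAlgorithms.Sha256` from `SpMinIncomingSigningAlgorithm` (and from the two outbound algorithm properties) leaves those strings null on any configuration that does not carry an explicit value; what the scheme provider does with a null minimum incoming signing algorithm is outside this diff, so please confirm it still enforces a SHA-256 floor rather than deferring to a library default or accepting weaker-signed assertions. The same question applies to `IdpBindingType`, `SpNameIdFormat` and `SpSigningBehavior`, which now default to each enum's zero member instead of `HttpRedirect`, `Persistent` and `IfIdpWantAuthnRequestsSigned`. A short remark on the class stating that these properties intentionally carry no defaults, and naming where the defaults are applied when the scheme is built, would keep the next maintainer from re-adding them. This hunk begins on the previous line and the class header is outside it.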