
Don't send default SsoConfigurationData to clients (#1879)

This commit is contained in:
Thomas Rittson 2022-03-04 07:09:55 +10:00 committed by GitHub
parent 5f613ebc44
commit 3443fe952b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 33 deletions


@ -311,8 +311,8 @@ namespace Bit.Core.Business.Sso
NameClaimType = JwtClaimTypes.Name, NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role, RoleClaimType = JwtClaimTypes.Role,
}, },
CallbackPath = config.BuildCallbackPath(), CallbackPath = SsoConfigurationData.BuildCallbackPath(),
SignedOutCallbackPath = config.BuildSignedOutCallbackPath(), SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(),
MetadataAddress = config.MetadataAddress, MetadataAddress = config.MetadataAddress,
// Prevents URLs that go beyond 1024 characters which may break for some servers // Prevents URLs that go beyond 1024 characters which may break for some servers
AuthenticationMethod = config.RedirectBehavior, AuthenticationMethod = config.RedirectBehavior,
@ -356,7 +356,7 @@ namespace Bit.Core.Business.Sso
} }
var spEntityId = new Sustainsys.Saml2.Metadata.EntityId( var spEntityId = new Sustainsys.Saml2.Metadata.EntityId(
config.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso)); SsoConfigurationData.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
bool? allowCreate = null; bool? allowCreate = null;
if (config.SpNameIdFormat != Saml2NameIdFormat.Transient) if (config.SpNameIdFormat != Saml2NameIdFormat.Transient)
{ {
@ -365,7 +365,7 @@ namespace Bit.Core.Business.Sso
var spOptions = new SPOptions var spOptions = new SPOptions
{ {
EntityId = spEntityId, EntityId = spEntityId,
ModulePath = config.BuildSaml2ModulePath(null, name), ModulePath = SsoConfigurationData.BuildSaml2ModulePath(null, name),
NameIdPolicy = new Saml2NameIdPolicy(allowCreate, GetNameIdFormat(config.SpNameIdFormat)), NameIdPolicy = new Saml2NameIdPolicy(allowCreate, GetNameIdFormat(config.SpNameIdFormat)),
WantAssertionsSigned = config.SpWantAssertionsSigned, WantAssertionsSigned = config.SpWantAssertionsSigned,
AuthenticateRequestSigningBehavior = GetSigningBehavior(config.SpSigningBehavior), AuthenticateRequestSigningBehavior = GetSigningBehavior(config.SpSigningBehavior),
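Review bot: `AuthenticationMethod = config.RedirectBehavior` here, and the `config.SpNameIdFormat` / `config.SpSigningBehavior` reads in the SAML hunk below, now receive whatever Deserialize() produced, while the SsoConfigurationData hunk in this same commit drops the initializers those properties had (FormPost, Persistent, IfIdpWantAuthnRequestsSigned and the SamlSigningAlgorithms.Sha256 strings). For a stored configuration that omits one of those JSON properties the enum members come back as their zero value and the algorithm strings as null, so the comment above this line no longer holds and, depending on how the SAML options treat a null minimum signing algorithm, the SP may accept weaker signatures than before; no fallback is visible in these hunks. For the string-typed algorithms a `?? SamlSigningAlgorithms.Sha256` at the call site would do, but an enum's zero value cannot be told apart from an omitted property, so keeping the initializers on the data model and stripping defaults only in the response model is the safer fix. The enclosing method begins and ends outside the hunk.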


@ -15,12 +15,8 @@ namespace Bit.Api.Models.Response
Enabled = config.Enabled; Enabled = config.Enabled;
Data = config.GetData(); Data = config.GetData();
} }
else
{
Data = new SsoConfigurationData();
}
Urls = new SsoUrls(organization.Id.ToString(), Data, globalSettings); Urls = new SsoUrls(organization.Id.ToString(), globalSettings);
} }
public bool Enabled { get; set; } public bool Enabled { get; set; }
@ -30,13 +26,13 @@ namespace Bit.Api.Models.Response
public class SsoUrls public class SsoUrls
{ {
public SsoUrls(string organizationId, SsoConfigurationData configurationData, GlobalSettings globalSettings) public SsoUrls(string organizationId, GlobalSettings globalSettings)
{ {
CallbackPath = configurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso); CallbackPath = SsoConfigurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso);
SignedOutCallbackPath = configurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso); SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso);
SpEntityId = configurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso); SpEntityId = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
SpMetadataUrl = configurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId); SpMetadataUrl = SsoConfigurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId);
SpAcsUrl = configurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId); SpAcsUrl = SsoConfigurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId);
} }
public string CallbackPath { get; set; } public string CallbackPath { get; set; }
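Review bot: With the `else` branch gone, `Data` is simply left unassigned when `config` is null, so a null `Data` in the response becomes the only signal that the organization has no SSO configuration, yet nothing in the constructor says so. A one-line comment on the conditional would help the next reader, e.g. `// Data is intentionally left null when no SsoConfig exists`, and the `Data` property (declared outside this hunk) should state in its summary that it may be null. The enclosing constructor starts above the hunk, so the `if (config != null)` condition itself is not visible here and this reading is inferred from the removed `else` branch.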


@ -1,9 +1,7 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using System.Text.Json;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Sso;
using Bit.Core.Utilities; using Bit.Core.Utilities;
using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Authentication.OpenIdConnect;
@ -11,9 +9,9 @@ namespace Bit.Core.Models.Data
{ {
public class SsoConfigurationData public class SsoConfigurationData
{ {
private const string _oidcSigninPath = "/oidc-signin"; private static string _oidcSigninPath = "/oidc-signin";
private const string _oidcSignedOutPath = "/oidc-signedout"; private static string _oidcSignedOutPath = "/oidc-signedout";
private const string _saml2ModulePath = "/saml2"; private static string _saml2ModulePath = "/saml2";
public static SsoConfigurationData Deserialize(string data) public static SsoConfigurationData Deserialize(string data)
{ {
@ -35,7 +33,7 @@ namespace Bit.Core.Models.Data
public string ClientId { get; set; } public string ClientId { get; set; }
public string ClientSecret { get; set; } public string ClientSecret { get; set; }
public string MetadataAddress { get; set; } public string MetadataAddress { get; set; }
public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; } = OpenIdConnectRedirectBehavior.FormPost; public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; }
public bool GetClaimsFromUserInfoEndpoint { get; set; } public bool GetClaimsFromUserInfoEndpoint { get; set; }
public string AdditionalScopes { get; set; } public string AdditionalScopes { get; set; }
public string AdditionalUserIdClaimTypes { get; set; } public string AdditionalUserIdClaimTypes { get; set; }
@ -49,43 +47,43 @@ namespace Bit.Core.Models.Data
public string IdpSingleSignOnServiceUrl { get; set; } public string IdpSingleSignOnServiceUrl { get; set; }
public string IdpSingleLogoutServiceUrl { get; set; } public string IdpSingleLogoutServiceUrl { get; set; }
public string IdpX509PublicCert { get; set; } public string IdpX509PublicCert { get; set; }
public Saml2BindingType IdpBindingType { get; set; } = Saml2BindingType.HttpRedirect; public Saml2BindingType IdpBindingType { get; set; }
public bool IdpAllowUnsolicitedAuthnResponse { get; set; } public bool IdpAllowUnsolicitedAuthnResponse { get; set; }
public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } } public string IdpArtifactResolutionServiceUrl { get => null; set { /*IGNORE*/ } }
public bool IdpDisableOutboundLogoutRequests { get; set; } public bool IdpDisableOutboundLogoutRequests { get; set; }
public string IdpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256; public string IdpOutboundSigningAlgorithm { get; set; }
public bool IdpWantAuthnRequestsSigned { get; set; } public bool IdpWantAuthnRequestsSigned { get; set; }
// SAML2 SP // SAML2 SP
public Saml2NameIdFormat SpNameIdFormat { get; set; } = Saml2NameIdFormat.Persistent; public Saml2NameIdFormat SpNameIdFormat { get; set; }
public string SpOutboundSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256; public string SpOutboundSigningAlgorithm { get; set; }
public Saml2SigningBehavior SpSigningBehavior { get; set; } = Saml2SigningBehavior.IfIdpWantAuthnRequestsSigned; public Saml2SigningBehavior SpSigningBehavior { get; set; }
public bool SpWantAssertionsSigned { get; set; } public bool SpWantAssertionsSigned { get; set; }
public bool SpValidateCertificates { get; set; } public bool SpValidateCertificates { get; set; }
public string SpMinIncomingSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256; public string SpMinIncomingSigningAlgorithm { get; set; }
public string BuildCallbackPath(string ssoUri = null) public static string BuildCallbackPath(string ssoUri = null)
{ {
return BuildSsoUrl(_oidcSigninPath, ssoUri); return BuildSsoUrl(_oidcSigninPath, ssoUri);
} }
public string BuildSignedOutCallbackPath(string ssoUri = null) public static string BuildSignedOutCallbackPath(string ssoUri = null)
{ {
return BuildSsoUrl(_oidcSignedOutPath, ssoUri); return BuildSsoUrl(_oidcSignedOutPath, ssoUri);
} }
public string BuildSaml2ModulePath(string ssoUri = null, string scheme = null) public static string BuildSaml2ModulePath(string ssoUri = null, string scheme = null)
{ {
return string.Concat(BuildSsoUrl(_saml2ModulePath, ssoUri), return string.Concat(BuildSsoUrl(_saml2ModulePath, ssoUri),
string.IsNullOrWhiteSpace(scheme) ? string.Empty : $"/{scheme}"); string.IsNullOrWhiteSpace(scheme) ? string.Empty : $"/{scheme}");
} }
public string BuildSaml2AcsUrl(string ssoUri = null, string scheme = null) public static string BuildSaml2AcsUrl(string ssoUri = null, string scheme = null)
{ {
return string.Concat(BuildSaml2ModulePath(ssoUri, scheme), "/Acs"); return string.Concat(BuildSaml2ModulePath(ssoUri, scheme), "/Acs");
} }
public string BuildSaml2MetadataUrl(string ssoUri = null, string scheme = null) public static string BuildSaml2MetadataUrl(string ssoUri = null, string scheme = null)
{ {
return BuildSaml2ModulePath(ssoUri, scheme); return BuildSaml2ModulePath(ssoUri, scheme);
} }
@ -114,7 +112,7 @@ namespace Bit.Core.Models.Data
.Select(c => c.Trim()) ?? .Select(c => c.Trim()) ??
Array.Empty<string>(); Array.Empty<string>();
private string BuildSsoUrl(string relativePath, string ssoUri) private static string BuildSsoUrl(string relativePath, string ssoUri)
{ {
if (string.IsNullOrWhiteSpace(ssoUri) || if (string.IsNullOrWhiteSpace(ssoUri) ||
!Uri.IsWellFormedUriString(ssoUri, UriKind.Absolute)) !Uri.IsWellFormedUriString(ssoUri, UriKind.Absolute))
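Review bot: In hunk `@ -11,9 +9,9`, `private static string _oidcSigninPath = "/oidc-signin";` (and the two sibling fields) replaces a `const` with a mutable static field, which the change does not need: a `const` is already accessible from the Build* methods that this commit makes static. A non-readonly static holding the OIDC callback and SAML module paths can be reassigned by any code in this class at runtime, and the default analyzers will not flag it. Keep `private const string _oidcSigninPath = "/oidc-signin";` (likewise for `_oidcSignedOutPath` and `_saml2ModulePath`), or at minimum make them `private static readonly string`.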