1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-25 12:45:18 +01:00

[AC-1145] Add trusted devices option to SSO Config Data (#2909)

* [AC-1145] Add TDE feature flag

* [AC-1145] Update .gitignore to ignore flags.json in the Api project

* [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData

* [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model

* [AC-1145] Automatically enable password reset policy on TDE selection

* [AC-1145] Remove references to obsolete KeyConnectorEnabled field

* [AC-1145] Formatting

* [AC-1145] Update XML doc reference to MemberDecryptionType
This commit is contained in:
Shane Melton 2023-05-10 12:52:08 -07:00 committed by GitHub
parent 5a850f48e2
commit 620a7e0a8d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 112 additions and 31 deletions

1
.gitignore vendored
View File

@ -225,3 +225,4 @@ src/Identity/Identity.zip
src/Notifications/Notifications.zip
bitwarden_license/src/Portal/Portal.zip
bitwarden_license/src/Sso/Sso.zip
src/Api/flags.json

View File

@ -41,8 +41,14 @@ public class SsoConfigurationDataRequest : IValidatableObject
[Required]
public SsoType ConfigType { get; set; }
public MemberDecryptionType MemberDecryptionType { get; set; }
public bool KeyConnectorEnabled { get; set; }
[Obsolete("Use MemberDecryptionType instead")]
public bool KeyConnectorEnabled
{
// Setter is kept for backwards compatibility with older clients that still use this property.
set { MemberDecryptionType = value ? MemberDecryptionType.KeyConnector : MemberDecryptionType.MasterPassword; }
}
public string KeyConnectorUrl { get; set; }
// OIDC
@ -166,7 +172,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
return new SsoConfigurationData
{
ConfigType = ConfigType,
KeyConnectorEnabled = KeyConnectorEnabled,
MemberDecryptionType = MemberDecryptionType,
KeyConnectorUrl = KeyConnectorUrl,
Authority = Authority,
ClientId = ClientId,

View File

@ -8,6 +8,8 @@ using Bit.Api.Models.Request.Organizations;
using Bit.Api.Models.Response;
using Bit.Api.Models.Response.Organizations;
using Bit.Api.SecretsManager;
using Bit.Core;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Repositories;
using Bit.Core.Auth.Services;
using Bit.Core.Context;
@ -46,6 +48,7 @@ public class OrganizationsController : Controller
private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
private readonly ICloudGetOrganizationLicenseQuery _cloudGetOrganizationLicenseQuery;
private readonly IFeatureService _featureService;
private readonly GlobalSettings _globalSettings;
public OrganizationsController(
@ -65,6 +68,7 @@ public class OrganizationsController : Controller
IOrganizationApiKeyRepository organizationApiKeyRepository,
IUpdateOrganizationLicenseCommand updateOrganizationLicenseCommand,
ICloudGetOrganizationLicenseQuery cloudGetOrganizationLicenseQuery,
IFeatureService featureService,
GlobalSettings globalSettings)
{
_organizationRepository = organizationRepository;
@ -83,6 +87,7 @@ public class OrganizationsController : Controller
_organizationApiKeyRepository = organizationApiKeyRepository;
_updateOrganizationLicenseCommand = updateOrganizationLicenseCommand;
_cloudGetOrganizationLicenseQuery = cloudGetOrganizationLicenseQuery;
_featureService = featureService;
_globalSettings = globalSettings;
}
@ -391,8 +396,7 @@ public class OrganizationsController : Controller
var user = await _userService.GetUserByPrincipalAsync(User);
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgGuidId);
if (ssoConfig?.GetData()?.KeyConnectorEnabled == true &&
user.UsesKeyConnector)
if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && user.UsesKeyConnector)
{
throw new BadRequestException("Your organization's Single Sign-On settings prevent you from leaving.");
}
@ -678,6 +682,12 @@ public class OrganizationsController : Controller
throw new NotFoundException();
}
if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption &&
!_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
{
throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type.");
}
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
organization.Identifier = model.Identifier;

View File

@ -1,4 +1,5 @@
using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Enums;
using Bit.Core.Enums.Provider;
using Bit.Core.Models.Api;
@ -62,7 +63,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
if (organization.SsoConfig != null)
{
var ssoConfigData = SsoConfigurationData.Deserialize(organization.SsoConfig);
KeyConnectorEnabled = ssoConfigData.KeyConnectorEnabled && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl);
KeyConnectorEnabled = ssoConfigData.MemberDecryptionType == MemberDecryptionType.KeyConnector && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl);
KeyConnectorUrl = ssoConfigData.KeyConnectorUrl;
}
}

View File

@ -0,0 +1,8 @@
namespace Bit.Core.Auth.Enums;
public enum MemberDecryptionType
{
MasterPassword = 0,
KeyConnector = 1,
TrustedDeviceEncryption = 2
}

View File

@ -22,7 +22,25 @@ public class SsoConfigurationData
public SsoType ConfigType { get; set; }
public bool KeyConnectorEnabled { get; set; }
public MemberDecryptionType MemberDecryptionType { get; set; }
/// <summary>
/// Legacy property to determine if KeyConnector was enabled.
/// Kept for backwards compatibility with old configs that will not have
/// the new <see cref="MemberDecryptionType"/> when deserialized from the database.
/// </summary>
[Obsolete("Use MemberDecryptionType instead")]
public bool KeyConnectorEnabled
{
get => MemberDecryptionType == MemberDecryptionType.KeyConnector;
set
{
if (value)
{
MemberDecryptionType = MemberDecryptionType.KeyConnector;
}
}
}
public string KeyConnectorUrl { get; set; }
// OIDC

View File

@ -1,8 +1,10 @@
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Repositories;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data.Organizations.Policies;
using Bit.Core.Repositories;
using Bit.Core.Services;
@ -12,21 +14,30 @@ public class SsoConfigService : ISsoConfigService
{
private readonly ISsoConfigRepository _ssoConfigRepository;
private readonly IPolicyRepository _policyRepository;
private readonly IPolicyService _policyService;
private readonly IOrganizationRepository _organizationRepository;
private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly IUserService _userService;
private readonly IOrganizationService _organizationService;
private readonly IEventService _eventService;
public SsoConfigService(
ISsoConfigRepository ssoConfigRepository,
IPolicyRepository policyRepository,
IPolicyService policyService,
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
IUserService userService,
IOrganizationService organizationService,
IEventService eventService)
{
_ssoConfigRepository = ssoConfigRepository;
_policyRepository = policyRepository;
_policyService = policyService;
_organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository;
_userService = userService;
_organizationService = organizationService;
_eventService = eventService;
}
@ -39,19 +50,31 @@ public class SsoConfigService : ISsoConfigService
config.CreationDate = now;
}
var useKeyConnector = config.GetData().KeyConnectorEnabled;
var useKeyConnector = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
if (useKeyConnector)
{
await VerifyDependenciesAsync(config, organization);
}
var oldConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(config.OrganizationId);
var disabledKeyConnector = oldConfig?.GetData()?.KeyConnectorEnabled == true && !useKeyConnector;
var disabledKeyConnector = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && !useKeyConnector;
if (disabledKeyConnector && await AnyOrgUserHasKeyConnectorEnabledAsync(config.OrganizationId))
{
throw new BadRequestException("Key Connector cannot be disabled at this moment.");
}
// Automatically enable reset password policy if trusted device encryption is selected
if (config.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
{
var resetPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.ResetPassword) ??
new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.ResetPassword, };
resetPolicy.Enabled = true;
resetPolicy.SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
await _policyService.SaveAsync(resetPolicy, _userService, _organizationService, null);
}
await LogEventsAsync(config, oldConfig);
await _ssoConfigRepository.UpsertAsync(config);
}
@ -97,8 +120,9 @@ public class SsoConfigService : ISsoConfigService
await _eventService.LogOrganizationEventAsync(organization, e);
}
var keyConnectorEnabled = config.GetData().KeyConnectorEnabled;
if (oldConfig?.GetData()?.KeyConnectorEnabled != keyConnectorEnabled)
var keyConnectorEnabled = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
var oldKeyConnectorEnabled = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector;
if (oldKeyConnectorEnabled != keyConnectorEnabled)
{
var e = keyConnectorEnabled
? EventType.Organization_EnabledKeyConnector

View File

@ -30,6 +30,7 @@ public static class FeatureFlagKeys
public const string SecretsManager = "secrets-manager";
public const string DisplayEuEnvironment = "display-eu-environment";
public const string DisplayLowKdfIterationWarning = "display-kdf-iteration-warning";
public const string TrustedDeviceEncryption = "trusted-device-encryption";
public static List<string> GetAllKeys()
{

View File

@ -1,5 +1,6 @@
using Bit.Core.AdminConsole.Models.OrganizationConnectionConfigs;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Models.Business;
@ -56,7 +57,7 @@ public class SelfHostedOrganizationDetails : Organization
}
if (!license.UseKeyConnector && UseKeyConnector && SsoConfig?.Data != null &&
SsoConfig.GetData().KeyConnectorEnabled)
SsoConfig.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector)
{
exception = $"Your organization currently has Key Connector enabled. " +
$"Your new license does not allow for the use of Key Connector. Disable your Key Connector.";

View File

@ -262,7 +262,7 @@ public class OrganizationService : IOrganizationService
if (!newPlan.HasKeyConnector && organization.UseKeyConnector)
{
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
if (ssoConfig != null && ssoConfig.GetData().KeyConnectorEnabled)
if (ssoConfig != null && ssoConfig.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector)
{
throw new BadRequestException("Your new plan does not allow the Key Connector feature. " +
"Disable your Key Connector.");
@ -2153,7 +2153,7 @@ public class OrganizationService : IOrganizationService
private async Task ValidateDeleteOrganizationAsync(Organization organization)
{
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
if (ssoConfig?.GetData()?.KeyConnectorEnabled == true)
if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
{
throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
}

View File

@ -1,4 +1,5 @@
using Bit.Core.Auth.Repositories;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Repositories;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
@ -185,7 +186,7 @@ public class PolicyService : IPolicyService
{
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
if (ssoConfig?.GetData()?.KeyConnectorEnabled == true)
if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
{
throw new BadRequestException("Key Connector is enabled.");
}

View File

@ -1,4 +1,5 @@
using System.Security.Claims;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Identity;
using Bit.Core.Auth.Models.Business.Tokenables;
using Bit.Core.Auth.Repositories;
@ -129,7 +130,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organizationId);
var ssoConfigData = ssoConfig.GetData();
if (ssoConfigData is { KeyConnectorEnabled: true } && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl))
if (ssoConfigData is { MemberDecryptionType: MemberDecryptionType.KeyConnector } && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl))
{
context.Result.CustomResponse["KeyConnectorUrl"] = ssoConfigData.KeyConnectorUrl;
// Prevent clients redirecting to set-password

View File

@ -2,6 +2,7 @@
using AutoFixture.Xunit2;
using Bit.Api.Controllers;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Repositories;
using Bit.Core.Auth.Services;
@ -38,6 +39,7 @@ public class OrganizationsControllerTests : IDisposable
private readonly ICreateOrganizationApiKeyCommand _createOrganizationApiKeyCommand;
private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
private readonly IOrganizationDomainRepository _organizationDomainRepository;
private readonly IFeatureService _featureService;
private readonly OrganizationsController _sut;
@ -60,12 +62,13 @@ public class OrganizationsControllerTests : IDisposable
_cloudGetOrganizationLicenseQuery = Substitute.For<ICloudGetOrganizationLicenseQuery>();
_createOrganizationApiKeyCommand = Substitute.For<ICreateOrganizationApiKeyCommand>();
_updateOrganizationLicenseCommand = Substitute.For<IUpdateOrganizationLicenseCommand>();
_featureService = Substitute.For<IFeatureService>();
_sut = new OrganizationsController(_organizationRepository, _organizationUserRepository,
_policyRepository, _providerRepository, _organizationService, _userService, _paymentService, _currentContext,
_ssoConfigRepository, _ssoConfigService, _getOrganizationApiKeyQuery, _rotateOrganizationApiKeyCommand,
_createOrganizationApiKeyCommand, _organizationApiKeyRepository, _updateOrganizationLicenseCommand,
_cloudGetOrganizationLicenseQuery, _globalSettings);
_cloudGetOrganizationLicenseQuery, _featureService, _globalSettings);
}
public void Dispose()
@ -82,7 +85,7 @@ public class OrganizationsControllerTests : IDisposable
Id = default,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector
}.Serialize(),
Enabled = true,
OrganizationId = orgId,
@ -115,7 +118,9 @@ public class OrganizationsControllerTests : IDisposable
Id = default,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = keyConnectorEnabled,
MemberDecryptionType = keyConnectorEnabled
? MemberDecryptionType.KeyConnector
: MemberDecryptionType.MasterPassword
}.Serialize(),
Enabled = true,
OrganizationId = orgId,

View File

@ -1,4 +1,5 @@
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Repositories;
using Bit.Core.Auth.Services;
@ -83,7 +84,7 @@ public class SsoConfigServiceTests
Id = 1,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector
}.Serialize(),
Enabled = true,
OrganizationId = organization.Id,
@ -127,7 +128,7 @@ public class SsoConfigServiceTests
Id = 1,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector,
}.Serialize(),
Enabled = true,
OrganizationId = organization.Id,
@ -165,7 +166,7 @@ public class SsoConfigServiceTests
Id = default,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector,
}.Serialize(),
Enabled = true,
OrganizationId = organization.Id,
@ -193,7 +194,7 @@ public class SsoConfigServiceTests
Id = default,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector,
}.Serialize(),
Enabled = true,
OrganizationId = organization.Id,
@ -227,7 +228,7 @@ public class SsoConfigServiceTests
Id = default,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector,
}.Serialize(),
Enabled = false,
OrganizationId = organization.Id,
@ -262,7 +263,7 @@ public class SsoConfigServiceTests
Id = default,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector,
}.Serialize(),
Enabled = true,
OrganizationId = organization.Id,
@ -297,7 +298,7 @@ public class SsoConfigServiceTests
Id = default,
Data = new SsoConfigurationData
{
KeyConnectorEnabled = true,
MemberDecryptionType = MemberDecryptionType.KeyConnector,
}.Serialize(),
Enabled = true,
OrganizationId = organization.Id,

View File

@ -1,5 +1,6 @@
using Bit.Core.AdminConsole.Models.OrganizationConnectionConfigs;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Entities;
using Bit.Core.Enums;
@ -173,7 +174,7 @@ public class SelfHostedOrganizationDetailsTests
{
var (orgDetails, orgLicense) = GetOrganizationAndLicense(orgUsers, policies, ssoConfig, scimConnections, license);
orgLicense.UseKeyConnector = false;
orgDetails.SsoConfig.SetData(new SsoConfigurationData() { KeyConnectorEnabled = false });
orgDetails.SsoConfig.SetData(new SsoConfigurationData() { MemberDecryptionType = MemberDecryptionType.MasterPassword });
var result = orgDetails.CanUseLicense(license, out var exception);
@ -318,7 +319,7 @@ public class SelfHostedOrganizationDetailsTests
ssoConfig.Enabled = true;
ssoConfig.SetData(new SsoConfigurationData()
{
KeyConnectorEnabled = true
MemberDecryptionType = MemberDecryptionType.KeyConnector,
});
var enabledScimConfig = new ScimConfig() { Enabled = true };

View File

@ -1,5 +1,6 @@
using System.Text.Json;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Business;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Repositories;
@ -1192,7 +1193,7 @@ public class OrganizationServiceTests
SsoConfig ssoConfig)
{
ssoConfig.Enabled = true;
ssoConfig.SetData(new SsoConfigurationData { KeyConnectorEnabled = true });
ssoConfig.SetData(new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.KeyConnector });
var ssoConfigRepository = sutProvider.GetDependency<ISsoConfigRepository>();
var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();

View File

@ -1,4 +1,5 @@
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Repositories;
using Bit.Core.Entities;
@ -147,7 +148,7 @@ public class PolicyServiceTests
});
var ssoConfig = new SsoConfig { Enabled = true };
var data = new SsoConfigurationData { KeyConnectorEnabled = true };
var data = new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.KeyConnector };
ssoConfig.SetData(data);
sutProvider.GetDependency<ISsoConfigRepository>()