Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-21 12:05:42 +01:00
Code Issues Projects Releases Wiki Activity

[AC-1192] Create endpoints for new Device Approvals page (#2993)

Browse Source 
* [AC-1192] Create new OrganizationAuthRequestsController.cs

* [AC-1192] Introduce OrganizationAdminAuthRequest model

* [AC-1192] Add GetManyPendingByOrganizationId method to AuthRequest repository

* [AC-1192] Add new list pending organization auth requests endpoint

* [AC-1192] Add new GetManyAdminApprovalsByManyIdsAsync method to the AuthRequestRepository

* [AC-1192] Make the response device identifier optional for admin approval requests

* [AC-1192] Add endpoint for bulk denying admin device auth requests

* [AC-1192] Add OrganizationUserId to PendingOrganizationAuthRequestResponseModel

* [AC-1192] Add UpdateAuthRequest endpoint and logic to OrganizationAuthRequestsController

* [AC-1192] Secure new endpoints behind TDE feature flag

* [AC-1192] Formatting

* [AC-1192] Add sql migration script

* [AC-1192] Add optional OrganizationId column to AuthRequest entity

- Rename migration script to match existing formatting
- Add new column
- Add migration scripts
- Update new sprocs to filter/join on OrganizationId
- Update old sprocs to include OrganizationId

* [AC-1192] Format migration scripts

* [AC-1192] Fix failing AuthRequest EF unit test

* [AC-1192] Make OrganizationId optional in updated AuthRequest sprocs for backwards compatability

* [AC-1192] Fix missing comma in migration file

* [AC-1192] Rename Key to EncryptedUserKey to be more descriptive

* [AC-1192] Move request validation into helper method to reduce repetition

* [AC-1192] Return UnauthorizedAccessException instead of NotFound when user is missing permission

* [AC-1192] Introduce FeatureUnavailableException

* [AC-1192] Introduce RequireFeatureAttribute

* [AC-1192] Utilize the new RequireFeatureAttribute in the OrganizationAuthRequestsController

* [AC-1192] Attempt to fix out of sync database migration by moving new OrganizationId column

* [AC-1192] More attempts to sync database migrations

* [AC-1192] Formatting

* [AC-1192] Remove unused reference to FeatureService

* [AC-1192] Change Id types from String to Guid

* [AC-1192] Add EncryptedString attribute

* [AC-1192] Remove redundant OrganizationId property

* [AC-1192] Switch to projection for OrganizationAdminAuthRequest mapping

- Add new OrganizationUser relationship to EF entity
- Replace AuthRequest DBContext config with new IEntityTypeConfiguration
- Add navigation property to AuthRequest entity configuration for OrganizationUser
- Update EF AuthRequestRepository to use new mapping and navigation properties

* [AC-1192] Remove OrganizationUser navigation property
This commit is contained in:
Shane Melton 2023-06-15 14:54:08 -07:00 committed by GitHub
parent bdd5e0916e
commit 904b2fe205
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
34 changed files with 7417 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/Api/Auth/Models/Request/AdminAuthRequestUpdateRequestModel.cs Normal file
View File

@ -0,0 +1,13 @@
using System.ComponentModel.DataAnnotations;
using Bit.Core.Utilities;
namespace Bit.Api.Auth.Models.Request;
public class AdminAuthRequestUpdateRequestModel
{
[EncryptedString]
public string EncryptedUserKey { get; set; }
[Required]
public bool RequestApproved { get; set; }
}

6
src/Api/Auth/Models/Request/BulkDenyAdminAuthRequestRequestModel.cs Normal file
View File

@ -0,0 +1,6 @@
namespace Bit.Api.Auth.Models.Request;
public class BulkDenyAdminAuthRequestRequestModel
{
public IEnumerable<Guid> Ids { get; set; }
}

38
src/Api/Auth/Models/Response/PendingOrganizationAuthRequestResponseModel.cs Normal file
View File

@ -0,0 +1,38 @@
using System.ComponentModel.DataAnnotations;
using System.Reflection;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Models.Api;
namespace Bit.Api.Auth.Models.Response;
public class PendingOrganizationAuthRequestResponseModel : ResponseModel
{
public PendingOrganizationAuthRequestResponseModel(OrganizationAdminAuthRequest authRequest, string obj = "pending-org-auth-request") : base(obj)
{
if (authRequest == null)
{
throw new ArgumentNullException(nameof(authRequest));
}
Id = authRequest.Id;
UserId = authRequest.UserId;
OrganizationUserId = authRequest.OrganizationUserId;
Email = authRequest.Email;
PublicKey = authRequest.PublicKey;
RequestDeviceIdentifier = authRequest.RequestDeviceIdentifier;
RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
.FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
RequestIpAddress = authRequest.RequestIpAddress;
CreationDate = authRequest.CreationDate;
}
public Guid Id { get; set; }
public Guid UserId { get; set; }
public Guid OrganizationUserId { get; set; }
public string Email { get; set; }
public string PublicKey { get; set; }
public string RequestDeviceIdentifier { get; set; }
public string RequestDeviceType { get; set; }
public string RequestIpAddress { get; set; }
public DateTime CreationDate { get; set; }
}

83
src/Api/Controllers/OrganizationAuthRequestsController.cs Normal file
View File

@ -0,0 +1,83 @@
using Bit.Api.Auth.Models.Request;
using Bit.Api.Auth.Models.Response;
using Bit.Api.Models.Response;
using Bit.Core;
using Bit.Core.Auth.Models.Api.Request.AuthRequest;
using Bit.Core.Auth.Services;
using Bit.Core.Context;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace Bit.Api.Controllers;
[Route("organizations/{orgId}/auth-requests")]
[Authorize("Application")]
[RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)]
public class OrganizationAuthRequestsController : Controller
{
private readonly IAuthRequestRepository _authRequestRepository;
private readonly ICurrentContext _currentContext;
private readonly IAuthRequestService _authRequestService;
public OrganizationAuthRequestsController(IAuthRequestRepository authRequestRepository,
ICurrentContext currentContext, IAuthRequestService authRequestService)
{
_authRequestRepository = authRequestRepository;
_currentContext = currentContext;
_authRequestService = authRequestService;
}
[HttpGet("")]
public async Task<ListResponseModel<PendingOrganizationAuthRequestResponseModel>> GetPendingRequests(Guid orgId)
{
await ValidateAdminRequest(orgId);
var authRequests = await _authRequestRepository.GetManyPendingByOrganizationIdAsync(orgId);
var responses = authRequests
.Select(a => new PendingOrganizationAuthRequestResponseModel(a))
.ToList();
return new ListResponseModel<PendingOrganizationAuthRequestResponseModel>(responses);
}
[HttpPost("{requestId}")]
public async Task UpdateAuthRequest(Guid orgId, Guid requestId, [FromBody] AdminAuthRequestUpdateRequestModel model)
{
await ValidateAdminRequest(orgId);
var authRequest =
(await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, new[] { requestId })).FirstOrDefault();
if (authRequest == null || authRequest.OrganizationId != orgId)
{
throw new NotFoundException();
}
await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
new AuthRequestUpdateRequestModel { RequestApproved = model.RequestApproved, Key = model.EncryptedUserKey });
}
[HttpPost("deny")]
public async Task BulkDenyRequests(Guid orgId, [FromBody] BulkDenyAdminAuthRequestRequestModel model)
{
await ValidateAdminRequest(orgId);
var authRequests = await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, model.Ids);
foreach (var authRequest in authRequests)
{
await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
new AuthRequestUpdateRequestModel { RequestApproved = false, });
}
}
private async Task ValidateAdminRequest(Guid orgId)
{
if (!await _currentContext.ManageResetPassword(orgId))
{
throw new UnauthorizedAccessException();
}
}
}

1
src/Core/Auth/Entities/AuthRequest.cs
View File

@ -9,6 +9,7 @@ public class AuthRequest : ITableObject<Guid>
{
public Guid Id { get; set; }
public Guid UserId { get; set; }
public Guid? OrganizationId { get; set; }
public Enums.AuthRequestType Type { get; set; }
[MaxLength(50)]
public string RequestDeviceIdentifier { get; set; }

3
src/Core/Auth/Enums/AuthRequestType.cs
View File

@ -3,5 +3,6 @@
public enum AuthRequestType : byte
{
AuthenticateAndUnlock = 0,
Unlock = 1
Unlock = 1,
AdminApproval = 2,
}

18
src/Core/Auth/Models/Data/OrganizationAdminAuthRequest.cs Normal file
View File

@ -0,0 +1,18 @@
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
namespace Bit.Core.Auth.Models.Data;
/// <summary>
/// Represents an <see cref="AuthRequestType.AdminApproval"/> AuthRequest.
/// Includes additional user and organization information.
/// </summary>
public class OrganizationAdminAuthRequest : AuthRequest
{
/// <summary>
/// Email address of the requesting user
/// </summary>
public string Email { get; set; }
public Guid OrganizationUserId { get; set; }
}

3
src/Core/Auth/Repositories/IAuthRequestRepository.cs
View File

@ -1,4 +1,5 @@
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Models.Data;
namespace Bit.Core.Repositories;
@ -6,4 +7,6 @@ public interface IAuthRequestRepository : IRepository<AuthRequest, Guid>
{
Task<int> DeleteExpiredAsync();
Task<ICollection<AuthRequest>> GetManyByUserIdAsync(Guid userId);
Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId);
Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids);
}

13
src/Core/Auth/Services/Implementations/AuthRequestService.cs
View File

@ -1,4 +1,5 @@
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Exceptions;
using Bit.Core.Auth.Models.Api.Request.AuthRequest;
using Bit.Core.Context;
@ -119,13 +120,17 @@ public class AuthRequestService : IAuthRequestService
throw new DuplicateAuthRequestException();
}
var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
if (device == null)
// Admin approval responses are not tied to a specific device, so we don't need to validate it.
if (authRequest.Type != AuthRequestType.AdminApproval)
{
throw new BadRequestException("Invalid device.");
var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
if (device == null)
{
throw new BadRequestException("Invalid device.");
}
authRequest.ResponseDeviceId = device.Id;
}
authRequest.ResponseDeviceId = device.Id;
authRequest.ResponseDate = DateTime.UtcNow;
authRequest.Approved = model.RequestApproved;

14
src/Core/Exceptions/FeatureUnavailableException.cs Normal file
View File

@ -0,0 +1,14 @@
namespace Bit.Core.Exceptions;
/// <summary>
/// Exception to throw when a requested feature is not yet enabled/available for the requesting context.
/// </summary>
public class FeatureUnavailableException : NotFoundException
{
public FeatureUnavailableException()
{ }
public FeatureUnavailableException(string message)
: base(message)
{ }
}

36
src/Core/Utilities/RequireFeatureAttribute.cs Normal file
View File

@ -0,0 +1,36 @@
using Bit.Core.Context;
using Bit.Core.Exceptions;
using Bit.Core.Services;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
namespace Bit.Core.Utilities;
/// <summary>
/// Specifies that the class or method that this attribute is applied to requires the specified boolean feature flag
/// to be enabled. If the feature flag is not enabled, a <see cref="FeatureUnavailableException"/> is thrown
/// </summary>
public class RequireFeatureAttribute : ActionFilterAttribute
{
private readonly string _featureFlagKey;
/// <summary>
/// Initializes a new instance of the <see cref="RequireFeatureAttribute"/> class with the specified feature flag key.
/// </summary>
/// <param name="featureFlagKey">The name of the feature flag to require.</param>
public RequireFeatureAttribute(string featureFlagKey)
{
_featureFlagKey = featureFlagKey;
}
public override void OnActionExecuting(ActionExecutingContext context)
{
var currentContext = context.HttpContext.RequestServices.GetRequiredService<ICurrentContext>();
var featureService = context.HttpContext.RequestServices.GetRequiredService<IFeatureService>();
if (!featureService.IsEnabled(_featureFlagKey, currentContext))
{
throw new FeatureUnavailableException();
}
}
}

27
src/Infrastructure.Dapper/Auth/Repositories/AuthRequestRepository.cs
View File

@ -1,5 +1,6 @@
using System.Data;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Repositories;
using Bit.Core.Settings;
using Bit.Infrastructure.Dapper.Repositories;
@ -41,4 +42,30 @@ public class AuthRequestRepository : Repository<AuthRequest, Guid>, IAuthRequest
return results.ToList();
}
}
public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
$"[{Schema}].[AuthRequest_ReadPendingByOrganizationId]",
new { OrganizationId = organizationId },
commandType: CommandType.StoredProcedure);
return results.ToList();
}
}
public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
$"[{Schema}].[AuthRequest_ReadAdminApprovalsByIds]",
new { OrganizationId = organizationId, Ids = ids.ToGuidIdArrayTVP() },
commandType: CommandType.StoredProcedure);
return results.ToList();
}
}
}

14
src/Infrastructure.EntityFramework/Auth/Configurations/AuthRequestConfiguration.cs Normal file
View File

@ -0,0 +1,14 @@
using Bit.Infrastructure.EntityFramework.Auth.Models;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
namespace Bit.Infrastructure.EntityFramework.Auth.Configurations;
public class AuthRequestConfiguration : IEntityTypeConfiguration<AuthRequest>
{
public void Configure(EntityTypeBuilder<AuthRequest> builder)
{
builder.Property(ar => ar.Id).ValueGeneratedNever();
builder.ToTable(nameof(AuthRequest));
}
}

6
src/Infrastructure.EntityFramework/Auth/Models/AuthRequest.cs
View File

@ -1,4 +1,5 @@
using AutoMapper;
using Bit.Core.Auth.Models.Data;
using Bit.Infrastructure.EntityFramework.Models;
namespace Bit.Infrastructure.EntityFramework.Auth.Models;
@ -7,6 +8,7 @@ public class AuthRequest : Core.Auth.Entities.AuthRequest
{
public virtual User User { get; set; }
public virtual Device ResponseDevice { get; set; }
public virtual Organization Organization { get; set; }
}
public class AuthRequestMapperProfile : Profile
@ -14,5 +16,9 @@ public class AuthRequestMapperProfile : Profile
public AuthRequestMapperProfile()
{
CreateMap<Core.Auth.Entities.AuthRequest, AuthRequest>().ReverseMap();
CreateProjection<AuthRequest, OrganizationAdminAuthRequest>()
.ForMember(m => m.Email, opt => opt.MapFrom(t => t.User.Email))
.ForMember(m => m.OrganizationUserId, opt => opt.MapFrom(
t => t.User.OrganizationUsers.FirstOrDefault(ou => ou.OrganizationId == t.OrganizationId && ou.UserId == t.UserId).Id));
}
}

31
src/Infrastructure.EntityFramework/Auth/Repositories/AuthRequestRepository.cs
View File

@ -1,4 +1,7 @@
using AutoMapper;
using AutoMapper.QueryableExtensions;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Repositories;
using Bit.Infrastructure.EntityFramework.Auth.Models;
using Bit.Infrastructure.EntityFramework.Repositories;
@ -33,4 +36,32 @@ public class AuthRequestRepository : Repository<Core.Auth.Entities.AuthRequest,
return Mapper.Map<List<Core.Auth.Entities.AuthRequest>>(userAuthRequests);
}
}
public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
where ar.OrganizationId.Equals(organizationId) && ar.ResponseDate == null && ar.Type == AuthRequestType.AdminApproval
select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
return orgUserAuthRequests;
}
}
public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(
Guid organizationId,
IEnumerable<Guid> ids)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
where ar.OrganizationId.Equals(organizationId) && ids.Contains(ar.Id) && ar.Type == AuthRequestType.AdminApproval
select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
return orgUserAuthRequests;
}
}
}

3
src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
View File

@ -97,7 +97,6 @@ public class DatabaseContext : DbContext
var eUser = builder.Entity<User>();
var eOrganizationApiKey = builder.Entity<OrganizationApiKey>();
var eOrganizationConnection = builder.Entity<OrganizationConnection>();
var eAuthRequest = builder.Entity<AuthRequest>();
var eOrganizationDomain = builder.Entity<OrganizationDomain>();
eCipher.Property(c => c.Id).ValueGeneratedNever();
@ -119,7 +118,6 @@ public class DatabaseContext : DbContext
eUser.Property(c => c.Id).ValueGeneratedNever();
eOrganizationApiKey.Property(c => c.Id).ValueGeneratedNever();
eOrganizationConnection.Property(c => c.Id).ValueGeneratedNever();
eAuthRequest.Property(ar => ar.Id).ValueGeneratedNever();
eOrganizationDomain.Property(ar => ar.Id).ValueGeneratedNever();
eCollectionCipher.HasKey(cc => new { cc.CollectionId, cc.CipherId });
@ -171,7 +169,6 @@ public class DatabaseContext : DbContext
eUser.ToTable(nameof(User));
eOrganizationApiKey.ToTable(nameof(OrganizationApiKey));
eOrganizationConnection.ToTable(nameof(OrganizationConnection));
eAuthRequest.ToTable(nameof(AuthRequest));
eOrganizationDomain.ToTable(nameof(OrganizationDomain));
ConfigureDateTimeUtcQueries(builder);

5
src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Create.sql
View File

@ -1,6 +1,7 @@
CREATE PROCEDURE [dbo].[AuthRequest_Create]
@Id UNIQUEIDENTIFIER OUTPUT,
@UserId UNIQUEIDENTIFIER,
@OrganizationId UNIQUEIDENTIFIER = NULL,
@Type TINYINT,
@RequestDeviceIdentifier NVARCHAR(50),
@RequestDeviceType TINYINT,
@ -22,6 +23,7 @@ BEGIN
(
[Id],
[UserId],
[OrganizationId],
[Type],
[RequestDeviceIdentifier],
[RequestDeviceType],
@ -40,6 +42,7 @@ BEGIN
(
@Id,
@UserId,
@OrganizationId,
@Type,
@RequestDeviceIdentifier,
@RequestDeviceType,
@ -54,4 +57,4 @@ BEGIN
@ResponseDate,
@AuthenticationDate
)
END
END

20
src/Sql/Auth/dbo/Stored Procedures/AuthRequest_ReadAdminApprovalsByIds.sql Normal file
View File

@ -0,0 +1,20 @@
CREATE PROCEDURE [dbo].[AuthRequest_ReadAdminApprovalsByIds]
@OrganizationId UNIQUEIDENTIFIER,
@Ids AS [dbo].[GuidIdArray] READONLY
AS
BEGIN
SET NOCOUNT ON
SELECT
ar.*, ou.[Email], ou.[Id] AS [OrganizationUserId]
FROM
[dbo].[AuthRequestView] ar
INNER JOIN
[dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
WHERE
ar.[OrganizationId] = @OrganizationId
AND
ar.[Type] = 2 -- AdminApproval
AND
ar.[Id] IN (SELECT [Id] FROM @Ids)
END

19
src/Sql/Auth/dbo/Stored Procedures/AuthRequest_ReadPendingByOrganizationId.sql Normal file
View File

@ -0,0 +1,19 @@
CREATE PROCEDURE [dbo].[AuthRequest_ReadPendingByOrganizationId]
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
ar.*, ou.[Email], ou.[OrganizationId], ou.[Id] AS [OrganizationUserId]
FROM
[dbo].[AuthRequestView] ar
INNER JOIN
[dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
WHERE
ar.[OrganizationId] = @OrganizationId
AND
ar.[ResponseDate] IS NULL
AND
ar.[Type] = 2 -- AdminApproval
END

2
src/Sql/Auth/dbo/Stored Procedures/AuthRequest_Update.sql
View File

@ -1,6 +1,7 @@
CREATE PROCEDURE [dbo].[AuthRequest_Update]
@Id UNIQUEIDENTIFIER OUTPUT,
@UserId UNIQUEIDENTIFIER,
@OrganizationId UNIQUEIDENTIFIER = NULL,
@Type SMALLINT,
@RequestDeviceIdentifier NVARCHAR(50),
@RequestDeviceType SMALLINT,
@ -23,6 +24,7 @@ BEGIN
SET
[UserId] = @UserId,
[Type] = @Type,
[OrganizationId] = @OrganizationId,
[RequestDeviceIdentifier] = @RequestDeviceIdentifier,
[RequestDeviceType] = @RequestDeviceType,
[RequestIpAddress] = @RequestIpAddress,

4
src/Sql/Auth/dbo/Tables/AuthRequest.sql
View File

@ -14,9 +14,11 @@
[CreationDate] DATETIME2 (7) NOT NULL,
[ResponseDate] DATETIME2 (7) NULL,
[AuthenticationDate] DATETIME2 (7) NULL,
[OrganizationId] UNIQUEIDENTIFIER NULL,
CONSTRAINT [PK_AuthRequest] PRIMARY KEY CLUSTERED ([Id] ASC),
CONSTRAINT [FK_AuthRequest_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id]),
CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id])
CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id]),
CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
);

85
test/Core.Test/Utilities/RequireFeatureAttributeTests.cs Normal file
View File

@ -0,0 +1,85 @@
using Bit.Core.Context;
using Bit.Core.Exceptions;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Abstractions;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using NSubstitute;
using Xunit;
namespace Bit.Core.Test.Utilities;
public class RequireFeatureAttributeTests
{
private const string _testFeature = "test-feature";
[Fact]
public void Throws_When_Feature_Disabled()
{
// Arrange
var rfa = new RequireFeatureAttribute(_testFeature);
// Act & Assert
Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
}
[Fact]
public void Throws_When_Feature_Not_Found()
{
// Arrange
var rfa = new RequireFeatureAttribute("missing-feature");
// Act & Assert
Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
}
[Fact]
public void Success_When_Feature_Enabled()
{
// Arrange
var rfa = new RequireFeatureAttribute(_testFeature);
// Act
rfa.OnActionExecuting(GetContext(enabled: true));
// Assert
// The Assert here is NOT throwing an exception
}
/// <summary>
/// Generates a ActionExecutingContext with the necessary services registered to test
/// the <see cref="RequireFeatureAttribute"/>
/// </summary>
/// <param name="enabled">Mock value for the <see cref="_testFeature"/> flag</param>
/// <returns></returns>
private static ActionExecutingContext GetContext(bool enabled)
{
IServiceCollection services = new ServiceCollection();
var featureService = Substitute.For<IFeatureService>();
var currentContext = Substitute.For<ICurrentContext>();
featureService.IsEnabled(_testFeature, Arg.Any<ICurrentContext>()).Returns(enabled);
services.AddSingleton(featureService);
services.AddSingleton(currentContext);
var httpContext = new DefaultHttpContext();
httpContext.RequestServices = services.BuildServiceProvider();
var context = Substitute.For<ActionExecutingContext>(
Substitute.For<ActionContext>(httpContext,
new RouteData(),
Substitute.For<ActionDescriptor>()),
new List<IFilterMetadata>(),
new Dictionary<string, object>(),
Substitute.For<Controller>());
return context;
}
}

2
test/Infrastructure.EFIntegration.Test/Auth/AutoFixture/AuthRequestFixtures.cs
View File

@ -41,9 +41,11 @@ internal class EfAuthRequest : ICustomization
fixture.Customizations.Add(new GlobalSettingsBuilder());
fixture.Customizations.Add(new AuthRequestBuilder());
fixture.Customizations.Add(new DeviceBuilder());
fixture.Customizations.Add(new OrganizationBuilder());
fixture.Customizations.Add(new UserBuilder());
fixture.Customizations.Add(new EfRepositoryListBuilder<AuthRequestRepository>());
fixture.Customizations.Add(new EfRepositoryListBuilder<DeviceRepository>());
fixture.Customizations.Add(new EfRepositoryListBuilder<OrganizationRepository>());
fixture.Customizations.Add(new EfRepositoryListBuilder<UserRepository>());
}
}

11
test/Infrastructure.EFIntegration.Test/Auth/Repositories/AuthRequestRepositoryTests.cs
View File

@ -19,9 +19,12 @@ public class AuthRequestRepositoryTests
AuthRequestCompare equalityComparer,
List<EfAuthRepo.AuthRequestRepository> suts,
SqlAuthRepo.AuthRequestRepository sqlAuthRequestRepo,
Organization organization,
User user,
List<EfRepo.UserRepository> efUserRepos,
SqlRepo.UserRepository sqlUserRepo
List<EfRepo.OrganizationRepository> efOrgRepos,
SqlRepo.UserRepository sqlUserRepo,
SqlRepo.OrganizationRepository sqlOrgRepo
)
{
authRequest.ResponseDeviceId = null;
@ -34,6 +37,10 @@ public class AuthRequestRepositoryTests
sut.ClearChangeTracking();
authRequest.UserId = efUser.Id;
var efOrg = await efOrgRepos[i].CreateAsync(organization);
sut.ClearChangeTracking();
authRequest.OrganizationId = efOrg.Id;
var postEfAuthRequest = await sut.CreateAsync(authRequest);
sut.ClearChangeTracking();
@ -43,6 +50,8 @@ public class AuthRequestRepositoryTests
var sqlUser = await sqlUserRepo.CreateAsync(user);
authRequest.UserId = sqlUser.Id;
var sqlOrg = await sqlOrgRepo.CreateAsync(organization);
authRequest.OrganizationId = sqlOrg.Id;
var sqlAuthRequest = await sqlAuthRequestRepo.CreateAsync(authRequest);
var savedSqlAuthRequest = await sqlAuthRequestRepo.GetByIdAsync(sqlAuthRequest.Id);
savedAuthRequests.Add(savedSqlAuthRequest);

193
util/Migrator/DbScripts/2023-06-01_00_TdeAdminApproval.sql Normal file
View File

@ -0,0 +1,193 @@
--Add OrganizationId Column and Foreign Key
IF COL_LENGTH('[dbo].[AuthRequest]', 'OrganizationId') IS NULL
BEGIN
ALTER TABLE
[dbo].[AuthRequest]
ADD [OrganizationId] UNIQUEIDENTIFIER NULL;
ALTER TABLE
[dbo].[AuthRequest]
ADD CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
END
GO
-- Drop and recreate view
IF EXISTS(SELECT * FROM sys.views WHERE [Name] = 'AuthRequestView')
BEGIN
DROP VIEW [dbo].[AuthRequestView]
END
GO
CREATE VIEW [dbo].[AuthRequestView]
AS
SELECT
*
FROM
[dbo].[AuthRequest]
GO
--Drop existing SPROC
IF OBJECT_ID('[dbo].[AuthRequest_Update]') IS NOT NULL
BEGIN
DROP PROCEDURE [dbo].[AuthRequest_Update]
END
GO
--Create SPROC with OrganizationId column
CREATE PROCEDURE [dbo].[AuthRequest_Update]
@Id UNIQUEIDENTIFIER OUTPUT,
@UserId UNIQUEIDENTIFIER,
@OrganizationId UNIQUEIDENTIFIER = NULL,
@Type SMALLINT,
@RequestDeviceIdentifier NVARCHAR(50),
@RequestDeviceType SMALLINT,
@RequestIpAddress VARCHAR(50),
@ResponseDeviceId UNIQUEIDENTIFIER,
@AccessCode VARCHAR(25),
@PublicKey VARCHAR(MAX),
@Key VARCHAR(MAX),
@MasterPasswordHash VARCHAR(MAX),
@Approved BIT,
@CreationDate DATETIME2 (7),
@ResponseDate DATETIME2 (7),
@AuthenticationDate DATETIME2 (7)
AS
BEGIN
SET NOCOUNT ON
UPDATE
[dbo].[AuthRequest]
SET
[UserId] = @UserId,
[Type] = @Type,
[OrganizationId] = @OrganizationId,
[RequestDeviceIdentifier] = @RequestDeviceIdentifier,
[RequestDeviceType] = @RequestDeviceType,
[RequestIpAddress] = @RequestIpAddress,
[ResponseDeviceId] = @ResponseDeviceId,
[AccessCode] = @AccessCode,
[PublicKey] = @PublicKey,
[Key] = @Key,
[MasterPasswordHash] = @MasterPasswordHash,
[Approved] = @Approved,
[CreationDate] = @CreationDate,
[ResponseDate] = @ResponseDate,
[AuthenticationDate] = @AuthenticationDate
WHERE
[Id] = @Id
END
GO
--Drop existing SPROC
IF OBJECT_ID('[dbo].[AuthRequest_Create]') IS NOT NULL
BEGIN
DROP PROCEDURE [dbo].[AuthRequest_Create]
END
GO
--Create SPROC with OrganizationId column
CREATE PROCEDURE [dbo].[AuthRequest_Create]
@Id UNIQUEIDENTIFIER OUTPUT,
@UserId UNIQUEIDENTIFIER,
@OrganizationId UNIQUEIDENTIFIER = NULL,
@Type TINYINT,
@RequestDeviceIdentifier NVARCHAR(50),
@RequestDeviceType TINYINT,
@RequestIpAddress VARCHAR(50),
@ResponseDeviceId UNIQUEIDENTIFIER,
@AccessCode VARCHAR(25),
@PublicKey VARCHAR(MAX),
@Key VARCHAR(MAX),
@MasterPasswordHash VARCHAR(MAX),
@Approved BIT,
@CreationDate DATETIME2(7),
@ResponseDate DATETIME2(7),
@AuthenticationDate DATETIME2(7)
AS
BEGIN
SET NOCOUNT ON
INSERT INTO [dbo].[AuthRequest]
(
[Id],
[UserId],
[OrganizationId],
[Type],
[RequestDeviceIdentifier],
[RequestDeviceType],
[RequestIpAddress],
[ResponseDeviceId],
[AccessCode],
[PublicKey],
[Key],
[MasterPasswordHash],
[Approved],
[CreationDate],
[ResponseDate],
[AuthenticationDate]
)
VALUES
(
@Id,
@UserId,
@OrganizationId,
@Type,
@RequestDeviceIdentifier,
@RequestDeviceType,
@RequestIpAddress,
@ResponseDeviceId,
@AccessCode,
@PublicKey,
@Key,
@MasterPasswordHash,
@Approved,
@CreationDate,
@ResponseDate,
@AuthenticationDate
)
END
Go
-- New SPROC
CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_ReadAdminApprovalsByIds]
@OrganizationId UNIQUEIDENTIFIER,
@Ids AS [dbo].[GuidIdArray] READONLY
AS
BEGIN
SET NOCOUNT ON
SELECT
ar.*, ou.[Email], ou.[Id] AS [OrganizationUserId]
FROM
[dbo].[AuthRequestView] ar
INNER JOIN
[dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
WHERE
ar.[OrganizationId] = @OrganizationId
AND
ar.[Type] = 2 -- AdminApproval
AND
ar.[Id] IN (SELECT [Id] FROM @Ids)
END
GO
-- New SPROC
CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_ReadPendingByOrganizationId]
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
ar.*, ou.[Email], ou.[OrganizationId], ou.[Id] AS [OrganizationUserId]
FROM
[dbo].[AuthRequestView] ar
INNER JOIN
[dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
WHERE
ar.[OrganizationId] = @OrganizationId
AND
ar.[ResponseDate] IS NULL
AND
ar.[Type] = 2 -- AdminApproval
END
GO

2201
util/MySqlMigrations/Migrations/20230605183142_TdeAdminApproval.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

45
util/MySqlMigrations/Migrations/20230605183142_TdeAdminApproval.cs Normal file
View File

@ -0,0 +1,45 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.MySqlMigrations.Migrations;
public partial class TdeAdminApproval : Migration
{
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.AddColumn<Guid>(
name: "OrganizationId",
table: "AuthRequest",
type: "char(36)",
nullable: true,
collation: "ascii_general_ci");
migrationBuilder.CreateIndex(
name: "IX_AuthRequest_OrganizationId",
table: "AuthRequest",
column: "OrganizationId");
migrationBuilder.AddForeignKey(
name: "FK_AuthRequest_Organization_OrganizationId",
table: "AuthRequest",
column: "OrganizationId",
principalTable: "Organization",
principalColumn: "Id");
}
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropForeignKey(
name: "FK_AuthRequest_Organization_OrganizationId",
table: "AuthRequest");
migrationBuilder.DropIndex(
name: "IX_AuthRequest_OrganizationId",
table: "AuthRequest");
migrationBuilder.DropColumn(
name: "OrganizationId",
table: "AuthRequest");
}
}

11
util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -43,6 +43,9 @@ namespace Bit.MySqlMigrations.Migrations
b.Property<string>("MasterPasswordHash")
.HasColumnType("longtext");
b.Property<Guid?>("OrganizationId")
.HasColumnType("char(36)");
b.Property<string>("PublicKey")
.HasColumnType("longtext");
@ -71,6 +74,8 @@ namespace Bit.MySqlMigrations.Migrations
b.HasKey("Id");
b.HasIndex("OrganizationId");
b.HasIndex("ResponseDeviceId");
b.HasIndex("UserId");
@ -1658,6 +1663,10 @@ namespace Bit.MySqlMigrations.Migrations
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
.WithMany()
.HasForeignKey("OrganizationId");
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
.WithMany()
.HasForeignKey("ResponseDeviceId");
@ -1668,6 +1677,8 @@ namespace Bit.MySqlMigrations.Migrations
.OnDelete(DeleteBehavior.Cascade)
.IsRequired();
b.Navigation("Organization");
b.Navigation("ResponseDevice");
b.Navigation("User");

2212
util/PostgresMigrations/Migrations/20230605182609_TdeAdminApproval.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

44
util/PostgresMigrations/Migrations/20230605182609_TdeAdminApproval.cs Normal file
View File

@ -0,0 +1,44 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.PostgresMigrations.Migrations;
public partial class TdeAdminApproval : Migration
{
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.AddColumn<Guid>(
name: "OrganizationId",
table: "AuthRequest",
type: "uuid",
nullable: true);
migrationBuilder.CreateIndex(
name: "IX_AuthRequest_OrganizationId",
table: "AuthRequest",
column: "OrganizationId");
migrationBuilder.AddForeignKey(
name: "FK_AuthRequest_Organization_OrganizationId",
table: "AuthRequest",
column: "OrganizationId",
principalTable: "Organization",
principalColumn: "Id");
}
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropForeignKey(
name: "FK_AuthRequest_Organization_OrganizationId",
table: "AuthRequest");
migrationBuilder.DropIndex(
name: "IX_AuthRequest_OrganizationId",
table: "AuthRequest");
migrationBuilder.DropColumn(
name: "OrganizationId",
table: "AuthRequest");
}
}

11
util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -47,6 +47,9 @@ namespace Bit.PostgresMigrations.Migrations
b.Property<string>("MasterPasswordHash")
.HasColumnType("text");
b.Property<Guid?>("OrganizationId")
.HasColumnType("uuid");
b.Property<string>("PublicKey")
.HasColumnType("text");
@ -75,6 +78,8 @@ namespace Bit.PostgresMigrations.Migrations
b.HasKey("Id");
b.HasIndex("OrganizationId");
b.HasIndex("ResponseDeviceId");
b.HasIndex("UserId");
@ -1669,6 +1674,10 @@ namespace Bit.PostgresMigrations.Migrations
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
.WithMany()
.HasForeignKey("OrganizationId");
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
.WithMany()
.HasForeignKey("ResponseDeviceId");
@ -1679,6 +1688,8 @@ namespace Bit.PostgresMigrations.Migrations
.OnDelete(DeleteBehavior.Cascade)
.IsRequired();
b.Navigation("Organization");
b.Navigation("ResponseDevice");
b.Navigation("User");

2199
util/SqliteMigrations/Migrations/20230605182605_TdeAdminApproval.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

44
util/SqliteMigrations/Migrations/20230605182605_TdeAdminApproval.cs Normal file
View File

@ -0,0 +1,44 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.SqliteMigrations.Migrations;
public partial class TdeAdminApproval : Migration
{
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.AddColumn<Guid>(
name: "OrganizationId",
table: "AuthRequest",
type: "TEXT",
nullable: true);
migrationBuilder.CreateIndex(
name: "IX_AuthRequest_OrganizationId",
table: "AuthRequest",
column: "OrganizationId");
migrationBuilder.AddForeignKey(
name: "FK_AuthRequest_Organization_OrganizationId",
table: "AuthRequest",
column: "OrganizationId",
principalTable: "Organization",
principalColumn: "Id");
}
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropForeignKey(
name: "FK_AuthRequest_Organization_OrganizationId",
table: "AuthRequest");
migrationBuilder.DropIndex(
name: "IX_AuthRequest_OrganizationId",
table: "AuthRequest");
migrationBuilder.DropColumn(
name: "OrganizationId",
table: "AuthRequest");
}
}

11
util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -41,6 +41,9 @@ namespace Bit.SqliteMigrations.Migrations
b.Property<string>("MasterPasswordHash")
.HasColumnType("TEXT");
b.Property<Guid?>("OrganizationId")
.HasColumnType("TEXT");
b.Property<string>("PublicKey")
.HasColumnType("TEXT");
@ -69,6 +72,8 @@ namespace Bit.SqliteMigrations.Migrations
b.HasKey("Id");
b.HasIndex("OrganizationId");
b.HasIndex("ResponseDeviceId");
b.HasIndex("UserId");
@ -1656,6 +1661,10 @@ namespace Bit.SqliteMigrations.Migrations
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
.WithMany()
.HasForeignKey("OrganizationId");
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
.WithMany()
.HasForeignKey("ResponseDeviceId");
@ -1666,6 +1675,8 @@ namespace Bit.SqliteMigrations.Migrations
.OnDelete(DeleteBehavior.Cascade)
.IsRequired();
b.Navigation("Organization");
b.Navigation("ResponseDevice");
b.Navigation("User");