[PM-6794] block legacy users from authN (#4088)

* block legacy users from authN * undo change to GetDeviceFromRequest * lint * add feature flag * format * add web vault url to error message * fix test * format
2024-11-21 12:05:42 +01:00 · 2024-06-03 09:19:56 -04:00 · 2024-06-03 09:19:56 -04:00 · b072fc56b1
commit b072fc56b1
parent 21a02054af
6 changed files with 107 additions and 0 deletions
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -129,6 +129,7 @@ public static class FeatureFlagKeys
    public const string VaultBulkManagementAction = "vault-bulk-management-action";
    public const string BulkDeviceApproval = "bulk-device-approval";
    public const string MemberAccessReport = "ac-2059-member-access-report";
+    public const string BlockLegacyUsers = "block-legacy-users";

    public static List<string> GetAllKeys()
    {
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -76,4 +76,10 @@ public interface IUserService
    Task SendOTPAsync(User user);
    Task<bool> VerifyOTPAsync(User user, string token);
    Task<bool> VerifySecretAsync(User user, string secret);
+
+    /// <summary>
+    /// Returns true if the user is a legacy user. Legacy users use their master key as their encryption key.
+    /// We force these users to the web to migrate their encryption scheme.
+    /// </summary>
+    Task<bool> IsLegacyUser(string userId);
 }
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -1304,6 +1304,28 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        return IdentityResult.Success;
    }

+    public async Task<bool> IsLegacyUser(string userId)
+    {
+        if (string.IsNullOrWhiteSpace(userId))
+        {
+            return false;
+        }
+
+        var user = await FindByIdAsync(userId);
+        if (user == null)
+        {
+            return false;
+        }
+
+        return IsLegacyUser(user);
+    }
+
+    /// <inheritdoc cref="IsLegacyUser(string)"/>
+    public static bool IsLegacyUser(User user)
+    {
+        return user.Key == null && user.MasterPassword != null && user.PrivateKey != null;
+    }
+
    private async Task<IdentityResult> ValidatePasswordInternal(User user, string password)
    {
        var errors = new List<IdentityError>();
--- a/src/Identity/IdentityServer/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/BaseRequestValidator.cs
@ -162,6 +162,17 @@ public abstract class BaseRequestValidator<T> where T : class
            twoFactorToken = null;
        }

+
+        // Force legacy users to the web for migration
+        if (FeatureService.IsEnabled(FeatureFlagKeys.BlockLegacyUsers))
+        {
+            if (UserService.IsLegacyUser(user) && request.ClientId != "web")
+            {
+                await FailAuthForLegacyUserAsync(user, context);
+                return;
+            }
+        }
+
        // Returns true if can finish validation process
        if (await IsValidAuthTypeAsync(user, request.GrantType))
        {
@ -184,6 +195,13 @@ public abstract class BaseRequestValidator<T> where T : class
        }
    }

+    protected async Task FailAuthForLegacyUserAsync(User user, T context)
+    {
+        await BuildErrorResultAsync(
+            $"Encryption key migration is required. Please log in to the web vault at {_globalSettings.BaseServiceUri.VaultWithHash}",
+            false, context, user);
+    }
+
    protected abstract Task<bool> ValidateContextAsync(T context, CustomValidatorRequestContext validatorContext);

    protected async Task BuildSuccessResultAsync(User user, T context, Device device, bool sendRememberToken)
--- a/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
@ -13,6 +13,7 @@ using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Duende.IdentityServer.Extensions;
 using Duende.IdentityServer.Validation;
+using HandlebarsDotNet;
 using IdentityModel;
 using Microsoft.AspNetCore.Identity;

@ -57,6 +58,17 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque

    public async Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
+        if (context.Result.ValidatedRequest.GrantType == "refresh_token")
+        {
+            // Force legacy users to the web for migration
+            if (await _userService.IsLegacyUser(GetSubject(context)?.GetSubjectId()) &&
+                context.Result.ValidatedRequest.ClientId != "web")
+            {
+                await FailAuthForLegacyUserAsync(null, context);
+                return;
+            }
+        }
+
        string[] allowedGrantTypes = { "authorization_code", "client_credentials" };
        if (!allowedGrantTypes.Contains(context.Result.ValidatedRequest.GrantType)
            || context.Result.ValidatedRequest.ClientId.StartsWith("organization")
@ -70,6 +82,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
                context.Result.CustomResponse = new Dictionary<string, object> { { "encrypted_payload", payload } };
            }

+
            return;
        }

--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
@ -331,6 +331,53 @@ public class IdentityServerTests : IClassFixture<IdentityApplicationFactory>
        await AssertDefaultTokenBodyAsync(context, "api");
    }

+    [Theory, BitAutoData]
+    public async Task TokenEndpoint_GrantTypeClientCredentials_AsLegacyUser_NotOnWebClient_Fails(string deviceId)
+    {
+        var server = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.UseSetting("globalSettings:launchDarkly:flagValues:block-legacy-users", "true");
+        }).Server;
+
+        var username = "test+tokenclientcredentials@email.com";
+
+
+        await server.PostAsync("/accounts/register", JsonContent.Create(new RegisterRequestModel
+        {
+            Email = username,
+            MasterPasswordHash = "master_password_hash"
+        }));
+
+
+        var database = _factory.GetDatabaseContext();
+        var user = await database.Users
+            .FirstAsync(u => u.Email == username);
+
+        user.PrivateKey = "EncryptedPrivateKey";
+        await database.SaveChangesAsync();
+
+        var context = await server.PostAsync("/connect/token", new FormUrlEncodedContent(
+            new Dictionary<string, string>
+            {
+                { "scope", "api offline_access" },
+                { "client_id", "browser" },
+                { "deviceType", DeviceTypeAsString(DeviceType.ChromeBrowser) },
+                { "deviceIdentifier", deviceId },
+                { "deviceName", "chrome" },
+                { "grant_type", "password" },
+                { "username", username },
+                { "password", "master_password_hash" },
+            }), context => context.SetAuthEmail(username));
+
+        Assert.Equal(StatusCodes.Status400BadRequest, context.Response.StatusCode);
+
+        var errorBody = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
+        var error = AssertHelper.AssertJsonProperty(errorBody.RootElement, "ErrorModel", JsonValueKind.Object);
+        var message = AssertHelper.AssertJsonProperty(error, "Message", JsonValueKind.String).GetString();
+        Assert.StartsWith("Encryption key migration is required.", message);
+    }
+
+
    [Theory, BitAutoData]
    public async Task TokenEndpoint_GrantTypeClientCredentials_AsOrganization_Success(Organization organization, Bit.Core.Entities.OrganizationApiKey organizationApiKey)
    {