[Reset Password] Get/Post Org Keys and API updates (#1323)

* [Reset Password] Organization Keys APIs * Updated details response to include private key and added more security checks for reset password methods * Added org type and policy security checks to the enrollment api * Updated based on PR feedback * Added org user type permission checks * Added TODO for email to user * Removed unecessary policyRepository object
2024-11-22 12:15:36 +01:00 · 2021-05-19 09:40:32 -05:00 · 2021-05-19 09:40:32 -05:00 · c7f88ae430
commit c7f88ae430
parent 982e26cbfd
9 changed files with 181 additions and 21 deletions
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@ -107,14 +107,21 @@ namespace Bit.Api.Controllers
            }
            // Retrieve data necessary for response (KDF, KDF Iterations, ResetPasswordKey)
-            // TODO Revisit this and create SPROC to reduce DB calls
+            // TODO Reset Password - Revisit this and create SPROC to reduce DB calls
            var user = await _userService.GetUserByIdAsync(organizationUser.UserId.Value);
            if (user == null)
            {
                throw new NotFoundException();
            }
-            return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user));
+            // Retrieve Encrypted Private Key from organization
            var org = await _organizationRepository.GetByIdAsync(orgGuidId);
            if (org == null)
            {
                throw new NotFoundException();
            }
            return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user, org));
        }
        [HttpPost("invite")]
@ -233,29 +240,23 @@ namespace Bit.Api.Controllers
        [HttpPut("{id}/reset-password")]
        public async Task PutResetPassword(string orgId, string id, [FromBody]OrganizationUserResetPasswordRequestModel model)
        {
            var orgGuidId = new Guid(orgId);
            // Calling user must have Manage Reset Password permission
            if (!_currentContext.ManageResetPassword(orgGuidId))
            {
                throw new NotFoundException();
            }
-            var orgUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
+            // Get the calling user's Type for this organization and pass it along
-            if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed ||
+            var orgType = _currentContext.Organizations?.FirstOrDefault(o => o.Id == orgGuidId)?.Type;
-                orgUser.OrganizationId != orgGuidId || string.IsNullOrEmpty(orgUser.ResetPasswordKey) ||
+            if (orgType == null)
                !orgUser.UserId.HasValue)
            {
                throw new BadRequestException("Organization User not valid");
            }
            var user = await _userService.GetUserByIdAsync(orgUser.UserId.Value);
            if (user == null)
            {
                throw new NotFoundException();
            }
-
+            var result = await _userService.AdminResetPasswordAsync(orgType.Value, orgGuidId, new Guid(id), model.NewMasterPasswordHash, model.Key);
            var result = await _userService.AdminResetPasswordAsync(user, model.NewMasterPasswordHash, model.Key);
            if (result.Succeeded)
            {
                return;
@ -268,7 +269,7 @@ namespace Bit.Api.Controllers
            await Task.Delay(2000);
            throw new BadRequestException(ModelState);
-            }
+        }
        [HttpDelete("{id}")]
        [HttpPost("{id}/delete")]
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@ -11,6 +11,7 @@ using Bit.Core.Services;
 using Bit.Core.Context;
 using Bit.Api.Utilities;
 using Bit.Core.Models.Business;
 using Bit.Core.Models.Data;
 using Bit.Core.Utilities;
 using Bit.Core.Settings;
@ -555,5 +556,30 @@ namespace Bit.Api.Controllers
            };
            await _paymentService.SaveTaxInfoAsync(organization, taxInfo);
        }
        [HttpGet("{id}/keys")]
        public async Task<OrganizationKeysResponseModel> GetKeys(string id)
        {
            var org = await _organizationRepository.GetByIdAsync(new Guid(id));
            if (org == null)
            {
                throw new NotFoundException();
            }
            return new OrganizationKeysResponseModel(org);
        }
        [HttpPost("{id}/keys")]
        public async Task<OrganizationKeysResponseModel> PostKeys(string id, [FromBody]OrganizationKeysRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if (user == null)
            {
                throw new UnauthorizedAccessException();
            }
            var org = await _organizationService.UpdateOrganizationKeysAsync(user.Id, new Guid(id), model.PublicKey, model.EncryptedPrivateKey);
            return new OrganizationKeysResponseModel(org);
        }
    }
 }
--- a/src/Core/Models/Api/Response/OrganizationKeysResponseModel.cs
+++ b/src/Core/Models/Api/Response/OrganizationKeysResponseModel.cs
@ -0,0 +1,22 @@
 using System;
 using Bit.Core.Models.Table;
 namespace Bit.Core.Models.Api
 {
    public class OrganizationKeysResponseModel : ResponseModel
    {
        public OrganizationKeysResponseModel(Organization org) : base("organizationKeys")
        {
            if (org == null)
            {
                throw new ArgumentNullException(nameof(org));
            }
            PublicKey = org.PublicKey;
            PrivateKey = org.PrivateKey;
        }
        public string PublicKey { get; set; }
        public string PrivateKey { get; set; }
    }
 }
--- a/src/Core/Models/Api/Response/OrganizationUserResponseModel.cs
+++ b/src/Core/Models/Api/Response/OrganizationUserResponseModel.cs
@ -100,10 +100,12 @@ namespace Bit.Core.Models.Api
            Kdf = orgUser.Kdf;
            KdfIterations = orgUser.KdfIterations;
            ResetPasswordKey = orgUser.ResetPasswordKey;
            EncryptedPrivateKey = orgUser.EncryptedPrivateKey;
        }
        public KdfType Kdf { get; set; }
        public int KdfIterations { get; set; }
        public string ResetPasswordKey { get; set; }
        public string EncryptedPrivateKey { get; set; }
    }
 }
--- a/src/Core/Models/Data/OrganizationUserResetPasswordDetails.cs
+++ b/src/Core/Models/Data/OrganizationUserResetPasswordDetails.cs
@ -6,7 +6,7 @@ namespace Bit.Core.Models.Data
 {
    public class OrganizationUserResetPasswordDetails
    {
-        public OrganizationUserResetPasswordDetails(OrganizationUser orgUser, User user)
+        public OrganizationUserResetPasswordDetails(OrganizationUser orgUser, User user, Organization org)
        {
            if (orgUser == null)
            {
@ -18,12 +18,19 @@ namespace Bit.Core.Models.Data
                throw new ArgumentNullException(nameof(user));
            }
            if (org == null)
            {
                throw new ArgumentNullException(nameof(org));
            }
            Kdf = user.Kdf;
            KdfIterations = user.KdfIterations;
            ResetPasswordKey = orgUser.ResetPasswordKey;
            EncryptedPrivateKey = org.PrivateKey;
        }
        public KdfType Kdf { get; set; }
        public int KdfIterations { get; set; }
        public string ResetPasswordKey { get; set; }
        public string EncryptedPrivateKey { get; set; }
    }
 }
--- a/src/Core/Services/IOrganizationService.cs
+++ b/src/Core/Services/IOrganizationService.cs
@ -4,6 +4,7 @@ using Bit.Core.Models.Table;
 using System;
 using System.Collections.Generic;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Data;
 namespace Bit.Core.Services
@ -54,5 +55,6 @@ namespace Bit.Core.Services
            bool overwriteExisting);
        Task RotateApiKeyAsync(Organization organization);
        Task DeleteSsoUserAsync(Guid userId, Guid? organizationId);
        Task<Organization> UpdateOrganizationKeysAsync(Guid userId, Guid orgId, string publicKey, string privateKey);
    }
 }
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -34,7 +34,7 @@ namespace Bit.Core.Services
            string token, string key);
        Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key);
        Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key, string orgIdentifier = null);
-        Task<IdentityResult> AdminResetPasswordAsync(User user, string newMasterPassword, string key);
+        Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType type, Guid orgId, Guid id, string newMasterPassword, string key);
        Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
            KdfType kdf, int kdfIterations);
        Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@ -15,6 +15,7 @@ using Bit.Core.Settings;
 using System.IO;
 using Newtonsoft.Json;
 using System.Text.Json;
 using Bit.Core.Models.Api;
 namespace Bit.Core.Services
 {
@ -1588,15 +1589,28 @@ namespace Bit.Core.Services
        public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid organizationUserId, string resetPasswordKey, Guid? callingUserId)
        {
            // Org User must be the same as the calling user and the organization ID associated with the user must match passed org ID
            var orgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, organizationUserId);
            if (!callingUserId.HasValue || orgUser == null || orgUser.UserId != callingUserId.Value || 
                orgUser.Status != OrganizationUserStatusType.Confirmed ||
                orgUser.OrganizationId != organizationId)
            {
                throw new BadRequestException("User not valid.");
            }
-            // TODO Reset Password - Block certain org types from using this feature?
+            // Make sure the organization has the ability to use password reset
            var org = await _organizationRepository.GetByIdAsync(organizationId);
            if (org == null || !org.UseResetPassword)
            {
                throw new BadRequestException("Organization does not allow password reset enrollment.");
            }
            // Make sure the organization has the policy enabled
            var resetPasswordPolicy =
                await _policyRepository.GetByOrganizationIdTypeAsync(organizationId, PolicyType.ResetPassword);
            if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled)
            {
                throw new BadRequestException("Organization does not have the password reset policy enabled.");
            }
            orgUser.ResetPasswordKey = resetPasswordKey;
            await _organizationUserRepository.ReplaceAsync(orgUser);
@ -1849,6 +1863,40 @@ namespace Bit.Core.Services
            }
        }
        public async Task<Organization> UpdateOrganizationKeysAsync(Guid userId, Guid orgId, string publicKey, string privateKey)
        {
            // Only Owners/Admins/Custom (w/ ManageResetPassword) can create org keys
            var orgUser = await _organizationUserRepository.GetDetailsByUserAsync(userId, orgId);
            if (orgUser == null || orgUser.Type != OrganizationUserType.Admin && 
                orgUser.Type != OrganizationUserType.Owner && orgUser.Type != OrganizationUserType.Custom)
            {
                throw new UnauthorizedAccessException();
            }
            if (orgUser.Type == OrganizationUserType.Custom)
            {
                var permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
                if (permissions == null || !permissions.ManageResetPassword)
                {
                    throw new UnauthorizedAccessException();
                }
            }
            // If the keys already exist, error out
            var org = await _organizationRepository.GetByIdAsync(orgId);
            if (org.PublicKey != null && org.PrivateKey != null)
            {
                throw new BadRequestException("Organization Keys already exist");
            }
            // Update org with generated public/private key
            org.PublicKey = publicKey;
            org.PrivateKey = privateKey;
            await UpdateAsync(org);
            return org;
        }
        private async Task UpdateUsersAsync(Group group, HashSet<string> groupUsers,
            Dictionary<string, Guid> existingUsersIdDict, HashSet<Guid> existingUsers = null)
        {
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -626,8 +626,59 @@ namespace Bit.Core.Services
            return IdentityResult.Success;
        }
-        public async Task<IdentityResult> AdminResetPasswordAsync(User user, string newMasterPassword, string key)
+        public async Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType callingUserType, Guid orgId, Guid id, string newMasterPassword, string key)
        {
            // Org must be able to use reset password
            var org = await _organizationRepository.GetByIdAsync(orgId);
            if (org == null || !org.UseResetPassword)
            {
                throw new BadRequestException("Organization does not allow password reset.");
            }
            // Enterprise policy must be enabled 
            var resetPasswordPolicy =
                await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
            if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled)
            {
                throw new BadRequestException("Organization does not have the password reset policy enabled.");
            }
            // Org User must be confirmed and have a ResetPasswordKey
            var orgUser = await _organizationUserRepository.GetByIdAsync(id);
            if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed ||
                orgUser.OrganizationId != orgId || string.IsNullOrEmpty(orgUser.ResetPasswordKey) ||
                !orgUser.UserId.HasValue)
            {
                throw new BadRequestException("Organization User not valid");
            }
            // Calling User must be of higher/equal user type to reset user's password
            var canAdjustPassword = false;
            switch (callingUserType)
            {
                case OrganizationUserType.Owner:
                    canAdjustPassword = true;
                    break;
                case OrganizationUserType.Admin:
                    canAdjustPassword = orgUser.Type != OrganizationUserType.Owner;
                    break;
                case OrganizationUserType.Custom:
                    canAdjustPassword = orgUser.Type != OrganizationUserType.Owner &&
                        orgUser.Type != OrganizationUserType.Admin;
                    break;
            }
            if (!canAdjustPassword)
            {
                throw new BadRequestException("Calling user does not have permission to reset this user's master password");
            }
            var user = await GetUserByIdAsync(orgUser.UserId.Value);
            if (user == null)
            {
                throw new NotFoundException();
            }
            var result = await UpdatePasswordHash(user, newMasterPassword);
            if (!result.Succeeded)
            {
@ -638,6 +689,7 @@ namespace Bit.Core.Services
            user.Key = key;
            await _userRepository.ReplaceAsync(user);
            // TODO Reset Password - Send email alerting user of changed password
            await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
            await _pushService.PushLogOutAsync(user.Id);