1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-22 12:15:36 +01:00

[Reset Password] Get/Post Org Keys and API updates (#1323)

* [Reset Password] Organization Keys APIs

* Updated details response to include private key and added more security checks for reset password methods

* Added org type and policy security checks to the enrollment api

* Updated based on PR feedback

* Added org user type permission checks

* Added TODO for email to user

* Removed unecessary policyRepository object
This commit is contained in:
Vincent Salucci 2021-05-19 09:40:32 -05:00 committed by GitHub
parent 982e26cbfd
commit c7f88ae430
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 181 additions and 21 deletions

View File

@ -107,14 +107,21 @@ namespace Bit.Api.Controllers
}
// Retrieve data necessary for response (KDF, KDF Iterations, ResetPasswordKey)
// TODO Revisit this and create SPROC to reduce DB calls
// TODO Reset Password - Revisit this and create SPROC to reduce DB calls
var user = await _userService.GetUserByIdAsync(organizationUser.UserId.Value);
if (user == null)
{
throw new NotFoundException();
}
return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user));
// Retrieve Encrypted Private Key from organization
var org = await _organizationRepository.GetByIdAsync(orgGuidId);
if (org == null)
{
throw new NotFoundException();
}
return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user, org));
}
[HttpPost("invite")]
@ -233,29 +240,23 @@ namespace Bit.Api.Controllers
[HttpPut("{id}/reset-password")]
public async Task PutResetPassword(string orgId, string id, [FromBody]OrganizationUserResetPasswordRequestModel model)
{
var orgGuidId = new Guid(orgId);
// Calling user must have Manage Reset Password permission
if (!_currentContext.ManageResetPassword(orgGuidId))
{
throw new NotFoundException();
}
var orgUser = await _organizationUserRepository.GetByIdAsync(new Guid(id));
if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed ||
orgUser.OrganizationId != orgGuidId || string.IsNullOrEmpty(orgUser.ResetPasswordKey) ||
!orgUser.UserId.HasValue)
{
throw new BadRequestException("Organization User not valid");
}
var user = await _userService.GetUserByIdAsync(orgUser.UserId.Value);
if (user == null)
// Get the calling user's Type for this organization and pass it along
var orgType = _currentContext.Organizations?.FirstOrDefault(o => o.Id == orgGuidId)?.Type;
if (orgType == null)
{
throw new NotFoundException();
}
var result = await _userService.AdminResetPasswordAsync(user, model.NewMasterPasswordHash, model.Key);
var result = await _userService.AdminResetPasswordAsync(orgType.Value, orgGuidId, new Guid(id), model.NewMasterPasswordHash, model.Key);
if (result.Succeeded)
{
return;
@ -268,7 +269,7 @@ namespace Bit.Api.Controllers
await Task.Delay(2000);
throw new BadRequestException(ModelState);
}
}
[HttpDelete("{id}")]
[HttpPost("{id}/delete")]

View File

@ -11,6 +11,7 @@ using Bit.Core.Services;
using Bit.Core.Context;
using Bit.Api.Utilities;
using Bit.Core.Models.Business;
using Bit.Core.Models.Data;
using Bit.Core.Utilities;
using Bit.Core.Settings;
@ -555,5 +556,30 @@ namespace Bit.Api.Controllers
};
await _paymentService.SaveTaxInfoAsync(organization, taxInfo);
}
[HttpGet("{id}/keys")]
public async Task<OrganizationKeysResponseModel> GetKeys(string id)
{
var org = await _organizationRepository.GetByIdAsync(new Guid(id));
if (org == null)
{
throw new NotFoundException();
}
return new OrganizationKeysResponseModel(org);
}
[HttpPost("{id}/keys")]
public async Task<OrganizationKeysResponseModel> PostKeys(string id, [FromBody]OrganizationKeysRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
{
throw new UnauthorizedAccessException();
}
var org = await _organizationService.UpdateOrganizationKeysAsync(user.Id, new Guid(id), model.PublicKey, model.EncryptedPrivateKey);
return new OrganizationKeysResponseModel(org);
}
}
}

View File

@ -0,0 +1,22 @@
using System;
using Bit.Core.Models.Table;
namespace Bit.Core.Models.Api
{
public class OrganizationKeysResponseModel : ResponseModel
{
public OrganizationKeysResponseModel(Organization org) : base("organizationKeys")
{
if (org == null)
{
throw new ArgumentNullException(nameof(org));
}
PublicKey = org.PublicKey;
PrivateKey = org.PrivateKey;
}
public string PublicKey { get; set; }
public string PrivateKey { get; set; }
}
}

View File

@ -100,10 +100,12 @@ namespace Bit.Core.Models.Api
Kdf = orgUser.Kdf;
KdfIterations = orgUser.KdfIterations;
ResetPasswordKey = orgUser.ResetPasswordKey;
EncryptedPrivateKey = orgUser.EncryptedPrivateKey;
}
public KdfType Kdf { get; set; }
public int KdfIterations { get; set; }
public string ResetPasswordKey { get; set; }
public string EncryptedPrivateKey { get; set; }
}
}

View File

@ -6,7 +6,7 @@ namespace Bit.Core.Models.Data
{
public class OrganizationUserResetPasswordDetails
{
public OrganizationUserResetPasswordDetails(OrganizationUser orgUser, User user)
public OrganizationUserResetPasswordDetails(OrganizationUser orgUser, User user, Organization org)
{
if (orgUser == null)
{
@ -18,12 +18,19 @@ namespace Bit.Core.Models.Data
throw new ArgumentNullException(nameof(user));
}
if (org == null)
{
throw new ArgumentNullException(nameof(org));
}
Kdf = user.Kdf;
KdfIterations = user.KdfIterations;
ResetPasswordKey = orgUser.ResetPasswordKey;
EncryptedPrivateKey = org.PrivateKey;
}
public KdfType Kdf { get; set; }
public int KdfIterations { get; set; }
public string ResetPasswordKey { get; set; }
public string EncryptedPrivateKey { get; set; }
}
}

View File

@ -4,6 +4,7 @@ using Bit.Core.Models.Table;
using System;
using System.Collections.Generic;
using Bit.Core.Enums;
using Bit.Core.Models.Api;
using Bit.Core.Models.Data;
namespace Bit.Core.Services
@ -54,5 +55,6 @@ namespace Bit.Core.Services
bool overwriteExisting);
Task RotateApiKeyAsync(Organization organization);
Task DeleteSsoUserAsync(Guid userId, Guid? organizationId);
Task<Organization> UpdateOrganizationKeysAsync(Guid userId, Guid orgId, string publicKey, string privateKey);
}
}

View File

@ -34,7 +34,7 @@ namespace Bit.Core.Services
string token, string key);
Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key);
Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key, string orgIdentifier = null);
Task<IdentityResult> AdminResetPasswordAsync(User user, string newMasterPassword, string key);
Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType type, Guid orgId, Guid id, string newMasterPassword, string key);
Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
KdfType kdf, int kdfIterations);
Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,

View File

@ -15,6 +15,7 @@ using Bit.Core.Settings;
using System.IO;
using Newtonsoft.Json;
using System.Text.Json;
using Bit.Core.Models.Api;
namespace Bit.Core.Services
{
@ -1588,15 +1589,28 @@ namespace Bit.Core.Services
public async Task UpdateUserResetPasswordEnrollmentAsync(Guid organizationId, Guid organizationUserId, string resetPasswordKey, Guid? callingUserId)
{
// Org User must be the same as the calling user and the organization ID associated with the user must match passed org ID
var orgUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, organizationUserId);
if (!callingUserId.HasValue || orgUser == null || orgUser.UserId != callingUserId.Value ||
orgUser.Status != OrganizationUserStatusType.Confirmed ||
orgUser.OrganizationId != organizationId)
{
throw new BadRequestException("User not valid.");
}
// TODO Reset Password - Block certain org types from using this feature?
// Make sure the organization has the ability to use password reset
var org = await _organizationRepository.GetByIdAsync(organizationId);
if (org == null || !org.UseResetPassword)
{
throw new BadRequestException("Organization does not allow password reset enrollment.");
}
// Make sure the organization has the policy enabled
var resetPasswordPolicy =
await _policyRepository.GetByOrganizationIdTypeAsync(organizationId, PolicyType.ResetPassword);
if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled)
{
throw new BadRequestException("Organization does not have the password reset policy enabled.");
}
orgUser.ResetPasswordKey = resetPasswordKey;
await _organizationUserRepository.ReplaceAsync(orgUser);
@ -1849,6 +1863,40 @@ namespace Bit.Core.Services
}
}
public async Task<Organization> UpdateOrganizationKeysAsync(Guid userId, Guid orgId, string publicKey, string privateKey)
{
// Only Owners/Admins/Custom (w/ ManageResetPassword) can create org keys
var orgUser = await _organizationUserRepository.GetDetailsByUserAsync(userId, orgId);
if (orgUser == null || orgUser.Type != OrganizationUserType.Admin &&
orgUser.Type != OrganizationUserType.Owner && orgUser.Type != OrganizationUserType.Custom)
{
throw new UnauthorizedAccessException();
}
if (orgUser.Type == OrganizationUserType.Custom)
{
var permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
if (permissions == null || !permissions.ManageResetPassword)
{
throw new UnauthorizedAccessException();
}
}
// If the keys already exist, error out
var org = await _organizationRepository.GetByIdAsync(orgId);
if (org.PublicKey != null && org.PrivateKey != null)
{
throw new BadRequestException("Organization Keys already exist");
}
// Update org with generated public/private key
org.PublicKey = publicKey;
org.PrivateKey = privateKey;
await UpdateAsync(org);
return org;
}
private async Task UpdateUsersAsync(Group group, HashSet<string> groupUsers,
Dictionary<string, Guid> existingUsersIdDict, HashSet<Guid> existingUsers = null)
{

View File

@ -626,8 +626,59 @@ namespace Bit.Core.Services
return IdentityResult.Success;
}
public async Task<IdentityResult> AdminResetPasswordAsync(User user, string newMasterPassword, string key)
public async Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType callingUserType, Guid orgId, Guid id, string newMasterPassword, string key)
{
// Org must be able to use reset password
var org = await _organizationRepository.GetByIdAsync(orgId);
if (org == null || !org.UseResetPassword)
{
throw new BadRequestException("Organization does not allow password reset.");
}
// Enterprise policy must be enabled
var resetPasswordPolicy =
await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled)
{
throw new BadRequestException("Organization does not have the password reset policy enabled.");
}
// Org User must be confirmed and have a ResetPasswordKey
var orgUser = await _organizationUserRepository.GetByIdAsync(id);
if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed ||
orgUser.OrganizationId != orgId || string.IsNullOrEmpty(orgUser.ResetPasswordKey) ||
!orgUser.UserId.HasValue)
{
throw new BadRequestException("Organization User not valid");
}
// Calling User must be of higher/equal user type to reset user's password
var canAdjustPassword = false;
switch (callingUserType)
{
case OrganizationUserType.Owner:
canAdjustPassword = true;
break;
case OrganizationUserType.Admin:
canAdjustPassword = orgUser.Type != OrganizationUserType.Owner;
break;
case OrganizationUserType.Custom:
canAdjustPassword = orgUser.Type != OrganizationUserType.Owner &&
orgUser.Type != OrganizationUserType.Admin;
break;
}
if (!canAdjustPassword)
{
throw new BadRequestException("Calling user does not have permission to reset this user's master password");
}
var user = await GetUserByIdAsync(orgUser.UserId.Value);
if (user == null)
{
throw new NotFoundException();
}
var result = await UpdatePasswordHash(user, newMasterPassword);
if (!result.Succeeded)
{
@ -638,6 +689,7 @@ namespace Bit.Core.Services
user.Key = key;
await _userRepository.ReplaceAsync(user);
// TODO Reset Password - Send email alerting user of changed password
await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
await _pushService.PushLogOutAsync(user.Id);