1
0
mirror of https://github.com/bitwarden/server.git synced 2024-12-04 14:13:28 +01:00
Commit Graph

42 Commits

Author SHA1 Message Date
Rui Tomé
d6cd73cfcc
[PM-11404] Account Management: Prevent a verified user from purging their vault (#4853)
* Add check for managed user before purging account

* Rename IOrganizationRepository.GetByClaimedUserDomainAsync to GetByVerifiedUserEmailDomainAsync and refactor to return a list. Remove ManagedByOrganizationId from ProfileResponseMode. Add ManagesActiveUser to ProfileOrganizationResponseModel

* Rename the property ManagesActiveUser to UserIsManagedByOrganization

* Remove whole class #nullable enable and add it to specific places

* Remove unnecessary .ToList()

* Refactor IUserService methods GetOrganizationsManagingUserAsync and IsManagedByAnyOrganizationAsync to not return nullable objects. Update ProfileOrganizationResponseModel.UserIsManagedByOrganization to not be nullable

* Update error message when unable to purge vault for managed account
2024-10-17 16:06:32 +01:00
Rui Tomé
93e49ffe74
[AC-607] Extract IOrganizationService.DeleteUserAsync into IRemoveOrganizationUserCommand (#4803)
* Add HasConfirmedOwnersExceptQuery class, interface and unit tests

* Register IHasConfirmedOwnersExceptQuery for dependency injection

* Replace OrganizationService.HasConfirmedOwnersExceptAsync with HasConfirmedOwnersExceptQuery

* Refactor DeleteManagedOrganizationUserAccountCommand to use IHasConfirmedOwnersExceptQuery

* Fix unit tests

* Extract IOrganizationService.RemoveUserAsync into IRemoveOrganizationUserCommand; Update unit tests

* Extract IOrganizationService.RemoveUsersAsync into IRemoveOrganizationUserCommand; Update unit tests

* Refactor RemoveUserAsync(Guid organizationId, Guid userId) to use ValidateDeleteUser

* Refactor RemoveOrganizationUserCommandTests to use more descriptive method names

* Refactor controller actions to accept Guid directly instead of parsing strings

* Add unit tests for removing OrganizationUser by UserId

* Refactor remove OrganizationUser by UserId method

* Add summary to IHasConfirmedOwnersExceptQuery
2024-10-16 10:33:00 +01:00
Alex Morask
594b2a274d
[PM-7452] Handle PayPal for premium users (#4835)
* Add PremiumUserSale

* Add PremiumUserBillingService

* Integrate into UserService behind FF

* Update invoice.created handler to bill newly created PayPal customers

* Run dotnet format
2024-10-01 09:12:08 -04:00
Rui Tomé
f2180aa7b7
[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)
* Add HasVerifiedDomainsAsync method to IOrganizationDomainService

* Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries

* Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter

* Update the EF query to use the Email from the User table

* dotnet format

* Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests

* Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync

* Fix domain queries

* Add OrganizationUserRepository integration tests

* Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync

* chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync

* Add IsManagedByAnyOrganizationAsync method to IUserRepository

* Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync

* Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync

* chore: Refactor IsManagedByAnyOrganizationAsync method in UserService

* Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool>

* Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query

* Update comments in OrganizationDomainService to use proper capitalization

* Move OrganizationDomainService to AdminConsole ownership and update namespace

* feat: Add support for organization domains in enterprise plans

* feat: Add HasOrganizationDomains property to OrganizationAbility class

* refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService

* Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains

* Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag

* Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks

* Bump date on migration script

* Add indexes to OrganizationDomain table

* Bump script migration date; Remove WITH ONLINE = ON from data migration.
2024-09-11 11:29:57 +01:00
Kyle Spearrin
d2567dd42d
[PM-5518] Refactor Email Token Providers (#3784)
* new email token providers

* move email redaction to core helpers

* make token options configurable

* protected setters on options

* fix email token provider tests

* fix core tests

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2024-07-11 14:39:27 -04:00
Andreas Coroiu
d63c917c95
[PM-4619] Rewrite UserService methods as commands (#3432)
* [PM-4619] feat: scaffold new create options command

* [PM-4169] feat: implement credential create options command

* [PM-4619] feat: create command for credential creation

* [PM-4619] feat: create assertion options command

* [PM-4619] chore: clean-up unused argument

* [PM-4619] feat: implement assertion command

* [PM-4619] feat: migrate to commands

* [PM-4619] fix: lint

* [PM-4169] fix: use constant

* [PM-4619] fix: lint

I have no idea what this commit acutally changes, but the file seems to have some character encoding issues. This fix was generated by `dotnet format`
2023-12-14 09:35:52 +01:00
Thomas Rittson
9021236d61
AC Team code ownership moves: Organization pt. 1 (#3472)
* move Organization.cs files to AC Team code ownership
2023-11-28 17:18:08 -06:00
Thomas Rittson
42cec31d07
[AC-1287] AC Team code ownership moves: Policies (1/2) (#3383)
* note: IPolicyData and EntityFramework Policy.cs are moved without any
  changes to namespace or content in order to preserve git history.
2023-11-22 16:07:37 -05:00
Andreas Coroiu
80740aa4ba
[PM-2032] Server endpoints to support authentication with a passkey (#3361)
* [PM-2032] feat: add assertion options tokenable

* [PM-2032] feat: add request and response models

* [PM-2032] feat: implement `assertion-options` identity endpoint

* [PM-2032] feat: implement authentication with passkey

* [PM-2032] chore: rename to `WebAuthnGrantValidator`

* [PM-2032] fix: add missing subsitute

* [PM-2032] feat: start adding builder

* [PM-2032] feat: add support for KeyConnector

* [PM-2032] feat: add first version of TDE

* [PM-2032] chore: refactor WithSso

* [PM-2023] feat: add support for TDE feature flag

* [PM-2023] feat: add support for approving devices

* [PM-2023] feat: add support for hasManageResetPasswordPermission

* [PM-2032] feat: add support for hasAdminApproval

* [PM-2032] chore: don't supply device if not necessary

* [PM-2032] chore: clean up imports

* [PM-2023] feat: extract interface

* [PM-2023] chore: add clarifying comment

* [PM-2023] feat: use new builder in production code

* [PM-2032] feat: add support for PRF

* [PM-2032] chore: clean-up todos

* [PM-2023] chore: remove token which is no longer used

* [PM-2032] chore: remove todo

* [PM-2032] feat: improve assertion error handling

* [PM-2032] fix: linting issues

* [PM-2032] fix: revert changes to `launchSettings.json`

* [PM-2023] chore: clean up assertion endpoint

* [PM-2032] feat: bypass 2FA

* [PM-2032] fix: rename prf option to singular

* [PM-2032] fix: lint

* [PM-2032] fix: typo

* [PM-2032] chore: improve builder tests

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>

* [PM-2032] chore: clarify why we don't require 2FA

* [PM-2023] feat: move `identityProvider` constant to common class

* [PM-2032] fix: lint

* [PM-2023] fix: move `IdentityProvider` to core.Constants

* [PM-2032] fix: missing import

* [PM-2032] chore: refactor token timespan to use `TimeSpan`

* [PM-2032] chore: make `StartWebAuthnLoginAssertion` sync

* [PM-2032] chore: use `FromMinutes`

* [PM-2032] fix: change to 17 minutes to cover webauthn assertion

* [PM-2032] chore: do not use `async void`

* [PM-2032] fix: comment saying wrong amount of minutes

* [PM-2032] feat: put validator behind feature flag

* [PM-2032] fix: lint

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
2023-11-20 15:55:31 +01:00
Andreas Coroiu
e401fc0983
[PM-4167] Add PRF attestation flow during passkey registration (#3339)
* [PM-4167] feat: add support for `SupportsPrf`

* [PM-4167] feat: add `prfStatus` property

* [PM-4167] feat: add support for storing PRF keys

* [PM-4167] fix: allow credentials to be created without encryption support

* [PM-4167] fix: broken test

* [PM-4167] chore: remove whitespace

* [PM-4167] fix: controller test

* [PM-4167] chore: improve readability of `GetPrfStatus`

* [PM-4167] fix: make prf optional

* [PM-4167] fix: commit missing controller change

* [PM-4167] fix: tests
2023-11-07 16:59:51 +01:00
Jared Snider
ee618328c0
Auth/PM-3275 - Changes to support TDE User without MP being able to Set a Password + misc refactoring (#3242)
* PM-3275 - Add new GetMasterPasswordPolicy endpoint which will allow authenticated clients to get an enabled MP org policy if it exists for the purposes of enforcing those policy requirements when setting a password.

* PM-3275 - AccountsController.cs - PostSetPasswordAsync - (1) Convert UserService.setPasswordAsync into new SetInitialMasterPasswordCommand (2) Refactor SetInitialMasterPasswordCommand to only accept post SSO users who are in the invited state
(3) Add TODOs for more cleanup work and more commands

* PM-3275 - Update AccountsControllerTests.cs to add new SetInitialMasterPasswordCommand

* PM-3275 - UserService.cs - Remove non implemented ChangePasswordAsync method

* PM-3275 - The new SetInitialMasterPasswordCommand leveraged the OrganizationService.cs AcceptUserAsync method so while I was in here I converted the AcceptUserAsync methods into a new AcceptOrgUserCommand.cs and turned the private method which accepted an existing org user public for use in the SetInitialMasterPasswordCommand

* PM-3275 - Dotnet format

* PM-3275 - Test SetInitialMasterPasswordCommand

* Dotnet format

* PM-3275 - In process AcceptOrgUserCommandTests.cs

* PM-3275 - Migrate changes from AC-244 / #3199 over into new AcceptOrgUserCommand

* PM-3275 - AcceptOrgUserCommand.cs - create data protector specifically for this command

* PM-3275 - Add TODO for renaming / removing overloading of methods to improve readability / clarity

* PM-3275 - AcceptOrgUserCommand.cs - refactor AcceptOrgUserAsync by OrgId to retrieve orgUser with _organizationUserRepository.GetByOrganizationAsync which gets a single user instead of a collection

* PM-3275 - AcceptOrgUserCommand.cs - update name in TODO for evaluation later

* PM-3275 / PM-1196 - (1) Slightly refactor SsoEmail2faSessionTokenable to provide public static GetTokenLifeTime() method for testing (2) Add missed tests to SsoEmail2faSessionTokenable in preparation for building tests for new OrgUserInviteTokenable.cs

* PM-3275 / PM-1196 - Removing SsoEmail2faSessionTokenable.cs changes + tests as I've handled that separately in a new PR (#3270) for newly created task PM-3925

* PM-3275 - ExpiringTokenable.cs - add clarifying comments to help distinguish between the Valid property and the TokenIsValid method.

* PM-3275 - Create OrgUserInviteTokenable.cs and add tests in OrgUserInviteTokenableTests.cs

* PM-3275 - OrganizationService.cs - Refactor Org User Invite methods to use new OrgUserInviteTokenable instead of manual creation of a token

* PM-3275 - OrgUserInviteTokenable.cs - clarify backwards compat note

* PM-3275 - AcceptOrgUserCommand.cs - Add TODOs + minor name refactor

* PM-3275 - AcceptOrgUserCommand.cs - replace method overloading with more easily readable names.

* PM-3275 - AcceptOrgUserCommand.cs - Update ValidateOrgUserInviteToken to add new token validation while maintaining backwards compatibility for 1 release.

* dotnet format

* PM-3275 - AcceptOrgUserCommand.cs - Move private method below where it is used

* PM-3275 - ServiceCollectionExtensions.cs - Must register IDataProtectorTokenFactory<OrgUserInviteTokenable> for new tokenable

* PM-3275 - OrgUserInviteTokenable needed access to global settings to set its token lifetime to the _globalSettings.OrganizationInviteExpirationHours value.  Creating a factory seemed the most straightforward way to encapsulate the desired creation logic. Unsure if in the correct location in ServiceCollectionExtensions.cs but will figure that out later.

* PM-3275 - In process work of creating AcceptOrgUserCommandTests.cs

* PM-3275 - Remove no longer relevant AcceptOrgUser tests from OrganizationServiceTests.cs

* PM-3275 - Register OrgUserInviteTokenableFactory alongside tokenizer

* PM-3275 - AcceptOrgUserCommandTests.cs - AcceptOrgUserAsync basic test suite completed.

* PM-3275 - AcceptOrgUserCommandTests.cs - tweak test names

* PM-3275 - AcceptOrgUserCommandTests.cs - (1) Remove old tests from OrganizationServiceTests as no longer needed to reference (2) Add summary for SetupCommonAcceptOrgUserMocks (3) Get AcceptOrgUserByToken_OldToken_AcceptsUserAndVerifiesEmail passing

* PM-3275 - Create interface for OrgUserInviteTokenableFactory b/c that's the right thing to do + enables test substitution

* PM-3275 - AcceptOrgUserCommandTests.cs - (1) Start work on AcceptOrgUserByToken_NewToken_AcceptsUserAndVerifiesEmail (2) Create and use SetupCommonAcceptOrgUserByTokenMocks() (3) Create generic FakeDataProtectorTokenFactory for tokenable testing

* PM-3275 - (1) Get AcceptOrgUserByToken_NewToken_AcceptsUserAndVerifiesEmail test passing (2) Move FakeDataProtectorTokenFactory to own file

* PM-3275 - AcceptOrgUserCommandTests.cs - Finish up tests for AcceptOrgUserByTokenAsync

* PM-3275 - Add pseudo section comments

* PM-3275 - Clean up unused params on AcceptOrgUserByToken_EmailMismatch_ThrowsBadRequest test

* PM-3275 - (1) Tests written for AcceptOrgUserByOrgSsoIdAsync (2) Refactor happy path assertions into helper function AssertValidAcceptedOrgUser to reduce code duplication

* PM-3275 - Finish up testing AcceptOrgUserCommandTests.cs by adding tests for AcceptOrgUserByOrgIdAsync

* PM-3275 - Tweaking test naming to ensure consistency.

* PM-3275 - Bugfix - OrgUserInviteTokenableFactory implementation required when declaring singleton service in ServiceCollectionExtensions.cs

* PM-3275 - Resolve failing OrganizationServiceTests.cs

* dotnet format

* PM-3275 - PoliciesController.cs - GetMasterPasswordPolicy bugfix - for orgs without a MP policy, policy comes back as null and we should return notFound in that case.

* PM-3275 - Add PoliciesControllerTests.cs specifically for new GetMasterPasswordPolicy(...) endpoint.

* PM-3275 - dotnet format PoliciesControllerTests.cs

* PM-3275 - PoliciesController.cs - (1) Add tech debt task number (2) Properly flag endpoint as deprecated

* PM-3275 - Add new hasManageResetPasswordPermission property to ProfileResponseModel.cs primarily for sync so that we can condition client side if TDE user obtains elevated permissions

* PM-3275 - Fix AccountsControllerTests.cs

* PM-3275 - OrgUserInviteTokenable.cs - clarify TODO

* PM-3275 - AcceptOrgUserCommand.cs - Refactor token validation to use short circuiting to only run old token validation if new token validation fails.

* PM-3275 - OrgUserInviteTokenable.cs - (1) Add new static methods to centralize validation logic to avoid repetition (2) Add new token validation method so we can avoid having to pass in a full org user (and hitting the db to do so)

* PM-3275 - Realized that the old token validation was used in the PoliciesController.cs (existing user clicks invite link in email and goes to log in) and UserService.cs (user clicks invite link in email and registers for a new acct). Added tech debt item for cleaning up backwards compatibility in future.

* dotnet format

* PM-3275 - (1) AccountsController.cs - Update PostSetPasswordAsync SetPasswordRequestModel to allow null keys for the case where we have a TDE user who obtains elevated permissions - they already have a user public and user encrypted private key saved in the db. (2) AccountsControllerTests.cs - test PostSetPasswordAsync scenarios to ensure changes will work as expected.

* PM-3275 - PR review feedback - (1) set CurrentContext to private (2) Refactor GetProfile to use variables to improve clarity and simplify debugging.

* PM-3275 - SyncController.cs - PR Review Feedback - Set current context as private instead of protected.

* PM-3275 - CurrentContextExtensions.cs - PR Feedback - move parenthesis up from own line.

* PM-3275 - SetInitialMasterPasswordCommandTests.cs - Replace unnecessary variable

* PM-3275 - SetInitialMasterPasswordCommandTests.cs - PR Feedback - Add expected outcome statement to test name

* PM-3275 - Set Initial Password command and tests - PR Feedback changes - (1) Rename orgIdentifier --> OrgSsoIdentifier for clarity (2) Update SetInitialMasterPasswordAsync to not allow null orgSsoId with explicit message saying this vs letting null org trigger invalid organization (3) Add test to cover this new scenario.

* PM-3275 - SetInitialMasterPasswordCommand.cs - Move summary from implementation to interface to better respect standards and the fact that the interface is the more seen piece of code.

* PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, rename AcceptOrgUserByTokenAsync -> AcceptOrgUserByEmailTokenAsync + replace generic name token with emailToken

* PM-3275 - OrganizationService.cs - Per PR feedback, remove dupe line

* PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, remove new lines in error messages for consistency.

* PM-3275 - SetInitialMasterPasswordCommand.cs - Per PR feedback, adjust formatting of constructor for improved readability.

* PM-3275 - CurrentContextExtensions.cs - Refactor AnyOrgUserHasManageResetPasswordPermission per PR feedback to remove unnecessary var.

* PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, remove completed TODO

* PM-3275 - PoliciesController.cs - Per PR feedback, update GetByInvitedUser param to be guid instead of string.

* PM-3275 - OrgUserInviteTokenable.cs - per PR feedback, add tech debt item info.

* PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, use const purpose from tokenable instead of magic string.

* PM-3275 - Restore non duplicate line to fix tests

* PM-3275 - Per PR feedback, revert all sync controller changes as the ProfileResponseModel.organizations array has org objects which have permissions which have the ManageResetPassword permission.  So, I have the information that I need clientside already to determine if the user has the ManageResetPassword in any org.

* PM-3275 - PoliciesControllerTests.cs - Update imports as the PoliciesController was moved under the admin console team's domain.

* PM-3275 - Resolve issues from merge conflict resolutions to get solution building.

* PM-3275 / PM-4633 - PoliciesController.cs - use orgUserId to look up user instead of orgId. Oops.

* Fix user service tests

* Resolve merge conflict
2023-11-02 08:02:25 -07:00
Kyle Spearrin
44c559c723
Support for passkey registration (#2885)
* support for fido2 auth

* stub out registration implementations

* stub out assertion steps and token issuance

* verify token

* webauthn tokenable

* remove duplicate expiration set

* revert sqlproj changes

* update sqlproj target framework

* update new validator signature

* [PM-2014] Passkey registration (#2915)

* [PM-2014] chore: rename `IWebAuthnRespository` to `IWebAuthnCredentialRepository`

* [PM-2014] fix: add missing service registration

* [PM-2014] feat: add user verification when fetching options

* [PM-2014] feat: create migration script for mssql

* [PM-2014] chore: append to todo comment

* [PM-2014] feat: add support for creation token

* [PM-2014] feat: implement credential saving

* [PM-2014] chore: add resident key TODO comment

* [PM-2014] feat: implement passkey listing

* [PM-2014] feat: implement deletion without user verification

* [PM-2014] feat: add user verification to delete

* [PM-2014] feat: implement passkey limit

* [PM-2014] chore: clean up todo comments

* [PM-2014] fix: add missing sql scripts

Missed staging them when commiting

* [PM-2014] feat: include options response model in swagger docs

* [PM-2014] chore: move properties after ctor

* [PM-2014] feat: use `Guid` directly as input paramter

* [PM-2014] feat: use nullable guid in token

* [PM-2014] chore: add new-line

* [PM-2014] feat: add support for feature flag

* [PM-2014] feat: start adding controller tests

* [PM-2014] feat: add user verification test

* [PM-2014] feat: add controller tests for token interaction

* [PM-2014] feat: add tokenable tests

* [PM-2014] chore: clean up commented premium check

* [PM-2014] feat: add user service test for credential limit

* [PM-2014] fix: run `dotnet format`

* [PM-2014] chore: remove trailing comma

* [PM-2014] chore: add `Async` suffix

* [PM-2014] chore: move delay to constant

* [PM-2014] chore: change `default` to `null`

* [PM-2014] chore: remove autogenerated weirdness

* [PM-2014] fix: lint

* Added check for PasswordlessLogin feature flag on new controller and methods. (#3284)

* Added check for PasswordlessLogin feature flag on new controller and methods.

* fix: build error from missing constructor argument

---------

Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>

* [PM-4171] Update DB to support PRF (#3321)

* [PM-4171] feat: update database to support PRF

* [PM-4171] feat: rename `DescriptorId` to `CredentialId`

* [PM-4171] feat: add PRF felds to domain object

* [PM-4171] feat: add `SupportsPrf` column

* [PM-4171] fix: add missing comma

* [PM-4171] fix: add comma

* [PM-3263] fix identity server tests for passkey registration (#3331)

* Added WebAuthnRepo to EF DI

* updated config to match current grant types

* Remove ExtensionGrantValidator (#3363)

* Linting

---------

Co-authored-by: Andreas Coroiu <acoroiu@bitwarden.com>
Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Co-authored-by: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Co-authored-by: Todd Martin <tmartin@bitwarden.com>
2023-10-30 09:40:06 -04:00
Thomas Rittson
26dd8b0e47
[AC-1284] AC Team code ownership moves - Provider (#3359) 2023-10-26 13:38:29 -04:00
Todd Martin
1c3afcdffc
Trusted Device Encryption feature (#3151)
* [PM-1203] feat: allow verification for all passwordless accounts (#3038)

* [PM-1033] Org invite user creation flow 1 (#3028)

* [PM-1033] feat: remove user verification from password enrollment

* [PM-1033] feat: auto accept invitation when enrolling into password reset

* [PM-1033] fix: controller tests

* [PM-1033] refactor: `UpdateUserResetPasswordEnrollmentCommand`

* [PM-1033] refactor(wip): make `AcceptUserCommand`

* Revert "[PM-1033] refactor(wip): make `AcceptUserCommand`"

This reverts commit dc1319e7fa.

* Revert "[PM-1033] refactor: `UpdateUserResetPasswordEnrollmentCommand`"

This reverts commit 43df689c7f.

* [PM-1033] refactor: move invite accept to controller

This avoids creating yet another method that depends on having `IUserService` passed in as a parameter

* [PM-1033] fix: add missing changes

* [PM-1381] Add Trusted Device Keys to Auth Response (#3066)

* Return Keys for Trusted Device

- Check whether the current logging in device is trusted
- Return their keys on successful login

* Formatting

* Address PR Feedback

* Add Remarks Comment

* [PM-1338] `AuthRequest` Event Logs (#3046)

* Update AuthRequestController

- Only allow AdminApproval Requests to be created from authed endpoint
- Add endpoint that has authentication to be able to create admin approval

* Add PasswordlessAuthSettings

- Add settings for customizing expiration times

* Add new EventTypes

* Add Logic for AdminApproval Type

- Add logic for validating AdminApproval expiration
- Add event logging for Approval/Disapproval of AdminApproval
- Add logic for creating AdminApproval types

* Add Test Helpers

- Change BitAutoData to allow you to use string representations of common types.

* Add/Update AuthRequestService Tests

* Run Formatting

* Switch to 7 Days

* Add Test Covering ResponseDate Being Set

* Address PR Feedback

- Create helper for checking if date is expired
- Move validation logic into smaller methods

* Switch to User Event Type

- Make RequestDeviceApproval user type
- User types will log for each org user is in

* [PM-2998] Move Approving Device Check (#3101)

* Move Check for Approving Devices

- Exclude currently logging in device
- Remove old way of checking
- Add tests asserting behavior

* Update DeviceType list

* Update Naming & Address PR Feedback

* Fix Tests

* Address PR Feedback

* Formatting

* Now Fully Update Naming?

* Feature/auth/pm 2759/add can reset password to user decryption options (#3113)

* PM-2759 - BaseRequestValidator.cs - CreateUserDecryptionOptionsAsync - Add new hasManageResetPasswordPermission for post SSO redirect logic required on client.

* PM-2759 - Update IdentityServerSsoTests.cs to all pass based on the addition of HasManageResetPasswordPermission to TrustedDeviceUserDecryptionOption

* IdentityServerSsoTests.cs - fix typo in test name:  LoggingApproval --> LoginApproval

* PM1259 - Add test case for verifying that TrustedDeviceOption.hasManageResetPasswordPermission is set properly based on user permission

* dotnet format run

* Feature/auth/pm 2759/add can reset password to user decryption options fix jit users (#3120)

* PM-2759 - IdentityServer - CreateUserDecryptionOptionsAsync - hasManageResetPasswordPermission set logic was broken for JIT provisioned users as I assumed we would always have a list of at least 1 org during the SSO process. Added TODO for future test addition but getting this out there now as QA is blocked by being unable to create JIT provisioned users.

* dotnet format

* Tiny tweak

* [PM-1339] Allow Rotating Device Keys (#3096)

* Allow Rotation of Trusted Device Keys

- Add endpoint for getting keys relating to rotation
- Add endpoint for rotating your current device
- In the same endpoint allow a list of other devices to rotate

* Formatting

* Use Extension Method

* Add Tests from PR

Co-authored-by: Jared Snider <jsnider@bitwarden.com>

---------

Co-authored-by: Jared Snider <jsnider@bitwarden.com>

* Check the user directly if they have the ResetPasswordKey (#3153)

* PM-3327 - UpdateKeyAsync must exempt the currently calling device from the logout notification in order to prevent prematurely logging the user out before the client side key rotation process can complete. The calling device will log itself out once it is done. (#3170)

* Allow OTP Requests When Users Are On TDE (#3184)

* [PM-3356][PM-3292] Allow OTP For All (#3188)

* Allow OTP For All

- On a trusted device isn't a good check because a user might be using a trusted device locally but not trusted it long term
- The logic wasn't working for KC users anyways

* Remove Old Comment

* [AC-1601] Added RequireSso policy as a dependency of TDE (#3209)

* Added RequireSso policy as a dependency of TDE.

* Added test for RequireSso for TDE.

* Added save.

* Fixed policy name.

---------

Co-authored-by: Andreas Coroiu <acoroiu@bitwarden.com>
Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Co-authored-by: Vincent Salucci <vincesalucci21@gmail.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
2023-08-17 16:03:06 -04:00
Jake Fink
88dd745070
[PM-1188] Server owner auth migration (#2825)
* [PM-1188] add sso project to auth

* [PM-1188] move sso api models to auth

* [PM-1188] fix sso api model namespace & imports

* [PM-1188] move core files to auth

* [PM-1188] fix core sso namespace & models

* [PM-1188] move sso repository files to auth

* [PM-1188] fix sso repo files namespace & imports

* [PM-1188] move sso sql files to auth folder

* [PM-1188] move sso test files to auth folders

* [PM-1188] fix sso tests namespace & imports

* [PM-1188] move auth api files to auth folder

* [PM-1188] fix auth api files namespace & imports

* [PM-1188] move auth core files to auth folder

* [PM-1188] fix auth core files namespace & imports

* [PM-1188] move auth email templates to auth folder

* [PM-1188] move auth email folder back into shared directory

* [PM-1188] fix auth email names

* [PM-1188] move auth core models to auth folder

* [PM-1188] fix auth model namespace & imports

* [PM-1188] add entire Identity project to auth codeowners

* [PM-1188] fix auth orm files namespace & imports

* [PM-1188] move auth orm files to auth folder

* [PM-1188] move auth sql files to auth folder

* [PM-1188] move auth tests to auth folder

* [PM-1188] fix auth test files namespace & imports

* [PM-1188] move emergency access api files to auth folder

* [PM-1188] fix emergencyaccess api files namespace & imports

* [PM-1188] move emergency access core files to auth folder

* [PM-1188] fix emergency access core files namespace & imports

* [PM-1188] move emergency access orm files to auth folder

* [PM-1188] fix emergency access orm files namespace & imports

* [PM-1188] move emergency access sql files to auth folder

* [PM-1188] move emergencyaccess test files to auth folder

* [PM-1188] fix emergency access test files namespace & imports

* [PM-1188] move captcha files to auth folder

* [PM-1188] fix captcha files namespace & imports

* [PM-1188] move auth admin files into auth folder

* [PM-1188] fix admin auth files namespace & imports
- configure mvc to look in auth folders for views

* [PM-1188] remove extra imports and formatting

* [PM-1188] fix ef auth model imports

* [PM-1188] fix DatabaseContextModelSnapshot paths

* [PM-1188] fix grant import in ef

* [PM-1188] update sqlproj

* [PM-1188] move missed sqlproj files

* [PM-1188] move auth ef models out of auth folder

* [PM-1188] fix auth ef models namespace

* [PM-1188] remove auth ef models unused imports

* [PM-1188] fix imports for auth ef models

* [PM-1188] fix more ef model imports

* [PM-1188] fix file encodings
2023-04-14 13:25:56 -04:00
Federico Maccaroni
69511160cb
[EC-400] Code clean up Device Verification (#2601)
* EC-400 Clean up code regarding Unknown Device Verification

* EC-400 Fix formatting
2023-02-17 10:15:28 -03:00
Jake Fink
64c15ed8cd
[EC-1032] if name is Empty, set to null before saving (#2619) 2023-01-25 11:07:33 -05:00
Matt Gibson
a6d97118fa
Feature/bit auto data (#2219)
* Update ProviderService tests

* Use BitAutoData in CipherService tests

* Simplify UserCipher fixture

Because we use a single customizer for all ciphers, they all have the same userId.

* Clean up more cipher fixtures

* Swap Cipher Fixtures to BitCustomizeAttribute

* Clean up collection fixtures

* Clean up GroupFixtures

* Move SendService Tests to BitAutoData

* Clean up Organization Fixtures

TODO: The customize attributes should not be customizing more than one class

* Name files after the class they contain

* Clear up usage of CustomAutoDataAttribute in tests

* Clean up usages of InlineCustomAutoData

* format

* Manually merge with file-scoped-namespace changes
2022-08-31 08:38:35 -05:00
Justin Baur
7f5f010e1e
Run formatting (#2230) 2022-08-29 16:06:55 -04:00
Justin Baur
bae03feffe
Revert filescoped (#2227)
* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2a.
2022-08-29 15:53:48 -04:00
Justin Baur
34fb4cca2a
Turn on file scoped namespaces (#2225) 2022-08-29 14:53:16 -04:00
Justin Baur
231eb84e69
Turn On ImplicitUsings (#2079)
* Turn on ImplicitUsings

* Fix formatting

* Run linter
2022-06-29 19:46:41 -04:00
Thomas Rittson
3360d40592
[EC-243] Grant premium status when member accepts org invite (#2043) 2022-06-17 06:30:50 +10:00
Federico Maccaroni
b070e9a387
[PS-589] Fix emergency contact takeover device verification and endpoints for its settings (#2016)
* Added UnknownDeviceVerificationEnabled on User that is turned off when emergency contact takes over the account. Also added endpoints to get and update 2fa device verification settings. And Updated migrations & tests

* Applied dotnet format

* Fixed method rename call on TwoFactorController

* PS-589 Format fixes

* PS-589 changed UnknownDeviceVerificationEnabled to be non-nullable
2022-06-06 14:52:50 -03:00
Federico Maccaroni
2e2d3075d1
EC-198 Added feature flag for 2FA Email for new device login (#1993)
* EC-198 added global setting flag for 2FA email on new device login feature

* EC-198 Removed is development environment check on 2FA email new device login given that we can now rely on the global settings feature flag

* EC-198 Improved IGlobalSettings and UserService code for testing
2022-05-13 10:48:48 -03:00
Federico Maccaroni
a7a45893a3
PS-82 check send 2FA email for new devices on TwoFactorController send-email-login (#1977) 2022-04-28 13:14:09 -03:00
Federico Maccaroni
6f60d24f5a
Email verification for new devices (#1931)
* PS-56 Added Email 2FA on login with new devices that don't have any 2FA enabled

* PS-56 Fixed wrong argument in VerifyTwoFactor call
2022-04-01 17:08:47 -03:00
Justin Baur
5268f2781e
Start Migration from Newtonsoft.Json to System.Text.Json (#1803)
* Start switch to System.Text.Json

* Work on switching to System.Text.Json

* Main work on STJ refactor

* Fix build errors

* Run formatting

* Delete unused file

* Use legacy for two factor providers

* Run formatter

* Add TokenProviderTests

* Run formatting

* Fix merge issues

* Switch to use JsonSerializer

* Address PR feedback

* Fix formatting

* Ran formatter

* Switch to async

* Ensure Enums are serialized as strings

* Fix formatting

* Enqueue single items as arrays

* Remove CreateAsync method on AzureQueueService
2022-01-21 09:36:25 -05:00
Oscar Hinton
e4a10aae27
Split out repositories to Infrastructure.Dapper / EntityFramework (#1759) 2022-01-11 10:40:51 +01:00
Oscar Hinton
23b0a1f9df
Run dotnet format (#1764) 2021-12-16 15:35:09 +01:00
Oscar Hinton
c22e48c1b4
Resolve error when deleting an account connected to a provider (#1580) 2021-09-15 20:34:06 +02:00
Oscar Hinton
feb3106f37
[Provider] Create and access child organizations (#1427) 2021-07-08 17:05:32 +02:00
Thomas Rittson
86a12efa76
[send.key] Update send.key when account encryption key is rotated (#1417)
* Rotate send.key with account encryption key

* Update tests

* Improve and refactor style, fix typo

* Use null instead of empty lists

* Revert "Use null instead of empty lists"

This reverts commit 775a52ca56.

* Fix style (use AddRange instead of reassignment)
2021-07-02 06:27:03 +10:00
Oscar Hinton
a47b86a995
Remove U2F APIs again (#1319)
* Revert "U2F (#1304)"

This reverts commit ce4f025a0c.

* Avoid removing WebAuthn fixes
2021-05-12 19:48:00 +02:00
Oscar Hinton
ce4f025a0c
U2F (#1304)
* Delete U2F tokens alongside WebAuthn

* Bring back u2f apis
2021-05-05 16:14:49 +02:00
Oscar Hinton
07f37d1f74
WebAuthn (#903) 2021-03-22 23:21:43 +01:00
Matt Gibson
5537470703
Use sas token for attachment downloads (#1153)
* Get limited life attachment download URL

This change limits url download to a 1min lifetime.
This requires moving to a new container to allow for non-public blob
access.

Clients will have to call GetAttachmentData api function to receive the download
URL. For backwards compatibility, attachment URLs are still present, but will not
work for attachments stored in non-public access blobs.

* Make GlobalSettings interface for testing

* Test LocalAttachmentStorageService equivalence

* Remove comment

* Add missing globalSettings using

* Simplify default attachment container

* Default to attachments containe for existing methods

A new upload method will be made for uploading to attachments-v2.
For compatibility for clients which don't use these new methods, we need
to still use the old container. The new container will be used only for
new uploads

* Remove Default MetaData fixture.

* Keep attachments container blob-level security for all instances

* Close unclosed FileStream

* Favor default value for noop services
2021-02-22 15:35:16 -06:00
Matt Gibson
edd4bc2623
Add disable send policy (#1130)
* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
2021-02-04 12:54:21 -06:00
Vincent Salucci
50cf16a3fb
[SSO] New user provision flow (#945)
* Initial commit of accept user during set password flow

* changed new org user from accepted to invited // moved another check to token accept function

* Revised some white space // Moved business logic to UserService

* Fixed UserServiceTest

* Removed some white-space

* Removed more white-space

* Final white-space issues
2020-10-13 15:00:33 -05:00
Chad Scharf
5ecdc77d3f
Fix broken unit tests (#816) 2020-07-08 15:05:24 -04:00
Kyle Spearrin
462303e701 fix tests 2020-02-20 14:36:31 -05:00
Joshua Ford
0f3fcc122d Add basic Core.Services test files (#526)
Following the paradigms illustrated in "Working Effectively with Legacy
Code", this commit introduces at least one test for each service class
implementation. This test is a simple construction test -- we just
create each service and assert that it exists. Each test suite includes
a comment instructing the developer who comes next to remove the
constructor test. We don't want to keep these tests as the codebase
matures, as they aren't useful in the longterm. They only prove that we
have that class under test.

Where test suites failed to construct their associated classes, we skip
the test but leave behind the implementation. This is by design, so that
as the constructors for those classes change, we are forced to keep the
test suite current by leaning on the compiler.
2019-07-05 20:35:54 -07:00