mirror of
https://github.com/bitwarden/server.git
synced 2025-01-04 19:07:50 +01:00
25a9991908
* added column ApiKey to dbo.User * added dbo.User.ApiKey to User_Update * added dbo.User.ApiKey to User_Create * wrote migration script for implementing dbo.User.ApiKey * Added ApiKey prop to the User table model * Created AccountsController method for getting a user's API Key * Created AccountsController method for rotating a user API key * Added support to ApiClient for passed-through ClientSecrets when the request comes from the cli * Added a new conditional to ClientStore to account for user API keys * Wrote unit tests for new user API Key methods * Added a refresh of dbo.UserView to new migration script for ApiKey * Let client_credentials grants into the custom token logic * Cleanup for ApiKey auth in the CLI feature * Created user API key on registration * Removed uneeded code for user API keys * Changed a .Contains() to a .StartsWith() in ClientStore * Changed index that an array is searched on * Added more claims to the user apikey clients * Moved some claim finding logic to a helper method
280 lines
6.9 KiB
Transact-SQL
280 lines
6.9 KiB
Transact-SQL
-- Add ApiKey column to dbo.User, nullable for now but will be not null after backfilling
|
|
IF COL_LENGTH('[dbo].[User]', 'ApiKey') IS NULL
|
|
BEGIN
|
|
ALTER TABLE
|
|
[dbo].[User]
|
|
ADD
|
|
[ApiKey] VARCHAR (30) NULL
|
|
END
|
|
GO
|
|
|
|
-- Setup for random string generation to backfill dbo.User.ApiKey
|
|
CREATE VIEW [dbo].[SecureRandomBytes]
|
|
AS
|
|
SELECT [RandBytes] = CRYPT_GEN_RANDOM(2)
|
|
GO
|
|
|
|
CREATE FUNCTION [dbo].[SecureRandomString]()
|
|
RETURNS varchar(30)
|
|
AS
|
|
BEGIN
|
|
declare @sLength tinyint
|
|
declare @randomString varchar(30)
|
|
declare @counter tinyint
|
|
declare @nextChar char(1)
|
|
declare @rnd as float
|
|
declare @bytes binary(2)
|
|
|
|
|
|
set @sLength = 30
|
|
set @counter = 1
|
|
set @randomString = ''
|
|
|
|
|
|
while @counter <= @sLength
|
|
begin
|
|
select @bytes = [RandBytes] from [dbo].[SecureRandomBytes]
|
|
select @rnd = cast(cast(cast(@bytes as int) as float) / 65535 as float)
|
|
select @nextChar = char(48 + convert(int, (122-48+1) * @rnd))
|
|
if ascii(@nextChar) not in (58,59,60,61,62,63,64,91,92,93,94,95,96)
|
|
begin
|
|
select @randomString = @randomString + @nextChar
|
|
set @counter = @counter + 1
|
|
end
|
|
end
|
|
return @randomString
|
|
END
|
|
GO
|
|
|
|
-- Backfill dbo.User.ApiKey
|
|
UPDATE
|
|
[dbo].[User]
|
|
SET
|
|
[ApiKey] = (SELECT [dbo].[SecureRandomString]())
|
|
GO
|
|
|
|
-- Change dbo.User.ApiKey to not null to enforece all future users to have one on create
|
|
ALTER TABLE
|
|
[dbo].[User]
|
|
ALTER COLUMN
|
|
[ApiKey] VARCHAR(30) NOT NULL
|
|
GO
|
|
|
|
|
|
-- Cleanup random string generation
|
|
DROP VIEW [dbo].[SecureRandomBytes]
|
|
GO
|
|
DROP FUNCTION [dbo].[SecureRandomString]
|
|
GO
|
|
|
|
-- Update dbo.User_Create to account for ApiKey
|
|
IF OBJECT_ID('[dbo].[User_Create]') IS NOT NULL
|
|
BEGIN
|
|
DROP PROCEDURE [dbo].[User_Create]
|
|
END
|
|
GO
|
|
|
|
CREATE PROCEDURE [dbo].[User_Create]
|
|
@Id UNIQUEIDENTIFIER,
|
|
@Name NVARCHAR(50),
|
|
@Email NVARCHAR(50),
|
|
@EmailVerified BIT,
|
|
@MasterPassword NVARCHAR(300),
|
|
@MasterPasswordHint NVARCHAR(50),
|
|
@Culture NVARCHAR(10),
|
|
@SecurityStamp NVARCHAR(50),
|
|
@TwoFactorProviders NVARCHAR(MAX),
|
|
@TwoFactorRecoveryCode NVARCHAR(32),
|
|
@EquivalentDomains NVARCHAR(MAX),
|
|
@ExcludedGlobalEquivalentDomains NVARCHAR(MAX),
|
|
@AccountRevisionDate DATETIME2(7),
|
|
@Key NVARCHAR(MAX),
|
|
@PublicKey NVARCHAR(MAX),
|
|
@PrivateKey NVARCHAR(MAX),
|
|
@Premium BIT,
|
|
@PremiumExpirationDate DATETIME2(7),
|
|
@RenewalReminderDate DATETIME2(7),
|
|
@Storage BIGINT,
|
|
@MaxStorageGb SMALLINT,
|
|
@Gateway TINYINT,
|
|
@GatewayCustomerId VARCHAR(50),
|
|
@GatewaySubscriptionId VARCHAR(50),
|
|
@ReferenceData VARCHAR(MAX),
|
|
@LicenseKey VARCHAR(100),
|
|
@Kdf TINYINT,
|
|
@KdfIterations INT,
|
|
@CreationDate DATETIME2(7),
|
|
@RevisionDate DATETIME2(7),
|
|
@ApiKey VARCHAR(30)
|
|
AS
|
|
BEGIN
|
|
SET NOCOUNT ON
|
|
|
|
INSERT INTO [dbo].[User]
|
|
(
|
|
[Id],
|
|
[Name],
|
|
[Email],
|
|
[EmailVerified],
|
|
[MasterPassword],
|
|
[MasterPasswordHint],
|
|
[Culture],
|
|
[SecurityStamp],
|
|
[TwoFactorProviders],
|
|
[TwoFactorRecoveryCode],
|
|
[EquivalentDomains],
|
|
[ExcludedGlobalEquivalentDomains],
|
|
[AccountRevisionDate],
|
|
[Key],
|
|
[PublicKey],
|
|
[PrivateKey],
|
|
[Premium],
|
|
[PremiumExpirationDate],
|
|
[RenewalReminderDate],
|
|
[Storage],
|
|
[MaxStorageGb],
|
|
[Gateway],
|
|
[GatewayCustomerId],
|
|
[GatewaySubscriptionId],
|
|
[ReferenceData],
|
|
[LicenseKey],
|
|
[Kdf],
|
|
[KdfIterations],
|
|
[CreationDate],
|
|
[RevisionDate],
|
|
[ApiKey]
|
|
)
|
|
VALUES
|
|
(
|
|
@Id,
|
|
@Name,
|
|
@Email,
|
|
@EmailVerified,
|
|
@MasterPassword,
|
|
@MasterPasswordHint,
|
|
@Culture,
|
|
@SecurityStamp,
|
|
@TwoFactorProviders,
|
|
@TwoFactorRecoveryCode,
|
|
@EquivalentDomains,
|
|
@ExcludedGlobalEquivalentDomains,
|
|
@AccountRevisionDate,
|
|
@Key,
|
|
@PublicKey,
|
|
@PrivateKey,
|
|
@Premium,
|
|
@PremiumExpirationDate,
|
|
@RenewalReminderDate,
|
|
@Storage,
|
|
@MaxStorageGb,
|
|
@Gateway,
|
|
@GatewayCustomerId,
|
|
@GatewaySubscriptionId,
|
|
@ReferenceData,
|
|
@LicenseKey,
|
|
@Kdf,
|
|
@KdfIterations,
|
|
@CreationDate,
|
|
@RevisionDate,
|
|
@ApiKey
|
|
)
|
|
END
|
|
GO
|
|
|
|
-- Update dbo.User_Update to account for ApiKey
|
|
IF OBJECT_ID('[dbo].[User_Update]') IS NOT NULL
|
|
BEGIN
|
|
DROP PROCEDURE [dbo].[User_Update]
|
|
END
|
|
GO
|
|
|
|
CREATE PROCEDURE [dbo].[User_Update]
|
|
@Id UNIQUEIDENTIFIER,
|
|
@Name NVARCHAR(50),
|
|
@Email NVARCHAR(50),
|
|
@EmailVerified BIT,
|
|
@MasterPassword NVARCHAR(300),
|
|
@MasterPasswordHint NVARCHAR(50),
|
|
@Culture NVARCHAR(10),
|
|
@SecurityStamp NVARCHAR(50),
|
|
@TwoFactorProviders NVARCHAR(MAX),
|
|
@TwoFactorRecoveryCode NVARCHAR(32),
|
|
@EquivalentDomains NVARCHAR(MAX),
|
|
@ExcludedGlobalEquivalentDomains NVARCHAR(MAX),
|
|
@AccountRevisionDate DATETIME2(7),
|
|
@Key NVARCHAR(MAX),
|
|
@PublicKey NVARCHAR(MAX),
|
|
@PrivateKey NVARCHAR(MAX),
|
|
@Premium BIT,
|
|
@PremiumExpirationDate DATETIME2(7),
|
|
@RenewalReminderDate DATETIME2(7),
|
|
@Storage BIGINT,
|
|
@MaxStorageGb SMALLINT,
|
|
@Gateway TINYINT,
|
|
@GatewayCustomerId VARCHAR(50),
|
|
@GatewaySubscriptionId VARCHAR(50),
|
|
@ReferenceData VARCHAR(MAX),
|
|
@LicenseKey VARCHAR(100),
|
|
@Kdf TINYINT,
|
|
@KdfIterations INT,
|
|
@CreationDate DATETIME2(7),
|
|
@RevisionDate DATETIME2(7),
|
|
@ApiKey VARCHAR(30)
|
|
AS
|
|
BEGIN
|
|
SET NOCOUNT ON
|
|
|
|
UPDATE
|
|
[dbo].[User]
|
|
SET
|
|
[Name] = @Name,
|
|
[Email] = @Email,
|
|
[EmailVerified] = @EmailVerified,
|
|
[MasterPassword] = @MasterPassword,
|
|
[MasterPasswordHint] = @MasterPasswordHint,
|
|
[Culture] = @Culture,
|
|
[SecurityStamp] = @SecurityStamp,
|
|
[TwoFactorProviders] = @TwoFactorProviders,
|
|
[TwoFactorRecoveryCode] = @TwoFactorRecoveryCode,
|
|
[EquivalentDomains] = @EquivalentDomains,
|
|
[ExcludedGlobalEquivalentDomains] = @ExcludedGlobalEquivalentDomains,
|
|
[AccountRevisionDate] = @AccountRevisionDate,
|
|
[Key] = @Key,
|
|
[PublicKey] = @PublicKey,
|
|
[PrivateKey] = @PrivateKey,
|
|
[Premium] = @Premium,
|
|
[PremiumExpirationDate] = @PremiumExpirationDate,
|
|
[RenewalReminderDate] = @RenewalReminderDate,
|
|
[Storage] = @Storage,
|
|
[MaxStorageGb] = @MaxStorageGb,
|
|
[Gateway] = @Gateway,
|
|
[GatewayCustomerId] = @GatewayCustomerId,
|
|
[GatewaySubscriptionId] = @GatewaySubscriptionId,
|
|
[ReferenceData] = @ReferenceData,
|
|
[LicenseKey] = @LicenseKey,
|
|
[Kdf] = @Kdf,
|
|
[KdfIterations] = @KdfIterations,
|
|
[CreationDate] = @CreationDate,
|
|
[RevisionDate] = @RevisionDate,
|
|
[ApiKey] = @ApiKey
|
|
WHERE
|
|
[Id] = @Id
|
|
END
|
|
GO
|
|
|
|
-- Refresh dbo.UserView so it has access to ApiKey
|
|
IF OBJECT_ID('[dbo].[UserView]') IS NOT NULL
|
|
BEGIN
|
|
DROP VIEW [dbo].[UserView]
|
|
END
|
|
GO
|
|
|
|
CREATE VIEW [dbo].[UserView]
|
|
AS
|
|
SELECT
|
|
*
|
|
FROM
|
|
[dbo].[User]
|
|
|
|
GO
|