[SSO] Auto enroll during set password (#1520)

* [SSO] Auto enroll during set password

* Updated with requested changes
This commit is contained in:
Vincent Salucci 2021-09-08 12:43:24 -05:00 committed by GitHub
parent 8866fc6322
commit d3f00340fb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 158 additions and 6 deletions

View file

@ -32,6 +32,28 @@
StyleClass="text-md"
HorizontalTextAlignment="Start"></Label>
</StackLayout>
<Grid IsVisible="{Binding ResetPasswordAutoEnroll}"
RowSpacing="0"
ColumnSpacing="0">
<Grid.RowDefinitions>
<RowDefinition Height="Auto" />
<RowDefinition Height="*" />
</Grid.RowDefinitions>
<Grid.ColumnDefinitions>
<ColumnDefinition Width="*" />
<ColumnDefinition Width="Auto" />
</Grid.ColumnDefinitions>
<Frame Padding="10"
Margin="0, 12, 0, 0"
HasShadow="False"
BackgroundColor="Transparent"
BorderColor="Accent">
<Label
Text="{u:I18n ResetPasswordAutoEnrollInviteWarning}"
StyleClass="text-muted, text-sm, text-bold"
HorizontalTextAlignment="Start" />
</Frame>
</Grid>
<Grid IsVisible="{Binding IsPolicyInEffect}"
RowSpacing="0"
ColumnSpacing="0">
@ -44,7 +66,7 @@
<ColumnDefinition Width="Auto" />
</Grid.ColumnDefinitions>
<Frame Padding="10"
Margin="0"
Margin="0, 12, 0, 0"
HasShadow="False"
BackgroundColor="Transparent"
BorderColor="Accent">

View file

@ -30,6 +30,7 @@ namespace Bit.App.Pages
private bool _showPassword;
private bool _isPolicyInEffect;
private bool _resetPasswordAutoEnroll;
private string _policySummary;
private MasterPasswordPolicyOptions _policy;
@ -50,7 +51,6 @@ namespace Bit.App.Pages
ToggleConfirmPasswordCommand = new Command(ToggleConfirmPassword);
SubmitCommand = new Command(async () => await SubmitAsync());
}
public bool ShowPassword
{
get => _showPassword;
@ -63,6 +63,12 @@ namespace Bit.App.Pages
get => _isPolicyInEffect;
set => SetProperty(ref _isPolicyInEffect, value);
}
public bool ResetPasswordAutoEnroll
{
get => _resetPasswordAutoEnroll;
set => SetProperty(ref _resetPasswordAutoEnroll, value);
}
public string PolicySummary
{
@ -86,10 +92,17 @@ namespace Bit.App.Pages
public Action SetPasswordSuccessAction { get; set; }
public Action CloseAction { get; set; }
public string OrgIdentifier { get; set; }
public string OrgId { get; set; }
public async Task InitAsync()
{
await CheckPasswordPolicy();
var org = await _userService.GetOrganizationByIdentifierAsync(OrgIdentifier);
OrgId = org?.Id;
var policyList = await _policyService.GetAll(PolicyType.ResetPassword);
var policyResult = _policyService.GetResetPasswordPolicyOptions(policyList, OrgId);
ResetPasswordAutoEnroll = policyResult.Item2 && policyResult.Item1.AutoEnrollEnabled;
}
public async Task SubmitAsync()
@ -171,6 +184,7 @@ namespace Bit.App.Pages
try
{
await _deviceActionService.ShowLoadingAsync(AppResources.CreatingAccount);
// Set Password and relevant information
await _apiService.SetPasswordAsync(request);
await _userService.SetInformationAsync(await _userService.GetUserIdAsync(),
await _userService.GetEmailAsync(), kdf, kdfIterations);
@ -178,6 +192,25 @@ namespace Bit.App.Pages
await _cryptoService.SetKeyHashAsync(localMasterPasswordHash);
await _cryptoService.SetEncKeyAsync(encKey.Item2.EncryptedString);
await _cryptoService.SetEncPrivateKeyAsync(keys.Item2.EncryptedString);
if (ResetPasswordAutoEnroll)
{
// Grab Organization Keys
var response = await _apiService.GetOrganizationKeysAsync(OrgId);
var publicKey = CoreHelpers.Base64UrlDecode(response.PublicKey);
// Grab user's Encryption Key and encrypt with Org Public Key
var userEncKey = await _cryptoService.GetEncKeyAsync();
var encryptedKey = await _cryptoService.RsaEncryptAsync(userEncKey.Key, publicKey);
// Request
var resetRequest = new OrganizationUserResetPasswordEnrollmentRequest
{
ResetPasswordKey = encryptedKey.EncryptedString
};
var userId = await _userService.GetUserIdAsync();
// Enroll user
await _apiService.PutOrganizationUserResetPasswordEnrollmentAsync(OrgId, userId, resetRequest);
}
await _deviceActionService.HideLoadingAsync();
SetPasswordSuccessAction?.Invoke();

View file

@ -3590,5 +3590,11 @@ namespace Bit.App.Resources {
return ResourceManager.GetString("Fido2SomethingWentWrong", resourceCulture);
}
}
public static string ResetPasswordAutoEnrollInviteWarning {
get {
return ResourceManager.GetString("ResetPasswordAutoEnrollInviteWarning", resourceCulture);
}
}
}
}

View file

@ -2031,4 +2031,7 @@
<data name="Fido2SomethingWentWrong" xml:space="preserve">
<value>Something Went Wrong. Try again.</value>
</data>
<data name="ResetPasswordAutoEnrollInviteWarning" xml:space="preserve">
<value>This organization has an enterprise policy that will automatically enroll you in password reset. Enrollment will allow organization administrators to change your master password.</value>
</data>
</root>

View file

@ -58,6 +58,9 @@ namespace Bit.Core.Abstractions
Task PostTwoFactorEmailAsync(TwoFactorEmailRequest request);
Task PutDeviceTokenAsync(string identifier, DeviceTokenRequest request);
Task PostEventsCollectAsync(IEnumerable<EventRequest> request);
Task<OrganizationKeysResponse> GetOrganizationKeysAsync(string id);
Task PutOrganizationUserResetPasswordEnrollmentAsync(string orgId, string userId,
OrganizationUserResetPasswordEnrollmentRequest request);
Task<SendResponse> GetSendAsync(string id);
Task<SendResponse> PostSendAsync(SendRequest request);

View file

@ -1,3 +1,4 @@
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Bit.Core.Enums;
@ -15,5 +16,7 @@ namespace Bit.Core.Abstractions
Task<MasterPasswordPolicyOptions> GetMasterPasswordPolicyOptions(IEnumerable<Policy> policies = null);
Task<bool> EvaluateMasterPassword(int passwordStrength, string newPassword,
MasterPasswordPolicyOptions enforcedPolicyOptions);
Tuple<ResetPasswordPolicyOptions, bool> GetResetPasswordPolicyOptions(IEnumerable<Policy> policies,
string orgId);
}
}

View file

@ -16,6 +16,7 @@ namespace Bit.Core.Abstractions
Task<KdfType?> GetKdfAsync();
Task<int?> GetKdfIterationsAsync();
Task<Organization> GetOrganizationAsync(string id);
Task<Organization> GetOrganizationByIdentifierAsync(string identifier);
Task<string> GetSecurityStampAsync();
Task<bool> GetEmailVerifiedAsync();
Task<string> GetUserIdAsync();

View file

@ -10,5 +10,6 @@
PersonalOwnership = 5, // Disables personal vault ownership for adding/cloning items
DisableSend = 6, // Disables the ability to create and edit Sends
SendOptions = 7, // Sets restrictions or defaults for Bitwarden Sends
ResetPassword = 8, // Allows orgs to use reset password : also can enable auto-enrollment during invite flow
}
}

View file

@ -1,4 +1,5 @@
using Bit.Core.Enums;
using System.Data.Common;
using Bit.Core.Enums;
using Bit.Core.Models.Response;
namespace Bit.Core.Models.Data
@ -27,6 +28,7 @@ namespace Bit.Core.Models.Data
MaxCollections = response.MaxCollections;
MaxStorageGb = response.MaxStorageGb;
Permissions = response.Permissions ?? new Permissions();
Identifier = response.Identifier;
}
public string Id { get; set; }
@ -47,5 +49,6 @@ namespace Bit.Core.Models.Data
public short? MaxCollections { get; set; }
public short? MaxStorageGb { get; set; }
public Permissions Permissions { get; set; } = new Permissions();
public string Identifier { get; set; }
}
}

View file

@ -1,4 +1,5 @@
using Bit.Core.Enums;
using System.Data.Common;
using Bit.Core.Enums;
using Bit.Core.Models.Data;
namespace Bit.Core.Models.Domain
@ -27,6 +28,7 @@ namespace Bit.Core.Models.Domain
MaxCollections = obj.MaxCollections;
MaxStorageGb = obj.MaxStorageGb;
Permissions = obj.Permissions ?? new Permissions();
Identifier = obj.Identifier;
}
public string Id { get; set; }
@ -47,6 +49,7 @@ namespace Bit.Core.Models.Domain
public short? MaxCollections { get; set; }
public short? MaxStorageGb { get; set; }
public Permissions Permissions { get; set; } = new Permissions();
public string Identifier { get; set; }
public bool CanAccess
{

View file

@ -0,0 +1,7 @@
namespace Bit.Core.Models.Domain
{
public class ResetPasswordPolicyOptions
{
public bool AutoEnrollEnabled { get; set; }
}
}

View file

@ -0,0 +1,7 @@
namespace Bit.Core.Models.Request
{
public class OrganizationUserResetPasswordEnrollmentRequest
{
public string ResetPasswordKey { get; set; }
}
}

View file

@ -0,0 +1,8 @@
namespace Bit.Core.Models.Response
{
public class OrganizationKeysResponse
{
public string PrivateKey { get; set; }
public string PublicKey { get; set; }
}
}

View file

@ -24,5 +24,6 @@ namespace Bit.Core.Models.Response
public OrganizationUserType Type { get; set; }
public bool Enabled { get; set; }
public Permissions Permissions { get; set; } = new Permissions();
public string Identifier { get; set; }
}
}

View file

@ -177,7 +177,7 @@ namespace Bit.Core.Services
return SendAsync<PasswordVerificationRequest, object>(HttpMethod.Post, "/accounts/verify-password", request,
true, false);
}
#endregion
#region Folder APIs
@ -402,6 +402,26 @@ namespace Bit.Core.Services
string.Concat("/hibp/breach?username=", username), null, true, true);
}
#endregion
#region Organizations APIs
public Task<OrganizationKeysResponse> GetOrganizationKeysAsync(string id)
{
return SendAsync<object, OrganizationKeysResponse>(HttpMethod.Get, $"/organizations/{id}/keys", null, true, true);
}
#endregion
#region Organization User APIs
public Task PutOrganizationUserResetPasswordEnrollmentAsync(string orgId, string userId,
OrganizationUserResetPasswordEnrollmentRequest request)
{
return SendAsync<OrganizationUserResetPasswordEnrollmentRequest, object>(HttpMethod.Put,
$"/organizations/{orgId}/users/{userId}/reset-password-enrollment", request, true, false);
}
#endregion
#region Helpers

View file

@ -1,4 +1,5 @@
using System.Collections.Generic;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
@ -180,6 +181,23 @@ namespace Bit.Core.Services
return true;
}
public Tuple<ResetPasswordPolicyOptions, bool> GetResetPasswordPolicyOptions(IEnumerable<Policy> policies,
string orgId)
{
var resetPasswordPolicyOptions = new ResetPasswordPolicyOptions();
if (policies == null || orgId == null)
{
return new Tuple<ResetPasswordPolicyOptions, bool>(resetPasswordPolicyOptions, false);
}
var policy = policies.FirstOrDefault(p =>
p.OrganizationId == orgId && p.Type == PolicyType.ResetPassword && p.Enabled);
resetPasswordPolicyOptions.AutoEnrollEnabled = GetPolicyBool(policy, "autoEnrollEnabled") ?? false;
return new Tuple<ResetPasswordPolicyOptions, bool>(resetPasswordPolicyOptions, policy != null);
}
private int? GetPolicyInt(Policy policy, string key)
{
if (policy.Data.ContainsKey(key))

View file

@ -167,6 +167,19 @@ namespace Bit.Core.Services
}
return new Organization(organizations[id]);
}
public async Task<Organization> GetOrganizationByIdentifierAsync(string identifier)
{
var userId = await GetUserIdAsync();
var organizations = await GetAllOrganizationAsync();
if (organizations == null || organizations.Count == 0)
{
return null;
}
return organizations.FirstOrDefault(o => o.Identifier == identifier);
}
public async Task<List<Organization>> GetAllOrganizationAsync()
{