[SM-394] Secrets Manager (#2164)

Long lived feature branch for Secrets Manager Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com> Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com> Co-authored-by: Thomas Avery <tavery@bitwarden.com> Co-authored-by: Colton Hurst <colton@coltonhurst.com>
2025-12-26 13:13:24 +00:00 · 2023-01-13 15:02:53 +01:00
parent 09e524c9a2
commit 1f0fc43278
188 changed files with 21346 additions and 329 deletions
--- a/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
@@ -2,6 +2,7 @@
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Identity;
+using Bit.Core.IdentityServer;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@@ -17,7 +18,6 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
 {
    private UserManager<User> _userManager;
    private readonly ISsoConfigRepository _ssoConfigRepository;
-    private readonly IOrganizationRepository _organizationRepository;

    public CustomTokenRequestValidator(
        UserManager<User> userManager,
@@ -30,21 +30,19 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
        IOrganizationUserRepository organizationUserRepository,
        IApplicationCacheService applicationCacheService,
        IMailService mailService,
-        ILogger<ResourceOwnerPasswordValidator> logger,
+        ILogger<CustomTokenRequestValidator> logger,
        ICurrentContext currentContext,
        GlobalSettings globalSettings,
        IPolicyRepository policyRepository,
        ISsoConfigRepository ssoConfigRepository,
-        IUserRepository userRepository,
-        ICaptchaValidationService captchaValidationService)
+        IUserRepository userRepository)
        : base(userManager, deviceRepository, deviceService, userService, eventService,
              organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
              applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository,
-              userRepository, captchaValidationService)
+              userRepository)
    {
        _userManager = userManager;
        _ssoConfigRepository = ssoConfigRepository;
-        _organizationRepository = organizationRepository;
    }

    public async Task ValidateAsync(CustomTokenRequestValidationContext context)
@@ -53,10 +51,18 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
        if (!allowedGrantTypes.Contains(context.Result.ValidatedRequest.GrantType)
            || context.Result.ValidatedRequest.ClientId.StartsWith("organization")
            || context.Result.ValidatedRequest.ClientId.StartsWith("installation")
-            || context.Result.ValidatedRequest.ClientId.StartsWith("internal"))
+            || context.Result.ValidatedRequest.ClientId.StartsWith("internal")
+            || context.Result.ValidatedRequest.Client.AllowedScopes.Contains(ApiScopes.ApiSecrets))
        {
+            if (context.Result.ValidatedRequest.Client.Properties.TryGetValue("encryptedPayload", out var payload) &&
+                !string.IsNullOrWhiteSpace(payload))
+            {
+                context.Result.CustomResponse = new Dictionary<string, object> { { "encrypted_payload", payload } };
+            }
+
            return;
        }
+
        await ValidateAsync(context, context.Result.ValidatedRequest,
            new CustomValidatorRequestContext { KnownDevice = true });
    }