[PM-20592] [PM-22737] [PM-22738] Send grant validator (#6151)

**feat**: create `SendGrantValidator` and initial `SendPasswordValidator` for Send access grants **feat**: add feature flag to toggle Send grant validation logic **feat**: add Send client to Identity and update `ApiClient` to generic `Client` **feat**: register Send services in DI pipeline **feat**: add claims management support to `ProfileService` **feat**: distinguish between invalid grant and invalid request in `SendAccessGrantValidator` **fix**: update parsing of `send_id` from request **fix**: add early return when feature flag is disabled **fix**: rename and organize Send access scope and grant type **fix**: dotnet format **test**: add unit and integration tests for `SendGrantValidator` **test**: update OpenID configuration and API resource claims **doc**: move documentation to interfaces and update inline comments **chore**: add TODO for future support of `CustomGrantTypes`
2026-01-09 20:13:24 +00:00 · 2025-08-13 18:38:00 -04:00
parent 87877aeb3d
commit 43d753dcb1
24 changed files with 961 additions and 19 deletions
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -191,6 +191,7 @@ public static class FeatureFlagKeys
    public const string UserManagedPrivilegedApps = "pm-18970-user-managed-privileged-apps";
    public const string EnablePMPreloginSettings = "enable-pm-prelogin-settings";
    public const string AppIntents = "app-intents";
+    public const string SendAccess = "pm-19394-send-access-control";

    /* Platform Team */
    public const string PersistPopupView = "persist-popup-view";
--- a/src/Core/Enums/BitwardenClient.cs
+++ b/src/Core/Enums/BitwardenClient.cs
@@ -8,5 +8,6 @@ public static class BitwardenClient
        Desktop = "desktop",
        Mobile = "mobile",
        Cli = "cli",
-        DirectoryConnector = "connector";
+        DirectoryConnector = "connector",
+        Send = "send";
 }
--- a/src/Core/Identity/Claims.cs
+++ b/src/Core/Identity/Claims.cs
@@ -39,4 +39,6 @@ public static class Claims
        public const string ManageResetPassword = "manageresetpassword";
        public const string ManageScim = "managescim";
    }
+
+    public const string SendId = "send_id";
 }
--- a/src/Core/Identity/IdentityClientType.cs
+++ b/src/Core/Identity/IdentityClientType.cs
@@ -5,4 +5,5 @@ public enum IdentityClientType : byte
    User = 0,
    Organization = 1,
    ServiceAccount = 2,
+    Send = 3
 }
--- a/src/Core/IdentityServer/ApiScopes.cs
+++ b/src/Core/IdentityServer/ApiScopes.cs
@@ -11,6 +11,7 @@ public static class ApiScopes
    public const string ApiPush = "api.push";
    public const string ApiSecrets = "api.secrets";
    public const string Internal = "internal";
+    public const string ApiSendAccess = "api.send.access";

    public static IEnumerable<ApiScope> GetApiScopes()
    {
@@ -23,6 +24,7 @@ public static class ApiScopes
            new(ApiInstallation, "API Installation Access"),
            new(Internal, "Internal Access"),
            new(ApiSecrets, "Secrets Manager Access"),
+            new(ApiSendAccess, "API Send Access"),
        };
    }
 }
--- a/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
+++ b/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
@@ -9,6 +9,7 @@ public static class KeyManagementServiceCollectionExtensions
    public static void AddKeyManagementServices(this IServiceCollection services)
    {
        services.AddKeyManagementCommands();
+        services.AddSendPasswordServices();
    }

    private static void AddKeyManagementCommands(this IServiceCollection services)
--- a/src/Core/KeyManagement/Sends/ISendPasswordHasher.cs
+++ b/src/Core/KeyManagement/Sends/ISendPasswordHasher.cs
@@ -9,7 +9,6 @@ public interface ISendPasswordHasher
    /// <param name="sendPasswordHash">The send password that is hashed by the server.</param>
    /// <param name="clientPasswordHash">The user provided password hash that has not yet been hashed by the server for comparison.</param>
    /// <returns>true if hashes match false otherwise</returns>
-    /// <exception cref="InvalidOperationException">Thrown if the server password hash or client password hash is null or empty.</exception>
    bool PasswordHashMatches(string sendPasswordHash, string clientPasswordHash);

    /// <summary>
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -89,6 +89,7 @@ public class GlobalSettings : IGlobalSettings
    public virtual IWebPushSettings WebPush { get; set; } = new WebPushSettings();
    public virtual IPhishingDomainSettings PhishingDomain { get; set; } = new PhishingDomainSettings();

+    public virtual int SendAccessTokenLifetimeInMinutes { get; set; } = 5;
    public virtual bool EnableEmailVerification { get; set; }
    public virtual string KdfDefaultHashKey { get; set; }
    public virtual string PricingUri { get; set; }