[PM-1188] Server owner auth migration (#2825)

* [PM-1188] add sso project to auth * [PM-1188] move sso api models to auth * [PM-1188] fix sso api model namespace & imports * [PM-1188] move core files to auth * [PM-1188] fix core sso namespace & models * [PM-1188] move sso repository files to auth * [PM-1188] fix sso repo files namespace & imports * [PM-1188] move sso sql files to auth folder * [PM-1188] move sso test files to auth folders * [PM-1188] fix sso tests namespace & imports * [PM-1188] move auth api files to auth folder * [PM-1188] fix auth api files namespace & imports * [PM-1188] move auth core files to auth folder * [PM-1188] fix auth core files namespace & imports * [PM-1188] move auth email templates to auth folder * [PM-1188] move auth email folder back into shared directory * [PM-1188] fix auth email names * [PM-1188] move auth core models to auth folder * [PM-1188] fix auth model namespace & imports * [PM-1188] add entire Identity project to auth codeowners * [PM-1188] fix auth orm files namespace & imports * [PM-1188] move auth orm files to auth folder * [PM-1188] move auth sql files to auth folder * [PM-1188] move auth tests to auth folder * [PM-1188] fix auth test files namespace & imports * [PM-1188] move emergency access api files to auth folder * [PM-1188] fix emergencyaccess api files namespace & imports * [PM-1188] move emergency access core files to auth folder * [PM-1188] fix emergency access core files namespace & imports * [PM-1188] move emergency access orm files to auth folder * [PM-1188] fix emergency access orm files namespace & imports * [PM-1188] move emergency access sql files to auth folder * [PM-1188] move emergencyaccess test files to auth folder * [PM-1188] fix emergency access test files namespace & imports * [PM-1188] move captcha files to auth folder * [PM-1188] fix captcha files namespace & imports * [PM-1188] move auth admin files into auth folder * [PM-1188] fix admin auth files namespace & imports - configure mvc to look in auth folders for views * [PM-1188] remove extra imports and formatting * [PM-1188] fix ef auth model imports * [PM-1188] fix DatabaseContextModelSnapshot paths * [PM-1188] fix grant import in ef * [PM-1188] update sqlproj * [PM-1188] move missed sqlproj files * [PM-1188] move auth ef models out of auth folder * [PM-1188] fix auth ef models namespace * [PM-1188] remove auth ef models unused imports * [PM-1188] fix imports for auth ef models * [PM-1188] fix more ef model imports * [PM-1188] fix file encodings
2025-12-17 00:33:23 +00:00 · 2023-04-14 13:25:56 -04:00
parent 2529c5b36f
commit 88dd745070
332 changed files with 704 additions and 522 deletions
--- a/src/Core/Auth/Identity/OrganizationDuoWebTokenProvider.cs
+++ b/src/Core/Auth/Identity/OrganizationDuoWebTokenProvider.cs
@@ -0,0 +1,75 @@
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models;
+using Bit.Core.Auth.Utilities.Duo;
+using Bit.Core.Entities;
+using Bit.Core.Settings;
+
+namespace Bit.Core.Auth.Identity;
+
+public interface IOrganizationDuoWebTokenProvider : IOrganizationTwoFactorTokenProvider { }
+
+public class OrganizationDuoWebTokenProvider : IOrganizationDuoWebTokenProvider
+{
+    private readonly GlobalSettings _globalSettings;
+
+    public OrganizationDuoWebTokenProvider(GlobalSettings globalSettings)
+    {
+        _globalSettings = globalSettings;
+    }
+
+    public Task<bool> CanGenerateTwoFactorTokenAsync(Organization organization)
+    {
+        if (organization == null || !organization.Enabled || !organization.Use2fa)
+        {
+            return Task.FromResult(false);
+        }
+
+        var provider = organization.GetTwoFactorProvider(TwoFactorProviderType.OrganizationDuo);
+        var canGenerate = organization.TwoFactorProviderIsEnabled(TwoFactorProviderType.OrganizationDuo)
+            && HasProperMetaData(provider);
+        return Task.FromResult(canGenerate);
+    }
+
+    public Task<string> GenerateAsync(Organization organization, User user)
+    {
+        if (organization == null || !organization.Enabled || !organization.Use2fa)
+        {
+            return Task.FromResult<string>(null);
+        }
+
+        var provider = organization.GetTwoFactorProvider(TwoFactorProviderType.OrganizationDuo);
+        if (!HasProperMetaData(provider))
+        {
+            return Task.FromResult<string>(null);
+        }
+
+        var signatureRequest = DuoWeb.SignRequest(provider.MetaData["IKey"].ToString(),
+            provider.MetaData["SKey"].ToString(), _globalSettings.Duo.AKey, user.Email);
+        return Task.FromResult(signatureRequest);
+    }
+
+    public Task<bool> ValidateAsync(string token, Organization organization, User user)
+    {
+        if (organization == null || !organization.Enabled || !organization.Use2fa)
+        {
+            return Task.FromResult(false);
+        }
+
+        var provider = organization.GetTwoFactorProvider(TwoFactorProviderType.OrganizationDuo);
+        if (!HasProperMetaData(provider))
+        {
+            return Task.FromResult(false);
+        }
+
+        var response = DuoWeb.VerifyResponse(provider.MetaData["IKey"].ToString(),
+            provider.MetaData["SKey"].ToString(), _globalSettings.Duo.AKey, token);
+
+        return Task.FromResult(response == user.Email);
+    }
+
+    private bool HasProperMetaData(TwoFactorProvider provider)
+    {
+        return provider?.MetaData != null && provider.MetaData.ContainsKey("IKey") &&
+            provider.MetaData.ContainsKey("SKey") && provider.MetaData.ContainsKey("Host");
+    }
+}