[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement * Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future * Update policy name // adjusted conditional to demorgan's * Updated sproc // Added migrator script * Added .sql file extension to DeleteOrgUserWithOrg migrator script * Added policy // edit // strings // validation to business portal * Change requests from review // Added Owner & Admin exemption * Updated repository function used to get org user's type * Updated with requested changes
5 years ago · 66e44759f0
15 changed files with 195 additions and 11 deletions
--- a/bitwarden_license/src/Portal/Controllers/PoliciesController.cs
+++ b/bitwarden_license/src/Portal/Controllers/PoliciesController.cs
@ -1,4 +1,5 @@
				@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+using System;
+using System.Threading.Tasks;
 using Bit.Core.Enums;
 using Bit.Core.Models.Table;
 using Bit.Core.Repositories;
@ -50,7 +51,8 @@ namespace Bit.Portal.Controllers
				@@ -50,7 +51,8 @@ namespace Bit.Portal.Controllers
            }
            
            var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId.Value);
-            return View(new PoliciesModel(policies));
+            var selectedOrgUseSso = _enterprisePortalCurrentContext.SelectedOrganizationDetails.UseSso;
+            return View(new PoliciesModel(policies, selectedOrgUseSso));
        }
        
        [HttpGet("/edit/{type}")]
@ -88,6 +90,7 @@ namespace Bit.Portal.Controllers
				@@ -88,6 +90,7 @@ namespace Bit.Portal.Controllers
                return Redirect("~/");
            }

+            await ValidateDependentPolicies(type, orgId, model.Enabled);
            var policy = await _policyRepository.GetByOrganizationIdTypeAsync(orgId.Value, type);
            if (!ModelState.IsValid)
            {
@ -119,5 +122,37 @@ namespace Bit.Portal.Controllers
				@@ -119,5 +122,37 @@ namespace Bit.Portal.Controllers
                return View(new PolicyEditModel(policy, _i18nService));
            }
        }
+
+        private async Task ValidateDependentPolicies(PolicyType type, Guid? orgId, bool enabled)
+        {
+            if (orgId == null)
+            {
+                throw new ArgumentNullException(nameof(orgId), "OrgId cannot be null");
+            }
+            
+            switch(type)
+            {
+                case PolicyType.MasterPassword:
+                case PolicyType.PasswordGenerator:
+                case PolicyType.TwoFactorAuthentication:
+                case PolicyType.OnlyOrg:
+                    break;
+                
+                case PolicyType.RequireSso:
+                    if (!enabled)
+                    {
+                        break;
+                    }
+                    var singleOrg = await _policyRepository.GetByOrganizationIdTypeAsync(orgId.Value, type);
+                    if (singleOrg?.Enabled != true)
+                    {
+                        ModelState.AddModelError(string.Empty, _i18nService.T("RequireSsoPolicyReqError"));
+                    }
+                    break;
+                
+                default:
+                    throw new ArgumentOutOfRangeException();
+            }
+        }
    }
 }
--- a/bitwarden_license/src/Portal/Models/PoliciesModel.cs
+++ b/bitwarden_license/src/Portal/Models/PoliciesModel.cs
@ -8,7 +8,7 @@ namespace Bit.Portal.Models
				@@ -8,7 +8,7 @@ namespace Bit.Portal.Models
 {
    public class PoliciesModel
    {
-        public PoliciesModel(ICollection<Policy> policies)
+        public PoliciesModel(ICollection<Policy> policies, bool useSso)
        {
            if (policies == null)
            {
@ -20,6 +20,10 @@ namespace Bit.Portal.Models
				@@ -20,6 +20,10 @@ namespace Bit.Portal.Models

            foreach (var type in Enum.GetValues(typeof(PolicyType)).Cast<PolicyType>())
            {
+                if (type == PolicyType.RequireSso && !useSso)
+                {
+                    continue;
+                }
                var enabled = policyDict.ContainsKey(type) ? policyDict[type].Enabled : false;
                Policies.Add(new PolicyModel(type, enabled));
            }
--- a/bitwarden_license/src/Portal/Models/PolicyEditModel.cs
+++ b/bitwarden_license/src/Portal/Models/PolicyEditModel.cs
@ -83,6 +83,7 @@ namespace Bit.Portal.Models
				@@ -83,6 +83,7 @@ namespace Bit.Portal.Models
                    break;
                case PolicyType.OnlyOrg: 
                case PolicyType.TwoFactorAuthentication:
+                case PolicyType.RequireSso:
                    break;
                default:
                    throw new ArgumentOutOfRangeException();
--- a/bitwarden_license/src/Portal/Models/PolicyModel.cs
+++ b/bitwarden_license/src/Portal/Models/PolicyModel.cs
@ -36,6 +36,11 @@ namespace Bit.Portal.Models
				@@ -36,6 +36,11 @@ namespace Bit.Portal.Models
                    NameKey = "OnlyOrganization";
                    DescriptionKey = "OnlyOrganizationDescription";
                    break;
+                
+                case PolicyType.RequireSso:
+                    NameKey = "RequireSso";
+                    DescriptionKey = "RequireSsoDescription";
+                    break;

                default:
                    throw new ArgumentOutOfRangeException();
--- a/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml
+++ b/bitwarden_license/src/Portal/Views/Policies/Edit.cshtml
@ -32,6 +32,19 @@
				@@ -32,6 +32,19 @@
            @i18nService.T("OnlyOrganizationPolicyWarning")
        </div>
    }
+    
+    @if (Model.PolicyType == PolicyType.RequireSso)
+    {
+        <div class="callout callout-success" role="alert">
+            <h3 class="callout-heading">
+                <i class="fa fa-lightbulb-o" *ngIf="icon" aria-hidden="true"></i>
+                @i18nService.T("Prerequisite")
+            </h3>
+            @i18nService.T("RequireSsoPolicyReq")
+        </div>
+    }
+    
+    <div asp-validation-summary="ModelOnly" class="alert alert-danger"></div>

    <div class="form-group">
        <div class="form-check">
--- a/src/Core/Enums/PolicyType.cs
+++ b/src/Core/Enums/PolicyType.cs
@ -6,5 +6,6 @@
				@@ -6,5 +6,6 @@
        MasterPassword = 1,
        PasswordGenerator = 2,
        OnlyOrg = 3,
+        RequireSso = 4,
    }
 }
--- a/src/Core/IdentityServer/BaseRequestValidator.cs
+++ b/src/Core/IdentityServer/BaseRequestValidator.cs
@ -35,6 +35,7 @@ namespace Bit.Core.IdentityServer
				@@ -35,6 +35,7 @@ namespace Bit.Core.IdentityServer
        private readonly ILogger<ResourceOwnerPasswordValidator> _logger;
        private readonly CurrentContext _currentContext;
        private readonly GlobalSettings _globalSettings;
+        private readonly IPolicyRepository _policyRepository;

        public BaseRequestValidator(
            UserManager<User> userManager,
@ -49,7 +50,8 @@ namespace Bit.Core.IdentityServer
				@@ -49,7 +50,8 @@ namespace Bit.Core.IdentityServer
            IMailService mailService,
            ILogger<ResourceOwnerPasswordValidator> logger,
            CurrentContext currentContext,
-            GlobalSettings globalSettings)
+            GlobalSettings globalSettings,
+            IPolicyRepository policyRepository)
        {
            _userManager = userManager;
            _deviceRepository = deviceRepository;
@ -64,6 +66,7 @@ namespace Bit.Core.IdentityServer
				@@ -64,6 +66,7 @@ namespace Bit.Core.IdentityServer
            _logger = logger;
            _currentContext = currentContext;
            _globalSettings = globalSettings;
+            _policyRepository = policyRepository;
        }

        protected async Task ValidateAsync(T context, ValidatedTokenRequest request)
@ -112,9 +115,18 @@ namespace Bit.Core.IdentityServer
				@@ -112,9 +115,18 @@ namespace Bit.Core.IdentityServer
                twoFactorToken = null;
            }

-            var device = await SaveDeviceAsync(user, request);
-            await BuildSuccessResultAsync(user, context, device, twoFactorRequest && twoFactorRemember);
-            return;
+            if (await IsValidAuthTypeAsync(user, request.GrantType)) // Returns true if can finish validation process
+            {
+                var device = await SaveDeviceAsync(user, request);
+                await BuildSuccessResultAsync(user, context, device, twoFactorRequest && twoFactorRemember);
+            }
+            else
+            {
+                SetSsoResult(context, new Dictionary<string, object>
+                {{
+                    "ErrorModel", new ErrorResponseModel("SSO authentication is required.")
+                }});
+            }
        }

        protected abstract Task<(User, bool)> ValidateContextAsync(T context);
@ -229,6 +241,8 @@ namespace Bit.Core.IdentityServer
				@@ -229,6 +241,8 @@ namespace Bit.Core.IdentityServer
        }

        protected abstract void SetTwoFactorResult(T context, Dictionary<string, object> customResponse);
+        
+        protected abstract void SetSsoResult(T context, Dictionary<string, object> customResponse);

        protected abstract void SetSuccessResult(T context, User user, List<Claim> claims,
            Dictionary<string, object> customResponse);
@ -259,11 +273,63 @@ namespace Bit.Core.IdentityServer
				@@ -259,11 +273,63 @@ namespace Bit.Core.IdentityServer
            return new Tuple<bool, Organization>(individualRequired || firstEnabledOrg != null, firstEnabledOrg);
        }

+        private async Task<bool> IsValidAuthTypeAsync(User user, string grantType)
+        {
+            if (grantType == "authorization_code")
+            {
+                return true; // Already using SSO to authorize, finish successfully
+            }
+            
+            // Is user apart of any orgs? Use cache for initial checks.
+            var orgs = (await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id))
+                .ToList();
+            if (orgs.Any())
+            {
+                // Get all org abilities
+                var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+                // Parse all user orgs that are enabled and have the ability to use sso
+                var ssoOrgs = orgs.Where(o => OrgCanUseSso(orgAbilities, o.Id));
+                if (ssoOrgs.Any())
+                {
+                    // Parse users orgs and determine if require sso policy is enabled
+                    var userOrgs = await _organizationRepository.GetManyByUserIdAsync(user.Id);
+                    foreach (var org in userOrgs)
+                    {
+                        if (!(org.Enabled && org.UseSso))
+                        {
+                            continue;
+                        }
+                        
+                        var orgPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(org.Id, PolicyType.RequireSso);
+                        if (orgPolicy != null && orgPolicy.Enabled)
+                        {
+                            var userType = await _organizationUserRepository.GetByOrganizationAsync(org.Id, user.Id);
+                            // Owners and Admins are exempt from this policy
+                            if (userType != null 
+                                && userType.Type != OrganizationUserType.Owner 
+                                && userType.Type != OrganizationUserType.Admin)
+                            {
+                                return false;
+                            }
+                        }
+                    }
+                }
+            }
+            
+            return true; // Default - continue validation process
+        }
+
        private bool OrgUsing2fa(IDictionary<Guid, OrganizationAbility> orgAbilities, Guid orgId)
        {
            return orgAbilities != null && orgAbilities.ContainsKey(orgId) &&
                orgAbilities[orgId].Enabled && orgAbilities[orgId].Using2fa;
        }
+        
+        private bool OrgCanUseSso(IDictionary<Guid, OrganizationAbility> orgAbilities, Guid orgId)
+        {
+            return orgAbilities != null && orgAbilities.ContainsKey(orgId) &&
+                   orgAbilities[orgId].Enabled && orgAbilities[orgId].UseSso;
+        }

        private Device GetDeviceFromRequest(ValidatedRequest request)
        {
--- a/src/Core/IdentityServer/CustomTokenRequestValidator.cs
+++ b/src/Core/IdentityServer/CustomTokenRequestValidator.cs
@ -31,10 +31,11 @@ namespace Bit.Core.IdentityServer
				@@ -31,10 +31,11 @@ namespace Bit.Core.IdentityServer
            IMailService mailService,
            ILogger<ResourceOwnerPasswordValidator> logger,
            CurrentContext currentContext,
-            GlobalSettings globalSettings)
+            GlobalSettings globalSettings,
+            IPolicyRepository policyRepository)
            : base(userManager, deviceRepository, deviceService, userService, eventService,
                  organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
-                  applicationCacheService, mailService, logger, currentContext, globalSettings)
+                  applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
        {
            _userManager = userManager;
        }
@ -78,6 +79,9 @@ namespace Bit.Core.IdentityServer
				@@ -78,6 +79,9 @@ namespace Bit.Core.IdentityServer
            context.Result.CustomResponse = customResponse;
        }

+        protected override void SetSsoResult(CustomTokenRequestValidationContext context, 
+            Dictionary<string, object> customResponse) => throw new System.NotImplementedException();
+
        protected override void SetErrorResult(CustomTokenRequestValidationContext context,
            Dictionary<string, object> customResponse)
        {
--- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
@ -31,10 +31,11 @@ namespace Bit.Core.IdentityServer
				@@ -31,10 +31,11 @@ namespace Bit.Core.IdentityServer
            IMailService mailService,
            ILogger<ResourceOwnerPasswordValidator> logger,
            CurrentContext currentContext,
-            GlobalSettings globalSettings)
+            GlobalSettings globalSettings,
+            IPolicyRepository policyRepository)
            : base(userManager, deviceRepository, deviceService, userService, eventService,
                  organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
-                  applicationCacheService, mailService, logger, currentContext, globalSettings)
+                  applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
        {
            _userManager = userManager;
            _userService = userService;
@ -77,6 +78,13 @@ namespace Bit.Core.IdentityServer
				@@ -77,6 +78,13 @@ namespace Bit.Core.IdentityServer
                customResponse);
        }

+        protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
+            Dictionary<string, object> customResponse)
+        {
+            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
+                customResponse);
+        }
+
        protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
            Dictionary<string, object> customResponse)
        {
--- a/src/Core/Models/Data/OrganizationAbility.cs
+++ b/src/Core/Models/Data/OrganizationAbility.cs
@ -16,6 +16,7 @@ namespace Bit.Core.Models.Data
				@@ -16,6 +16,7 @@ namespace Bit.Core.Models.Data
                organization.TwoFactorProviders != "{}";
            UsersGetPremium = organization.UsersGetPremium;
            Enabled = organization.Enabled;
+            UseSso = organization.UseSso;
        }

        public Guid Id { get; set; }
@ -24,5 +25,6 @@ namespace Bit.Core.Models.Data
				@@ -24,5 +25,6 @@ namespace Bit.Core.Models.Data
        public bool Using2fa { get; set; }
        public bool UsersGetPremium { get; set; }
        public bool Enabled { get; set; }
+        public bool UseSso { get; set; }
    }
 }
--- a/src/Core/Repositories/EntityFramework/OrganizationRepository.cs
+++ b/src/Core/Repositories/EntityFramework/OrganizationRepository.cs
@ -99,6 +99,7 @@ namespace Bit.Core.Repositories.EntityFramework
				@@ -99,6 +99,7 @@ namespace Bit.Core.Repositories.EntityFramework
                    UseEvents = e.UseEvents,
                    UsersGetPremium = e.UsersGetPremium,
                    Using2fa = e.Use2fa && e.TwoFactorProviders != null,
+                    UseSso = e.UseSso,
                }).ToListAsync();
            }
        }
--- a/src/Core/Resources/SharedResources.en.resx
+++ b/src/Core/Resources/SharedResources.en.resx
@ -548,4 +548,19 @@
				@@ -548,4 +548,19 @@
  <data name="OnlyOrganizationPolicyWarning" xml:space="preserve">
    <value>Organization members who are already a part of another organization will be removed from this organization and will receive an email notifying them about the change.</value>
  </data>
+  <data name="RequireSso" xml:space="preserve">
+    <value>Single Sign-On Authentication</value>
+  </data>
+  <data name="RequireSsoDescription" xml:space="preserve">
+    <value>Require users to log in with the Enterprise Single Sign-On method.</value>
+  </data>
+  <data name="Prerequisite" xml:space="preserve">
+    <value>Prerequisite</value>
+  </data>
+  <data name="RequireSsoPolicyReq" xml:space="preserve">
+    <value>The Single Organization enterprise policy must be enabled before activating this policy.</value>
+  </data>
+  <data name="RequireSsoPolicyReqError" xml:space="preserve">
+    <value>Single Organization policy not enabled.</value>
+  </data>
 </root>
--- a/Procedures/Organization_ReadAbilities.sql
+++ b/Procedures/Organization_ReadAbilities.sql
@ -14,6 +14,7 @@ BEGIN
				@@ -14,6 +14,7 @@ BEGIN
            0
        END AS [Using2fa],
        [UsersGetPremium],
+        [UseSso],
        [Enabled]
    FROM
        [dbo].[Organization]
--- a/util/Migrator/DbScripts/2020-10-08_00_DeleteOrgUserWithOrg.sql
+++ b/util/Migrator/DbScripts/2020-10-08_00_DeleteOrgUserWithOrg.sql
--- a/util/Migrator/DbScripts/2020-10-20_00_OrgReadAbilities.sql
+++ b/util/Migrator/DbScripts/2020-10-20_00_OrgReadAbilities.sql
@ -0,0 +1,28 @@
				@@ -0,0 +1,28 @@
+IF OBJECT_ID('[dbo].[Organization_ReadAbilities]') IS NOT NULL
+BEGIN
+    DROP PROCEDURE [dbo].[Organization_ReadAbilities]
+END
+GO
+
+CREATE PROCEDURE [dbo].[Organization_ReadAbilities]
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [Id],
+        [UseEvents],
+        [Use2fa],
+        CASE 
+        WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+            1
+        ELSE
+            0
+        END AS [Using2fa],
+        [UsersGetPremium],
+        [UseSso],
+        [Enabled]
+    FROM
+        [dbo].[Organization]
+END
+GO