-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auth/PM-3275 - Changes to support TDE User without MP being able to Set a Password + misc refactoring #3242
Merged
JaredSnider-Bitwarden
merged 111 commits into
master
from
auth/pm-3275/tde-add-get-mp-policy-endpoint
Nov 2, 2023
Merged
Auth/PM-3275 - Changes to support TDE User without MP being able to Set a Password + misc refactoring #3242
JaredSnider-Bitwarden
merged 111 commits into
master
from
auth/pm-3275/tde-add-get-mp-policy-endpoint
Nov 2, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…uthenticated clients to get an enabled MP org policy if it exists for the purposes of enforcing those policy requirements when setting a password.
…UserService.setPasswordAsync into new SetInitialMasterPasswordCommand (2) Refactor SetInitialMasterPasswordCommand to only accept post SSO users who are in the invited state (3) Add TODOs for more cleanup work and more commands
…erPasswordCommand
No New Or Fixed Issues Found |
…izationService.cs AcceptUserAsync method so while I was in here I converted the AcceptUserAsync methods into a new AcceptOrgUserCommand.cs and turned the private method which accepted an existing org user public for use in the SetInitialMasterPasswordCommand
…d-get-mp-policy-endpoint # Conflicts: # src/Api/Controllers/OrganizationUsersController.cs # src/Core/Services/IOrganizationService.cs # src/Core/Services/Implementations/OrganizationService.cs
…y for this command
…improve readability / clarity
…gId to retrieve orgUser with _organizationUserRepository.GetByOrganizationAsync which gets a single user instead of a collection
… to provide public static GetTokenLifeTime() method for testing (2) Add missed tests to SsoEmail2faSessionTokenable in preparation for building tests for new OrgUserInviteTokenable.cs
… tests as I've handled that separately in a new PR (#3270) for newly created task PM-3925
…cy-endpoint' into auth/pm-3275/tde-add-get-mp-policy-endpoint
…inguish between the Valid property and the TokenIsValid method.
…viteTokenableTests.cs
…o use new OrgUserInviteTokenable instead of manual creation of a token
…ore easily readable names.
… to add new token validation while maintaining backwards compatibility for 1 release.
…d-get-mp-policy-endpoint # Conflicts: # src/Core/Services/Implementations/UserService.cs # src/SharedWeb/Utilities/ServiceCollectionExtensions.cs # test/Core.Test/Services/UserServiceTests.cs
JaredSnider-Bitwarden
dismissed stale reviews from ike-kottlowski, r-tome, shane-melton, and LRNcardozoWDF
via
October 30, 2023 22:03
6806047
…user instead of orgId. Oops.
r-tome
previously approved these changes
Oct 31, 2023
…d-get-mp-policy-endpoint # Conflicts: # src/Core/Services/Implementations/OrganizationService.cs
JaredSnider-Bitwarden
requested review from
LRNcardozoWDF,
r-tome,
ike-kottlowski and
shane-melton
November 1, 2023 23:07
Passed QA. Awaiting final stamps for merging! |
shane-melton
approved these changes
Nov 1, 2023
r-tome
approved these changes
Nov 2, 2023
LRNcardozoWDF
approved these changes
Nov 2, 2023
ike-kottlowski
approved these changes
Nov 2, 2023
JaredSnider-Bitwarden
deleted the
auth/pm-3275/tde-add-get-mp-policy-endpoint
branch
November 2, 2023 15:02
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
Objective
Resolve PM-3275 where a TDE User without a MP who obtains the ability to reset other user passwords must set a password but they could not without these changes.
Associated clients PR here.
Notes for Reviewers
Code changes
Originally, the scope of these this branch was to simply add a new endpoint for retrieving just the Master Password policy options for a user (which is done on the
set-password.component
client side), but it quickly grew as more changes and refactorings were required to support this new flow while meeting our latest code standards.New MP Policy Endpoint + Existing Endpoint Deprecation
GetMasterPasswordPolicy(...)
endpointGetByInvitedUser(...)
endpoint as deprecated with associated tech debt ticket to clean it up laterPoliciesController
so I created a test file and tested the newGetMasterPasswordPolicy(...)
method. I did not test all existing methods as that would be even more scope creep, but now we have a starting point for future tests.Service to Command refactors per ADR-0008
Refactor
UserService.SetPasswordAsync(...)
intoSetInitialMasterPasswordCommand
SetPasswordAsync(...)
UpdatePasswordHash(...)
from private to public (+ add to interface) for consumption in newSetInitialMasterPasswordCommand
UserServiceCollectionExtensions
file which matching existing code patterns and bundles the addition of the existingUserService
along with new commands like theSetInitialMasterPasswordCommand
UserServiceCollectionExtensions
to addUserService
and any user commands_userService.SetPasswordAsync(...)
withSetInitialMasterPasswordCommand
SetInitialMasterPasswordCommand
and pass to controller constructorRefactor
OrganizationService.AcceptUserAsync(...)
intoAcceptOrgUserCommand
SetInitialMasterPasswordCommand
leveraged theOrganizationService.AcceptUserAsync(...)
method, I continued the command refactoring efforts at @justindbaur's request.AcceptUserAsync(...)
and private helperAcceptUserAsync(...)
AcceptOrgUser
scenariosOrganizationServiceTests
into theAcceptOrgUserCommandTests
.IOrganizationService
withIAcceptOrgUserCommand
Org Email Invite Token Creation Process Refactor
While building the
AcceptOrgUserCommand.AcceptOrgUserByTokenAsync(...)
method, due to the existingDataProtectionProvider
implementation, I had to instantiate the command's data protector with the same purpose as theOrganizationService
:_dataProtector = dataProtectionProvider.CreateProtector("OrganizationServiceDataProtector")
.In order to be able to decrypt the token included in an org user invite email generated in the
OrganizationService
, this wasn't ideal as the whole point of the command refactor was to move towards standalone commands. So, I decided to refactor the Org User Invite email token creation process to use ourTokenable
framework instead.This change affects the following flows:
Code changes:
_globalSettings.OrganizationInviteExpirationHours
as part of its validation process inCoreHelpers.UserInviteTokenIsValid(...)
.OrgUserInviteTokenable
s so that the expiration could be set accordingly.OrgUserInviteTokenable
OrgUserInviteTokenable
AcceptOrgUserByTokenAsync
to be backwards compatible with old and new tokens (backwards compatibility is required as invites can already have been emailed out when this server change goes live).services
.GetByToken(...)
to have new token and old token validationRegisterUserAsync(...)
to have new token and old token validationIDataProtectorTokenFactory
which can be used to mock validation of anytokenable
OrganizationServiceTests
to reflect use of newOrgUserInviteTokenable
Org Invite working with old token:
PM-3275.-.Org.Invite.Refactor.Backwards.compatibility.proof.with.old.token.mov
Org Invite working with new token:
PM-3275.-.Org.Invite.working.with.new.token.mov
AccountsController
PostSetPasswordAsync(...)
Refactor to support TDE user setting a passwordSetPasswordRequestModel
to allow user asymmetric keys to be null; a TDE user will have already generated a user asymmetric key pair, so we should allow initial password setting without requiring new user keys.PostSetPasswordAsync(...)
method to guarantee that the change to allow null will not break anythingMisc Refactors
ExpiringTokenable
class props / methods.Before you submit
dotnet format --verify-no-changes
) (required)