bitwarden · justindbaur · Oct 29, 2024 · Nov 1, 2024 · Nov 1, 2024 · Nov 1, 2024
@@ -1,4 +1,5 @@
 using Bitwarden.Extensions.Hosting.Exceptions;
+using Bitwarden.Extensions.Hosting.Licensing;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.DependencyInjection;
 
@@ -25,12 +26,12 @@ public class SelfHostedAttribute : ActionFilterAttribute
     /// <exception cref="BadRequestException"></exception>
     public override void OnActionExecuting(ActionExecutingContext context)
     {
-        var globalSettings = context.HttpContext.RequestServices.GetRequiredService<GlobalSettingsBase>();
-        if (SelfHostedOnly && !globalSettings.IsSelfHosted)
+        var licensingService = context.HttpContext.RequestServices.GetRequiredService<ILicensingService>();
+        if (SelfHostedOnly && licensingService.IsCloud)
         {
             throw new BadRequestException("Only allowed when self-hosted.");
         }
-        else if (NotSelfHostedOnly && globalSettings.IsSelfHosted)
+        else if (NotSelfHostedOnly && !licensingService.IsCloud)
         {
             throw new BadRequestException("Only allowed when not self-hosted.");
         }

@@ -22,15 +22,18 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.22.2" />
     <PackageReference Include="LaunchDarkly.ServerSdk" Version="8.6.0" />
     <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.1.2" />
     <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.9.0" />
     <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.9.0" />
     <PackageReference Include="Serilog.Extensions.Hosting" Version="8.0.0" />
     <PackageReference Include="Serilog.Formatting.Compact" Version="3.0.0" />
     <PackageReference Include="Serilog.Settings.Configuration" Version="8.0.4" />
     <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
     <PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.1.2" />
   </ItemGroup>
 
   <ItemGroup>

@@ -6,11 +6,19 @@ namespace Bitwarden.Extensions.Hosting;
 public class BitwardenHostOptions
 {
     /// <summary>
-    /// Gets or sets a value indicating whether to include request logging.
+    /// Gets or sets a value indicating whether to include request logging, defaults to true.
     /// </summary>
     public bool IncludeLogging { get; set; } = true;
     /// <summary>
-    /// Gets or sets a value indicating whether to include metrics.
+    /// Gets or sets a value indicating whether to include metrics, defaults to true.
     /// </summary>
     public bool IncludeMetrics { get; set; } = true;
+
+    /// <summary>
+    /// Gets or sets a value indicating if self-hosting capabilities should be added to the service, defaults to false.
+    /// </summary>
+    /// <remarks>
+    /// If this is not turned on, the assumption is made that the service is running in a cloud environment.
+    /// </remarks>
+    public bool IncludeSelfHosting { get; set; }
 }
@@ -2,11 +2,13 @@
 using System.Reflection;
 using Bitwarden.Extensions.Hosting;
 using Bitwarden.Extensions.Hosting.Features;
+using Bitwarden.Extensions.Hosting.Licensing;
 using LaunchDarkly.Sdk.Server.Interfaces;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Configuration.Json;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
 using OpenTelemetry.Metrics;
 using OpenTelemetry.Trace;
 using Serilog;
@@ -51,13 +53,6 @@
         ArgumentNullException.ThrowIfNull(builder);
         ArgumentNullException.ThrowIfNull(bitwardenHostOptions);
 
-        builder.Services.AddOptions<GlobalSettingsBase>()
-            .Configure<IConfiguration>((options, config) =>
-            {
-                options.IsSelfHosted = config.GetValue(SelfHostedConfigKey, false);
-            });
-
-
         if (builder.Configuration.GetValue(SelfHostedConfigKey, false))
         {
             AddSelfHostedConfig(builder.Configuration, builder.Environment);
@@ -75,6 +70,11 @@
 
         AddFeatureFlagServices(builder.Services, builder.Configuration);
 
+        if (bitwardenHostOptions.IncludeSelfHosting)
+        {
+            AddLicensingServices(builder.Services, builder.Configuration);
+        }
+
         return builder;
     }
 
@@ -97,15 +97,6 @@
     /// <returns></returns>
     public static IHostBuilder UseBitwardenDefaults(this IHostBuilder hostBuilder, BitwardenHostOptions bitwardenHostOptions)
     {
-        hostBuilder.ConfigureServices((_, services) =>
-        {
-            services.AddOptions<GlobalSettingsBase>()
-                .Configure<IConfiguration>((options, config) =>
-                {
-                    options.IsSelfHosted = config.GetValue("globalSettings:selfHosted", false);
-                });
-        });
-
         hostBuilder.ConfigureAppConfiguration((context, builder) =>
         {
             if (context.Configuration.GetValue(SelfHostedConfigKey, false))
@@ -135,6 +126,14 @@
             AddFeatureFlagServices(services, context.Configuration);
         });
 
+        if (bitwardenHostOptions.IncludeSelfHosting)
+        {
+            hostBuilder.ConfigureServices((context, services) =>
+            {
+                AddLicensingServices(services, context.Configuration);
+            });
+        }
+
         return hostBuilder;
     }
 
@@ -241,4 +240,23 @@
         services.TryAddScoped<ILdClient>(sp => sp.GetRequiredService<LaunchDarklyClientProvider>().Get());
         services.TryAddScoped<IFeatureService, LaunchDarklyFeatureService>();
     }
+
+    private static void AddLicensingServices(IServiceCollection services, IConfiguration configuration)
+    {
+        // Default the product name to the application name if no one else has added it.
+        services.AddOptions<InternalLicensingOptions>()
+            .PostConfigure<IHostEnvironment>((options, environment) =>
+            {
+                if (string.IsNullOrEmpty(options.ProductName))
+                {
+                    options.ProductName = environment.ApplicationName;
+                }
+            });
+
+        services.TryAddEnumerable(
+            ServiceDescriptor.Singleton<IPostConfigureOptions<LicensingOptions>, PostConfigureLicensingOptions>()
+        );
+
+        services.Configure<LicensingOptions>(configuration.GetSection("Licensing"));
+    }
 }
@@ -0,0 +1,123 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Bitwarden.Extensions.Hosting.Licensing;
+
+internal sealed class DefaultLicensingService : ILicensingService
+{
+    private readonly LicensingOptions _licensingOptions;
+    private readonly TimeProvider _timeProvider;
+    private readonly ILogger<DefaultLicensingService> _logger;
+    private readonly InternalLicensingOptions _internalLicensingOptions;
+
+    public DefaultLicensingService(
+        IOptions<LicensingOptions> licensingOptions,
+        TimeProvider timeProvider,
+        ILogger<DefaultLicensingService> logger,
+        IOptions<InternalLicensingOptions> internalLicensingOptions)
+    {
+        ArgumentNullException.ThrowIfNull(licensingOptions);
+        ArgumentNullException.ThrowIfNull(timeProvider);
+        ArgumentNullException.ThrowIfNull(logger);
+        ArgumentNullException.ThrowIfNull(internalLicensingOptions);
+
+        // TODO: Do we need to support runtime changes to these settings at all, I don't think we do...
+        _licensingOptions = licensingOptions.Value;
+        _timeProvider = timeProvider;
+        _logger = logger;
+        _internalLicensingOptions = internalLicensingOptions.Value;
+
+        // We are cloud if the signing certificate has a private key that can sign licenses and local development
+        // hasn't forced self host.
+        IsCloud = _licensingOptions.SigningCertificate.HasPrivateKey && !_licensingOptions.ForceSelfHost;
+    }
+
+    public bool IsCloud { get; }
+
+    public string CreateLicense(IEnumerable<Claim> claims, TimeSpan validFor)
+    {
+        ArgumentNullException.ThrowIfNull(claims);
+        ArgumentOutOfRangeException.ThrowIfLessThanOrEqual(validFor, TimeSpan.Zero);
+
+        if (!IsCloud)
+        {
+            throw new InvalidOperationException("Self-hosted services can not create a license, please check 'IsCloud' before calling this method.");
+        }
+
+        var now = _timeProvider.GetUtcNow().UtcDateTime;
+
+
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Subject = new ClaimsIdentity(claims),
+            Issuer = _licensingOptions.CloudHost,
+            Audience = _internalLicensingOptions.ProductName,
+            SigningCredentials = new SigningCredentials(
+                new X509SecurityKey(_licensingOptions.SigningCertificate), SecurityAlgorithms.RsaSha256),
+            IssuedAt = now,
+            NotBefore = now,
+            Expires = now.Add(validFor),
+        };
+
+        var tokenHandler = new JwtSecurityTokenHandler();
+
+        var token = tokenHandler.CreateToken(tokenDescriptor);
+
+        return tokenHandler.WriteToken(token);
+    }
+
+    public async Task<IEnumerable<Claim>> VerifyLicenseAsync(string license)
+    {
+        ArgumentNullException.ThrowIfNull(license);
+        // TODO: Should we validate that this is self host?
+        // It's not technically wrong to be able to do that but we don't do it currently
+        // so we could disallow it.
+
+        var tokenHandler = new JwtSecurityTokenHandler();
+
+        if (!tokenHandler.CanReadToken(license))
+        {
+            throw new InvalidLicenseException(InvalidLicenseReason.InvalidFormat);
+        }
+
+        var tokenValidateParameters = new TokenValidationParameters
+        {
+            IssuerSigningKey = new X509SecurityKey(_licensingOptions.SigningCertificate),
+            ValidateIssuerSigningKey = true,
+            ValidateLifetime = true,
+            ValidIssuer = _licensingOptions.CloudHost,
+            ValidateIssuer = true,
+            ValidAudience = _internalLicensingOptions.ProductName,
+            ValidateAudience = true,
+#if DEBUG
+            // It's useful to be stricter in tests so that we don't have to wait 5 minutes
+            ClockSkew = TimeSpan.Zero,
+#endif
+        };
+
+        var tokenValidationResult = await tokenHandler.ValidateTokenAsync(license, tokenValidateParameters);
+
+        if (!tokenValidationResult.IsValid)
+        {
+            var exception = tokenValidationResult.Exception;
+            _logger.LogWarning(exception, "The given license is not valid.");
+            if (exception is SecurityTokenExpiredException securityTokenExpiredException)
+            {
+                throw new InvalidLicenseException(InvalidLicenseReason.Expired, null, securityTokenExpiredException);
+            }
+            else if (exception is SecurityTokenSignatureKeyNotFoundException securityTokenSignatureKeyNotFoundException)
+            {
+                throw new InvalidLicenseException(InvalidLicenseReason.WrongKey, null, securityTokenSignatureKeyNotFoundException);
+            }
+            // TODO: Handle other known failures
+
+            throw new InvalidLicenseException(InvalidLicenseReason.Unknown, null, exception);
+        }
+
+        // Should I even take a ClaimsIdentity and return it here instead of a list of claims?
+        return tokenValidationResult.ClaimsIdentity.Claims;
+    }
+}
@@ -0,0 +1,41 @@
+using System.Security.Claims;
+
+namespace Bitwarden.Extensions.Hosting.Licensing;
+
+/// <summary>
+/// A service with the ability to consume and create licenses.
+/// </summary>
+public interface ILicensingService
+{
+    /// <summary>
+    /// Returns whether or not the current service is running as a cloud instance.
+    /// </summary>
+    bool IsCloud { get; }
+
+    // TODO: Any other options than valid for?
+    /// <summary>
+    /// Creates a signed license that can be consumed on self-hosted instances.
+    /// </summary>
+    /// <remarks>
+    /// This method can only be called when <see cref="IsCloud"/> returns <see langword="true" />.
+    /// </remarks>
+    /// <param name="claims">The claims to include in the license file.</param>
+    /// <param name="validFor">How long the license should be valid for.</param>
+    /// <exception cref="InvalidOperationException">
+    /// The exception that is thrown if this method is called when the service is not running as a cloud service.
+    /// </exception>
+    /// <returns>
+    /// A string representation of the license that can be given to people to store with their self hosted instance.
+    /// </returns>
+    string CreateLicense(IEnumerable<Claim> claims, TimeSpan validFor);
+
+    /// <summary>
+    /// Verifies that the given license is valid and can have it's contents be trusted.
+    /// </summary>
+    /// <param name="license">The license to check.</param>
+    /// <exception cref="InvalidLicenseException">
+    /// The exception that is thrown when the given license is invalid and data stored in it can not be trusted.
+    /// </exception>
+    /// <returns>An enumerable of claims included in the license.</returns>
+    Task<IEnumerable<Claim>> VerifyLicenseAsync(string license);
+}