Merge remote-tracking branch 'origin/master' into auth/pm-3275/tde-add-get-mp-policy-endpoint

# Conflicts:
#	src/Core/Services/Implementations/UserService.cs
#	src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
#	test/Core.Test/Services/UserServiceTests.cs

Author: JaredSnider-Bitwarden

src/Admin/Utilities/WebHostEnvironmentExtensions.cs

@@ -0,0 +1,24 @@
+namespace Bit.Admin.Utilities;
+
+public static class WebHostEnvironmentExtensions
+{
+    public static string GetStripeUrl(this IWebHostEnvironment hostingEnvironment)
+    {
+        if (hostingEnvironment.IsDevelopment() || hostingEnvironment.IsEnvironment("QA"))
+        {
+            return "https://dashboard.stripe.com/test";
+        }
+
+        return "https://dashboard.stripe.com";
+    }
+
+    public static string GetBraintreeMerchantUrl(this IWebHostEnvironment hostingEnvironment)
+    {
+        if (hostingEnvironment.IsDevelopment() || hostingEnvironment.IsEnvironment("QA"))
+        {
+            return "https://www.sandbox.braintreegateway.com/merchants";
+        }
+
+        return "https://www.braintreegateway.com/merchants";
+    }
+}

src/Admin/Views/Shared/_OrganizationFormScripts.cshtml

@@ -1,3 +1,5 @@
+@inject IWebHostEnvironment HostingEnvironment
+@using Bit.Admin.Utilities
 @model OrganizationEditModel
 
 <script>
@@ -15,10 +17,11 @@
                 return;
             }
             if (gateway.value === '@((byte)GatewayType.Stripe)') {
-                window.open('https://dashboard.stripe.com/customers/' + customerId.value, '_blank');
+                const url = `@(HostingEnvironment.GetStripeUrl())/customers/${customerId.value}/`;
+                window.open(url, '_blank');
             } else if (gateway.value === '@((byte)GatewayType.Braintree)') {
-                window.open('https://www.braintreegateway.com/merchants/@(Model.BraintreeMerchantId)/'
-                    + customerId.value, '_blank');
+                const url = `@(HostingEnvironment.GetBraintreeMerchantUrl())/@Model.BraintreeMerchantId/${customerId.value}`;
+                window.open(url, '_blank');
             }
         });
         document.getElementById('gateway-subscription-link')?.addEventListener('click', () => {
@@ -28,10 +31,11 @@
                 return;
             }
             if (gateway.value === '@((byte)GatewayType.Stripe)') {
-                window.open('https://dashboard.stripe.com/subscriptions/' + subId.value, '_blank');
+                const url = `@(HostingEnvironment.GetStripeUrl())/subscriptions/${subId.value}/`;
+                window.open(url, '_blank');
             } else if (gateway.value === '@((byte)GatewayType.Braintree)') {
-                window.open('https://www.braintreegateway.com/merchants/@(Model.BraintreeMerchantId)/' +
-                    'subscriptions/' + subId.value, '_blank');
+                const url = `@(HostingEnvironment.GetBraintreeMerchantUrl())/@Model.BraintreeMerchantId/subscriptions/${subId.value}`;
+                window.open(url, '_blank');
             }
         });
         document.getElementById('@(nameof(Model.UseSecretsManager))').addEventListener('change', (event) => {

src/Admin/Views/Users/Edit.cshtml

@@ -1,5 +1,6 @@
 @using Bit.Admin.Enums;
 @inject Bit.Admin.Services.IAccessControlService AccessControlService
+@inject IWebHostEnvironment HostingEnvironment
 @model UserEditModel
 @{
     ViewData["Title"] = "User: " + Model.User.Email;
@@ -10,7 +11,7 @@
     var canViewPremium = AccessControlService.UserHasPermission(Permission.User_Premium_View);
     var canViewLicensing = AccessControlService.UserHasPermission(Permission.User_Licensing_View);
     var canViewBilling = AccessControlService.UserHasPermission(Permission.User_Billing_View);
-    
+
     var canEditPremium = AccessControlService.UserHasPermission(Permission.User_Premium_Edit);
     var canEditLicensing = AccessControlService.UserHasPermission(Permission.User_Licensing_Edit);
     var canEditBilling = AccessControlService.UserHasPermission(Permission.User_Billing_Edit);
@@ -45,10 +46,15 @@
                 }
 
                 if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Stripe)') {
-                    window.open('https://dashboard.stripe.com/customers/' + customerId.value, '_blank');
+                    const url = '@(HostingEnvironment.IsDevelopment()
+                                     ? "https://dashboard.stripe.com/test"
+                                     : "https://dashboard.stripe.com")';
+                    window.open(`${url}/customers/${customerId.value}/`, '_blank');
                 } else if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Braintree)') {
-                    window.open('https://www.braintreegateway.com/merchants/@(Model.BraintreeMerchantId)/' +
-                        'customers/' + customerId.value, '_blank');
+                    const url = '@(HostingEnvironment.IsDevelopment()
+                                     ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
+                                     : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
+                    window.open(`${url}/${customerId.value}`, '_blank');
                 }
             });
 
@@ -60,10 +66,15 @@
                 }
 
                 if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Stripe)') {
-                    window.open('https://dashboard.stripe.com/subscriptions/' + subId.value, '_blank');
+                    const url = '@(HostingEnvironment.IsDevelopment() || HostingEnvironment.IsEnvironment("QA")
+                                     ? "https://dashboard.stripe.com/test"
+                                     : "https://dashboard.stripe.com")'
+                    window.open(`${url}/subscriptions/${subId.value}`, '_blank');
                 } else if (gateway.value === '@((byte)Bit.Core.Enums.GatewayType.Braintree)') {
-                    window.open('https://www.braintreegateway.com/merchants/@(Model.BraintreeMerchantId)/' +
-                        'subscriptions/' + subId.value, '_blank');
+                    const url = '@(HostingEnvironment.IsDevelopment() || HostingEnvironment.IsEnvironment("QA")
+                                     ? $"https://www.sandbox.braintreegateway.com/merchants/{Model.BraintreeMerchantId}"
+                                     : $"https://www.braintreegateway.com/merchants/{Model.BraintreeMerchantId}")';
+                    window.open(`${url}/subscriptions/${subId.value}`, '_blank');
                 }
             });
         })();
@@ -80,7 +91,7 @@
 @if (canViewBillingInformation)
 {
     <h2>Billing Information</h2>
-    @await Html.PartialAsync("_BillingInformation", 
+    @await Html.PartialAsync("_BillingInformation",
         new BillingInformationModel { BillingInfo = Model.BillingInfo, UserId = Model.User.Id, Entity = "User" })
 }
 @if (canViewGeneral)

src/Api/Auth/Controllers/WebAuthnController.cs

@@ -0,0 +1,112 @@
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Models.Request.Webauthn;
+using Bit.Api.Auth.Models.Response.WebAuthn;
+using Bit.Api.Models.Response;
+using Bit.Core;
+using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Auth.Controllers;
+
+[Route("webauthn")]
+[Authorize("Web")]
+[RequireFeature(FeatureFlagKeys.PasswordlessLogin)]
+public class WebAuthnController : Controller
+{
+    private readonly IUserService _userService;
+    private readonly IWebAuthnCredentialRepository _credentialRepository;
+    private readonly IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable> _createOptionsDataProtector;
+
+    public WebAuthnController(
+        IUserService userService,
+        IWebAuthnCredentialRepository credentialRepository,
+        IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable> createOptionsDataProtector)
+    {
+        _userService = userService;
+        _credentialRepository = credentialRepository;
+        _createOptionsDataProtector = createOptionsDataProtector;
+    }
+
+    [HttpGet("")]
+    public async Task<ListResponseModel<WebAuthnCredentialResponseModel>> Get()
+    {
+        var user = await GetUserAsync();
+        var credentials = await _credentialRepository.GetManyByUserIdAsync(user.Id);
+
+        return new ListResponseModel<WebAuthnCredentialResponseModel>(credentials.Select(c => new WebAuthnCredentialResponseModel(c)));
+    }
+
+    [HttpPost("options")]
+    public async Task<WebAuthnCredentialCreateOptionsResponseModel> PostOptions([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await VerifyUserAsync(model);
+        var options = await _userService.StartWebAuthnLoginRegistrationAsync(user);
+
+        var tokenable = new WebAuthnCredentialCreateOptionsTokenable(user, options);
+        var token = _createOptionsDataProtector.Protect(tokenable);
+
+        return new WebAuthnCredentialCreateOptionsResponseModel
+        {
+            Options = options,
+            Token = token
+        };
+    }
+
+    [HttpPost("")]
+    public async Task Post([FromBody] WebAuthnCredentialRequestModel model)
+    {
+        var user = await GetUserAsync();
+        var tokenable = _createOptionsDataProtector.Unprotect(model.Token);
+        if (!tokenable.TokenIsValid(user))
+        {
+            throw new BadRequestException("The token associated with your request is expired. A valid token is required to continue.");
+        }
+
+        var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, tokenable.Options, model.DeviceResponse);
+        if (!success)
+        {
+            throw new BadRequestException("Unable to complete WebAuthn registration.");
+        }
+    }
+
+    [HttpPost("{id}/delete")]
+    public async Task Delete(Guid id, [FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await VerifyUserAsync(model);
+        var credential = await _credentialRepository.GetByIdAsync(id, user.Id);
+        if (credential == null)
+        {
+            throw new NotFoundException("Credential not found.");
+        }
+
+        await _credentialRepository.DeleteAsync(credential);
+    }
+
+    private async Task<Core.Entities.User> GetUserAsync()
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+        return user;
+    }
+
+    private async Task<Core.Entities.User> VerifyUserAsync(SecretVerificationRequestModel model)
+    {
+        var user = await GetUserAsync();
+        if (!await _userService.VerifySecretAsync(user, model.Secret))
+        {
+            await Task.Delay(Constants.FailedSecretVerificationDelay);
+            throw new BadRequestException(string.Empty, "User verification failed.");
+        }
+
+        return user;
+    }
+}

src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs

@@ -0,0 +1,17 @@
+using System.ComponentModel.DataAnnotations;
+using Fido2NetLib;
+
+namespace Bit.Api.Auth.Models.Request.Webauthn;
+
+public class WebAuthnCredentialRequestModel
+{
+    [Required]
+    public AuthenticatorAttestationRawResponse DeviceResponse { get; set; }
+
+    [Required]
+    public string Name { get; set; }
+
+    [Required]
+    public string Token { get; set; }
+}
+

src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialCreateOptionsResponseModel.cs

@@ -0,0 +1,16 @@
+using Bit.Core.Models.Api;
+using Fido2NetLib;
+
+namespace Bit.Api.Auth.Models.Response.WebAuthn;
+
+public class WebAuthnCredentialCreateOptionsResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredentialCreateOptions";
+
+    public WebAuthnCredentialCreateOptionsResponseModel() : base(ResponseObj)
+    {
+    }
+
+    public CredentialCreateOptions Options { get; set; }
+    public string Token { get; set; }
+}

src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs

@@ -0,0 +1,20 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Auth.Models.Response.WebAuthn;
+
+public class WebAuthnCredentialResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredential";
+
+    public WebAuthnCredentialResponseModel(WebAuthnCredential credential) : base(ResponseObj)
+    {
+        Id = credential.Id.ToString();
+        Name = credential.Name;
+        PrfSupport = false;
+    }
+
+    public string Id { get; set; }
+    public string Name { get; set; }
+    public bool PrfSupport { get; set; }
+}

src/Core/Auth/Entities/WebAuthnCredential.cs

@@ -0,0 +1,32 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Entities;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Auth.Entities;
+
+public class WebAuthnCredential : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid UserId { get; set; }
+    [MaxLength(50)]
+    public string Name { get; set; }
+    [MaxLength(256)]
+    public string PublicKey { get; set; }
+    [MaxLength(256)]
+    public string CredentialId { get; set; }
+    public int Counter { get; set; }
+    [MaxLength(20)]
+    public string Type { get; set; }
+    public Guid AaGuid { get; set; }
+    public string EncryptedUserKey { get; set; }
+    public string EncryptedPrivateKey { get; set; }
+    public string EncryptedPublicKey { get; set; }
+    public bool SupportsPrf { get; set; }
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
+
+    public void SetNewId()
+    {
+        Id = CoreHelpers.GenerateComb();
+    }
+}

src/Core/Auth/Models/Business/Tokenables/WebAuthnCredentialCreateOptionsTokenable.cs

@@ -0,0 +1,44 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class WebAuthnCredentialCreateOptionsTokenable : ExpiringTokenable
+{
+    // 7 minutes = max webauthn timeout (6 minutes) + slack for miscellaneous delays
+    private const double _tokenLifetimeInHours = (double)7 / 60;
+    public const string ClearTextPrefix = "BWWebAuthnCredentialCreateOptions_";
+    public const string DataProtectorPurpose = "WebAuthnCredentialCreateDataProtector";
+    public const string TokenIdentifier = "WebAuthnCredentialCreateOptionsToken";
+
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid? UserId { get; set; }
+    public CredentialCreateOptions Options { get; set; }
+
+    [JsonConstructor]
+    public WebAuthnCredentialCreateOptionsTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.AddHours(_tokenLifetimeInHours);
+    }
+
+    public WebAuthnCredentialCreateOptionsTokenable(User user, CredentialCreateOptions options) : this()
+    {
+        UserId = user?.Id;
+        Options = options;
+    }
+
+    public bool TokenIsValid(User user)
+    {
+        if (!Valid || user == null)
+        {
+            return false;
+        }
+
+        return UserId == user.Id;
+    }
+
+    protected override bool TokenIsValid() => Identifier == TokenIdentifier && UserId != null && Options != null;
+}
+