Auth/PM-3275 - Changes to support TDE User without MP being able to Set a Password + misc refactoring

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -11,6 +11,7 @@
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
+using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
@@ -33,6 +34,7 @@ public class OrganizationUsersController : Controller
     private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
     private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
     private readonly IUpdateOrganizationUserGroupsCommand _updateOrganizationUserGroupsCommand;
+    private readonly IAcceptOrgUserCommand _acceptOrgUserCommand;
 
     public OrganizationUsersController(
         IOrganizationRepository organizationRepository,
@@ -45,7 +47,8 @@ public OrganizationUsersController(
         ICurrentContext currentContext,
         ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
         IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
-        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand)
+        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand,
+        IAcceptOrgUserCommand acceptOrgUserCommand)
     {
         _organizationRepository = organizationRepository;
         _organizationUserRepository = organizationUserRepository;
@@ -58,6 +61,7 @@ public OrganizationUsersController(
         _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
         _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
         _updateOrganizationUserGroupsCommand = updateOrganizationUserGroupsCommand;
+        _acceptOrgUserCommand = acceptOrgUserCommand;
     }
 
     [HttpGet("{id}")]
@@ -199,7 +203,7 @@ public async Task AcceptInit(Guid orgId, Guid organizationUserId, [FromBody] Org
         }
 
         await _organizationService.InitPendingOrganization(user.Id, orgId, model.Keys.PublicKey, model.Keys.EncryptedPrivateKey, model.CollectionName);
-        await _organizationService.AcceptUserAsync(organizationUserId, user, model.Token, _userService);
+        await _acceptOrgUserCommand.AcceptOrgUserByEmailTokenAsync(organizationUserId, user, model.Token, _userService);
         await _organizationService.ConfirmUserAsync(orgId, organizationUserId, model.Key, user.Id, _userService);
     }
 
@@ -221,7 +225,7 @@ public async Task Accept(Guid orgId, Guid organizationUserId, [FromBody] Organiz
             throw new BadRequestException(string.Empty, "Master Password reset is required, but not provided.");
         }
 
-        await _organizationService.AcceptUserAsync(organizationUserId, user, model.Token, _userService);
+        await _acceptOrgUserCommand.AcceptOrgUserByEmailTokenAsync(organizationUserId, user, model.Token, _userService);
 
         if (useMasterPasswordPolicy)
         {
@@ -332,7 +336,7 @@ await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
         var orgUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, user.Id);
         if (orgUser.Status == OrganizationUserStatusType.Invited)
         {
-            await _organizationService.AcceptUserAsync(orgId, user, _userService);
+            await _acceptOrgUserCommand.AcceptOrgUserByOrgIdAsync(orgId, user, _userService);
         }
     }
 

src/Api/AdminConsole/Controllers/PoliciesController.cs

@@ -1,12 +1,14 @@
 using Bit.Api.AdminConsole.Models.Request;
 using Bit.Api.Models.Response;
+using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api.Response;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Tokens;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.DataProtection;
@@ -26,6 +28,7 @@ public class PoliciesController : Controller
     private readonly ICurrentContext _currentContext;
     private readonly GlobalSettings _globalSettings;
     private readonly IDataProtector _organizationServiceDataProtector;
+    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
 
     public PoliciesController(
         IPolicyRepository policyRepository,
@@ -35,7 +38,8 @@ public PoliciesController(
         IUserService userService,
         ICurrentContext currentContext,
         GlobalSettings globalSettings,
-        IDataProtectionProvider dataProtectionProvider)
+        IDataProtectionProvider dataProtectionProvider,
+        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory)
     {
         _policyRepository = policyRepository;
         _policyService = policyService;
@@ -46,6 +50,8 @@ public PoliciesController(
         _globalSettings = globalSettings;
         _organizationServiceDataProtector = dataProtectionProvider.CreateProtector(
             "OrganizationServiceDataProtector");
+
+        _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
     }
 
     [HttpGet("{type}")]
@@ -81,41 +87,46 @@ public async Task<ListResponseModel<PolicyResponseModel>> Get(string orgId)
 
     [AllowAnonymous]
     [HttpGet("token")]
-    public async Task<ListResponseModel<PolicyResponseModel>> GetByToken(string orgId, [FromQuery] string email,
-        [FromQuery] string token, [FromQuery] string organizationUserId)
+    public async Task<ListResponseModel<PolicyResponseModel>> GetByToken(Guid orgId, [FromQuery] string email,
+        [FromQuery] string token, [FromQuery] Guid organizationUserId)
     {
-        var orgUserId = new Guid(organizationUserId);
-        var tokenValid = CoreHelpers.UserInviteTokenIsValid(_organizationServiceDataProtector, token,
-            email, orgUserId, _globalSettings);
+        // TODO: PM-4142 - remove old token validation logic once 3 releases of backwards compatibility are complete
+        var newTokenValid = OrgUserInviteTokenable.ValidateOrgUserInviteStringToken(
+            _orgUserInviteTokenDataFactory, token, organizationUserId, email);
+
+        var tokenValid = newTokenValid || CoreHelpers.UserInviteTokenIsValid(
+            _organizationServiceDataProtector, token, email, organizationUserId, _globalSettings
+        );
+
         if (!tokenValid)
         {
             throw new NotFoundException();
         }
 
-        var orgIdGuid = new Guid(orgId);
-        var orgUser = await _organizationUserRepository.GetByIdAsync(orgUserId);
-        if (orgUser == null || orgUser.OrganizationId != orgIdGuid)
+        var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
+        if (orgUser == null || orgUser.OrganizationId != orgId)
         {
             throw new NotFoundException();
         }
 
-        var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgIdGuid);
+        var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId);
         var responses = policies.Where(p => p.Enabled).Select(p => new PolicyResponseModel(p));
         return new ListResponseModel<PolicyResponseModel>(responses);
     }
 
+    // TODO: PM-4097 - remove GetByInvitedUser once all clients are updated to use the GetMasterPasswordPolicy endpoint below
+    [Obsolete("Deprecated API", false)]
     [AllowAnonymous]
     [HttpGet("invited-user")]
-    public async Task<ListResponseModel<PolicyResponseModel>> GetByInvitedUser(string orgId, [FromQuery] string userId)
+    public async Task<ListResponseModel<PolicyResponseModel>> GetByInvitedUser(Guid orgId, [FromQuery] Guid userId)
     {
-        var user = await _userService.GetUserByIdAsync(new Guid(userId));
+        var user = await _userService.GetUserByIdAsync(userId);
         if (user == null)
         {
             throw new UnauthorizedAccessException();
         }
-        var orgIdGuid = new Guid(orgId);
         var orgUsersByUserId = await _organizationUserRepository.GetManyByUserAsync(user.Id);
-        var orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == orgIdGuid);
+        var orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == orgId);
         if (orgUser == null)
         {
             throw new NotFoundException();
@@ -125,11 +136,33 @@ public async Task<ListResponseModel<PolicyResponseModel>> GetByInvitedUser(strin
             throw new UnauthorizedAccessException();
         }
 
-        var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgIdGuid);
+        var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgId);
         var responses = policies.Where(p => p.Enabled).Select(p => new PolicyResponseModel(p));
         return new ListResponseModel<PolicyResponseModel>(responses);
     }
 
+    [HttpGet("master-password")]
+    public async Task<PolicyResponseModel> GetMasterPasswordPolicy(Guid orgId)
+    {
+        var userId = _userService.GetProperUserId(User).Value;
+
+        var orgUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId);
+
+        if (orgUser == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var policy = await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.MasterPassword);
+
+        if (policy == null || !policy.Enabled)
+        {
+            throw new NotFoundException();
+        }
+
+        return new PolicyResponseModel(policy);
+    }
+
     [HttpPut("{type}")]
     public async Task<PolicyResponseModel> Put(string orgId, int type, [FromBody] PolicyRequestModel model)
     {

src/Api/Auth/Models/Request/Accounts/SetPasswordRequestModel.cs

@@ -1,4 +1,6 @@
-using System.ComponentModel.DataAnnotations;
+#nullable enable
+
+using System.ComponentModel.DataAnnotations;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -15,8 +17,7 @@ public class SetPasswordRequestModel : IValidatableObject
     public string Key { get; set; }
     [StringLength(50)]
     public string MasterPasswordHint { get; set; }
-    [Required]
-    public KeysRequestModel Keys { get; set; }
+    public KeysRequestModel? Keys { get; set; }
     [Required]
     public KdfType Kdf { get; set; }
     [Required]
@@ -33,7 +34,7 @@ public User ToUser(User existingUser)
         existingUser.KdfMemory = KdfMemory;
         existingUser.KdfParallelism = KdfParallelism;
         existingUser.Key = Key;
-        Keys.ToUser(existingUser);
+        Keys?.ToUser(existingUser);
         return existingUser;
     }
 

src/Api/Controllers/AccountsController.cs

@@ -10,6 +10,7 @@
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Api.Response.Accounts;
 using Bit.Core.Auth.Services;
+using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -47,6 +48,8 @@ public class AccountsController : Controller
     private readonly ISendService _sendService;
     private readonly ICaptchaValidationService _captchaValidationService;
     private readonly IPolicyService _policyService;
+    private readonly ISetInitialMasterPasswordCommand _setInitialMasterPasswordCommand;
+
 
     public AccountsController(
         GlobalSettings globalSettings,
@@ -61,7 +64,9 @@ public AccountsController(
         ISendRepository sendRepository,
         ISendService sendService,
         ICaptchaValidationService captchaValidationService,
-        IPolicyService policyService)
+        IPolicyService policyService,
+        ISetInitialMasterPasswordCommand setInitialMasterPasswordCommand
+        )
     {
         _cipherRepository = cipherRepository;
         _folderRepository = folderRepository;
@@ -76,6 +81,7 @@ public AccountsController(
         _sendService = sendService;
         _captchaValidationService = captchaValidationService;
         _policyService = policyService;
+        _setInitialMasterPasswordCommand = setInitialMasterPasswordCommand;
     }
 
     #region DEPRECATED (Moved to Identity Service)
@@ -253,8 +259,12 @@ public async Task PostSetPasswordAsync([FromBody] SetPasswordRequestModel model)
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _userService.SetPasswordAsync(model.ToUser(user), model.MasterPasswordHash, model.Key,
+        var result = await _setInitialMasterPasswordCommand.SetInitialMasterPasswordAsync(
+            model.ToUser(user),
+            model.MasterPasswordHash,
+            model.Key,
             model.OrgIdentifier);
+
         if (result.Succeeded)
         {
             return;
@@ -456,8 +466,13 @@ public async Task<ProfileResponseModel> GetProfile()
         var providerUserOrganizationDetails =
             await _providerUserRepository.GetManyOrganizationDetailsByUserAsync(user.Id,
                 ProviderUserStatusType.Confirmed);
+
+        var twoFactorEnabled = await _userService.TwoFactorIsEnabledAsync(user);
+        var hasPremiumFromOrg = await _userService.HasPremiumFromOrganization(user);
+
         var response = new ProfileResponseModel(user, organizationUserDetails, providerUserDetails,
-            providerUserOrganizationDetails, await _userService.TwoFactorIsEnabledAsync(user), await _userService.HasPremiumFromOrganization(user));
+            providerUserOrganizationDetails, twoFactorEnabled,
+            hasPremiumFromOrg);
         return response;
     }
 

src/Api/Vault/Controllers/SyncController.cs

@@ -71,6 +71,7 @@ public async Task<SyncResponseModel> Get([FromQuery] bool excludeDomains = false
             await _providerUserRepository.GetManyOrganizationDetailsByUserAsync(user.Id,
                 ProviderUserStatusType.Confirmed);
         var hasEnabledOrgs = organizationUserDetails.Any(o => o.Enabled);
+
         var folders = await _folderRepository.GetManyByUserIdAsync(user.Id);
         var ciphers = await _cipherRepository.GetManyByUserIdAsync(user.Id, hasEnabledOrgs);
         var sends = await _sendRepository.GetManyByUserIdAsync(user.Id);

src/Core/Auth/Models/Business/Tokenables/IOrgUserInviteTokenableFactory.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public interface IOrgUserInviteTokenableFactory
+{
+    OrgUserInviteTokenable CreateToken(OrganizationUser orgUser);
+}

src/Core/Auth/Models/Business/Tokenables/OrgUserInviteTokenable.cs

@@ -0,0 +1,84 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class OrgUserInviteTokenable : ExpiringTokenable
+{
+    // TODO: PM-4317 - Ideally this would be internal and only visible to the test project.
+    // but configuring that is out of scope for these changes.
+    public static TimeSpan GetTokenLifetime() => TimeSpan.FromDays(5);
+
+    public const string ClearTextPrefix = "BwOrgUserInviteToken_";
+
+    // Backwards compatibility Note:
+    // Previously, tokens were manually created in the OrganizationService using a data protector
+    // initialized with purpose: "OrganizationServiceDataProtector"
+    // So, we must continue to use the existing purpose to be able to decrypt tokens
+    // in emailed invites that have not yet been accepted.
+    public const string DataProtectorPurpose = "OrganizationServiceDataProtector";
+
+    public const string TokenIdentifier = "OrgUserInviteToken";
+
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid OrgUserId { get; set; }
+    public string OrgUserEmail { get; set; }
+
+    [JsonConstructor]
+    public OrgUserInviteTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.Add(GetTokenLifetime());
+    }
+
+    public OrgUserInviteTokenable(OrganizationUser orgUser) : this()
+    {
+        OrgUserId = orgUser?.Id ?? default;
+        OrgUserEmail = orgUser?.Email;
+    }
+
+    public bool TokenIsValid(OrganizationUser orgUser)
+    {
+        if (OrgUserId == default || OrgUserEmail == default || orgUser == null)
+        {
+            return false;
+        }
+
+        return OrgUserId == orgUser.Id &&
+               OrgUserEmail.Equals(orgUser.Email, StringComparison.InvariantCultureIgnoreCase);
+    }
+
+    public bool TokenIsValid(Guid orgUserId, string orgUserEmail)
+    {
+        if (OrgUserId == default || OrgUserEmail == default || orgUserId == default || orgUserEmail == default)
+        {
+            return false;
+        }
+
+        return OrgUserId == orgUserId &&
+               OrgUserEmail.Equals(orgUserEmail, StringComparison.InvariantCultureIgnoreCase);
+    }
+
+    // Validates deserialized
+    protected override bool TokenIsValid() =>
+        Identifier == TokenIdentifier && OrgUserId != default && !string.IsNullOrWhiteSpace(OrgUserEmail);
+
+
+    public static bool ValidateOrgUserInviteStringToken(
+        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
+        string orgUserInviteToken, OrganizationUser orgUser)
+    {
+        return orgUserInviteTokenDataFactory.TryUnprotect(orgUserInviteToken, out var decryptedToken)
+               && decryptedToken.Valid
+               && decryptedToken.TokenIsValid(orgUser);
+    }
+
+    public static bool ValidateOrgUserInviteStringToken(
+        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
+        string orgUserInviteToken, Guid orgUserId, string orgUserEmail)
+    {
+        return orgUserInviteTokenDataFactory.TryUnprotect(orgUserInviteToken, out var decryptedToken)
+               && decryptedToken.Valid
+               && decryptedToken.TokenIsValid(orgUserId, orgUserEmail);
+    }
+}