From 84dfa3ab057a9d2357ebebb69b15e25d0b868c86 Mon Sep 17 00:00:00 2001 From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com> Date: Tue, 10 Dec 2024 21:52:54 +0100 Subject: [PATCH 01/80] prevent access to freefamilies page (#12335) --- .../settings/sponsored-families.component.ts | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/apps/web/src/app/billing/settings/sponsored-families.component.ts b/apps/web/src/app/billing/settings/sponsored-families.component.ts index a8473ee89bb..5e26e80a30a 100644 --- a/apps/web/src/app/billing/settings/sponsored-families.component.ts +++ b/apps/web/src/app/billing/settings/sponsored-families.component.ts @@ -10,6 +10,7 @@ import { AsyncValidatorFn, ValidationErrors, } from "@angular/forms"; +import { Router } from "@angular/router"; import { combineLatest, firstValueFrom, map, Observable, Subject, takeUntil } from "rxjs"; import { ApiService } from "@bitwarden/common/abstractions/api.service"; @@ -26,6 +27,8 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction"; import { ToastService } from "@bitwarden/components"; +import { FreeFamiliesPolicyService } from "../services/free-families-policy.service"; + interface RequestSponsorshipForm { selectedSponsorshipOrgId: FormControl; sponsorshipEmail: FormControl; @@ -62,6 +65,8 @@ export class SponsoredFamiliesComponent implements OnInit, OnDestroy { private toastService: ToastService, private configService: ConfigService, private policyService: PolicyService, + private freeFamiliesPolicyService: FreeFamiliesPolicyService, + private router: Router, ) { this.sponsorshipForm = this.formBuilder.group({ selectedSponsorshipOrgId: new FormControl("", { @@ -86,6 +91,8 @@ export class SponsoredFamiliesComponent implements OnInit, OnDestroy { ); if (this.isFreeFamilyFlagEnabled) { + await this.preventAccessToFreeFamiliesPage(); + this.availableSponsorshipOrgs$ = combineLatest([ this.organizationService.organizations$, this.policyService.getAll$(PolicyType.FreeFamiliesSponsorshipPolicy), @@ -142,6 +149,17 @@ export class SponsoredFamiliesComponent implements OnInit, OnDestroy { this._destroy.complete(); } + private async preventAccessToFreeFamiliesPage() { + const showFreeFamiliesPage = await firstValueFrom( + this.freeFamiliesPolicyService.showFreeFamilies$, + ); + + if (!showFreeFamiliesPage) { + await this.router.navigate(["/"]); + return; + } + } + submit = async () => { this.formPromise = this.apiService.postCreateSponsorship( this.sponsorshipForm.value.selectedSponsorshipOrgId, From 7abdc7a42337c92df9f8fb9ed966bf37ff8c6e5c Mon Sep 17 00:00:00 2001 From: Jonas Hendrickx Date: Wed, 11 Dec 2024 10:34:25 +0100 Subject: [PATCH 02/80] [PM-15139] [Defect] Upgrade dialog - Percentage discount not aligned with the Annually/Monthly toggle (#12314) --- .../app/billing/organizations/change-plan-dialog.component.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/web/src/app/billing/organizations/change-plan-dialog.component.html b/apps/web/src/app/billing/organizations/change-plan-dialog.component.html index 878672a1fb9..93751f0ef72 100644 --- a/apps/web/src/app/billing/organizations/change-plan-dialog.component.html +++ b/apps/web/src/app/billing/organizations/change-plan-dialog.component.html @@ -8,7 +8,7 @@
{{ "selectAPlan" | i18n }} -
+
::set_biometric_secret("", "", "", None, "").await; + let result = + ::set_biometric_secret("", "", "", None, "").await; assert!(result.is_err()); assert_eq!( result.unwrap_err().to_string(), diff --git a/apps/desktop/desktop_native/core/src/password/macos.rs b/apps/desktop/desktop_native/core/src/password/macos.rs index c911a0d2430..b69854905d9 100644 --- a/apps/desktop/desktop_native/core/src/password/macos.rs +++ b/apps/desktop/desktop_native/core/src/password/macos.rs @@ -28,12 +28,18 @@ mod tests { #[tokio::test] async fn test() { - set_password("BitwardenTest", "BitwardenTest", "Random").await.unwrap(); + set_password("BitwardenTest", "BitwardenTest", "Random") + .await + .unwrap(); assert_eq!( "Random", - get_password("BitwardenTest", "BitwardenTest").await.unwrap() + get_password("BitwardenTest", "BitwardenTest") + .await + .unwrap() ); - delete_password("BitwardenTest", "BitwardenTest").await.unwrap(); + delete_password("BitwardenTest", "BitwardenTest") + .await + .unwrap(); // Ensure password is deleted match get_password("BitwardenTest", "BitwardenTest").await { diff --git a/apps/desktop/desktop_native/core/src/password/unix.rs b/apps/desktop/desktop_native/core/src/password/unix.rs index 20a79625efb..f73b41de8c1 100644 --- a/apps/desktop/desktop_native/core/src/password/unix.rs +++ b/apps/desktop/desktop_native/core/src/password/unix.rs @@ -5,9 +5,7 @@ use std::collections::HashMap; pub async fn get_password(service: &str, account: &str) -> Result { match get_password_new(service, account).await { Ok(res) => Ok(res), - Err(_) => { - get_password_legacy(service, account).await - } + Err(_) => get_password_legacy(service, account).await, } } @@ -20,8 +18,8 @@ async fn get_password_new(service: &str, account: &str) -> Result { Some(res) => { let secret = res.secret().await?; Ok(String::from_utf8(secret.to_vec())?) - }, - None => Err(anyhow!("no result")) + } + None => Err(anyhow!("no result")), } } @@ -37,20 +35,30 @@ async fn get_password_legacy(service: &str, account: &str) -> Result { match res { Some(res) => { let secret = res.secret().await?; - println!("deleting legacy secret service entry {} {}", service, account); + println!( + "deleting legacy secret service entry {} {}", + service, account + ); keyring.delete(&attributes).await?; let secret_string = String::from_utf8(secret.to_vec())?; set_password(service, account, &secret_string).await?; Ok(secret_string) - }, - None => Err(anyhow!("no result")) + } + None => Err(anyhow!("no result")), } } pub async fn set_password(service: &str, account: &str, password: &str) -> Result<()> { let keyring = oo7::Keyring::new().await?; let attributes = HashMap::from([("service", service), ("account", account)]); - keyring.create_item("org.freedesktop.Secret.Generic", &attributes, password, true).await?; + keyring + .create_item( + "org.freedesktop.Secret.Generic", + &attributes, + password, + true, + ) + .await?; Ok(()) } @@ -74,22 +82,25 @@ mod tests { #[tokio::test] async fn test() { - set_password("BitwardenTest", "BitwardenTest", "Random").await.unwrap(); + set_password("BitwardenTest", "BitwardenTest", "Random") + .await + .unwrap(); assert_eq!( "Random", - get_password("BitwardenTest", "BitwardenTest").await.unwrap() + get_password("BitwardenTest", "BitwardenTest") + .await + .unwrap() ); - delete_password("BitwardenTest", "BitwardenTest").await.unwrap(); + delete_password("BitwardenTest", "BitwardenTest") + .await + .unwrap(); // Ensure password is deleted match get_password("BitwardenTest", "BitwardenTest").await { Ok(_) => { panic!("Got a result") } - Err(e) => assert_eq!( - "no result", - e.to_string() - ), + Err(e) => assert_eq!("no result", e.to_string()), } } @@ -97,10 +108,7 @@ mod tests { async fn test_error_no_password() { match get_password("Unknown", "Unknown").await { Ok(_) => panic!("Got a result"), - Err(e) => assert_eq!( - "no result", - e.to_string() - ), + Err(e) => assert_eq!("no result", e.to_string()), } } } diff --git a/apps/desktop/desktop_native/core/src/password/windows.rs b/apps/desktop/desktop_native/core/src/password/windows.rs index 873e717ac8b..2a66640286f 100644 --- a/apps/desktop/desktop_native/core/src/password/windows.rs +++ b/apps/desktop/desktop_native/core/src/password/windows.rs @@ -112,12 +112,18 @@ mod tests { #[tokio::test] async fn test() { - set_password("BitwardenTest", "BitwardenTest", "Random").await.unwrap(); + set_password("BitwardenTest", "BitwardenTest", "Random") + .await + .unwrap(); assert_eq!( "Random", - get_password("BitwardenTest", "BitwardenTest").await.unwrap() + get_password("BitwardenTest", "BitwardenTest") + .await + .unwrap() ); - delete_password("BitwardenTest", "BitwardenTest").await.unwrap(); + delete_password("BitwardenTest", "BitwardenTest") + .await + .unwrap(); // Ensure password is deleted match get_password("BitwardenTest", "BitwardenTest").await { diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/mod.rs b/apps/desktop/desktop_native/core/src/ssh_agent/mod.rs index 9d04ea87ccb..82b90c7bff9 100644 --- a/apps/desktop/desktop_native/core/src/ssh_agent/mod.rs +++ b/apps/desktop/desktop_native/core/src/ssh_agent/mod.rs @@ -1,4 +1,7 @@ -use std::sync::Arc; +use std::sync::{ + atomic::{AtomicBool, AtomicU32}, + Arc, +}; use tokio::sync::Mutex; use tokio_util::sync::CancellationToken; @@ -10,34 +13,52 @@ use bitwarden_russh::ssh_agent::{self, Key}; #[cfg_attr(target_os = "linux", path = "unix.rs")] mod platform_ssh_agent; +#[cfg(any(target_os = "linux", target_os = "macos"))] +mod peercred_unix_listener_stream; + pub mod generator; pub mod importer; - +pub mod peerinfo; #[derive(Clone)] pub struct BitwardenDesktopAgent { keystore: ssh_agent::KeyStore, cancellation_token: CancellationToken, - show_ui_request_tx: tokio::sync::mpsc::Sender<(u32, (String, bool))>, + show_ui_request_tx: tokio::sync::mpsc::Sender, get_ui_response_rx: Arc>>, - request_id: Arc>, + request_id: Arc, /// before first unlock, or after account switching, listing keys should require an unlock to get a list of public keys - needs_unlock: Arc>, - is_running: Arc>, + needs_unlock: Arc, + is_running: Arc, } -impl ssh_agent::Agent for BitwardenDesktopAgent { - async fn confirm(&self, ssh_key: Key) -> bool { - if !*self.is_running.lock().await { +pub struct SshAgentUIRequest { + pub request_id: u32, + pub cipher_id: Option, + pub process_name: String, + pub is_list: bool, +} + +impl ssh_agent::Agent for BitwardenDesktopAgent { + async fn confirm(&self, ssh_key: Key, info: &peerinfo::models::PeerInfo) -> bool { + if !self.is_running() { println!("[BitwardenDesktopAgent] Agent is not running, but tried to call confirm"); return false; } let request_id = self.get_request_id().await; + println!( + "[SSH Agent] Confirming request from application: {}", + info.process_name() + ); let mut rx_channel = self.get_ui_response_rx.lock().await.resubscribe(); - let message = (request_id, (ssh_key.cipher_uuid.clone(), false)); self.show_ui_request_tx - .send(message) + .send(SshAgentUIRequest { + request_id, + cipher_id: Some(ssh_key.cipher_uuid.clone()), + process_name: info.process_name().to_string(), + is_list: false, + }) .await .expect("Should send request to ui"); while let Ok((id, response)) = rx_channel.recv().await { @@ -48,15 +69,20 @@ impl ssh_agent::Agent for BitwardenDesktopAgent { false } - async fn can_list(&self) -> bool { - if !*self.needs_unlock.lock().await{ + async fn can_list(&self, info: &peerinfo::models::PeerInfo) -> bool { + if !self.needs_unlock.load(std::sync::atomic::Ordering::Relaxed) { return true; } let request_id = self.get_request_id().await; let mut rx_channel = self.get_ui_response_rx.lock().await.resubscribe(); - let message = (request_id, ("".to_string(), true)); + let message = SshAgentUIRequest { + request_id, + cipher_id: None, + process_name: info.process_name().to_string(), + is_list: true, + }; self.show_ui_request_tx .send(message) .await @@ -72,13 +98,13 @@ impl ssh_agent::Agent for BitwardenDesktopAgent { impl BitwardenDesktopAgent { pub fn stop(&self) { - if !*self.is_running.blocking_lock() { + if !self.is_running() { println!("[BitwardenDesktopAgent] Tried to stop agent while it is not running"); return; } - *self.is_running.blocking_lock() = false; - self.cancellation_token.cancel(); + self.is_running + .store(false, std::sync::atomic::Ordering::Relaxed); self.keystore .0 .write() @@ -90,7 +116,7 @@ impl BitwardenDesktopAgent { &mut self, new_keys: Vec<(String, String, String)>, ) -> Result<(), anyhow::Error> { - if !*self.is_running.blocking_lock() { + if !self.is_running() { return Err(anyhow::anyhow!( "[BitwardenDesktopAgent] Tried to set keys while agent is not running" )); @@ -99,7 +125,8 @@ impl BitwardenDesktopAgent { let keystore = &mut self.keystore; keystore.0.write().expect("RwLock is not poisoned").clear(); - *self.needs_unlock.blocking_lock() = false; + self.needs_unlock + .store(true, std::sync::atomic::Ordering::Relaxed); for (key, name, cipher_id) in new_keys.iter() { match parse_key_safe(&key) { @@ -127,7 +154,7 @@ impl BitwardenDesktopAgent { } pub fn lock(&mut self) -> Result<(), anyhow::Error> { - if !*self.is_running.blocking_lock() { + if !self.is_running() { return Err(anyhow::anyhow!( "[BitwardenDesktopAgent] Tried to lock agent, but it is not running" )); @@ -148,24 +175,26 @@ impl BitwardenDesktopAgent { pub fn clear_keys(&mut self) -> Result<(), anyhow::Error> { let keystore = &mut self.keystore; keystore.0.write().expect("RwLock is not poisoned").clear(); - *self.needs_unlock.blocking_lock() = true; + self.needs_unlock + .store(true, std::sync::atomic::Ordering::Relaxed); Ok(()) } async fn get_request_id(&self) -> u32 { - if !*self.is_running.lock().await { + if !self.is_running() { println!("[BitwardenDesktopAgent] Agent is not running, but tried to get request id"); return 0; } - let mut request_id = self.request_id.lock().await; - *request_id += 1; - *request_id + let request_id = self + .request_id + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + request_id } - pub fn is_running(self) -> bool { - return self.is_running.blocking_lock().clone(); + pub fn is_running(&self) -> bool { + self.is_running.load(std::sync::atomic::Ordering::Relaxed) } } diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/named_pipe_listener_stream.rs b/apps/desktop/desktop_native/core/src/ssh_agent/named_pipe_listener_stream.rs index 49c3aa80612..1358abe32e0 100644 --- a/apps/desktop/desktop_native/core/src/ssh_agent/named_pipe_listener_stream.rs +++ b/apps/desktop/desktop_native/core/src/ssh_agent/named_pipe_listener_stream.rs @@ -1,23 +1,32 @@ +use futures::Stream; +use std::os::windows::prelude::AsRawHandle as _; use std::{ - io, pin::Pin, sync::Arc, task::{Context, Poll} + io, + pin::Pin, + sync::{ + atomic::{AtomicBool, Ordering}, + Arc, + }, + task::{Context, Poll}, }; - -use futures::Stream; use tokio::{ net::windows::named_pipe::{NamedPipeServer, ServerOptions}, select, }; use tokio_util::sync::CancellationToken; +use windows::Win32::{Foundation::HANDLE, System::Pipes::GetNamedPipeClientProcessId}; + +use crate::ssh_agent::peerinfo::{self, models::PeerInfo}; const PIPE_NAME: &str = r"\\.\pipe\openssh-ssh-agent"; #[pin_project::pin_project] pub struct NamedPipeServerStream { - rx: tokio::sync::mpsc::Receiver, + rx: tokio::sync::mpsc::Receiver<(NamedPipeServer, PeerInfo)>, } impl NamedPipeServerStream { - pub fn new(cancellation_token: CancellationToken, is_running: Arc>) -> Self { + pub fn new(cancellation_token: CancellationToken, is_running: Arc) -> Self { let (tx, rx) = tokio::sync::mpsc::channel(16); tokio::spawn(async move { println!( @@ -30,7 +39,7 @@ impl NamedPipeServerStream { println!("[SSH Agent Native Module] Encountered an error creating the first pipe. The system's openssh service must likely be disabled"); println!("[SSH Agent Natvie Module] error: {}", err); cancellation_token.cancel(); - *is_running.lock().await = false; + is_running.store(false, Ordering::Relaxed); return; } }; @@ -43,14 +52,32 @@ impl NamedPipeServerStream { } _ = listener.connect() => { println!("[SSH Agent Native Module] Incoming connection"); - tx.send(listener).await.unwrap(); + let handle = HANDLE(listener.as_raw_handle()); + let mut pid = 0; + unsafe { + if let Err(e) = GetNamedPipeClientProcessId(handle, &mut pid) { + println!("Error getting named pipe client process id {}", e); + continue + } + }; + + let peer_info = peerinfo::gather::get_peer_info(pid as u32); + let peer_info = match peer_info { + Err(err) => { + println!("Failed getting process info for pid {} {}", pid, err); + continue + }, + Ok(info) => info, + }; + + tx.send((listener, peer_info)).await.unwrap(); listener = match ServerOptions::new().create(PIPE_NAME) { Ok(pipe) => pipe, Err(err) => { println!("[SSH Agent Native Module] Encountered an error creating a new pipe {}", err); cancellation_token.cancel(); - *is_running.lock().await = false; + is_running.store(false, Ordering::Relaxed); return; } }; @@ -63,12 +90,12 @@ impl NamedPipeServerStream { } impl Stream for NamedPipeServerStream { - type Item = io::Result; + type Item = io::Result<(NamedPipeServer, PeerInfo)>; fn poll_next( self: Pin<&mut Self>, cx: &mut Context<'_>, - ) -> Poll>> { + ) -> Poll>> { let this = self.project(); this.rx.poll_recv(cx).map(|v| v.map(Ok)) diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/peercred_unix_listener_stream.rs b/apps/desktop/desktop_native/core/src/ssh_agent/peercred_unix_listener_stream.rs new file mode 100644 index 00000000000..f0114fc08da --- /dev/null +++ b/apps/desktop/desktop_native/core/src/ssh_agent/peercred_unix_listener_stream.rs @@ -0,0 +1,72 @@ +use futures::Stream; +use std::io; +use std::pin::Pin; +use std::task::{Context, Poll}; +use tokio::net::{UnixListener, UnixStream}; + +use super::peerinfo; +use super::peerinfo::models::PeerInfo; + +#[derive(Debug)] +pub struct PeercredUnixListenerStream { + inner: UnixListener, +} + +impl PeercredUnixListenerStream { + pub fn new(listener: UnixListener) -> Self { + Self { inner: listener } + } +} + +impl Stream for PeercredUnixListenerStream { + type Item = io::Result<(UnixStream, PeerInfo)>; + + fn poll_next( + self: Pin<&mut Self>, + cx: &mut Context<'_>, + ) -> Poll>> { + match self.inner.poll_accept(cx) { + Poll::Ready(Ok((stream, _))) => { + let pid = match stream.peer_cred() { + Ok(peer) => match peer.pid() { + Some(pid) => pid, + None => { + return Poll::Ready(Some(Err(io::Error::new( + io::ErrorKind::Other, + "Failed to get peer PID", + )))); + } + }, + Err(err) => { + return Poll::Ready(Some(Err(io::Error::new( + io::ErrorKind::Other, + format!("Failed to get peer credentials: {}", err), + )))); + } + }; + let peer_info = peerinfo::gather::get_peer_info(pid as u32); + match peer_info { + Ok(info) => Poll::Ready(Some(Ok((stream, info)))), + Err(err) => Poll::Ready(Some(Err(io::Error::new( + io::ErrorKind::Other, + format!("Failed to get peer info: {}", err), + )))), + } + } + Poll::Ready(Err(err)) => Poll::Ready(Some(Err(err))), + Poll::Pending => Poll::Pending, + } + } +} + +impl AsRef for PeercredUnixListenerStream { + fn as_ref(&self) -> &UnixListener { + &self.inner + } +} + +impl AsMut for PeercredUnixListenerStream { + fn as_mut(&mut self) -> &mut UnixListener { + &mut self.inner + } +} diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/gather.rs b/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/gather.rs new file mode 100644 index 00000000000..699203d613d --- /dev/null +++ b/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/gather.rs @@ -0,0 +1,23 @@ +use sysinfo::{Pid, System}; + +use super::models::PeerInfo; + +pub fn get_peer_info(peer_pid: u32) -> Result { + let s = System::new_all(); + if let Some(process) = s.process(Pid::from_u32(peer_pid)) { + let peer_process_name = match process.name().to_str() { + Some(name) => name.to_string(), + None => { + return Err("Failed to get process name".to_string()); + } + }; + + return Ok(PeerInfo::new( + peer_pid, + process.pid().as_u32(), + peer_process_name, + )); + } + + Err("Failed to get process".to_string()) +} diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/mod.rs b/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/mod.rs new file mode 100644 index 00000000000..fb12aa66e09 --- /dev/null +++ b/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/mod.rs @@ -0,0 +1,2 @@ +pub mod gather; +pub mod models; diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/models.rs b/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/models.rs new file mode 100644 index 00000000000..823d912883e --- /dev/null +++ b/apps/desktop/desktop_native/core/src/ssh_agent/peerinfo/models.rs @@ -0,0 +1,32 @@ +/** +* Peerinfo represents the information of a peer process connecting over a socket. +* This can be later extended to include more information (icon, app name) for the corresponding application. +*/ +#[derive(Debug)] +pub struct PeerInfo { + uid: u32, + pid: u32, + process_name: String, +} + +impl PeerInfo { + pub fn new(uid: u32, pid: u32, process_name: String) -> Self { + Self { + uid, + pid, + process_name, + } + } + + pub fn uid(&self) -> u32 { + self.uid + } + + pub fn pid(&self) -> u32 { + self.pid + } + + pub fn process_name(&self) -> &str { + &self.process_name + } +} diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/unix.rs b/apps/desktop/desktop_native/core/src/ssh_agent/unix.rs index ed2fe9ffab1..a74c1205b57 100644 --- a/apps/desktop/desktop_native/core/src/ssh_agent/unix.rs +++ b/apps/desktop/desktop_native/core/src/ssh_agent/unix.rs @@ -2,7 +2,10 @@ use std::{ collections::HashMap, fs, os::unix::fs::PermissionsExt, - sync::{Arc, RwLock}, + sync::{ + atomic::{AtomicBool, AtomicU32}, + Arc, RwLock, + }, }; use bitwarden_russh::ssh_agent; @@ -10,11 +13,13 @@ use homedir::my_home; use tokio::{net::UnixListener, sync::Mutex}; use tokio_util::sync::CancellationToken; -use super::BitwardenDesktopAgent; +use crate::ssh_agent::peercred_unix_listener_stream::PeercredUnixListenerStream; + +use super::{BitwardenDesktopAgent, SshAgentUIRequest}; impl BitwardenDesktopAgent { pub async fn start_server( - auth_request_tx: tokio::sync::mpsc::Sender<(u32, (String, bool))>, + auth_request_tx: tokio::sync::mpsc::Sender, auth_response_rx: Arc>>, ) -> Result { let agent = BitwardenDesktopAgent { @@ -22,9 +27,9 @@ impl BitwardenDesktopAgent { cancellation_token: CancellationToken::new(), show_ui_request_tx: auth_request_tx, get_ui_response_rx: auth_response_rx, - request_id: Arc::new(tokio::sync::Mutex::new(0)), - needs_unlock: Arc::new(tokio::sync::Mutex::new(true)), - is_running: Arc::new(tokio::sync::Mutex::new(false)), + request_id: Arc::new(AtomicU32::new(0)), + needs_unlock: Arc::new(AtomicBool::new(false)), + is_running: Arc::new(AtomicBool::new(false)), }; let cloned_agent_state = agent.clone(); tokio::spawn(async move { @@ -75,18 +80,23 @@ impl BitwardenDesktopAgent { return; } - let wrapper = tokio_stream::wrappers::UnixListenerStream::new(listener); + let stream = PeercredUnixListenerStream::new(listener); + let cloned_keystore = cloned_agent_state.keystore.clone(); let cloned_cancellation_token = cloned_agent_state.cancellation_token.clone(); - *cloned_agent_state.is_running.lock().await = true; + cloned_agent_state + .is_running + .store(true, std::sync::atomic::Ordering::Relaxed); let _ = ssh_agent::serve( - wrapper, + stream, cloned_agent_state.clone(), cloned_keystore, cloned_cancellation_token, ) .await; - *cloned_agent_state.is_running.lock().await = false; + cloned_agent_state + .is_running + .store(false, std::sync::atomic::Ordering::Relaxed); println!("[SSH Agent Native Module] SSH Agent server exited"); } Err(e) => { diff --git a/apps/desktop/desktop_native/core/src/ssh_agent/windows.rs b/apps/desktop/desktop_native/core/src/ssh_agent/windows.rs index 6a99b7cfb00..bc63ef552b7 100644 --- a/apps/desktop/desktop_native/core/src/ssh_agent/windows.rs +++ b/apps/desktop/desktop_native/core/src/ssh_agent/windows.rs @@ -3,16 +3,19 @@ pub mod named_pipe_listener_stream; use std::{ collections::HashMap, - sync::{Arc, RwLock}, + sync::{ + atomic::{AtomicBool, AtomicU32}, + Arc, RwLock, + }, }; use tokio::sync::Mutex; use tokio_util::sync::CancellationToken; -use super::BitwardenDesktopAgent; +use super::{BitwardenDesktopAgent, SshAgentUIRequest}; impl BitwardenDesktopAgent { pub async fn start_server( - auth_request_tx: tokio::sync::mpsc::Sender<(u32, (String, bool))>, + auth_request_tx: tokio::sync::mpsc::Sender, auth_response_rx: Arc>>, ) -> Result { let agent_state = BitwardenDesktopAgent { @@ -20,9 +23,9 @@ impl BitwardenDesktopAgent { show_ui_request_tx: auth_request_tx, get_ui_response_rx: auth_response_rx, cancellation_token: CancellationToken::new(), - request_id: Arc::new(tokio::sync::Mutex::new(0)), - needs_unlock: Arc::new(tokio::sync::Mutex::new(true)), - is_running: Arc::new(tokio::sync::Mutex::new(true)), + request_id: Arc::new(AtomicU32::new(0)), + needs_unlock: Arc::new(AtomicBool::new(true)), + is_running: Arc::new(AtomicBool::new(true)), }; let stream = named_pipe_listener_stream::NamedPipeServerStream::new( agent_state.cancellation_token.clone(), @@ -31,7 +34,9 @@ impl BitwardenDesktopAgent { let cloned_agent_state = agent_state.clone(); tokio::spawn(async move { - *cloned_agent_state.is_running.lock().await = true; + cloned_agent_state + .is_running + .store(true, std::sync::atomic::Ordering::Relaxed); let _ = ssh_agent::serve( stream, cloned_agent_state.clone(), @@ -39,7 +44,9 @@ impl BitwardenDesktopAgent { cloned_agent_state.cancellation_token.clone(), ) .await; - *cloned_agent_state.is_running.lock().await = false; + cloned_agent_state + .is_running + .store(false, std::sync::atomic::Ordering::Relaxed); }); Ok(agent_state) } diff --git a/apps/desktop/desktop_native/napi/index.d.ts b/apps/desktop/desktop_native/napi/index.d.ts index 0eaba197919..b884829e77d 100644 --- a/apps/desktop/desktop_native/napi/index.d.ts +++ b/apps/desktop/desktop_native/napi/index.d.ts @@ -67,7 +67,7 @@ export declare namespace sshagent { status: SshKeyImportStatus sshKey?: SshKey } - export function serve(callback: (err: Error | null, arg0: string, arg1: boolean) => any): Promise + export function serve(callback: (err: Error | null, arg0: string | undefined | null, arg1: boolean, arg2: string) => any): Promise export function stop(agentState: SshAgentState): void export function isRunning(agentState: SshAgentState): boolean export function setKeys(agentState: SshAgentState, newKeys: Array): void diff --git a/apps/desktop/desktop_native/napi/src/lib.rs b/apps/desktop/desktop_native/napi/src/lib.rs index 5037108afd7..a7e2144b1dc 100644 --- a/apps/desktop/desktop_native/napi/src/lib.rs +++ b/apps/desktop/desktop_native/napi/src/lib.rs @@ -247,30 +247,28 @@ pub mod sshagent { #[napi] pub async fn serve( - callback: ThreadsafeFunction<(String, bool), CalleeHandled>, + callback: ThreadsafeFunction<(Option, bool, String), CalleeHandled>, ) -> napi::Result { let (auth_request_tx, mut auth_request_rx) = - tokio::sync::mpsc::channel::<(u32, (String, bool))>(32); + tokio::sync::mpsc::channel::(32); let (auth_response_tx, auth_response_rx) = tokio::sync::broadcast::channel::<(u32, bool)>(32); let auth_response_tx_arc = Arc::new(Mutex::new(auth_response_tx)); tokio::spawn(async move { let _ = auth_response_rx; - while let Some((request_id, (cipher_uuid, is_list_request))) = - auth_request_rx.recv().await - { - let cloned_request_id = request_id.clone(); - let cloned_cipher_uuid = cipher_uuid.clone(); + while let Some(request) = auth_request_rx.recv().await { let cloned_response_tx_arc = auth_response_tx_arc.clone(); let cloned_callback = callback.clone(); tokio::spawn(async move { - let request_id = cloned_request_id; - let cipher_uuid = cloned_cipher_uuid; let auth_response_tx_arc = cloned_response_tx_arc; let callback = cloned_callback; let promise_result: Result, napi::Error> = callback - .call_async(Ok((cipher_uuid, is_list_request))) + .call_async(Ok(( + request.cipher_id, + request.is_list, + request.process_name, + ))) .await; match promise_result { Ok(promise_result) => match promise_result.await { @@ -278,7 +276,7 @@ pub mod sshagent { let _ = auth_response_tx_arc .lock() .await - .send((request_id, result)) + .send((request.request_id, result)) .expect("should be able to send auth response to agent"); } Err(e) => { @@ -286,7 +284,7 @@ pub mod sshagent { let _ = auth_response_tx_arc .lock() .await - .send((request_id, false)) + .send((request.request_id, false)) .expect("should be able to send auth response to agent"); } }, @@ -295,7 +293,7 @@ pub mod sshagent { let _ = auth_response_tx_arc .lock() .await - .send((request_id, false)) + .send((request.request_id, false)) .expect("should be able to send auth response to agent"); } } diff --git a/apps/desktop/desktop_native/napi/src/registry/windows.rs b/apps/desktop/desktop_native/napi/src/registry/windows.rs index 481dfb5dc49..aeb381dafda 100644 --- a/apps/desktop/desktop_native/napi/src/registry/windows.rs +++ b/apps/desktop/desktop_native/napi/src/registry/windows.rs @@ -13,7 +13,7 @@ pub fn create_key(key: &str, subkey: &str, value: &str) -> Result<()> { let key = convert_key(key)?; let subkey = key.create(subkey)?; - + const DEFAULT: &str = ""; subkey.set_string(DEFAULT, value)?; diff --git a/apps/desktop/src/platform/main/main-ssh-agent.service.ts b/apps/desktop/src/platform/main/main-ssh-agent.service.ts index 9141e30d820..8858134a6be 100644 --- a/apps/desktop/src/platform/main/main-ssh-agent.service.ts +++ b/apps/desktop/src/platform/main/main-ssh-agent.service.ts @@ -29,7 +29,7 @@ export class MainSshAgentService { init() { // handle sign request passing to UI sshagent - .serve(async (err: Error, cipherId: string, isListRequest: boolean) => { + .serve(async (err: Error, cipherId: string, isListRequest: boolean, processName: string) => { // clear all old (> SIGN_TIMEOUT) requests this.requestResponses = this.requestResponses.filter( (response) => response.timestamp > new Date(Date.now() - this.SIGN_TIMEOUT), @@ -41,6 +41,7 @@ export class MainSshAgentService { cipherId, isListRequest, requestId: id_for_this_request, + processName, }); const result = await firstValueFrom( diff --git a/apps/desktop/src/platform/services/ssh-agent.service.ts b/apps/desktop/src/platform/services/ssh-agent.service.ts index 9dc7abeca01..651e67e9467 100644 --- a/apps/desktop/src/platform/services/ssh-agent.service.ts +++ b/apps/desktop/src/platform/services/ssh-agent.service.ts @@ -122,6 +122,10 @@ export class SshAgentService implements OnDestroy { const cipherId = message.cipherId as string; const isListRequest = message.isListRequest as boolean; const requestId = message.requestId as number; + let application = message.processName as string; + if (application == "") { + application = this.i18nService.t("unknownApplication"); + } if (isListRequest) { const sshCiphers = ciphers.filter( @@ -151,7 +155,7 @@ export class SshAgentService implements OnDestroy { const dialogRef = ApproveSshRequestComponent.open( this.dialogService, cipher.name, - this.i18nService.t("unknownApplication"), + application, ); const result = await firstValueFrom(dialogRef.closed); From d4fcb5852a52e29400f74e0bfceac76d979658d7 Mon Sep 17 00:00:00 2001 From: Andreas Coroiu Date: Wed, 11 Dec 2024 13:20:32 +0100 Subject: [PATCH 04/80] fix: text-drag directive ts-strict error (#12346) --- libs/angular/src/directives/text-drag.directive.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libs/angular/src/directives/text-drag.directive.ts b/libs/angular/src/directives/text-drag.directive.ts index da3e70d1de2..443fbdac157 100644 --- a/libs/angular/src/directives/text-drag.directive.ts +++ b/libs/angular/src/directives/text-drag.directive.ts @@ -17,6 +17,6 @@ export class TextDragDirective { @HostListener("dragstart", ["$event"]) onDragStart(event: DragEvent) { - event.dataTransfer.setData("text", this.data); + event.dataTransfer?.setData("text", this.data); } } From b502e2bc251dfbfee2c5220ab3ccd4629ddcbbd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rui=20Tom=C3=A9?= <108268980+r-tome@users.noreply.github.com> Date: Wed, 11 Dec 2024 14:47:49 +0000 Subject: [PATCH 05/80] [PM-15154] Domain verification copy update (#12217) * refactor: update domain verification terminology to claimed domains * feat: add description for claimed domains in domain verification * Add informational link to claimed domains description in domain verification component * Update domain verification references to claimed domains in organization layout and SSO component * Add validation message for invalid domain name format in domain verification * Add domain claim messages and descriptions to localization files * Update domain verification navigation text based on feature flag * Update domain verification dialog to support account deprovisioning feature flag * Update domain verification component to support account deprovisioning feature flag * Refactor domain verification dialog to use synchronous feature flag for account deprovisioning * Refactor domain verification routing to resolve title based on account deprovisioning feature flag * Update SSO component to conditionally display domain verification link based on account deprovisioning feature flag * Update event service to conditionally display domain verification messages based on account deprovisioning feature flag * Update domain verification warning message * Refactor domain verification navigation text handling based on account deprovisioning feature flag * Refactor domain verification dialog to use observable for account deprovisioning feature flag * Refactor domain verification component to use observable for account deprovisioning feature flag --- .../organization-layout.component.html | 2 +- .../layouts/organization-layout.component.ts | 9 +++ apps/web/src/app/core/event.service.ts | 17 +++++- apps/web/src/locales/en/messages.json | 61 ++++++++++++++++++- .../domain-add-edit-dialog.component.html | 40 +++++++++--- .../domain-add-edit-dialog.component.ts | 58 ++++++++++++------ .../domain-verification.component.html | 29 ++++++++- .../domain-verification.component.ts | 22 +++++-- .../organizations-routing.module.ts | 13 +++- .../src/app/auth/sso/sso.component.html | 5 +- .../bit-web/src/app/auth/sso/sso.component.ts | 11 +++- 11 files changed, 223 insertions(+), 44 deletions(-) diff --git a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html index fa4d027d0f6..8387c53e5e3 100644 --- a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html +++ b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.html @@ -98,7 +98,7 @@ *ngIf="canAccessExport$ | async" > diff --git a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts index 91c965658a3..6ead83b01d8 100644 --- a/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts +++ b/apps/web/src/app/admin-console/organizations/layouts/organization-layout.component.ts @@ -23,6 +23,7 @@ import { Organization } from "@bitwarden/common/admin-console/models/domain/orga import { ProductTierType } from "@bitwarden/common/billing/enums"; import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; +import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; import { getById } from "@bitwarden/common/platform/misc"; import { BannerModule, IconModule } from "@bitwarden/components"; @@ -49,6 +50,7 @@ export class OrganizationLayoutComponent implements OnInit { protected readonly logo = AdminConsoleLogo; protected orgFilter = (org: Organization) => canAccessOrgAdmin(org); + protected domainVerificationNavigationTextKey: string; protected integrationPageEnabled$: Observable; @@ -67,6 +69,7 @@ export class OrganizationLayoutComponent implements OnInit { private configService: ConfigService, private policyService: PolicyService, private providerService: ProviderService, + private i18nService: I18nService, ) {} async ngOnInit() { @@ -116,6 +119,12 @@ export class OrganizationLayoutComponent implements OnInit { org.productTierType === ProductTierType.Enterprise && featureFlagEnabled, ), ); + + this.domainVerificationNavigationTextKey = (await this.configService.getFeatureFlag( + FeatureFlag.AccountDeprovisioning, + )) + ? "claimedDomains" + : "domainVerification"; } canShowVaultTab(organization: Organization): boolean { diff --git a/apps/web/src/app/core/event.service.ts b/apps/web/src/app/core/event.service.ts index 412423a3a24..aedad9b26ea 100644 --- a/apps/web/src/app/core/event.service.ts +++ b/apps/web/src/app/core/event.service.ts @@ -6,7 +6,9 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli import { PolicyType } from "@bitwarden/common/admin-console/enums"; import { Policy } from "@bitwarden/common/admin-console/models/domain/policy"; import { DeviceType, EventType } from "@bitwarden/common/enums"; +import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; import { EventResponse } from "@bitwarden/common/models/response/event.response"; +import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; @Injectable() @@ -16,6 +18,7 @@ export class EventService { constructor( private i18nService: I18nService, policyService: PolicyService, + private configService: ConfigService, ) { policyService.policies$.subscribe((policies) => { this.policies = policies; @@ -451,10 +454,20 @@ export class EventService { msg = humanReadableMsg = this.i18nService.t("removedDomain", ev.domainName); break; case EventType.OrganizationDomain_Verified: - msg = humanReadableMsg = this.i18nService.t("domainVerifiedEvent", ev.domainName); + msg = humanReadableMsg = this.i18nService.t( + (await this.configService.getFeatureFlag(FeatureFlag.AccountDeprovisioning)) + ? "domainClaimedEvent" + : "domainVerifiedEvent", + ev.domainName, + ); break; case EventType.OrganizationDomain_NotVerified: - msg = humanReadableMsg = this.i18nService.t("domainNotVerifiedEvent", ev.domainName); + msg = humanReadableMsg = this.i18nService.t( + (await this.configService.getFeatureFlag(FeatureFlag.AccountDeprovisioning)) + ? "domainNotClaimedEvent" + : "domainNotVerifiedEvent", + ev.domainName, + ); break; // Secrets Manager case EventType.Secret_Retrieved: diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json index 06728929912..b1203230688 100644 --- a/apps/web/src/locales/en/messages.json +++ b/apps/web/src/locales/en/messages.json @@ -9801,8 +9801,8 @@ "selfHostingTitleProper": { "message": "Self-Hosting" }, - "verified-domain-single-org-warning" : { - "message": "Verifying a domain will turn on the single organization policy." + "claim-domain-single-org-warning" : { + "message": "Claiming a domain will turn on the single organization policy." }, "single-org-revoked-user-warning": { "message": "Non-compliant members will be revoked. Administrators can restore members once they leave all other organizations." @@ -9902,5 +9902,62 @@ }, "removeMembers": { "message": "Remove members" + }, + "claimedDomains": { + "message": "Claimed domains" + }, + "claimDomain": { + "message": "Claim domain" + }, + "reclaimDomain": { + "message": "Reclaim domain" + }, + "claimDomainNameInputHint": { + "message": "Example: mydomain.com. Subdomains require separate entries to be claimed." + }, + "automaticClaimedDomains": { + "message": "Automatic Claimed Domains" + }, + "automaticDomainClaimProcess": { + "message": "Bitwarden will attempt to claim the domain 3 times during the first 72 hours. If the domain can’t be claimed, check the DNS record in your host and manually claim. The domain will be removed from your organization in 7 days if it is not claimed." + }, + "domainNotClaimed": { + "message": "$DOMAIN$ not claimed. Check your DNS records.", + "placeholders": { + "DOMAIN": { + "content": "$1", + "example": "bitwarden.com" + } + } + }, + "domainStatusClaimed": { + "message": "Claimed" + }, + "domainStatusUnderVerification": { + "message": "Under verification" + }, + "claimedDomainsDesc": { + "message": "Claim a domain to own all member accounts whose email address matches the domain. Members will be able to skip the SSO identifier when logging in. Administrators will also be able to delete member accounts." + }, + "invalidDomainNameClaimMessage": { + "message": "Input is not a valid format. Format: mydomain.com. Subdomains require separate entries to be claimed." + }, + "domainClaimedEvent": { + "message": "$DOMAIN$ claimed", + "placeholders": { + "DOMAIN": { + "content": "$1", + "example": "bitwarden.com" + } + } + }, + "domainNotClaimedEvent": { + "message": "$DOMAIN$ not claimed", + "placeholders": { + "DOMAIN": { + "content": "$1", + "example": "bitwarden.com" + } + } } } diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html index 15120eed92a..7226c957598 100644 --- a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html +++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/domain-verification/domain-add-edit-dialog/domain-add-edit-dialog.component.html @@ -6,24 +6,37 @@ {{ "newDomain" | i18n }} - {{ "verifyDomain" | i18n }} + + {{ + ((accountDeprovisioningEnabled$ | async) ? "claimDomain" : "verifyDomain") | i18n + }} {{ data.orgDomain.domainName }} {{ - "domainStatusUnverified" | i18n + ((accountDeprovisioningEnabled$ | async) + ? "domainStatusUnderVerification" + : "domainStatusUnverified" + ) | i18n }} {{ - "domainStatusVerified" | i18n + ((accountDeprovisioningEnabled$ | async) ? "domainStatusClaimed" : "domainStatusVerified") + | i18n }}
{{ "domainName" | i18n }} - {{ "domainNameInputHint" | i18n }} + {{ + ((accountDeprovisioningEnabled$ | async) + ? "claimDomainNameInputHint" + : "domainNameInputHint" + ) | i18n + }} @@ -42,18 +55,29 @@ - {{ "automaticDomainVerificationProcess" | i18n }} + {{ + ((accountDeprovisioningEnabled$ | async) + ? "automaticDomainClaimProcess" + : "automaticDomainVerificationProcess" + ) | i18n + }}
+

+ {{ "claimedDomainsDesc" | i18n }} + + + +

+