Add Bitwarden.Server.Sdk.Authentication Package (#154)

Author: justindbaur

.github/workflows/start-release.yml

@@ -11,6 +11,7 @@ on:
         options:
         - Bitwarden.Server.Sdk
         - Bitwarden.Server.Sdk.Features
+        - Bitwarden.Server.Sdk.Authentication
 
 permissions:
   pull-requests: write

bitwarden-dotnet.sln

@@ -45,6 +45,14 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{4949B721
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Bitwarden.Server.Sdk.Features.Tests", "extensions\Bitwarden.Server.Sdk.Features\tests\Bitwarden.Server.Sdk.Features.Tests\Bitwarden.Server.Sdk.Features.Tests.csproj", "{1789F567-87B3-4313-80CF-E3CCFA1B6D5E}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Bitwarden.Server.Sdk.Authentication", "Bitwarden.Server.Sdk.Authentication", "{79CC5F16-EEB8-4539-AA15-FDC1E9AB03D1}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Bitwarden.Server.Sdk.Authentication", "extensions\Bitwarden.Server.Sdk.Authentication\src\Bitwarden.Server.Sdk.Authentication.csproj", "{0E96965A-4397-46A8-8D84-330ACFF2F8CF}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{D623B9E7-6555-45AB-AAEC-EA388FACCE11}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Bitwarden.Server.Sdk.Authentication.Tests", "extensions\Bitwarden.Server.Sdk.Authentication\tests\Bitwarden.Server.Sdk.Authentication.Tests\Bitwarden.Server.Sdk.Authentication.Tests.csproj", "{5AA835F4-F265-403F-897C-8989E354C052}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -102,6 +110,14 @@ Global
 		{1789F567-87B3-4313-80CF-E3CCFA1B6D5E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{1789F567-87B3-4313-80CF-E3CCFA1B6D5E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{1789F567-87B3-4313-80CF-E3CCFA1B6D5E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{0E96965A-4397-46A8-8D84-330ACFF2F8CF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{0E96965A-4397-46A8-8D84-330ACFF2F8CF}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{0E96965A-4397-46A8-8D84-330ACFF2F8CF}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{0E96965A-4397-46A8-8D84-330ACFF2F8CF}.Release|Any CPU.Build.0 = Release|Any CPU
+		{5AA835F4-F265-403F-897C-8989E354C052}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{5AA835F4-F265-403F-897C-8989E354C052}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{5AA835F4-F265-403F-897C-8989E354C052}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{5AA835F4-F265-403F-897C-8989E354C052}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{5EC8B943-2E9E-437D-9FFC-D18B5DB4D7D0} = {695C76EF-1102-4805-970F-7C995EE54930}
@@ -124,5 +140,9 @@ Global
 		{DF914CD1-F916-4A58-B749-625DB67FAAA7} = {026589E0-5AAA-44EB-B973-3CFFF5B54AFC}
 		{4949B721-5C7F-4D85-AB35-F57B54D7A6E6} = {026589E0-5AAA-44EB-B973-3CFFF5B54AFC}
 		{1789F567-87B3-4313-80CF-E3CCFA1B6D5E} = {4949B721-5C7F-4D85-AB35-F57B54D7A6E6}
+		{79CC5F16-EEB8-4539-AA15-FDC1E9AB03D1} = {695C76EF-1102-4805-970F-7C995EE54930}
+		{0E96965A-4397-46A8-8D84-330ACFF2F8CF} = {79CC5F16-EEB8-4539-AA15-FDC1E9AB03D1}
+		{D623B9E7-6555-45AB-AAEC-EA388FACCE11} = {79CC5F16-EEB8-4539-AA15-FDC1E9AB03D1}
+		{5AA835F4-F265-403F-897C-8989E354C052} = {D623B9E7-6555-45AB-AAEC-EA388FACCE11}
 	EndGlobalSection
 EndGlobal

extensions/Bitwarden.Server.Sdk.Authentication/src/AuthenticationApplicationBuilderExtensions.cs

@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Builder;
+
+namespace Bitwarden.Server.Sdk.Authentication;
+
+/// <summary>
+/// Extension methods to add Bitwarden-style authentication to the HTTP application pipeline.
+/// </summary>
+public static class AuthenticationApplicationBuilderExtensions
+{
+    /// <summary>
+    /// Uses Bitwarden-style Authentication middleware.
+    /// This will always call <see cref="AuthAppBuilderExtensions.UseAuthentication"/> and all rules for that function
+    /// apply to this one. It should be called after <c>UseRouting</c> and before <c>UseAuthorization</c>.
+    /// </summary>
+    /// <param name="app">The <see cref="IApplicationBuilder"/> to add the middleware to.</param>
+    /// <returns>A reference to this instance after the operation has completed.</returns>
+    public static IApplicationBuilder UseBitwardenAuthentication(this IApplicationBuilder app)
+    {
+        ArgumentNullException.ThrowIfNull(app);
+
+        app.UseAuthentication();
+
+        app.UseMiddleware<PostAuthenticationLoggingMiddleware>();
+
+        return app;
+    }
+}

extensions/Bitwarden.Server.Sdk.Authentication/src/AuthenticationServiceCollectionExtensions.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
+
+namespace Bitwarden.Server.Sdk.Authentication;
+
+/// <summary>
+/// Extension methods for setting up Bitwarden-style authentication in a <see cref="IServiceCollection"/>.
+/// </summary>
+public static class AuthenticationServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds Bitwarden compatible authentication, can be configured through the `Authentication:Schemes:Bearer` config
+    /// section.
+    /// </summary>
+    /// <param name="services">The <see cref="IServiceCollection"/> to add the services to.</param>
+    /// <returns>The <see cref="IServiceCollection"/> for additional chaining.</returns>
+    public static IServiceCollection AddBitwardenAuthentication(this IServiceCollection services)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer();
+
+        services.TryAddEnumerable(ServiceDescriptor.Singleton<IConfigureOptions<JwtBearerOptions>, BitwardenConfigureJwtBearerOptions>());
+
+        return services;
+    }
+}

extensions/Bitwarden.Server.Sdk.Authentication/src/Bitwarden.Server.Sdk.Authentication.csproj

@@ -0,0 +1,24 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <VersionPrefix>0.1.0</VersionPrefix>
+    <PreReleaseVersionLabel>beta</PreReleaseVersionLabel>
+    <PreReleaseVersionIteration>1</PreReleaseVersionIteration>
+    <VersionSuffix Condition="'$(VersionSuffix)' == '' AND '$(IsPreRelease)' == 'true'">$(PreReleaseVersionLabel).$(PreReleaseVersionIteration)</VersionSuffix>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
+  </ItemGroup>
+
+</Project>

extensions/Bitwarden.Server.Sdk.Authentication/src/BitwardenConfigureJwtBearerOptions.cs

@@ -0,0 +1,53 @@
+using System.IdentityModel.Tokens.Jwt;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Logging;
+
+namespace Bitwarden.Server.Sdk.Authentication;
+
+internal class BitwardenConfigureJwtBearerOptions : IConfigureNamedOptions<JwtBearerOptions>
+{
+    private readonly IHostEnvironment _hostEnvironment;
+
+    public BitwardenConfigureJwtBearerOptions(IHostEnvironment hostEnvironment)
+    {
+        _hostEnvironment = hostEnvironment;
+
+        if (_hostEnvironment.IsDevelopment())
+        {
+            IdentityModelEventSource.ShowPII = true;
+        }
+    }
+
+    public void Configure(string? schemeName, JwtBearerOptions options)
+    {
+        if (schemeName != JwtBearerDefaults.AuthenticationScheme)
+        {
+            return;
+        }
+
+        // The MapInBoundClaims maps the Jwt claim names into the more microsoft standard of the same claims
+        // For example, the claim `"amr"` might exist in the JWT but with MapInboundClaims = true then once
+        // you get your hand on the ClaimsPrincipal you'd have to find the claim value using
+        // `ClaimTypes.AuthenticationMethod` or `"http://schemas.microsoft.com/claims/authnmethodsreferences"`
+        // Keeping the exact same name on the issuing side and the consumption side is less error prone in our
+        // opinion.
+        options.MapInboundClaims = false;
+
+        // Our identity service does not issue an audience claim for us to validate
+        options.TokenValidationParameters.ValidateAudience = false;
+
+        // This is the default AccessTokenJwtType that IdentityServer uses
+        options.TokenValidationParameters.ValidTypes = ["at+jwt"];
+
+        // Since we don't map inbound claims our if an email is going to exist
+        // it will be as a `"email"` claim.
+        options.TokenValidationParameters.NameClaimType = JwtRegisteredClaimNames.Email;
+    }
+
+    public void Configure(JwtBearerOptions options)
+    {
+        // Do nothing for unnamed options
+    }
+}

extensions/Bitwarden.Server.Sdk.Authentication/src/PostAuthenticationLoggingMiddleware.cs

@@ -0,0 +1,74 @@
+using System.Collections;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+
+namespace Bitwarden.Server.Sdk.Authentication;
+
+internal sealed class PostAuthenticationLoggingMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly ILogger<PostAuthenticationLoggingMiddleware> _logger;
+
+    public PostAuthenticationLoggingMiddleware(RequestDelegate next, ILogger<PostAuthenticationLoggingMiddleware> logger)
+    {
+        _next = next;
+        _logger = logger;
+    }
+
+    public Task Invoke(HttpContext context)
+    {
+        if (context.User.Identity == null || !context.User.Identity.IsAuthenticated)
+        {
+            return _next(context);
+        }
+
+        var subject = context.User.FindFirstValue(JwtRegisteredClaimNames.Sub);
+
+        if (string.IsNullOrEmpty(subject))
+        {
+            return _next(context);
+        }
+
+        using (_logger.BeginScope(new AuthenticatedUserLogScope(subject)))
+        {
+            return _next(context);
+        }
+    }
+
+    private sealed class AuthenticatedUserLogScope : IReadOnlyList<KeyValuePair<string, object>>
+    {
+        public string Subject { get; }
+
+        int IReadOnlyCollection<KeyValuePair<string, object>>.Count { get; } = 1;
+
+        KeyValuePair<string, object> IReadOnlyList<KeyValuePair<string, object>>.this[int index]
+        {
+            get
+            {
+                if (index == 0)
+                {
+                    return new KeyValuePair<string, object>(nameof(Subject), Subject);
+                }
+
+                throw new ArgumentOutOfRangeException(nameof(index));
+            }
+        }
+
+        public AuthenticatedUserLogScope(string subject)
+        {
+            Subject = subject;
+        }
+
+        IEnumerator<KeyValuePair<string, object>> IEnumerable<KeyValuePair<string, object>>.GetEnumerator()
+        {
+            yield return new KeyValuePair<string, object>(nameof(Subject), Subject);
+        }
+
+        IEnumerator IEnumerable.GetEnumerator()
+        {
+            return ((IEnumerable<KeyValuePair<string, object>>)this).GetEnumerator();
+        }
+    }
+}