vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

commit 3fa78e7bb141979d6f6fdfa20aecc70493b80842
parent 70f3ab8ec3d6ccfd8ec8c71c888459de484d9b43
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Sat, 14 Mar 2020 13:22:30 +0100

Initial version of policies

Diffstat:
Amigrations/mysql/2020-03-13-205045_add_policy_table/down.sql | 1+
Amigrations/mysql/2020-03-13-205045_add_policy_table/up.sql | 9+++++++++
Amigrations/postgresql/2020-03-13-205045_add_policy_table/down.sql | 1+
Amigrations/postgresql/2020-03-13-205045_add_policy_table/up.sql | 9+++++++++
Amigrations/sqlite/2020-03-13-205045_add_policy_table/down.sql | 1+
Amigrations/sqlite/2020-03-13-205045_add_policy_table/up.sql | 9+++++++++
Msrc/api/core/ciphers.rs | 6+++++-
Msrc/api/core/organizations.rs | 74++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------
Msrc/auth.rs | 11+++++++++++
Msrc/db/models/mod.rs | 3+++
Asrc/db/models/org_policy.rs | 142+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msrc/db/models/organization.rs | 19+++++++------------
Msrc/db/schemas/mysql/schema.rs | 12++++++++++++
Msrc/db/schemas/postgresql/schema.rs | 12++++++++++++
Msrc/db/schemas/sqlite/schema.rs | 12++++++++++++
15 files changed, 298 insertions(+), 23 deletions(-)

diff --git a/migrations/mysql/2020-03-13-205045_add_policy_table/down.sql b/migrations/mysql/2020-03-13-205045_add_policy_table/down.sql
@@ -0,0 +1 @@
+DROP TABLE org_policies;
diff --git a/migrations/mysql/2020-03-13-205045_add_policy_table/up.sql b/migrations/mysql/2020-03-13-205045_add_policy_table/up.sql
@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+ uuid CHAR(36) NOT NULL PRIMARY KEY,
+ org_uuid CHAR(36) NOT NULL REFERENCES organizations (uuid),
+ atype INTEGER NOT NULL,
+ enabled BOOLEAN NOT NULL,
+ data TEXT NOT NULL,
+
+ UNIQUE (org_uuid, atype)
+);
diff --git a/migrations/postgresql/2020-03-13-205045_add_policy_table/down.sql b/migrations/postgresql/2020-03-13-205045_add_policy_table/down.sql
@@ -0,0 +1 @@
+DROP TABLE org_policies;
diff --git a/migrations/postgresql/2020-03-13-205045_add_policy_table/up.sql b/migrations/postgresql/2020-03-13-205045_add_policy_table/up.sql
@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+ uuid CHAR(36) NOT NULL PRIMARY KEY,
+ org_uuid CHAR(36) NOT NULL REFERENCES organizations (uuid),
+ atype INTEGER NOT NULL,
+ enabled BOOLEAN NOT NULL,
+ data TEXT NOT NULL,
+
+ UNIQUE (org_uuid, atype)
+);
diff --git a/migrations/sqlite/2020-03-13-205045_add_policy_table/down.sql b/migrations/sqlite/2020-03-13-205045_add_policy_table/down.sql
@@ -0,0 +1 @@
+DROP TABLE org_policies;
diff --git a/migrations/sqlite/2020-03-13-205045_add_policy_table/up.sql b/migrations/sqlite/2020-03-13-205045_add_policy_table/up.sql
@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+ uuid TEXT NOT NULL PRIMARY KEY,
+ org_uuid TEXT NOT NULL REFERENCES organizations (uuid),
+ atype INTEGER NOT NULL,
+ enabled BOOLEAN NOT NULL,
+ data TEXT NOT NULL,
+
+ UNIQUE (org_uuid, atype)
+);
diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
@@ -79,6 +79,9 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult { let collections = Collection::find_by_user_uuid(&headers.user.uuid, &conn); let collections_json: Vec<Value> = collections.iter().map(Collection::to_json).collect(); + let policies = OrgPolicy::find_by_user(&headers.user.uuid, &conn); + let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect(); + let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn); let ciphers_json: Vec<Value> = ciphers .iter() @@ -95,6 +98,7 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult { "Profile": user_json, "Folders": folders_json, "Collections": collections_json, + "Policies": policies_json, "Ciphers": ciphers_json, "Domains": domains_json, "Object": "sync" @@ -648,7 +652,7 @@ fn post_attachment( if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) { err_discard!("Cipher is not write accessible", data) } - + let mut params = content_type.params(); let boundary_pair = params.next().expect("No boundary provided"); let boundary = boundary_pair.1; diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs @@ -2,6 +2,7 @@ use rocket::request::Form; use rocket::Route; use rocket_contrib::json::Json; use serde_json::Value; +use num_traits::FromPrimitive; use crate::api::{ EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData, UpdateType, @@ -45,6 +46,9 @@ pub fn routes() -> Vec<Route> { delete_user, post_delete_user, post_org_import, + list_policies, + get_policy, + put_policy, ] } 
@@ -830,22 +834,13 @@ struct RelationsData { fn post_org_import( query: Form<OrgIdData>, data: JsonUpcase<ImportData>, - headers: Headers, + headers: AdminHeaders, conn: DbConn, nt: Notify, ) -> EmptyResult { let data: ImportData = data.into_inner().data; let org_id = query.into_inner().organization_id; - let org_user = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) { - Some(user) => user, - None => err!("User is not part of the organization"), - }; - - if org_user.atype < UserOrgType::Admin { - err!("Only admins or owners can import into an organization") - } - // Read and create the collections let collections: Vec<_> = data .Collections @@ -866,6 +861,8 @@ fn post_org_import( relations.push((relation.Key, relation.Value)); } + let headers: Headers = headers.into(); + // Read and create the ciphers let ciphers: Vec<_> = data .Ciphers 
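Review bot: The explicit `UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn)` check removed from `post_org_import` was keyed on `org_id` taken from the query string, while its replacement relies entirely on the `AdminHeaders` request guard, whose organization lookup is not visible in this diff. If that guard resolves the organization from a path segment rather than from `organization_id`, the role check is made against a different identifier than the one the import writes to, or fails outright. This is worth confirming in `src/auth.rs` and recording on the handler with a comment such as `// AdminHeaders must authorize against query.organization_id, the org this import writes to`. The body of post_org_import continues outside the hunk.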
@@ -901,3 +898,59 @@ fn post_org_import( let mut user = headers.user; user.update_revision(&conn) } + +#[get("/organizations/<org_id>/policies")] +fn list_policies(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult { + let policies = OrgPolicy::find_by_org(&org_id, &conn); + let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect(); + + Ok(Json(json!({ + "Data": policies_json, + "Object": "list", + "ContinuationToken": null + }))) +} + +#[get("/organizations/<org_id>/policies/<pol_type>")] +fn get_policy(org_id: String, pol_type: i32, _headers: AdminHeaders, conn: DbConn) -> JsonResult { + let pol_type_enum = match OrgPolicyType::from_i32(pol_type) { + Some(pt) => pt, + None => err!("Invalid policy type"), + }; + + let policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) { + Some(p) => p, + None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()), + }; + + Ok(Json(policy.to_json())) +} + +#[derive(Deserialize)] +struct PolicyData { + enabled: bool, + #[serde(rename = "type")] + _type: i32, + data: Value, +} + +#[put("/organizations/<org_id>/policies/<pol_type>", data = "<data>")] +fn put_policy(org_id: String, pol_type: i32, data: Json<PolicyData>, _headers: AdminHeaders, conn: DbConn) -> JsonResult { + let data: PolicyData = data.into_inner(); + + let pol_type_enum = match OrgPolicyType::from_i32(pol_type) { + Some(pt) => pt, + None => err!("Invalid policy type"), + }; + + let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) { + Some(p) => p, + None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()), + }; + + policy.enabled = data.enabled; + policy.data = serde_json::to_string(&data.data)?; + policy.save(&conn)?; + + Ok(Json(policy.to_json())) +} +\ No newline at end of file diff --git a/src/auth.rs b/src/auth.rs 
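Review bot: `put_policy` deserializes the body's `type` into `PolicyData::_type` but never compares it with the `pol_type` path parameter, so a request whose body and URL disagree is silently stored under the URL's type; a guard such as `if data._type != pol_type { err!("Policy type mismatch") }` right after `data.into_inner()` would reject it. `data.data` is also persisted as arbitrary JSON with no per-type shape or size check, and `sync` later returns it to members as `"Data"`. All three new handlers take `org_id` from the path and leave authorization to the otherwise unused `_headers: AdminHeaders` guard; its binding to that same `org_id` is not visible in this hunk and deserves a one-line comment on each route.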
@@ -4,6 +4,7 @@ use crate::util::read_file; use chrono::{Duration, Utc}; use once_cell::sync::Lazy; +use num_traits::FromPrimitive; use jsonwebtoken::{self, Algorithm, Header}; use serde::de::DeserializeOwned; @@ -385,6 +386,16 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminHeaders { } } +impl Into<Headers> for AdminHeaders { + fn into(self) -> Headers { + Headers { + host: self.host, + device: self.device, + user: self.user + } + } +} + pub struct OwnerHeaders { pub host: String, pub device: Device, diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs @@ -7,6 +7,7 @@ mod user; mod collection; mod organization; mod two_factor; +mod org_policy; pub use self::attachment::Attachment; pub use self::cipher::Cipher; @@ -17,3 +18,4 @@ pub use self::organization::Organization; pub use self::organization::{UserOrgStatus, UserOrgType, UserOrganization}; pub use self::two_factor::{TwoFactor, TwoFactorType}; pub use self::user::{Invitation, User}; +pub use self::org_policy::{OrgPolicy, OrgPolicyType}; +\ No newline at end of file diff --git a/src/db/models/org_policy.rs b/src/db/models/org_policy.rs 
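Review bot: `impl Into<Headers> for AdminHeaders` is better written as `impl From<AdminHeaders> for Headers { fn from(h: AdminHeaders) -> Self { ... } }`; the standard blanket impl then supplies `into()`, so the `let headers: Headers = headers.into();` call in `post_org_import` keeps working unchanged. The conversion copies only `host`, `device` and `user`, and the full field list of `AdminHeaders` is outside the hunk. A short doc comment saying that the resulting `Headers` no longer carries any proof of an admin role would help readers of code that only sees `Headers`.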
@@ -0,0 +1,142 @@
+use diesel;
+use diesel::prelude::*;
+use serde_json::Value;
+
+use crate::api::EmptyResult;
+use crate::db::schema::org_policies;
+use crate::db::DbConn;
+use crate::error::MapResult;
+
+use super::Organization;
+
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
+#[table_name = "org_policies"]
+#[belongs_to(Organization, foreign_key = "org_uuid")]
+#[primary_key(uuid)]
+pub struct OrgPolicy {
+ pub uuid: String,
+ pub org_uuid: String,
+ pub atype: i32,
+ pub enabled: bool,
+ pub data: String,
+}
+
+#[allow(dead_code)]
+#[derive(FromPrimitive)]
+pub enum OrgPolicyType {
+ TwoFactorAuthentication = 0,
+ MasterPassword = 1,
+ PasswordGenerator = 2,
+}
+
+/// Local methods
+impl OrgPolicy {
+ pub fn new(org_uuid: String, atype: OrgPolicyType, data: String) -> Self {
+ Self {
+ uuid: crate::util::get_uuid(),
+ org_uuid,
+ atype: atype as i32,
+ enabled: false,
+ data,
+ }
+ }
+
+ pub fn to_json(&self) -> Value {
+ let data_json: Value = serde_json::from_str(&self.data).unwrap_or(Value::Null);
+ json!({
+ "Id": self.uuid,
+ "OrganizationId": self.org_uuid,
+ "Type": self.atype,
+ "Data": data_json,
+ "Enabled": self.enabled,
+ "Object": "policy",
+ })
+ }
+}
+
+/// Database methods
+impl OrgPolicy {
+ #[cfg(feature = "postgresql")]
+ pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+ // We need to make sure we're not going to violate the unique constraint on org_uuid and atype.
+ // This happens automatically on other DBMS backends due to replace_into(). PostgreSQL does
+ // not support multiple constraints on ON CONFLICT clauses.
+ diesel::delete( + org_policies::table + .filter(org_policies::org_uuid.eq(&self.org_uuid)) + .filter(org_policies::atype.eq(&self.atype)), + ) + .execute(&**conn) + .map_res("Error deleting org_policy for insert")?; + + diesel::insert_into(org_policies::table) + .values(self) + .on_conflict(org_policies::uuid) + .do_update() + .set(self) + .execute(&**conn) + .map_res("Error saving org_policy") + } + + #[cfg(not(feature = "postgresql"))] + pub fn save(&mut self, conn: &DbConn) -> EmptyResult { + diesel::replace_into(org_policies::table) + .values(&*self) + .execute(&**conn) + .map_res("Error saving org_policy") + } + + pub fn delete(self, conn: &DbConn) -> EmptyResult { + diesel::delete(org_policies::table.filter(org_policies::uuid.eq(self.uuid))) + .execute(&**conn) + .map_res("Error deleting org_policy") + } + + pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> { + org_policies::table + .filter(org_policies::uuid.eq(uuid)) + .first::<Self>(&**conn) + .ok() + } + + pub fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> { + org_policies::table + .filter(org_policies::org_uuid.eq(org_uuid)) + .load::<Self>(&**conn) + .expect("Error loading org_policy") + } + + pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> { + use crate::db::schema::users_organizations; + + org_policies::table + .left_join( + users_organizations::table.on( + users_organizations::org_uuid.eq(org_policies::org_uuid) + .and(users_organizations::user_uuid.eq(user_uuid))) + ) + .select(org_policies::all_columns) + .load::<Self>(&**conn) + .expect("Error loading org_policy") + } + + pub fn find_by_org_and_type(org_uuid: &str, atype: i32, conn: &DbConn) -> Option<Self> { + org_policies::table + .filter(org_policies::org_uuid.eq(org_uuid)) + .filter(org_policies::atype.eq(atype)) + .first::<Self>(&**conn) + .ok() + } + + pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult { + 
diesel::delete(org_policies::table.filter(org_policies::org_uuid.eq(org_uuid))) + .execute(&**conn) + .map_res("Error deleting org_policy") + } + + /*pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult { + diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(user_uuid))) + .execute(&**conn) + .map_res("Error deleting twofactors") + }*/ +} diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs @@ -1,7 +1,8 @@ use serde_json::Value; use std::cmp::Ordering; +use num_traits::FromPrimitive; -use super::{CollectionUser, User}; +use super::{CollectionUser, User, OrgPolicy}; #[derive(Debug, Identifiable, Queryable, Insertable, AsChangeset)] #[table_name = "organizations"] @@ -33,6 +34,7 @@ pub enum UserOrgStatus { } #[derive(Copy, Clone, PartialEq, Eq)] +#[derive(FromPrimitive)] pub enum UserOrgType { Owner = 0, Admin = 1, @@ -135,16 +137,6 @@ impl UserOrgType { _ => None, } } - - pub fn from_i32(i: i32) -> Option<Self> { - match i { - 0 => Some(UserOrgType::Owner), - 1 => Some(UserOrgType::Admin), - 2 => Some(UserOrgType::User), - 3 => Some(UserOrgType::Manager), - _ => None, - } - } } /// Local methods @@ -170,6 +162,7 @@ impl Organization { "UseEvents": false, "UseGroups": false, "UseTotp": true, + "UsePolicies": true, "BusinessName": null, "BusinessAddress1": null, @@ -250,6 +243,7 @@ impl Organization { Cipher::delete_all_by_organization(&self.uuid, &conn)?; Collection::delete_all_by_organization(&self.uuid, &conn)?; UserOrganization::delete_all_by_organization(&self.uuid, &conn)?; + OrgPolicy::delete_all_by_organization(&self.uuid, &conn)?; diesel::delete(organizations::table.filter(organizations::uuid.eq(self.uuid))) .execute(&**conn) @@ -267,7 +261,7 @@ impl Organization { impl UserOrganization { pub fn to_json(&self, conn: &DbConn) -> Value { let org = Organization::find_by_uuid(&self.org_uuid, conn).unwrap(); - + json!({ "Id": self.org_uuid, "Name": org.name, 
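Review bot: `OrgPolicy::find_by_user` does not restrict its result to the user's organizations: it uses `left_join` on `users_organizations` with the user match inside the `on(...)` clause and no `filter`, so every row of `org_policies` is selected whether or not a membership row matched. Because `sync` in `src/api/core/ciphers.rs` returns this list as `"Policies"`, each authenticated user would receive the policies (with `OrganizationId` and `Data`) of every organization on the server. Replacing `.left_join(` with `.inner_join(` and keeping the same `on(...)` condition limits the result to organizations the user belongs to; restricting it further to confirmed memberships may also be appropriate, though the status column is not visible in this diff. Separately, `find_by_org` and `find_by_user` call `.expect("Error loading org_policy")`, so a database error panics the request instead of surfacing as an error.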
@@ -280,6 +274,7 @@ impl UserOrganization { "UseEvents": false, "UseGroups": false, "UseTotp": true, + "UsePolicies": true, "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side diff --git a/src/db/schemas/mysql/schema.rs b/src/db/schemas/mysql/schema.rs @@ -78,6 +78,16 @@ table! { } table! { + org_policies (uuid) { + uuid -> Varchar, + org_uuid -> Varchar, + atype -> Integer, + enabled -> Bool, + data -> Text, + } +} + +table! { organizations (uuid) { uuid -> Varchar, name -> Text, @@ -155,6 +165,7 @@ joinable!(devices -> users (user_uuid)); joinable!(folders -> users (user_uuid)); joinable!(folders_ciphers -> ciphers (cipher_uuid)); joinable!(folders_ciphers -> folders (folder_uuid)); +joinable!(org_policies -> organizations (org_uuid)); joinable!(twofactor -> users (user_uuid)); joinable!(users_collections -> collections (collection_uuid)); joinable!(users_collections -> users (user_uuid)); @@ -170,6 +181,7 @@ allow_tables_to_appear_in_same_query!( folders, folders_ciphers, invitations, + org_policies, organizations, twofactor, users, diff --git a/src/db/schemas/postgresql/schema.rs b/src/db/schemas/postgresql/schema.rs @@ -78,6 +78,16 @@ table! { } table! { + org_policies (uuid) { + uuid -> Text, + org_uuid -> Text, + atype -> Integer, + enabled -> Bool, + data -> Text, + } +} + +table! { organizations (uuid) { uuid -> Text, name -> Text, @@ -155,6 +165,7 @@ joinable!(devices -> users (user_uuid)); joinable!(folders -> users (user_uuid)); joinable!(folders_ciphers -> ciphers (cipher_uuid)); joinable!(folders_ciphers -> folders (folder_uuid)); +joinable!(org_policies -> organizations (org_uuid)); joinable!(twofactor -> users (user_uuid)); joinable!(users_collections -> collections (collection_uuid)); joinable!(users_collections -> users (user_uuid)); @@ -170,6 +181,7 @@ allow_tables_to_appear_in_same_query!( folders, folders_ciphers, invitations, + org_policies, organizations, twofactor, users, 
diff --git a/src/db/schemas/sqlite/schema.rs b/src/db/schemas/sqlite/schema.rs @@ -78,6 +78,16 @@ table! { } table! { + org_policies (uuid) { + uuid -> Text, + org_uuid -> Text, + atype -> Integer, + enabled -> Bool, + data -> Text, + } +} + +table! { organizations (uuid) { uuid -> Text, name -> Text, @@ -155,6 +165,7 @@ joinable!(devices -> users (user_uuid)); joinable!(folders -> users (user_uuid)); joinable!(folders_ciphers -> ciphers (cipher_uuid)); joinable!(folders_ciphers -> folders (folder_uuid)); +joinable!(org_policies -> organizations (org_uuid)); joinable!(twofactor -> users (user_uuid)); joinable!(users_collections -> collections (collection_uuid)); joinable!(users_collections -> users (user_uuid)); @@ -170,6 +181,7 @@ allow_tables_to_appear_in_same_query!( folders, folders_ciphers, invitations, + org_policies, organizations, twofactor, users,