vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit 514a372bc85fd495d331f240e35377a8ebdfb3c4
parent f578019df6597cf130c0e7879478271bf4193dbc
Author: Miroslav Prasil <miroslav@prasil.info>
Date:   Mon, 30 Apr 2018 10:52:15 +0100

Add per-user folder-cipher mapping

Diffstat:
Amigrations/2018-04-27-155151_create_users_ciphers/up.sql | 33+++++++++++++++++++++++++++++++++
Msrc/api/core/ciphers.rs | 46+++++++++++++++++++++++-----------------------
Msrc/api/core/organizations.rs | 7++++---
Msrc/api/identity.rs | 2+-
Msrc/db/models/cipher.rs | 100++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------
Msrc/db/models/collection.rs | 12++++++++++--
Msrc/db/models/folder.rs | 45+++++++++++++++++++++++++++++++++++++++++++--
Msrc/db/models/mod.rs | 2+-
Msrc/db/models/organization.rs | 4++--
Msrc/db/models/user.rs | 2+-
Msrc/db/schema.rs | 14+++++++++++---
11 files changed, 218 insertions(+), 49 deletions(-)

diff --git a/migrations/2018-04-27-155151_create_users_ciphers/up.sql b/migrations/2018-04-27-155151_create_users_ciphers/up.sql @@ -0,0 +1,32 @@ +ALTER TABLE ciphers RENAME TO oldCiphers; + +CREATE TABLE ciphers ( + uuid TEXT NOT NULL PRIMARY KEY, + created_at DATETIME NOT NULL, + updated_at DATETIME NOT NULL, + user_uuid TEXT REFERENCES users (uuid), -- Make this optional + organization_uuid TEXT REFERENCES organizations (uuid), -- Add reference to orgs table + -- Remove folder_uuid + type INTEGER NOT NULL, + name TEXT NOT NULL, + notes TEXT, + fields TEXT, + data TEXT NOT NULL, + favorite BOOLEAN NOT NULL +); + +CREATE TABLE folders_ciphers ( + cipher_uuid TEXT NOT NULL REFERENCES ciphers (uuid), + folder_uuid TEXT NOT NULL REFERENCES folders (uuid), + + PRIMARY KEY (cipher_uuid, folder_uuid) +); + +INSERT INTO ciphers (uuid, created_at, updated_at, organization_uuid, type, name, notes, fields, data, favorite) +SELECT uuid, created_at, updated_at, organization_uuid, type, name, notes, fields, data, favorite FROM oldCiphers; + +INSERT INTO folders_ciphers (cipher_uuid, folder_uuid) +SELECT uuid, folder_uuid FROM oldCiphers WHERE folder_uuid IS NOT NULL; + + +DROP TABLE oldCiphers; +\ No newline at end of file diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs @@ -29,7 +29,7 @@ fn sync(headers: Headers, conn: DbConn) -> JsonResult { let folders_json: Vec<Value> = folders.iter().map(|c| c.to_json()).collect(); let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn); - let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&headers.host, &conn)).collect(); + let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&headers.host, &headers.user.uuid, &conn)).collect(); let domains_json = api::core::get_eq_domains(headers).unwrap().into_inner(); @@ -47,7 +47,7 @@ fn sync(headers: Headers, conn: DbConn) -> JsonResult { fn get_ciphers(headers: Headers, conn: DbConn) -> JsonResult { let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn); - let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&headers.host, &conn)).collect(); + let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&headers.host, &headers.user.uuid, &conn)).collect(); Ok(Json(json!({ "Data": ciphers_json, @@ -62,11 +62,11 @@ fn get_cipher(uuid: String, headers: Headers, conn: DbConn) -> JsonResult { None => err!("Cipher doesn't exist") }; - if cipher.user_uuid != headers.user.uuid { + if !cipher.is_accessible_to_user(&headers.user.uuid, &conn) { err!("Cipher is not owned by user") } - Ok(Json(cipher.to_json(&headers.host, &conn))) + Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn))) } #[derive(Deserialize, Debug)] @@ -109,12 +109,12 @@ fn post_ciphers(data: Json<CipherData>, headers: Headers, conn: DbConn) -> JsonR let user_uuid = headers.user.uuid.clone(); let favorite = data.favorite.unwrap_or(false); - let mut cipher = Cipher::new(user_uuid, data.type_, data.name.clone(), favorite); + let mut cipher = Cipher::new(Some(user_uuid), None, data.type_, data.name.clone(), favorite); update_cipher_from_data(&mut cipher, data, &headers, &conn)?; cipher.save(&conn); - Ok(Json(cipher.to_json(&headers.host, &conn))) + Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn))) } fn update_cipher_from_data(cipher: &mut Cipher, data: CipherData, headers: &Headers, conn: &DbConn) -> EmptyResult { @@ -174,7 +174,7 @@ fn update_cipher_from_data(cipher: &mut Cipher, data: CipherData, headers: &Head // Copy the type data and change the names to the correct case copy_values(&type_data, &mut values); - cipher.folder_uuid = data.folderId; + cipher.move_to_folder(data.folderId, &headers.user.uuid, &conn); cipher.name = data.name; cipher.notes = data.notes; cipher.fields = uppercase_fields.map(|f| f.to_string()); @@ -247,11 +247,11 @@ fn post_ciphers_import(data: Json<ImportData>, headers: Headers, conn: DbConn) - let user_uuid = headers.user.uuid.clone(); let favorite = cipher_data.favorite.unwrap_or(false); - let mut cipher = Cipher::new(user_uuid, cipher_data.type_, cipher_data.name.clone(), favorite); + let mut cipher = Cipher::new(Some(user_uuid), None, cipher_data.type_, cipher_data.name.clone(), favorite); if update_cipher_from_data(&mut cipher, cipher_data, &headers, &conn).is_err() { err!("Error creating cipher") } - cipher.folder_uuid = folder_uuid; + //cipher.folder_uuid = folder_uuid; // TODO: This needs to create new folder-cipher mapping cipher.save(&conn); index += 1; @@ -274,8 +274,8 @@ fn put_cipher(uuid: String, data: Json<CipherData>, headers: Headers, conn: DbCo None => err!("Cipher doesn't exist") }; - if cipher.user_uuid != headers.user.uuid { - err!("Cipher is not owned by user") + if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) { + err!("Cipher is not write accessible") } cipher.favorite = data.favorite.unwrap_or(false); @@ -283,7 +283,7 @@ fn put_cipher(uuid: String, data: Json<CipherData>, headers: Headers, conn: DbCo update_cipher_from_data(&mut cipher, data, &headers, &conn)?; cipher.save(&conn); - Ok(Json(cipher.to_json(&headers.host, &conn))) + Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn))) } @@ -294,8 +294,8 @@ fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers None => err!("Cipher doesn't exist") }; - if cipher.user_uuid != headers.user.uuid { - err!("Cipher is not owned by user") + if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) { + err!("Cipher is not write accessible") } let mut params = content_type.params(); @@ -323,7 +323,7 @@ fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers attachment.save(&conn); }).expect("Error processing multipart data"); - Ok(Json(cipher.to_json(&headers.host, &conn))) + Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn))) } #[post("/ciphers/<uuid>/attachment/<attachment_id>/delete")] @@ -347,8 +347,8 @@ fn delete_attachment(uuid: String, attachment_id: String, headers: Headers, conn None => err!("Cipher doesn't exist") }; - if cipher.user_uuid != headers.user.uuid { - err!("Cipher is not owned by user") + if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) { + err!("Cipher cannot be deleted by user") } // Delete attachment @@ -399,7 +399,7 @@ fn move_cipher_selected(data: Json<Value>, headers: Headers, conn: DbConn) -> Em if folder.user_uuid != headers.user.uuid { err!("Folder is not owned by user") } - Some(folder_id.to_string()) + Some(folder.uuid) } None => err!("Folder doesn't exist") } @@ -424,12 +424,12 @@ fn move_cipher_selected(data: Json<Value>, headers: Headers, conn: DbConn) -> Em None => err!("Cipher doesn't exist") }; - if cipher.user_uuid != headers.user.uuid { - err!("Cipher is not owned by user") + if !cipher.is_accessible_to_user(&headers.user.uuid, &conn) { + err!("Cipher is not accessible by user") } // Move cipher - cipher.folder_uuid = folder_id.clone(); + cipher.move_to_folder(folder_id.clone(), &headers.user.uuid, &conn); cipher.save(&conn); } @@ -464,8 +464,8 @@ fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn) -> Empty None => err!("Cipher doesn't exist"), }; - if cipher.user_uuid != headers.user.uuid { - err!("Cipher is not owned by user") + if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) { + err!("Cipher can't be deleted by user") } _delete_cipher(cipher, conn); diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs @@ -109,6 +109,7 @@ fn get_user_collections(headers: Headers, conn: DbConn) -> JsonResult { Ok(Json(json!({ "Data": Collection::find_by_user_uuid(&headers.user.uuid, &conn) + .expect("Error loading collections") .iter() .map(|collection| { collection.to_json() @@ -121,9 +122,9 @@ fn get_user_collections(headers: Headers, conn: DbConn) -> JsonResult { fn get_org_collections(org_id: String, headers: Headers, conn: DbConn) -> JsonResult { Ok(Json(json!({ "Data": - Collection::find_by_user_uuid(&headers.user.uuid, &conn) + Collection::find_by_organization_and_user_uuid(&org_id, &headers.user.uuid, &conn) + .unwrap_or(vec![]) .iter() - .filter(|collection| { collection.org_uuid == org_id }) .map(|collection| { collection.to_json() }).collect::<Value>(), @@ -230,7 +231,7 @@ struct OrgIdData { #[get("/ciphers/organization-details?<data>")] fn get_org_details(data: OrgIdData, headers: Headers, conn: DbConn) -> JsonResult { let ciphers = Cipher::find_by_org(&data.organizationId, &conn); - let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&headers.host, &conn)).collect(); + let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&headers.host, &headers.user.uuid, &conn)).collect(); Ok(Json(json!({ "Data": ciphers_json, diff --git a/src/api/identity.rs b/src/api/identity.rs @@ -97,7 +97,7 @@ fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn) }; let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap(); - let orgs = UserOrganization::find_by_user(&user.uuid, &conn); + let orgs = UserOrganization::find_by_user(&user.uuid, &conn).unwrap_or(vec![]); let (access_token, expires_in) = device.refresh_tokens(&user, orgs); device.save(&conn); diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs @@ -3,19 +3,19 @@ use serde_json::Value as JsonValue; use uuid::Uuid; -use super::User; +use super::{User, Organization, UserOrganization, FolderCipher}; #[derive(Debug, Identifiable, Queryable, Insertable, Associations)] #[table_name = "ciphers"] #[belongs_to(User, foreign_key = "user_uuid")] +#[belongs_to(Organization, foreign_key = "organization_uuid")] #[primary_key(uuid)] pub struct Cipher { pub uuid: String, pub created_at: NaiveDateTime, pub updated_at: NaiveDateTime, - pub user_uuid: String, - pub folder_uuid: Option<String>, + pub user_uuid: Option<String>, pub organization_uuid: Option<String>, /* @@ -36,7 +36,7 @@ pub struct Cipher { /// Local methods impl Cipher { - pub fn new(user_uuid: String, type_: i32, name: String, favorite: bool) -> Self { + pub fn new(user_uuid: Option<String>, organization_uuid: Option<String>, type_: i32, name: String, favorite: bool) -> Self { let now = Utc::now().naive_utc(); Self { @@ -45,8 +45,7 @@ impl Cipher { updated_at: now, user_uuid, - folder_uuid: None, - organization_uuid: None, + organization_uuid, type_, favorite, @@ -63,11 +62,11 @@ impl Cipher { use diesel; use diesel::prelude::*; use db::DbConn; -use db::schema::ciphers; +use db::schema::*; /// Database methods impl Cipher { - pub fn to_json(&self, host: &str, conn: &DbConn) -> JsonValue { + pub fn to_json(&self, host: &str, user_uuid: &str, conn: &DbConn) -> JsonValue { use serde_json; use util::format_date; use super::Attachment; @@ -94,7 +93,7 @@ impl Cipher { "Id": self.uuid, "Type": self.type_, "RevisionDate": format_date(&self.updated_at), - "FolderId": self.folder_uuid, + "FolderId": self.get_folder_uuid(&user_uuid, &conn), "Favorite": self.favorite, "OrganizationId": self.organization_uuid, "Attachments": attachments_json, @@ -142,6 +141,84 @@ impl Cipher { } } + pub fn move_to_folder(&self, folder_uuid: Option<String>, user_uuid: &str, conn: &DbConn) -> Result<(), &str> { + match self.get_folder_uuid(&user_uuid, &conn) { + None => { + match folder_uuid { + Some(new_folder) => { + let folder_cipher = FolderCipher::new(&new_folder, &self.uuid); + folder_cipher.save(&conn).or(Err("Couldn't save folder setting")) + }, + None => Ok(()) //nothing to do + } + }, + Some(current_folder) => { + match folder_uuid { + Some(new_folder) => { + if current_folder == new_folder { + Ok(()) //nothing to do + } else { + match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) { + Some(current_folder) => { + current_folder.delete(&conn).or(Err("Failed removing old folder mapping")) + }, + None => Ok(()) // Weird, but nothing to do + }; + + FolderCipher::new(&new_folder, &self.uuid) + .save(&conn).or(Err("Couldn't save folder setting")) + } + }, + None => { + match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) { + Some(current_folder) => { + current_folder.delete(&conn).or(Err("Failed removing old folder mapping")) + }, + None => Err("Couldn't move from previous folder") + } + } + } + } + } + } + + pub fn is_write_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool { + match ciphers::table + .filter(ciphers::user_uuid.eq(user_uuid)) + .filter(ciphers::uuid.eq(&self.uuid)) + .first::<Self>(&**conn).ok() { + Some(_) => true, // cipher directly owned by user + None =>{ + match self.organization_uuid { + Some(ref org_uuid) => { + match users_organizations::table + .filter(users_organizations::org_uuid.eq(org_uuid)) + .filter(users_organizations::user_uuid.eq(user_uuid)) + .filter(users_organizations::access_all.eq(true)) + .first::<UserOrganization>(&**conn).ok() { + Some(_) => true, + None => false //TODO R/W access on collection + } + }, + None => false // cipher not in organization and not owned by user + } + } + } + } + + pub fn is_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool { + // TODO also check for read-only access + self.is_write_accessible_to_user(user_uuid, conn) + } + + pub fn get_folder_uuid(&self, user_uuid: &str, conn: &DbConn) -> Option<String> { + folders_ciphers::table.inner_join(folders::table) + .filter(folders::user_uuid.eq(&user_uuid)) + .filter(folders_ciphers::cipher_uuid.eq(&self.uuid)) + .select(folders_ciphers::folder_uuid) + .first::<String>(&**conn).ok() + } + pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> { ciphers::table .filter(ciphers::uuid.eq(uuid)) @@ -161,8 +238,9 @@ impl Cipher { } pub fn find_by_folder(folder_uuid: &str, conn: &DbConn) -> Vec<Self> { - ciphers::table - .filter(ciphers::folder_uuid.eq(folder_uuid)) + folders_ciphers::table.inner_join(ciphers::table) + .filter(folders_ciphers::folder_uuid.eq(folder_uuid)) + .select(ciphers::all_columns) .load::<Self>(&**conn).expect("Error loading ciphers") } } diff --git a/src/db/models/collection.rs b/src/db/models/collection.rs @@ -66,11 +66,19 @@ impl Collection { .first::<Self>(&**conn).ok() } - pub fn find_by_user_uuid(user_uuid: &str, conn: &DbConn) -> Vec<Self> { + pub fn find_by_user_uuid(user_uuid: &str, conn: &DbConn) -> Option<Vec<Self>> { users_collections::table.inner_join(collections::table) .filter(users_collections::user_uuid.eq(user_uuid)) .select(collections::all_columns) - .load::<Self>(&**conn).expect("Error loading user collections") + .load::<Self>(&**conn).ok() + } + + pub fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &DbConn) -> Option<Vec<Self>> { + users_collections::table.inner_join(collections::table) + .filter(users_collections::user_uuid.eq(user_uuid)) + .filter(collections::org_uuid.eq(org_uuid)) + .select(collections::all_columns) + .load::<Self>(&**conn).ok() } pub fn find_by_uuid_and_user(uuid: &str, user_uuid: &str, conn: &DbConn) -> Option<Self> { diff --git a/src/db/models/folder.rs b/src/db/models/folder.rs @@ -3,7 +3,7 @@ use serde_json::Value as JsonValue; use uuid::Uuid; -use super::User; +use super::{User, Cipher}; #[derive(Debug, Identifiable, Queryable, Insertable, Associations)] #[table_name = "folders"] @@ -17,6 +17,16 @@ pub struct Folder { pub name: String, } +#[derive(Debug, Identifiable, Queryable, Insertable, Associations)] +#[table_name = "folders_ciphers"] +#[belongs_to(Cipher, foreign_key = "cipher_uuid")] +#[belongs_to(Folder, foreign_key = "folder_uuid")] +#[primary_key(cipher_uuid, folder_uuid)] +pub struct FolderCipher { + pub cipher_uuid: String, + pub folder_uuid: String, +} + /// Local methods impl Folder { pub fn new(user_uuid: String, name: String) -> Self { @@ -44,10 +54,19 @@ impl Folder { } } +impl FolderCipher { + pub fn new(cipher_uuid: &str, folder_uuid: &str) -> Self { + Self { + cipher_uuid: cipher_uuid.to_string(), + folder_uuid: folder_uuid.to_string(), + } + } +} + use diesel; use diesel::prelude::*; use db::DbConn; -use db::schema::folders; +use db::schema::{folders, folders_ciphers}; /// Database methods impl Folder { @@ -83,3 +102,25 @@ impl Folder { .load::<Self>(&**conn).expect("Error loading folders") } } + +impl FolderCipher { + pub fn save(&self, conn: &DbConn) -> QueryResult<()> { + diesel::replace_into(folders_ciphers::table) + .values(&*self) + .execute(&**conn).and(Ok(())) + } + + pub fn delete(self, conn: &DbConn) -> QueryResult<()> { + diesel::delete(folders_ciphers::table + .filter(folders_ciphers::cipher_uuid.eq(self.cipher_uuid)) + .filter(folders_ciphers::folder_uuid.eq(self.folder_uuid)) + ).execute(&**conn).and(Ok(())) + } + + pub fn find_by_folder_and_cipher(folder_uuid: &str, cipher_uuid: &str, conn: &DbConn) -> Option<Self> { + folders_ciphers::table + .filter(folders_ciphers::folder_uuid.eq(folder_uuid)) + .filter(folders_ciphers::cipher_uuid.eq(cipher_uuid)) + .first::<Self>(&**conn).ok() + } +} diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs @@ -10,7 +10,7 @@ mod organization; pub use self::attachment::Attachment; pub use self::cipher::Cipher; pub use self::device::Device; -pub use self::folder::Folder; +pub use self::folder::{Folder, FolderCipher}; pub use self::user::User; pub use self::organization::Organization; pub use self::organization::{UserOrganization, UserOrgStatus, UserOrgType}; diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs @@ -222,10 +222,10 @@ impl UserOrganization { .first::<Self>(&**conn).ok() } - pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> { + pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Option<Vec<Self>> { users_organizations::table .filter(users_organizations::user_uuid.eq(user_uuid)) - .load::<Self>(&**conn).expect("Error loading user organizations") + .load::<Self>(&**conn).ok() } pub fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> { diff --git a/src/db/models/user.rs b/src/db/models/user.rs @@ -128,7 +128,7 @@ impl User { pub fn to_json(&self, conn: &DbConn) -> JsonValue { use super::UserOrganization; - let orgs = UserOrganization::find_by_user(&self.uuid, conn); + let orgs = UserOrganization::find_by_user(&self.uuid, conn).unwrap_or(vec![]); let orgs_json: Vec<JsonValue> = orgs.iter().map(|c| c.to_json(&conn)).collect(); json!({ diff --git a/src/db/schema.rs b/src/db/schema.rs @@ -12,8 +12,7 @@ table! { uuid -> Text, created_at -> Timestamp, updated_at -> Timestamp, - user_uuid -> Text, - folder_uuid -> Nullable<Text>, + user_uuid -> Nullable<Text>, organization_uuid -> Nullable<Text>, #[sql_name = "type"] type_ -> Integer, @@ -107,8 +106,14 @@ table! { } } +table! { + folders_ciphers (cipher_uuid, folder_uuid) { + cipher_uuid -> Text, + folder_uuid -> Text, + } +} + joinable!(attachments -> ciphers (cipher_uuid)); -joinable!(ciphers -> folders (folder_uuid)); joinable!(ciphers -> users (user_uuid)); joinable!(collections -> organizations (org_uuid)); joinable!(devices -> users (user_uuid)); @@ -117,6 +122,8 @@ joinable!(users_collections -> collections (collection_uuid)); joinable!(users_collections -> users (user_uuid)); joinable!(users_organizations -> organizations (org_uuid)); joinable!(users_organizations -> users (user_uuid)); +joinable!(folders_ciphers -> ciphers (cipher_uuid)); +joinable!(folders_ciphers -> folders (folder_uuid)); allow_tables_to_appear_in_same_query!( attachments, @@ -128,4 +135,5 @@ allow_tables_to_appear_in_same_query!( users, users_collections, users_organizations, + folders_ciphers, );