commit 95494083f2b09417fef916f4d315cb5a38a78128 parent 9366e3145231034040d7d2e0216070163d6d889f Author: sirux88 <sirux88@gmail.com> Date: Wed, 25 Jan 2023 08:06:21 +0100 added database migration Diffstat:
13 files changed, 61 insertions(+), 6 deletions(-)
diff --git a/migrations/mysql/2023-01-06-151600_add_reset_password_support/down.sql b/migrations/mysql/2023-01-06-151600_add_reset_password_support/down.sql diff --git a/migrations/mysql/2023-01-06-151600_add_reset_password_support/up.sql b/migrations/mysql/2023-01-06-151600_add_reset_password_support/up.sql @@ -0,0 +1,2 @@ +ALTER TABLE users_organizations +ADD COLUMN reset_password_key VARCHAR(255); diff --git a/migrations/postgresql/2023-01-06-151600_add_reset_password_support/down.sql b/migrations/postgresql/2023-01-06-151600_add_reset_password_support/down.sql diff --git a/migrations/postgresql/2023-01-06-151600_add_reset_password_support/up.sql b/migrations/postgresql/2023-01-06-151600_add_reset_password_support/up.sql @@ -0,0 +1,2 @@ +ALTER TABLE users_organizations +ADD COLUMN reset_password_key TEXT; diff --git a/migrations/sqlite/2023-01-06-151600_add_reset_password_support/down.sql b/migrations/sqlite/2023-01-06-151600_add_reset_password_support/down.sql diff --git a/migrations/sqlite/2023-01-06-151600_add_reset_password_support/up.sql b/migrations/sqlite/2023-01-06-151600_add_reset_password_support/up.sql @@ -0,0 +1,2 @@ +ALTER TABLE users_organizations +ADD COLUMN reset_password_key TEXT; diff --git a/src/db/models/event.rs b/src/db/models/event.rs @@ -87,9 +87,9 @@ pub enum EventType { OrganizationUserRemoved = 1503, OrganizationUserUpdatedGroups = 1504, // OrganizationUserUnlinkedSso = 1505, // Not supported - // OrganizationUserResetPasswordEnroll = 1506, // Not supported - // OrganizationUserResetPasswordWithdraw = 1507, // Not supported - // OrganizationUserAdminResetPassword = 1508, // Not supported + OrganizationUserResetPasswordEnroll = 1506, + OrganizationUserResetPasswordWithdraw = 1507, + OrganizationUserAdminResetPassword = 1508, // OrganizationUserResetSsoLink = 1509, // Not supported // OrganizationUserFirstSsoLogin = 1510, // Not supported OrganizationUserRevoked = 1511, diff --git a/src/db/models/org_policy.rs b/src/db/models/org_policy.rs @@ -32,7 +32,7 @@ pub enum OrgPolicyType { PersonalOwnership = 5, DisableSend = 6, SendOptions = 7, - // ResetPassword = 8, // Not supported + ResetPassword = 8, // MaximumVaultTimeout = 9, // Not supported (Not AGPLv3 Licensed) // DisablePersonalVaultExport = 10, // Not supported (Not AGPLv3 Licensed) } @@ -44,6 +44,13 @@ pub struct SendOptionsPolicyData { pub DisableHideEmail: bool, } +// https://github.com/bitwarden/server/blob/5cbdee137921a19b1f722920f0fa3cd45af2ef0f/src/Core/Models/Data/Organizations/Policies/ResetPasswordDataModel.cs +#[derive(Deserialize)] +#[allow(non_snake_case)] +pub struct ResetPasswordDataModel { + pub AutoEnrollEnabled: bool, +} + pub type OrgPolicyResult = Result<(), OrgPolicyErr>; #[derive(Debug)] @@ -298,6 +305,20 @@ impl OrgPolicy { Ok(()) } + pub async fn org_is_reset_password_auto_enroll(org_uuid: &str, conn: &mut DbConn) -> bool { + match OrgPolicy::find_by_org_and_type(org_uuid, OrgPolicyType::ResetPassword, conn).await { + Some(policy) => match serde_json::from_str::<UpCase<ResetPasswordDataModel>>(&policy.data) { + Ok(opts) => { + return opts.data.AutoEnrollEnabled; + } + _ => error!("Failed to deserialize ResetPasswordDataModel: {}", policy.data), + }, + None => return false, + } + + false + } + /// Returns true if the user belongs to an org that has enabled the `DisableHideEmail` /// option of the `Send Options` policy, and the user is not an owner or admin of that org. pub async fn is_hide_email_disabled(user_uuid: &str, conn: &mut DbConn) -> bool { diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs @@ -29,6 +29,7 @@ db_object! { pub akey: String, pub status: i32, pub atype: i32, + pub reset_password_key: Option<String>, } } @@ -158,7 +159,7 @@ impl Organization { "SelfHost": true, "UseApi": false, // Not supported "HasPublicAndPrivateKeys": self.private_key.is_some() && self.public_key.is_some(), - "UseResetPassword": false, // Not supported + "UseResetPassword": true, "BusinessName": null, "BusinessAddress1": null, @@ -194,6 +195,7 @@ impl UserOrganization { akey: String::new(), status: UserOrgStatus::Accepted as i32, atype: UserOrgType::User as i32, + reset_password_key: None, } } @@ -311,7 +313,8 @@ impl UserOrganization { "UseApi": false, // Not supported "SelfHost": true, "HasPublicAndPrivateKeys": org.private_key.is_some() && org.public_key.is_some(), - "ResetPasswordEnrolled": false, // Not supported + "ResetPasswordEnrolled": self.reset_password_key.is_some(), + "UseResetPassword": true, "SsoBound": false, // Not supported "UseSso": false, // Not supported "ProviderId": null, @@ -377,6 +380,7 @@ impl UserOrganization { "Type": self.atype, "AccessAll": self.access_all, "TwoFactorEnabled": twofactor_enabled, + "ResetPasswordEnrolled":self.reset_password_key.is_some(), "Object": "organizationUserUserDetails", }) diff --git a/src/db/models/user.rs b/src/db/models/user.rs @@ -178,6 +178,27 @@ impl User { self.security_stamp = crate::util::get_uuid(); } + /// Set the password hash generated + /// And resets the security_stamp. Based upon the allow_next_route the security_stamp will be different. + /// + /// # Arguments + /// + /// * `new_password_hash` - A str which contains a hashed version of the users master password. + /// * `new_key` - A String which contains the new aKey value of the users master password. + /// * `allow_next_route` - A Option<Vec<String>> with the function names of the next allowed (rocket) routes. + /// These routes are able to use the previous stamp id for the next 2 minutes. + /// After these 2 minutes this stamp will expire. + /// + pub fn set_password_and_key( + &mut self, + new_password_hash: &str, + new_key: &str, + allow_next_route: Option<Vec<String>>, + ) { + self.set_password(new_password_hash, allow_next_route); + self.akey = String::from(new_key); + } + /// Set the stamp_exception to only allow a subsequent request matching a specific route using the current security-stamp. /// /// # Arguments diff --git a/src/db/schemas/mysql/schema.rs b/src/db/schemas/mysql/schema.rs @@ -222,6 +222,7 @@ table! { akey -> Text, status -> Integer, atype -> Integer, + reset_password_key -> Nullable<Text>, } } diff --git a/src/db/schemas/postgresql/schema.rs b/src/db/schemas/postgresql/schema.rs @@ -222,6 +222,7 @@ table! { akey -> Text, status -> Integer, atype -> Integer, + reset_password_key -> Nullable<Text>, } } diff --git a/src/db/schemas/sqlite/schema.rs b/src/db/schemas/sqlite/schema.rs @@ -222,6 +222,7 @@ table! { akey -> Text, status -> Integer, atype -> Integer, + reset_password_key -> Nullable<Text>, } }