vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit 96c2416903b211433c67f1a19f78a10421cd61e6
parent e19420160f24ddb17f2ad708bbba3865ddfd15d1
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Thu, 15 Jul 2021 21:51:52 +0200

Merge branch 'BlackDex-future-web-vault' into main

Diffstat:
Amigrations/mysql/2021-07-01-203140_add_password_reset_keys/down.sql | 0
Amigrations/mysql/2021-07-01-203140_add_password_reset_keys/up.sql | 5+++++
Amigrations/postgresql/2021-07-01-203140_add_password_reset_keys/down.sql | 0
Amigrations/postgresql/2021-07-01-203140_add_password_reset_keys/up.sql | 5+++++
Amigrations/sqlite/2021-07-01-203140_add_password_reset_keys/down.sql | 0
Amigrations/sqlite/2021-07-01-203140_add_password_reset_keys/up.sql | 5+++++
Msrc/api/core/accounts.rs | 10+++++++---
Asrc/api/core/emergency_access.rs | 24++++++++++++++++++++++++
Msrc/api/core/mod.rs | 2++
Msrc/api/core/organizations.rs | 43++++++++++++++++++++++++++++++++++++++++++-
Msrc/api/core/sends.rs | 8++++----
Msrc/auth.rs | 15+++++++++++++--
Msrc/db/models/organization.rs | 27++++++++++++++++++---------
Msrc/db/models/user.rs | 27+++++++++++++--------------
Msrc/db/schemas/mysql/schema.rs | 2++
Msrc/db/schemas/postgresql/schema.rs | 2++
Msrc/db/schemas/sqlite/schema.rs | 2++
Msrc/error.rs | 3+++
18 files changed, 147 insertions(+), 33 deletions(-)

diff --git a/migrations/mysql/2021-07-01-203140_add_password_reset_keys/down.sql b/migrations/mysql/2021-07-01-203140_add_password_reset_keys/down.sql diff --git a/migrations/mysql/2021-07-01-203140_add_password_reset_keys/up.sql b/migrations/mysql/2021-07-01-203140_add_password_reset_keys/up.sql @@ -0,0 +1,5 @@ +ALTER TABLE organizations + ADD COLUMN private_key TEXT; + +ALTER TABLE organizations + ADD COLUMN public_key TEXT; diff --git a/migrations/postgresql/2021-07-01-203140_add_password_reset_keys/down.sql b/migrations/postgresql/2021-07-01-203140_add_password_reset_keys/down.sql diff --git a/migrations/postgresql/2021-07-01-203140_add_password_reset_keys/up.sql b/migrations/postgresql/2021-07-01-203140_add_password_reset_keys/up.sql @@ -0,0 +1,5 @@ +ALTER TABLE organizations + ADD COLUMN private_key TEXT; + +ALTER TABLE organizations + ADD COLUMN public_key TEXT; diff --git a/migrations/sqlite/2021-07-01-203140_add_password_reset_keys/down.sql b/migrations/sqlite/2021-07-01-203140_add_password_reset_keys/down.sql diff --git a/migrations/sqlite/2021-07-01-203140_add_password_reset_keys/up.sql b/migrations/sqlite/2021-07-01-203140_add_password_reset_keys/up.sql @@ -0,0 +1,5 @@ +ALTER TABLE organizations + ADD COLUMN private_key TEXT; + +ALTER TABLE organizations + ADD COLUMN public_key TEXT; diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs @@ -231,7 +231,10 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon err!("Invalid password") } - user.set_password(&data.NewMasterPasswordHash, Some("post_rotatekey")); + user.set_password( + &data.NewMasterPasswordHash, + Some(vec![String::from("post_rotatekey"), String::from("get_contacts")]), + ); user.akey = data.Key; user.save(&conn) } @@ -320,7 +323,9 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt: err!("The cipher is not owned by the user") } - update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &conn, &nt, UpdateType::CipherUpdate)? + // Prevent triggering cipher updates via WebSockets by settings UpdateType::None + // The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues. + update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &conn, &nt, UpdateType::None)? } // Update user data @@ -329,7 +334,6 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt: user.akey = data.Key; user.private_key = Some(data.PrivateKey); user.reset_security_stamp(); - user.reset_stamp_exception(); user.save(&conn) } diff --git a/src/api/core/emergency_access.rs b/src/api/core/emergency_access.rs @@ -0,0 +1,24 @@ +use rocket::Route; +use rocket_contrib::json::Json; + +use crate::{api::JsonResult, auth::Headers, db::DbConn}; + +pub fn routes() -> Vec<Route> { + routes![get_contacts,] +} + +/// This endpoint is expected to return at least something. +/// If we return an error message that will trigger error toasts for the user. +/// To prevent this we just return an empty json result with no Data. +/// When this feature is going to be implemented it also needs to return this empty Data +/// instead of throwing an error/4XX unless it really is an error. +#[get("/emergency-access/trusted")] +fn get_contacts(_headers: Headers, _conn: DbConn) -> JsonResult { + debug!("Emergency access is not supported."); + + Ok(Json(json!({ + "Data": [], + "Object": "list", + "ContinuationToken": null + }))) +} diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs @@ -1,5 +1,6 @@ mod accounts; mod ciphers; +mod emergency_access; mod folders; mod organizations; mod sends; @@ -15,6 +16,7 @@ pub fn routes() -> Vec<Route> { let mut routes = Vec::new(); routes.append(&mut accounts::routes()); routes.append(&mut ciphers::routes()); + routes.append(&mut emergency_access::routes()); routes.append(&mut folders::routes()); routes.append(&mut organizations::routes()); routes.append(&mut two_factor::routes()); diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs @@ -51,6 +51,7 @@ pub fn routes() -> Vec<Route> { get_plans, get_plans_tax_rates, import, + post_org_keys, ] } @@ -61,6 +62,7 @@ struct OrgData { CollectionName: String, Key: String, Name: String, + Keys: Option<OrgKeyData>, #[serde(rename = "PlanType")] _PlanType: NumberOrString, // Ignored, always use the same plan } @@ -78,6 +80,13 @@ struct NewCollectionData { Name: String, } +#[derive(Deserialize)] +#[allow(non_snake_case)] +struct OrgKeyData { + EncryptedPrivateKey: String, + PublicKey: String, +} + #[post("/organizations", data = "<data>")] fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn) -> JsonResult { if !CONFIG.is_org_creation_allowed(&headers.user.email) { @@ -85,8 +94,14 @@ fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn } let data: OrgData = data.into_inner().data; + let (private_key, public_key) = if data.Keys.is_some() { + let keys: OrgKeyData = data.Keys.unwrap(); + (Some(keys.EncryptedPrivateKey), Some(keys.PublicKey)) + } else { + (None, None) + }; - let org = Organization::new(data.Name, data.BillingEmail); + let org = Organization::new(data.Name, data.BillingEmail, private_key, public_key); let mut user_org = UserOrganization::new(headers.user.uuid, org.uuid.clone()); let collection = Collection::new(org.uuid.clone(), data.CollectionName); @@ -468,6 +483,32 @@ fn get_org_users(org_id: String, _headers: ManagerHeadersLoose, conn: DbConn) -> })) } +#[post("/organizations/<org_id>/keys", data = "<data>")] +fn post_org_keys(org_id: String, data: JsonUpcase<OrgKeyData>, _headers: AdminHeaders, conn: DbConn) -> JsonResult { + let data: OrgKeyData = data.into_inner().data; + + let mut org = match Organization::find_by_uuid(&org_id, &conn) { + Some(organization) => { + if organization.private_key.is_some() && organization.public_key.is_some() { + err!("Organization Keys already exist") + } + organization + } + None => err!("Can't find organization details"), + }; + + org.private_key = Some(data.EncryptedPrivateKey); + org.public_key = Some(data.PublicKey); + + org.save(&conn)?; + + Ok(Json(json!({ + "Object": "organizationKeys", + "PublicKey": org.public_key, + "PrivateKey": org.private_key, + }))) +} + #[derive(Deserialize)] #[allow(non_snake_case)] struct CollectionData { diff --git a/src/api/core/sends.rs b/src/api/core/sends.rs @@ -166,8 +166,8 @@ fn post_send_file(data: Data, content_type: &ContentType, headers: Headers, conn let data = serde_json::from_str::<crate::util::UpCase<SendData>>(&buf)?; enforce_disable_hide_email_policy(&data.data, &headers, &conn)?; - // Get the file length and add an extra 10% to avoid issues - const SIZE_110_MB: u64 = 115_343_360; + // Get the file length and add an extra 5% to avoid issues + const SIZE_525_MB: u64 = 550_502_400; let size_limit = match CONFIG.user_attachment_limit() { Some(0) => err!("File uploads are disabled"), @@ -176,9 +176,9 @@ fn post_send_file(data: Data, content_type: &ContentType, headers: Headers, conn if left <= 0 { err!("Attachment storage limit reached! Delete some attachments to free up space") } - std::cmp::Ord::max(left as u64, SIZE_110_MB) + std::cmp::Ord::max(left as u64, SIZE_525_MB) } - None => SIZE_110_MB, + None => SIZE_525_MB, }; // Create the Send diff --git a/src/auth.rs b/src/auth.rs @@ -325,8 +325,19 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers { _ => err_handler!("Error getting current route for stamp exception"), }; - // Check if both match, if not this route is not allowed with the current security stamp. - if stamp_exception.route != current_route { + // Check if the stamp exception has expired first. + // Then, check if the current route matches any of the allowed routes. + // After that check the stamp in exception matches the one in the claims. + if Utc::now().naive_utc().timestamp() > stamp_exception.expire { + // If the stamp exception has been expired remove it from the database. + // This prevents checking this stamp exception for new requests. + let mut user = user; + user.reset_stamp_exception(); + if let Err(e) = user.save(&conn) { + error!("Error updating user: {:#?}", e); + } + err_handler!("Stamp exception is expired") + } else if !stamp_exception.routes.contains(&current_route.to_string()) { err_handler!("Invalid security stamp: Current route and exception route do not match") } else if stamp_exception.security_stamp != claims.sstamp { err_handler!("Invalid security stamp for matched stamp exception") diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs @@ -12,6 +12,8 @@ db_object! { pub uuid: String, pub name: String, pub billing_email: String, + pub private_key: Option<String>, + pub public_key: Option<String>, } #[derive(Identifiable, Queryable, Insertable, AsChangeset)] @@ -122,12 +124,13 @@ impl PartialOrd<UserOrgType> for i32 { /// Local methods impl Organization { - pub fn new(name: String, billing_email: String) -> Self { + pub fn new(name: String, billing_email: String, private_key: Option<String>, public_key: Option<String>) -> Self { Self { uuid: crate::util::get_uuid(), - name, billing_email, + private_key, + public_key, } } @@ -140,14 +143,16 @@ impl Organization { "MaxCollections": 10, // The value doesn't matter, we don't check server-side "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side "Use2fa": true, - "UseDirectory": false, - "UseEvents": false, - "UseGroups": false, + "UseDirectory": false, // Is supported, but this value isn't checked anywhere (yet) + "UseEvents": false, // not supported by us + "UseGroups": false, // not supported by us "UseTotp": true, "UsePolicies": true, "UseSso": false, // We do not support SSO "SelfHost": true, "UseApi": false, // not supported by us + "HasPublicAndPrivateKeys": self.private_key.is_some() && self.public_key.is_some(), + "ResetPasswordEnrolled": false, // not supported by us "BusinessName": null, "BusinessAddress1": null, @@ -269,13 +274,15 @@ impl UserOrganization { "UsersGetPremium": true, "Use2fa": true, - "UseDirectory": false, - "UseEvents": false, - "UseGroups": false, + "UseDirectory": false, // Is supported, but this value isn't checked anywhere (yet) + "UseEvents": false, // not supported by us + "UseGroups": false, // not supported by us "UseTotp": true, "UsePolicies": true, "UseApi": false, // not supported by us "SelfHost": true, + "HasPublicAndPrivateKeys": org.private_key.is_some() && org.public_key.is_some(), + "ResetPasswordEnrolled": false, // not supported by us "SsoBound": false, // We do not support SSO "UseSso": false, // We do not support SSO // TODO: Add support for Business Portal @@ -293,10 +300,12 @@ impl UserOrganization { // "AccessReports": false, // "ManageAllCollections": false, // "ManageAssignedCollections": false, + // "ManageCiphers": false, // "ManageGroups": false, // "ManagePolicies": false, + // "ManageResetPassword": false, // "ManageSso": false, - // "ManageUsers": false + // "ManageUsers": false, // }, "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side diff --git a/src/db/models/user.rs b/src/db/models/user.rs @@ -1,4 +1,4 @@ -use chrono::{NaiveDateTime, Utc}; +use chrono::{Duration, NaiveDateTime, Utc}; use serde_json::Value; use crate::crypto; @@ -63,8 +63,9 @@ enum UserStatus { #[derive(Serialize, Deserialize)] pub struct UserStampException { - pub route: String, + pub routes: Vec<String>, pub security_stamp: String, + pub expire: i64, } /// Local methods @@ -135,9 +136,11 @@ impl User { /// # Arguments /// /// * `password` - A str which contains a hashed version of the users master password. - /// * `allow_next_route` - A Option<&str> with the function name of the next allowed (rocket) route. + /// * `allow_next_route` - A Option<Vec<String>> with the function names of the next allowed (rocket) routes. + /// These routes are able to use the previous stamp id for the next 2 minutes. + /// After these 2 minutes this stamp will expire. /// - pub fn set_password(&mut self, password: &str, allow_next_route: Option<&str>) { + pub fn set_password(&mut self, password: &str, allow_next_route: Option<Vec<String>>) { self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32); if let Some(route) = allow_next_route { @@ -154,24 +157,20 @@ impl User { /// Set the stamp_exception to only allow a subsequent request matching a specific route using the current security-stamp. /// /// # Arguments - /// * `route_exception` - A str with the function name of the next allowed (rocket) route. + /// * `route_exception` - A Vec<String> with the function names of the next allowed (rocket) routes. + /// These routes are able to use the previous stamp id for the next 2 minutes. + /// After these 2 minutes this stamp will expire. /// - /// ### Future - /// In the future it could be posible that we need more of these exception routes. - /// In that case we could use an Vec<UserStampException> and add multiple exceptions. - pub fn set_stamp_exception(&mut self, route_exception: &str) { + pub fn set_stamp_exception(&mut self, route_exception: Vec<String>) { let stamp_exception = UserStampException { - route: route_exception.to_string(), + routes: route_exception, security_stamp: self.security_stamp.to_string(), + expire: (Utc::now().naive_utc() + Duration::minutes(2)).timestamp(), }; self.stamp_exception = Some(serde_json::to_string(&stamp_exception).unwrap_or_default()); } /// Resets the stamp_exception to prevent re-use of the previous security-stamp - /// - /// ### Future - /// In the future it could be posible that we need more of these exception routes. - /// In that case we could use an Vec<UserStampException> and add multiple exceptions. pub fn reset_stamp_exception(&mut self) { self.stamp_exception = None; } diff --git a/src/db/schemas/mysql/schema.rs b/src/db/schemas/mysql/schema.rs @@ -100,6 +100,8 @@ table! { uuid -> Text, name -> Text, billing_email -> Text, + private_key -> Nullable<Text>, + public_key -> Nullable<Text>, } } diff --git a/src/db/schemas/postgresql/schema.rs b/src/db/schemas/postgresql/schema.rs @@ -100,6 +100,8 @@ table! { uuid -> Text, name -> Text, billing_email -> Text, + private_key -> Nullable<Text>, + public_key -> Nullable<Text>, } } diff --git a/src/db/schemas/sqlite/schema.rs b/src/db/schemas/sqlite/schema.rs @@ -100,6 +100,8 @@ table! { uuid -> Text, name -> Text, billing_email -> Text, + private_key -> Nullable<Text>, + public_key -> Nullable<Text>, } } diff --git a/src/error.rs b/src/error.rs @@ -174,6 +174,9 @@ fn _api_error(_: &impl std::any::Any, msg: &str) -> String { "Message": msg, "Object": "error" }, + "ExceptionMessage": null, + "ExceptionStackTrace": null, + "InnerExceptionMessage": null, "Object": "error" }); _serialize(&json, "")