commit ca20b3d80c75e42b9229ab3a9625a334c83e79a8 parent 4ab936297186746f00a275182b8e01d54466fc3d Author: thelittlefireman <thelittlefireman@users.noreply.github.com> Date: Wed, 1 Sep 2021 12:54:47 +0200 [PATCH] Some fixes to the Emergency Access PR - Changed the date of the migration folders to be from this date. - Removed a lot of is_email_domain_allowed checks. This check only needs to be done during the invite itself, else everything else will fail even if a user has an account created via the /admin interface which bypasses that specific check! Also, the check was in the wrong place anyway, since it would only not send out an e-mail, but would still have allowed a not-allowed domain to be used when e-mail would have been disabled. While that check always works, even if sending e-mails is disabled. - Added an extra allowed route during password/key-rotation change which updates/checks the public-key afterwards. - A small change with some `Some` and `None` orders. - Change the new invite object to only generate the UTC time once, since it could be possible that there will be a second difference, and we only need to call it just once. by black.dex@gmail.com Signed-off-by: thelittlefireman <thelittlefireman@users.noreply.github.com> Diffstat:
15 files changed, 51 insertions(+), 91 deletions(-)
diff --git a/migrations/mysql/2021-02-10-174254_create_emergency_access/down.sql b/migrations/mysql/2021-02-10-174254_create_emergency_access/down.sql
@@ -1 +0,0 @@
-DROP TABLE emergency_access;
-\ No newline at end of file
diff --git a/migrations/mysql/2021-02-10-174254_create_emergency_access/up.sql b/migrations/mysql/2021-02-10-174254_create_emergency_access/up.sql
@@ -1,14 +0,0 @@
-CREATE TABLE emergency_access (
- uuid CHAR(36) NOT NULL PRIMARY KEY,
- grantor_uuid CHAR(36) REFERENCES users (uuid),
- grantee_uuid CHAR(36) REFERENCES users (uuid),
- email VARCHAR(255),
- key_encrypted TEXT,
- atype INTEGER NOT NULL,
- status INTEGER NOT NULL,
- wait_time_days INTEGER NOT NULL,
- recovery_initiated_at DATETIME,
- last_notification_at DATETIME,
- updated_at DATETIME NOT NULL,
- created_at DATETIME NOT NULL
-);
-\ No newline at end of file
diff --git a/migrations/mysql/2021-08-30-193501_create_emergency_access/down.sql b/migrations/mysql/2021-08-30-193501_create_emergency_access/down.sql
@@ -0,0 +1 @@
+DROP TABLE emergency_access;
diff --git a/migrations/mysql/2021-08-30-193501_create_emergency_access/up.sql b/migrations/mysql/2021-08-30-193501_create_emergency_access/up.sql
@@ -0,0 +1,14 @@
+CREATE TABLE emergency_access (
+ uuid CHAR(36) NOT NULL PRIMARY KEY,
+ grantor_uuid CHAR(36) REFERENCES users (uuid),
+ grantee_uuid CHAR(36) REFERENCES users (uuid),
+ email VARCHAR(255),
+ key_encrypted TEXT,
+ atype INTEGER NOT NULL,
+ status INTEGER NOT NULL,
+ wait_time_days INTEGER NOT NULL,
+ recovery_initiated_at DATETIME,
+ last_notification_at DATETIME,
+ updated_at DATETIME NOT NULL,
+ created_at DATETIME NOT NULL
+);
diff --git a/migrations/postgresql/2021-02-10-174254_create_emergency_access/down.sql b/migrations/postgresql/2021-02-10-174254_create_emergency_access/down.sql
@@ -1 +0,0 @@
-DROP TABLE emergency_access;
-\ No newline at end of file
diff --git a/migrations/postgresql/2021-02-10-174254_create_emergency_access/up.sql b/migrations/postgresql/2021-02-10-174254_create_emergency_access/up.sql
@@ -1,14 +0,0 @@
-CREATE TABLE emergency_access (
- uuid CHAR(36) NOT NULL PRIMARY KEY,
- grantor_uuid CHAR(36) REFERENCES users (uuid),
- grantee_uuid CHAR(36) REFERENCES users (uuid),
- email VARCHAR(255),
- key_encrypted TEXT,
- atype INTEGER NOT NULL,
- status INTEGER NOT NULL,
- wait_time_days INTEGER NOT NULL,
- recovery_initiated_at TIMESTAMP,
- last_notification_at TIMESTAMP,
- updated_at TIMESTAMP NOT NULL,
- created_at TIMESTAMP NOT NULL
-);
-\ No newline at end of file
diff --git a/migrations/postgresql/2021-08-30-193501_create_emergency_access/down.sql b/migrations/postgresql/2021-08-30-193501_create_emergency_access/down.sql
@@ -0,0 +1 @@
+DROP TABLE emergency_access;
diff --git a/migrations/postgresql/2021-08-30-193501_create_emergency_access/up.sql b/migrations/postgresql/2021-08-30-193501_create_emergency_access/up.sql
@@ -0,0 +1,14 @@
+CREATE TABLE emergency_access (
+ uuid CHAR(36) NOT NULL PRIMARY KEY,
+ grantor_uuid CHAR(36) REFERENCES users (uuid),
+ grantee_uuid CHAR(36) REFERENCES users (uuid),
+ email VARCHAR(255),
+ key_encrypted TEXT,
+ atype INTEGER NOT NULL,
+ status INTEGER NOT NULL,
+ wait_time_days INTEGER NOT NULL,
+ recovery_initiated_at TIMESTAMP,
+ last_notification_at TIMESTAMP,
+ updated_at TIMESTAMP NOT NULL,
+ created_at TIMESTAMP NOT NULL
+);
diff --git a/migrations/sqlite/2021-02-10-174254_create_emergency_access/down.sql b/migrations/sqlite/2021-02-10-174254_create_emergency_access/down.sql
@@ -1 +0,0 @@
-DROP TABLE emergency_access;
-\ No newline at end of file
diff --git a/migrations/sqlite/2021-02-10-174254_create_emergency_access/up.sql b/migrations/sqlite/2021-02-10-174254_create_emergency_access/up.sql
@@ -1,14 +0,0 @@
-CREATE TABLE emergency_access (
- uuid TEXT NOT NULL PRIMARY KEY,
- grantor_uuid TEXT REFERENCES users (uuid),
- grantee_uuid TEXT REFERENCES users (uuid),
- email TEXT,
- key_encrypted TEXT,
- atype INTEGER NOT NULL,
- status INTEGER NOT NULL,
- wait_time_days INTEGER NOT NULL,
- recovery_initiated_at DATETIME,
- last_notification_at DATETIME,
- updated_at DATETIME NOT NULL,
- created_at DATETIME NOT NULL
-);
-\ No newline at end of file
diff --git a/migrations/sqlite/2021-08-30-193501_create_emergency_access/down.sql b/migrations/sqlite/2021-08-30-193501_create_emergency_access/down.sql
@@ -0,0 +1 @@
+DROP TABLE emergency_access;
diff --git a/migrations/sqlite/2021-08-30-193501_create_emergency_access/up.sql b/migrations/sqlite/2021-08-30-193501_create_emergency_access/up.sql
@@ -0,0 +1,14 @@
+CREATE TABLE emergency_access (
+ uuid TEXT NOT NULL PRIMARY KEY,
+ grantor_uuid TEXT REFERENCES users (uuid),
+ grantee_uuid TEXT REFERENCES users (uuid),
+ email TEXT,
+ key_encrypted TEXT,
+ atype INTEGER NOT NULL,
+ status INTEGER NOT NULL,
+ wait_time_days INTEGER NOT NULL,
+ recovery_initiated_at DATETIME,
+ last_notification_at DATETIME,
+ updated_at DATETIME NOT NULL,
+ created_at DATETIME NOT NULL
+);
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
@@ -239,7 +239,7 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon user.set_password( &data.NewMasterPasswordHash, - Some(vec![String::from("post_rotatekey"), String::from("get_contacts")]), + Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]), ); user.akey = data.Key; user.save(&conn)
diff --git a/src/api/core/emergency_access.rs b/src/api/core/emergency_access.rs
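Review bot: The exception list passed to `user.set_password` in the `post_password` hunk of src/api/core/accounts.rs grows to three route names with no comment saying why each one is needed; going by the commit message, every entry is a route that stays allowed while the password or key change completes, so the list should stay as short as the client requires. A comment above the list, for example `// Routes the client still calls right after a password change: key rotation, then emergency-access contacts and their public keys`, would keep later additions deliberate. The names are plain string literals, so a typo or a renamed handler would presumably fail silently rather than at compile time; shared constants would avoid that. `post_password` starts and ends outside the hunk.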
@@ -268,13 +268,9 @@ fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> EmptyResult None => err!("Email not valid."), }; - if !CONFIG.is_email_domain_allowed(&email) { - err!("Email domain not eligible for invitations.") - } - let grantee_user = match User::find_by_mail(&email, &conn) { - None => err!("Grantee user not found."), Some(user) => user, + None => err!("Grantee user not found."), }; let grantor_user = headers.user;
@@ -346,10 +342,6 @@ fn accept_invite(emer_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> } if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?; }
@@ -428,10 +420,6 @@ fn confirm_emergency_access( emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?; } Ok(Json(emergency_access.to_json()))
@@ -473,10 +461,6 @@ fn initiate_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_recovery_initiated( &grantor_user.email, &initiating_user.name,
@@ -518,10 +502,6 @@ fn approve_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?; } Ok(Json(emergency_access.to_json()))
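Review bot: `resend_invite` now mails the stored invite address with no `is_email_domain_allowed` check, and none of the visible hunks shows where the allow-list is still enforced; the commit message says it is the invite itself, which is outside this diff. A comment at this spot, such as `// Domain allow-list is enforced once, when the invite is created; later steps deliberately do not recheck it`, would record that invariant for the matching removals in `accept_invite`, `confirm_emergency_access`, `initiate_emergency_access`, `approve_emergency_access`, `reject_emergency_access` and the two background jobs. One consequence worth confirming is that an invite created before the allow-list was tightened can still be resent to a domain that is no longer permitted. `resend_invite` starts and ends outside the hunk.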
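Review bot: In the `confirm_emergency_access` hunk the record is saved before `mail::send_emergency_access_invite_confirmed(...)?` runs, so a mail failure returns an error to the client although the status change is already stored. The same save-then-send order is visible in the `approve_emergency_access` hunk and in `reject_emergency_access`, and appears to hold for `initiate_emergency_access`, whose call is cut off by the hunk edge. Logging the failure instead of propagating it would keep the response consistent with the stored state, e.g. `if let Err(e) = mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name) { error!("Error sending email: {:#?}", e); }`. These functions start outside their hunks.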
@@ -563,10 +543,6 @@ fn reject_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> J emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?; } Ok(Json(emergency_access.to_json()))
@@ -764,10 +740,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) { User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn) .expect("Grantee user not found."); - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - error!("Email domain not valid.") - } - mail::send_emergency_access_recovery_timed_out( &grantor_user.email, &grantee_user.name.clone(),
@@ -775,10 +747,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) { ) .expect("Error on sending email"); - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - error!("Email not valid.") - } - mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone()) .expect("Error on sending email"); }
@@ -816,10 +784,6 @@ pub fn emergency_notification_reminder_job(pool: DbPool) { // get grantor user to send Accepted email let grantor_user = User::find_by_uuid(&emer.grantor_uuid, &conn).expect("Grantor user not found."); - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - error!("Email not valid.") - } - // get grantee user to send Accepted email let grantee_user = User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)
diff --git a/src/db/models/emergency_access.rs b/src/db/models/emergency_access.rs
@@ -29,6 +29,8 @@ db_object! { impl EmergencyAccess { pub fn new(grantor_uuid: String, email: Option<String>, status: i32, atype: i32, wait_time_days: i32) -> Self { + let now = Utc::now().naive_utc(); + Self { uuid: crate::util::get_uuid(), grantor_uuid,
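Review bot: In `emergency_request_timeout_job` both mail calls end in `.expect("Error on sending email")`, so one failed send panics the scheduled job, and any records it had not reached yet would presumably be skipped. The two hunks also show no `CONFIG.mail_enabled()` guard around these calls, unlike the request handlers, though one may sit outside the visible lines. Logging and continuing is safer for a recovery workflow that must keep processing, e.g. `if let Err(e) = mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone()) { error!("Error on sending email: {:#?}", e); }`. The job body starts and ends outside the hunks.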
@@ -38,8 +40,8 @@ impl EmergencyAccess { atype, wait_time_days, recovery_initiated_at: None, - created_at: Utc::now().naive_utc(), - updated_at: Utc::now().naive_utc(), + created_at: now, + updated_at: now, key_encrypted: None, last_notification_at: None, }