organizations.rs (66687B)
1 use crate::{ 2 api::{ 3 EmptyResult, JsonResult, PasswordOrOtpData, 4 core::{CipherSyncData, CipherSyncType}, 5 }, 6 auth::{self, AdminHeaders, Headers, ManagerHeaders, ManagerHeadersLoose, OwnerHeaders}, 7 db::{ 8 DbConn, 9 models::{ 10 Cipher, Collection, CollectionCipher, CollectionUser, OrgPolicy, OrgPolicyErr, 11 OrgPolicyType, Organization, TwoFactorType, User, UserOrgStatus, UserOrgType, 12 UserOrganization, 13 }, 14 }, 15 error::Error, 16 util::{self, NumberOrString}, 17 }; 18 use core::convert; 19 use rocket::{Route, http::Status, serde::json::Json}; 20 use serde_json::Value; 21 use std::collections::{HashMap, HashSet}; 22 23 pub fn routes() -> Vec<Route> { 24 routes![ 25 accept_invite, 26 activate_organization_user, 27 api_key, 28 bulk_activate_organization_user, 29 bulk_confirm_invite, 30 bulk_deactivate_organization_user, 31 bulk_delete_groups, 32 bulk_delete_organization_collections, 33 bulk_delete_user, 34 bulk_public_keys, 35 bulk_reinvite_user, 36 bulk_restore_organization_user, 37 bulk_revoke_organization_user, 38 confirm_invite, 39 create_organization, 40 deactivate_organization_user, 41 delete_group, 42 delete_group_user, 43 delete_organization, 44 delete_organization_collection, 45 delete_organization_collection_user, 46 delete_user, 47 edit_user, 48 get_collection_users, 49 get_group, 50 get_group_details, 51 get_group_users, 52 get_groups, 53 get_org_collection_detail, 54 get_org_collections, 55 get_org_collections_details, 56 get_org_details, 57 get_org_export, 58 get_org_users, 59 get_organization, 60 get_organization_public_key, 61 get_organization_tax, 62 get_plans, 63 get_plans_all, 64 get_plans_tax_rates, 65 get_policy, 66 get_reset_password_details, 67 get_user, 68 get_user_collections, 69 get_user_groups, 70 import, 71 leave_organization, 72 list_policies, 73 list_policies_token, 74 post_bulk_collections, 75 post_delete_group, 76 post_delete_group_user, 77 post_delete_organization, 78 post_delete_user, 79 post_group, 80 post_groups, 81 post_org_import, 82 post_org_keys, 83 post_organization, 84 post_organization_collection_delete, 85 post_organization_collection_delete_user, 86 post_organization_collection_update, 87 post_organization_collections, 88 post_user_groups, 89 put_collection_users, 90 put_group, 91 put_group_users, 92 put_organization, 93 put_organization_collection_update, 94 put_organization_user, 95 put_policy, 96 put_reset_password, 97 put_reset_password_enrollment, 98 put_user_groups, 99 reinvite_user, 100 restore_organization_user, 101 revoke_organization_user, 102 rotate_api_key, 103 send_invite, 104 ] 105 } 106 107 #[derive(Deserialize)] 108 #[serde(rename_all = "camelCase")] 109 struct OrgData { 110 #[allow(dead_code)] 111 billing_email: String, 112 #[allow(dead_code)] 113 collection_name: String, 114 #[allow(dead_code)] 115 key: String, 116 #[allow(dead_code)] 117 name: String, 118 #[allow(dead_code)] 119 keys: Option<OrgKeyData>, 120 #[allow(dead_code)] 121 plan_type: NumberOrString, // Ignored, always use the same plan 122 } 123 124 #[derive(Deserialize)] 125 #[serde(rename_all = "camelCase")] 126 struct OrganizationUpdateData { 127 billing_email: String, 128 name: String, 129 } 130 131 #[derive(Deserialize)] 132 #[serde(rename_all = "camelCase")] 133 struct NewCollectionData { 134 name: String, 135 #[allow(dead_code)] 136 groups: Vec<NewCollectionObjectData>, 137 users: Vec<NewCollectionObjectData>, 138 external_id: Option<String>, 139 } 140 141 #[derive(Deserialize)] 142 #[serde(rename_all = "camelCase")] 143 struct NewCollectionObjectData { 144 hide_passwords: bool, 145 id: String, 146 read_only: bool, 147 } 148 149 #[derive(Deserialize)] 150 #[serde(rename_all = "camelCase")] 151 struct OrgKeyData { 152 encrypted_private_key: String, 153 public_key: String, 154 } 155 156 #[derive(Deserialize)] 157 #[serde(rename_all = "camelCase")] 158 struct OrgBulkIds { 159 ids: Vec<String>, 160 } 161 162 const ORG_CREATION_NOT_ALLOWED_MSG: &str = "Organization creation is not allowed"; 163 #[allow(unused_variables, clippy::needless_pass_by_value)] 164 #[post("/organizations", data = "<data>")] 165 fn create_organization(_headers: Headers, data: Json<OrgData>) -> Error { 166 Error::new(ORG_CREATION_NOT_ALLOWED_MSG, ORG_CREATION_NOT_ALLOWED_MSG) 167 } 168 169 #[delete("/organizations/<org_id>", data = "<data>")] 170 async fn delete_organization( 171 org_id: &str, 172 data: Json<PasswordOrOtpData>, 173 headers: OwnerHeaders, 174 conn: DbConn, 175 ) -> EmptyResult { 176 let data: PasswordOrOtpData = data.into_inner(); 177 data.validate(&headers.user)?; 178 match Organization::find_by_uuid(org_id, &conn).await { 179 None => err!("Organization not found"), 180 Some(org) => org.delete(&conn).await, 181 } 182 } 183 184 #[post("/organizations/<org_id>/delete", data = "<data>")] 185 async fn post_delete_organization( 186 org_id: &str, 187 data: Json<PasswordOrOtpData>, 188 headers: OwnerHeaders, 189 conn: DbConn, 190 ) -> EmptyResult { 191 delete_organization(org_id, data, headers, conn).await 192 } 193 194 #[post("/organizations/<org_id>/leave")] 195 async fn leave_organization(org_id: &str, headers: Headers, conn: DbConn) -> EmptyResult { 196 match UserOrganization::find_by_user_and_org(&headers.user.uuid, org_id, &conn).await { 197 None => err!("User not part of organization"), 198 Some(user_org) => { 199 if user_org.atype == UserOrgType::Owner 200 && UserOrganization::count_confirmed_by_org_and_type( 201 org_id, 202 UserOrgType::Owner, 203 &conn, 204 ) 205 .await 206 <= 1 207 { 208 err!("The last owner can't leave") 209 } 210 user_org.delete(&conn).await 211 } 212 } 213 } 214 215 #[get("/organizations/<org_id>")] 216 async fn get_organization(org_id: &str, _headers: OwnerHeaders, conn: DbConn) -> JsonResult { 217 match Organization::find_by_uuid(org_id, &conn).await { 218 Some(organization) => Ok(Json(organization.to_json())), 219 None => err!("Can't find organization details"), 220 } 221 } 222 223 #[put("/organizations/<org_id>", data = "<data>")] 224 async fn put_organization( 225 org_id: &str, 226 headers: OwnerHeaders, 227 data: Json<OrganizationUpdateData>, 228 conn: DbConn, 229 ) -> JsonResult { 230 post_organization(org_id, headers, data, conn).await 231 } 232 233 #[post("/organizations/<org_id>", data = "<data>")] 234 async fn post_organization( 235 org_id: &str, 236 _headers: OwnerHeaders, 237 data: Json<OrganizationUpdateData>, 238 conn: DbConn, 239 ) -> JsonResult { 240 let data: OrganizationUpdateData = data.into_inner(); 241 let Some(mut org) = Organization::find_by_uuid(org_id, &conn).await else { 242 err!("Can't find organization details") 243 }; 244 org.name = data.name; 245 org.billing_email = data.billing_email; 246 org.save(&conn).await?; 247 Ok(Json(org.to_json())) 248 } 249 250 // GET /api/collections?writeOnly=false 251 #[get("/collections")] 252 async fn get_user_collections(headers: Headers, conn: DbConn) -> Json<Value> { 253 Json(json!({ 254 "data": 255 Collection::find_by_user_uuid(headers.user.uuid.clone(), &conn).await 256 .iter() 257 .map(Collection::to_json) 258 .collect::<Value>(), 259 "object": "list", 260 "continuationToken": null, 261 })) 262 } 263 264 #[get("/organizations/<org_id>/collections")] 265 async fn get_org_collections( 266 org_id: &str, 267 _headers: ManagerHeadersLoose, 268 conn: DbConn, 269 ) -> Json<Value> { 270 Json(json!({ 271 "data": _get_org_collections(org_id, &conn).await, 272 "object": "list", 273 "continuationToken": null, 274 })) 275 } 276 277 #[get("/organizations/<org_id>/collections/details")] 278 async fn get_org_collections_details( 279 org_id: &str, 280 headers: ManagerHeadersLoose, 281 conn: DbConn, 282 ) -> JsonResult { 283 let mut data = Vec::new(); 284 let Some(user_org) = 285 UserOrganization::find_by_user_and_org(&headers.user.uuid, org_id, &conn).await 286 else { 287 err!("User is not part of organization") 288 }; 289 let coll_users = CollectionUser::find_by_organization(org_id, &conn).await; 290 let has_full_access_to_org = user_org.access_all; 291 for col in Collection::find_by_organization(org_id, &conn).await { 292 let assigned = has_full_access_to_org; 293 let users: Vec<Value> = coll_users 294 .iter() 295 .filter(|collection_user| collection_user.collection_uuid == col.uuid) 296 .map(|collection_user| { 297 SelectionReadOnly::to_collection_user_details_read_only(collection_user).to_json() 298 }) 299 .collect(); 300 let groups = Vec::<Value>::new(); 301 let mut json_object = col.to_json_details(&headers.user.uuid, None, &conn).await; 302 json_object["assigned"] = json!(assigned); 303 json_object["users"] = json!(users); 304 json_object["groups"] = json!(groups); 305 json_object["object"] = json!("collectionAccessDetails"); 306 json_object["unmanaged"] = json!(false); 307 data.push(json_object); 308 } 309 Ok(Json(json!({ 310 "data": data, 311 "object": "list", 312 "continuationToken": null, 313 }))) 314 } 315 316 async fn _get_org_collections(org_id: &str, conn: &DbConn) -> Value { 317 Collection::find_by_organization(org_id, conn) 318 .await 319 .iter() 320 .map(Collection::to_json) 321 .collect::<Value>() 322 } 323 324 #[post("/organizations/<org_id>/collections", data = "<data>")] 325 async fn post_organization_collections( 326 org_id: &str, 327 headers: ManagerHeadersLoose, 328 data: Json<NewCollectionData>, 329 conn: DbConn, 330 ) -> JsonResult { 331 let data: NewCollectionData = data.into_inner(); 332 let Some(org) = Organization::find_by_uuid(org_id, &conn).await else { 333 err!("Can't find organization details") 334 }; 335 let collection = Collection::new(org.uuid, data.name, data.external_id); 336 collection.save(&conn).await?; 337 for user in data.users { 338 let Some(org_user) = UserOrganization::find_by_uuid(&user.id, &conn).await else { 339 err!("User is not part of organization") 340 }; 341 if org_user.access_all { 342 continue; 343 } 344 CollectionUser::save( 345 &org_user.user_uuid, 346 &collection.uuid, 347 user.read_only, 348 user.hide_passwords, 349 &conn, 350 ) 351 .await?; 352 } 353 if headers.org_user.atype == UserOrgType::Manager && !headers.org_user.access_all { 354 CollectionUser::save( 355 &headers.org_user.user_uuid, 356 &collection.uuid, 357 false, 358 false, 359 &conn, 360 ) 361 .await?; 362 } 363 Ok(Json(collection.to_json())) 364 } 365 366 #[put("/organizations/<org_id>/collections/<col_id>", data = "<data>")] 367 async fn put_organization_collection_update( 368 org_id: &str, 369 col_id: &str, 370 headers: ManagerHeaders, 371 data: Json<NewCollectionData>, 372 conn: DbConn, 373 ) -> JsonResult { 374 post_organization_collection_update(org_id, col_id, headers, data, conn).await 375 } 376 377 #[post("/organizations/<org_id>/collections/<col_id>", data = "<data>")] 378 async fn post_organization_collection_update( 379 org_id: &str, 380 col_id: &str, 381 headers: ManagerHeaders, 382 data: Json<NewCollectionData>, 383 conn: DbConn, 384 ) -> JsonResult { 385 let data: NewCollectionData = data.into_inner(); 386 let Some(org) = Organization::find_by_uuid(org_id, &conn).await else { 387 err!("Can't find organization details") 388 }; 389 let Some(mut collection) = Collection::find_by_uuid(col_id, &conn).await else { 390 err!("Collection not found") 391 }; 392 if collection.org_uuid != org.uuid { 393 err!("Collection is not owned by organization"); 394 } 395 collection.name = data.name; 396 collection.external_id = match data.external_id { 397 Some(external_id) if !external_id.trim().is_empty() => Some(external_id), 398 _ => None, 399 }; 400 collection.save(&conn).await?; 401 CollectionUser::delete_all_by_collection(col_id, &conn).await?; 402 for user in data.users { 403 let Some(org_user) = UserOrganization::find_by_uuid(&user.id, &conn).await else { 404 err!("User is not part of organization") 405 }; 406 if org_user.access_all { 407 continue; 408 } 409 CollectionUser::save( 410 &org_user.user_uuid, 411 col_id, 412 user.read_only, 413 user.hide_passwords, 414 &conn, 415 ) 416 .await?; 417 } 418 Ok(Json( 419 collection 420 .to_json_details(&headers.user.uuid, None, &conn) 421 .await, 422 )) 423 } 424 425 #[delete("/organizations/<org_id>/collections/<col_id>/user/<org_user_id>")] 426 async fn delete_organization_collection_user( 427 org_id: &str, 428 col_id: &str, 429 org_user_id: &str, 430 _headers: AdminHeaders, 431 conn: DbConn, 432 ) -> EmptyResult { 433 let collection = match Collection::find_by_uuid(col_id, &conn).await { 434 None => err!("Collection not found"), 435 Some(collection) => { 436 if collection.org_uuid == org_id { 437 collection 438 } else { 439 err!("Collection and Organization id do not match") 440 } 441 } 442 }; 443 match UserOrganization::find_by_uuid_and_org(org_user_id, org_id, &conn).await { 444 None => err!("User not found in organization"), 445 Some(user_org) => { 446 match CollectionUser::find_by_collection_and_user( 447 &collection.uuid, 448 &user_org.user_uuid, 449 &conn, 450 ) 451 .await 452 { 453 None => err!("User not assigned to collection"), 454 Some(col_user) => col_user.delete(&conn).await, 455 } 456 } 457 } 458 } 459 460 #[post("/organizations/<org_id>/collections/<col_id>/delete-user/<org_user_id>")] 461 async fn post_organization_collection_delete_user( 462 org_id: &str, 463 col_id: &str, 464 org_user_id: &str, 465 headers: AdminHeaders, 466 conn: DbConn, 467 ) -> EmptyResult { 468 delete_organization_collection_user(org_id, col_id, org_user_id, headers, conn).await 469 } 470 471 async fn _delete_organization_collection( 472 org_id: &str, 473 col_id: &str, 474 _headers: &ManagerHeaders, 475 conn: &DbConn, 476 ) -> EmptyResult { 477 match Collection::find_by_uuid(col_id, conn).await { 478 None => err!("Collection not found"), 479 Some(collection) => { 480 if collection.org_uuid == org_id { 481 collection.delete(conn).await 482 } else { 483 err!("Collection and Organization id do not match") 484 } 485 } 486 } 487 } 488 489 #[delete("/organizations/<org_id>/collections/<col_id>")] 490 async fn delete_organization_collection( 491 org_id: &str, 492 col_id: &str, 493 headers: ManagerHeaders, 494 conn: DbConn, 495 ) -> EmptyResult { 496 _delete_organization_collection(org_id, col_id, &headers, &conn).await 497 } 498 499 #[derive(Deserialize)] 500 #[serde(rename_all = "camelCase")] 501 struct DeleteCollectionData { 502 #[allow(dead_code)] 503 id: String, 504 #[allow(dead_code)] 505 org_id: String, 506 } 507 508 #[post( 509 "/organizations/<org_id>/collections/<col_id>/delete", 510 data = "<_data>" 511 )] 512 async fn post_organization_collection_delete( 513 org_id: &str, 514 col_id: &str, 515 headers: ManagerHeaders, 516 _data: Json<DeleteCollectionData>, 517 conn: DbConn, 518 ) -> EmptyResult { 519 _delete_organization_collection(org_id, col_id, &headers, &conn).await 520 } 521 522 #[derive(Deserialize)] 523 #[serde(rename_all = "camelCase")] 524 struct BulkCollectionIds { 525 ids: Vec<String>, 526 organization_id: String, 527 } 528 529 #[delete("/organizations/<org_id>/collections", data = "<data>")] 530 async fn bulk_delete_organization_collections( 531 org_id: &str, 532 headers: ManagerHeadersLoose, 533 data: Json<BulkCollectionIds>, 534 conn: DbConn, 535 ) -> EmptyResult { 536 let data: BulkCollectionIds = data.into_inner(); 537 if org_id != data.organization_id { 538 err!("OrganizationId mismatch"); 539 } 540 let collections = data.ids; 541 let headers = ManagerHeaders::from_loose(headers, &collections, &conn).await?; 542 for col_id in collections { 543 _delete_organization_collection(org_id, &col_id, &headers, &conn).await?; 544 } 545 Ok(()) 546 } 547 548 #[get("/organizations/<org_id>/collections/<coll_id>/details")] 549 async fn get_org_collection_detail( 550 org_id: &str, 551 coll_id: &str, 552 headers: ManagerHeaders, 553 conn: DbConn, 554 ) -> JsonResult { 555 match Collection::find_by_uuid_and_user(coll_id, headers.user.uuid.clone(), &conn).await { 556 None => err!("Collection not found"), 557 Some(collection) => { 558 if collection.org_uuid != org_id { 559 err!("Collection is not owned by organization") 560 } 561 let Some(user_org) = 562 UserOrganization::find_by_user_and_org(&headers.user.uuid, org_id, &conn).await 563 else { 564 err!("User is not part of organization") 565 }; 566 let groups: Vec<Value> = Vec::new(); 567 let users: Vec<Value> = 568 CollectionUser::find_by_collection_swap_user_uuid_with_org_user_uuid( 569 &collection.uuid, 570 &conn, 571 ) 572 .await 573 .iter() 574 .map(|collection_user| { 575 SelectionReadOnly::to_collection_user_details_read_only(collection_user) 576 .to_json() 577 }) 578 .collect(); 579 let assigned = 580 Collection::can_access_collection(&user_org, &collection.uuid, &conn).await; 581 let mut json_object = collection 582 .to_json_details(&headers.user.uuid, None, &conn) 583 .await; 584 json_object["assigned"] = json!(assigned); 585 json_object["users"] = json!(users); 586 json_object["groups"] = json!(groups); 587 json_object["object"] = json!("collectionAccessDetails"); 588 Ok(Json(json_object)) 589 } 590 } 591 } 592 593 #[get("/organizations/<org_id>/collections/<coll_id>/users")] 594 async fn get_collection_users( 595 org_id: &str, 596 coll_id: &str, 597 _headers: ManagerHeaders, 598 conn: DbConn, 599 ) -> JsonResult { 600 // Get org and collection, check that collection is from org 601 let collection = match Collection::find_by_uuid_and_org(coll_id, org_id, &conn).await { 602 None => err!("Collection not found in Organization"), 603 Some(collection) => collection, 604 }; 605 let mut user_list = Vec::new(); 606 for col_user in CollectionUser::find_by_collection(&collection.uuid, &conn).await { 607 user_list.push( 608 UserOrganization::find_by_user_and_org(&col_user.user_uuid, org_id, &conn) 609 .await 610 .unwrap() 611 .to_json_user_access_restrictions(&col_user), 612 ); 613 } 614 Ok(Json(json!(user_list))) 615 } 616 617 #[put("/organizations/<org_id>/collections/<coll_id>/users", data = "<data>")] 618 async fn put_collection_users( 619 org_id: &str, 620 coll_id: &str, 621 data: Json<Vec<CollectionData>>, 622 _headers: ManagerHeaders, 623 conn: DbConn, 624 ) -> EmptyResult { 625 // Get org and collection, check that collection is from org 626 if Collection::find_by_uuid_and_org(coll_id, org_id, &conn) 627 .await 628 .is_none() 629 { 630 err!("Collection not found in Organization") 631 } 632 // Delete all the user-collections 633 CollectionUser::delete_all_by_collection(coll_id, &conn).await?; 634 // And then add all the received ones (except if the user has access_all) 635 for d in data.iter() { 636 let Some(user) = UserOrganization::find_by_uuid(&d.id, &conn).await else { 637 err!("User is not part of organization") 638 }; 639 if user.access_all { 640 continue; 641 } 642 CollectionUser::save( 643 &user.user_uuid, 644 coll_id, 645 d.read_only, 646 d.hide_passwords, 647 &conn, 648 ) 649 .await?; 650 } 651 Ok(()) 652 } 653 654 #[derive(FromForm)] 655 struct OrgIdData { 656 #[field(name = "organizationId")] 657 organization_id: String, 658 } 659 660 #[get("/ciphers/organization-details?<data..>")] 661 async fn get_org_details(data: OrgIdData, headers: Headers, conn: DbConn) -> JsonResult { 662 if UserOrganization::find_confirmed_by_user_and_org( 663 &headers.user.uuid, 664 &data.organization_id, 665 &conn, 666 ) 667 .await 668 .is_none() 669 { 670 err_code!("Resource not found.", Status::NotFound.code); 671 } 672 673 Ok(Json(json!({ 674 "data": _get_org_details(&data.organization_id, &headers.user.uuid, &conn).await, 675 "object": "list", 676 "continuationToken": null, 677 }))) 678 } 679 680 async fn _get_org_details(org_id: &str, user_uuid: &str, conn: &DbConn) -> Value { 681 let ciphers = Cipher::find_by_org(org_id, conn).await; 682 let cipher_sync_data = CipherSyncData::new(user_uuid, CipherSyncType::Organization, conn).await; 683 let mut ciphers_json = Vec::with_capacity(ciphers.len()); 684 for c in ciphers { 685 ciphers_json.push( 686 c.to_json( 687 user_uuid, 688 Some(&cipher_sync_data), 689 CipherSyncType::Organization, 690 conn, 691 ) 692 .await, 693 ); 694 } 695 json!(ciphers_json) 696 } 697 698 #[derive(FromForm)] 699 struct GetOrgUserData { 700 #[field(name = "includeCollections")] 701 include_collections: Option<bool>, 702 #[field(name = "includeGroups")] 703 include_groups: Option<bool>, 704 } 705 706 #[get("/organizations/<org_id>/users?<data..>")] 707 async fn get_org_users( 708 data: GetOrgUserData, 709 org_id: &str, 710 _headers: ManagerHeadersLoose, 711 conn: DbConn, 712 ) -> Json<Value> { 713 let mut users_json = Vec::new(); 714 for u in UserOrganization::find_by_org(org_id, &conn).await { 715 users_json.push( 716 u.to_json_user_details(data.include_collections.unwrap_or(false), &conn) 717 .await, 718 ); 719 } 720 Json(json!({ 721 "data": users_json, 722 "object": "list", 723 "continuationToken": null, 724 })) 725 } 726 727 #[post("/organizations/<org_id>/keys", data = "<data>")] 728 async fn post_org_keys( 729 org_id: &str, 730 data: Json<OrgKeyData>, 731 _headers: AdminHeaders, 732 conn: DbConn, 733 ) -> JsonResult { 734 let data: OrgKeyData = data.into_inner(); 735 let mut org = match Organization::find_by_uuid(org_id, &conn).await { 736 Some(organization) => { 737 if organization.private_key.is_some() && organization.public_key.is_some() { 738 err!("Organization Keys already exist") 739 } 740 organization 741 } 742 None => err!("Can't find organization details"), 743 }; 744 org.private_key = Some(data.encrypted_private_key); 745 org.public_key = Some(data.public_key); 746 org.save(&conn).await?; 747 Ok(Json(json!({ 748 "object": "organizationKeys", 749 "publicKey": org.public_key, 750 "privateKey": org.private_key, 751 }))) 752 } 753 754 #[derive(Deserialize)] 755 #[serde(rename_all = "camelCase")] 756 struct CollectionData { 757 id: String, 758 read_only: bool, 759 hide_passwords: bool, 760 } 761 762 #[derive(Deserialize)] 763 #[serde(rename_all = "camelCase")] 764 struct InviteData { 765 #[allow(dead_code)] 766 emails: Vec<String>, 767 #[allow(dead_code)] 768 groups: Vec<String>, 769 #[allow(dead_code)] 770 r#type: NumberOrString, 771 #[allow(dead_code)] 772 collections: Option<Vec<CollectionData>>, 773 #[allow(dead_code)] 774 #[serde(default)] 775 access_all: bool, 776 } 777 const INVITATIONS_NOT_ALLOWED_MSG: &str = "Invitations are not allowed."; 778 #[allow(unused_variables, clippy::needless_pass_by_value)] 779 #[post("/organizations/<org_id>/users/invite", data = "<data>")] 780 fn send_invite(org_id: &str, data: Json<InviteData>, _headers: AdminHeaders) -> Error { 781 Error::new(INVITATIONS_NOT_ALLOWED_MSG, INVITATIONS_NOT_ALLOWED_MSG) 782 } 783 #[allow(unused_variables, clippy::needless_pass_by_value)] 784 #[post("/organizations/<org_id>/users/reinvite", data = "<data>")] 785 fn bulk_reinvite_user(org_id: &str, data: Json<OrgBulkIds>, _headers: AdminHeaders) -> Json<Value> { 786 Json(json!({ 787 "data": Vec::<Value>::new(), 788 "object": "list", 789 "continuationToken": null 790 })) 791 } 792 793 #[allow(unused_variables, clippy::needless_pass_by_value)] 794 #[post("/organizations/<org_id>/users/<user_org>/reinvite")] 795 fn reinvite_user(org_id: &str, user_org: &str, _headers: AdminHeaders) -> Error { 796 Error::new(INVITATIONS_NOT_ALLOWED_MSG, INVITATIONS_NOT_ALLOWED_MSG) 797 } 798 799 #[derive(Deserialize)] 800 #[serde(rename_all = "camelCase")] 801 struct AcceptData { 802 #[allow(dead_code)] 803 token: String, 804 #[allow(dead_code)] 805 reset_password_key: Option<String>, 806 } 807 808 #[allow(unused_variables, clippy::needless_pass_by_value)] 809 #[post("/organizations/<org_id>/users/<_org_user_id>/accept", data = "<data>")] 810 fn accept_invite(org_id: &str, _org_user_id: &str, data: Json<AcceptData>) -> Error { 811 Error::new(INVITATIONS_NOT_ALLOWED_MSG, INVITATIONS_NOT_ALLOWED_MSG) 812 } 813 814 #[allow(unused_variables, clippy::needless_pass_by_value)] 815 #[post("/organizations/<org_id>/users/confirm", data = "<data>")] 816 fn bulk_confirm_invite(org_id: &str, data: Json<Value>, _headers: AdminHeaders) -> Json<Value> { 817 Json(json!({ 818 "data": Vec::<Value>::new(), 819 "object": "list", 820 "continuationToken": null 821 })) 822 } 823 824 #[allow(unused_variables, clippy::needless_pass_by_value)] 825 #[post("/organizations/<org_id>/users/<org_user_id>/confirm", data = "<data>")] 826 fn confirm_invite( 827 org_id: &str, 828 org_user_id: &str, 829 data: Json<Value>, 830 _headers: AdminHeaders, 831 ) -> Error { 832 Error::new(INVITATIONS_NOT_ALLOWED_MSG, INVITATIONS_NOT_ALLOWED_MSG) 833 } 834 835 #[get("/organizations/<org_id>/users/<org_user_id>?<data..>")] 836 async fn get_user( 837 org_id: &str, 838 org_user_id: &str, 839 data: GetOrgUserData, 840 _headers: AdminHeaders, 841 conn: DbConn, 842 ) -> JsonResult { 843 let Some(user) = UserOrganization::find_by_uuid_and_org(org_user_id, org_id, &conn).await 844 else { 845 err!("The specified user isn't a member of the organization") 846 }; 847 // In this case, when groups are requested we also need to include collections. 848 // Else these will not be shown in the interface, and could lead to missing collections when saved. 849 let include_groups = data.include_groups.unwrap_or(false); 850 Ok(Json( 851 user.to_json_user_details(data.include_collections.unwrap_or(include_groups), &conn) 852 .await, 853 )) 854 } 855 856 #[derive(Deserialize)] 857 #[serde(rename_all = "camelCase")] 858 struct EditUserData { 859 r#type: NumberOrString, 860 collections: Option<Vec<CollectionData>>, 861 #[allow(dead_code)] 862 groups: Option<Vec<String>>, 863 access_all: bool, 864 } 865 866 #[put( 867 "/organizations/<org_id>/users/<org_user_id>", 868 data = "<data>", 869 rank = 1 870 )] 871 async fn put_organization_user( 872 org_id: &str, 873 org_user_id: &str, 874 data: Json<EditUserData>, 875 headers: AdminHeaders, 876 conn: DbConn, 877 ) -> EmptyResult { 878 edit_user(org_id, org_user_id, data, headers, conn).await 879 } 880 881 #[post( 882 "/organizations/<org_id>/users/<org_user_id>", 883 data = "<data>", 884 rank = 1 885 )] 886 async fn edit_user( 887 org_id: &str, 888 org_user_id: &str, 889 data: Json<EditUserData>, 890 headers: AdminHeaders, 891 conn: DbConn, 892 ) -> EmptyResult { 893 let data: EditUserData = data.into_inner(); 894 let Some(new_type) = UserOrgType::from_str(&data.r#type.into_string()) else { 895 err!("Invalid type") 896 }; 897 let Some(mut user_to_edit) = 898 UserOrganization::find_by_uuid_and_org(org_user_id, org_id, &conn).await 899 else { 900 err!("The specified user isn't member of the organization") 901 }; 902 if new_type != user_to_edit.atype 903 && (user_to_edit.atype >= UserOrgType::Admin || new_type >= UserOrgType::Admin) 904 && headers.org_user_type != UserOrgType::Owner 905 { 906 err!("Only Owners can grant and remove Admin or Owner privileges") 907 } 908 if user_to_edit.atype == UserOrgType::Owner && headers.org_user_type != UserOrgType::Owner { 909 err!("Only Owners can edit Owner users") 910 } 911 if user_to_edit.atype == UserOrgType::Owner 912 && new_type != UserOrgType::Owner 913 && user_to_edit.status == i32::from(UserOrgStatus::Confirmed) 914 { 915 // Removing owner permission, check that there is at least one other confirmed owner 916 if UserOrganization::count_confirmed_by_org_and_type(org_id, UserOrgType::Owner, &conn) 917 .await 918 <= 1 919 { 920 err!("Can't delete the last owner") 921 } 922 } 923 // This check is also done at accept_invite(), _confirm_invite, _activate_user(), edit_user(), admin::update_user_org_type 924 // It returns different error messages per function. 925 if new_type < UserOrgType::Admin { 926 match OrgPolicy::is_user_allowed(&user_to_edit.user_uuid, org_id, true, &conn).await { 927 Ok(()) => {} 928 Err(OrgPolicyErr::TwoFactorMissing) => { 929 err!( 930 "You cannot modify this user to this type because it has no two-step login method activated" 931 ); 932 } 933 Err(OrgPolicyErr::SingleOrgEnforced) => { 934 err!( 935 "You cannot modify this user to this type because it is a member of an organization which forbids it" 936 ); 937 } 938 } 939 } 940 user_to_edit.access_all = data.access_all; 941 user_to_edit.atype = i32::from(new_type); 942 // Delete all the odd collections 943 for c in 944 CollectionUser::find_by_organization_and_user_uuid(org_id, &user_to_edit.user_uuid, &conn) 945 .await 946 { 947 c.delete(&conn).await?; 948 } 949 // If no accessAll, add the collections received 950 if !data.access_all { 951 for col in data.collections.iter().flatten() { 952 match Collection::find_by_uuid_and_org(&col.id, org_id, &conn).await { 953 None => err!("Collection not found in Organization"), 954 Some(collection) => { 955 CollectionUser::save( 956 &user_to_edit.user_uuid, 957 &collection.uuid, 958 col.read_only, 959 col.hide_passwords, 960 &conn, 961 ) 962 .await?; 963 } 964 } 965 } 966 } 967 user_to_edit.save(&conn).await 968 } 969 970 #[delete("/organizations/<org_id>/users", data = "<data>")] 971 async fn bulk_delete_user( 972 org_id: &str, 973 data: Json<OrgBulkIds>, 974 headers: AdminHeaders, 975 conn: DbConn, 976 ) -> Json<Value> { 977 let data: OrgBulkIds = data.into_inner(); 978 let mut bulk_response = Vec::new(); 979 for org_user_id in data.ids { 980 let err_msg = match _delete_user(org_id, &org_user_id, &headers, &conn).await { 981 Ok(()) => String::new(), 982 Err(e) => format!("{e:?}"), 983 }; 984 bulk_response.push(json!( 985 { 986 "object": "organizationBulkConfirmResponseModel", 987 "id": org_user_id, 988 "error": err_msg 989 } 990 )); 991 } 992 Json(json!({ 993 "data": bulk_response, 994 "object": "list", 995 "continuationToken": null 996 })) 997 } 998 999 #[delete("/organizations/<org_id>/users/<org_user_id>")] 1000 async fn delete_user( 1001 org_id: &str, 1002 org_user_id: &str, 1003 headers: AdminHeaders, 1004 conn: DbConn, 1005 ) -> EmptyResult { 1006 _delete_user(org_id, org_user_id, &headers, &conn).await 1007 } 1008 1009 #[post("/organizations/<org_id>/users/<org_user_id>/delete")] 1010 async fn post_delete_user( 1011 org_id: &str, 1012 org_user_id: &str, 1013 headers: AdminHeaders, 1014 conn: DbConn, 1015 ) -> EmptyResult { 1016 _delete_user(org_id, org_user_id, &headers, &conn).await 1017 } 1018 1019 async fn _delete_user( 1020 org_id: &str, 1021 org_user_id: &str, 1022 headers: &AdminHeaders, 1023 conn: &DbConn, 1024 ) -> EmptyResult { 1025 let Some(user_to_delete) = 1026 UserOrganization::find_by_uuid_and_org(org_user_id, org_id, conn).await 1027 else { 1028 err!("User to delete isn't member of the organization") 1029 }; 1030 if user_to_delete.atype != UserOrgType::User && headers.org_user_type != UserOrgType::Owner { 1031 err!("Only Owners can delete Admins or Owners") 1032 } 1033 if user_to_delete.atype == UserOrgType::Owner 1034 && user_to_delete.status == i32::from(UserOrgStatus::Confirmed) 1035 { 1036 // Removing owner, check that there is at least one other confirmed owner 1037 if UserOrganization::count_confirmed_by_org_and_type(org_id, UserOrgType::Owner, conn).await 1038 <= 1 1039 { 1040 err!("Can't delete the last owner") 1041 } 1042 } 1043 user_to_delete.delete(conn).await 1044 } 1045 1046 #[post("/organizations/<org_id>/users/public-keys", data = "<data>")] 1047 async fn bulk_public_keys( 1048 org_id: &str, 1049 data: Json<OrgBulkIds>, 1050 _headers: AdminHeaders, 1051 conn: DbConn, 1052 ) -> Json<Value> { 1053 let data: OrgBulkIds = data.into_inner(); 1054 let mut bulk_response = Vec::new(); 1055 // Check all received UserOrg UUID's and find the matching User to retrieve the public-key. 1056 // If the user does not exists, just ignore it, and do not return any information regarding that UserOrg UUID. 1057 // The web-vault will then ignore that user for the following steps. 1058 for user_org_id in data.ids { 1059 if let Some(user_org) = 1060 UserOrganization::find_by_uuid_and_org(&user_org_id, org_id, &conn).await 1061 { 1062 if let Some(user) = User::find_by_uuid(&user_org.user_uuid, &conn).await { 1063 bulk_response.push(json!( 1064 { 1065 "object": "organizationUserPublicKeyResponseModel", 1066 "id": user_org_id, 1067 "userId": user.uuid, 1068 "key": user.public_key 1069 } 1070 )); 1071 } else { 1072 debug!("User doesn't exist"); 1073 } 1074 } else { 1075 debug!("UserOrg doesn't exist"); 1076 } 1077 } 1078 Json(json!({ 1079 "data": bulk_response, 1080 "object": "list", 1081 "continuationToken": null 1082 })) 1083 } 1084 1085 use super::ciphers::CipherData; 1086 use super::ciphers::update_cipher_from_data; 1087 1088 #[derive(Deserialize)] 1089 #[serde(rename_all = "camelCase")] 1090 struct ImportData { 1091 ciphers: Vec<CipherData>, 1092 collections: Vec<NewCollectionData>, 1093 collection_relationships: Vec<RelationsData>, 1094 } 1095 1096 #[derive(Deserialize)] 1097 #[serde(rename_all = "camelCase")] 1098 struct RelationsData { 1099 // Cipher index 1100 key: usize, 1101 // Collection index 1102 value: usize, 1103 } 1104 1105 #[post("/ciphers/import-organization?<query..>", data = "<data>")] 1106 async fn post_org_import( 1107 query: OrgIdData, 1108 data: Json<ImportData>, 1109 headers: AdminHeaders, 1110 conn: DbConn, 1111 ) -> EmptyResult { 1112 let data: ImportData = data.into_inner(); 1113 let org_id = query.organization_id; 1114 // Validate the import before continuing 1115 // Bitwarden does not process the import if there is one item invalid. 1116 // Since we check for the size of the encrypted note length, we need to do that here to pre-validate it. 1117 // TODO: See if we can optimize the whole cipher adding/importing and prevent duplicate code and checks. 1118 Cipher::validate_cipher_data(&data.ciphers)?; 1119 let mut collections = Vec::new(); 1120 for coll in data.collections { 1121 let collection = Collection::new(org_id.clone(), coll.name, coll.external_id); 1122 if collection.save(&conn).await.is_err() { 1123 collections.push(Err(Error::new( 1124 "Failed to create Collection", 1125 "Failed to create Collection", 1126 ))); 1127 } else { 1128 collections.push(Ok(collection)); 1129 } 1130 } 1131 // Read the relations between collections and ciphers 1132 let mut relations = Vec::new(); 1133 for relation in data.collection_relationships { 1134 relations.push((relation.key, relation.value)); 1135 } 1136 let headers: Headers = headers.into(); 1137 let mut ciphers = Vec::new(); 1138 for cipher_data in data.ciphers { 1139 let mut cipher = Cipher::new(cipher_data.r#type, cipher_data.name.clone()); 1140 drop(update_cipher_from_data(&mut cipher, cipher_data, &headers, None, &conn, true).await); 1141 ciphers.push(cipher); 1142 } 1143 // Assign the collections 1144 for (cipher_index, coll_index) in relations { 1145 let cipher_id = &ciphers[cipher_index].uuid; 1146 let coll = &collections[coll_index]; 1147 let coll_id = match *coll { 1148 Ok(ref coll) => coll.uuid.as_str(), 1149 Err(_) => err!("Failed to assign to collection"), 1150 }; 1151 1152 CollectionCipher::save(cipher_id, coll_id, &conn).await?; 1153 } 1154 let mut user = headers.user; 1155 user.update_revision(&conn).await 1156 } 1157 1158 #[derive(Deserialize)] 1159 #[serde(rename_all = "camelCase")] 1160 struct BulkCollectionsData { 1161 organization_id: String, 1162 cipher_ids: Vec<String>, 1163 collection_ids: HashSet<String>, 1164 remove_collections: bool, 1165 } 1166 1167 // This endpoint is only reachable via the organization view, therefor this endpoint is located here 1168 // Also Bitwarden does not send out Notifications for these changes, it only does this for individual cipher collection updates 1169 #[allow(clippy::iter_over_hash_type)] 1170 #[post("/ciphers/bulk-collections", data = "<data>")] 1171 async fn post_bulk_collections( 1172 data: Json<BulkCollectionsData>, 1173 headers: Headers, 1174 conn: DbConn, 1175 ) -> EmptyResult { 1176 let data: BulkCollectionsData = data.into_inner(); 1177 1178 // This feature does not seem to be active on all the clients 1179 // To prevent future issues, add a check to block a call when this is set to true 1180 if data.remove_collections { 1181 err!("Bulk removing of collections is not yet implemented") 1182 } 1183 1184 // Get all the collection available to the user in one query 1185 // Also filter based upon the provided collections 1186 let user_collections: HashMap<String, Collection> = 1187 Collection::find_by_organization_and_user_uuid( 1188 &data.organization_id, 1189 &headers.user.uuid, 1190 &conn, 1191 ) 1192 .await 1193 .into_iter() 1194 .filter_map(|c| { 1195 if data.collection_ids.contains(&c.uuid) { 1196 Some((c.uuid.clone(), c)) 1197 } else { 1198 None 1199 } 1200 }) 1201 .collect(); 1202 1203 // Verify if all the collections requested exists and are writeable for the user, else abort 1204 for collection_uuid in &data.collection_ids { 1205 match user_collections.get(collection_uuid) { 1206 Some(collection) 1207 if collection 1208 .is_writable_by_user(&headers.user.uuid, &conn) 1209 .await => {} 1210 _ => err_code!( 1211 "Resource not found", 1212 "User does not have access to a collection", 1213 404 1214 ), 1215 } 1216 } 1217 1218 for cipher_id in &data.cipher_ids { 1219 // Only act on existing cipher uuid's 1220 // Do not abort the operation just ignore it, it could be a cipher was just deleted for example 1221 if let Some(cipher) = 1222 Cipher::find_by_uuid_and_org(cipher_id, &data.organization_id, &conn).await 1223 { 1224 if cipher 1225 .is_write_accessible_to_user(&headers.user.uuid, &conn) 1226 .await 1227 { 1228 for collection in &data.collection_ids { 1229 CollectionCipher::save(&cipher.uuid, collection, &conn).await?; 1230 } 1231 } 1232 } 1233 } 1234 1235 Ok(()) 1236 } 1237 1238 #[get("/organizations/<org_id>/policies")] 1239 async fn list_policies(org_id: &str, _headers: AdminHeaders, conn: DbConn) -> Json<Value> { 1240 let policies = OrgPolicy::find_by_org(org_id, &conn).await; 1241 let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect(); 1242 Json(json!({ 1243 "data": policies_json, 1244 "object": "list", 1245 "continuationToken": null 1246 })) 1247 } 1248 1249 #[get("/organizations/<org_id>/policies/token?<token>")] 1250 async fn list_policies_token(org_id: &str, token: &str, conn: DbConn) -> JsonResult { 1251 if org_id == "undefined" && token == "undefined" { 1252 return Ok(Json(json!({}))); 1253 } 1254 let invite = auth::decode_invite(token)?; 1255 let Some(invite_org_id) = invite.org_id else { 1256 err!("Invalid token") 1257 }; 1258 if invite_org_id != org_id { 1259 err!("Token doesn't match request organization"); 1260 } 1261 // TODO: We receive the invite token as ?token=<>, validate it contains the org id 1262 let policies = OrgPolicy::find_by_org(org_id, &conn).await; 1263 let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect(); 1264 Ok(Json(json!({ 1265 "data": policies_json, 1266 "object": "list", 1267 "continuationToken": null 1268 }))) 1269 } 1270 1271 #[get("/organizations/<org_id>/policies/<pol_type>")] 1272 async fn get_policy( 1273 org_id: &str, 1274 pol_type: i32, 1275 _headers: AdminHeaders, 1276 conn: DbConn, 1277 ) -> JsonResult { 1278 let Ok(pol_type_enum) = OrgPolicyType::try_from(pol_type) else { 1279 err!("Invalid or unsupported policy type") 1280 }; 1281 let policy = (OrgPolicy::find_by_org_and_type(org_id, pol_type_enum, &conn).await).map_or_else( 1282 || OrgPolicy::new(String::from(org_id), pol_type_enum, "null".to_owned()), 1283 convert::identity, 1284 ); 1285 Ok(Json(policy.to_json())) 1286 } 1287 1288 #[derive(Deserialize)] 1289 struct PolicyData { 1290 enabled: bool, 1291 #[serde(rename = "type")] 1292 _type: i32, 1293 data: Option<Value>, 1294 } 1295 1296 #[put("/organizations/<org_id>/policies/<pol_type>", data = "<data>")] 1297 async fn put_policy( 1298 org_id: &str, 1299 pol_type: i32, 1300 data: Json<PolicyData>, 1301 _headers: AdminHeaders, 1302 conn: DbConn, 1303 ) -> JsonResult { 1304 let data: PolicyData = data.into_inner(); 1305 let Ok(pol_type_enum) = OrgPolicyType::try_from(pol_type) else { 1306 err!("Invalid or unsupported policy type") 1307 }; 1308 // When enabling the TwoFactorAuthentication policy, remove this org's members that do have 2FA 1309 if pol_type_enum == OrgPolicyType::TwoFactorAuthentication && data.enabled { 1310 for member in UserOrganization::find_by_org(org_id, &conn).await { 1311 // Policy only applies to non-Owner/non-Admin members who have accepted joining the org 1312 // Invited users still need to accept the invite and will get an error when they try to accept the invite. 1313 if member.atype < UserOrgType::Admin 1314 && member.status != i32::from(UserOrgStatus::Invited) 1315 && !TwoFactorType::has_twofactor(&member.user_uuid, &conn).await? 1316 { 1317 member.delete(&conn).await?; 1318 } 1319 } 1320 } 1321 // When enabling the SingleOrg policy, remove this org's members that are members of other orgs 1322 if pol_type_enum == OrgPolicyType::SingleOrg && data.enabled { 1323 for member in UserOrganization::find_by_org(org_id, &conn).await { 1324 // Policy only applies to non-Owner/non-Admin members who have accepted joining the org 1325 // Exclude invited and revoked users when checking for this policy. 1326 // Those users will not be allowed to accept or be activated because of the policy checks done there. 1327 // We check if the count is larger then 1, because it includes this organization also. 1328 if member.atype < UserOrgType::Admin 1329 && member.status != i32::from(UserOrgStatus::Invited) 1330 && UserOrganization::count_accepted_and_confirmed_by_user(&member.user_uuid, &conn) 1331 .await 1332 > 1 1333 { 1334 member.delete(&conn).await?; 1335 } 1336 } 1337 } 1338 let mut policy = (OrgPolicy::find_by_org_and_type(org_id, pol_type_enum, &conn).await) 1339 .map_or_else( 1340 || OrgPolicy::new(String::from(org_id), pol_type_enum, "{}".to_owned()), 1341 |p| p, 1342 ); 1343 policy.enabled = data.enabled; 1344 policy.data = serde_json::to_string(&data.data)?; 1345 policy.save(&conn).await?; 1346 Ok(Json(policy.to_json())) 1347 } 1348 1349 #[allow(unused_variables, clippy::needless_pass_by_value)] 1350 #[get("/organizations/<org_id>/tax")] 1351 fn get_organization_tax(org_id: &str, _headers: Headers) -> Json<Value> { 1352 // Prevent a 404 error, which also causes Javascript errors. 1353 // Upstream sends "Only allowed when not self hosted." As an error message. 1354 // If we do the same it will also output this to the log, which is overkill. 1355 // An empty list/data also works fine. 1356 Json(_empty_data_json()) 1357 } 1358 1359 #[get("/plans")] 1360 fn get_plans() -> Json<Value> { 1361 // Respond with a minimal json just enough to allow the creation of an new organization. 1362 Json(json!({ 1363 "object": "list", 1364 "data": [{ 1365 "object": "plan", 1366 "type": 0i32, 1367 "product": 0i32, 1368 "name": "Free", 1369 "nameLocalizationKey": "planNameFree", 1370 "bitwardenProduct": 0i32, 1371 "maxUsers": 0i32, 1372 "descriptionLocalizationKey": "planDescFree" 1373 },{ 1374 "object": "plan", 1375 "type": 0i32, 1376 "product": 1i32, 1377 "name": "Free", 1378 "nameLocalizationKey": "planNameFree", 1379 "bitwardenProduct": 1i32, 1380 "maxUsers": 0i32, 1381 "descriptionLocalizationKey": "planDescFree" 1382 }], 1383 "ContinuationToken": null 1384 })) 1385 } 1386 1387 #[get("/plans/all")] 1388 fn get_plans_all() -> Json<Value> { 1389 get_plans() 1390 } 1391 1392 #[allow(clippy::needless_pass_by_value)] 1393 #[get("/plans/sales-tax-rates")] 1394 fn get_plans_tax_rates(_headers: Headers) -> Json<Value> { 1395 // Prevent a 404 error, which also causes Javascript errors. 1396 Json(_empty_data_json()) 1397 } 1398 1399 fn _empty_data_json() -> Value { 1400 json!({ 1401 "object": "list", 1402 "data": [], 1403 "continuationToken": null 1404 }) 1405 } 1406 1407 #[derive(Deserialize)] 1408 #[serde(rename_all = "camelCase")] 1409 struct OrgImportGroupData { 1410 #[allow(dead_code)] 1411 name: String, // "GroupName" 1412 #[allow(dead_code)] 1413 external_id: String, // "cn=GroupName,ou=Groups,dc=example,dc=com" 1414 #[allow(dead_code)] 1415 users: Vec<String>, // ["uid=user,ou=People,dc=example,dc=com"] 1416 } 1417 1418 #[derive(Deserialize)] 1419 #[serde(rename_all = "camelCase")] 1420 struct OrgImportUserData { 1421 email: String, // "user@maildomain.net" 1422 #[allow(dead_code)] 1423 external_id: String, // "uid=user,ou=People,dc=example,dc=com" 1424 deleted: bool, 1425 } 1426 1427 #[derive(Deserialize)] 1428 #[serde(rename_all = "camelCase")] 1429 struct OrgImportData { 1430 #[allow(dead_code)] 1431 groups: Vec<OrgImportGroupData>, 1432 overwrite_existing: bool, 1433 users: Vec<OrgImportUserData>, 1434 } 1435 1436 #[post("/organizations/<org_id>/import", data = "<data>")] 1437 async fn import( 1438 org_id: &str, 1439 data: Json<OrgImportData>, 1440 headers: Headers, 1441 conn: DbConn, 1442 ) -> EmptyResult { 1443 let data = data.into_inner(); 1444 // TODO: Currently we aren't storing the externalId's anywhere, so we also don't have a way 1445 // to differentiate between auto-imported users and manually added ones. 1446 // This means that this endpoint can end up removing users that were added manually by an admin, 1447 // as opposed to upstream which only removes auto-imported users. 1448 // User needs to be admin or owner to use the Directory Connector 1449 match UserOrganization::find_by_user_and_org(&headers.user.uuid, org_id, &conn).await { 1450 Some(user_org) if user_org.atype >= UserOrgType::Admin => { /* Okay, nothing to do */ } 1451 Some(_) => err!("User has insufficient permissions to use Directory Connector"), 1452 None => err!("User not part of organization"), 1453 } 1454 for user_data in &data.users { 1455 if user_data.deleted { 1456 // If user is marked for deletion and it exists, delete it 1457 if let Some(user_org) = 1458 UserOrganization::find_by_email_and_org(&user_data.email, org_id, &conn).await 1459 { 1460 user_org.delete(&conn).await?; 1461 } 1462 1463 // If user is not part of the organization, but it exists 1464 } else if UserOrganization::find_by_email_and_org(&user_data.email, org_id, &conn) 1465 .await 1466 .is_none() 1467 { 1468 if let Some(user) = User::find_by_mail(&user_data.email, &conn).await { 1469 let user_org_status = i32::from(UserOrgStatus::Accepted); 1470 let mut new_org_user = 1471 UserOrganization::new(user.uuid.clone(), String::from(org_id)); 1472 new_org_user.access_all = false; 1473 new_org_user.atype = i32::from(UserOrgType::User); 1474 new_org_user.status = user_org_status; 1475 new_org_user.save(&conn).await?; 1476 } 1477 } else { 1478 // We don't care. 1479 } 1480 } 1481 // If this flag is enabled, any user that isn't provided in the Users list will be removed (by default they will be kept unless they have Deleted == true) 1482 if data.overwrite_existing { 1483 for user_org in 1484 UserOrganization::find_by_org_and_type(org_id, UserOrgType::User, &conn).await 1485 { 1486 if let Some(user_email) = User::find_by_uuid(&user_org.user_uuid, &conn) 1487 .await 1488 .map(|u| u.email) 1489 { 1490 if !data.users.iter().any(|u| u.email == user_email) { 1491 user_org.delete(&conn).await?; 1492 } 1493 } 1494 } 1495 } 1496 Ok(()) 1497 } 1498 1499 // Pre web-vault v2022.9.x endpoint 1500 #[put("/organizations/<org_id>/users/<org_user_id>/deactivate")] 1501 async fn deactivate_organization_user( 1502 org_id: &str, 1503 org_user_id: &str, 1504 headers: AdminHeaders, 1505 conn: DbConn, 1506 ) -> EmptyResult { 1507 _revoke_organization_user(org_id, org_user_id, &headers, &conn).await 1508 } 1509 1510 // Pre web-vault v2022.9.x endpoint 1511 #[put("/organizations/<org_id>/users/deactivate", data = "<data>")] 1512 async fn bulk_deactivate_organization_user( 1513 org_id: &str, 1514 data: Json<Value>, 1515 headers: AdminHeaders, 1516 conn: DbConn, 1517 ) -> Json<Value> { 1518 bulk_revoke_organization_user(org_id, data, headers, conn).await 1519 } 1520 1521 #[put("/organizations/<org_id>/users/<org_user_id>/revoke")] 1522 async fn revoke_organization_user( 1523 org_id: &str, 1524 org_user_id: &str, 1525 headers: AdminHeaders, 1526 conn: DbConn, 1527 ) -> EmptyResult { 1528 _revoke_organization_user(org_id, org_user_id, &headers, &conn).await 1529 } 1530 1531 #[put("/organizations/<org_id>/users/revoke", data = "<data>")] 1532 async fn bulk_revoke_organization_user( 1533 org_id: &str, 1534 data: Json<Value>, 1535 headers: AdminHeaders, 1536 conn: DbConn, 1537 ) -> Json<Value> { 1538 let data = data.into_inner(); 1539 let mut bulk_response = Vec::new(); 1540 match data["Ids"].as_array() { 1541 Some(org_users) => { 1542 for org_user_id in org_users { 1543 let org_user_id = org_user_id.as_str().unwrap_or_default(); 1544 let err_msg = 1545 match _revoke_organization_user(org_id, org_user_id, &headers, &conn).await { 1546 Ok(()) => String::new(), 1547 Err(e) => format!("{e:?}"), 1548 }; 1549 bulk_response.push(json!( 1550 { 1551 "object": "organizationUserBulkResponseModel", 1552 "id": org_user_id, 1553 "error": err_msg 1554 } 1555 )); 1556 } 1557 } 1558 None => panic!("No users to revoke"), 1559 } 1560 Json(json!({ 1561 "data": bulk_response, 1562 "object": "list", 1563 "continuationToken": null 1564 })) 1565 } 1566 1567 async fn _revoke_organization_user( 1568 org_id: &str, 1569 org_user_id: &str, 1570 headers: &AdminHeaders, 1571 conn: &DbConn, 1572 ) -> EmptyResult { 1573 match UserOrganization::find_by_uuid_and_org(org_user_id, org_id, conn).await { 1574 Some(mut user_org) if user_org.status > i32::from(UserOrgStatus::Revoked) => { 1575 if user_org.user_uuid == headers.user.uuid { 1576 err!("You cannot revoke yourself") 1577 } 1578 if user_org.atype == UserOrgType::Owner && headers.org_user_type != UserOrgType::Owner { 1579 err!("Only owners can revoke other owners") 1580 } 1581 if user_org.atype == UserOrgType::Owner 1582 && UserOrganization::count_confirmed_by_org_and_type( 1583 org_id, 1584 UserOrgType::Owner, 1585 conn, 1586 ) 1587 .await 1588 <= 1 1589 { 1590 err!("Organization must have at least one confirmed owner") 1591 } 1592 user_org.revoke(); 1593 user_org.save(conn).await?; 1594 } 1595 Some(_) => err!("User is already revoked"), 1596 None => err!("User not found in organization"), 1597 } 1598 Ok(()) 1599 } 1600 1601 // Pre web-vault v2022.9.x endpoint 1602 #[put("/organizations/<org_id>/users/<org_user_id>/activate")] 1603 async fn activate_organization_user( 1604 org_id: &str, 1605 org_user_id: &str, 1606 headers: AdminHeaders, 1607 conn: DbConn, 1608 ) -> EmptyResult { 1609 _restore_organization_user(org_id, org_user_id, &headers, &conn).await 1610 } 1611 1612 // Pre web-vault v2022.9.x endpoint 1613 #[put("/organizations/<org_id>/users/activate", data = "<data>")] 1614 async fn bulk_activate_organization_user( 1615 org_id: &str, 1616 data: Json<OrgBulkIds>, 1617 headers: AdminHeaders, 1618 conn: DbConn, 1619 ) -> Json<Value> { 1620 bulk_restore_organization_user(org_id, data, headers, conn).await 1621 } 1622 1623 #[put("/organizations/<org_id>/users/<org_user_id>/restore")] 1624 async fn restore_organization_user( 1625 org_id: &str, 1626 org_user_id: &str, 1627 headers: AdminHeaders, 1628 conn: DbConn, 1629 ) -> EmptyResult { 1630 _restore_organization_user(org_id, org_user_id, &headers, &conn).await 1631 } 1632 1633 #[put("/organizations/<org_id>/users/restore", data = "<data>")] 1634 async fn bulk_restore_organization_user( 1635 org_id: &str, 1636 data: Json<OrgBulkIds>, 1637 headers: AdminHeaders, 1638 conn: DbConn, 1639 ) -> Json<Value> { 1640 let data = data.into_inner(); 1641 let mut bulk_response = Vec::new(); 1642 for org_user_id in data.ids { 1643 let err_msg = match _restore_organization_user(org_id, &org_user_id, &headers, &conn).await 1644 { 1645 Ok(()) => String::new(), 1646 Err(e) => format!("{e:?}"), 1647 }; 1648 bulk_response.push(json!( 1649 { 1650 "object": "OrganizationUserBulkResponseModel", 1651 "id": org_user_id, 1652 "error": err_msg 1653 } 1654 )); 1655 } 1656 Json(json!({ 1657 "data": bulk_response, 1658 "object": "list", 1659 "continuationToken": null 1660 })) 1661 } 1662 1663 async fn _restore_organization_user( 1664 org_id: &str, 1665 org_user_id: &str, 1666 headers: &AdminHeaders, 1667 conn: &DbConn, 1668 ) -> EmptyResult { 1669 match UserOrganization::find_by_uuid_and_org(org_user_id, org_id, conn).await { 1670 Some(mut user_org) if user_org.status < i32::from(UserOrgStatus::Accepted) => { 1671 if user_org.user_uuid == headers.user.uuid { 1672 err!("You cannot restore yourself") 1673 } 1674 if user_org.atype == UserOrgType::Owner && headers.org_user_type != UserOrgType::Owner { 1675 err!("Only owners can restore other owners") 1676 } 1677 // This check is also done at accept_invite(), _confirm_invite, _activate_user(), edit_user(), admin::update_user_org_type 1678 // It returns different error messages per function. 1679 if user_org.atype < UserOrgType::Admin { 1680 match OrgPolicy::is_user_allowed(&user_org.user_uuid, org_id, false, conn).await { 1681 Ok(()) => {} 1682 Err(OrgPolicyErr::TwoFactorMissing) => { 1683 err!( 1684 "You cannot restore this user because it has no two-step login method activated" 1685 ); 1686 } 1687 Err(OrgPolicyErr::SingleOrgEnforced) => { 1688 err!( 1689 "You cannot restore this user because it is a member of an organization which forbids it" 1690 ); 1691 } 1692 } 1693 } 1694 user_org.restore(); 1695 user_org.save(conn).await?; 1696 } 1697 Some(_) => err!("User is already active"), 1698 None => err!("User not found in organization"), 1699 } 1700 Ok(()) 1701 } 1702 1703 #[allow(unused_variables, clippy::needless_pass_by_value)] 1704 #[get("/organizations/<org_id>/groups")] 1705 fn get_groups(org_id: &str, _headers: ManagerHeadersLoose) -> Json<Value> { 1706 Json(json!({ 1707 "data": Vec::<Value>::new(), 1708 "object": "list", 1709 "continuationToken": null, 1710 })) 1711 } 1712 1713 #[derive(Deserialize)] 1714 #[serde(rename_all = "camelCase")] 1715 struct GroupRequest; 1716 #[derive(Serialize)] 1717 #[serde(rename_all = "camelCase")] 1718 struct SelectionReadOnly { 1719 id: String, 1720 read_only: bool, 1721 hide_passwords: bool, 1722 } 1723 1724 impl SelectionReadOnly { 1725 fn to_collection_user_details_read_only(collection_user: &CollectionUser) -> Self { 1726 Self { 1727 id: collection_user.user_uuid.clone(), 1728 read_only: collection_user.read_only, 1729 hide_passwords: collection_user.hide_passwords, 1730 } 1731 } 1732 fn to_json(&self) -> Value { 1733 json!(self) 1734 } 1735 } 1736 1737 const GROUPS_DISABLED_MSG: &str = "Groups are disabled."; 1738 #[allow(unused_variables, clippy::needless_pass_by_value)] 1739 #[post("/organizations/<org_id>/groups/<group_id>", data = "<data>")] 1740 fn post_group( 1741 org_id: &str, 1742 group_id: &str, 1743 data: Json<GroupRequest>, 1744 _headers: AdminHeaders, 1745 ) -> Error { 1746 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1747 } 1748 1749 #[allow(unused_variables, clippy::needless_pass_by_value)] 1750 #[post("/organizations/<org_id>/groups", data = "<data>")] 1751 fn post_groups(org_id: &str, _headers: AdminHeaders, data: Json<GroupRequest>) -> Error { 1752 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1753 } 1754 1755 #[allow(unused_variables, clippy::needless_pass_by_value)] 1756 #[put("/organizations/<org_id>/groups/<group_id>", data = "<data>")] 1757 fn put_group( 1758 org_id: &str, 1759 group_id: &str, 1760 data: Json<GroupRequest>, 1761 _headers: AdminHeaders, 1762 ) -> Error { 1763 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1764 } 1765 1766 #[allow(unused_variables, clippy::needless_pass_by_value)] 1767 #[get("/organizations/<_org_id>/groups/<group_id>/details")] 1768 fn get_group_details(_org_id: &str, group_id: &str, _headers: AdminHeaders) -> Error { 1769 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1770 } 1771 1772 #[allow(unused_variables, clippy::needless_pass_by_value)] 1773 #[post("/organizations/<org_id>/groups/<group_id>/delete")] 1774 fn post_delete_group(org_id: &str, group_id: &str, _headers: AdminHeaders) -> Error { 1775 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1776 } 1777 1778 #[allow(unused_variables, clippy::needless_pass_by_value)] 1779 #[delete("/organizations/<org_id>/groups/<group_id>")] 1780 fn delete_group(org_id: &str, group_id: &str, _headers: AdminHeaders) -> Error { 1781 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1782 } 1783 #[allow(unused_variables, clippy::needless_pass_by_value)] 1784 #[delete("/organizations/<org_id>/groups", data = "<data>")] 1785 fn bulk_delete_groups(org_id: &str, data: Json<OrgBulkIds>, _headers: AdminHeaders) -> Error { 1786 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1787 } 1788 1789 #[allow(unused_variables, clippy::needless_pass_by_value)] 1790 #[get("/organizations/<_org_id>/groups/<group_id>")] 1791 fn get_group(_org_id: &str, group_id: &str, _headers: AdminHeaders) -> Error { 1792 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1793 } 1794 1795 #[allow(unused_variables, clippy::needless_pass_by_value)] 1796 #[get("/organizations/<_org_id>/groups/<group_id>/users")] 1797 fn get_group_users(_org_id: &str, group_id: &str, _headers: AdminHeaders) -> Error { 1798 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1799 } 1800 #[allow(unused_variables, clippy::needless_pass_by_value)] 1801 #[put("/organizations/<org_id>/groups/<group_id>/users", data = "<data>")] 1802 fn put_group_users( 1803 org_id: &str, 1804 group_id: &str, 1805 _headers: AdminHeaders, 1806 data: Json<Vec<String>>, 1807 ) -> Error { 1808 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1809 } 1810 1811 #[allow(unused_variables, clippy::needless_pass_by_value)] 1812 #[get("/organizations/<_org_id>/users/<user_id>/groups")] 1813 fn get_user_groups(_org_id: &str, user_id: &str, _headers: AdminHeaders) -> Error { 1814 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1815 } 1816 1817 #[derive(Deserialize)] 1818 #[serde(rename_all = "camelCase")] 1819 struct OrganizationUserUpdateGroupsRequest; 1820 1821 #[allow(unused_variables, clippy::needless_pass_by_value)] 1822 #[post("/organizations/<org_id>/users/<org_user_id>/groups", data = "<data>")] 1823 fn post_user_groups( 1824 org_id: &str, 1825 org_user_id: &str, 1826 data: Json<OrganizationUserUpdateGroupsRequest>, 1827 _headers: AdminHeaders, 1828 ) -> Error { 1829 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1830 } 1831 1832 #[allow(unused_variables, clippy::needless_pass_by_value)] 1833 #[put("/organizations/<org_id>/users/<org_user_id>/groups", data = "<data>")] 1834 fn put_user_groups( 1835 org_id: &str, 1836 org_user_id: &str, 1837 data: Json<OrganizationUserUpdateGroupsRequest>, 1838 _headers: AdminHeaders, 1839 ) -> Error { 1840 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1841 } 1842 1843 #[allow(unused_variables, clippy::needless_pass_by_value)] 1844 #[post("/organizations/<org_id>/groups/<group_id>/delete-user/<org_user_id>")] 1845 fn post_delete_group_user( 1846 org_id: &str, 1847 group_id: &str, 1848 org_user_id: &str, 1849 _headers: AdminHeaders, 1850 ) -> Error { 1851 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1852 } 1853 1854 #[allow(unused_variables, clippy::needless_pass_by_value)] 1855 #[delete("/organizations/<org_id>/groups/<group_id>/users/<org_user_id>")] 1856 fn delete_group_user( 1857 org_id: &str, 1858 group_id: &str, 1859 org_user_id: &str, 1860 _headers: AdminHeaders, 1861 ) -> Error { 1862 Error::new(GROUPS_DISABLED_MSG, GROUPS_DISABLED_MSG) 1863 } 1864 1865 #[derive(Deserialize)] 1866 #[serde(rename_all = "camelCase")] 1867 struct OrganizationUserResetPasswordEnrollmentRequest { 1868 #[allow(dead_code)] 1869 reset_password_key: Option<String>, 1870 #[allow(dead_code)] 1871 master_password_hash: Option<String>, 1872 #[allow(dead_code)] 1873 otp: Option<String>, 1874 } 1875 1876 #[derive(Deserialize)] 1877 #[serde(rename_all = "camelCase")] 1878 struct OrganizationUserResetPasswordRequest { 1879 #[allow(dead_code)] 1880 new_master_password_hash: String, 1881 #[allow(dead_code)] 1882 key: String, 1883 } 1884 #[get("/organizations/<org_id>/public-key")] 1885 async fn get_organization_public_key(org_id: &str, _headers: Headers, conn: DbConn) -> JsonResult { 1886 let Some(org) = Organization::find_by_uuid(org_id, &conn).await else { 1887 err!("Organization not found") 1888 }; 1889 1890 Ok(Json(json!({ 1891 "object": "organizationPublicKey", 1892 "publicKey": org.public_key, 1893 }))) 1894 } 1895 const PASS_RESET_MSG: &str = "Password reset is not supported on an email-disabled instance."; 1896 #[allow(unused_variables)] 1897 #[put( 1898 "/organizations/<org_id>/users/<org_user_id>/reset-password", 1899 data = "<data>" 1900 )] 1901 async fn put_reset_password( 1902 org_id: &str, 1903 org_user_id: &str, 1904 _headers: AdminHeaders, 1905 data: Json<OrganizationUserResetPasswordRequest>, 1906 conn: DbConn, 1907 ) -> EmptyResult { 1908 let Some(org) = Organization::find_by_uuid(org_id, &conn).await else { 1909 err!("Required organization not found") 1910 }; 1911 let Some(org_user) = 1912 UserOrganization::find_by_uuid_and_org(org_user_id, &org.uuid, &conn).await 1913 else { 1914 err!("User to reset isn't member of required organization") 1915 }; 1916 match User::find_by_uuid(&org_user.user_uuid, &conn).await { 1917 Some(_) => err!(PASS_RESET_MSG), 1918 None => err!("User not found"), 1919 } 1920 } 1921 1922 #[allow(unused_variables, clippy::needless_pass_by_value)] 1923 #[get("/organizations/<org_id>/users/<org_user_id>/reset-password-details")] 1924 fn get_reset_password_details(org_id: &str, org_user_id: &str, _headers: AdminHeaders) -> Error { 1925 Error::new(PASS_RESET_MSG, PASS_RESET_MSG) 1926 } 1927 1928 #[allow(unused_variables, clippy::needless_pass_by_value)] 1929 #[put( 1930 "/organizations/<org_id>/users/<org_user_id>/reset-password-enrollment", 1931 data = "<data>" 1932 )] 1933 fn put_reset_password_enrollment( 1934 org_id: &str, 1935 org_user_id: &str, 1936 _headers: Headers, 1937 data: Json<OrganizationUserResetPasswordEnrollmentRequest>, 1938 ) -> Error { 1939 Error::new(PASS_RESET_MSG, PASS_RESET_MSG) 1940 } 1941 1942 // This is a new function active since the v2022.9.x clients. 1943 // It combines the previous two calls done before. 1944 // We call those two functions here and combine them ourselves. 1945 // 1946 // NOTE: It seems clients can't handle uppercase-first keys!! 1947 // We need to convert all keys so they have the first character to be a lowercase. 1948 // Else the export will be just an empty JSON file. 1949 #[get("/organizations/<org_id>/export")] 1950 async fn get_org_export(org_id: &str, headers: AdminHeaders, conn: DbConn) -> Json<Value> { 1951 use semver::{Version, VersionReq}; 1952 // Since version v2023.1.0 the format of the export is different. 1953 // Also, this endpoint was created since v2022.9.0. 1954 // Therefore, we will check for any version smaller then v2023.1.0 and return a different response. 1955 // If we can't determine the version, we will use the latest default v2023.1.0 and higher. 1956 // https://github.com/bitwarden/server/blob/9ca93381ce416454734418c3a9f99ab49747f1b6/src/Api/Controllers/OrganizationExportController.cs#L44 1957 let use_list_response_model = headers.client_version.is_some_and(|client_version| { 1958 let ver_match = VersionReq::parse("<2023.1.0").unwrap(); 1959 let client_version = Version::parse(&client_version).unwrap(); 1960 ver_match.matches(&client_version) 1961 }); 1962 // Also both main keys here need to be lowercase, else the export will fail. 1963 if use_list_response_model { 1964 // Backwards compatible pre v2023.1.0 response 1965 Json(json!({ 1966 "collections": { 1967 "data": util::convert_json_key_lcase_first(_get_org_collections(org_id, &conn).await), 1968 "object": "list", 1969 "continuationToken": null, 1970 }, 1971 "ciphers": { 1972 "data": util::convert_json_key_lcase_first(_get_org_details(org_id, &headers.user.uuid, &conn).await), 1973 "object": "list", 1974 "continuationToken": null, 1975 } 1976 })) 1977 } else { 1978 // v2023.1.0 and newer response 1979 Json(json!({ 1980 "collections": util::convert_json_key_lcase_first(_get_org_collections(org_id, &conn).await), 1981 "ciphers": util::convert_json_key_lcase_first(_get_org_details(org_id, &headers.user.uuid, &conn).await), 1982 })) 1983 } 1984 } 1985 const API_DISABLED_MSG: &str = "API access is disabled."; 1986 #[allow(unused_variables, clippy::needless_pass_by_value)] 1987 #[post("/organizations/<org_id>/api-key", data = "<data>")] 1988 fn api_key(org_id: &str, data: Json<PasswordOrOtpData>, _headers: AdminHeaders) -> Error { 1989 Error::new(API_DISABLED_MSG, API_DISABLED_MSG) 1990 } 1991 #[allow(unused_variables, clippy::needless_pass_by_value)] 1992 #[post("/organizations/<org_id>/rotate-api-key", data = "<data>")] 1993 fn rotate_api_key(org_id: &str, data: Json<PasswordOrOtpData>, _headers: AdminHeaders) -> Error { 1994 Error::new(API_DISABLED_MSG, API_DISABLED_MSG) 1995 }