cipher.rs (32284B)
1 use super::{ 2 CollectionCipher, Favorite, FolderCipher, User, UserOrgStatus, UserOrgType, UserOrganization, 3 }; 4 use crate::api::core::{CipherData, CipherSyncData, CipherSyncType}; 5 use crate::util::{self, LowerCase}; 6 use chrono::{DateTime, NaiveDateTime, Utc}; 7 use diesel::result::{self, DatabaseErrorKind}; 8 use serde_json::Value; 9 use std::borrow::Cow; 10 use std::string::ToString; 11 12 db_object! { 13 #[derive(AsChangeset, Insertable, Queryable)] 14 #[diesel(table_name = ciphers)] 15 #[diesel(treat_none_as_null = true)] 16 pub struct Cipher { 17 pub uuid: String, 18 created_at: NaiveDateTime, 19 pub updated_at: NaiveDateTime, 20 pub user_uuid: Option<String>, 21 pub organization_uuid: Option<String>, 22 pub key: Option<String>, 23 atype: i32, 24 pub name: String, 25 pub notes: Option<String>, 26 pub fields: Option<String>, 27 pub data: String, 28 pub password_history: Option<String>, 29 pub deleted_at: Option<NaiveDateTime>, 30 pub reprompt: Option<i32>, 31 } 32 } 33 34 enum RepromptType { 35 None = 0, 36 } 37 impl From<RepromptType> for i32 { 38 fn from(value: RepromptType) -> Self { 39 match value { 40 RepromptType::None => 0i32, 41 } 42 } 43 } 44 45 /// Local methods 46 impl Cipher { 47 pub fn new(atype: i32, name: String) -> Self { 48 let now = Utc::now().naive_utc(); 49 Self { 50 uuid: util::get_uuid(), 51 created_at: now, 52 updated_at: now, 53 user_uuid: None, 54 organization_uuid: None, 55 key: None, 56 atype, 57 name, 58 notes: None, 59 fields: None, 60 data: String::new(), 61 password_history: None, 62 deleted_at: None, 63 reprompt: None, 64 } 65 } 66 pub fn validate_cipher_data(cipher_data: &[CipherData]) -> EmptyResult { 67 let mut validation_errors = serde_json::Map::new(); 68 for (index, cipher) in cipher_data.iter().enumerate() { 69 if let Some(ref note) = cipher.notes { 70 if note.len() > 10_000 { 71 validation_errors.insert( 72 format!("Ciphers[{index}].Notes"), 73 serde_json::to_value([ 74 "The field Notes exceeds the maximum encrypted value length of 10000 characters.", 75 ]) 76 .unwrap(), 77 ); 78 } 79 } 80 // Validate the password history if it contains `null` values and if so, return a warning 81 if let Some(Value::Array(ref password_history)) = cipher.password_history { 82 for pwh in password_history { 83 if let Value::Object(ref pwo) = *pwh { 84 if pwo.get("password").is_some_and(|p| !p.is_string()) { 85 validation_errors.insert( 86 format!("Ciphers[{index}].Notes"), 87 serde_json::to_value([ 88 "The password history contains a `null` value. Only strings are allowed.", 89 ]) 90 .unwrap(), 91 ); 92 break; 93 } 94 } 95 } 96 } 97 } 98 if !validation_errors.is_empty() { 99 let err_json = json!({ 100 "message": "The model state is invalid.", 101 "validationErrors" : validation_errors, 102 "object": "error" 103 }); 104 err_json!(err_json, "Import validation errors") 105 } 106 Ok(()) 107 } 108 } 109 use crate::api::EmptyResult; 110 use crate::db::DbConn; 111 use crate::error::MapResult; 112 /// Database methods 113 impl Cipher { 114 pub async fn to_json( 115 &self, 116 user_uuid: &str, 117 cipher_sync_data: Option<&CipherSyncData>, 118 sync_type: CipherSyncType, 119 conn: &DbConn, 120 ) -> Value { 121 // We don't need these values at all for Organizational syncs 122 // Skip any other database calls if this is the case and just return false. 123 let (read_only, hide_passwords) = if sync_type == CipherSyncType::User { 124 match self 125 .get_access_restrictions(user_uuid, cipher_sync_data, conn) 126 .await 127 { 128 Some((ro, hp)) => (ro, hp), 129 None => (true, true), 130 } 131 } else { 132 (false, false) 133 }; 134 let fields_json = self 135 .fields 136 .as_ref() 137 .and_then(|s| { 138 serde_json::from_str::<Vec<LowerCase<Value>>>(s) 139 .inspect_err(|e| warn!("Error parsing fields {e:?} for {}", self.uuid)) 140 .ok() 141 }) 142 .map_or(Value::Null, |d| d.into_iter().map(|da| da.data).collect()); 143 let password_history_json = self 144 .password_history 145 .as_ref() 146 .and_then(|s| { 147 serde_json::from_str::<Vec<LowerCase<Value>>>(s) 148 .inspect_err(|e| { 149 warn!("Error parsing password history {e:?} for {}", self.uuid); 150 }) 151 .ok() 152 }) 153 .map_or(Value::Null, |d| { 154 // Check every password history item if they are valid and return it. 155 // If a password field has the type `null` skip it, it breaks newer Bitwarden clients 156 // A second check is done to verify the lastUsedDate exists and is a string, if not the epoch start time will be used 157 d.into_iter() 158 .filter_map(|da| match da.data.get("password") { 159 Some(p) if p.is_string() => Some(da.data), 160 _ => None, 161 }) 162 .map(|da| match da.get("lastUsedDate").and_then(|l| l.as_str()) { 163 Some(l) if DateTime::parse_from_rfc3339(l).is_ok() => da, 164 _ => { 165 let mut dat = da; 166 dat["lastUsedDate"] = json!("1970-01-01T00:00:00.000Z"); 167 dat 168 } 169 }) 170 .collect() 171 }); 172 // Get the type_data or a default to an empty json object '{}'. 173 // If not passing an empty object, mobile clients will crash. 174 let mut type_data_json = serde_json::from_str::<LowerCase<Value>>(&self.data).map_or_else( 175 |_e| { 176 warn!("Error parsing data field for {}", self.uuid); 177 Value::Object(serde_json::Map::new()) 178 }, 179 |d| d.data, 180 ); 181 // NOTE: This was marked as *Backwards Compatibility Code*, but as of January 2021 this is still being used by upstream 182 // Set the first element of the Uris array as Uri, this is needed several (mobile) clients. 183 if self.atype == 1i32 { 184 if type_data_json["uris"].is_array() { 185 let uri = type_data_json["uris"][0]["uri"].clone(); 186 type_data_json["uri"] = uri; 187 } else { 188 // Upstream always has an Uri key/value 189 type_data_json["uri"] = Value::Null; 190 } 191 } 192 if self.atype == 2i32 { 193 match type_data_json { 194 Value::Object(ref t) if t.get("type").is_some_and(Value::is_number) => {} 195 Value::Null 196 | Value::Bool(_) 197 | Value::Number(_) 198 | Value::String(_) 199 | Value::Array(_) 200 | Value::Object(_) => { 201 type_data_json = json!({"type": 0i32}); 202 } 203 } 204 } 205 // Clone the type_data and add some default value. 206 let mut data_json = type_data_json.clone(); 207 // NOTE: This was marked as *Backwards Compatibility Code*, but as of January 2021 this is still being used by upstream 208 // data_json should always contain the following keys with every atype 209 data_json["fields"] = fields_json.clone(); 210 data_json["name"] = json!(self.name); 211 data_json["notes"] = json!(self.notes); 212 data_json["passwordHistory"] = password_history_json.clone(); 213 let collection_ids = if let Some(cipher_sync_data) = cipher_sync_data { 214 cipher_sync_data 215 .cipher_collections 216 .get(&self.uuid) 217 .map_or_else(|| Cow::from(Vec::with_capacity(0)), Cow::from) 218 } else { 219 Cow::from(self.get_admin_collections(user_uuid.to_owned(), conn).await) 220 }; 221 // There are three types of cipher response models in upstream 222 // Bitwarden: "cipherMini", "cipher", and "cipherDetails" (in order 223 // of increasing level of detail). vaultwarden currently only 224 // supports the "cipherDetails" type, though it seems like the 225 // Bitwarden clients will ignore extra fields. 226 // 227 // Ref: https://github.com/bitwarden/server/blob/master/src/Core/Models/Api/Response/CipherResponseModel.cs 228 let mut json_object = json!({ 229 "object": "cipherDetails", 230 "id": self.uuid, 231 "type": self.atype, 232 "creationDate": util::format_date(&self.created_at), 233 "revisionDate": util::format_date(&self.updated_at), 234 "deletedDate": self.deleted_at.map_or(Value::Null, |d| Value::String(util::format_date(&d))), 235 "reprompt": self.reprompt.unwrap_or_else(|| i32::from(RepromptType::None)), 236 "organizationId": self.organization_uuid, 237 "key": self.key, 238 "attachments": Value::Null, 239 // We have UseTotp set to true by default within the Organization model. 240 // This variable together with UsersGetPremium is used to show or hide the TOTP counter. 241 "organizationUseTotp": true, 242 // This field is specific to the cipherDetails type. 243 "collectionIds": collection_ids, 244 "name": self.name, 245 "notes": self.notes, 246 "fields": fields_json, 247 "data": data_json, 248 "passwordHistory": password_history_json, 249 // All Cipher types are included by default as null, but only the matching one will be populated 250 "login": null, 251 "secureNote": null, 252 "card": null, 253 "identity": null, 254 }); 255 // These values are only needed for user/default syncs 256 // Not during an organizational sync like `get_org_details` 257 // Skip adding these fields in that case 258 if sync_type == CipherSyncType::User { 259 json_object["folderId"] = json!(if let Some(cipher_sync_data) = cipher_sync_data { 260 cipher_sync_data 261 .cipher_folders 262 .get(&self.uuid) 263 .map(ToString::to_string) 264 } else { 265 self.get_folder_uuid(user_uuid, conn).await 266 }); 267 json_object["favorite"] = json!(if let Some(cipher_sync_data) = cipher_sync_data { 268 cipher_sync_data.cipher_favorites.contains(&self.uuid) 269 } else { 270 self.is_favorite(user_uuid, conn).await 271 }); 272 // These values are true by default, but can be false if the 273 // cipher belongs to a collection or group where the org owner has enabled 274 // the "Read Only" or "Hide Passwords" restrictions for the user. 275 json_object["edit"] = json!(!read_only); 276 json_object["viewPassword"] = json!(!hide_passwords); 277 } 278 279 let key = match self.atype { 280 1i32 => "login", 281 2i32 => "secureNote", 282 3i32 => "card", 283 4i32 => "identity", 284 _ => panic!("Wrong type"), 285 }; 286 287 json_object[key] = type_data_json; 288 json_object 289 } 290 291 pub async fn update_users_revision(&self, conn: &DbConn) -> Vec<String> { 292 let mut user_uuids = Vec::new(); 293 match self.user_uuid { 294 Some(ref user_uuid) => { 295 User::update_uuid_revision(user_uuid, conn).await; 296 user_uuids.push(user_uuid.clone()); 297 } 298 None => { 299 // Belongs to Organization, need to update affected users 300 if let Some(ref org_uuid) = self.organization_uuid { 301 for user_org in 302 &UserOrganization::find_by_cipher_and_org(&self.uuid, org_uuid, conn).await 303 { 304 User::update_uuid_revision(&user_org.user_uuid, conn).await; 305 user_uuids.push(user_org.user_uuid.clone()); 306 } 307 } 308 } 309 }; 310 user_uuids 311 } 312 313 pub async fn save(&mut self, conn: &DbConn) -> EmptyResult { 314 self.update_users_revision(conn).await; 315 self.updated_at = Utc::now().naive_utc(); 316 db_run! { conn: 317 { 318 match diesel::replace_into(ciphers::table) 319 .values(CipherDb::to_db(self)) 320 .execute(conn) 321 { 322 Ok(_) => Ok(()), 323 // Record already exists and causes a Foreign Key Violation because replace_into() wants to delete the record first. 324 Err(result::Error::DatabaseError(DatabaseErrorKind::ForeignKeyViolation, _)) => { 325 diesel::update(ciphers::table) 326 .filter(ciphers::uuid.eq(&self.uuid)) 327 .set(CipherDb::to_db(self)) 328 .execute(conn) 329 .map_res("Error saving cipher") 330 } 331 Err(e) => Err(e.into()), 332 }.map_res("Error saving cipher") 333 } 334 } 335 } 336 337 pub async fn delete(&self, conn: &DbConn) -> EmptyResult { 338 self.update_users_revision(conn).await; 339 FolderCipher::delete_all_by_cipher(&self.uuid, conn).await?; 340 CollectionCipher::delete_all_by_cipher(&self.uuid, conn).await?; 341 Favorite::delete_all_by_cipher(&self.uuid, conn).await?; 342 db_run! { conn: { 343 diesel::delete(ciphers::table.filter(ciphers::uuid.eq(&self.uuid))) 344 .execute(conn) 345 .map_res("Error deleting cipher") 346 }} 347 } 348 349 pub async fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult { 350 // TODO: Optimize this by executing a DELETE directly on the database, instead of first fetching. 351 for cipher in Self::find_by_org(org_uuid, conn).await { 352 cipher.delete(conn).await?; 353 } 354 Ok(()) 355 } 356 357 pub async fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult { 358 for cipher in Self::find_owned_by_user(user_uuid, conn).await { 359 cipher.delete(conn).await?; 360 } 361 Ok(()) 362 } 363 364 pub async fn move_to_folder( 365 &self, 366 folder_uuid: Option<String>, 367 user_uuid: &str, 368 conn: &DbConn, 369 ) -> EmptyResult { 370 User::update_uuid_revision(user_uuid, conn).await; 371 match (self.get_folder_uuid(user_uuid, conn).await, folder_uuid) { 372 // No changes 373 (None, None) => Ok(()), 374 (Some(ref old), Some(ref new)) if old == new => Ok(()), 375 // Add to folder 376 (None, Some(new)) => FolderCipher::new(&new, &self.uuid).save(conn).await, 377 // Remove from folder 378 (Some(old), None) => { 379 match FolderCipher::find_by_folder_and_cipher(&old, &self.uuid, conn).await { 380 Some(old) => old.delete(conn).await, 381 None => err!("Couldn't move from previous folder"), 382 } 383 } 384 // Move to another folder 385 (Some(old), Some(new)) => { 386 if let Some(old) = 387 FolderCipher::find_by_folder_and_cipher(&old, &self.uuid, conn).await 388 { 389 old.delete(conn).await?; 390 } 391 FolderCipher::new(&new, &self.uuid).save(conn).await 392 } 393 } 394 } 395 /// Returns whether this cipher is directly owned by the user. 396 fn is_owned_by_user(&self, user_uuid: &str) -> bool { 397 self.user_uuid.is_some() && self.user_uuid.as_ref().unwrap() == user_uuid 398 } 399 400 /// Returns whether this cipher is owned by an org in which the user has full access. 401 #[allow(clippy::else_if_without_else)] 402 async fn is_in_full_access_org( 403 &self, 404 user_uuid: &str, 405 cipher_sync_data: Option<&CipherSyncData>, 406 conn: &DbConn, 407 ) -> bool { 408 if let Some(ref org_uuid) = self.organization_uuid { 409 if let Some(cipher_sync_data) = cipher_sync_data { 410 if let Some(cached_user_org) = cipher_sync_data.user_organizations.get(org_uuid) { 411 return cached_user_org.has_full_access(); 412 } 413 } else if let Some(user_org) = 414 UserOrganization::find_by_user_and_org(user_uuid, org_uuid, conn).await 415 { 416 return user_org.has_full_access(); 417 } 418 } 419 false 420 } 421 /// Returns the user's access restrictions to this cipher. A return value 422 /// of None means that this cipher does not belong to the user, and is 423 /// not in any collection the user has access to. Otherwise, the user has 424 /// access to this cipher, and Some(read_only, hide_passwords) represents 425 /// the access restrictions. 426 async fn get_access_restrictions( 427 &self, 428 user_uuid: &str, 429 cipher_sync_data: Option<&CipherSyncData>, 430 conn: &DbConn, 431 ) -> Option<(bool, bool)> { 432 // Check whether this cipher is directly owned by the user, or is in 433 // a collection that the user has full access to. If so, there are no 434 // access restrictions. 435 if self.is_owned_by_user(user_uuid) 436 || self 437 .is_in_full_access_org(user_uuid, cipher_sync_data, conn) 438 .await 439 { 440 return Some((false, false)); 441 } 442 443 let rows = if let Some(cipher_sync_data) = cipher_sync_data { 444 let mut rows: Vec<(bool, bool)> = Vec::new(); 445 if let Some(collections) = cipher_sync_data.cipher_collections.get(&self.uuid) { 446 for collection in collections { 447 //User permissions 448 if let Some(uc) = cipher_sync_data.user_collections.get(collection) { 449 rows.push((uc.read_only, uc.hide_passwords)); 450 } 451 } 452 } 453 rows 454 } else { 455 self.get_user_collections_access_flags(user_uuid, conn) 456 .await 457 }; 458 459 if rows.is_empty() { 460 // This cipher isn't in any collections accessible to the user. 461 return None; 462 } 463 464 // A cipher can be in multiple collections with inconsistent access flags. 465 // For example, a cipher could be in one collection where the user has 466 // read-only access, but also in another collection where the user has 467 // read/write access. For a flag to be in effect for a cipher, upstream 468 // requires all collections the cipher is in to have that flag set. 469 // Therefore, we do a boolean AND of all values in each of the `read_only` 470 // and `hide_passwords` columns. This could ideally be done as part of the 471 // query, but Diesel doesn't support a min() or bool_and() function on 472 // booleans and this behavior isn't portable anyway. 473 let mut read_only = true; 474 let mut hide_passwords = true; 475 for tup in rows { 476 read_only &= tup.0; 477 hide_passwords &= tup.1; 478 } 479 Some((read_only, hide_passwords)) 480 } 481 482 async fn get_user_collections_access_flags( 483 &self, 484 user_uuid: &str, 485 conn: &DbConn, 486 ) -> Vec<(bool, bool)> { 487 db_run! {conn: { 488 // Check whether this cipher is in any collections accessible to the 489 // user. If so, retrieve the access flags for each collection. 490 ciphers::table 491 .filter(ciphers::uuid.eq(&self.uuid)) 492 .inner_join(ciphers_collections::table.on( 493 ciphers::uuid.eq(ciphers_collections::cipher_uuid))) 494 .inner_join(users_collections::table.on( 495 ciphers_collections::collection_uuid.eq(users_collections::collection_uuid) 496 .and(users_collections::user_uuid.eq(user_uuid)))) 497 .select((users_collections::read_only, users_collections::hide_passwords)) 498 .load::<(bool, bool)>(conn) 499 .expect("Error getting user access restrictions") 500 }} 501 } 502 503 pub async fn is_write_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool { 504 match self.get_access_restrictions(user_uuid, None, conn).await { 505 Some((read_only, _hide_passwords)) => !read_only, 506 None => false, 507 } 508 } 509 510 pub async fn is_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool { 511 self.get_access_restrictions(user_uuid, None, conn) 512 .await 513 .is_some() 514 } 515 516 // Returns whether this cipher is a favorite of the specified user. 517 async fn is_favorite(&self, user_uuid: &str, conn: &DbConn) -> bool { 518 Favorite::is_favorite(&self.uuid, user_uuid, conn).await 519 } 520 521 // Sets whether this cipher is a favorite of the specified user. 522 pub async fn set_favorite( 523 &self, 524 favorite: Option<bool>, 525 user_uuid: &str, 526 conn: &DbConn, 527 ) -> EmptyResult { 528 match favorite { 529 None => Ok(()), // No change requested. 530 Some(status) => Favorite::set_favorite(status, &self.uuid, user_uuid, conn).await, 531 } 532 } 533 534 async fn get_folder_uuid(&self, user_uuid: &str, conn: &DbConn) -> Option<String> { 535 db_run! {conn: { 536 folders_ciphers::table 537 .inner_join(folders::table) 538 .filter(folders::user_uuid.eq(&user_uuid)) 539 .filter(folders_ciphers::cipher_uuid.eq(&self.uuid)) 540 .select(folders_ciphers::folder_uuid) 541 .first::<String>(conn) 542 .ok() 543 }} 544 } 545 546 pub async fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> { 547 db_run! {conn: { 548 ciphers::table 549 .filter(ciphers::uuid.eq(uuid)) 550 .first::<CipherDb>(conn) 551 .ok() 552 .from_db() 553 }} 554 } 555 556 pub async fn find_by_uuid_and_org( 557 cipher_uuid: &str, 558 org_uuid: &str, 559 conn: &DbConn, 560 ) -> Option<Self> { 561 db_run! {conn: { 562 ciphers::table 563 .filter(ciphers::uuid.eq(cipher_uuid)) 564 .filter(ciphers::organization_uuid.eq(org_uuid)) 565 .first::<CipherDb>(conn) 566 .ok() 567 .from_db() 568 }} 569 } 570 571 // Find all ciphers accessible or visible to the specified user. 572 // 573 // "Accessible" means the user has read access to the cipher, either via 574 // direct ownership, collection or via group access. 575 // 576 // "Visible" usually means the same as accessible, except when an org 577 // owner/admin sets their account or group to have access to only selected 578 // collections in the org (presumably because they aren't interested in 579 // the other collections in the org). In this case, if `visible_only` is 580 // true, then the non-interesting ciphers will not be returned. As a 581 // result, those ciphers will not appear in "My Vault" for the org 582 // owner/admin, but they can still be accessed via the org vault view. 583 async fn find_by_user(user_uuid: &str, visible_only: bool, conn: &DbConn) -> Vec<Self> { 584 db_run! {conn: { 585 let mut query = ciphers::table 586 .left_join(ciphers_collections::table.on( 587 ciphers::uuid.eq(ciphers_collections::cipher_uuid) 588 )) 589 .left_join(users_organizations::table.on( 590 ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()) 591 .and(users_organizations::user_uuid.eq(user_uuid)) 592 .and(users_organizations::status.eq(i32::from(UserOrgStatus::Confirmed))) 593 )) 594 .left_join(users_collections::table.on( 595 ciphers_collections::collection_uuid.eq(users_collections::collection_uuid) 596 // Ensure that users_collections::user_uuid is NULL for unconfirmed users. 597 .and(users_organizations::user_uuid.eq(users_collections::user_uuid)) 598 )) 599 .filter(ciphers::user_uuid.eq(user_uuid)) // Cipher owner 600 .or_filter(users_organizations::access_all.eq(true)) // access_all in org 601 .or_filter(users_collections::user_uuid.eq(user_uuid)) // Access to collection 602 .into_boxed(); 603 if !visible_only { 604 query = query.or_filter( 605 users_organizations::atype.le(i32::from(UserOrgType::Admin)) // Org admin/owner 606 ); 607 } 608 query 609 .select(ciphers::all_columns) 610 .distinct() 611 .load::<CipherDb>(conn).expect("Error loading ciphers").from_db() 612 }} 613 } 614 // Find all ciphers visible to the specified user. 615 pub async fn find_by_user_visible(user_uuid: &str, conn: &DbConn) -> Vec<Self> { 616 Self::find_by_user(user_uuid, true, conn).await 617 } 618 // Find all ciphers directly owned by the specified user. 619 pub async fn find_owned_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> { 620 db_run! {conn: { 621 ciphers::table 622 .filter( 623 ciphers::user_uuid.eq(user_uuid) 624 .and(ciphers::organization_uuid.is_null()) 625 ) 626 .load::<CipherDb>(conn).expect("Error loading ciphers").from_db() 627 }} 628 } 629 630 pub async fn count_owned_by_user(user_uuid: &str, conn: &DbConn) -> u64 { 631 u64::try_from({ 632 db_run! {conn: { 633 ciphers::table 634 .filter(ciphers::user_uuid.eq(user_uuid)) 635 .count() 636 .first::<i64>(conn) 637 .ok() 638 .unwrap_or(0) 639 }} 640 }) 641 .expect("underflow") 642 } 643 644 pub async fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> { 645 db_run! {conn: { 646 ciphers::table 647 .filter(ciphers::organization_uuid.eq(org_uuid)) 648 .load::<CipherDb>(conn).expect("Error loading ciphers").from_db() 649 }} 650 } 651 652 pub async fn count_by_org(org_uuid: &str, conn: &DbConn) -> u64 { 653 u64::try_from({ 654 db_run! {conn: { 655 ciphers::table 656 .filter(ciphers::organization_uuid.eq(org_uuid)) 657 .count() 658 .first::<i64>(conn) 659 .ok() 660 .unwrap_or(0) 661 }} 662 }) 663 .expect("underflow") 664 } 665 666 pub async fn find_by_folder(folder_uuid: &str, conn: &DbConn) -> Vec<Self> { 667 db_run! {conn: { 668 folders_ciphers::table.inner_join(ciphers::table) 669 .filter(folders_ciphers::folder_uuid.eq(folder_uuid)) 670 .select(ciphers::all_columns) 671 .load::<CipherDb>(conn).expect("Error loading ciphers").from_db() 672 }} 673 } 674 675 /// Find all ciphers that were deleted before the specified datetime. 676 pub async fn find_deleted_before(dt: &NaiveDateTime, conn: &DbConn) -> Vec<Self> { 677 db_run! {conn: { 678 ciphers::table 679 .filter(ciphers::deleted_at.lt(dt)) 680 .load::<CipherDb>(conn).expect("Error loading ciphers").from_db() 681 }} 682 } 683 684 pub async fn get_collections(&self, user_id: String, conn: &DbConn) -> Vec<String> { 685 db_run! {conn: { 686 ciphers_collections::table 687 .filter(ciphers_collections::cipher_uuid.eq(&self.uuid)) 688 .inner_join(collections::table.on( 689 collections::uuid.eq(ciphers_collections::collection_uuid) 690 )) 691 .inner_join(users_organizations::table.on( 692 users_organizations::org_uuid.eq(collections::org_uuid) 693 .and(users_organizations::user_uuid.eq(user_id.clone())) 694 )) 695 .left_join(users_collections::table.on( 696 users_collections::collection_uuid.eq(ciphers_collections::collection_uuid) 697 .and(users_collections::user_uuid.eq(user_id.clone())) 698 )) 699 .filter(users_organizations::access_all.eq(true) // User has access all 700 .or(users_collections::user_uuid.eq(user_id) // User has access to collection 701 .and(users_collections::read_only.eq(false))) 702 ) 703 .select(ciphers_collections::collection_uuid) 704 .load::<String>(conn).unwrap_or_default() 705 }} 706 } 707 708 pub async fn get_admin_collections(&self, user_id: String, conn: &DbConn) -> Vec<String> { 709 db_run! {conn: { 710 ciphers_collections::table 711 .filter(ciphers_collections::cipher_uuid.eq(&self.uuid)) 712 .inner_join(collections::table.on( 713 collections::uuid.eq(ciphers_collections::collection_uuid) 714 )) 715 .inner_join(users_organizations::table.on( 716 users_organizations::org_uuid.eq(collections::org_uuid) 717 .and(users_organizations::user_uuid.eq(user_id.clone())) 718 )) 719 .left_join(users_collections::table.on( 720 users_collections::collection_uuid.eq(ciphers_collections::collection_uuid) 721 .and(users_collections::user_uuid.eq(user_id.clone())) 722 )) 723 .filter(users_organizations::access_all.eq(true) // User has access all 724 .or(users_collections::user_uuid.eq(user_id) // User has access to collection 725 .and(users_collections::read_only.eq(false))) 726 .or(users_organizations::atype.le(i32::from(UserOrgType::Admin))) // User is admin or owner 727 ) 728 .select(ciphers_collections::collection_uuid) 729 .load::<String>(conn).unwrap_or_default() 730 }} 731 } 732 733 /// Return a Vec with (cipher_uuid, collection_uuid) 734 /// This is used during a full sync so we only need one query for all collections accessible. 735 pub async fn get_collections_with_cipher_by_user( 736 user_id: String, 737 conn: &DbConn, 738 ) -> Vec<(String, String)> { 739 db_run! {conn: { 740 ciphers_collections::table 741 .inner_join(collections::table.on( 742 collections::uuid.eq(ciphers_collections::collection_uuid) 743 )) 744 .inner_join(users_organizations::table.on( 745 users_organizations::org_uuid.eq(collections::org_uuid).and( 746 users_organizations::user_uuid.eq(user_id.clone()) 747 ) 748 )) 749 .left_join(users_collections::table.on( 750 users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and( 751 users_collections::user_uuid.eq(user_id.clone()) 752 ) 753 )) 754 .or_filter(users_collections::user_uuid.eq(user_id)) // User has access to collection 755 .or_filter(users_organizations::access_all.eq(true)) // User has access all 756 .or_filter(users_organizations::atype.le(i32::from(UserOrgType::Admin))) // User is admin or owner 757 .select(ciphers_collections::all_columns) 758 .distinct() 759 .load::<(String, String)>(conn).unwrap_or_default() 760 }} 761 } 762 }