From ca20b3d80c75e42b9229ab3a9625a334c83e79a8 Mon Sep 17 00:00:00 2001 From: thelittlefireman Date: Wed, 1 Sep 2021 12:54:47 +0200 Subject: [PATCH] [PATCH] Some fixes to the Emergency Access PR - Changed the date of the migration folders to be from this date. - Removed a lot of is_email_domain_allowed checks. This check only needs to be done during the invite itself, else everything else will fail even if a user has an account created via the /admin interface which bypasses that specific check! Also, the check was at the wrong place anyway, since it would only not send out an e-mail, but would still have allowed a disallowed domain to be used when e-mail would have been disabled. While that check always works, even if sending e-mails is disabled. - Added an extra allowed route during password/key-rotation change which updates/checks the public-key afterwards. - A small change with some `Some` and `None` orders. - Change the new invite object to only generate the UTC time once, since it could be possible that there will be a second difference, and we only need to call it just once. by black.dex@gmail.com 
Signed-off-by: thelittlefireman --- .../down.sql | 1 - .../down.sql | 1 + .../up.sql | 2 +- .../down.sql | 1 - .../down.sql | 1 + .../up.sql | 2 +- .../down.sql | 1 - .../down.sql | 1 + .../up.sql | 2 +- src/api/core/accounts.rs | 2 +- src/api/core/emergency_access.rs | 38 +------------------ src/db/models/emergency_access.rs | 6 ++- 12 files changed, 12 insertions(+), 46 deletions(-) delete mode 100644 migrations/mysql/2021-02-10-174254_create_emergency_access/down.sql create mode 100644 migrations/mysql/2021-08-30-193501_create_emergency_access/down.sql rename migrations/mysql/{2021-02-10-174254_create_emergency_access => 2021-08-30-193501_create_emergency_access}/up.sql (99%) delete mode 100644 migrations/postgresql/2021-02-10-174254_create_emergency_access/down.sql create mode 100644 migrations/postgresql/2021-08-30-193501_create_emergency_access/down.sql rename migrations/postgresql/{2021-02-10-174254_create_emergency_access => 2021-08-30-193501_create_emergency_access}/up.sql (99%) delete mode 100644 migrations/sqlite/2021-02-10-174254_create_emergency_access/down.sql create mode 100644 migrations/sqlite/2021-08-30-193501_create_emergency_access/down.sql rename migrations/sqlite/{2021-02-10-174254_create_emergency_access => 2021-08-30-193501_create_emergency_access}/up.sql (99%) diff --git a/migrations/mysql/2021-02-10-174254_create_emergency_access/down.sql b/migrations/mysql/2021-02-10-174254_create_emergency_access/down.sql deleted file mode 100644 index 0a5f4d12..00000000 --- a/migrations/mysql/2021-02-10-174254_create_emergency_access/down.sql +++ /dev/null @@ -1 +0,0 @@ -DROP TABLE emergency_access; \ No newline at end of file diff --git a/migrations/mysql/2021-08-30-193501_create_emergency_access/down.sql b/migrations/mysql/2021-08-30-193501_create_emergency_access/down.sql new file mode 100644 index 00000000..f9d18f1e --- /dev/null +++ b/migrations/mysql/2021-08-30-193501_create_emergency_access/down.sql @@ -0,0 +1 @@ +DROP TABLE emergency_access; 
diff --git a/migrations/mysql/2021-02-10-174254_create_emergency_access/up.sql b/migrations/mysql/2021-08-30-193501_create_emergency_access/up.sql similarity index 99% rename from migrations/mysql/2021-02-10-174254_create_emergency_access/up.sql rename to migrations/mysql/2021-08-30-193501_create_emergency_access/up.sql index 6ee6ee95..111409d4 100644 --- a/migrations/mysql/2021-02-10-174254_create_emergency_access/up.sql +++ b/migrations/mysql/2021-08-30-193501_create_emergency_access/up.sql @@ -11,4 +11,4 @@ CREATE TABLE emergency_access ( last_notification_at DATETIME, updated_at DATETIME NOT NULL, created_at DATETIME NOT NULL -); \ No newline at end of file +); diff --git a/migrations/postgresql/2021-02-10-174254_create_emergency_access/down.sql b/migrations/postgresql/2021-02-10-174254_create_emergency_access/down.sql deleted file mode 100644 index 0a5f4d12..00000000 --- a/migrations/postgresql/2021-02-10-174254_create_emergency_access/down.sql +++ /dev/null @@ -1 +0,0 @@ -DROP TABLE emergency_access; \ No newline at end of file diff --git a/migrations/postgresql/2021-08-30-193501_create_emergency_access/down.sql b/migrations/postgresql/2021-08-30-193501_create_emergency_access/down.sql new file mode 100644 index 00000000..f9d18f1e --- /dev/null +++ b/migrations/postgresql/2021-08-30-193501_create_emergency_access/down.sql @@ -0,0 +1 @@ +DROP TABLE emergency_access; diff --git a/migrations/postgresql/2021-02-10-174254_create_emergency_access/up.sql b/migrations/postgresql/2021-08-30-193501_create_emergency_access/up.sql similarity index 99% rename from migrations/postgresql/2021-02-10-174254_create_emergency_access/up.sql rename to migrations/postgresql/2021-08-30-193501_create_emergency_access/up.sql index f5d4e548..5d84b151 100644 --- a/migrations/postgresql/2021-02-10-174254_create_emergency_access/up.sql +++ b/migrations/postgresql/2021-08-30-193501_create_emergency_access/up.sql 
@@ -11,4 +11,4 @@ CREATE TABLE emergency_access ( last_notification_at TIMESTAMP, updated_at TIMESTAMP NOT NULL, created_at TIMESTAMP NOT NULL -); \ No newline at end of file +); diff --git a/migrations/sqlite/2021-02-10-174254_create_emergency_access/down.sql b/migrations/sqlite/2021-02-10-174254_create_emergency_access/down.sql deleted file mode 100644 index 0a5f4d12..00000000 --- a/migrations/sqlite/2021-02-10-174254_create_emergency_access/down.sql +++ /dev/null @@ -1 +0,0 @@ -DROP TABLE emergency_access; \ No newline at end of file diff --git a/migrations/sqlite/2021-08-30-193501_create_emergency_access/down.sql b/migrations/sqlite/2021-08-30-193501_create_emergency_access/down.sql new file mode 100644 index 00000000..f9d18f1e --- /dev/null +++ b/migrations/sqlite/2021-08-30-193501_create_emergency_access/down.sql @@ -0,0 +1 @@ +DROP TABLE emergency_access; diff --git a/migrations/sqlite/2021-02-10-174254_create_emergency_access/up.sql b/migrations/sqlite/2021-08-30-193501_create_emergency_access/up.sql similarity index 99% rename from migrations/sqlite/2021-02-10-174254_create_emergency_access/up.sql rename to migrations/sqlite/2021-08-30-193501_create_emergency_access/up.sql index 07e50f3d..8d0d8bad 100644 --- a/migrations/sqlite/2021-02-10-174254_create_emergency_access/up.sql +++ b/migrations/sqlite/2021-08-30-193501_create_emergency_access/up.sql @@ -11,4 +11,4 @@ CREATE TABLE emergency_access ( last_notification_at DATETIME, updated_at DATETIME NOT NULL, created_at DATETIME NOT NULL -); \ No newline at end of file +); diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 4c49d665..435a2cd1 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs 
@@ -239,7 +239,7 @@ fn post_password(data: JsonUpcase, headers: Headers, conn: DbCon user.set_password( &data.NewMasterPasswordHash, - Some(vec![String::from("post_rotatekey"), String::from("get_contacts")]), + Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]), ); user.akey = data.Key; user.save(&conn) diff --git a/src/api/core/emergency_access.rs b/src/api/core/emergency_access.rs index 6ae0a96a..0b87a84b 100644 --- a/src/api/core/emergency_access.rs +++ b/src/api/core/emergency_access.rs @@ -268,13 +268,9 @@ fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> EmptyResult None => err!("Email not valid."), }; - if !CONFIG.is_email_domain_allowed(&email) { - err!("Email domain not eligible for invitations.") - } - let grantee_user = match User::find_by_mail(&email, &conn) { - None => err!("Grantee user not found."), Some(user) => user, + None => err!("Grantee user not found."), }; let grantor_user = headers.user; @@ -346,10 +342,6 @@ fn accept_invite(emer_id: String, data: JsonUpcase, conn: DbConn) -> } if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?; } @@ -428,10 +420,6 @@ fn confirm_emergency_access( emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?; } Ok(Json(emergency_access.to_json())) @@ -473,10 +461,6 @@ fn initiate_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_recovery_initiated( &grantor_user.email, &initiating_user.name, 
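Review bot: The list passed as the second argument of `user.set_password(...)` in `post_password` now names three routes as bare strings, and nothing in the hunk says why each one is exempt. Presumably this list is the set of requests still accepted from the pre-change session, so every entry widens that window and a misspelled route name would fail silently. A comment above the call such as `// Routes the client calls right after a password change (key rotation, emergency contacts, public-key lookup); keep this list minimal.` would make the allow-list reviewable. The new line also runs past rustfmt's 100-column default and would read better with one `String::from(...)` per line; the body of `post_password` starts and ends outside the hunk.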
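Review bot: With the `is_email_domain_allowed` call dropped from `resend_invite`, no hunk in this file shows the invite-time check that the description relies on, so it is worth confirming that the invite handler runs it before the emergency-access row is saved and outside any `CONFIG.mail_enabled()` branch. The same removal is made in `accept_invite`, `confirm_emergency_access`, `initiate_emergency_access`, `approve_emergency_access`, `reject_emergency_access` and both scheduled jobs, which leaves that one call as the only allowed-domain gate for the feature. A comment in `resend_invite` such as `// Allowed-domain policy is checked once when the invite is created; a resend reuses that stored address.` would record the assumption for later refactors. Each of these functions starts and ends outside its hunk.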
@@ -518,10 +502,6 @@ fn approve_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?; } Ok(Json(emergency_access.to_json())) @@ -563,10 +543,6 @@ fn reject_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> J emergency_access.save(&conn)?; if CONFIG.mail_enabled() { - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - err!("Email domain not valid.") - } - mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?; } Ok(Json(emergency_access.to_json())) @@ -764,10 +740,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) { User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn) .expect("Grantee user not found."); - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - error!("Email domain not valid.") - } - mail::send_emergency_access_recovery_timed_out( &grantor_user.email, &grantee_user.name.clone(), @@ -775,10 +747,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) { ) .expect("Error on sending email"); - if !CONFIG.is_email_domain_allowed(&grantee_user.email) { - error!("Email not valid.") - } - mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone()) .expect("Error on sending email"); } @@ -816,10 +784,6 @@ pub fn emergency_notification_reminder_job(pool: DbPool) { // get grantor user to send Accepted email let grantor_user = User::find_by_uuid(&emer.grantor_uuid, &conn).expect("Grantor user not found."); - if !CONFIG.is_email_domain_allowed(&grantor_user.email) { - error!("Email not valid.") - } - // get grantee user to send Accepted email let grantee_user = User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn) 
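Review bot: Both mail calls in `emergency_request_timeout_job` still end in `.expect("Error on sending email")`, and the user lookups above them use `.expect(...)` as well, so a single mail failure or a deleted grantee panics the scheduled job instead of being logged. If this runs inside a loop over pending requests, as the `emer` binding suggests, the remaining entries would be skipped too. Replacing each call with `if let Err(e) = mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name) { error!("Sending emergency access mail failed: {:?}", e); }` keeps the job running and drops the needless `.clone()`; the `.expect` lookups in `emergency_notification_reminder_job` have the same problem. The hunk shows no `CONFIG.mail_enabled()` guard around these sends, though one may sit outside the visible lines.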
diff --git a/src/db/models/emergency_access.rs b/src/db/models/emergency_access.rs index 6e32db4e..94822108 100644 --- a/src/db/models/emergency_access.rs +++ b/src/db/models/emergency_access.rs @@ -29,6 +29,8 @@ db_object! { impl EmergencyAccess { pub fn new(grantor_uuid: String, email: Option, status: i32, atype: i32, wait_time_days: i32) -> Self { + let now = Utc::now().naive_utc(); + Self { uuid: crate::util::get_uuid(), grantor_uuid, @@ -38,8 +40,8 @@ impl EmergencyAccess { atype, wait_time_days, recovery_initiated_at: None, - created_at: Utc::now().naive_utc(), - updated_at: Utc::now().naive_utc(), + created_at: now, + updated_at: now, key_encrypted: None, last_notification_at: None, }