[PATCH] Some fixes to the Emergency Access PR
- Changed the date of the migration folders to be from this date. - Removed a lot of is_email_domain_allowed checks. This check only needs to be done during the invite itself, else everything else will fail even if a user has an account created via the /admin interface, which bypasses that specific check! Also, the check was in the wrong place anyway, since it would only prevent an e-mail from being sent, but would still have allowed a disallowed domain to be used when e-mail was disabled, whereas the invite check always works, even if sending e-mails is disabled. - Added an extra allowed route during password/key-rotation change which updates/checks the public-key afterwards. - A small change to the order of some `Some` and `None` match arms. - Changed the new invite object to generate the UTC time only once, since there could otherwise be a one-second difference between the two values, and we only need to call it once. by black.dex@gmail.com Signed-off-by: thelittlefireman <thelittlefireman@users.noreply.github.com>
Ursprung
4ab9362971
Commit
ca20b3d80c
12 geänderte Dateien mit 12 neuen und 46 gelöschten Zeilen
|
@ -1 +0,0 @@
|
||||||
DROP TABLE emergency_access;
|
|
|
@ -0,0 +1 @@
|
||||||
|
DROP TABLE emergency_access;
|
|
@ -1 +0,0 @@
|
||||||
DROP TABLE emergency_access;
|
|
|
@ -0,0 +1 @@
|
||||||
|
DROP TABLE emergency_access;
|
|
@ -1 +0,0 @@
|
||||||
DROP TABLE emergency_access;
|
|
|
@ -0,0 +1 @@
|
||||||
|
DROP TABLE emergency_access;
|
|
@ -239,7 +239,7 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
|
||||||
|
|
||||||
user.set_password(
|
user.set_password(
|
||||||
&data.NewMasterPasswordHash,
|
&data.NewMasterPasswordHash,
|
||||||
Some(vec![String::from("post_rotatekey"), String::from("get_contacts")]),
|
Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]),
|
||||||
);
|
);
|
||||||
user.akey = data.Key;
|
user.akey = data.Key;
|
||||||
user.save(&conn)
|
user.save(&conn)
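Review bot: The exception list passed to `user.set_password` grows to three route names given as bare strings, and nothing at the call site says why each route is needed. Each entry is presumably a route that still accepts the pre-change security stamp, so the list should stay minimal and be explained where it is built. I would add a comment above the `Some(vec![...])` argument, such as `// Routes the client still calls with the old security stamp while rotating the key; get_public_keys is used for the public-key check afterwards.`, and wrap the vector one entry per line, since the new line runs well past rustfmt's 100 columns. How these names are matched against routes is outside the hunk; if it is by handler name, a rename would silently drop the exception. `post_password` starts and ends outside the hunk.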
|
||||||
|
|
|
@ -268,13 +268,9 @@ fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> EmptyResult
|
||||||
None => err!("Email not valid."),
|
None => err!("Email not valid."),
|
||||||
};
|
};
|
||||||
|
|
||||||
if !CONFIG.is_email_domain_allowed(&email) {
|
|
||||||
err!("Email domain not eligible for invitations.")
|
|
||||||
}
|
|
||||||
|
|
||||||
let grantee_user = match User::find_by_mail(&email, &conn) {
|
let grantee_user = match User::find_by_mail(&email, &conn) {
|
||||||
None => err!("Grantee user not found."),
|
|
||||||
Some(user) => user,
|
Some(user) => user,
|
||||||
|
None => err!("Grantee user not found."),
|
||||||
};
|
};
|
||||||
|
|
||||||
let grantor_user = headers.user;
|
let grantor_user = headers.user;
|
||||||
|
@ -346,10 +342,6 @@ fn accept_invite(emer_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) ->
|
||||||
}
|
}
|
||||||
|
|
||||||
if CONFIG.mail_enabled() {
|
if CONFIG.mail_enabled() {
|
||||||
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
|
|
||||||
err!("Email domain not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?;
|
mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -428,10 +420,6 @@ fn confirm_emergency_access(
|
||||||
emergency_access.save(&conn)?;
|
emergency_access.save(&conn)?;
|
||||||
|
|
||||||
if CONFIG.mail_enabled() {
|
if CONFIG.mail_enabled() {
|
||||||
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
|
|
||||||
err!("Email domain not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?;
|
mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?;
|
||||||
}
|
}
|
||||||
Ok(Json(emergency_access.to_json()))
|
Ok(Json(emergency_access.to_json()))
|
||||||
|
@ -473,10 +461,6 @@ fn initiate_emergency_access(emer_id: String, headers: Headers, conn: DbConn) ->
|
||||||
emergency_access.save(&conn)?;
|
emergency_access.save(&conn)?;
|
||||||
|
|
||||||
if CONFIG.mail_enabled() {
|
if CONFIG.mail_enabled() {
|
||||||
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
|
|
||||||
err!("Email domain not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
mail::send_emergency_access_recovery_initiated(
|
mail::send_emergency_access_recovery_initiated(
|
||||||
&grantor_user.email,
|
&grantor_user.email,
|
||||||
&initiating_user.name,
|
&initiating_user.name,
|
||||||
|
@ -518,10 +502,6 @@ fn approve_emergency_access(emer_id: String, headers: Headers, conn: DbConn) ->
|
||||||
emergency_access.save(&conn)?;
|
emergency_access.save(&conn)?;
|
||||||
|
|
||||||
if CONFIG.mail_enabled() {
|
if CONFIG.mail_enabled() {
|
||||||
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
|
|
||||||
err!("Email domain not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?;
|
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?;
|
||||||
}
|
}
|
||||||
Ok(Json(emergency_access.to_json()))
|
Ok(Json(emergency_access.to_json()))
|
||||||
|
@ -563,10 +543,6 @@ fn reject_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> J
|
||||||
emergency_access.save(&conn)?;
|
emergency_access.save(&conn)?;
|
||||||
|
|
||||||
if CONFIG.mail_enabled() {
|
if CONFIG.mail_enabled() {
|
||||||
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
|
|
||||||
err!("Email domain not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?;
|
mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?;
|
||||||
}
|
}
|
||||||
Ok(Json(emergency_access.to_json()))
|
Ok(Json(emergency_access.to_json()))
|
||||||
|
@ -764,10 +740,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) {
|
||||||
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)
|
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)
|
||||||
.expect("Grantee user not found.");
|
.expect("Grantee user not found.");
|
||||||
|
|
||||||
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
|
|
||||||
error!("Email domain not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
mail::send_emergency_access_recovery_timed_out(
|
mail::send_emergency_access_recovery_timed_out(
|
||||||
&grantor_user.email,
|
&grantor_user.email,
|
||||||
&grantee_user.name.clone(),
|
&grantee_user.name.clone(),
|
||||||
|
@ -775,10 +747,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) {
|
||||||
)
|
)
|
||||||
.expect("Error on sending email");
|
.expect("Error on sending email");
|
||||||
|
|
||||||
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
|
|
||||||
error!("Email not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone())
|
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone())
|
||||||
.expect("Error on sending email");
|
.expect("Error on sending email");
|
||||||
}
|
}
|
||||||
|
@ -816,10 +784,6 @@ pub fn emergency_notification_reminder_job(pool: DbPool) {
|
||||||
// get grantor user to send Accepted email
|
// get grantor user to send Accepted email
|
||||||
let grantor_user = User::find_by_uuid(&emer.grantor_uuid, &conn).expect("Grantor user not found.");
|
let grantor_user = User::find_by_uuid(&emer.grantor_uuid, &conn).expect("Grantor user not found.");
|
||||||
|
|
||||||
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
|
|
||||||
error!("Email not valid.")
|
|
||||||
}
|
|
||||||
|
|
||||||
// get grantee user to send Accepted email
|
// get grantee user to send Accepted email
|
||||||
let grantee_user =
|
let grantee_user =
|
||||||
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)
|
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)
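Review bot: Both sends in the `emergency_request_timeout_job` hunks still end in `.expect("Error on sending email")`, so a single failed send panics the scheduled job; if these calls sit inside a loop over pending records, as the `emer` binding suggests, the remaining records in that run get no notice. The timed-out mail to the grantor and the approved mail to the grantee report that access was granted by timeout, so a failure should be logged and skipped, e.g. `if let Err(e) = mail::send_emergency_access_recovery_timed_out(/* same arguments */) { error!("Error on sending email: {:?}", e); }`. The same applies to the `User::find_by_uuid(...).expect(...)` lookups here and in `emergency_notification_reminder_job`, where a dangling uuid would abort the run. Both function bodies start and end outside the hunks, so whether a `CONFIG.mail_enabled()` guard surrounds these calls cannot be seen from here.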
|
||||||
|
|
|
@ -29,6 +29,8 @@ db_object! {
|
||||||
|
|
||||||
impl EmergencyAccess {
|
impl EmergencyAccess {
|
||||||
pub fn new(grantor_uuid: String, email: Option<String>, status: i32, atype: i32, wait_time_days: i32) -> Self {
|
pub fn new(grantor_uuid: String, email: Option<String>, status: i32, atype: i32, wait_time_days: i32) -> Self {
|
||||||
|
let now = Utc::now().naive_utc();
|
||||||
|
|
||||||
Self {
|
Self {
|
||||||
uuid: crate::util::get_uuid(),
|
uuid: crate::util::get_uuid(),
|
||||||
grantor_uuid,
|
grantor_uuid,
|
||||||
|
@ -38,8 +40,8 @@ impl EmergencyAccess {
|
||||||
atype,
|
atype,
|
||||||
wait_time_days,
|
wait_time_days,
|
||||||
recovery_initiated_at: None,
|
recovery_initiated_at: None,
|
||||||
created_at: Utc::now().naive_utc(),
|
created_at: now,
|
||||||
updated_at: Utc::now().naive_utc(),
|
updated_at: now,
|
||||||
key_encrypted: None,
|
key_encrypted: None,
|
||||||
last_notification_at: None,
|
last_notification_at: None,
|
||||||
}
|
}
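Review bot: `EmergencyAccess::new` stores `wait_time_days: i32` exactly as passed, and nothing in the visible part of the constructor rejects a zero or negative value. If this field is the delay before a grantee's recovery request is approved by timeout, as its name and the timeout job suggest, an out-of-range value could make that delay elapse immediately. The bound is best checked where the value enters (the invite handler, not shown in this commit) and stated on the constructor, for example `/// wait_time_days must be positive; callers validate it before constructing.` The body of `new` continues outside both hunks.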
|
||||||
|
|