1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2024-11-28 06:10:28 +01:00

[PATCH] Some fixes to the Emergency Access PR

- Changed the date of the migration folders to be from this date.
- Removed a lot is_email_domain_allowed checks.
  This check only needs to be done during the invite it self, else
everything else will fail even if a user has an account created via the
/admin interface which bypasses that specific check! Also, the check was
at the wrong place anyway's, since it would only not send out an e-mail,
but would still have allowed an not allowed domain to be used when
e-mail would have been disabled. While that check always works, even if
sending e-mails is disasbled.
- Added an extra allowed route during password/key-rotation change which
updates/checks the public-key afterwards.
- A small change with some `Some` and `None` orders.
- Change the new invite object to only generate the UTC time once, since
it could be possible that there will be a second difference, and we only
need to call it just once.

by black.dex@gmail.com

Signed-off-by: thelittlefireman <thelittlefireman@users.noreply.github.com>
Dieser Commit ist enthalten in:
thelittlefireman 2021-09-01 12:54:47 +02:00
Ursprung 4ab9362971
Commit ca20b3d80c
12 geänderte Dateien mit 12 neuen und 46 gelöschten Zeilen

Datei anzeigen

@ -1 +0,0 @@
DROP TABLE emergency_access;

Datei anzeigen

@ -0,0 +1 @@
DROP TABLE emergency_access;

Datei anzeigen

@ -11,4 +11,4 @@ CREATE TABLE emergency_access (
last_notification_at DATETIME, last_notification_at DATETIME,
updated_at DATETIME NOT NULL, updated_at DATETIME NOT NULL,
created_at DATETIME NOT NULL created_at DATETIME NOT NULL
); );

Datei anzeigen

@ -1 +0,0 @@
DROP TABLE emergency_access;

Datei anzeigen

@ -0,0 +1 @@
DROP TABLE emergency_access;

Datei anzeigen

@ -11,4 +11,4 @@ CREATE TABLE emergency_access (
last_notification_at TIMESTAMP, last_notification_at TIMESTAMP,
updated_at TIMESTAMP NOT NULL, updated_at TIMESTAMP NOT NULL,
created_at TIMESTAMP NOT NULL created_at TIMESTAMP NOT NULL
); );

Datei anzeigen

@ -1 +0,0 @@
DROP TABLE emergency_access;

Datei anzeigen

@ -0,0 +1 @@
DROP TABLE emergency_access;

Datei anzeigen

@ -11,4 +11,4 @@ CREATE TABLE emergency_access (
last_notification_at DATETIME, last_notification_at DATETIME,
updated_at DATETIME NOT NULL, updated_at DATETIME NOT NULL,
created_at DATETIME NOT NULL created_at DATETIME NOT NULL
); );

Datei anzeigen

@ -239,7 +239,7 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
user.set_password( user.set_password(
&data.NewMasterPasswordHash, &data.NewMasterPasswordHash,
Some(vec![String::from("post_rotatekey"), String::from("get_contacts")]), Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]),
); );
user.akey = data.Key; user.akey = data.Key;
user.save(&conn) user.save(&conn)

Datei anzeigen

@ -268,13 +268,9 @@ fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> EmptyResult
None => err!("Email not valid."), None => err!("Email not valid."),
}; };
if !CONFIG.is_email_domain_allowed(&email) {
err!("Email domain not eligible for invitations.")
}
let grantee_user = match User::find_by_mail(&email, &conn) { let grantee_user = match User::find_by_mail(&email, &conn) {
None => err!("Grantee user not found."),
Some(user) => user, Some(user) => user,
None => err!("Grantee user not found."),
}; };
let grantor_user = headers.user; let grantor_user = headers.user;
@ -346,10 +342,6 @@ fn accept_invite(emer_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) ->
} }
if CONFIG.mail_enabled() { if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?; mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?;
} }
@ -428,10 +420,6 @@ fn confirm_emergency_access(
emergency_access.save(&conn)?; emergency_access.save(&conn)?;
if CONFIG.mail_enabled() { if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?; mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?;
} }
Ok(Json(emergency_access.to_json())) Ok(Json(emergency_access.to_json()))
@ -473,10 +461,6 @@ fn initiate_emergency_access(emer_id: String, headers: Headers, conn: DbConn) ->
emergency_access.save(&conn)?; emergency_access.save(&conn)?;
if CONFIG.mail_enabled() { if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_recovery_initiated( mail::send_emergency_access_recovery_initiated(
&grantor_user.email, &grantor_user.email,
&initiating_user.name, &initiating_user.name,
@ -518,10 +502,6 @@ fn approve_emergency_access(emer_id: String, headers: Headers, conn: DbConn) ->
emergency_access.save(&conn)?; emergency_access.save(&conn)?;
if CONFIG.mail_enabled() { if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?; mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?;
} }
Ok(Json(emergency_access.to_json())) Ok(Json(emergency_access.to_json()))
@ -563,10 +543,6 @@ fn reject_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> J
emergency_access.save(&conn)?; emergency_access.save(&conn)?;
if CONFIG.mail_enabled() { if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?; mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?;
} }
Ok(Json(emergency_access.to_json())) Ok(Json(emergency_access.to_json()))
@ -764,10 +740,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) {
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn) User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)
.expect("Grantee user not found."); .expect("Grantee user not found.");
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
error!("Email domain not valid.")
}
mail::send_emergency_access_recovery_timed_out( mail::send_emergency_access_recovery_timed_out(
&grantor_user.email, &grantor_user.email,
&grantee_user.name.clone(), &grantee_user.name.clone(),
@ -775,10 +747,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) {
) )
.expect("Error on sending email"); .expect("Error on sending email");
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
error!("Email not valid.")
}
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone()) mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone())
.expect("Error on sending email"); .expect("Error on sending email");
} }
@ -816,10 +784,6 @@ pub fn emergency_notification_reminder_job(pool: DbPool) {
// get grantor user to send Accepted email // get grantor user to send Accepted email
let grantor_user = User::find_by_uuid(&emer.grantor_uuid, &conn).expect("Grantor user not found."); let grantor_user = User::find_by_uuid(&emer.grantor_uuid, &conn).expect("Grantor user not found.");
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
error!("Email not valid.")
}
// get grantee user to send Accepted email // get grantee user to send Accepted email
let grantee_user = let grantee_user =
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn) User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)

Datei anzeigen

@ -29,6 +29,8 @@ db_object! {
impl EmergencyAccess { impl EmergencyAccess {
pub fn new(grantor_uuid: String, email: Option<String>, status: i32, atype: i32, wait_time_days: i32) -> Self { pub fn new(grantor_uuid: String, email: Option<String>, status: i32, atype: i32, wait_time_days: i32) -> Self {
let now = Utc::now().naive_utc();
Self { Self {
uuid: crate::util::get_uuid(), uuid: crate::util::get_uuid(),
grantor_uuid, grantor_uuid,
@ -38,8 +40,8 @@ impl EmergencyAccess {
atype, atype,
wait_time_days, wait_time_days,
recovery_initiated_at: None, recovery_initiated_at: None,
created_at: Utc::now().naive_utc(), created_at: now,
updated_at: Utc::now().naive_utc(), updated_at: now,
key_encrypted: None, key_encrypted: None,
last_notification_at: None, last_notification_at: None,
} }