From e31b154fdf0e039f09759b1a7c5c81682feeb5d8 Mon Sep 17 00:00:00 2001 From: Timshel Date: Tue, 4 Feb 2025 17:29:53 +0100 Subject: [PATCH] Unify master password policy resolution --- src/api/core/accounts.rs | 12 +++------ src/api/identity.rs | 45 +++---------------------------- src/api/mod.rs | 53 ++++++++++++++++++++++++++++++++++++- src/db/models/org_policy.rs | 2 +- 4 files changed, 59 insertions(+), 53 deletions(-) diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 2f5b0cca..491f6c6a 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -8,8 +8,8 @@ use serde_json::Value; use crate::{ api::{ core::{log_user_event, two_factor::email}, - register_push_device, unregister_push_device, AnonymousNotify, ApiResult, EmptyResult, JsonResult, Notify, - PasswordOrOtpData, UpdateType, + master_password_policy, register_push_device, unregister_push_device, AnonymousNotify, ApiResult, EmptyResult, + JsonResult, Notify, PasswordOrOtpData, UpdateType, }, auth::{decode_delete, decode_invite, decode_verify_email, ClientHeaders, Headers}, crypto, @@ -1076,14 +1076,8 @@ async fn verify_password(data: Json, headers: Headers kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?; - let policy = if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) { - serde_json::from_str(&policy_str).unwrap_or(json!({})) - } else { - json!({}) - }; - Ok(Json(json!({ - "MasterPasswordPolicy": policy, + "MasterPasswordPolicy": master_password_policy(&user, &conn).await, }))) } diff --git a/src/api/identity.rs b/src/api/identity.rs index 9fce5ca8..5ca185a9 100644 --- a/src/api/identity.rs +++ b/src/api/identity.rs @@ -16,6 +16,7 @@ use crate::{ log_user_event, two_factor::{authenticator, duo, duo_oidc, email, enforce_2fa_policy, webauthn, yubikey}, }, + master_password_policy, push::register_push_device, ApiResult, EmptyResult, JsonResult, }, 
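Review bot: In `verify_password` (src/api/core/accounts.rs) the returned policy no longer always reflects `sso_master_password_policy`, because the shared `master_password_policy` helper added in src/api/mod.rs falls back to the SSO setting only when the user has no parsable org policy. An org policy therefore replaces the SSO policy instead of being merged with it. If the SSO policy is meant as an instance-wide minimum, a user in an organization with a weaker policy now gets the weaker one here and at login. If org-over-SSO precedence is intended, state it on the helper, e.g. `/// Org policies (strictest values merged) take precedence; the SSO config policy is used only when the user has none.` The body of `verify_password` starts outside the hunk, so how clients handle the now always-present `"object": "masterPasswordPolicy"` key cannot be judged from here.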
@@ -293,18 +294,6 @@ async fn _sso_login(data: ConnectData, user_id: &mut Option, conn: &mut authenticated_response(&user, &mut device, new_device, auth_tokens, twofactor_token, &now, conn, ip).await } -#[derive(Default, Deserialize, Serialize)] -#[serde(rename_all = "camelCase")] -struct MasterPasswordPolicy { - min_complexity: u8, - min_length: u32, - require_lower: bool, - require_upper: bool, - require_numbers: bool, - require_special: bool, - enforce_on_login: bool, -} - async fn _password_login( data: ConnectData, user_id: &mut Option, @@ -460,35 +449,7 @@ async fn authenticated_response( // Save to update `device.updated_at` to track usage device.save(conn).await?; - // Fetch all valid Master Password Policies and merge them into one with all true's and larges numbers as one policy - let master_password_policies: Vec = - OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy( - &user.uuid, - OrgPolicyType::MasterPassword, - conn, - ) - .await - .into_iter() - .filter_map(|p| serde_json::from_str(&p.data).ok()) - .collect(); - - let master_password_policy = if !master_password_policies.is_empty() { - let mut mpp_json = json!(master_password_policies.into_iter().reduce(|acc, policy| { - MasterPasswordPolicy { - min_complexity: acc.min_complexity.max(policy.min_complexity), - min_length: acc.min_length.max(policy.min_length), - require_lower: acc.require_lower || policy.require_lower, - require_upper: acc.require_upper || policy.require_upper, - require_numbers: acc.require_numbers || policy.require_numbers, - require_special: acc.require_special || policy.require_special, - enforce_on_login: acc.enforce_on_login || policy.enforce_on_login, - } - })); - mpp_json["object"] = json!("masterPasswordPolicy"); - mpp_json - } else { - json!({"object": "masterPasswordPolicy"}) - }; + let mp_policy = master_password_policy(user, conn).await; let mut result = json!({ "access_token": auth_tokens.access_token(), 
@@ -502,7 +463,7 @@ async fn authenticated_response( "KdfParallelism": user.client_kdf_parallelism, "ResetMasterPassword": false, // TODO: Same as above "ForcePasswordReset": false, - "MasterPasswordPolicy": master_password_policy, + "MasterPasswordPolicy": mp_policy, "scope": auth_tokens.scope(), "UserDecryptionOptions": { "HasMasterPassword": !user.password_hash.is_empty(), diff --git a/src/api/mod.rs b/src/api/mod.rs index 16d13ccb..aa3dd87b 100644 --- a/src/api/mod.rs +++ b/src/api/mod.rs @@ -32,7 +32,11 @@ pub use crate::api::{ web::routes as web_routes, web::static_files, }; -use crate::db::{models::User, DbConn}; +use crate::db::{ + models::{OrgPolicy, OrgPolicyType, User}, + DbConn, +}; +use crate::CONFIG; // Type aliases for API methods results pub type ApiResult = Result; 
@@ -68,3 +72,50 @@ impl PasswordOrOtpData { Ok(()) } } + +#[derive(Default, Deserialize, Serialize)] +#[serde(rename_all = "camelCase")] +pub struct MasterPasswordPolicy { + min_complexity: u8, + min_length: u32, + require_lower: bool, + require_upper: bool, + require_numbers: bool, + require_special: bool, + enforce_on_login: bool, +} + +// Fetch all valid Master Password Policies and merge them into one with all true's and larges numbers as one policy +async fn master_password_policy(user: &User, conn: &DbConn) -> Value { + let master_password_policies: Vec = + OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy( + &user.uuid, + OrgPolicyType::MasterPassword, + conn, + ) + .await + .into_iter() + .filter_map(|p| serde_json::from_str(&p.data).ok()) + .collect(); + + let mut mpp_json = if !master_password_policies.is_empty() { + json!(master_password_policies.into_iter().reduce(|acc, policy| { + MasterPasswordPolicy { + min_complexity: acc.min_complexity.max(policy.min_complexity), + min_length: acc.min_length.max(policy.min_length), + require_lower: acc.require_lower || policy.require_lower, + require_upper: acc.require_upper || policy.require_upper, + require_numbers: acc.require_numbers || policy.require_numbers, + require_special: acc.require_special || policy.require_special, + enforce_on_login: acc.enforce_on_login || policy.enforce_on_login, + } + })) + } else if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) { + serde_json::from_str(&policy_str).unwrap_or(json!({})) + } else { + json!({}) + }; + + mpp_json["object"] = json!("masterPasswordPolicy"); + mpp_json +} diff --git a/src/db/models/org_policy.rs b/src/db/models/org_policy.rs index f98619a5..643f968b 100644 --- a/src/db/models/org_policy.rs +++ b/src/db/models/org_policy.rs 
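Review bot: Both parse paths in `master_password_policy` fail open without leaving a trace. An org policy whose `data` does not deserialize into `MasterPasswordPolicy` is discarded by `.filter_map(|p| serde_json::from_str(&p.data).ok())`, and since the struct carries no `#[serde(default)]`, a stored policy with a missing or null field appears to be dropped whole rather than partially applied; if every policy is dropped, the function falls through to the SSO or empty policy. The SSO branch has a second problem: `serde_json::from_str(&policy_str).unwrap_or(json!({}))` accepts any valid JSON, and a non-object value (array, string, number) makes the later `mpp_json["object"] = ...` index assignment panic on both the login and verify-password paths. I would log each rejected policy and constrain the SSO value to an object, e.g. `serde_json::from_str::<Value>(&policy_str).ok().filter(Value::is_object).unwrap_or_else(|| json!({}))`.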
@@ -196,7 +196,7 @@ impl OrgPolicy { pub async fn find_accepted_and_confirmed_by_user_and_active_policy( user_uuid: &UserId, policy_type: OrgPolicyType, - conn: &mut DbConn, + conn: &DbConn, ) -> Vec { db_run! { conn: { org_policies::table