mirrored/vaultwarden
1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2025-03-13 16:57:01 +01:00
Code Issues Releases Aktivität

Unify master password policy resolution

Quellcode durchsuchen
Dieser Commit ist enthalten in:
Timshel 2025-02-04 17:29:53 +01:00
Ursprung a0662bb0db
Commit e31b154fdf
4 geänderte Dateien mit 59 neuen und 53 gelöschten Zeilen
Statistiken anzeigen Patch-Datei herunterladen Diff-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

12
src/api/core/accounts.rs
Datei anzeigen

@ -8,8 +8,8 @@ use serde_json::Value;
use crate::{ use crate::{
api::{ api::{
core::{log_user_event, two_factor::email}, core::{log_user_event, two_factor::email},
register_push_device, unregister_push_device, AnonymousNotify, ApiResult, EmptyResult, JsonResult, Notify, master_password_policy, register_push_device, unregister_push_device, AnonymousNotify, ApiResult, EmptyResult,
PasswordOrOtpData, UpdateType, JsonResult, Notify, PasswordOrOtpData, UpdateType,
}, },
auth::{decode_delete, decode_invite, decode_verify_email, ClientHeaders, Headers}, auth::{decode_delete, decode_invite, decode_verify_email, ClientHeaders, Headers},
crypto, crypto,
@ -1076,14 +1076,8 @@ async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers
kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?; kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?;
let policy = if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
serde_json::from_str(&policy_str).unwrap_or(json!({}))
} else {
json!({})
};
Ok(Json(json!({ Ok(Json(json!({
"MasterPasswordPolicy": policy, "MasterPasswordPolicy": master_password_policy(&user, &conn).await,
}))) })))
} }

45
src/api/identity.rs
Datei anzeigen

@ -16,6 +16,7 @@ use crate::{
log_user_event, log_user_event,
two_factor::{authenticator, duo, duo_oidc, email, enforce_2fa_policy, webauthn, yubikey}, two_factor::{authenticator, duo, duo_oidc, email, enforce_2fa_policy, webauthn, yubikey},
}, },
master_password_policy,
push::register_push_device, push::register_push_device,
ApiResult, EmptyResult, JsonResult, ApiResult, EmptyResult, JsonResult,
}, },
@ -293,18 +294,6 @@ async fn _sso_login(data: ConnectData, user_id: &mut Option<UserId>, conn: &mut
authenticated_response(&user, &mut device, new_device, auth_tokens, twofactor_token, &now, conn, ip).await authenticated_response(&user, &mut device, new_device, auth_tokens, twofactor_token, &now, conn, ip).await
} }
#[derive(Default, Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
struct MasterPasswordPolicy {
min_complexity: u8,
min_length: u32,
require_lower: bool,
require_upper: bool,
require_numbers: bool,
require_special: bool,
enforce_on_login: bool,
}
async fn _password_login( async fn _password_login(
data: ConnectData, data: ConnectData,
user_id: &mut Option<UserId>, user_id: &mut Option<UserId>,
@ -460,35 +449,7 @@ async fn authenticated_response(
// Save to update `device.updated_at` to track usage // Save to update `device.updated_at` to track usage
device.save(conn).await?; device.save(conn).await?;
// Fetch all valid Master Password Policies and merge them into one with all true's and larges numbers as one policy let mp_policy = master_password_policy(user, conn).await;
let master_password_policies: Vec<MasterPasswordPolicy> =
OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(
&user.uuid,
OrgPolicyType::MasterPassword,
conn,
)
.await
.into_iter()
.filter_map(|p| serde_json::from_str(&p.data).ok())
.collect();
let master_password_policy = if !master_password_policies.is_empty() {
let mut mpp_json = json!(master_password_policies.into_iter().reduce(|acc, policy| {
MasterPasswordPolicy {
min_complexity: acc.min_complexity.max(policy.min_complexity),
min_length: acc.min_length.max(policy.min_length),
require_lower: acc.require_lower || policy.require_lower,
require_upper: acc.require_upper || policy.require_upper,
require_numbers: acc.require_numbers || policy.require_numbers,
require_special: acc.require_special || policy.require_special,
enforce_on_login: acc.enforce_on_login || policy.enforce_on_login,
}
}));
mpp_json["object"] = json!("masterPasswordPolicy");
mpp_json
} else {
json!({"object": "masterPasswordPolicy"})
};
let mut result = json!({ let mut result = json!({
"access_token": auth_tokens.access_token(), "access_token": auth_tokens.access_token(),
@ -502,7 +463,7 @@ async fn authenticated_response(
"KdfParallelism": user.client_kdf_parallelism, "KdfParallelism": user.client_kdf_parallelism,
"ResetMasterPassword": false, // TODO: Same as above "ResetMasterPassword": false, // TODO: Same as above
"ForcePasswordReset": false, "ForcePasswordReset": false,
"MasterPasswordPolicy": master_password_policy, "MasterPasswordPolicy": mp_policy,
"scope": auth_tokens.scope(), "scope": auth_tokens.scope(),
"UserDecryptionOptions": { "UserDecryptionOptions": {
"HasMasterPassword": !user.password_hash.is_empty(), "HasMasterPassword": !user.password_hash.is_empty(),

53
src/api/mod.rs
Datei anzeigen

@ -32,7 +32,11 @@ pub use crate::api::{
web::routes as web_routes, web::routes as web_routes,
web::static_files, web::static_files,
}; };
use crate::db::{models::User, DbConn}; use crate::db::{
models::{OrgPolicy, OrgPolicyType, User},
DbConn,
};
use crate::CONFIG;
// Type aliases for API methods results // Type aliases for API methods results
pub type ApiResult<T> = Result<T, crate::error::Error>; pub type ApiResult<T> = Result<T, crate::error::Error>;
@ -68,3 +72,50 @@ impl PasswordOrOtpData {
Ok(()) Ok(())
} }
} }
#[derive(Default, Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct MasterPasswordPolicy {
min_complexity: u8,
min_length: u32,
require_lower: bool,
require_upper: bool,
require_numbers: bool,
require_special: bool,
enforce_on_login: bool,
}
// Fetch all valid Master Password Policies and merge them into one with all true's and larges numbers as one policy
async fn master_password_policy(user: &User, conn: &DbConn) -> Value {
let master_password_policies: Vec<MasterPasswordPolicy> =
OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(
&user.uuid,
OrgPolicyType::MasterPassword,
conn,
)
.await
.into_iter()
.filter_map(|p| serde_json::from_str(&p.data).ok())
.collect();
let mut mpp_json = if !master_password_policies.is_empty() {
json!(master_password_policies.into_iter().reduce(|acc, policy| {
MasterPasswordPolicy {
min_complexity: acc.min_complexity.max(policy.min_complexity),
min_length: acc.min_length.max(policy.min_length),
require_lower: acc.require_lower || policy.require_lower,
require_upper: acc.require_upper || policy.require_upper,
require_numbers: acc.require_numbers || policy.require_numbers,
require_special: acc.require_special || policy.require_special,
enforce_on_login: acc.enforce_on_login || policy.enforce_on_login,
}
}))
} else if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
serde_json::from_str(&policy_str).unwrap_or(json!({}))
} else {
json!({})
};
mpp_json["object"] = json!("masterPasswordPolicy");
mpp_json
}

2
src/db/models/org_policy.rs
Datei anzeigen

@ -196,7 +196,7 @@ impl OrgPolicy {
pub async fn find_accepted_and_confirmed_by_user_and_active_policy( pub async fn find_accepted_and_confirmed_by_user_and_active_policy(
user_uuid: &UserId, user_uuid: &UserId,
policy_type: OrgPolicyType, policy_type: OrgPolicyType,
conn: &mut DbConn, conn: &DbConn,
) -> Vec<Self> { ) -> Vec<Self> {
db_run! { conn: { db_run! { conn: {
org_policies::table org_policies::table