geforkt von mirrored/vaultwarden
Refactor invite claims and disallow reinvites to virtual_org
Dieser Commit ist enthalten in:
Ursprung
3142d8d01f
Commit
f20c4705d9
1 geänderte Dateien mit 33 neuen und 44 gelöschten Zeilen
|
@ -10,8 +10,12 @@ use crate::db::models::*;
|
||||||
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
|
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
|
||||||
use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
|
use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
|
||||||
|
|
||||||
|
use crate::mail;
|
||||||
|
|
||||||
use serde::{Deserialize, Deserializer};
|
use serde::{Deserialize, Deserializer};
|
||||||
|
|
||||||
|
use chrono::{Duration, Utc};
|
||||||
|
|
||||||
use rocket::Route;
|
use rocket::Route;
|
||||||
|
|
||||||
pub fn routes() -> Vec<Route> {
|
pub fn routes() -> Vec<Route> {
|
||||||
|
@ -45,7 +49,6 @@ pub fn routes() -> Vec<Route> {
|
||||||
put_organization_user,
|
put_organization_user,
|
||||||
delete_user,
|
delete_user,
|
||||||
post_delete_user,
|
post_delete_user,
|
||||||
post_reinvite_user,
|
|
||||||
post_org_import,
|
post_org_import,
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -486,22 +489,11 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
||||||
}
|
}
|
||||||
|
|
||||||
if CONFIG.mail.is_some() {
|
if CONFIG.mail.is_some() {
|
||||||
use crate::mail;
|
|
||||||
use chrono::{Duration, Utc};
|
|
||||||
let time_now = Utc::now().naive_utc();
|
|
||||||
let claims = InviteJWTClaims {
|
|
||||||
nbf: time_now.timestamp(),
|
|
||||||
exp: (time_now + Duration::days(5)).timestamp(),
|
|
||||||
iss: JWT_ISSUER.to_string(),
|
|
||||||
sub: user.uuid.to_string(),
|
|
||||||
email: email.clone(),
|
|
||||||
org_id: org_id.clone(),
|
|
||||||
user_org_id: org_user_id.clone(),
|
|
||||||
};
|
|
||||||
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
|
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
|
||||||
Some(org) => org.name,
|
Some(org) => org.name,
|
||||||
None => err!("Error looking up organization")
|
None => err!("Error looking up organization")
|
||||||
};
|
};
|
||||||
|
let claims = generate_invite_claims(user.uuid.to_string(), user.email.clone(), org_id.clone(), org_user_id.clone());
|
||||||
let invite_token = encode_jwt(&claims);
|
let invite_token = encode_jwt(&claims);
|
||||||
if let Some(ref mail_config) = CONFIG.mail {
|
if let Some(ref mail_config) = CONFIG.mail {
|
||||||
if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
|
if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
|
||||||
|
@ -515,8 +507,8 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
#[post("/organizations/<org_id>/users/<user_uuid>/reinvite", data = "<_data>")]
|
#[post("/organizations/<org_id>/users/<user_org>/reinvite")]
|
||||||
fn reinvite_user(org_id: String, user_uuid: String, _data: JsonUpcase<InviteData>, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
|
fn reinvite_user(org_id: String, user_org: String, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
|
||||||
if !CONFIG.invitations_allowed {
|
if !CONFIG.invitations_allowed {
|
||||||
err!("Invitations are not allowed.")
|
err!("Invitations are not allowed.")
|
||||||
}
|
}
|
||||||
|
@ -525,7 +517,16 @@ fn reinvite_user(org_id: String, user_uuid: String, _data: JsonUpcase<InviteData
|
||||||
err!("SMTP is not configured.")
|
err!("SMTP is not configured.")
|
||||||
}
|
}
|
||||||
|
|
||||||
let user = match User::find_by_uuid(&user_uuid, &conn) {
|
if org_id == Organization::VIRTUAL_ID {
|
||||||
|
err!("This functionality is incompatible with the bitwarden_rs virtual organization. Please delete the user and send a new invitation.")
|
||||||
|
}
|
||||||
|
|
||||||
|
let user_org = match UserOrganization::find_by_uuid(&user_org, &conn) {
|
||||||
|
Some(user_org) => user_org,
|
||||||
|
None => err!("UserOrg not found."),
|
||||||
|
};
|
||||||
|
|
||||||
|
let user = match User::find_by_uuid(&user_org.user_uuid, &conn) {
|
||||||
Some(user) => user,
|
Some(user) => user,
|
||||||
None => err!("User not found."),
|
None => err!("User not found."),
|
||||||
};
|
};
|
||||||
|
@ -534,35 +535,15 @@ fn reinvite_user(org_id: String, user_uuid: String, _data: JsonUpcase<InviteData
|
||||||
err!("No invitation found for user to resend. Try inviting them first.")
|
err!("No invitation found for user to resend. Try inviting them first.")
|
||||||
}
|
}
|
||||||
|
|
||||||
let mut org_user_id = None;
|
|
||||||
if org_id != Organization::VIRTUAL_ID {
|
|
||||||
org_user_id = match UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn) {
|
|
||||||
Some(org_user) => Some(org_user.uuid),
|
|
||||||
None => None,
|
|
||||||
};
|
|
||||||
}
|
|
||||||
use crate::mail;
|
|
||||||
use chrono::{Duration, Utc};
|
|
||||||
let time_now = Utc::now().naive_utc();
|
|
||||||
let claims = InviteJWTClaims {
|
|
||||||
nbf: time_now.timestamp(),
|
|
||||||
exp: (time_now + Duration::days(5)).timestamp(),
|
|
||||||
iss: JWT_ISSUER.to_string(),
|
|
||||||
sub: user.uuid.to_string(),
|
|
||||||
email: user.email.clone(),
|
|
||||||
org_id: org_id.clone(),
|
|
||||||
user_org_id: org_user_id.clone(),
|
|
||||||
};
|
|
||||||
|
|
||||||
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
|
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
|
||||||
Some(org) => org.name,
|
Some(org) => org.name,
|
||||||
None => err!("Error looking up organization")
|
None => err!("Error looking up organization.")
|
||||||
};
|
};
|
||||||
|
|
||||||
|
let claims = generate_invite_claims(user.uuid.to_string(), user.email.clone(), org_id.clone(), Some(user_org.uuid.clone()));
|
||||||
let invite_token = encode_jwt(&claims);
|
let invite_token = encode_jwt(&claims);
|
||||||
if let Some(ref mail_config) = CONFIG.mail {
|
if let Some(ref mail_config) = CONFIG.mail {
|
||||||
if let Err(e) = mail::send_invite(&user.email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
|
if let Err(e) = mail::send_invite(&user.email, &org_id, &user_org.uuid, &invite_token, &org_name, mail_config) {
|
||||||
&invite_token, &org_name, mail_config) {
|
|
||||||
err!(format!("There has been a problem sending the email: {}", e))
|
err!(format!("There has been a problem sending the email: {}", e))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -576,6 +557,19 @@ struct AcceptData {
|
||||||
Token: String,
|
Token: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn generate_invite_claims(uuid: String, email: String, org_id: String, org_user_id: Option<String>) -> InviteJWTClaims {
|
||||||
|
let time_now = Utc::now().naive_utc();
|
||||||
|
InviteJWTClaims {
|
||||||
|
nbf: time_now.timestamp(),
|
||||||
|
exp: (time_now + Duration::days(5)).timestamp(),
|
||||||
|
iss: JWT_ISSUER.to_string(),
|
||||||
|
sub: uuid.clone(),
|
||||||
|
email: email.clone(),
|
||||||
|
org_id: org_id.clone(),
|
||||||
|
user_org_id: org_user_id.clone(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
|
#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
|
||||||
fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
|
fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
|
||||||
// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
|
// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
|
||||||
|
@ -784,11 +778,6 @@ fn post_delete_user(org_id: String, org_user_id: String, headers: AdminHeaders,
|
||||||
delete_user(org_id, org_user_id, headers, conn)
|
delete_user(org_id, org_user_id, headers, conn)
|
||||||
}
|
}
|
||||||
|
|
||||||
#[post("/organizations/<_org_id>/users/<_org_user_id>/reinvite")]
|
|
||||||
fn post_reinvite_user(_org_id: String, _org_user_id: String, _headers: AdminHeaders, _conn: DbConn) -> EmptyResult {
|
|
||||||
err!("This functionality is not implemented. The user needs to manually register before they can be accepted into the organization.")
|
|
||||||
}
|
|
||||||
|
|
||||||
use super::ciphers::CipherData;
|
use super::ciphers::CipherData;
|
||||||
use super::ciphers::update_cipher_from_data;
|
use super::ciphers::update_cipher_from_data;
|
||||||
|
|
||||||
|
|
Laden …
In neuem Issue referenzieren