MirrorHub/bitwarden_rs
0
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden synced 2024-11-12 04:52:47 +01:00
Code Issues Releases Wiki Activity
bitwarden_rs/src/db/models/two_factor.rs

220 lines
7.5 KiB
Rust
Raw Normal View History

Updated bw_rs to Rocket version 0.4-rc1
2018-10-10 20:40:39 +02:00
use serde_json::Value;
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
Add email notifications for incomplete 2FA logins An incomplete 2FA login is one where the correct master password was provided, but the 2FA token or action required to complete the login was not provided within the configured time limit. This potentially indicates that the user's master password has been compromised, but the login was blocked by 2FA. Be aware that the 2FA step can usually still be completed after the email notification has already been sent out, which could be confusing. Therefore, the incomplete 2FA time limit should be long enough that this situation would be unlikely. This feature can also be disabled entirely if desired.
2021-10-25 10:36:05 +02:00
use crate::{api::EmptyResult, db::DbConn, error::MapResult};
Add email code logic and move two_factor into separate modules
2019-08-03 18:47:52 +02:00
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
db_object! {
Improve sync speed and updated dep. versions Improved sync speed by resolving the N+1 query issues. Solves #1402 and Solves #1453 With this change there is just one query done to retreive all the important data, and matching is done in-code/memory. With a very large database the sync time went down about 3 times. Also updated misc crates and Github Actions versions.
2022-05-04 21:13:05 +02:00
#[derive(Identifiable, Queryable, Insertable, AsChangeset)]
Update to diesel2
2022-05-20 23:39:47 +02:00
#[diesel(table_name = twofactor)]
#[diesel(primary_key(uuid))]
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
pub struct TwoFactor {
pub uuid: String,
pub user_uuid: String,
pub atype: i32,
pub enabled: bool,
pub data: String,
Change timestamp data type. (#4355) Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
2024-03-17 22:04:37 +01:00
pub last_used: i64,
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
}
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
}
#[allow(dead_code)]
Remove unused dependency and simple feature, update dependencies and fix some clippy lints
2020-05-03 17:24:51 +02:00
#[derive(num_derive::FromPrimitive)]
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
pub enum TwoFactorType {
Authenticator = 0,
Email = 1,
Duo = 2,
YubiKey = 3,
U2f = 4,
Remember = 5,
OrganizationDuo = 6,
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
Webauthn = 7,
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
// These are implementation details
U2fRegisterChallenge = 1000,
U2fLoginChallenge = 1001,
Add email code logic and move two_factor into separate modules
2019-08-03 18:47:52 +02:00
EmailVerificationChallenge = 1002,
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
WebauthnRegisterChallenge = 1003,
WebauthnLoginChallenge = 1004,
Add Protected Actions Check (#4067) Since the feature `Login with device` some actions done via the web-vault need to be verified via an OTP instead of providing the MasterPassword. This only happens if a user used the `Login with device` on a device which uses either Biometrics login or PIN. These actions prevent the athorizing device to send the MasterPasswordHash. When this happens, the web-vault requests an OTP to be filled-in and this OTP is send to the users email address which is the same as the email address to login. The only way to bypass this is by logging in with the your password, in those cases a password is requested instead of an OTP. In case SMTP is not enabled, it will show an error message telling to user to login using there password. Fixes #4042
2023-11-12 22:15:44 +01:00
// Special type for Protected Actions verification via email
ProtectedActions = 2000,
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
}
/// Local methods
impl TwoFactor {
Rework migrations for MySQL
2019-05-20 21:12:41 +02:00
pub fn new(user_uuid: String, atype: TwoFactorType, data: String) -> Self {
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
Self {
Remove some required values during login, now uses default values
2018-12-07 14:32:40 +01:00
uuid: crate::util::get_uuid(),
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
user_uuid,
Rework migrations for MySQL
2019-05-20 21:12:41 +02:00
atype: atype as i32,
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
enabled: true,
data,
Updated authenticator TOTP - Added security check for previouse used codes - Allow TOTP codes with 1 step back and forward when there is a time drift. This means in total 3 codes could be valid. But only newer codes then the previouse used codes are excepted after that.
2019-10-10 17:32:20 +02:00
last_used: 0,
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
}
}
Updated bw_rs to Rocket version 0.4-rc1
2018-10-10 20:40:39 +02:00
pub fn to_json(&self) -> Value {
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
json!({
"Enabled": self.enabled,
"Key": "", // This key and value vary
"Object": "twoFactorAuthenticator" // This value varies
})
}
Rename to_json_list to to_json_provder to reflect the response model
2020-05-08 19:36:35 +02:00
pub fn to_json_provider(&self) -> Value {
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
json!({
"Enabled": self.enabled,
Rework migrations for MySQL
2019-05-20 21:12:41 +02:00
"Type": self.atype,
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
"Object": "twoFactorProvider"
})
}
}
/// Database methods
impl TwoFactor {
Update to diesel2
2022-05-20 23:39:47 +02:00
pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
Fixed foreign-key (mariadb) errors. When using MariaDB v10.5+ Foreign-Key errors were popping up because of some changes in that version. To mitigate this on MariaDB and other MySQL forks those errors are now catched, and instead of a replace_into an update will happen. I have tested this as thorough as possible with MariaDB 10.5, 10.4, 10.3 and the default MySQL on Ubuntu Focal. And tested it again using sqlite, all seems to be ok on all tables. resolves #1081. resolves #1065, resolves #1050
2020-09-22 12:13:02 +02:00
db_run! { conn:
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
sqlite, mysql {
Fixed foreign-key (mariadb) errors. When using MariaDB v10.5+ Foreign-Key errors were popping up because of some changes in that version. To mitigate this on MariaDB and other MySQL forks those errors are now catched, and instead of a replace_into an update will happen. I have tested this as thorough as possible with MariaDB 10.5, 10.4, 10.3 and the default MySQL on Ubuntu Focal. And tested it again using sqlite, all seems to be ok on all tables. resolves #1081. resolves #1065, resolves #1050
2020-09-22 12:13:02 +02:00
match diesel::replace_into(twofactor::table)
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
.values(TwoFactorDb::to_db(self))
.execute(conn)
Fixed foreign-key (mariadb) errors. When using MariaDB v10.5+ Foreign-Key errors were popping up because of some changes in that version. To mitigate this on MariaDB and other MySQL forks those errors are now catched, and instead of a replace_into an update will happen. I have tested this as thorough as possible with MariaDB 10.5, 10.4, 10.3 and the default MySQL on Ubuntu Focal. And tested it again using sqlite, all seems to be ok on all tables. resolves #1081. resolves #1065, resolves #1050
2020-09-22 12:13:02 +02:00
{
Ok(_) => Ok(()),
// Record already exists and causes a Foreign Key Violation because replace_into() wants to delete the record first.
Err(diesel::result::Error::DatabaseError(diesel::result::DatabaseErrorKind::ForeignKeyViolation, _)) => {
diesel::update(twofactor::table)
.filter(twofactor::uuid.eq(&self.uuid))
.set(TwoFactorDb::to_db(self))
.execute(conn)
.map_res("Error saving twofactor")
}
Err(e) => Err(e.into()),
}.map_res("Error saving twofactor")
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
}
postgresql {
let value = TwoFactorDb::to_db(self);
// We need to make sure we're not going to violate the unique constraint on user_uuid and atype.
// This happens automatically on other DBMS backends due to replace_into(). PostgreSQL does
// not support multiple constraints on ON CONFLICT clauses.
diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(&self.user_uuid)).filter(twofactor::atype.eq(&self.atype)))
.execute(conn)
.map_res("Error deleting twofactor for insert")?;
Adds support for PostgreSQL which resolves #87 and is mentioned in #246. This includes migrations as well as Dockerfile's for amd64. The biggest change is that replace_into isn't supported by Diesel for the PostgreSQL backend, instead requiring the use of on_conflict. This unfortunately requires a branch for save() on all of the models currently using replace_into.
2019-09-12 22:12:22 +02:00
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
diesel::insert_into(twofactor::table)
.values(&value)
.on_conflict(twofactor::uuid)
.do_update()
.set(&value)
.execute(conn)
Fixed foreign-key (mariadb) errors. When using MariaDB v10.5+ Foreign-Key errors were popping up because of some changes in that version. To mitigate this on MariaDB and other MySQL forks those errors are now catched, and instead of a replace_into an update will happen. I have tested this as thorough as possible with MariaDB 10.5, 10.4, 10.3 and the default MySQL on Ubuntu Focal. And tested it again using sqlite, all seems to be ok on all tables. resolves #1081. resolves #1065, resolves #1050
2020-09-22 12:13:02 +02:00
.map_res("Error saving twofactor")
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
}
}
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
}
Update to diesel2
2022-05-20 23:39:47 +02:00
pub async fn delete(self, conn: &mut DbConn) -> EmptyResult {
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
db_run! { conn: {
diesel::delete(twofactor::table.filter(twofactor::uuid.eq(self.uuid)))
.execute(conn)
.map_res("Error deleting twofactor")
}}
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
}
Update to diesel2
2022-05-20 23:39:47 +02:00
pub async fn find_by_user(user_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
db_run! { conn: {
twofactor::table
.filter(twofactor::user_uuid.eq(user_uuid))
.filter(twofactor::atype.lt(1000)) // Filter implementation types
.load::<TwoFactorDb>(conn)
.expect("Error loading twofactor")
.from_db()
}}
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
}
Update to diesel2
2022-05-20 23:39:47 +02:00
pub async fn find_by_user_and_type(user_uuid: &str, atype: i32, conn: &mut DbConn) -> Option<Self> {
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
db_run! { conn: {
twofactor::table
.filter(twofactor::user_uuid.eq(user_uuid))
.filter(twofactor::atype.eq(atype))
.first::<TwoFactorDb>(conn)
.ok()
.from_db()
}}
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
}
Start using rustfmt and some style changes to make some lines shorter
2018-12-30 23:34:31 +01:00
Update to diesel2
2022-05-20 23:39:47 +02:00
pub async fn delete_all_by_user(user_uuid: &str, conn: &mut DbConn) -> EmptyResult {
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
db_run! { conn: {
diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(user_uuid)))
.execute(conn)
.map_res("Error deleting twofactors")
}}
Fixed delete user when 2FA is enabled, implemented delete user for admin panel, and the front-end part for invite user. Secured admin panel behind a configurable token.
2018-12-18 18:52:58 +01:00
}
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
Update to diesel2
2022-05-20 23:39:47 +02:00
pub async fn migrate_u2f_to_webauthn(conn: &mut DbConn) -> EmptyResult {
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
let u2f_factors = db_run! { conn: {
twofactor::table
.filter(twofactor::atype.eq(TwoFactorType::U2f as i32))
.load::<TwoFactorDb>(conn)
.expect("Error loading twofactor")
.from_db()
}};
Remove u2f implementation For a while now WebAuthn has replaced u2f. And since web-vault v2.27.0 the connector files for u2f have been removed. Also, on the official bitwarden server the endpoint to `/two-factor/get-u2f` results in a 404. - Removed all u2f code except the migration code from u2f to WebAuthn
2022-03-27 17:25:04 +02:00
use crate::api::core::two_factor::webauthn::U2FRegistration;
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
use crate::api::core::two_factor::webauthn::{get_webauthn_registrations, WebauthnRegistration};
use webauthn_rs::proto::*;
for mut u2f in u2f_factors {
let mut regs: Vec<U2FRegistration> = serde_json::from_str(&u2f.data)?;
// If there are no registrations or they are migrated (we do the migration in batch so we can consider them all migrated when the first one is)
if regs.is_empty() || regs[0].migrated == Some(true) {
continue;
}
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
let (_, mut webauthn_regs) = get_webauthn_registrations(&u2f.user_uuid, conn).await?;
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
// If the user already has webauthn registrations saved, don't overwrite them
if !webauthn_regs.is_empty() {
continue;
}
for reg in &mut regs {
let x: [u8; 32] = reg.reg.pub_key[1..33].try_into().unwrap();
let y: [u8; 32] = reg.reg.pub_key[33..65].try_into().unwrap();
let key = COSEKey {
type_: COSEAlgorithm::ES256,
key: COSEKeyType::EC_EC2(COSEEC2Key {
curve: ECDSACurve::SECP256R1,
x,
y,
}),
};
let new_reg = WebauthnRegistration {
id: reg.id,
migrated: true,
name: reg.name.clone(),
credential: Credential {
counter: reg.counter,
verified: false,
cred: key,
cred_id: reg.reg.key_handle.clone(),
registration_policy: UserVerificationPolicy::Discouraged,
},
};
webauthn_regs.push(new_reg);
reg.migrated = Some(true);
}
u2f.data = serde_json::to_string(&regs)?;
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
u2f.save(conn).await?;
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
TwoFactor::new(u2f.user_uuid.clone(), TwoFactorType::Webauthn, serde_json::to_string(&webauthn_regs)?)
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
.save(conn)
.await?;
Support for webauthn and u2f->webauthn migrations
2021-06-07 23:34:00 +02:00
}
Ok(())
}
Fixed delete user when 2FA is enabled, implemented delete user for admin panel, and the front-end part for invite user. Secured admin panel behind a configurable token.
2018-12-18 18:52:58 +01:00
}
Reference in a new issue Copy permalink