0
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden synced 2024-12-12 16:53:05 +01:00

[PATCH] Some fixes to the Emergency Access PR

- Changed the date of the migration folders to be from this date.
- Removed a lot is_email_domain_allowed checks.
  This check only needs to be done during the invite it self, else
everything else will fail even if a user has an account created via the
/admin interface which bypasses that specific check! Also, the check was
at the wrong place anyway's, since it would only not send out an e-mail,
but would still have allowed an not allowed domain to be used when
e-mail would have been disabled. While that check always works, even if
sending e-mails is disasbled.
- Added an extra allowed route during password/key-rotation change which
updates/checks the public-key afterwards.
- A small change with some `Some` and `None` orders.
- Change the new invite object to only generate the UTC time once, since
it could be possible that there will be a second difference, and we only
need to call it just once.

by black.dex@gmail.com

Signed-off-by: thelittlefireman <thelittlefireman@users.noreply.github.com>
This commit is contained in:
thelittlefireman 2021-09-01 12:54:47 +02:00
parent 4ab9362971
commit ca20b3d80c
12 changed files with 12 additions and 46 deletions

View file

@ -1 +0,0 @@
DROP TABLE emergency_access;

View file

@ -0,0 +1 @@
DROP TABLE emergency_access;

View file

@ -11,4 +11,4 @@ CREATE TABLE emergency_access (
last_notification_at DATETIME,
updated_at DATETIME NOT NULL,
created_at DATETIME NOT NULL
);
);

View file

@ -1 +0,0 @@
DROP TABLE emergency_access;

View file

@ -0,0 +1 @@
DROP TABLE emergency_access;

View file

@ -11,4 +11,4 @@ CREATE TABLE emergency_access (
last_notification_at TIMESTAMP,
updated_at TIMESTAMP NOT NULL,
created_at TIMESTAMP NOT NULL
);
);

View file

@ -1 +0,0 @@
DROP TABLE emergency_access;

View file

@ -0,0 +1 @@
DROP TABLE emergency_access;

View file

@ -11,4 +11,4 @@ CREATE TABLE emergency_access (
last_notification_at DATETIME,
updated_at DATETIME NOT NULL,
created_at DATETIME NOT NULL
);
);

View file

@ -239,7 +239,7 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
user.set_password(
&data.NewMasterPasswordHash,
Some(vec![String::from("post_rotatekey"), String::from("get_contacts")]),
Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]),
);
user.akey = data.Key;
user.save(&conn)

View file

@ -268,13 +268,9 @@ fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> EmptyResult
None => err!("Email not valid."),
};
if !CONFIG.is_email_domain_allowed(&email) {
err!("Email domain not eligible for invitations.")
}
let grantee_user = match User::find_by_mail(&email, &conn) {
None => err!("Grantee user not found."),
Some(user) => user,
None => err!("Grantee user not found."),
};
let grantor_user = headers.user;
@ -346,10 +342,6 @@ fn accept_invite(emer_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) ->
}
if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?;
}
@ -428,10 +420,6 @@ fn confirm_emergency_access(
emergency_access.save(&conn)?;
if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?;
}
Ok(Json(emergency_access.to_json()))
@ -473,10 +461,6 @@ fn initiate_emergency_access(emer_id: String, headers: Headers, conn: DbConn) ->
emergency_access.save(&conn)?;
if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_recovery_initiated(
&grantor_user.email,
&initiating_user.name,
@ -518,10 +502,6 @@ fn approve_emergency_access(emer_id: String, headers: Headers, conn: DbConn) ->
emergency_access.save(&conn)?;
if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?;
}
Ok(Json(emergency_access.to_json()))
@ -563,10 +543,6 @@ fn reject_emergency_access(emer_id: String, headers: Headers, conn: DbConn) -> J
emergency_access.save(&conn)?;
if CONFIG.mail_enabled() {
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
err!("Email domain not valid.")
}
mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?;
}
Ok(Json(emergency_access.to_json()))
@ -764,10 +740,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) {
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)
.expect("Grantee user not found.");
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
error!("Email domain not valid.")
}
mail::send_emergency_access_recovery_timed_out(
&grantor_user.email,
&grantee_user.name.clone(),
@ -775,10 +747,6 @@ pub fn emergency_request_timeout_job(pool: DbPool) {
)
.expect("Error on sending email");
if !CONFIG.is_email_domain_allowed(&grantee_user.email) {
error!("Email not valid.")
}
mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone())
.expect("Error on sending email");
}
@ -816,10 +784,6 @@ pub fn emergency_notification_reminder_job(pool: DbPool) {
// get grantor user to send Accepted email
let grantor_user = User::find_by_uuid(&emer.grantor_uuid, &conn).expect("Grantor user not found.");
if !CONFIG.is_email_domain_allowed(&grantor_user.email) {
error!("Email not valid.")
}
// get grantee user to send Accepted email
let grantee_user =
User::find_by_uuid(&emer.grantee_uuid.clone().expect("Grantee user invalid."), &conn)

View file

@ -29,6 +29,8 @@ db_object! {
impl EmergencyAccess {
pub fn new(grantor_uuid: String, email: Option<String>, status: i32, atype: i32, wait_time_days: i32) -> Self {
let now = Utc::now().naive_utc();
Self {
uuid: crate::util::get_uuid(),
grantor_uuid,
@ -38,8 +40,8 @@ impl EmergencyAccess {
atype,
wait_time_days,
recovery_initiated_at: None,
created_at: Utc::now().naive_utc(),
updated_at: Utc::now().naive_utc(),
created_at: now,
updated_at: now,
key_encrypted: None,
last_notification_at: None,
}