From 4219249e11845bb8869c26e1182fa1d38b1a162a Mon Sep 17 00:00:00 2001 From: BlackDex Date: Fri, 2 Jun 2023 21:36:15 +0200 Subject: [PATCH 1/3] Add support for Organization token This is a WIP for adding organization token login support. It has basic token login and verification support, but that's about it. This branch is a refresh of the previous version, and will contain code from a PR based upon my previous branch. --- .../down.sql | 0 .../up.sql | 8 ++ .../down.sql | 0 .../up.sql | 8 ++ .../down.sql | 0 .../up.sql | 9 +++ src/api/core/organizations.rs | 58 +++++++++++++- src/api/identity.rs | 56 +++++++++++--- src/auth.rs | 30 ++++++++ src/db/models/device.rs | 6 +- src/db/models/mod.rs | 2 +- src/db/models/organization.rs | 77 ++++++++++++++++++- src/db/schemas/mysql/schema.rs | 12 +++ src/db/schemas/postgresql/schema.rs | 12 +++ src/db/schemas/sqlite/schema.rs | 12 +++ 15 files changed, 272 insertions(+), 18 deletions(-) create mode 100644 migrations/mysql/2022-07-21-200424_create_organization_api_key/down.sql create mode 100644 migrations/mysql/2022-07-21-200424_create_organization_api_key/up.sql create mode 100644 migrations/postgresql/2022-07-21-200424_create_organization_api_key/down.sql create mode 100644 migrations/postgresql/2022-07-21-200424_create_organization_api_key/up.sql create mode 100644 migrations/sqlite/2022-07-21-200424_create_organization_api_key/down.sql create mode 100644 migrations/sqlite/2022-07-21-200424_create_organization_api_key/up.sql diff --git a/migrations/mysql/2022-07-21-200424_create_organization_api_key/down.sql b/migrations/mysql/2022-07-21-200424_create_organization_api_key/down.sql new file mode 100644 index 00000000..e69de29b diff --git a/migrations/mysql/2022-07-21-200424_create_organization_api_key/up.sql b/migrations/mysql/2022-07-21-200424_create_organization_api_key/up.sql new file mode 100644 index 00000000..e9e0b739 --- /dev/null +++ b/migrations/mysql/2022-07-21-200424_create_organization_api_key/up.sql @@ -0,0 +1,8 @@ +CREATE TABLE organization_api_key ( + uuid CHAR(36) NOT NULL, + org_uuid CHAR(36) NOT NULL REFERENCES organizations(uuid), + atype INTEGER NOT NULL, + api_key VARCHAR(255) NOT NULL, + revision_date DATETIME NOT NULL, + PRIMARY KEY(uuid, org_uuid) +); diff --git a/migrations/postgresql/2022-07-21-200424_create_organization_api_key/down.sql b/migrations/postgresql/2022-07-21-200424_create_organization_api_key/down.sql new file mode 100644 index 00000000..e69de29b diff --git a/migrations/postgresql/2022-07-21-200424_create_organization_api_key/up.sql b/migrations/postgresql/2022-07-21-200424_create_organization_api_key/up.sql new file mode 100644 index 00000000..3c37bb5c --- /dev/null +++ b/migrations/postgresql/2022-07-21-200424_create_organization_api_key/up.sql @@ -0,0 +1,8 @@ +CREATE TABLE organization_api_key ( + uuid CHAR(36) NOT NULL, + org_uuid CHAR(36) NOT NULL REFERENCES organizations(uuid), + atype INTEGER NOT NULL, + api_key VARCHAR(255), + revision_date TIMESTAMP NOT NULL, + PRIMARY KEY(uuid, org_uuid) +); diff --git a/migrations/sqlite/2022-07-21-200424_create_organization_api_key/down.sql b/migrations/sqlite/2022-07-21-200424_create_organization_api_key/down.sql new file mode 100644 index 00000000..e69de29b diff --git a/migrations/sqlite/2022-07-21-200424_create_organization_api_key/up.sql b/migrations/sqlite/2022-07-21-200424_create_organization_api_key/up.sql new file mode 100644 index 00000000..986b00d9 --- /dev/null +++ b/migrations/sqlite/2022-07-21-200424_create_organization_api_key/up.sql @@ -0,0 +1,9 @@ +CREATE TABLE organization_api_key ( + uuid TEXT NOT NULL, + org_uuid TEXT NOT NULL, + atype INTEGER NOT NULL, + api_key TEXT NOT NULL, + revision_date DATETIME NOT NULL, + PRIMARY KEY(uuid, org_uuid), + FOREIGN KEY(org_uuid) REFERENCES organizations(uuid) +); diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 3899611c..a3aee5be 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -93,7 +93,9 @@ pub fn routes() -> Vec { put_reset_password_enrollment, get_reset_password_details, put_reset_password, - get_org_export + get_org_export, + api_key, + rotate_api_key, ] } @@ -2891,3 +2893,57 @@ async fn get_org_export(org_id: &str, headers: AdminHeaders, mut conn: DbConn) - })) } } + +async fn _api_key( + org_id: String, + data: JsonUpcase, + rotate: bool, + headers: AdminHeaders, + conn: DbConn, +) -> JsonResult { + let data: PasswordData = data.into_inner().data; + let user = headers.user; + + // Validate the admin users password + if !user.check_valid_password(&data.MasterPasswordHash) { + err!("Invalid password") + } + + let org_api_key = match OrganizationApiKey::find_by_org_uuid(&org_id, &conn).await { + Some(mut org_api_key) => { + if rotate { + org_api_key.api_key = crate::crypto::generate_api_key(); + org_api_key.revision_date = chrono::Utc::now().naive_utc(); + org_api_key.save(&conn).await.expect("Error rotating organization API Key"); + } + org_api_key + } + None => { + let api_key = crate::crypto::generate_api_key(); + let new_org_api_key = OrganizationApiKey::new(org_id, api_key); + new_org_api_key.save(&conn).await.expect("Error creating organization API Key"); + new_org_api_key + } + }; + + Ok(Json(json!({ + "ApiKey": org_api_key.api_key, + "RevisionDate": crate::util::format_date(&org_api_key.revision_date), + "Object": "apiKey", + }))) +} + +#[post("/organizations//api-key", data = "")] +async fn api_key(org_id: String, data: JsonUpcase, headers: AdminHeaders, conn: DbConn) -> JsonResult { + _api_key(org_id, data, false, headers, conn).await +} + +#[post("/organizations//rotate-api-key", data = "")] +async fn rotate_api_key( + org_id: String, + data: JsonUpcase, + headers: AdminHeaders, + conn: DbConn, +) -> JsonResult { + _api_key(org_id, data, true, headers, conn).await +} diff --git a/src/api/identity.rs b/src/api/identity.rs index cefee692..048ac17d 100644 --- a/src/api/identity.rs +++ b/src/api/identity.rs @@ -14,7 +14,7 @@ use crate::{ core::two_factor::{duo, email, email::EmailTokenData, yubikey}, ApiResult, EmptyResult, JsonResult, JsonUpcase, }, - auth::{ClientHeaders, ClientIp}, + auth::{generate_organization_api_key_login_claims, ClientHeaders, ClientIp}, db::{models::*, DbConn}, error::MapResult, mail, util, CONFIG, @@ -276,16 +276,23 @@ async fn _api_key_login( conn: &mut DbConn, ip: &ClientIp, ) -> JsonResult { - // Validate scope - let scope = data.scope.as_ref().unwrap(); - if scope != "api" { - err!("Scope not supported") - } - let scope_vec = vec!["api".into()]; - // Ratelimit the login crate::ratelimit::check_limit_login(&ip.ip)?; + // Validate scope + match data.scope.as_ref().unwrap().as_ref() { + "api" => _user_api_key_login(data, user_uuid, conn, ip).await, + "api.organization" => _organization_api_key_login(data, conn, ip).await, + _ => err!("Scope not supported"), + } +} + +async fn _user_api_key_login( + data: ConnectData, + user_uuid: &mut Option, + conn: &mut DbConn, + ip: &ClientIp, +) -> JsonResult { // Get the user via the client_id let client_id = data.client_id.as_ref().unwrap(); let client_user_uuid = match client_id.strip_prefix("user.") { @@ -342,6 +349,7 @@ async fn _api_key_login( } // Common + let scope_vec = vec!["api".into()]; let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await; let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec); device.save(conn).await?; @@ -362,13 +370,43 @@ async fn _api_key_login( "KdfMemory": user.client_kdf_memory, "KdfParallelism": user.client_kdf_parallelism, "ResetMasterPassword": false, // TODO: Same as above - "scope": scope, + "scope": "api", "unofficialServer": true, }); Ok(Json(result)) } +async fn _organization_api_key_login(data: ConnectData, conn: &mut DbConn, ip: &ClientIp) -> JsonResult { + // Get the org via the client_id + let client_id = data.client_id.as_ref().unwrap(); + let org_uuid = match client_id.strip_prefix("organization.") { + Some(uuid) => uuid, + None => err!("Malformed client_id", format!("IP: {}.", ip.ip)), + }; + let org_api_key = match OrganizationApiKey::find_by_org_uuid(org_uuid, conn).await { + Some(org_api_key) => org_api_key, + None => err!("Invalid client_id", format!("IP: {}.", ip.ip)), + }; + + // Check API key. + let client_secret = data.client_secret.as_ref().unwrap(); + if !org_api_key.check_valid_api_key(client_secret) { + err!("Incorrect client_secret", format!("IP: {}. Organization: {}.", ip.ip, org_api_key.org_uuid)) + } + + let claim = generate_organization_api_key_login_claims(org_api_key.uuid, org_api_key.org_uuid); + let access_token = crate::auth::encode_jwt(&claim); + + Ok(Json(json!({ + "access_token": access_token, + "expires_in": 3600, + "token_type": "Bearer", + "scope": "api.organization", + "unofficialServer": true, + }))) +} + /// Retrieves an existing device or creates a new device from ConnectData and the User async fn get_device(data: &ConnectData, conn: &mut DbConn, user: &User) -> (Device, bool) { // On iOS, device_type sends "iOS", on others it sends a number diff --git a/src/auth.rs b/src/auth.rs index 2a6f8a32..d96e98e1 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -23,6 +23,7 @@ static JWT_DELETE_ISSUER: Lazy = Lazy::new(|| format!("{}|delete", CONFI static JWT_VERIFYEMAIL_ISSUER: Lazy = Lazy::new(|| format!("{}|verifyemail", CONFIG.domain_origin())); static JWT_ADMIN_ISSUER: Lazy = Lazy::new(|| format!("{}|admin", CONFIG.domain_origin())); static JWT_SEND_ISSUER: Lazy = Lazy::new(|| format!("{}|send", CONFIG.domain_origin())); +static JWT_ORG_API_KEY_ISSUER: Lazy = Lazy::new(|| format!("{}|api.organization", CONFIG.domain_origin())); static PRIVATE_RSA_KEY: Lazy = Lazy::new(|| { let key = @@ -200,6 +201,35 @@ pub fn generate_emergency_access_invite_claims( } } +#[derive(Debug, Serialize, Deserialize)] +pub struct OrgApiKeyLoginJwtClaims { + // Not before + pub nbf: i64, + // Expiration time + pub exp: i64, + // Issuer + pub iss: String, + // Subject + pub sub: String, + + pub client_id: String, + pub client_sub: String, + pub scope: Vec, +} + +pub fn generate_organization_api_key_login_claims(uuid: String, org_id: String) -> OrgApiKeyLoginJwtClaims { + let time_now = Utc::now().naive_utc(); + OrgApiKeyLoginJwtClaims { + nbf: time_now.timestamp(), + exp: (time_now + Duration::hours(1)).timestamp(), + iss: JWT_ORG_API_KEY_ISSUER.to_string(), + sub: uuid, + client_id: format!("organization.{org_id}"), + client_sub: org_id, + scope: vec!["api.organization".into()], + } +} + #[derive(Debug, Serialize, Deserialize)] pub struct BasicJwtClaims { // Not before diff --git a/src/db/models/device.rs b/src/db/models/device.rs index a1f4aee9..81f12e18 100644 --- a/src/db/models/device.rs +++ b/src/db/models/device.rs @@ -1,6 +1,6 @@ use chrono::{NaiveDateTime, Utc}; -use crate::CONFIG; +use crate::{crypto, CONFIG}; db_object! { #[derive(Identifiable, Queryable, Insertable, AsChangeset)] @@ -47,9 +47,7 @@ impl Device { } pub fn refresh_twofactor_remember(&mut self) -> String { - use crate::crypto; use data_encoding::BASE64; - let twofactor_remember = crypto::encode_random_bytes::<180>(BASE64); self.twofactor_remember = Some(twofactor_remember.clone()); @@ -68,9 +66,7 @@ impl Device { ) -> (String, i64) { // If there is no refresh token, we create one if self.refresh_token.is_empty() { - use crate::crypto; use data_encoding::BASE64URL; - self.refresh_token = crypto::encode_random_bytes::<64>(BASE64URL); } diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs index 96dc27ce..6cbde05f 100644 --- a/src/db/models/mod.rs +++ b/src/db/models/mod.rs @@ -24,7 +24,7 @@ pub use self::favorite::Favorite; pub use self::folder::{Folder, FolderCipher}; pub use self::group::{CollectionGroup, Group, GroupUser}; pub use self::org_policy::{OrgPolicy, OrgPolicyErr, OrgPolicyType}; -pub use self::organization::{Organization, UserOrgStatus, UserOrgType, UserOrganization}; +pub use self::organization::{Organization, OrganizationApiKey, UserOrgStatus, UserOrgType, UserOrganization}; pub use self::send::{Send, SendType}; pub use self::two_factor::{TwoFactor, TwoFactorType}; pub use self::two_factor_incomplete::TwoFactorIncomplete; diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs index e0b92239..47151a96 100644 --- a/src/db/models/organization.rs +++ b/src/db/models/organization.rs @@ -1,3 +1,4 @@ +use chrono::{NaiveDateTime, Utc}; use num_traits::FromPrimitive; use serde_json::Value; use std::cmp::Ordering; @@ -31,6 +32,17 @@ db_object! { pub atype: i32, pub reset_password_key: Option, } + + #[derive(Identifiable, Queryable, Insertable, AsChangeset)] + #[diesel(table_name = organization_api_key)] + #[diesel(primary_key(uuid, org_uuid))] + pub struct OrganizationApiKey { + pub uuid: String, + pub org_uuid: String, + pub atype: i32, + pub api_key: String, + pub revision_date: NaiveDateTime, + } } // https://github.com/bitwarden/server/blob/b86a04cef9f1e1b82cf18e49fc94e017c641130c/src/Core/Enums/OrganizationUserStatusType.cs @@ -157,7 +169,7 @@ impl Organization { "UseSso": false, // Not supported // "UseKeyConnector": false, // Not supported "SelfHost": true, - "UseApi": false, // Not supported + "UseApi": true, "HasPublicAndPrivateKeys": self.private_key.is_some() && self.public_key.is_some(), "UseResetPassword": CONFIG.mail_enabled(), @@ -212,6 +224,23 @@ impl UserOrganization { } } +impl OrganizationApiKey { + pub fn new(org_uuid: String, api_key: String) -> Self { + Self { + uuid: crate::util::get_uuid(), + + org_uuid, + atype: 0, // Type 0 is the default and only type we support currently + api_key, + revision_date: Utc::now().naive_utc(), + } + } + + pub fn check_valid_api_key(&self, api_key: &str) -> bool { + crate::crypto::ct_eq(&self.api_key, api_key) + } +} + use crate::db::DbConn; use crate::api::EmptyResult; @@ -311,7 +340,7 @@ impl UserOrganization { "UseTotp": true, // "UseScim": false, // Not supported (Not AGPLv3 Licensed) "UsePolicies": true, - "UseApi": false, // Not supported + "UseApi": true, "SelfHost": true, "HasPublicAndPrivateKeys": org.private_key.is_some() && org.public_key.is_some(), "ResetPasswordEnrolled": self.reset_password_key.is_some(), @@ -750,6 +779,50 @@ impl UserOrganization { } } +impl OrganizationApiKey { + pub async fn save(&self, conn: &DbConn) -> EmptyResult { + db_run! { conn: + sqlite, mysql { + match diesel::replace_into(organization_api_key::table) + .values(OrganizationApiKeyDb::to_db(self)) + .execute(conn) + { + Ok(_) => Ok(()), + // Record already exists and causes a Foreign Key Violation because replace_into() wants to delete the record first. + Err(diesel::result::Error::DatabaseError(diesel::result::DatabaseErrorKind::ForeignKeyViolation, _)) => { + diesel::update(organization_api_key::table) + .filter(organization_api_key::uuid.eq(&self.uuid)) + .set(OrganizationApiKeyDb::to_db(self)) + .execute(conn) + .map_res("Error saving organization") + } + Err(e) => Err(e.into()), + }.map_res("Error saving organization") + + } + postgresql { + let value = OrganizationApiKeyDb::to_db(self); + diesel::insert_into(organization_api_key::table) + .values(&value) + .on_conflict(organization_api_key::uuid) + .do_update() + .set(&value) + .execute(conn) + .map_res("Error saving organization") + } + } + } + + pub async fn find_by_org_uuid(org_uuid: &str, conn: &DbConn) -> Option { + db_run! { conn: { + organization_api_key::table + .filter(organization_api_key::org_uuid.eq(org_uuid)) + .first::(conn) + .ok().from_db() + }} + } +} + #[cfg(test)] mod tests { use super::*; diff --git a/src/db/schemas/mysql/schema.rs b/src/db/schemas/mysql/schema.rs index 315f4953..4d58f63f 100644 --- a/src/db/schemas/mysql/schema.rs +++ b/src/db/schemas/mysql/schema.rs @@ -229,6 +229,16 @@ table! { } } +table! { + organization_api_key (uuid, org_uuid) { + uuid -> Text, + org_uuid -> Text, + atype -> Integer, + api_key -> Text, + revision_date -> Timestamp, + } +} + table! { emergency_access (uuid) { uuid -> Text, @@ -292,6 +302,7 @@ joinable!(users_collections -> collections (collection_uuid)); joinable!(users_collections -> users (user_uuid)); joinable!(users_organizations -> organizations (org_uuid)); joinable!(users_organizations -> users (user_uuid)); +joinable!(organization_api_key -> organizations (org_uuid)); joinable!(emergency_access -> users (grantor_uuid)); joinable!(groups -> organizations (organizations_uuid)); joinable!(groups_users -> users_organizations (users_organizations_uuid)); @@ -316,6 +327,7 @@ allow_tables_to_appear_in_same_query!( users, users_collections, users_organizations, + organization_api_key, emergency_access, groups, groups_users, diff --git a/src/db/schemas/postgresql/schema.rs b/src/db/schemas/postgresql/schema.rs index c42e8d18..941f51cb 100644 --- a/src/db/schemas/postgresql/schema.rs +++ b/src/db/schemas/postgresql/schema.rs @@ -229,6 +229,16 @@ table! { } } +table! { + organization_api_key (uuid, org_uuid) { + uuid -> Text, + org_uuid -> Text, + atype -> Integer, + api_key -> Text, + revision_date -> Timestamp, + } +} + table! { emergency_access (uuid) { uuid -> Text, @@ -292,6 +302,7 @@ joinable!(users_collections -> collections (collection_uuid)); joinable!(users_collections -> users (user_uuid)); joinable!(users_organizations -> organizations (org_uuid)); joinable!(users_organizations -> users (user_uuid)); +joinable!(organization_api_key -> organizations (org_uuid)); joinable!(emergency_access -> users (grantor_uuid)); joinable!(groups -> organizations (organizations_uuid)); joinable!(groups_users -> users_organizations (users_organizations_uuid)); @@ -316,6 +327,7 @@ allow_tables_to_appear_in_same_query!( users, users_collections, users_organizations, + organization_api_key, emergency_access, groups, groups_users, diff --git a/src/db/schemas/sqlite/schema.rs b/src/db/schemas/sqlite/schema.rs index 402f0a22..ce9c7e33 100644 --- a/src/db/schemas/sqlite/schema.rs +++ b/src/db/schemas/sqlite/schema.rs @@ -229,6 +229,16 @@ table! { } } +table! { + organization_api_key (uuid, org_uuid) { + uuid -> Text, + org_uuid -> Text, + atype -> Integer, + api_key -> Text, + revision_date -> Timestamp, + } +} + table! { emergency_access (uuid) { uuid -> Text, @@ -293,6 +303,7 @@ joinable!(users_collections -> users (user_uuid)); joinable!(users_organizations -> organizations (org_uuid)); joinable!(users_organizations -> users (user_uuid)); joinable!(users_organizations -> ciphers (org_uuid)); +joinable!(organization_api_key -> organizations (org_uuid)); joinable!(emergency_access -> users (grantor_uuid)); joinable!(groups -> organizations (organizations_uuid)); joinable!(groups_users -> users_organizations (users_organizations_uuid)); @@ -317,6 +328,7 @@ allow_tables_to_appear_in_same_query!( users, users_collections, users_organizations, + organization_api_key, emergency_access, groups, groups_users, From 8e34495e73f280e1c62f0f1b63e0219225f001d7 Mon Sep 17 00:00:00 2001 From: BlackDex Date: Fri, 2 Jun 2023 22:28:30 +0200 Subject: [PATCH 2/3] Merge and modify PR from @Kurnihil Merging a PR from @Kurnihil into the already rebased branch. Made some small changes to make it work with newer changes. Some finetuning is probably still needed. Co-authored-by: Daniele Andrei Co-authored-by: Kurnihil --- .../down.sql | 0 .../up.sql | 2 + .../down.sql | 0 .../up.sql | 2 + .../down.sql | 0 .../up.sql | 2 + src/api/core/mod.rs | 2 + src/api/core/organizations.rs | 2 +- src/api/core/public.rs | 231 ++++++++++++++++++ src/auth.rs | 4 + src/db/models/group.rs | 15 +- src/db/models/organization.rs | 2 +- src/db/models/user.rs | 24 ++ src/db/schemas/mysql/schema.rs | 1 + src/db/schemas/postgresql/schema.rs | 1 + src/db/schemas/sqlite/schema.rs | 1 + 16 files changed, 282 insertions(+), 7 deletions(-) rename migrations/mysql/{2022-07-21-200424_create_organization_api_key => 2023-06-02-200424_create_organization_api_key}/down.sql (100%) rename migrations/mysql/{2022-07-21-200424_create_organization_api_key => 2023-06-02-200424_create_organization_api_key}/up.sql (83%) rename migrations/postgresql/{2022-07-21-200424_create_organization_api_key => 2023-06-02-200424_create_organization_api_key}/down.sql (100%) rename migrations/postgresql/{2022-07-21-200424_create_organization_api_key => 2023-06-02-200424_create_organization_api_key}/up.sql (83%) rename migrations/sqlite/{2022-07-21-200424_create_organization_api_key => 2023-06-02-200424_create_organization_api_key}/down.sql (100%) rename migrations/sqlite/{2022-07-21-200424_create_organization_api_key => 2023-06-02-200424_create_organization_api_key}/up.sql (86%) create mode 100644 src/api/core/public.rs diff --git a/migrations/mysql/2022-07-21-200424_create_organization_api_key/down.sql b/migrations/mysql/2023-06-02-200424_create_organization_api_key/down.sql similarity index 100% rename from migrations/mysql/2022-07-21-200424_create_organization_api_key/down.sql rename to migrations/mysql/2023-06-02-200424_create_organization_api_key/down.sql diff --git a/migrations/mysql/2022-07-21-200424_create_organization_api_key/up.sql b/migrations/mysql/2023-06-02-200424_create_organization_api_key/up.sql similarity index 83% rename from migrations/mysql/2022-07-21-200424_create_organization_api_key/up.sql rename to migrations/mysql/2023-06-02-200424_create_organization_api_key/up.sql index e9e0b739..6c4f5cb6 100644 --- a/migrations/mysql/2022-07-21-200424_create_organization_api_key/up.sql +++ b/migrations/mysql/2023-06-02-200424_create_organization_api_key/up.sql @@ -6,3 +6,5 @@ CREATE TABLE organization_api_key ( revision_date DATETIME NOT NULL, PRIMARY KEY(uuid, org_uuid) ); + +ALTER TABLE users ADD COLUMN external_id TEXT; diff --git a/migrations/postgresql/2022-07-21-200424_create_organization_api_key/down.sql b/migrations/postgresql/2023-06-02-200424_create_organization_api_key/down.sql similarity index 100% rename from migrations/postgresql/2022-07-21-200424_create_organization_api_key/down.sql rename to migrations/postgresql/2023-06-02-200424_create_organization_api_key/down.sql diff --git a/migrations/postgresql/2022-07-21-200424_create_organization_api_key/up.sql b/migrations/postgresql/2023-06-02-200424_create_organization_api_key/up.sql similarity index 83% rename from migrations/postgresql/2022-07-21-200424_create_organization_api_key/up.sql rename to migrations/postgresql/2023-06-02-200424_create_organization_api_key/up.sql index 3c37bb5c..9c3ba41c 100644 --- a/migrations/postgresql/2022-07-21-200424_create_organization_api_key/up.sql +++ b/migrations/postgresql/2023-06-02-200424_create_organization_api_key/up.sql @@ -6,3 +6,5 @@ CREATE TABLE organization_api_key ( revision_date TIMESTAMP NOT NULL, PRIMARY KEY(uuid, org_uuid) ); + +ALTER TABLE users ADD COLUMN external_id TEXT; diff --git a/migrations/sqlite/2022-07-21-200424_create_organization_api_key/down.sql b/migrations/sqlite/2023-06-02-200424_create_organization_api_key/down.sql similarity index 100% rename from migrations/sqlite/2022-07-21-200424_create_organization_api_key/down.sql rename to migrations/sqlite/2023-06-02-200424_create_organization_api_key/down.sql diff --git a/migrations/sqlite/2022-07-21-200424_create_organization_api_key/up.sql b/migrations/sqlite/2023-06-02-200424_create_organization_api_key/up.sql similarity index 86% rename from migrations/sqlite/2022-07-21-200424_create_organization_api_key/up.sql rename to migrations/sqlite/2023-06-02-200424_create_organization_api_key/up.sql index 986b00d9..2880bb22 100644 --- a/migrations/sqlite/2022-07-21-200424_create_organization_api_key/up.sql +++ b/migrations/sqlite/2023-06-02-200424_create_organization_api_key/up.sql @@ -7,3 +7,5 @@ CREATE TABLE organization_api_key ( PRIMARY KEY(uuid, org_uuid), FOREIGN KEY(org_uuid) REFERENCES organizations(uuid) ); + +ALTER TABLE users ADD COLUMN external_id TEXT; diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs index 00cfcf85..f7e912cf 100644 --- a/src/api/core/mod.rs +++ b/src/api/core/mod.rs @@ -4,6 +4,7 @@ mod emergency_access; mod events; mod folders; mod organizations; +mod public; mod sends; pub mod two_factor; @@ -27,6 +28,7 @@ pub fn routes() -> Vec { routes.append(&mut organizations::routes()); routes.append(&mut two_factor::routes()); routes.append(&mut sends::routes()); + routes.append(&mut public::routes()); routes.append(&mut eq_domains_routes); routes.append(&mut hibp_routes); routes.append(&mut meta_routes); diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index a3aee5be..a71eb641 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -2382,7 +2382,7 @@ async fn add_update_group( "OrganizationId": group.organizations_uuid, "Name": group.name, "AccessAll": group.access_all, - "ExternalId": group.get_external_id() + "ExternalId": group.external_id }))) } diff --git a/src/api/core/public.rs b/src/api/core/public.rs new file mode 100644 index 00000000..c8689222 --- /dev/null +++ b/src/api/core/public.rs @@ -0,0 +1,231 @@ +use chrono::Utc; +use rocket::{ + request::{self, FromRequest, Outcome}, + Request, Route, +}; + +use crate::{ + api::{EmptyResult, JsonUpcase}, + auth, + db::{models::*, DbConn}, + mail, CONFIG, +}; + +pub fn routes() -> Vec { + routes![ldap_import] +} + +#[derive(Deserialize, Debug)] +#[allow(non_snake_case)] +struct OrgImportGroupData { + Name: String, + ExternalId: String, + MemberExternalIds: Vec, +} + +#[derive(Deserialize, Debug)] +#[allow(non_snake_case)] +struct OrgImportUserData { + Email: String, + ExternalId: String, + Deleted: bool, +} + +#[derive(Deserialize, Debug)] +#[allow(non_snake_case)] +struct OrgImportData { + Groups: Vec, + Members: Vec, + OverwriteExisting: bool, + #[allow(dead_code)] + LargeImport: bool, +} + +#[post("/public/organization/import", data = "")] +async fn ldap_import(data: JsonUpcase, token: PublicToken, mut conn: DbConn) -> EmptyResult { + let _ = &conn; + let org_id = token.0; + let data = data.into_inner().data; + + for user_data in &data.Members { + if user_data.Deleted { + // If user is marked for deletion and it exists, revoke it + if let Some(mut user_org) = + UserOrganization::find_by_email_and_org(&user_data.Email, &org_id, &mut conn).await + { + user_org.revoke(); + user_org.save(&mut conn).await?; + } + + // If user is part of the organization, restore it + } else if let Some(mut user_org) = + UserOrganization::find_by_email_and_org(&user_data.Email, &org_id, &mut conn).await + { + if user_org.status < UserOrgStatus::Revoked as i32 { + user_org.restore(); + user_org.save(&mut conn).await?; + } + } else { + // If user is not part of the organization + let user = match User::find_by_mail(&user_data.Email, &mut conn).await { + Some(user) => user, // exists in vaultwarden + None => { + // doesn't exist in vaultwarden + let mut new_user = User::new(user_data.Email.clone()); + new_user.set_external_id(Some(user_data.ExternalId.clone())); + new_user.save(&mut conn).await?; + + if !CONFIG.mail_enabled() { + let invitation = Invitation::new(&new_user.email); + invitation.save(&mut conn).await?; + } + new_user + } + }; + let user_org_status = if CONFIG.mail_enabled() { + UserOrgStatus::Invited as i32 + } else { + UserOrgStatus::Accepted as i32 // Automatically mark user as accepted if no email invites + }; + + let mut new_org_user = UserOrganization::new(user.uuid.clone(), org_id.clone()); + new_org_user.access_all = false; + new_org_user.atype = UserOrgType::User as i32; + new_org_user.status = user_org_status; + + new_org_user.save(&mut conn).await?; + + if CONFIG.mail_enabled() { + let (org_name, org_email) = match Organization::find_by_uuid(&org_id, &mut conn).await { + Some(org) => (org.name, org.billing_email), + None => err!("Error looking up organization"), + }; + + mail::send_invite( + &user_data.Email, + &user.uuid, + Some(org_id.clone()), + Some(new_org_user.uuid), + &org_name, + Some(org_email), + ) + .await?; + } + } + } + + for group_data in &data.Groups { + let group_uuid = match Group::find_by_external_id(&group_data.ExternalId, &mut conn).await { + Some(group) => group.uuid, + None => { + let mut group = + Group::new(org_id.clone(), group_data.Name.clone(), false, Some(group_data.ExternalId.clone())); + group.save(&mut conn).await?; + group.uuid + } + }; + + GroupUser::delete_all_by_group(&group_uuid, &mut conn).await?; + + for ext_id in &group_data.MemberExternalIds { + if let Some(user) = User::find_by_external_id(ext_id, &mut conn).await { + if let Some(user_org) = UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &mut conn).await { + let mut group_user = GroupUser::new(group_uuid.clone(), user_org.uuid.clone()); + group_user.save(&mut conn).await?; + } + } + } + } + + // If this flag is enabled, any user that isn't provided in the Users list will be removed (by default they will be kept unless they have Deleted == true) + if data.OverwriteExisting { + for user_org in UserOrganization::find_by_org(&org_id, &mut conn).await { + if let Some(user_external_id) = + User::find_by_uuid(&user_org.user_uuid, &mut conn).await.map(|u| u.external_id) + { + if user_external_id.is_some() + && !data.Members.iter().any(|u| u.ExternalId == *user_external_id.as_ref().unwrap()) + { + if user_org.atype == UserOrgType::Owner && user_org.status == UserOrgStatus::Confirmed as i32 { + // Removing owner, check that there is at least one other confirmed owner + if UserOrganization::count_confirmed_by_org_and_type(&org_id, UserOrgType::Owner, &mut conn) + .await + <= 1 + { + warn!("Can't delete the last owner"); + continue; + } + } + user_org.delete(&mut conn).await?; + } + } + } + } + + Ok(()) +} + +#[derive(Debug)] +pub struct PublicToken(String); + +#[rocket::async_trait] +impl<'r> FromRequest<'r> for PublicToken { + type Error = &'static str; + + async fn from_request(request: &'r Request<'_>) -> request::Outcome { + let headers = request.headers(); + // Get access_token + let access_token: &str = match headers.get_one("Authorization") { + Some(a) => match a.rsplit("Bearer ").next() { + Some(split) => split, + None => err_handler!("No access token provided"), + }, + None => err_handler!("No access token provided"), + }; + // Check JWT token is valid and get device and user from it + let claims = match auth::decode_api_org(access_token) { + Ok(claims) => claims, + Err(_) => err_handler!("Invalid claim"), + }; + // Check if time is between claims.nbf and claims.exp + let time_now = Utc::now().naive_utc().timestamp(); + if time_now < claims.nbf { + err_handler!("Token issued in the future"); + } + if time_now > claims.exp { + err_handler!("Token expired"); + } + // Check if claims.iss is host|claims.scope[0] + let host = match auth::Host::from_request(request).await { + Outcome::Success(host) => host, + _ => err_handler!("Error getting Host"), + }; + let complete_host = format!("{}|{}", host.host, claims.scope[0]); + if complete_host != claims.iss { + err_handler!("Token not issued by this server"); + } + + // Check if claims.sub is org_api_key.uuid + // Check if claims.client_sub is org_api_key.org_uuid + let conn = match DbConn::from_request(request).await { + Outcome::Success(conn) => conn, + _ => err_handler!("Error getting DB"), + }; + let org_uuid = match claims.client_id.strip_prefix("organization.") { + Some(uuid) => uuid, + None => err_handler!("Malformed client_id"), + }; + let org_api_key = match OrganizationApiKey::find_by_org_uuid(org_uuid, &conn).await { + Some(org_api_key) => org_api_key, + None => err_handler!("Invalid client_id"), + }; + if org_api_key.org_uuid != claims.client_sub { + err_handler!("Token not issued for this org"); + } + if org_api_key.uuid != claims.sub { + err_handler!("Token not issued for this client"); + } + + Outcome::Success(PublicToken(claims.client_sub)) + } +} diff --git a/src/auth.rs b/src/auth.rs index d96e98e1..6b01a4d4 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -94,6 +94,10 @@ pub fn decode_send(token: &str) -> Result { decode_jwt(token, JWT_SEND_ISSUER.to_string()) } +pub fn decode_api_org(token: &str) -> Result { + decode_jwt(token, JWT_ORG_API_KEY_ISSUER.to_string()) +} + #[derive(Debug, Serialize, Deserialize)] pub struct LoginJwtClaims { // Not before diff --git a/src/db/models/group.rs b/src/db/models/group.rs index 258b9e42..5bae798d 100644 --- a/src/db/models/group.rs +++ b/src/db/models/group.rs @@ -10,7 +10,7 @@ db_object! { pub organizations_uuid: String, pub name: String, pub access_all: bool, - external_id: Option, + pub external_id: Option, pub creation_date: NaiveDateTime, pub revision_date: NaiveDateTime, } @@ -107,10 +107,6 @@ impl Group { None => self.external_id = None, } } - - pub fn get_external_id(&self) -> Option { - self.external_id.clone() - } } impl CollectionGroup { @@ -214,6 +210,15 @@ impl Group { }} } + pub async fn find_by_external_id(id: &str, conn: &mut DbConn) -> Option { + db_run! { conn: { + groups::table + .filter(groups::external_id.eq(id)) + .first::(conn) + .ok() + .from_db() + }} + } //Returns all organizations the user has full access to pub async fn gather_user_organizations_full_access(user_uuid: &str, conn: &mut DbConn) -> Vec { db_run! { conn: { diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs index 47151a96..5d1f0af2 100644 --- a/src/db/models/organization.rs +++ b/src/db/models/organization.rs @@ -510,7 +510,7 @@ impl UserOrganization { .set(UserOrganizationDb::to_db(self)) .execute(conn) .map_res("Error adding user to organization") - } + }, Err(e) => Err(e.into()), }.map_res("Error adding user to organization") } diff --git a/src/db/models/user.rs b/src/db/models/user.rs index 83a59524..a4764ada 100644 --- a/src/db/models/user.rs +++ b/src/db/models/user.rs @@ -50,6 +50,8 @@ db_object! { pub api_key: Option, pub avatar_color: Option, + + pub external_id: Option, } #[derive(Identifiable, Queryable, Insertable)] @@ -126,6 +128,8 @@ impl User { api_key: None, avatar_color: None, + + external_id: None, } } @@ -150,6 +154,21 @@ impl User { matches!(self.api_key, Some(ref api_key) if crate::crypto::ct_eq(api_key, key)) } + pub fn set_external_id(&mut self, external_id: Option) { + //Check if external id is empty. We don't want to have + //empty strings in the database + match external_id { + Some(external_id) => { + if external_id.is_empty() { + self.external_id = None; + } else { + self.external_id = Some(external_id) + } + } + None => self.external_id = None, + } + } + /// Set the password hash generated /// And resets the security_stamp. Based upon the allow_next_route the security_stamp will be different. /// @@ -376,6 +395,11 @@ impl User { }} } + pub async fn find_by_external_id(id: &str, conn: &mut DbConn) -> Option { + db_run! {conn: { + users::table.filter(users::external_id.eq(id)).first::(conn).ok().from_db() + }} + } pub async fn get_all(conn: &mut DbConn) -> Vec { db_run! {conn: { users::table.load::(conn).expect("Error loading users").from_db() diff --git a/src/db/schemas/mysql/schema.rs b/src/db/schemas/mysql/schema.rs index 4d58f63f..37803275 100644 --- a/src/db/schemas/mysql/schema.rs +++ b/src/db/schemas/mysql/schema.rs @@ -204,6 +204,7 @@ table! { client_kdf_parallelism -> Nullable, api_key -> Nullable, avatar_color -> Nullable, + external_id -> Nullable, } } diff --git a/src/db/schemas/postgresql/schema.rs b/src/db/schemas/postgresql/schema.rs index 941f51cb..0b69bbc4 100644 --- a/src/db/schemas/postgresql/schema.rs +++ b/src/db/schemas/postgresql/schema.rs @@ -204,6 +204,7 @@ table! { client_kdf_parallelism -> Nullable, api_key -> Nullable, avatar_color -> Nullable, + external_id -> Nullable, } } diff --git a/src/db/schemas/sqlite/schema.rs b/src/db/schemas/sqlite/schema.rs index ce9c7e33..10dd3fe8 100644 --- a/src/db/schemas/sqlite/schema.rs +++ b/src/db/schemas/sqlite/schema.rs @@ -204,6 +204,7 @@ table! { client_kdf_parallelism -> Nullable, api_key -> Nullable, avatar_color -> Nullable, + external_id -> Nullable, } } From a05187c0ff8e38b5828c19906a649798b4b650af Mon Sep 17 00:00:00 2001 From: BlackDex Date: Fri, 9 Jun 2023 22:50:44 +0200 Subject: [PATCH 3/3] Some code changes and optimizations Some cleanups and optimizations done on the code generated by @Kurnihil --- src/api/core/organizations.rs | 10 +++--- src/api/core/public.rs | 59 ++++++++++++++++++++--------------- src/db/models/user.rs | 14 ++++----- 3 files changed, 44 insertions(+), 39 deletions(-) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index a71eb641..c404fbf0 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -2895,7 +2895,7 @@ async fn get_org_export(org_id: &str, headers: AdminHeaders, mut conn: DbConn) - } async fn _api_key( - org_id: String, + org_id: &str, data: JsonUpcase, rotate: bool, headers: AdminHeaders, @@ -2909,7 +2909,7 @@ async fn _api_key( err!("Invalid password") } - let org_api_key = match OrganizationApiKey::find_by_org_uuid(&org_id, &conn).await { + let org_api_key = match OrganizationApiKey::find_by_org_uuid(org_id, &conn).await { Some(mut org_api_key) => { if rotate { org_api_key.api_key = crate::crypto::generate_api_key(); @@ -2920,7 +2920,7 @@ async fn _api_key( } None => { let api_key = crate::crypto::generate_api_key(); - let new_org_api_key = OrganizationApiKey::new(org_id, api_key); + let new_org_api_key = OrganizationApiKey::new(String::from(org_id), api_key); new_org_api_key.save(&conn).await.expect("Error creating organization API Key"); new_org_api_key } @@ -2934,13 +2934,13 @@ async fn _api_key( } #[post("/organizations//api-key", data = "")] -async fn api_key(org_id: String, data: JsonUpcase, headers: AdminHeaders, conn: DbConn) -> JsonResult { +async fn api_key(org_id: &str, data: JsonUpcase, headers: AdminHeaders, conn: DbConn) -> JsonResult { _api_key(org_id, data, false, headers, conn).await } #[post("/organizations//rotate-api-key", data = "")] async fn rotate_api_key( - org_id: String, + org_id: &str, data: JsonUpcase, headers: AdminHeaders, conn: DbConn, diff --git a/src/api/core/public.rs b/src/api/core/public.rs index c8689222..b2945918 100644 --- a/src/api/core/public.rs +++ b/src/api/core/public.rs @@ -4,6 +4,8 @@ use rocket::{ Request, Route, }; +use std::collections::HashSet; + use crate::{ api::{EmptyResult, JsonUpcase}, auth, @@ -15,7 +17,7 @@ pub fn routes() -> Vec { routes![ldap_import] } -#[derive(Deserialize, Debug)] +#[derive(Deserialize)] #[allow(non_snake_case)] struct OrgImportGroupData { Name: String, @@ -23,7 +25,7 @@ struct OrgImportGroupData { MemberExternalIds: Vec, } -#[derive(Deserialize, Debug)] +#[derive(Deserialize)] #[allow(non_snake_case)] struct OrgImportUserData { Email: String, @@ -31,19 +33,20 @@ struct OrgImportUserData { Deleted: bool, } -#[derive(Deserialize, Debug)] +#[derive(Deserialize)] #[allow(non_snake_case)] struct OrgImportData { Groups: Vec, Members: Vec, OverwriteExisting: bool, - #[allow(dead_code)] - LargeImport: bool, + // LargeImport: bool, // For now this will not be used, upstream uses this to prevent syncs of more then 2000 users or groups without the flag set. } #[post("/public/organization/import", data = "")] async fn ldap_import(data: JsonUpcase, token: PublicToken, mut conn: DbConn) -> EmptyResult { - let _ = &conn; + // Most of the logic for this function can be found here + // https://github.com/bitwarden/server/blob/fd892b2ff4547648a276734fb2b14a8abae2c6f5/src/Core/Services/Implementations/OrganizationService.cs#L1797 + let org_id = token.0; let data = data.into_inner().data; @@ -114,38 +117,43 @@ async fn ldap_import(data: JsonUpcase, token: PublicToken, mut co } } - for group_data in &data.Groups { - let group_uuid = match Group::find_by_external_id(&group_data.ExternalId, &mut conn).await { - Some(group) => group.uuid, - None => { - let mut group = - Group::new(org_id.clone(), group_data.Name.clone(), false, Some(group_data.ExternalId.clone())); - group.save(&mut conn).await?; - group.uuid - } - }; + if CONFIG.org_groups_enabled() { + for group_data in &data.Groups { + let group_uuid = match Group::find_by_external_id(&group_data.ExternalId, &mut conn).await { + Some(group) => group.uuid, + None => { + let mut group = + Group::new(org_id.clone(), group_data.Name.clone(), false, Some(group_data.ExternalId.clone())); + group.save(&mut conn).await?; + group.uuid + } + }; - GroupUser::delete_all_by_group(&group_uuid, &mut conn).await?; + GroupUser::delete_all_by_group(&group_uuid, &mut conn).await?; - for ext_id in &group_data.MemberExternalIds { - if let Some(user) = User::find_by_external_id(ext_id, &mut conn).await { - if let Some(user_org) = UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &mut conn).await { - let mut group_user = GroupUser::new(group_uuid.clone(), user_org.uuid.clone()); - group_user.save(&mut conn).await?; + for ext_id in &group_data.MemberExternalIds { + if let Some(user) = User::find_by_external_id(ext_id, &mut conn).await { + if let Some(user_org) = UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &mut conn).await + { + let mut group_user = GroupUser::new(group_uuid.clone(), user_org.uuid.clone()); + group_user.save(&mut conn).await?; + } } } } + } else { + warn!("Group support is disabled, groups will not be imported!"); } // If this flag is enabled, any user that isn't provided in the Users list will be removed (by default they will be kept unless they have Deleted == true) if data.OverwriteExisting { + // Generate a HashSet to quickly verify if a member is listed or not. + let sync_members: HashSet = data.Members.into_iter().map(|m| m.ExternalId).collect(); for user_org in UserOrganization::find_by_org(&org_id, &mut conn).await { if let Some(user_external_id) = User::find_by_uuid(&user_org.user_uuid, &mut conn).await.map(|u| u.external_id) { - if user_external_id.is_some() - && !data.Members.iter().any(|u| u.ExternalId == *user_external_id.as_ref().unwrap()) - { + if user_external_id.is_some() && !sync_members.contains(&user_external_id.unwrap()) { if user_org.atype == UserOrgType::Owner && user_org.status == UserOrgStatus::Confirmed as i32 { // Removing owner, check that there is at least one other confirmed owner if UserOrganization::count_confirmed_by_org_and_type(&org_id, UserOrgType::Owner, &mut conn) @@ -165,7 +173,6 @@ async fn ldap_import(data: JsonUpcase, token: PublicToken, mut co Ok(()) } -#[derive(Debug)] pub struct PublicToken(String); #[rocket::async_trait] diff --git a/src/db/models/user.rs b/src/db/models/user.rs index a4764ada..596d2d75 100644 --- a/src/db/models/user.rs +++ b/src/db/models/user.rs @@ -157,16 +157,13 @@ impl User { pub fn set_external_id(&mut self, external_id: Option) { //Check if external id is empty. We don't want to have //empty strings in the database - match external_id { - Some(external_id) => { - if external_id.is_empty() { - self.external_id = None; - } else { - self.external_id = Some(external_id) - } + let mut ext_id: Option = None; + if let Some(external_id) = external_id { + if !external_id.is_empty() { + ext_id = Some(external_id); } - None => self.external_id = None, } + self.external_id = ext_id; } /// Set the password hash generated @@ -400,6 +397,7 @@ impl User { users::table.filter(users::external_id.eq(id)).first::(conn).ok().from_db() }} } + pub async fn get_all(conn: &mut DbConn) -> Vec { db_run! {conn: { users::table.load::(conn).expect("Error loading users").from_db()