Merge branch 'master' of github.com:dani-garcia/bitwarden_rs into 2fa_enforcement

# Conflicts: # src/db/models/org_policy.rs # src/db/models/organization.rs
2025-09-11 03:05:58 +03:00 · 2021-04-16 14:29:28 -04:00
parent 1db37bf3d0 ced7f1771a
commit 2421d49d9a
43 changed files with 592 additions and 617 deletions
--- a/src/api/core/two_factor/authenticator.rs
+++ b/src/api/core/two_factor/authenticator.rs
@@ -17,11 +17,7 @@ use crate::{
 pub use crate::config::CONFIG;

 pub fn routes() -> Vec<Route> {
-    routes![
-        generate_authenticator,
-        activate_authenticator,
-        activate_authenticator_put,
-    ]
+    routes![generate_authenticator, activate_authenticator, activate_authenticator_put,]
 }

 #[post("/two-factor/get-authenticator", data = "<data>")]
@@ -141,7 +137,7 @@ pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, ip: &Cl
    // The amount of steps back and forward in time
    // Also check if we need to disable time drifted TOTP codes.
    // If that is the case, we set the steps to 0 so only the current TOTP is valid.
-    let steps: i64 = if CONFIG.authenticator_disable_time_drift() { 0 } else { 1 };
+    let steps = !CONFIG.authenticator_disable_time_drift() as i64;

    for step in -steps..=steps {
        let time_step = current_timestamp / 30i64 + step;
@@ -163,22 +159,11 @@ pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, ip: &Cl
            twofactor.save(&conn)?;
            return Ok(());
        } else if generated == totp_code && time_step <= twofactor.last_used as i64 {
-            warn!(
-                "This or a TOTP code within {} steps back and forward has already been used!",
-                steps
-            );
-            err!(format!(
-                "Invalid TOTP code! Server time: {} IP: {}",
-                current_time.format("%F %T UTC"),
-                ip.ip
-            ));
+            warn!("This or a TOTP code within {} steps back and forward has already been used!", steps);
+            err!(format!("Invalid TOTP code! Server time: {} IP: {}", current_time.format("%F %T UTC"), ip.ip));
        }
    }

    // Else no valide code received, deny access
-    err!(format!(
-        "Invalid TOTP code! Server time: {} IP: {}",
-        current_time.format("%F %T UTC"),
-        ip.ip
-    ));
+    err!(format!("Invalid TOTP code! Server time: {} IP: {}", current_time.format("%F %T UTC"), ip.ip));
 }
--- a/src/api/core/two_factor/duo.rs
+++ b/src/api/core/two_factor/duo.rs
@@ -12,6 +12,7 @@ use crate::{
        DbConn,
    },
    error::MapResult,
+    util::get_reqwest_client,
    CONFIG,
 };

@@ -59,7 +60,11 @@ impl DuoData {
        ik.replace_range(digits.., replaced);
        sk.replace_range(digits.., replaced);

-        Self { host, ik, sk }
+        Self {
+            host,
+            ik,
+            sk,
+        }
    }
 }

@@ -185,9 +190,7 @@ fn activate_duo_put(data: JsonUpcase<EnableDuoData>, headers: Headers, conn: DbC
 }

 fn duo_api_request(method: &str, path: &str, params: &str, data: &DuoData) -> EmptyResult {
-    const AGENT: &str = "bitwarden_rs:Duo/1.0 (Rust)";
-
-    use reqwest::{blocking::Client, header::*, Method};
+    use reqwest::{header, Method};
    use std::str::FromStr;

    // https://duo.com/docs/authapi#api-details
@@ -199,11 +202,13 @@ fn duo_api_request(method: &str, path: &str, params: &str, data: &DuoData) -> Em

    let m = Method::from_str(method).unwrap_or_default();

-    Client::new()
+    let client = get_reqwest_client();
+
+    client
        .request(m, &url)
        .basic_auth(username, Some(password))
-        .header(USER_AGENT, AGENT)
-        .header(DATE, date)
+        .header(header::USER_AGENT, "bitwarden_rs:Duo/1.0 (Rust)")
+        .header(header::DATE, date)
        .send()?
        .error_for_status()?;

--- a/src/api/core/two_factor/email.rs
+++ b/src/api/core/two_factor/email.rs
@@ -125,11 +125,7 @@ fn send_email(data: JsonUpcase<SendEmailData>, headers: Headers, conn: DbConn) -
    let twofactor_data = EmailTokenData::new(data.Email, generated_token);

    // Uses EmailVerificationChallenge as type to show that it's not verified yet.
-    let twofactor = TwoFactor::new(
-        user.uuid,
-        TwoFactorType::EmailVerificationChallenge,
-        twofactor_data.to_json(),
-    );
+    let twofactor = TwoFactor::new(user.uuid, TwoFactorType::EmailVerificationChallenge, twofactor_data.to_json());
    twofactor.save(&conn)?;

    mail::send_token(&twofactor_data.email, &twofactor_data.last_token.map_res("Token is empty")?)?;
@@ -186,7 +182,8 @@ fn email(data: JsonUpcase<EmailData>, headers: Headers, conn: DbConn) -> JsonRes
 /// Validate the email code when used as TwoFactor token mechanism
 pub fn validate_email_code_str(user_uuid: &str, token: &str, data: &str, conn: &DbConn) -> EmptyResult {
    let mut email_data = EmailTokenData::from_json(&data)?;
-    let mut twofactor = TwoFactor::find_by_user_and_type(&user_uuid, TwoFactorType::Email as i32, &conn).map_res("Two factor not found")?;
+    let mut twofactor = TwoFactor::find_by_user_and_type(&user_uuid, TwoFactorType::Email as i32, &conn)
+        .map_res("Two factor not found")?;
    let issued_token = match &email_data.last_token {
        Some(t) => t,
        _ => err!("No token available"),
--- a/src/api/core/two_factor/mod.rs
+++ b/src/api/core/two_factor/mod.rs
@@ -21,13 +21,7 @@ pub mod u2f;
 pub mod yubikey;

 pub fn routes() -> Vec<Route> {
-    let mut routes = routes![
-        get_twofactor,
-        get_recover,
-        recover,
-        disable_twofactor,
-        disable_twofactor_put,
-    ];
+    let mut routes = routes![get_twofactor, get_recover, recover, disable_twofactor, disable_twofactor_put,];

    routes.append(&mut authenticator::routes());
    routes.append(&mut duo::routes());
--- a/src/api/core/two_factor/u2f.rs
+++ b/src/api/core/two_factor/u2f.rs
@@ -28,13 +28,7 @@ static APP_ID: Lazy<String> = Lazy::new(|| format!("{}/app-id.json", &CONFIG.dom
 static U2F: Lazy<U2f> = Lazy::new(|| U2f::new(APP_ID.clone()));

 pub fn routes() -> Vec<Route> {
-    routes![
-        generate_u2f,
-        generate_u2f_challenge,
-        activate_u2f,
-        activate_u2f_put,
-        delete_u2f,
-    ]
+    routes![generate_u2f, generate_u2f_challenge, activate_u2f, activate_u2f_put, delete_u2f,]
 }

 #[post("/two-factor/get-u2f", data = "<data>")]
@@ -161,10 +155,7 @@ fn activate_u2f(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn)

    let response: RegisterResponseCopy = serde_json::from_str(&data.DeviceResponse)?;

-    let error_code = response
-        .error_code
-        .clone()
-        .map_or("0".into(), NumberOrString::into_string);
+    let error_code = response.error_code.clone().map_or("0".into(), NumberOrString::into_string);

    if error_code != "0" {
        err!("Error registering U2F token")
@@ -300,20 +291,13 @@ fn _old_parse_registrations(registations: &str) -> Vec<Registration> {

    let regs: Vec<Value> = serde_json::from_str(registations).expect("Can't parse Registration data");

-    regs.into_iter()
-        .map(|r| serde_json::from_value(r).unwrap())
-        .map(|Helper(r)| r)
-        .collect()
+    regs.into_iter().map(|r| serde_json::from_value(r).unwrap()).map(|Helper(r)| r).collect()
 }

 pub fn generate_u2f_login(user_uuid: &str, conn: &DbConn) -> ApiResult<U2fSignRequest> {
    let challenge = _create_u2f_challenge(user_uuid, TwoFactorType::U2fLoginChallenge, conn);

-    let registrations: Vec<_> = get_u2f_registrations(user_uuid, conn)?
-        .1
-        .into_iter()
-        .map(|r| r.reg)
-        .collect();
+    let registrations: Vec<_> = get_u2f_registrations(user_uuid, conn)?.1.into_iter().map(|r| r.reg).collect();

    if registrations.is_empty() {
        err!("No U2F devices registered")