mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 16:00:02 +02:00 
			
		
		
		
	Implemented key rotation with the latest vault
This commit is contained in:
		| @@ -1,15 +1,15 @@ | |||||||
| use rocket_contrib::json::Json; | use rocket_contrib::json::Json; | ||||||
|  |  | ||||||
| use db::DbConn; |  | ||||||
| use db::models::*; | use db::models::*; | ||||||
|  | use db::DbConn; | ||||||
|  |  | ||||||
| use api::{PasswordData, JsonResult, EmptyResult, JsonUpcase, NumberOrString}; | use api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers}; | ||||||
| use auth::Headers; | use auth::Headers; | ||||||
| use mail; | use mail; | ||||||
|  |  | ||||||
| use CONFIG; | use CONFIG; | ||||||
|  |  | ||||||
| use rocket::Route; | use rocket::{Route, State}; | ||||||
|  |  | ||||||
| pub fn routes() -> Vec<Route> { | pub fn routes() -> Vec<Route> { | ||||||
|     routes![ |     routes![ | ||||||
| @@ -21,6 +21,7 @@ pub fn routes() -> Vec<Route> { | |||||||
|         post_keys, |         post_keys, | ||||||
|         post_password, |         post_password, | ||||||
|         post_kdf, |         post_kdf, | ||||||
|  |         post_rotatekey, | ||||||
|         post_sstamp, |         post_sstamp, | ||||||
|         post_email_token, |         post_email_token, | ||||||
|         post_email, |         post_email, | ||||||
| @@ -56,23 +57,22 @@ struct KeysData { | |||||||
| fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult { | fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult { | ||||||
|     let data: RegisterData = data.into_inner().data; |     let data: RegisterData = data.into_inner().data; | ||||||
|  |  | ||||||
|  |  | ||||||
|     let mut user = match User::find_by_mail(&data.Email, &conn) { |     let mut user = match User::find_by_mail(&data.Email, &conn) { | ||||||
|         Some(mut user) => { |         Some(user) => { | ||||||
|             if Invitation::take(&data.Email, &conn) { |             if Invitation::take(&data.Email, &conn) { | ||||||
|                 for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { |                 for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { | ||||||
|                     user_org.status = UserOrgStatus::Accepted as i32; |                     user_org.status = UserOrgStatus::Accepted as i32; | ||||||
|                     if user_org.save(&conn).is_err() { |                     if user_org.save(&conn).is_err() { | ||||||
|                         err!("Failed to accept user to organization") |                         err!("Failed to accept user to organization") | ||||||
|                     } |                     } | ||||||
|                 }; |                 } | ||||||
|                 user |                 user | ||||||
|             } else if CONFIG.signups_allowed { |             } else if CONFIG.signups_allowed { | ||||||
|                  err!("Account with this email already exists") |                 err!("Account with this email already exists") | ||||||
|             } else { |             } else { | ||||||
|                  err!("Registration not allowed") |                 err!("Registration not allowed") | ||||||
|             } |             } | ||||||
|         }, |         } | ||||||
|         None => { |         None => { | ||||||
|             if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) { |             if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) { | ||||||
|                 User::new(data.Email) |                 User::new(data.Email) | ||||||
| @@ -109,7 +109,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult { | |||||||
|  |  | ||||||
|     match user.save(&conn) { |     match user.save(&conn) { | ||||||
|         Ok(()) => Ok(()), |         Ok(()) => Ok(()), | ||||||
|         Err(_) => err!("Failed to save user") |         Err(_) => err!("Failed to save user"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -122,7 +122,7 @@ fn profile(headers: Headers, conn: DbConn) -> JsonResult { | |||||||
| #[allow(non_snake_case)] | #[allow(non_snake_case)] | ||||||
| struct ProfileData { | struct ProfileData { | ||||||
|     #[serde(rename = "Culture")] |     #[serde(rename = "Culture")] | ||||||
|     _Culture: String,  // Ignored, always use en-US |     _Culture: String, // Ignored, always use en-US | ||||||
|     MasterPasswordHint: Option<String>, |     MasterPasswordHint: Option<String>, | ||||||
|     Name: String, |     Name: String, | ||||||
| } | } | ||||||
| @@ -145,7 +145,7 @@ fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) - | |||||||
|     }; |     }; | ||||||
|     match user.save(&conn) { |     match user.save(&conn) { | ||||||
|         Ok(()) => Ok(Json(user.to_json(&conn))), |         Ok(()) => Ok(Json(user.to_json(&conn))), | ||||||
|         Err(_) => err!("Failed to save user profile") |         Err(_) => err!("Failed to save user profile"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -153,7 +153,7 @@ fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) - | |||||||
| fn get_public_keys(uuid: String, _headers: Headers, conn: DbConn) -> JsonResult { | fn get_public_keys(uuid: String, _headers: Headers, conn: DbConn) -> JsonResult { | ||||||
|     let user = match User::find_by_uuid(&uuid, &conn) { |     let user = match User::find_by_uuid(&uuid, &conn) { | ||||||
|         Some(user) => user, |         Some(user) => user, | ||||||
|         None => err!("User doesn't exist") |         None => err!("User doesn't exist"), | ||||||
|     }; |     }; | ||||||
|  |  | ||||||
|     Ok(Json(json!({ |     Ok(Json(json!({ | ||||||
| @@ -174,12 +174,10 @@ fn post_keys(data: JsonUpcase<KeysData>, headers: Headers, conn: DbConn) -> Json | |||||||
|  |  | ||||||
|     match user.save(&conn) { |     match user.save(&conn) { | ||||||
|         Ok(()) => Ok(Json(user.to_json(&conn))), |         Ok(()) => Ok(Json(user.to_json(&conn))), | ||||||
|         Err(_) => err!("Failed to save the user's keys") |         Err(_) => err!("Failed to save the user's keys"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
|      |  | ||||||
|  |  | ||||||
| #[derive(Deserialize)] | #[derive(Deserialize)] | ||||||
| #[allow(non_snake_case)] | #[allow(non_snake_case)] | ||||||
| struct ChangePassData { | struct ChangePassData { | ||||||
| @@ -201,7 +199,7 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon | |||||||
|     user.key = data.Key; |     user.key = data.Key; | ||||||
|     match user.save(&conn) { |     match user.save(&conn) { | ||||||
|         Ok(()) => Ok(()), |         Ok(()) => Ok(()), | ||||||
|         Err(_) => err!("Failed to save password") |         Err(_) => err!("Failed to save password"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -231,10 +229,86 @@ fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) -> | |||||||
|     user.key = data.Key; |     user.key = data.Key; | ||||||
|     match user.save(&conn) { |     match user.save(&conn) { | ||||||
|         Ok(()) => Ok(()), |         Ok(()) => Ok(()), | ||||||
|         Err(_) => err!("Failed to save password settings") |         Err(_) => err!("Failed to save password settings"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
|  | #[derive(Deserialize)] | ||||||
|  | #[allow(non_snake_case)] | ||||||
|  | struct UpdateFolderData { | ||||||
|  |     Id: String, | ||||||
|  |     Name: String, | ||||||
|  | } | ||||||
|  |  | ||||||
|  | use super::ciphers::CipherData; | ||||||
|  |  | ||||||
|  | #[derive(Deserialize)] | ||||||
|  | #[allow(non_snake_case)] | ||||||
|  | struct KeyData { | ||||||
|  |     Ciphers: Vec<CipherData>, | ||||||
|  |     Folders: Vec<UpdateFolderData>, | ||||||
|  |     Key: String, | ||||||
|  |     PrivateKey: String, | ||||||
|  |     MasterPasswordHash: String, | ||||||
|  | } | ||||||
|  |  | ||||||
|  | #[post("/accounts/key", data = "<data>")] | ||||||
|  | fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult { | ||||||
|  |     let data: KeyData = data.into_inner().data; | ||||||
|  |  | ||||||
|  |     if !headers.user.check_valid_password(&data.MasterPasswordHash) { | ||||||
|  |         err!("Invalid password") | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     let user_uuid = &headers.user.uuid; | ||||||
|  |  | ||||||
|  |     // Update folder data | ||||||
|  |     for folder_data in data.Folders { | ||||||
|  |         let mut saved_folder = match Folder::find_by_uuid(&folder_data.Id, &conn) { | ||||||
|  |             Some(folder) => folder, | ||||||
|  |             None => err!("Folder doesn't exist"), | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         if &saved_folder.user_uuid != user_uuid { | ||||||
|  |             err!("The folder is not owned by the user") | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         saved_folder.name = folder_data.Name; | ||||||
|  |         if saved_folder.save(&conn).is_err() { | ||||||
|  |             err!("Failed to save folder") | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     // Update cipher data | ||||||
|  |     use super::ciphers::update_cipher_from_data; | ||||||
|  |  | ||||||
|  |     for cipher_data in data.Ciphers { | ||||||
|  |         let mut saved_cipher = match Cipher::find_by_uuid(cipher_data.Id.as_ref().unwrap(), &conn) { | ||||||
|  |             Some(cipher) => cipher, | ||||||
|  |             None => err!("Cipher doesn't exist"), | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid { | ||||||
|  |             err!("The cipher is not owned by the user") | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &conn, &ws, UpdateType::SyncCipherUpdate)? | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     // Update user data | ||||||
|  |     let mut user = headers.user; | ||||||
|  |  | ||||||
|  |     user.key = data.Key; | ||||||
|  |     user.private_key = Some(data.PrivateKey); | ||||||
|  |     user.reset_security_stamp(); | ||||||
|  |  | ||||||
|  |     if user.save(&conn).is_err() { | ||||||
|  |         err!("Failed modify user key"); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     Ok(()) | ||||||
|  | } | ||||||
|  |  | ||||||
| #[post("/accounts/security-stamp", data = "<data>")] | #[post("/accounts/security-stamp", data = "<data>")] | ||||||
| fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult { | fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult { | ||||||
|     let data: PasswordData = data.into_inner().data; |     let data: PasswordData = data.into_inner().data; | ||||||
| @@ -247,7 +321,7 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) - | |||||||
|     user.reset_security_stamp(); |     user.reset_security_stamp(); | ||||||
|     match user.save(&conn) { |     match user.save(&conn) { | ||||||
|         Ok(()) => Ok(()), |         Ok(()) => Ok(()), | ||||||
|         Err(_) => err!("Failed to reset security stamp") |         Err(_) => err!("Failed to reset security stamp"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -305,7 +379,7 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn) | |||||||
|  |  | ||||||
|     match user.save(&conn) { |     match user.save(&conn) { | ||||||
|         Ok(()) => Ok(()), |         Ok(()) => Ok(()), | ||||||
|         Err(_) => err!("Failed to save email address") |         Err(_) => err!("Failed to save email address"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -325,7 +399,7 @@ fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn | |||||||
|  |  | ||||||
|     match user.delete(&conn) { |     match user.delete(&conn) { | ||||||
|         Ok(()) => Ok(()), |         Ok(()) => Ok(()), | ||||||
|         Err(_) => err!("Failed deleting user account, are you the only owner of some organization?") |         Err(_) => err!("Failed deleting user account, are you the only owner of some organization?"), | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -136,7 +136,7 @@ fn get_cipher_details(uuid: String, headers: Headers, conn: DbConn) -> JsonResul | |||||||
| #[allow(non_snake_case)] | #[allow(non_snake_case)] | ||||||
| pub struct CipherData { | pub struct CipherData { | ||||||
|     // Id is optional as it is included only in bulk share |     // Id is optional as it is included only in bulk share | ||||||
|     Id: Option<String>, |     pub Id: Option<String>, | ||||||
|     // Folder id is not included in import |     // Folder id is not included in import | ||||||
|     FolderId: Option<String>, |     FolderId: Option<String>, | ||||||
|     // TODO: Some of these might appear all the time, no need for Option |     // TODO: Some of these might appear all the time, no need for Option | ||||||
|   | |||||||
| @@ -97,7 +97,6 @@ impl User { | |||||||
|         self.password_hash = crypto::hash_password(password.as_bytes(), |         self.password_hash = crypto::hash_password(password.as_bytes(), | ||||||
|                                                    &self.salt, |                                                    &self.salt, | ||||||
|                                                    self.password_iterations as u32); |                                                    self.password_iterations as u32); | ||||||
|         self.reset_security_stamp(); |  | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     pub fn reset_security_stamp(&mut self) { |     pub fn reset_security_stamp(&mut self) { | ||||||
|   | |||||||
| @@ -1,4 +1,4 @@ | |||||||
| #![feature(proc_macro_hygiene, decl_macro, custom_derive, vec_remove_item, try_trait)] | #![feature(proc_macro_hygiene, decl_macro, custom_derive, vec_remove_item, try_trait, nll)] | ||||||
| #![recursion_limit="128"] | #![recursion_limit="128"] | ||||||
| #![allow(proc_macro_derive_resolution_fallback)] // TODO: Remove this when diesel update fixes warnings | #![allow(proc_macro_derive_resolution_fallback)] // TODO: Remove this when diesel update fixes warnings | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user