Merge pull request #1087 from jjlin/org-creation-users

Add support for restricting org creation to certain users

.env.template

@@ -118,6 +118,14 @@
 ## even if SIGNUPS_ALLOWED is set to false
 # SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
 
+## Controls which users can create new orgs.
+## Blank or 'all' means all users can create orgs (this is the default):
+# ORG_CREATION_USERS=
+## 'none' means no users can create orgs:
+# ORG_CREATION_USERS=none
+## A comma-separated list means only those users can create orgs:
+# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+
 ## Token for the admin interface, preferably use a long random string
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled

hooks/push

@@ -36,6 +36,21 @@ if [[ "${DOCKER_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then
         manifest_lists+=(${DOCKER_REPO}:alpine)
     else
         manifest_lists+=(${DOCKER_REPO}:latest)
+
+        # Add an extra `latest-arm32v6` tag; Docker can't seem to properly
+        # auto-select that image on Armv6 platforms like Raspberry Pi 1 and Zero
+        # (https://github.com/moby/moby/issues/41017).
+        #
+        # Add this tag only for the SQLite image, as the MySQL and PostgreSQL
+        # builds don't currently work on non-amd64 arches.
+        #
+        # TODO: Also add an `alpine-arm32v6` tag if multi-arch support for
+        # Alpine-based bitwarden_rs images is implemented before this Docker
+        # issue is fixed.
+        if [[ ${DOCKER_REPO} == *server ]]; then
+            docker tag "${DOCKER_REPO}:${DOCKER_TAG}-arm32v6" "${DOCKER_REPO}:latest-arm32v6"
+            docker push "${DOCKER_REPO}:latest-arm32v6"
+        fi
     fi
 fi
 

src/api/core/ciphers.rs

@@ -999,11 +999,12 @@ fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, soft_del
     if soft_delete {
         cipher.deleted_at = Some(chrono::Utc::now().naive_utc());
         cipher.save(&conn)?;
+        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
     } else {
         cipher.delete(&conn)?;
+        nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(&conn));
     }
 
-    nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(&conn));
     Ok(())
 }
 

src/api/core/organizations.rs

@@ -76,6 +76,10 @@ struct NewCollectionData {
 
 #[post("/organizations", data = "<data>")]
 fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn) -> JsonResult {
+    if !CONFIG.is_org_creation_allowed(&headers.user.email) {
+        err!("User not allowed to create organizations")
+    }
+
     let data: OrgData = data.into_inner().data;
 
     let org = Organization::new(data.Name, data.BillingEmail);

src/api/identity.rs

@@ -68,6 +68,11 @@ fn _refresh_login(data: ConnectData, conn: DbConn) -> JsonResult {
         "refresh_token": device.refresh_token,
         "Key": user.akey,
         "PrivateKey": user.private_key,
+
+        "Kdf": user.client_kdf_type,
+        "KdfIterations": user.client_kdf_iter,
+        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
+        "scope": "api offline_access"
     })))
 }
 
@@ -156,6 +161,11 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult
         "Key": user.akey,
         "PrivateKey": user.private_key,
         //"TwoFactorToken": "11122233333444555666777888999"
+        
+        "Kdf": user.client_kdf_type,
+        "KdfIterations": user.client_kdf_iter,
+        "ResetMasterPassword": false,// TODO: Same as above
+        "scope": "api offline_access"
     });
 
     if let Some(token) = twofactor_token {

src/config.rs

@@ -115,6 +115,7 @@ macro_rules! make_config {
                 config.domain_set = _domain_set;
 
                 config.signups_domains_whitelist = config.signups_domains_whitelist.trim().to_lowercase();
+                config.org_creation_users = config.org_creation_users.trim().to_lowercase();
 
                 config
             }
@@ -276,6 +277,9 @@ make_config! {
         signups_verify_resend_limit: u32, true, def,    6;
         /// Email domain whitelist |> Allow signups only from this list of comma-separated domains, even when signups are otherwise disabled
         signups_domains_whitelist: String, true, def,   "".to_string();
+        /// Org creation users |> Allow org creation only by this list of comma-separated user emails.
+        /// Blank or 'all' means all users can create orgs; 'none' means no users can create orgs.
+        org_creation_users:     String, true,   def,    "".to_string();
         /// Allow invitations |> Controls whether users can be invited by organization admins, even when signups are otherwise disabled
         invitations_allowed:    bool,   true,   def,    true;
         /// Password iterations |> Number of server-side passwords hashing iterations.
@@ -442,6 +446,13 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         err!("`SIGNUPS_DOMAINS_WHITELIST` contains empty tokens");
     }
 
+    let org_creation_users = cfg.org_creation_users.trim().to_lowercase();
+    if !(org_creation_users.is_empty() || org_creation_users == "all" || org_creation_users == "none") {
+        if org_creation_users.split(',').any(|u| !u.contains('@')) {
+            err!("`ORG_CREATION_USERS` contains invalid email addresses");
+        }
+    }
+
     if let Some(ref token) = cfg.admin_token {
         if token.trim().is_empty() && !cfg.disable_admin_token {
             println!("[WARNING] `ADMIN_TOKEN` is enabled but has an empty value, so the admin page will be disabled.");
@@ -592,6 +603,19 @@ impl Config {
         }
     }
 
+    /// Tests whether the specified user is allowed to create an organization.
+    pub fn is_org_creation_allowed(&self, email: &str) -> bool {
+        let users = self.org_creation_users();
+        if users == "" || users == "all" {
+            true
+        } else if users == "none" {
+            false
+        } else {
+            let email = email.to_lowercase();
+            users.split(',').any(|u| u.trim() == email)
+        }
+    }
+
     pub fn delete_user_config(&self) -> Result<(), Error> {
         crate::util::delete_file(&CONFIG_FILE)?;
 

src/static/global_domains.json

@@ -39,8 +39,7 @@
     "Type": 1,
     "Domains": [
       "apple.com",
-      "icloud.com",
-      "tv.apple.com"
+      "icloud.com"
     ],
     "Excluded": false
   },
@@ -106,6 +105,7 @@
       "passport.net",
       "windows.com",
       "microsoftonline.com",
+      "office.com",
       "office365.com",
       "microsoftstore.com",
       "xbox.com",
@@ -193,7 +193,12 @@
       "amazon.it",
       "amazon.com.au",
       "amazon.co.nz",
-      "amazon.in"
+      "amazon.in",
+      "amazon.com.mx",
+      "amazon.nl",
+      "amazon.sg",
+      "amazon.com.tr",
+      "amazon.ae"
     ],
     "Excluded": false
   },
@@ -386,8 +391,7 @@
       "alibaba.com",
       "aliexpress.com",
       "aliyun.com",
-      "net.cn",
-      "www.net.cn"
+      "net.cn"
     ],
     "Excluded": false
   },
@@ -717,41 +721,27 @@
       "eventbrite.ca",
       "eventbrite.ch",
       "eventbrite.cl",
-      "eventbrite.co.id",
-      "eventbrite.co.in",
-      "eventbrite.co.kr",
+      "eventbrite.co",
       "eventbrite.co.nz",
       "eventbrite.co.uk",
-      "eventbrite.co.ve",
       "eventbrite.com",
+      "eventbrite.com.ar",
       "eventbrite.com.au",
-      "eventbrite.com.bo",
       "eventbrite.com.br",
-      "eventbrite.com.co",
-      "eventbrite.com.hk",
-      "eventbrite.com.hn",
+      "eventbrite.com.mx",
       "eventbrite.com.pe",
-      "eventbrite.com.sg",
-      "eventbrite.com.tr",
-      "eventbrite.com.tw",
-      "eventbrite.cz",
       "eventbrite.de",
       "eventbrite.dk",
+      "eventbrite.es",
       "eventbrite.fi",
       "eventbrite.fr",
-      "eventbrite.gy",
-      "eventbrite.hu",
+      "eventbrite.hk",
       "eventbrite.ie",
-      "eventbrite.is",
       "eventbrite.it",
-      "eventbrite.jp",
-      "eventbrite.mx",
       "eventbrite.nl",
-      "eventbrite.no",
-      "eventbrite.pl",
       "eventbrite.pt",
-      "eventbrite.ru",
-      "eventbrite.se"
+      "eventbrite.se",
+      "eventbrite.sg"
     ],
     "Excluded": false
   },
@@ -769,15 +759,6 @@
   },
   {
     "Type": 75,
-    "Domains": [
-      "netcup.de",
-      "netcup.eu",
-      "customercontrolpanel.de"
-    ],
-    "Excluded": false
-  },
-  {
-    "Type": 76,
     "Domains": [
       "docusign.com",
       "docusign.net"
@@ -785,7 +766,7 @@
     "Excluded": false
   },
   {
-    "Type": 77,
+    "Type": 76,
     "Domains": [
       "envato.com",
       "themeforest.net",
@@ -799,7 +780,7 @@
     "Excluded": false
   },
   {
-    "Type": 78,
+    "Type": 77,
     "Domains": [
       "x10hosting.com",
       "x10premium.com"
@@ -807,7 +788,7 @@
     "Excluded": false
   },
   {
-    "Type": 79,
+    "Type": 78,
     "Domains": [
       "dnsomatic.com",
       "opendns.com",
@@ -816,7 +797,7 @@
     "Excluded": false
   },
   {
-    "Type": 80,
+    "Type": 79,
     "Domains": [
       "cagreatamerica.com",
       "canadaswonderland.com",
@@ -835,11 +816,19 @@
     "Excluded": false
   },
   {
-    "Type": 81,
+    "Type": 80,
     "Domains": [
       "ubnt.com",
       "ui.com"
     ],
     "Excluded": false
+  },
+  {
+    "Type": 81,
+    "Domains": [
+      "discordapp.com",
+      "discord.com"
+    ],
+    "Excluded": false
   }
-]
+]

tools/global_domains.py

@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+#
+# This script generates a global equivalent domains JSON file from
+# the upstream Bitwarden source repo.
+#
+import json
+import re
+import sys
+import urllib.request
+
+from collections import OrderedDict
+
+if len(sys.argv) != 2:
+    print("usage: %s <OUTPUT-FILE>" % sys.argv[0])
+    print()
+    print("This script generates a global equivalent domains JSON file from")
+    print("the upstream Bitwarden source repo.")
+    sys.exit(1)
+
+OUTPUT_FILE = sys.argv[1]
+
+BASE_URL = 'https://github.com/bitwarden/server/raw/master'
+ENUMS_URL = '%s/src/Core/Enums/GlobalEquivalentDomainsType.cs' % BASE_URL
+DOMAIN_LISTS_URL = '%s/src/Core/Utilities/StaticStore.cs' % BASE_URL
+
+# Enum lines look like:
+#
+#   EnumName0 = 0,
+#   EnumName1 = 1,
+#
+ENUM_RE = re.compile(
+    r'\s*'             # Leading whitespace (optional).
+    r'([_0-9a-zA-Z]+)' # Enum name (capture group 1).
+    r'\s*=\s*'         # '=' with optional surrounding whitespace.
+    r'([0-9]+)'        # Enum value (capture group 2).
+)
+
+# Global domains lines look like:
+#
+#   GlobalDomains.Add(GlobalEquivalentDomainsType.EnumName, new List<string> { "x.com", "y.com" });
+#
+DOMAIN_LIST_RE = re.compile(
+    r'\s*'             # Leading whitespace (optional).
+    r'GlobalDomains\.Add\(GlobalEquivalentDomainsType\.'
+    r'([_0-9a-zA-Z]+)' # Enum name (capture group 1).
+    r'\s*,\s*new List<string>\s*{'
+    r'([^}]+)'         # Domain list (capture group 2).
+    r'}\);'
+)
+
+enums = dict()
+domain_lists = OrderedDict()
+
+# Read in the enum names and values.
+with urllib.request.urlopen(ENUMS_URL) as response:
+    for ln in response.read().decode('utf-8').split('\n'):
+        m = ENUM_RE.match(ln)
+        if m:
+            enums[m.group(1)] = int(m.group(2))
+
+# Read in the domain lists.
+with urllib.request.urlopen(DOMAIN_LISTS_URL) as response:
+    for ln in response.read().decode('utf-8').split('\n'):
+        m = DOMAIN_LIST_RE.match(ln)
+        if m:
+            # Strip double quotes and extraneous spaces in each domain.
+            domain_lists[m.group(1)] = [d.strip(' "') for d in m.group(2).split(",")]
+
+# Build the global domains data structure.
+global_domains = []
+for name, domain_list in domain_lists.items():
+    entry = OrderedDict()
+    entry["Type"] = enums[name]
+    entry["Domains"] = domain_list
+    entry["Excluded"] = False
+    global_domains.append(entry)
+
+# Write out the global domains JSON file.
+with open(OUTPUT_FILE, 'w') as f:
+    json.dump(global_domains, f, indent=2)