bitwarden_rs/src/api/core/mod.rs

mod accounts;
mod ciphers;
mod folders;
mod organizations;
pub mod two_factor;

pub fn routes() -> Vec<Route> {
    let mut mod_routes = routes![
        clear_device_token,
        put_device_token,
        get_eq_domains,
        post_eq_domains,
        put_eq_domains,
        hibp_breach,
    ];

    let mut routes = Vec::new();
    routes.append(&mut accounts::routes());
    routes.append(&mut ciphers::routes());
    routes.append(&mut folders::routes());
    routes.append(&mut organizations::routes());
    routes.append(&mut two_factor::routes());
    routes.append(&mut mod_routes);

    routes
}

//
// Move this somewhere else
//
use rocket::Route;
use rocket_contrib::json::Json;
use serde_json::Value;

use crate::{
    api::{EmptyResult, JsonResult, JsonUpcase},
    auth::Headers,
    db::DbConn,
    error::Error,
};

#[put("/devices/identifier/<uuid>/clear-token")]
fn clear_device_token(uuid: String) -> EmptyResult {
    // This endpoint doesn't have auth header

    let _ = uuid;
    // uuid is not related to deviceId

    // This only clears push token
    // https://github.com/bitwarden/core/blob/master/src/Api/Controllers/DevicesController.cs#L109
    // https://github.com/bitwarden/core/blob/master/src/Core/Services/Implementations/DeviceService.cs#L37
    Ok(())
}

#[put("/devices/identifier/<uuid>/token", data = "<data>")]
fn put_device_token(uuid: String, data: JsonUpcase<Value>, headers: Headers) -> JsonResult {
    let _data: Value = data.into_inner().data;
    // Data has a single string value "PushToken"
    let _ = uuid;
    // uuid is not related to deviceId

    // TODO: This should save the push token, but we don't have push functionality

    Ok(Json(json!({
        "Id": headers.device.uuid,
        "Name": headers.device.name,
        "Type": headers.device.atype,
        "Identifier": headers.device.uuid,
        "CreationDate": crate::util::format_date(&headers.device.created_at),
    })))
}

#[derive(Serialize, Deserialize, Debug)]
#[allow(non_snake_case)]
struct GlobalDomain {
    Type: i32,
    Domains: Vec<String>,
    Excluded: bool,
}

const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");

#[get("/settings/domains")]
fn get_eq_domains(headers: Headers) -> JsonResult {
    _get_eq_domains(headers, false)
}

fn _get_eq_domains(headers: Headers, no_excluded: bool) -> JsonResult {
    let user = headers.user;
    use serde_json::from_str;

    let equivalent_domains: Vec<Vec<String>> = from_str(&user.equivalent_domains).unwrap();
    let excluded_globals: Vec<i32> = from_str(&user.excluded_globals).unwrap();

    let mut globals: Vec<GlobalDomain> = from_str(GLOBAL_DOMAINS).unwrap();

    for global in &mut globals {
        global.Excluded = excluded_globals.contains(&global.Type);
    }

    if no_excluded {
        globals.retain(|g| !g.Excluded);
    }

    Ok(Json(json!({
        "EquivalentDomains": equivalent_domains,
        "GlobalEquivalentDomains": globals,
        "Object": "domains",
    })))
}

#[derive(Deserialize, Debug)]
#[allow(non_snake_case)]
struct EquivDomainData {
    ExcludedGlobalEquivalentDomains: Option<Vec<i32>>,
    EquivalentDomains: Option<Vec<Vec<String>>>,
}

#[post("/settings/domains", data = "<data>")]
fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {
    let data: EquivDomainData = data.into_inner().data;

    let excluded_globals = data.ExcludedGlobalEquivalentDomains.unwrap_or_default();
    let equivalent_domains = data.EquivalentDomains.unwrap_or_default();

    let mut user = headers.user;
    use serde_json::to_string;

    user.excluded_globals = to_string(&excluded_globals).unwrap_or_else(|_| "[]".to_string());
    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or_else(|_| "[]".to_string());

    user.save(&conn)?;

    Ok(Json(json!({})))
}

#[put("/settings/domains", data = "<data>")]
fn put_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {
    post_eq_domains(data, headers, conn)
}

#[get("/hibp/breach?<username>")]
fn hibp_breach(username: String) -> JsonResult {
    let user_agent = "Bitwarden_RS";
    let url = format!(
        "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false&includeUnverified=false",
        username
    );

    use reqwest::{blocking::Client, header::USER_AGENT};

    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
        let hibp_client = Client::builder().build()?;

        let res = hibp_client
            .get(&url)
            .header(USER_AGENT, user_agent)
            .header("hibp-api-key", api_key)
            .send()?;

        // If we get a 404, return a 404, it means no breached accounts
        if res.status() == 404 {
            return Err(Error::empty().with_code(404));
        }

        let value: Value = res.error_for_status()?.json()?;
        Ok(Json(value))
    } else {
        Ok(Json(json!([{
            "Name": "HaveIBeenPwned",
            "Title": "Manual HIBP Check",
            "Domain": "haveibeenpwned.com",
            "BreachDate": "2019-08-18T00:00:00Z",
            "AddedDate": "2019-08-18T00:00:00Z",
            "Description": format!("Go to: <a href=\"https://haveibeenpwned.com/account/{account}\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/account/{account}</a> for a manual check.<br/><br/>HaveIBeenPwned API key not set!<br/>Go to <a href=\"https://haveibeenpwned.com/API/Key\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/API/Key</a> to purchase an API key from HaveIBeenPwned.<br/><br/>", account=username),
            "LogoPath": "bwrs_static/hibp.png",
            "PwnCount": 0,
            "DataClasses": [
                "Error - No API key set!"
            ]
        }])))
    }
}
First working version 2018-02-10 00:00:55 +00:00			`mod accounts;`
			`mod ciphers;`
			`mod folders;`
Some initial work on organizations, nothing works yet 2018-02-17 21:30:19 +00:00			`mod organizations;`
Remove unused dependency and simple feature, update dependencies and fix some clippy lints 2020-05-03 15:24:51 +00:00			`pub mod two_factor;`
First working version 2018-02-10 00:00:55 +00:00
			`pub fn routes() -> Vec<Route> {`
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`let mut mod_routes = routes![`
First working version 2018-02-10 00:00:55 +00:00			`clear_device_token,`
			`put_device_token,`
			`get_eq_domains,`
Adding some oganization features 2018-04-20 16:35:11 +00:00			`post_eq_domains,`
Accept PUT and POST on /settings/domains, returns JsonResult, fixes saving Custom Equivalent Domains 2018-10-22 22:32:43 +00:00			`put_eq_domains,`
Implement HIBP check [WIP]. Add extra security attributes to admin cookie. Error handling. 2019-01-20 14:36:33 +00:00			`hibp_breach,`
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`];`

			`let mut routes = Vec::new();`
			`routes.append(&mut accounts::routes());`
			`routes.append(&mut ciphers::routes());`
			`routes.append(&mut folders::routes());`
			`routes.append(&mut organizations::routes());`
			`routes.append(&mut two_factor::routes());`
			`routes.append(&mut mod_routes);`
Adding some oganization features 2018-04-20 16:35:11 +00:00
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`routes`
First working version 2018-02-10 00:00:55 +00:00			`}`

Start using rustfmt and some style changes to make some lines shorter 2018-12-30 22:34:31 +00:00			`//`
			`// Move this somewhere else`
			`//`
First working version 2018-02-10 00:00:55 +00:00			`use rocket::Route;`
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`use rocket_contrib::json::Json;`
			`use serde_json::Value;`
First working version 2018-02-10 00:00:55 +00:00
Removed try_trait and some formatting, particularly around imports 2020-07-14 16:00:09 +00:00			`use crate::{`
			`api::{EmptyResult, JsonResult, JsonUpcase},`
			`auth::Headers,`
			`db::DbConn,`
			`error::Error,`
			`};`
First working version 2018-02-10 00:00:55 +00:00
Update device push token methods to more closely follow the official server response 2018-12-06 15:28:36 +00:00			`#[put("/devices/identifier/<uuid>/clear-token")]`
More changes to the push token, and filtered multipart logs 2018-12-07 17:25:18 +00:00			`fn clear_device_token(uuid: String) -> EmptyResult {`
			`// This endpoint doesn't have auth header`

			`let _ = uuid;`
			`// uuid is not related to deviceId`
Improved two factor auth 2018-06-01 13:08:03 +00:00
Update device push token methods to more closely follow the official server response 2018-12-06 15:28:36 +00:00			`// This only clears push token`
			`// https://github.com/bitwarden/core/blob/master/src/Api/Controllers/DevicesController.cs#L109`
			`// https://github.com/bitwarden/core/blob/master/src/Core/Services/Implementations/DeviceService.cs#L37`
			`Ok(())`
Detect device type correctly and shorten return types of functions 2018-02-17 19:47:13 +00:00			`}`
First working version 2018-02-10 00:00:55 +00:00
Improved two factor auth 2018-06-01 13:08:03 +00:00			`#[put("/devices/identifier/<uuid>/token", data = "<data>")]`
More changes to the push token, and filtered multipart logs 2018-12-07 17:25:18 +00:00			`fn put_device_token(uuid: String, data: JsonUpcase<Value>, headers: Headers) -> JsonResult {`
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`let _data: Value = data.into_inner().data;`
More changes to the push token, and filtered multipart logs 2018-12-07 17:25:18 +00:00			`// Data has a single string value "PushToken"`
			`let _ = uuid;`
			`// uuid is not related to deviceId`
Update device push token methods to more closely follow the official server response 2018-12-06 15:28:36 +00:00
More changes to the push token, and filtered multipart logs 2018-12-07 17:25:18 +00:00			`// TODO: This should save the push token, but we don't have push functionality`
Update device push token methods to more closely follow the official server response 2018-12-06 15:28:36 +00:00
			`Ok(Json(json!({`
More changes to the push token, and filtered multipart logs 2018-12-07 17:25:18 +00:00			`"Id": headers.device.uuid,`
			`"Name": headers.device.name,`
Fix key and type variable names for mysql 2019-05-20 19:24:29 +00:00			`"Type": headers.device.atype,`
More changes to the push token, and filtered multipart logs 2018-12-07 17:25:18 +00:00			`"Identifier": headers.device.uuid,`
			`"CreationDate": crate::util::format_date(&headers.device.created_at),`
Update device push token methods to more closely follow the official server response 2018-12-06 15:28:36 +00:00			`})))`
Detect device type correctly and shorten return types of functions 2018-02-17 19:47:13 +00:00			`}`
First working version 2018-02-10 00:00:55 +00:00
Equivalent domains 2018-02-17 22:21:04 +00:00			`#[derive(Serialize, Deserialize, Debug)]`
			`#[allow(non_snake_case)]`
			`struct GlobalDomain {`
			`Type: i32,`
			`Domains: Vec<String>,`
			`Excluded: bool,`
			`}`

Initial version of admin panel, list users and reload user list works. No serious auth method yet, password is 'token123' 2018-12-18 00:53:21 +00:00			`const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");`
Equivalent domains 2018-02-17 22:21:04 +00:00
First working version 2018-02-10 00:00:55 +00:00			`#[get("/settings/domains")]`
Added equivalent domains to /api/sync 2018-02-20 13:09:00 +00:00			`fn get_eq_domains(headers: Headers) -> JsonResult {`
Don't include excluded global equivalent domains during sync Fixes #681 2019-11-05 02:30:57 +00:00			`_get_eq_domains(headers, false)`
			`}`

			`fn _get_eq_domains(headers: Headers, no_excluded: bool) -> JsonResult {`
Equivalent domains 2018-02-17 22:21:04 +00:00			`let user = headers.user;`
			`use serde_json::from_str;`

			`let equivalent_domains: Vec<Vec<String>> = from_str(&user.equivalent_domains).unwrap();`
			`let excluded_globals: Vec<i32> = from_str(&user.excluded_globals).unwrap();`

			`let mut globals: Vec<GlobalDomain> = from_str(GLOBAL_DOMAINS).unwrap();`

			`for global in &mut globals {`
			`global.Excluded = excluded_globals.contains(&global.Type);`
			`}`

Don't include excluded global equivalent domains during sync Fixes #681 2019-11-05 02:30:57 +00:00			`if no_excluded {`
			`globals.retain(\|g\| !g.Excluded);`
			`}`

Equivalent domains 2018-02-17 22:21:04 +00:00			`Ok(Json(json!({`
			`"EquivalentDomains": equivalent_domains,`
Added equivalent domains to /api/sync 2018-02-20 13:09:00 +00:00			`"GlobalEquivalentDomains": globals,`
			`"Object": "domains",`
Equivalent domains 2018-02-17 22:21:04 +00:00			`})))`
First working version 2018-02-10 00:00:55 +00:00			`}`

Fixed cipher import, created missing data structs instead of using generic Value, and fixed some warnings 2018-02-22 23:38:54 +00:00			`#[derive(Deserialize, Debug)]`
			`#[allow(non_snake_case)]`
			`struct EquivDomainData {`
			`ExcludedGlobalEquivalentDomains: Option<Vec<i32>>,`
			`EquivalentDomains: Option<Vec<Vec<String>>>,`
			`}`

Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00			`#[post("/settings/domains", data = "<data>")]`
Accept PUT and POST on /settings/domains, returns JsonResult, fixes saving Custom Equivalent Domains 2018-10-22 22:32:43 +00:00			`fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {`
Make sure the inputs are always in the same case (PascalCase, which is what upstream seems to prefer most of the time) 2018-05-31 22:18:50 +00:00			`let data: EquivDomainData = data.into_inner().data;`
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00
Some style changes, removed useless matches and formats 2018-06-11 13:44:37 +00:00			`let excluded_globals = data.ExcludedGlobalEquivalentDomains.unwrap_or_default();`
			`let equivalent_domains = data.EquivalentDomains.unwrap_or_default();`
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00
Equivalent domains 2018-02-17 22:21:04 +00:00			`let mut user = headers.user;`
			`use serde_json::to_string;`
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00
Fixed some clippy lints and changed update_uuid_revision to only use one db query 2019-02-08 17:45:07 +00:00			`user.excluded_globals = to_string(&excluded_globals).unwrap_or_else(\|_\| "[]".to_string());`
			`user.equivalent_domains = to_string(&equivalent_domains).unwrap_or_else(\|_\| "[]".to_string());`
Equivalent domains 2018-02-17 22:21:04 +00:00
Implemented proper error handling, now we can do `user.save($conn)?;` and it works. In the future, maybe we can do the same with the `find_by_id` methods that return an Option. 2018-12-19 20:52:53 +00:00			`user.save(&conn)?;`

			`Ok(Json(json!({})))`
First working version 2018-02-10 00:00:55 +00:00			`}`
Accept PUT and POST on /settings/domains, returns JsonResult, fixes saving Custom Equivalent Domains 2018-10-22 22:32:43 +00:00
			`#[put("/settings/domains", data = "<data>")]`
			`fn put_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {`
			`post_eq_domains(data, headers, conn)`
			`}`
Implement HIBP check [WIP]. Add extra security attributes to admin cookie. Error handling. 2019-01-20 14:36:33 +00:00
			`#[get("/hibp/breach?<username>")]`
			`fn hibp_breach(username: String) -> JsonResult {`
			`let user_agent = "Bitwarden_RS";`
Update HIBP to v3, requires paid API key, fixes #583 2019-08-20 18:07:12 +00:00			`let url = format!(`
			`"https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false&includeUnverified=false",`
			`username`
			`);`
Implement HIBP check [WIP]. Add extra security attributes to admin cookie. Error handling. 2019-01-20 14:36:33 +00:00
Removed try_trait and some formatting, particularly around imports 2020-07-14 16:00:09 +00:00			`use reqwest::{blocking::Client, header::USER_AGENT};`
Implement HIBP check [WIP]. Add extra security attributes to admin cookie. Error handling. 2019-01-20 14:36:33 +00:00
Update HIBP to v3, requires paid API key, fixes #583 2019-08-20 18:07:12 +00:00			`if let Some(api_key) = crate::CONFIG.hibp_api_key() {`
Updated reqwest to the latest version. - Use the blocking client (no async). - Disabled gzip. - use_sys_proxy is now default. 2020-03-14 22:12:45 +00:00			`let hibp_client = Client::builder().build()?;`
Some modification when no HIBP API Key is set - Added an URL with the useraccount for manual check. - Added support for HTTP(S)_PROXY for hibp. 2019-10-08 19:39:11 +00:00
Formatting 2019-12-27 17:37:14 +00:00			`let res = hibp_client`
			`.get(&url)`
Update HIBP to v3, requires paid API key, fixes #583 2019-08-20 18:07:12 +00:00			`.header(USER_AGENT, user_agent)`
			`.header("hibp-api-key", api_key)`
			`.send()?;`

			`// If we get a 404, return a 404, it means no breached accounts`
			`if res.status() == 404 {`
			`return Err(Error::empty().with_code(404));`
			`}`

			`let value: Value = res.error_for_status()?.json()?;`
			`Ok(Json(value))`
			`} else {`
			`Ok(Json(json!([{`
Some modification when no HIBP API Key is set - Added an URL with the useraccount for manual check. - Added support for HTTP(S)_PROXY for hibp. 2019-10-08 19:39:11 +00:00			`"Name": "HaveIBeenPwned",`
Changed HIBP Error message. - Moved the manual link to the check to the top. - Clearified that hibp is a payed service. - Changed error logo to hibp logo. 2019-10-08 20:29:12 +00:00			`"Title": "Manual HIBP Check",`
Some modification when no HIBP API Key is set - Added an URL with the useraccount for manual check. - Added support for HTTP(S)_PROXY for hibp. 2019-10-08 19:39:11 +00:00			`"Domain": "haveibeenpwned.com",`
			`"BreachDate": "2019-08-18T00:00:00Z",`
			`"AddedDate": "2019-08-18T00:00:00Z",`
Changed HIBP Error message. - Moved the manual link to the check to the top. - Clearified that hibp is a payed service. - Changed error logo to hibp logo. 2019-10-08 20:29:12 +00:00			`"Description": format!("Go to: <a href=\"https://haveibeenpwned.com/account/{account}\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/account/{account}</a> for a manual check.<br/><br/>HaveIBeenPwned API key not set!<br/>Go to <a href=\"https://haveibeenpwned.com/API/Key\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/API/Key</a> to purchase an API key from HaveIBeenPwned.<br/><br/>", account=username),`
Add backend support for alternate base dir (subdir/subpath) hosting To use this, include a path in the `DOMAIN` URL, e.g.: * `DOMAIN=https://example.com/custom-path` * `DOMAIN=https://example.com/multiple/levels/are/ok` 2020-02-19 05:27:00 +00:00			`"LogoPath": "bwrs_static/hibp.png",`
Some modification when no HIBP API Key is set - Added an URL with the useraccount for manual check. - Added support for HTTP(S)_PROXY for hibp. 2019-10-08 19:39:11 +00:00			`"PwnCount": 0,`
			`"DataClasses": [`
Changed HIBP Error message. - Moved the manual link to the check to the top. - Clearified that hibp is a payed service. - Changed error logo to hibp logo. 2019-10-08 20:29:12 +00:00			`"Error - No API key set!"`
Some modification when no HIBP API Key is set - Added an URL with the useraccount for manual check. - Added support for HTTP(S)_PROXY for hibp. 2019-10-08 19:39:11 +00:00			`]`
Update HIBP to v3, requires paid API key, fixes #583 2019-08-20 18:07:12 +00:00			`}])))`
Allow changing error codes and create an empty error. Return 404 instead of 400 when no accounts breached. 2019-03-13 23:17:36 +00:00			`}`
Implement HIBP check [WIP]. Add extra security attributes to admin cookie. Error handling. 2019-01-20 14:36:33 +00:00			`}`