From 680f5e83d802e69b5ee890fd9be42d745a0cd43c Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Fri, 14 Dec 2018 21:52:16 -0500 Subject: [PATCH 01/10] Add Invite JWT struct and supporting functions --- src/auth.rs | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/src/auth.rs b/src/auth.rs index 6f35143..57c13e8 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result { } } +pub fn decode_invite_jwt(token: &str) -> Result { + let validation = jsonwebtoken::Validation { + leeway: 30, // 30 seconds + validate_exp: true, + validate_iat: false, // IssuedAt is the same as NotBefore + validate_nbf: true, + aud: None, + iss: Some(JWT_ISSUER.clone()), + sub: None, + algorithms: vec![JWT_ALGORITHM], + }; + + match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) { + Ok(decoded) => Ok(decoded.claims), + Err(msg) => { + error!("Error validating jwt - {:#?}", msg); + Err(msg.to_string()) + } + } +} + #[derive(Debug, Serialize, Deserialize)] pub struct JWTClaims { // Not before @@ -87,6 +108,20 @@ pub struct JWTClaims { pub amr: Vec, } +#[derive(Debug, Serialize, Deserialize)] +pub struct InviteJWTClaims { + // Not before + pub nbf: i64, + // Expiration time + pub exp: i64, + // Issuer + pub iss: String, + // Subject + pub sub: String, + + pub email: String, +} + /// /// Bearer token authentication /// From e2907f4250b41ffcb00135ecc6b96e3c58d21ff4 Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Fri, 14 Dec 2018 21:54:03 -0500 Subject: [PATCH 02/10] Add invite email functionality --- src/mail.rs | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/src/mail.rs b/src/mail.rs index 8a64c24..2c62006 100644 --- a/src/mail.rs +++ b/src/mail.rs @@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials; use lettre_email::EmailBuilder; use crate::MailConfig; +use crate::CONFIG; fn mailer(config: &MailConfig) -> SmtpTransport { let client_security = if config.smtp_ssl { @@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option, config: &MailConf .map_err(|e| e.to_string()) .and(Ok(())) } + +pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> { + let (subject, body) = { + (format!("Join {}", &org_name), + format!( + " +

You have been invited to join the {} organization.

+ Click here to join

+

If you do not wish to join this organization, you can safely ignore this email.

+ ", + org_name, CONFIG.domain, org_id, org_user_id, token + )) + }; + + let email = EmailBuilder::new() + .to(address) + .from((config.smtp_from.clone(), "Bitwarden-rs")) + .subject(subject) + .header(("Content-Type", "text/html")) + .body(body) + .build() + .map_err(|e| e.to_string())?; + + mailer(config) + .send(email.into()) + .map_err(|e| e.to_string()) + .and(Ok(())) +} \ No newline at end of file From d428120ec645ad5089833b405c2ee73d094e0e37 Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Fri, 14 Dec 2018 21:54:44 -0500 Subject: [PATCH 03/10] Add email_invitations config option --- src/main.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main.rs b/src/main.rs index 963f82f..001f828 100644 --- a/src/main.rs +++ b/src/main.rs @@ -271,6 +271,7 @@ pub struct Config { local_icon_extractor: bool, signups_allowed: bool, invitations_allowed: bool, + email_invitations: bool, server_admin_email: Option, password_iterations: i32, show_password_hint: bool, @@ -321,6 +322,7 @@ impl Config { signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), server_admin_email: get_env("SERVER_ADMIN_EMAIL"), invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), + email_invitations: get_env_or("EMAIL_INVITATIONS", false), password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), From 4910b14d57b173c23a893fe778e1c24d2c617e16 Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Fri, 14 Dec 2018 21:56:00 -0500 Subject: [PATCH 04/10] Implement email invitations and registration workflow --- src/api/core/accounts.rs | 25 +++++++++------ src/api/core/organizations.rs | 58 ++++++++++++++++++++++++++++++++++- 2 files changed, 72 insertions(+), 11 deletions(-) diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index fbe0079..6b77d40 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -59,22 +59,27 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult { let mut user = match User::find_by_mail(&data.Email, &conn) { Some(user) => { - if Invitation::take(&data.Email, &conn) { - for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { - user_org.status = UserOrgStatus::Accepted as i32; - if user_org.save(&conn).is_err() { - err!("Failed to accept user to organization") + if !CONFIG.email_invitations { + if Invitation::take(&data.Email, &conn) { + for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { + user_org.status = UserOrgStatus::Accepted as i32; + if user_org.save(&conn).is_err() { + err!("Failed to accept user to organization") + } } + user + } else if CONFIG.signups_allowed { + err!("Account with this email already exists") + } else { + err!("Registration not allowed") } - user - } else if CONFIG.signups_allowed { - err!("Account with this email already exists") } else { - err!("Registration not allowed") + // User clicked email invite link, so they are already "accepted" in UserOrgs + user } } None => { - if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) { + if CONFIG.signups_allowed || (!CONFIG.email_invitations && Invitation::take(&data.Email, &conn)) { User::new(data.Email) } else { err!("Registration not allowed") diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 0350b2e..7a3c002 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -8,7 +8,7 @@ use crate::db::DbConn; use crate::db::models::*; use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType}; -use crate::auth::{Headers, AdminHeaders, OwnerHeaders}; +use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER}; use serde::{Deserialize, Deserializer}; @@ -38,6 +38,7 @@ pub fn routes() -> Vec { get_org_users, send_invite, confirm_invite, + accept_invite, get_user, edit_user, put_organization_user, @@ -477,6 +478,61 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade err!("Failed to add user to organization") } } + + if CONFIG.email_invitations { + use crate::mail; + use chrono::{Duration, Utc}; + let time_now = Utc::now().naive_utc(); + let claims = InviteJWTClaims { + nbf: time_now.timestamp(), + exp: (time_now + Duration::days(5)).timestamp(), + iss: JWT_ISSUER.to_string(), + sub: user.uuid.to_string(), + email: email.clone(), + }; + let org_name = match Organization::find_by_uuid(&org_id, &conn) { + Some(org) => org.name, + None => err!("Error looking up organization") + }; + let invite_token = encode_jwt(&claims); + let org_user_id = Organization::VIRTUAL_ID; + + if let Some(ref mail_config) = CONFIG.mail { + if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id, &invite_token, &org_name, mail_config) { + err!(format!("There has been a problem sending the email: {}", e)) + } + } + } + } + + Ok(()) +} + +// TODO: Figure out how to make this redirect to the registration page +#[get("/organizations//users//accept?")] +fn accept_invite(org_id: String, org_user_id: String, token: String, conn: DbConn) -> EmptyResult { + let invite_claims: InviteJWTClaims = match decode_invite_jwt(&token) { + Ok(claims) => claims, + Err(msg) => err!("Invalid claim: {:#?}", msg), + }; + + match User::find_by_mail(&invite_claims.email, &conn) { + Some(user) => { + if Invitation::take(&invite_claims.email, &conn) { + for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { + user_org.status = UserOrgStatus::Accepted as i32; + if user_org.save(&conn).is_err() { + err!("Failed to accept user to organization") + } + } + //rocket::response::Redirect::to(format!("/#/register?email={}", invite_claims.email)) + } else { + err!("Invitation for user not found") + } + }, + None => { + err!("Invited user not found") + }, } Ok(()) From e245e965baaef161c7407f5eead1115641d27a4f Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Sat, 15 Dec 2018 22:45:39 -0500 Subject: [PATCH 05/10] Fix broken rebase --- BUILD.md | 3 +++ Dockerfile.alpine | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/BUILD.md b/BUILD.md index 89bac2d..1e35113 100644 --- a/BUILD.md +++ b/BUILD.md @@ -21,6 +21,8 @@ A compiled version of the web vault can be downloaded from [dani-garcia/bw_web_b If you prefer to compile it manually, follow these steps: +*Note: building the Vault needs ~1.5GB of RAM. On systems like a RaspberryPI with 1GB or less, please [enable swapping](https://www.tecmint.com/create-a-linux-swap-file/) or build it on a more powerful machine and copy the directory from there. This much memory is only needed for building it, running bitwarden_rs with vault needs only about 10MB of RAM.* + - Clone the git repository at [bitwarden/web](https://github.com/bitwarden/web) and checkout the latest release tag (e.g. v2.1.1): ```sh # clone the repository @@ -37,6 +39,7 @@ git apply /path/to/bitwarden_rs/docker/set-vault-baseurl.patch ``` - Then, build the Vault: + ```sh npm run sub:init npm install diff --git a/Dockerfile.alpine b/Dockerfile.alpine index ddc8549..ff098a1 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -20,7 +20,7 @@ RUN ls ########################## BUILD IMAGE ########################## # Musl build image for statically compiled binary -FROM clux/muslrust:nightly-2018-11-30 as build +FROM clux/muslrust:nightly-2018-12-01 as build ENV USER "root" @@ -30,6 +30,8 @@ WORKDIR /app # To avoid copying unneeded files, use .dockerignore COPY . . +RUN rustup target add x86_64-unknown-linux-musl + # Build RUN cargo build --release From 042c1072d9f35003348815288693324028646a5d Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Mon, 17 Dec 2018 17:02:15 -0500 Subject: [PATCH 06/10] Remove CONFIG.email_invitation option --- src/api/core/organizations.rs | 2 +- src/main.rs | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 7a3c002..2c1c601 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -479,7 +479,7 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade } } - if CONFIG.email_invitations { + if CONFIG.mail.is_some() { use crate::mail; use chrono::{Duration, Utc}; let time_now = Utc::now().naive_utc(); diff --git a/src/main.rs b/src/main.rs index 001f828..963f82f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -271,7 +271,6 @@ pub struct Config { local_icon_extractor: bool, signups_allowed: bool, invitations_allowed: bool, - email_invitations: bool, server_admin_email: Option, password_iterations: i32, show_password_hint: bool, @@ -322,7 +321,6 @@ impl Config { signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), server_admin_email: get_env("SERVER_ADMIN_EMAIL"), invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), - email_invitations: get_env_or("EMAIL_INVITATIONS", false), password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), From 9479108fb7861b2abf67be9c7825c6b7f3e4fa3d Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Mon, 17 Dec 2018 17:10:09 -0500 Subject: [PATCH 07/10] Remove CONFIG.email_invitations --- src/api/core/accounts.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 6b77d40..9f47bd1 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -59,7 +59,7 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult { let mut user = match User::find_by_mail(&data.Email, &conn) { Some(user) => { - if !CONFIG.email_invitations { + if CONFIG.mail.is_none() { if Invitation::take(&data.Email, &conn) { for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { user_org.status = UserOrgStatus::Accepted as i32; @@ -79,7 +79,7 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult { } } None => { - if CONFIG.signups_allowed || (!CONFIG.email_invitations && Invitation::take(&data.Email, &conn)) { + if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) { User::new(data.Email) } else { err!("Registration not allowed") From 26bf7bc12f9d6eda0426a545d52a7236a39cf5a7 Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Tue, 18 Dec 2018 23:16:03 -0500 Subject: [PATCH 08/10] Use upstream jslib invite/registration workflow --- src/api/core/accounts.rs | 1 - src/api/core/organizations.rs | 43 ++++++++++++++++++++++++----------- src/auth.rs | 2 ++ src/mail.rs | 4 ++-- 4 files changed, 34 insertions(+), 16 deletions(-) diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 9f47bd1..9aea3ef 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -74,7 +74,6 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult { err!("Registration not allowed") } } else { - // User clicked email invite link, so they are already "accepted" in UserOrgs user } } diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 2c1c601..7110e56 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -424,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade } for email in data.Emails.iter() { - let mut user_org_status = UserOrgStatus::Accepted as i32; + let mut user_org_status = match CONFIG.mail { + Some(_) => UserOrgStatus::Invited as i32, + None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites + }; let user = match User::find_by_mail(&email, &conn) { None => if CONFIG.invitations_allowed { // Invite user if that's enabled let mut invitation = Invitation::new(email.clone()); @@ -453,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade }; // Don't create UserOrganization in virtual organization + let mut org_user_id = None; if org_id != Organization::VIRTUAL_ID { let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone()); let access_all = data.AccessAll.unwrap_or(false); @@ -477,6 +481,7 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade if new_user.save(&conn).is_err() { err!("Failed to add user to organization") } + org_user_id = Some(new_user.uuid.clone()); } if CONFIG.mail.is_some() { @@ -489,16 +494,17 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade iss: JWT_ISSUER.to_string(), sub: user.uuid.to_string(), email: email.clone(), + org_id: org_id.clone(), + user_org_id: org_user_id.clone(), }; let org_name = match Organization::find_by_uuid(&org_id, &conn) { Some(org) => org.name, None => err!("Error looking up organization") }; let invite_token = encode_jwt(&claims); - let org_user_id = Organization::VIRTUAL_ID; - if let Some(ref mail_config) = CONFIG.mail { - if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id, &invite_token, &org_name, mail_config) { + if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()), + &invite_token, &org_name, mail_config) { err!(format!("There has been a problem sending the email: {}", e)) } } @@ -508,24 +514,35 @@ fn send_invite(org_id: String, data: JsonUpcase, headers: AdminHeade Ok(()) } -// TODO: Figure out how to make this redirect to the registration page -#[get("/organizations//users//accept?")] -fn accept_invite(org_id: String, org_user_id: String, token: String, conn: DbConn) -> EmptyResult { - let invite_claims: InviteJWTClaims = match decode_invite_jwt(&token) { +#[derive(Deserialize)] +#[allow(non_snake_case)] +struct AcceptData { + Token: String, +} + +#[post("/organizations//users//accept", data = "")] +fn accept_invite(org_id: String, org_user_id: String, data: JsonUpcase, conn: DbConn) -> EmptyResult { + let data: AcceptData = data.into_inner().data; + let token = &data.Token; + let claims: InviteJWTClaims = match decode_invite_jwt(&token) { Ok(claims) => claims, Err(msg) => err!("Invalid claim: {:#?}", msg), }; - match User::find_by_mail(&invite_claims.email, &conn) { - Some(user) => { - if Invitation::take(&invite_claims.email, &conn) { - for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { + match User::find_by_mail(&claims.email, &conn) { + Some(_) => { + if Invitation::take(&claims.email, &conn) { + if claims.user_org_id.is_some() { + // If this isn't the virtual_org, mark userorg as accepted + let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) { + Some(user_org) => user_org, + None => err!("Error accepting the invitation") + }; user_org.status = UserOrgStatus::Accepted as i32; if user_org.save(&conn).is_err() { err!("Failed to accept user to organization") } } - //rocket::response::Redirect::to(format!("/#/register?email={}", invite_claims.email)) } else { err!("Invitation for user not found") } diff --git a/src/auth.rs b/src/auth.rs index 57c13e8..0e851aa 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -120,6 +120,8 @@ pub struct InviteJWTClaims { pub sub: String, pub email: String, + pub org_id: String, + pub user_org_id: Option, } /// diff --git a/src/mail.rs b/src/mail.rs index 2c62006..485e5c1 100644 --- a/src/mail.rs +++ b/src/mail.rs @@ -68,10 +68,10 @@ pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, format!( "

You have been invited to join the {} organization.

- Click here to join

+ Click here to join

If you do not wish to join this organization, you can safely ignore this email.

", - org_name, CONFIG.domain, org_id, org_user_id, token + org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token )) }; From 99256b9b3a53831367c0616ce834aeb65f53cbd2 Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Thu, 20 Dec 2018 21:37:03 -0500 Subject: [PATCH 09/10] Prefix unused params with underscore --- src/api/core/organizations.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 7110e56..59bfced 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -520,8 +520,9 @@ struct AcceptData { Token: String, } -#[post("/organizations//users//accept", data = "")] -fn accept_invite(org_id: String, org_user_id: String, data: JsonUpcase, conn: DbConn) -> EmptyResult { +#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "")] +fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase, conn: DbConn) -> EmptyResult { +// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead let data: AcceptData = data.into_inner().data; let token = &data.Token; let claims: InviteJWTClaims = match decode_invite_jwt(&token) { From 2cd736ab817e2d1c717ec876978cd2623e62665a Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Thu, 20 Dec 2018 22:16:41 -0500 Subject: [PATCH 10/10] Validate JWT if a user registers with SMTP invites enabled --- src/api/core/accounts.rs | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 9aea3ef..a8132a7 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -4,7 +4,7 @@ use crate::db::models::*; use crate::db::DbConn; use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers}; -use crate::auth::Headers; +use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims}; use crate::mail; use crate::CONFIG; @@ -44,6 +44,8 @@ struct RegisterData { MasterPasswordHash: String, MasterPasswordHint: Option, Name: Option, + Token: Option, + OrganizationUserId: Option, } #[derive(Deserialize, Debug)] @@ -59,22 +61,37 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult { let mut user = match User::find_by_mail(&data.Email, &conn) { Some(user) => { - if CONFIG.mail.is_none() { - if Invitation::take(&data.Email, &conn) { + if Invitation::find_by_mail(&data.Email, &conn).is_some() { + if CONFIG.mail.is_none() { for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { user_org.status = UserOrgStatus::Accepted as i32; if user_org.save(&conn).is_err() { err!("Failed to accept user to organization") } } + if !Invitation::take(&data.Email, &conn) { + err!("Error accepting invitation") + } user - } else if CONFIG.signups_allowed { - err!("Account with this email already exists") } else { - err!("Registration not allowed") + let token = match &data.Token { + Some(token) => token, + None => err!("No valid invite token") + }; + let claims: InviteJWTClaims = match decode_invite_jwt(&token) { + Ok(claims) => claims, + Err(msg) => err!("Invalid claim: {:#?}", msg), + }; + if &claims.email == &data.Email { + user + } else { + err!("Registration email does not match invite email") + } } + } else if CONFIG.signups_allowed { + err!("Account with this email already exists") } else { - user + err!("Registration not allowed") } } None => {