added database migration

2023-01-25 08:06:21 +01:00 · 2023-01-25 08:06:21 +01:00 · 95494083f2
Commit 95494083f2
--- a/migrations/mysql/2023-01-06-151600_add_reset_password_support/down.sql
+++ b/migrations/mysql/2023-01-06-151600_add_reset_password_support/down.sql
--- a/migrations/mysql/2023-01-06-151600_add_reset_password_support/up.sql
+++ b/migrations/mysql/2023-01-06-151600_add_reset_password_support/up.sql
@ -0,0 +1,2 @@
+ALTER TABLE users_organizations
+ADD COLUMN reset_password_key VARCHAR(255);
--- a/migrations/postgresql/2023-01-06-151600_add_reset_password_support/down.sql
+++ b/migrations/postgresql/2023-01-06-151600_add_reset_password_support/down.sql
--- a/migrations/postgresql/2023-01-06-151600_add_reset_password_support/up.sql
+++ b/migrations/postgresql/2023-01-06-151600_add_reset_password_support/up.sql
@ -0,0 +1,2 @@
+ALTER TABLE users_organizations
+ADD COLUMN reset_password_key TEXT;
--- a/migrations/sqlite/2023-01-06-151600_add_reset_password_support/down.sql
+++ b/migrations/sqlite/2023-01-06-151600_add_reset_password_support/down.sql
--- a/migrations/sqlite/2023-01-06-151600_add_reset_password_support/up.sql
+++ b/migrations/sqlite/2023-01-06-151600_add_reset_password_support/up.sql
@ -0,0 +1,2 @@
+ALTER TABLE users_organizations
+ADD COLUMN reset_password_key TEXT;
--- a/src/db/models/event.rs
+++ b/src/db/models/event.rs
@ -87,9 +87,9 @@ pub enum EventType {
    OrganizationUserRemoved = 1503,
    OrganizationUserUpdatedGroups = 1504,
    // OrganizationUserUnlinkedSso = 1505, // Not supported
-    // OrganizationUserResetPasswordEnroll = 1506, // Not supported
-    // OrganizationUserResetPasswordWithdraw = 1507, // Not supported
-    // OrganizationUserAdminResetPassword = 1508, // Not supported
+    OrganizationUserResetPasswordEnroll = 1506,
+    OrganizationUserResetPasswordWithdraw = 1507,
+    OrganizationUserAdminResetPassword = 1508,
    // OrganizationUserResetSsoLink = 1509, // Not supported
    // OrganizationUserFirstSsoLogin = 1510, // Not supported
    OrganizationUserRevoked = 1511,
--- a/src/db/models/org_policy.rs
+++ b/src/db/models/org_policy.rs
@ -32,7 +32,7 @@ pub enum OrgPolicyType {
    PersonalOwnership = 5,
    DisableSend = 6,
    SendOptions = 7,
-    // ResetPassword = 8, // Not supported
+    ResetPassword = 8,
    // MaximumVaultTimeout = 9, // Not supported (Not AGPLv3 Licensed)
    // DisablePersonalVaultExport = 10, // Not supported (Not AGPLv3 Licensed)
 }
@ -44,6 +44,13 @@ pub struct SendOptionsPolicyData {
    pub DisableHideEmail: bool,
 }

+// https://github.com/bitwarden/server/blob/5cbdee137921a19b1f722920f0fa3cd45af2ef0f/src/Core/Models/Data/Organizations/Policies/ResetPasswordDataModel.cs
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+pub struct ResetPasswordDataModel {
+    pub AutoEnrollEnabled: bool,
+}
+
 pub type OrgPolicyResult = Result<(), OrgPolicyErr>;

 #[derive(Debug)]
@ -298,6 +305,20 @@ impl OrgPolicy {
        Ok(())
    }

+    pub async fn org_is_reset_password_auto_enroll(org_uuid: &str, conn: &mut DbConn) -> bool {
+        match OrgPolicy::find_by_org_and_type(org_uuid, OrgPolicyType::ResetPassword, conn).await {
+            Some(policy) => match serde_json::from_str::<UpCase<ResetPasswordDataModel>>(&policy.data) {
+                Ok(opts) => {
+                    return opts.data.AutoEnrollEnabled;
+                }
+                _ => error!("Failed to deserialize ResetPasswordDataModel: {}", policy.data),
+            },
+            None => return false,
+        }
+
+        false
+    }
+
    /// Returns true if the user belongs to an org that has enabled the `DisableHideEmail`
    /// option of the `Send Options` policy, and the user is not an owner or admin of that org.
    pub async fn is_hide_email_disabled(user_uuid: &str, conn: &mut DbConn) -> bool {
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@ -29,6 +29,7 @@ db_object! {
        pub akey: String,
        pub status: i32,
        pub atype: i32,
+        pub reset_password_key: Option<String>,
    }
 }

@ -158,7 +159,7 @@ impl Organization {
            "SelfHost": true,
            "UseApi": false, // Not supported
            "HasPublicAndPrivateKeys": self.private_key.is_some() && self.public_key.is_some(),
-            "UseResetPassword": false, // Not supported
+            "UseResetPassword": true,

            "BusinessName": null,
            "BusinessAddress1": null,
@ -194,6 +195,7 @@ impl UserOrganization {
            akey: String::new(),
            status: UserOrgStatus::Accepted as i32,
            atype: UserOrgType::User as i32,
+            reset_password_key: None,
        }
    }

@ -311,7 +313,8 @@ impl UserOrganization {
            "UseApi": false, // Not supported
            "SelfHost": true,
            "HasPublicAndPrivateKeys": org.private_key.is_some() && org.public_key.is_some(),
-            "ResetPasswordEnrolled": false, // Not supported
+            "ResetPasswordEnrolled": self.reset_password_key.is_some(),
+            "UseResetPassword": true,
            "SsoBound": false, // Not supported
            "UseSso": false, // Not supported
            "ProviderId": null,
@ -377,6 +380,7 @@ impl UserOrganization {
            "Type": self.atype,
            "AccessAll": self.access_all,
            "TwoFactorEnabled": twofactor_enabled,
+            "ResetPasswordEnrolled":self.reset_password_key.is_some(),

            "Object": "organizationUserUserDetails",
        })
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@ -178,6 +178,27 @@ impl User {
        self.security_stamp = crate::util::get_uuid();
    }

+    /// Set the password hash generated
+    /// And resets the security_stamp. Based upon the allow_next_route the security_stamp will be different.
+    ///
+    /// # Arguments
+    ///
+    /// * `new_password_hash` - A str which contains a hashed version of the users master password.
+    /// * `new_key` - A String  which contains the new aKey value of the users master password.
+    /// * `allow_next_route` - A Option<Vec<String>> with the function names of the next allowed (rocket) routes.
+    ///                       These routes are able to use the previous stamp id for the next 2 minutes.
+    ///                       After these 2 minutes this stamp will expire.
+    ///
+    pub fn set_password_and_key(
+        &mut self,
+        new_password_hash: &str,
+        new_key: &str,
+        allow_next_route: Option<Vec<String>>,
+    ) {
+        self.set_password(new_password_hash, allow_next_route);
+        self.akey = String::from(new_key);
+    }
+
    /// Set the stamp_exception to only allow a subsequent request matching a specific route using the current security-stamp.
    ///
    /// # Arguments
--- a/src/db/schemas/mysql/schema.rs
+++ b/src/db/schemas/mysql/schema.rs
@ -222,6 +222,7 @@ table! {
        akey -> Text,
        status -> Integer,
        atype -> Integer,
+        reset_password_key -> Nullable<Text>,
    }
 }

--- a/src/db/schemas/postgresql/schema.rs
+++ b/src/db/schemas/postgresql/schema.rs
@ -222,6 +222,7 @@ table! {
        akey -> Text,
        status -> Integer,
        atype -> Integer,
+        reset_password_key -> Nullable<Text>,
    }
 }

--- a/src/db/schemas/sqlite/schema.rs
+++ b/src/db/schemas/sqlite/schema.rs
@ -222,6 +222,7 @@ table! {
        akey -> Text,
        status -> Integer,
        atype -> Integer,
+        reset_password_key -> Nullable<Text>,
    }
 }