Self-Hosted
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Implement poor man's invitation via Organization invitation

Browse Source
pull/173/head
Miroslav Prasil 6 years ago
parent 8df6f79f19
commit ec05f14f5a
10 changed files with 156 additions and 36 deletions
Show Stats Download Patch File Download Diff File

17
README.md
Unescape View File

@ -23,6 +23,7 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
- [Updating the bitwarden image](#updating-the-bitwarden-image)
- [Configuring bitwarden service](#configuring-bitwarden-service)
- [Disable registration of new users](#disable-registration-of-new-users)
- [Disable invitations](#disable-invitations)
- [Enabling HTTPS](#enabling-https)
- [Enabling U2F authentication](#enabling-u2f-authentication)
- [Changing persistent data location](#changing-persistent-data-location)
@ -136,6 +137,20 @@ docker run -d --name bitwarden \
-p 80:80 \
mprasil/bitwarden:latest
```
Note: While users can't register on their own, they can still be invited by already registered users. Read bellow if you also want to disable that.
### Disable invitations
Even when registration is disabled, organization administrators or owners can invite users to join organization. This won't send email invitation to the users, but after they are invited, they can register with the invited email even if `SIGNUPS_ALLOWED` is actually set to `false`. You can disable this functionality completely by setting `INVITATIONS_ALLOWED` env variable to `false`:
```sh
docker run -d --name bitwarden \
-e SIGNUPS_ALLOWED=false \
-e INVITATIONS_ALLOWED=false \
-v /bw-data/:/data/ \
-p 80:80 \
mprasil/bitwarden:latest
```
### Enabling HTTPS
To enable HTTPS, you need to configure the `ROCKET_TLS`.
@ -365,7 +380,7 @@ We use upstream Vault interface directly without any (significant) changes, this
### Inviting users into organization
The users must already be registered on your server to invite them, because we can't send the invitation via email. The invited users won't get the invitation email, instead they will appear in the interface as if they already accepted the invitation. Organization admin then just needs to confirm them to be proper Organization members and to give them access to the shared secrets.
If you have [invitations disabled](#disable-invitations), the users must already be registered on your server to invite them. The invited users won't get the invitation email, instead they will appear in the interface as if they already accepted the invitation. (if the user has already registered) Organization admin then just needs to confirm them to be proper Organization members and to give them access to the shared secrets.
### Running on unencrypted connection

1
migrations/2018-09-10-111213_add_invites/down.sql
Unescape View File

@ -0,0 +1 @@
DROP TABLE invitations;

3
migrations/2018-09-10-111213_add_invites/up.sql
Unescape View File

@ -0,0 +1,3 @@
CREATE TABLE invitations (
email TEXT NOT NULL PRIMARY KEY
);

32
src/api/core/accounts.rs
Unescape View File

@ -30,15 +30,33 @@ struct KeysData {
fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let data: RegisterData = data.into_inner().data;
if !CONFIG.signups_allowed {
err!("Signups not allowed")
}
if User::find_by_mail(&data.Email, &conn).is_some() {
err!("Email already exists")
let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(mut user) => {
if Invitation::take(&data.Email, &conn) {
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
user_org.status = UserOrgStatus::Accepted as i32;
user_org.save(&conn);
};
user.set_password(&data.MasterPasswordHash);
user.key = data.Key;
user
} else {
if CONFIG.signups_allowed {
err!("Account with this email already exists")
} else {
err!("Registration not allowed")
}
let mut user = User::new(data.Email, data.Key, data.MasterPasswordHash);
}
},
None => {
if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
User::new(data.Email, data.Key, data.MasterPasswordHash)
} else {
err!("Registration not allowed")
}
}
};
// Add extra fields if present
if let Some(name) = data.Name {

38
src/api/core/organizations.rs
Unescape View File

@ -1,7 +1,7 @@
#![allow(unused_imports)]
use rocket_contrib::{Json, Value};
use CONFIG;
use db::DbConn;
use db::models::*;
@ -373,18 +373,40 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
err!("Only Owners can invite Admins or Owners")
}
for user_opt in data.Emails.iter().map(|email| User::find_by_mail(email, &conn)) {
match user_opt {
None => err!("User email does not exist"),
Some(user) => {
if UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn).is_some() {
err!("User already in organization")
for email in data.Emails.iter() {
let mut user_org_status = UserOrgStatus::Accepted as i32;
let user = match User::find_by_mail(&email, &conn) {
None => if CONFIG.invitations_allowed { // Invite user if that's enabled
let mut invitation = Invitation::new(email.clone());
match invitation.save(&conn) {
Ok(()) => {
let mut user = User::new_invited(email.clone());
if user.save(&conn) {
user_org_status = UserOrgStatus::Invited as i32;
user
} else {
err!("Failed to create placeholder for invited user")
}
}
Err(_) => err!(format!("Failed to invite: {}", email))
}
} else {
err!(format!("User email does not exist: {}", email))
},
Some(user) => if UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn).is_some() {
err!(format!("User already in organization: {}", email))
} else {
user
}
};
let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
let access_all = data.AccessAll.unwrap_or(false);
new_user.access_all = access_all;
new_user.type_ = new_type;
new_user.status = user_org_status;
// If no accessAll, add the collections received
if !access_all {
@ -402,8 +424,6 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
new_user.save(&conn);
}
}
}
Ok(())
}

2
src/db/models/mod.rs
Unescape View File

@ -12,7 +12,7 @@ pub use self::attachment::Attachment;
pub use self::cipher::Cipher;
pub use self::device::Device;
pub use self::folder::{Folder, FolderCipher};
pub use self::user::User;
pub use self::user::{User, Invitation};
pub use self::organization::Organization;
pub use self::organization::{UserOrganization, UserOrgStatus, UserOrgType};
pub use self::collection::{Collection, CollectionUser, CollectionCipher};

9
src/db/models/organization.rs
Unescape View File

@ -27,7 +27,7 @@ pub struct UserOrganization {
}
pub enum UserOrgStatus {
_Invited = 0, // Unused, users are accepted automatically
Invited = 0,
Accepted = 1,
Confirmed = 2,
}
@ -284,6 +284,13 @@ impl UserOrganization {
.load::<Self>(&**conn).unwrap_or(vec![])
}
pub fn find_invited_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
users_organizations::table
.filter(users_organizations::user_uuid.eq(user_uuid))
.filter(users_organizations::status.eq(UserOrgStatus::Invited as i32))
.load::<Self>(&**conn).unwrap_or(vec![])
}
pub fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
users_organizations::table
.filter(users_organizations::org_uuid.eq(org_uuid))

50
src/db/models/user.rs
Unescape View File

@ -73,6 +73,10 @@ impl User {
}
}
pub fn new_invited(mail: String) -> Self {
Self::new(mail,"".to_string(),"".to_string())
}
pub fn check_valid_password(&self, password: &str) -> bool {
crypto::verify_password_hash(password.as_bytes(),
&self.salt,
@ -103,7 +107,7 @@ impl User {
use diesel;
use diesel::prelude::*;
use db::DbConn;
use db::schema::users;
use db::schema::{users, invitations};
/// Database methods
impl User {
@ -186,3 +190,47 @@ impl User {
.first::<Self>(&**conn).ok()
}
}
#[derive(Debug, Identifiable, Queryable, Insertable)]
#[table_name = "invitations"]
#[primary_key(email)]
pub struct Invitation {
pub email: String,
}
impl Invitation {
pub fn new(email: String) -> Self {
Self {
email
}
}
pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
diesel::replace_into(invitations::table)
.values(&*self)
.execute(&**conn)
.and(Ok(()))
}
pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
diesel::delete(invitations::table.filter(
invitations::email.eq(self.email)))
.execute(&**conn)
.and(Ok(()))
}
pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
let lower_mail = mail.to_lowercase();
invitations::table
.filter(invitations::email.eq(lower_mail))
.first::<Self>(&**conn).ok()
}
pub fn take(mail: &str, conn: &DbConn) -> bool {
CONFIG.invitations_allowed &&
match Self::find_by_mail(mail, &conn) {
Some(invitation) => invitation.delete(&conn).is_ok(),
None => false
}
}
}

6
src/db/schema.rs
Unescape View File

@ -113,6 +113,12 @@ table! {
}
}
table! {
invitations (email) {
email -> Text,
}
}
table! {
users_collections (user_uuid, collection_uuid) {
user_uuid -> Text,

2
src/main.rs
Unescape View File

@ -170,6 +170,7 @@ pub struct Config {
local_icon_extractor: bool,
signups_allowed: bool,
invitations_allowed: bool,
password_iterations: i32,
show_password_hint: bool,
domain: String,
@ -199,6 +200,7 @@ impl Config {
local_icon_extractor: util::parse_option_string(env::var("LOCAL_ICON_EXTRACTOR").ok()).unwrap_or(false),
signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(true),
invitations_allowed: util::parse_option_string(env::var("INVITATIONS_ALLOWED").ok()).unwrap_or(true),
password_iterations: util::parse_option_string(env::var("PASSWORD_ITERATIONS").ok()).unwrap_or(100_000),
show_password_hint: util::parse_option_string(env::var("SHOW_PASSWORD_HINT").ok()).unwrap_or(true),

Write Preview
Loading…
Cancel
Save