Fixed delete user when 2FA is enabled, implemented delete user for admin panel, and the front-end part for invite user. Secured admin panel behind a configurable token.

Daniel García 2018-12-18 18:52:58 +01:00
parent 5fecf09631
commit 1b5134dfe2
No known key found for this signature in database
GPG Key ID: FC8A7D14C3CD543A
6 changed files with 154 additions and 71 deletions

14
.env

@ -34,15 +34,23 @@
## It's recommended to also set 'ROCKET_CLI_COLORS=off' ## It's recommended to also set 'ROCKET_CLI_COLORS=off'
# LOG_FILE=/path/to/log # LOG_FILE=/path/to/log
## Controls if new users can register
# SIGNUPS_ALLOWED=true
## Use a local favicon extractor ## Use a local favicon extractor
## Set to false to use bitwarden's official icon servers ## Set to false to use bitwarden's official icon servers
## Set to true to use the local version, which is not as smart, ## Set to true to use the local version, which is not as smart,
## but it doesn't send the cipher domains to bitwarden's servers ## but it doesn't send the cipher domains to bitwarden's servers
# LOCAL_ICON_EXTRACTOR=false # LOCAL_ICON_EXTRACTOR=false
## Controls if new users can register
# SIGNUPS_ALLOWED=true
## Token for the admin interface, preferably use a long random string
## One option is to use 'openssl rand -base64 48'
## If not set, the admin panel is disabled
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
## Invitations org admins to invite users, even when signups are disabled
# INVITATIONS_ALLOWED=true
## Controls the PBBKDF password iterations to apply on the server ## Controls the PBBKDF password iterations to apply on the server
## The change only applies when the password is changed ## The change only applies when the password is changed
# PASSWORD_ITERATIONS=100000 # PASSWORD_ITERATIONS=100000
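Review bot: The commented `ADMIN_TOKEN` example is a realistic 64-character value, so anyone who simply uncomments the line ends up with an admin token that is published in the repository. Use an obvious placeholder instead, e.g. `# ADMIN_TOKEN=<paste the output of 'openssl rand -base64 48' here>`, so the template cannot be enabled with a known secret. The `INVITATIONS_ALLOWED` comment is also missing a word; `## Allows org admins to invite users, even when signups are disabled` reads as intended.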


@ -1,20 +1,17 @@
use rocket_contrib::json::Json; use rocket_contrib::json::Json;
use serde_json::Value; use serde_json::Value;
use crate::api::{JsonResult, JsonUpcase};
use crate::CONFIG;
use crate::db::models::*; use crate::db::models::*;
use crate::db::DbConn; use crate::db::DbConn;
use crate::api::{EmptyResult, JsonResult, JsonUpcase}; use rocket::request::{self, FromRequest, Request};
use rocket::{Outcome, Route};
use rocket::{Route, Outcome};
use rocket::request::{self, Request, FromRequest};
pub fn routes() -> Vec<Route> { pub fn routes() -> Vec<Route> {
routes![ routes![get_users, invite_user, delete_user]
get_users,
invite_user,
delete_user,
]
} }
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
@ -25,14 +22,14 @@ struct InviteData {
#[get("/users")] #[get("/users")]
fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult { fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
let users = User::get_all(&conn); let users = User::get_all(&conn);
let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect(); let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
Ok(Json(Value::Array(users_json))) Ok(Json(Value::Array(users_json)))
} }
#[post("/users", data="<data>")] #[post("/invite", data = "<data>")]
fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -> EmptyResult { fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -> JsonResult {
let data: InviteData = data.into_inner().data; let data: InviteData = data.into_inner().data;
if User::find_by_mail(&data.Email, &conn).is_some() { if User::find_by_mail(&data.Email, &conn).is_some() {
@ -42,30 +39,30 @@ fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -
err!("Unimplemented") err!("Unimplemented")
} }
#[delete("/users/<uuid>")] #[post("/users/<uuid>/delete")]
fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult { fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> JsonResult {
let _user = match User::find_by_uuid(&uuid, &conn) { let user = match User::find_by_uuid(&uuid, &conn) {
Some(user) => user, Some(user) => user,
None => err!("User doesn't exist") None => err!("User doesn't exist"),
}; };
// TODO: Enable this once we have a more secure auth method
err!("Unimplemented")
/*
match user.delete(&conn) { match user.delete(&conn) {
Ok(_) => Ok(()), Ok(_) => Ok(Json(json!({}))),
Err(e) => err!("Error deleting user", e) Err(e) => err!("Error deleting user", e),
} }
*/
} }
pub struct AdminToken {} pub struct AdminToken {}
impl<'a, 'r> FromRequest<'a, 'r> for AdminToken { impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
type Error = &'static str; type Error = &'static str;
fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> { fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
let config_token = match CONFIG.admin_token.as_ref() {
Some(token) => token,
None => err_handler!("Admin panel is disabled"),
};
// Get access_token // Get access_token
let access_token: &str = match request.headers().get_one("Authorization") { let access_token: &str = match request.headers().get_one("Authorization") {
Some(a) => match a.rsplit("Bearer ").next() { Some(a) => match a.rsplit("Bearer ").next() {
@ -81,10 +78,10 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
// Option 2a: Send it to admin email, like upstream // Option 2a: Send it to admin email, like upstream
// Option 2b: Print in console or save to data dir, so admin can check // Option 2b: Print in console or save to data dir, so admin can check
if access_token != "token123" { if access_token != config_token {
err_handler!("Invalid admin token") err_handler!("Invalid admin token")
} }
Outcome::Success(AdminToken {}) Outcome::Success(AdminToken {})
} }
} }
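Review bot: The check `if access_token != config_token` in `from_request` compares the admin secret with an ordinary string inequality, which returns at the first differing byte and can leak through response timing how much of a guess matched. Compare in constant time instead, for example `ring::constant_time::verify_slices_are_equal(access_token.as_bytes(), config_token.as_bytes()).is_err()` if ring is available to this crate (the dependency list is not visible here). Now that `delete_user` really deletes accounts behind this guard, the invalid-token path should also leave a trace: unless `err_handler!` already logs, a log line with the client address there would make guessing attempts detectable. The middle of `from_request` lies outside the hunks shown.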


@ -107,4 +107,12 @@ impl TwoFactor {
.filter(twofactor::type_.eq(type_)) .filter(twofactor::type_.eq(type_))
.first::<Self>(&**conn).ok() .first::<Self>(&**conn).ok()
} }
}
pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<usize> {
diesel::delete(
twofactor::table.filter(
twofactor::user_uuid.eq(user_uuid)
)
).execute(&**conn)
}
}


@ -113,7 +113,7 @@ use diesel;
use diesel::prelude::*; use diesel::prelude::*;
use crate::db::DbConn; use crate::db::DbConn;
use crate::db::schema::{users, invitations}; use crate::db::schema::{users, invitations};
use super::{Cipher, Folder, Device, UserOrganization, UserOrgType}; use super::{Cipher, Folder, Device, UserOrganization, UserOrgType, TwoFactor};
/// Database methods /// Database methods
impl User { impl User {
@ -168,6 +168,7 @@ impl User {
Cipher::delete_all_by_user(&self.uuid, &*conn)?; Cipher::delete_all_by_user(&self.uuid, &*conn)?;
Folder::delete_all_by_user(&self.uuid, &*conn)?; Folder::delete_all_by_user(&self.uuid, &*conn)?;
Device::delete_all_by_user(&self.uuid, &*conn)?; Device::delete_all_by_user(&self.uuid, &*conn)?;
TwoFactor::delete_all_by_user(&self.uuid, &*conn)?;
Invitation::take(&self.email, &*conn); // Delete invitation if any Invitation::take(&self.email, &*conn); // Delete invitation if any
diesel::delete(users::table.filter( diesel::delete(users::table.filter(
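Review bot: With `TwoFactor::delete_all_by_user` added, `User::delete` issues several dependent deletes in sequence, and nothing in the visible lines wraps them in a transaction. If a later step fails, including the final `diesel::delete(users::table...)`, the account could be left in place with its two-factor entries and devices already removed. Unless the part of the function outside this hunk already does so, run the sequence inside `conn.transaction(|| { ... })` so the delete is all-or-nothing. The result of `Invitation::take` is discarded; a short comment saying that this is deliberate would help the next reader.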


@ -272,6 +272,7 @@ pub struct Config {
local_icon_extractor: bool, local_icon_extractor: bool,
signups_allowed: bool, signups_allowed: bool,
invitations_allowed: bool, invitations_allowed: bool,
admin_token: Option<String>,
server_admin_email: Option<String>, server_admin_email: Option<String>,
password_iterations: i32, password_iterations: i32,
show_password_hint: bool, show_password_hint: bool,
@ -325,7 +326,8 @@ impl Config {
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false), local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
server_admin_email: get_env("SERVER_ADMIN_EMAIL"), admin_token: get_env("ADMIN_TOKEN"),
server_admin_email:None, // TODO: Delete this
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
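Review bot: `admin_token: get_env("ADMIN_TOKEN")` accepts whatever the variable holds, so depending on how `get_env` treats empty values (its body is not shown), `ADMIN_TOKEN=` could yield `Some("")` and the admin guard would then compare requests against an empty secret. Treat blank values as unset, e.g. `admin_token: get_env("ADMIN_TOKEN").filter(|t: &String| !t.trim().is_empty()),`, and consider a startup warning when the configured token is short. `server_admin_email:None, // TODO: Delete this` leaves a dead field behind; either drop the field in this commit or name the follow-up in the comment.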


@ -20,13 +20,12 @@
<style> <style>
body { padding-top: 70px; } body { padding-top: 70px; }
img { width: 48px; height: 48px; } img { width: 48px; height: 48px; }
#logo { width: 48px; height: 48px; }
</style> </style>
<script> <script>
let key = null; let key = null;
function getIdenticon(email) { function identicon(email) {
const data = new Identicon(md5(email), { const data = new Identicon(md5(email), {
size: 48, size: 48,
format: 'svg' format: 'svg'
@ -35,41 +34,97 @@
return "data:image/svg+xml;base64," + data; return "data:image/svg+xml;base64," + data;
} }
function setVis(elem, vis) {
if (vis) { $(elem).removeClass('d-none'); }
else { $(elem).addClass('d-none'); }
}
function updateVis() {
setVis("#no-key-form", !key);
setVis("#users-block", key);
setVis("#invite-form", key);
}
function setKey() {
key = $('#key').val() || window.location.hash.slice(1);
updateVis();
if (key) { loadUsers(); }
return false;
}
function resetKey() {
key = null;
updateVis();
}
function fillRow(data) {
for (i in data) {
const user = data[i];
const row = $("#tmp-row").clone();
row.attr("id", "user-row:" + user.Id);
row.find(".tmp-name").text(user.Name);
row.find(".tmp-mail").text(user.Email);
row.find(".tmp-icon").attr("src", identicon(user.Email))
row.find(".tmp-del").on("click", function (e) {
if (confirm("Delete User '" + user.Name + "'?")) {
deleteUser(user.Id);
}
return false;
});
row.appendTo("#users-list");
setVis(row, true);
}
}
function _headers() { return { "Authorization": "Bearer " + key }; }
function loadUsers() { function loadUsers() {
$("#users-list").empty(); $("#users-list").empty();
$.get({ url: "/admin/users", headers: _headers() })
.done(fillRow)
.fail(resetKey);
$.ajax({ return false;
type: "GET", }
url: "/admin/users",
headers: { "Authorization": "Bearer " + key }
}).done(function (data) {
for (i in data) {
let user = data[i];
let row = $("#tmp-user-row").clone();
row.attr("id", "user-row:" + user.Id); function _post(url, successMsg, errMsg, resetOnErr, data) {
row.find(".tmp-user-name").text(user.Name); $.post({ url: url, headers: _headers(), data: data })
row.find(".tmp-user-mail").text(user.Email); .done(() => {
row.find(".tmp-user-icon").attr("src", getIdenticon(user.Email)) alert(successMsg);
loadUsers();
})
.fail((e) => {
const msg = e.responseJSON ?
e.responseJSON.ErrorModel.Message
: "Unknown error";
alert(errMsg + ": " + msg);
if (resetOnErr) { resetKey(); }
});
}
row.find(".tmp-user-del").on("click", function (e) { function deleteUser(id) {
alert("Not Implemented: Deleting UUID " + user.Id); _post("/admin/users/" + id + "/delete",
}); "User deleted correctly",
"Error deleting user", true);
}
row.appendTo("#users-list"); function inviteUser() {
row.removeClass('d-none'); data = JSON.stringify({ "Email": $("#email-invite").val() });
}
}) _post("/admin/invite/",
"User invited correctly",
"Error inviting user", false, data);
} }
$(window).on('load', function () { $(window).on('load', function () {
key = new URLSearchParams(window.location.search).get('key'); setKey();
if (key) {
$("#no-key-form").addClass('d-none'); $("#key-form").submit(setKey);
loadUsers(); $("#reload-btn").on("click", loadUsers);
} else { $("#invite-form").submit(inviteUser);
$("#users-block").addClass('d-none');
}
}); });
</script> </script>
</head> </head>
@ -89,36 +144,48 @@
</div> </div>
</nav> </nav>
<main class="container"> <main class="container">
<div id="no-key-form" class="align-items-center p-3 mb-3 text-white-50 bg-danger rounded shadow"> <div id="no-key-form" class="d-none align-items-center p-3 mb-3 text-white-50 bg-danger rounded shadow">
<div> <div>
<h6 class="mb-0 text-white">Authentication key needed to continue</h6> <h6 class="mb-0 text-white">Authentication key needed to continue</h6>
<small>Please provide it below:</small> <small>Please provide it below:</small>
<form class="form-inline" method="get"> <form class="form-inline" id="key-form">
<input type="text" class="form-control mr-2" id="key" name="key" placeholder="Enter admin key"> <input type="password" class="form-control w-50 mr-2" id="key" placeholder="Enter admin key">
<button type="submit" class="btn btn-primary">Submit</button> <button type="submit" class="btn btn-primary">Save</button>
</form> </form>
</div> </div>
</div> </div>
<div id="users-block" class="my-3 p-3 bg-white rounded shadow"> <div id="users-block" class="d-none my-3 p-3 bg-white rounded shadow">
<h6 class="border-bottom pb-2 mb-0">Registered Users</h6> <h6 class="border-bottom pb-2 mb-0">Registered Users</h6>
<div id="users-list"></div> <div id="users-list"></div>
<small class="d-block text-right mt-3"> <small class="d-block text-right mt-3">
<a href="#" onclick="loadUsers();">Reload users</a> <a id="reload-btn" href="#">Reload users</a>
</small> </small>
</div> </div>
<div id="tmp-user-row" class="d-none media pt-3"> <div id="invite-form" class="d-none align-items-center p-3 mb-3 text-white-50 bg-secondary rounded shadow">
<img src="#" alt="identicon" class="mr-2 rounded tmp-user-icon"> <div>
<h6 class="mb-0 text-white">Invite User</h6>
<small>Email:</small>
<form class="form-inline" id="invite-form">
<input type="email" class="form-control w-50 mr-2" id="email-invite" placeholder="Enter email">
<button type="submit" class="btn btn-primary">Invite</button>
</form>
</div>
</div>
<div id="tmp-row" class="d-none media pt-3">
<img class="mr-2 rounded tmp-icon">
<div class="media-body pb-3 mb-0 small border-bottom"> <div class="media-body pb-3 mb-0 small border-bottom">
<div class="d-flex justify-content-between"> <div class="d-flex justify-content-between">
<strong class="tmp-user-name">Full Name</strong> <strong class="tmp-name">Full Name</strong>
<a class="tmp-user-del mr-3" href="#">Delete User</a> <a class="tmp-del mr-3" href="#">Delete User</a>
</div> </div>
<span class="d-block tmp-user-mail">Email</span> <span class="d-block tmp-mail">Email</span>
</div> </div>
</div> </div>
</main> </main>
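Review bot: `inviteUser()` never cancels the default submit, and `id="invite-form"` is used on both the wrapper `<div>` and the inner `<form>`. `$("#invite-form").submit(inviteUser)` therefore binds to the first match (the div), and the browser still performs a native form submission that reloads the page and may abort the in-flight POST. End `inviteUser` with `return false;` as `setKey` does, declare the payload as `const data = ...` rather than an implicit global, and give the wrapper its own id (e.g. `invite-block`) with the `setVis` call updated to match. Separately, `setKey` reads the key from `window.location.hash`, where it stays in the address bar and browser history. Clearing it after reading, e.g. `history.replaceState(null, "", window.location.pathname);`, limits that exposure.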