vaultwarden/src/db/models/user.rs

use chrono::{NaiveDateTime, Utc};
use serde_json::Value;

use uuid::Uuid;

use crypto;
use CONFIG;


#[derive(Debug, Identifiable, Queryable, Insertable)]
#[table_name = "users"]
#[primary_key(uuid)]
pub struct User {
    pub uuid: String,
    pub created_at: NaiveDateTime,
    pub updated_at: NaiveDateTime,

    pub email: String,
    pub name: String,

    pub password_hash: Vec<u8>,
    pub salt: Vec<u8>,
    pub password_iterations: i32,
    pub password_hint: Option<String>,

    pub key: String,
    pub private_key: Option<String>,
    pub public_key: Option<String>,
    
    #[column_name = "totp_secret"]
    _totp_secret: Option<String>,
    pub totp_recover: Option<String>,

    pub security_stamp: String,

    pub equivalent_domains: String,
    pub excluded_globals: String,
    
    pub client_kdf_type: i32,
    pub client_kdf_iter: i32,
}

/// Local methods
impl User {
    pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0
    pub const CLIENT_KDF_ITER_DEFAULT: i32 = 5_000;

    pub fn new(mail: String) -> Self {
        let now = Utc::now().naive_utc();
        let email = mail.to_lowercase();

        Self {
            uuid: Uuid::new_v4().to_string(),
            created_at: now,
            updated_at: now,
            name: email.clone(),
            email,
            key: String::new(),

            password_hash: Vec::new(),
            salt: crypto::get_random_64(),
            password_iterations: CONFIG.password_iterations,

            security_stamp: Uuid::new_v4().to_string(),

            password_hint: None,
            private_key: None,
            public_key: None,
            
            _totp_secret: None,
            totp_recover: None,

            equivalent_domains: "[]".to_string(),
            excluded_globals: "[]".to_string(),
            
            client_kdf_type: Self::CLIENT_KDF_TYPE_DEFAULT,
            client_kdf_iter: Self::CLIENT_KDF_ITER_DEFAULT,
        }
    }

    pub fn check_valid_password(&self, password: &str) -> bool {
        crypto::verify_password_hash(password.as_bytes(),
                                     &self.salt,
                                     &self.password_hash,
                                     self.password_iterations as u32)
    }

    pub fn check_valid_recovery_code(&self, recovery_code: &str) -> bool {
        if let Some(ref totp_recover) = self.totp_recover {
            recovery_code == totp_recover.to_lowercase()
        } else {
            false
        }
    }

    pub fn set_password(&mut self, password: &str) {
        self.password_hash = crypto::hash_password(password.as_bytes(),
                                                   &self.salt,
                                                   self.password_iterations as u32);
    }

    pub fn reset_security_stamp(&mut self) {
        self.security_stamp = Uuid::new_v4().to_string();
    }

    pub fn is_server_admin(&self) -> bool {
        match CONFIG.server_admin_email {
            Some(ref server_admin_email) => &self.email == server_admin_email,
            None => false
        }
    }
}

use diesel;
use diesel::prelude::*;
use db::DbConn;
use db::schema::{users, invitations};
use super::{Cipher, Folder, Device, UserOrganization, UserOrgType};

/// Database methods
impl User {
    pub fn to_json(&self, conn: &DbConn) -> Value {
        use super::{UserOrganization, UserOrgType, UserOrgStatus, TwoFactor};

        let mut orgs = UserOrganization::find_by_user(&self.uuid, conn);
        if self.is_server_admin() {
            orgs.push(UserOrganization::new_virtual(self.uuid.clone(), UserOrgType::Owner, UserOrgStatus::Confirmed));
        }
        let orgs_json: Vec<Value> = orgs.iter().map(|c| c.to_json(&conn)).collect();
        let twofactor_enabled = !TwoFactor::find_by_user(&self.uuid, conn).is_empty();

        json!({
            "Id": self.uuid,
            "Name": self.name,
            "Email": self.email,
            "EmailVerified": true,
            "Premium": true,
            "MasterPasswordHint": self.password_hint,
            "Culture": "en-US",
            "TwoFactorEnabled": twofactor_enabled,
            "Key": self.key,
            "PrivateKey": self.private_key,
            "SecurityStamp": self.security_stamp,
            "Organizations": orgs_json,
            "Object": "profile"
        })
    }


    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
        self.updated_at = Utc::now().naive_utc();

        diesel::replace_into(users::table) // Insert or update
            .values(&*self).execute(&**conn).and(Ok(()))
    }

    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
        for user_org in UserOrganization::find_by_user(&self.uuid, &*conn) {
            if user_org.type_ == UserOrgType::Owner {
                if UserOrganization::find_by_org_and_type(
                    &user_org.org_uuid, 
                    UserOrgType::Owner as i32, &conn
                ).len() <= 1 {
                    return Err(diesel::result::Error::NotFound);
                }
            }
        }

        UserOrganization::delete_all_by_user(&self.uuid, &*conn)?;
        Cipher::delete_all_by_user(&self.uuid, &*conn)?;
        Folder::delete_all_by_user(&self.uuid, &*conn)?;
        Device::delete_all_by_user(&self.uuid, &*conn)?;
        Invitation::take(&self.email, &*conn); // Delete invitation if any

        diesel::delete(users::table.filter(
        users::uuid.eq(self.uuid)))
        .execute(&**conn).and(Ok(()))
    }

    pub fn update_uuid_revision(uuid: &str, conn: &DbConn) {
        if let Some(mut user) = User::find_by_uuid(&uuid, conn) {
            if user.update_revision(conn).is_err(){
                warn!("Failed to update revision for {}", user.email);
            };
        };
    }

    pub fn update_revision(&mut self, conn: &DbConn) -> QueryResult<()> {
        self.updated_at = Utc::now().naive_utc();
        diesel::update(
            users::table.filter(
                users::uuid.eq(&self.uuid)
            )
        )
        .set(users::updated_at.eq(&self.updated_at))
        .execute(&**conn).and(Ok(()))
    }

    pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
        let lower_mail = mail.to_lowercase();
        users::table
            .filter(users::email.eq(lower_mail))
            .first::<Self>(&**conn).ok()
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        users::table
            .filter(users::uuid.eq(uuid))
            .first::<Self>(&**conn).ok()
    }

    pub fn get_all(conn: &DbConn) -> Vec<Self> {
        users::table
        .load::<Self>(&**conn).expect("Error loading users")
    }
}

#[derive(Debug, Identifiable, Queryable, Insertable)]
#[table_name = "invitations"]
#[primary_key(email)]
pub struct Invitation {
    pub email: String,
}

impl Invitation {
    pub fn new(email: String) -> Self {
        Self {
            email
        }
    }

    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
        diesel::replace_into(invitations::table)
        .values(&*self)
        .execute(&**conn)
        .and(Ok(()))
    }

    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
        diesel::delete(invitations::table.filter(
        invitations::email.eq(self.email)))
        .execute(&**conn)
        .and(Ok(()))
    }

    pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
        let lower_mail = mail.to_lowercase();
        invitations::table
            .filter(invitations::email.eq(lower_mail))
            .first::<Self>(&**conn).ok()
    }

    pub fn take(mail: &str, conn: &DbConn) -> bool {
        CONFIG.invitations_allowed &&
        match Self::find_by_mail(mail, &conn) {
            Some(invitation) => invitation.delete(&conn).is_ok(),
            None => false
        }
    }
}
Solved some warnings 2018-02-14 23:53:11 +00:00			`use chrono::{NaiveDateTime, Utc};`
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`use serde_json::Value;`
First working version 2018-02-10 00:00:55 +00:00
			`use uuid::Uuid;`

Improved error messagees, implemented delete ciphers, attachments and account, implemented two factor recovery. Known missing: - import ciphers, create ciphers types other than login and card, update ciphers - clear and put device_tokens - Equivalent domains - Organizations 2018-02-15 18:05:57 +00:00			`use crypto;`
First working version 2018-02-10 00:00:55 +00:00			`use CONFIG;`

Adding some oganization features 2018-04-20 16:35:11 +00:00
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00			`#[derive(Debug, Identifiable, Queryable, Insertable)]`
First working version 2018-02-10 00:00:55 +00:00			`#[table_name = "users"]`
			`#[primary_key(uuid)]`
			`pub struct User {`
			`pub uuid: String,`
			`pub created_at: NaiveDateTime,`
			`pub updated_at: NaiveDateTime,`

			`pub email: String,`
			`pub name: String,`

			`pub password_hash: Vec<u8>,`
			`pub salt: Vec<u8>,`
			`pub password_iterations: i32,`
			`pub password_hint: Option<String>,`

			`pub key: String,`
			`pub private_key: Option<String>,`
			`pub public_key: Option<String>,`
Improved two factor auth 2018-06-01 13:08:03 +00:00
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device. 2018-07-12 19:46:50 +00:00			`#[column_name = "totp_secret"]`
			`_totp_secret: Option<String>,`
First working version 2018-02-10 00:00:55 +00:00			`pub totp_recover: Option<String>,`
Improved two factor auth 2018-06-01 13:08:03 +00:00
First working version 2018-02-10 00:00:55 +00:00			`pub security_stamp: String,`
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00
			`pub equivalent_domains: String,`
			`pub excluded_globals: String,`
Implement KDF iterations change (Fixes #195) 2018-09-19 15:30:14 +00:00
			`pub client_kdf_type: i32,`
			`pub client_kdf_iter: i32,`
First working version 2018-02-10 00:00:55 +00:00			`}`

			`/// Local methods`
			`impl User {`
Implement KDF iterations change (Fixes #195) 2018-09-19 15:30:14 +00:00			`pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0`
			`pub const CLIENT_KDF_ITER_DEFAULT: i32 = 5_000;`

Modify User::new to be keyless and paswordless 2018-09-11 13:25:12 +00:00			`pub fn new(mail: String) -> Self {`
First working version 2018-02-10 00:00:55 +00:00			`let now = Utc::now().naive_utc();`
			`let email = mail.to_lowercase();`

Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00			`Self {`
First working version 2018-02-10 00:00:55 +00:00			`uuid: Uuid::new_v4().to_string(),`
			`created_at: now,`
			`updated_at: now,`
			`name: email.clone(),`
			`email,`
Modify User::new to be keyless and paswordless 2018-09-11 13:25:12 +00:00			`key: String::new(),`
First working version 2018-02-10 00:00:55 +00:00
Modify User::new to be keyless and paswordless 2018-09-11 13:25:12 +00:00			`password_hash: Vec::new(),`
Implement KDF iterations change (Fixes #195) 2018-09-19 15:30:14 +00:00			`salt: crypto::get_random_64(),`
			`password_iterations: CONFIG.password_iterations,`
First working version 2018-02-10 00:00:55 +00:00
			`security_stamp: Uuid::new_v4().to_string(),`

			`password_hint: None,`
			`private_key: None,`
			`public_key: None,`
Improved two factor auth 2018-06-01 13:08:03 +00:00
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device. 2018-07-12 19:46:50 +00:00			`_totp_secret: None,`
First working version 2018-02-10 00:00:55 +00:00			`totp_recover: None,`
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00
			`equivalent_domains: "[]".to_string(),`
			`excluded_globals: "[]".to_string(),`
Implement KDF iterations change (Fixes #195) 2018-09-19 15:30:14 +00:00
			`client_kdf_type: Self::CLIENT_KDF_TYPE_DEFAULT,`
			`client_kdf_iter: Self::CLIENT_KDF_ITER_DEFAULT,`
First working version 2018-02-10 00:00:55 +00:00			`}`
			`}`

			`pub fn check_valid_password(&self, password: &str) -> bool {`
			`crypto::verify_password_hash(password.as_bytes(),`
			`&self.salt,`
			`&self.password_hash,`
			`self.password_iterations as u32)`
			`}`

Improved error messagees, implemented delete ciphers, attachments and account, implemented two factor recovery. Known missing: - import ciphers, create ciphers types other than login and card, update ciphers - clear and put device_tokens - Equivalent domains - Organizations 2018-02-15 18:05:57 +00:00			`pub fn check_valid_recovery_code(&self, recovery_code: &str) -> bool {`
			`if let Some(ref totp_recover) = self.totp_recover {`
			`recovery_code == totp_recover.to_lowercase()`
			`} else {`
			`false`
			`}`
			`}`

First working version 2018-02-10 00:00:55 +00:00			`pub fn set_password(&mut self, password: &str) {`
			`self.password_hash = crypto::hash_password(password.as_bytes(),`
			`&self.salt,`
			`self.password_iterations as u32);`
			`}`

			`pub fn reset_security_stamp(&mut self) {`
			`self.security_stamp = Uuid::new_v4().to_string();`
			`}`
Implement poor man's admin panel 2018-10-12 14:20:10 +00:00
			`pub fn is_server_admin(&self) -> bool {`
			`match CONFIG.server_admin_email {`
			`Some(ref server_admin_email) => &self.email == server_admin_email,`
			`None => false`
			`}`
			`}`
Initial organizations functionality: Creating orgs and inviting users 2018-04-24 20:01:55 +00:00			`}`

			`use diesel;`
			`use diesel::prelude::*;`
			`use db::DbConn;`
Implement poor man's invitation via Organization invitation 2018-09-10 13:51:40 +00:00			`use db::schema::{users, invitations};`
Implement poor man's admin panel 2018-10-12 14:20:10 +00:00			`use super::{Cipher, Folder, Device, UserOrganization, UserOrgType};`
Initial organizations functionality: Creating orgs and inviting users 2018-04-24 20:01:55 +00:00
			`/// Database methods`
			`impl User {`
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`pub fn to_json(&self, conn: &DbConn) -> Value {`
Implement poor man's admin panel 2018-10-12 14:20:10 +00:00			`use super::{UserOrganization, UserOrgType, UserOrgStatus, TwoFactor};`
Initial organizations functionality: Creating orgs and inviting users 2018-04-24 20:01:55 +00:00
Implement poor man's admin panel 2018-10-12 14:20:10 +00:00			`let mut orgs = UserOrganization::find_by_user(&self.uuid, conn);`
			`if self.is_server_admin() {`
			`orgs.push(UserOrganization::new_virtual(self.uuid.clone(), UserOrgType::Owner, UserOrgStatus::Confirmed));`
			`}`
Updated bw_rs to Rocket version 0.4-rc1 2018-10-10 18:40:39 +00:00			`let orgs_json: Vec<Value> = orgs.iter().map(\|c\| c.to_json(&conn)).collect();`
Fixed some lint issues 2018-09-13 19:55:23 +00:00			`let twofactor_enabled = !TwoFactor::find_by_user(&self.uuid, conn).is_empty();`
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device. 2018-07-12 19:46:50 +00:00
First working version 2018-02-10 00:00:55 +00:00			`json!({`
			`"Id": self.uuid,`
			`"Name": self.name,`
			`"Email": self.email,`
			`"EmailVerified": true,`
			`"Premium": true,`
			`"MasterPasswordHint": self.password_hint,`
			`"Culture": "en-US",`
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device. 2018-07-12 19:46:50 +00:00			`"TwoFactorEnabled": twofactor_enabled,`
First working version 2018-02-10 00:00:55 +00:00			`"Key": self.key,`
			`"PrivateKey": self.private_key,`
			`"SecurityStamp": self.security_stamp,`
Initial organizations functionality: Creating orgs and inviting users 2018-04-24 20:01:55 +00:00			`"Organizations": orgs_json,`
First working version 2018-02-10 00:00:55 +00:00			`"Object": "profile"`
			`})`
			`}`


User::save() should return QueryResult instead of bool 2018-10-14 17:32:43 +00:00			`pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {`
Updated modified date when saving and removed hardcoded attachment domain 2018-02-15 00:07:57 +00:00			`self.updated_at = Utc::now().naive_utc();`
First working version 2018-02-10 00:00:55 +00:00
User::save() should return QueryResult instead of bool 2018-10-14 17:32:43 +00:00			`diesel::replace_into(users::table) // Insert or update`
			`.values(&self).execute(&*conn).and(Ok(()))`
First working version 2018-02-10 00:00:55 +00:00			`}`

Implement poor man's admin panel 2018-10-12 14:20:10 +00:00			`pub fn delete(self, conn: &DbConn) -> QueryResult<()> {`
			`for user_org in UserOrganization::find_by_user(&self.uuid, &*conn) {`
Implement comparison between i32 and UserOrgType 2018-11-12 17:13:25 +00:00			`if user_org.type_ == UserOrgType::Owner {`
Implement poor man's admin panel 2018-10-12 14:20:10 +00:00			`if UserOrganization::find_by_org_and_type(`
			`&user_org.org_uuid,`
			`UserOrgType::Owner as i32, &conn`
			`).len() <= 1 {`
			`return Err(diesel::result::Error::NotFound);`
			`}`
			`}`
Improved error messagees, implemented delete ciphers, attachments and account, implemented two factor recovery. Known missing: - import ciphers, create ciphers types other than login and card, update ciphers - clear and put device_tokens - Equivalent domains - Organizations 2018-02-15 18:05:57 +00:00			`}`
Implement poor man's admin panel 2018-10-12 14:20:10 +00:00
			`UserOrganization::delete_all_by_user(&self.uuid, &*conn)?;`
			`Cipher::delete_all_by_user(&self.uuid, &*conn)?;`
			`Folder::delete_all_by_user(&self.uuid, &*conn)?;`
			`Device::delete_all_by_user(&self.uuid, &*conn)?;`
			`Invitation::take(&self.email, &*conn); // Delete invitation if any`

			`diesel::delete(users::table.filter(`
			`users::uuid.eq(self.uuid)))`
			`.execute(&**conn).and(Ok(()))`
Improved error messagees, implemented delete ciphers, attachments and account, implemented two factor recovery. Known missing: - import ciphers, create ciphers types other than login and card, update ciphers - clear and put device_tokens - Equivalent domains - Organizations 2018-02-15 18:05:57 +00:00			`}`

Update affected users revision when there are collection changes 2018-08-21 11:20:55 +00:00			`pub fn update_uuid_revision(uuid: &str, conn: &DbConn) {`
			`if let Some(mut user) = User::find_by_uuid(&uuid, conn) {`
			`if user.update_revision(conn).is_err(){`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 2018-12-06 19:35:25 +00:00			`warn!("Failed to update revision for {}", user.email);`
Update affected users revision when there are collection changes 2018-08-21 11:20:55 +00:00			`};`
			`};`
			`}`

Implement update_revision trigger 2018-08-13 09:58:39 +00:00			`pub fn update_revision(&mut self, conn: &DbConn) -> QueryResult<()> {`
Actually update the revision date for user struct, not just in DB 2018-08-21 09:36:04 +00:00			`self.updated_at = Utc::now().naive_utc();`
Implement update_revision trigger 2018-08-13 09:58:39 +00:00			`diesel::update(`
			`users::table.filter(`
			`users::uuid.eq(&self.uuid)`
			`)`
			`)`
Actually update the revision date for user struct, not just in DB 2018-08-21 09:36:04 +00:00			`.set(users::updated_at.eq(&self.updated_at))`
Implement update_revision trigger 2018-08-13 09:58:39 +00:00			`.execute(&**conn).and(Ok(()))`
			`}`

Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00			`pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {`
First working version 2018-02-10 00:00:55 +00:00			`let lower_mail = mail.to_lowercase();`
			`users::table`
			`.filter(users::email.eq(lower_mail))`
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00			`.first::<Self>(&**conn).ok()`
First working version 2018-02-10 00:00:55 +00:00			`}`

Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00			`pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {`
First working version 2018-02-10 00:00:55 +00:00			`users::table`
			`.filter(users::uuid.eq(uuid))`
Upload and download attachments, and added License file 2018-02-14 23:40:34 +00:00			`.first::<Self>(&**conn).ok()`
First working version 2018-02-10 00:00:55 +00:00			`}`
Implement poor man's admin panel 2018-10-12 14:20:10 +00:00
			`pub fn get_all(conn: &DbConn) -> Vec<Self> {`
			`users::table`
			`.load::<Self>(&**conn).expect("Error loading users")`
			`}`
First working version 2018-02-10 00:00:55 +00:00			`}`
Implement poor man's invitation via Organization invitation 2018-09-10 13:51:40 +00:00
			`#[derive(Debug, Identifiable, Queryable, Insertable)]`
			`#[table_name = "invitations"]`
			`#[primary_key(email)]`
			`pub struct Invitation {`
			`pub email: String,`
			`}`

			`impl Invitation {`
			`pub fn new(email: String) -> Self {`
			`Self {`
			`email`
			`}`
			`}`

			`pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {`
			`diesel::replace_into(invitations::table)`
			`.values(&*self)`
			`.execute(&**conn)`
			`.and(Ok(()))`
			`}`

			`pub fn delete(self, conn: &DbConn) -> QueryResult<()> {`
			`diesel::delete(invitations::table.filter(`
			`invitations::email.eq(self.email)))`
			`.execute(&**conn)`
			`.and(Ok(()))`
			`}`

			`pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {`
			`let lower_mail = mail.to_lowercase();`
			`invitations::table`
			`.filter(invitations::email.eq(lower_mail))`
			`.first::<Self>(&**conn).ok()`
			`}`

			`pub fn take(mail: &str, conn: &DbConn) -> bool {`
			`CONFIG.invitations_allowed &&`
			`match Self::find_by_mail(mail, &conn) {`
			`Some(invitation) => invitation.delete(&conn).is_ok(),`
			`None => false`
			`}`
			`}`
			`}`