Merge pull request #3281 from BlackDex/fix-web-vault-issues

Fix the web-vault v2023.2.0 API calls
2025-06-17 17:00:10 +00:00 · 2023-02-28 23:45:59 +01:00 · 2023-02-28 23:45:59 +01:00 · 0426051541
commit 0426051541
parent 4556f668de 7ec00d3850
10 changed files with 396 additions and 95 deletions
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@ -6,7 +6,7 @@ use super::{
    Attachment, CollectionCipher, Favorite, FolderCipher, Group, User, UserOrgStatus, UserOrgType, UserOrganization,
 };

-use crate::api::core::{CipherData, CipherSyncData};
+use crate::api::core::{CipherData, CipherSyncData, CipherSyncType};

 use std::borrow::Cow;

@ -114,6 +114,7 @@ impl Cipher {
        host: &str,
        user_uuid: &str,
        cipher_sync_data: Option<&CipherSyncData>,
+        sync_type: CipherSyncType,
        conn: &mut DbConn,
    ) -> Value {
        use crate::util::format_date;
@ -134,12 +135,18 @@ impl Cipher {
        let password_history_json =
            self.password_history.as_ref().and_then(|s| serde_json::from_str(s).ok()).unwrap_or(Value::Null);

-        let (read_only, hide_passwords) = match self.get_access_restrictions(user_uuid, cipher_sync_data, conn).await {
-            Some((ro, hp)) => (ro, hp),
-            None => {
-                error!("Cipher ownership assertion failure");
-                (true, true)
+        // We don't need these values at all for Organizational syncs
+        // Skip any other database calls if this is the case and just return false.
+        let (read_only, hide_passwords) = if sync_type == CipherSyncType::User {
+            match self.get_access_restrictions(user_uuid, cipher_sync_data, conn).await {
+                Some((ro, hp)) => (ro, hp),
+                None => {
+                    error!("Cipher ownership assertion failure");
+                    (true, true)
+                }
            }
+        } else {
+            (false, false)
        };

        // Get the type_data or a default to an empty json object '{}'.
@ -192,8 +199,6 @@ impl Cipher {
            "CreationDate": format_date(&self.created_at),
            "RevisionDate": format_date(&self.updated_at),
            "DeletedDate": self.deleted_at.map_or(Value::Null, |d| Value::String(format_date(&d))),
-            "FolderId": if let Some(cipher_sync_data) = cipher_sync_data { cipher_sync_data.cipher_folders.get(&self.uuid).map(|c| c.to_string() ) } else { self.get_folder_uuid(user_uuid, conn).await },
-            "Favorite": if let Some(cipher_sync_data) = cipher_sync_data { cipher_sync_data.cipher_favorites.contains(&self.uuid) } else { self.is_favorite(user_uuid, conn).await },
            "Reprompt": self.reprompt.unwrap_or(RepromptType::None as i32),
            "OrganizationId": self.organization_uuid,
            "Attachments": attachments_json,
@ -210,12 +215,6 @@ impl Cipher {

            "Data": data_json,

-            // These values are true by default, but can be false if the
-            // cipher belongs to a collection where the org owner has enabled
-            // the "Read Only" or "Hide Passwords" restrictions for the user.
-            "Edit": !read_only,
-            "ViewPassword": !hide_passwords,
-
            "PasswordHistory": password_history_json,

            // All Cipher types are included by default as null, but only the matching one will be populated
@ -225,6 +224,27 @@ impl Cipher {
            "Identity": null,
        });

+        // These values are only needed for user/default syncs
+        // Not during an organizational sync like `get_org_details`
+        // Skip adding these fields in that case
+        if sync_type == CipherSyncType::User {
+            json_object["FolderId"] = json!(if let Some(cipher_sync_data) = cipher_sync_data {
+                cipher_sync_data.cipher_folders.get(&self.uuid).map(|c| c.to_string())
+            } else {
+                self.get_folder_uuid(user_uuid, conn).await
+            });
+            json_object["Favorite"] = json!(if let Some(cipher_sync_data) = cipher_sync_data {
+                cipher_sync_data.cipher_favorites.contains(&self.uuid)
+            } else {
+                self.is_favorite(user_uuid, conn).await
+            });
+            // These values are true by default, but can be false if the
+            // cipher belongs to a collection or group where the org owner has enabled
+            // the "Read Only" or "Hide Passwords" restrictions for the user.
+            json_object["Edit"] = json!(!read_only);
+            json_object["ViewPassword"] = json!(!hide_passwords);
+        }
+
        let key = match self.atype {
            1 => "Login",
            2 => "SecureNote",
@ -740,6 +760,7 @@ impl Cipher {
            .or_filter(groups::access_all.eq(true)) //Access via group
            .or_filter(collections_groups::collections_uuid.is_not_null()) //Access via group
            .select(ciphers_collections::all_columns)
+            .distinct()
            .load::<(String, String)>(conn).unwrap_or_default()
        }}
    }
--- a/src/db/models/collection.rs
+++ b/src/db/models/collection.rs
@ -407,6 +407,19 @@ impl CollectionUser {
        }}
    }

+    pub async fn find_by_organization(org_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
+        db_run! { conn: {
+            users_collections::table
+                .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid)))
+                .filter(collections::org_uuid.eq(org_uuid))
+                .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)))
+                .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords))
+                .load::<CollectionUserDb>(conn)
+                .expect("Error loading users_collections")
+                .from_db()
+        }}
+    }
+
    pub async fn save(
        user_uuid: &str,
        collection_uuid: &str,
@ -490,6 +503,21 @@ impl CollectionUser {
        }}
    }

+    pub async fn find_by_collection_swap_user_uuid_with_org_user_uuid(
+        collection_uuid: &str,
+        conn: &mut DbConn,
+    ) -> Vec<Self> {
+        db_run! { conn: {
+            users_collections::table
+                .filter(users_collections::collection_uuid.eq(collection_uuid))
+                .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)))
+                .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords))
+                .load::<CollectionUserDb>(conn)
+                .expect("Error loading users_collections")
+                .from_db()
+        }}
+    }
+
    pub async fn find_by_collection_and_user(
        collection_uuid: &str,
        user_uuid: &str,
--- a/src/db/models/group.rs
+++ b/src/db/models/group.rs
@ -64,7 +64,32 @@ impl Group {
            "AccessAll": self.access_all,
            "ExternalId": self.external_id,
            "CreationDate": format_date(&self.creation_date),
-            "RevisionDate": format_date(&self.revision_date)
+            "RevisionDate": format_date(&self.revision_date),
+            "Object": "group"
+        })
+    }
+
+    pub async fn to_json_details(&self, conn: &mut DbConn) -> Value {
+        let collections_groups: Vec<Value> = CollectionGroup::find_by_group(&self.uuid, conn)
+            .await
+            .iter()
+            .map(|entry| {
+                json!({
+                    "Id": entry.collections_uuid,
+                    "ReadOnly": entry.read_only,
+                    "HidePasswords": entry.hide_passwords
+                })
+            })
+            .collect();
+
+        json!({
+            "Id": self.uuid,
+            "OrganizationId": self.organizations_uuid,
+            "Name": self.name,
+            "AccessAll": self.access_all,
+            "ExternalId": self.external_id,
+            "Collections": collections_groups,
+            "Object": "groupDetails"
        })
    }

--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@ -326,7 +326,7 @@ impl UserOrganization {
            // TODO: Add support for Custom User Roles
            // See: https://bitwarden.com/help/article/user-types-access-control/#custom-role
            // "Permissions": {
-            //     "AccessEventLogs": false, // Not supported
+            //     "AccessEventLogs": false,
            //     "AccessImportExport": false,
            //     "AccessReports": false,
            //     "ManageAllCollections": false,
@ -337,9 +337,9 @@ impl UserOrganization {
            //     "editAssignedCollections": false,
            //     "deleteAssignedCollections": false,
            //     "ManageCiphers": false,
-            //     "ManageGroups": false, // Not supported
+            //     "ManageGroups": false,
            //     "ManagePolicies": false,
-            //     "ManageResetPassword": false, // Not supported
+            //     "ManageResetPassword": false,
            //     "ManageSso": false, // Not supported
            //     "ManageUsers": false,
            //     "ManageScim": false, // Not supported (Not AGPLv3 Licensed)
@ -358,7 +358,12 @@ impl UserOrganization {
        })
    }

-    pub async fn to_json_user_details(&self, conn: &mut DbConn) -> Value {
+    pub async fn to_json_user_details(
+        &self,
+        include_collections: bool,
+        include_groups: bool,
+        conn: &mut DbConn,
+    ) -> Value {
        let user = User::find_by_uuid(&self.user_uuid, conn).await.unwrap();

        // Because BitWarden want the status to be -1 for revoked users we need to catch that here.
@ -371,11 +376,37 @@ impl UserOrganization {

        let twofactor_enabled = !TwoFactor::find_by_user(&user.uuid, conn).await.is_empty();

+        let groups: Vec<String> = if include_groups && CONFIG.org_groups_enabled() {
+            GroupUser::find_by_user(&self.uuid, conn).await.iter().map(|gu| gu.groups_uuid.clone()).collect()
+        } else {
+            // The Bitwarden clients seem to call this API regardless of whether groups are enabled,
+            // so just act as if there are no groups.
+            Vec::with_capacity(0)
+        };
+
+        let collections: Vec<Value> = if include_collections {
+            CollectionUser::find_by_organization_and_user_uuid(&self.org_uuid, &self.user_uuid, conn)
+                .await
+                .iter()
+                .map(|cu| {
+                    json!({
+                        "Id": cu.collection_uuid,
+                        "ReadOnly": cu.read_only,
+                        "HidePasswords": cu.hide_passwords,
+                    })
+                })
+                .collect()
+        } else {
+            Vec::with_capacity(0)
+        };
+
        json!({
            "Id": self.uuid,
            "UserId": self.user_uuid,
            "Name": user.name,
            "Email": user.email,
+            "Groups": groups,
+            "Collections": collections,

            "Status": status,
            "Type": self.atype,