Commit graph

1816 commits

Author SHA1 Message Date
Daniel García
46df3ee7cd
Updated insecure ws dependency and general dep updates 2020-12-15 22:23:12 +01:00
Daniel García
bb945ad01b
Merge pull request #1243 from BlackDex/fix-key-rotate
Fix Key Rotation during password change.
2020-12-14 20:56:31 +01:00
BlackDex
de86aa671e Fix Key Rotation during password change
When ticking the 'Also rotate my account's encryption key' box, the key
rotated ciphers are posted after the change of password.

During the password change the security stamp was reseted which made
the posted key's return an invalid auth. This reset is needed to prevent other clients from still being able to read/write.

This fixes this by adding a new database column which stores a stamp exception which includes the allowed route and the current security stamp before it gets reseted.
When the security stamp check fails it will check if there is a stamp exception and tries to match the route and security stamp.

Currently it only allows for one exception. But if needed we could expand it by using a Vec<UserStampException> and change the functions accordingly.

fixes #1240
2020-12-14 19:58:23 +01:00
Daniel García
e38771bbbd
Merge pull request #1267 from jjlin/datetime-cleanup
Clean up datetime output and code
2020-12-14 18:36:39 +01:00
Daniel García
a3f9a8d7dc
Merge pull request #1265 from jjlin/cipher-rev-date
Fix stale data check failure when cloning a cipher
2020-12-14 18:35:17 +01:00
Daniel García
4b6bc6ef66
Merge pull request #1266 from BlackDex/icon-user-agent
Small update on favicon downloading
2020-12-14 18:34:07 +01:00
Jeremy Lin
455a23361f Clean up datetime output and code
* For clarity, add `UTC` suffix for datetimes in the `Diagnostics` admin tab.
* Format datetimes in the local timezone in the `Users` admin tab.
* Refactor some datetime code and add doc comments.
2020-12-13 19:49:22 -08:00
BlackDex
1a8ec04733 Small update on favicon downloading
- Changed the user-agent, which caused at least one site to stall the
  connection (Same happens on icons.bitwarden.com)
- Added default_header creation to the lazy static CLIENT
- Added referer passing, which is checked by some sites
- Some small other changes
2020-12-10 23:13:24 +01:00
Jeremy Lin
4e60df7a08 Fix stale data check failure when cloning a cipher 2020-12-10 00:17:34 -08:00
Daniel García
219a9d9f5e
Merge pull request #1262 from BlackDex/icon-fixes
Updated icon downloading.
2020-12-08 18:05:05 +01:00
BlackDex
48baf723a4 Updated icon downloading
- Added more checks to prevent panics (Removed unwrap)
- Try do download from base domain or add www when the provided domain
  fails
- Added some more domain validation checks to prevent errors
- Added the ICON_BLACKLIST_REGEX to a Lazy Static HashMap which
  speeds-up the checks!
- Validate the Regex before starting/config change.
- Some cleanups
- Disabled some noisy debugging from 2 crates.
2020-12-08 17:34:18 +01:00
Daniel García
6530904883
Update web vault version to 2.17.1 2020-12-08 16:43:19 +01:00
Daniel García
d15d24f4ff
Merge pull request #1242 from BlackDex/allow-manager-role
Adding Manager Role support
2020-12-08 16:11:55 +01:00
Daniel García
8d992d637e
Merge pull request #1257 from jjlin/cipher-rev-date
Validate cipher updates with revision date
2020-12-08 15:59:21 +01:00
Daniel García
6ebc83c3b7
Merge pull request #1247 from janost/admin-disable-user
Implement admin ability to enable/disable users
2020-12-08 15:43:56 +01:00
Daniel García
b32f4451ee
Merge branch 'master' into admin-disable-user 2020-12-08 15:42:37 +01:00
Daniel García
99142c7552
Merge pull request #1252 from BlackDex/update-dependencies-20201203
Updated dependencies and Dockerfiles
2020-12-08 15:33:41 +01:00
Daniel García
db710bb931
Merge pull request #1245 from janost/user-last-login
Show last active it on admin users page
2020-12-08 15:31:25 +01:00
Jeremy Lin
a9e9a397d8 Validate cipher updates with revision date
Prevent clients from updating a cipher if the local copy is stale.
Validation is only performed when the client provides its last known
revision date; this date isn't provided when using older clients,
or when the operation doesn't involve updating an existing cipher.

Upstream PR: https://github.com/bitwarden/server/pull/994
2020-12-07 19:34:00 -08:00
BlackDex
d46a6ac687 Updated dependencies and Dockerfiles
- Updated crates
- Updated rust-toolchain
- Updated Dockerfile to use latest rust 1.48 version
- Updated AMD64 Alpine to use same version as rust-toolchain and support
  PostgreSQL.
- Updated Rocket to the commit right before they updated hyper.
  Until that update there were some crates updated and some small fixes.
  After that build fails and we probably need to make some changes
(which is probably something already done in the async branch)
2020-12-04 13:38:42 +01:00
janost
1eb5495802 Show latest active device as last active on admin page 2020-12-03 17:07:32 +01:00
BlackDex
7cf8809d77 Adding Manager Role support
This has been requested a few times (#1136 & #246 & forum), and there already were two
(1:1 duplicate) PR's (#1222 & #1223) which needed some changes and no
followups or further comments unfortunally.

This PR adds two auth headers.
- ManagerHeaders
  Checks if the user-type is Manager or higher and if the manager is
part of that collection or not.
- ManagerHeadersLoose
  Check if the user-type is Manager or higher, but does not check if the
user is part of the collection, needed for a few features like
retreiving all the users of an org.

I think this is the safest way to implement this instead of having to
check this within every function which needs this manually.

Also some extra checks if a manager has access to all collections or
just a selection.

fixes #1136
2020-12-02 22:50:51 +01:00
janost
043aa27aa3 Implement admin ability to enable/disable users 2020-11-30 23:12:56 +01:00
Daniel García
9824d94a1c
Merge pull request #1244 from janost/read-config-from-files
Read config vars from files
2020-11-29 15:28:13 +01:00
janost
e8ef76b8f9 Read config vars from files 2020-11-29 02:31:49 +01:00
Daniel García
be1ddb4203
Merge pull request #1234 from janost/fix-failed-auth-log
Log proper namespace in the err!() macro
2020-11-27 18:49:46 +01:00
janost
caddf21fca Log proper namespace in the err!() macro 2020-11-22 00:09:45 +01:00
Daniel García
5379329ef7
Merge pull request #1229 from BlackDex/email-fixes
Email fixes
2020-11-18 16:16:27 +01:00
BlackDex
6faaeaae66 Updated email processing.
- Added an option to enable smtp debugging via SMTP_DEBUG. This will
  trigger a trace of the smtp commands sent/received to/from the mail
server. Useful when troubleshooting.
- Added two options to ignore invalid certificates which either do not
  match at all, or only doesn't match the hostname.
- Updated lettre to the latest alpha.4 version.
2020-11-18 12:07:08 +01:00
BlackDex
3fed323385 Fixed plain/text email format
plain/text emails should not contain html elements like <p> <a> etc..
This triggers some spamfilters and increases the spam score.

Also added the github link into the text only emails since this also
triggers spamfilters to increase the score since the url/link count is
different between the multipart messages.
2020-11-18 12:04:16 +01:00
BlackDex
58a928547d Updated admin settings page.
- Added check if settings are changed but not saved when sending test
  email.
- Added some styling to emphasize some risks settings.
- Fixed alignment of elements when the label has multiple lines.
2020-11-18 12:00:25 +01:00
Daniel García
558410c5bd
Merge pull request #1220 from jameshurst/master
Return 404 instead of fallback icon
2020-11-14 14:17:53 +01:00
Daniel García
0dc0decaa7
Merge pull request #1212 from BlackDex/dotenv-warnings
Added error handling during dotenv loading
2020-11-14 14:11:56 +01:00
BlackDex
d11d663c5c Added error handling during dotenv loading
Some issue people report are because of misconfiguration or bad .env
files. To mittigate this i added error handling for this.

- Panic/Quit on a LineParse error, which indicates bad .env file format.
- Emits a info message when there is no .env file found.
- Emits a warning message when there is a .env file, but not no
  permissions.
- Emits a warning on every other message not specifically catched.
2020-11-12 13:40:26 +01:00
James Hurst
771233176f Fix for negcached icons 2020-11-09 22:06:11 -05:00
James Hurst
ed70b07d81 Return 404 instead of fallback icon 2020-11-09 20:47:26 -05:00
Daniel García
e25fc7083d
Merge pull request #1219 from aveao/master
Ensure that a user is actually in an org when applying policies
2020-11-07 23:29:12 +01:00
Ave
fa364c3f2c
Ensure that a user is actually in an org when applying policies 2020-11-08 01:14:17 +03:00
Daniel García
b5f9fe4d3b
Fix #1206 2020-11-07 23:03:02 +01:00
Daniel García
013d4c28b2
Try to fix #1218 2020-11-07 23:01:56 +01:00
Daniel García
63acc8619b
Update dependencies 2020-11-07 23:01:04 +01:00
Daniel García
ec920b5756
Merge pull request #1199 from jjlin/delete-admin
Add missing admin endpoints for deleting ciphers
2020-10-23 14:18:41 +02:00
Jeremy Lin
95caaf2a40 Add missing admin endpoints for deleting ciphers
This fixes the inability to bulk-delete ciphers from org vault views.
2020-10-23 03:42:22 -07:00
Mathijs van Veluw
7099f8bee8
Merge pull request #1198 from fabianvansteen/patch-1
Correction of verify_email error message
2020-10-23 11:40:39 +02:00
Fabian van Steen
b41a0d840c
Correction of verify_email error message 2020-10-23 10:30:25 +02:00
Daniel García
c577ade90e
Updated dependencies 2020-10-15 23:44:35 +02:00
Daniel García
257b143df1
Remove some duplicate code in Dockerfile with the help of some variables 2020-10-11 17:27:15 +02:00
Daniel García
34ee326ce9
Merge pull request #1178 from BlackDex/update-azure-pipelines
Updated the azure-pipelines.yml for multidb
2020-10-11 17:25:15 +02:00
Daniel García
090104ce1b
Merge pull request #1181 from BlackDex/update-issue-template
Updated bug-report to note to update first
2020-10-11 17:24:42 +02:00
BlackDex
3305d5dc92 Updated bug-report to note to update first 2020-10-11 15:58:31 +02:00