Merge branch '2fa_enforcement' of https://github.com/olivierIllogika/bitwarden_rs into olivierIllogika-2fa_enforcement

2025-06-12 13:17:43 +02:00 · 2021-07-15 19:27:36 +02:00
parent fef76e2f6f 39167d333a
commit 4f08167d6f
9 changed files with 223 additions and 7 deletions
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -646,6 +646,19 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
                    err!("User already accepted the invitation")
                }

+                let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).is_empty();
+
+                let policy = OrgPolicyType::TwoFactorAuthentication as i32;
+                let org_twofactor_policy_enabled =
+                    match OrgPolicy::find_by_org_and_type(&user_org.org_uuid, policy, &conn) {
+                        Some(p) => p.enabled,
+                        None => false,
+                    };
+
+                if org_twofactor_policy_enabled && user_twofactor_disabled {
+                    err!("You cannot join this organization until you enable two-step login on your user account.")
+                }
+
                user_org.status = UserOrgStatus::Accepted as i32;
                user_org.save(&conn)?;
            }
@ -998,6 +1011,24 @@ fn put_policy(
        None => err!("Invalid policy type"),
    };

+    if pol_type_enum == OrgPolicyType::TwoFactorAuthentication && data.enabled {
+        let org_list = UserOrganization::find_by_org(&org_id, &conn);
+
+        for user_org in org_list.into_iter() {
+            let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).is_empty();
+
+            if user_twofactor_disabled && user_org.atype < UserOrgType::Admin {
+                if CONFIG.mail_enabled() {
+                    let org = Organization::find_by_uuid(&user_org.org_uuid, &conn).unwrap();
+                    let user = User::find_by_uuid(&user_org.user_uuid, &conn).unwrap();
+
+                    mail::send_2fa_removed_from_org(&user.email, &org.name)?;
+                }
+                user_org.delete(&conn)?;
+            }
+        }
+    }
+
    let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) {
        Some(p) => p,
        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),
--- a/src/api/core/two_factor/mod.rs
+++ b/src/api/core/two_factor/mod.rs
@ -7,10 +7,8 @@ use crate::{
    api::{JsonResult, JsonUpcase, NumberOrString, PasswordData},
    auth::Headers,
    crypto,
-    db::{
-        models::{TwoFactor, User},
-        DbConn,
-    },
+    db::{models::*, DbConn},
+    mail, CONFIG,
 };

 pub mod authenticator;
@ -130,6 +128,23 @@ fn disable_twofactor(data: JsonUpcase<DisableTwoFactorData>, headers: Headers, c
        twofactor.delete(&conn)?;
    }

+    let twofactor_disabled = TwoFactor::find_by_user(&user.uuid, &conn).is_empty();
+
+    if twofactor_disabled {
+        let policy_type = OrgPolicyType::TwoFactorAuthentication;
+        let org_list = UserOrganization::find_by_user_and_policy(&user.uuid, policy_type, &conn);
+
+        for user_org in org_list.into_iter() {
+            if user_org.atype < UserOrgType::Admin {
+                if CONFIG.mail_enabled() {
+                    let org = Organization::find_by_uuid(&user_org.org_uuid, &conn).unwrap();
+                    mail::send_2fa_removed_from_org(&user.email, &org.name)?;
+                }
+                user_org.delete(&conn)?;
+            }
+        }
+    }
+
    Ok(Json(json!({
        "Enabled": false,
        "Type": type_,