diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index b78bf128..22712003 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -2063,12 +2063,12 @@ async fn list_policies_token(org_id: OrganizationId, token: &str, mut conn: DbCo
 async fn get_master_password_policy(org_id: OrganizationId, _headers: Headers, mut conn: DbConn) -> JsonResult {
 let policy = OrgPolicy::find_by_org_and_type(&org_id, OrgPolicyType::MasterPassword, &mut conn).await.unwrap_or_else(|| {
- let data = match CONFIG.sso_master_password_policy() {
- Some(policy) => policy,
- None => "null".to_string(),
+ let (enabled, data) = match CONFIG.sso_master_password_policy_value() {
+ Some(policy) if CONFIG.sso_enabled() => (true, policy.to_string()),
+ _ => (false, "null".to_string()),
 };
- OrgPolicy::new(org_id, OrgPolicyType::MasterPassword, CONFIG.sso_master_password_policy().is_some(), data)
+ OrgPolicy::new(org_id, OrgPolicyType::MasterPassword, enabled, data)
 });
 Ok(Json(policy.to_json()))
diff --git a/src/api/mod.rs b/src/api/mod.rs
index e0df1e64..6227b56f 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -110,8 +110,8 @@ async fn master_password_policy(user: &User, conn: &DbConn) -> Value {
 enforce_on_login: acc.enforce_on_login || policy.enforce_on_login,
 }
 }))
- } else if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
- serde_json::from_str(&policy_str).unwrap_or(json!({}))
+ } else if CONFIG.sso_enabled() {
+ CONFIG.sso_master_password_policy_value().unwrap_or(json!({}))
 } else {
 json!({})
 };
diff --git a/src/config.rs b/src/config.rs
index 75caadbd..878d3861 100644
--- a/src/config.rs
+++ b/src/config.rs
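Review bot: In the new `match`, `CONFIG.sso_master_password_policy_value()` is evaluated before the `if CONFIG.sso_enabled()` guard is consulted, so the policy string is re-read and re-parsed on every request even when SSO is off, and the guard shape differs from the `else if CONFIG.sso_enabled()` form the same commit uses in src/api/mod.rs. Checking the flag first keeps both call sites consistent and avoids the needless parse: `let policy_value = if CONFIG.sso_enabled() { CONFIG.sso_master_password_policy_value() } else { None };` followed by `let enabled = policy_value.is_some();` and `let data = policy_value.map_or_else(|| "null".to_string(), |p| p.to_string());`. A one-line comment above the closure would also help the reader, e.g. `// No stored org policy: build a transient one from the SSO config; "null" data when no valid SSO policy applies.` The body of `get_master_password_policy` continues past the end of this hunk.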
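Review bot: The new `else if CONFIG.sso_enabled()` branch silently fails open, because `sso_master_password_policy_value()` drops the validation error with `.ok()`: when SSO is enabled but the configured policy is unset or did not validate, clients receive `{}`, i.e. no master-password policy is enforced, and nothing in this branch says so. I would add `// No org policy: use the SSO policy; an unset or invalid SSO policy yields {} (no enforcement).` above the branch, and prefer `CONFIG.sso_master_password_policy_value().unwrap_or_else(|| json!({}))` so the fallback is only built when needed. `master_password_policy` begins and ends outside this hunk.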
@@ -974,7 +974,7 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
 validate_internal_sso_issuer_url(&cfg.sso_authority)?;
 validate_internal_sso_redirect_url(&cfg.sso_callback_path)?;
- check_master_password_policy(&cfg.sso_master_password_policy)?;
+ validate_sso_master_password_policy(&cfg.sso_master_password_policy)?;
 }
 if cfg._enable_yubico {
@@ -1168,12 +1168,19 @@ fn validate_internal_sso_redirect_url(sso_callback_path: &String) -> Result) -> Result<(), Error> {
+fn validate_sso_master_password_policy(
+ sso_master_password_policy: &Option,
+) -> Result, Error> {
 let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::(mpp));
- if let Some(Err(error)) = policy {
- err!(format!("Invalid sso_master_password_policy ({error}), Ensure that it's correctly escaped with ''"))
+
+ match policy {
+ None => Ok(None),
+ Some(Ok(jsobject @ serde_json::Value::Object(_))) => Ok(Some(jsobject)),
+ Some(Ok(_)) => err!("Invalid sso_master_password_policy: parsed value is not a JSON object"),
+ Some(Err(error)) => {
+ err!(format!("Invalid sso_master_password_policy ({error}), Ensure that it's correctly escaped with ''"))
+ }
 }
- Ok(())
 }
 /// Extracts an RFC 6454 web origin from a URL.
@@ -1578,6 +1585,10 @@ impl Config {
 validate_internal_sso_redirect_url(&self.sso_callback_path())
 }
+ pub fn sso_master_password_policy_value(&self) -> Option {
+ validate_sso_master_password_policy(&self.sso_master_password_policy()).ok().flatten()
+ }
+
 pub fn sso_scopes_vec(&self) -> Vec {
 self.sso_scopes().split_whitespace().map(str::to_string).collect()
 }
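Review bot: `validate_sso_master_password_policy` now rejects non-object JSON but still accepts any object, so a policy with misspelled or mistyped fields passes startup validation and is handed to clients verbatim; since the first branch of `master_password_policy` in src/api/mod.rs reads typed fields such as `enforce_on_login`, deserializing into that typed policy struct here (if the crate has one) would report such mistakes where the administrator sees them rather than at request time. The function also gained a return value without a doc comment; I would add `/// Parses the configured SSO master password policy: Ok(None) when unset, Ok(Some(object)) when it is a JSON object, Err for malformed JSON or a non-object value.` The leading context lines of this hunk, including the start of the removed signature, appear to have been lost in this rendering.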
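Review bot: `sso_master_password_policy_value` discards the validation error with `.ok().flatten()`, so a policy that failed validation is indistinguishable from one that was never set, and the string is re-parsed on every call even though both callers in this diff are request handlers. `validate_config` surfaces the error with `?` in the first hunk of this file, but if the configuration can change after startup the failure would go unnoticed at this accessor; at minimum the contract should be documented: `/// The configured SSO master password policy as a JSON object, or None when unset or when it failed validation (the error is dropped here; validate_config reports it).` If callers only ever use the value together with `sso_enabled()`, folding that check into this accessor would give both call sites identical semantics.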