vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.

commit d5486670d8abf83309385ac6fa0b30ce55689528
parent 7a3308200a4256c492010c519831bc12ae0076c8
Author: Daniel García <dani-garcia@users.noreply.github.com>
Date:   Sat, 17 Feb 2018 01:13:02 +0100

Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH)

Diffstat:
M.dockerignore | 6+-----
MDockerfile | 6++----
MREADME.md | 40+++++++++++++++++++---------------------
Msrc/main.rs | 77+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------
4 files changed, 85 insertions(+), 44 deletions(-)

diff --git a/.dockerignore b/.dockerignore
@@ -9,13 +9,9 @@ data
 .idea
 *.iml
-# Git and Docker files
+# Git files
 .git
 .gitignore
-.gitmodules
-Dockerfile
-docker-compose.yml
-.dockerignore
 # Documentation
 *.md
diff --git a/Dockerfile b/Dockerfile
@@ -10,19 +10,17 @@ FROM rustlang/rust:nightly as build
 RUN apt-get update && \
 apt-get install -y sqlite3
-# Install the diesel_cli tool, to manage migrations
-# RUN cargo install diesel_cli --no-default-features --features sqlite
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin app
 WORKDIR /app
 # Copies over *only* your manifests and vendored dependencies
 COPY ./Cargo.* ./
-COPY ./_libs ./_libs
+COPY ./libs ./libs
 # Builds your dependencies and removes the
 # dummy project, except the target folder
+# This folder contains the compiled dependencies
 RUN cargo build --release
 RUN find . -not -path "./target*" -delete
diff --git a/README.md b/README.md
@@ -6,11 +6,25 @@ docker build -t dani/bitwarden_rs .
 # Run the docker image with a docker volume:
 docker volume create bw_data
-docker run --name bitwarden_rs -it --init --rm --mount source=bw_data,target=/data -p 8000:80 dani/bitwarden_rs
+docker run --name bitwarden_rs -t --init --rm --mount source=bw_data,target=/data -p 8000:80 dani/bitwarden_rs
+```
+
+#### Other possible Docker options
+
+To run the container in the background, add the `-d` parameter.
+
+To check the logs when in background, run `docker logs bitwarden_rs`
+
+To stop the container in background, run `docker stop bitwarden_rs`
-# OR, Run the docker image with a host bind, where <absolute_path> is the absolute path to a folder in the host:
-docker run --name bitwarden_rs -it --init --rm --mount type=bind,source=<absolute_path>,target=/data -p 8000:80 dani/bitwarden_rs
+To make sure the container is restarted automatically, add the `--restart unless-stopped` parameter
+
+To run the image with a host bind, change the `--mount` parameter to:
+```
+--mount type=bind,source=<absolute_path>,target=/data
 ```
+Where <absolute_path> is an absolute path in the hosts file system (e.g. C:\bitwarden\data)
+
 ## How to compile bitwarden_rs
 Install `rust nightly`, in Windows the recommended way is through `rustup`.
@@ -27,6 +41,7 @@ cargo build
 ## How to update the web-vault used
 Install `node.js` and either `yarn` or `npm` (usually included with node)
+
 Clone the web-vault outside the project:
 ```
 git clone https://github.com/bitwarden/web.git web-vault
@@ -58,22 +73,6 @@ npx gulp dist:selfHosted
 Finally copy the contents of the `web-vault/dist` folder into the `bitwarden_rs/web-vault` folder.
-## How to create the RSA signing key for JWT
-Generate the RSA key:
-```
-openssl genrsa -out data/private_rsa_key.pem
-```
-
-Convert the generated key to .DER:
-```
-openssl rsa -in data/private_rsa_key.pem -outform DER -out data/private_rsa_key.der
-```
-
-And generate the public key:
-```
-openssl rsa -in data/private_rsa_key.der -inform DER -RSAPublicKey_out -outform DER -out data/public_rsa_key.der
-```
-
 ## How to recreate database schemas
 Install diesel-cli with cargo:
 ```
@@ -87,8 +86,7 @@ If you want to modify the schemas, create a new migration with:
 diesel migration generate <name>
 ```
-Modify the *.sql files, making sure that any changes are reverted
-in the down.sql file.
+Modify the *.sql files, making sure that any changes are reverted in the down.sql file.
 Apply the migrations and save the generated schemas as follows:
 ```
diff --git a/src/main.rs b/src/main.rs
@@ -67,17 +67,57 @@ fn main() {
 let connection = db::get_connection().expect("Can't conect to DB");
 embedded_migrations::run_with_output(&connection, &mut io::stdout()).expect("Can't run migrations");
- // Validate location of rsa keys
- if !util::file_exists(&CONFIG.private_rsa_key) {
- panic!("private_rsa_key doesn't exist");
- }
- if !util::file_exists(&CONFIG.public_rsa_key) {
- panic!("public_rsa_key doesn't exist");
- }
+ check_rsa_keys();
 init_rocket().launch();
 }
+fn check_rsa_keys() {
+ // If the RSA keys don't exist, try to create them
+ if !util::file_exists(&CONFIG.private_rsa_key)
+ || !util::file_exists(&CONFIG.public_rsa_key) {
+ println!("JWT keys don't exist, checking if OpenSSL is available...");
+ use std::process::{exit, Command};
+
+ Command::new("openssl")
+ .arg("version")
+ .output().unwrap_or_else(|_| {
+ println!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
+ exit(1);
+ });
+
+ println!("OpenSSL detected, creating keys...");
+
+ let mut success = Command::new("openssl").arg("genrsa")
+ .arg("-out").arg(&CONFIG.private_rsa_key_pem)
+ .output().expect("Failed to create private pem file")
+ .status.success();
+
+ success &= Command::new("openssl").arg("rsa")
+ .arg("-in").arg(&CONFIG.private_rsa_key_pem)
+ .arg("-outform").arg("DER")
+ .arg("-out").arg(&CONFIG.private_rsa_key)
+ .output().expect("Failed to create private der file")
+ .status.success();
+
+ success &= Command::new("openssl").arg("rsa")
+ .arg("-in").arg(&CONFIG.private_rsa_key)
+ .arg("-inform").arg("DER")
+ .arg("-RSAPublicKey_out")
+ .arg("-outform").arg("DER")
+ .arg("-out").arg(&CONFIG.public_rsa_key)
+ .output().expect("Failed to create public der file")
+ .status.success();
+
+ if success {
+ println!("Keys created correcty.");
+ } else {
+ println!("Error creating keys, exiting...");
+ exit(1);
+ }
+ }
+}
+
 lazy_static! {
 // Load the config from .env or from environment variables
 static ref CONFIG: Config = Config::load();
@@ -86,10 +126,13 @@ lazy_static! {
 #[derive(Debug)]
 pub struct Config {
 database_url: String,
- private_rsa_key: String,
- public_rsa_key: String,
 icon_cache_folder: String,
 attachments_folder: String,
+
+ private_rsa_key: String,
+ private_rsa_key_pem: String,
+ public_rsa_key: String,
+
 web_vault_folder: String,
 signups_allowed: bool,
@@ -100,12 +143,18 @@ impl Config {
 fn load() -> Self {
 dotenv::dotenv().ok();
+ let df = env::var("DATA_FOLDER").unwrap_or("data".into());
+ let key = env::var("RSA_KEY_NAME").unwrap_or("rsa_key".into());
+
 Config {
- database_url: env::var("DATABASE_URL").unwrap_or("data/db.sqlite3".into()),
- private_rsa_key: env::var("PRIVATE_RSA_KEY").unwrap_or("data/private_rsa_key.der".into()),
- public_rsa_key: env::var("PUBLIC_RSA_KEY").unwrap_or("data/public_rsa_key.der".into()),
- icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or("data/icon_cache".into()),
- attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or("data/attachments".into()),
+ database_url: env::var("DATABASE_URL").unwrap_or(format!("{}/{}", &df, "db.sqlite3")),
+ icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or(format!("{}/{}", &df, "icon_cache")),
+ attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or(format!("{}/{}", &df, "attachments")),
+
+ private_rsa_key: format!("{}/{}.der", &df, &key),
+ private_rsa_key_pem: format!("{}/{}.pem", &df, &key),
+ public_rsa_key: format!("{}/{}.pub.der", &df, &key),
+
 web_vault_folder: env::var("WEB_VAULT_FOLDER").unwrap_or("web-vault/".into()),
 signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(false),
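Review bot: `Command::new("openssl").arg("genrsa")` in check_rsa_keys passes no key size, so the strength of the JWT signing key is whatever the host's OpenSSL defaults to (1.0.x releases default to 1024 bits, as far as I recall); pin it explicitly with `.arg("-out").arg(&CONFIG.private_rsa_key_pem).arg("2048")`, keeping the bit count as the last genrsa argument. Each step's `.output()` captures stdout and stderr but only `status.success()` is kept, so a failing command reaches the `Error creating keys, exiting...` branch with no indication of the cause; printing `String::from_utf8_lossy(&out.stderr)` for the step that failed would make that diagnosable. The .pem and .der files are created with whatever mode the installed `openssl` binary applies, which older versions leave to the process umask, so it is worth verifying on the target image that the private key is not world-readable. The success message has a typo, `Keys created correctly.`. main() starts outside the hunk; check_rsa_keys is entirely inside it.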
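Review bot: The private key path in `Config::load` is now hard-wired to `format!("{}/{}.der", &df, &key)` and the `PRIVATE_RSA_KEY`/`PUBLIC_RSA_KEY` overrides are removed, so a deployment whose keys sit at the old default `data/private_rsa_key.der` will not find them at the new `data/rsa_key.der`, and check_rsa_keys will then generate a fresh signing key, invalidating every token issued before the upgrade. Either keep the old variables as overrides or document the rename and the new `DATA_FOLDER`/`RSA_KEY_NAME` knobs so operators can move the files; neither the README hunk nor the commit message mentions this. As a point of style, `unwrap_or(format!(...))` builds the default string even when the variable is set; `unwrap_or_else(|| format!("{}/{}", df, "db.sqlite3"))` avoids that, likewise for the icon cache and attachments defaults. fn load's body continues outside the hunk.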