Skip to content

Commit

Permalink
Merge pull request dani-garcia#868 from jjlin/alt-base
Browse files Browse the repository at this point in the history
Add backend support for alternate base dir (subdir/subpath) hosting
  • Loading branch information
dani-garcia authored Feb 22, 2020
2 parents 22f9b8f + bd5824c commit 103c34a
Show file tree
Hide file tree
Showing 34 changed files with 125 additions and 94 deletions.
5 changes: 2 additions & 3 deletions docker/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
{% endif %}
FROM {{ vault_stage_base_image }} as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

Expand All @@ -42,8 +42,7 @@ RUN apk add --no-cache --upgrade curl tar
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
{% endif %}

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

{% if "alpine" in vault_stage_base_image %}
SHELL ["/bin/ash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]
Expand Down
5 changes: 2 additions & 3 deletions docker/aarch64/mysql/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/aarch64/sqlite/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/amd64/mysql/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/amd64/mysql/Dockerfile.alpine
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@
####################### VAULT BUILD IMAGE #######################
FROM alpine:3.11 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

RUN apk add --no-cache --upgrade curl tar

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/ash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/amd64/postgresql/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/amd64/postgresql/Dockerfile.alpine
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@
####################### VAULT BUILD IMAGE #######################
FROM alpine:3.11 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

RUN apk add --no-cache --upgrade curl tar

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/ash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/amd64/sqlite/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/amd64/sqlite/Dockerfile.alpine
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@
####################### VAULT BUILD IMAGE #######################
FROM alpine:3.11 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

RUN apk add --no-cache --upgrade curl tar

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/ash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/armv6/mysql/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/armv6/sqlite/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/armv7/mysql/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
5 changes: 2 additions & 3 deletions docker/armv7/sqlite/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,14 @@
####################### VAULT BUILD IMAGE #######################
FROM rust:1.40 as vault

ENV VAULT_VERSION "v2.12.0c"
ENV VAULT_VERSION "v2.12.0d"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

RUN mkdir /web-vault
WORKDIR /web-vault
WORKDIR /

SHELL ["/bin/bash", "-o", "nounset", "-o", "pipefail", "-o", "errexit", "-c"]

Expand Down
16 changes: 11 additions & 5 deletions src/api/admin.rs
Original file line number Diff line number Diff line change
Expand Up @@ -52,11 +52,15 @@ const ADMIN_PATH: &str = "/admin";
const BASE_TEMPLATE: &str = "admin/base";
const VERSION: Option<&str> = option_env!("GIT_VERSION");

fn admin_path() -> String {
format!("{}{}", CONFIG.domain_path(), ADMIN_PATH)
}

#[get("/", rank = 2)]
fn admin_login(flash: Option<FlashMessage>) -> ApiResult<Html<String>> {
// If there is an error, show it
let msg = flash.map(|msg| format!("{}: {}", msg.name(), msg.msg()));
let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg});
let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg, "urlpath": CONFIG.domain_path()});

// Return the page
let text = CONFIG.render_template(BASE_TEMPLATE, &json)?;
Expand All @@ -76,7 +80,7 @@ fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -
if !_validate_token(&data.token) {
error!("Invalid admin token. IP: {}", ip.ip);
Err(Flash::error(
Redirect::to(ADMIN_PATH),
Redirect::to(admin_path()),
"Invalid admin token, please try again.",
))
} else {
Expand All @@ -85,14 +89,14 @@ fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -
let jwt = encode_jwt(&claims);

let cookie = Cookie::build(COOKIE_NAME, jwt)
.path(ADMIN_PATH)
.path(admin_path())
.max_age(chrono::Duration::minutes(20))
.same_site(SameSite::Strict)
.http_only(true)
.finish();

cookies.add(cookie);
Ok(Redirect::to(ADMIN_PATH))
Ok(Redirect::to(admin_path()))
}
}

Expand All @@ -111,6 +115,7 @@ struct AdminTemplateData {
config: Value,
can_backup: bool,
logged_in: bool,
urlpath: String,
}

impl AdminTemplateData {
Expand All @@ -122,6 +127,7 @@ impl AdminTemplateData {
config: CONFIG.prepare_json(),
can_backup: *CAN_BACKUP,
logged_in: true,
urlpath: CONFIG.domain_path(),
}
}

Expand Down Expand Up @@ -167,7 +173,7 @@ fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> Empt
#[get("/logout")]
fn logout(mut cookies: Cookies) -> Result<Redirect, ()> {
cookies.remove(Cookie::named(COOKIE_NAME));
Ok(Redirect::to(ADMIN_PATH))
Ok(Redirect::to(admin_path()))
}

#[get("/users")]
Expand Down
2 changes: 1 addition & 1 deletion src/api/core/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ fn hibp_breach(username: String) -> JsonResult {
"BreachDate": "2019-08-18T00:00:00Z",
"AddedDate": "2019-08-18T00:00:00Z",
"Description": format!("Go to: <a href=\"https://haveibeenpwned.com/account/{account}\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/account/{account}</a> for a manual check.<br/><br/>HaveIBeenPwned API key not set!<br/>Go to <a href=\"https://haveibeenpwned.com/API/Key\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/API/Key</a> to purchase an API key from HaveIBeenPwned.<br/><br/>", account=username),
"LogoPath": "/bwrs_static/hibp.png",
"LogoPath": "bwrs_static/hibp.png",
"PwnCount": 0,
"DataClasses": [
"Error - No API key set!"
Expand Down
14 changes: 12 additions & 2 deletions src/api/web.rs
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,17 @@ fn app_id() -> Cached<Content<Json<Value>>> {
{
"version": { "major": 1, "minor": 0 },
"ids": [
&CONFIG.domain(),
// Per <https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application>:
//
// "In the Web case, the FacetID MUST be the Web Origin [RFC6454]
// of the web page triggering the FIDO operation, written as
// a URI with an empty path. Default ports are omitted and any
// path component is ignored."
//
// This leaves it unclear as to whether the path must be empty,
// or whether it can be non-empty and will be ignored. To be on
// the safe side, use a proper web origin (with empty path).
&CONFIG.domain_origin(),
"ios:bundle-id:com.8bit.bitwarden",
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
}]
Expand Down Expand Up @@ -75,6 +85,6 @@ fn static_files(filename: String) -> Result<Content<&'static [u8]>, Error> {
"bootstrap-native-v4.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/bootstrap-native-v4.js"))),
"md5.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/md5.js"))),
"identicon.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/identicon.js"))),
_ => err!("Image not found"),
_ => err!(format!("Static file not found: {}", filename)),
}
}
10 changes: 5 additions & 5 deletions src/auth.rs
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,11 @@ const JWT_ALGORITHM: Algorithm = Algorithm::RS256;
lazy_static! {
pub static ref DEFAULT_VALIDITY: Duration = Duration::hours(2);
static ref JWT_HEADER: Header = Header::new(JWT_ALGORITHM);
pub static ref JWT_LOGIN_ISSUER: String = format!("{}|login", CONFIG.domain());
pub static ref JWT_INVITE_ISSUER: String = format!("{}|invite", CONFIG.domain());
pub static ref JWT_DELETE_ISSUER: String = format!("{}|delete", CONFIG.domain());
pub static ref JWT_VERIFYEMAIL_ISSUER: String = format!("{}|verifyemail", CONFIG.domain());
pub static ref JWT_ADMIN_ISSUER: String = format!("{}|admin", CONFIG.domain());
pub static ref JWT_LOGIN_ISSUER: String = format!("{}|login", CONFIG.domain_origin());
pub static ref JWT_INVITE_ISSUER: String = format!("{}|invite", CONFIG.domain_origin());
pub static ref JWT_DELETE_ISSUER: String = format!("{}|delete", CONFIG.domain_origin());
pub static ref JWT_VERIFYEMAIL_ISSUER: String = format!("{}|verifyemail", CONFIG.domain_origin());
pub static ref JWT_ADMIN_ISSUER: String = format!("{}|admin", CONFIG.domain_origin());
static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key()) {
Ok(key) => key,
Err(e) => panic!("Error loading private RSA Key.\n Error: {}", e),
Expand Down
21 changes: 21 additions & 0 deletions src/config.rs
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
use std::process::exit;
use std::sync::RwLock;

use reqwest::Url;

use crate::error::Error;
use crate::util::{get_env, get_env_bool};

Expand Down Expand Up @@ -240,6 +242,10 @@ make_config! {
domain: String, true, def, "http://localhost".to_string();
/// Domain Set |> Indicates if the domain is set by the admin. Otherwise the default will be used.
domain_set: bool, false, def, false;
/// Domain origin |> Domain URL origin (in https://example.com:8443/path, https://example.com:8443 is the origin)
domain_origin: String, false, auto, |c| extract_url_origin(&c.domain);
/// Domain path |> Domain URL path (in https://example.com:8443/path, /path is the path)
domain_path: String, false, auto, |c| extract_url_path(&c.domain);
/// Enable web vault
web_vault_enabled: bool, false, def, true;

Expand Down Expand Up @@ -457,6 +463,21 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
Ok(())
}

/// Extracts an RFC 6454 web origin from a URL.
fn extract_url_origin(url: &str) -> String {
let url = Url::parse(url).expect("valid URL");

url.origin().ascii_serialization()
}

/// Extracts the path from a URL.
/// All trailing '/' chars are trimmed, even if the path is a lone '/'.
fn extract_url_path(url: &str) -> String {
let url = Url::parse(url).expect("valid URL");

url.path().trim_end_matches('/').to_string()
}

impl Config {
pub fn load() -> Result<Self, Error> {
// Loading from env and file
Expand Down
Loading

0 comments on commit 103c34a

Please sign in to comment.