vaultwarden/src/main.rs

#![feature(proc_macro_hygiene, decl_macro, vec_remove_item, try_trait)]
#![recursion_limit = "128"]

#[macro_use]
extern crate rocket;
#[macro_use]
extern crate serde_derive;
#[macro_use]
extern crate serde_json;
#[macro_use]
extern crate log;
#[macro_use]
extern crate diesel;
#[macro_use]
extern crate diesel_migrations;
#[macro_use]
extern crate lazy_static;
#[macro_use]
extern crate derive_more;
#[macro_use]
extern crate num_derive;

use rocket::{fairing::AdHoc, Rocket};

use std::{
    path::Path,
    process::{exit, Command},
};

#[macro_use]
mod error;
mod api;
mod auth;
mod config;
mod crypto;
mod db;
mod mail;
mod util;

pub use config::CONFIG;

fn init_rocket() -> Rocket {
    rocket::ignite()
        .mount("/", api::web_routes())
        .mount("/api", api::core_routes())
        .mount("/admin", api::admin_routes())
        .mount("/identity", api::identity_routes())
        .mount("/icons", api::icons_routes())
        .mount("/notifications", api::notifications_routes())
        .manage(db::init_pool())
        .manage(api::start_notification_server())
        .attach(util::AppHeaders())
        .attach(unofficial_warning())
}

// Embed the migrations from the migrations folder into the application
// This way, the program automatically migrates the database to the latest version
// https://docs.rs/diesel_migrations/*/diesel_migrations/macro.embed_migrations.html
#[allow(unused_imports)]
mod migrations {
    embed_migrations!();

    pub fn run_migrations() {
        // Make sure the database is up to date (create if it doesn't exist, or run the migrations)
        let connection = crate::db::get_connection().expect("Can't conect to DB");

        use std::io::stdout;
        embedded_migrations::run_with_output(&connection, &mut stdout()).expect("Can't run migrations");
    }
}

fn main() {
    if CONFIG.extended_logging() {
        init_logging().ok();
    }

    check_db();
    check_rsa_keys();
    check_web_vault();
    migrations::run_migrations();

    init_rocket().launch();
}

fn init_logging() -> Result<(), fern::InitError> {
    let mut logger = fern::Dispatch::new()
        .format(|out, message, record| {
            out.finish(format_args!(
                "{}[{}][{}] {}",
                chrono::Local::now().format("[%Y-%m-%d %H:%M:%S]"),
                record.target(),
                record.level(),
                message
            ))
        })
        .level(log::LevelFilter::Debug)
        .level_for("hyper", log::LevelFilter::Warn)
        .level_for("rustls", log::LevelFilter::Warn)
        .level_for("handlebars", log::LevelFilter::Warn)
        .level_for("ws", log::LevelFilter::Info)
        .level_for("multipart", log::LevelFilter::Info)
        .level_for("html5ever", log::LevelFilter::Info)
        .chain(std::io::stdout());

    if let Some(log_file) = CONFIG.log_file() {
        logger = logger.chain(fern::log_file(log_file)?);
    }

    logger = chain_syslog(logger);
    logger.apply()?;

    Ok(())
}

#[cfg(not(feature = "enable_syslog"))]
fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {
    logger
}

#[cfg(feature = "enable_syslog")]
fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {
    let syslog_fmt = syslog::Formatter3164 {
        facility: syslog::Facility::LOG_USER,
        hostname: None,
        process: "bitwarden_rs".into(),
        pid: 0,
    };

    match syslog::unix(syslog_fmt) {
        Ok(sl) => logger.chain(sl),
        Err(e) => {
            error!("Unable to connect to syslog: {:?}", e);
            logger
        }
    }
}

fn check_db() {
    let url = CONFIG.database_url();
    let path = Path::new(&url);

    if let Some(parent) = path.parent() {
        use std::fs;
        if fs::create_dir_all(parent).is_err() {
            error!("Error creating database directory");
            exit(1);
        }
    }

    // Turn on WAL in SQLite
    use diesel::RunQueryDsl;
    let connection = db::get_connection().expect("Can't conect to DB");
    diesel::sql_query("PRAGMA journal_mode=wal")
        .execute(&connection)
        .expect("Failed to turn on WAL");
}

fn check_rsa_keys() {
    // If the RSA keys don't exist, try to create them
    if !util::file_exists(&CONFIG.private_rsa_key()) || !util::file_exists(&CONFIG.public_rsa_key()) {
        info!("JWT keys don't exist, checking if OpenSSL is available...");

        Command::new("openssl").arg("version").output().unwrap_or_else(|_| {
            info!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
            exit(1);
        });

        info!("OpenSSL detected, creating keys...");

        let mut success = Command::new("openssl")
            .arg("genrsa")
            .arg("-out")
            .arg(&CONFIG.private_rsa_key_pem())
            .output()
            .expect("Failed to create private pem file")
            .status
            .success();

        success &= Command::new("openssl")
            .arg("rsa")
            .arg("-in")
            .arg(&CONFIG.private_rsa_key_pem())
            .arg("-outform")
            .arg("DER")
            .arg("-out")
            .arg(&CONFIG.private_rsa_key())
            .output()
            .expect("Failed to create private der file")
            .status
            .success();

        success &= Command::new("openssl")
            .arg("rsa")
            .arg("-in")
            .arg(&CONFIG.private_rsa_key())
            .arg("-inform")
            .arg("DER")
            .arg("-RSAPublicKey_out")
            .arg("-outform")
            .arg("DER")
            .arg("-out")
            .arg(&CONFIG.public_rsa_key())
            .output()
            .expect("Failed to create public der file")
            .status
            .success();

        if success {
            info!("Keys created correctly.");
        } else {
            error!("Error creating keys, exiting...");
            exit(1);
        }
    }
}

fn check_web_vault() {
    if !CONFIG.web_vault_enabled() {
        return;
    }

    let index_path = Path::new(&CONFIG.web_vault_folder()).join("index.html");

    if !index_path.exists() {
        error!("Web vault is not found. To install it, please follow the steps in https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary#install-the-web-vault");
        exit(1);
    }
}

fn unofficial_warning() -> AdHoc {
    AdHoc::on_launch("Unofficial Warning", |_| {
        warn!("/--------------------------------------------------------------------\\");
        warn!("| This is an *unofficial* Bitwarden implementation, DO NOT use the   |");
        warn!("| official channels to report bugs/features, regardless of client.   |");
        warn!("| Report URL: https://github.com/dani-garcia/bitwarden_rs/issues/new |");
        warn!("\\--------------------------------------------------------------------/");
    })
}
Migrate to rust 2018 edition 6 years ago			`#![feature(proc_macro_hygiene, decl_macro, vec_remove_item, try_trait)]`
			`#![recursion_limit = "128"]`
Updated bw_rs to Rocket version 0.4-rc1 6 years ago
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`#[macro_use]`
			`extern crate rocket;`
			`#[macro_use]`
			`extern crate serde_derive;`
			`#[macro_use]`
			`extern crate serde_json;`
			`#[macro_use]`
			`extern crate log;`
			`#[macro_use]`
			`extern crate diesel;`
			`#[macro_use]`
			`extern crate diesel_migrations;`
			`#[macro_use]`
			`extern crate lazy_static;`
			`#[macro_use]`
			`extern crate derive_more;`
			`#[macro_use]`
			`extern crate num_derive;`

Implement unofficial warning message 6 years ago			`use rocket::{fairing::AdHoc, Rocket};`
Initial stab at templates 6 years ago
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`use std::{`
			`path::Path,`
			`process::{exit, Command},`
			`};`
First working version 7 years ago
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`#[macro_use]`
			`mod error;`
First working version 7 years ago			`mod api;`
			`mod auth;`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`mod config;`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`mod crypto;`
			`mod db;`
SMTP integration, send password hint by email. 7 years ago			`mod mail;`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`mod util;`
First working version 7 years ago
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`pub use config::CONFIG;`

First working version 7 years ago			`fn init_rocket() -> Rocket {`
			`rocket::ignite()`
			`.mount("/", api::web_routes())`
			`.mount("/api", api::core_routes())`
Remove config option for admin email, embdedded admin page, managed IO::Error, and added security and cache headers globally 6 years ago			`.mount("/admin", api::admin_routes())`
First working version 7 years ago			`.mount("/identity", api::identity_routes())`
			`.mount("/icons", api::icons_routes())`
Implemented basic support for prelogin and notification negotiation 7 years ago			`.mount("/notifications", api::notifications_routes())`
First working version 7 years ago			`.manage(db::init_pool())`
Initial version of websockets notification support. For now only folder notifications are sent (create, rename, delete). The notifications are only tested between two web-vault sessions in different browsers, mobile apps and browser extensions are untested. The websocket server is exposed in port 3012, while the rocket server is exposed in another port (8000 by default). To make notifications work, both should be accessible in the same port, which requires a reverse proxy. My testing is done with Caddy server, and the following config: ``` localhost { # The negotiation endpoint is also proxied to Rocket proxy /notifications/hub/negotiate 0.0.0.0:8000 { transparent } # Notifications redirected to the websockets server proxy /notifications/hub 0.0.0.0:3012 { websocket } # Proxy the Root directory to Rocket proxy / 0.0.0.0:8000 { transparent } } ``` This exposes the service in port 2015. 6 years ago			`.manage(api::start_notification_server())`
Remove config option for admin email, embdedded admin page, managed IO::Error, and added security and cache headers globally 6 years ago			`.attach(util::AppHeaders())`
Implement unofficial warning message 6 years ago			`.attach(unofficial_warning())`
First working version 7 years ago			`}`

			`// Embed the migrations from the migrations folder into the application`
			`// This way, the program automatically migrates the database to the latest version`
			`// https://docs.rs/diesel_migrations/*/diesel_migrations/macro.embed_migrations.html`
Updated dependencies and created 'rust-toolchain', to mark a working nightly to rustup users, and hopefully avoid some nightly breakage. 7 years ago			`#[allow(unused_imports)]`
			`mod migrations {`
			`embed_migrations!();`

			`pub fn run_migrations() {`
			`// Make sure the database is up to date (create if it doesn't exist, or run the migrations)`
Migrate to rust 2018 edition 6 years ago			`let connection = crate::db::get_connection().expect("Can't conect to DB");`
Updated dependencies and created 'rust-toolchain', to mark a working nightly to rustup users, and hopefully avoid some nightly breakage. 7 years ago
			`use std::io::stdout;`
			`embedded_migrations::run_with_output(&connection, &mut stdout()).expect("Can't run migrations");`
			`}`
			`}`
First working version 7 years ago
			`fn main() {`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`if CONFIG.extended_logging() {`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`init_logging().ok();`
			`}`

Check that the database folder exists before connecting If the parent folder ('data' by default) doesn't exist, the database won't be able to connect. 7 years ago			`check_db();`
			`check_rsa_keys();`
Added config option for websocket port, and reworked the config parsing a bit. Added SMTP_FROM config to examples and made it mandatory, it doesn't make much sense to not specify the from address. 6 years ago			`check_web_vault();`
Initial version of websockets notification support. For now only folder notifications are sent (create, rename, delete). The notifications are only tested between two web-vault sessions in different browsers, mobile apps and browser extensions are untested. The websocket server is exposed in port 3012, while the rocket server is exposed in another port (8000 by default). To make notifications work, both should be accessible in the same port, which requires a reverse proxy. My testing is done with Caddy server, and the following config: ``` localhost { # The negotiation endpoint is also proxied to Rocket proxy /notifications/hub/negotiate 0.0.0.0:8000 { transparent } # Notifications redirected to the websockets server proxy /notifications/hub 0.0.0.0:3012 { websocket } # Proxy the Root directory to Rocket proxy / 0.0.0.0:8000 { transparent } } ``` This exposes the service in port 2015. 6 years ago			`migrations::run_migrations();`
First working version 7 years ago
			`init_rocket().launch();`
			`}`

Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`fn init_logging() -> Result<(), fern::InitError> {`
			`let mut logger = fern::Dispatch::new()`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.format(\|out, message, record\| {`
			`out.finish(format_args!(`
			`"{}[{}][{}] {}",`
			`chrono::Local::now().format("[%Y-%m-%d %H:%M:%S]"),`
			`record.target(),`
			`record.level(),`
			`message`
			`))`
			`})`
			`.level(log::LevelFilter::Debug)`
			`.level_for("hyper", log::LevelFilter::Warn)`
Updated dependencies, removing need for yubico fork 6 years ago			`.level_for("rustls", log::LevelFilter::Warn)`
Implement admin JWT cookie, separate JWT issuers for each type of token and migrate admin page to handlebars template 6 years ago			`.level_for("handlebars", log::LevelFilter::Warn)`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.level_for("ws", log::LevelFilter::Info)`
			`.level_for("multipart", log::LevelFilter::Info)`
Added better favicon downloader. 6 years ago			`.level_for("html5ever", log::LevelFilter::Info)`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.chain(std::io::stdout());`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`if let Some(log_file) = CONFIG.log_file() {`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`logger = logger.chain(fern::log_file(log_file)?);`
			`}`

			`logger = chain_syslog(logger);`
			`logger.apply()?;`

			`Ok(())`
			`}`

			`#[cfg(not(feature = "enable_syslog"))]`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {`
			`logger`
			`}`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago
			`#[cfg(feature = "enable_syslog")]`
			`fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {`
			`let syslog_fmt = syslog::Formatter3164 {`
			`facility: syslog::Facility::LOG_USER,`
			`hostname: None,`
			`process: "bitwarden_rs".into(),`
			`pid: 0,`
			`};`

			`match syslog::unix(syslog_fmt) {`
			`Ok(sl) => logger.chain(sl),`
			`Err(e) => {`
			`error!("Unable to connect to syslog: {:?}", e);`
			`logger`
			`}`
			`}`
			`}`

Check that the database folder exists before connecting If the parent folder ('data' by default) doesn't exist, the database won't be able to connect. 7 years ago			`fn check_db() {`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`let url = CONFIG.database_url();`
			`let path = Path::new(&url);`
Check that the database folder exists before connecting If the parent folder ('data' by default) doesn't exist, the database won't be able to connect. 7 years ago
			`if let Some(parent) = path.parent() {`
			`use std::fs;`
			`if fs::create_dir_all(parent).is_err() {`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`error!("Error creating database directory");`
Check that the database folder exists before connecting If the parent folder ('data' by default) doesn't exist, the database won't be able to connect. 7 years ago			`exit(1);`
			`}`
			`}`
WAL journal mode and delete retry added 7 years ago
			`// Turn on WAL in SQLite`
			`use diesel::RunQueryDsl;`
			`let connection = db::get_connection().expect("Can't conect to DB");`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`diesel::sql_query("PRAGMA journal_mode=wal")`
			`.execute(&connection)`
			`.expect("Failed to turn on WAL");`
Check that the database folder exists before connecting If the parent folder ('data' by default) doesn't exist, the database won't be able to connect. 7 years ago			`}`

Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago			`fn check_rsa_keys() {`
			`// If the RSA keys don't exist, try to create them`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`if !util::file_exists(&CONFIG.private_rsa_key()) \|\| !util::file_exists(&CONFIG.public_rsa_key()) {`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`info!("JWT keys don't exist, checking if OpenSSL is available...");`
Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`Command::new("openssl").arg("version").output().unwrap_or_else(\|_\| {`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`info!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");`
Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago			`exit(1);`
			`});`

Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`info!("OpenSSL detected, creating keys...");`
Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`let mut success = Command::new("openssl")`
			`.arg("genrsa")`
			`.arg("-out")`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`.arg(&CONFIG.private_rsa_key_pem())`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.output()`
			`.expect("Failed to create private pem file")`
			`.status`
			`.success();`

			`success &= Command::new("openssl")`
			`.arg("rsa")`
			`.arg("-in")`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`.arg(&CONFIG.private_rsa_key_pem())`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.arg("-outform")`
			`.arg("DER")`
			`.arg("-out")`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`.arg(&CONFIG.private_rsa_key())`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.output()`
			`.expect("Failed to create private der file")`
			`.status`
			`.success();`

			`success &= Command::new("openssl")`
			`.arg("rsa")`
			`.arg("-in")`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`.arg(&CONFIG.private_rsa_key())`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.arg("-inform")`
			`.arg("DER")`
Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago			`.arg("-RSAPublicKey_out")`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.arg("-outform")`
			`.arg("DER")`
			`.arg("-out")`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`.arg(&CONFIG.public_rsa_key())`
Start using rustfmt and some style changes to make some lines shorter 6 years ago			`.output()`
			`.expect("Failed to create public der file")`
			`.status`
			`.success();`
Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago
			`if success {`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`info!("Keys created correctly.");`
Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago			`} else {`
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested) 6 years ago			`error!("Error creating keys, exiting...");`
Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH) 7 years ago			`exit(1);`
			`}`
			`}`
			`}`

Removed included web vault. Now that docker automatically downloads the web-vault, keeping it in the repo doesn't make sense. Added error message in case someone tries to run the application directly without the web-vault instaled.. 7 years ago			`fn check_web_vault() {`
Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`if !CONFIG.web_vault_enabled() {`
Improved configuration and documented options. Implemented option to disable web vault and to disable the use of bitwarden's official icon servers 7 years ago			`return;`
			`}`

Change config to thread-safe system, needed for a future config panel. Improved some two factor methods. 6 years ago			`let index_path = Path::new(&CONFIG.web_vault_folder()).join("index.html");`
Removed included web vault. Now that docker automatically downloads the web-vault, keeping it in the repo doesn't make sense. Added error message in case someone tries to run the application directly without the web-vault instaled.. 7 years ago
			`if !index_path.exists() {`
Update web vault error message 6 years ago			`error!("Web vault is not found. To install it, please follow the steps in https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary#install-the-web-vault");`
Removed included web vault. Now that docker automatically downloads the web-vault, keeping it in the repo doesn't make sense. Added error message in case someone tries to run the application directly without the web-vault instaled.. 7 years ago			`exit(1);`
			`}`
			`}`

Implement unofficial warning message 6 years ago			`fn unofficial_warning() -> AdHoc {`
			`AdHoc::on_launch("Unofficial Warning", \|_\| {`
			`warn!("/--------------------------------------------------------------------\\");`
			`warn!("\| This is an unofficial Bitwarden implementation, DO NOT use the \|");`
			`warn!("\| official channels to report bugs/features, regardless of client. \|");`
			`warn!("\| Report URL: https://github.com/dani-garcia/bitwarden_rs/issues/new \|");`
			`warn!("\\--------------------------------------------------------------------/");`
			`})`
			`}`