|
|
|
#![feature(proc_macro_hygiene, decl_macro, vec_remove_item, try_trait)]
|
|
|
|
#![recursion_limit = "128"]
|
|
|
|
|
|
|
|
#[macro_use]
|
|
|
|
extern crate rocket;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate serde_derive;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate serde_json;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate log;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate diesel;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate diesel_migrations;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate lazy_static;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate derive_more;
|
|
|
|
#[macro_use]
|
|
|
|
extern crate num_derive;
|
|
|
|
|
|
|
|
use handlebars::Handlebars;
|
|
|
|
use rocket::{fairing::AdHoc, Rocket};
|
|
|
|
|
|
|
|
use std::{
|
|
|
|
path::Path,
|
|
|
|
process::{exit, Command},
|
|
|
|
};
|
|
|
|
|
|
|
|
#[macro_use]
|
|
|
|
mod error;
|
|
|
|
mod api;
|
|
|
|
mod auth;
|
|
|
|
mod crypto;
|
|
|
|
mod db;
|
|
|
|
mod mail;
|
|
|
|
mod util;
|
|
|
|
|
|
|
|
fn init_rocket() -> Rocket {
|
|
|
|
rocket::ignite()
|
|
|
|
.mount("/", api::web_routes())
|
|
|
|
.mount("/api", api::core_routes())
|
|
|
|
.mount("/admin", api::admin_routes())
|
|
|
|
.mount("/identity", api::identity_routes())
|
|
|
|
.mount("/icons", api::icons_routes())
|
|
|
|
.mount("/notifications", api::notifications_routes())
|
|
|
|
.manage(db::init_pool())
|
|
|
|
.manage(api::start_notification_server())
|
|
|
|
.attach(util::AppHeaders())
|
|
|
|
.attach(unofficial_warning())
|
|
|
|
}
|
|
|
|
|
|
|
|
// Embed the migrations from the migrations folder into the application
|
|
|
|
// This way, the program automatically migrates the database to the latest version
|
|
|
|
// https://docs.rs/diesel_migrations/*/diesel_migrations/macro.embed_migrations.html
|
|
|
|
#[allow(unused_imports)]
|
|
|
|
mod migrations {
|
|
|
|
embed_migrations!();
|
|
|
|
|
|
|
|
pub fn run_migrations() {
|
|
|
|
// Make sure the database is up to date (create if it doesn't exist, or run the migrations)
|
|
|
|
let connection = crate::db::get_connection().expect("Can't conect to DB");
|
|
|
|
|
|
|
|
use std::io::stdout;
|
|
|
|
embedded_migrations::run_with_output(&connection, &mut stdout()).expect("Can't run migrations");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fn main() {
|
|
|
|
if CONFIG.extended_logging {
|
|
|
|
init_logging().ok();
|
|
|
|
}
|
|
|
|
|
|
|
|
check_db();
|
|
|
|
check_rsa_keys();
|
|
|
|
check_web_vault();
|
|
|
|
migrations::run_migrations();
|
|
|
|
|
|
|
|
init_rocket().launch();
|
|
|
|
}
|
|
|
|
|
|
|
|
fn init_logging() -> Result<(), fern::InitError> {
|
|
|
|
let mut logger = fern::Dispatch::new()
|
|
|
|
.format(|out, message, record| {
|
|
|
|
out.finish(format_args!(
|
|
|
|
"{}[{}][{}] {}",
|
|
|
|
chrono::Local::now().format("[%Y-%m-%d %H:%M:%S]"),
|
|
|
|
record.target(),
|
|
|
|
record.level(),
|
|
|
|
message
|
|
|
|
))
|
|
|
|
})
|
|
|
|
.level(log::LevelFilter::Debug)
|
|
|
|
.level_for("hyper", log::LevelFilter::Warn)
|
|
|
|
.level_for("rustls", log::LevelFilter::Warn)
|
|
|
|
.level_for("handlebars", log::LevelFilter::Warn)
|
|
|
|
.level_for("ws", log::LevelFilter::Info)
|
|
|
|
.level_for("multipart", log::LevelFilter::Info)
|
|
|
|
.chain(std::io::stdout());
|
|
|
|
|
|
|
|
if let Some(log_file) = CONFIG.log_file.as_ref() {
|
|
|
|
logger = logger.chain(fern::log_file(log_file)?);
|
|
|
|
}
|
|
|
|
|
|
|
|
logger = chain_syslog(logger);
|
|
|
|
logger.apply()?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[cfg(not(feature = "enable_syslog"))]
|
|
|
|
fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {
|
|
|
|
logger
|
|
|
|
}
|
|
|
|
|
|
|
|
#[cfg(feature = "enable_syslog")]
|
|
|
|
fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {
|
|
|
|
let syslog_fmt = syslog::Formatter3164 {
|
|
|
|
facility: syslog::Facility::LOG_USER,
|
|
|
|
hostname: None,
|
|
|
|
process: "bitwarden_rs".into(),
|
|
|
|
pid: 0,
|
|
|
|
};
|
|
|
|
|
|
|
|
match syslog::unix(syslog_fmt) {
|
|
|
|
Ok(sl) => logger.chain(sl),
|
|
|
|
Err(e) => {
|
|
|
|
error!("Unable to connect to syslog: {:?}", e);
|
|
|
|
logger
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fn check_db() {
|
|
|
|
let path = Path::new(&CONFIG.database_url);
|
|
|
|
|
|
|
|
if let Some(parent) = path.parent() {
|
|
|
|
use std::fs;
|
|
|
|
if fs::create_dir_all(parent).is_err() {
|
|
|
|
error!("Error creating database directory");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Turn on WAL in SQLite
|
|
|
|
use diesel::RunQueryDsl;
|
|
|
|
let connection = db::get_connection().expect("Can't conect to DB");
|
|
|
|
diesel::sql_query("PRAGMA journal_mode=wal")
|
|
|
|
.execute(&connection)
|
|
|
|
.expect("Failed to turn on WAL");
|
|
|
|
}
|
|
|
|
|
|
|
|
fn check_rsa_keys() {
|
|
|
|
// If the RSA keys don't exist, try to create them
|
|
|
|
if !util::file_exists(&CONFIG.private_rsa_key) || !util::file_exists(&CONFIG.public_rsa_key) {
|
|
|
|
info!("JWT keys don't exist, checking if OpenSSL is available...");
|
|
|
|
|
|
|
|
Command::new("openssl").arg("version").output().unwrap_or_else(|_| {
|
|
|
|
info!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
|
|
|
|
exit(1);
|
|
|
|
});
|
|
|
|
|
|
|
|
info!("OpenSSL detected, creating keys...");
|
|
|
|
|
|
|
|
let mut success = Command::new("openssl")
|
|
|
|
.arg("genrsa")
|
|
|
|
.arg("-out")
|
|
|
|
.arg(&CONFIG.private_rsa_key_pem)
|
|
|
|
.output()
|
|
|
|
.expect("Failed to create private pem file")
|
|
|
|
.status
|
|
|
|
.success();
|
|
|
|
|
|
|
|
success &= Command::new("openssl")
|
|
|
|
.arg("rsa")
|
|
|
|
.arg("-in")
|
|
|
|
.arg(&CONFIG.private_rsa_key_pem)
|
|
|
|
.arg("-outform")
|
|
|
|
.arg("DER")
|
|
|
|
.arg("-out")
|
|
|
|
.arg(&CONFIG.private_rsa_key)
|
|
|
|
.output()
|
|
|
|
.expect("Failed to create private der file")
|
|
|
|
.status
|
|
|
|
.success();
|
|
|
|
|
|
|
|
success &= Command::new("openssl")
|
|
|
|
.arg("rsa")
|
|
|
|
.arg("-in")
|
|
|
|
.arg(&CONFIG.private_rsa_key)
|
|
|
|
.arg("-inform")
|
|
|
|
.arg("DER")
|
|
|
|
.arg("-RSAPublicKey_out")
|
|
|
|
.arg("-outform")
|
|
|
|
.arg("DER")
|
|
|
|
.arg("-out")
|
|
|
|
.arg(&CONFIG.public_rsa_key)
|
|
|
|
.output()
|
|
|
|
.expect("Failed to create public der file")
|
|
|
|
.status
|
|
|
|
.success();
|
|
|
|
|
|
|
|
if success {
|
|
|
|
info!("Keys created correctly.");
|
|
|
|
} else {
|
|
|
|
error!("Error creating keys, exiting...");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fn check_web_vault() {
|
|
|
|
if !CONFIG.web_vault_enabled {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
let index_path = Path::new(&CONFIG.web_vault_folder).join("index.html");
|
|
|
|
|
|
|
|
if !index_path.exists() {
|
|
|
|
error!("Web vault is not found. Please follow the steps in the README to install it");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fn unofficial_warning() -> AdHoc {
|
|
|
|
AdHoc::on_launch("Unofficial Warning", |_| {
|
|
|
|
warn!("/--------------------------------------------------------------------\\");
|
|
|
|
warn!("| This is an *unofficial* Bitwarden implementation, DO NOT use the |");
|
|
|
|
warn!("| official channels to report bugs/features, regardless of client. |");
|
|
|
|
warn!("| Report URL: https://github.com/dani-garcia/bitwarden_rs/issues/new |");
|
|
|
|
warn!("\\--------------------------------------------------------------------/");
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
lazy_static! {
|
|
|
|
// Load the config from .env or from environment variables
|
|
|
|
static ref CONFIG: Config = Config::load();
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Debug)]
|
|
|
|
pub struct MailConfig {
|
|
|
|
smtp_host: String,
|
|
|
|
smtp_port: u16,
|
|
|
|
smtp_ssl: bool,
|
|
|
|
smtp_from: String,
|
|
|
|
smtp_from_name: String,
|
|
|
|
smtp_username: Option<String>,
|
|
|
|
smtp_password: Option<String>,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl MailConfig {
|
|
|
|
fn load() -> Option<Self> {
|
|
|
|
use crate::util::{get_env, get_env_or};
|
|
|
|
|
|
|
|
// When SMTP_HOST is absent, we assume the user does not want to enable it.
|
|
|
|
let smtp_host = match get_env("SMTP_HOST") {
|
|
|
|
Some(host) => host,
|
|
|
|
None => return None,
|
|
|
|
};
|
|
|
|
|
|
|
|
let smtp_from = get_env("SMTP_FROM").unwrap_or_else(|| {
|
|
|
|
error!("Please specify SMTP_FROM to enable SMTP support.");
|
|
|
|
exit(1);
|
|
|
|
});
|
|
|
|
|
|
|
|
let smtp_from_name = get_env_or("SMTP_FROM_NAME", "Bitwarden_RS".into());
|
|
|
|
|
|
|
|
let smtp_ssl = get_env_or("SMTP_SSL", true);
|
|
|
|
let smtp_port = get_env("SMTP_PORT").unwrap_or_else(|| if smtp_ssl { 587u16 } else { 25u16 });
|
|
|
|
|
|
|
|
let smtp_username = get_env("SMTP_USERNAME");
|
|
|
|
let smtp_password = get_env("SMTP_PASSWORD").or_else(|| {
|
|
|
|
if smtp_username.as_ref().is_some() {
|
|
|
|
error!("SMTP_PASSWORD is mandatory when specifying SMTP_USERNAME.");
|
|
|
|
exit(1);
|
|
|
|
} else {
|
|
|
|
None
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
Some(MailConfig {
|
|
|
|
smtp_host,
|
|
|
|
smtp_port,
|
|
|
|
smtp_ssl,
|
|
|
|
smtp_from,
|
|
|
|
smtp_from_name,
|
|
|
|
smtp_username,
|
|
|
|
smtp_password,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Debug)]
|
|
|
|
pub struct Config {
|
|
|
|
database_url: String,
|
|
|
|
icon_cache_folder: String,
|
|
|
|
attachments_folder: String,
|
|
|
|
|
|
|
|
icon_cache_ttl: u64,
|
|
|
|
icon_cache_negttl: u64,
|
|
|
|
|
|
|
|
private_rsa_key: String,
|
|
|
|
private_rsa_key_pem: String,
|
|
|
|
public_rsa_key: String,
|
|
|
|
|
|
|
|
web_vault_folder: String,
|
|
|
|
web_vault_enabled: bool,
|
|
|
|
|
|
|
|
websocket_enabled: bool,
|
|
|
|
websocket_url: String,
|
|
|
|
|
|
|
|
extended_logging: bool,
|
|
|
|
log_file: Option<String>,
|
|
|
|
|
|
|
|
local_icon_extractor: bool,
|
|
|
|
signups_allowed: bool,
|
|
|
|
invitations_allowed: bool,
|
|
|
|
admin_token: Option<String>,
|
|
|
|
password_iterations: i32,
|
|
|
|
show_password_hint: bool,
|
|
|
|
|
|
|
|
domain: String,
|
|
|
|
domain_set: bool,
|
|
|
|
|
|
|
|
yubico_cred_set: bool,
|
|
|
|
yubico_client_id: String,
|
|
|
|
yubico_secret_key: String,
|
|
|
|
yubico_server: Option<String>,
|
|
|
|
|
|
|
|
mail: Option<MailConfig>,
|
|
|
|
templates: Handlebars,
|
|
|
|
templates_folder: String,
|
|
|
|
reload_templates: bool,
|
|
|
|
}
|
|
|
|
|
|
|
|
fn load_templates(path: &str) -> Handlebars {
|
|
|
|
let mut hb = Handlebars::new();
|
|
|
|
// Error on missing params
|
|
|
|
hb.set_strict_mode(true);
|
|
|
|
|
|
|
|
macro_rules! reg {
|
|
|
|
($name:expr) => {{
|
|
|
|
let template = include_str!(concat!("static/templates/", $name, ".hbs"));
|
|
|
|
hb.register_template_string($name, template).unwrap();
|
|
|
|
}};
|
|
|
|
}
|
|
|
|
|
|
|
|
// First register default templates here
|
|
|
|
reg!("email/invite_accepted");
|
|
|
|
reg!("email/invite_confirmed");
|
|
|
|
reg!("email/pw_hint_none");
|
|
|
|
reg!("email/pw_hint_some");
|
|
|
|
reg!("email/send_org_invite");
|
|
|
|
|
|
|
|
reg!("admin/base");
|
|
|
|
reg!("admin/login");
|
|
|
|
reg!("admin/page");
|
|
|
|
|
|
|
|
// And then load user templates to overwrite the defaults
|
|
|
|
// Use .hbs extension for the files
|
|
|
|
// Templates get registered with their relative name
|
|
|
|
hb.register_templates_directory(".hbs", path).unwrap();
|
|
|
|
|
|
|
|
hb
|
|
|
|
}
|
|
|
|
|
|
|
|
impl Config {
|
|
|
|
pub fn render_template<T: serde::ser::Serialize>(&self, name: &str, data: &T) -> Result<String, error::Error> {
|
|
|
|
// We add this to signal the compiler not to drop the result of 'load_templates'
|
|
|
|
let hb_owned;
|
|
|
|
|
|
|
|
let hb = if CONFIG.reload_templates {
|
|
|
|
warn!("RELOADING TEMPLATES");
|
|
|
|
hb_owned = load_templates(&self.templates_folder);
|
|
|
|
&hb_owned
|
|
|
|
} else {
|
|
|
|
&self.templates
|
|
|
|
};
|
|
|
|
|
|
|
|
hb.render(name, data).map_err(Into::into)
|
|
|
|
}
|
|
|
|
|
|
|
|
fn load() -> Self {
|
|
|
|
use crate::util::{get_env, get_env_or};
|
|
|
|
dotenv::dotenv().ok();
|
|
|
|
|
|
|
|
let df = get_env_or("DATA_FOLDER", "data".to_string());
|
|
|
|
let key = get_env_or("RSA_KEY_FILENAME", format!("{}/{}", &df, "rsa_key"));
|
|
|
|
|
|
|
|
let domain = get_env("DOMAIN");
|
|
|
|
|
|
|
|
let yubico_client_id = get_env("YUBICO_CLIENT_ID");
|
|
|
|
let yubico_secret_key = get_env("YUBICO_SECRET_KEY");
|
|
|
|
|
|
|
|
let templates_folder = get_env_or("TEMPLATES_FOLDER", format!("{}/{}", &df, "templates"));
|
|
|
|
|
|
|
|
Config {
|
|
|
|
database_url: get_env_or("DATABASE_URL", format!("{}/{}", &df, "db.sqlite3")),
|
|
|
|
icon_cache_folder: get_env_or("ICON_CACHE_FOLDER", format!("{}/{}", &df, "icon_cache")),
|
|
|
|
attachments_folder: get_env_or("ATTACHMENTS_FOLDER", format!("{}/{}", &df, "attachments")),
|
|
|
|
templates: load_templates(&templates_folder),
|
|
|
|
templates_folder,
|
|
|
|
reload_templates: get_env_or("RELOAD_TEMPLATES", false),
|
|
|
|
|
|
|
|
// icon_cache_ttl defaults to 30 days (30 * 24 * 60 * 60 seconds)
|
|
|
|
icon_cache_ttl: get_env_or("ICON_CACHE_TTL", 2_592_000),
|
|
|
|
// icon_cache_negttl defaults to 3 days (3 * 24 * 60 * 60 seconds)
|
|
|
|
icon_cache_negttl: get_env_or("ICON_CACHE_NEGTTL", 259_200),
|
|
|
|
|
|
|
|
private_rsa_key: format!("{}.der", &key),
|
|
|
|
private_rsa_key_pem: format!("{}.pem", &key),
|
|
|
|
public_rsa_key: format!("{}.pub.der", &key),
|
|
|
|
|
|
|
|
web_vault_folder: get_env_or("WEB_VAULT_FOLDER", "web-vault/".into()),
|
|
|
|
web_vault_enabled: get_env_or("WEB_VAULT_ENABLED", true),
|
|
|
|
|
|
|
|
websocket_enabled: get_env_or("WEBSOCKET_ENABLED", false),
|
|
|
|
websocket_url: format!(
|
|
|
|
"{}:{}",
|
|
|
|
get_env_or("WEBSOCKET_ADDRESS", "0.0.0.0".to_string()),
|
|
|
|
get_env_or("WEBSOCKET_PORT", 3012)
|
|
|
|
),
|
|
|
|
|
|
|
|
extended_logging: get_env_or("EXTENDED_LOGGING", true),
|
|
|
|
log_file: get_env("LOG_FILE"),
|
|
|
|
|
|
|
|
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
|
|
|
|
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
|
|
|
|
admin_token: get_env("ADMIN_TOKEN"),
|
|
|
|
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
|
|
|
|
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
|
|
|
|
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
|
|
|
|
|
|
|
|
domain_set: domain.is_some(),
|
|
|
|
domain: domain.unwrap_or("http://localhost".into()),
|
|
|
|
|
|
|
|
yubico_cred_set: yubico_client_id.is_some() && yubico_secret_key.is_some(),
|
|
|
|
yubico_client_id: yubico_client_id.unwrap_or("00000".into()),
|
|
|
|
yubico_secret_key: yubico_secret_key.unwrap_or("AAAAAAA".into()),
|
|
|
|
yubico_server: get_env("YUBICO_SERVER"),
|
|
|
|
|
|
|
|
mail: MailConfig::load(),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|