Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH)

7 years ago · d5486670d8
parent 7a3308200a
commit d5486670d8
4 changed files with 85 additions and 44 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -9,13 +9,9 @@ data
 .idea
 *.iml

-# Git and Docker files
+# Git files
 .git
 .gitignore
-.gitmodules
-Dockerfile
-docker-compose.yml
-.dockerignore

 # Documentation
 *.md
--- a/6
+++ b/6
@ -10,19 +10,17 @@ FROM rustlang/rust:nightly as build
 RUN apt-get update && \
 	apt-get install -y sqlite3

-# Install the diesel_cli tool, to manage migrations
-# RUN cargo install diesel_cli --no-default-features --features sqlite
-	
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin app
 WORKDIR /app

 # Copies over *only* your manifests and vendored dependencies
 COPY ./Cargo.* ./
-COPY ./_libs ./_libs
+COPY ./libs ./libs

 # Builds your dependencies and removes the
 # dummy project, except the target folder
+# This folder contains the compiled dependencies
 RUN cargo build --release
 RUN find . -not -path "./target*" -delete

--- a/README.md
+++ b/README.md
@ -6,11 +6,25 @@ docker build -t dani/bitwarden_rs .

 # Run the docker image with a docker volume:
 docker volume create bw_data
-docker run --name bitwarden_rs -it --init --rm --mount source=bw_data,target=/data -p 8000:80 dani/bitwarden_rs
+docker run --name bitwarden_rs -t --init --rm --mount source=bw_data,target=/data -p 8000:80 dani/bitwarden_rs
+```
+
+#### Other possible Docker options
+
+To run the container in the background, add the `-d` parameter.
+
+To check the logs when in background, run `docker logs bitwarden_rs`
+
+To stop the container in background, run `docker stop bitwarden_rs`

-# OR, Run the docker image with a host bind, where <absolute_path> is the absolute path to a folder in the host:
-docker run --name bitwarden_rs -it --init --rm --mount type=bind,source=<absolute_path>,target=/data -p 8000:80 dani/bitwarden_rs
+To make sure the container is restarted automatically, add the `--restart unless-stopped` parameter
+
+To run the image with a host bind, change the `--mount` parameter to:
+```
+--mount type=bind,source=<absolute_path>,target=/data
 ```
+Where <absolute_path> is an absolute path in the hosts file system (e.g. C:\bitwarden\data)
+

 ## How to compile bitwarden_rs
 Install `rust nightly`, in Windows the recommended way is through `rustup`.
@ -27,6 +41,7 @@ cargo build

 ## How to update the web-vault used
 Install `node.js` and either `yarn` or `npm` (usually included with node)
+
 Clone the web-vault outside the project:
 ```
 git clone https://github.com/bitwarden/web.git web-vault
@ -58,22 +73,6 @@ npx gulp dist:selfHosted

 Finally copy the contents of the `web-vault/dist` folder into the `bitwarden_rs/web-vault` folder.

-## How to create the RSA signing key for JWT
-Generate the RSA key:
-```
-openssl genrsa -out data/private_rsa_key.pem
-```
-
-Convert the generated key to .DER:
-```
-openssl rsa -in data/private_rsa_key.pem -outform DER -out data/private_rsa_key.der
-```
-
-And generate the public key:
-```
-openssl rsa -in data/private_rsa_key.der -inform DER -RSAPublicKey_out -outform DER -out data/public_rsa_key.der
-```
-
 ## How to recreate database schemas
 Install diesel-cli with cargo:
 ```
@ -87,8 +86,7 @@ If you want to modify the schemas, create a new migration with:
 diesel migration generate <name>
 ```

-Modify the *.sql files, making sure that any changes are reverted
-in the down.sql file.
+Modify the *.sql files, making sure that any changes are reverted in the down.sql file.

 Apply the migrations and save the generated schemas as follows:
 ```
--- a/src/main.rs
+++ b/src/main.rs
@ -67,17 +67,57 @@ fn main() {
    let connection = db::get_connection().expect("Can't conect to DB");
    embedded_migrations::run_with_output(&connection, &mut io::stdout()).expect("Can't run migrations");

-    // Validate location of rsa keys
-    if !util::file_exists(&CONFIG.private_rsa_key) {
-        panic!("private_rsa_key doesn't exist");
-    }
-    if !util::file_exists(&CONFIG.public_rsa_key) {
-        panic!("public_rsa_key doesn't exist");
-    }
+    check_rsa_keys();

    init_rocket().launch();
 }

+fn check_rsa_keys() {
+    // If the RSA keys don't exist, try to create them
+    if !util::file_exists(&CONFIG.private_rsa_key)
+        || !util::file_exists(&CONFIG.public_rsa_key) {
+        println!("JWT keys don't exist, checking if OpenSSL is available...");
+        use std::process::{exit, Command};
+
+        Command::new("openssl")
+            .arg("version")
+            .output().unwrap_or_else(|_| {
+            println!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
+            exit(1);
+        });
+
+        println!("OpenSSL detected, creating keys...");
+
+        let mut success = Command::new("openssl").arg("genrsa")
+            .arg("-out").arg(&CONFIG.private_rsa_key_pem)
+            .output().expect("Failed to create private pem file")
+            .status.success();
+
+        success &= Command::new("openssl").arg("rsa")
+            .arg("-in").arg(&CONFIG.private_rsa_key_pem)
+            .arg("-outform").arg("DER")
+            .arg("-out").arg(&CONFIG.private_rsa_key)
+            .output().expect("Failed to create private der file")
+            .status.success();
+
+        success &= Command::new("openssl").arg("rsa")
+            .arg("-in").arg(&CONFIG.private_rsa_key)
+            .arg("-inform").arg("DER")
+            .arg("-RSAPublicKey_out")
+            .arg("-outform").arg("DER")
+            .arg("-out").arg(&CONFIG.public_rsa_key)
+            .output().expect("Failed to create public der file")
+            .status.success();
+
+        if success {
+            println!("Keys created correcty.");
+        } else {
+            println!("Error creating keys, exiting...");
+            exit(1);
+        }
+    }
+}
+
 lazy_static! {
    // Load the config from .env or from environment variables
    static ref CONFIG: Config = Config::load();
@ -86,10 +126,13 @@ lazy_static! {
 #[derive(Debug)]
 pub struct Config {
    database_url: String,
-    private_rsa_key: String,
-    public_rsa_key: String,
    icon_cache_folder: String,
    attachments_folder: String,
+
+    private_rsa_key: String,
+    private_rsa_key_pem: String,
+    public_rsa_key: String,
+
    web_vault_folder: String,

    signups_allowed: bool,
@ -100,12 +143,18 @@ impl Config {
    fn load() -> Self {
        dotenv::dotenv().ok();

+        let df = env::var("DATA_FOLDER").unwrap_or("data".into());
+        let key = env::var("RSA_KEY_NAME").unwrap_or("rsa_key".into());
+
        Config {
-            database_url: env::var("DATABASE_URL").unwrap_or("data/db.sqlite3".into()),
-            private_rsa_key: env::var("PRIVATE_RSA_KEY").unwrap_or("data/private_rsa_key.der".into()),
-            public_rsa_key: env::var("PUBLIC_RSA_KEY").unwrap_or("data/public_rsa_key.der".into()),
-            icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or("data/icon_cache".into()),
-            attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or("data/attachments".into()),
+            database_url: env::var("DATABASE_URL").unwrap_or(format!("{}/{}", &df, "db.sqlite3")),
+            icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or(format!("{}/{}", &df, "icon_cache")),
+            attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or(format!("{}/{}", &df, "attachments")),
+
+            private_rsa_key: format!("{}/{}.der", &df, &key),
+            private_rsa_key_pem: format!("{}/{}.pem", &df, &key),
+            public_rsa_key: format!("{}/{}.pub.der", &df, &key),
+
            web_vault_folder: env::var("WEB_VAULT_FOLDER").unwrap_or("web-vault/".into()),

            signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(false),