mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 00:30:40 +03:00 
			
		
		
		
	Remove config option for admin email, embdedded admin page, managed IO::Error, and added security and cache headers globally
This commit is contained in:
		| @@ -1,10 +1,10 @@ | ||||
| use std::io; | ||||
| use std::path::{Path, PathBuf}; | ||||
|  | ||||
| use rocket::http::ContentType; | ||||
| use rocket::request::Request; | ||||
| use rocket::response::content::{Content, Html}; | ||||
| use rocket::response::{self, NamedFile, Responder}; | ||||
| use rocket::response::content::Content; | ||||
| use rocket::http::{ContentType, Status}; | ||||
| use rocket::Route; | ||||
| use rocket_contrib::json::Json; | ||||
| use serde_json::Value; | ||||
| @@ -19,57 +19,72 @@ pub fn routes() -> Vec<Route> { | ||||
|     } | ||||
| } | ||||
|  | ||||
| // TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache | ||||
| #[get("/")] | ||||
| fn web_index() -> WebHeaders<io::Result<NamedFile>> { | ||||
|     web_files("index.html".into()) | ||||
| fn web_index() -> Cached<io::Result<NamedFile>> { | ||||
|     Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join("index.html"))) | ||||
| } | ||||
|  | ||||
| #[get("/app-id.json")] | ||||
| fn app_id() -> WebHeaders<Content<Json<Value>>> { | ||||
| fn app_id() -> Cached<Content<Json<Value>>> { | ||||
|     let content_type = ContentType::new("application", "fido.trusted-apps+json"); | ||||
|  | ||||
|     WebHeaders(Content(content_type, Json(json!({ | ||||
|     "trustedFacets": [ | ||||
|         { | ||||
|         "version": { "major": 1, "minor": 0 }, | ||||
|         "ids": [ | ||||
|             &CONFIG.domain, | ||||
|             "ios:bundle-id:com.8bit.bitwarden", | ||||
|             "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ] | ||||
|         }] | ||||
|     })))) | ||||
|     Cached::long(Content( | ||||
|         content_type, | ||||
|         Json(json!({ | ||||
|         "trustedFacets": [ | ||||
|             { | ||||
|             "version": { "major": 1, "minor": 0 }, | ||||
|             "ids": [ | ||||
|                 &CONFIG.domain, | ||||
|                 "ios:bundle-id:com.8bit.bitwarden", | ||||
|                 "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ] | ||||
|             }] | ||||
|         })), | ||||
|     )) | ||||
| } | ||||
|  | ||||
| const ADMIN_PAGE: &'static str = include_str!("../static/admin.html"); | ||||
|  | ||||
| #[get("/admin")] | ||||
| fn admin_page() -> WebHeaders<io::Result<NamedFile>> { | ||||
|     WebHeaders(NamedFile::open("src/static/admin.html")) // TODO: Change this to embed the page in the binary | ||||
| fn admin_page() -> Cached<Html<&'static str>> { | ||||
|     Cached::short(Html(ADMIN_PAGE)) | ||||
| } | ||||
|  | ||||
| /* // Use this during Admin page development | ||||
| #[get("/admin")] | ||||
| fn admin_page() -> Cached<io::Result<NamedFile>> { | ||||
|     Cached::short(NamedFile::open("src/static/admin.html")) | ||||
| } | ||||
| */ | ||||
|  | ||||
| #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match | ||||
| fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> { | ||||
|     WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) | ||||
| fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> { | ||||
|     Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) | ||||
| } | ||||
|  | ||||
| struct WebHeaders<R>(R); | ||||
| struct Cached<R>(R, &'static str); | ||||
|  | ||||
| impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> { | ||||
| impl<R> Cached<R> { | ||||
|     fn long(r: R) -> Cached<R> { | ||||
|         // 7 days | ||||
|         Cached(r, "public, max-age=604800".into()) | ||||
|     } | ||||
|  | ||||
|     fn short(r: R) -> Cached<R> { | ||||
|         // 10 minutes | ||||
|         Cached(r, "public, max-age=600".into()) | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> { | ||||
|     fn respond_to(self, req: &Request) -> response::Result<'r> { | ||||
|         match self.0.respond_to(req) { | ||||
|             Ok(mut res) => { | ||||
|                 res.set_raw_header("Referrer-Policy", "same-origin"); | ||||
|                 res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); | ||||
|                 res.set_raw_header("X-Content-Type-Options", "nosniff"); | ||||
|                 res.set_raw_header("X-XSS-Protection", "1; mode=block"); | ||||
|                 let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;"; | ||||
|                 res.set_raw_header("Content-Security-Policy", csp); | ||||
|  | ||||
|                 res.set_raw_header("Cache-Control", self.1); | ||||
|                 Ok(res) | ||||
|             }, | ||||
|             Err(_) => { | ||||
|                 Err(Status::NotFound) | ||||
|             } | ||||
|         }  | ||||
|             e @ Err(_) => e, | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
| @@ -78,7 +93,6 @@ fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> { | ||||
|     NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)) | ||||
| } | ||||
|  | ||||
|  | ||||
| #[get("/alive")] | ||||
| fn alive() -> Json<String> { | ||||
|     use crate::util::format_date; | ||||
|   | ||||
| @@ -74,7 +74,7 @@ impl Attachment { | ||||
|         ) | ||||
|         .map_res("Error deleting attachment")?; | ||||
|          | ||||
|         crate::util::delete_file(&self.get_file_path()); | ||||
|         crate::util::delete_file(&self.get_file_path())?; | ||||
|         Ok(()) | ||||
|     } | ||||
|  | ||||
|   | ||||
| @@ -47,6 +47,7 @@ use diesel::result::Error as DieselError; | ||||
| use jsonwebtoken::errors::Error as JwtError; | ||||
| use serde_json::{Error as SerError, Value}; | ||||
| use u2f::u2ferror::U2fError as U2fErr; | ||||
| use std::io::Error as IOError; | ||||
|  | ||||
| // Error struct | ||||
| // Each variant has two elements, the first is an error of different types, used for logging purposes | ||||
| @@ -64,6 +65,7 @@ make_error! { | ||||
|     U2fError(U2fErr,     _): true,  _api_error, | ||||
|     SerdeError(SerError, _): true,  _api_error, | ||||
|     JWTError(JwtError,   _): true,  _api_error, | ||||
|     IoErrror(IOError,    _): true,  _api_error, | ||||
|     //WsError(ws::Error, _): true,  _api_error, | ||||
| } | ||||
|  | ||||
|   | ||||
| @@ -26,12 +26,13 @@ fn init_rocket() -> Rocket { | ||||
|     rocket::ignite() | ||||
|         .mount("/", api::web_routes()) | ||||
|         .mount("/api", api::core_routes()) | ||||
|         .mount("/admin", api::admin_routes())         | ||||
|         .mount("/admin", api::admin_routes()) | ||||
|         .mount("/identity", api::identity_routes()) | ||||
|         .mount("/icons", api::icons_routes()) | ||||
|         .mount("/notifications", api::notifications_routes()) | ||||
|         .manage(db::init_pool()) | ||||
|         .manage(api::start_notification_server()) | ||||
|         .attach(util::AppHeaders()) | ||||
| } | ||||
|  | ||||
| // Embed the migrations from the migrations folder into the application | ||||
| @@ -272,7 +273,6 @@ pub struct Config { | ||||
|     signups_allowed: bool, | ||||
|     invitations_allowed: bool, | ||||
|     admin_token: Option<String>, | ||||
|     server_admin_email: Option<String>, | ||||
|     password_iterations: i32, | ||||
|     show_password_hint: bool, | ||||
|  | ||||
| @@ -326,7 +326,6 @@ impl Config { | ||||
|             local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false), | ||||
|             signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), | ||||
|             admin_token: get_env("ADMIN_TOKEN"), | ||||
|             server_admin_email:None, // TODO: Delete this | ||||
|             invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), | ||||
|             password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), | ||||
|             show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), | ||||
|   | ||||
							
								
								
									
										53
									
								
								src/util.rs
									
									
									
									
									
								
							
							
						
						
									
										53
									
								
								src/util.rs
									
									
									
									
									
								
							| @@ -1,29 +1,57 @@ | ||||
| /// | ||||
| /// Web Headers | ||||
| /// | ||||
| use rocket::fairing::{Fairing, Info, Kind}; | ||||
| use rocket::{Request, Response}; | ||||
|  | ||||
| pub struct AppHeaders (); | ||||
|  | ||||
| impl Fairing for AppHeaders { | ||||
|     fn info(&self) -> Info { | ||||
|         Info { | ||||
|             name: "Application Headers", | ||||
|             kind: Kind::Response, | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     fn on_response(&self, _req: &Request, res: &mut Response) { | ||||
|         res.set_raw_header("Referrer-Policy", "same-origin"); | ||||
|         res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); | ||||
|         res.set_raw_header("X-Content-Type-Options", "nosniff"); | ||||
|         res.set_raw_header("X-XSS-Protection", "1; mode=block"); | ||||
|         let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;"; | ||||
|         res.set_raw_header("Content-Security-Policy", csp); | ||||
|  | ||||
|         // Disable cache unless otherwise specified | ||||
|         if !res.headers().contains("cache-control") { | ||||
|             res.set_raw_header("Cache-Control", "no-cache, no-store, max-age=0"); | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
| /// | ||||
| /// File handling | ||||
| /// | ||||
|  | ||||
| use std::path::Path; | ||||
| use std::io::Read; | ||||
| use std::fs::{self, File}; | ||||
| use std::io::{Read, Result as IOResult}; | ||||
| use std::path::Path; | ||||
|  | ||||
| pub fn file_exists(path: &str) -> bool { | ||||
|     Path::new(path).exists() | ||||
| } | ||||
|  | ||||
| pub fn read_file(path: &str) -> Result<Vec<u8>, String> { | ||||
|     let mut file = File::open(Path::new(path)) | ||||
|         .map_err(|e| format!("Error opening file: {}", e))?; | ||||
|  | ||||
| pub fn read_file(path: &str) -> IOResult<Vec<u8>> { | ||||
|     let mut contents: Vec<u8> = Vec::new(); | ||||
|  | ||||
|     file.read_to_end(&mut contents) | ||||
|         .map_err(|e| format!("Error reading file: {}", e))?; | ||||
|      | ||||
|     let mut file = File::open(Path::new(path))?; | ||||
|     file.read_to_end(&mut contents)?; | ||||
|  | ||||
|     Ok(contents) | ||||
| } | ||||
|  | ||||
| pub fn delete_file(path: &str) -> bool { | ||||
|     let res = fs::remove_file(path).is_ok(); | ||||
| pub fn delete_file(path: &str) -> IOResult<()> { | ||||
|     let res = fs::remove_file(path); | ||||
|  | ||||
|     if let Some(parent) = Path::new(path).parent() { | ||||
|         // If the directory isn't empty, this returns an error, which we ignore | ||||
| @@ -34,7 +62,6 @@ pub fn delete_file(path: &str) -> bool { | ||||
|     res | ||||
| } | ||||
|  | ||||
|  | ||||
| const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"]; | ||||
|  | ||||
| pub fn get_display_size(size: i32) -> String { | ||||
|   | ||||
		Reference in New Issue
	
	Block a user