mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 16:00:02 +02:00 
			
		
		
		
	Remove config option for admin email, embdedded admin page, managed IO::Error, and added security and cache headers globally
This commit is contained in:
		| @@ -1,10 +1,10 @@ | |||||||
| use std::io; | use std::io; | ||||||
| use std::path::{Path, PathBuf}; | use std::path::{Path, PathBuf}; | ||||||
|  |  | ||||||
|  | use rocket::http::ContentType; | ||||||
| use rocket::request::Request; | use rocket::request::Request; | ||||||
|  | use rocket::response::content::{Content, Html}; | ||||||
| use rocket::response::{self, NamedFile, Responder}; | use rocket::response::{self, NamedFile, Responder}; | ||||||
| use rocket::response::content::Content; |  | ||||||
| use rocket::http::{ContentType, Status}; |  | ||||||
| use rocket::Route; | use rocket::Route; | ||||||
| use rocket_contrib::json::Json; | use rocket_contrib::json::Json; | ||||||
| use serde_json::Value; | use serde_json::Value; | ||||||
| @@ -19,57 +19,72 @@ pub fn routes() -> Vec<Route> { | |||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| // TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache |  | ||||||
| #[get("/")] | #[get("/")] | ||||||
| fn web_index() -> WebHeaders<io::Result<NamedFile>> { | fn web_index() -> Cached<io::Result<NamedFile>> { | ||||||
|     web_files("index.html".into()) |     Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join("index.html"))) | ||||||
| } | } | ||||||
|  |  | ||||||
| #[get("/app-id.json")] | #[get("/app-id.json")] | ||||||
| fn app_id() -> WebHeaders<Content<Json<Value>>> { | fn app_id() -> Cached<Content<Json<Value>>> { | ||||||
|     let content_type = ContentType::new("application", "fido.trusted-apps+json"); |     let content_type = ContentType::new("application", "fido.trusted-apps+json"); | ||||||
|  |  | ||||||
|     WebHeaders(Content(content_type, Json(json!({ |     Cached::long(Content( | ||||||
|     "trustedFacets": [ |         content_type, | ||||||
|         { |         Json(json!({ | ||||||
|         "version": { "major": 1, "minor": 0 }, |         "trustedFacets": [ | ||||||
|         "ids": [ |             { | ||||||
|             &CONFIG.domain, |             "version": { "major": 1, "minor": 0 }, | ||||||
|             "ios:bundle-id:com.8bit.bitwarden", |             "ids": [ | ||||||
|             "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ] |                 &CONFIG.domain, | ||||||
|         }] |                 "ios:bundle-id:com.8bit.bitwarden", | ||||||
|     })))) |                 "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ] | ||||||
|  |             }] | ||||||
|  |         })), | ||||||
|  |     )) | ||||||
| } | } | ||||||
|  |  | ||||||
|  | const ADMIN_PAGE: &'static str = include_str!("../static/admin.html"); | ||||||
|  |  | ||||||
| #[get("/admin")] | #[get("/admin")] | ||||||
| fn admin_page() -> WebHeaders<io::Result<NamedFile>> { | fn admin_page() -> Cached<Html<&'static str>> { | ||||||
|     WebHeaders(NamedFile::open("src/static/admin.html")) // TODO: Change this to embed the page in the binary |     Cached::short(Html(ADMIN_PAGE)) | ||||||
| } | } | ||||||
|  |  | ||||||
|  | /* // Use this during Admin page development | ||||||
|  | #[get("/admin")] | ||||||
|  | fn admin_page() -> Cached<io::Result<NamedFile>> { | ||||||
|  |     Cached::short(NamedFile::open("src/static/admin.html")) | ||||||
|  | } | ||||||
|  | */ | ||||||
|  |  | ||||||
| #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match | #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match | ||||||
| fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> { | fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> { | ||||||
|     WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) |     Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) | ||||||
| } | } | ||||||
|  |  | ||||||
| struct WebHeaders<R>(R); | struct Cached<R>(R, &'static str); | ||||||
|  |  | ||||||
| impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> { | impl<R> Cached<R> { | ||||||
|  |     fn long(r: R) -> Cached<R> { | ||||||
|  |         // 7 days | ||||||
|  |         Cached(r, "public, max-age=604800".into()) | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     fn short(r: R) -> Cached<R> { | ||||||
|  |         // 10 minutes | ||||||
|  |         Cached(r, "public, max-age=600".into()) | ||||||
|  |     } | ||||||
|  | } | ||||||
|  |  | ||||||
|  | impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> { | ||||||
|     fn respond_to(self, req: &Request) -> response::Result<'r> { |     fn respond_to(self, req: &Request) -> response::Result<'r> { | ||||||
|         match self.0.respond_to(req) { |         match self.0.respond_to(req) { | ||||||
|             Ok(mut res) => { |             Ok(mut res) => { | ||||||
|                 res.set_raw_header("Referrer-Policy", "same-origin"); |                 res.set_raw_header("Cache-Control", self.1); | ||||||
|                 res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); |  | ||||||
|                 res.set_raw_header("X-Content-Type-Options", "nosniff"); |  | ||||||
|                 res.set_raw_header("X-XSS-Protection", "1; mode=block"); |  | ||||||
|                 let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;"; |  | ||||||
|                 res.set_raw_header("Content-Security-Policy", csp); |  | ||||||
|  |  | ||||||
|                 Ok(res) |                 Ok(res) | ||||||
|             }, |  | ||||||
|             Err(_) => { |  | ||||||
|                 Err(Status::NotFound) |  | ||||||
|             } |             } | ||||||
|         }  |             e @ Err(_) => e, | ||||||
|  |         } | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -78,7 +93,6 @@ fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> { | |||||||
|     NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)) |     NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)) | ||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
| #[get("/alive")] | #[get("/alive")] | ||||||
| fn alive() -> Json<String> { | fn alive() -> Json<String> { | ||||||
|     use crate::util::format_date; |     use crate::util::format_date; | ||||||
|   | |||||||
| @@ -74,7 +74,7 @@ impl Attachment { | |||||||
|         ) |         ) | ||||||
|         .map_res("Error deleting attachment")?; |         .map_res("Error deleting attachment")?; | ||||||
|          |          | ||||||
|         crate::util::delete_file(&self.get_file_path()); |         crate::util::delete_file(&self.get_file_path())?; | ||||||
|         Ok(()) |         Ok(()) | ||||||
|     } |     } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -47,6 +47,7 @@ use diesel::result::Error as DieselError; | |||||||
| use jsonwebtoken::errors::Error as JwtError; | use jsonwebtoken::errors::Error as JwtError; | ||||||
| use serde_json::{Error as SerError, Value}; | use serde_json::{Error as SerError, Value}; | ||||||
| use u2f::u2ferror::U2fError as U2fErr; | use u2f::u2ferror::U2fError as U2fErr; | ||||||
|  | use std::io::Error as IOError; | ||||||
|  |  | ||||||
| // Error struct | // Error struct | ||||||
| // Each variant has two elements, the first is an error of different types, used for logging purposes | // Each variant has two elements, the first is an error of different types, used for logging purposes | ||||||
| @@ -64,6 +65,7 @@ make_error! { | |||||||
|     U2fError(U2fErr,     _): true,  _api_error, |     U2fError(U2fErr,     _): true,  _api_error, | ||||||
|     SerdeError(SerError, _): true,  _api_error, |     SerdeError(SerError, _): true,  _api_error, | ||||||
|     JWTError(JwtError,   _): true,  _api_error, |     JWTError(JwtError,   _): true,  _api_error, | ||||||
|  |     IoErrror(IOError,    _): true,  _api_error, | ||||||
|     //WsError(ws::Error, _): true,  _api_error, |     //WsError(ws::Error, _): true,  _api_error, | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -26,12 +26,13 @@ fn init_rocket() -> Rocket { | |||||||
|     rocket::ignite() |     rocket::ignite() | ||||||
|         .mount("/", api::web_routes()) |         .mount("/", api::web_routes()) | ||||||
|         .mount("/api", api::core_routes()) |         .mount("/api", api::core_routes()) | ||||||
|         .mount("/admin", api::admin_routes())         |         .mount("/admin", api::admin_routes()) | ||||||
|         .mount("/identity", api::identity_routes()) |         .mount("/identity", api::identity_routes()) | ||||||
|         .mount("/icons", api::icons_routes()) |         .mount("/icons", api::icons_routes()) | ||||||
|         .mount("/notifications", api::notifications_routes()) |         .mount("/notifications", api::notifications_routes()) | ||||||
|         .manage(db::init_pool()) |         .manage(db::init_pool()) | ||||||
|         .manage(api::start_notification_server()) |         .manage(api::start_notification_server()) | ||||||
|  |         .attach(util::AppHeaders()) | ||||||
| } | } | ||||||
|  |  | ||||||
| // Embed the migrations from the migrations folder into the application | // Embed the migrations from the migrations folder into the application | ||||||
| @@ -272,7 +273,6 @@ pub struct Config { | |||||||
|     signups_allowed: bool, |     signups_allowed: bool, | ||||||
|     invitations_allowed: bool, |     invitations_allowed: bool, | ||||||
|     admin_token: Option<String>, |     admin_token: Option<String>, | ||||||
|     server_admin_email: Option<String>, |  | ||||||
|     password_iterations: i32, |     password_iterations: i32, | ||||||
|     show_password_hint: bool, |     show_password_hint: bool, | ||||||
|  |  | ||||||
| @@ -326,7 +326,6 @@ impl Config { | |||||||
|             local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false), |             local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false), | ||||||
|             signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), |             signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), | ||||||
|             admin_token: get_env("ADMIN_TOKEN"), |             admin_token: get_env("ADMIN_TOKEN"), | ||||||
|             server_admin_email:None, // TODO: Delete this |  | ||||||
|             invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), |             invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), | ||||||
|             password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), |             password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), | ||||||
|             show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), |             show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), | ||||||
|   | |||||||
							
								
								
									
										53
									
								
								src/util.rs
									
									
									
									
									
								
							
							
						
						
									
										53
									
								
								src/util.rs
									
									
									
									
									
								
							| @@ -1,29 +1,57 @@ | |||||||
|  | /// | ||||||
|  | /// Web Headers | ||||||
|  | /// | ||||||
|  | use rocket::fairing::{Fairing, Info, Kind}; | ||||||
|  | use rocket::{Request, Response}; | ||||||
|  |  | ||||||
|  | pub struct AppHeaders (); | ||||||
|  |  | ||||||
|  | impl Fairing for AppHeaders { | ||||||
|  |     fn info(&self) -> Info { | ||||||
|  |         Info { | ||||||
|  |             name: "Application Headers", | ||||||
|  |             kind: Kind::Response, | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     fn on_response(&self, _req: &Request, res: &mut Response) { | ||||||
|  |         res.set_raw_header("Referrer-Policy", "same-origin"); | ||||||
|  |         res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); | ||||||
|  |         res.set_raw_header("X-Content-Type-Options", "nosniff"); | ||||||
|  |         res.set_raw_header("X-XSS-Protection", "1; mode=block"); | ||||||
|  |         let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;"; | ||||||
|  |         res.set_raw_header("Content-Security-Policy", csp); | ||||||
|  |  | ||||||
|  |         // Disable cache unless otherwise specified | ||||||
|  |         if !res.headers().contains("cache-control") { | ||||||
|  |             res.set_raw_header("Cache-Control", "no-cache, no-store, max-age=0"); | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
| /// | /// | ||||||
| /// File handling | /// File handling | ||||||
| /// | /// | ||||||
|  |  | ||||||
| use std::path::Path; |  | ||||||
| use std::io::Read; |  | ||||||
| use std::fs::{self, File}; | use std::fs::{self, File}; | ||||||
|  | use std::io::{Read, Result as IOResult}; | ||||||
|  | use std::path::Path; | ||||||
|  |  | ||||||
| pub fn file_exists(path: &str) -> bool { | pub fn file_exists(path: &str) -> bool { | ||||||
|     Path::new(path).exists() |     Path::new(path).exists() | ||||||
| } | } | ||||||
|  |  | ||||||
| pub fn read_file(path: &str) -> Result<Vec<u8>, String> { | pub fn read_file(path: &str) -> IOResult<Vec<u8>> { | ||||||
|     let mut file = File::open(Path::new(path)) |  | ||||||
|         .map_err(|e| format!("Error opening file: {}", e))?; |  | ||||||
|  |  | ||||||
|     let mut contents: Vec<u8> = Vec::new(); |     let mut contents: Vec<u8> = Vec::new(); | ||||||
|  |      | ||||||
|     file.read_to_end(&mut contents) |     let mut file = File::open(Path::new(path))?; | ||||||
|         .map_err(|e| format!("Error reading file: {}", e))?; |     file.read_to_end(&mut contents)?; | ||||||
|  |  | ||||||
|     Ok(contents) |     Ok(contents) | ||||||
| } | } | ||||||
|  |  | ||||||
| pub fn delete_file(path: &str) -> bool { | pub fn delete_file(path: &str) -> IOResult<()> { | ||||||
|     let res = fs::remove_file(path).is_ok(); |     let res = fs::remove_file(path); | ||||||
|  |  | ||||||
|     if let Some(parent) = Path::new(path).parent() { |     if let Some(parent) = Path::new(path).parent() { | ||||||
|         // If the directory isn't empty, this returns an error, which we ignore |         // If the directory isn't empty, this returns an error, which we ignore | ||||||
| @@ -34,7 +62,6 @@ pub fn delete_file(path: &str) -> bool { | |||||||
|     res |     res | ||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
| const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"]; | const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"]; | ||||||
|  |  | ||||||
| pub fn get_display_size(size: i32) -> String { | pub fn get_display_size(size: i32) -> String { | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user