Commit Graph

85 Commits

Author SHA1 Message Date
Daniel García
e7c796a660 Verify templates in CI (#5748)
* Verify templates in CI

* No need to install packages

* Remove unnecessary fetch depth
2025-04-04 18:14:19 +02:00
Mathijs van Veluw
8dfe805954 Update Rust, Crates and other deps (#5709)
- Updated Rust to v1.85.1
- Updated crates and fixed breaking changes
- Updated datatables js
- Updated GitHub Actions

Signed-off-by: BlackDex <black.dex@gmail.com>
2025-03-19 17:39:53 +01:00
Mathijs van Veluw
a02fb0fd24 Update workflows and enhance security (#5537)
This commit updates the workflow files and also fixes some security issues which were reported by using zizmor https://github.com/woodruffw/zizmor

Signed-off-by: BlackDex <black.dex@gmail.com>
2025-02-04 00:33:43 +01:00
Mathijs van Veluw
952992c85b Org fixes (#5438)
* Security fixes for admin and sendmail

Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions.
This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers.

By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used.
This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`.

Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies.

Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Fix security issue with organizationId validation

Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks.
This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead.

This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions.

Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Update server version in config endpoint

Updated the server version reported to the clients to `2025.1.0`.
This should make Vaultwarden future proof for the newer clients released by Bitwarden.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Fix and adjust build workflow

The build workflow had an issue with some `if` checks.
For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls.
Using `!cancelled()` is the preferred way.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Update crates

Signed-off-by: BlackDex <black.dex@gmail.com>

* Allow sendmail to be configurable

This reverts a previous change which removed the sendmail to be configurable.
We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Add more org_id checks

Added more org_id checks at all functions which use the org_id in there path.

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
Daniel
29f2b433f0 Simplify container image attestation (#5387) 2025-01-13 19:16:10 +01:00
Mathijs van Veluw
07f80346b4 Fix version detection on bake (#5382) 2025-01-11 11:54:38 +01:00
Mathijs van Veluw
4f68eafa3e Add Attestations for containers and artifacts (#5378)
* Add Attestations for containers and artifacts

This commit will add attestation actions to sign the containers and binaries which can be verified via the gh cli.
https://cli.github.com/manual/gh_attestation_verify

The binaries from both Alpine and Debian based images are extracted and attested so that you can verify the binaries of all the containers.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Adjust attest to use globbing

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-10 21:32:38 +01:00
Mathijs van Veluw
b1481c7c1a Update crates and GHA (#5346)
- Updated crates to the latest version
- Updated GitHub Actions to the latest version

Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-04 19:02:15 +01:00
Mathijs van Veluw
71b3d3c818 Update Rust and crates (#5248)
* Update Rust and crates

- Updated Rust to v1.83.0
- Updated MSRV to v1.82.0 (Needed for html5gum crate)
- Updated icon fetching code to match new html5gum version
- Updated workflows
- Enabled edition 2024 clippy lints
  Nightly reports some clippy hints, but that would be too much to change in this PR i think.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Some additional updates

- Patch fern to allow syslog-7 feature
- Fixed diesel logger which was broken because of the sqlite backup feature
  Refactored the sqlite backup because of this
- Added a build workflow test to include the query_logger feature

Signed-off-by: BlackDex <black.dex@gmail.com>

* Also patch yubico-rs and latest updates

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
Mathijs van Veluw
e3541763fd Updates and collection management fixes (#5072)
* Fix collections not editable by managers

Since a newer version of the web-vault we use manager were not able to create sub collections anymore.
This was because of some missing details in the response of some json objects.

This commit fixes this by using the `to_json_details` instead of the `to_json`

Fixes #5066
Fixes #5044

* Update crates and GitHub Actions

- Updated all the crates
- Updated all the GHA dependencies
- Configured the trivy workflow to only run on the main repo and not on forks
  Also selected a random new scheduled date so it will not run at the same time as all other forks.
  The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
2024-10-11 18:42:40 +02:00
Mathijs van Veluw
55623ad9c6 Update web-vault, crates and gha (#4909)
- Updated the web-vault to fix an issue with personal export.
  Thanks to @stefan0xC for patching this.
  Fixes #4875
- Updated crates to there latest version
- Updated the GitHub Actions
- Updated the xx image to the latest version

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-01 15:53:03 +02:00
Mathijs van Veluw
0f3f97cc76 Update issue template (#4882)
Updated the issue template a bit regarding some remarks in the previous pr.

Also made it so that collapsing all items will show all the specific
item id's instead of there types. Easy for editiing :).

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-23 22:03:57 +02:00
Mathijs van Veluw
cbdb5657f1 Update issue template (#4876)
Updated the issue template to use a form and guide users to provide all
information useful to troublshoot issues

Als updated links to prefer the usage of GitHub Discussions.

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-20 21:25:28 +02:00
Mathijs van Veluw
9eebbf3b9f Update GitHub Action Workflows (#4849) 2024-08-13 12:52:07 +02:00
Mathijs van Veluw
529c39c6c5 Update Rust, Crates and GHA (#4783)
- Update Rust to v1.80.0
- Updated GitHub Actions
- Updated crates
2024-07-25 20:24:27 +02:00
Daniel
0e8b410798 Switch registry cache compression algorithm to zstd (#4704)
- faster builds than with gzip (the default)
2024-07-08 23:27:39 +02:00
Daniel
d9835f530c Remove duplicate registry step (#4703) 2024-07-04 19:57:49 +02:00
Mathijs van Veluw
55fdee3bf8 Update crates, web-vault and GHA (#4648)
- Updated all crates including Diesel and the new mysqlclient-sys
- Updated the MSRV to v1.78 as that is what Diesel mandates
- Added the mimalloc crate as a patch for now to fix armv6 static builds
  This probably makes #4606 possible
- Updated web-vault to v2024.5.1
- Updated GitHub Actions
  Fixed an issue with the localhost images for extracting the musl binaries.
2024-06-19 13:06:58 +02:00
Mathijs van Veluw
2ad33ec97f Update Crate and Rust (#4522)
* Update Crate and Rust

- Updated all crates
- Updated Rust to the latest patch version

* Updated GitHub Actions
2024-04-27 00:53:42 +02:00
Mathijs van Veluw
d6b97090fa Update crates, GHA and a Python/JS scripts (#4357)
- Update all crates
- Update GHA
- Update Global Domains script to use main instead of master
  Also fixed some Python linting warnings
- Updated Admin JS and CSS libraries
2024-02-25 23:26:46 +01:00
Mathijs van Veluw
897bdf8343 Update GHA Workflows (#4309)
- Update the workflow GH Actions.
- Configured the release workflow to always run on main/tag as discussed
  in #4226

Closes #4226
2024-02-03 16:41:25 +01:00
Mathijs van Veluw
1d00e34bbb Update crates, web-vault and GHA (#4275)
- Update GitHub Actions
- Updated crates
- Updated web-vault to v2024.1.2
2024-01-26 20:19:53 +01:00
Mathijs van Veluw
3246251f29 Fix the version string (#4153)
For some reason still not known, the `.git` directory was not copied
into the container. I think buildkit (buildx) did this by default before, and
stopped this with newer versions.

This PR fixes this by also touching `build.rs` besides `src/main.rs`.

This PR also updates Rust to v1.74.1 and some crates, including the
latest version of Alpine 3.19.

Fixes #4150
2023-12-09 23:04:33 +01:00
Mathijs van Veluw
34e00e1478 Update Rust, Crates, Profile and Actions (#4126)
- Updated Rust to v1.74.0
- Updated all crates (where possible)
- Changed release profile to use
  * fat lto
  * 1 codegen-unit
  This should optimize a bit for speed and a lot for size ~15MB smaller
- Updated Github actions to use caching for the bake process
- Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images
- During the release action, the Alpine/static binaries are added as artifects.
  Later we could also automatically add them to the releases maybe.
- Added CODEWONERS to prevent unchecked changes to github actions workflows
2023-12-04 20:26:11 +01:00
nico
512b3b9b7c ci: add trivy workflow (#3997)
* ci: add trivy workflow

to ensure critical and high vulnerabilties are detected quickly

* push trivy-action to 0.13.1
2023-11-05 15:00:24 +01:00
Mathijs van Veluw
d722328f05 Container building changes (#3958)
* WIP: Container building changes

* Small updates

- Updated to rust 1.73.0
- Updated crates
- Updated documentation
- Added a bake.sh script to make baking easier

* Update GitHub Actions Workflow

- Updated workflow to use qemu and buildx bake

In the future i would like to extract the alpine based binaries and add
them as artifacts to the release.

* Address review remarks and small updates

- Addressed review remarks
- Added `podman-bake.sh` script to build Vaultwarden with podman
- Updated README
- Updated crates
- Added `VW_VERSION` support
- Added annotations
- Updated web-vault to v2023.9.1
2023-10-23 00:18:38 +02:00
BlackDex
a77482575a Update GitHub Workflow
- Updated GitHub actions
- Fixed an issue with testing MSRV (It didn't)
2023-09-22 20:31:31 +02:00
BlackDex
32543c46da Update Rust and Crates
- Updated Rust to v1.72.0
- Updated all the crates
  Including a CVE https://github.com/dani-garcia/vaultwarden/security/dependabot/21
- Updated GitHub Workflows
- Run `cargo fmt` which has some new fmt's
- Moved from `rust-toolchain` to `rust-toolchain.toml`
2023-08-31 22:45:53 +02:00
BlackDex
aaeae16983 Update images to Bookworm and PQ15
This PR updates the base images to use Debian Bookworm as base image. Also the MUSL/Alpine builds now use OpenSSLv3 and PostgreSQL v15.

The GHA Workflows are updated to use Ubuntu 22.04 to better match the versions of Debian Bookworm.

Also:
- Enabled spares crate registry
- Updated workflow actions
- Updated Rust to v1.71.0
- The rust-musl images now use musl v1.2.3 for the 32bit arch's if the Rust version is v1.71.0 or higher.
   The 64bit arch's already used musl v1.2.3.
- Updated crates.

Improves / Closes #3434
2023-08-12 12:29:33 +02:00
BlackDex
84a23008f4 Update crates and workflow
- Updated all the crates
- Updated workflow actions
- Set cargo registry to sparse
2023-06-21 22:01:05 +02:00
BlackDex
0851561392 Update crates and GH Workflow
- Updated crates
- Updated GHA where needed
2023-05-26 17:26:09 +02:00
BlackDex
cfba8347a3 Update Rust and Crates
- Updated Rust to v1.69.0
- Updated MSRV to v1.67.1
- Updated crates
- Updated GitHub Actions
2023-04-24 14:10:58 +02:00
BlackDex
8bcd0ab0c6 Some small fixes and updates
- Updated workflows to use new checkout version
  This probably fixes the curl download for hadolint also.
- Updated crates including Rocket to the latest rc3 :party:
- Applied 2 nightly clippy lints to prevent future clippy issues.
2023-03-25 12:51:42 +01:00
BlackDex
467ecfdc99 Add support for Quay.io and GHCR.io as registries
- Added support for Quay.io
- Added support for GHCR.io

To enable support for these container image registries the following needs to be added.

As `Actions secrets and variables` - `Secrets`
- `DOCKERHUB_TOKEN` and `DOCKERHUB_USERNAME`
- `QUAY_TOKEN` and `QUAY_USERNAME`

As `Actions secrets and variables` - `Variables` - `Repository Variables`
- `DOCKERHUB_REPO`
- `GHCR_REPO`
- `QUAY_REPO`

The `DOCKERHUB_REPO` currently configured in `Secrets` can be removed if wanted, probably best after this PR has been merged.

If one of the vars/secrets are not configured it will skip that specific registry!
2023-03-23 16:38:27 +01:00
BlackDex
0c0e632bc9 Upd Crates, Rust, MSRV, GHA and remove Backtrace
- Changed MSRV to v1.65.
  Discussed this with @dani-garcia, and we will support **N-2**.
  This is/will be the same as for the `time` crate we use.
  Also updated the wiki regarding this https://github.com/dani-garcia/vaultwarden/wiki/Building-binary
- Removed backtrace crate in favor of `std::backtrace` stable since v1.65
- Updated Rust to v1.67.1
- Updated all the crates
- Updated the GHA action versions
- Adjusted the GHA MSRV build to extract the MSRV from `Cargo.toml`
2023-03-07 09:17:42 +01:00
Jeremy Lin
2c6bd8c9dc Rename .buildx Dockerfiles to .buildkit
This is a more accurate name, since these Dockerfiles require BuildKit, not Buildx.
2023-01-24 13:11:12 -08:00
BlackDex
8e6fd4b4a1 Update dependencies and MSRV
- Updated dependencies.
  This includes a janked openssl crate version we currently use.
- Updated MSRV to v1.61.0 because hashbrown/cached has this version restriction.
2023-01-09 19:10:11 +01:00
BlackDex
8b6dfe48b7 Disable groups by default and Some optimizations
- Put groups support behind a feature flag, and disabled by default.
  The reason is that it has some known issues, but we want to keep
  optimizing this feature. Putting it behind a feature flag could help
  some users, and the developers into optimizing this feature without to
  much trouble.

Further:

- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
  for building the environment variables, lowers heap allocations.
2022-12-16 14:52:42 +01:00
BlackDex
b010dde661 Update Rust version, deps and workflow
- Update Rust to v1.65.0
- Update dependencies
- Updated workflow files
- Added some extra clippy checks
- Fixed some clippy checks
2022-11-08 14:03:31 +01:00
BlackDex
d4577d161e Update github workflows
Updated all the actions where possible.
This should at least for the most actions mean that they are using the
latest github actions core and should partially resolve the issue #2847

The only actions left are the actions from `actions-rs`.
2022-10-21 13:21:57 +02:00
Daniel García
3c8e1c3ca9 Add liberapay funding option 2022-10-20 21:07:26 +02:00
BlackDex
81984c4bce Update build workflow
Currently the branch protection is set on specific workflows which needs
to be run every time a PR is created (or a push).

Because it isn't possible to tell the branch protection only to do it's
job if specific files are touched or not, we just need to make sure
these jobs are always started.

Also, because we now check the builds for an MSRV, and the title would
change all the time, that would cause the branch protection to be
updated everytime the MSRV would change. This is now also addressed by
naming that job 'msrv' instead of the version number.
2022-09-15 16:51:52 +02:00
BlackDex
7f0d0cf8a4 Update MSRV to 1.60.0
The latest version of chrono-tz needs 1.60.0 because of phf.
Since chrono-tz has updated timezone information i do think it is
usefull in some cases around the world.
2022-08-01 16:21:06 +02:00
BlackDex
0dcc435bb4 Update build workflow for CI
Because we want to support MSRV, we also need to run a CI for this.
This PR adds checks for the MSRV and rust-toolchain defined versions.

It will also run all cargo test, clippy and fmt checks no matter the outcome of the previous job.
This will help when there are multiple issues, like clippy errors and formatting.
Previously it would show only the first failed check and stopped.

It will also output a nice step summary with some details on which checks have failed.
Or it will output a success message.
2022-07-19 23:17:49 +02:00
BlackDex
5d05ec58be Updated deps and misc fixes and updates
- Updated some Rust dependencies
- Fixed an issue with CSP header, this was not configured correctly
- Prevent sending CSP and Frame headers for the MFA connector.html files.
  Else some clients will fail to handle these protocols.
- Add `unsafe-inline` for `script-src` only to the CSP for the Admin Interface
- Updated JavaScript and CSS files for the Admin interface
- Changed the layout for showing overridden settings, better visible now.
- Made the version check cachable to prevent hitting the Github API rate limits
- Hide the `database_url` as if it is a password in the Admin Interface
  Else for MariaDB/MySQL or PostgreSQL this was plain text.
- Fixed an issue that pressing enter on the SMTP Test would save the config.
  resolves #2542
- Prevent user names larger then 50 characters
  resolves #2419
2022-06-14 14:51:51 +02:00
BlackDex
2168d09421 Update Rust version in Dockerfile
Updated Rust from v1.60 to v1.61 for building the images.
Also made the rust version fixed for the Alpine build images to prevent
those images being build with a newer version when released.
2022-05-21 17:46:14 +02:00
BlackDex
3ca85028ea Improve sync speed and updated dep. versions
Improved sync speed by resolving the N+1 query issues.
Solves #1402 and Solves #1453

With this change there is just one query done to retreive all the
important data, and matching is done in-code/memory.

With a very large database the sync time went down about 3 times.

Also updated misc crates and Github Actions versions.
2022-05-06 17:01:02 +02:00
BlackDex
b0faaf2527 Several updates and fixes
- Removed all `thread::sleep` and use `tokio::time::sleep` now.
  This solves an issue with updating to Bullseye ( Resolves #1998 )
- Updated all Debian images to Bullseye
- Added MiMalloc feature and enabled it by default for Alpine based images
  This increases performance for the Alpine images because the default
  memory allocator for MUSL based binaries isn't that fast
- Updated `dotenv` to `dotenvy` a maintained and updated fork
- Fixed an issue with a newer jslib (not fully released yet)
  That version uses a different endpoint for `prelogin` Resolves #2378 )
2022-03-20 18:51:24 +01:00
BlackDex
5f01db69ff Update async to prepare for main merge
- Changed nightly to stable in Dockerfile and Workflow
- Updated Dockerfile to use stable and updated ENV's
- Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default
- Updated Github Workflow actions to the latest versions
- Updated Hadolint version
- Re-orderd the Cargo.toml file a bit and put libs together which are linked
- Updated some libs
- Updated .dockerignore file
2022-02-22 20:00:33 +01:00
BlackDex
ca0fd7a31b Optimize release workflow.
- Split Debian and Alpine into different build matrix
  This starts building both Debian and Alpine based images at the same time
- Make use of Docker BuildKit, which improves speed also.
- Use BuildKit caching for Rust Cargo across docker images.
  This prevents downloading the same crates multiple times.
- Use Github Actions Services to start a docker registry, starting it
via the build script sometimes caused issues.
- Updated the Build workflow to use Ubuntu 20.04 which is more close to
the Bullseye Debian release regarding package versions.
2021-09-13 14:42:15 +02:00