Merge pull request #147 from mprasil/master

Bump version to 0.13.0 - latest Vault v1

.env

@@ -27,6 +27,9 @@
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000
 
+## Whether password hint should be sent into the error response when the client request it
+# SHOW_PASSWORD_HINT=true
+
 ## Domain settings
 ## The domain must match the address from where you access the server
 ## Unless you are using U2F, or having problems with attachments not downloading, there is no need to change this

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bitwarden_rs"
-version = "0.10.0"
+version = "0.13.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 
 [dependencies]

Dockerfile

@@ -68,6 +68,7 @@ RUN cargo build --release
 FROM debian:stretch-slim
 
 ENV ROCKET_ENV "staging"
+ENV ROCKET_WORKERS=10
 
 # Install needed libraries
 RUN apt-get update && apt-get install -y\

README.md

@@ -4,8 +4,10 @@ Image is based on [Rust implementation of Bitwarden API](https://github.com/dani
 
 _*Note, that this project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC._
 
-## Table of contents <!-- omit in toc -->
+**Table of contents**
+
 - [Features](#features)
+- [Missing features](#missing-features)
 - [Docker image usage](#docker-image-usage)
   - [Starting a container](#starting-a-container)
   - [Updating the bitwarden image](#updating-the-bitwarden-image)
@@ -19,6 +21,8 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
     - [attachments location](#attachments-location)
     - [icons cache](#icons-cache)
   - [Changing the API request size limit](#changing-the-api-request-size-limit)
+  - [Changing the number of workers](#changing-the-number-of-workers)
+  - [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting)
   - [Other configuration](#other-configuration)
 - [Building your own image](#building-your-own-image)
 - [Building binary](#building-binary)
@@ -30,6 +34,10 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
   - [3. the key files](#3-the-key-files)
   - [4. Icon Cache](#4-icon-cache)
 - [Running the server with non-root user](#running-the-server-with-non-root-user)
+- [Differences from upstream API implementation](#differences-from-upstream-api-implementation)
+  - [Changing user email](#changing-user-email)
+  - [Creating organization](#creating-organization)
+  - [Inviting users into organization](#inviting-users-into-organization)
 - [Get in touch](#get-in-touch)
 
 ## Features
@@ -131,11 +139,10 @@ Where:
 
 ```sh
 docker run -d --name bitwarden \
-  -e ROCKET_TLS={certs='"/ssl/certs.pem",key="/ssl/key.pem"}' \
+  -e ROCKET_TLS='{certs="/ssl/certs.pem",key="/ssl/key.pem"}' \
   -v /ssl/keys/:/ssl/ \
   -v /bw-data/:/data/ \
-  -v /icon_cache/ \
+  -p 443:80 \
-  -p 443:443 \
   mprasil/bitwarden:latest
 ```
 Note that you need to mount ssl files and you need to forward appropriate port.
@@ -231,6 +238,44 @@ docker run -d --name bitwarden \
   mprasil/bitwarden:latest
 ```
 
+### Changing the number of workers
+
+When you run bitwarden_rs, it spawns `2 * <number of cpu cores>` workers to handle requests. On some systems this might lead to low number of workers and hence slow performance, so the default in the docker image is changed to spawn 10 threads. You can override this setting to increase or decrease the number of workers by setting the `ROCKET_WORKERS` variable.
+
+In the example bellow, we're starting with 20 workers:
+
+```sh
+docker run -d --name bitwarden \
+  -e ROCKET_WORKERS=20 \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
+
+### Disabling or overriding the Vault interface hosting
+
+As a convenience bitwarden_rs image will also host static files for Vault web interface. You can disable this static file hosting completely by setting the WEB_VAULT_ENABLED variable.
+
+```sh
+docker run -d --name bitwarden \
+  -e WEB_VAULT_ENABLED=false \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
+
+Alternatively you can override the Vault files and provide your own static files to host. You can do that by mounting a path with your files over the `/web-vault` directory in the container. Just make sure the directory contains at least `index.html` file.
+
+```sh
+docker run -d --name bitwarden \
+  -v /path/to/static/files_directory:/web-vault \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
+
+Note that you can also change the path where bitwarden_rs looks for static files by providing the `WEB_VAULT_FOLDER` environment variable with the path.
+
 ### Other configuration
 
 Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
@@ -252,8 +297,7 @@ For building binary outside the Docker environment and running it locally withou
 
 ### Arch Linux
 
-Bitwarden_rs is already packaged for Archlinux thanks to @mqus. There is an AUR package [with](https://aur.archlinux.org/packages/bitwarden_rs-vault-git/) and 
+Bitwarden_rs is already packaged for Archlinux thanks to @mqus. There is an [AUR package](https://aur.archlinux.org/packages/bitwarden_rs) (optionally with the [vault web interface](https://aur.archlinux.org/packages/bitwarden_rs-vault/) ) available.
-[without](https://aur.archlinux.org/packages/bitwarden_rs-git/) the vault web interface available.
 
 ## Backing up your vault
 
@@ -297,8 +341,23 @@ docker run -d --name bitwarden \
   -p 80:8080 \
   mprasil/bitwarden:latest
 ```
+
+## Differences from upstream API implementation
+
+### Changing user email
+
+Because we don't have any SMTP functionality at the moment, there's no way to deliver the verification token when you try to change the email. User just needs to enter any random token to continue and the change will be applied.
+
+### Creating organization
+
+We use upstream Vault interface directly without any (significant) changes, this is why user is presented with paid options when creating organization. To create an organization, just use the free option, none of the limits apply when using bitwarden_rs as back-end API and after the organization is created it should behave like Enterprise organization.
+
+### Inviting users into organization
+
+The users must already be registered on your server to invite them, because we can't send the invitation via email. The invited users won't get the invitation email, instead they will appear in the interface as if they already accepted the invitation. Organization admin then just needs to confirm them to be proper Organization members and to give them access to the shared secrets.
+
 ## Get in touch
 
 To ask an question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine, also please report any bugs spotted here.
 
-If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/!cASGtOHlSftdScFNMs:matrix.org) room on Matrix. Feel free to join us!
+If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!

src/api/core/accounts.rs

@@ -244,6 +244,29 @@ fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn
 
 #[get("/accounts/revision-date")]
 fn revision_date(headers: Headers) -> String {
-    let revision_date = headers.user.updated_at.timestamp();
+    let revision_date = headers.user.updated_at.timestamp_millis();
     revision_date.to_string()
 }
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct PasswordHintData {
+    Email: String,
+}
+
+#[post("/accounts/password-hint", data = "<data>")]
+fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> EmptyResult {
+    let data: PasswordHintData = data.into_inner().data;
+
+    if !CONFIG.show_password_hint {
+        return Ok(())
+    }
+
+    match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => {
+            let hint = user.password_hint.to_owned().unwrap_or_default();
+            err!(format!("Your password hint is: {}", hint))
+        },
+        None => Ok(()),
+    }
+}

src/api/core/ciphers.rs

@@ -415,6 +415,22 @@ fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
 }
 
+#[post("/ciphers/<uuid>/attachment-admin", format = "multipart/form-data", data = "<data>")]
+fn post_attachment_admin(uuid: String, data: Data, content_type: &ContentType, headers: Headers, conn: DbConn) -> JsonResult {
+    post_attachment(uuid, data, content_type, headers, conn)
+}
+
+#[post("/ciphers/<uuid>/attachment/<attachment_id>/share", format = "multipart/form-data", data = "<data>")]
+fn post_attachment_share(uuid: String, attachment_id: String, data: Data, content_type: &ContentType, headers: Headers, conn: DbConn) -> JsonResult {
+    _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn)?;
+    post_attachment(uuid, data, content_type, headers, conn)
+}
+
+#[post("/ciphers/<uuid>/attachment/<attachment_id>/delete-admin")]
+fn delete_attachment_post_admin(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> EmptyResult {
+    delete_attachment(uuid, attachment_id, headers, conn)
+}
+
 #[post("/ciphers/<uuid>/attachment/<attachment_id>/delete")]
 fn delete_attachment_post(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> EmptyResult {
     delete_attachment(uuid, attachment_id, headers, conn)
@@ -422,29 +438,7 @@ fn delete_attachment_post(uuid: String, attachment_id: String, headers: Headers,
 
 #[delete("/ciphers/<uuid>/attachment/<attachment_id>")]
 fn delete_attachment(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    let attachment = match Attachment::find_by_id(&attachment_id, &conn) {
+    _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn)
-        Some(attachment) => attachment,
-        None => err!("Attachment doesn't exist")
-    };
-
-    if attachment.cipher_uuid != uuid {
-        err!("Attachment from other cipher")
-    }
-
-    let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
-        Some(cipher) => cipher,
-        None => err!("Cipher doesn't exist")
-    };
-
-    if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
-        err!("Cipher cannot be deleted by user")
-    }
-
-    // Delete attachment
-    match attachment.delete(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Deleting attachement failed")
-    }
 }
 
 #[post("/ciphers/<uuid>/delete")]
@@ -578,3 +572,29 @@ fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn) -> Empty
         Err(_) => err!("Failed deleting cipher")
     }
 }
+
+fn _delete_cipher_attachment_by_id(uuid: &str, attachment_id: &str, headers: &Headers, conn: &DbConn) -> EmptyResult {
+    let attachment = match Attachment::find_by_id(&attachment_id, &conn) {
+        Some(attachment) => attachment,
+        None => err!("Attachment doesn't exist")
+    };
+
+    if attachment.cipher_uuid != uuid {
+        err!("Attachment from other cipher")
+    }
+
+    let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
+        Some(cipher) => cipher,
+        None => err!("Cipher doesn't exist")
+    };
+
+    if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
+        err!("Cipher cannot be deleted by user")
+    }
+
+    // Delete attachment
+    match attachment.delete(&conn) {
+        Ok(()) => Ok(()),
+        Err(_) => err!("Deleting attachement failed")
+    }
+}

src/api/core/mod.rs

@@ -23,6 +23,7 @@ pub fn routes() -> Vec<Route> {
         post_email,
         delete_account,
         revision_date,
+        password_hint,
 
         sync,
 
@@ -34,7 +35,10 @@ pub fn routes() -> Vec<Route> {
         post_ciphers_admin,
         post_ciphers_import,
         post_attachment,
+        post_attachment_admin,
+        post_attachment_share,
         delete_attachment_post,
+        delete_attachment_post_admin,
         delete_attachment,
         post_cipher_admin,
         post_cipher_share,

src/api/web.rs

@@ -4,7 +4,7 @@ use std::path::{Path, PathBuf};
 use rocket::request::Request;
 use rocket::response::{self, NamedFile, Responder};
 use rocket::response::content::Content;
-use rocket::http::ContentType;
+use rocket::http::{ContentType, Status};
 use rocket::Route;
 use rocket_contrib::{Json, Value};
 
@@ -49,14 +49,19 @@ struct WebHeaders<R>(R);
 
 impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> {
     fn respond_to(self, req: &Request) -> response::Result<'r> {
-        let mut res = self.0.respond_to(req)?;
+        match self.0.respond_to(req) {
+            Ok(mut res) => {
+                res.set_raw_header("Referrer-Policy", "same-origin");
+                res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
+                res.set_raw_header("X-Content-Type-Options", "nosniff");
+                res.set_raw_header("X-XSS-Protection", "1; mode=block");
 
-        res.set_raw_header("Referrer-Policy", "same-origin");
+                Ok(res)
-        res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
+            },
-        res.set_raw_header("X-Content-Type-Options", "nosniff");
+            Err(_) => {
-        res.set_raw_header("X-XSS-Protection", "1; mode=block");
+                Err(Status::NotFound)
-
+            }
-        Ok(res)
+        } 
     }
 }
 

src/auth.rs

@@ -95,7 +95,7 @@ use rocket::Outcome;
 use rocket::request::{self, Request, FromRequest};
 
 use db::DbConn;
-use db::models::{User, UserOrganization, UserOrgType, Device};
+use db::models::{User, UserOrganization, UserOrgType, UserOrgStatus, Device};
 
 pub struct Headers {
     pub host: String,
@@ -205,7 +205,13 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
                         };
 
                         let org_user = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
-                            Some(user) => user,
+                            Some(user) => {
+                                if user.status == UserOrgStatus::Confirmed as i32 {
+                                    user
+                                } else {
+                                    err_handler!("The current user isn't confirmed member of the organization")
+                                }
+                            }
                             None => err_handler!("The current user isn't member of the organization")
                         };
 

src/db/models/attachment.rs

@@ -64,14 +64,33 @@ impl Attachment {
 
     pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
         use util;
+        use std::{thread, time};
+
+        let mut retries = 10;
+        
+        loop {
+            match diesel::delete(
+                attachments::table.filter(
+                    attachments::id.eq(&self.id)
+                )
+            ).execute(&**conn) {
+                Ok(_) => break,
+                Err(err) => {
+                    if retries < 1 {
+                        println!("ERROR: Failed with 10 retries");
+                        return Err(err)
+                    } else {
+                        retries = retries - 1;
+                        println!("Had to retry! Retries left: {}", retries);
+                        thread::sleep(time::Duration::from_millis(500));
+                        continue
+                    }
+                }
+            }
+        }
 
         util::delete_file(&self.get_file_path());
-
+        Ok(())
-        diesel::delete(
-            attachments::table.filter(
-                attachments::id.eq(self.id)
-            )
-        ).execute(&**conn).and(Ok(()))
     }
 
     pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> QueryResult<()> {

src/db/models/collection.rs

@@ -2,7 +2,7 @@ use serde_json::Value as JsonValue;
 
 use uuid::Uuid;
 
-use super::{Organization, UserOrganization, UserOrgType};
+use super::{Organization, UserOrganization, UserOrgType, UserOrgStatus};
 
 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "collections"]
@@ -78,13 +78,18 @@ impl Collection {
     pub fn find_by_user_uuid(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
         let mut all_access_collections = users_organizations::table
             .filter(users_organizations::user_uuid.eq(user_uuid))
+            .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
             .filter(users_organizations::access_all.eq(true))
             .inner_join(collections::table.on(collections::org_uuid.eq(users_organizations::org_uuid)))
             .select(collections::all_columns)
             .load::<Self>(&**conn).expect("Error loading collections");
 
         let mut assigned_collections = users_collections::table.inner_join(collections::table)
+            .left_join(users_organizations::table.on(
+                users_collections::user_uuid.eq(users_organizations::user_uuid)
+            ))
             .filter(users_collections::user_uuid.eq(user_uuid))
+            .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
             .select(collections::all_columns)
             .load::<Self>(&**conn).expect("Error loading collections");
 

src/db/models/organization.rs

@@ -268,6 +268,7 @@ impl UserOrganization {
     pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
         users_organizations::table
             .filter(users_organizations::user_uuid.eq(user_uuid))
+            .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
             .load::<Self>(&**conn).unwrap_or(vec![])
     }
 

src/main.rs

@@ -83,6 +83,11 @@ fn check_db() {
             exit(1);
         }
     }
+
+    // Turn on WAL in SQLite
+    use diesel::RunQueryDsl;
+    let connection = db::get_connection().expect("Can't conect to DB");
+    diesel::sql_query("PRAGMA journal_mode=wal").execute(&connection).expect("Failed to turn on WAL");
 }
 
 fn check_rsa_keys() {
@@ -164,6 +169,7 @@ pub struct Config {
     local_icon_extractor: bool,
     signups_allowed: bool,
     password_iterations: i32,
+    show_password_hint: bool,
     domain: String,
     domain_set: bool,
 }
@@ -192,6 +198,8 @@ impl Config {
             local_icon_extractor: util::parse_option_string(env::var("LOCAL_ICON_EXTRACTOR").ok()).unwrap_or(false),
             signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(true),
             password_iterations: util::parse_option_string(env::var("PASSWORD_ITERATIONS").ok()).unwrap_or(100_000),
+            show_password_hint: util::parse_option_string(env::var("SHOW_PASSWORD_HINT").ok()).unwrap_or(true),
+
             domain_set: domain.is_ok(),
             domain: domain.unwrap_or("http://localhost".into()),
         }