mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-11-16 06:52:07 +01:00
Merge branch 'BlackDex-fix-2622-persistent-volume-check' into main
This commit is contained in:
commit
1385d75972
21 changed files with 90 additions and 190 deletions
|
@ -181,14 +181,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }}
|
RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }}
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -250,7 +242,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
{% if package_arch_target is defined %}
|
{% if package_arch_target is defined %}
|
||||||
COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden .
|
COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden .
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
|
@ -84,14 +84,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release
|
RUN cargo build --features ${DB} --release
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -124,7 +116,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/release/vaultwarden .
|
COPY --from=build /app/target/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -78,14 +78,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
|
RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -116,7 +108,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
|
COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -84,14 +84,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -124,7 +116,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/release/vaultwarden .
|
COPY --from=build /app/target/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -78,14 +78,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -116,7 +108,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
|
COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -104,14 +104,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
|
RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -148,7 +140,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
|
COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -78,14 +78,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
|
RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -120,7 +112,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
|
COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -104,14 +104,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -148,7 +140,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
|
COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -78,14 +78,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -120,7 +112,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
|
COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -104,14 +104,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
|
RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -153,7 +145,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
|
COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -80,14 +80,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
|
RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -122,7 +114,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
|
COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -104,14 +104,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -153,7 +145,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
|
COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -80,14 +80,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -122,7 +114,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
|
COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -104,14 +104,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
|
RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -148,7 +140,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
|
COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -78,14 +78,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
|
RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -120,7 +112,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
|
COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -104,14 +104,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -148,7 +140,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
|
COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -78,14 +78,6 @@ RUN touch src/main.rs
|
||||||
# hadolint ignore=DL3059
|
# hadolint ignore=DL3059
|
||||||
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
|
||||||
|
|
||||||
# Create a special empty file which we check within the application.
|
|
||||||
# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes.
|
|
||||||
# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true`
|
|
||||||
# This file should disappear if a volume is mounted on-top of this using a docker volume.
|
|
||||||
# We run this in the build image and copy it over, because the runtime image could be missing some executables.
|
|
||||||
# hadolint ignore=DL3059
|
|
||||||
RUN touch /vaultwarden_docker_persistent_volume_check
|
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
# Create a new stage with a minimal image
|
# Create a new stage with a minimal image
|
||||||
# because we already have a binary built
|
# because we already have a binary built
|
||||||
|
@ -120,7 +112,6 @@ EXPOSE 3012
|
||||||
# and the binary from the "build" stage to the current stage
|
# and the binary from the "build" stage to the current stage
|
||||||
WORKDIR /
|
WORKDIR /
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check
|
|
||||||
COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
|
COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
|
||||||
|
|
||||||
COPY docker/healthcheck.sh /healthcheck.sh
|
COPY docker/healthcheck.sh /healthcheck.sh
|
||||||
|
|
|
@ -30,10 +30,7 @@ use crate::{
|
||||||
pub fn routes() -> Vec<Route> {
|
pub fn routes() -> Vec<Route> {
|
||||||
match CONFIG.icon_service().as_str() {
|
match CONFIG.icon_service().as_str() {
|
||||||
"internal" => routes![icon_internal],
|
"internal" => routes![icon_internal],
|
||||||
"bitwarden" => routes![icon_bitwarden],
|
_ => routes![icon_external],
|
||||||
"duckduckgo" => routes![icon_duckduckgo],
|
|
||||||
"google" => routes![icon_google],
|
|
||||||
_ => routes![icon_custom],
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -100,23 +97,8 @@ async fn icon_redirect(domain: &str, template: &str) -> Option<Redirect> {
|
||||||
}
|
}
|
||||||
|
|
||||||
#[get("/<domain>/icon.png")]
|
#[get("/<domain>/icon.png")]
|
||||||
async fn icon_custom(domain: String) -> Option<Redirect> {
|
async fn icon_external(domain: String) -> Option<Redirect> {
|
||||||
icon_redirect(&domain, &CONFIG.icon_service()).await
|
icon_redirect(&domain, &CONFIG._icon_service_url()).await
|
||||||
}
|
|
||||||
|
|
||||||
#[get("/<domain>/icon.png")]
|
|
||||||
async fn icon_bitwarden(domain: String) -> Option<Redirect> {
|
|
||||||
icon_redirect(&domain, "https://icons.bitwarden.net/{}/icon.png").await
|
|
||||||
}
|
|
||||||
|
|
||||||
#[get("/<domain>/icon.png")]
|
|
||||||
async fn icon_duckduckgo(domain: String) -> Option<Redirect> {
|
|
||||||
icon_redirect(&domain, "https://icons.duckduckgo.com/ip3/{}.ico").await
|
|
||||||
}
|
|
||||||
|
|
||||||
#[get("/<domain>/icon.png")]
|
|
||||||
async fn icon_google(domain: String) -> Option<Redirect> {
|
|
||||||
icon_redirect(&domain, "https://www.google.com/s2/favicons?domain={}&sz=32").await
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[get("/<domain>/icon.png")]
|
#[get("/<domain>/icon.png")]
|
||||||
|
|
|
@ -463,6 +463,10 @@ make_config! {
|
||||||
/// service is set, an icon request to Vaultwarden will return an HTTP redirect to the
|
/// service is set, an icon request to Vaultwarden will return an HTTP redirect to the
|
||||||
/// corresponding icon at the external service.
|
/// corresponding icon at the external service.
|
||||||
icon_service: String, false, def, "internal".to_string();
|
icon_service: String, false, def, "internal".to_string();
|
||||||
|
/// Internal
|
||||||
|
_icon_service_url: String, false, gen, |c| generate_icon_service_url(&c.icon_service);
|
||||||
|
/// Internal
|
||||||
|
_icon_service_csp: String, false, gen, |c| generate_icon_service_csp(&c.icon_service, &c._icon_service_url);
|
||||||
/// Icon redirect code |> The HTTP status code to use for redirects to an external icon service.
|
/// Icon redirect code |> The HTTP status code to use for redirects to an external icon service.
|
||||||
/// The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
|
/// The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
|
||||||
/// Temporary redirects are useful while testing different icon services, but once a service
|
/// Temporary redirects are useful while testing different icon services, but once a service
|
||||||
|
@ -748,6 +752,34 @@ fn extract_url_path(url: &str) -> String {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Generate the correct URL for the icon service.
|
||||||
|
/// This will be used within icons.rs to call the external icon service.
|
||||||
|
fn generate_icon_service_url(icon_service: &str) -> String {
|
||||||
|
match icon_service {
|
||||||
|
"internal" => "".to_string(),
|
||||||
|
"bitwarden" => "https://icons.bitwarden.net/{}/icon.png".to_string(),
|
||||||
|
"duckduckgo" => "https://icons.duckduckgo.com/ip3/{}.ico".to_string(),
|
||||||
|
"google" => "https://www.google.com/s2/favicons?domain={}&sz=32".to_string(),
|
||||||
|
_ => icon_service.to_string(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Generate the CSP string needed to allow redirected icon fetching
|
||||||
|
fn generate_icon_service_csp(icon_service: &str, icon_service_url: &str) -> String {
|
||||||
|
// We split on the first '{', since that is the variable delimiter for an icon service URL.
|
||||||
|
// Everything up until the first '{' should be fixed and can be used as an CSP string.
|
||||||
|
let csp_string = match icon_service_url.split_once('{') {
|
||||||
|
Some((c, _)) => c.to_string(),
|
||||||
|
None => "".to_string(),
|
||||||
|
};
|
||||||
|
|
||||||
|
// Because Google does a second redirect to there gstatic.com domain, we need to add an extra csp string.
|
||||||
|
match icon_service {
|
||||||
|
"google" => csp_string + " https://*.gstatic.com/favicon",
|
||||||
|
_ => csp_string,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/// Convert the old SMTP_SSL and SMTP_EXPLICIT_TLS options
|
/// Convert the old SMTP_SSL and SMTP_EXPLICIT_TLS options
|
||||||
fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option<bool>, smtp_explicit_tls: Option<bool>) -> String {
|
fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option<bool>, smtp_explicit_tls: Option<bool>) -> String {
|
||||||
if smtp_explicit_tls.is_some() || smtp_ssl.is_some() {
|
if smtp_explicit_tls.is_some() || smtp_ssl.is_some() {
|
||||||
|
|
48
src/main.rs
48
src/main.rs
|
@ -61,6 +61,11 @@ use std::{
|
||||||
thread,
|
thread,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
use tokio::{
|
||||||
|
fs::File,
|
||||||
|
io::{AsyncBufReadExt, BufReader},
|
||||||
|
};
|
||||||
|
|
||||||
#[macro_use]
|
#[macro_use]
|
||||||
mod error;
|
mod error;
|
||||||
mod api;
|
mod api;
|
||||||
|
@ -89,7 +94,7 @@ async fn main() -> Result<(), Error> {
|
||||||
|
|
||||||
let extra_debug = matches!(level, LF::Trace | LF::Debug);
|
let extra_debug = matches!(level, LF::Trace | LF::Debug);
|
||||||
|
|
||||||
check_data_folder();
|
check_data_folder().await;
|
||||||
check_rsa_keys().unwrap_or_else(|_| {
|
check_rsa_keys().unwrap_or_else(|_| {
|
||||||
error!("Error creating keys, exiting...");
|
error!("Error creating keys, exiting...");
|
||||||
exit(1);
|
exit(1);
|
||||||
|
@ -286,7 +291,7 @@ fn create_dir(path: &str, description: &str) {
|
||||||
create_dir_all(path).expect(&err_msg);
|
create_dir_all(path).expect(&err_msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
fn check_data_folder() {
|
async fn check_data_folder() {
|
||||||
let data_folder = &CONFIG.data_folder();
|
let data_folder = &CONFIG.data_folder();
|
||||||
let path = Path::new(data_folder);
|
let path = Path::new(data_folder);
|
||||||
if !path.exists() {
|
if !path.exists() {
|
||||||
|
@ -299,9 +304,10 @@ fn check_data_folder() {
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
let persistent_volume_check_file = format!("{data_folder}/vaultwarden_docker_persistent_volume_check");
|
if is_running_in_docker()
|
||||||
let check_file = Path::new(&persistent_volume_check_file);
|
&& std::env::var("I_REALLY_WANT_VOLATILE_STORAGE").is_err()
|
||||||
if check_file.exists() && std::env::var("I_REALLY_WANT_VOLATILE_STORAGE").is_err() {
|
&& !docker_data_folder_is_persistent(data_folder).await
|
||||||
|
{
|
||||||
error!(
|
error!(
|
||||||
"No persistent volume!\n\
|
"No persistent volume!\n\
|
||||||
########################################################################################\n\
|
########################################################################################\n\
|
||||||
|
@ -314,6 +320,38 @@ fn check_data_folder() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Detect when using Docker or Podman the DATA_FOLDER is either a bind-mount or a volume created manually.
|
||||||
|
/// If not created manually, then the data will not be persistent.
|
||||||
|
/// A none persistent volume in either Docker or Podman is represented by a 64 alphanumerical string.
|
||||||
|
/// If we detect this string, we will alert about not having a persistent self defined volume.
|
||||||
|
/// This probably means that someone forgot to add `-v /path/to/vaultwarden_data/:/data`
|
||||||
|
async fn docker_data_folder_is_persistent(data_folder: &str) -> bool {
|
||||||
|
if let Ok(mountinfo) = File::open("/proc/self/mountinfo").await {
|
||||||
|
// Since there can only be one mountpoint to the DATA_FOLDER
|
||||||
|
// We do a basic check for this mountpoint surrounded by a space.
|
||||||
|
let data_folder_match = if data_folder.starts_with('/') {
|
||||||
|
format!(" {data_folder} ")
|
||||||
|
} else {
|
||||||
|
format!(" /{data_folder} ")
|
||||||
|
};
|
||||||
|
let mut lines = BufReader::new(mountinfo).lines();
|
||||||
|
while let Some(line) = lines.next_line().await.unwrap_or_default() {
|
||||||
|
// Only execute a regex check if we find the base match
|
||||||
|
if line.contains(&data_folder_match) {
|
||||||
|
let re = regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap();
|
||||||
|
if re.is_match(&line) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
// If we did found a match for the mountpoint, but not the regex, then still stop searching.
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// In all other cases, just assume a true.
|
||||||
|
// This is just an informative check to try and prevent data loss.
|
||||||
|
true
|
||||||
|
}
|
||||||
|
|
||||||
fn check_rsa_keys() -> Result<(), crate::error::Error> {
|
fn check_rsa_keys() -> Result<(), crate::error::Error> {
|
||||||
// If the RSA keys don't exist, try to create them
|
// If the RSA keys don't exist, try to create them
|
||||||
let priv_path = CONFIG.private_rsa_key();
|
let priv_path = CONFIG.private_rsa_key();
|
||||||
|
|
15
src/util.rs
15
src/util.rs
|
@ -38,6 +38,10 @@ impl Fairing for AppHeaders {
|
||||||
|
|
||||||
let req_uri_path = req.uri().path();
|
let req_uri_path = req.uri().path();
|
||||||
|
|
||||||
|
// Do not send the Content-Security-Policy (CSP) Header and X-Frame-Options for the *-connector.html files.
|
||||||
|
// This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
|
||||||
|
// This is the same behaviour as upstream Bitwarden.
|
||||||
|
if !req_uri_path.ends_with("connector.html") {
|
||||||
// Check if we are requesting an admin page, if so, allow unsafe-inline for scripts.
|
// Check if we are requesting an admin page, if so, allow unsafe-inline for scripts.
|
||||||
// TODO: In the future maybe we need to see if we can generate a sha256 hash or have no scripts inline at all.
|
// TODO: In the future maybe we need to see if we can generate a sha256 hash or have no scripts inline at all.
|
||||||
let admin_path = format!("{}/admin", CONFIG.domain_path());
|
let admin_path = format!("{}/admin", CONFIG.domain_path());
|
||||||
|
@ -46,10 +50,6 @@ impl Fairing for AppHeaders {
|
||||||
script_src = " 'unsafe-inline'";
|
script_src = " 'unsafe-inline'";
|
||||||
}
|
}
|
||||||
|
|
||||||
// Do not send the Content-Security-Policy (CSP) Header and X-Frame-Options for the *-connector.html files.
|
|
||||||
// This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
|
|
||||||
// This is the same behaviour as upstream Bitwarden.
|
|
||||||
if !req_uri_path.ends_with("connector.html") {
|
|
||||||
// # Frame Ancestors:
|
// # Frame Ancestors:
|
||||||
// Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
|
// Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
|
||||||
// Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
|
// Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
|
||||||
|
@ -65,13 +65,14 @@ impl Fairing for AppHeaders {
|
||||||
"default-src 'self'; \
|
"default-src 'self'; \
|
||||||
script-src 'self'{script_src}; \
|
script-src 'self'{script_src}; \
|
||||||
style-src 'self' 'unsafe-inline'; \
|
style-src 'self' 'unsafe-inline'; \
|
||||||
img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; \
|
img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
|
||||||
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
||||||
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
||||||
connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://relay.firefox.com/api/; \
|
connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://relay.firefox.com/api/; \
|
||||||
object-src 'self' blob:; \
|
object-src 'self' blob:; \
|
||||||
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {};",
|
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};",
|
||||||
CONFIG.allowed_iframe_ancestors()
|
icon_service_csp=CONFIG._icon_service_csp(),
|
||||||
|
allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors()
|
||||||
);
|
);
|
||||||
res.set_raw_header("Content-Security-Policy", csp);
|
res.set_raw_header("Content-Security-Policy", csp);
|
||||||
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
|
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
|
||||||
|
|
Loading…
Reference in a new issue