mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-12-15 10:03:42 +01:00
Remove config option for admin email, embdedded admin page, managed IO::Error, and added security and cache headers globally
This commit is contained in:
parent
301919d9d4
commit
acb9d1b3c6
5 changed files with 93 additions and 51 deletions
|
@ -1,10 +1,10 @@
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::path::{Path, PathBuf};
|
use std::path::{Path, PathBuf};
|
||||||
|
|
||||||
|
use rocket::http::ContentType;
|
||||||
use rocket::request::Request;
|
use rocket::request::Request;
|
||||||
|
use rocket::response::content::{Content, Html};
|
||||||
use rocket::response::{self, NamedFile, Responder};
|
use rocket::response::{self, NamedFile, Responder};
|
||||||
use rocket::response::content::Content;
|
|
||||||
use rocket::http::{ContentType, Status};
|
|
||||||
use rocket::Route;
|
use rocket::Route;
|
||||||
use rocket_contrib::json::Json;
|
use rocket_contrib::json::Json;
|
||||||
use serde_json::Value;
|
use serde_json::Value;
|
||||||
|
@ -19,17 +19,18 @@ pub fn routes() -> Vec<Route> {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache
|
|
||||||
#[get("/")]
|
#[get("/")]
|
||||||
fn web_index() -> WebHeaders<io::Result<NamedFile>> {
|
fn web_index() -> Cached<io::Result<NamedFile>> {
|
||||||
web_files("index.html".into())
|
Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join("index.html")))
|
||||||
}
|
}
|
||||||
|
|
||||||
#[get("/app-id.json")]
|
#[get("/app-id.json")]
|
||||||
fn app_id() -> WebHeaders<Content<Json<Value>>> {
|
fn app_id() -> Cached<Content<Json<Value>>> {
|
||||||
let content_type = ContentType::new("application", "fido.trusted-apps+json");
|
let content_type = ContentType::new("application", "fido.trusted-apps+json");
|
||||||
|
|
||||||
WebHeaders(Content(content_type, Json(json!({
|
Cached::long(Content(
|
||||||
|
content_type,
|
||||||
|
Json(json!({
|
||||||
"trustedFacets": [
|
"trustedFacets": [
|
||||||
{
|
{
|
||||||
"version": { "major": 1, "minor": 0 },
|
"version": { "major": 1, "minor": 0 },
|
||||||
|
@ -38,37 +39,51 @@ fn app_id() -> WebHeaders<Content<Json<Value>>> {
|
||||||
"ios:bundle-id:com.8bit.bitwarden",
|
"ios:bundle-id:com.8bit.bitwarden",
|
||||||
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
|
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
|
||||||
}]
|
}]
|
||||||
}))))
|
})),
|
||||||
|
))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const ADMIN_PAGE: &'static str = include_str!("../static/admin.html");
|
||||||
|
|
||||||
#[get("/admin")]
|
#[get("/admin")]
|
||||||
fn admin_page() -> WebHeaders<io::Result<NamedFile>> {
|
fn admin_page() -> Cached<Html<&'static str>> {
|
||||||
WebHeaders(NamedFile::open("src/static/admin.html")) // TODO: Change this to embed the page in the binary
|
Cached::short(Html(ADMIN_PAGE))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* // Use this during Admin page development
|
||||||
|
#[get("/admin")]
|
||||||
|
fn admin_page() -> Cached<io::Result<NamedFile>> {
|
||||||
|
Cached::short(NamedFile::open("src/static/admin.html"))
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
#[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
|
#[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
|
||||||
fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> {
|
fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> {
|
||||||
WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
|
Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
|
||||||
}
|
}
|
||||||
|
|
||||||
struct WebHeaders<R>(R);
|
struct Cached<R>(R, &'static str);
|
||||||
|
|
||||||
impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> {
|
impl<R> Cached<R> {
|
||||||
|
fn long(r: R) -> Cached<R> {
|
||||||
|
// 7 days
|
||||||
|
Cached(r, "public, max-age=604800".into())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn short(r: R) -> Cached<R> {
|
||||||
|
// 10 minutes
|
||||||
|
Cached(r, "public, max-age=600".into())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> {
|
||||||
fn respond_to(self, req: &Request) -> response::Result<'r> {
|
fn respond_to(self, req: &Request) -> response::Result<'r> {
|
||||||
match self.0.respond_to(req) {
|
match self.0.respond_to(req) {
|
||||||
Ok(mut res) => {
|
Ok(mut res) => {
|
||||||
res.set_raw_header("Referrer-Policy", "same-origin");
|
res.set_raw_header("Cache-Control", self.1);
|
||||||
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
|
|
||||||
res.set_raw_header("X-Content-Type-Options", "nosniff");
|
|
||||||
res.set_raw_header("X-XSS-Protection", "1; mode=block");
|
|
||||||
let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
|
|
||||||
res.set_raw_header("Content-Security-Policy", csp);
|
|
||||||
|
|
||||||
Ok(res)
|
Ok(res)
|
||||||
},
|
|
||||||
Err(_) => {
|
|
||||||
Err(Status::NotFound)
|
|
||||||
}
|
}
|
||||||
|
e @ Err(_) => e,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -78,7 +93,6 @@ fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
|
||||||
NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
|
NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#[get("/alive")]
|
#[get("/alive")]
|
||||||
fn alive() -> Json<String> {
|
fn alive() -> Json<String> {
|
||||||
use crate::util::format_date;
|
use crate::util::format_date;
|
||||||
|
|
|
@ -74,7 +74,7 @@ impl Attachment {
|
||||||
)
|
)
|
||||||
.map_res("Error deleting attachment")?;
|
.map_res("Error deleting attachment")?;
|
||||||
|
|
||||||
crate::util::delete_file(&self.get_file_path());
|
crate::util::delete_file(&self.get_file_path())?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -47,6 +47,7 @@ use diesel::result::Error as DieselError;
|
||||||
use jsonwebtoken::errors::Error as JwtError;
|
use jsonwebtoken::errors::Error as JwtError;
|
||||||
use serde_json::{Error as SerError, Value};
|
use serde_json::{Error as SerError, Value};
|
||||||
use u2f::u2ferror::U2fError as U2fErr;
|
use u2f::u2ferror::U2fError as U2fErr;
|
||||||
|
use std::io::Error as IOError;
|
||||||
|
|
||||||
// Error struct
|
// Error struct
|
||||||
// Each variant has two elements, the first is an error of different types, used for logging purposes
|
// Each variant has two elements, the first is an error of different types, used for logging purposes
|
||||||
|
@ -64,6 +65,7 @@ make_error! {
|
||||||
U2fError(U2fErr, _): true, _api_error,
|
U2fError(U2fErr, _): true, _api_error,
|
||||||
SerdeError(SerError, _): true, _api_error,
|
SerdeError(SerError, _): true, _api_error,
|
||||||
JWTError(JwtError, _): true, _api_error,
|
JWTError(JwtError, _): true, _api_error,
|
||||||
|
IoErrror(IOError, _): true, _api_error,
|
||||||
//WsError(ws::Error, _): true, _api_error,
|
//WsError(ws::Error, _): true, _api_error,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -32,6 +32,7 @@ fn init_rocket() -> Rocket {
|
||||||
.mount("/notifications", api::notifications_routes())
|
.mount("/notifications", api::notifications_routes())
|
||||||
.manage(db::init_pool())
|
.manage(db::init_pool())
|
||||||
.manage(api::start_notification_server())
|
.manage(api::start_notification_server())
|
||||||
|
.attach(util::AppHeaders())
|
||||||
}
|
}
|
||||||
|
|
||||||
// Embed the migrations from the migrations folder into the application
|
// Embed the migrations from the migrations folder into the application
|
||||||
|
@ -272,7 +273,6 @@ pub struct Config {
|
||||||
signups_allowed: bool,
|
signups_allowed: bool,
|
||||||
invitations_allowed: bool,
|
invitations_allowed: bool,
|
||||||
admin_token: Option<String>,
|
admin_token: Option<String>,
|
||||||
server_admin_email: Option<String>,
|
|
||||||
password_iterations: i32,
|
password_iterations: i32,
|
||||||
show_password_hint: bool,
|
show_password_hint: bool,
|
||||||
|
|
||||||
|
@ -326,7 +326,6 @@ impl Config {
|
||||||
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
|
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
|
||||||
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
|
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
|
||||||
admin_token: get_env("ADMIN_TOKEN"),
|
admin_token: get_env("ADMIN_TOKEN"),
|
||||||
server_admin_email:None, // TODO: Delete this
|
|
||||||
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
|
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
|
||||||
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
|
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
|
||||||
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
|
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
|
||||||
|
|
51
src/util.rs
51
src/util.rs
|
@ -1,29 +1,57 @@
|
||||||
|
///
|
||||||
|
/// Web Headers
|
||||||
|
///
|
||||||
|
use rocket::fairing::{Fairing, Info, Kind};
|
||||||
|
use rocket::{Request, Response};
|
||||||
|
|
||||||
|
pub struct AppHeaders ();
|
||||||
|
|
||||||
|
impl Fairing for AppHeaders {
|
||||||
|
fn info(&self) -> Info {
|
||||||
|
Info {
|
||||||
|
name: "Application Headers",
|
||||||
|
kind: Kind::Response,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn on_response(&self, _req: &Request, res: &mut Response) {
|
||||||
|
res.set_raw_header("Referrer-Policy", "same-origin");
|
||||||
|
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
|
||||||
|
res.set_raw_header("X-Content-Type-Options", "nosniff");
|
||||||
|
res.set_raw_header("X-XSS-Protection", "1; mode=block");
|
||||||
|
let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
|
||||||
|
res.set_raw_header("Content-Security-Policy", csp);
|
||||||
|
|
||||||
|
// Disable cache unless otherwise specified
|
||||||
|
if !res.headers().contains("cache-control") {
|
||||||
|
res.set_raw_header("Cache-Control", "no-cache, no-store, max-age=0");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
///
|
///
|
||||||
/// File handling
|
/// File handling
|
||||||
///
|
///
|
||||||
|
|
||||||
use std::path::Path;
|
|
||||||
use std::io::Read;
|
|
||||||
use std::fs::{self, File};
|
use std::fs::{self, File};
|
||||||
|
use std::io::{Read, Result as IOResult};
|
||||||
|
use std::path::Path;
|
||||||
|
|
||||||
pub fn file_exists(path: &str) -> bool {
|
pub fn file_exists(path: &str) -> bool {
|
||||||
Path::new(path).exists()
|
Path::new(path).exists()
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn read_file(path: &str) -> Result<Vec<u8>, String> {
|
pub fn read_file(path: &str) -> IOResult<Vec<u8>> {
|
||||||
let mut file = File::open(Path::new(path))
|
|
||||||
.map_err(|e| format!("Error opening file: {}", e))?;
|
|
||||||
|
|
||||||
let mut contents: Vec<u8> = Vec::new();
|
let mut contents: Vec<u8> = Vec::new();
|
||||||
|
|
||||||
file.read_to_end(&mut contents)
|
let mut file = File::open(Path::new(path))?;
|
||||||
.map_err(|e| format!("Error reading file: {}", e))?;
|
file.read_to_end(&mut contents)?;
|
||||||
|
|
||||||
Ok(contents)
|
Ok(contents)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn delete_file(path: &str) -> bool {
|
pub fn delete_file(path: &str) -> IOResult<()> {
|
||||||
let res = fs::remove_file(path).is_ok();
|
let res = fs::remove_file(path);
|
||||||
|
|
||||||
if let Some(parent) = Path::new(path).parent() {
|
if let Some(parent) = Path::new(path).parent() {
|
||||||
// If the directory isn't empty, this returns an error, which we ignore
|
// If the directory isn't empty, this returns an error, which we ignore
|
||||||
|
@ -34,7 +62,6 @@ pub fn delete_file(path: &str) -> bool {
|
||||||
res
|
res
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];
|
const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];
|
||||||
|
|
||||||
pub fn get_display_size(size: i32) -> String {
|
pub fn get_display_size(size: i32) -> String {
|
||||||
|
|
Loading…
Reference in a new issue