0
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden synced 2024-11-05 07:08:59 +01:00
Commit graph

2115 commits

Author SHA1 Message Date
Daniel García
06189a58fe
Merge branch 'BlackDex-fix-admin-repost' 2022-12-04 23:16:54 +01:00
BlackDex
f402dd81bb
Limit Cipher Note encrypted string size
As discussed in #2937, this will limit the amount of encrypted
characters to 10.000 characters, same as Bitwarden.
This will not break current ciphers which exceed this limit, but it will prevent those
ciphers from being updated.

Fixes #2937
2022-12-04 23:16:50 +01:00
BlackDex
c885bbc947
Update dependencies for Rust and Admin interface.
- Updated Rust deps and one small change regarding chrono
- Updated bootstrap 5 css
- Updated datatables
- Replaced identicon.js with jdenticon.
  identicon.js is unmaintained ( https://github.com/stewartlord/identicon.js/issues/52 )
  The icon's are very different, but nice. It also doesn't need custom
  code to find and update the icons our selfs.
2022-12-04 23:16:50 +01:00
BlackDex
63fb0e5a57
Cleanups and Fixes for Emergency Access
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals

Fixes #2925
2022-12-04 23:16:49 +01:00
Daniel García
37d0792a7d
Merge branch 'BlackDex-issue-2937' 2022-12-04 23:15:08 +01:00
BlackDex
c8040d2f63
Update dependencies for Rust and Admin interface.
- Updated Rust deps and one small change regarding chrono
- Updated bootstrap 5 css
- Updated datatables
- Replaced identicon.js with jdenticon.
  identicon.js is unmaintained ( https://github.com/stewartlord/identicon.js/issues/52 )
  The icon's are very different, but nice. It also doesn't need custom
  code to find and update the icons our selfs.
2022-12-04 23:15:03 +01:00
BlackDex
dbcad65b68
Cleanups and Fixes for Emergency Access
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals

Fixes #2925
2022-12-04 23:15:03 +01:00
Daniel García
226da67bc0
Merge branch 'BlackDex-update-deps' 2022-12-04 23:14:41 +01:00
BlackDex
fee2b5c3fb
Cleanups and Fixes for Emergency Access
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals

Fixes #2925
2022-12-04 23:14:37 +01:00
Daniel García
6bbb3d53ae
Merge branch 'BlackDex-emergency-access-cleanup' 2022-12-04 23:14:02 +01:00
BlackDex
610b183cef
Update dependencies for Rust and Admin interface.
- Updated Rust deps and one small change regarding chrono
- Updated bootstrap 5 css
- Updated datatables
- Replaced identicon.js with jdenticon.
  identicon.js is unmaintained ( https://github.com/stewartlord/identicon.js/issues/52 )
  The icon's are very different, but nice. It also doesn't need custom
  code to find and update the icons our selfs.
2022-12-04 18:38:46 +01:00
BlackDex
b022be9ba8
Fix admin repost warning.
Currently when you login into the admin, and then directly hit the save
button, it will come with a re-post/re-submit warning.
This has to do with the `window.location.reload()` function, which
triggers the admin login POST again.

By changing the way to reload the page, we prevent this repost.
2022-12-03 17:28:25 +01:00
BlackDex
7f11363725
Limit Cipher Note encrypted string size
As discussed in #2937, this will limit the amount of encrypted
characters to 10.000 characters, same as Bitwarden.
This will not break current ciphers which exceed this limit, but it will prevent those
ciphers from being updated.

Fixes #2937
2022-12-02 16:25:11 +01:00
BlackDex
4aa6dd22bb
Cleanups and Fixes for Emergency Access
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals

Fixes #2925
2022-12-02 09:44:23 +01:00
Daniel García
8feed2916f
Update web vault to v2022.11.1 2022-12-01 22:53:47 +01:00
Daniel García
59eaa0aa0d
Merge branch 'stefan0xC-forward-to-admin-login' 2022-12-01 22:41:00 +01:00
Stefan Melmuk
d5e54cb576
only check sqlite parent if there could be one 2022-12-01 22:38:59 +01:00
Stefan Melmuk
8837660ba7
check if sqlite folder exists
instead of creating the parent folders to a sqlite database
vaultwarden should just exit if it does not.

this should fix issues like #2835 when a wrongly configured
`DATABASE_URL` falls back to using sqlite
2022-12-01 22:38:59 +01:00
BlackDex
464a489b44
Update Vaultwarden Logo's
Updated the logo's so the `V` is better visible.
Also the cog it self is better now, the previous version wasn't fully round.
These versions also are used with the PR to update the web-vault and use these logo's.

Also updated the images in the static folder.
2022-12-01 22:38:59 +01:00
BlackDex
7035700c8d
Add Organizational event logging feature
This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.

All events are touched except a few, since we do not support those
features (yet), like SSO for example.

This feature is tested with multiple clients and all database types.

Fixes #229
2022-12-01 22:38:59 +01:00
Daniel García
23c2921690
Merge branch 'stefan0xC-check-sqlite-folder' 2022-12-01 22:36:01 +01:00
BlackDex
7d506f3633
Update Vaultwarden Logo's
Updated the logo's so the `V` is better visible.
Also the cog it self is better now, the previous version wasn't fully round.
These versions also are used with the PR to update the web-vault and use these logo's.

Also updated the images in the static folder.
2022-12-01 22:35:57 +01:00
BlackDex
b186813049
Add Organizational event logging feature
This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.

All events are touched except a few, since we do not support those
features (yet), like SSO for example.

This feature is tested with multiple clients and all database types.

Fixes #229
2022-12-01 22:35:57 +01:00
Daniel García
bfa82225da
Merge pull request #2940 from BlackDex/update-logos
Update Vaultwarden Logo's
2022-12-01 22:10:37 +01:00
Daniel García
ffa2044563
Merge pull request #2868 from BlackDex/impl-events
Add Organizational event logging feature
2022-12-01 22:09:27 +01:00
BlackDex
d57b69952d
Update Vaultwarden Logo's
Updated the logo's so the `V` is better visible.
Also the cog it self is better now, the previous version wasn't fully round.
These versions also are used with the PR to update the web-vault and use these logo's.

Also updated the images in the static folder.
2022-12-01 12:32:24 +01:00
Stefan Melmuk
5a13efefd3
only check sqlite parent if there could be one 2022-11-28 22:54:03 +01:00
Stefan Melmuk
2f9d7060bd
check if sqlite folder exists
instead of creating the parent folders to a sqlite database
vaultwarden should just exit if it does not.

this should fix issues like #2835 when a wrongly configured
`DATABASE_URL` falls back to using sqlite
2022-11-28 22:54:02 +01:00
Stefan Melmuk
0aa33a2cb4
don't use param for passing the redirect info
revert some changes and also rename catcher to `admin_login` to make its
function clearer

Co-authored-by: BlackDex <black.dex@gmail.com>
2022-11-28 18:21:30 +01:00
Stefan Melmuk
fa7dbedd5d
redirect to admin login page when forward fails
currently, if the admin guard fails the user will get a 404 page.
and when the session times out after 20 minutes post methods will
give the reason "undefined" as a response while generating the support
string will fail without any user feedback.

this commit changes the error handling on admin pages

* by removing the reliance on Rockets forwarding and making the login
  page an explicit route that can be redirected to from all admin pages

* by removing the obsolete and mostly unused Referer struct we can
  redirect the user back to the requested admin page directley

* by providing an error message for json requests the
  `get_diagnostics_config` and all post methods can return a more
  comprehensible message and the user can be alerted

* the `admin_url()` function can be simplified because rfc2616 has been
  obsoleted by rfc7231 in 2014 (and also by the recently released
  rfc9110) which allows relative urls in the Location header.

  c.f. https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2 and
  https://www.rfc-editor.org/rfc/rfc9110#section-10.2.2
2022-11-28 16:46:06 +01:00
BlackDex
2ea9b66943
Add Organizational event logging feature
This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.

All events are touched except a few, since we do not support those
features (yet), like SSO for example.

This feature is tested with multiple clients and all database types.

Fixes #229
2022-11-27 23:36:34 +01:00
Daniel García
f3beaea9e9
Merge pull request #2933 from stefan0xC/fix-manager-issue
allow managers to set groups of a collection
2022-11-27 22:02:10 +01:00
Daniel García
39ae2f1f76
Merge pull request #2928 from karbobc/settings-description
Update settings description
2022-11-27 22:01:54 +01:00
Daniel García
366b1050ec
Merge pull request #2921 from BlackDex/issue-2909
Prevent DNS leak when icon regex is configured
2022-11-27 22:00:54 +01:00
Daniel García
b3aab7a6ad
Merge pull request #2920 from BlackDex/issue-2889
Added missing `register` endpoint to `identity`
2022-11-27 22:00:23 +01:00
Daniel García
aa8d050d6b
Merge pull request #2919 from BlackDex/issue-2828
Fully remove DuckDuckGo email service.
2022-11-27 21:59:51 +01:00
Daniel García
5200f0e98d
Merge pull request #2918 from BlackDex/issue-2761
Set "Bypass admin page security" as read-only
2022-11-27 21:59:39 +01:00
Daniel García
5f4abb1b7f
Merge pull request #2911 from skid9000/patch-1
Update config comment to reflect rfc8314.
2022-11-27 21:59:18 +01:00
Daniel García
dfe1e30d1b
Merge pull request #2910 from samueltardieu/const-crypto
Use constant size generic parameter for random bytes generation
2022-11-27 21:58:27 +01:00
Stefan Melmuk
e27a5be47a
allow managers to set groups of a collection
fixes #2932
2022-11-23 15:47:45 +01:00
Karbob
56786a18f1 Update settings description
Update description to `admin login requests`.
2022-11-22 22:12:06 +08:00
BlackDex
0d2399d485
Prevent DNS leak when icon regex is configured
When a icon blacklist regex was configured to not check for a domain, it
still did a DNS lookup first. This could cause a DNS leakage for these
regex blocked domains.

This PR resolves this issue by first checking the regex, and afterwards
the other checks.

Fixes #2909
2022-11-14 17:25:44 +01:00
BlackDex
5bfc7cfde3
Added missing register endpoint to identity
In the upcomming web-vault and other clients they changed the register
endpoint from `/api/accounts/register` to `/identity/register`.

This PR adds the new endpoint to already be compatible with the new
clients.

Fixes #2889
2022-11-14 17:22:37 +01:00
BlackDex
723f0cbc1e
Fully remove DuckDuckGo email service.
The DuckDuckGo email service is not supported for self-hosted servers.
This option is already hidden via the latest web-vault.

This PR also removes some server side headers.

Fixes #2828
2022-11-14 17:19:30 +01:00
BlackDex
b141f789f6
Set "Bypass admin page security" as read-only
It was possible to disable the admin security via the admin interface.
This is kinda insecure as mentioned in #2761.

This PR set this value as read-only and admin's need to set the correct ENV variable.
Currently saved settings which do override this are still valid though.
If an admin want's this removed, they either need to reset the config,
or change the value in the `config.json` file.

Fixes #2761
2022-11-14 17:18:25 +01:00
Samuel Tardieu
7445ee40f8 Remove get_random_64()
Its uses are replaced by get_randm_bytes() or encode_random_bytes().
2022-11-13 10:03:06 +01:00
Skid
4a9a0f7e64
Update .env.template
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2022-11-12 22:39:41 +01:00
Skid
63aad2e5d2
Update config comment to reflect rfc8314. 2022-11-12 22:07:03 +01:00
Samuel Tardieu
d0baa23f9a Use constant size generic parameter for random bytes generation
All uses of `get_random()` were in the form of:

  `&get_random(vec![0u8; SIZE])`

with `SIZE` being a constant.

Building a `Vec` is unnecessary for two reasons. First, it uses a
very short-lived dynamic memory allocation. Second, a `Vec` is a
resizable object, which is useless in those context when random
data have a fixed size and will only be read.

`get_random_bytes()` takes a constant as a generic parameter and
returns an array with the requested number of random bytes.

Stack safety analysis: the random bytes will be allocated on the
caller stack for a very short time (until the encoding function has
been called on the data). In some cases, the random bytes take
less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit
computer). The maximum used size is 180 bytes, which makes it
for 0.008% of the default stack size for a Rust thread (2MiB),
so this is a non-issue.

Also, most of the uses of those random bytes are to encode them
using an `Encoding`. The function `crypto::encode_random_bytes()`
generates random bytes and encode them with the provided
`Encoding`, leading to code deduplication.

`generate_id()` has also been converted to use a constant generic
parameter as well since the length of the requested String is always
a constant.
2022-11-11 11:59:27 +01:00
Daniel García
7a7673103f
Merge branch 'BlackDex-org-export-fixes' 2022-11-09 22:40:05 +01:00