1
0
Fork 0
Commit-Graph

933 Commits

Autor SHA1 Nachricht Datum
Daniel García
4f08167d6f
Merge branch '2fa_enforcement' of https://github.com/olivierIllogika/bitwarden_rs into olivierIllogika-2fa_enforcement 2021-07-15 19:27:36 +02:00
Daniel García
f16d56cb27
Merge branch 'attachment-storage' of https://github.com/BlackDex/vaultwarden into BlackDex-attachment-storage 2021-07-15 19:20:52 +02:00
Daniel García
7f437b6947
Merge branch 'umireon-add-edge-frame-ancestors' of https://github.com/umireon/vaultwarden into umireon-umireon-add-edge-frame-ancestors 2021-07-15 19:20:19 +02:00
Daniel García
d0ec410b73
Merge branch 'password-hints' of https://github.com/jjlin/vaultwarden into jjlin-password-hints 2021-07-15 19:18:22 +02:00
Daniel García
e5ec245626
Protect namedfile against path traversal, rocket only does it for pathbuf 2021-07-15 19:15:55 +02:00
BlackDex
6ea95d1ede Updated attachment limit descriptions
The user and org attachment limit use `size` as wording while it should
have been `storage` since it isn't per attachment, but the sum of all attachments.

- Changed the wording in the config/env
- Changed the wording of the error messages.

Resolves #1818
2021-07-13 15:17:03 +02:00
Jeremy Lin
88bea44dd8 Prevent user enumeration via password hints
When `show_password_hint` is enabled but mail is not configured, the previous
implementation returned a differentiable response for non-existent email
addresses.

Even if mail is enabled, there is a timing side channel since mail is sent
synchronously. Add a randomized sleep to mitigate this somewhat.
2021-07-10 01:21:27 -07:00
Jeremy Lin
8ee5d51bd4 Disable show_password_hint by default
A setting that provides unauthenticated access to potentially sensitive data
shouldn't be enabled by default.
2021-07-10 01:20:37 -07:00
Kaito Udagawa
c640abbcd7
Update src/util.rs
Co-authored-by: William Desportes <williamdes@wdes.fr>
2021-07-08 02:55:58 +09:00
Kaito Udagawa
13598c098f Add links to browser extensions 2021-07-08 02:52:45 +09:00
Kaito Udagawa
a622b4d2fb Add Edge's frame-ancestors
Edge's frame-ancestors are required for Edge extension to do WebAuthn.
2021-07-08 01:19:52 +09:00
BlackDex
403f35b571 Added web-vault v2.21.x support + some misc fixes
- The new web-vault v2.21.0+ has support for Master Password Reset. For
this to work it generates a public/private key-pair which needs to be
stored in the database. Currently the Master Password Reset is not
fixed, but there are endpoints which are needed even if we do not
support this feature (yet). This PR fixes those endpoints, and stores
the keys already in the database.

- There was an issue when you want to do a key-rotate when you change
your password, it also called an Emergency Access endpoint, which we do
not yet support. Because this endpoint failed to reply correctly
produced some errors, and also prevent the user from being forced to
logout. This resolves #1826 by adding at least that endpoint.

Because of that extra endpoint check to Emergency Access is done using
an old user stamp, i also modified the stamp exception to allow multiple
rocket routes to be called, and added an expiration timestamp to it.

During these tests i stumbled upon an issue that after my key-change was
done, it triggered the websockets to try and reload my ciphers, because
they were updated. This shouldn't happen when rotating they keys, since
all access should be invalided. Now there will be no websocket
notification for this, which also prevents error toasts.

- Increased Send Size limit to 500MB (with a litle overhead)

As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
Daniel García
e3a2dfffab
Formatting 2021-06-26 14:21:58 +02:00
Daniel García
0dcea75764
Remove unused lifetime and double referencing 2021-06-26 13:35:09 +02:00
Daniel García
46e0f3c43a
Load RSA keys as pem format directly, and using openssl crate, backported from async branch 2021-06-25 20:53:26 +02:00
Daniel García
2cd17fe7af
Add token with short expiration time to send url 2021-06-25 20:53:26 +02:00
Jeremy Lin
49579e4ce7 Avoid Error parsing LastKnownRevisionDate warning for mobile clients
When creating a new cipher, the mobile clients seem to set this field to an
invalid value, which causes a warning to be logged:

    Error parsing LastKnownRevisionDate '0001-01-01T00:00:00': premature end of input

Avoid this by dropping the `LastKnownRevisionDate` field on cipher creation.
2021-06-19 21:32:11 -07:00
Daniel García
9254cf9d9c
Fix clippy lints 2021-06-19 22:02:03 +02:00
BlackDex
8615736e84 Multiple Admin Interface fixes and some others.
Misc:
- Fixed hadolint workflow, new git cli needs some extra arguments.
- Add ignore paths to all specific on triggers.
- Updated hadolint version.
- Made SMTP_DEBUG read-only, since it can't be changed at runtime.

Admin:
- Migrated from Bootstrap v4 to v5
- Updated jquery to v3.6.0
- Updated Datatables
- Made Javascript strict
- Added a way to show which ENV Vars are overridden.
- Changed the way to provide data for handlebars.
- Fixed date/time check.
- Made support string use details and summary feature of markdown/github.
2021-06-19 19:22:19 +02:00
Daniel García
5772836be5
Fix admin page with handlebars 4 2021-06-16 22:57:28 +02:00
Daniel García
c380d9c379
Support for webauthn and u2f->webauthn migrations 2021-06-16 19:06:40 +02:00
Jeremy Lin
3f7e4712cd Fix attachment size limit calculation for v2 uploads 2021-05-25 23:17:22 -07:00
Jeremy Lin
c2ef331df9 Rework file ID generation 2021-05-25 23:15:24 -07:00
Jeremy Lin
5fef7983f4 Clean up attachment error handling 2021-05-25 22:13:04 -07:00
Jeremy Lin
29ed82a359 Add support for v2 attachment upload APIs
Upstream PR: https://github.com/bitwarden/server/pull/1229
2021-05-25 04:14:51 -07:00
Jeremy Lin
848d17ffb9 Sync global_domains.json to bitwarden/server@7857053 (Amazon) 2021-05-16 15:16:41 -07:00
BlackDex
f270f2ed65 Updated icon fetching and crates.
- Updated some crates
- Updated icon fetching code:
  + Use a cookie jar and set Max-Age to 2 minutes for all cookies
  + Locate the base href tag to fix some locations
  + Changed User-Agent (Helps on some sites to get HTML instead of JS)
  + Reduced HTML code limit from 512KB to 384KB
  + Allow some large icons higer-up in the sort
  + Allow GIF images
  + Ignore cookie_store and hyper::client debug messages
2021-05-16 15:29:13 +02:00
Jeremy Lin
9133e2927d Fix attachment downloads
Upstream switched to new upload/download APIs. Uploads fall back to the
legacy APIs for now, but not downloads apparently.
2021-05-15 22:46:57 -07:00
Jeremy Lin
38104ba7cf cargo fmt changes
The PR build seems to fail without this...
2021-05-15 22:46:37 -07:00
Daniel García
8e6c6a1dc4
Merge pull request #1689 from jjlin/hide-email
Add support for hiding the sender's email address in Bitwarden Sends
2021-05-12 23:05:53 +02:00
Daniel García
7a9cfc45da
Merge pull request #1688 from jjlin/config-sends-allowed
Add `sends_allowed` config setting
2021-05-12 23:05:41 +02:00
Daniel García
9e24b9065c
Merge pull request #1682 from dongcarl/2021-05-admin-granular-http-codes
admin: More granular HTTP return codes for user-related endpoints
2021-05-12 23:05:30 +02:00
Daniel García
1c2b376ca2
Merge pull request #1663 from dongcarl/2021-05-invite_user-return
admin: Return newly-created user in invite_user
2021-05-12 23:05:20 +02:00
Jeremy Lin
029008bad5 Add support for the Send Options policy
Upstream refs:

* https://github.com/bitwarden/server/pull/1234
* https://bitwarden.com/help/article/policies/#send-options
2021-05-12 01:22:12 -07:00
Jeremy Lin
d3449bfa00 Add support for hiding the sender's email address in Bitwarden Sends
Note: The original Vaultwarden implementation of Bitwarden Send would always
hide the email address, while the upstream implementation would always show it.

Upstream PR: https://github.com/bitwarden/server/pull/1234
2021-05-11 22:51:12 -07:00
Jeremy Lin
a9a5706764 Add support for password reprompt
Upstream PR: https://github.com/bitwarden/server/pull/1269
2021-05-11 20:09:57 -07:00
Jeremy Lin
3ff8014add Add sends_allowed config setting
This provides global control over whether users can create Bitwarden Sends.
2021-05-11 20:07:32 -07:00
Carl Dong
e60bdc7efe admin: Make invite_user error codes more specific
- Return 409 Conflict for when a user with that email already exists
- Return 500 InternalServerError for everything else
2021-05-10 11:47:41 -04:00
Carl Dong
cccd8262fa admin: Add /users/<uuid> route
Individual user information can now be looked up by UUID.
2021-05-10 11:47:41 -04:00
Carl Dong
68e5d95d25 admin: Specifically return 404 for user not found
- Modify err_code to accept an expr for err_code
- Add get_user_or_404, properly returning 404 instead of a generic 400
  for cases where user is not found
- Use get_user_or_404 where appropriate.
2021-05-10 11:47:41 -04:00
Carl Dong
5f458b288a admin: Return newly-created user in invite_user
Instead of having the caller dig through /admin/users for the right one,
just return the user upon creation.
2021-05-10 11:47:41 -04:00
BlackDex
7cb19ef767 Updated branding, email and crates
- Updated branding for admin and emails
- Updated crates and some deprications
- Removed newline-converter because this is built-in into lettre
- Updated email templates to use a shared header and footer template
- Also trigger SMTP SSL When TLS is selected without SSL
  Resolves #1641
2021-05-08 17:46:31 +02:00
Daniel García
b8010be26b
Extract some FromDb trait impls outside the macros so they aren't repeated, and fix some clippy lints 2021-05-02 17:49:25 +02:00
Olivier Martin
39167d333a Merge commit '0d631329873196935ba29db985c5e32def391251' into 2fa_enforcement 2021-05-01 12:35:58 -04:00
Daniel García
7b5d5d1302
Rename references to the discourse forum 2021-04-30 22:40:12 +02:00
Olivier Martin
f707f86c8e Merge commit '1e5306b8203a7ebe24047910e6c690c18c6d827a' into 2fa_enforcement 2021-04-29 23:29:28 -04:00
Daniel García
1e5306b820
Remove warning when compiling only with mysql and add compatibility mode with the old docker script names 2021-04-29 16:01:04 +02:00
Daniel García
2b4dd6f137
Fix branch name 2021-04-28 21:46:20 +02:00
Olivier Martin
cc021a4784 project name and links in new email templates 2021-04-27 21:48:07 -04:00
Olivier Martin
e3c4609c2a Merge commit '3da44a8d30e76f48b84f5b888e0b33427037037c' into 2fa_enforcement 2021-04-27 21:44:32 -04:00
Daniel García
3da44a8d30
Fix formatting 2021-04-27 23:39:36 +02:00
Daniel García
34ea10475d
Project renaming 2021-04-27 23:18:32 +02:00
Olivier Martin
89a68741d6 ran cargo fmt --all 2021-04-16 14:49:59 -04:00
Olivier Martin
2421d49d9a Merge branch 'master' of github.com:dani-garcia/bitwarden_rs into 2fa_enforcement
# Conflicts:
#	src/db/models/org_policy.rs
#	src/db/models/organization.rs
2021-04-16 14:29:28 -04:00
Daniel García
305de2e2cd
Format the changes from merge to master 2021-04-15 18:30:23 +02:00
Daniel García
95d906bdbb
Merge branch 'master' into fmt 2021-04-15 18:24:04 +02:00
Daniel García
4bb0d7bc05
Merge pull request #1587 from RealOrangeOne/request-proxy
Allow outbound requests to go via a proxy
2021-04-15 17:40:39 +02:00
Olivier Martin
1db37bf3d0 make error toast display detailed message
replace invite accept error message with the one from upstream
check if config mail is enabled
2021-04-12 21:54:57 -04:00
Olivier Martin
d75a80bd2d Resolves dani-garcia/bitwarden_rs#981
* a user without 2fa trying to join a 2fa org will fail, but user gets an email to enable 2fa
* a user disabling 2fa will be removed from 2fa orgs; user gets an email for each org
* an org enabling 2fa policy will remove users without 2fa; users get an email
2021-04-11 22:57:17 -04:00
Jeremy Lin
244bad3a24 Warn that the SQLite backup feature doesn't produce a complete backup
Also add a link to the wiki page on backups.
2021-04-09 22:30:39 -07:00
Jake Howard
994669fb69
Merge remote-tracking branch 'origin/master' into fmt 2021-04-06 21:55:28 +01:00
Jake Howard
3ab90259f2
Modify rustfmt file 2021-04-06 21:54:42 +01:00
Jake Howard
155109dea1
Extract client creation to a single place 2021-04-06 21:04:37 +01:00
Daniel García
b268c3dd1c
Update web vault and add unnoficialserver response 2021-04-06 20:38:22 +02:00
Daniel García
4e64dbdde4
Merge pull request #1579 from jjlin/job-scheduler
Add support for auto-deleting trashed items
2021-04-06 19:48:49 +02:00
Daniel García
a2955daffe
Merge pull request #1576 from jjlin/global-domains
Sync global_domains.json
2021-04-06 19:36:11 +02:00
Daniel García
d3921b973b
Merge pull request #1583 from BlackDex/icon-updates
Updated icon fetching.
2021-04-06 19:35:51 +02:00
Jeremy Lin
90e0b7fec6 Offset scheduled jobs by 5 minutes
This is intended to avoid contention with database backups that many users
probably schedule to start at exactly the top of an hour.
2021-04-05 23:20:08 -07:00
Jeremy Lin
d77333576b Add support for auto-deleting trashed items
Upstream will soon auto-delete trashed items after 30 days, but some people
use the trash as an archive folder, so to avoid unexpected data loss, this
implementation requires the user to explicitly enable auto-deletion.
2021-04-05 23:07:25 -07:00
Jeremy Lin
73ff8d79f7 Add a generic job scheduler
Also rewrite deletion of old sends using the job scheduler.
2021-04-05 23:07:15 -07:00
BlackDex
95fc88ae5b Some admin interface updates.
- Fixed bug when web-vault is disabled.
- Updated sql-server version check to be simpler thx to @weiznich ( https://github.com/dani-garcia/bitwarden_rs/pull/1548#discussion_r604767196 )
- Use `VACUUM INTO` to create a SQLite backup instead of using the external sqlite3 application.
  - This also removes the dependancy of having the sqlite3 packages installed on the final image unnecessary, and thus removed it.
- Updated backup filename to also have the current time.
- Add specific bitwarden_rs web-vault version check (to match letter patched versions)
  Will work when https://github.com/dani-garcia/bw_web_builds/pull/33 is build (But still works without it also).
2021-04-05 15:09:16 +02:00
BlackDex
1d0eaac260 Updated icon fetching.
- Added image type checking, and prevent downloading non images.
  We didn't checked this before, which could in turn could allow someone
to download an arbitrary file.
- This also prevents SVG images from being used, while they work on the
  web-vault and desktop client, they didn't on the mobile versions.
- Because of this image type checking we can return a valid file type
  instead of only 'x-icon' (which is still used as a fallback).
- Prevent rel values with `icon-mask`, these are not valid favicons.
2021-04-03 22:51:44 +02:00
Jeremy Lin
3565bfc939 Sync global_domains.json to bitwarden/server@261916d (Stack Exchange) 2021-04-01 21:59:06 -07:00
Jake Howard
93c881a7a9
Reflow some lines manually 2021-03-31 21:45:05 +01:00
Jake Howard
0af3956abd
Run cargo fmt on codebase 2021-03-31 21:18:35 +01:00
BlackDex
9caf4bf383 Misc changes.
Some small changes in general:
- Moved the SQL Version check struct into the function.
- Updated hadolint to 2.0.0
- Fixed hadolint 2.0.0 warnings
- Updated github workflows
- Added .editorconfig for some general shared editor settings.
2021-03-30 21:45:10 +02:00
BlackDex
3a3390963c Icon and SMTP Debug fixes.
- We need to add some feature to enable smtp debugging again. See: https://github.com/lettre/lettre/pull/584
- Upstream added the fallback icon again, probably because of caching ;). See: https://github.com/bitwarden/server/pull/1149
- Enabled gzip and brotli compression support with reqwest. Some sites seem to force this, or assume that because of the User-Agent string it is supported. This caused some failed icons.

Fixes #1540
2021-03-29 10:27:58 +02:00
Daniel García
fd27759a95
Merge pull request #1546 from RealOrangeOne/clippy-run
Run Clippy
2021-03-28 16:04:09 +02:00
Daniel García
01d8056c73
Merge pull request #1545 from RealOrangeOne/icon-client-cache
Client caching
2021-03-28 16:03:16 +02:00
Jake Howard
81fa33ebb5
Remove unnecessary reference 2021-03-28 10:59:49 +01:00
Jake Howard
e8aa3bc066
Merge branch 'master' into clippy-run 2021-03-28 10:51:25 +01:00
Jake Howard
0bf0125e82
Reverse negation on ordering
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
2021-03-28 10:49:29 +01:00
Jake Howard
6209e778e5
Icons should always be cached using full TTL 2021-03-28 10:39:12 +01:00
BlackDex
57e17d0648 Updated diagnostics page
- Added reverse proxy check
- Better deffinition of internet proxy
- Added SQL Server version detection
2021-03-28 00:10:01 +01:00
Jake Howard
3e5971b9db
Remove unnecessary result return types 2021-03-27 15:07:26 +00:00
Jake Howard
47c2625d38
Prevent clippy complaining at method
It's not incorrectly wrapped. We care about the return type being `Option`.
2021-03-27 14:36:50 +00:00
Jake Howard
49af9cf4f5
Correctly camelCase acronyms
https://rust-lang.github.io/rust-clippy/master/index.html#upper_case_acronyms
2021-03-27 14:26:32 +00:00
Jake Howard
6b1daeba05
Implement From over Into
https://rust-lang.github.io/rust-clippy/master/index.html#from_over_into
2021-03-27 14:19:57 +00:00
Jake Howard
9f1240d8d9
Only construct JSON object if it's useful 2021-03-27 14:03:46 +00:00
Jake Howard
a8138be69b
Use if let more 2021-03-27 14:03:31 +00:00
Jake Howard
ea57dc3bc9
Use matches macro 2021-03-27 14:03:07 +00:00
Jake Howard
131348a49f
Add immutable caching for vault assets
The URLs are cachebusted, so updates will still be applied cleanly and immediately
2021-03-27 13:37:56 +00:00
Jake Howard
b22564cb00
Cache icons on the client
This should make the vault pages load much faster, and massively reduce the number of requests.
2021-03-27 13:30:40 +00:00
Daniel García
8ea01a67f6
Merge pull request #1529 from mprasil/more-generic-send-error-messages
Return generic message when Send not available
2021-03-25 19:56:24 +01:00
Miro Prasil
aa5cc642e1 Use constant for the "inaccessible" error message 2021-03-25 11:40:32 +00:00
Jeremy Lin
f842a80cdb Sync global_domains.json to bitwarden/server@455e4b2 (ProtonMail/ProtonVPN) 2021-03-23 11:30:00 -07:00
Miro Prasil
4b6a574ee0 Return generic message when Send not available
This should help avoid leaking information about (non)existence of Send
and be more in line with what official server returns.
2021-03-23 13:39:09 +00:00
Daniel García
f9ebb780f9
Update dependencies 2021-03-22 20:00:57 +01:00
Daniel García
1fc6c30652
Send deletion thread and updated users revision 2021-03-22 19:57:35 +01:00
Daniel García
46a1a013cd
Update user revision date with sends 2021-03-22 19:05:15 +01:00