&", rank = 1)]
-async fn oidcsignin(code: OIDCCode, state: String, mut conn: DbConn) -> ApiResult {
- _oidcsignin_redirect(
- state,
- OIDCCodeWrapper::Ok {
- code,
- },
- &mut conn,
- )
- .await
+async fn oidcsignin(code: OIDCCode, state: String, cookies: &CookieJar<'_>, mut conn: DbConn) -> ApiResult {
+ _oidcsignin_redirect(state, code, None, cookies, &mut conn).await
}
-// Bitwarden client appear to only care for code and state so we pipe it through
-// cf: https://github.com/bitwarden/clients/blob/80b74b3300e15b4ae414dc06044cc9b02b6c10a6/libs/auth/src/angular/sso/sso.component.ts#L141
+// Bitwarden client appear to only care for code and state
+// We save the error in the database and set the encoded state as the code to be able to retrieve them later on
+// cf: https://github.com/bitwarden/clients/blob/afd36d290ce18fb0048e0575e7d5a8f78b5dbffc/libs/auth/src/angular/sso/sso.component.ts#L156
#[get("/connect/oidc-signin?&&", rank = 2)]
async fn oidcsignin_error(
state: String,
error: String,
error_description: Option,
+ cookies: &CookieJar<'_>,
mut conn: DbConn,
) -> ApiResult {
_oidcsignin_redirect(
- state,
- OIDCCodeWrapper::Error {
+ state.clone(),
+ state.into(),
+ Some(OIDCCodeResponseError {
error,
error_description,
- },
+ }),
+ cookies,
&mut conn,
)
.await
@@ -1154,10 +1195,11 @@ async fn oidcsignin_error(
// The state was encoded using Base64 to ensure no issue with providers.
// iss and scope parameters are needed for redirection to work on IOS.
-// We pass the state as the code to get it back later on.
async fn _oidcsignin_redirect(
base64_state: String,
- code_response: OIDCCodeWrapper,
+ code: OIDCCode,
+ error: Option,
+ cookies: &CookieJar<'_>,
conn: &mut DbConn,
) -> ApiResult {
let state = sso::decode_state(&base64_state)?;
@@ -1166,7 +1208,20 @@ async fn _oidcsignin_redirect(
None => err!(format!("Cannot retrieve sso_auth for {state}")),
Some(sso_auth) => sso_auth,
};
- sso_auth.code_response = Some(code_response);
+
+ // Browser-binding check
+ // The cookie was set on /connect/authorize and must come from the same browser that initiated the flow.
+ let cookie_value = cookies.get(SSO_BINDING_COOKIE).map(|c| c.value().to_string());
+ let provided_hash = cookie_value.as_deref().map(|v| crypto::sha256_hex(v.as_bytes()));
+ match (sso_auth.binding_hash.as_deref(), provided_hash.as_deref()) {
+ (Some(expected), Some(actual)) if crypto::ct_eq(expected, actual) => {}
+ _ => err!(format!("SSO session binding mismatch for {state}")),
+ }
+ cookies
+ .remove(Cookie::build(SSO_BINDING_COOKIE).path(format!("{}/identity/connect/", CONFIG.domain_path())).build());
+
+ sso_auth.code_response = Some(code.clone());
+ sso_auth.code_response_error = error;
sso_auth.updated_at = Utc::now().naive_utc();
sso_auth.save(conn).await?;
@@ -1176,7 +1231,7 @@ async fn _oidcsignin_redirect(
};
url.query_pairs_mut()
- .append_pair("code", &state)
+ .append_pair("code", &code)
.append_pair("state", &state)
.append_pair("scope", &AuthMethod::Sso.scope())
.append_pair("iss", &CONFIG.domain());
@@ -1212,7 +1267,7 @@ struct AuthorizeData {
// The `redirect_uri` will change depending of the client (web, android, ios ..)
#[get("/connect/authorize?")]
-async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult {
+async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure, conn: DbConn) -> ApiResult {
let AuthorizeData {
client_id,
redirect_uri,
@@ -1226,7 +1281,23 @@ async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult {
err!("Unsupported code challenge method");
}
- let auth_url = sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, conn).await?;
+ // Generate browser-binding token. Stored hashed in DB; raw value handed to the browser as a cookie.
+ // Validated on /connect/oidc-signin
+ let binding_token = data_encoding::BASE64URL_NOPAD.encode(&crypto::get_random_bytes::<32>());
+ let binding_hash = crypto::sha256_hex(binding_token.as_bytes());
+
+ let auth_url =
+ sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, Some(binding_hash), conn).await?;
+
+ cookies.add(
+ Cookie::build((SSO_BINDING_COOKIE, binding_token))
+ .path(format!("{}/identity/connect/", CONFIG.domain_path()))
+ .max_age(time::Duration::seconds(sso::SSO_AUTH_EXPIRATION.num_seconds()))
+ .same_site(SameSite::Lax) // Lax is needed because the IdP runs on a different FQDN
+ .http_only(true)
+ .secure(secure.https)
+ .build(),
+ );
Ok(Redirect::temporary(String::from(auth_url)))
}
diff --git a/src/api/notifications.rs b/src/api/notifications.rs
index 492fdb19..b1d64472 100644
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@@ -338,7 +338,7 @@ impl WebSocketUsers {
}
// NOTE: The last modified date needs to be updated before calling these methods
- pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
+ pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
// Skip any processing if both WebSockets and Push are not active
if *NOTIFICATIONS_DISABLED {
return;
diff --git a/src/api/push.rs b/src/api/push.rs
index 5000869d..e3ff1383 100644
--- a/src/api/push.rs
+++ b/src/api/push.rs
@@ -135,7 +135,7 @@ pub async fn register_push_device(device: &mut Device, conn: &DbConn) -> EmptyRe
Ok(())
}
-pub async fn unregister_push_device(push_id: &Option) -> EmptyResult {
+pub async fn unregister_push_device(push_id: Option<&PushId>) -> EmptyResult {
if !CONFIG.push_enabled() || push_id.is_none() {
return Ok(());
}
@@ -206,7 +206,7 @@ pub async fn push_logout(user: &User, acting_device: Option<&Device>, conn: &DbC
}
}
-pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
+pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
if Device::check_user_has_push_device(&user.uuid, conn).await {
tokio::task::spawn(send_to_push_relay(json!({
"userId": user.uuid,
diff --git a/src/auth.rs b/src/auth.rs
index 43184369..06bd9c22 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -54,12 +54,8 @@ static PUBLIC_RSA_KEY: OnceLock = OnceLock::new();
pub async fn initialize_keys() -> Result<(), Error> {
use std::io::Error;
- let rsa_key_filename = std::path::PathBuf::from(CONFIG.private_rsa_key())
- .file_name()
- .ok_or_else(|| Error::other("Private RSA key path missing filename"))?
- .to_str()
- .ok_or_else(|| Error::other("Private RSA key path filename is not valid UTF-8"))?
- .to_string();
+ let rsa_key_filename = crate::storage::file_name(&CONFIG.private_rsa_key())
+ .ok_or_else(|| Error::other("Private RSA key path missing filename"))?;
let operator = CONFIG.opendal_operator_for_path_type(&PathType::RsaKey).map_err(Error::other)?;
diff --git a/src/config.rs b/src/config.rs
index 6ff09467..770fb553 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -14,6 +14,7 @@ use serde::de::{self, Deserialize, Deserializer, MapAccess, Visitor};
use crate::{
error::Error,
+ storage,
util::{
get_active_web_release, get_env, get_env_bool, is_valid_email, parse_experimental_client_feature_flags,
FeatureFlagFilter,
@@ -22,18 +23,14 @@ use crate::{
static CONFIG_FILE: LazyLock = LazyLock::new(|| {
let data_folder = get_env("DATA_FOLDER").unwrap_or_else(|| String::from("data"));
- get_env("CONFIG_FILE").unwrap_or_else(|| format!("{data_folder}/config.json"))
+ get_env("CONFIG_FILE").unwrap_or_else(|| storage::join_path(&data_folder, "config.json"))
});
-static CONFIG_FILE_PARENT_DIR: LazyLock = LazyLock::new(|| {
- let path = std::path::PathBuf::from(&*CONFIG_FILE);
- path.parent().unwrap_or(std::path::Path::new("data")).to_str().unwrap_or("data").to_string()
-});
+static CONFIG_FILE_PARENT_DIR: LazyLock =
+ LazyLock::new(|| storage::parent(&CONFIG_FILE).unwrap_or_else(|| "data".to_string()));
-static CONFIG_FILENAME: LazyLock = LazyLock::new(|| {
- let path = std::path::PathBuf::from(&*CONFIG_FILE);
- path.file_name().unwrap_or(std::ffi::OsStr::new("config.json")).to_str().unwrap_or("config.json").to_string()
-});
+static CONFIG_FILENAME: LazyLock =
+ LazyLock::new(|| storage::file_name(&CONFIG_FILE).unwrap_or_else(|| "config.json".to_string()));
pub static SKIP_CONFIG_VALIDATION: AtomicBool = AtomicBool::new(false);
@@ -263,7 +260,7 @@ macro_rules! make_config {
}
async fn from_file() -> Result {
- let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+ let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
let config_bytes = operator.read(&CONFIG_FILENAME).await?;
println!("[INFO] Using saved config from `{}` for configuration.\n", *CONFIG_FILE);
serde_json::from_slice(&config_bytes.to_vec()).map_err(Into::into)
@@ -507,19 +504,19 @@ make_config! {
/// Data folder |> Main data folder
data_folder: String, false, def, "data".to_string();
/// Database URL
- database_url: String, false, auto, |c| format!("{}/db.sqlite3", c.data_folder);
+ database_url: String, false, auto, |c| format!("sqlite://{}", storage::join_path(&c.data_folder, "db.sqlite3"));
/// Icon cache folder
- icon_cache_folder: String, false, auto, |c| format!("{}/icon_cache", c.data_folder);
+ icon_cache_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "icon_cache");
/// Attachments folder
- attachments_folder: String, false, auto, |c| format!("{}/attachments", c.data_folder);
+ attachments_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "attachments");
/// Sends folder
- sends_folder: String, false, auto, |c| format!("{}/sends", c.data_folder);
+ sends_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "sends");
/// Temp folder |> Used for storing temporary file uploads
- tmp_folder: String, false, auto, |c| format!("{}/tmp", c.data_folder);
+ tmp_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "tmp");
/// Templates folder
- templates_folder: String, false, auto, |c| format!("{}/templates", c.data_folder);
+ templates_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "templates");
/// Session JWT key
- rsa_key_filename: String, false, auto, |c| format!("{}/rsa_key", c.data_folder);
+ rsa_key_filename: String, false, auto, |c| storage::join_path(&c.data_folder, "rsa_key");
/// Web vault folder
web_vault_folder: String, false, def, "web-vault/".to_string();
},
@@ -929,14 +926,17 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> {
{
use crate::db::DbConnType;
let url = &cfg.database_url;
- if DbConnType::from_url(url)? == DbConnType::Sqlite && url.contains('/') {
- let path = std::path::Path::new(&url);
- if let Some(parent) = path.parent() {
- if !parent.is_dir() {
- err!(format!(
- "SQLite database directory `{}` does not exist or is not a directory",
- parent.display()
- ));
+ if DbConnType::from_url(url)? == DbConnType::Sqlite {
+ let file_path = url.strip_prefix("sqlite://").unwrap_or(url);
+ if file_path.contains('/') {
+ let path = std::path::Path::new(file_path);
+ if let Some(parent) = path.parent() {
+ if !parent.is_dir() {
+ err!(format!(
+ "SQLite database directory `{}` does not exist or is not a directory",
+ parent.display()
+ ));
+ }
}
}
}
@@ -1076,7 +1076,7 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> {
validate_internal_sso_issuer_url(&cfg.sso_authority)?;
validate_internal_sso_redirect_url(&cfg.sso_callback_path)?;
- validate_sso_master_password_policy(&cfg.sso_master_password_policy)?;
+ validate_sso_master_password_policy(cfg.sso_master_password_policy.as_ref())?;
}
if cfg._enable_yubico {
@@ -1271,7 +1271,7 @@ fn validate_internal_sso_redirect_url(sso_callback_path: &String) -> Result,
+ sso_master_password_policy: Option<&String>,
) -> Result, Error> {
let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::(mpp));
@@ -1366,90 +1366,6 @@ fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option, smtp_explicit_tls
"starttls".to_string()
}
-fn opendal_operator_for_path(path: &str) -> Result {
- // Cache of previously built operators by path
- static OPERATORS_BY_PATH: LazyLock> =
- LazyLock::new(dashmap::DashMap::new);
-
- if let Some(operator) = OPERATORS_BY_PATH.get(path) {
- return Ok(operator.clone());
- }
-
- let operator = if path.starts_with("s3://") {
- #[cfg(not(s3))]
- return Err(opendal::Error::new(opendal::ErrorKind::ConfigInvalid, "S3 support is not enabled").into());
-
- #[cfg(s3)]
- opendal_s3_operator_for_path(path)?
- } else {
- let builder = opendal::services::Fs::default().root(path);
- opendal::Operator::new(builder)?.finish()
- };
-
- OPERATORS_BY_PATH.insert(path.to_string(), operator.clone());
-
- Ok(operator)
-}
-
-#[cfg(s3)]
-fn opendal_s3_operator_for_path(path: &str) -> Result {
- use crate::http_client::aws::AwsReqwestConnector;
- use aws_config::{default_provider::credentials::DefaultCredentialsChain, provider_config::ProviderConfig};
-
- // This is a custom AWS credential loader that uses the official AWS Rust
- // SDK config crate to load credentials. This ensures maximum compatibility
- // with AWS credential configurations. For example, OpenDAL doesn't support
- // AWS SSO temporary credentials yet.
- struct OpenDALS3CredentialLoader {}
-
- #[async_trait]
- impl reqsign::AwsCredentialLoad for OpenDALS3CredentialLoader {
- async fn load_credential(&self, _client: reqwest::Client) -> anyhow::Result> {
- use aws_credential_types::provider::ProvideCredentials as _;
- use tokio::sync::OnceCell;
-
- static DEFAULT_CREDENTIAL_CHAIN: OnceCell = OnceCell::const_new();
-
- let chain = DEFAULT_CREDENTIAL_CHAIN
- .get_or_init(|| {
- let reqwest_client = reqwest::Client::builder().build().unwrap();
- let connector = AwsReqwestConnector {
- client: reqwest_client,
- };
-
- let conf = ProviderConfig::default().with_http_client(connector);
-
- DefaultCredentialsChain::builder().configure(conf).build()
- })
- .await;
-
- let creds = chain.provide_credentials().await?;
-
- Ok(Some(reqsign::AwsCredential {
- access_key_id: creds.access_key_id().to_string(),
- secret_access_key: creds.secret_access_key().to_string(),
- session_token: creds.session_token().map(|s| s.to_string()),
- expires_in: creds.expiry().map(|expiration| expiration.into()),
- }))
- }
- }
-
- const OPEN_DAL_S3_CREDENTIAL_LOADER: OpenDALS3CredentialLoader = OpenDALS3CredentialLoader {};
-
- let url = Url::parse(path).map_err(|e| format!("Invalid path S3 URL path {path:?}: {e}"))?;
-
- let bucket = url.host_str().ok_or_else(|| format!("Missing Bucket name in data folder S3 URL {path:?}"))?;
-
- let builder = opendal::services::S3::default()
- .customized_credential_load(Box::new(OPEN_DAL_S3_CREDENTIAL_LOADER))
- .enable_virtual_host_style()
- .bucket(bucket)
- .root(url.path())
- .default_storage_class("INTELLIGENT_TIERING");
-
- Ok(opendal::Operator::new(builder)?.finish())
-}
-
pub enum PathType {
Data,
IconCache,
@@ -1547,7 +1463,7 @@ impl Config {
}
//Save to file
- let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+ let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
operator.write(&CONFIG_FILENAME, config_str).await?;
Ok(())
@@ -1612,7 +1528,7 @@ impl Config {
}
pub async fn delete_user_config(&self) -> Result<(), Error> {
- let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+ let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
operator.delete(&CONFIG_FILENAME).await?;
// Empty user config
@@ -1636,7 +1552,7 @@ impl Config {
}
pub fn private_rsa_key(&self) -> String {
- format!("{}.pem", self.rsa_key_filename())
+ storage::with_extension(&self.rsa_key_filename(), "pem")
}
pub fn mail_enabled(&self) -> bool {
let inner = &self.inner.read().unwrap().config;
@@ -1677,15 +1593,11 @@ impl Config {
PathType::IconCache => self.icon_cache_folder(),
PathType::Attachments => self.attachments_folder(),
PathType::Sends => self.sends_folder(),
- PathType::RsaKey => std::path::Path::new(&self.rsa_key_filename())
- .parent()
- .ok_or_else(|| std::io::Error::other("Failed to get directory of RSA key file"))?
- .to_str()
- .ok_or_else(|| std::io::Error::other("Failed to convert RSA key file directory to UTF-8 string"))?
- .to_string(),
+ PathType::RsaKey => storage::parent(&self.private_rsa_key())
+ .ok_or_else(|| std::io::Error::other("Failed to get directory of RSA key file"))?,
};
- opendal_operator_for_path(&path)
+ storage::operator_for_path(&path)
}
pub fn render_template(&self, name: &str, data: &T) -> Result {
@@ -1725,7 +1637,7 @@ impl Config {
}
pub fn sso_master_password_policy_value(&self) -> Option {
- validate_sso_master_password_policy(&self.sso_master_password_policy()).ok().flatten()
+ validate_sso_master_password_policy(self.sso_master_password_policy().as_ref()).ok().flatten()
}
pub fn sso_scopes_vec(&self) -> Vec {
diff --git a/src/crypto.rs b/src/crypto.rs
index 1930f380..46d305a5 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -113,3 +113,10 @@ pub fn ct_eq, U: AsRef<[u8]>>(a: T, b: U) -> bool {
use subtle::ConstantTimeEq;
a.as_ref().ct_eq(b.as_ref()).into()
}
+
+//
+// SHA256
+//
+pub fn sha256_hex(data: &[u8]) -> String {
+ HEXLOWER.encode(digest::digest(&digest::SHA256, data).as_ref())
+}
diff --git a/src/db/mod.rs b/src/db/mod.rs
index d2ed9479..4aafe995 100644
--- a/src/db/mod.rs
+++ b/src/db/mod.rs
@@ -272,13 +272,32 @@ impl DbConnType {
#[cfg(not(postgresql))]
err!("`DATABASE_URL` is a PostgreSQL URL, but the 'postgresql' feature is not enabled")
- //Sqlite
- } else {
+ // Sqlite (explicit)
+ } else if url.len() > 7 && &url[..7] == "sqlite:" {
#[cfg(sqlite)]
return Ok(DbConnType::Sqlite);
#[cfg(not(sqlite))]
- err!("`DATABASE_URL` looks like a SQLite URL, but 'sqlite' feature is not enabled")
+ err!("`DATABASE_URL` is a SQLite URL, but the 'sqlite' feature is not enabled")
+
+ // No recognized scheme — assume legacy bare-path SQLite, but the database file must already exist.
+ // This prevents misconfigured URLs (typos, quoted strings) from silently creating a new empty SQLite database.
+ } else {
+ #[cfg(sqlite)]
+ {
+ if std::path::Path::new(url).exists() {
+ return Ok(DbConnType::Sqlite);
+ }
+ err!(format!(
+ "`DATABASE_URL` does not match any known database scheme (mysql://, postgresql://, sqlite://) \
+ and no existing SQLite database was found at '{url}'. \
+ If you intend to use SQLite, use an explicit `sqlite://` scheme in your `DATABASE_URL`. \
+ Otherwise, check your DATABASE_URL for typos or quoting issues."
+ ))
+ }
+
+ #[cfg(not(sqlite))]
+ err!("`DATABASE_URL` does not match any known database scheme (mysql://, postgresql://, sqlite://)")
}
}
@@ -390,11 +409,12 @@ pub fn backup_sqlite() -> Result {
let db_url = CONFIG.database_url();
if DbConnType::from_url(&CONFIG.database_url()).map(|t| t == DbConnType::Sqlite).unwrap_or(false) {
- // Since we do not allow any schema for sqlite database_url's like `file:` or `sqlite:` to be set, we can assume here it isn't
- // This way we can set a readonly flag on the opening mode without issues.
- let mut conn = diesel::sqlite::SqliteConnection::establish(&format!("sqlite://{db_url}?mode=ro"))?;
+ // Strip the sqlite:// prefix if present to get the raw file path
+ let file_path = db_url.strip_prefix("sqlite://").unwrap_or(&db_url);
+ // Open a read-only connection for the backup
+ let mut conn = diesel::sqlite::SqliteConnection::establish(&format!("sqlite://{file_path}?mode=ro"))?;
- let db_path = std::path::Path::new(&db_url).parent().unwrap();
+ let db_path = std::path::Path::new(file_path).parent().unwrap();
let backup_file = db_path
.join(format!("db_{}.sqlite3", chrono::Utc::now().format("%Y%m%d_%H%M%S")))
.to_string_lossy()
diff --git a/src/db/models/archive.rs b/src/db/models/archive.rs
new file mode 100644
index 00000000..f576e7ed
--- /dev/null
+++ b/src/db/models/archive.rs
@@ -0,0 +1,91 @@
+use chrono::NaiveDateTime;
+use diesel::prelude::*;
+
+use super::{CipherId, User, UserId};
+use crate::api::EmptyResult;
+use crate::db::schema::archives;
+use crate::db::DbConn;
+use crate::error::MapResult;
+
+#[derive(Identifiable, Queryable, Insertable)]
+#[diesel(table_name = archives)]
+#[diesel(primary_key(user_uuid, cipher_uuid))]
+pub struct Archive {
+ pub user_uuid: UserId,
+ pub cipher_uuid: CipherId,
+ pub archived_at: NaiveDateTime,
+}
+
+impl Archive {
+ // Returns the date the specified cipher was archived
+ pub async fn get_archived_at(cipher_uuid: &CipherId, user_uuid: &UserId, conn: &DbConn) -> Option {
+ db_run! { conn: {
+ archives::table
+ .filter(archives::cipher_uuid.eq(cipher_uuid))
+ .filter(archives::user_uuid.eq(user_uuid))
+ .select(archives::archived_at)
+ .first::(conn).ok()
+ }}
+ }
+
+ // Saves (inserts or updates) an archive record with the provided timestamp
+ pub async fn save(
+ user_uuid: &UserId,
+ cipher_uuid: &CipherId,
+ archived_at: NaiveDateTime,
+ conn: &DbConn,
+ ) -> EmptyResult {
+ User::update_uuid_revision(user_uuid, conn).await;
+ db_run! { conn:
+ sqlite, mysql {
+ diesel::replace_into(archives::table)
+ .values((
+ archives::user_uuid.eq(user_uuid),
+ archives::cipher_uuid.eq(cipher_uuid),
+ archives::archived_at.eq(archived_at),
+ ))
+ .execute(conn)
+ .map_res("Error saving archive")
+ }
+ postgresql {
+ diesel::insert_into(archives::table)
+ .values((
+ archives::user_uuid.eq(user_uuid),
+ archives::cipher_uuid.eq(cipher_uuid),
+ archives::archived_at.eq(archived_at),
+ ))
+ .on_conflict((archives::user_uuid, archives::cipher_uuid))
+ .do_update()
+ .set(archives::archived_at.eq(archived_at))
+ .execute(conn)
+ .map_res("Error saving archive")
+ }
+ }
+ }
+
+ // Deletes an archive record for a specific cipher
+ pub async fn delete_by_cipher(user_uuid: &UserId, cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
+ User::update_uuid_revision(user_uuid, conn).await;
+ db_run! { conn: {
+ diesel::delete(
+ archives::table
+ .filter(archives::user_uuid.eq(user_uuid))
+ .filter(archives::cipher_uuid.eq(cipher_uuid))
+ )
+ .execute(conn)
+ .map_res("Error deleting archive")
+ }}
+ }
+
+ /// Return a vec with (cipher_uuid, archived_at)
+ /// This is used during a full sync so we only need one query for all archive matches
+ pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<(CipherId, NaiveDateTime)> {
+ db_run! { conn: {
+ archives::table
+ .filter(archives::user_uuid.eq(user_uuid))
+ .select((archives::cipher_uuid, archives::archived_at))
+ .load::<(CipherId, NaiveDateTime)>(conn)
+ .unwrap_or_default()
+ }}
+ }
+}
diff --git a/src/db/models/attachment.rs b/src/db/models/attachment.rs
index 4273c22a..dad081bd 100644
--- a/src/db/models/attachment.rs
+++ b/src/db/models/attachment.rs
@@ -46,11 +46,11 @@ impl Attachment {
pub async fn get_url(&self, host: &str) -> Result {
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;
- if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
+ if crate::storage::is_fs_operator(&operator) {
let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
} else {
- Ok(operator.presign_read(&self.get_file_path(), Duration::from_secs(5 * 60)).await?.uri().to_string())
+ Ok(operator.presign_read(&self.get_file_path(), Duration::from_mins(5)).await?.uri().to_string())
}
}
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index edc5f8c9..db906179 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -10,8 +10,8 @@ use diesel::prelude::*;
use serde_json::Value;
use super::{
- Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership, MembershipStatus,
- MembershipType, OrganizationId, User, UserId,
+ Archive, Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership,
+ MembershipStatus, MembershipType, OrganizationId, User, UserId,
};
use crate::api::core::{CipherData, CipherSyncData, CipherSyncType};
use macros::UuidFromParam;
@@ -380,6 +380,11 @@ impl Cipher {
} else {
self.is_favorite(user_uuid, conn).await
});
+ json_object["archivedDate"] = json!(if let Some(cipher_sync_data) = cipher_sync_data {
+ cipher_sync_data.cipher_archives.get(&self.uuid).map_or(Value::Null, |d| Value::String(format_date(d)))
+ } else {
+ self.get_archived_at(user_uuid, conn).await.map_or(Value::Null, |d| Value::String(format_date(&d)))
+ });
// These values are true by default, but can be false if the
// cipher belongs to a collection or group where the org owner has enabled
// the "Read Only" or "Hide Passwords" restrictions for the user.
@@ -398,7 +403,7 @@ impl Cipher {
3 => "card",
4 => "identity",
5 => "sshKey",
- _ => panic!("Wrong type"),
+ _ => err!(format!("Cipher {} has an invalid type {}", self.uuid, self.atype)),
};
json_object[key] = type_data_json;
@@ -742,6 +747,18 @@ impl Cipher {
}
}
+ pub async fn get_archived_at(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
+ Archive::get_archived_at(&self.uuid, user_uuid, conn).await
+ }
+
+ pub async fn set_archived_at(&self, archived_at: NaiveDateTime, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
+ Archive::save(user_uuid, &self.uuid, archived_at, conn).await
+ }
+
+ pub async fn unarchive(&self, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
+ Archive::delete_by_cipher(user_uuid, &self.uuid, conn).await
+ }
+
pub async fn get_folder_uuid(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
db_run! { conn: {
folders_ciphers::table
diff --git a/src/db/models/device.rs b/src/db/models/device.rs
index 1026574c..7364a2ec 100644
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -25,7 +25,7 @@ pub struct Device {
pub user_uuid: UserId,
pub name: String,
- pub atype: i32, // https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/Enums/DeviceType.cs
+ pub atype: i32, // https://github.com/bitwarden/server/blob/8d547dcc280babab70dd4a3c94ced6a34b12dfbf/src/Core/Enums/DeviceType.cs
pub push_uuid: Option,
pub push_token: Option,
@@ -332,6 +332,8 @@ pub enum DeviceType {
MacOsCLI = 24,
#[display("Linux CLI")]
LinuxCLI = 25,
+ #[display("DuckDuckGo")]
+ DuckDuckGoBrowser = 26,
}
impl DeviceType {
@@ -363,6 +365,7 @@ impl DeviceType {
23 => DeviceType::WindowsCLI,
24 => DeviceType::MacOsCLI,
25 => DeviceType::LinuxCLI,
+ 26 => DeviceType::DuckDuckGoBrowser,
_ => DeviceType::UnknownBrowser,
}
}
diff --git a/src/db/models/emergency_access.rs b/src/db/models/emergency_access.rs
index cf7f5385..5ea334a4 100644
--- a/src/db/models/emergency_access.rs
+++ b/src/db/models/emergency_access.rs
@@ -85,7 +85,8 @@ impl EmergencyAccess {
pub async fn to_json_grantee_details(&self, conn: &DbConn) -> Option {
let grantee_user = if let Some(grantee_uuid) = &self.grantee_uuid {
User::find_by_uuid(grantee_uuid, conn).await.expect("Grantee user not found.")
- } else if let Some(email) = self.email.as_deref() {
+ } else {
+ let email = self.email.as_deref()?;
match User::find_by_mail(email, conn).await {
Some(user) => user,
None => {
@@ -94,8 +95,6 @@ impl EmergencyAccess {
return None;
}
}
- } else {
- return None;
};
Some(json!({
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index b4fcf658..7cc81852 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -1,3 +1,4 @@
+mod archive;
mod attachment;
mod auth_request;
mod cipher;
@@ -17,6 +18,7 @@ mod two_factor_duo_context;
mod two_factor_incomplete;
mod user;
+pub use self::archive::Archive;
pub use self::attachment::{Attachment, AttachmentId};
pub use self::auth_request::{AuthRequest, AuthRequestId};
pub use self::cipher::{Cipher, CipherId, RepromptType};
@@ -36,7 +38,7 @@ pub use self::send::{
id::{SendFileId, SendId},
Send, SendType,
};
-pub use self::sso_auth::{OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth};
+pub use self::sso_auth::{OIDCAuthenticatedUser, OIDCCodeResponseError, SsoAuth};
pub use self::two_factor::{TwoFactor, TwoFactorType};
pub use self::two_factor_duo_context::TwoFactorDuoContext;
pub use self::two_factor_incomplete::TwoFactorIncomplete;
diff --git a/src/db/models/send.rs b/src/db/models/send.rs
index 84802c54..5b6611fa 100644
--- a/src/db/models/send.rs
+++ b/src/db/models/send.rs
@@ -237,7 +237,7 @@ impl Send {
if self.atype == SendType::File as i32 {
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;
- operator.remove_all(&self.uuid).await.ok();
+ operator.delete_with(&self.uuid).recursive(true).await.ok();
}
db_run! { conn: {
diff --git a/src/db/models/sso_auth.rs b/src/db/models/sso_auth.rs
index fec0433a..3ecaf9f7 100644
--- a/src/db/models/sso_auth.rs
+++ b/src/db/models/sso_auth.rs
@@ -15,17 +15,12 @@ use diesel::sql_types::Text;
#[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
#[diesel(sql_type = Text)]
-pub enum OIDCCodeWrapper {
- Ok {
- code: OIDCCode,
- },
- Error {
- error: String,
- error_description: Option,
- },
+pub struct OIDCCodeResponseError {
+ pub error: String,
+ pub error_description: Option,
}
-impl_FromToSqlText!(OIDCCodeWrapper);
+impl_FromToSqlText!(OIDCCodeResponseError);
#[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
#[diesel(sql_type = Text)]
@@ -50,15 +45,23 @@ pub struct SsoAuth {
pub client_challenge: OIDCCodeChallenge,
pub nonce: String,
pub redirect_uri: String,
- pub code_response: Option,
+ pub code_response: Option,
+ pub code_response_error: Option,
pub auth_response: Option,
pub created_at: NaiveDateTime,
pub updated_at: NaiveDateTime,
+ pub binding_hash: Option,
}
/// Local methods
impl SsoAuth {
- pub fn new(state: OIDCState, client_challenge: OIDCCodeChallenge, nonce: String, redirect_uri: String) -> Self {
+ pub fn new(
+ state: OIDCState,
+ client_challenge: OIDCCodeChallenge,
+ nonce: String,
+ redirect_uri: String,
+ binding_hash: Option,
+ ) -> Self {
let now = Utc::now().naive_utc();
SsoAuth {
@@ -69,7 +72,9 @@ impl SsoAuth {
created_at: now,
updated_at: now,
code_response: None,
+ code_response_error: None,
auth_response: None,
+ binding_hash,
}
}
}
@@ -110,6 +115,17 @@ impl SsoAuth {
}}
}
+ pub async fn find_by_code(code: &OIDCCode, conn: &DbConn) -> Option {
+ let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
+ db_run! { conn: {
+ sso_auth::table
+ .filter(sso_auth::code_response.eq(code))
+ .filter(sso_auth::created_at.ge(oldest))
+ .first::(conn)
+ .ok()
+ }}
+ }
+
pub async fn delete(self, conn: &DbConn) -> EmptyResult {
db_run! {conn: {
diesel::delete(sso_auth::table.filter(sso_auth::state.eq(self.state)))
diff --git a/src/db/schema.rs b/src/db/schema.rs
index 914b4fe9..af342186 100644
--- a/src/db/schema.rs
+++ b/src/db/schema.rs
@@ -262,9 +262,11 @@ table! {
nonce -> Text,
redirect_uri -> Text,
code_response -> Nullable,
+ code_response_error -> Nullable,
auth_response -> Nullable,
created_at -> Timestamp,
updated_at -> Timestamp,
+ binding_hash -> Nullable,
}
}
@@ -341,6 +343,16 @@ table! {
}
}
+table! {
+ archives (user_uuid, cipher_uuid) {
+ user_uuid -> Text,
+ cipher_uuid -> Text,
+ archived_at -> Timestamp,
+ }
+}
+
+joinable!(archives -> users (user_uuid));
+joinable!(archives -> ciphers (cipher_uuid));
joinable!(attachments -> ciphers (cipher_uuid));
joinable!(ciphers -> organizations (organization_uuid));
joinable!(ciphers -> users (user_uuid));
@@ -372,6 +384,7 @@ joinable!(auth_requests -> users (user_uuid));
joinable!(sso_users -> users (user_uuid));
allow_tables_to_appear_in_same_query!(
+ archives,
attachments,
ciphers,
ciphers_collections,
diff --git a/src/http_client.rs b/src/http_client.rs
index 5462ef8e..d39b884d 100644
--- a/src/http_client.rs
+++ b/src/http_client.rs
@@ -1,12 +1,11 @@
use std::{
fmt,
net::{IpAddr, SocketAddr},
- str::FromStr,
sync::{Arc, LazyLock, Mutex},
time::Duration,
};
-use hickory_resolver::{name_server::TokioConnectionProvider, TokioResolver};
+use hickory_resolver::{net::runtime::TokioRuntimeProvider, TokioResolver};
use regex::Regex;
use reqwest::{
dns::{Name, Resolve, Resolving},
@@ -59,16 +58,6 @@ pub fn get_reqwest_client_builder() -> ClientBuilder {
.timeout(Duration::from_secs(10))
}
-pub fn should_block_address(domain_or_ip: &str) -> bool {
- if let Ok(ip) = IpAddr::from_str(domain_or_ip) {
- if should_block_ip(ip) {
- return true;
- }
- }
-
- should_block_address_regex(domain_or_ip)
-}
-
fn should_block_ip(ip: IpAddr) -> bool {
if !CONFIG.http_request_block_non_global_ips() {
return false;
@@ -100,11 +89,54 @@ fn should_block_address_regex(domain_or_ip: &str) -> bool {
is_match
}
-fn should_block_host(host: &Host<&str>) -> Result<(), CustomHttpClientError> {
+pub fn get_valid_host(host: &str) -> Result {
+ let Ok(host) = Host::parse(host) else {
+ return Err(CustomHttpClientError::Invalid {
+ domain: host.to_string(),
+ });
+ };
+
+ // Some extra checks to validate hosts
+ match host {
+ Host::Domain(ref domain) => {
+ // Host::parse() does not verify length or all possible invalid characters
+ // We do some extra checks here to prevent issues
+ if domain.len() > 253 {
+ debug!("Domain validation error: '{domain}' exceeds 253 characters");
+ return Err(CustomHttpClientError::Invalid {
+ domain: host.to_string(),
+ });
+ }
+ if !domain.split('.').all(|label| {
+ !label.is_empty()
+ // Labels can't be longer than 63 chars
+ && label.len() <= 63
+ // Labels are not allowed to start or end with a hyphen `-`
+ && !label.starts_with('-')
+ && !label.ends_with('-')
+ // Only ASCII Alphanumeric characters are allowed
+ // We already received a punycoded domain back, so no unicode should exists here
+ && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
+ }) {
+ debug!(
+ "Domain validation error: '{domain}' labels contain invalid characters or exceed the maximum length"
+ );
+ return Err(CustomHttpClientError::Invalid {
+ domain: host.to_string(),
+ });
+ }
+ }
+ Host::Ipv4(_) | Host::Ipv6(_) => {}
+ }
+
+ Ok(host)
+}
+
+pub fn should_block_host>(host: &Host) -> Result<(), CustomHttpClientError> {
let (ip, host_str): (Option, String) = match host {
Host::Ipv4(ip) => (Some(IpAddr::V4(*ip)), ip.to_string()),
Host::Ipv6(ip) => (Some(IpAddr::V6(*ip)), ip.to_string()),
- Host::Domain(d) => (None, (*d).to_string()),
+ Host::Domain(d) => (None, d.as_ref().to_string()),
};
if let Some(ip) = ip {
@@ -134,6 +166,9 @@ pub enum CustomHttpClientError {
domain: Option,
ip: IpAddr,
},
+ Invalid {
+ domain: String,
+ },
}
impl CustomHttpClientError {
@@ -155,7 +190,7 @@ impl fmt::Display for CustomHttpClientError {
match self {
Self::Blocked {
domain,
- } => write!(f, "Blocked domain: {domain} matched HTTP_REQUEST_BLOCK_REGEX"),
+ } => write!(f, "Blocked domain: '{domain}' matched HTTP_REQUEST_BLOCK_REGEX"),
Self::NonGlobalIp {
domain: Some(domain),
ip,
@@ -163,7 +198,10 @@ impl fmt::Display for CustomHttpClientError {
Self::NonGlobalIp {
domain: None,
ip,
- } => write!(f, "IP {ip} is not a global IP!"),
+ } => write!(f, "IP '{ip}' is not a global IP!"),
+ Self::Invalid {
+ domain,
+ } => write!(f, "Invalid host: '{domain}' contains invalid characters or exceeds the maximum length"),
}
}
}
@@ -184,40 +222,46 @@ impl CustomDnsResolver {
}
fn new() -> Arc {
- match TokioResolver::builder(TokioConnectionProvider::default()) {
- Ok(mut builder) => {
- if CONFIG.dns_prefer_ipv6() {
- builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv6thenIpv4;
+ TokioResolver::builder(TokioRuntimeProvider::default())
+ .and_then(|mut builder| {
+ // Hickory's default since v0.26 is `Ipv6AndIpv4`, which sorts IPv6 first
+ // This might cause issues on IPv4 only systems or containers
+ // Unless someone enabled DNS_PREFER_IPV6, use Ipv4AndIpv6, which returns IPv4 first which was our previous default
+ if !CONFIG.dns_prefer_ipv6() {
+ builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv4AndIpv6;
}
- let resolver = builder.build();
- Arc::new(Self::Hickory(Arc::new(resolver)))
- }
- Err(e) => {
- warn!("Error creating Hickory resolver, falling back to default: {e:?}");
- Arc::new(Self::Default())
- }
- }
+ builder.build()
+ })
+ .inspect_err(|e| warn!("Error creating Hickory resolver, falling back to default: {e:?}"))
+ .map(|resolver| Arc::new(Self::Hickory(Arc::new(resolver))))
+ .unwrap_or_else(|_| Arc::new(Self::Default()))
}
// Note that we get an iterator of addresses, but we only grab the first one for convenience
- async fn resolve_domain(&self, name: &str) -> Result, BoxError> {
+ async fn resolve_domain(&self, name: &str) -> Result, BoxError> {
pre_resolve(name)?;
- let result = match self {
- Self::Default() => tokio::net::lookup_host(name).await?.next(),
- Self::Hickory(r) => r.lookup_ip(name).await?.iter().next().map(|a| SocketAddr::new(a, 0)),
+ let results: Vec = match self {
+ Self::Default() => tokio::net::lookup_host((name, 0)).await?.collect(),
+ Self::Hickory(r) => r.lookup_ip(name).await?.iter().map(|i| SocketAddr::new(i, 0)).collect(),
};
- if let Some(addr) = &result {
+ for addr in &results {
post_resolve(name, addr.ip())?;
}
- Ok(result)
+ Ok(results)
}
}
fn pre_resolve(name: &str) -> Result<(), CustomHttpClientError> {
- if should_block_address(name) {
+ let Ok(host) = get_valid_host(name) else {
+ return Err(CustomHttpClientError::Invalid {
+ domain: name.to_string(),
+ });
+ };
+
+ if should_block_host(&host).is_err() {
return Err(CustomHttpClientError::Blocked {
domain: name.to_string(),
});
@@ -242,8 +286,11 @@ impl Resolve for CustomDnsResolver {
let this = self.clone();
Box::pin(async move {
let name = name.as_str();
- let result = this.resolve_domain(name).await?;
- Ok::(Box::new(result.into_iter()))
+ let results = this.resolve_domain(name).await?;
+ if results.is_empty() {
+ warn!("Unable to resolve {name} to any valid IP address");
+ }
+ Ok::(Box::new(results.into_iter()))
})
}
}
@@ -305,3 +352,209 @@ pub(crate) mod aws {
}
}
}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use crate::util::is_global_hardcoded;
+ use std::net::Ipv4Addr;
+ use url::Host;
+
+ // ===
+ // IPv4 numeric-format normalization
+ fn parse_to_ip(s: &str) -> Option {
+ match Host::parse(s).ok()? {
+ Host::Ipv4(v4) => Some(IpAddr::V4(v4)),
+ Host::Ipv6(v6) => Some(IpAddr::V6(v6)),
+ Host::Domain(_) => None,
+ }
+ }
+
+ #[test]
+ fn dotted_decimal_loopback_normalizes() {
+ let ip = parse_to_ip("127.0.0.1").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn single_decimal_loopback_normalizes() {
+ // 127.0.0.1 == 2130706433
+ let ip = parse_to_ip("2130706433").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn hex_loopback_normalizes() {
+ let ip = parse_to_ip("0x7f000001").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn dotted_hex_loopback_normalizes() {
+ let ip = parse_to_ip("0x7f.0.0.1").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn octal_loopback_normalizes() {
+ // 017700000001 == 127.0.0.1
+ let ip = parse_to_ip("017700000001").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn dotted_octal_loopback_normalizes() {
+ let ip = parse_to_ip("0177.0.0.01").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn aws_metadata_decimal_blocked() {
+ // 169.254.169.254 == 2852039166 (link-local, AWS IMDS)
+ let ip = parse_to_ip("2852039166").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(169, 254, 169, 254)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn rfc1918_hex_blocked() {
+ // 10.0.0.1
+ let ip = parse_to_ip("0x0a000001").unwrap();
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn public_ip_decimal_allowed() {
+ // 8.8.8.8 == 134744072
+ let ip = parse_to_ip("134744072").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(8, 8, 8, 8)));
+ assert!(is_global_hardcoded(ip));
+ }
+
+ // ===
+ // get_valid_host integration: numeric forms become Host::Ipv4
+ #[test]
+ fn get_valid_host_normalizes_decimal_int() {
+ let h = get_valid_host("2130706433").expect("valid");
+ assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+ }
+
+ #[test]
+ fn get_valid_host_normalizes_hex() {
+ let h = get_valid_host("0x7f000001").expect("valid");
+ assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+ }
+
+ #[test]
+ fn get_valid_host_normalizes_octal() {
+ let h = get_valid_host("017700000001").expect("valid");
+ assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+ }
+
+ // ===
+ // IPv6 formats
+ #[test]
+ fn ipv6_loopback_blocked() {
+ let h = get_valid_host("[::1]").expect("valid");
+ let Host::Ipv6(ip) = h else {
+ panic!("expected v6")
+ };
+ assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+ }
+
+ #[test]
+ fn ipv4_mapped_in_ipv6_loopback_blocked() {
+ // ::ffff:127.0.0.1 — v4-mapped form; is_global_hardcoded blocks via ::ffff:0:0/96
+ let h = get_valid_host("[::ffff:127.0.0.1]").expect("valid");
+ let Host::Ipv6(ip) = h else {
+ panic!("expected v6")
+ };
+ assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+ }
+
+ #[test]
+ fn ipv6_unique_local_blocked() {
+ let h = get_valid_host("[fc00::1]").expect("valid");
+ let Host::Ipv6(ip) = h else {
+ panic!("expected v6")
+ };
+ assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+ }
+
+ // ===
+ // Punycode / IDN
+ #[test]
+ fn punycode_passthrough() {
+ let h = get_valid_host("xn--deadbeafcaf-lbb.test").expect("valid");
+ match h {
+ Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_unicode_gets_punycoded() {
+ let h = get_valid_host("deadbeafcafé.test").expect("valid");
+ match h {
+ Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_unicode_gets_punycoded_tld() {
+ let h = get_valid_host("deadbeaf.café").expect("valid");
+ match h {
+ Host::Domain(d) => assert_eq!(d, "deadbeaf.xn--caf-dma"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_emoji_gets_punycoded() {
+ let h = get_valid_host("xn--t88h.test").expect("valid"); // 🛡️.test
+ match h {
+ Host::Domain(d) => assert_eq!(d, "xn--t88h.test"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_unicode_to_punycode_roundtrip() {
+ let from_unicode = get_valid_host("🛡️.test").expect("valid");
+ let from_puny = get_valid_host("xn--t88h.test").expect("valid");
+ match (from_unicode, from_puny) {
+ (Host::Domain(a), Host::Domain(b)) => assert_eq!(a, b),
+ _ => panic!("expected domains"),
+ }
+ }
+
+ #[test]
+ fn invalid_punycode_rejected() {
+ // bare invalid punycode
+ assert!(get_valid_host("xn--").is_err());
+ }
+
+ #[test]
+ fn underscore_in_label_rejected() {
+ assert!(get_valid_host("dead_beaf.cafe").is_err());
+ }
+
+ #[test]
+ fn label_too_long_rejected() {
+ let label = "a".repeat(64);
+ assert!(get_valid_host(&format!("{label}.test")).is_err());
+ }
+
+ #[test]
+ fn domain_too_long_rejected() {
+ let big = "a.".repeat(130) + "test"; // > 253
+ assert!(get_valid_host(&big).is_err());
+ }
+}
diff --git a/src/main.rs b/src/main.rs
index 60c5a593..4ffeacc1 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -57,6 +57,7 @@ mod mail;
mod ratelimit;
mod sso;
mod sso_client;
+mod storage;
mod util;
use crate::api::core::two_factor::duo_oidc::purge_duo_contexts;
@@ -70,6 +71,7 @@ pub use util::is_running_in_container;
#[rocket::main]
async fn main() -> Result<(), Error> {
+ install_rustls_crypto_provider();
parse_args();
launch_info();
@@ -202,6 +204,14 @@ fn parse_args() {
}
}
+fn install_rustls_crypto_provider() {
+ if rustls::crypto::CryptoProvider::get_default().is_none() {
+ rustls::crypto::ring::default_provider()
+ .install_default()
+ .expect("failed to install rustls ring crypto provider");
+ }
+}
+
fn launch_info() {
println!(
"\
diff --git a/src/sso.rs b/src/sso.rs
index ee6d707a..56e9a534 100644
--- a/src/sso.rs
+++ b/src/sso.rs
@@ -10,14 +10,14 @@ use crate::{
auth,
auth::{AuthMethod, AuthTokens, TokenWrapper, BW_EXPIRATION, DEFAULT_REFRESH_VALIDITY},
db::{
- models::{Device, OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth, SsoUser, User},
+ models::{Device, OIDCAuthenticatedUser, SsoAuth, SsoUser, User},
DbConn,
},
sso_client::Client,
CONFIG,
};
-pub static FAKE_IDENTIFIER: &str = "VW_DUMMY_IDENTIFIER_FOR_OIDC";
+pub static FAKE_SSO_IDENTIFIER: &str = "00000000-01DC-01DC-01DC-000000000000";
static SSO_JWT_ISSUER: LazyLock = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));
@@ -188,6 +188,7 @@ pub async fn authorize_url(
client_challenge: OIDCCodeChallenge,
client_id: &str,
raw_redirect_uri: &str,
+ binding_hash: Option,
conn: DbConn,
) -> ApiResult {
let redirect_uri = match client_id {
@@ -203,7 +204,7 @@ pub async fn authorize_url(
_ => err!(format!("Unsupported client {client_id}")),
};
- let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri).await?;
+ let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri, binding_hash).await?;
sso_auth.save(&conn).await?;
Ok(auth_url)
}
@@ -239,14 +240,14 @@ impl OIDCIdentifier {
// - second time we will rely on `SsoAuth.auth_response` since the `code` has already been exchanged.
// The `SsoAuth` will ensure that the user is authorized only once.
pub async fn exchange_code(
- state: &OIDCState,
+ code: &OIDCCode,
client_verifier: OIDCCodeVerifier,
conn: &DbConn,
) -> ApiResult<(SsoAuth, OIDCAuthenticatedUser)> {
use openidconnect::OAuth2TokenResponse;
- let mut sso_auth = match SsoAuth::find(state, conn).await {
- None => err!(format!("Invalid state cannot retrieve sso auth")),
+ let mut sso_auth = match SsoAuth::find_by_code(code, conn).await {
+ None => err!(format!("Invalid code cannot retrieve sso auth")),
Some(sso_auth) => sso_auth,
};
@@ -254,18 +255,18 @@ pub async fn exchange_code(
return Ok((sso_auth, authenticated_user));
}
- let code = match sso_auth.code_response.clone() {
- Some(OIDCCodeWrapper::Ok {
- code,
- }) => code.clone(),
- Some(OIDCCodeWrapper::Error {
- error,
- error_description,
- }) => {
+ let code = match (sso_auth.code_response.clone(), sso_auth.code_response_error.as_ref()) {
+ (Some(code), None) => code,
+ (_, Some(re)) => {
+ let error_msg = format!(
+ "SSO authorization failed: {}, {}",
+ re.error,
+ re.error_description.as_ref().unwrap_or(&String::new())
+ );
sso_auth.delete(conn).await?;
- err!(format!("SSO authorization failed: {error}, {}", error_description.as_ref().unwrap_or(&String::new())))
+ err!(error_msg);
}
- None => {
+ (None, _) => {
sso_auth.delete(conn).await?;
err!("Missing authorization provider return");
}
@@ -283,7 +284,7 @@ pub async fn exchange_code(
let email_verified = id_claims.email_verified().or(user_info.email_verified());
- let user_name = id_claims.preferred_username().map(|un| un.to_string());
+ let user_name = id_claims.preferred_username().or(user_info.preferred_username()).map(|un| un.to_string());
let refresh_token = token_response.refresh_token().map(|t| t.secret());
if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_string()) {
diff --git a/src/sso_client.rs b/src/sso_client.rs
index 6204ab48..68e171c6 100644
--- a/src/sso_client.rs
+++ b/src/sso_client.rs
@@ -1,12 +1,13 @@
-use std::{borrow::Cow, sync::LazyLock, time::Duration};
+use std::{borrow::Cow, future::Future, pin::Pin, sync::LazyLock, time::Duration};
-use openidconnect::{core::*, reqwest, *};
+use openidconnect::{core::*, *};
use regex::Regex;
use url::Url;
use crate::{
api::{ApiResult, EmptyResult},
db::models::SsoAuth,
+ http_client::get_reqwest_client_builder,
sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
CONFIG,
};
@@ -46,10 +47,42 @@ pub type RefreshTokenResponse = (Option, String, Option);
#[derive(Clone)]
pub struct Client {
- pub http_client: reqwest::Client,
+ pub http_client: OidcHttpClient,
pub core_client: CustomClient,
}
+#[derive(Clone)]
+pub struct OidcHttpClient {
+ client: reqwest::Client,
+}
+
+impl OidcHttpClient {
+ fn new() -> Result {
+ get_reqwest_client_builder().redirect(reqwest::redirect::Policy::none()).build().map(|client| Self {
+ client,
+ })
+ }
+}
+
+impl<'c> AsyncHttpClient<'c> for OidcHttpClient {
+ type Error = HttpClientError;
+ type Future = Pin> + Send + Sync + 'c>>;
+
+ fn call(&'c self, request: HttpRequest) -> Self::Future {
+ Box::pin(async move {
+ let response = self.client.execute(request.try_into().map_err(Box::new)?).await.map_err(Box::new)?;
+
+ let mut builder = http::Response::builder().status(response.status()).version(response.version());
+
+ for (name, value) in response.headers() {
+ builder = builder.header(name, value);
+ }
+
+ builder.body(response.bytes().await.map_err(Box::new)?.to_vec()).map_err(HttpClientError::Http)
+ })
+ }
+}
+
impl Client {
// Call the OpenId discovery endpoint to retrieve configuration
async fn _get_client() -> ApiResult {
@@ -58,7 +91,7 @@ impl Client {
let issuer_url = CONFIG.sso_issuer_url()?;
- let http_client = match reqwest::ClientBuilder::new().redirect(reqwest::redirect::Policy::none()).build() {
+ let http_client = match OidcHttpClient::new() {
Err(err) => err!(format!("Failed to build http client: {err}")),
Ok(client) => client,
};
@@ -117,6 +150,7 @@ impl Client {
state: OIDCState,
client_challenge: OIDCCodeChallenge,
redirect_uri: String,
+ binding_hash: Option,
) -> ApiResult<(Url, SsoAuth)> {
let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());
@@ -139,7 +173,7 @@ impl Client {
}
let (auth_url, _, nonce) = auth_req.url();
- Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri)))
+ Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri, binding_hash)))
}
pub async fn exchange_code(
diff --git a/src/static/scripts/admin.css b/src/static/scripts/admin.css
index 0df56771..c7c6f443 100644
--- a/src/static/scripts/admin.css
+++ b/src/static/scripts/admin.css
@@ -1,6 +1,17 @@
body {
padding-top: 75px;
}
+/* Some extra width's for the main layout */
+@media (min-width: 1600px) {
+ .container-xxl {
+ max-width: 1520px;
+ }
+}
+@media (min-width: 1800px) {
+ .container-xxl {
+ max-width: 1720px;
+ }
+}
img {
width: 48px;
height: 48px;
@@ -38,8 +49,8 @@ img {
max-width: 130px;
}
#users-table .vw-actions, #orgs-table .vw-actions {
- min-width: 155px;
- max-width: 160px;
+ min-width: 170px;
+ max-width: 180px;
}
#users-table .vw-org-cell {
max-height: 120px;
diff --git a/src/static/templates/admin/base.hbs b/src/static/templates/admin/base.hbs
index f56d8262..e1dcacb5 100644
--- a/src/static/templates/admin/base.hbs
+++ b/src/static/templates/admin/base.hbs
@@ -27,7 +27,7 @@