&", rank = 1)]
-async fn oidcsignin(code: OIDCCode, state: String, cookies: &CookieJar<'_>, mut conn: DbConn) -> ApiResult {
+async fn oidcsignin(code: OIDCCode, state: String, mut conn: DbConn) -> ApiResult {
_oidcsignin_redirect(
state,
OIDCCodeWrapper::Ok {
code,
},
- cookies,
&mut conn,
)
.await
@@ -1183,7 +1146,6 @@ async fn oidcsignin_error(
state: String,
error: String,
error_description: Option,
- cookies: &CookieJar<'_>,
mut conn: DbConn,
) -> ApiResult {
_oidcsignin_redirect(
@@ -1192,7 +1154,6 @@ async fn oidcsignin_error(
error,
error_description,
},
- cookies,
&mut conn,
)
.await
@@ -1204,7 +1165,6 @@ async fn oidcsignin_error(
async fn _oidcsignin_redirect(
base64_state: String,
code_response: OIDCCodeWrapper,
- cookies: &CookieJar<'_>,
conn: &mut DbConn,
) -> ApiResult {
let state = sso::decode_state(&base64_state)?;
@@ -1213,18 +1173,6 @@ async fn _oidcsignin_redirect(
None => err!(format!("Cannot retrieve sso_auth for {state}")),
Some(sso_auth) => sso_auth,
};
-
- // Browser-binding check
- // The cookie was set on /connect/authorize and must come from the same browser that initiated the flow.
- let cookie_value = cookies.get(SSO_BINDING_COOKIE).map(|c| c.value().to_string());
- let provided_hash = cookie_value.as_deref().map(|v| crypto::sha256_hex(v.as_bytes()));
- match (sso_auth.binding_hash.as_deref(), provided_hash.as_deref()) {
- (Some(expected), Some(actual)) if crypto::ct_eq(expected, actual) => {}
- _ => err!(format!("SSO session binding mismatch for {state}")),
- }
- cookies
- .remove(Cookie::build(SSO_BINDING_COOKIE).path(format!("{}/identity/connect/", CONFIG.domain_path())).build());
-
sso_auth.code_response = Some(code_response);
sso_auth.updated_at = Utc::now().naive_utc();
sso_auth.save(conn).await?;
@@ -1271,7 +1219,7 @@ struct AuthorizeData {
// The `redirect_uri` will change depending of the client (web, android, ios ..)
#[get("/connect/authorize?")]
-async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure, conn: DbConn) -> ApiResult {
+async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult {
let AuthorizeData {
client_id,
redirect_uri,
@@ -1285,23 +1233,7 @@ async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure,
err!("Unsupported code challenge method");
}
- // Generate browser-binding token. Stored hashed in DB; raw value handed to the browser as a cookie.
- // Validated on /connect/oidc-signin
- let binding_token = data_encoding::BASE64URL_NOPAD.encode(&crypto::get_random_bytes::<32>());
- let binding_hash = crypto::sha256_hex(binding_token.as_bytes());
-
- let auth_url =
- sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, Some(binding_hash), conn).await?;
-
- cookies.add(
- Cookie::build((SSO_BINDING_COOKIE, binding_token))
- .path(format!("{}/identity/connect/", CONFIG.domain_path()))
- .max_age(time::Duration::seconds(sso::SSO_AUTH_EXPIRATION.num_seconds()))
- .same_site(SameSite::Lax) // Lax is needed because the IdP runs on a different FQDN
- .http_only(true)
- .secure(secure.https)
- .build(),
- );
+ let auth_url = sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, conn).await?;
Ok(Redirect::temporary(String::from(auth_url)))
}
diff --git a/src/api/notifications.rs b/src/api/notifications.rs
index b1d64472..492fdb19 100644
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@@ -338,7 +338,7 @@ impl WebSocketUsers {
}
// NOTE: The last modified date needs to be updated before calling these methods
- pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
+ pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
// Skip any processing if both WebSockets and Push are not active
if *NOTIFICATIONS_DISABLED {
return;
diff --git a/src/api/push.rs b/src/api/push.rs
index e3ff1383..5000869d 100644
--- a/src/api/push.rs
+++ b/src/api/push.rs
@@ -135,7 +135,7 @@ pub async fn register_push_device(device: &mut Device, conn: &DbConn) -> EmptyRe
Ok(())
}
-pub async fn unregister_push_device(push_id: Option<&PushId>) -> EmptyResult {
+pub async fn unregister_push_device(push_id: &Option) -> EmptyResult {
if !CONFIG.push_enabled() || push_id.is_none() {
return Ok(());
}
@@ -206,7 +206,7 @@ pub async fn push_logout(user: &User, acting_device: Option<&Device>, conn: &DbC
}
}
-pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
+pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
if Device::check_user_has_push_device(&user.uuid, conn).await {
tokio::task::spawn(send_to_push_relay(json!({
"userId": user.uuid,
diff --git a/src/auth.rs b/src/auth.rs
index 06bd9c22..43184369 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -54,8 +54,12 @@ static PUBLIC_RSA_KEY: OnceLock = OnceLock::new();
pub async fn initialize_keys() -> Result<(), Error> {
use std::io::Error;
- let rsa_key_filename = crate::storage::file_name(&CONFIG.private_rsa_key())
- .ok_or_else(|| Error::other("Private RSA key path missing filename"))?;
+ let rsa_key_filename = std::path::PathBuf::from(CONFIG.private_rsa_key())
+ .file_name()
+ .ok_or_else(|| Error::other("Private RSA key path missing filename"))?
+ .to_str()
+ .ok_or_else(|| Error::other("Private RSA key path filename is not valid UTF-8"))?
+ .to_string();
let operator = CONFIG.opendal_operator_for_path_type(&PathType::RsaKey).map_err(Error::other)?;
diff --git a/src/config.rs b/src/config.rs
index b6d0ce8a..6ff09467 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -14,7 +14,6 @@ use serde::de::{self, Deserialize, Deserializer, MapAccess, Visitor};
use crate::{
error::Error,
- storage,
util::{
get_active_web_release, get_env, get_env_bool, is_valid_email, parse_experimental_client_feature_flags,
FeatureFlagFilter,
@@ -23,14 +22,18 @@ use crate::{
static CONFIG_FILE: LazyLock = LazyLock::new(|| {
let data_folder = get_env("DATA_FOLDER").unwrap_or_else(|| String::from("data"));
- get_env("CONFIG_FILE").unwrap_or_else(|| storage::join_path(&data_folder, "config.json"))
+ get_env("CONFIG_FILE").unwrap_or_else(|| format!("{data_folder}/config.json"))
});
-static CONFIG_FILE_PARENT_DIR: LazyLock =
- LazyLock::new(|| storage::parent(&CONFIG_FILE).unwrap_or_else(|| "data".to_string()));
+static CONFIG_FILE_PARENT_DIR: LazyLock = LazyLock::new(|| {
+ let path = std::path::PathBuf::from(&*CONFIG_FILE);
+ path.parent().unwrap_or(std::path::Path::new("data")).to_str().unwrap_or("data").to_string()
+});
-static CONFIG_FILENAME: LazyLock =
- LazyLock::new(|| storage::file_name(&CONFIG_FILE).unwrap_or_else(|| "config.json".to_string()));
+static CONFIG_FILENAME: LazyLock = LazyLock::new(|| {
+ let path = std::path::PathBuf::from(&*CONFIG_FILE);
+ path.file_name().unwrap_or(std::ffi::OsStr::new("config.json")).to_str().unwrap_or("config.json").to_string()
+});
pub static SKIP_CONFIG_VALIDATION: AtomicBool = AtomicBool::new(false);
@@ -260,7 +263,7 @@ macro_rules! make_config {
}
async fn from_file() -> Result {
- let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+ let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
let config_bytes = operator.read(&CONFIG_FILENAME).await?;
println!("[INFO] Using saved config from `{}` for configuration.\n", *CONFIG_FILE);
serde_json::from_slice(&config_bytes.to_vec()).map_err(Into::into)
@@ -504,19 +507,19 @@ make_config! {
/// Data folder |> Main data folder
data_folder: String, false, def, "data".to_string();
/// Database URL
- database_url: String, false, auto, |c| storage::join_path(&c.data_folder, "db.sqlite3");
+ database_url: String, false, auto, |c| format!("{}/db.sqlite3", c.data_folder);
/// Icon cache folder
- icon_cache_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "icon_cache");
+ icon_cache_folder: String, false, auto, |c| format!("{}/icon_cache", c.data_folder);
/// Attachments folder
- attachments_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "attachments");
+ attachments_folder: String, false, auto, |c| format!("{}/attachments", c.data_folder);
/// Sends folder
- sends_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "sends");
+ sends_folder: String, false, auto, |c| format!("{}/sends", c.data_folder);
/// Temp folder |> Used for storing temporary file uploads
- tmp_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "tmp");
+ tmp_folder: String, false, auto, |c| format!("{}/tmp", c.data_folder);
/// Templates folder
- templates_folder: String, false, auto, |c| storage::join_path(&c.data_folder, "templates");
+ templates_folder: String, false, auto, |c| format!("{}/templates", c.data_folder);
/// Session JWT key
- rsa_key_filename: String, false, auto, |c| storage::join_path(&c.data_folder, "rsa_key");
+ rsa_key_filename: String, false, auto, |c| format!("{}/rsa_key", c.data_folder);
/// Web vault folder
web_vault_folder: String, false, def, "web-vault/".to_string();
},
@@ -1073,7 +1076,7 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> {
validate_internal_sso_issuer_url(&cfg.sso_authority)?;
validate_internal_sso_redirect_url(&cfg.sso_callback_path)?;
- validate_sso_master_password_policy(cfg.sso_master_password_policy.as_ref())?;
+ validate_sso_master_password_policy(&cfg.sso_master_password_policy)?;
}
if cfg._enable_yubico {
@@ -1268,7 +1271,7 @@ fn validate_internal_sso_redirect_url(sso_callback_path: &String) -> Result,
+ sso_master_password_policy: &Option,
) -> Result, Error> {
let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::(mpp));
@@ -1363,6 +1366,90 @@ fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option, smtp_explicit_tls
"starttls".to_string()
}
+fn opendal_operator_for_path(path: &str) -> Result {
+ // Cache of previously built operators by path
+ static OPERATORS_BY_PATH: LazyLock> =
+ LazyLock::new(dashmap::DashMap::new);
+
+ if let Some(operator) = OPERATORS_BY_PATH.get(path) {
+ return Ok(operator.clone());
+ }
+
+ let operator = if path.starts_with("s3://") {
+ #[cfg(not(s3))]
+ return Err(opendal::Error::new(opendal::ErrorKind::ConfigInvalid, "S3 support is not enabled").into());
+
+ #[cfg(s3)]
+ opendal_s3_operator_for_path(path)?
+ } else {
+ let builder = opendal::services::Fs::default().root(path);
+ opendal::Operator::new(builder)?.finish()
+ };
+
+ OPERATORS_BY_PATH.insert(path.to_string(), operator.clone());
+
+ Ok(operator)
+}
+
+#[cfg(s3)]
+fn opendal_s3_operator_for_path(path: &str) -> Result {
+ use crate::http_client::aws::AwsReqwestConnector;
+ use aws_config::{default_provider::credentials::DefaultCredentialsChain, provider_config::ProviderConfig};
+
+ // This is a custom AWS credential loader that uses the official AWS Rust
+ // SDK config crate to load credentials. This ensures maximum compatibility
+ // with AWS credential configurations. For example, OpenDAL doesn't support
+ // AWS SSO temporary credentials yet.
+ struct OpenDALS3CredentialLoader {}
+
+ #[async_trait]
+ impl reqsign::AwsCredentialLoad for OpenDALS3CredentialLoader {
+ async fn load_credential(&self, _client: reqwest::Client) -> anyhow::Result> {
+ use aws_credential_types::provider::ProvideCredentials as _;
+ use tokio::sync::OnceCell;
+
+ static DEFAULT_CREDENTIAL_CHAIN: OnceCell = OnceCell::const_new();
+
+ let chain = DEFAULT_CREDENTIAL_CHAIN
+ .get_or_init(|| {
+ let reqwest_client = reqwest::Client::builder().build().unwrap();
+ let connector = AwsReqwestConnector {
+ client: reqwest_client,
+ };
+
+ let conf = ProviderConfig::default().with_http_client(connector);
+
+ DefaultCredentialsChain::builder().configure(conf).build()
+ })
+ .await;
+
+ let creds = chain.provide_credentials().await?;
+
+ Ok(Some(reqsign::AwsCredential {
+ access_key_id: creds.access_key_id().to_string(),
+ secret_access_key: creds.secret_access_key().to_string(),
+ session_token: creds.session_token().map(|s| s.to_string()),
+ expires_in: creds.expiry().map(|expiration| expiration.into()),
+ }))
+ }
+ }
+
+ const OPEN_DAL_S3_CREDENTIAL_LOADER: OpenDALS3CredentialLoader = OpenDALS3CredentialLoader {};
+
+ let url = Url::parse(path).map_err(|e| format!("Invalid path S3 URL path {path:?}: {e}"))?;
+
+ let bucket = url.host_str().ok_or_else(|| format!("Missing Bucket name in data folder S3 URL {path:?}"))?;
+
+ let builder = opendal::services::S3::default()
+ .customized_credential_load(Box::new(OPEN_DAL_S3_CREDENTIAL_LOADER))
+ .enable_virtual_host_style()
+ .bucket(bucket)
+ .root(url.path())
+ .default_storage_class("INTELLIGENT_TIERING");
+
+ Ok(opendal::Operator::new(builder)?.finish())
+}
+
pub enum PathType {
Data,
IconCache,
@@ -1460,7 +1547,7 @@ impl Config {
}
//Save to file
- let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+ let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
operator.write(&CONFIG_FILENAME, config_str).await?;
Ok(())
@@ -1525,7 +1612,7 @@ impl Config {
}
pub async fn delete_user_config(&self) -> Result<(), Error> {
- let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+ let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
operator.delete(&CONFIG_FILENAME).await?;
// Empty user config
@@ -1549,7 +1636,7 @@ impl Config {
}
pub fn private_rsa_key(&self) -> String {
- storage::with_extension(&self.rsa_key_filename(), "pem")
+ format!("{}.pem", self.rsa_key_filename())
}
pub fn mail_enabled(&self) -> bool {
let inner = &self.inner.read().unwrap().config;
@@ -1590,11 +1677,15 @@ impl Config {
PathType::IconCache => self.icon_cache_folder(),
PathType::Attachments => self.attachments_folder(),
PathType::Sends => self.sends_folder(),
- PathType::RsaKey => storage::parent(&self.private_rsa_key())
- .ok_or_else(|| std::io::Error::other("Failed to get directory of RSA key file"))?,
+ PathType::RsaKey => std::path::Path::new(&self.rsa_key_filename())
+ .parent()
+ .ok_or_else(|| std::io::Error::other("Failed to get directory of RSA key file"))?
+ .to_str()
+ .ok_or_else(|| std::io::Error::other("Failed to convert RSA key file directory to UTF-8 string"))?
+ .to_string(),
};
- storage::operator_for_path(&path)
+ opendal_operator_for_path(&path)
}
pub fn render_template(&self, name: &str, data: &T) -> Result {
@@ -1634,7 +1725,7 @@ impl Config {
}
pub fn sso_master_password_policy_value(&self) -> Option {
- validate_sso_master_password_policy(self.sso_master_password_policy().as_ref()).ok().flatten()
+ validate_sso_master_password_policy(&self.sso_master_password_policy()).ok().flatten()
}
pub fn sso_scopes_vec(&self) -> Vec {
diff --git a/src/crypto.rs b/src/crypto.rs
index 46d305a5..1930f380 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -113,10 +113,3 @@ pub fn ct_eq, U: AsRef<[u8]>>(a: T, b: U) -> bool {
use subtle::ConstantTimeEq;
a.as_ref().ct_eq(b.as_ref()).into()
}
-
-//
-// SHA256
-//
-pub fn sha256_hex(data: &[u8]) -> String {
- HEXLOWER.encode(digest::digest(&digest::SHA256, data).as_ref())
-}
diff --git a/src/db/models/archive.rs b/src/db/models/archive.rs
deleted file mode 100644
index f576e7ed..00000000
--- a/src/db/models/archive.rs
+++ /dev/null
@@ -1,91 +0,0 @@
-use chrono::NaiveDateTime;
-use diesel::prelude::*;
-
-use super::{CipherId, User, UserId};
-use crate::api::EmptyResult;
-use crate::db::schema::archives;
-use crate::db::DbConn;
-use crate::error::MapResult;
-
-#[derive(Identifiable, Queryable, Insertable)]
-#[diesel(table_name = archives)]
-#[diesel(primary_key(user_uuid, cipher_uuid))]
-pub struct Archive {
- pub user_uuid: UserId,
- pub cipher_uuid: CipherId,
- pub archived_at: NaiveDateTime,
-}
-
-impl Archive {
- // Returns the date the specified cipher was archived
- pub async fn get_archived_at(cipher_uuid: &CipherId, user_uuid: &UserId, conn: &DbConn) -> Option {
- db_run! { conn: {
- archives::table
- .filter(archives::cipher_uuid.eq(cipher_uuid))
- .filter(archives::user_uuid.eq(user_uuid))
- .select(archives::archived_at)
- .first::(conn).ok()
- }}
- }
-
- // Saves (inserts or updates) an archive record with the provided timestamp
- pub async fn save(
- user_uuid: &UserId,
- cipher_uuid: &CipherId,
- archived_at: NaiveDateTime,
- conn: &DbConn,
- ) -> EmptyResult {
- User::update_uuid_revision(user_uuid, conn).await;
- db_run! { conn:
- sqlite, mysql {
- diesel::replace_into(archives::table)
- .values((
- archives::user_uuid.eq(user_uuid),
- archives::cipher_uuid.eq(cipher_uuid),
- archives::archived_at.eq(archived_at),
- ))
- .execute(conn)
- .map_res("Error saving archive")
- }
- postgresql {
- diesel::insert_into(archives::table)
- .values((
- archives::user_uuid.eq(user_uuid),
- archives::cipher_uuid.eq(cipher_uuid),
- archives::archived_at.eq(archived_at),
- ))
- .on_conflict((archives::user_uuid, archives::cipher_uuid))
- .do_update()
- .set(archives::archived_at.eq(archived_at))
- .execute(conn)
- .map_res("Error saving archive")
- }
- }
- }
-
- // Deletes an archive record for a specific cipher
- pub async fn delete_by_cipher(user_uuid: &UserId, cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
- User::update_uuid_revision(user_uuid, conn).await;
- db_run! { conn: {
- diesel::delete(
- archives::table
- .filter(archives::user_uuid.eq(user_uuid))
- .filter(archives::cipher_uuid.eq(cipher_uuid))
- )
- .execute(conn)
- .map_res("Error deleting archive")
- }}
- }
-
- /// Return a vec with (cipher_uuid, archived_at)
- /// This is used during a full sync so we only need one query for all archive matches
- pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<(CipherId, NaiveDateTime)> {
- db_run! { conn: {
- archives::table
- .filter(archives::user_uuid.eq(user_uuid))
- .select((archives::cipher_uuid, archives::archived_at))
- .load::<(CipherId, NaiveDateTime)>(conn)
- .unwrap_or_default()
- }}
- }
-}
diff --git a/src/db/models/attachment.rs b/src/db/models/attachment.rs
index dad081bd..4273c22a 100644
--- a/src/db/models/attachment.rs
+++ b/src/db/models/attachment.rs
@@ -46,11 +46,11 @@ impl Attachment {
pub async fn get_url(&self, host: &str) -> Result {
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;
- if crate::storage::is_fs_operator(&operator) {
+ if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
} else {
- Ok(operator.presign_read(&self.get_file_path(), Duration::from_mins(5)).await?.uri().to_string())
+ Ok(operator.presign_read(&self.get_file_path(), Duration::from_secs(5 * 60)).await?.uri().to_string())
}
}
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index db906179..edc5f8c9 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -10,8 +10,8 @@ use diesel::prelude::*;
use serde_json::Value;
use super::{
- Archive, Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership,
- MembershipStatus, MembershipType, OrganizationId, User, UserId,
+ Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership, MembershipStatus,
+ MembershipType, OrganizationId, User, UserId,
};
use crate::api::core::{CipherData, CipherSyncData, CipherSyncType};
use macros::UuidFromParam;
@@ -380,11 +380,6 @@ impl Cipher {
} else {
self.is_favorite(user_uuid, conn).await
});
- json_object["archivedDate"] = json!(if let Some(cipher_sync_data) = cipher_sync_data {
- cipher_sync_data.cipher_archives.get(&self.uuid).map_or(Value::Null, |d| Value::String(format_date(d)))
- } else {
- self.get_archived_at(user_uuid, conn).await.map_or(Value::Null, |d| Value::String(format_date(&d)))
- });
// These values are true by default, but can be false if the
// cipher belongs to a collection or group where the org owner has enabled
// the "Read Only" or "Hide Passwords" restrictions for the user.
@@ -403,7 +398,7 @@ impl Cipher {
3 => "card",
4 => "identity",
5 => "sshKey",
- _ => err!(format!("Cipher {} has an invalid type {}", self.uuid, self.atype)),
+ _ => panic!("Wrong type"),
};
json_object[key] = type_data_json;
@@ -747,18 +742,6 @@ impl Cipher {
}
}
- pub async fn get_archived_at(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
- Archive::get_archived_at(&self.uuid, user_uuid, conn).await
- }
-
- pub async fn set_archived_at(&self, archived_at: NaiveDateTime, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
- Archive::save(user_uuid, &self.uuid, archived_at, conn).await
- }
-
- pub async fn unarchive(&self, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
- Archive::delete_by_cipher(user_uuid, &self.uuid, conn).await
- }
-
pub async fn get_folder_uuid(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
db_run! { conn: {
folders_ciphers::table
diff --git a/src/db/models/device.rs b/src/db/models/device.rs
index 7364a2ec..1026574c 100644
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -25,7 +25,7 @@ pub struct Device {
pub user_uuid: UserId,
pub name: String,
- pub atype: i32, // https://github.com/bitwarden/server/blob/8d547dcc280babab70dd4a3c94ced6a34b12dfbf/src/Core/Enums/DeviceType.cs
+ pub atype: i32, // https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/Enums/DeviceType.cs
pub push_uuid: Option,
pub push_token: Option,
@@ -332,8 +332,6 @@ pub enum DeviceType {
MacOsCLI = 24,
#[display("Linux CLI")]
LinuxCLI = 25,
- #[display("DuckDuckGo")]
- DuckDuckGoBrowser = 26,
}
impl DeviceType {
@@ -365,7 +363,6 @@ impl DeviceType {
23 => DeviceType::WindowsCLI,
24 => DeviceType::MacOsCLI,
25 => DeviceType::LinuxCLI,
- 26 => DeviceType::DuckDuckGoBrowser,
_ => DeviceType::UnknownBrowser,
}
}
diff --git a/src/db/models/emergency_access.rs b/src/db/models/emergency_access.rs
index 5ea334a4..cf7f5385 100644
--- a/src/db/models/emergency_access.rs
+++ b/src/db/models/emergency_access.rs
@@ -85,8 +85,7 @@ impl EmergencyAccess {
pub async fn to_json_grantee_details(&self, conn: &DbConn) -> Option {
let grantee_user = if let Some(grantee_uuid) = &self.grantee_uuid {
User::find_by_uuid(grantee_uuid, conn).await.expect("Grantee user not found.")
- } else {
- let email = self.email.as_deref()?;
+ } else if let Some(email) = self.email.as_deref() {
match User::find_by_mail(email, conn).await {
Some(user) => user,
None => {
@@ -95,6 +94,8 @@ impl EmergencyAccess {
return None;
}
}
+ } else {
+ return None;
};
Some(json!({
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index 2d31259c..b4fcf658 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -1,4 +1,3 @@
-mod archive;
mod attachment;
mod auth_request;
mod cipher;
@@ -18,7 +17,6 @@ mod two_factor_duo_context;
mod two_factor_incomplete;
mod user;
-pub use self::archive::Archive;
pub use self::attachment::{Attachment, AttachmentId};
pub use self::auth_request::{AuthRequest, AuthRequestId};
pub use self::cipher::{Cipher, CipherId, RepromptType};
diff --git a/src/db/models/send.rs b/src/db/models/send.rs
index 5b6611fa..84802c54 100644
--- a/src/db/models/send.rs
+++ b/src/db/models/send.rs
@@ -237,7 +237,7 @@ impl Send {
if self.atype == SendType::File as i32 {
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;
- operator.delete_with(&self.uuid).recursive(true).await.ok();
+ operator.remove_all(&self.uuid).await.ok();
}
db_run! { conn: {
diff --git a/src/db/models/sso_auth.rs b/src/db/models/sso_auth.rs
index 2c6eec6d..fec0433a 100644
--- a/src/db/models/sso_auth.rs
+++ b/src/db/models/sso_auth.rs
@@ -54,18 +54,11 @@ pub struct SsoAuth {
pub auth_response: Option,
pub created_at: NaiveDateTime,
pub updated_at: NaiveDateTime,
- pub binding_hash: Option,
}
/// Local methods
impl SsoAuth {
- pub fn new(
- state: OIDCState,
- client_challenge: OIDCCodeChallenge,
- nonce: String,
- redirect_uri: String,
- binding_hash: Option,
- ) -> Self {
+ pub fn new(state: OIDCState, client_challenge: OIDCCodeChallenge, nonce: String, redirect_uri: String) -> Self {
let now = Utc::now().naive_utc();
SsoAuth {
@@ -77,7 +70,6 @@ impl SsoAuth {
updated_at: now,
code_response: None,
auth_response: None,
- binding_hash,
}
}
}
diff --git a/src/db/schema.rs b/src/db/schema.rs
index bf79ceac..914b4fe9 100644
--- a/src/db/schema.rs
+++ b/src/db/schema.rs
@@ -265,7 +265,6 @@ table! {
auth_response -> Nullable,
created_at -> Timestamp,
updated_at -> Timestamp,
- binding_hash -> Nullable,
}
}
@@ -342,16 +341,6 @@ table! {
}
}
-table! {
- archives (user_uuid, cipher_uuid) {
- user_uuid -> Text,
- cipher_uuid -> Text,
- archived_at -> Timestamp,
- }
-}
-
-joinable!(archives -> users (user_uuid));
-joinable!(archives -> ciphers (cipher_uuid));
joinable!(attachments -> ciphers (cipher_uuid));
joinable!(ciphers -> organizations (organization_uuid));
joinable!(ciphers -> users (user_uuid));
@@ -383,7 +372,6 @@ joinable!(auth_requests -> users (user_uuid));
joinable!(sso_users -> users (user_uuid));
allow_tables_to_appear_in_same_query!(
- archives,
attachments,
ciphers,
ciphers_collections,
diff --git a/src/http_client.rs b/src/http_client.rs
index d39b884d..df52e2bc 100644
--- a/src/http_client.rs
+++ b/src/http_client.rs
@@ -1,6 +1,7 @@
use std::{
fmt,
net::{IpAddr, SocketAddr},
+ str::FromStr,
sync::{Arc, LazyLock, Mutex},
time::Duration,
};
@@ -58,6 +59,16 @@ pub fn get_reqwest_client_builder() -> ClientBuilder {
.timeout(Duration::from_secs(10))
}
+pub fn should_block_address(domain_or_ip: &str) -> bool {
+ if let Ok(ip) = IpAddr::from_str(domain_or_ip) {
+ if should_block_ip(ip) {
+ return true;
+ }
+ }
+
+ should_block_address_regex(domain_or_ip)
+}
+
fn should_block_ip(ip: IpAddr) -> bool {
if !CONFIG.http_request_block_non_global_ips() {
return false;
@@ -89,54 +100,11 @@ fn should_block_address_regex(domain_or_ip: &str) -> bool {
is_match
}
-pub fn get_valid_host(host: &str) -> Result {
- let Ok(host) = Host::parse(host) else {
- return Err(CustomHttpClientError::Invalid {
- domain: host.to_string(),
- });
- };
-
- // Some extra checks to validate hosts
- match host {
- Host::Domain(ref domain) => {
- // Host::parse() does not verify length or all possible invalid characters
- // We do some extra checks here to prevent issues
- if domain.len() > 253 {
- debug!("Domain validation error: '{domain}' exceeds 253 characters");
- return Err(CustomHttpClientError::Invalid {
- domain: host.to_string(),
- });
- }
- if !domain.split('.').all(|label| {
- !label.is_empty()
- // Labels can't be longer than 63 chars
- && label.len() <= 63
- // Labels are not allowed to start or end with a hyphen `-`
- && !label.starts_with('-')
- && !label.ends_with('-')
- // Only ASCII Alphanumeric characters are allowed
- // We already received a punycoded domain back, so no unicode should exists here
- && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
- }) {
- debug!(
- "Domain validation error: '{domain}' labels contain invalid characters or exceed the maximum length"
- );
- return Err(CustomHttpClientError::Invalid {
- domain: host.to_string(),
- });
- }
- }
- Host::Ipv4(_) | Host::Ipv6(_) => {}
- }
-
- Ok(host)
-}
-
-pub fn should_block_host>(host: &Host) -> Result<(), CustomHttpClientError> {
+fn should_block_host(host: &Host<&str>) -> Result<(), CustomHttpClientError> {
let (ip, host_str): (Option, String) = match host {
Host::Ipv4(ip) => (Some(IpAddr::V4(*ip)), ip.to_string()),
Host::Ipv6(ip) => (Some(IpAddr::V6(*ip)), ip.to_string()),
- Host::Domain(d) => (None, d.as_ref().to_string()),
+ Host::Domain(d) => (None, (*d).to_string()),
};
if let Some(ip) = ip {
@@ -166,9 +134,6 @@ pub enum CustomHttpClientError {
domain: Option,
ip: IpAddr,
},
- Invalid {
- domain: String,
- },
}
impl CustomHttpClientError {
@@ -190,7 +155,7 @@ impl fmt::Display for CustomHttpClientError {
match self {
Self::Blocked {
domain,
- } => write!(f, "Blocked domain: '{domain}' matched HTTP_REQUEST_BLOCK_REGEX"),
+ } => write!(f, "Blocked domain: {domain} matched HTTP_REQUEST_BLOCK_REGEX"),
Self::NonGlobalIp {
domain: Some(domain),
ip,
@@ -198,10 +163,7 @@ impl fmt::Display for CustomHttpClientError {
Self::NonGlobalIp {
domain: None,
ip,
- } => write!(f, "IP '{ip}' is not a global IP!"),
- Self::Invalid {
- domain,
- } => write!(f, "Invalid host: '{domain}' contains invalid characters or exceeds the maximum length"),
+ } => write!(f, "IP {ip} is not a global IP!"),
}
}
}
@@ -255,13 +217,7 @@ impl CustomDnsResolver {
}
fn pre_resolve(name: &str) -> Result<(), CustomHttpClientError> {
- let Ok(host) = get_valid_host(name) else {
- return Err(CustomHttpClientError::Invalid {
- domain: name.to_string(),
- });
- };
-
- if should_block_host(&host).is_err() {
+ if should_block_address(name) {
return Err(CustomHttpClientError::Blocked {
domain: name.to_string(),
});
@@ -352,209 +308,3 @@ pub(crate) mod aws {
}
}
}
-
-#[cfg(test)]
-mod tests {
- use super::*;
- use crate::util::is_global_hardcoded;
- use std::net::Ipv4Addr;
- use url::Host;
-
- // ===
- // IPv4 numeric-format normalization
- fn parse_to_ip(s: &str) -> Option {
- match Host::parse(s).ok()? {
- Host::Ipv4(v4) => Some(IpAddr::V4(v4)),
- Host::Ipv6(v6) => Some(IpAddr::V6(v6)),
- Host::Domain(_) => None,
- }
- }
-
- #[test]
- fn dotted_decimal_loopback_normalizes() {
- let ip = parse_to_ip("127.0.0.1").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn single_decimal_loopback_normalizes() {
- // 127.0.0.1 == 2130706433
- let ip = parse_to_ip("2130706433").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn hex_loopback_normalizes() {
- let ip = parse_to_ip("0x7f000001").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn dotted_hex_loopback_normalizes() {
- let ip = parse_to_ip("0x7f.0.0.1").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn octal_loopback_normalizes() {
- // 017700000001 == 127.0.0.1
- let ip = parse_to_ip("017700000001").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn dotted_octal_loopback_normalizes() {
- let ip = parse_to_ip("0177.0.0.01").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn aws_metadata_decimal_blocked() {
- // 169.254.169.254 == 2852039166 (link-local, AWS IMDS)
- let ip = parse_to_ip("2852039166").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(169, 254, 169, 254)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn rfc1918_hex_blocked() {
- // 10.0.0.1
- let ip = parse_to_ip("0x0a000001").unwrap();
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn public_ip_decimal_allowed() {
- // 8.8.8.8 == 134744072
- let ip = parse_to_ip("134744072").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(8, 8, 8, 8)));
- assert!(is_global_hardcoded(ip));
- }
-
- // ===
- // get_valid_host integration: numeric forms become Host::Ipv4
- #[test]
- fn get_valid_host_normalizes_decimal_int() {
- let h = get_valid_host("2130706433").expect("valid");
- assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
- }
-
- #[test]
- fn get_valid_host_normalizes_hex() {
- let h = get_valid_host("0x7f000001").expect("valid");
- assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
- }
-
- #[test]
- fn get_valid_host_normalizes_octal() {
- let h = get_valid_host("017700000001").expect("valid");
- assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
- }
-
- // ===
- // IPv6 formats
- #[test]
- fn ipv6_loopback_blocked() {
- let h = get_valid_host("[::1]").expect("valid");
- let Host::Ipv6(ip) = h else {
- panic!("expected v6")
- };
- assert!(!is_global_hardcoded(IpAddr::V6(ip)));
- }
-
- #[test]
- fn ipv4_mapped_in_ipv6_loopback_blocked() {
- // ::ffff:127.0.0.1 — v4-mapped form; is_global_hardcoded blocks via ::ffff:0:0/96
- let h = get_valid_host("[::ffff:127.0.0.1]").expect("valid");
- let Host::Ipv6(ip) = h else {
- panic!("expected v6")
- };
- assert!(!is_global_hardcoded(IpAddr::V6(ip)));
- }
-
- #[test]
- fn ipv6_unique_local_blocked() {
- let h = get_valid_host("[fc00::1]").expect("valid");
- let Host::Ipv6(ip) = h else {
- panic!("expected v6")
- };
- assert!(!is_global_hardcoded(IpAddr::V6(ip)));
- }
-
- // ===
- // Punycode / IDN
- #[test]
- fn punycode_passthrough() {
- let h = get_valid_host("xn--deadbeafcaf-lbb.test").expect("valid");
- match h {
- Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_unicode_gets_punycoded() {
- let h = get_valid_host("deadbeafcafé.test").expect("valid");
- match h {
- Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_unicode_gets_punycoded_tld() {
- let h = get_valid_host("deadbeaf.café").expect("valid");
- match h {
- Host::Domain(d) => assert_eq!(d, "deadbeaf.xn--caf-dma"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_emoji_gets_punycoded() {
- let h = get_valid_host("xn--t88h.test").expect("valid"); // 🛡️.test
- match h {
- Host::Domain(d) => assert_eq!(d, "xn--t88h.test"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_unicode_to_punycode_roundtrip() {
- let from_unicode = get_valid_host("🛡️.test").expect("valid");
- let from_puny = get_valid_host("xn--t88h.test").expect("valid");
- match (from_unicode, from_puny) {
- (Host::Domain(a), Host::Domain(b)) => assert_eq!(a, b),
- _ => panic!("expected domains"),
- }
- }
-
- #[test]
- fn invalid_punycode_rejected() {
- // bare invalid punycode
- assert!(get_valid_host("xn--").is_err());
- }
-
- #[test]
- fn underscore_in_label_rejected() {
- assert!(get_valid_host("dead_beaf.cafe").is_err());
- }
-
- #[test]
- fn label_too_long_rejected() {
- let label = "a".repeat(64);
- assert!(get_valid_host(&format!("{label}.test")).is_err());
- }
-
- #[test]
- fn domain_too_long_rejected() {
- let big = "a.".repeat(130) + "test"; // > 253
- assert!(get_valid_host(&big).is_err());
- }
-}
diff --git a/src/main.rs b/src/main.rs
index 4ffeacc1..60c5a593 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -57,7 +57,6 @@ mod mail;
mod ratelimit;
mod sso;
mod sso_client;
-mod storage;
mod util;
use crate::api::core::two_factor::duo_oidc::purge_duo_contexts;
@@ -71,7 +70,6 @@ pub use util::is_running_in_container;
#[rocket::main]
async fn main() -> Result<(), Error> {
- install_rustls_crypto_provider();
parse_args();
launch_info();
@@ -204,14 +202,6 @@ fn parse_args() {
}
}
-fn install_rustls_crypto_provider() {
- if rustls::crypto::CryptoProvider::get_default().is_none() {
- rustls::crypto::ring::default_provider()
- .install_default()
- .expect("failed to install rustls ring crypto provider");
- }
-}
-
fn launch_info() {
println!(
"\
diff --git a/src/sso.rs b/src/sso.rs
index 7505f84f..2f56f3a6 100644
--- a/src/sso.rs
+++ b/src/sso.rs
@@ -17,7 +17,7 @@ use crate::{
CONFIG,
};
-pub static FAKE_SSO_IDENTIFIER: &str = "00000000-01DC-01DC-01DC-000000000000";
+pub static FAKE_SSO_IDENTIFIER: &str = "vaultwarden-dummy-oidc-identifier";
static SSO_JWT_ISSUER: LazyLock = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));
@@ -188,7 +188,6 @@ pub async fn authorize_url(
client_challenge: OIDCCodeChallenge,
client_id: &str,
raw_redirect_uri: &str,
- binding_hash: Option,
conn: DbConn,
) -> ApiResult {
let redirect_uri = match client_id {
@@ -204,7 +203,7 @@ pub async fn authorize_url(
_ => err!(format!("Unsupported client {client_id}")),
};
- let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri, binding_hash).await?;
+ let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri).await?;
sso_auth.save(&conn).await?;
Ok(auth_url)
}
@@ -284,7 +283,7 @@ pub async fn exchange_code(
let email_verified = id_claims.email_verified().or(user_info.email_verified());
- let user_name = id_claims.preferred_username().or(user_info.preferred_username()).map(|un| un.to_string());
+ let user_name = id_claims.preferred_username().map(|un| un.to_string());
let refresh_token = token_response.refresh_token().map(|t| t.secret());
if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_string()) {
diff --git a/src/sso_client.rs b/src/sso_client.rs
index 68e171c6..6204ab48 100644
--- a/src/sso_client.rs
+++ b/src/sso_client.rs
@@ -1,13 +1,12 @@
-use std::{borrow::Cow, future::Future, pin::Pin, sync::LazyLock, time::Duration};
+use std::{borrow::Cow, sync::LazyLock, time::Duration};
-use openidconnect::{core::*, *};
+use openidconnect::{core::*, reqwest, *};
use regex::Regex;
use url::Url;
use crate::{
api::{ApiResult, EmptyResult},
db::models::SsoAuth,
- http_client::get_reqwest_client_builder,
sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
CONFIG,
};
@@ -47,42 +46,10 @@ pub type RefreshTokenResponse = (Option, String, Option);
#[derive(Clone)]
pub struct Client {
- pub http_client: OidcHttpClient,
+ pub http_client: reqwest::Client,
pub core_client: CustomClient,
}
-#[derive(Clone)]
-pub struct OidcHttpClient {
- client: reqwest::Client,
-}
-
-impl OidcHttpClient {
- fn new() -> Result {
- get_reqwest_client_builder().redirect(reqwest::redirect::Policy::none()).build().map(|client| Self {
- client,
- })
- }
-}
-
-impl<'c> AsyncHttpClient<'c> for OidcHttpClient {
- type Error = HttpClientError;
- type Future = Pin> + Send + Sync + 'c>>;
-
- fn call(&'c self, request: HttpRequest) -> Self::Future {
- Box::pin(async move {
- let response = self.client.execute(request.try_into().map_err(Box::new)?).await.map_err(Box::new)?;
-
- let mut builder = http::Response::builder().status(response.status()).version(response.version());
-
- for (name, value) in response.headers() {
- builder = builder.header(name, value);
- }
-
- builder.body(response.bytes().await.map_err(Box::new)?.to_vec()).map_err(HttpClientError::Http)
- })
- }
-}
-
impl Client {
// Call the OpenId discovery endpoint to retrieve configuration
async fn _get_client() -> ApiResult {
@@ -91,7 +58,7 @@ impl Client {
let issuer_url = CONFIG.sso_issuer_url()?;
- let http_client = match OidcHttpClient::new() {
+ let http_client = match reqwest::ClientBuilder::new().redirect(reqwest::redirect::Policy::none()).build() {
Err(err) => err!(format!("Failed to build http client: {err}")),
Ok(client) => client,
};
@@ -150,7 +117,6 @@ impl Client {
state: OIDCState,
client_challenge: OIDCCodeChallenge,
redirect_uri: String,
- binding_hash: Option,
) -> ApiResult<(Url, SsoAuth)> {
let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());
@@ -173,7 +139,7 @@ impl Client {
}
let (auth_url, _, nonce) = auth_req.url();
- Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri, binding_hash)))
+ Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri)))
}
pub async fn exchange_code(
diff --git a/src/static/scripts/admin.css b/src/static/scripts/admin.css
index c7c6f443..0df56771 100644
--- a/src/static/scripts/admin.css
+++ b/src/static/scripts/admin.css
@@ -1,17 +1,6 @@
body {
padding-top: 75px;
}
-/* Some extra width's for the main layout */
-@media (min-width: 1600px) {
- .container-xxl {
- max-width: 1520px;
- }
-}
-@media (min-width: 1800px) {
- .container-xxl {
- max-width: 1720px;
- }
-}
img {
width: 48px;
height: 48px;
@@ -49,8 +38,8 @@ img {
max-width: 130px;
}
#users-table .vw-actions, #orgs-table .vw-actions {
- min-width: 170px;
- max-width: 180px;
+ min-width: 155px;
+ max-width: 160px;
}
#users-table .vw-org-cell {
max-height: 120px;
diff --git a/src/static/templates/admin/base.hbs b/src/static/templates/admin/base.hbs
index e1dcacb5..f56d8262 100644
--- a/src/static/templates/admin/base.hbs
+++ b/src/static/templates/admin/base.hbs
@@ -27,7 +27,7 @@