&", rank = 1)]
-async fn oidcsignin(code: OIDCCode, state: String, cookies: &CookieJar<'_>, mut conn: DbConn) -> ApiResult {
+async fn oidcsignin(code: OIDCCode, state: String, mut conn: DbConn) -> ApiResult {
_oidcsignin_redirect(
state,
OIDCCodeWrapper::Ok {
code,
},
- cookies,
&mut conn,
)
.await
@@ -1183,7 +1146,6 @@ async fn oidcsignin_error(
state: String,
error: String,
error_description: Option,
- cookies: &CookieJar<'_>,
mut conn: DbConn,
) -> ApiResult {
_oidcsignin_redirect(
@@ -1192,7 +1154,6 @@ async fn oidcsignin_error(
error,
error_description,
},
- cookies,
&mut conn,
)
.await
@@ -1204,7 +1165,6 @@ async fn oidcsignin_error(
async fn _oidcsignin_redirect(
base64_state: String,
code_response: OIDCCodeWrapper,
- cookies: &CookieJar<'_>,
conn: &mut DbConn,
) -> ApiResult {
let state = sso::decode_state(&base64_state)?;
@@ -1213,17 +1173,6 @@ async fn _oidcsignin_redirect(
None => err!(format!("Cannot retrieve sso_auth for {state}")),
Some(sso_auth) => sso_auth,
};
-
- // Browser-binding check
- // The cookie was set on /connect/authorize and must come from the same browser that initiated the flow.
- let cookie_value = cookies.get(SSO_BINDING_COOKIE).map(|c| c.value().to_string());
- let provided_hash = cookie_value.as_deref().map(|v| crypto::sha256_hex(v.as_bytes()));
- match (sso_auth.binding_hash.as_deref(), provided_hash.as_deref()) {
- (Some(expected), Some(actual)) if crypto::ct_eq(expected, actual) => {}
- _ => err!(format!("SSO session binding mismatch for {state}")),
- }
- cookies.remove(Cookie::build(SSO_BINDING_COOKIE).path("/identity/connect/").build());
-
sso_auth.code_response = Some(code_response);
sso_auth.updated_at = Utc::now().naive_utc();
sso_auth.save(conn).await?;
@@ -1270,7 +1219,7 @@ struct AuthorizeData {
// The `redirect_uri` will change depending of the client (web, android, ios ..)
#[get("/connect/authorize?")]
-async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure, conn: DbConn) -> ApiResult {
+async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult {
let AuthorizeData {
client_id,
redirect_uri,
@@ -1284,23 +1233,7 @@ async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure,
err!("Unsupported code challenge method");
}
- // Generate browser-binding token. Stored hashed in DB; raw value handed to the browser as a cookie.
- // Validated on /connect/oidc-signin
- let binding_token = data_encoding::BASE64URL_NOPAD.encode(&crypto::get_random_bytes::<32>());
- let binding_hash = crypto::sha256_hex(binding_token.as_bytes());
-
- let auth_url =
- sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, Some(binding_hash), conn).await?;
-
- cookies.add(
- Cookie::build((SSO_BINDING_COOKIE, binding_token))
- .path("/identity/connect/")
- .max_age(time::Duration::seconds(sso::SSO_AUTH_EXPIRATION.num_seconds()))
- .same_site(SameSite::Lax) // Lax is needed because the IdP runs on a different FQDN
- .http_only(true)
- .secure(secure.https)
- .build(),
- );
+ let auth_url = sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, conn).await?;
Ok(Redirect::temporary(String::from(auth_url)))
}
diff --git a/src/api/notifications.rs b/src/api/notifications.rs
index b1d64472..492fdb19 100644
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@@ -338,7 +338,7 @@ impl WebSocketUsers {
}
// NOTE: The last modified date needs to be updated before calling these methods
- pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
+ pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
// Skip any processing if both WebSockets and Push are not active
if *NOTIFICATIONS_DISABLED {
return;
diff --git a/src/api/push.rs b/src/api/push.rs
index e3ff1383..5000869d 100644
--- a/src/api/push.rs
+++ b/src/api/push.rs
@@ -135,7 +135,7 @@ pub async fn register_push_device(device: &mut Device, conn: &DbConn) -> EmptyRe
Ok(())
}
-pub async fn unregister_push_device(push_id: Option<&PushId>) -> EmptyResult {
+pub async fn unregister_push_device(push_id: &Option) -> EmptyResult {
if !CONFIG.push_enabled() || push_id.is_none() {
return Ok(());
}
@@ -206,7 +206,7 @@ pub async fn push_logout(user: &User, acting_device: Option<&Device>, conn: &DbC
}
}
-pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
+pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
if Device::check_user_has_push_device(&user.uuid, conn).await {
tokio::task::spawn(send_to_push_relay(json!({
"userId": user.uuid,
diff --git a/src/config.rs b/src/config.rs
index ae995f69..6ff09467 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1076,7 +1076,7 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> {
validate_internal_sso_issuer_url(&cfg.sso_authority)?;
validate_internal_sso_redirect_url(&cfg.sso_callback_path)?;
- validate_sso_master_password_policy(cfg.sso_master_password_policy.as_ref())?;
+ validate_sso_master_password_policy(&cfg.sso_master_password_policy)?;
}
if cfg._enable_yubico {
@@ -1271,7 +1271,7 @@ fn validate_internal_sso_redirect_url(sso_callback_path: &String) -> Result,
+ sso_master_password_policy: &Option,
) -> Result, Error> {
let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::(mpp));
@@ -1725,7 +1725,7 @@ impl Config {
}
pub fn sso_master_password_policy_value(&self) -> Option {
- validate_sso_master_password_policy(self.sso_master_password_policy().as_ref()).ok().flatten()
+ validate_sso_master_password_policy(&self.sso_master_password_policy()).ok().flatten()
}
pub fn sso_scopes_vec(&self) -> Vec {
diff --git a/src/crypto.rs b/src/crypto.rs
index 46d305a5..1930f380 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -113,10 +113,3 @@ pub fn ct_eq, U: AsRef<[u8]>>(a: T, b: U) -> bool {
use subtle::ConstantTimeEq;
a.as_ref().ct_eq(b.as_ref()).into()
}
-
-//
-// SHA256
-//
-pub fn sha256_hex(data: &[u8]) -> String {
- HEXLOWER.encode(digest::digest(&digest::SHA256, data).as_ref())
-}
diff --git a/src/db/models/archive.rs b/src/db/models/archive.rs
deleted file mode 100644
index f576e7ed..00000000
--- a/src/db/models/archive.rs
+++ /dev/null
@@ -1,91 +0,0 @@
-use chrono::NaiveDateTime;
-use diesel::prelude::*;
-
-use super::{CipherId, User, UserId};
-use crate::api::EmptyResult;
-use crate::db::schema::archives;
-use crate::db::DbConn;
-use crate::error::MapResult;
-
-#[derive(Identifiable, Queryable, Insertable)]
-#[diesel(table_name = archives)]
-#[diesel(primary_key(user_uuid, cipher_uuid))]
-pub struct Archive {
- pub user_uuid: UserId,
- pub cipher_uuid: CipherId,
- pub archived_at: NaiveDateTime,
-}
-
-impl Archive {
- // Returns the date the specified cipher was archived
- pub async fn get_archived_at(cipher_uuid: &CipherId, user_uuid: &UserId, conn: &DbConn) -> Option {
- db_run! { conn: {
- archives::table
- .filter(archives::cipher_uuid.eq(cipher_uuid))
- .filter(archives::user_uuid.eq(user_uuid))
- .select(archives::archived_at)
- .first::(conn).ok()
- }}
- }
-
- // Saves (inserts or updates) an archive record with the provided timestamp
- pub async fn save(
- user_uuid: &UserId,
- cipher_uuid: &CipherId,
- archived_at: NaiveDateTime,
- conn: &DbConn,
- ) -> EmptyResult {
- User::update_uuid_revision(user_uuid, conn).await;
- db_run! { conn:
- sqlite, mysql {
- diesel::replace_into(archives::table)
- .values((
- archives::user_uuid.eq(user_uuid),
- archives::cipher_uuid.eq(cipher_uuid),
- archives::archived_at.eq(archived_at),
- ))
- .execute(conn)
- .map_res("Error saving archive")
- }
- postgresql {
- diesel::insert_into(archives::table)
- .values((
- archives::user_uuid.eq(user_uuid),
- archives::cipher_uuid.eq(cipher_uuid),
- archives::archived_at.eq(archived_at),
- ))
- .on_conflict((archives::user_uuid, archives::cipher_uuid))
- .do_update()
- .set(archives::archived_at.eq(archived_at))
- .execute(conn)
- .map_res("Error saving archive")
- }
- }
- }
-
- // Deletes an archive record for a specific cipher
- pub async fn delete_by_cipher(user_uuid: &UserId, cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
- User::update_uuid_revision(user_uuid, conn).await;
- db_run! { conn: {
- diesel::delete(
- archives::table
- .filter(archives::user_uuid.eq(user_uuid))
- .filter(archives::cipher_uuid.eq(cipher_uuid))
- )
- .execute(conn)
- .map_res("Error deleting archive")
- }}
- }
-
- /// Return a vec with (cipher_uuid, archived_at)
- /// This is used during a full sync so we only need one query for all archive matches
- pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<(CipherId, NaiveDateTime)> {
- db_run! { conn: {
- archives::table
- .filter(archives::user_uuid.eq(user_uuid))
- .select((archives::cipher_uuid, archives::archived_at))
- .load::<(CipherId, NaiveDateTime)>(conn)
- .unwrap_or_default()
- }}
- }
-}
diff --git a/src/db/models/attachment.rs b/src/db/models/attachment.rs
index 7611b927..4273c22a 100644
--- a/src/db/models/attachment.rs
+++ b/src/db/models/attachment.rs
@@ -50,7 +50,7 @@ impl Attachment {
let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
} else {
- Ok(operator.presign_read(&self.get_file_path(), Duration::from_mins(5)).await?.uri().to_string())
+ Ok(operator.presign_read(&self.get_file_path(), Duration::from_secs(5 * 60)).await?.uri().to_string())
}
}
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index db906179..edc5f8c9 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -10,8 +10,8 @@ use diesel::prelude::*;
use serde_json::Value;
use super::{
- Archive, Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership,
- MembershipStatus, MembershipType, OrganizationId, User, UserId,
+ Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership, MembershipStatus,
+ MembershipType, OrganizationId, User, UserId,
};
use crate::api::core::{CipherData, CipherSyncData, CipherSyncType};
use macros::UuidFromParam;
@@ -380,11 +380,6 @@ impl Cipher {
} else {
self.is_favorite(user_uuid, conn).await
});
- json_object["archivedDate"] = json!(if let Some(cipher_sync_data) = cipher_sync_data {
- cipher_sync_data.cipher_archives.get(&self.uuid).map_or(Value::Null, |d| Value::String(format_date(d)))
- } else {
- self.get_archived_at(user_uuid, conn).await.map_or(Value::Null, |d| Value::String(format_date(&d)))
- });
// These values are true by default, but can be false if the
// cipher belongs to a collection or group where the org owner has enabled
// the "Read Only" or "Hide Passwords" restrictions for the user.
@@ -403,7 +398,7 @@ impl Cipher {
3 => "card",
4 => "identity",
5 => "sshKey",
- _ => err!(format!("Cipher {} has an invalid type {}", self.uuid, self.atype)),
+ _ => panic!("Wrong type"),
};
json_object[key] = type_data_json;
@@ -747,18 +742,6 @@ impl Cipher {
}
}
- pub async fn get_archived_at(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
- Archive::get_archived_at(&self.uuid, user_uuid, conn).await
- }
-
- pub async fn set_archived_at(&self, archived_at: NaiveDateTime, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
- Archive::save(user_uuid, &self.uuid, archived_at, conn).await
- }
-
- pub async fn unarchive(&self, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
- Archive::delete_by_cipher(user_uuid, &self.uuid, conn).await
- }
-
pub async fn get_folder_uuid(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
db_run! { conn: {
folders_ciphers::table
diff --git a/src/db/models/device.rs b/src/db/models/device.rs
index 7364a2ec..1026574c 100644
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -25,7 +25,7 @@ pub struct Device {
pub user_uuid: UserId,
pub name: String,
- pub atype: i32, // https://github.com/bitwarden/server/blob/8d547dcc280babab70dd4a3c94ced6a34b12dfbf/src/Core/Enums/DeviceType.cs
+ pub atype: i32, // https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/Enums/DeviceType.cs
pub push_uuid: Option,
pub push_token: Option,
@@ -332,8 +332,6 @@ pub enum DeviceType {
MacOsCLI = 24,
#[display("Linux CLI")]
LinuxCLI = 25,
- #[display("DuckDuckGo")]
- DuckDuckGoBrowser = 26,
}
impl DeviceType {
@@ -365,7 +363,6 @@ impl DeviceType {
23 => DeviceType::WindowsCLI,
24 => DeviceType::MacOsCLI,
25 => DeviceType::LinuxCLI,
- 26 => DeviceType::DuckDuckGoBrowser,
_ => DeviceType::UnknownBrowser,
}
}
diff --git a/src/db/models/emergency_access.rs b/src/db/models/emergency_access.rs
index 5ea334a4..cf7f5385 100644
--- a/src/db/models/emergency_access.rs
+++ b/src/db/models/emergency_access.rs
@@ -85,8 +85,7 @@ impl EmergencyAccess {
pub async fn to_json_grantee_details(&self, conn: &DbConn) -> Option {
let grantee_user = if let Some(grantee_uuid) = &self.grantee_uuid {
User::find_by_uuid(grantee_uuid, conn).await.expect("Grantee user not found.")
- } else {
- let email = self.email.as_deref()?;
+ } else if let Some(email) = self.email.as_deref() {
match User::find_by_mail(email, conn).await {
Some(user) => user,
None => {
@@ -95,6 +94,8 @@ impl EmergencyAccess {
return None;
}
}
+ } else {
+ return None;
};
Some(json!({
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index 2d31259c..b4fcf658 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -1,4 +1,3 @@
-mod archive;
mod attachment;
mod auth_request;
mod cipher;
@@ -18,7 +17,6 @@ mod two_factor_duo_context;
mod two_factor_incomplete;
mod user;
-pub use self::archive::Archive;
pub use self::attachment::{Attachment, AttachmentId};
pub use self::auth_request::{AuthRequest, AuthRequestId};
pub use self::cipher::{Cipher, CipherId, RepromptType};
diff --git a/src/db/models/sso_auth.rs b/src/db/models/sso_auth.rs
index 2c6eec6d..fec0433a 100644
--- a/src/db/models/sso_auth.rs
+++ b/src/db/models/sso_auth.rs
@@ -54,18 +54,11 @@ pub struct SsoAuth {
pub auth_response: Option,
pub created_at: NaiveDateTime,
pub updated_at: NaiveDateTime,
- pub binding_hash: Option,
}
/// Local methods
impl SsoAuth {
- pub fn new(
- state: OIDCState,
- client_challenge: OIDCCodeChallenge,
- nonce: String,
- redirect_uri: String,
- binding_hash: Option,
- ) -> Self {
+ pub fn new(state: OIDCState, client_challenge: OIDCCodeChallenge, nonce: String, redirect_uri: String) -> Self {
let now = Utc::now().naive_utc();
SsoAuth {
@@ -77,7 +70,6 @@ impl SsoAuth {
updated_at: now,
code_response: None,
auth_response: None,
- binding_hash,
}
}
}
diff --git a/src/db/schema.rs b/src/db/schema.rs
index bf79ceac..914b4fe9 100644
--- a/src/db/schema.rs
+++ b/src/db/schema.rs
@@ -265,7 +265,6 @@ table! {
auth_response -> Nullable,
created_at -> Timestamp,
updated_at -> Timestamp,
- binding_hash -> Nullable,
}
}
@@ -342,16 +341,6 @@ table! {
}
}
-table! {
- archives (user_uuid, cipher_uuid) {
- user_uuid -> Text,
- cipher_uuid -> Text,
- archived_at -> Timestamp,
- }
-}
-
-joinable!(archives -> users (user_uuid));
-joinable!(archives -> ciphers (cipher_uuid));
joinable!(attachments -> ciphers (cipher_uuid));
joinable!(ciphers -> organizations (organization_uuid));
joinable!(ciphers -> users (user_uuid));
@@ -383,7 +372,6 @@ joinable!(auth_requests -> users (user_uuid));
joinable!(sso_users -> users (user_uuid));
allow_tables_to_appear_in_same_query!(
- archives,
attachments,
ciphers,
ciphers_collections,
diff --git a/src/http_client.rs b/src/http_client.rs
index d39b884d..5462ef8e 100644
--- a/src/http_client.rs
+++ b/src/http_client.rs
@@ -1,11 +1,12 @@
use std::{
fmt,
net::{IpAddr, SocketAddr},
+ str::FromStr,
sync::{Arc, LazyLock, Mutex},
time::Duration,
};
-use hickory_resolver::{net::runtime::TokioRuntimeProvider, TokioResolver};
+use hickory_resolver::{name_server::TokioConnectionProvider, TokioResolver};
use regex::Regex;
use reqwest::{
dns::{Name, Resolve, Resolving},
@@ -58,6 +59,16 @@ pub fn get_reqwest_client_builder() -> ClientBuilder {
.timeout(Duration::from_secs(10))
}
+pub fn should_block_address(domain_or_ip: &str) -> bool {
+ if let Ok(ip) = IpAddr::from_str(domain_or_ip) {
+ if should_block_ip(ip) {
+ return true;
+ }
+ }
+
+ should_block_address_regex(domain_or_ip)
+}
+
fn should_block_ip(ip: IpAddr) -> bool {
if !CONFIG.http_request_block_non_global_ips() {
return false;
@@ -89,54 +100,11 @@ fn should_block_address_regex(domain_or_ip: &str) -> bool {
is_match
}
-pub fn get_valid_host(host: &str) -> Result {
- let Ok(host) = Host::parse(host) else {
- return Err(CustomHttpClientError::Invalid {
- domain: host.to_string(),
- });
- };
-
- // Some extra checks to validate hosts
- match host {
- Host::Domain(ref domain) => {
- // Host::parse() does not verify length or all possible invalid characters
- // We do some extra checks here to prevent issues
- if domain.len() > 253 {
- debug!("Domain validation error: '{domain}' exceeds 253 characters");
- return Err(CustomHttpClientError::Invalid {
- domain: host.to_string(),
- });
- }
- if !domain.split('.').all(|label| {
- !label.is_empty()
- // Labels can't be longer than 63 chars
- && label.len() <= 63
- // Labels are not allowed to start or end with a hyphen `-`
- && !label.starts_with('-')
- && !label.ends_with('-')
- // Only ASCII Alphanumeric characters are allowed
- // We already received a punycoded domain back, so no unicode should exists here
- && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
- }) {
- debug!(
- "Domain validation error: '{domain}' labels contain invalid characters or exceed the maximum length"
- );
- return Err(CustomHttpClientError::Invalid {
- domain: host.to_string(),
- });
- }
- }
- Host::Ipv4(_) | Host::Ipv6(_) => {}
- }
-
- Ok(host)
-}
-
-pub fn should_block_host>(host: &Host) -> Result<(), CustomHttpClientError> {
+fn should_block_host(host: &Host<&str>) -> Result<(), CustomHttpClientError> {
let (ip, host_str): (Option, String) = match host {
Host::Ipv4(ip) => (Some(IpAddr::V4(*ip)), ip.to_string()),
Host::Ipv6(ip) => (Some(IpAddr::V6(*ip)), ip.to_string()),
- Host::Domain(d) => (None, d.as_ref().to_string()),
+ Host::Domain(d) => (None, (*d).to_string()),
};
if let Some(ip) = ip {
@@ -166,9 +134,6 @@ pub enum CustomHttpClientError {
domain: Option,
ip: IpAddr,
},
- Invalid {
- domain: String,
- },
}
impl CustomHttpClientError {
@@ -190,7 +155,7 @@ impl fmt::Display for CustomHttpClientError {
match self {
Self::Blocked {
domain,
- } => write!(f, "Blocked domain: '{domain}' matched HTTP_REQUEST_BLOCK_REGEX"),
+ } => write!(f, "Blocked domain: {domain} matched HTTP_REQUEST_BLOCK_REGEX"),
Self::NonGlobalIp {
domain: Some(domain),
ip,
@@ -198,10 +163,7 @@ impl fmt::Display for CustomHttpClientError {
Self::NonGlobalIp {
domain: None,
ip,
- } => write!(f, "IP '{ip}' is not a global IP!"),
- Self::Invalid {
- domain,
- } => write!(f, "Invalid host: '{domain}' contains invalid characters or exceeds the maximum length"),
+ } => write!(f, "IP {ip} is not a global IP!"),
}
}
}
@@ -222,46 +184,40 @@ impl CustomDnsResolver {
}
fn new() -> Arc {
- TokioResolver::builder(TokioRuntimeProvider::default())
- .and_then(|mut builder| {
- // Hickory's default since v0.26 is `Ipv6AndIpv4`, which sorts IPv6 first
- // This might cause issues on IPv4 only systems or containers
- // Unless someone enabled DNS_PREFER_IPV6, use Ipv4AndIpv6, which returns IPv4 first which was our previous default
- if !CONFIG.dns_prefer_ipv6() {
- builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv4AndIpv6;
+ match TokioResolver::builder(TokioConnectionProvider::default()) {
+ Ok(mut builder) => {
+ if CONFIG.dns_prefer_ipv6() {
+ builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv6thenIpv4;
}
- builder.build()
- })
- .inspect_err(|e| warn!("Error creating Hickory resolver, falling back to default: {e:?}"))
- .map(|resolver| Arc::new(Self::Hickory(Arc::new(resolver))))
- .unwrap_or_else(|_| Arc::new(Self::Default()))
+ let resolver = builder.build();
+ Arc::new(Self::Hickory(Arc::new(resolver)))
+ }
+ Err(e) => {
+ warn!("Error creating Hickory resolver, falling back to default: {e:?}");
+ Arc::new(Self::Default())
+ }
+ }
}
// Note that we get an iterator of addresses, but we only grab the first one for convenience
- async fn resolve_domain(&self, name: &str) -> Result, BoxError> {
+ async fn resolve_domain(&self, name: &str) -> Result, BoxError> {
pre_resolve(name)?;
- let results: Vec = match self {
- Self::Default() => tokio::net::lookup_host((name, 0)).await?.collect(),
- Self::Hickory(r) => r.lookup_ip(name).await?.iter().map(|i| SocketAddr::new(i, 0)).collect(),
+ let result = match self {
+ Self::Default() => tokio::net::lookup_host(name).await?.next(),
+ Self::Hickory(r) => r.lookup_ip(name).await?.iter().next().map(|a| SocketAddr::new(a, 0)),
};
- for addr in &results {
+ if let Some(addr) = &result {
post_resolve(name, addr.ip())?;
}
- Ok(results)
+ Ok(result)
}
}
fn pre_resolve(name: &str) -> Result<(), CustomHttpClientError> {
- let Ok(host) = get_valid_host(name) else {
- return Err(CustomHttpClientError::Invalid {
- domain: name.to_string(),
- });
- };
-
- if should_block_host(&host).is_err() {
+ if should_block_address(name) {
return Err(CustomHttpClientError::Blocked {
domain: name.to_string(),
});
@@ -286,11 +242,8 @@ impl Resolve for CustomDnsResolver {
let this = self.clone();
Box::pin(async move {
let name = name.as_str();
- let results = this.resolve_domain(name).await?;
- if results.is_empty() {
- warn!("Unable to resolve {name} to any valid IP address");
- }
- Ok::(Box::new(results.into_iter()))
+ let result = this.resolve_domain(name).await?;
+ Ok::(Box::new(result.into_iter()))
})
}
}
@@ -352,209 +305,3 @@ pub(crate) mod aws {
}
}
}
-
-#[cfg(test)]
-mod tests {
- use super::*;
- use crate::util::is_global_hardcoded;
- use std::net::Ipv4Addr;
- use url::Host;
-
- // ===
- // IPv4 numeric-format normalization
- fn parse_to_ip(s: &str) -> Option {
- match Host::parse(s).ok()? {
- Host::Ipv4(v4) => Some(IpAddr::V4(v4)),
- Host::Ipv6(v6) => Some(IpAddr::V6(v6)),
- Host::Domain(_) => None,
- }
- }
-
- #[test]
- fn dotted_decimal_loopback_normalizes() {
- let ip = parse_to_ip("127.0.0.1").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn single_decimal_loopback_normalizes() {
- // 127.0.0.1 == 2130706433
- let ip = parse_to_ip("2130706433").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn hex_loopback_normalizes() {
- let ip = parse_to_ip("0x7f000001").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn dotted_hex_loopback_normalizes() {
- let ip = parse_to_ip("0x7f.0.0.1").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn octal_loopback_normalizes() {
- // 017700000001 == 127.0.0.1
- let ip = parse_to_ip("017700000001").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn dotted_octal_loopback_normalizes() {
- let ip = parse_to_ip("0177.0.0.01").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn aws_metadata_decimal_blocked() {
- // 169.254.169.254 == 2852039166 (link-local, AWS IMDS)
- let ip = parse_to_ip("2852039166").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(169, 254, 169, 254)));
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn rfc1918_hex_blocked() {
- // 10.0.0.1
- let ip = parse_to_ip("0x0a000001").unwrap();
- assert!(!is_global_hardcoded(ip));
- }
-
- #[test]
- fn public_ip_decimal_allowed() {
- // 8.8.8.8 == 134744072
- let ip = parse_to_ip("134744072").unwrap();
- assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(8, 8, 8, 8)));
- assert!(is_global_hardcoded(ip));
- }
-
- // ===
- // get_valid_host integration: numeric forms become Host::Ipv4
- #[test]
- fn get_valid_host_normalizes_decimal_int() {
- let h = get_valid_host("2130706433").expect("valid");
- assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
- }
-
- #[test]
- fn get_valid_host_normalizes_hex() {
- let h = get_valid_host("0x7f000001").expect("valid");
- assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
- }
-
- #[test]
- fn get_valid_host_normalizes_octal() {
- let h = get_valid_host("017700000001").expect("valid");
- assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
- }
-
- // ===
- // IPv6 formats
- #[test]
- fn ipv6_loopback_blocked() {
- let h = get_valid_host("[::1]").expect("valid");
- let Host::Ipv6(ip) = h else {
- panic!("expected v6")
- };
- assert!(!is_global_hardcoded(IpAddr::V6(ip)));
- }
-
- #[test]
- fn ipv4_mapped_in_ipv6_loopback_blocked() {
- // ::ffff:127.0.0.1 — v4-mapped form; is_global_hardcoded blocks via ::ffff:0:0/96
- let h = get_valid_host("[::ffff:127.0.0.1]").expect("valid");
- let Host::Ipv6(ip) = h else {
- panic!("expected v6")
- };
- assert!(!is_global_hardcoded(IpAddr::V6(ip)));
- }
-
- #[test]
- fn ipv6_unique_local_blocked() {
- let h = get_valid_host("[fc00::1]").expect("valid");
- let Host::Ipv6(ip) = h else {
- panic!("expected v6")
- };
- assert!(!is_global_hardcoded(IpAddr::V6(ip)));
- }
-
- // ===
- // Punycode / IDN
- #[test]
- fn punycode_passthrough() {
- let h = get_valid_host("xn--deadbeafcaf-lbb.test").expect("valid");
- match h {
- Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_unicode_gets_punycoded() {
- let h = get_valid_host("deadbeafcafé.test").expect("valid");
- match h {
- Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_unicode_gets_punycoded_tld() {
- let h = get_valid_host("deadbeaf.café").expect("valid");
- match h {
- Host::Domain(d) => assert_eq!(d, "deadbeaf.xn--caf-dma"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_emoji_gets_punycoded() {
- let h = get_valid_host("xn--t88h.test").expect("valid"); // 🛡️.test
- match h {
- Host::Domain(d) => assert_eq!(d, "xn--t88h.test"),
- _ => panic!("expected domain"),
- }
- }
-
- #[test]
- fn idn_unicode_to_punycode_roundtrip() {
- let from_unicode = get_valid_host("🛡️.test").expect("valid");
- let from_puny = get_valid_host("xn--t88h.test").expect("valid");
- match (from_unicode, from_puny) {
- (Host::Domain(a), Host::Domain(b)) => assert_eq!(a, b),
- _ => panic!("expected domains"),
- }
- }
-
- #[test]
- fn invalid_punycode_rejected() {
- // bare invalid punycode
- assert!(get_valid_host("xn--").is_err());
- }
-
- #[test]
- fn underscore_in_label_rejected() {
- assert!(get_valid_host("dead_beaf.cafe").is_err());
- }
-
- #[test]
- fn label_too_long_rejected() {
- let label = "a".repeat(64);
- assert!(get_valid_host(&format!("{label}.test")).is_err());
- }
-
- #[test]
- fn domain_too_long_rejected() {
- let big = "a.".repeat(130) + "test"; // > 253
- assert!(get_valid_host(&big).is_err());
- }
-}
diff --git a/src/sso.rs b/src/sso.rs
index 7505f84f..ee6d707a 100644
--- a/src/sso.rs
+++ b/src/sso.rs
@@ -17,7 +17,7 @@ use crate::{
CONFIG,
};
-pub static FAKE_SSO_IDENTIFIER: &str = "00000000-01DC-01DC-01DC-000000000000";
+pub static FAKE_IDENTIFIER: &str = "VW_DUMMY_IDENTIFIER_FOR_OIDC";
static SSO_JWT_ISSUER: LazyLock = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));
@@ -188,7 +188,6 @@ pub async fn authorize_url(
client_challenge: OIDCCodeChallenge,
client_id: &str,
raw_redirect_uri: &str,
- binding_hash: Option,
conn: DbConn,
) -> ApiResult {
let redirect_uri = match client_id {
@@ -204,7 +203,7 @@ pub async fn authorize_url(
_ => err!(format!("Unsupported client {client_id}")),
};
- let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri, binding_hash).await?;
+ let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri).await?;
sso_auth.save(&conn).await?;
Ok(auth_url)
}
@@ -284,7 +283,7 @@ pub async fn exchange_code(
let email_verified = id_claims.email_verified().or(user_info.email_verified());
- let user_name = id_claims.preferred_username().or(user_info.preferred_username()).map(|un| un.to_string());
+ let user_name = id_claims.preferred_username().map(|un| un.to_string());
let refresh_token = token_response.refresh_token().map(|t| t.secret());
if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_string()) {
diff --git a/src/sso_client.rs b/src/sso_client.rs
index abff6bcb..6204ab48 100644
--- a/src/sso_client.rs
+++ b/src/sso_client.rs
@@ -117,7 +117,6 @@ impl Client {
state: OIDCState,
client_challenge: OIDCCodeChallenge,
redirect_uri: String,
- binding_hash: Option,
) -> ApiResult<(Url, SsoAuth)> {
let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());
@@ -140,7 +139,7 @@ impl Client {
}
let (auth_url, _, nonce) = auth_req.url();
- Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri, binding_hash)))
+ Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri)))
}
pub async fn exchange_code(
diff --git a/src/static/scripts/admin.css b/src/static/scripts/admin.css
index c7c6f443..0df56771 100644
--- a/src/static/scripts/admin.css
+++ b/src/static/scripts/admin.css
@@ -1,17 +1,6 @@
body {
padding-top: 75px;
}
-/* Some extra width's for the main layout */
-@media (min-width: 1600px) {
- .container-xxl {
- max-width: 1520px;
- }
-}
-@media (min-width: 1800px) {
- .container-xxl {
- max-width: 1720px;
- }
-}
img {
width: 48px;
height: 48px;
@@ -49,8 +38,8 @@ img {
max-width: 130px;
}
#users-table .vw-actions, #orgs-table .vw-actions {
- min-width: 170px;
- max-width: 180px;
+ min-width: 155px;
+ max-width: 160px;
}
#users-table .vw-org-cell {
max-height: 120px;
diff --git a/src/static/templates/admin/base.hbs b/src/static/templates/admin/base.hbs
index e1dcacb5..f56d8262 100644
--- a/src/static/templates/admin/base.hbs
+++ b/src/static/templates/admin/base.hbs
@@ -27,7 +27,7 @@