topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Remove config option for admin email, embdedded admin page, managed IO::Error, and added security and cache headers globally

pull/321/head
Daniel García 7 years ago
parent
301919d9d4
commit
acb9d1b3c6
No known key found for this signature in database GPG Key ID: FC8A7D14C3CD543A
5 changed files with 93 additions and 51 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 64
      src/api/web.rs
  2. 2
      src/db/models/attachment.rs
  3. 2
      src/error.rs
  4. 3
      src/main.rs
  5. 51
      src/util.rs

64
src/api/web.rs
View File

@ -1,10 +1,10 @@
use std::io; use std::io;
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
use rocket::http::ContentType;
use rocket::request::Request; use rocket::request::Request;
use rocket::response::content::{Content, Html};
use rocket::response::{self, NamedFile, Responder}; use rocket::response::{self, NamedFile, Responder};
use rocket::response::content::Content;
use rocket::http::{ContentType, Status};
use rocket::Route; use rocket::Route;
use rocket_contrib::json::Json; use rocket_contrib::json::Json;
use serde_json::Value; use serde_json::Value;
@ -19,17 +19,18 @@ pub fn routes() -> Vec<Route> {
} }
} }
// TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache
#[get("/")] #[get("/")]
fn web_index() -> WebHeaders<io::Result<NamedFile>> { fn web_index() -> Cached<io::Result<NamedFile>> {
web_files("index.html".into()) Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join("index.html")))
} }
#[get("/app-id.json")] #[get("/app-id.json")]
fn app_id() -> WebHeaders<Content<Json<Value>>> { fn app_id() -> Cached<Content<Json<Value>>> {
let content_type = ContentType::new("application", "fido.trusted-apps+json"); let content_type = ContentType::new("application", "fido.trusted-apps+json");
WebHeaders(Content(content_type, Json(json!({ Cached::long(Content(
content_type,
Json(json!({
"trustedFacets": [ "trustedFacets": [
{ {
"version": { "major": 1, "minor": 0 }, "version": { "major": 1, "minor": 0 },
@ -38,37 +39,51 @@ fn app_id() -> WebHeaders<Content<Json<Value>>> {
"ios:bundle-id:com.8bit.bitwarden", "ios:bundle-id:com.8bit.bitwarden",
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ] "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
}] }]
})))) })),
))
} }
const ADMIN_PAGE: &'static str = include_str!("../static/admin.html");
#[get("/admin")]
fn admin_page() -> Cached<Html<&'static str>> {
Cached::short(Html(ADMIN_PAGE))
}
/* // Use this during Admin page development
#[get("/admin")] #[get("/admin")]
fn admin_page() -> WebHeaders<io::Result<NamedFile>> { fn admin_page() -> Cached<io::Result<NamedFile>> {
WebHeaders(NamedFile::open("src/static/admin.html")) // TODO: Change this to embed the page in the binary Cached::short(NamedFile::open("src/static/admin.html"))
} }
*/
#[get("/<p..>", rank = 1)] // Only match this if the other routes don't match #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> { fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> {
WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
} }
struct WebHeaders<R>(R); struct Cached<R>(R, &'static str);
impl<R> Cached<R> {
fn long(r: R) -> Cached<R> {
// 7 days
Cached(r, "public, max-age=604800".into())
}
impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> { fn short(r: R) -> Cached<R> {
// 10 minutes
Cached(r, "public, max-age=600".into())
}
}
impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> {
fn respond_to(self, req: &Request) -> response::Result<'r> { fn respond_to(self, req: &Request) -> response::Result<'r> {
match self.0.respond_to(req) { match self.0.respond_to(req) {
Ok(mut res) => { Ok(mut res) => {
res.set_raw_header("Referrer-Policy", "same-origin"); res.set_raw_header("Cache-Control", self.1);
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
res.set_raw_header("X-Content-Type-Options", "nosniff");
res.set_raw_header("X-XSS-Protection", "1; mode=block");
let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
res.set_raw_header("Content-Security-Policy", csp);
Ok(res) Ok(res)
},
Err(_) => {
Err(Status::NotFound)
} }
e @ Err(_) => e,
} }
} }
} }
@ -78,7 +93,6 @@ fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)) NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
} }
#[get("/alive")] #[get("/alive")]
fn alive() -> Json<String> { fn alive() -> Json<String> {
use crate::util::format_date; use crate::util::format_date;

2
src/db/models/attachment.rs
View File

@ -74,7 +74,7 @@ impl Attachment {
) )
.map_res("Error deleting attachment")?; .map_res("Error deleting attachment")?;
crate::util::delete_file(&self.get_file_path()); crate::util::delete_file(&self.get_file_path())?;
Ok(()) Ok(())
} }

2
src/error.rs
View File

@ -47,6 +47,7 @@ use diesel::result::Error as DieselError;
use jsonwebtoken::errors::Error as JwtError; use jsonwebtoken::errors::Error as JwtError;
use serde_json::{Error as SerError, Value}; use serde_json::{Error as SerError, Value};
use u2f::u2ferror::U2fError as U2fErr; use u2f::u2ferror::U2fError as U2fErr;
use std::io::Error as IOError;
// Error struct // Error struct
// Each variant has two elements, the first is an error of different types, used for logging purposes // Each variant has two elements, the first is an error of different types, used for logging purposes
@ -64,6 +65,7 @@ make_error! {
U2fError(U2fErr, _): true, _api_error, U2fError(U2fErr, _): true, _api_error,
SerdeError(SerError, _): true, _api_error, SerdeError(SerError, _): true, _api_error,
JWTError(JwtError, _): true, _api_error, JWTError(JwtError, _): true, _api_error,
IoErrror(IOError, _): true, _api_error,
//WsError(ws::Error, _): true, _api_error, //WsError(ws::Error, _): true, _api_error,
} }

3
src/main.rs
View File

@ -32,6 +32,7 @@ fn init_rocket() -> Rocket {
.mount("/notifications", api::notifications_routes()) .mount("/notifications", api::notifications_routes())
.manage(db::init_pool()) .manage(db::init_pool())
.manage(api::start_notification_server()) .manage(api::start_notification_server())
.attach(util::AppHeaders())
} }
// Embed the migrations from the migrations folder into the application // Embed the migrations from the migrations folder into the application
@ -272,7 +273,6 @@ pub struct Config {
signups_allowed: bool, signups_allowed: bool,
invitations_allowed: bool, invitations_allowed: bool,
admin_token: Option<String>, admin_token: Option<String>,
server_admin_email: Option<String>,
password_iterations: i32, password_iterations: i32,
show_password_hint: bool, show_password_hint: bool,
@ -326,7 +326,6 @@ impl Config {
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false), local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
admin_token: get_env("ADMIN_TOKEN"), admin_token: get_env("ADMIN_TOKEN"),
server_admin_email:None, // TODO: Delete this
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),

51
src/util.rs
View File

@ -1,29 +1,57 @@
/// ///
/// File handling /// Web Headers
/// ///
use rocket::fairing::{Fairing, Info, Kind};
use rocket::{Request, Response};
use std::path::Path; pub struct AppHeaders ();
use std::io::Read;
impl Fairing for AppHeaders {
fn info(&self) -> Info {
Info {
name: "Application Headers",
kind: Kind::Response,
}
}
fn on_response(&self, _req: &Request, res: &mut Response) {
res.set_raw_header("Referrer-Policy", "same-origin");
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
res.set_raw_header("X-Content-Type-Options", "nosniff");
res.set_raw_header("X-XSS-Protection", "1; mode=block");
let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
res.set_raw_header("Content-Security-Policy", csp);
// Disable cache unless otherwise specified
if !res.headers().contains("cache-control") {
res.set_raw_header("Cache-Control", "no-cache, no-store, max-age=0");
}
}
}
///
/// File handling
///
use std::fs::{self, File}; use std::fs::{self, File};
use std::io::{Read, Result as IOResult};
use std::path::Path;
pub fn file_exists(path: &str) -> bool { pub fn file_exists(path: &str) -> bool {
Path::new(path).exists() Path::new(path).exists()
} }
pub fn read_file(path: &str) -> Result<Vec<u8>, String> { pub fn read_file(path: &str) -> IOResult<Vec<u8>> {
let mut file = File::open(Path::new(path))
.map_err(|e| format!("Error opening file: {}", e))?;
let mut contents: Vec<u8> = Vec::new(); let mut contents: Vec<u8> = Vec::new();
file.read_to_end(&mut contents) let mut file = File::open(Path::new(path))?;
.map_err(|e| format!("Error reading file: {}", e))?; file.read_to_end(&mut contents)?;
Ok(contents) Ok(contents)
} }
pub fn delete_file(path: &str) -> bool { pub fn delete_file(path: &str) -> IOResult<()> {
let res = fs::remove_file(path).is_ok(); let res = fs::remove_file(path);
if let Some(parent) = Path::new(path).parent() { if let Some(parent) = Path::new(path).parent() {
// If the directory isn't empty, this returns an error, which we ignore // If the directory isn't empty, this returns an error, which we ignore
@ -34,7 +62,6 @@ pub fn delete_file(path: &str) -> bool {
res res
} }
const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"]; const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];
pub fn get_display_size(size: i32) -> String { pub fn get_display_size(size: i32) -> String {

Write Preview
Loading…
Cancel
Save