bitwarden-server/util/Setup/NginxConfigBuilder.cs

namespace Bit.Setup;

public class NginxConfigBuilder
{
    private const string ConfFile = "/bitwarden/nginx/default.conf";

    private const string DefaultContentSecurityPolicy = "default-src 'self'; " +
        "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
        "img-src 'self' data: https://haveibeenpwned.com; " +
        "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
        "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
        "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
        "https://api.2fa.directory; object-src 'self' blob:;";

    private readonly Context _context;

    public NginxConfigBuilder(Context context)
    {
        _context = context;
    }

    public void BuildForInstaller()
    {
        var model = new TemplateModel(_context);
        if (model.Ssl && !_context.Config.SslManagedLetsEncrypt)
        {
            var sslPath = _context.Install.SelfSignedCert ?
                $"/etc/ssl/self/{model.Domain}" : $"/etc/ssl/{model.Domain}";
            _context.Config.SslCertificatePath = model.CertificatePath =
                string.Concat(sslPath, "/", "certificate.crt");
            _context.Config.SslKeyPath = model.KeyPath =
                string.Concat(sslPath, "/", "private.key");
            if (_context.Install.Trusted)
            {
                _context.Config.SslCaPath = model.CaPath =
                    string.Concat(sslPath, "/", "ca.crt");
            }
            if (_context.Install.DiffieHellman)
            {
                _context.Config.SslDiffieHellmanPath = model.DiffieHellmanPath =
                    string.Concat(sslPath, "/", "dhparam.pem");
            }
        }
        Build(model);
    }

    public void BuildForUpdater()
    {
        var model = new TemplateModel(_context);
        Build(model);
    }

    private void Build(TemplateModel model)
    {
        Directory.CreateDirectory("/bitwarden/nginx/");
        Helpers.WriteLine(_context, "Building nginx config.");
        if (!_context.Config.GenerateNginxConfig)
        {
            Helpers.WriteLine(_context, "...skipped");
            return;
        }

        var template = Helpers.ReadTemplate("NginxConfig");
        using (var sw = File.CreateText(ConfFile))
        {
            sw.WriteLine(template(model));
        }
    }

    public class TemplateModel
    {
        public TemplateModel() { }

        public TemplateModel(Context context)
        {
            Captcha = context.Config.Captcha;
            Ssl = context.Config.Ssl;
            EnableKeyConnector = context.Config.EnableKeyConnector;
            EnableScim = context.Config.EnableScim;
            Domain = context.Config.Domain;
            Url = context.Config.Url;
            RealIps = context.Config.RealIps;
            var csp = DefaultContentSecurityPolicy;
            if (!string.IsNullOrWhiteSpace(context.Config.NginxHeaderContentSecurityPolicy))
            {
                csp = context.Config.NginxHeaderContentSecurityPolicy;
            }
            ContentSecurityPolicy = string.Format(csp, Domain);

            if (Ssl)
            {
                if (context.Config.SslManagedLetsEncrypt)
                {
                    var sslPath = $"/etc/letsencrypt/live/{Domain}";
                    CertificatePath = CaPath = string.Concat(sslPath, "/", "fullchain.pem");
                    KeyPath = string.Concat(sslPath, "/", "privkey.pem");
                    DiffieHellmanPath = string.Concat(sslPath, "/", "dhparam.pem");
                }
                else
                {
                    CertificatePath = context.Config.SslCertificatePath;
                    KeyPath = context.Config.SslKeyPath;
                    CaPath = context.Config.SslCaPath;
                    DiffieHellmanPath = context.Config.SslDiffieHellmanPath;
                }
            }

            if (!string.IsNullOrWhiteSpace(context.Config.SslCiphersuites))
            {
                SslCiphers = context.Config.SslCiphersuites;
            }
            else
            {
                SslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" +
                    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:" +
                    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" +
                    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
            }

            if (!string.IsNullOrWhiteSpace(context.Config.SslVersions))
            {
                SslProtocols = context.Config.SslVersions;
            }
            else
            {
                SslProtocols = "TLSv1.2";
            }
        }

        public bool Captcha { get; set; }
        public bool Ssl { get; set; }
        public bool EnableKeyConnector { get; set; }
        public bool EnableScim { get; set; }
        public string Domain { get; set; }
        public string Url { get; set; }
        public string CertificatePath { get; set; }
        public string KeyPath { get; set; }
        public string CaPath { get; set; }
        public string DiffieHellmanPath { get; set; }
        public string SslCiphers { get; set; }
        public string SslProtocols { get; set; }
        public string ContentSecurityPolicy { get; set; }
        public List<string> RealIps { get; set; }
    }
}
-												Turn On `ImplicitUsings` (#2079)

* Turn on ImplicitUsings

* Fix formatting

* Run linter
											
										
										
											2022-06-30 01:46:41 +02:00
+								namespace Bit.Setup;
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								public class NginxConfigBuilder
 								{
-												move cert questions up

											
										
										
											2018-03-29 19:43:52 +02:00
+								    private const string ConfFile = "/bitwarden/nginx/default.conf";
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
-												[PS-2416 and PS-2417] dont set CSP config value by default (#2667)

* dont set CSP config value by default

* space
											
										
										
											2023-02-03 20:50:33 +01:00
+								    private const string DefaultContentSecurityPolicy = "default-src 'self'; " +
 								        "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
 								        "img-src 'self' data: https://haveibeenpwned.com; " +
 								        "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
 								        "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
 								        "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
 								        "https://api.2fa.directory; object-src 'self' blob:;";
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								    private readonly Context _context;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								    public NginxConfigBuilder(Context context)
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								    {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        _context = context;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								    }
 								    public void BuildForInstaller()
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								    {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        var model = new TemplateModel(_context);
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 19:36:37 +01:00
+								        if (model.Ssl && !_context.Config.SslManagedLetsEncrypt)
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								            var sslPath = _context.Install.SelfSignedCert ?
 								                $"/etc/ssl/self/{model.Domain}" : $"/etc/ssl/{model.Domain}";
 								            _context.Config.SslCertificatePath = model.CertificatePath =
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 19:36:37 +01:00
+								                string.Concat(sslPath, "/", "certificate.crt");
 								            _context.Config.SslKeyPath = model.KeyPath =
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								                string.Concat(sslPath, "/", "private.key");
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 19:36:37 +01:00
+								            if (_context.Install.Trusted)
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								            {
 								                _context.Config.SslCaPath = model.CaPath =
 								                    string.Concat(sslPath, "/", "ca.crt");
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 21:53:48 +02:00
+								            }
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 19:36:37 +01:00
+								            if (_context.Install.DiffieHellman)
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 21:53:48 +02:00
+								            {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								                _context.Config.SslDiffieHellmanPath = model.DiffieHellmanPath =
 								                    string.Concat(sslPath, "/", "dhparam.pem");
 								            }
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        }
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        Build(model);
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								    }
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								    public void BuildForUpdater()
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								    {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        var model = new TemplateModel(_context);
 								        Build(model);
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								    }
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
 								    private void Build(TemplateModel model)
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								    {
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        Directory.CreateDirectory("/bitwarden/nginx/");
 								        Helpers.WriteLine(_context, "Building nginx config.");
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 19:36:37 +01:00
+								        if (!_context.Config.GenerateNginxConfig)
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								            Helpers.WriteLine(_context, "...skipped");
 								            return;
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        }
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        var template = Helpers.ReadTemplate("NginxConfig");
 								        using (var sw = File.CreateText(ConfFile))
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								            sw.WriteLine(template(model));
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 21:53:48 +02:00
+								        }
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								    }
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								    public class TemplateModel
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								    {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        public TemplateModel() { }
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        public TemplateModel(Context context)
 								        {
-												Make nginx Content-Security-Policy configurable (#1048)

* Adding the nginx head Content-Security-Policy to the Configuration file

* fixing whitespace formatting

* adding a '+' that got removed
											
										
										
											2020-12-18 16:58:35 +01:00
+								            Captcha = context.Config.Captcha;
 								            Ssl = context.Config.Ssl;
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								            EnableKeyConnector = context.Config.EnableKeyConnector;
-												[EC-261] SCIM (#2105)

* scim project stub

* some scim models and v2 controllers

* implement some v2 scim endpoints

* fix spacing

* api key auth

* EC-261 - SCIM Org API Key and connection type config

* EC-261 - Fix lint errors/formatting

* updates for okta implementation testing

* fix var ref

* updates from testing with Okta

* implement scim context via provider parsing

* support single and list of ids for add/remove groups

* log ops not handled

* touch up scim context

* group list filtering

* EC-261 - Additional SCIM provider types

* EC-265 - UseScim flag and license update

* EC-265 - SCIM provider type of default (0)

* EC-265 - Add Scim URL and update connection validation

* EC-265 - Model validation and cleanup for SCIM keys

* implement scim org connection

* EC-265 - Ensure ServiceUrl is not persisted to DB

* EC-265 - Exclude provider type from DB if not configured

* EC-261 - EF Migrations for SCIM

* add docker builds for scim

* EC-261 - Fix failing permissions tests

* EC-261 - Fix unit tests and pgsql migrations

* Formatting fixes from linter

* EC-265 - Remove service URL from scim config

* EC-265 - Fix unit tests, removed wayward validation

* EC-265 - Require self-hosted for billing sync org conn

* EC-265 - Fix formatting issues - whitespace

* EC-261 - PR feedback and cleanup

* scim constants rename

* no scim settings right now

* update project name

* delete package lock

* update appsettings configs for scim

* use default scim provider for context

Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
											
										
										
											2022-07-14 21:58:48 +02:00
+								            EnableScim = context.Config.EnableScim;
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								            Domain = context.Config.Domain;
 								            Url = context.Config.Url;
-												real ips config

											
										
										
											2019-04-26 18:26:54 +02:00
+								            RealIps = context.Config.RealIps;
-												[PS-2416 and PS-2417] dont set CSP config value by default (#2667)

* dont set CSP config value by default

* space
											
										
										
											2023-02-03 20:50:33 +01:00
+								            var csp = DefaultContentSecurityPolicy;
 								            if (!string.IsNullOrWhiteSpace(context.Config.NginxHeaderContentSecurityPolicy))
 								            {
 								                csp = context.Config.NginxHeaderContentSecurityPolicy;
 								            }
 								            ContentSecurityPolicy = string.Format(csp, Domain);
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
 								            if (Ssl)
 								            {
-												Make nginx Content-Security-Policy configurable (#1048)

* Adding the nginx head Content-Security-Policy to the Configuration file

* fixing whitespace formatting

* adding a '+' that got removed
											
										
										
											2020-12-18 16:58:35 +01:00
+								                if (context.Config.SslManagedLetsEncrypt)
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								                {
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								                    var sslPath = $"/etc/letsencrypt/live/{Domain}";
 								                    CertificatePath = CaPath = string.Concat(sslPath, "/", "fullchain.pem");
 								                    KeyPath = string.Concat(sslPath, "/", "privkey.pem");
-												allow configurable ssl protocols and ciphersuites

											
										
										
											2018-08-31 18:11:44 +02:00
+								                    DiffieHellmanPath = string.Concat(sslPath, "/", "dhparam.pem");
 								                }
 								                else
 								                {
 								                    CertificatePath = context.Config.SslCertificatePath;
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								                    KeyPath = context.Config.SslKeyPath;
 								                    CaPath = context.Config.SslCaPath;
-												allow configurable ssl protocols and ciphersuites

											
										
										
											2018-08-31 18:11:44 +02:00
+								                    DiffieHellmanPath = context.Config.SslDiffieHellmanPath;
 								                }
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
+								            }
-												allow configurable ssl protocols and ciphersuites

											
										
										
											2018-08-31 18:11:44 +02:00
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 19:36:37 +01:00
+								            if (!string.IsNullOrWhiteSpace(context.Config.SslCiphersuites))
-												allow configurable ssl protocols and ciphersuites

											
										
										
											2018-08-31 18:11:44 +02:00
+								            {
 								                SslCiphers = context.Config.SslCiphersuites;
 								            }
 								            else
 								            {
 								                SslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" +
 								                    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:" +
 								                    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" +
 								                    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								            }
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
 								            if (!string.IsNullOrWhiteSpace(context.Config.SslVersions))
 								            {
-												allow configurable ssl protocols and ciphersuites

											
										
										
											2018-08-31 18:11:44 +02:00
+								                SslProtocols = context.Config.SslVersions;
 								            }
 								            else
 								            {
 								                SslProtocols = "TLSv1.2";
-												real ips config

											
										
										
											2019-04-26 18:26:54 +02:00
+								            }
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								        }
-												Run formatting (#2230)


											
										
										
											2022-08-29 22:06:55 +02:00
-												Add captcha option to Nginx config (#1509)

* Add captcha option to Nginx config

* Fix formatting
											
										
										
											2021-08-13 15:52:26 +02:00
+								        public bool Captcha { get; set; }
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        public bool Ssl { get; set; }
 								        public bool EnableKeyConnector { get; set; }
 								        public bool EnableScim { get; set; }
 								        public string Domain { get; set; }
 								        public string Url { get; set; }
-												allow configurable ssl protocols and ciphersuites

											
										
										
											2018-08-31 18:11:44 +02:00
+								        public string CertificatePath { get; set; }
-												convert setup to use config.yml

											
										
										
											2018-08-30 17:35:44 +02:00
+								        public string KeyPath { get; set; }
-												allow configurable ssl protocols and ciphersuites

											
										
										
											2018-08-31 18:11:44 +02:00
+								        public string CaPath { get; set; }
 								        public string DiffieHellmanPath { get; set; }
 								        public string SslCiphers { get; set; }
-												real ips config

											
										
										
											2019-04-26 18:26:54 +02:00
+								        public string SslProtocols { get; set; }
 								        public string ContentSecurityPolicy { get; set; }
 								        public List<string> RealIps { get; set; }
-												builders and update rebuilds

											
										
										
											2017-10-24 04:45:59 +02:00
+								    }
 								}