PersistKeysToFileSystem when selfhosted

2024-11-22 12:15:36 +01:00 · 2017-08-08 00:02:52 -04:00 · 2017-08-08 00:02:52 -04:00 · e7905dec04
commit e7905dec04
parent 3e7c0f7ca1
8 changed files with 51 additions and 12 deletions
--- a/docker/docker-compose.linux.yml
+++ b/docker/docker-compose.linux.yml
@ -4,9 +4,16 @@ services:
  mssql:
    volumes:
      - /etc/bitwarden/mssql_data:/var/opt/mssql/data
+  web:
+    volumes:
+      - /etc/bitwarden/web:/etc/bitwarden/web
+  api:
+    volumes:
+      - /etc/bitwarden/core:/etc/bitwarden/core
  identity:
    volumes:
      - /etc/bitwarden/identity:/etc/bitwarden/identity
+      - /etc/bitwarden/core:/etc/bitwarden/core
  nginx:
    volumes:
      - /etc/bitwarden/nginx:/etc/bitwarden/nginx
--- a/docker/docker-compose.override.yml
+++ b/docker/docker-compose.override.yml
@ -4,9 +4,16 @@ services:
  mssql:
    volumes:
      - mssql_data:/var/opt/mssql/data
+  web:
+    volumes:
+      - c:/bitwarden/web:/etc/bitwarden/web
+  api:
+    volumes:
+      - c:/bitwarden/core:/etc/bitwarden/core
  identity:
    volumes:
      - c:/bitwarden/identity:/etc/bitwarden/identity
+      - c:/bitwarden/core:/etc/bitwarden/core
  nginx:
    volumes:
      - c:/bitwarden/nginx:/etc/bitwarden/nginx
--- a/docker/docker-compose.windows.yml
+++ b/docker/docker-compose.windows.yml
@ -4,9 +4,16 @@ services:
  mssql:
    volumes:
      - mssql_data:/var/opt/mssql/data
+  web:
+    volumes:
+      - c:/bitwarden/web:/etc/bitwarden/web
+  api:
+    volumes:
+      - c:/bitwarden/core:/etc/bitwarden/core
  identity:
    volumes:
      - c:/bitwarden/identity:/etc/bitwarden/identity
+      - c:/bitwarden/core:/etc/bitwarden/core
  nginx:
    volumes:
      - c:/bitwarden/nginx:/etc/bitwarden/nginx
--- a/src/Api/.dockerignore
+++ b/src/Api/.dockerignore
@ -1,3 +1,4 @@
 *
 !obj/Docker/publish/*
 !obj/Docker/empty/
+!entrypoint.sh
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@ -22,4 +22,7 @@ done
 WORKDIR /app
 EXPOSE 80
 COPY obj/Docker/publish .
-ENTRYPOINT ["dotnet", "Api.dll"]
+
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
--- a/src/Api/entrypoint.sh
+++ b/src/Api/entrypoint.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+dotnet /app/Api.dll
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@ -17,6 +17,7 @@ using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.WindowsAzure.Storage;
 using System;
+using System.IO;
 using SqlServerRepos = Bit.Core.Repositories.SqlServer;

 namespace Bit.Core.Utilities
@ -195,10 +196,19 @@ namespace Bit.Core.Utilities
        public static void AddCustomDataProtectionServices(
            this IServiceCollection services, IHostingEnvironment env, GlobalSettings globalSettings)
        {
+            if(env.IsDevelopment())
+            {
+                return;
+            }
+
+            if(globalSettings.SelfHosted)
+            {
+                var dir = new DirectoryInfo("/etc/bitwarden/core/aspnet-dataprotection");
+                services.AddDataProtection().PersistKeysToFileSystem(dir);
+            }
+
 #if NET461
-            if(!env.IsDevelopment() && !globalSettings.SelfHosted &&
-                !string.IsNullOrWhiteSpace(globalSettings.Storage.ConnectionString) &&
-                !string.IsNullOrWhiteSpace(globalSettings.DataProtection.CertificateThumbprint))
+            if(!globalSettings.SelfHosted)
            {
                var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
                var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@ -12,7 +12,7 @@ namespace Setup
        private static IDictionary<string, string> _parameters = null;
        private static string _domain = null;
        private static string _url = null;
-        private static string _certPassword = null;
+        private static string _identityCertPassword = null;
        private static bool _ssl = false;
        private static bool _letsEncrypt = false;

@ -28,21 +28,21 @@ namespace Setup
            _ssl = _letsEncrypt || (_parameters.ContainsKey("ssl") ?
                _parameters["ssl"].ToLowerInvariant() == "y" : false);
            _url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
-            _certPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
+            _identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);

-            MakeIdentityCert();
+            MakeCerts();
            BuildNginxConfig();
            BuildEnvironmentFiles();
            BuildAppSettingsFiles();
        }

-        private static void MakeIdentityCert()
+        private static void MakeCerts()
        {
            Directory.CreateDirectory("/bitwarden/identity/");
-            var identityCertResult = Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
+            Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
                "-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
-            var identityPfxResult = Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
-                $"-in identity.crt -certfile identity.crt -passout pass:{_certPassword}");
+            Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
+                $"-in identity.crt -certfile identity.crt -passout pass:{_identityCertPassword}");
        }

        private static void BuildNginxConfig()
@ -165,6 +165,7 @@ server {{

        private static void BuildEnvironmentFiles()
        {
+            Directory.CreateDirectory("/bitwarden/docker/");
            var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"].ToLowerInvariant() : "REPLACE";
            var dbConnectionString = "Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;" +
                $"Password={dbPass};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;" +
@ -176,7 +177,7 @@ server {{
 globalSettings:baseServiceUri:api={_url}/api
 globalSettings:baseServiceUri:identity={_url}/identity
 globalSettings:sqlServer:connectionString={dbConnectionString}
-globalSettings:identityServer:certificatePassword={_certPassword}
+globalSettings:identityServer:certificatePassword={_identityCertPassword}
 globalSettings:duo:aKey={Helpers.SecureRandomString(32, alpha: true, numeric: true)}
 globalSettings:yubico:clientId=REPLACE
 globalSettings:yubico:REPLACE");