From e7905dec0472e78efec5987c04ef6e1905bc49c0 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 8 Aug 2017 00:02:52 -0400
Subject: [PATCH] PersistKeysToFileSystem when selfhosted
---
 docker/docker-compose.linux.yml | 7 +++++++
 docker/docker-compose.override.yml | 7 +++++++
 docker/docker-compose.windows.yml | 7 +++++++
 src/Api/.dockerignore | 1 +
 src/Api/Dockerfile | 5 ++++-
 src/Api/entrypoint.sh | 3 +++
 .../Utilities/ServiceCollectionExtensions.cs | 16 +++++++++++++---
 util/Setup/Program.cs | 17 +++++++++-------
 8 files changed, 51 insertions(+), 12 deletions(-)
 create mode 100644 src/Api/entrypoint.sh
diff --git a/docker/docker-compose.linux.yml b/docker/docker-compose.linux.yml
index 844e51ae3..e3b94a763 100644
--- a/docker/docker-compose.linux.yml
+++ b/docker/docker-compose.linux.yml
@@ -4,9 +4,16 @@ services:
 mssql:
 volumes:
 - /etc/bitwarden/mssql_data:/var/opt/mssql/data
+ web:
+ volumes:
+ - /etc/bitwarden/web:/etc/bitwarden/web
+ api:
+ volumes:
+ - /etc/bitwarden/core:/etc/bitwarden/core
 identity:
 volumes:
 - /etc/bitwarden/identity:/etc/bitwarden/identity
+ - /etc/bitwarden/core:/etc/bitwarden/core
 nginx:
 volumes:
 - /etc/bitwarden/nginx:/etc/bitwarden/nginx
diff --git a/docker/docker-compose.override.yml b/docker/docker-compose.override.yml
index 3f98220d5..20ffe537d 100644
--- a/docker/docker-compose.override.yml
+++ b/docker/docker-compose.override.yml
@@ -4,9 +4,16 @@ services:
 mssql:
 volumes:
 - mssql_data:/var/opt/mssql/data
+ web:
+ volumes:
+ - c:/bitwarden/web:/etc/bitwarden/web
+ api:
+ volumes:
+ - c:/bitwarden/core:/etc/bitwarden/core
 identity:
 volumes:
 - c:/bitwarden/identity:/etc/bitwarden/identity
+ - c:/bitwarden/core:/etc/bitwarden/core
 nginx:
 volumes:
 - c:/bitwarden/nginx:/etc/bitwarden/nginx
diff --git a/docker/docker-compose.windows.yml b/docker/docker-compose.windows.yml
index 3f98220d5..20ffe537d 100644
--- a/docker/docker-compose.windows.yml
+++ b/docker/docker-compose.windows.yml
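Review bot: The added `/etc/bitwarden/core` bind mount is shared read-write by `api` and `identity`, but nothing in this commit creates that host directory (the Setup hunks create `/bitwarden/identity/` and `/bitwarden/docker/`, which appear to map to this tree), so the Docker daemon will create it on first start with its default ownership and mode. Since the data-protection key ring will be written under it unencrypted, the directory should be created up front with owner-only permissions, e.g. in Setup next to the other `Directory.CreateDirectory` calls, so the key files do not end up world-readable on the host. The `docker-compose.override.yml` and `docker-compose.windows.yml` hunks add the same mount and share this point.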
@@ -4,9 +4,16 @@ services:
 mssql:
 volumes:
 - mssql_data:/var/opt/mssql/data
+ web:
+ volumes:
+ - c:/bitwarden/web:/etc/bitwarden/web
+ api:
+ volumes:
+ - c:/bitwarden/core:/etc/bitwarden/core
 identity:
 volumes:
 - c:/bitwarden/identity:/etc/bitwarden/identity
+ - c:/bitwarden/core:/etc/bitwarden/core
 nginx:
 volumes:
 - c:/bitwarden/nginx:/etc/bitwarden/nginx
diff --git a/src/Api/.dockerignore b/src/Api/.dockerignore
index d8f8175f6..7e37ce5d9 100644
--- a/src/Api/.dockerignore
+++ b/src/Api/.dockerignore
@@ -1,3 +1,4 @@
 *
 !obj/Docker/publish/*
 !obj/Docker/empty/
+!entrypoint.sh
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 6547ec48d..1dacbf32a 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -22,4 +22,7 @@ done
 WORKDIR /app
 EXPOSE 80
 COPY obj/Docker/publish .
-ENTRYPOINT ["dotnet", "Api.dll"]
+
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/src/Api/entrypoint.sh b/src/Api/entrypoint.sh
new file mode 100644
index 000000000..78ec70fd2
--- /dev/null
+++ b/src/Api/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+dotnet /app/Api.dll
diff --git a/src/Core/Utilities/ServiceCollectionExtensions.cs b/src/Core/Utilities/ServiceCollectionExtensions.cs
index bc8b25623..e78521629 100644
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@@ -17,6 +17,7 @@ using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.WindowsAzure.Storage;
 using System;
+using System.IO;
 using SqlServerRepos = Bit.Core.Repositories.SqlServer;
 namespace Bit.Core.Utilities
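Review bot: `dotnet /app/Api.dll` in the new entrypoint.sh runs as a child of `sh`, which becomes PID 1, so the SIGTERM from `docker stop` is delivered to the shell and the application never gets a graceful shutdown before the kill timeout; write it as `exec dotnet /app/Api.dll` so the runtime replaces the shell and receives signals directly. As written the wrapper adds nothing over the removed `ENTRYPOINT ["dotnet", "Api.dll"]` in the Dockerfile hunk, so either give the script a stated purpose (a comment saying what setup it is meant to host would help) or keep the exec form.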
@@ -195,10 +196,19 @@ namespace Bit.Core.Utilities
 public static void AddCustomDataProtectionServices(
 this IServiceCollection services, IHostingEnvironment env, GlobalSettings globalSettings)
 {
+ if(env.IsDevelopment())
+ {
+ return;
+ }
+
+ if(globalSettings.SelfHosted)
+ {
+ var dir = new DirectoryInfo("/etc/bitwarden/core/aspnet-dataprotection");
+ services.AddDataProtection().PersistKeysToFileSystem(dir);
+ }
+
 #if NET461
- if(!env.IsDevelopment() && !globalSettings.SelfHosted &&
- !string.IsNullOrWhiteSpace(globalSettings.Storage.ConnectionString) &&
- !string.IsNullOrWhiteSpace(globalSettings.DataProtection.CertificateThumbprint))
+ if(!globalSettings.SelfHosted)
 {
 var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
 var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
diff --git a/util/Setup/Program.cs b/util/Setup/Program.cs
index db3dbeb26..ae07d129b 100644
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@@ -12,7 +12,7 @@ namespace Setup
 private static IDictionary _parameters = null;
 private static string _domain = null;
 private static string _url = null;
- private static string _certPassword = null;
+ private static string _identityCertPassword = null;
 private static bool _ssl = false;
 private static bool _letsEncrypt = false;
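Review bot: The `!string.IsNullOrWhiteSpace(...)` guards on `globalSettings.Storage.ConnectionString` and `globalSettings.DataProtection.CertificateThumbprint` are dropped together with the removed condition and not restored, so under `NET461` every non-self-hosted, non-development configuration now reaches `CoreHelpers.GetCertificate` and `CloudStorageAccount.Parse` even when those settings are blank; `CloudStorageAccount.Parse` throws on an empty string, so a startup that previously skipped the Azure key store will now fail. I would keep them on the new condition: `if(!globalSettings.SelfHosted && !string.IsNullOrWhiteSpace(globalSettings.Storage.ConnectionString) && !string.IsNullOrWhiteSpace(globalSettings.DataProtection.CertificateThumbprint))`. In the self-hosted branch the key ring under `/etc/bitwarden/core/aspnet-dataprotection` is meant to be shared by the Api and Identity containers (both mount it in the compose hunks), but `AddDataProtection()` is not given a common application name, so unless both apps resolve the same content root (Api's Dockerfile sets `/app`; Identity's is not in this diff) a payload protected by one will not unprotect in the other — add `.SetApplicationName("<shared-app-name>")` (placeholder) before `PersistKeysToFileSystem(dir)`. On Linux `PersistKeysToFileSystem` writes the key XML unencrypted, so a comment on the `var dir` line such as `// keys are stored in the clear; the mounted directory's host permissions protect them` would record that assumption. The method continues past the end of the hunk.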
@@ -28,21 +28,21 @@ namespace Setup
 _ssl = _letsEncrypt || (_parameters.ContainsKey("ssl") ? _parameters["ssl"].ToLowerInvariant() == "y" : false);
 _url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
- _certPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
+ _identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
 
- MakeIdentityCert();
+ MakeCerts();
 BuildNginxConfig();
 BuildEnvironmentFiles();
 BuildAppSettingsFiles();
 }
- private static void MakeIdentityCert()
+ private static void MakeCerts()
 {
 Directory.CreateDirectory("/bitwarden/identity/");
- var identityCertResult = Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " + "-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
- var identityPfxResult = Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " + $"-in identity.crt -certfile identity.crt -passout pass:{_certPassword}");
+ Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " + "-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
+ Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " + $"-in identity.crt -certfile identity.crt -passout pass:{_identityCertPassword}");
 }
 private static void BuildNginxConfig()
@@ -165,6 +165,7 @@ server {{
 private static void BuildEnvironmentFiles()
 {
+ Directory.CreateDirectory("/bitwarden/docker/");
 var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"].ToLowerInvariant() : "REPLACE";
 var dbConnectionString = "Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;" + $"Password={dbPass};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;" +
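Review bot: `MakeCerts` now discards both `Exec` results (the old `identityCertResult` and `identityPfxResult` locals are removed), so a failing `openssl req` or `pkcs12 -export` lets setup continue without a usable `/bitwarden/identity/identity.pfx` and the error only surfaces when Identity starts; `Exec`'s return type is not in the hunk, but if it exposes the exit status, check it here and stop on failure. The PFX password is also handed to openssl as `-passout pass:{_identityCertPassword}` on the command line, where it is readable from the process list for the lifetime of the openssl process; `-passout env:<VAR>` or `-passout stdin` keeps it out of argv if `Exec` can set the environment or feed stdin. The `Main` body that calls `MakeCerts()` starts before the hunk.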
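Review bot: `_parameters["db_pass"].ToLowerInvariant()` on the context line right after the added `Directory.CreateDirectory("/bitwarden/docker/")` lower-cases the user-supplied database password before it is written as `Password={dbPass}`, so a password containing uppercase letters is silently altered and weakened; the call looks copied from the `ssl` y/n handling and should be dropped for this value, `var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"] : "REPLACE";` — unless the mssql container's SA password is generated from the same lower-cased value elsewhere, which this diff does not show. The method continues past the end of the hunk.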
@@ -176,7 +177,7 @@ server {{
 globalSettings:baseServiceUri:api={_url}/api
 globalSettings:baseServiceUri:identity={_url}/identity
 globalSettings:sqlServer:connectionString={dbConnectionString}
-globalSettings:identityServer:certificatePassword={_certPassword}
+globalSettings:identityServer:certificatePassword={_identityCertPassword}
 globalSettings:duo:aKey={Helpers.SecureRandomString(32, alpha: true, numeric: true)}
 globalSettings:yubico:clientId=REPLACE
 globalSettings:yubico:REPLACE");