mirror of
https://github.com/bitwarden/server.git
synced 2024-11-29 13:25:17 +01:00
6514bdbb7e
* add more CSPs to the default correction check * add Dec2020ContentSecurityPolicy
194 lines
8.3 KiB
C#
194 lines
8.3 KiB
C#
using YamlDotNet.Serialization;
|
|
using YamlDotNet.Serialization.NamingConventions;
|
|
|
|
namespace Bit.Setup;
|
|
|
|
public class Context
|
|
{
|
|
private const string ConfigPath = "/bitwarden/config.yml";
|
|
|
|
// These track of old CSP default values to correct.
|
|
// Do not change these values.
|
|
private const string Dec2020ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
|
|
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
|
|
"child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
|
|
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
|
|
"https://twofactorauth.org; object-src 'self' blob:;";
|
|
private const string Jan2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
|
|
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
|
|
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
|
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
|
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
|
|
"https://twofactorauth.org; object-src 'self' blob:;";
|
|
private const string Feb2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
|
|
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
|
|
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
|
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
|
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
|
|
"https://2fa.directory; object-src 'self' blob:;";
|
|
private const string Jan2023ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
|
|
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
|
|
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
|
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
|
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
|
|
"https://api.2fa.directory; object-src 'self' blob:;";
|
|
|
|
private string[] _oldCspDefaults =
|
|
{
|
|
Dec2020ContentSecurityPolicy,
|
|
Jan2021ContentSecurityPolicy,
|
|
Feb2021ContentSecurityPolicy,
|
|
Jan2023ContentSecurityPolicy
|
|
};
|
|
|
|
public string[] Args { get; set; }
|
|
public bool Quiet { get; set; }
|
|
public bool Stub { get; set; }
|
|
public IDictionary<string, string> Parameters { get; set; }
|
|
public string OutputDir { get; set; } = "/etc/bitwarden";
|
|
public string HostOS { get; set; } = "win";
|
|
public string CoreVersion { get; set; } = "latest";
|
|
public string WebVersion { get; set; } = "latest";
|
|
public string KeyConnectorVersion { get; set; } = "latest";
|
|
public Installation Install { get; set; } = new Installation();
|
|
public Configuration Config { get; set; } = new Configuration();
|
|
|
|
public bool PrintToScreen()
|
|
{
|
|
return !Quiet || Parameters.ContainsKey("install");
|
|
}
|
|
|
|
public void LoadConfiguration()
|
|
{
|
|
if (!File.Exists(ConfigPath))
|
|
{
|
|
Helpers.WriteLine(this, "No existing `config.yml` detected. Let's generate one.");
|
|
|
|
// Looks like updating from older version. Try to create config file.
|
|
var url = Helpers.GetValueFromEnvFile("global", "globalSettings__baseServiceUri__vault");
|
|
if (!Uri.TryCreate(url, UriKind.Absolute, out var uri))
|
|
{
|
|
Helpers.WriteLine(this, "Unable to determine existing installation url.");
|
|
return;
|
|
}
|
|
Config.Url = url;
|
|
|
|
var push = Helpers.GetValueFromEnvFile("global", "globalSettings__pushRelayBaseUri");
|
|
Config.PushNotifications = push != "REPLACE";
|
|
|
|
var composeFile = "/bitwarden/docker/docker-compose.yml";
|
|
if (File.Exists(composeFile))
|
|
{
|
|
var fileLines = File.ReadAllLines(composeFile);
|
|
foreach (var line in fileLines)
|
|
{
|
|
if (!line.StartsWith("# Parameter:"))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
var paramParts = line.Split("=");
|
|
if (paramParts.Length < 2)
|
|
{
|
|
continue;
|
|
}
|
|
|
|
if (paramParts[0] == "# Parameter:MssqlDataDockerVolume" &&
|
|
bool.TryParse(paramParts[1], out var mssqlDataDockerVolume))
|
|
{
|
|
Config.DatabaseDockerVolume = mssqlDataDockerVolume;
|
|
continue;
|
|
}
|
|
|
|
if (paramParts[0] == "# Parameter:HttpPort" && int.TryParse(paramParts[1], out var httpPort))
|
|
{
|
|
Config.HttpPort = httpPort == 0 ? null : httpPort.ToString();
|
|
continue;
|
|
}
|
|
|
|
if (paramParts[0] == "# Parameter:HttpsPort" && int.TryParse(paramParts[1], out var httpsPort))
|
|
{
|
|
Config.HttpsPort = httpsPort == 0 ? null : httpsPort.ToString();
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
|
|
var nginxFile = "/bitwarden/nginx/default.conf";
|
|
if (File.Exists(nginxFile))
|
|
{
|
|
var confContent = File.ReadAllText(nginxFile);
|
|
var selfSigned = confContent.Contains("/etc/ssl/self/");
|
|
Config.Ssl = confContent.Contains("ssl http2;");
|
|
Config.SslManagedLetsEncrypt = !selfSigned && confContent.Contains("/etc/letsencrypt/live/");
|
|
var diffieHellman = confContent.Contains("/dhparam.pem;");
|
|
var trusted = confContent.Contains("ssl_trusted_certificate ");
|
|
if (Config.SslManagedLetsEncrypt)
|
|
{
|
|
Config.Ssl = true;
|
|
}
|
|
else if (Config.Ssl)
|
|
{
|
|
var sslPath = selfSigned ? $"/etc/ssl/self/{Config.Domain}" : $"/etc/ssl/{Config.Domain}";
|
|
Config.SslCertificatePath = string.Concat(sslPath, "/", "certificate.crt");
|
|
Config.SslKeyPath = string.Concat(sslPath, "/", "private.key");
|
|
if (trusted)
|
|
{
|
|
Config.SslCaPath = string.Concat(sslPath, "/", "ca.crt");
|
|
}
|
|
if (diffieHellman)
|
|
{
|
|
Config.SslDiffieHellmanPath = string.Concat(sslPath, "/", "dhparam.pem");
|
|
}
|
|
}
|
|
}
|
|
|
|
SaveConfiguration();
|
|
}
|
|
|
|
var configText = File.ReadAllText(ConfigPath);
|
|
var deserializer = new DeserializerBuilder()
|
|
.WithNamingConvention(UnderscoredNamingConvention.Instance)
|
|
.Build();
|
|
Config = deserializer.Deserialize<Configuration>(configText);
|
|
|
|
// Fix old explicit config assignments of CSP which should be treated as a default value
|
|
if (_oldCspDefaults.Any(c => c == Config.NginxHeaderContentSecurityPolicy))
|
|
{
|
|
Config.NginxHeaderContentSecurityPolicy = null;
|
|
SaveConfiguration();
|
|
}
|
|
}
|
|
|
|
public void SaveConfiguration()
|
|
{
|
|
if (Config == null)
|
|
{
|
|
throw new Exception("Config is null.");
|
|
}
|
|
var serializer = new SerializerBuilder()
|
|
.WithNamingConvention(UnderscoredNamingConvention.Instance)
|
|
.WithTypeInspector(inner => new CommentGatheringTypeInspector(inner))
|
|
.WithEmissionPhaseObjectGraphVisitor(args => new CommentsObjectGraphVisitor(args.InnerVisitor))
|
|
.Build();
|
|
var yaml = serializer.Serialize(Config);
|
|
Directory.CreateDirectory("/bitwarden/");
|
|
using (var sw = File.CreateText(ConfigPath))
|
|
{
|
|
sw.Write(yaml);
|
|
}
|
|
}
|
|
|
|
public class Installation
|
|
{
|
|
public Guid InstallationId { get; set; }
|
|
public string InstallationKey { get; set; }
|
|
public bool DiffieHellman { get; set; }
|
|
public bool Trusted { get; set; }
|
|
public bool SelfSignedCert { get; set; }
|
|
public string IdentityCertPassword { get; set; }
|
|
public string Domain { get; set; }
|
|
public string Database { get; set; }
|
|
}
|
|
}
|