Merge pull request #1270 from BlackDex/update-ci

Updated Github Actions, Fixed Dockerfile

.env.template

@@ -104,7 +104,8 @@
 ## Icon blacklist Regex
 ## Any domains or IPs that match this regex won't be fetched by the icon service.
 ## Useful to hide other servers in the local network. Check the WIKI for more details
-# ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
+## NOTE: Always enclose this regex withing single quotes!
+# ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
 
 ## Any IP which is not defined as a global IP will be blacklisted.
 ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
@@ -242,9 +243,9 @@
 # SMTP_HOST=smtp.domain.tld
 # SMTP_FROM=bitwarden-rs@domain.tld
 # SMTP_FROM_NAME=Bitwarden_RS
-# SMTP_PORT=587
-# SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true.
-# SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work.
+# SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
+# SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
+# SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
 # SMTP_USERNAME=username
 # SMTP_PASSWORD=password
 # SMTP_TIMEOUT=15
@@ -259,6 +260,22 @@
 ## but might need to be changed in case it trips some anti-spam filters
 # HELO_NAME=
 
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
 ## Require new device emails. When a user logs in an email is required to be sent.
 ## If sending the email fails the login attempt will fail!!
 # REQUIRE_DEVICE_EMAIL=false

.github/ISSUE_TEMPLATE/bug_report.md

@@ -6,27 +6,36 @@ labels: ''
 assignees: ''
 
 ---
+<!--
+     # ###
+     NOTE: Please update to the latest version of bitwarden_rs before reporting an issue!
+     This saves you and us a lot of time and troubleshooting.
+     See: https://github.com/dani-garcia/bitwarden_rs/issues/1180
+     # ###
+-->
+
 
 <!--
 Please fill out the following template to make solving your problem easier and faster for us.
-This is only a guideline. If you think that parts are unneccessary for your issue, feel free to remove them.
+This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them.
 
-Remember to hide/obfuscate personal and confidential information, 
-such as names, global IP/DNS adresses and especially passwords, if neccessary.
+Remember to hide/obfuscate personal and confidential information,
+such as names, global IP/DNS addresses and especially passwords, if necessary.
 -->
 
 ### Subject of the issue
 <!-- Describe your issue here.-->
 
 ### Your environment
-<!-- The version number, obtained from the logs or the admin page -->
-* Bitwarden_rs version: 
+<!-- The version number, obtained from the logs or the admin diagnostics page -->
+<!-- Remember to check your issue on the latest version first! -->
+* Bitwarden_rs version:
 <!-- How the server was installed: Docker image / package / built from source -->
-* Install method: 
+* Install method:
 * Clients used: <!-- if applicable -->
 * Reverse proxy and version: <!-- if applicable -->
 * Version of mysql/postgresql: <!-- if applicable -->
-* Other relevant information: 
+* Other relevant information:
 
 ### Steps to reproduce
 <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults)

.github/workflows/build.yml

@@ -0,0 +1,125 @@
+name: Build
+
+on:
+  push:
+    # Ignore when there are only changes done too one of these paths
+    paths-ignore:
+      - "**.md"
+      - "**.txt"
+      - "azure-pipelines.yml"
+      - "docker/**"
+      - "hooks/**"
+      - "tools/**"
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        channel:
+          - nightly
+          # - stable
+        target-triple:
+          - x86_64-unknown-linux-gnu
+          # - x86_64-unknown-linux-musl
+        include:
+          - target-triple: x86_64-unknown-linux-gnu
+            host-triple: x86_64-unknown-linux-gnu
+            features: "sqlite,mysql,postgresql"
+            channel: nightly
+            os: ubuntu-18.04
+            ext:
+          # - target-triple: x86_64-unknown-linux-gnu
+          #   host-triple: x86_64-unknown-linux-gnu
+          #   features: "sqlite,mysql,postgresql"
+          #   channel: stable
+          #   os: ubuntu-18.04
+          #   ext:
+          # - target-triple: x86_64-unknown-linux-musl
+          #   host-triple: x86_64-unknown-linux-gnu
+          #   features: "sqlite,postgresql"
+          #   channel: nightly
+          #   os: ubuntu-18.04
+          #   ext:
+          # - target-triple: x86_64-unknown-linux-musl
+          #   host-triple: x86_64-unknown-linux-gnu
+          #   features: "sqlite,postgresql"
+          #   channel: stable
+          #   os: ubuntu-18.04
+          #   ext:
+
+    name: Building ${{ matrix.channel }}-${{ matrix.target-triple }}
+    runs-on: ${{ matrix.os }}
+    steps:
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@v2
+      # End Checkout the repo
+
+
+      # Install musl-tools when needed
+      - name: Install musl tools
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends musl-dev musl-tools cmake
+        if: matrix.target-triple == 'x86_64-unknown-linux-musl'
+      # End Install musl-tools when needed
+
+
+      # Install dependencies
+      - name: Install dependencies Ubuntu
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf
+        if: startsWith( matrix.os, 'ubuntu' )
+      # End Install dependencies
+
+
+      # Enable Rust Caching
+      - uses: Swatinem/rust-cache@v1
+      # End Enable Rust Caching
+
+
+      # Uses the rust-toolchain file to determine version
+      - name: 'Install ${{ matrix.channel }}-${{ matrix.host-triple }} for target: ${{ matrix.target-triple }}'
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          target: ${{ matrix.target-triple }}
+      # End Uses the rust-toolchain file to determine version
+
+
+      # Run cargo tests (In release mode to speed up cargo build afterwards)
+      - name: '`cargo test --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}`'
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}
+      # End Run cargo tests
+
+
+      # Build the binary
+      - name: '`cargo build --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}`'
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}
+      # End Build the binary
+
+
+      # Upload artifact to Github Actions
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: bitwarden_rs-${{ matrix.target-triple }}${{ matrix.ext }}
+          path: target/${{ matrix.target-triple }}/release/bitwarden_rs${{ matrix.ext }}
+      # End Upload artifact to Github Actions
+
+
+      ## This is not used at the moment
+      ## We could start using this when we can build static binaries
+      # Upload to github actions release
+      # - name: Release
+      #   uses: Shopify/upload-to-release@1
+      #   if: startsWith(github.ref, 'refs/tags/')
+      #   with:
+      #     name: bitwarden_rs-${{ matrix.target-triple }}${{ matrix.ext }}
+      #     path: target/${{ matrix.target-triple }}/release/bitwarden_rs${{ matrix.ext }}
+      #     repo-token: ${{ secrets.GITHUB_TOKEN }}
+      # End Upload to github actions release

.github/workflows/hadolint.yml

@@ -0,0 +1,34 @@
+name: Hadolint
+
+on:
+  pull_request:
+    # Ignore when there are only changes done too one of these paths
+    paths:
+      - "docker/**"
+
+jobs:
+  hadolint:
+    name: Validate Dockerfile syntax
+    runs-on: ubuntu-20.04
+    steps:
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@v2
+      # End Checkout the repo
+
+
+      # Download hadolint
+      - name: Download hadolint
+        shell: bash
+        run: |
+          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
+          sudo chmod +x /usr/local/bin/hadolint
+        env:
+          HADOLINT_VERSION: 1.19.0
+      # End Download hadolint
+
+      # Test Dockerfiles
+      - name: Run hadolint
+        shell: bash
+        run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored | xargs hadolint
+      # End Test Dockerfiles

.github/workflows/workspace.yml

@@ -1,148 +0,0 @@
-name: Workflow
-
-on:
-  push:
-    paths-ignore:
-      - "**.md"
-  #pull_request:
-  #  paths-ignore:
-  #    - "**.md"
-
-jobs:
-  build:
-    name: Build
-    strategy:
-      fail-fast: false
-      matrix:
-        db-backend: [sqlite, mysql, postgresql]
-        target:
-          - x86_64-unknown-linux-gnu
-          # - x86_64-unknown-linux-musl
-          # - x86_64-apple-darwin
-          # - x86_64-pc-windows-msvc
-        include:
-          - target: x86_64-unknown-linux-gnu
-            os: ubuntu-latest
-            ext:
-          # - target: x86_64-unknown-linux-musl
-          #   os: ubuntu-latest
-          #   ext:
-          # - target: x86_64-apple-darwin
-          #   os: macOS-latest
-          #   ext:
-          # - target: x86_64-pc-windows-msvc
-          #   os: windows-latest
-          #   ext: .exe
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@v1
-
-    # - name: Cache choco cache
-    #   uses: actions/cache@v1.0.3
-    #   if: matrix.os == 'windows-latest'
-    #   with:
-    #     path: ~\AppData\Local\Temp\chocolatey
-    #     key: ${{ runner.os }}-choco-cache-${{ matrix.db-backend }}
-
-    - name: Cache vcpkg installed
-      uses: actions/cache@v1.0.3
-      if: matrix.os == 'windows-latest'
-      with:
-        path: $VCPKG_ROOT/installed
-        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
-      env:
-        VCPKG_ROOT: 'C:\vcpkg'
-
-    - name: Cache vcpkg downloads
-      uses: actions/cache@v1.0.3
-      if: matrix.os == 'windows-latest'
-      with:
-        path: $VCPKG_ROOT/downloads
-        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
-      env:
-        VCPKG_ROOT: 'C:\vcpkg'
-
-    # - name: Cache homebrew
-    #   uses: actions/cache@v1.0.3
-    #   if: matrix.os == 'macOS-latest'
-    #   with:
-    #     path: ~/Library/Caches/Homebrew
-    #     key: ${{ runner.os }}-brew-cache
-
-    # - name: Cache apt
-    #   uses: actions/cache@v1.0.3
-    #   if: matrix.os == 'ubuntu-latest'
-    #   with:
-    #     path: /var/cache/apt/archives
-    #     key: ${{ runner.os }}-apt-cache
-
-    # Install dependencies
-    - name: Install dependencies macOS
-      run: brew update; brew install openssl sqlite libpq mysql
-      if: matrix.os == 'macOS-latest'
-
-    - name: Install dependencies Ubuntu
-      run: sudo apt-get update && sudo apt-get install --no-install-recommends openssl sqlite libpq-dev libmysql++-dev
-      if: matrix.os == 'ubuntu-latest'
-
-    - name: Install dependencies Windows
-      run: vcpkg integrate install; vcpkg install sqlite3:x64-windows openssl:x64-windows libpq:x64-windows libmysql:x64-windows
-      if: matrix.os == 'windows-latest'
-      env:
-        VCPKG_ROOT: 'C:\vcpkg'
-    # End Install dependencies
-
-    # Install rust nightly toolchain
-    - name: Cache cargo registry
-      uses: actions/cache@v1.0.3
-      with:
-        path: ~/.cargo/registry
-        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
-    - name: Cache cargo index
-      uses: actions/cache@v1.0.3
-      with:
-        path: ~/.cargo/git
-        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
-    - name: Cache cargo build
-      uses: actions/cache@v1.0.3
-      with:
-        path: target
-        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
-
-    - name: Install latest nightly
-      uses: actions-rs/toolchain@v1.0.5
-      with:
-        # Uses rust-toolchain to determine version
-        profile: minimal
-        target: ${{ matrix.target }}
-
-    # Build
-    - name: Build Win
-      if: matrix.os == 'windows-latest'
-      run: cargo.exe build --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
-      env:
-        RUSTFLAGS: -Ctarget-feature=+crt-static
-        VCPKG_ROOT: 'C:\vcpkg'
-
-    - name: Build macOS / Ubuntu
-      if: matrix.os == 'macOS-latest' || matrix.os == 'ubuntu-latest'
-      run: cargo build --verbose --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
-
-    # Test
-    - name: Run tests
-      run: cargo test --features ${{ matrix.db-backend }}
-
-    # Upload & Release
-    - name: Upload artifact
-      uses: actions/upload-artifact@v1.0.0
-      with:
-        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
-        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
-
-    - name: Release
-      uses: Shopify/upload-to-release@1.0.0
-      if: startsWith(github.ref, 'refs/tags/')
-      with:
-        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
-        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
-        repo-token: ${{ secrets.GITHUB_TOKEN }}

.travis.yml

@@ -1,21 +0,0 @@
-dist: xenial
-
-env:
-  global:
-    - HADOLINT_VERSION=1.17.1
-
-language: rust
-rust: nightly
-cache: cargo
-
-before_install:
-  - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
-  - sudo chmod +rx /usr/local/bin/hadolint
-  - rustup set profile minimal
-
-# Nothing to install
-install: true
-script:
-- git ls-files --exclude='Dockerfile*' --ignored | xargs --max-lines=1 hadolint
-- cargo test --features "sqlite"
-- cargo test --features "mysql"

Cargo.toml

@@ -32,24 +32,24 @@ rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
 rocket_contrib = "0.5.0-dev"
 
 # HTTP client
-reqwest = { version = "0.10.8", features = ["blocking", "json"] }
+reqwest = { version = "0.10.10", features = ["blocking", "json"] }
 
 # multipart/form-data support
 multipart = { version = "0.17.0", features = ["server"], default-features = false }
 
 # WebSockets library
-ws = "0.9.1"
+ws = { version = "0.10.0", package = "parity-ws" }
 
 # MessagePack library
-rmpv = "0.4.5"
+rmpv = "0.4.6"
 
 # Concurrent hashmap implementation
 chashmap = "2.2.2"
 
 # A generic serialization/deserialization framework
-serde = "1.0.115"
-serde_derive = "1.0.115"
-serde_json = "1.0.57"
+serde = "1.0.118"
+serde_derive = "1.0.118"
+serde_json = "1.0.60"
 
 # Logging
 log = "0.4.11"
@@ -64,21 +64,21 @@ libsqlite3-sys = { version = "0.18.0", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
 rand = "0.7.3"
-ring = "0.16.15"
+ring = "0.16.19"
 
 # UUID generation
 uuid = { version = "0.8.1", features = ["v4"] }
 
 # Date and time libraries
-chrono = "0.4.15"
+chrono = "0.4.19"
 chrono-tz = "0.5.3"
-time = "0.2.18"
+time = "0.2.23"
 
 # TOTP library
 oath = "0.10.2"
 
 # Data encoding library
-data-encoding = "2.3.0"
+data-encoding = "2.3.1"
 
 # JWT library
 jsonwebtoken = "7.2.0"
@@ -93,26 +93,26 @@ yubico = { version = "0.9.1", features = ["online-tokio"], default-features = fa
 dotenv = { version = "0.15.0", default-features = false }
 
 # Lazy initialization
-once_cell = "1.4.1"
+once_cell = "1.5.2"
 
 # Numerical libraries
-num-traits = "0.2.12"
-num-derive = "0.3.2"
+num-traits = "0.2.14"
+num-derive = "0.3.3"
 
 # Email libraries
-lettre = { version = "0.10.0-alpha.2", features = ["smtp-transport", "builder", "serde", "native-tls", "hostname"], default-features = false }
+lettre = { version = "0.10.0-alpha.4", features = ["smtp-transport", "builder", "serde", "native-tls", "hostname", "tracing"], default-features = false }
 newline-converter = "0.1.0"
 
 # Template library
-handlebars = { version = "3.4.0", features = ["dir_source"] }
+handlebars = { version = "3.5.1", features = ["dir_source"] }
 
 # For favicon extraction from main website
 soup = "0.5.0"
-regex = "1.3.9"
+regex = "1.4.2"
 data-url = "0.1.0"
 
 # Used by U2F, JWT and Postgres
-openssl = "0.10.30"
+openssl = "0.10.31"
 
 # URL encoding library
 percent-encoding = "2.1.0"
@@ -120,18 +120,18 @@ percent-encoding = "2.1.0"
 idna = "0.2.0"
 
 # CLI argument parsing
-structopt = "0.3.17"
+structopt = "0.3.21"
 
 # Logging panics to logfile instead stderr only
-backtrace = "0.3.50"
+backtrace = "0.3.55"
 
 # Macro ident concatenation
-paste = "1.0.0"
+paste = "1.0.4"
 
 [patch.crates-io]
 # Use newest ring
-rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = '1010f6a2a88fac899dec0cd2f642156908038a53' }
-rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = '1010f6a2a88fac899dec0cd2f642156908038a53' }
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = '263e39b5b429de1913ce7e3036575a7b4d88b6d7' }
+rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = '263e39b5b429de1913ce7e3036575a7b4d88b6d7' }
 
 # For favicon extraction from main website
-data-url = { git = 'https://github.com/servo/rust-url', package="data-url", rev = '7f1bd6ce1c2fde599a757302a843a60e714c5f72' }
+data-url = { git = 'https://github.com/servo/rust-url', package="data-url", rev = '540ede02d0771824c0c80ff9f57fe8eff38b1291' }

azure-pipelines.yml

@@ -1,5 +1,5 @@
 pool:
-  vmImage: 'Ubuntu-16.04'
+  vmImage: 'Ubuntu-18.04'
 
 steps:
 - script: |
@@ -10,16 +10,13 @@ steps:
 
 - script: |
     sudo apt-get update
-    sudo apt-get install -y libmysql++-dev
-  displayName: Install libmysql
+    sudo apt-get install -y --no-install-recommends build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf
+  displayName: 'Install build libraries.'
 
 - script: |
     rustc -Vv
     cargo -V
   displayName: Query rust and cargo versions
 
-- script : cargo test --features "sqlite"
-  displayName: 'Test project with sqlite backend'
-
-- script : cargo test --features "mysql"
-  displayName: 'Test project with mysql backend'
+- script : cargo test --features "sqlite,mysql,postgresql"
+  displayName: 'Test project with sqlite, mysql and postgresql backends'

docker/Dockerfile.j2

@@ -1,49 +1,60 @@
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
 
-{% set build_stage_base_image = "rust:1.46" %}
+{% set build_stage_base_image = "rust:1.48" %}
 {% if "alpine" in target_file %}
 {%   if "amd64" in target_file %}
-{%     set build_stage_base_image = "clux/muslrust:nightly-2020-10-02" %}
+{%     set build_stage_base_image = "clux/muslrust:nightly-2020-11-22" %}
 {%     set runtime_stage_base_image = "alpine:3.12" %}
-{%     set package_arch_name = "" %}
+{%     set package_arch_target = "x86_64-unknown-linux-musl" %}
 {%   elif "arm32v7" in target_file %}
 {%     set build_stage_base_image = "messense/rust-musl-cross:armv7-musleabihf" %}
 {%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.12" %}
-{%     set package_arch_name = "" %}
+{%     set package_arch_target = "armv7-unknown-linux-musleabihf" %}
 {%   endif %}
 {% elif "amd64" in target_file %}
 {%   set runtime_stage_base_image = "debian:buster-slim" %}
-{%   set package_arch_name = "" %}
 {% elif "arm64v8" in target_file %}
 {%   set runtime_stage_base_image = "balenalib/aarch64-debian:buster" %}
 {%   set package_arch_name = "arm64" %}
+{%   set package_arch_target = "aarch64-unknown-linux-gnu" %}
+{%   set package_cross_compiler = "aarch64-linux-gnu" %}
 {% elif "arm32v6" in target_file %}
 {%   set runtime_stage_base_image = "balenalib/rpi-debian:buster" %}
 {%   set package_arch_name = "armel" %}
+{%   set package_arch_target = "arm-unknown-linux-gnueabi" %}
+{%   set package_cross_compiler = "arm-linux-gnueabi" %}
 {% elif "arm32v7" in target_file %}
 {%   set runtime_stage_base_image = "balenalib/armv7hf-debian:buster" %}
 {%   set package_arch_name = "armhf" %}
+{%   set package_arch_target = "armv7-unknown-linux-gnueabihf" %}
+{%   set package_cross_compiler = "arm-linux-gnueabihf" %}
 {% endif %}
-{% set package_arch_prefix = ":" + package_arch_name %}
-{% if package_arch_name == "" %}
+{% if package_arch_name is defined %}
+{%   set package_arch_prefix = ":" + package_arch_name %}
+{% else %}
 {%   set package_arch_prefix = "" %}
 {% endif %}
+{% if package_arch_target is defined %}
+{%   set package_arch_target_param = " --target=" + package_arch_target %}
+{% else %}
+{%   set package_arch_target_param = "" %}
+{% endif %}
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-{% set vault_image_hash = "sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303" %}
+{% set vault_image_hash = "sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0" %}
 {% raw %}
 #  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
 #  It can be viewed in multiple ways:
 #  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
 #  - From the console, with the following commands:
-#      docker pull bitwardenrs/web-vault:v2.16.1
-#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
 #
 #  - To do the opposite, and get the tag from the hash, you can do:
-#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
 {% endraw %}
 FROM bitwardenrs/web-vault@{{ vault_image_hash }} as vault
 
@@ -51,14 +62,21 @@ FROM bitwardenrs/web-vault@{{ vault_image_hash }} as vault
 FROM {{ build_stage_base_image }} as build
 
 {% if "alpine" in target_file %}
-# Alpine only works on SQlite
+{%   if "amd64" in target_file %}
+# Alpine-based AMD64 (musl) does not support mysql/mariadb during compile time.
+ARG DB=sqlite,postgresql
+{%     set features = "sqlite,postgresql" %}
+{%   else %}
+# Alpine-based ARM (musl) only supports sqlite during compile time.
 ARG DB=sqlite
-
+{%     set features = "sqlite" %}
+{%   endif %}
 {% else %}
 # Debian-based builds support multidb
 ARG DB=sqlite,mysql,postgresql
-
+{%   set features = "sqlite,mysql,postgresql" %}
 {% endif %}
+
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
 
@@ -68,7 +86,6 @@ RUN rustup set profile minimal
 {% if "alpine" in target_file %}
 ENV USER "root"
 ENV RUSTFLAGS='-C link-arg=-s'
-
 {% elif "arm" in target_file %}
 # Install required build libs for {{ package_arch_name }} architecture.
 # To compile both mysql and postgresql we need some extra packages for both host arch and target arch
@@ -85,44 +102,19 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
         libmariadb-dev{{ package_arch_prefix }} \
         libmariadb-dev-compat{{ package_arch_prefix }}
 
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-{{ package_cross_compiler }} \
+    && mkdir -p ~/.cargo \
+    && echo '[target.{{ package_arch_target }}]' >> ~/.cargo/config \
+    && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
 {% endif -%}
-{% if "arm64v8" in target_file %}
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-aarch64-linux-gnu \
-    && mkdir -p ~/.cargo \
-    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
-    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config \
-    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/config
 
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-{% elif "arm32v6" in target_file %}
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabi \
-    && mkdir -p ~/.cargo \
-    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
-    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config \
-    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-{% elif "arm32v7" in target_file and "alpine" not in target_file %}
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabihf \
-    && mkdir -p ~/.cargo \
-    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
-    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config \
-    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-{% endif %}
 {% if "amd64" in target_file and "alpine" not in target_file %}
 # Install DB packages
 RUN apt-get update && apt-get install -y \
@@ -148,71 +140,31 @@ COPY ./build.rs ./build.rs
 # We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
 # We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the {{ package_arch_prefix }} version.
 # What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y libmariadb3:amd64 && \
-    mkdir -pv /tmp/dpkg && \
-    cd /tmp/dpkg && \
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
     apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i *.deb && \
-    rm -rf /tmp/dpkg
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
 
 # For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
 # The libpq5{{ package_arch_prefix }} package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
 # This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
 # Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/{{ package_cross_compiler }}/libpq.so.5 /usr/lib/{{ package_cross_compiler }}/libpq.so
+
+ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}"
+ENV OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
 {%   endif -%}
-{%   if "arm64v8" in target_file %}
-RUN ln -sfnr /usr/lib/aarch64-linux-gnu/libpq.so.5 /usr/lib/aarch64-linux-gnu/libpq.so
-
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
-ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-RUN rustup target add aarch64-unknown-linux-gnu
-{%   elif "arm32v6" in target_file %}
-RUN ln -sfnr /usr/lib/arm-linux-gnueabi/libpq.so.5 /usr/lib/arm-linux-gnueabi/libpq.so
-
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-RUN rustup target add arm-unknown-linux-gnueabi
-{%   elif "arm32v7" in target_file %}
-RUN ln -sfnr /usr/lib/arm-linux-gnueabihf/libpq.so.5 /usr/lib/arm-linux-gnueabihf/libpq.so
-
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-RUN rustup target add armv7-unknown-linux-gnueabihf
-{%   endif -%}
-{% else -%}
-{%   if "amd64" in target_file %}
-RUN rustup target add x86_64-unknown-linux-musl
-{%   elif "arm32v7" in target_file %}
-RUN rustup target add armv7-unknown-linux-musleabihf
-{%   endif %}
+{% endif %}
+{% if package_arch_target is defined %}
+RUN rustup target add {{ package_arch_target }}
 {% endif %}
 
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-{% if "alpine" in target_file %}
-{%   if "amd64" in target_file %}
-RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
-{%   elif "arm32v7" in target_file %}
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
-{%   endif %}
-{% elif "alpine" not in target_file %}
-{%   if "amd64" in target_file %}
-RUN cargo build --features ${DB} --release
-{%   elif "arm64v8" in target_file %}
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
-{%   elif "arm32v6" in target_file %}
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
-{%   elif "arm32v7" in target_file %}
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
-{%   endif %}
-{% endif %}
+RUN cargo build --features ${DB} --release{{ package_arch_target_param }}
 RUN find . -not -path "./target*" -delete
 
 # Copies the complete project
@@ -224,22 +176,10 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
+RUN cargo build --features ${DB} --release{{ package_arch_target_param }}
 {% if "alpine" in target_file %}
-{%   if "amd64" in target_file %}
-RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
-{%   elif "arm32v7" in target_file %}
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
-RUN musl-strip target/armv7-unknown-linux-musleabihf/release/bitwarden_rs
-{%   endif %}
-{% elif "alpine" not in target_file %}
-{%   if "amd64" in target_file %}
-RUN cargo build --features ${DB} --release
-{%   elif "arm64v8" in target_file %}
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
-{%   elif "arm32v6" in target_file %}
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
-{%   elif "arm32v7" in target_file %}
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+{%   if "arm32v7" in target_file %}
+RUN musl-strip target/{{ package_arch_target }}/release/bitwarden_rs
 {%   endif %}
 {% endif %}
 
@@ -264,11 +204,13 @@ RUN [ "cross-build-start" ]
 RUN apk add --no-cache \
         openssl \
         curl \
-{%   if "sqlite" in target_file %}
+{%   if "sqlite" in features %}
         sqlite \
-{%   elif "mysql" in target_file %}
+{%   endif %}
+{%   if "mysql" in features %}
         mariadb-connector-c \
-{%   elif "postgresql" in target_file %}
+{%   endif %}
+{%   if "postgresql" in features %}
         postgresql-libs \
 {%   endif %}
         ca-certificates
@@ -301,22 +243,10 @@ EXPOSE 3012
 # and the binary from the "build" stage to the current stage
 COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
-{% if "alpine" in target_file %}
-{%   if "amd64" in target_file %}
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
-{%   elif "arm32v7" in target_file %}
-COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/bitwarden_rs .
-{%   endif %}
-{% elif "alpine" not in target_file %}
-{%   if "arm64v8" in target_file %}
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
-{%   elif "arm32v6" in target_file %}
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
-{%   elif "arm32v7" in target_file %}
-COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
-{%   else %}
-COPY --from=build app/target/release/bitwarden_rs .
-{%   endif %}
+{% if package_arch_target is defined %}
+COPY --from=build /app/target/{{ package_arch_target }}/release/bitwarden_rs .
+{% else %}
+COPY --from=build /app/target/release/bitwarden_rs .
 {% endif %}
 
 COPY docker/healthcheck.sh /healthcheck.sh

docker/amd64/Dockerfile

@@ -10,15 +10,15 @@
 #  It can be viewed in multiple ways:
 #  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
 #  - From the console, with the following commands:
-#      docker pull bitwardenrs/web-vault:v2.16.1
-#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
 #
 #  - To do the opposite, and get the tag from the hash, you can do:
-#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
-FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.46 as build
+FROM rust:1.48 as build
 
 # Debian-based builds support multidb
 ARG DB=sqlite,mysql,postgresql
@@ -92,7 +92,7 @@ EXPOSE 3012
 # and the binary from the "build" stage to the current stage
 COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
-COPY --from=build app/target/release/bitwarden_rs .
+COPY --from=build /app/target/release/bitwarden_rs .
 
 COPY docker/healthcheck.sh /healthcheck.sh
 COPY docker/start.sh /start.sh

docker/amd64/Dockerfile.alpine

@@ -10,18 +10,18 @@
 #  It can be viewed in multiple ways:
 #  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
 #  - From the console, with the following commands:
-#      docker pull bitwardenrs/web-vault:v2.16.1
-#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
 #
 #  - To do the opposite, and get the tag from the hash, you can do:
-#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
-FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM clux/muslrust:nightly-2020-10-02 as build
+FROM clux/muslrust:nightly-2020-11-22 as build
 
-# Alpine only works on SQlite
-ARG DB=sqlite
+# Alpine-based AMD64 (musl) does not support mysql/mariadb during compile time.
+ARG DB=sqlite,postgresql
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
@@ -32,7 +32,6 @@ RUN rustup set profile minimal
 ENV USER "root"
 ENV RUSTFLAGS='-C link-arg=-s'
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -75,6 +74,8 @@ ENV SSL_CERT_DIR=/etc/ssl/certs
 RUN apk add --no-cache \
         openssl \
         curl \
+        sqlite \
+        postgresql-libs \
         ca-certificates
 
 RUN mkdir /data

docker/arm32v6/Dockerfile

@@ -10,15 +10,15 @@
 #  It can be viewed in multiple ways:
 #  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
 #  - From the console, with the following commands:
-#      docker pull bitwardenrs/web-vault:v2.16.1
-#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
 #
 #  - To do the opposite, and get the tag from the hash, you can do:
-#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
-FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.46 as build
+FROM rust:1.48 as build
 
 # Debian-based builds support multidb
 ARG DB=sqlite,mysql,postgresql
@@ -70,12 +70,10 @@ COPY ./build.rs ./build.rs
 # We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
 # We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armel version.
 # What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y libmariadb3:amd64 && \
-    mkdir -pv /tmp/dpkg && \
-    cd /tmp/dpkg && \
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
     apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i *.deb && \
-    rm -rf /tmp/dpkg
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
 
 # For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
 # The libpq5:armel package seems to not provide a symlink to libpq.so.5 with the name libpq.so.

docker/arm32v7/Dockerfile

@@ -10,15 +10,15 @@
 #  It can be viewed in multiple ways:
 #  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
 #  - From the console, with the following commands:
-#      docker pull bitwardenrs/web-vault:v2.16.1
-#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
 #
 #  - To do the opposite, and get the tag from the hash, you can do:
-#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
-FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.46 as build
+FROM rust:1.48 as build
 
 # Debian-based builds support multidb
 ARG DB=sqlite,mysql,postgresql
@@ -70,12 +70,10 @@ COPY ./build.rs ./build.rs
 # We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
 # We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armhf version.
 # What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y libmariadb3:amd64 && \
-    mkdir -pv /tmp/dpkg && \
-    cd /tmp/dpkg && \
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
     apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i *.deb && \
-    rm -rf /tmp/dpkg
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
 
 # For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
 # The libpq5:armhf package seems to not provide a symlink to libpq.so.5 with the name libpq.so.

docker/arm32v7/Dockerfile.alpine

@@ -10,17 +10,17 @@
 #  It can be viewed in multiple ways:
 #  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
 #  - From the console, with the following commands:
-#      docker pull bitwardenrs/web-vault:v2.16.1
-#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
 #
 #  - To do the opposite, and get the tag from the hash, you can do:
-#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
-FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
 
 ########################## BUILD IMAGE  ##########################
 FROM messense/rust-musl-cross:armv7-musleabihf as build
 
-# Alpine only works on SQlite
+# Alpine-based ARM (musl) only supports sqlite during compile time.
 ARG DB=sqlite
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
@@ -32,7 +32,6 @@ RUN rustup set profile minimal
 ENV USER "root"
 ENV RUSTFLAGS='-C link-arg=-s'
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -78,6 +77,7 @@ RUN [ "cross-build-start" ]
 RUN apk add --no-cache \
         openssl \
         curl \
+        sqlite \
         ca-certificates
 RUN apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community catatonit
 

docker/arm64v8/Dockerfile

@@ -10,15 +10,15 @@
 #  It can be viewed in multiple ways:
 #  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
 #  - From the console, with the following commands:
-#      docker pull bitwardenrs/web-vault:v2.16.1
-#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
 #
 #  - To do the opposite, and get the tag from the hash, you can do:
-#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
-FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.46 as build
+FROM rust:1.48 as build
 
 # Debian-based builds support multidb
 ARG DB=sqlite,mysql,postgresql
@@ -70,12 +70,10 @@ COPY ./build.rs ./build.rs
 # We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
 # We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :arm64 version.
 # What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y libmariadb3:amd64 && \
-    mkdir -pv /tmp/dpkg && \
-    cd /tmp/dpkg && \
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
     apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i *.deb && \
-    rm -rf /tmp/dpkg
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
 
 # For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
 # The libpq5:arm64 package seems to not provide a symlink to libpq.so.5 with the name libpq.so.

migrations/mysql/2020-11-30-224000_add_user_enabled/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN enabled BOOLEAN NOT NULL DEFAULT 1;

migrations/mysql/2020-12-09-173101_add_stamp_exception/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN stamp_exception TEXT DEFAULT NULL;

migrations/postgresql/2020-11-30-224000_add_user_enabled/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN enabled BOOLEAN NOT NULL DEFAULT true;

migrations/postgresql/2020-12-09-173101_add_stamp_exception/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN stamp_exception TEXT DEFAULT NULL;

migrations/sqlite/2020-11-30-224000_add_user_enabled/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN enabled BOOLEAN NOT NULL DEFAULT 1;

migrations/sqlite/2020-12-09-173101_add_stamp_exception/up.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN stamp_exception TEXT DEFAULT NULL;

rust-toolchain

@@ -1 +1 @@
-nightly-2020-07-11
+nightly-2020-11-22

src/api/admin.rs

@@ -18,7 +18,7 @@ use crate::{
     db::{backup_database, models::*, DbConn, DbConnType},
     error::{Error, MapResult},
     mail,
-    util::get_display_size,
+    util::{get_display_size, format_naive_datetime_local},
     CONFIG,
 };
 
@@ -36,6 +36,8 @@ pub fn routes() -> Vec<Route> {
         logout,
         delete_user,
         deauth_user,
+        disable_user,
+        enable_user,
         remove_2fa,
         update_revision_users,
         post_config,
@@ -291,12 +293,19 @@ fn get_users_json(_token: AdminToken, conn: DbConn) -> JsonResult {
 #[get("/users/overview")]
 fn users_overview(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
     let users = User::get_all(&conn);
+    let dt_fmt = "%Y-%m-%d %H:%M:%S %Z";
     let users_json: Vec<Value> = users.iter()
         .map(|u| {
             let mut usr = u.to_json(&conn);
             usr["cipher_count"] = json!(Cipher::count_owned_by_user(&u.uuid, &conn));
             usr["attachment_count"] = json!(Attachment::count_by_user(&u.uuid, &conn));
             usr["attachment_size"] = json!(get_display_size(Attachment::size_by_user(&u.uuid, &conn) as i32));
+            usr["user_enabled"] = json!(u.enabled);
+            usr["created_at"] = json!(format_naive_datetime_local(&u.created_at, dt_fmt));
+            usr["last_active"] = match u.last_active(&conn) {
+                Some(dt) => json!(format_naive_datetime_local(&dt, dt_fmt)),
+                None => json!("Never")
+            };
             usr
     }).collect();
 
@@ -319,6 +328,24 @@ fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
     user.save(&conn)
 }
 
+#[post("/users/<uuid>/disable")]
+fn disable_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
+    Device::delete_all_by_user(&user.uuid, &conn)?;
+    user.reset_security_stamp();
+    user.enabled = false;
+
+    user.save(&conn)
+}
+
+#[post("/users/<uuid>/enable")]
+fn enable_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
+    user.enabled = true;
+
+    user.save(&conn)
+}
+
 #[post("/users/<uuid>/remove-2fa")]
 fn remove_2fa(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
     let mut user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
@@ -420,7 +447,7 @@ fn diagnostics(_token: AdminToken, _conn: DbConn) -> ApiResult<Html<String>> {
     // Run the date check as the last item right before filling the json.
     // This should ensure that the time difference between the browser and the server is as minimal as possible.
     let dt = Utc::now();
-    let server_time = dt.format("%Y-%m-%d %H:%M:%S").to_string();
+    let server_time = dt.format("%Y-%m-%d %H:%M:%S UTC").to_string();
 
     let diagnostics_json = json!({
         "dns_resolved": dns_resolved,

src/api/core/accounts.rs

@@ -115,7 +115,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
         user.client_kdf_type = client_kdf_type;
     }
 
-    user.set_password(&data.MasterPasswordHash);
+    user.set_password(&data.MasterPasswordHash, None);
     user.akey = data.Key;
 
     // Add extra fields if present
@@ -232,7 +232,7 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
         err!("Invalid password")
     }
 
-    user.set_password(&data.NewMasterPasswordHash);
+    user.set_password(&data.NewMasterPasswordHash, Some("post_rotatekey"));
     user.akey = data.Key;
     user.save(&conn)
 }
@@ -259,7 +259,7 @@ fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) ->
 
     user.client_kdf_iter = data.KdfIterations;
     user.client_kdf_type = data.Kdf;
-    user.set_password(&data.NewMasterPasswordHash);
+    user.set_password(&data.NewMasterPasswordHash, None);
     user.akey = data.Key;
     user.save(&conn)
 }
@@ -338,6 +338,7 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt:
     user.akey = data.Key;
     user.private_key = Some(data.PrivateKey);
     user.reset_security_stamp();
+    user.reset_stamp_exception();
 
     user.save(&conn)
 }
@@ -445,7 +446,7 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
     user.email_new = None;
     user.email_new_token = None;
 
-    user.set_password(&data.NewMasterPasswordHash);
+    user.set_password(&data.NewMasterPasswordHash, None);
     user.akey = data.Key;
 
     user.save(&conn)
@@ -460,7 +461,7 @@ fn post_verify_email(headers: Headers, _conn: DbConn) -> EmptyResult {
     }
 
     if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
-        error!("Error sending delete account email: {:#?}", e);
+        error!("Error sending verify_email email: {:#?}", e);
     }
 
     Ok(())

src/api/core/ciphers.rs

@@ -1,6 +1,7 @@
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
 
+use chrono::{NaiveDateTime, Utc};
 use rocket::{http::ContentType, request::Form, Data, Route};
 use rocket_contrib::json::Json;
 use serde_json::Value;
@@ -17,6 +18,16 @@ use crate::{
 };
 
 pub fn routes() -> Vec<Route> {
+    // Note that many routes have an `admin` variant; this seems to be
+    // because the stored procedure that upstream Bitwarden uses to determine
+    // whether the user can edit a cipher doesn't take into account whether
+    // the user is an org owner/admin. The `admin` variant first checks
+    // whether the user is an owner/admin of the relevant org, and if so,
+    // allows the operation unconditionally.
+    //
+    // bitwarden_rs factors in the org owner/admin status as part of
+    // determining the write accessibility of a cipher, so most
+    // admin/non-admin implementations can be shared.
     routes![
         sync,
         get_ciphers,
@@ -38,7 +49,7 @@ pub fn routes() -> Vec<Route> {
         post_cipher_admin,
         post_cipher_share,
         put_cipher_share,
-        put_cipher_share_seleted,
+        put_cipher_share_selected,
         post_cipher,
         put_cipher,
         delete_cipher_post,
@@ -50,6 +61,9 @@ pub fn routes() -> Vec<Route> {
         delete_cipher_selected,
         delete_cipher_selected_post,
         delete_cipher_selected_put,
+        delete_cipher_selected_admin,
+        delete_cipher_selected_post_admin,
+        delete_cipher_selected_put_admin,
         restore_cipher_put,
         restore_cipher_put_admin,
         restore_cipher_selected,
@@ -181,6 +195,14 @@ pub struct CipherData {
     #[serde(rename = "Attachments")]
     _Attachments: Option<Value>, // Unused, contains map of {id: filename}
     Attachments2: Option<HashMap<String, Attachments2Data>>,
+
+    // The revision datetime (in ISO 8601 format) of the client's local copy
+    // of the cipher. This is used to prevent a client from updating a cipher
+    // when it doesn't have the latest version, as that can result in data
+    // loss. It's not an error when no value is provided; this can happen
+    // when using older client versions, or if the operation doesn't involve
+    // updating an existing cipher.
+    LastKnownRevisionDate: Option<String>,
 }
 
 #[derive(Deserialize, Debug)]
@@ -190,22 +212,35 @@ pub struct Attachments2Data {
     Key: String,
 }
 
+/// Called when an org admin clones an org cipher.
 #[post("/ciphers/admin", data = "<data>")]
 fn post_ciphers_admin(data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
-    let data: ShareCipherData = data.into_inner().data;
+    post_ciphers_create(data, headers, conn, nt)
+}
+
+/// Called when creating a new org-owned cipher, or cloning a cipher (whether
+/// user- or org-owned). When cloning a cipher to a user-owned cipher,
+/// `organizationId` is null.
+#[post("/ciphers/create", data = "<data>")]
+fn post_ciphers_create(data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
+    let mut data: ShareCipherData = data.into_inner().data;
 
     let mut cipher = Cipher::new(data.Cipher.Type, data.Cipher.Name.clone());
     cipher.user_uuid = Some(headers.user.uuid.clone());
     cipher.save(&conn)?;
 
+    // When cloning a cipher, the Bitwarden clients seem to set this field
+    // based on the cipher being cloned (when creating a new cipher, it's set
+    // to null as expected). However, `cipher.created_at` is initialized to
+    // the current time, so the stale data check will end up failing down the
+    // line. Since this function only creates new ciphers (whether by cloning
+    // or otherwise), we can just ignore this field entirely.
+    data.Cipher.LastKnownRevisionDate = None;
+
     share_cipher_by_uuid(&cipher.uuid, data, &headers, &conn, &nt)
 }
 
-#[post("/ciphers/create", data = "<data>")]
-fn post_ciphers_create(data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
-    post_ciphers_admin(data, headers, conn, nt)
-}
-
+/// Called when creating a new user-owned cipher.
 #[post("/ciphers", data = "<data>")]
 fn post_ciphers(data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
     let data: CipherData = data.into_inner().data;
@@ -225,6 +260,17 @@ pub fn update_cipher_from_data(
     nt: &Notify,
     ut: UpdateType,
 ) -> EmptyResult {
+    // Check that the client isn't updating an existing cipher with stale data.
+    if let Some(dt) = data.LastKnownRevisionDate {
+        match NaiveDateTime::parse_from_str(&dt, "%+") { // ISO 8601 format
+            Err(err) =>
+                warn!("Error parsing LastKnownRevisionDate '{}': {}", dt, err),
+            Ok(dt) if cipher.updated_at.signed_duration_since(dt).num_seconds() > 1 =>
+                err!("The client copy of this cipher is out of date. Resync the client and try again."),
+            Ok(_) => (),
+        }
+    }
+
     if cipher.organization_uuid.is_some() && cipher.organization_uuid != data.OrganizationId {
         err!("Organization mismatch. Please resync the client before updating the cipher")
     }
@@ -374,6 +420,7 @@ fn post_ciphers_import(data: JsonUpcase<ImportData>, headers: Headers, conn: DbC
     Ok(())
 }
 
+/// Called when an org admin modifies an existing org cipher.
 #[put("/ciphers/<uuid>/admin", data = "<data>")]
 fn put_cipher_admin(
     uuid: String,
@@ -548,7 +595,7 @@ struct ShareSelectedCipherData {
 }
 
 #[put("/ciphers/share", data = "<data>")]
-fn put_cipher_share_seleted(
+fn put_cipher_share_selected(
     data: JsonUpcase<ShareSelectedCipherData>,
     headers: Headers,
     conn: DbConn,
@@ -862,7 +909,22 @@ fn delete_cipher_selected_post(data: JsonUpcase<Value>, headers: Headers, conn:
 
 #[put("/ciphers/delete", data = "<data>")]
 fn delete_cipher_selected_put(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
-    _delete_multiple_ciphers(data, headers, conn, true, nt)
+    _delete_multiple_ciphers(data, headers, conn, true, nt) // soft delete
+}
+
+#[delete("/ciphers/admin", data = "<data>")]
+fn delete_cipher_selected_admin(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    delete_cipher_selected(data, headers, conn, nt)
+}
+
+#[post("/ciphers/delete-admin", data = "<data>")]
+fn delete_cipher_selected_post_admin(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    delete_cipher_selected_post(data, headers, conn, nt)
+}
+
+#[put("/ciphers/delete-admin", data = "<data>")]
+fn delete_cipher_selected_put_admin(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    delete_cipher_selected_put(data, headers, conn, nt)
 }
 
 #[put("/ciphers/<uuid>/restore")]
@@ -1002,7 +1064,7 @@ fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, soft_del
     }
 
     if soft_delete {
-        cipher.deleted_at = Some(chrono::Utc::now().naive_utc());
+        cipher.deleted_at = Some(Utc::now().naive_utc());
         cipher.save(&conn)?;
         nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
     } else {

src/api/core/organizations.rs

@@ -5,7 +5,7 @@ use serde_json::Value;
 
 use crate::{
     api::{EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData, UpdateType},
-    auth::{decode_invite, AdminHeaders, Headers, OwnerHeaders},
+    auth::{decode_invite, AdminHeaders, Headers, OwnerHeaders, ManagerHeaders, ManagerHeadersLoose},
     db::{models::*, DbConn},
     mail, CONFIG,
 };
@@ -217,7 +217,7 @@ fn get_org_collections(org_id: String, _headers: AdminHeaders, conn: DbConn) ->
 #[post("/organizations/<org_id>/collections", data = "<data>")]
 fn post_organization_collections(
     org_id: String,
-    _headers: AdminHeaders,
+    headers: ManagerHeadersLoose,
     data: JsonUpcase<NewCollectionData>,
     conn: DbConn,
 ) -> JsonResult {
@@ -228,9 +228,22 @@ fn post_organization_collections(
         None => err!("Can't find organization details"),
     };
 
+    // Get the user_organization record so that we can check if the user has access to all collections.
+    let user_org = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
+        Some(u) => u,
+        None => err!("User is not part of organization"),
+    };
+
     let collection = Collection::new(org.uuid, data.Name);
     collection.save(&conn)?;
 
+    // If the user doesn't have access to all collections, only in case of a Manger,
+    // then we need to save the creating user uuid (Manager) to the users_collection table.
+    // Else the user will not have access to his own created collection.
+    if !user_org.access_all {
+        CollectionUser::save(&headers.user.uuid, &collection.uuid, false, false, &conn)?;
+    }
+
     Ok(Json(collection.to_json()))
 }
 
@@ -238,7 +251,7 @@ fn post_organization_collections(
 fn put_organization_collection_update(
     org_id: String,
     col_id: String,
-    headers: AdminHeaders,
+    headers: ManagerHeaders,
     data: JsonUpcase<NewCollectionData>,
     conn: DbConn,
 ) -> JsonResult {
@@ -249,7 +262,7 @@ fn put_organization_collection_update(
 fn post_organization_collection_update(
     org_id: String,
     col_id: String,
-    _headers: AdminHeaders,
+    _headers: ManagerHeaders,
     data: JsonUpcase<NewCollectionData>,
     conn: DbConn,
 ) -> JsonResult {
@@ -317,7 +330,7 @@ fn post_organization_collection_delete_user(
 }
 
 #[delete("/organizations/<org_id>/collections/<col_id>")]
-fn delete_organization_collection(org_id: String, col_id: String, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+fn delete_organization_collection(org_id: String, col_id: String, _headers: ManagerHeaders, conn: DbConn) -> EmptyResult {
     match Collection::find_by_uuid(&col_id, &conn) {
         None => err!("Collection not found"),
         Some(collection) => {
@@ -341,7 +354,7 @@ struct DeleteCollectionData {
 fn post_organization_collection_delete(
     org_id: String,
     col_id: String,
-    headers: AdminHeaders,
+    headers: ManagerHeaders,
     _data: JsonUpcase<DeleteCollectionData>,
     conn: DbConn,
 ) -> EmptyResult {
@@ -349,7 +362,7 @@ fn post_organization_collection_delete(
 }
 
 #[get("/organizations/<org_id>/collections/<coll_id>/details")]
-fn get_org_collection_detail(org_id: String, coll_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult {
+fn get_org_collection_detail(org_id: String, coll_id: String, headers: ManagerHeaders, conn: DbConn) -> JsonResult {
     match Collection::find_by_uuid_and_user(&coll_id, &headers.user.uuid, &conn) {
         None => err!("Collection not found"),
         Some(collection) => {
@@ -363,7 +376,7 @@ fn get_org_collection_detail(org_id: String, coll_id: String, headers: AdminHead
 }
 
 #[get("/organizations/<org_id>/collections/<coll_id>/users")]
-fn get_collection_users(org_id: String, coll_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+fn get_collection_users(org_id: String, coll_id: String, _headers: ManagerHeaders, conn: DbConn) -> JsonResult {
     // Get org and collection, check that collection is from org
     let collection = match Collection::find_by_uuid_and_org(&coll_id, &org_id, &conn) {
         None => err!("Collection not found in Organization"),
@@ -388,7 +401,7 @@ fn put_collection_users(
     org_id: String,
     coll_id: String,
     data: JsonUpcaseVec<CollectionData>,
-    _headers: AdminHeaders,
+    _headers: ManagerHeaders,
     conn: DbConn,
 ) -> EmptyResult {
     // Get org and collection, check that collection is from org
@@ -440,7 +453,7 @@ fn get_org_details(data: Form<OrgIdData>, headers: Headers, conn: DbConn) -> Jso
 }
 
 #[get("/organizations/<org_id>/users")]
-fn get_org_users(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+fn get_org_users(org_id: String, _headers: ManagerHeadersLoose, conn: DbConn) -> JsonResult {
     let users = UserOrganization::find_by_org(&org_id, &conn);
     let users_json: Vec<Value> = users.iter().map(|c| c.to_json_user_details(&conn)).collect();
 

src/api/icons.rs

@@ -1,13 +1,15 @@
 use std::{
+    collections::HashMap,
     fs::{create_dir_all, remove_file, symlink_metadata, File},
     io::prelude::*,
     net::{IpAddr, ToSocketAddrs},
+    sync::RwLock,
     time::{Duration, SystemTime},
 };
 
 use once_cell::sync::Lazy;
 use regex::Regex;
-use reqwest::{blocking::Client, blocking::Response, header::HeaderMap, Url};
+use reqwest::{blocking::Client, blocking::Response, header, Url};
 use rocket::{http::ContentType, http::Cookie, response::Content, Route};
 use soup::prelude::*;
 
@@ -17,33 +19,67 @@ pub fn routes() -> Vec<Route> {
     routes![icon]
 }
 
-const FALLBACK_ICON: &[u8; 344] = include_bytes!("../static/fallback-icon.png");
-
 const ALLOWED_CHARS: &str = "_-.";
 
 static CLIENT: Lazy<Client> = Lazy::new(|| {
+    // Generate the default headers
+    let mut default_headers = header::HeaderMap::new();
+    default_headers.insert(header::USER_AGENT, header::HeaderValue::from_static("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"));
+    default_headers.insert(header::ACCEPT_LANGUAGE, header::HeaderValue::from_static("en-US,en;q=0.8"));
+    default_headers.insert(header::CACHE_CONTROL, header::HeaderValue::from_static("no-cache"));
+    default_headers.insert(header::PRAGMA, header::HeaderValue::from_static("no-cache"));
+    default_headers.insert(header::ACCEPT, header::HeaderValue::from_static("text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8"));
+
     // Reuse the client between requests
     Client::builder()
         .timeout(Duration::from_secs(CONFIG.icon_download_timeout()))
-        .default_headers(_header_map())
+        .default_headers(default_headers)
         .build()
         .unwrap()
 });
 
-static ICON_REL_REGEX: Lazy<Regex> = Lazy::new(|| Regex::new(r"icon$|apple.*icon").unwrap());
-static ICON_HREF_REGEX: Lazy<Regex> =
-    Lazy::new(|| Regex::new(r"(?i)\w+\.(jpg|jpeg|png|ico)(\?.*)?$|^data:image.*base64").unwrap());
+// Build Regex only once since this takes a lot of time.
+static ICON_REL_REGEX: Lazy<Regex> = Lazy::new(|| Regex::new(r"(?i)icon$|apple.*icon").unwrap());
 static ICON_SIZE_REGEX: Lazy<Regex> = Lazy::new(|| Regex::new(r"(?x)(\d+)\D*(\d+)").unwrap());
 
+// Special HashMap which holds the user defined Regex to speedup matching the regex.
+static ICON_BLACKLIST_REGEX: Lazy<RwLock<HashMap<String, Regex>>> = Lazy::new(|| RwLock::new(HashMap::new()));
+
+#[get("/<domain>/icon.png")]
+fn icon(domain: String) -> Option<Cached<Content<Vec<u8>>>> {
+    if !is_valid_domain(&domain) {
+        warn!("Invalid domain: {}", domain);
+        return None;
+    }
+
+    get_icon(&domain).map(|icon| Cached::long(Content(ContentType::new("image", "x-icon"), icon)))
+}
+
+/// Returns if the domain provided is valid or not.
+///
+/// This does some manual checks and makes use of Url to do some basic checking.
+/// domains can't be larger then 63 characters (not counting multiple subdomains) according to the RFC's, but we limit the total size to 255.
 fn is_valid_domain(domain: &str) -> bool {
-    // Don't allow empty or too big domains or path traversal
-    if domain.is_empty() || domain.len() > 255 || domain.contains("..") {
+    // If parsing the domain fails using Url, it will not work with reqwest.
+    if let Err(parse_error) = Url::parse(format!("https://{}", domain).as_str()) {
+        debug!("Domain parse error: '{}' - {:?}", domain, parse_error);
+        return false;
+    } else if domain.is_empty()
+        || domain.contains("..")
+        || domain.starts_with('.')
+        || domain.starts_with('-')
+        || domain.ends_with('-')
+    {
+        debug!("Domain validation error: '{}' is either empty, contains '..', starts with an '.', starts or ends with a '-'", domain);
+        return false;
+    } else if domain.len() > 255 {
+        debug!("Domain validation error: '{}' exceeds 255 characters", domain);
         return false;
     }
 
-    // Only alphanumeric or specific characters
     for c in domain.chars() {
         if !c.is_alphanumeric() && !ALLOWED_CHARS.contains(c) {
+            debug!("Domain validation error: '{}' contains an invalid character '{}'", domain, c);
             return false;
         }
     }
@@ -51,21 +87,10 @@ fn is_valid_domain(domain: &str) -> bool {
     true
 }
 
-#[get("/<domain>/icon.png")]
-fn icon(domain: String) -> Cached<Content<Vec<u8>>> {
-    let icon_type = ContentType::new("image", "x-icon");
-
-    if !is_valid_domain(&domain) {
-        warn!("Invalid domain: {:#?}", domain);
-        return Cached::long(Content(icon_type, FALLBACK_ICON.to_vec()));
-    }
-
-    Cached::long(Content(icon_type, get_icon(&domain)))
-}
-
 /// TODO: This is extracted from IpAddr::is_global, which is unstable:
 /// https://doc.rust-lang.org/nightly/std/net/enum.IpAddr.html#method.is_global
 /// Remove once https://github.com/rust-lang/rust/issues/27709 is merged
+#[allow(clippy::nonminimal_bool)]
 #[cfg(not(feature = "unstable"))]
 fn is_global(ip: IpAddr) -> bool {
     match ip {
@@ -161,7 +186,7 @@ mod tests {
     }
 }
 
-fn check_icon_domain_is_blacklisted(domain: &str) -> bool {
+fn is_domain_blacklisted(domain: &str) -> bool {
     let mut is_blacklisted = CONFIG.icon_blacklist_non_global_ips()
         && (domain, 0)
             .to_socket_addrs()
@@ -179,7 +204,31 @@ fn check_icon_domain_is_blacklisted(domain: &str) -> bool {
     // Skip the regex check if the previous one is true already
     if !is_blacklisted {
         if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
-            let regex = Regex::new(&blacklist).expect("Valid Regex");
+            let mut regex_hashmap = ICON_BLACKLIST_REGEX.read().unwrap();
+
+            // Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.
+            let regex = if let Some(regex) = regex_hashmap.get(&blacklist) {
+                regex
+            } else {
+                drop(regex_hashmap);
+
+                let mut regex_hashmap_write = ICON_BLACKLIST_REGEX.write().unwrap();
+                // Clear the current list if the previous key doesn't exists.
+                // To prevent growing of the HashMap after someone has changed it via the admin interface.
+                if regex_hashmap_write.len() >= 1 {
+                    regex_hashmap_write.clear();
+                }
+
+                // Generate the regex to store in too the Lazy Static HashMap.
+                let blacklist_regex = Regex::new(&blacklist).unwrap();
+                regex_hashmap_write.insert(blacklist.to_string(), blacklist_regex);
+                drop(regex_hashmap_write);
+
+                regex_hashmap = ICON_BLACKLIST_REGEX.read().unwrap();
+                regex_hashmap.get(&blacklist).unwrap()
+            };
+
+            // Use the pre-generate Regex stored in a Lazy HashMap.
             if regex.is_match(&domain) {
                 warn!("Blacklisted domain: {:#?} matched {:#?}", domain, blacklist);
                 is_blacklisted = true;
@@ -190,39 +239,38 @@ fn check_icon_domain_is_blacklisted(domain: &str) -> bool {
     is_blacklisted
 }
 
-fn get_icon(domain: &str) -> Vec<u8> {
+fn get_icon(domain: &str) -> Option<Vec<u8>> {
     let path = format!("{}/{}.png", CONFIG.icon_cache_folder(), domain);
 
+    // Check for expiration of negatively cached copy
+    if icon_is_negcached(&path) {
+        return None;
+    }
+
     if let Some(icon) = get_cached_icon(&path) {
-        return icon;
+        return Some(icon);
     }
 
     if CONFIG.disable_icon_download() {
-        return FALLBACK_ICON.to_vec();
+        return None;
     }
 
-    // Get the icon, or fallback in case of error
+    // Get the icon, or None in case of error
     match download_icon(&domain) {
         Ok(icon) => {
             save_icon(&path, &icon);
-            icon
+            Some(icon)
         }
         Err(e) => {
             error!("Error downloading icon: {:?}", e);
             let miss_indicator = path + ".miss";
-            let empty_icon = Vec::new();
-            save_icon(&miss_indicator, &empty_icon);
-            FALLBACK_ICON.to_vec()
+            save_icon(&miss_indicator, &[]);
+            None
         }
     }
 }
 
 fn get_cached_icon(path: &str) -> Option<Vec<u8>> {
-    // Check for expiration of negatively cached copy
-    if icon_is_negcached(path) {
-        return Some(FALLBACK_ICON.to_vec());
-    }
-
     // Check for expiration of successfully cached copy
     if icon_is_expired(path) {
         return None;
@@ -284,6 +332,12 @@ impl Icon {
     }
 }
 
+struct IconUrlResult {
+    iconlist: Vec<Icon>,
+    cookies: String,
+    referer: String,
+}
+
 /// Returns a Result/Tuple which holds a Vector IconList and a string which holds the cookies from the last response.
 /// There will always be a result with a string which will contain https://example.com/favicon.ico and an empty string for the cookies.
 /// This does not mean that that location does exists, but it is the default location browser use.
@@ -296,24 +350,65 @@ impl Icon {
 /// let (mut iconlist, cookie_str) = get_icon_url("github.com")?;
 /// let (mut iconlist, cookie_str) = get_icon_url("gitlab.com")?;
 /// ```
-fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
+fn get_icon_url(domain: &str) -> Result<IconUrlResult, Error> {
     // Default URL with secure and insecure schemes
     let ssldomain = format!("https://{}", domain);
     let httpdomain = format!("http://{}", domain);
 
+    // First check the domain as given during the request for both HTTPS and HTTP.
+    let resp = match get_page(&ssldomain).or_else(|_| get_page(&httpdomain)) {
+        Ok(c) => Ok(c),
+        Err(e) => {
+            let mut sub_resp = Err(e);
+
+            // When the domain is not an IP, and has more then one dot, remove all subdomains.
+            let is_ip = domain.parse::<IpAddr>();
+            if is_ip.is_err() && domain.matches('.').count() > 1 {
+                let mut domain_parts = domain.split('.');
+                let base_domain = format!(
+                    "{base}.{tld}",
+                    tld = domain_parts.next_back().unwrap(),
+                    base = domain_parts.next_back().unwrap()
+                );
+                if is_valid_domain(&base_domain) {
+                    let sslbase = format!("https://{}", base_domain);
+                    let httpbase = format!("http://{}", base_domain);
+                    debug!("[get_icon_url]: Trying without subdomains '{}'", base_domain);
+
+                    sub_resp = get_page(&sslbase).or_else(|_| get_page(&httpbase));
+                }
+
+            // When the domain is not an IP, and has less then 2 dots, try to add www. infront of it.
+            } else if is_ip.is_err() && domain.matches('.').count() < 2 {
+                let www_domain = format!("www.{}", domain);
+                if is_valid_domain(&www_domain) {
+                    let sslwww = format!("https://{}", www_domain);
+                    let httpwww = format!("http://{}", www_domain);
+                    debug!("[get_icon_url]: Trying with www. prefix '{}'", www_domain);
+
+                    sub_resp = get_page(&sslwww).or_else(|_| get_page(&httpwww));
+                }
+            }
+
+            sub_resp
+        }
+    };
+
     // Create the iconlist
     let mut iconlist: Vec<Icon> = Vec::new();
 
     // Create the cookie_str to fill it all the cookies from the response
     // These cookies can be used to request/download the favicon image.
     // Some sites have extra security in place with for example XSRF Tokens.
-    let mut cookie_str = String::new();
+    let mut cookie_str = "".to_string();
+    let mut referer = "".to_string();
 
-    let resp = get_page(&ssldomain).or_else(|_| get_page(&httpdomain));
     if let Ok(content) = resp {
         // Extract the URL from the respose in case redirects occured (like @ gitlab.com)
         let url = content.url().clone();
 
+        // Get all the cookies and pass it on to the next function.
+        // Needed for XSRF Cookies for example (like @ mijn.ing.nl)
         let raw_cookies = content.headers().get_all("set-cookie");
         cookie_str = raw_cookies
             .iter()
@@ -327,6 +422,10 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
             })
             .collect::<String>();
 
+        // Set the referer to be used on the final request, some sites check this.
+        // Mostly used to prevent direct linking and other security resons.
+        referer = url.as_str().to_string();
+
         // Add the default favicon.ico to the list with the domain the content responded from.
         iconlist.push(Icon::new(35, url.join("/favicon.ico").unwrap().into_string()));
 
@@ -339,14 +438,18 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
         let favicons = soup
             .tag("link")
             .attr("rel", ICON_REL_REGEX.clone()) // Only use icon rels
-            .attr("href", ICON_HREF_REGEX.clone()) // Only allow specific extensions
+            .attr_name("href") // Make sure there is a href
             .find_all();
 
         // Loop through all the found icons and determine it's priority
         for favicon in favicons {
             let sizes = favicon.get("sizes");
-            let href = favicon.get("href").expect("Missing href");
-            let full_href = url.join(&href).unwrap().into_string();
+            let href = favicon.get("href").unwrap();
+            // Skip invalid url's
+            let full_href = match url.join(&href) {
+                Ok(h) => h.into_string(),
+                _ => continue,
+            };
 
             let priority = get_icon_priority(&full_href, sizes);
 
@@ -362,28 +465,33 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
     iconlist.sort_by_key(|x| x.priority);
 
     // There always is an icon in the list, so no need to check if it exists, and just return the first one
-    Ok((iconlist, cookie_str))
+    Ok(IconUrlResult{
+        iconlist,
+        cookies: cookie_str,
+        referer
+    })
 }
 
 fn get_page(url: &str) -> Result<Response, Error> {
-    get_page_with_cookies(url, "")
+    get_page_with_cookies(url, "", "")
 }
 
-fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error> {
-    if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
-        err!("Favicon rel linked to a non blacklisted domain!");
+fn get_page_with_cookies(url: &str, cookie_str: &str, referer: &str) -> Result<Response, Error> {
+    if is_domain_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
+        err!("Favicon rel linked to a blacklisted domain!");
     }
 
-    if cookie_str.is_empty() {
-        CLIENT.get(url).send()?.error_for_status().map_err(Into::into)
-    } else {
-        CLIENT
-            .get(url)
-            .header("cookie", cookie_str)
-            .send()?
-            .error_for_status()
-            .map_err(Into::into)
+    let mut client = CLIENT.get(url);
+    if !cookie_str.is_empty() {
+        client = client.header("Cookie", cookie_str)
     }
+    if !referer.is_empty() {
+        client = client.header("Referer", referer)
+    }
+
+    client.send()?
+        .error_for_status()
+        .map_err(Into::into)
 }
 
 /// Returns a Integer with the priority of the type of the icon which to prefer.
@@ -411,7 +519,7 @@ fn get_icon_priority(href: &str, sizes: Option<String>) -> u8 {
                 1
             } else if width == 64 {
                 2
-            } else if width >= 24 && width <= 128 {
+            } else if (24..=128).contains(&width) {
                 3
             } else if width == 16 {
                 4
@@ -466,17 +574,17 @@ fn parse_sizes(sizes: Option<String>) -> (u16, u16) {
 }
 
 fn download_icon(domain: &str) -> Result<Vec<u8>, Error> {
-    if check_icon_domain_is_blacklisted(domain) {
+    if is_domain_blacklisted(domain) {
         err!("Domain is blacklisted", domain)
     }
 
-    let (iconlist, cookie_str) = get_icon_url(&domain)?;
+    let icon_result = get_icon_url(&domain)?;
 
     let mut buffer = Vec::new();
 
     use data_url::DataUrl;
 
-    for icon in iconlist.iter().take(5) {
+    for icon in icon_result.iconlist.iter().take(5) {
         if icon.href.starts_with("data:image") {
             let datauri = DataUrl::process(&icon.href).unwrap();
             // Check if we are able to decode the data uri
@@ -491,13 +599,13 @@ fn download_icon(domain: &str) -> Result<Vec<u8>, Error> {
                 _ => warn!("data uri is invalid"),
             };
         } else {
-            match get_page_with_cookies(&icon.href, &cookie_str) {
+            match get_page_with_cookies(&icon.href, &icon_result.cookies, &icon_result.referer) {
                 Ok(mut res) => {
                     info!("Downloaded icon from {}", icon.href);
                     res.copy_to(&mut buffer)?;
                     break;
-                }
-                Err(_) => info!("Download failed for {}", icon.href),
+                },
+                _ => warn!("Download failed for {}", icon.href),
             };
         }
     }
@@ -522,25 +630,3 @@ fn save_icon(path: &str, icon: &[u8]) {
         }
     }
 }
-
-fn _header_map() -> HeaderMap {
-    // Set some default headers for the request.
-    // Use a browser like user-agent to make sure most websites will return there correct website.
-    use reqwest::header::*;
-
-    macro_rules! headers {
-        ($( $name:ident : $value:literal),+ $(,)? ) => {
-            let mut headers = HeaderMap::new();
-            $( headers.insert($name, HeaderValue::from_static($value)); )+
-            headers
-        };
-    }
-
-    headers! {
-        USER_AGENT: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
-        ACCEPT_LANGUAGE: "en-US,en;q=0.8",
-        CACHE_CONTROL: "no-cache",
-        PRAGMA: "no-cache",
-        ACCEPT: "text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8",
-    }
-}

src/api/identity.rs

@@ -102,6 +102,14 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult
         )
     }
 
+    // Check if the user is disabled
+    if !user.enabled {
+        err!(
+            "This user has been disabled",
+            format!("IP: {}. Username: {}.", ip.ip, username)
+        )
+    }
+
     let now = Local::now();
 
     if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {

src/auth.rs

@@ -215,12 +215,10 @@ pub fn generate_admin_claims() -> AdminJWTClaims {
 //
 // Bearer token authentication
 //
-use rocket::{
-    request::{FromRequest, Request, Outcome},
-};
+use rocket::request::{FromRequest, Outcome, Request};
 
 use crate::db::{
-    models::{Device, User, UserOrgStatus, UserOrgType, UserOrganization},
+    models::{CollectionUser, Device, User, UserOrgStatus, UserOrgType, UserOrganization, UserStampException},
     DbConn,
 };
 
@@ -298,7 +296,25 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
         };
 
         if user.security_stamp != claims.sstamp {
-            err_handler!("Invalid security stamp")
+            if let Some(stamp_exception) = user
+                .stamp_exception
+                .as_deref()
+                .and_then(|s| serde_json::from_str::<UserStampException>(s).ok())
+            {
+                let current_route = match request.route().and_then(|r| r.name) {
+                    Some(name) => name,
+                    _ => err_handler!("Error getting current route for stamp exception"),
+                };
+
+                // Check if both match, if not this route is not allowed with the current security stamp.
+                if stamp_exception.route != current_route {
+                    err_handler!("Invalid security stamp: Current route and exception route do not match")
+                } else if stamp_exception.security_stamp != claims.sstamp {
+                    err_handler!("Invalid security stamp for matched stamp exception")
+                }
+            } else {
+                err_handler!("Invalid security stamp")
+            }
         }
 
         Outcome::Success(Headers { host, device, user })
@@ -310,6 +326,8 @@ pub struct OrgHeaders {
     pub device: Device,
     pub user: User,
     pub org_user_type: UserOrgType,
+    pub org_user: UserOrganization,
+    pub org_id: String,
 }
 
 // org_id is usually the second param ("/organizations/<org_id>")
@@ -370,6 +388,8 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
                                     err_handler!("Unknown user type in the database")
                                 }
                             },
+                            org_user,
+                            org_id,
                         })
                     }
                     _ => err_handler!("Error getting the organization id"),
@@ -419,6 +439,127 @@ impl Into<Headers> for AdminHeaders {
     }
 }
 
+// col_id is usually the forth param ("/organizations/<org_id>/collections/<col_id>")
+// But there cloud be cases where it is located in a query value.
+// First check the param, if this is not a valid uuid, we will try the query value.
+fn get_col_id(request: &Request) -> Option<String> {
+    if let Some(Ok(col_id)) = request.get_param::<String>(3) {
+        if uuid::Uuid::parse_str(&col_id).is_ok() {
+            return Some(col_id);
+        }
+    }
+
+    if let Some(Ok(col_id)) = request.get_query_value::<String>("collectionId") {
+        if uuid::Uuid::parse_str(&col_id).is_ok() {
+            return Some(col_id);
+        }
+    }
+
+    None
+}
+
+/// The ManagerHeaders are used to check if you are at least a Manager
+/// and have access to the specific collection provided via the <col_id>/collections/collectionId.
+/// This does strict checking on the collection_id, ManagerHeadersLoose does not.
+pub struct ManagerHeaders {
+    pub host: String,
+    pub device: Device,
+    pub user: User,
+    pub org_user_type: UserOrgType,
+}
+
+impl<'a, 'r> FromRequest<'a, 'r> for ManagerHeaders {
+    type Error = &'static str;
+
+    fn from_request(request: &'a Request<'r>) -> Outcome<Self, Self::Error> {
+        match request.guard::<OrgHeaders>() {
+            Outcome::Forward(_) => Outcome::Forward(()),
+            Outcome::Failure(f) => Outcome::Failure(f),
+            Outcome::Success(headers) => {
+                if headers.org_user_type >= UserOrgType::Manager {
+                    match get_col_id(request) {
+                        Some(col_id) => {
+                            let conn = match request.guard::<DbConn>() {
+                                Outcome::Success(conn) => conn,
+                                _ => err_handler!("Error getting DB"),
+                            };
+
+                            if !headers.org_user.access_all {
+                                match CollectionUser::find_by_collection_and_user(&col_id, &headers.org_user.user_uuid, &conn) {
+                                    Some(_) => (),
+                                    None => err_handler!("The current user isn't a manager for this collection"),
+                                }
+                            }
+                        }
+                        _ => err_handler!("Error getting the collection id"),
+                    }
+
+                    Outcome::Success(Self {
+                        host: headers.host,
+                        device: headers.device,
+                        user: headers.user,
+                        org_user_type: headers.org_user_type,
+                    })
+                } else {
+                    err_handler!("You need to be a Manager, Admin or Owner to call this endpoint")
+                }
+            }
+        }
+    }
+}
+
+impl Into<Headers> for ManagerHeaders {
+    fn into(self) -> Headers {
+        Headers {
+            host: self.host,
+            device: self.device,
+            user: self.user,
+        }
+    }
+}
+
+/// The ManagerHeadersLoose is used when you at least need to be a Manager,
+/// but there is no collection_id sent with the request (either in the path or as form data).
+pub struct ManagerHeadersLoose {
+    pub host: String,
+    pub device: Device,
+    pub user: User,
+    pub org_user_type: UserOrgType,
+}
+
+impl<'a, 'r> FromRequest<'a, 'r> for ManagerHeadersLoose {
+    type Error = &'static str;
+
+    fn from_request(request: &'a Request<'r>) -> Outcome<Self, Self::Error> {
+        match request.guard::<OrgHeaders>() {
+            Outcome::Forward(_) => Outcome::Forward(()),
+            Outcome::Failure(f) => Outcome::Failure(f),
+            Outcome::Success(headers) => {
+                if headers.org_user_type >= UserOrgType::Manager {
+                    Outcome::Success(Self {
+                        host: headers.host,
+                        device: headers.device,
+                        user: headers.user,
+                        org_user_type: headers.org_user_type,
+                    })
+                } else {
+                    err_handler!("You need to be a Manager, Admin or Owner to call this endpoint")
+                }
+            }
+        }
+    }
+}
+
+impl Into<Headers> for ManagerHeadersLoose {
+    fn into(self) -> Headers {
+        Headers {
+            host: self.host,
+            device: self.device,
+            user: self.user,
+        }
+    }
+}
+
 pub struct OwnerHeaders {
     pub host: String,
     pub device: Device,

src/config.rs

@@ -53,7 +53,32 @@ macro_rules! make_config {
 
         impl ConfigBuilder {
             fn from_env() -> Self {
-                dotenv::from_path(".env").ok();
+                match dotenv::from_path(".env") {
+                    Ok(_) => (),
+                    Err(e) => match e {
+                        dotenv::Error::LineParse(msg, pos) => {
+                            panic!("Error loading the .env file:\nNear {:?} on position {}\nPlease fix and restart!\n", msg, pos);
+                        },
+                        dotenv::Error::Io(ioerr) => match ioerr.kind() {
+                            std::io::ErrorKind::NotFound => {
+                                println!("[INFO] No .env file found.\n");
+                                ()
+                            },
+                            std::io::ErrorKind::PermissionDenied => {
+                                println!("[WARNING] Permission Denied while trying to read the .env file!\n");
+                                ()
+                            },
+                            _ => {
+                                println!("[WARNING] Reading the .env file failed:\n{:?}\n", ioerr);
+                                ()
+                            }
+                        },
+                        _ => {
+                            println!("[WARNING] Reading the .env file failed:\n{:?}\n", e);
+                            ()
+                        }
+                    }
+                };
 
                 let mut builder = ConfigBuilder::default();
                 $($(
@@ -388,29 +413,35 @@ make_config! {
     /// SMTP Email Settings
     smtp: _enable_smtp {
         /// Enabled
-        _enable_smtp:           bool,   true,   def,     true;
+        _enable_smtp:                  bool,   true,   def,     true;
         /// Host
-        smtp_host:              String, true,   option;
+        smtp_host:                     String, true,   option;
         /// Enable Secure SMTP |> (Explicit) - Enabling this by default would use STARTTLS (Standard ports 587 or 25)
-        smtp_ssl:               bool,   true,   def,     true;
+        smtp_ssl:                      bool,   true,   def,     true;
         /// Force TLS |> (Implicit) - Enabling this would force the use of an SSL/TLS connection, instead of upgrading an insecure one with STARTTLS (Standard port 465)
-        smtp_explicit_tls:      bool,   true,   def,     false;
+        smtp_explicit_tls:             bool,   true,   def,     false;
         /// Port
-        smtp_port:              u16,    true,   auto,    |c| if c.smtp_explicit_tls {465} else if c.smtp_ssl {587} else {25};
+        smtp_port:                     u16,    true,   auto,    |c| if c.smtp_explicit_tls {465} else if c.smtp_ssl {587} else {25};
         /// From Address
-        smtp_from:              String, true,   def,     String::new();
+        smtp_from:                     String, true,   def,     String::new();
         /// From Name
-        smtp_from_name:         String, true,   def,     "Bitwarden_RS".to_string();
+        smtp_from_name:                String, true,   def,     "Bitwarden_RS".to_string();
         /// Username
-        smtp_username:          String, true,   option;
+        smtp_username:                 String, true,   option;
         /// Password
-        smtp_password:          Pass,   true,   option;
+        smtp_password:                 Pass,   true,   option;
         /// SMTP Auth mechanism |> Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. Possible values: ["Plain", "Login", "Xoauth2"]. Multiple options need to be separated by a comma ','.
-        smtp_auth_mechanism:    String, true,   option;
+        smtp_auth_mechanism:           String, true,   option;
         /// SMTP connection timeout |> Number of seconds when to stop trying to connect to the SMTP server
-        smtp_timeout:           u64,    true,   def,     15;
+        smtp_timeout:                  u64,    true,   def,     15;
         /// Server name sent during HELO |> By default this value should be is on the machine's hostname, but might need to be changed in case it trips some anti-spam filters
-        helo_name:              String, true,   option;
+        helo_name:                     String, true,   option;
+        /// Enable SMTP debugging (Know the risks!) |> DANGEROUS: Enabling this will output very detailed SMTP messages. This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+        smtp_debug:                    bool,   true,   def,     false;
+        /// Accept Invalid Certs (Know the risks!) |> DANGEROUS: Allow invalid certificates. This option introduces significant vulnerabilities to man-in-the-middle attacks!
+        smtp_accept_invalid_certs:     bool,   true,   def,     false;
+        /// Accept Invalid Hostnames (Know the risks!) |> DANGEROUS: Allow invalid hostnames. This option introduces significant vulnerabilities to man-in-the-middle attacks!
+        smtp_accept_invalid_hostnames: bool,   true,   def,     false;
     },
 
     /// Email 2FA Settings
@@ -496,6 +527,16 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         }
     }
 
+    // Check if the icon blacklist regex is valid
+    if let Some(ref r) = cfg.icon_blacklist_regex {
+        use regex::Regex;
+        let validate_regex = Regex::new(&r);
+        match validate_regex {
+            Ok(_) => (),
+            Err(e) => err!(format!("`ICON_BLACKLIST_REGEX` is invalid: {:#?}", e)),
+        }
+    }
+
     Ok(())
 }
 

src/db/models/collection.rs

@@ -356,13 +356,20 @@ impl CollectionUser {
         }}
     }
 
-    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
-        User::update_uuid_revision(&user_uuid, conn);
+    pub fn delete_all_by_user_and_org(user_uuid: &str, org_uuid: &str, conn: &DbConn) -> EmptyResult {
+        let collectionusers = Self::find_by_organization_and_user_uuid(org_uuid, user_uuid, conn);
 
         db_run! { conn: {
-            diesel::delete(users_collections::table.filter(users_collections::user_uuid.eq(user_uuid)))
-                .execute(conn)
-                .map_res("Error removing user from collections")
+            for user in collectionusers {
+                diesel::delete(users_collections::table.filter(
+                    users_collections::user_uuid.eq(user_uuid)
+                    .and(users_collections::collection_uuid.eq(user.collection_uuid))
+                
+                ))
+                    .execute(conn)
+                    .map_res("Error removing user from collections")?;
+            }
+            Ok(())
         }}
     }
 }

src/db/models/device.rs

@@ -178,4 +178,15 @@ impl Device {
                 .from_db()
         }}
     }
+
+    pub fn find_latest_active_by_user(user_uuid: &str, conn: &DbConn) -> Option<Self> {
+        db_run! { conn: {
+            devices::table
+                .filter(devices::user_uuid.eq(user_uuid))
+                .order(devices::updated_at.desc())
+                .first::<DeviceDb>(conn)
+                .ok()
+                .from_db()
+        }}
+    }
 }

src/db/models/mod.rs

@@ -18,4 +18,4 @@ pub use self::folder::{Folder, FolderCipher};
 pub use self::org_policy::{OrgPolicy, OrgPolicyType};
 pub use self::organization::{Organization, UserOrgStatus, UserOrgType, UserOrganization};
 pub use self::two_factor::{TwoFactor, TwoFactorType};
-pub use self::user::{Invitation, User};
+pub use self::user::{Invitation, User, UserStampException};

src/db/models/org_policy.rs

@@ -4,7 +4,7 @@ use crate::api::EmptyResult;
 use crate::db::DbConn;
 use crate::error::MapResult;
 
-use super::Organization;
+use super::{Organization, UserOrgStatus};
 
 db_object! {
     #[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
@@ -129,11 +129,14 @@ impl OrgPolicy {
     pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
         db_run! { conn: {
             org_policies::table
-                .left_join(
+                .inner_join(
                     users_organizations::table.on(
                         users_organizations::org_uuid.eq(org_policies::org_uuid)
                             .and(users_organizations::user_uuid.eq(user_uuid)))
                 )
+                .filter(
+                    users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+                )
                 .select(org_policies::all_columns)
                 .load::<OrgPolicyDb>(conn)
                 .expect("Error loading org_policy")

src/db/models/organization.rs

@@ -389,7 +389,7 @@ impl UserOrganization {
     pub fn delete(self, conn: &DbConn) -> EmptyResult {
         User::update_uuid_revision(&self.user_uuid, conn);
 
-        CollectionUser::delete_all_by_user(&self.user_uuid, &conn)?;
+        CollectionUser::delete_all_by_user_and_org(&self.user_uuid, &self.org_uuid, &conn)?;
 
         db_run! { conn: {
             diesel::delete(users_organizations::table.filter(users_organizations::uuid.eq(self.uuid)))

src/db/models/user.rs

@@ -11,6 +11,7 @@ db_object! {
     #[primary_key(uuid)]
     pub struct User {
         pub uuid: String,
+        pub enabled: bool,
         pub created_at: NaiveDateTime,
         pub updated_at: NaiveDateTime,
         pub verified_at: Option<NaiveDateTime>,
@@ -36,6 +37,7 @@ db_object! {
         pub totp_recover: Option<String>,
 
         pub security_stamp: String,
+        pub stamp_exception: Option<String>,
 
         pub equivalent_domains: String,
         pub excluded_globals: String,
@@ -59,6 +61,12 @@ enum UserStatus {
     _Disabled = 2,
 }
 
+#[derive(Serialize, Deserialize)]
+pub struct UserStampException {
+  pub route: String,
+  pub security_stamp: String
+}
+
 /// Local methods
 impl User {
     pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0
@@ -70,6 +78,7 @@ impl User {
 
         Self {
             uuid: crate::util::get_uuid(),
+            enabled: true,
             created_at: now,
             updated_at: now,
             verified_at: None,
@@ -86,6 +95,7 @@ impl User {
             password_iterations: CONFIG.password_iterations(),
 
             security_stamp: crate::util::get_uuid(),
+            stamp_exception: None,
 
             password_hint: None,
             private_key: None,
@@ -119,14 +129,52 @@ impl User {
         }
     }
 
-    pub fn set_password(&mut self, password: &str) {
+    /// Set the password hash generated
+    /// And resets the security_stamp. Based upon the allow_next_route the security_stamp will be different.
+    ///
+    /// # Arguments
+    ///
+    /// * `password` - A str which contains a hashed version of the users master password.
+    /// * `allow_next_route` - A Option<&str> with the function name of the next allowed (rocket) route.
+    ///
+    pub fn set_password(&mut self, password: &str, allow_next_route: Option<&str>) {
         self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32);
-        self.reset_security_stamp();
+
+        if let Some(route) = allow_next_route {
+            self.set_stamp_exception(route);
+        }
+
+        self.reset_security_stamp()
     }
 
     pub fn reset_security_stamp(&mut self) {
         self.security_stamp = crate::util::get_uuid();
     }
+
+    /// Set the stamp_exception to only allow a subsequent request matching a specific route using the current security-stamp.
+    ///
+    /// # Arguments
+    /// * `route_exception` - A str with the function name of the next allowed (rocket) route.
+    ///
+    /// ### Future
+    /// In the future it could be posible that we need more of these exception routes.
+    /// In that case we could use an Vec<UserStampException> and add multiple exceptions.
+    pub fn set_stamp_exception(&mut self, route_exception: &str) {
+        let stamp_exception = UserStampException {
+            route: route_exception.to_string(),
+            security_stamp: self.security_stamp.to_string()
+        };
+        self.stamp_exception = Some(serde_json::to_string(&stamp_exception).unwrap_or_default());
+    }
+
+    /// Resets the stamp_exception to prevent re-use of the previous security-stamp
+    ///
+    /// ### Future
+    /// In the future it could be posible that we need more of these exception routes.
+    /// In that case we could use an Vec<UserStampException> and add multiple exceptions.
+    pub fn reset_stamp_exception(&mut self) {
+        self.stamp_exception = None;
+    }
 }
 
 use super::{Cipher, Device, Favorite, Folder, TwoFactor, UserOrgType, UserOrganization};
@@ -288,6 +336,13 @@ impl User {
             users::table.load::<UserDb>(conn).expect("Error loading users").from_db()
         }}
     }
+
+    pub fn last_active(&self, conn: &DbConn) -> Option<NaiveDateTime> {
+        match Device::find_latest_active_by_user(&self.uuid, conn) {
+            Some(device) => Some(device.updated_at),
+            None => None
+        }
+    }
 }
 
 impl Invitation {

src/db/schemas/mysql/schema.rs

@@ -116,6 +116,7 @@ table! {
 table! {
     users (uuid) {
         uuid -> Text,
+        enabled -> Bool,
         created_at -> Datetime,
         updated_at -> Datetime,
         verified_at -> Nullable<Datetime>,
@@ -135,6 +136,7 @@ table! {
         totp_secret -> Nullable<Text>,
         totp_recover -> Nullable<Text>,
         security_stamp -> Text,
+        stamp_exception -> Nullable<Text>,
         equivalent_domains -> Text,
         excluded_globals -> Text,
         client_kdf_type -> Integer,

src/db/schemas/postgresql/schema.rs

@@ -116,6 +116,7 @@ table! {
 table! {
     users (uuid) {
         uuid -> Text,
+        enabled -> Bool,
         created_at -> Timestamp,
         updated_at -> Timestamp,
         verified_at -> Nullable<Timestamp>,
@@ -135,6 +136,7 @@ table! {
         totp_secret -> Nullable<Text>,
         totp_recover -> Nullable<Text>,
         security_stamp -> Text,
+        stamp_exception -> Nullable<Text>,
         equivalent_domains -> Text,
         excluded_globals -> Text,
         client_kdf_type -> Integer,

src/db/schemas/sqlite/schema.rs

@@ -116,6 +116,7 @@ table! {
 table! {
     users (uuid) {
         uuid -> Text,
+        enabled -> Bool,
         created_at -> Timestamp,
         updated_at -> Timestamp,
         verified_at -> Nullable<Timestamp>,
@@ -135,6 +136,7 @@ table! {
         totp_secret -> Nullable<Text>,
         totp_recover -> Nullable<Text>,
         security_stamp -> Text,
+        stamp_exception -> Nullable<Text>,
         equivalent_domains -> Text,
         excluded_globals -> Text,
         client_kdf_type -> Integer,

src/error.rs

@@ -191,6 +191,7 @@ impl<'r> Responder<'r> for Error {
     fn respond_to(self, _: &Request) -> response::Result<'r> {
         match self.error {
             ErrorKind::EmptyError(_) => {} // Don't print the error in this situation
+            ErrorKind::SimpleError(_) => {} // Don't print the error in this situation
             _ => error!(target: "error", "{:#?}", self),
         };
 
@@ -210,9 +211,11 @@ impl<'r> Responder<'r> for Error {
 #[macro_export]
 macro_rules! err {
     ($msg:expr) => {{
+        error!("{}", $msg);
         return Err(crate::error::Error::new($msg, $msg));
     }};
     ($usr_msg:expr, $log_value:expr) => {{
+        error!("{}. {}", $usr_msg, $log_value);
         return Err(crate::error::Error::new($usr_msg, $log_value));
     }};
 }

src/mail.rs

@@ -1,12 +1,12 @@
-use std::{env, str::FromStr};
+use std::{str::FromStr};
 
 use chrono::{DateTime, Local};
-use chrono_tz::Tz;
 use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 
 use lettre::{
     message::{header, Mailbox, Message, MultiPart, SinglePart},
     transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
+    transport::smtp::client::{Tls, TlsParameters},
     transport::smtp::extension::ClientId,
     Address, SmtpTransport, Transport,
 };
@@ -22,21 +22,30 @@ fn mailer() -> SmtpTransport {
     use std::time::Duration;
     let host = CONFIG.smtp_host().unwrap();
 
-    // Determine security
-    let smtp_client = if CONFIG.smtp_ssl() {
-        if CONFIG.smtp_explicit_tls() {
-            SmtpTransport::relay(host.as_str())
-        } else {
-            SmtpTransport::starttls_relay(host.as_str())
-        }
-    } else {
-        Ok(SmtpTransport::builder_dangerous(host.as_str()))
-    };
-
-    let smtp_client = smtp_client.unwrap()
+    let smtp_client = SmtpTransport::builder_dangerous(host.as_str())
         .port(CONFIG.smtp_port())
         .timeout(Some(Duration::from_secs(CONFIG.smtp_timeout())));
 
+    // Determine security
+    let smtp_client = if CONFIG.smtp_ssl() {
+        let mut tls_parameters = TlsParameters::builder(host);
+        if CONFIG.smtp_accept_invalid_hostnames() {
+            tls_parameters.dangerous_accept_invalid_hostnames(true);
+        }
+        if CONFIG.smtp_accept_invalid_certs() {
+            tls_parameters.dangerous_accept_invalid_certs(true);
+        }
+        let tls_parameters = tls_parameters.build().unwrap();
+
+        if CONFIG.smtp_explicit_tls() {
+            smtp_client.tls(Tls::Wrapper(tls_parameters))
+        } else {
+            smtp_client.tls(Tls::Required(tls_parameters))
+        }
+    } else {
+        smtp_client
+    };
+
     let smtp_client = match (CONFIG.smtp_username(), CONFIG.smtp_password()) {
         (Some(user), Some(pass)) => smtp_client.credentials(Credentials::new(user, pass)),
         _ => smtp_client,
@@ -97,22 +106,6 @@ fn get_template(template_name: &str, data: &serde_json::Value) -> Result<(String
     Ok((subject, body))
 }
 
-pub fn format_datetime(dt: &DateTime<Local>) -> String {
-    let fmt = "%A, %B %_d, %Y at %r %Z";
-
-    // With a DateTime<Local>, `%Z` formats as the time zone's UTC offset
-    // (e.g., `+00:00`). If the `TZ` environment variable is set, try to
-    // format as a time zone abbreviation instead (e.g., `UTC`).
-    if let Ok(tz) = env::var("TZ") {
-        if let Ok(tz) = tz.parse::<Tz>() {
-            return dt.with_timezone(&tz).format(fmt).to_string();
-        }
-    }
-
-    // Otherwise, fall back to just displaying the UTC offset.
-    dt.format(fmt).to_string()
-}
-
 pub fn send_password_hint(address: &str, hint: Option<String>) -> EmptyResult {
     let template_name = if hint.is_some() {
         "email/pw_hint_some"
@@ -247,13 +240,14 @@ pub fn send_new_device_logged_in(address: &str, ip: &str, dt: &DateTime<Local>,
     use crate::util::upcase_first;
     let device = upcase_first(device);
 
+    let fmt = "%A, %B %_d, %Y at %r %Z";
     let (subject, body_html, body_text) = get_text(
         "email/new_device_logged_in",
         json!({
             "url": CONFIG.domain(),
             "ip": ip,
             "device": device,
-            "datetime": format_datetime(dt),
+            "datetime": crate::util::format_datetime_local(dt, fmt),
         }),
     )?;
 
@@ -318,14 +312,17 @@ fn send_email(address: &str, subject: &str, body_html: &str, body_text: &str) ->
 
     // The boundary generated by Lettre it self is mostly too large based on the RFC822, so we generate one our selfs.
     use uuid::Uuid;
-    let boundary = format!("_Part_{}_", Uuid::new_v4().to_simple());
+    let unique_id = Uuid::new_v4().to_simple();
+    let boundary = format!("_Part_{}_", unique_id);
     let alternative = MultiPart::alternative().boundary(boundary).singlepart(text).singlepart(html);
+    let smtp_from = &CONFIG.smtp_from();
 
     let email = Message::builder()
+        .message_id(Some(format!("<{}.{}>", unique_id, smtp_from)))
         .to(Mailbox::new(None, Address::from_str(&address)?))
         .from(Mailbox::new(
             Some(CONFIG.smtp_from_name()),
-            Address::from_str(&CONFIG.smtp_from())?,
+            Address::from_str(smtp_from)?,
         ))
         .subject(subject)
         .multipart(alternative)?;

src/main.rs

@@ -113,8 +113,21 @@ fn init_logging(level: log::LevelFilter) -> Result<(), fern::InitError> {
         .level_for("launch_", log::LevelFilter::Off)
         .level_for("rocket::rocket", log::LevelFilter::Off)
         .level_for("rocket::fairing", log::LevelFilter::Off)
+        // Never show html5ever and hyper::proto logs, too noisy
+        .level_for("html5ever", log::LevelFilter::Off)
+        .level_for("hyper::proto", log::LevelFilter::Off)
         .chain(std::io::stdout());
 
+    // Enable smtp debug logging only specifically for smtp when need.
+    // This can contain sensitive information we do not want in the default debug/trace logging.
+    if CONFIG.smtp_debug() {
+        println!("[WARNING] SMTP Debugging is enabled (SMTP_DEBUG=true). Sensitive information could be disclosed via logs!");
+        println!("[WARNING] Only enable SMTP_DEBUG during troubleshooting!\n");
+        logger = logger.level_for("lettre::transport::smtp", log::LevelFilter::Debug)
+    } else {
+        logger = logger.level_for("lettre::transport::smtp", log::LevelFilter::Off)
+    }
+
     if CONFIG.extended_logging() {
         logger = logger.format(|out, message, record| {
             out.finish(format_args!(

src/static/templates/admin/diagnostics.hbs

@@ -72,7 +72,7 @@
         const hour = String(d.getUTCHours()).padStart(2, '0');
         const minute = String(d.getUTCMinutes()).padStart(2, '0');
         const seconds = String(d.getUTCSeconds()).padStart(2, '0');
-        const browserUTC = year + '-' + month + '-' + day + ' ' + hour + ':' + minute + ':' + seconds;
+        const browserUTC = `${year}-${month}-${day} ${hour}:${minute}:${seconds} UTC`;
         document.getElementById("time-browser-string").innerText = browserUTC;
 
         const serverUTC = document.getElementById("time-server-string").innerText;
@@ -147,4 +147,4 @@
             }
         }
     })();
-</script>
+</script>

src/static/templates/admin/settings.hbs

@@ -17,7 +17,7 @@
                     <div id="g_{{group}}" class="card-body collapse" data-parent="#config-form">
                         {{#each elements}}
                         {{#if editable}}
-                        <div class="form-group row" title="[{{name}}] {{doc.description}}">
+                        <div class="form-group row align-items-center" title="[{{name}}] {{doc.description}}">
                             {{#case type "text" "number" "password"}}
                             <label for="input_{{name}}" class="col-sm-3 col-form-label">{{doc.name}}</label>
                             <div class="col-sm-8 input-group">
@@ -34,7 +34,7 @@
                             </div>
                             {{/case}}
                             {{#case type "checkbox"}}
-                            <div class="col-sm-3">{{doc.name}}</div>
+                            <div class="col-sm-3 col-form-label">{{doc.name}}</div>
                             <div class="col-sm-8">
                                 <div class="form-check">
                                     <input class="form-check-input conf-{{type}}" type="checkbox" id="input_{{name}}"
@@ -48,7 +48,7 @@
                         {{/if}}
                         {{/each}}
                         {{#case group "smtp"}}
-                            <div class="form-group row pt-3 border-top" title="Send a test email to given email address">
+                            <div class="form-group row align-items-center pt-3 border-top" title="Send a test email to given email address">
                                 <label for="smtp-test-email" class="col-sm-3 col-form-label">Test SMTP</label>
                                 <div class="col-sm-8 input-group">
                                     <input class="form-control" id="smtp-test-email" type="email" placeholder="Enter test email">
@@ -76,7 +76,7 @@
                         {{#each config}}
                         {{#each elements}}
                         {{#unless editable}}
-                        <div class="form-group row" title="[{{name}}] {{doc.description}}">
+                        <div class="form-group row align-items-center" title="[{{name}}] {{doc.description}}">
                             {{#case type "text" "number" "password"}}
                             <label for="input_{{name}}" class="col-sm-3 col-form-label">{{doc.name}}</label>
                             <div class="col-sm-8 input-group">
@@ -92,9 +92,9 @@
                             </div>
                             {{/case}}
                             {{#case type "checkbox"}}
-                            <div class="col-sm-3">{{doc.name}}</div>
+                            <div class="col-sm-3 col-form-label">{{doc.name}}</div>
                             <div class="col-sm-8">
-                                <div class="form-check">
+                                <div class="form-check align-middle">
                                     <input disabled class="form-check-input" type="checkbox" id="input_{{name}}"
                                         {{#if value}} checked {{/if}}>
 
@@ -139,6 +139,10 @@
 
 <script>
     function smtpTest() {
+        if (formHasChanges(config_form)) {
+            alert("Config has been changed but not yet saved.\nPlease save the changes first before sending a test email.");
+            return false;
+        }
         test_email = document.getElementById("smtp-test-email");
         data = JSON.stringify({ "email": test_email.value });
         _post("{{urlpath}}/admin/test/smtp/",
@@ -205,4 +209,35 @@
     // {{#each config}} {{#if grouptoggle}}
     masterCheck("input_{{grouptoggle}}", "#g_{{group}} input");
     // {{/if}} {{/each}}
+
+    // Two functions to help check if there were changes to the form fields
+    // Useful for example during the smtp test to prevent people from clicking save before testing there new settings
+    function initChangeDetection(form) {
+        const ignore_fields = ["smtp-test-email"];
+        Array.from(form).forEach((el) => {
+            if (! ignore_fields.includes(el.id)) {
+                el.dataset.origValue = el.value
+            }
+        });
+    }
+    function formHasChanges(form) {
+        return Array.from(form).some(el => 'origValue' in el.dataset && ( el.dataset.origValue !== el.value));
+    }
+
+    // Trigger Form Change Detection
+    const config_form = document.getElementById('config-form');
+    initChangeDetection(config_form);
+
+    // Colorize some settings which are high risk
+    const risk_items = document.getElementsByClassName('col-form-label');
+    function colorRiskSettings(risk_el) {
+        Array.from(risk_el).forEach((el) => {
+            if (el.innerText.toLowerCase().includes('risks') ) {
+                el.parentElement.className += ' alert-danger'
+                console.log(el)
+            }
+        });
+    }
+    colorRiskSettings(risk_items);
+
 </script>

src/static/templates/admin/users.hbs

@@ -21,7 +21,12 @@
                             <div class="float-left">
                                 <strong>{{Name}}</strong>
                                 <span class="d-block">{{Email}}</span>
+                                <span class="d-block">Created at: {{created_at}}</span>
+                                <span class="d-block">Last active: {{last_active}}</span>
                                 <span class="d-block">
+                                    {{#unless user_enabled}}
+                                        <span class="badge badge-danger mr-2" title="User is disabled">Disabled</span>
+                                    {{/unless}}
                                     {{#if TwoFactorEnabled}}
                                         <span class="badge badge-success mr-2" title="2FA is enabled">2FA</span>
                                     {{/if}}
@@ -54,6 +59,11 @@
                             {{/if}}
                             <a class="d-block" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a>
                             <a class="d-block" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a>
+                            {{#if user_enabled}}
+                            <a class="d-block" href="#" onclick='disableUser({{jsesc Id}}, {{jsesc Email}})'>Disable User</a>
+                            {{else}}
+                            <a class="d-block" href="#" onclick='enableUser({{jsesc Id}}, {{jsesc Email}})'>Enable User</a>
+                            {{/if}}
                         </td>
                     </tr>
                     {{/each}}
@@ -113,6 +123,24 @@
             "Error deauthorizing sessions");
         return false;
     }
+    function disableUser(id, mail) {
+        var confirmed = confirm("Are you sure you want to disable user '" + mail + "'? This will also deauthorize their sessions.")
+        if (confirmed) {
+            _post("{{urlpath}}/admin/users/" + id + "/disable",
+                "User disabled successfully",
+                "Error disabling user");
+        }
+        return false;
+    }
+    function enableUser(id, mail) {
+        var confirmed = confirm("Are you sure you want to enable user '" + mail + "'?")
+        if (confirmed) {
+            _post("{{urlpath}}/admin/users/" + id + "/enable",
+                "User enabled successfully",
+                "Error enabling user");
+        }
+        return false;
+    }
     function updateRevisions() {
         _post("{{urlpath}}/admin/users/update_revision",
             "Success, clients will sync next time they connect",

src/static/templates/email/change_email.hbs

@@ -1,6 +1,8 @@
 Your Email Change
 <!---------------->
-<html>
-<p>To finalize changing your email address enter the following code in web vault: <b>{{token}}</b></p>
-<p>If you did not try to change an email address, you can safely ignore this email.</p>
-</html>
+To finalize changing your email address enter the following code in web vault: {{token}}
+
+If you did not try to change an email address, you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/delete_account.hbs

@@ -1,12 +1,10 @@
 Delete Your Account
 <!---------------->
-<html>
-<p>
-click the link below to delete your account.
-<br>
-<br>
-<a href="{{url}}/#/verify-recover-delete?userId={{user_id}}&token={{token}}&email={{email}}">
-Delete Your Account</a>
-</p>
-<p>If you did not request this email to delete your account, you can safely ignore this email.</p>
-</html>
+Click the link below to delete your account.
+
+Delete Your Account: {{url}}/#/verify-recover-delete?userId={{user_id}}&token={{token}}&email={{email}}
+
+If you did not request this email to delete your account, you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/invite_accepted.hbs

@@ -1,8 +1,7 @@
 Invitation to {{{org_name}}} accepted
 <!---------------->
-<html>
-<p>
-    Your invitation for <b>{{email}}</b> to join <b>{{org_name}}</b> was accepted.
-    Please <a href="{{url}}/">log in</a> to the bitwarden_rs server and confirm them from the organization management page.
-</p>
-</html>
+Your invitation for *{{email}}* to join *{{org_name}}* was accepted.
+Please log in via {{url}} to the bitwarden_rs server and confirm them from the organization management page.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/invite_confirmed.hbs

@@ -1,8 +1,7 @@
 Invitation to {{{org_name}}} confirmed
 <!---------------->
-<html>
-<p>
-    Your invitation to join <b>{{org_name}}</b> was confirmed.
-    It will now appear under the Organizations the next time you <a href="{{url}}/">log in</a> to the web vault.
-</p>
-</html>
+Your invitation to join *{{org_name}}* was confirmed.
+It will now appear under the Organizations the next time you log in to the web vault at {{url}}.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/new_device_logged_in.hbs

@@ -1,14 +1,12 @@
 New Device Logged In From {{{device}}}
 <!---------------->
-<html>
-<p>
-   Your account was just logged into from a new device.
+Your account was just logged into from a new device.
 
-   Date: {{datetime}}
-   IP Address: {{ip}}
-   Device Type: {{device}}
+* Date: {{datetime}}
+* IP Address: {{ip}}
+* Device Type: {{device}}
 
-   You can deauthorize all devices that have access to your account from the
-    <a href="{{url}}/">web vault</a> under Settings > My Account > Deauthorize Sessions.
-</p>
-</html>
+You can deauthorize all devices that have access to your account from the web vault ( {{url}} ) under Settings > My Account > Deauthorize Sessions.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/pw_hint_none.hbs

@@ -2,6 +2,9 @@ Your master password hint
 <!---------------->
 You (or someone) recently requested your master password hint. Unfortunately, your account does not have a master password hint.
 
-If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to delete the account ( {{url}}/#/recover-delete ) so that you can register again and start over. All data associated with your account will be deleted.
 
 If you did not request your master password hint you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/pw_hint_some.hbs

@@ -2,9 +2,12 @@ Your master password hint
 <!---------------->
 You (or someone) recently requested your master password hint.
 
-Your hint is: "{{hint}}"
-Log in: <a href="{{url}}/">Web Vault</a>
+Your hint is: *{{hint}}*
+Log in to the web vault: {{url}}
 
-If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to delete the account ( {{url}}/#/recover-delete ) so that you can register again and start over. All data associated with your account will be deleted.
 
 If you did not request your master password hint you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/send_org_invite.hbs

@@ -1,12 +1,12 @@
 Join {{{org_name}}}
 <!---------------->
-<html>
-<p>
-You have been invited to join the <b>{{org_name}}</b> organization.
-<br>
-<br>
-<a href="{{url}}/#/accept-organization/?organizationId={{org_id}}&organizationUserId={{org_user_id}}&email={{email}}&organizationName={{org_name}}&token={{token}}">
-Click here to join</a>
-</p>
-<p>If you do not wish to join this organization, you can safely ignore this email.</p>
-</html>
+You have been invited to join the *{{org_name}}* organization.
+
+
+Click here to join: {{url}}/#/accept-organization/?organizationId={{org_id}}&organizationUserId={{org_user_id}}&email={{email}}&organizationName={{org_name}}&token={{token}}
+
+
+If you do not wish to join this organization, you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/smtp_test.hbs

@@ -1,8 +1,8 @@
 Bitwarden_rs SMTP Test
 <!---------------->
-<html>
-<p>
-This is a test email to verify the SMTP configuration for <a href="{{url}}">{{url}}</a>.
-</p>
-<p>When you can read this email it is probably configured correctly.</p>
-</html>
+This is a test email to verify the SMTP configuration for {{url}}.
+
+When you can read this email it is probably configured correctly.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/twofactor_email.hbs

@@ -1,9 +1,8 @@
 Your Two-step Login Verification Code
 <!---------------->
-<html>
-<p>
-    Your two-step verification code is: <b>{{token}}</b>
+Your two-step verification code is: {{token}}
 
-    Use this code to complete logging in with Bitwarden.
-</p>
-</html>
+Use this code to complete logging in with Bitwarden.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/verify_email.hbs

@@ -1,12 +1,10 @@
 Verify Your Email
 <!---------------->
-<html>
-<p>
 Verify this email address for your account by clicking the link below.
-<br>
-<br>
-<a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}">
-Verify Email Address Now</a>
-</p>
-<p>If you did not request to verify your account, you can safely ignore this email.</p>
-</html>
+
+Verify Email Address Now: {{url}}/#/verify-email/?userId={{user_id}}&token={{token}}
+
+If you did not request to verify your account, you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/welcome.hbs

@@ -1,8 +1,8 @@
 Welcome
 <!---------------->
-<html>
-<p>
-Thank you for creating an account at <a href="{{url}}/">{{url}}</a>. You may now log in with your new account.
-</p>
-<p>If you did not request to create an account, you can safely ignore this email.</p>
-</html>
+Thank you for creating an account at {{url}}. You may now log in with your new account.
+
+If you did not request to create an account, you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/static/templates/email/welcome_must_verify.hbs

@@ -1,12 +1,10 @@
 Welcome
 <!---------------->
-<html>
-<p>
-Thank you for creating an account at <a href="{{url}}/">{{url}}</a>. Before you can login with your new account, you must verify this email address by clicking the link below.
-<br>
-<br>
-<a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}">
-Verify Email Address Now</a>
-</p>
-<p>If you did not request to create an account, you can safely ignore this email.</p>
-</html>
+Thank you for creating an account at {{url}}. Before you can login with your new account, you must verify this email address by clicking the link below.
+
+Verify Email Address Now: {{url}}/#/verify-email/?userId={{user_id}}&token={{token}}
+
+If you did not request to create an account, you can safely ignore this email.
+
+===
+Github: https://github.com/dani-garcia/bitwarden_rs

src/util.rs

@@ -283,20 +283,37 @@ where
 
 use std::env;
 
+pub fn get_env_str_value(key: &str) -> Option<String>
+{
+    let key_file = format!("{}_FILE", key);
+    let value_from_env = env::var(key);
+    let value_file = env::var(&key_file);
+
+    match (value_from_env, value_file) {
+        (Ok(_), Ok(_)) => panic!("You should not define both {} and {}!", key, key_file),
+        (Ok(v_env), Err(_)) => Some(v_env),
+        (Err(_), Ok(v_file)) => match fs::read_to_string(v_file) {
+            Ok(content) => Some(content.trim().to_string()),
+            Err(e) => panic!("Failed to load {}: {:?}", key, e)
+        },
+        _ => None
+    }
+}
+
 pub fn get_env<V>(key: &str) -> Option<V>
 where
     V: FromStr,
 {
-    try_parse_string(env::var(key).ok())
+    try_parse_string(get_env_str_value(key))
 }
 
 const TRUE_VALUES: &[&str] = &["true", "t", "yes", "y", "1"];
 const FALSE_VALUES: &[&str] = &["false", "f", "no", "n", "0"];
 
 pub fn get_env_bool(key: &str) -> Option<bool> {
-    match env::var(key) {
-        Ok(val) if TRUE_VALUES.contains(&val.to_lowercase().as_ref()) => Some(true),
-        Ok(val) if FALSE_VALUES.contains(&val.to_lowercase().as_ref()) => Some(false),
+    match get_env_str_value(key) {
+        Some(val) if TRUE_VALUES.contains(&val.to_lowercase().as_ref()) => Some(true),
+        Some(val) if FALSE_VALUES.contains(&val.to_lowercase().as_ref()) => Some(false),
         _ => None,
     }
 }
@@ -305,12 +322,40 @@ pub fn get_env_bool(key: &str) -> Option<bool> {
 // Date util methods
 //
 
-use chrono::NaiveDateTime;
+use chrono::{DateTime, Local, NaiveDateTime, TimeZone};
+use chrono_tz::Tz;
 
-const DATETIME_FORMAT: &str = "%Y-%m-%dT%H:%M:%S%.6fZ";
+/// Formats a UTC-offset `NaiveDateTime` in the format used by Bitwarden API
+/// responses with "date" fields (`CreationDate`, `RevisionDate`, etc.).
+pub fn format_date(dt: &NaiveDateTime) -> String {
+    dt.format("%Y-%m-%dT%H:%M:%S%.6fZ").to_string()
+}
 
-pub fn format_date(date: &NaiveDateTime) -> String {
-    date.format(DATETIME_FORMAT).to_string()
+/// Formats a `DateTime<Local>` using the specified format string.
+///
+/// For a `DateTime<Local>`, the `%Z` specifier normally formats as the
+/// time zone's UTC offset (e.g., `+00:00`). In this function, if the
+/// `TZ` environment variable is set, then `%Z` instead formats as the
+/// abbreviation for that time zone (e.g., `UTC`).
+pub fn format_datetime_local(dt: &DateTime<Local>, fmt: &str) -> String {
+    // Try parsing the `TZ` environment variable to enable formatting `%Z` as
+    // a time zone abbreviation.
+    if let Ok(tz) = env::var("TZ") {
+        if let Ok(tz) = tz.parse::<Tz>() {
+            return dt.with_timezone(&tz).format(fmt).to_string();
+        }
+    }
+
+    // Otherwise, fall back to formatting `%Z` as a UTC offset.
+    dt.format(fmt).to_string()
+}
+
+/// Formats a UTC-offset `NaiveDateTime` as a datetime in the local time zone.
+///
+/// This function basically converts the `NaiveDateTime` to a `DateTime<Local>`,
+/// and then calls [format_datetime_local](crate::util::format_datetime_local).
+pub fn format_naive_datetime_local(dt: &NaiveDateTime, fmt: &str) -> String {
+    format_datetime_local(&Local.from_utc_datetime(dt), fmt)
 }
 
 //