vividboarder/bitwarden_rs_ldap
1
0
Fork 0
mirror of https://github.com/ViViDboarder/bitwarden_rs_ldap.git synced 2024-11-21 18:56:27 +00:00
Code Issues Releases Wiki Activity

Improved error handling

Browse Source 
Massive refactor of error handling to make messages easier to debug
This commit is contained in:
ViViDboarder 2021-06-13 18:01:23 -07:00
parent c090fb5a52
commit 77919aa3d4
5 changed files with 1012 additions and 755 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1465
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

2
Cargo.toml
View File

@ -10,3 +10,5 @@ serde = { version = "1.0", features = ["derive"] }
toml = "0.5"
reqwest = "0.9"
serde_json = "1.0"
thiserror = "1.0"
anyhow = "1.0"

2
src/config.rs
View File

@ -151,7 +151,7 @@ impl Config {
pub fn get_ldap_mail_field(&self) -> String {
match &self.ldap_mail_field {
Some(mail_field) => mail_field.clone(),
None => String::from("mail").clone(),
None => String::from("mail"),
}
}

149
src/main.rs
View File

@ -1,10 +1,13 @@
extern crate anyhow;
extern crate ldap3;
use std::collections::HashSet;
use std::error::Error;
use std::thread::sleep;
use std::time::Duration;
use anyhow::Context as _;
use anyhow::Error as AnyError;
use anyhow::Result;
use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
mod config;
@ -13,34 +16,28 @@ mod vw_admin;
fn main() {
let config = config::Config::from_file();
let mut client = vw_admin::Client::new(
config.get_vaultwarden_url().clone(),
config.get_vaultwarden_admin_token().clone(),
config.get_vaultwarden_root_cert_file().clone(),
config.get_vaultwarden_url(),
config.get_vaultwarden_admin_token(),
config.get_vaultwarden_root_cert_file(),
);
if let Err(e) = invite_users(&config, &mut client, config.get_ldap_sync_loop()) {
panic!("{}", e);
}
invite_users(&config, &mut client, config.get_ldap_sync_loop())
}
/// Invites new users to Bitwarden from LDAP
fn invite_users(
config: &config::Config,
client: &mut vw_admin::Client,
start_loop: bool,
) -> Result<(), Box<dyn Error>> {
fn invite_users(config: &config::Config, client: &mut vw_admin::Client, start_loop: bool) {
if start_loop {
start_sync_loop(config, client)?;
start_sync_loop(config, client).expect("Failed to start invite sync loop");
} else {
invite_from_ldap(config, client)?;
invite_from_ldap(config, client).expect("Failed to invite users");
}
Ok(())
}
/// Creates set of email addresses for users that already exist in Bitwarden
fn get_existing_users(client: &mut vw_admin::Client) -> Result<HashSet<String>, Box<dyn Error>> {
let all_users = client.users()?;
fn get_existing_users(client: &mut vw_admin::Client) -> Result<HashSet<String>, AnyError> {
let all_users = client
.users()
.context("Could not get list of existing users from server")?;
let mut user_emails = HashSet::with_capacity(all_users.len());
for user in all_users {
user_emails.insert(user.get_email().to_lowercase());
@ -67,45 +64,44 @@ fn ldap_client(
bind_pw: String,
no_tls_verify: bool,
starttls: bool,
) -> Result<LdapConn, Box<dyn Error>> {
) -> Result<LdapConn, AnyError> {
let settings = LdapConnSettings::new()
.set_starttls(starttls)
.set_no_tls_verify(no_tls_verify);
let ldap = LdapConn::with_settings(settings, ldap_url.as_str())?;
match ldap.simple_bind(bind_dn.as_str(), bind_pw.as_str()) {
_ => {}
};
let ldap = LdapConn::with_settings(settings, ldap_url.as_str())
.context("Failed to connect to LDAP server")?;
ldap.simple_bind(bind_dn.as_str(), bind_pw.as_str())
.context("Could not bind to LDAP server")?;
Ok(ldap)
}
/// Retrieves search results from ldap
fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, Box<dyn Error>> {
fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, AnyError> {
let ldap = ldap_client(
config.get_ldap_url(),
config.get_ldap_bind_dn(),
config.get_ldap_bind_password(),
config.get_ldap_no_tls_verify(),
config.get_ldap_starttls(),
);
if ldap.is_err() {
println!("Error: Could not bind to ldap server");
}
)
.context("LDAP client initialization failed")?;
let mail_field = config.get_ldap_mail_field();
let fields = vec!["uid", "givenname", "sn", "cn", mail_field.as_str()];
// TODO: Something something error handling
let (results, _res) = ldap?
let (results, _res) = ldap
.with_search_options(SearchOptions::new().deref(DerefAliases::Always))
.search(
&config.get_ldap_search_base_dn().as_str(),
Scope::Subtree,
&config.get_ldap_search_filter().as_str(),
fields,
)?
.success()?;
)
.context("LDAP search failure")?
.success()
.context("LDAP search usucessful")?;
// Build list of entries
let mut entries = Vec::new();
@ -120,56 +116,65 @@ fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, Box<dyn E
fn invite_from_ldap(
config: &config::Config,
client: &mut vw_admin::Client,
) -> Result<(), Box<dyn Error>> {
match get_existing_users(client) {
Ok(existing_users) => {
let mail_field = config.get_ldap_mail_field();
let mut num_users = 0;
for ldap_user in search_entries(config)? {
// Safely get first email from list of emails in field
if let Some(user_email) = ldap_user
.attrs
.get(mail_field.as_str())
.and_then(|l| (l.first()))
{
if existing_users.contains(&user_email.to_lowercase()) {
println!("User with email already exists: {}", user_email);
} else {
println!("Try to invite user: {}", user_email);
// TODO: Validate response
let _response = client.invite(user_email);
num_users = num_users + 1;
// println!("Invite response: {:?}", response);
}
} else {
match ldap_user.attrs.get("uid").and_then(|l| l.first()) {
Some(user_uid) =>
println!("Warning: Email field, {:?}, not found on user {}", mail_field, user_uid),
None => println!("Warning: Email field, {:?}, not found on user", mail_field)
}
}
}
) -> Result<(), AnyError> {
let existing_users =
get_existing_users(client).context("Failed to get existing users from server")?;
let mail_field = config.get_ldap_mail_field();
let mut num_users = 0;
// Maybe think about returning this value for some other use
println!("Sent invites to {} user(s).", num_users);
}
Err(e) => {
println!("Error: Failed to get existing users from Bitwarden");
return Err(e);
for ldap_user in search_entries(config)? {
//
// Safely get first email from list of emails in field
if let Some(user_email) = ldap_user
.attrs
.get(mail_field.as_str())
.and_then(|l| (l.first()))
{
if existing_users.contains(&user_email.to_lowercase()) {
println!("User with email already exists: {}", user_email);
} else {
println!("Try to invite user: {}", user_email);
client
.invite(user_email)
.context(format!("Failed to invite user {}", user_email))?;
num_users += 1;
}
} else {
match ldap_user.attrs.get("uid").and_then(|l| l.first()) {
Some(user_uid) => println!(
"Warning: Email field, {:?}, not found on user {}",
mail_field, user_uid
),
None => println!("Warning: Email field, {:?}, not found on user", mail_field),
}
}
}
// Maybe think about returning this value for some other use
println!("Sent invites to {} user(s).", num_users);
Ok(())
}
/// Begin sync loop to invite LDAP users to Bitwarden
fn start_sync_loop(
config: &config::Config,
client: &mut vw_admin::Client,
) -> Result<(), Box<dyn Error>> {
fn start_sync_loop(config: &config::Config, client: &mut vw_admin::Client) -> Result<(), AnyError> {
let interval = Duration::from_secs(config.get_ldap_sync_interval_seconds());
let mut fail_count = 0;
let fail_limit = 5;
loop {
invite_from_ldap(config, client)?;
if let Err(err) = invite_from_ldap(config, client) {
println!(
"Error inviting users from ldap. Count {}: {:?}",
fail_count, err
);
fail_count += 1;
if fail_count > fail_limit {
return Err(err);
}
} else {
fail_count = 0
}
sleep(interval);
}
}

149
src/vw_admin.rs
View File

@ -1,16 +1,26 @@
extern crate reqwest;
extern crate serde;
extern crate thiserror;
use reqwest::Response;
use serde::Deserialize;
use std::collections::HashMap;
use std::error::Error;
use std::fs::File;
use std::io::Read;
use std::time::{Duration, Instant};
use thiserror::Error;
const COOKIE_LIFESPAN: Duration = Duration::from_secs(20 * 60);
#[derive(Error, Debug)]
pub enum ResponseError {
#[error("vaultwarden error {0}")]
ApiError(String),
#[error("http error making request {0:?}")]
HttpError(#[from] reqwest::Error),
}
#[derive(Debug, Deserialize)]
pub struct User {
#[serde(rename = "Email")]
@ -59,7 +69,7 @@ impl Client {
.read_to_end(&mut buf)
.expect("Could not read root cert file");
return reqwest::Certificate::from_der(&buf).expect("Could not load der root cert file");
reqwest::Certificate::from_der(&buf).expect("Could not load DER root cert file")
}
fn get_http_client(&self) -> reqwest::Client {
@ -70,104 +80,97 @@ impl Client {
client = client.add_root_certificate(cert);
}
return client.build().unwrap();
client.build().expect("Failed to build http client")
}
/// Authenticate client
fn auth(&mut self) -> Response {
fn auth(&mut self) -> Result<Response, ResponseError> {
let cookie_created = Instant::now();
let client = self.get_http_client();
let result = client
.post(format!("{}{}", &self.url, "/admin/").as_str())
.form(&[("token", &self.admin_token)])
.send()
.unwrap_or_else(|e| {
panic!("Could not authenticate with {}. {:?}", &self.url, e);
});
.send()?
.error_for_status()?;
// TODO: Handle error statuses
let cookie = result
.headers()
.get(reqwest::header::SET_COOKIE)
.ok_or_else(|| {
ResponseError::ApiError(String::from("Could not read authentication cookie"))
})?;
if let Some(cookie) = result.headers().get(reqwest::header::SET_COOKIE) {
self.cookie = cookie.to_str().map(|s| String::from(s)).ok();
self.cookie_created = Some(cookie_created);
} else {
panic!("Could not authenticate.")
self.cookie = cookie.to_str().map(String::from).ok();
self.cookie_created = Some(cookie_created);
Ok(result)
}
fn cookie_expired(&self) -> bool {
match &self.cookie {
Some(_) => self
.cookie_created
.map_or(true, |created| (created.elapsed() >= COOKIE_LIFESPAN)),
None => true,
}
result
}
/// Ensure that the client has a current auth cookie
fn ensure_auth(&mut self) {
match &self.cookie {
Some(_) => {
if self
.cookie_created
.map_or(true, |created| (created.elapsed() >= COOKIE_LIFESPAN))
{
self.auth();
}
}
None => {
self.auth();
}
};
// TODO: handle errors
fn ensure_auth(&mut self) -> Result<(), ResponseError> {
if self.cookie_expired() {
match self.auth() {
Ok(_) => Ok(()),
Err(err) => Err(err),
}?
}
Ok(())
}
/// Make an authenticated GET to Bitwarden Admin
fn get(&mut self, path: &str) -> Response {
self.ensure_auth();
fn get(&mut self, path: &str) -> Result<Response, ResponseError> {
self.ensure_auth()?;
match &self.cookie {
None => {
panic!("We haven't authenticated. Must be an error");
}
Some(cookie) => {
let url = format!("{}/admin{}", &self.url, path);
let client = self.get_http_client();
let request = client
.get(url.as_str())
.header(reqwest::header::COOKIE, cookie.clone());
let response = request.send().unwrap_or_else(|e| {
panic!("Could not call with {}. {:?}", url, e);
});
let url = format!("{}/admin{}", &self.url, path);
let client = self.get_http_client();
let request = client.get(url.as_str()).header(
reqwest::header::COOKIE,
self.cookie
.as_ref()
.expect("No cookie found to add to header")
.clone(),
);
// TODO: Handle error statuses
let response = request.send()?.error_for_status()?;
return response;
}
}
Ok(response)
}
/// Make authenticated POST to Bitwarden Admin with JSON data
fn post(&mut self, path: &str, json: &HashMap<String, String>) -> Response {
self.ensure_auth();
fn post(
&mut self,
path: &str,
json: &HashMap<String, String>,
) -> Result<Response, ResponseError> {
self.ensure_auth()?;
match &self.cookie {
None => {
panic!("We haven't authenticated. Must be an error");
}
Some(cookie) => {
let url = format!("{}/admin{}", &self.url, path);
let client = self.get_http_client();
let request = client
.post(url.as_str())
.header("Cookie", cookie.clone())
.json(&json);
let response = request.send().unwrap_or_else(|e| {
panic!("Could not call with {}. {:?}", url, e);
});
let url = format!("{}/admin{}", &self.url, path);
let client = self.get_http_client();
let request = client.post(url.as_str()).json(&json).header(
reqwest::header::COOKIE,
self.cookie
.as_ref()
.expect("No cookie found to add to header")
.clone(),
);
// TODO: Handle error statuses
let response = request.send()?.error_for_status()?;
return response;
}
}
Ok(response)
}
/// Invite user with provided email
pub fn invite(&mut self, email: &str) -> Response {
pub fn invite(&mut self, email: &str) -> Result<Response, ResponseError> {
let mut json = HashMap::new();
json.insert("email".to_string(), email.to_string());
@ -175,8 +178,8 @@ impl Client {
}
/// Get all existing users
pub fn users(&mut self) -> Result<Vec<User>, Box<dyn Error>> {
let all_users: Vec<User> = self.get("/users").json()?;
pub fn users(&mut self) -> Result<Vec<User>, ResponseError> {
let all_users: Vec<User> = self.get("/users")?.json()?;
Ok(all_users)
}
}