Added optional bitwarden_root_cert config to trust an additional root certificate when connecting to the bitwarden_rs instance through http. This can be useful in corporate environments where certificates are issued by a local CA (or for self-signed certificates)

This commit is contained in:
Jeremy 2020-07-09 13:35:55 +08:00
parent 2e5c4c5b55
commit c7e6b0dea4
4 changed files with 47 additions and 14 deletions

View File

@ -19,6 +19,7 @@ Configuration values are as follows:
|----|----|--------|-----------|
|`bitwarden_url`|String||The root URL for accessing `bitwarden_rs`. Eg: `https://bw.example.com`|
|`bitwarden_admin_token`|String||The value passed as `ADMIN_TOKEN` to `bitwarden_rs`|
|`bitwarden_root_cert`|String|Optional|Additional der-encoded root certificate to trust for accessing `bitwarden_rs`|
|`ldap_host`|String||The hostname or IP address for your ldap server|
|`ldap_scheme`|String|Optional|The that should be used to connect. `ldap` or `ldaps`. This is set by default based on SSL settings|
|`ldap_ssl`|Boolean|Optional|Indicates if SSL should be used. Defaults to `false`|

View File

@ -6,6 +6,8 @@ use serde::Deserialize;
use std::collections::HashMap;
use std::error::Error;
use std::time::{Duration, Instant};
use std::fs::File;
use std::io::Read;
const COOKIE_LIFESPAN: Duration = Duration::from_secs(20 * 60);
@ -31,29 +33,50 @@ impl User {
pub struct Client {
url: String,
admin_token: String,
cookie: Option<String>,
cookie_created: Option<Instant>,
root_cert: String,
cookie: Option<String>,
cookie_created: Option<Instant>
}
impl Client {
/// Create new instance of client
pub fn new(url: String, admin_token: String) -> Client {
pub fn new(url: String, admin_token: String, root_cert: String) -> Client {
Client {
url,
admin_token,
cookie: None,
cookie_created: None,
root_cert,
cookie: None,
cookie_created: None
}
}
fn get_http_client(&self) -> reqwest::Client {
let mut client = reqwest::Client::builder()
.redirect(reqwest::RedirectPolicy::none());
if !&self.root_cert.is_empty() {
let mut buf = Vec::new();
// read a local binary DER encoded certificate
File::open(&self.root_cert).expect("cannot open root cert").read_to_end(&mut buf).expect("cannot read root cert");
// create a certificate
let cert = reqwest::Certificate::from_der(&buf).expect("could not load der certificate");
// add the root cert
client = client.add_root_certificate(cert);
}
return client.build().unwrap();
}
/// Authenticate client
fn auth(&mut self) -> Response {
let cookie_created = Instant::now();
let client = reqwest::Client::builder()
// Avoid redirects because server will redirect to admin page after auth
.redirect(reqwest::RedirectPolicy::none())
.build()
.unwrap();
let client = &self.get_http_client();
let result = client
.post(format!("{}{}", &self.url, "/admin/").as_str())
.form(&[("token", &self.admin_token)])
@ -102,8 +125,8 @@ impl Client {
}
Some(cookie) => {
let url = format!("{}/admin{}", &self.url, path);
let request = reqwest::Client::new()
.get(url.as_str())
let client = self.get_http_client();
let request = client.get(url.as_str())
.header(reqwest::header::COOKIE, cookie.clone());
let response = request.send().unwrap_or_else(|e| {
panic!("Could not call with {}. {:?}", url, e);
@ -126,8 +149,8 @@ impl Client {
}
Some(cookie) => {
let url = format!("{}/admin{}", &self.url, path);
let request = reqwest::Client::new()
.post(url.as_str())
let client = self.get_http_client();
let request = client.post(url.as_str())
.header("Cookie", cookie.clone())
.json(&json);
let response = request.send().unwrap_or_else(|e| {

View File

@ -38,6 +38,7 @@ pub struct Config {
// Bitwarden connection config
bitwarden_url: String,
bitwarden_admin_token: String,
bitwarden_root_cert: Option<String>,
// LDAP Connection config
ldap_host: String,
ldap_scheme: Option<String>,
@ -71,6 +72,13 @@ impl Config {
self.bitwarden_admin_token.clone()
}
pub fn get_bitwarden_root_cert(&self) -> String {
match &self.bitwarden_root_cert {
Some(bitwarden_root_cert) => bitwarden_root_cert.clone(),
None => String::new(),
}
}
pub fn get_ldap_url(&self) -> String {
format!(
"{}://{}:{}",

View File

@ -15,6 +15,7 @@ fn main() {
let mut client = bw_admin::Client::new(
config.get_bitwarden_url().clone(),
config.get_bitwarden_admin_token().clone(),
config.get_bitwarden_root_cert().clone()
);
if let Err(e) = invite_users(&config, &mut client, config.get_ldap_sync_loop()) {