From c7e6b0dea4321b208f9f028b965cc273f1bdd926 Mon Sep 17 00:00:00 2001 From: Jeremy Date: Thu, 9 Jul 2020 13:35:55 +0800 Subject: [PATCH] Added optional bitwarden_root_cert config to trust an additional root certificate when connecting to the bitwarden_rs instance through http. This can be useful in corporate environments where certificates are issued by a local CA (or for self-signed certificates) --- README.md | 1 + src/bw_admin.rs | 51 +++++++++++++++++++++++++++++++++++-------------- src/config.rs | 8 ++++++++ src/main.rs | 1 + 4 files changed, 47 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index ee54c08..ca58815 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ Configuration values are as follows: |----|----|--------|-----------| |`bitwarden_url`|String||The root URL for accessing `bitwarden_rs`. Eg: `https://bw.example.com`| |`bitwarden_admin_token`|String||The value passed as `ADMIN_TOKEN` to `bitwarden_rs`| +|`bitwarden_root_cert`|String|Optional|Additional der-encoded root certificate to trust for accessing `bitwarden_rs`| |`ldap_host`|String||The hostname or IP address for your ldap server| |`ldap_scheme`|String|Optional|The that should be used to connect. `ldap` or `ldaps`. This is set by default based on SSL settings| |`ldap_ssl`|Boolean|Optional|Indicates if SSL should be used. Defaults to `false`| diff --git a/src/bw_admin.rs b/src/bw_admin.rs index e168a65..34ee24d 100644 --- a/src/bw_admin.rs +++ b/src/bw_admin.rs @@ -6,6 +6,8 @@ use serde::Deserialize; use std::collections::HashMap; use std::error::Error; use std::time::{Duration, Instant}; +use std::fs::File; +use std::io::Read; const COOKIE_LIFESPAN: Duration = Duration::from_secs(20 * 60); @@ -31,29 +33,50 @@ impl User { pub struct Client { url: String, admin_token: String, - cookie: Option, - cookie_created: Option, + root_cert: String, + cookie: Option, + cookie_created: Option } impl Client { /// Create new instance of client - pub fn new(url: String, admin_token: String) -> Client { + pub fn new(url: String, admin_token: String, root_cert: String) -> Client { Client { url, admin_token, - cookie: None, - cookie_created: None, + root_cert, + cookie: None, + cookie_created: None } } + fn get_http_client(&self) -> reqwest::Client { + + let mut client = reqwest::Client::builder() + .redirect(reqwest::RedirectPolicy::none()); + + if !&self.root_cert.is_empty() { + + let mut buf = Vec::new(); + + // read a local binary DER encoded certificate + File::open(&self.root_cert).expect("cannot open root cert").read_to_end(&mut buf).expect("cannot read root cert"); + + // create a certificate + let cert = reqwest::Certificate::from_der(&buf).expect("could not load der certificate"); + + // add the root cert + client = client.add_root_certificate(cert); + } + + return client.build().unwrap(); + } + /// Authenticate client fn auth(&mut self) -> Response { + let cookie_created = Instant::now(); - let client = reqwest::Client::builder() - // Avoid redirects because server will redirect to admin page after auth - .redirect(reqwest::RedirectPolicy::none()) - .build() - .unwrap(); + let client = &self.get_http_client(); let result = client .post(format!("{}{}", &self.url, "/admin/").as_str()) .form(&[("token", &self.admin_token)]) @@ -102,8 +125,8 @@ impl Client { } Some(cookie) => { let url = format!("{}/admin{}", &self.url, path); - let request = reqwest::Client::new() - .get(url.as_str()) + let client = self.get_http_client(); + let request = client.get(url.as_str()) .header(reqwest::header::COOKIE, cookie.clone()); let response = request.send().unwrap_or_else(|e| { panic!("Could not call with {}. {:?}", url, e); @@ -126,8 +149,8 @@ impl Client { } Some(cookie) => { let url = format!("{}/admin{}", &self.url, path); - let request = reqwest::Client::new() - .post(url.as_str()) + let client = self.get_http_client(); + let request = client.post(url.as_str()) .header("Cookie", cookie.clone()) .json(&json); let response = request.send().unwrap_or_else(|e| { diff --git a/src/config.rs b/src/config.rs index c63591c..958464a 100644 --- a/src/config.rs +++ b/src/config.rs @@ -38,6 +38,7 @@ pub struct Config { // Bitwarden connection config bitwarden_url: String, bitwarden_admin_token: String, + bitwarden_root_cert: Option, // LDAP Connection config ldap_host: String, ldap_scheme: Option, @@ -71,6 +72,13 @@ impl Config { self.bitwarden_admin_token.clone() } + pub fn get_bitwarden_root_cert(&self) -> String { + match &self.bitwarden_root_cert { + Some(bitwarden_root_cert) => bitwarden_root_cert.clone(), + None => String::new(), + } + } + pub fn get_ldap_url(&self) -> String { format!( "{}://{}:{}", diff --git a/src/main.rs b/src/main.rs index 1be6919..3698012 100644 --- a/src/main.rs +++ b/src/main.rs @@ -15,6 +15,7 @@ fn main() { let mut client = bw_admin::Client::new( config.get_bitwarden_url().clone(), config.get_bitwarden_admin_token().clone(), + config.get_bitwarden_root_cert().clone() ); if let Err(e) = invite_users(&config, &mut client, config.get_ldap_sync_loop()) {