chore: use ubuntu image to reduce image size (#142)

* chore: use ubuntu image to reduce image size

* fix(lint): hadolint issues

.github/dependabot.yml

@@ -0,0 +1,22 @@
+# Docs: <https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/customizing-dependency-updates>
+
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]
+
+  - package-ecosystem: docker
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]
+
+  - package-ecosystem: cargo
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]

.github/workflows/cargo.yml

@@ -0,0 +1,35 @@
+---
+name: Tests
+
+"on":
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build
+        run: cargo build --verbose
+
+      - name: Run tests
+        run: cargo test --verbose
+
+      - uses: actions/setup-python@v4
+
+      - name: Run pre-commit hooks
+        uses: pre-commit/action@v3.0.0
+        env:
+          SKIP: hadolint
+
+      - name: Run hadolint
+        uses: hadolint/hadolint-action@v3.1.0

.github/workflows/docker.yml

@@ -0,0 +1,56 @@
+---
+name: Docker
+
+"on":
+  push:
+    branches:
+      - master
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  docker:
+    strategy:
+      matrix:
+        include:
+          - dockerfile: Dockerfile
+            latest: "auto"
+            suffix: ""
+          - dockerfile: Dockerfile.alpine
+            latest: "false"
+            suffix: "-alpine"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: vividboarder/vaultwarden_ldap
+          flavor: |
+            latest=${{ matrix.latest }}
+            suffix=${{ matrix.suffix }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ${{ matrix.dockerfile }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.4.0
+    rev: v4.1.0
     hooks:
       - id: check-added-large-files
       - id: check-yaml
@@ -16,7 +16,10 @@ repos:
       - id: cargo-check
       - id: clippy
   - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v2.0.0
+    rev: v2.0.1
     hooks:
       - id: docker-compose-check
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.8.0
+    hooks:
       - id: hadolint

Cargo.toml

@@ -1,12 +1,17 @@
 [package]
 name = "vaultwarden_ldap"
-version = "0.4.0"
+version = "1.0.0"
 authors = ["ViViDboarder <vividboarder@gmail.com>"]
 edition = "2018"
 
 [dependencies]
-ldap3 = "0.6"
+ldap3 = "0.11"
 serde = { version = "1.0", features = ["derive"] }
 toml = "0.5"
-reqwest = "0.9"
+reqwest = { version = "0.11", features = ["json", "blocking"] }
 serde_json = "1.0"
+thiserror = "1.0"
+anyhow = "1.0"
+envy = "0.4.1"
+pledge = "0.4.2"
+unveil = "0.3.2"

Dockerfile

@@ -1,4 +1,7 @@
-FROM rust:1.46
+ARG BUILD_TAG=1.57.0
+ARG RUN_TAG=$BUILD_TAG
+
+FROM rust:$BUILD_TAG as builder
 
 WORKDIR /usr/src/
 RUN USER=root cargo new --bin vaultwarden_ldap
@@ -9,9 +12,15 @@ COPY Cargo.toml Cargo.lock ./
 RUN cargo build --locked --release
 
 # Remove bins to make sure we rebuild
+# hadolint ignore=DL3059
 RUN rm ./target/release/deps/vaultwarden_ldap*
 # Copy source and install
 COPY src ./src
-RUN cargo install --path .
+RUN cargo build --release
 
-CMD ["vaultwarden_ldap"]
+FROM ubuntu:focal
+WORKDIR /app
+RUN apt-get update -y && apt-get install -y libssl-dev=1.1.1f-1ubuntu2.20 --no-install-recommends && rm -rf /var/lib/apt/lists/*
+COPY --from=builder /usr/src/vaultwarden_ldap/target/release/vaultwarden_ldap /usr/local/bin/
+
+CMD ["/usr/local/bin/vaultwarden_ldap"]

Dockerfile.alpine

@@ -1,21 +1,21 @@
-FROM ekidd/rust-musl-builder:1.46.0 AS builder
+FROM ekidd/rust-musl-builder:1.57.0 AS builder
+
+WORKDIR /home/rust/src
 
 # Cache build deps
 RUN USER=rust cargo init
-COPY Cargo.toml Cargo.lock ./
-RUN cargo build --locked --release
+COPY --chown=rust:rust Cargo.toml Cargo.lock ./
+RUN cargo build --locked --release && \
+        rm src/*.rs
 
-# Remove temp src
-RUN rm src/*.rs
-# Remove bins to make sure we rebuild
-# RUN rm ./target/release/deps/vaultwarden_ldap*
 COPY --chown=rust:rust ./src ./src
-RUN touch ./src/main.rs
-
+RUN USER=rust touch ./src/main.rs
+# hadolint ignore=DL3059
 RUN cargo build --release
 
 FROM alpine:3
-RUN apk --no-cache add ca-certificates=20191127-r5
+# hadolint ignore=DL3018
+RUN apk --no-cache add ca-certificates
 COPY --from=builder \
     /home/rust/src/target/x86_64-unknown-linux-musl/release/vaultwarden_ldap \
     /usr/local/bin/

Makefile

@@ -14,6 +14,9 @@ target/debug/vaultwarden_ldap: src/
 target/release/vaultwarden_ldap: src/
 	cargo build --locked --release
 
+.PHONY: build
+build: debug
+
 .PHONY: debug
 debug: target/debug/vaultwarden_ldap
 
@@ -30,6 +33,38 @@ run-debug: target/debug/vaultwarden_ldap
 test:
 	cargo test
 
+# Run bootstrapped integration test
+.PHONY: itest
+itest:
+	docker-compose -f docker-compose.yml \
+		-f itest/docker-compose.itest.yml \
+		build
+	docker-compose -f docker-compose.yml \
+		-f itest/docker-compose.itest.yml \
+		up -d vaultwarden ldap
+	docker-compose -f docker-compose.yml \
+		-f itest/docker-compose.itest.yml \
+		run ldap_sync
+	docker-compose stop
+
+# Run bootstrapped integration test using env for config
+.PHONY: itest-env
+itest-env:
+	docker-compose -f docker-compose.yml \
+		-f itest/docker-compose.itest-env.yml \
+		build
+	docker-compose -f docker-compose.yml \
+		-f itest/docker-compose.itest-env.yml \
+		up -d vaultwarden ldap
+	docker-compose -f docker-compose.yml \
+		-f itest/docker-compose.itest-env.yml \
+		run ldap_sync
+	docker-compose stop
+
+.PHONY: clean-itest
+clean-itest:
+	docker-compose down -v
+
 # Installs pre-commit hooks
 .PHONY: install-hooks
 install-hooks:
@@ -49,6 +84,9 @@ check-version:
 clean:
 	rm -f ./target
 
+.PHONY: docker-build-all
+docker-build-all: docker-build docker-build-alpine
+
 .PHONY: docker-build
 docker-build:
 	docker build -f ./Dockerfile -t $(DOCKER_TAG) .

README.md

@@ -1,7 +1,7 @@
 # vaultwarden_ldap
-An LDAP connector for [vaultwarden](https://github.com/dani-garcia/vaultwarden)
+LDAP user invites for [vaultwarden](https://github.com/dani-garcia/vaultwarden)
 
-After configuring, run `vaultwarden_ldap` and it will invite any users it finds in LDAP to your `vaultwarden` instance.
+After configuring, run `vaultwarden_ldap` and it will invite any users it finds in LDAP to your `vaultwarden` instance. This is NOT a sync tool like the [Bitwarden Directory Connector](https://bitwarden.com/help/directory-sync/).
 
 ## Deploying
 
@@ -34,6 +34,8 @@ Configuration values are as follows:
 |`ldap_sync_interval_seconds`|Integer|Optional|Number of seconds to wait between each LDAP request. Defaults to `60`|
 |`ldap_sync_loop`|Boolean|Optional|Indicates whether or not syncing should be polled in a loop or done once. Defaults to `true`|
 
+Alternatively, instead of using `config.toml`, all values can be provided using enviroment variables prefixed with `APP_`. For example: `APP_VAULTWARDEN_URL=https://vault.example.com`
+
 ## Development
 
 This repo has a predefined set of [pre-commit](https://pre-commit.com) rules. You can install pre-commit via any means you'd like. Once your system has `pre-commit` installed, you can run `make install-hooks` to ensure the hooks will run with every commit. You can also force running all hooks with `make check`.
@@ -42,7 +44,18 @@ For those less familiar with `cargo`, you can use the `make` targets that have b
 
 ## Testing
 
-All testing is manual right now. First step is to set up Bitwarden and the LDAP server.
+There are no unit tests, but there are integration tests that require manual verification.
+
+### Integration tests
+
+Running `make itest` will spin up an ldap server with a test user, a Vaultwarden server, and then run the sync. If successful the log should show an invitation sent to the test user. If you run `make itest` again, it should show no invites sent because the user already has been invited. If you'd like to reset the testing, `make clean-itest` will clear out the Vaultwarden database and start fresh.
+
+It's also possible to test passing configs via enviornment variables by running `make itest-env`. The validation steps are the same.
+
+
+### Steps for manual testing
+
+The first step is to set up Bitwarden and the LDAP server.
 
 ```bash
 docker-compose up -d vaultwarden ldap ldap_admin
@@ -69,7 +82,6 @@ From there you can set up your test group and users.
 docker-compose up ldap_sync
 ```
 
-## Future
+Alternately, you can bootstrap some of this by running:
 
-* Any kind of proper logging
-* Tests
+    docker-compose -f docker-compose.yml -f itest/docker-compose.itest.yml up --build

docker-compose.yml

@@ -4,7 +4,7 @@ services:
   ldap_sync:
     build:
       context: .
-      dockerfile: Dockerfile.alpine
+      dockerfile: Dockerfile
     volumes:
       - ./example.config.toml:/config.toml:ro
       # ./root.cert:/usr/src/vaultwarden_ldap/root.cert:ro
@@ -24,12 +24,10 @@ services:
       ADMIN_TOKEN: admin
       SIGNUPS_ALLOWED: 'false'
       INVITATIONS_ALLOWED: 'true'
+      I_REALLY_WANT_VOLATILE_STORAGE: 'true'
 
   ldap:
     image: osixia/openldap
-    ports:
-      - 389:389
-      - 636:636
     volumes:
       - /var/lib/ldap
       - /etc/ldap/slapd.d

itest/50-seed-user.ldif

@@ -0,0 +1,53 @@
+# LDIF Export for cn=Users,dc=example,dc=org
+# Server: ldap (ldap)
+# Search Scope: sub
+# Search Filter: (objectClass=*)
+# Total Entries: 2
+#
+# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on May 4, 2021 6:06 pm
+# Version: 1.2.5
+
+version: 1
+
+# Entry 1: cn=Users,dc=example,dc=org
+dn: cn=Users,dc=example,dc=org
+cn: Users
+gidnumber: 500
+objectclass: posixGroup
+objectclass: top
+
+# Entry 2: cn=Someone,cn=Users,dc=example,dc=org
+dn: cn=Someone,cn=Users,dc=example,dc=org
+cn:  Someone
+gidnumber: 500
+homedirectory: /home/users/someone
+mail: test@example.com
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: Someone
+uid: someone
+uidnumber: 1000
+
+# Entry 3: cn=SomeoneNoEmail,cn=Users,dc=example,dc=org
+dn: cn=SomeoneNoEmail,cn=Users,dc=example,dc=org
+cn:  SomeoneNoEmail
+gidnumber: 500
+homedirectory: /home/users/someonenoemail
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: SomeoneNoEmail
+uid: someonenoemail
+uidnumber: 1001
+
+# Entry 4: cn=SomeoneNoEmailNoUid,cn=Users,dc=example,dc=org
+# dn: cn=SomeoneNoEmailNoUid,cn=Users,dc=example,dc=org
+# cn:  SomeoneNoEmailNoUid
+# gidnumber: 500
+# homedirectory: /home/users/someonenoemailnoUid
+# objectclass: inetOrgPerson
+# objectclass: posixAccount
+# objectclass: top
+# sn: SomeoneNoEmail
+# uidnumber: 1002

itest/docker-compose.itest-env.yml

@@ -0,0 +1,21 @@
+---
+version: '3'
+services:
+  ldap_sync:
+    environment:
+      CONFIG_PATH: ""
+      APP_VAULTWARDEN_URL: "http://vaultwarden:80"
+      APP_VAULTWARDEN_ADMIN_TOKEN: "admin"
+      APP_LDAP_HOST: "ldap"
+      APP_LDAP_BIND_DN: "cn=admin,dc=example,dc=org"
+      APP_LDAP_BIND_PASSWORD: "admin"
+      APP_LDAP_SEARCH_BASE_DN: "dc=example,dc=org"
+      APP_LDAP_SEARCH_FILTER: "(&(objectClass=*)(uid=*))"
+      APP_LDAP_SYNC_LOOP: "false"
+
+  vaultwarden: {}
+
+  ldap:
+    command: ["--copy-service"]
+    volumes:
+      - ./itest/50-seed-user.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-seed-user.ldif

itest/docker-compose.itest.yml

@@ -0,0 +1,13 @@
+---
+version: '3'
+services:
+  ldap_sync:
+    volumes:
+      - ./itest/config.toml:/config.toml:ro
+
+  vaultwarden: {}
+
+  ldap:
+    command: ["--copy-service"]
+    volumes:
+      - ./itest/50-seed-user.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-seed-user.ldif

src/config.rs

@@ -17,18 +17,41 @@ pub fn get_config_path() -> String {
     }
 }
 
-/// Reads configuration from file and panics if it can't
+// Tries to read configuration from file, failing that from the environment,
+// panics if it can't
 pub fn read_config() -> Config {
+    match read_config_from_file() {
+        Ok(config) => config,
+        Err(err) => {
+            println!("{}", err);
+            match read_config_from_env() {
+                Ok(config) => config,
+                Err(err) => panic!("{}", err),
+            }
+        }
+    }
+}
+
+/// Tries to read configuration from file
+pub fn read_config_from_file() -> Result<Config, String> {
     let config_path = get_config_path();
 
-    let contents = fs::read_to_string(&config_path).unwrap_or_else(|_| {
-        panic!("Failed to open config file at {}", config_path);
-    });
-    let config: Config = toml::from_str(contents.as_str()).unwrap_or_else(|_| {
-        panic!("Failed to parse config file at {}", config_path);
-    });
+    let contents = fs::read_to_string(&config_path)
+        .map_err(|err| format!("Failed to open config file at {}: {}", config_path, err))?;
+    let config: Config = toml::from_str(contents.as_str())
+        .map_err(|err| format!("Failed to parse config file at {}: {}", config_path, err))?;
 
-    config
+    println!("Config read from file at {}", config_path);
+    Ok(config)
+}
+
+// Tries to read configuration from environment
+pub fn read_config_from_env() -> Result<Config, String> {
+    let config = envy::prefixed("APP_")
+        .from_env()
+        .map_err(|err| format!("Error parsing config from env: {}", err))?;
+    println!("Config read from environment");
+    Ok(config)
 }
 
 #[derive(Deserialize)]
@@ -151,7 +174,7 @@ impl Config {
     pub fn get_ldap_mail_field(&self) -> String {
         match &self.ldap_mail_field {
             Some(mail_field) => mail_field.clone(),
-            None => String::from("mail").clone(),
+            None => String::from("mail"),
         }
     }
 

src/main.rs

@@ -1,11 +1,18 @@
+extern crate anyhow;
 extern crate ldap3;
+extern crate pledge;
+extern crate unveil;
 
 use std::collections::HashSet;
-use std::error::Error;
 use std::thread::sleep;
 use std::time::Duration;
 
+use anyhow::Context as _;
+use anyhow::Error as AnyError;
+use anyhow::Result;
 use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
+use pledge::pledge;
+use unveil::unveil;
 
 mod config;
 mod vw_admin;
@@ -13,34 +20,38 @@ mod vw_admin;
 fn main() {
     let config = config::Config::from_file();
     let mut client = vw_admin::Client::new(
-        config.get_vaultwarden_url().clone(),
-        config.get_vaultwarden_admin_token().clone(),
-        config.get_vaultwarden_root_cert_file().clone(),
+        config.get_vaultwarden_url(),
+        config.get_vaultwarden_admin_token(),
+        config.get_vaultwarden_root_cert_file(),
     );
 
-    if let Err(e) = invite_users(&config, &mut client, config.get_ldap_sync_loop()) {
-        panic!("{}", e);
-    }
+    unveil(config::get_config_path(), "r")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not unveil config file");
+    unveil("", "")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not disable further unveils");
+    pledge("dns flock inet rpath stdio tty", "")
+        .or_else(pledge::Error::ignore_platform)
+        .expect("Could not pledge permissions");
+
+    invite_users(&config, &mut client, config.get_ldap_sync_loop())
 }
 
 /// Invites new users to Bitwarden from LDAP
-fn invite_users(
-    config: &config::Config,
-    client: &mut vw_admin::Client,
-    start_loop: bool,
-) -> Result<(), Box<dyn Error>> {
+fn invite_users(config: &config::Config, client: &mut vw_admin::Client, start_loop: bool) {
     if start_loop {
-        start_sync_loop(config, client)?;
+        start_sync_loop(config, client).expect("Failed to start invite sync loop");
     } else {
-        invite_from_ldap(config, client)?;
+        invite_from_ldap(config, client).expect("Failed to invite users");
     }
-
-    Ok(())
 }
 
 /// Creates set of email addresses for users that already exist in Bitwarden
-fn get_existing_users(client: &mut vw_admin::Client) -> Result<HashSet<String>, Box<dyn Error>> {
-    let all_users = client.users()?;
+fn get_existing_users(client: &mut vw_admin::Client) -> Result<HashSet<String>, AnyError> {
+    let all_users = client
+        .users()
+        .context("Could not get list of existing users from server")?;
     let mut user_emails = HashSet::with_capacity(all_users.len());
     for user in all_users {
         user_emails.insert(user.get_email().to_lowercase());
@@ -67,45 +78,44 @@ fn ldap_client(
     bind_pw: String,
     no_tls_verify: bool,
     starttls: bool,
-) -> Result<LdapConn, Box<dyn Error>> {
+) -> Result<LdapConn, AnyError> {
     let settings = LdapConnSettings::new()
         .set_starttls(starttls)
         .set_no_tls_verify(no_tls_verify);
-    let ldap = LdapConn::with_settings(settings, ldap_url.as_str())?;
-    match ldap.simple_bind(bind_dn.as_str(), bind_pw.as_str()) {
-        _ => {}
-    };
+    let mut ldap = LdapConn::with_settings(settings, ldap_url.as_str())
+        .context("Failed to connect to LDAP server")?;
+    ldap.simple_bind(bind_dn.as_str(), bind_pw.as_str())
+        .context("Could not bind to LDAP server")?;
 
     Ok(ldap)
 }
 
 /// Retrieves search results from ldap
-fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, Box<dyn Error>> {
-    let ldap = ldap_client(
+fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, AnyError> {
+    let mut ldap = ldap_client(
         config.get_ldap_url(),
         config.get_ldap_bind_dn(),
         config.get_ldap_bind_password(),
         config.get_ldap_no_tls_verify(),
         config.get_ldap_starttls(),
-    );
-
-    if ldap.is_err() {
-        println!("Error: Could not bind to ldap server");
-    }
+    )
+    .context("LDAP client initialization failed")?;
 
     let mail_field = config.get_ldap_mail_field();
     let fields = vec!["uid", "givenname", "sn", "cn", mail_field.as_str()];
 
-    // TODO: Something something error handling
-    let (results, _res) = ldap?
+    // Something something error handling
+    let (results, _res) = ldap
         .with_search_options(SearchOptions::new().deref(DerefAliases::Always))
         .search(
-            &config.get_ldap_search_base_dn().as_str(),
+            config.get_ldap_search_base_dn().as_str(),
             Scope::Subtree,
-            &config.get_ldap_search_filter().as_str(),
+            config.get_ldap_search_filter().as_str(),
             fields,
-        )?
-        .success()?;
+        )
+        .context("LDAP search failure")?
+        .success()
+        .context("LDAP search usucessful")?;
 
     // Build list of entries
     let mut entries = Vec::new();
@@ -120,52 +130,65 @@ fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, Box<dyn E
 fn invite_from_ldap(
     config: &config::Config,
     client: &mut vw_admin::Client,
-) -> Result<(), Box<dyn Error>> {
-    match get_existing_users(client) {
-        Ok(existing_users) => {
-            let mail_field = config.get_ldap_mail_field();
-            let mut num_users = 0;
-            for ldap_user in search_entries(config)? {
-                // Safely get first email from list of emails in field
-                if let Some(user_email) = ldap_user
-                    .attrs
-                    .get(mail_field.as_str())
-                    .and_then(|l| (l.first()))
-                {
-                    if existing_users.contains(&user_email.to_lowercase()) {
-                        println!("User with email already exists: {}", user_email);
-                    } else {
-                        println!("Try to invite user: {}", user_email);
-                        // TODO: Validate response
-                        let _response = client.invite(user_email);
-                        num_users = num_users + 1;
-                        // println!("Invite response: {:?}", response);
-                    }
-                } else {
-                    println!("Warning: Email field, {:?}, not found on user", mail_field);
-                }
-            }
+) -> Result<(), AnyError> {
+    let existing_users =
+        get_existing_users(client).context("Failed to get existing users from server")?;
+    let mail_field = config.get_ldap_mail_field();
+    let mut num_users = 0;
 
-            // Maybe think about returning this value for some other use
-            println!("Sent invites to {} user(s).", num_users);
-        }
-        Err(e) => {
-            println!("Error: Failed to get existing users from Bitwarden");
-            return Err(e);
+    for ldap_user in search_entries(config)? {
+        //
+        // Safely get first email from list of emails in field
+        if let Some(user_email) = ldap_user
+            .attrs
+            .get(mail_field.as_str())
+            .and_then(|l| (l.first()))
+        {
+            if existing_users.contains(&user_email.to_lowercase()) {
+                println!("User with email already exists: {}", user_email);
+            } else {
+                println!("Try to invite user: {}", user_email);
+                client
+                    .invite(user_email)
+                    .context(format!("Failed to invite user {}", user_email))?;
+                num_users += 1;
+            }
+        } else {
+            match ldap_user.attrs.get("uid").and_then(|l| l.first()) {
+                Some(user_uid) => println!(
+                    "Warning: Email field, {:?}, not found on user {}",
+                    mail_field, user_uid
+                ),
+                None => println!("Warning: Email field, {:?}, not found on user", mail_field),
+            }
         }
     }
 
+    // Maybe think about returning this value for some other use
+    println!("Sent invites to {} user(s).", num_users);
+
     Ok(())
 }
 
 /// Begin sync loop to invite LDAP users to Bitwarden
-fn start_sync_loop(
-    config: &config::Config,
-    client: &mut vw_admin::Client,
-) -> Result<(), Box<dyn Error>> {
+fn start_sync_loop(config: &config::Config, client: &mut vw_admin::Client) -> Result<(), AnyError> {
     let interval = Duration::from_secs(config.get_ldap_sync_interval_seconds());
+    let mut fail_count = 0;
+    let fail_limit = 5;
     loop {
-        invite_from_ldap(config, client)?;
+        if let Err(err) = invite_from_ldap(config, client) {
+            println!(
+                "Error inviting users from ldap. Count {}: {:?}",
+                fail_count, err
+            );
+            fail_count += 1;
+            if fail_count > fail_limit {
+                return Err(err);
+            }
+        } else {
+            fail_count = 0
+        }
+
         sleep(interval);
     }
 }

src/vw_admin.rs

@@ -1,16 +1,26 @@
 extern crate reqwest;
 extern crate serde;
+extern crate thiserror;
 
-use reqwest::Response;
+use reqwest::blocking::Response;
 use serde::Deserialize;
 use std::collections::HashMap;
-use std::error::Error;
 use std::fs::File;
 use std::io::Read;
 use std::time::{Duration, Instant};
+use thiserror::Error;
 
 const COOKIE_LIFESPAN: Duration = Duration::from_secs(20 * 60);
 
+#[derive(Error, Debug)]
+pub enum ResponseError {
+    #[error("vaultwarden error {0}")]
+    ApiError(String),
+
+    #[error("http error making request {0:?}")]
+    HttpError(#[from] reqwest::Error),
+}
+
 #[derive(Debug, Deserialize)]
 pub struct User {
     #[serde(rename = "Email")]
@@ -59,115 +69,109 @@ impl Client {
             .read_to_end(&mut buf)
             .expect("Could not read root cert file");
 
-        return reqwest::Certificate::from_der(&buf).expect("Could not load der root cert file");
+        reqwest::Certificate::from_der(&buf).expect("Could not load DER root cert file")
     }
 
-    fn get_http_client(&self) -> reqwest::Client {
-        let mut client = reqwest::Client::builder().redirect(reqwest::RedirectPolicy::none());
+    fn get_http_client(&self) -> reqwest::blocking::Client {
+        let mut client =
+            reqwest::blocking::Client::builder().redirect(reqwest::redirect::Policy::none());
 
         if !&self.root_cert_file.is_empty() {
             let cert = self.get_root_cert();
             client = client.add_root_certificate(cert);
         }
 
-        return client.build().unwrap();
+        client.build().expect("Failed to build http client")
     }
 
     /// Authenticate client
-    fn auth(&mut self) -> Response {
+    fn auth(&mut self) -> Result<Response, ResponseError> {
         let cookie_created = Instant::now();
         let client = self.get_http_client();
         let result = client
             .post(format!("{}{}", &self.url, "/admin/").as_str())
             .form(&[("token", &self.admin_token)])
-            .send()
-            .unwrap_or_else(|e| {
-                panic!("Could not authenticate with {}. {:?}", &self.url, e);
-            });
+            .send()?
+            .error_for_status()?;
 
-        // TODO: Handle error statuses
+        let cookie = result
+            .headers()
+            .get(reqwest::header::SET_COOKIE)
+            .ok_or_else(|| {
+                ResponseError::ApiError(String::from("Could not read authentication cookie"))
+            })?;
 
-        if let Some(cookie) = result.headers().get(reqwest::header::SET_COOKIE) {
-            self.cookie = cookie.to_str().map(|s| String::from(s)).ok();
-            self.cookie_created = Some(cookie_created);
-        } else {
-            panic!("Could not authenticate.")
+        self.cookie = cookie.to_str().map(String::from).ok();
+        self.cookie_created = Some(cookie_created);
+
+        Ok(result)
+    }
+
+    fn cookie_expired(&self) -> bool {
+        match &self.cookie {
+            Some(_) => self
+                .cookie_created
+                .map_or(true, |created| (created.elapsed() >= COOKIE_LIFESPAN)),
+            None => true,
         }
-
-        result
     }
 
     /// Ensure that the client has a current auth cookie
-    fn ensure_auth(&mut self) {
-        match &self.cookie {
-            Some(_) => {
-                if self
-                    .cookie_created
-                    .map_or(true, |created| (created.elapsed() >= COOKIE_LIFESPAN))
-                {
-                    self.auth();
-                }
-            }
-            None => {
-                self.auth();
-            }
-        };
-        // TODO: handle errors
+    fn ensure_auth(&mut self) -> Result<(), ResponseError> {
+        if self.cookie_expired() {
+            match self.auth() {
+                Ok(_) => Ok(()),
+                Err(err) => Err(err),
+            }?
+        }
+
+        Ok(())
     }
 
     /// Make an authenticated GET to Bitwarden Admin
-    fn get(&mut self, path: &str) -> Response {
-        self.ensure_auth();
+    fn get(&mut self, path: &str) -> Result<Response, ResponseError> {
+        self.ensure_auth()?;
 
-        match &self.cookie {
-            None => {
-                panic!("We haven't authenticated. Must be an error");
-            }
-            Some(cookie) => {
-                let url = format!("{}/admin{}", &self.url, path);
-                let client = self.get_http_client();
-                let request = client
-                    .get(url.as_str())
-                    .header(reqwest::header::COOKIE, cookie.clone());
-                let response = request.send().unwrap_or_else(|e| {
-                    panic!("Could not call with {}. {:?}", url, e);
-                });
+        let url = format!("{}/admin{}", &self.url, path);
+        let client = self.get_http_client();
+        let request = client.get(url.as_str()).header(
+            reqwest::header::COOKIE,
+            self.cookie
+                .as_ref()
+                .expect("No cookie found to add to header")
+                .clone(),
+        );
 
-                // TODO: Handle error statuses
+        let response = request.send()?.error_for_status()?;
 
-                return response;
-            }
-        }
+        Ok(response)
     }
 
     /// Make authenticated POST to Bitwarden Admin with JSON data
-    fn post(&mut self, path: &str, json: &HashMap<String, String>) -> Response {
-        self.ensure_auth();
+    fn post(
+        &mut self,
+        path: &str,
+        json: &HashMap<String, String>,
+    ) -> Result<Response, ResponseError> {
+        self.ensure_auth()?;
 
-        match &self.cookie {
-            None => {
-                panic!("We haven't authenticated. Must be an error");
-            }
-            Some(cookie) => {
-                let url = format!("{}/admin{}", &self.url, path);
-                let client = self.get_http_client();
-                let request = client
-                    .post(url.as_str())
-                    .header("Cookie", cookie.clone())
-                    .json(&json);
-                let response = request.send().unwrap_or_else(|e| {
-                    panic!("Could not call with {}. {:?}", url, e);
-                });
+        let url = format!("{}/admin{}", &self.url, path);
+        let client = self.get_http_client();
+        let request = client.post(url.as_str()).json(&json).header(
+            reqwest::header::COOKIE,
+            self.cookie
+                .as_ref()
+                .expect("No cookie found to add to header")
+                .clone(),
+        );
 
-                // TODO: Handle error statuses
+        let response = request.send()?.error_for_status()?;
 
-                return response;
-            }
-        }
+        Ok(response)
     }
 
     /// Invite user with provided email
-    pub fn invite(&mut self, email: &str) -> Response {
+    pub fn invite(&mut self, email: &str) -> Result<Response, ResponseError> {
         let mut json = HashMap::new();
         json.insert("email".to_string(), email.to_string());
 
@@ -175,8 +179,8 @@ impl Client {
     }
 
     /// Get all existing users
-    pub fn users(&mut self) -> Result<Vec<User>, Box<dyn Error>> {
-        let all_users: Vec<User> = self.get("/users").json()?;
+    pub fn users(&mut self) -> Result<Vec<User>, ResponseError> {
+        let all_users: Vec<User> = self.get("/users")?.json()?;
         Ok(all_users)
     }
 }