Bump reqwest from 0.12.8 to 0.12.9

Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.8 to 0.12.9.
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](https://github.com/seanmonstar/reqwest/compare/v0.12.8...v0.12.9)

---
updated-dependencies:
- dependency-name: reqwest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -0,0 +1,22 @@
+# Docs: <https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/customizing-dependency-updates>
+
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]
+
+  - package-ecosystem: docker
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]
+
+  - package-ecosystem: cargo
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]

.github/workflows/cargo.yml

@@ -16,13 +16,20 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Build
         run: cargo build --verbose
+
       - name: Run tests
         run: cargo test --verbose
 
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
+
       - name: Run pre-commit hooks
-        uses: pre-commit/action@v2.0.2
+        uses: pre-commit/action@v3.0.1
+        env:
+          SKIP: hadolint
+
+      - name: Run hadolint
+        uses: hadolint/hadolint-action@v3.1.0

.github/workflows/docker.yml

@@ -19,16 +19,13 @@ jobs:
           - dockerfile: Dockerfile
             latest: "auto"
             suffix: ""
-          - dockerfile: Dockerfile.alpine
-            latest: "false"
-            suffix: "-alpine"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
         with:
           images: vividboarder/vaultwarden_ldap
           flavor: |
@@ -42,12 +39,12 @@ jobs:
 
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ${{ matrix.dockerfile }}

.gitignore

@@ -6,4 +6,4 @@
 **/*.rs.bk
 
 # Ignore config while developing
-config.toml
+./config.toml

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.4.0
+    rev: v4.6.0
     hooks:
       - id: check-added-large-files
       - id: check-yaml
@@ -16,7 +16,10 @@ repos:
       - id: cargo-check
       - id: clippy
   - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v2.0.0
+    rev: v3.0.1
     hooks:
       - id: docker-compose-check
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
       - id: hadolint

Cargo.toml

@@ -1,15 +1,17 @@
 [package]
 name = "vaultwarden_ldap"
-version = "0.6.0"
+version = "2.0.2"
 authors = ["ViViDboarder <vividboarder@gmail.com>"]
 edition = "2018"
 
 [dependencies]
-ldap3 = "0.6"
+ldap3 = "0.11"
 serde = { version = "1.0", features = ["derive"] }
-toml = "0.5"
+toml = "0.8"
-reqwest = "0.9"
+reqwest = { version = "0.12", features = ["json", "blocking"] }
 serde_json = "1.0"
 thiserror = "1.0"
 anyhow = "1.0"
 envy = "0.4.1"
+pledge = "0.4.2"
+unveil = "0.3.2"

Dockerfile

@@ -1,7 +1,4 @@
-ARG BUILD_TAG=1.46
+FROM rust:1.82 as builder
-ARG RUN_TAG=$BUILD_TAG
-
-FROM rust:$BUILD_TAG as builder
 
 WORKDIR /usr/src/
 RUN USER=root cargo new --bin vaultwarden_ldap
@@ -12,13 +9,17 @@ COPY Cargo.toml Cargo.lock ./
 RUN cargo build --locked --release
 
 # Remove bins to make sure we rebuild
+# hadolint ignore=DL3059
 RUN rm ./target/release/deps/vaultwarden_ldap*
 # Copy source and install
 COPY src ./src
 RUN cargo build --release
 
-FROM rust:$RUN_TAG
+# Use most recent ubuntu LTS release
-WORKDIR /app
+FROM ubuntu:24.04
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends 'ca-certificates=20240203' 'libssl-dev=3.*' \
+    && rm -rf /var/cache/apt/lists
 COPY --from=builder /usr/src/vaultwarden_ldap/target/release/vaultwarden_ldap /usr/local/bin/
 
 CMD ["/usr/local/bin/vaultwarden_ldap"]

Dockerfile.alpine

@@ -1,21 +0,0 @@
-FROM ekidd/rust-musl-builder:1.46.0 AS builder
-
-WORKDIR /home/rust/src
-
-# Cache build deps
-RUN USER=rust cargo init
-COPY Cargo.toml Cargo.lock ./
-RUN cargo build --locked --release && \
-        rm src/*.rs
-
-COPY --chown=rust:rust ./src ./src
-RUN touch ./src/main.rs && \
-        cargo build --release
-
-FROM alpine:3
-RUN apk --no-cache add ca-certificates=20191127-r5
-COPY --from=builder \
-    /home/rust/src/target/x86_64-unknown-linux-musl/release/vaultwarden_ldap \
-    /usr/local/bin/
-
-CMD ["/usr/local/bin/vaultwarden_ldap"]

Makefile

@@ -34,22 +34,45 @@ test:
 	cargo test
 
 # Run bootstrapped integration test
-.PHONY: itest
+.PHONY: itest-up
-itest:
+itest-up:
-	docker-compose -f docker-compose.yml \
+	docker compose -f docker-compose.yml \
 		-f itest/docker-compose.itest.yml \
-		up --build
+		build
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest.yml \
+		up -d vaultwarden ldap
+
+.PHONY: itest-run
+itest-run:
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest.yml \
+		run ldap_sync
+
+.PHONY: itest-stop
+itest-stop:
+	docker compose stop
+
+.PHONY: itest
+itest: itest-up itest-run itest-stop
 
 # Run bootstrapped integration test using env for config
 .PHONY: itest-env
 itest-env:
-	docker-compose -f docker-compose.yml \
+	docker compose -f docker-compose.yml \
 		-f itest/docker-compose.itest-env.yml \
-		up --build
+		build
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest-env.yml \
+		up -d vaultwarden ldap
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest-env.yml \
+		run ldap_sync
+	docker compose stop
 
 .PHONY: clean-itest
 clean-itest:
-	docker-compose down -v
+	docker compose down -v
 
 # Installs pre-commit hooks
 .PHONY: install-hooks
@@ -71,12 +94,8 @@ clean:
 	rm -f ./target
 
 .PHONY: docker-build-all
-docker-build-all: docker-build docker-build-alpine
+docker-build-all: docker-build
 
 .PHONY: docker-build
 docker-build:
 	docker build -f ./Dockerfile -t $(DOCKER_TAG) .
-
-.PHONY: docker-build-alpine
-docker-build-alpine:
-	docker build -f ./Dockerfile.alpine -t $(DOCKER_TAG):alpine .

README.md

@@ -1,7 +1,7 @@
 # vaultwarden_ldap
-An LDAP connector for [vaultwarden](https://github.com/dani-garcia/vaultwarden)
+LDAP user invites for [vaultwarden](https://github.com/dani-garcia/vaultwarden)
 
-After configuring, run `vaultwarden_ldap` and it will invite any users it finds in LDAP to your `vaultwarden` instance.
+After configuring, run `vaultwarden_ldap` and it will invite any users it finds in LDAP to your `vaultwarden` instance. This is NOT a sync tool like the [Bitwarden Directory Connector](https://bitwarden.com/help/directory-sync/).
 
 ## Deploying
 
@@ -34,6 +34,8 @@ Configuration values are as follows:
 |`ldap_sync_interval_seconds`|Integer|Optional|Number of seconds to wait between each LDAP request. Defaults to `60`|
 |`ldap_sync_loop`|Boolean|Optional|Indicates whether or not syncing should be polled in a loop or done once. Defaults to `true`|
 
+Alternatively, instead of using `config.toml`, all values can be provided using enviroment variables prefixed with `APP_`. For example: `APP_VAULTWARDEN_URL=https://vault.example.com`
+
 ## Development
 
 This repo has a predefined set of [pre-commit](https://pre-commit.com) rules. You can install pre-commit via any means you'd like. Once your system has `pre-commit` installed, you can run `make install-hooks` to ensure the hooks will run with every commit. You can also force running all hooks with `make check`.
@@ -42,7 +44,18 @@ For those less familiar with `cargo`, you can use the `make` targets that have b
 
 ## Testing
 
-All testing is manual right now. First step is to set up Bitwarden and the LDAP server.
+There are no unit tests, but there are integration tests that require manual verification.
+
+### Integration tests
+
+Running `make itest` will spin up an ldap server with a test user, a Vaultwarden server, and then run the sync. If successful the log should show an invitation sent to the test user. If you run `make itest` again, it should show no invites sent because the user already has been invited. If you'd like to reset the testing, `make clean-itest` will clear out the Vaultwarden database and start fresh.
+
+It's also possible to test passing configs via enviornment variables by running `make itest-env`. The validation steps are the same.
+
+
+### Steps for manual testing
+
+The first step is to set up Bitwarden and the LDAP server.
 
 ```bash
 docker-compose up -d vaultwarden ldap ldap_admin
@@ -72,8 +85,3 @@ docker-compose up ldap_sync
 Alternately, you can bootstrap some of this by running:
 
     docker-compose -f docker-compose.yml -f itest/docker-compose.itest.yml up --build
-
-## Future
-
-* Any kind of proper logging
-* Tests

docker-compose.yml

@@ -1,5 +1,4 @@
 ---
-version: '3'
 services:
   ldap_sync:
     build:
@@ -10,7 +9,7 @@ services:
       # ./root.cert:/usr/src/vaultwarden_ldap/root.cert:ro
     environment:
       CONFIG_PATH: /config.toml
-      RUST_BACKTRACE: 1
+      RUST_BACKTRACE: full
     depends_on:
       - vaultwarden
       - ldap
@@ -24,6 +23,7 @@ services:
       ADMIN_TOKEN: admin
       SIGNUPS_ALLOWED: 'false'
       INVITATIONS_ALLOWED: 'true'
+      I_REALLY_WANT_VOLATILE_STORAGE: 'true'
 
   ldap:
     image: osixia/openldap

itest/config.toml

@@ -0,0 +1,8 @@
+vaultwarden_url = "http://vaultwarden:80"
+vaultwarden_admin_token = "admin"
+ldap_host = "ldap"
+ldap_bind_dn = "cn=readonly,dc=example,dc=org"
+ldap_bind_password = "readonly"
+ldap_search_base_dn = "dc=example,dc=org"
+ldap_search_filter = "(&(objectClass=*)(uid=*))"
+ldap_sync_loop = false

itest/docker-compose.itest-env.yml

@@ -1,5 +1,4 @@
 ---
-version: '3'
 services:
   ldap_sync:
     environment:
@@ -11,11 +10,11 @@ services:
       APP_LDAP_BIND_PASSWORD: "admin"
       APP_LDAP_SEARCH_BASE_DN: "dc=example,dc=org"
       APP_LDAP_SEARCH_FILTER: "(&(objectClass=*)(uid=*))"
-      APP_LDAP_SYNC_INTERVAL_SECONDS: 10
+      APP_LDAP_SYNC_LOOP: "false"
 
-  vaultwarden:
+  vaultwarden: {}
 
   ldap:
     command: ["--copy-service"]
     volumes:
-      - ./itest/50-seed-user.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-seed-user.ldif
+      - ./itest/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom

itest/docker-compose.itest.yml

@@ -1,11 +1,12 @@
 ---
-version: '3'
 services:
   ldap_sync:
+    volumes:
+      - ./itest/config.toml:/config.toml:ro
 
-  vaultwarden:
+  vaultwarden: {}
 
   ldap:
     command: ["--copy-service"]
     volumes:
-      - ./itest/50-seed-user.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-seed-user.ldif
+      - ./itest/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom

itest/ldif/50-seed-user.ldif

@@ -1,22 +1,16 @@
-# LDIF Export for cn=Users,dc=example,dc=org
-# Server: ldap (ldap)
-# Search Scope: sub
-# Search Filter: (objectClass=*)
-# Total Entries: 2
-#
 # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on May 4, 2021 6:06 pm
 # Version: 1.2.5
 
 version: 1
 
-# Entry 1: cn=Users,dc=example,dc=org
+# Entry 1: Users group
 dn: cn=Users,dc=example,dc=org
 cn: Users
 gidnumber: 500
 objectclass: posixGroup
 objectclass: top
 
-# Entry 2: cn=Someone,cn=Users,dc=example,dc=org
+# Entry 2: User with email
 dn: cn=Someone,cn=Users,dc=example,dc=org
 cn:  Someone
 gidnumber: 500
@@ -29,7 +23,7 @@ sn: Someone
 uid: someone
 uidnumber: 1000
 
-# Entry 3: cn=SomeoneNoEmail,cn=Users,dc=example,dc=org
+# Entry 3: User with no email
 dn: cn=SomeoneNoEmail,cn=Users,dc=example,dc=org
 cn:  SomeoneNoEmail
 gidnumber: 500
@@ -41,13 +35,15 @@ sn: SomeoneNoEmail
 uid: someonenoemail
 uidnumber: 1001
 
-# Entry 4: cn=SomeoneNoEmailNoUid,cn=Users,dc=example,dc=org
+# Entry 4: User with email containing +
-# dn: cn=SomeoneNoEmailNoUid,cn=Users,dc=example,dc=org
+dn: cn=SomeonePlus,cn=Users,dc=example,dc=org
-# cn:  SomeoneNoEmailNoUid
+cn:  SomeonePlus
-# gidnumber: 500
+gidnumber: 500
-# homedirectory: /home/users/someonenoemailnoUid
+homedirectory: /home/users/someoneplus
-# objectclass: inetOrgPerson
+mail: test+plus@example.com
-# objectclass: posixAccount
+objectclass: inetOrgPerson
-# objectclass: top
+objectclass: posixAccount
-# sn: SomeoneNoEmail
+objectclass: top
-# uidnumber: 1002
+sn: SomeonePlus
+uid: someoneplus
+uidnumber: 1002

src/config.rs

@@ -37,9 +37,9 @@ pub fn read_config_from_file() -> Result<Config, String> {
     let config_path = get_config_path();
 
     let contents = fs::read_to_string(&config_path)
-        .map_err(|_| format!("Failed to open config file at {}", config_path))?;
+        .map_err(|err| format!("Failed to open config file at {}: {}", config_path, err))?;
     let config: Config = toml::from_str(contents.as_str())
-        .map_err(|_| format!("Failed to parse config file at {}", config_path))?;
+        .map_err(|err| format!("Failed to parse config file at {}: {}", config_path, err))?;
 
     println!("Config read from file at {}", config_path);
     Ok(config)

src/main.rs

@@ -1,5 +1,7 @@
 extern crate anyhow;
 extern crate ldap3;
+extern crate pledge;
+extern crate unveil;
 
 use std::collections::HashSet;
 use std::thread::sleep;
@@ -9,6 +11,8 @@ use anyhow::Context as _;
 use anyhow::Error as AnyError;
 use anyhow::Result;
 use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
+use pledge::pledge;
+use unveil::unveil;
 
 mod config;
 mod vw_admin;
@@ -21,6 +25,16 @@ fn main() {
         config.get_vaultwarden_root_cert_file(),
     );
 
+    unveil(config::get_config_path(), "r")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not unveil config file");
+    unveil("", "")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not disable further unveils");
+    pledge("dns flock inet rpath stdio tty", "")
+        .or_else(pledge::Error::ignore_platform)
+        .expect("Could not pledge permissions");
+
     invite_users(&config, &mut client, config.get_ldap_sync_loop())
 }
 
@@ -68,7 +82,7 @@ fn ldap_client(
     let settings = LdapConnSettings::new()
         .set_starttls(starttls)
         .set_no_tls_verify(no_tls_verify);
-    let ldap = LdapConn::with_settings(settings, ldap_url.as_str())
+    let mut ldap = LdapConn::with_settings(settings, ldap_url.as_str())
         .context("Failed to connect to LDAP server")?;
     ldap.simple_bind(bind_dn.as_str(), bind_pw.as_str())
         .context("Could not bind to LDAP server")?;
@@ -78,7 +92,7 @@ fn ldap_client(
 
 /// Retrieves search results from ldap
 fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, AnyError> {
-    let ldap = ldap_client(
+    let mut ldap = ldap_client(
         config.get_ldap_url(),
         config.get_ldap_bind_dn(),
         config.get_ldap_bind_password(),
@@ -90,13 +104,13 @@ fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, AnyError>
     let mail_field = config.get_ldap_mail_field();
     let fields = vec!["uid", "givenname", "sn", "cn", mail_field.as_str()];
 
-    // TODO: Something something error handling
+    // Something something error handling
     let (results, _res) = ldap
         .with_search_options(SearchOptions::new().deref(DerefAliases::Always))
         .search(
-            &config.get_ldap_search_base_dn().as_str(),
+            config.get_ldap_search_base_dn().as_str(),
             Scope::Subtree,
-            &config.get_ldap_search_filter().as_str(),
+            config.get_ldap_search_filter().as_str(),
             fields,
         )
         .context("LDAP search failure")?

src/vw_admin.rs

@@ -2,7 +2,7 @@ extern crate reqwest;
 extern crate serde;
 extern crate thiserror;
 
-use reqwest::Response;
+use reqwest::blocking::Response;
 use serde::Deserialize;
 use std::collections::HashMap;
 use std::fs::File;
@@ -23,9 +23,9 @@ pub enum ResponseError {
 
 #[derive(Debug, Deserialize)]
 pub struct User {
-    #[serde(rename = "Email")]
+    #[serde(alias = "Email")]
     email: String,
-    #[serde(rename = "_Status")]
+    #[serde(rename = "_status", alias = "_Status")]
     status: i32,
 }
 
@@ -72,8 +72,9 @@ impl Client {
         reqwest::Certificate::from_der(&buf).expect("Could not load DER root cert file")
     }
 
-    fn get_http_client(&self) -> reqwest::Client {
+    fn get_http_client(&self) -> reqwest::blocking::Client {
-        let mut client = reqwest::Client::builder().redirect(reqwest::RedirectPolicy::none());
+        let mut client =
+            reqwest::blocking::Client::builder().redirect(reqwest::redirect::Policy::none());
 
         if !&self.root_cert_file.is_empty() {
             let cert = self.get_root_cert();