Bump reqwest from 0.12.8 to 0.12.9

Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.8 to 0.12.9. - [Release notes](https://github.com/seanmonstar/reqwest/releases) - [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md) - [Commits](https://github.com/seanmonstar/reqwest/compare/v0.12.8...v0.12.9) --- updated-dependencies: - dependency-name: reqwest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bump serde_json from 1.0.128 to 1.0.132
2024-11-16 00:06:27 +00:00 · 2024-11-01 10:39:12 -07:00 · 2024-11-01 10:39:04 -07:00 · 2024-11-01 10:38:54 -07:00 · 2024-11-01 10:37:59 -07:00 · 2024-11-01 10:37:44 -07:00
19 changed files with 1074 additions and 1272 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,22 @@
+# Docs: <https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/customizing-dependency-updates>
+
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]
+
+  - package-ecosystem: docker
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]
+
+  - package-ecosystem: cargo
+    directory: /
+    schedule: {interval: monthly}
+    reviewers: [ViViDboarder]
+    assignees: [ViViDboarder]
--- a/.github/workflows/cargo.yml
+++ b/.github/workflows/cargo.yml
@ -16,13 +16,20 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4

      - name: Build
        run: cargo build --verbose
+
      - name: Run tests
        run: cargo test --verbose

-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
+
      - name: Run pre-commit hooks
-        uses: pre-commit/action@v2.0.2
+        uses: pre-commit/action@v3.0.1
+        env:
+          SKIP: hadolint
+
+      - name: Run hadolint
+        uses: hadolint/hadolint-action@v3.1.0
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -19,16 +19,13 @@ jobs:
          - dockerfile: Dockerfile
            latest: "auto"
            suffix: ""
-          - dockerfile: Dockerfile.alpine
-            latest: "false"
-            suffix: "-alpine"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
        with:
          images: vividboarder/vaultwarden_ldap
          flavor: |
@ -42,12 +39,12 @@ jobs:

      - name: Login to DockerHub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ matrix.dockerfile }}
--- a/.gitignore
+++ b/.gitignore
@ -6,4 +6,4 @@
 **/*.rs.bk

 # Ignore config while developing
-config.toml
+./config.toml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,7 +1,7 @@
 ---
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.4.0
+    rev: v4.6.0
    hooks:
      - id: check-added-large-files
      - id: check-yaml
@ -16,7 +16,10 @@ repos:
      - id: cargo-check
      - id: clippy
  - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v2.0.0
+    rev: v3.0.1
    hooks:
      - id: docker-compose-check
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
      - id: hadolint
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,15 +1,17 @@
 [package]
 name = "vaultwarden_ldap"
-version = "0.6.0"
+version = "2.0.2"
 authors = ["ViViDboarder <vividboarder@gmail.com>"]
 edition = "2018"

 [dependencies]
-ldap3 = "0.6"
+ldap3 = "0.11"
 serde = { version = "1.0", features = ["derive"] }
-toml = "0.5"
-reqwest = "0.9"
+toml = "0.8"
+reqwest = { version = "0.12", features = ["json", "blocking"] }
 serde_json = "1.0"
 thiserror = "1.0"
 anyhow = "1.0"
 envy = "0.4.1"
+pledge = "0.4.2"
+unveil = "0.3.2"
--- a/13
+++ b/13
@ -1,7 +1,4 @@
-ARG BUILD_TAG=1.46
-ARG RUN_TAG=$BUILD_TAG
-
-FROM rust:$BUILD_TAG as builder
+FROM rust:1.82 as builder

 WORKDIR /usr/src/
 RUN USER=root cargo new --bin vaultwarden_ldap
@ -12,13 +9,17 @@ COPY Cargo.toml Cargo.lock ./
 RUN cargo build --locked --release

 # Remove bins to make sure we rebuild
+# hadolint ignore=DL3059
 RUN rm ./target/release/deps/vaultwarden_ldap*
 # Copy source and install
 COPY src ./src
 RUN cargo build --release

-FROM rust:$RUN_TAG
-WORKDIR /app
+# Use most recent ubuntu LTS release
+FROM ubuntu:24.04
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends 'ca-certificates=20240203' 'libssl-dev=3.*' \
+    && rm -rf /var/cache/apt/lists
 COPY --from=builder /usr/src/vaultwarden_ldap/target/release/vaultwarden_ldap /usr/local/bin/

 CMD ["/usr/local/bin/vaultwarden_ldap"]
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@ -1,21 +0,0 @@
-FROM ekidd/rust-musl-builder:1.46.0 AS builder
-
-WORKDIR /home/rust/src
-
-# Cache build deps
-RUN USER=rust cargo init
-COPY Cargo.toml Cargo.lock ./
-RUN cargo build --locked --release && \
-        rm src/*.rs
-
-COPY --chown=rust:rust ./src ./src
-RUN touch ./src/main.rs && \
-        cargo build --release
-
-FROM alpine:3
-RUN apk --no-cache add ca-certificates=20191127-r5
-COPY --from=builder \
-    /home/rust/src/target/x86_64-unknown-linux-musl/release/vaultwarden_ldap \
-    /usr/local/bin/
-
-CMD ["/usr/local/bin/vaultwarden_ldap"]
--- a/43
+++ b/43
@ -34,22 +34,45 @@ test:
 	cargo test

 # Run bootstrapped integration test
-.PHONY: itest
-itest:
-	docker-compose -f docker-compose.yml \
+.PHONY: itest-up
+itest-up:
+	docker compose -f docker-compose.yml \
 		-f itest/docker-compose.itest.yml \
-		up --build
+		build
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest.yml \
+		up -d vaultwarden ldap
+
+.PHONY: itest-run
+itest-run:
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest.yml \
+		run ldap_sync
+
+.PHONY: itest-stop
+itest-stop:
+	docker compose stop
+
+.PHONY: itest
+itest: itest-up itest-run itest-stop

 # Run bootstrapped integration test using env for config
 .PHONY: itest-env
 itest-env:
-	docker-compose -f docker-compose.yml \
+	docker compose -f docker-compose.yml \
 		-f itest/docker-compose.itest-env.yml \
-		up --build
+		build
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest-env.yml \
+		up -d vaultwarden ldap
+	docker compose -f docker-compose.yml \
+		-f itest/docker-compose.itest-env.yml \
+		run ldap_sync
+	docker compose stop

 .PHONY: clean-itest
 clean-itest:
-	docker-compose down -v
+	docker compose down -v

 # Installs pre-commit hooks
 .PHONY: install-hooks
@ -71,12 +94,8 @@ clean:
 	rm -f ./target

 .PHONY: docker-build-all
-docker-build-all: docker-build docker-build-alpine
+docker-build-all: docker-build

 .PHONY: docker-build
 docker-build:
 	docker build -f ./Dockerfile -t $(DOCKER_TAG) .
-
-.PHONY: docker-build-alpine
-docker-build-alpine:
-	docker build -f ./Dockerfile.alpine -t $(DOCKER_TAG):alpine .
--- a/README.md
+++ b/README.md
@ -1,7 +1,7 @@
 # vaultwarden_ldap
-An LDAP connector for [vaultwarden](https://github.com/dani-garcia/vaultwarden)
+LDAP user invites for [vaultwarden](https://github.com/dani-garcia/vaultwarden)

-After configuring, run `vaultwarden_ldap` and it will invite any users it finds in LDAP to your `vaultwarden` instance.
+After configuring, run `vaultwarden_ldap` and it will invite any users it finds in LDAP to your `vaultwarden` instance. This is NOT a sync tool like the [Bitwarden Directory Connector](https://bitwarden.com/help/directory-sync/).

 ## Deploying

@ -34,6 +34,8 @@ Configuration values are as follows:
 |`ldap_sync_interval_seconds`|Integer|Optional|Number of seconds to wait between each LDAP request. Defaults to `60`|
 |`ldap_sync_loop`|Boolean|Optional|Indicates whether or not syncing should be polled in a loop or done once. Defaults to `true`|

+Alternatively, instead of using `config.toml`, all values can be provided using enviroment variables prefixed with `APP_`. For example: `APP_VAULTWARDEN_URL=https://vault.example.com`
+
 ## Development

 This repo has a predefined set of [pre-commit](https://pre-commit.com) rules. You can install pre-commit via any means you'd like. Once your system has `pre-commit` installed, you can run `make install-hooks` to ensure the hooks will run with every commit. You can also force running all hooks with `make check`.
@ -42,7 +44,18 @@ For those less familiar with `cargo`, you can use the `make` targets that have b

 ## Testing

-All testing is manual right now. First step is to set up Bitwarden and the LDAP server.
+There are no unit tests, but there are integration tests that require manual verification.
+
+### Integration tests
+
+Running `make itest` will spin up an ldap server with a test user, a Vaultwarden server, and then run the sync. If successful the log should show an invitation sent to the test user. If you run `make itest` again, it should show no invites sent because the user already has been invited. If you'd like to reset the testing, `make clean-itest` will clear out the Vaultwarden database and start fresh.
+
+It's also possible to test passing configs via enviornment variables by running `make itest-env`. The validation steps are the same.
+
+
+### Steps for manual testing
+
+The first step is to set up Bitwarden and the LDAP server.

 ```bash
 docker-compose up -d vaultwarden ldap ldap_admin
@ -72,8 +85,3 @@ docker-compose up ldap_sync
 Alternately, you can bootstrap some of this by running:

    docker-compose -f docker-compose.yml -f itest/docker-compose.itest.yml up --build
-
-## Future
-
-* Any kind of proper logging
-* Tests
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,5 +1,4 @@
 ---
-version: '3'
 services:
  ldap_sync:
    build:
@ -10,7 +9,7 @@ services:
      # ./root.cert:/usr/src/vaultwarden_ldap/root.cert:ro
    environment:
      CONFIG_PATH: /config.toml
-      RUST_BACKTRACE: 1
+      RUST_BACKTRACE: full
    depends_on:
      - vaultwarden
      - ldap
@ -24,6 +23,7 @@ services:
      ADMIN_TOKEN: admin
      SIGNUPS_ALLOWED: 'false'
      INVITATIONS_ALLOWED: 'true'
+      I_REALLY_WANT_VOLATILE_STORAGE: 'true'

  ldap:
    image: osixia/openldap
--- a/itest/config.toml
+++ b/itest/config.toml
@ -0,0 +1,8 @@
+vaultwarden_url = "http://vaultwarden:80"
+vaultwarden_admin_token = "admin"
+ldap_host = "ldap"
+ldap_bind_dn = "cn=readonly,dc=example,dc=org"
+ldap_bind_password = "readonly"
+ldap_search_base_dn = "dc=example,dc=org"
+ldap_search_filter = "(&(objectClass=*)(uid=*))"
+ldap_sync_loop = false
--- a/itest/docker-compose.itest-env.yml
+++ b/itest/docker-compose.itest-env.yml
@ -1,5 +1,4 @@
 ---
-version: '3'
 services:
  ldap_sync:
    environment:
@ -11,11 +10,11 @@ services:
      APP_LDAP_BIND_PASSWORD: "admin"
      APP_LDAP_SEARCH_BASE_DN: "dc=example,dc=org"
      APP_LDAP_SEARCH_FILTER: "(&(objectClass=*)(uid=*))"
-      APP_LDAP_SYNC_INTERVAL_SECONDS: 10
+      APP_LDAP_SYNC_LOOP: "false"

-  vaultwarden:
+  vaultwarden: {}

  ldap:
    command: ["--copy-service"]
    volumes:
-      - ./itest/50-seed-user.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-seed-user.ldif
+      - ./itest/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
--- a/itest/docker-compose.itest.yml
+++ b/itest/docker-compose.itest.yml
@ -1,11 +1,12 @@
 ---
-version: '3'
 services:
  ldap_sync:
+    volumes:
+      - ./itest/config.toml:/config.toml:ro

-  vaultwarden:
+  vaultwarden: {}

  ldap:
    command: ["--copy-service"]
    volumes:
-      - ./itest/50-seed-user.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-seed-user.ldif
+      - ./itest/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
--- a/itest/ldif/50-seed-user.ldif
+++ b/itest/ldif/50-seed-user.ldif
@ -1,22 +1,16 @@
-# LDIF Export for cn=Users,dc=example,dc=org
-# Server: ldap (ldap)
-# Search Scope: sub
-# Search Filter: (objectClass=*)
-# Total Entries: 2
-#
 # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on May 4, 2021 6:06 pm
 # Version: 1.2.5

 version: 1

-# Entry 1: cn=Users,dc=example,dc=org
+# Entry 1: Users group
 dn: cn=Users,dc=example,dc=org
 cn: Users
 gidnumber: 500
 objectclass: posixGroup
 objectclass: top

-# Entry 2: cn=Someone,cn=Users,dc=example,dc=org
+# Entry 2: User with email
 dn: cn=Someone,cn=Users,dc=example,dc=org
 cn:  Someone
 gidnumber: 500
@ -29,7 +23,7 @@ sn: Someone
 uid: someone
 uidnumber: 1000

-# Entry 3: cn=SomeoneNoEmail,cn=Users,dc=example,dc=org
+# Entry 3: User with no email
 dn: cn=SomeoneNoEmail,cn=Users,dc=example,dc=org
 cn:  SomeoneNoEmail
 gidnumber: 500
@ -41,13 +35,15 @@ sn: SomeoneNoEmail
 uid: someonenoemail
 uidnumber: 1001

-# Entry 4: cn=SomeoneNoEmailNoUid,cn=Users,dc=example,dc=org
-# dn: cn=SomeoneNoEmailNoUid,cn=Users,dc=example,dc=org
-# cn:  SomeoneNoEmailNoUid
-# gidnumber: 500
-# homedirectory: /home/users/someonenoemailnoUid
-# objectclass: inetOrgPerson
-# objectclass: posixAccount
-# objectclass: top
-# sn: SomeoneNoEmail
-# uidnumber: 1002
+# Entry 4: User with email containing +
+dn: cn=SomeonePlus,cn=Users,dc=example,dc=org
+cn:  SomeonePlus
+gidnumber: 500
+homedirectory: /home/users/someoneplus
+mail: test+plus@example.com
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: SomeonePlus
+uid: someoneplus
+uidnumber: 1002
--- a/src/config.rs
+++ b/src/config.rs
@ -37,9 +37,9 @@ pub fn read_config_from_file() -> Result<Config, String> {
    let config_path = get_config_path();

    let contents = fs::read_to_string(&config_path)
-        .map_err(|_| format!("Failed to open config file at {}", config_path))?;
+        .map_err(|err| format!("Failed to open config file at {}: {}", config_path, err))?;
    let config: Config = toml::from_str(contents.as_str())
-        .map_err(|_| format!("Failed to parse config file at {}", config_path))?;
+        .map_err(|err| format!("Failed to parse config file at {}: {}", config_path, err))?;

    println!("Config read from file at {}", config_path);
    Ok(config)
--- a/src/main.rs
+++ b/src/main.rs
@ -1,5 +1,7 @@
 extern crate anyhow;
 extern crate ldap3;
+extern crate pledge;
+extern crate unveil;

 use std::collections::HashSet;
 use std::thread::sleep;
@ -9,6 +11,8 @@ use anyhow::Context as _;
 use anyhow::Error as AnyError;
 use anyhow::Result;
 use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
+use pledge::pledge;
+use unveil::unveil;

 mod config;
 mod vw_admin;
@ -21,6 +25,16 @@ fn main() {
        config.get_vaultwarden_root_cert_file(),
    );

+    unveil(config::get_config_path(), "r")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not unveil config file");
+    unveil("", "")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not disable further unveils");
+    pledge("dns flock inet rpath stdio tty", "")
+        .or_else(pledge::Error::ignore_platform)
+        .expect("Could not pledge permissions");
+
    invite_users(&config, &mut client, config.get_ldap_sync_loop())
 }

@ -68,7 +82,7 @@ fn ldap_client(
    let settings = LdapConnSettings::new()
        .set_starttls(starttls)
        .set_no_tls_verify(no_tls_verify);
-    let ldap = LdapConn::with_settings(settings, ldap_url.as_str())
+    let mut ldap = LdapConn::with_settings(settings, ldap_url.as_str())
        .context("Failed to connect to LDAP server")?;
    ldap.simple_bind(bind_dn.as_str(), bind_pw.as_str())
        .context("Could not bind to LDAP server")?;
@ -78,7 +92,7 @@ fn ldap_client(

 /// Retrieves search results from ldap
 fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, AnyError> {
-    let ldap = ldap_client(
+    let mut ldap = ldap_client(
        config.get_ldap_url(),
        config.get_ldap_bind_dn(),
        config.get_ldap_bind_password(),
@ -90,13 +104,13 @@ fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, AnyError>
    let mail_field = config.get_ldap_mail_field();
    let fields = vec!["uid", "givenname", "sn", "cn", mail_field.as_str()];

-    // TODO: Something something error handling
+    // Something something error handling
    let (results, _res) = ldap
        .with_search_options(SearchOptions::new().deref(DerefAliases::Always))
        .search(
-            &config.get_ldap_search_base_dn().as_str(),
+            config.get_ldap_search_base_dn().as_str(),
            Scope::Subtree,
-            &config.get_ldap_search_filter().as_str(),
+            config.get_ldap_search_filter().as_str(),
            fields,
        )
        .context("LDAP search failure")?
--- a/src/vw_admin.rs
+++ b/src/vw_admin.rs
@ -2,7 +2,7 @@ extern crate reqwest;
 extern crate serde;
 extern crate thiserror;

-use reqwest::Response;
+use reqwest::blocking::Response;
 use serde::Deserialize;
 use std::collections::HashMap;
 use std::fs::File;
@ -23,9 +23,9 @@ pub enum ResponseError {

 #[derive(Debug, Deserialize)]
 pub struct User {
-    #[serde(rename = "Email")]
+    #[serde(alias = "Email")]
    email: String,
-    #[serde(rename = "_Status")]
+    #[serde(rename = "_status", alias = "_Status")]
    status: i32,
 }

@ -72,8 +72,9 @@ impl Client {
        reqwest::Certificate::from_der(&buf).expect("Could not load DER root cert file")
    }

-    fn get_http_client(&self) -> reqwest::Client {
-        let mut client = reqwest::Client::builder().redirect(reqwest::RedirectPolicy::none());
+    fn get_http_client(&self) -> reqwest::blocking::Client {
+        let mut client =
+            reqwest::blocking::Client::builder().redirect(reqwest::redirect::Policy::none());

        if !&self.root_cert_file.is_empty() {
            let cert = self.get_root_cert();