Aisha Tammy 97a64c7247 add security features on OpenBSD
Signed-off-by: Aisha Tammy <floss@bsd.ac>
2022-05-24 16:30:41 -04:00

195 lines
6.1 KiB
Rust

extern crate anyhow;
extern crate ldap3;
extern crate pledge;
extern crate unveil;
use std::collections::HashSet;
use std::thread::sleep;
use std::time::Duration;
use anyhow::Context as _;
use anyhow::Error as AnyError;
use anyhow::Result;
use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
use pledge::pledge;
use unveil::unveil;
mod config;
mod vw_admin;
fn main() {
let config = config::Config::from_file();
let mut client = vw_admin::Client::new(
config.get_vaultwarden_url(),
config.get_vaultwarden_admin_token(),
config.get_vaultwarden_root_cert_file(),
);
unveil(config::get_config_path(), "r")
.or_else(unveil::Error::ignore_platform)
.expect("Could not unveil config file");
unveil("", "")
.or_else(unveil::Error::ignore_platform)
.expect("Could not disable further unveils");
pledge("dns flock inet rpath stdio tty", "")
.or_else(pledge::Error::ignore_platform)
.expect("Could not pledge permissions");
invite_users(&config, &mut client, config.get_ldap_sync_loop())
}
/// Invites new users to Bitwarden from LDAP
fn invite_users(config: &config::Config, client: &mut vw_admin::Client, start_loop: bool) {
if start_loop {
start_sync_loop(config, client).expect("Failed to start invite sync loop");
} else {
invite_from_ldap(config, client).expect("Failed to invite users");
}
}
/// Creates set of email addresses for users that already exist in Bitwarden
fn get_existing_users(client: &mut vw_admin::Client) -> Result<HashSet<String>, AnyError> {
let all_users = client
.users()
.context("Could not get list of existing users from server")?;
let mut user_emails = HashSet::with_capacity(all_users.len());
for user in all_users {
user_emails.insert(user.get_email().to_lowercase());
if user.is_disabled() {
println!(
"Existing disabled user found with email: {}",
user.get_email()
);
} else {
println!(
"Existing user or invite found with email: {}",
user.get_email()
);
}
}
Ok(user_emails)
}
/// Creates an LDAP connection, authenticating if necessary
fn ldap_client(
ldap_url: String,
bind_dn: String,
bind_pw: String,
no_tls_verify: bool,
starttls: bool,
) -> Result<LdapConn, AnyError> {
let settings = LdapConnSettings::new()
.set_starttls(starttls)
.set_no_tls_verify(no_tls_verify);
let mut ldap = LdapConn::with_settings(settings, ldap_url.as_str())
.context("Failed to connect to LDAP server")?;
ldap.simple_bind(bind_dn.as_str(), bind_pw.as_str())
.context("Could not bind to LDAP server")?;
Ok(ldap)
}
/// Retrieves search results from ldap
fn search_entries(config: &config::Config) -> Result<Vec<SearchEntry>, AnyError> {
let mut ldap = ldap_client(
config.get_ldap_url(),
config.get_ldap_bind_dn(),
config.get_ldap_bind_password(),
config.get_ldap_no_tls_verify(),
config.get_ldap_starttls(),
)
.context("LDAP client initialization failed")?;
let mail_field = config.get_ldap_mail_field();
let fields = vec!["uid", "givenname", "sn", "cn", mail_field.as_str()];
// Something something error handling
let (results, _res) = ldap
.with_search_options(SearchOptions::new().deref(DerefAliases::Always))
.search(
config.get_ldap_search_base_dn().as_str(),
Scope::Subtree,
config.get_ldap_search_filter().as_str(),
fields,
)
.context("LDAP search failure")?
.success()
.context("LDAP search usucessful")?;
// Build list of entries
let mut entries = Vec::new();
for result in results {
entries.push(SearchEntry::construct(result));
}
Ok(entries)
}
/// Invite all LDAP users to Bitwarden
fn invite_from_ldap(
config: &config::Config,
client: &mut vw_admin::Client,
) -> Result<(), AnyError> {
let existing_users =
get_existing_users(client).context("Failed to get existing users from server")?;
let mail_field = config.get_ldap_mail_field();
let mut num_users = 0;
for ldap_user in search_entries(config)? {
//
// Safely get first email from list of emails in field
if let Some(user_email) = ldap_user
.attrs
.get(mail_field.as_str())
.and_then(|l| (l.first()))
{
if existing_users.contains(&user_email.to_lowercase()) {
println!("User with email already exists: {}", user_email);
} else {
println!("Try to invite user: {}", user_email);
client
.invite(user_email)
.context(format!("Failed to invite user {}", user_email))?;
num_users += 1;
}
} else {
match ldap_user.attrs.get("uid").and_then(|l| l.first()) {
Some(user_uid) => println!(
"Warning: Email field, {:?}, not found on user {}",
mail_field, user_uid
),
None => println!("Warning: Email field, {:?}, not found on user", mail_field),
}
}
}
// Maybe think about returning this value for some other use
println!("Sent invites to {} user(s).", num_users);
Ok(())
}
/// Begin sync loop to invite LDAP users to Bitwarden
fn start_sync_loop(config: &config::Config, client: &mut vw_admin::Client) -> Result<(), AnyError> {
let interval = Duration::from_secs(config.get_ldap_sync_interval_seconds());
let mut fail_count = 0;
let fail_limit = 5;
loop {
if let Err(err) = invite_from_ldap(config, client) {
println!(
"Error inviting users from ldap. Count {}: {:?}",
fail_count, err
);
fail_count += 1;
if fail_count > fail_limit {
return Err(err);
}
} else {
fail_count = 0
}
sleep(interval);
}
}