Fixed docker build and implemented automatic creation of JWT signing keys on platforms with OpenSSL (it needs to be on the PATH)
parent
7a3308200a
commit
d5486670d8
|
@ -9,13 +9,9 @@ data
|
||||||
.idea
|
.idea
|
||||||
*.iml
|
*.iml
|
||||||
|
|
||||||
# Git and Docker files
|
# Git files
|
||||||
.git
|
.git
|
||||||
.gitignore
|
.gitignore
|
||||||
.gitmodules
|
|
||||||
Dockerfile
|
|
||||||
docker-compose.yml
|
|
||||||
.dockerignore
|
|
||||||
|
|
||||||
# Documentation
|
# Documentation
|
||||||
*.md
|
*.md
|
||||||
|
|
|
@ -10,19 +10,17 @@ FROM rustlang/rust:nightly as build
|
||||||
RUN apt-get update && \
|
RUN apt-get update && \
|
||||||
apt-get install -y sqlite3
|
apt-get install -y sqlite3
|
||||||
|
|
||||||
# Install the diesel_cli tool, to manage migrations
|
|
||||||
# RUN cargo install diesel_cli --no-default-features --features sqlite
|
|
||||||
|
|
||||||
# Creates a dummy project used to grab dependencies
|
# Creates a dummy project used to grab dependencies
|
||||||
RUN USER=root cargo new --bin app
|
RUN USER=root cargo new --bin app
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Copies over *only* your manifests and vendored dependencies
|
# Copies over *only* your manifests and vendored dependencies
|
||||||
COPY ./Cargo.* ./
|
COPY ./Cargo.* ./
|
||||||
COPY ./_libs ./_libs
|
COPY ./libs ./libs
|
||||||
|
|
||||||
# Builds your dependencies and removes the
|
# Builds your dependencies and removes the
|
||||||
# dummy project, except the target folder
|
# dummy project, except the target folder
|
||||||
|
# This folder contains the compiled dependencies
|
||||||
RUN cargo build --release
|
RUN cargo build --release
|
||||||
RUN find . -not -path "./target*" -delete
|
RUN find . -not -path "./target*" -delete
|
||||||
|
|
||||||
|
|
42
README.md
42
README.md
|
@ -6,12 +6,26 @@ docker build -t dani/bitwarden_rs .
|
||||||
|
|
||||||
# Run the docker image with a docker volume:
|
# Run the docker image with a docker volume:
|
||||||
docker volume create bw_data
|
docker volume create bw_data
|
||||||
docker run --name bitwarden_rs -it --init --rm --mount source=bw_data,target=/data -p 8000:80 dani/bitwarden_rs
|
docker run --name bitwarden_rs -t --init --rm --mount source=bw_data,target=/data -p 8000:80 dani/bitwarden_rs
|
||||||
|
|
||||||
# OR, Run the docker image with a host bind, where <absolute_path> is the absolute path to a folder in the host:
|
|
||||||
docker run --name bitwarden_rs -it --init --rm --mount type=bind,source=<absolute_path>,target=/data -p 8000:80 dani/bitwarden_rs
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Other possible Docker options
|
||||||
|
|
||||||
|
To run the container in the background, add the `-d` parameter.
|
||||||
|
|
||||||
|
To check the logs when in background, run `docker logs bitwarden_rs`
|
||||||
|
|
||||||
|
To stop the container in background, run `docker stop bitwarden_rs`
|
||||||
|
|
||||||
|
To make sure the container is restarted automatically, add the `--restart unless-stopped` parameter
|
||||||
|
|
||||||
|
To run the image with a host bind, change the `--mount` parameter to:
|
||||||
|
```
|
||||||
|
--mount type=bind,source=<absolute_path>,target=/data
|
||||||
|
```
|
||||||
|
Where <absolute_path> is an absolute path in the hosts file system (e.g. C:\bitwarden\data)
|
||||||
|
|
||||||
|
|
||||||
## How to compile bitwarden_rs
|
## How to compile bitwarden_rs
|
||||||
Install `rust nightly`, in Windows the recommended way is through `rustup`.
|
Install `rust nightly`, in Windows the recommended way is through `rustup`.
|
||||||
|
|
||||||
|
@ -27,6 +41,7 @@ cargo build
|
||||||
|
|
||||||
## How to update the web-vault used
|
## How to update the web-vault used
|
||||||
Install `node.js` and either `yarn` or `npm` (usually included with node)
|
Install `node.js` and either `yarn` or `npm` (usually included with node)
|
||||||
|
|
||||||
Clone the web-vault outside the project:
|
Clone the web-vault outside the project:
|
||||||
```
|
```
|
||||||
git clone https://github.com/bitwarden/web.git web-vault
|
git clone https://github.com/bitwarden/web.git web-vault
|
||||||
|
@ -58,22 +73,6 @@ npx gulp dist:selfHosted
|
||||||
|
|
||||||
Finally copy the contents of the `web-vault/dist` folder into the `bitwarden_rs/web-vault` folder.
|
Finally copy the contents of the `web-vault/dist` folder into the `bitwarden_rs/web-vault` folder.
|
||||||
|
|
||||||
## How to create the RSA signing key for JWT
|
|
||||||
Generate the RSA key:
|
|
||||||
```
|
|
||||||
openssl genrsa -out data/private_rsa_key.pem
|
|
||||||
```
|
|
||||||
|
|
||||||
Convert the generated key to .DER:
|
|
||||||
```
|
|
||||||
openssl rsa -in data/private_rsa_key.pem -outform DER -out data/private_rsa_key.der
|
|
||||||
```
|
|
||||||
|
|
||||||
And generate the public key:
|
|
||||||
```
|
|
||||||
openssl rsa -in data/private_rsa_key.der -inform DER -RSAPublicKey_out -outform DER -out data/public_rsa_key.der
|
|
||||||
```
|
|
||||||
|
|
||||||
## How to recreate database schemas
|
## How to recreate database schemas
|
||||||
Install diesel-cli with cargo:
|
Install diesel-cli with cargo:
|
||||||
```
|
```
|
||||||
|
@ -87,8 +86,7 @@ If you want to modify the schemas, create a new migration with:
|
||||||
diesel migration generate <name>
|
diesel migration generate <name>
|
||||||
```
|
```
|
||||||
|
|
||||||
Modify the *.sql files, making sure that any changes are reverted
|
Modify the *.sql files, making sure that any changes are reverted in the down.sql file.
|
||||||
in the down.sql file.
|
|
||||||
|
|
||||||
Apply the migrations and save the generated schemas as follows:
|
Apply the migrations and save the generated schemas as follows:
|
||||||
```
|
```
|
||||||
|
|
77
src/main.rs
77
src/main.rs
|
@ -67,17 +67,57 @@ fn main() {
|
||||||
let connection = db::get_connection().expect("Can't conect to DB");
|
let connection = db::get_connection().expect("Can't conect to DB");
|
||||||
embedded_migrations::run_with_output(&connection, &mut io::stdout()).expect("Can't run migrations");
|
embedded_migrations::run_with_output(&connection, &mut io::stdout()).expect("Can't run migrations");
|
||||||
|
|
||||||
// Validate location of rsa keys
|
check_rsa_keys();
|
||||||
if !util::file_exists(&CONFIG.private_rsa_key) {
|
|
||||||
panic!("private_rsa_key doesn't exist");
|
|
||||||
}
|
|
||||||
if !util::file_exists(&CONFIG.public_rsa_key) {
|
|
||||||
panic!("public_rsa_key doesn't exist");
|
|
||||||
}
|
|
||||||
|
|
||||||
init_rocket().launch();
|
init_rocket().launch();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn check_rsa_keys() {
|
||||||
|
// If the RSA keys don't exist, try to create them
|
||||||
|
if !util::file_exists(&CONFIG.private_rsa_key)
|
||||||
|
|| !util::file_exists(&CONFIG.public_rsa_key) {
|
||||||
|
println!("JWT keys don't exist, checking if OpenSSL is available...");
|
||||||
|
use std::process::{exit, Command};
|
||||||
|
|
||||||
|
Command::new("openssl")
|
||||||
|
.arg("version")
|
||||||
|
.output().unwrap_or_else(|_| {
|
||||||
|
println!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
|
||||||
|
exit(1);
|
||||||
|
});
|
||||||
|
|
||||||
|
println!("OpenSSL detected, creating keys...");
|
||||||
|
|
||||||
|
let mut success = Command::new("openssl").arg("genrsa")
|
||||||
|
.arg("-out").arg(&CONFIG.private_rsa_key_pem)
|
||||||
|
.output().expect("Failed to create private pem file")
|
||||||
|
.status.success();
|
||||||
|
|
||||||
|
success &= Command::new("openssl").arg("rsa")
|
||||||
|
.arg("-in").arg(&CONFIG.private_rsa_key_pem)
|
||||||
|
.arg("-outform").arg("DER")
|
||||||
|
.arg("-out").arg(&CONFIG.private_rsa_key)
|
||||||
|
.output().expect("Failed to create private der file")
|
||||||
|
.status.success();
|
||||||
|
|
||||||
|
success &= Command::new("openssl").arg("rsa")
|
||||||
|
.arg("-in").arg(&CONFIG.private_rsa_key)
|
||||||
|
.arg("-inform").arg("DER")
|
||||||
|
.arg("-RSAPublicKey_out")
|
||||||
|
.arg("-outform").arg("DER")
|
||||||
|
.arg("-out").arg(&CONFIG.public_rsa_key)
|
||||||
|
.output().expect("Failed to create public der file")
|
||||||
|
.status.success();
|
||||||
|
|
||||||
|
if success {
|
||||||
|
println!("Keys created correcty.");
|
||||||
|
} else {
|
||||||
|
println!("Error creating keys, exiting...");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
lazy_static! {
|
lazy_static! {
|
||||||
// Load the config from .env or from environment variables
|
// Load the config from .env or from environment variables
|
||||||
static ref CONFIG: Config = Config::load();
|
static ref CONFIG: Config = Config::load();
|
||||||
|
@ -86,10 +126,13 @@ lazy_static! {
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
pub struct Config {
|
pub struct Config {
|
||||||
database_url: String,
|
database_url: String,
|
||||||
private_rsa_key: String,
|
|
||||||
public_rsa_key: String,
|
|
||||||
icon_cache_folder: String,
|
icon_cache_folder: String,
|
||||||
attachments_folder: String,
|
attachments_folder: String,
|
||||||
|
|
||||||
|
private_rsa_key: String,
|
||||||
|
private_rsa_key_pem: String,
|
||||||
|
public_rsa_key: String,
|
||||||
|
|
||||||
web_vault_folder: String,
|
web_vault_folder: String,
|
||||||
|
|
||||||
signups_allowed: bool,
|
signups_allowed: bool,
|
||||||
|
@ -100,12 +143,18 @@ impl Config {
|
||||||
fn load() -> Self {
|
fn load() -> Self {
|
||||||
dotenv::dotenv().ok();
|
dotenv::dotenv().ok();
|
||||||
|
|
||||||
|
let df = env::var("DATA_FOLDER").unwrap_or("data".into());
|
||||||
|
let key = env::var("RSA_KEY_NAME").unwrap_or("rsa_key".into());
|
||||||
|
|
||||||
Config {
|
Config {
|
||||||
database_url: env::var("DATABASE_URL").unwrap_or("data/db.sqlite3".into()),
|
database_url: env::var("DATABASE_URL").unwrap_or(format!("{}/{}", &df, "db.sqlite3")),
|
||||||
private_rsa_key: env::var("PRIVATE_RSA_KEY").unwrap_or("data/private_rsa_key.der".into()),
|
icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or(format!("{}/{}", &df, "icon_cache")),
|
||||||
public_rsa_key: env::var("PUBLIC_RSA_KEY").unwrap_or("data/public_rsa_key.der".into()),
|
attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or(format!("{}/{}", &df, "attachments")),
|
||||||
icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or("data/icon_cache".into()),
|
|
||||||
attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or("data/attachments".into()),
|
private_rsa_key: format!("{}/{}.der", &df, &key),
|
||||||
|
private_rsa_key_pem: format!("{}/{}.pem", &df, &key),
|
||||||
|
public_rsa_key: format!("{}/{}.pub.der", &df, &key),
|
||||||
|
|
||||||
web_vault_folder: env::var("WEB_VAULT_FOLDER").unwrap_or("web-vault/".into()),
|
web_vault_folder: env::var("WEB_VAULT_FOLDER").unwrap_or("web-vault/".into()),
|
||||||
|
|
||||||
signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(false),
|
signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(false),
|
||||||
|
|
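Review bot: `Command::new("openssl").arg("genrsa")` in check_rsa_keys passes no modulus length, so the JWT signing key is whatever the installed OpenSSL defaults to (1024 bits on 1.0.x, 2048 on 1.1 and later); pin it explicitly, `.arg("-out").arg(&CONFIG.private_rsa_key_pem).arg("4096")`, since the key protects every session token the server issues. The `success &=` chain keeps running the two `openssl rsa` conversions after a failed `genrsa`, and on failure the process exits with whatever `.pem`/`.der` files were partially written still in the data folder, which the `file_exists` check on the next start may then treat as valid keys; returning early on the first failure, or removing the outputs before `exit(1)`, avoids that. The PEM copy of the private key is kept beside the DER one after conversion and the permissions of all three files are left to OpenSSL's defaults and the process umask, which is presumably fine inside the container but deserves a comment on `private_rsa_key_pem` in Config stating that it is only an intermediate of the conversion. Also, `Keys created correcty.` is misspelled (`correctly`).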