From 3a22f91ff5d444485e80d55b8073d8f653035a16 Mon Sep 17 00:00:00 2001
From: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com>
Date: Tue, 16 Nov 2021 09:52:02 -0800
Subject: [PATCH] Enable key connector selfhost (#1707)
* initial commit
* Add code for Key Connector feature
* Add help URL to config
* Fix folders for key-connector service
* Fix paths for key-connector
* fixing the env file builder when disabling the key connector
* swapping a variable name
Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
---
 util/Setup/CertBuilder.cs | 14 ++++++++++++++
 util/Setup/Configuration.cs | 3 +++
 util/Setup/DockerComposeBuilder.cs | 2 ++
 util/Setup/EnvironmentFileBuilder.cs | 24 ++++++++++++++++++++++++
 util/Setup/NginxConfigBuilder.cs | 2 ++
 util/Setup/Program.cs | 3 +++
 util/Setup/Templates/DockerCompose.hbs | 16 ++++++++++++++++
 util/Setup/Templates/NginxConfig.hbs | 6 ++++++
 8 files changed, 70 insertions(+)
diff --git a/util/Setup/CertBuilder.cs b/util/Setup/CertBuilder.cs
index 415b591480..143840e01a 100644
--- a/util/Setup/CertBuilder.cs
+++ b/util/Setup/CertBuilder.cs
@@ -97,5 +97,19 @@ namespace Bit.Setup
 Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
 }
 }
+
+ public void BuildForUpdater()
+ {
+ if (_context.Config.EnableKeyConnector && !File.Exists("/bitwarden/key-connector/bwkc.pfx"))
+ {
+ Directory.CreateDirectory("/bitwarden/key-connector/");
+ var keyConnectorCertPassword = Helpers.GetValueFromEnvFile("key-connector",
+ "keyConnectorSettings__certificate__filesystemPassword");
+ Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout bwkc.key " +
+ "-out bwkc.crt -subj \"/CN=Bitwarden Key Connector\" -days 36500");
+ Helpers.Exec("openssl pkcs12 -export -out /bitwarden/key-connector/bwkc.pfx -inkey bwkc.key " +
+ $"-in bwkc.crt -passout pass:{keyConnectorCertPassword}");
+ }
+ }
 }
 }
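Review bot: The `openssl req` call in the new `BuildForUpdater` writes `bwkc.key` (unencrypted, because of `-nodes`) and `bwkc.crt` into whatever the process's current working directory happens to be, and nothing deletes them after the PKCS#12 export, so a plaintext copy of the Key Connector private key is left behind outside `/bitwarden/key-connector/`. Writing both intermediate files under the target directory and removing them in a `finally` once `bwkc.pfx` has been produced closes that gap, as sketched below. The export password should also be checked before use: if `Helpers.GetValueFromEnvFile` returns null or empty when the key is absent (its behaviour is not visible here), `-passout pass:` would silently yield a PFX with an empty password. Passing the password as `-passout pass:…` also makes it visible to anyone who can list processes on the host while openssl runs; `-passout env:VAR` avoids that if `Helpers.Exec` can set environment variables for the child process. Whether `Helpers.Exec` reports a non-zero openssl exit status is likewise outside the hunk; if it does not, the method can return with a missing or partial `bwkc.pfx`.
```csharp
public void BuildForUpdater()
{
    if (_context.Config.EnableKeyConnector && !File.Exists("/bitwarden/key-connector/bwkc.pfx"))
    {
        Directory.CreateDirectory("/bitwarden/key-connector/");
        var keyConnectorCertPassword = Helpers.GetValueFromEnvFile("key-connector",
            "keyConnectorSettings__certificate__filesystemPassword");
        if (string.IsNullOrEmpty(keyConnectorCertPassword))
        {
            throw new InvalidOperationException(
                "keyConnectorSettings__certificate__filesystemPassword is missing from key-connector.override.env.");
        }

        // Keep the intermediate PEM files under the target directory, never the working directory.
        var keyPath = "/bitwarden/key-connector/bwkc.key";
        var crtPath = "/bitwarden/key-connector/bwkc.crt";
        try
        {
            Helpers.Exec($"openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout {keyPath} " +
                $"-out {crtPath} -subj \"/CN=Bitwarden Key Connector\" -days 36500");
            Helpers.Exec($"openssl pkcs12 -export -out /bitwarden/key-connector/bwkc.pfx -inkey {keyPath} " +
                $"-in {crtPath} -passout pass:{keyConnectorCertPassword}");
        }
        finally
        {
            // The PFX now holds the key; the unencrypted PEM copy must not survive.
            File.Delete(keyPath);
            File.Delete(crtPath);
        }
    }
}
```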
diff --git a/util/Setup/Configuration.cs b/util/Setup/Configuration.cs
index c816798ad8..2cb4edfc92 100644
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@@ -100,6 +100,9 @@ namespace Bit.Setup
 "Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html")]
 public List RealIps { get; set; }
 
+ [Description("Enable Key Connector (https://bitwarden.com/help/article/deploy-key-connector)")]
+ public bool EnableKeyConnector { get; set; } = false;
+
 [YamlIgnore]
 public string Domain
 {
diff --git a/util/Setup/DockerComposeBuilder.cs b/util/Setup/DockerComposeBuilder.cs
index 64afc8224f..b3394d8925 100644
--- a/util/Setup/DockerComposeBuilder.cs
+++ b/util/Setup/DockerComposeBuilder.cs
@@ -50,6 +50,7 @@ namespace Bit.Setup
 ComposeVersion = context.Config.ComposeVersion;
 }
 MssqlDataDockerVolume = context.Config.DatabaseDockerVolume;
+ EnableKeyConnector = context.Config.EnableKeyConnector;
 HttpPort = context.Config.HttpPort;
 HttpsPort = context.Config.HttpsPort;
 if (!string.IsNullOrWhiteSpace(context.CoreVersion))
@@ -64,6 +65,7 @@ namespace Bit.Setup
 
 public string ComposeVersion { get; set; } = "3";
 public bool MssqlDataDockerVolume { get; set; }
+ public bool EnableKeyConnector { get; set; }
 public string HttpPort { get; set; }
 public string HttpsPort { get; set; }
 public bool HasPort => !string.IsNullOrWhiteSpace(HttpPort) || !string.IsNullOrWhiteSpace(HttpsPort);
diff --git a/util/Setup/EnvironmentFileBuilder.cs b/util/Setup/EnvironmentFileBuilder.cs
index 224c954086..ae27746d45 100644
--- a/util/Setup/EnvironmentFileBuilder.cs
+++ b/util/Setup/EnvironmentFileBuilder.cs
@@ -14,6 +14,7 @@ namespace Bit.Setup
 private IDictionary _mssqlValues;
 private IDictionary _globalOverrideValues;
 private IDictionary _mssqlOverrideValues;
+ private IDictionary _keyConnectorOverrideValues;
 
 public EnvironmentFileBuilder(Context context)
 {
@@ -45,6 +46,7 @@ namespace Bit.Setup
 Init();
 LoadExistingValues(_globalOverrideValues, "/bitwarden/env/global.override.env");
 LoadExistingValues(_mssqlOverrideValues, "/bitwarden/env/mssql.override.env");
+ LoadExistingValues(_keyConnectorOverrideValues, "/bitwarden/env/key-connector.override.env");
 
 if (_context.Config.PushNotifications &&
 _globalOverrideValues.ContainsKey("globalSettings__pushRelayBaseUri") &&
@@ -107,6 +109,18 @@ namespace Bit.Setup
 {
 ["SA_PASSWORD"] = dbPassword,
 };
+
+ _keyConnectorOverrideValues = new Dictionary
+ {
+ ["keyConnectorSettings__webVaultUri"] = _context.Config.Url,
+ ["keyConnectorSettings__identityServerUri"] = "http://identity:5000",
+ ["keyConnectorSettings__database__provider"] = "json",
+ ["keyConnectorSettings__database__jsonFilePath"] = "/etc/bitwarden/key-connector/data.json",
+ ["keyConnectorSettings__rsaKey__provider"] = "certificate",
+ ["keyConnectorSettings__certificate__provider"] = "filesystem",
+ ["keyConnectorSettings__certificate__filesystemPath"] = "/etc/bitwarden/key-connector/bwkc.pfx",
+ ["keyConnectorSettings__certificate__filesystemPassword"] = Helpers.SecureRandomString(32, alpha: true, numeric: true),
+ };
 }
 
 private void LoadExistingValues(IDictionary _values, string file)
@@ -179,6 +193,16 @@ namespace Bit.Setup
 }
 Helpers.Exec("chmod 600 /bitwarden/env/mssql.override.env");
 
+ if (_context.Config.EnableKeyConnector)
+ {
+ using (var sw = File.CreateText("/bitwarden/env/key-connector.override.env"))
+ {
+ sw.Write(template(new TemplateModel(_keyConnectorOverrideValues)));
+ }
+
+ Helpers.Exec("chmod 600 /bitwarden/env/key-connector.override.env");
+ }
+
 // Empty uid env file. Only used on Linux hosts.
 if (!File.Exists("/bitwarden/env/uid.env"))
 {
diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs
index 1cf5a90bc2..07ec52a581 100644
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
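Review bot: In the new `EnableKeyConnector` block of the third hunk, `File.CreateText` creates `/bitwarden/env/key-connector.override.env` with the process's default permissions and the secret (the PFX password from `_keyConnectorOverrideValues`) is written before the shell `chmod 600` tightens the mode, so there is a short window in which the file is readable more widely than intended. The block is a line-for-line copy of the mssql block above it, so a private helper that creates the file, restricts its mode, and only then writes the template output would fix both in one place instead of duplicating the `using`/`Write`/`chmod` sequence. Turning `EnableKeyConnector` off later leaves the previously written env file, password included, on disk; if that is intentional so a re-enable still matches the existing `bwkc.pfx`, a comment such as `// key-connector.override.env is deliberately left in place when the feature is disabled so the PFX password survives a re-enable.` would stop someone from removing it. The enclosing method starts and ends outside the hunk.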
@@ -70,6 +70,7 @@ namespace Bit.Setup
 {
 Captcha = context.Config.Captcha;
 Ssl = context.Config.Ssl;
+ EnableKeyConnector = context.Config.EnableKeyConnector;
 Domain = context.Config.Domain;
 Url = context.Config.Url;
 RealIps = context.Config.RealIps;
@@ -117,6 +118,7 @@ namespace Bit.Setup
 
 public bool Captcha { get; set; }
 public bool Ssl { get; set; }
+ public bool EnableKeyConnector { get; set; }
 public string Domain { get; set; }
 public string Url { get; set; }
 public string CertificatePath { get; set; }
diff --git a/util/Setup/Program.cs b/util/Setup/Program.cs
index 39ee5126bc..fa8a4e2f9a 100644
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@@ -291,6 +291,9 @@ namespace Bit.Setup
 
 var environmentFileBuilder = new EnvironmentFileBuilder(_context);
 environmentFileBuilder.BuildForUpdater();
+
+ var certBuilder = new CertBuilder(_context);
+ certBuilder.BuildForUpdater();
 
 var nginxBuilder = new NginxConfigBuilder(_context);
 nginxBuilder.BuildForUpdater();
diff --git a/util/Setup/Templates/DockerCompose.hbs b/util/Setup/Templates/DockerCompose.hbs
index 0e5cbb6fc7..82a65dc32f 100644
--- a/util/Setup/Templates/DockerCompose.hbs
+++ b/util/Setup/Templates/DockerCompose.hbs
@@ -194,6 +194,22 @@ services:
 networks:
 - default
 - public
+
+{{#if EnableKeyConnector}}
+ key-connector:
+ image: bitwarden/key-connector:latest
+ container_name: bitwarden-key-connector
+ restart: always
+ volumes:
+ - ../key-connector:/etc/bitwarden/key-connector
+ - ../ca-certificates:/etc/bitwarden/ca-certificates
+ - ../logs/key-connector:/etc/bitwarden/logs
+ env_file:
+ - ../env/key-connector.override.env
+ networks:
+ - default
+ - public
+{{/if}}
 
 {{#if MssqlDataDockerVolume}}
 volumes:
diff --git a/util/Setup/Templates/NginxConfig.hbs b/util/Setup/Templates/NginxConfig.hbs
index 48de67526d..7bc964635a 100644
--- a/util/Setup/Templates/NginxConfig.hbs
+++ b/util/Setup/Templates/NginxConfig.hbs
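Review bot: The new `certBuilder.BuildForUpdater()` call in the Program.cs hunk depends on `environmentFileBuilder.BuildForUpdater()` having already written `key-connector.override.env`, because CertBuilder reads the PFX password back from that file, and nothing in the hunk records that ordering constraint. A one-line comment above the new lines, `// Must run after EnvironmentFileBuilder: the Key Connector PFX password is read back from key-connector.override.env.`, would keep a future reordering from silently producing a PFX protected by an empty password. The enclosing method starts and ends outside the hunk.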
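Review bot: `image: bitwarden/key-connector:latest` in the DockerCompose.hbs hunk pins the new service to a floating tag, so every pull during an update can silently move the Key Connector to a different build than the one tested with the rest of the stack, and a compromised or regressed tag would be picked up without any change to the generated compose file. The builder already carries `CoreVersion` for the other services (visible in the DockerComposeBuilder.cs hunk), so a templated tag — a dedicated version property, or `CoreVersion` if the images are released together — would keep the deployment reproducible and reviewable. Which tag the other services in this template use is outside the hunk, so that comparison is inferred rather than observed.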
@@ -166,4 +166,10 @@ server {
 include /etc/nginx/security-headers.conf;
 add_header X-Frame-Options SAMEORIGIN;
 }
+
+{{#if EnableKeyConnector}}
+ location /key-connector/ {
+ proxy_pass http://key-connector:5000/;
+ }
+{{/if}}
 }
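Review bot: The new `location /key-connector/` block contains only a bare `proxy_pass`, while the block just above it ends with `include /etc/nginx/security-headers.conf;` and `add_header X-Frame-Options SAMEORIGIN;`, so unless the enclosing `server` block sets those headers itself (outside this hunk) responses proxied to the Key Connector go out without them. Adding `include /etc/nginx/security-headers.conf;` inside the new location keeps the hardening consistent across proxied paths. The forwarded-header directives the other proxied locations presumably carry (Host, X-Forwarded-For, X-Forwarded-Proto) are not visible here either and should be confirmed for this location, since a service behind a path-prefix proxy commonly depends on them. The preceding location block starts outside the hunk.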