Enable key connector selfhost (#1707)

* initial commit * Add code for Key Connector feature * Add help URL to config * Fix folders for key-connector service * Fix paths for key-connector * fixing the env file builder when disabling the key connector * swapping a variable name Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
2025-04-05 05:00:19 -05:00 · 2021-11-16 09:52:02 -08:00 · 2021-11-16 09:52:02 -08:00 · 3a22f91ff5
commit 3a22f91ff5
parent cdb622d4aa
8 changed files with 70 additions and 0 deletions
--- a/util/Setup/CertBuilder.cs
+++ b/util/Setup/CertBuilder.cs
@ -97,5 +97,19 @@ namespace Bit.Setup
                Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
            }
        }
        public void BuildForUpdater()
        {
            if (_context.Config.EnableKeyConnector && !File.Exists("/bitwarden/key-connector/bwkc.pfx"))
            {
                Directory.CreateDirectory("/bitwarden/key-connector/");
                var keyConnectorCertPassword = Helpers.GetValueFromEnvFile("key-connector",
                    "keyConnectorSettings__certificate__filesystemPassword");
                Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout bwkc.key " +
                             "-out bwkc.crt -subj \"/CN=Bitwarden Key Connector\" -days 36500");
                Helpers.Exec("openssl pkcs12 -export -out /bitwarden/key-connector/bwkc.pfx -inkey bwkc.key " +
                             $"-in bwkc.crt -passout pass:{keyConnectorCertPassword}");
            }
        }
    }
 }
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@ -100,6 +100,9 @@ namespace Bit.Setup
            "Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html")]
        public List<string> RealIps { get; set; }
        [Description("Enable Key Connector (https://bitwarden.com/help/article/deploy-key-connector)")]
        public bool EnableKeyConnector { get; set; } = false;
        [YamlIgnore]
        public string Domain
        {
--- a/util/Setup/DockerComposeBuilder.cs
+++ b/util/Setup/DockerComposeBuilder.cs
@ -50,6 +50,7 @@ namespace Bit.Setup
                    ComposeVersion = context.Config.ComposeVersion;
                }
                MssqlDataDockerVolume = context.Config.DatabaseDockerVolume;
                EnableKeyConnector = context.Config.EnableKeyConnector;
                HttpPort = context.Config.HttpPort;
                HttpsPort = context.Config.HttpsPort;
                if (!string.IsNullOrWhiteSpace(context.CoreVersion))
@ -64,6 +65,7 @@ namespace Bit.Setup
            public string ComposeVersion { get; set; } = "3";
            public bool MssqlDataDockerVolume { get; set; }
            public bool EnableKeyConnector { get; set; }
            public string HttpPort { get; set; }
            public string HttpsPort { get; set; }
            public bool HasPort => !string.IsNullOrWhiteSpace(HttpPort) || !string.IsNullOrWhiteSpace(HttpsPort);
--- a/util/Setup/EnvironmentFileBuilder.cs
+++ b/util/Setup/EnvironmentFileBuilder.cs
@ -14,6 +14,7 @@ namespace Bit.Setup
        private IDictionary<string, string> _mssqlValues;
        private IDictionary<string, string> _globalOverrideValues;
        private IDictionary<string, string> _mssqlOverrideValues;
        private IDictionary<string, string> _keyConnectorOverrideValues;
        public EnvironmentFileBuilder(Context context)
        {
@ -45,6 +46,7 @@ namespace Bit.Setup
            Init();
            LoadExistingValues(_globalOverrideValues, "/bitwarden/env/global.override.env");
            LoadExistingValues(_mssqlOverrideValues, "/bitwarden/env/mssql.override.env");
            LoadExistingValues(_keyConnectorOverrideValues, "/bitwarden/env/key-connector.override.env");
            if (_context.Config.PushNotifications &&
                _globalOverrideValues.ContainsKey("globalSettings__pushRelayBaseUri") &&
@ -107,6 +109,18 @@ namespace Bit.Setup
            {
                ["SA_PASSWORD"] = dbPassword,
            };
            _keyConnectorOverrideValues = new Dictionary<string, string>
            {
                ["keyConnectorSettings__webVaultUri"] = _context.Config.Url,
                ["keyConnectorSettings__identityServerUri"] = "http://identity:5000",
                ["keyConnectorSettings__database__provider"] = "json",
                ["keyConnectorSettings__database__jsonFilePath"] = "/etc/bitwarden/key-connector/data.json",
                ["keyConnectorSettings__rsaKey__provider"] = "certificate",
                ["keyConnectorSettings__certificate__provider"] = "filesystem",
                ["keyConnectorSettings__certificate__filesystemPath"] = "/etc/bitwarden/key-connector/bwkc.pfx",
                ["keyConnectorSettings__certificate__filesystemPassword"] = Helpers.SecureRandomString(32, alpha: true, numeric: true),
            };
        }
        private void LoadExistingValues(IDictionary<string, string> _values, string file)
@ -179,6 +193,16 @@ namespace Bit.Setup
            }
            Helpers.Exec("chmod 600 /bitwarden/env/mssql.override.env");
            if (_context.Config.EnableKeyConnector)
            {
                using (var sw = File.CreateText("/bitwarden/env/key-connector.override.env"))
                {
                    sw.Write(template(new TemplateModel(_keyConnectorOverrideValues)));
                }
                Helpers.Exec("chmod 600 /bitwarden/env/key-connector.override.env");
            }
            // Empty uid env file. Only used on Linux hosts.
            if (!File.Exists("/bitwarden/env/uid.env"))
            {
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@ -70,6 +70,7 @@ namespace Bit.Setup
            {
                Captcha = context.Config.Captcha;
                Ssl = context.Config.Ssl;
                EnableKeyConnector = context.Config.EnableKeyConnector;
                Domain = context.Config.Domain;
                Url = context.Config.Url;
                RealIps = context.Config.RealIps;
@ -117,6 +118,7 @@ namespace Bit.Setup
            public bool Captcha { get; set; }
            public bool Ssl { get; set; }
            public bool EnableKeyConnector { get; set; }
            public string Domain { get; set; }
            public string Url { get; set; }
            public string CertificatePath { get; set; }
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@ -291,6 +291,9 @@ namespace Bit.Setup
            var environmentFileBuilder = new EnvironmentFileBuilder(_context);
            environmentFileBuilder.BuildForUpdater();
            var certBuilder = new CertBuilder(_context);
            certBuilder.BuildForUpdater();
            var nginxBuilder = new NginxConfigBuilder(_context);
            nginxBuilder.BuildForUpdater();
--- a/util/Setup/Templates/DockerCompose.hbs
+++ b/util/Setup/Templates/DockerCompose.hbs
@ -194,6 +194,22 @@ services:
    networks:
      - default
      - public
 {{#if EnableKeyConnector}}
  key-connector:
    image: bitwarden/key-connector:latest
    container_name: bitwarden-key-connector
    restart: always
    volumes:
      - ../key-connector:/etc/bitwarden/key-connector
      - ../ca-certificates:/etc/bitwarden/ca-certificates
      - ../logs/key-connector:/etc/bitwarden/logs
    env_file:
      - ../env/key-connector.override.env
    networks:
      - default
      - public
 {{/if}}
 {{#if MssqlDataDockerVolume}}
 volumes:
--- a/util/Setup/Templates/NginxConfig.hbs
+++ b/util/Setup/Templates/NginxConfig.hbs
@ -166,4 +166,10 @@ server {
    include /etc/nginx/security-headers.conf;
    add_header X-Frame-Options SAMEORIGIN;
  }
 {{#if EnableKeyConnector}}
  location /key-connector/ {
    proxy_pass http://key-connector:5000/;
  }
 {{/if}}
 }