Enable key connector selfhost (#1707)

* initial commit * Add code for Key Connector feature * Add help URL to config * Fix folders for key-connector service * Fix paths for key-connector * fixing the env file builder when disabling the key connector * swapping a variable name Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
2025-04-05 05:00:19 -05:00 · 2021-11-16 09:52:02 -08:00 · 2021-11-16 09:52:02 -08:00 · 3a22f91ff5
commit 3a22f91ff5
parent cdb622d4aa
8 changed files with 70 additions and 0 deletions
--- a/util/Setup/CertBuilder.cs
+++ b/util/Setup/CertBuilder.cs
@ -97,5 +97,19 @@ namespace Bit.Setup
                Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
            }
        }
+
+        public void BuildForUpdater()
+        {
+            if (_context.Config.EnableKeyConnector && !File.Exists("/bitwarden/key-connector/bwkc.pfx"))
+            {
+                Directory.CreateDirectory("/bitwarden/key-connector/");
+                var keyConnectorCertPassword = Helpers.GetValueFromEnvFile("key-connector",
+                    "keyConnectorSettings__certificate__filesystemPassword");
+                Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout bwkc.key " +
+                             "-out bwkc.crt -subj \"/CN=Bitwarden Key Connector\" -days 36500");
+                Helpers.Exec("openssl pkcs12 -export -out /bitwarden/key-connector/bwkc.pfx -inkey bwkc.key " +
+                             $"-in bwkc.crt -passout pass:{keyConnectorCertPassword}");
+            }
+        }
    }
 }
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@ -100,6 +100,9 @@ namespace Bit.Setup
            "Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html")]
        public List<string> RealIps { get; set; }

+        [Description("Enable Key Connector (https://bitwarden.com/help/article/deploy-key-connector)")]
+        public bool EnableKeyConnector { get; set; } = false;
+
        [YamlIgnore]
        public string Domain
        {
--- a/util/Setup/DockerComposeBuilder.cs
+++ b/util/Setup/DockerComposeBuilder.cs
@ -50,6 +50,7 @@ namespace Bit.Setup
                    ComposeVersion = context.Config.ComposeVersion;
                }
                MssqlDataDockerVolume = context.Config.DatabaseDockerVolume;
+                EnableKeyConnector = context.Config.EnableKeyConnector;
                HttpPort = context.Config.HttpPort;
                HttpsPort = context.Config.HttpsPort;
                if (!string.IsNullOrWhiteSpace(context.CoreVersion))
@ -64,6 +65,7 @@ namespace Bit.Setup

            public string ComposeVersion { get; set; } = "3";
            public bool MssqlDataDockerVolume { get; set; }
+            public bool EnableKeyConnector { get; set; }
            public string HttpPort { get; set; }
            public string HttpsPort { get; set; }
            public bool HasPort => !string.IsNullOrWhiteSpace(HttpPort) || !string.IsNullOrWhiteSpace(HttpsPort);
--- a/util/Setup/EnvironmentFileBuilder.cs
+++ b/util/Setup/EnvironmentFileBuilder.cs
@ -14,6 +14,7 @@ namespace Bit.Setup
        private IDictionary<string, string> _mssqlValues;
        private IDictionary<string, string> _globalOverrideValues;
        private IDictionary<string, string> _mssqlOverrideValues;
+        private IDictionary<string, string> _keyConnectorOverrideValues;

        public EnvironmentFileBuilder(Context context)
        {
@ -45,6 +46,7 @@ namespace Bit.Setup
            Init();
            LoadExistingValues(_globalOverrideValues, "/bitwarden/env/global.override.env");
            LoadExistingValues(_mssqlOverrideValues, "/bitwarden/env/mssql.override.env");
+            LoadExistingValues(_keyConnectorOverrideValues, "/bitwarden/env/key-connector.override.env");

            if (_context.Config.PushNotifications &&
                _globalOverrideValues.ContainsKey("globalSettings__pushRelayBaseUri") &&
@ -107,6 +109,18 @@ namespace Bit.Setup
            {
                ["SA_PASSWORD"] = dbPassword,
            };
+
+            _keyConnectorOverrideValues = new Dictionary<string, string>
+            {
+                ["keyConnectorSettings__webVaultUri"] = _context.Config.Url,
+                ["keyConnectorSettings__identityServerUri"] = "http://identity:5000",
+                ["keyConnectorSettings__database__provider"] = "json",
+                ["keyConnectorSettings__database__jsonFilePath"] = "/etc/bitwarden/key-connector/data.json",
+                ["keyConnectorSettings__rsaKey__provider"] = "certificate",
+                ["keyConnectorSettings__certificate__provider"] = "filesystem",
+                ["keyConnectorSettings__certificate__filesystemPath"] = "/etc/bitwarden/key-connector/bwkc.pfx",
+                ["keyConnectorSettings__certificate__filesystemPassword"] = Helpers.SecureRandomString(32, alpha: true, numeric: true),
+            };
        }

        private void LoadExistingValues(IDictionary<string, string> _values, string file)
@ -179,6 +193,16 @@ namespace Bit.Setup
            }
            Helpers.Exec("chmod 600 /bitwarden/env/mssql.override.env");

+            if (_context.Config.EnableKeyConnector)
+            {
+                using (var sw = File.CreateText("/bitwarden/env/key-connector.override.env"))
+                {
+                    sw.Write(template(new TemplateModel(_keyConnectorOverrideValues)));
+                }
+
+                Helpers.Exec("chmod 600 /bitwarden/env/key-connector.override.env");
+            }
+
            // Empty uid env file. Only used on Linux hosts.
            if (!File.Exists("/bitwarden/env/uid.env"))
            {
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@ -70,6 +70,7 @@ namespace Bit.Setup
            {
                Captcha = context.Config.Captcha;
                Ssl = context.Config.Ssl;
+                EnableKeyConnector = context.Config.EnableKeyConnector;
                Domain = context.Config.Domain;
                Url = context.Config.Url;
                RealIps = context.Config.RealIps;
@ -117,6 +118,7 @@ namespace Bit.Setup

            public bool Captcha { get; set; }
            public bool Ssl { get; set; }
+            public bool EnableKeyConnector { get; set; }
            public string Domain { get; set; }
            public string Url { get; set; }
            public string CertificatePath { get; set; }
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@ -292,6 +292,9 @@ namespace Bit.Setup
            var environmentFileBuilder = new EnvironmentFileBuilder(_context);
            environmentFileBuilder.BuildForUpdater();
            
+            var certBuilder = new CertBuilder(_context);
+            certBuilder.BuildForUpdater();
+
            var nginxBuilder = new NginxConfigBuilder(_context);
            nginxBuilder.BuildForUpdater();

--- a/util/Setup/Templates/DockerCompose.hbs
+++ b/util/Setup/Templates/DockerCompose.hbs
@ -194,6 +194,22 @@ services:
    networks:
      - default
      - public
+
+{{#if EnableKeyConnector}}
+  key-connector:
+    image: bitwarden/key-connector:latest
+    container_name: bitwarden-key-connector
+    restart: always
+    volumes:
+      - ../key-connector:/etc/bitwarden/key-connector
+      - ../ca-certificates:/etc/bitwarden/ca-certificates
+      - ../logs/key-connector:/etc/bitwarden/logs
+    env_file:
+      - ../env/key-connector.override.env
+    networks:
+      - default
+      - public
+{{/if}}
 {{#if MssqlDataDockerVolume}}

 volumes:
--- a/util/Setup/Templates/NginxConfig.hbs
+++ b/util/Setup/Templates/NginxConfig.hbs
@ -166,4 +166,10 @@ server {
    include /etc/nginx/security-headers.conf;
    add_header X-Frame-Options SAMEORIGIN;
  }
+
+{{#if EnableKeyConnector}}
+  location /key-connector/ {
+    proxy_pass http://key-connector:5000/;
+  }
+{{/if}}
 }