nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-06 21:48:12 -05:00
Code

load certs from azure storage

Browse Source
This commit is contained in:
Kyle Spearrin 2019-07-10 20:05:07 -04:00
parent f97539d558
commit b5d2a1da75
4 changed files with 67 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Core/GlobalSettings.cs
View File

@ -11,6 +11,7 @@ namespace Bit.Core
public virtual string ProjectName { get; set; } public virtual string ProjectName { get; set; }
public virtual string LogDirectory { get; set; } public virtual string LogDirectory { get; set; }
public virtual string LicenseDirectory { get; set; } public virtual string LicenseDirectory { get; set; }
public string LicenseCertificatePassword { get; set; }
public virtual string PushRelayBaseUri { get; set; } public virtual string PushRelayBaseUri { get; set; }
public virtual string InternalIdentityKey { get; set; } public virtual string InternalIdentityKey { get; set; }
public virtual string HibpBreachApiKey { get; set; } public virtual string HibpBreachApiKey { get; set; }
@ -141,6 +142,7 @@ namespace Bit.Core
public class DataProtectionSettings public class DataProtectionSettings
{ {
public string CertificateThumbprint { get; set; } public string CertificateThumbprint { get; set; }
public string CertificatePassword { get; set; }
public string Directory { get; set; } public string Directory { get; set; }
} }

22
src/Core/Services/Implementations/LicensingService.cs
View File

@ -4,6 +4,7 @@ using Bit.Core.Repositories;
using Bit.Core.Utilities; using Bit.Core.Utilities;
using Microsoft.AspNetCore.Hosting; using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging;
using Microsoft.WindowsAzure.Storage;
using Newtonsoft.Json; using Newtonsoft.Json;
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
@ -38,12 +39,27 @@ namespace Bit.Core.Services
_organizationRepository = organizationRepository; _organizationRepository = organizationRepository;
_organizationUserRepository = organizationUserRepository; _organizationUserRepository = organizationUserRepository;
_logger = logger; _logger = logger;
_globalSettings = globalSettings;
var certThumbprint = environment.IsDevelopment() ? "207E64A231E8AA32AAF68A61037C075EBEBD553F" : var certThumbprint = environment.IsDevelopment() ? "207E64A231E8AA32AAF68A61037C075EBEBD553F" :
"B34876439FCDA2846505B2EFBBA6C4A951313EBE"; "B34876439FCDA2846505B2EFBBA6C4A951313EBE";
_globalSettings = globalSettings; if(_globalSettings.SelfHosted)
_certificate = !_globalSettings.SelfHosted ? CoreHelpers.GetCertificate(certThumbprint) {
: CoreHelpers.GetEmbeddedCertificate("licensing.cer", null); _certificate = CoreHelpers.GetEmbeddedCertificate("licensing.cer", null);
}
else if(CoreHelpers.SettingHasValue(_globalSettings.Storage?.ConnectionString) &&
CoreHelpers.SettingHasValue(_globalSettings.LicenseCertificatePassword))
{
var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
_certificate = CoreHelpers.GetBlobCertificateAsync(storageAccount, "certificates",
"licensing.pfx", _globalSettings.LicenseCertificatePassword)
.GetAwaiter().GetResult();
}
else
{
_certificate = CoreHelpers.GetCertificate(certThumbprint);
}
if(_certificate == null || !_certificate.Thumbprint.Equals(CoreHelpers.CleanCertificateThumbprint(certThumbprint), if(_certificate == null || !_certificate.Thumbprint.Equals(CoreHelpers.CleanCertificateThumbprint(certThumbprint),
StringComparison.InvariantCultureIgnoreCase)) StringComparison.InvariantCultureIgnoreCase))
{ {

20
src/Core/Utilities/CoreHelpers.cs
View File

@ -15,6 +15,8 @@ using System.Globalization;
using System.Web; using System.Web;
using Microsoft.AspNetCore.DataProtection; using Microsoft.AspNetCore.DataProtection;
using Bit.Core.Enums; using Bit.Core.Enums;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.Storage;
namespace Bit.Core.Utilities namespace Bit.Core.Utilities
{ {
@ -149,6 +151,24 @@ namespace Bit.Core.Utilities
} }
} }
public async static Task<X509Certificate2> GetBlobCertificateAsync(CloudStorageAccount cloudStorageAccount,
string container, string file, string password)
{
var blobClient = cloudStorageAccount.CreateCloudBlobClient();
var containerRef = blobClient.GetContainerReference(container);
if(await containerRef.ExistsAsync())
{
var blobRef = containerRef.GetBlobReference(file);
if(await blobRef.ExistsAsync())
{
var blobBytes = new byte[blobRef.Properties.Length];
await blobRef.DownloadToByteArrayAsync(blobBytes, 0);
return new X509Certificate2(blobBytes, password);
}
}
return null;
}
public static long ToEpocMilliseconds(DateTime date) public static long ToEpocMilliseconds(DateTime date)
{ {
return (long)Math.Round((date - _epoc).TotalMilliseconds, 0); return (long)Math.Round((date - _epoc).TotalMilliseconds, 0);

32
src/Core/Utilities/ServiceCollectionExtensions.cs
View File

@ -29,6 +29,7 @@ using System.Security.Claims;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.HttpOverrides; using Microsoft.AspNetCore.HttpOverrides;
using System.Linq; using System.Linq;
using System.Security.Cryptography.X509Certificates;
namespace Bit.Core.Utilities namespace Bit.Core.Utilities
{ {
@ -131,7 +132,7 @@ namespace Bit.Core.Utilities
services.AddSingleton<IPushRegistrationService, NoopPushRegistrationService>(); services.AddSingleton<IPushRegistrationService, NoopPushRegistrationService>();
} }
if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage.ConnectionString)) if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage?.ConnectionString))
{ {
services.AddSingleton<IBlockIpService, AzureQueueBlockIpService>(); services.AddSingleton<IBlockIpService, AzureQueueBlockIpService>();
} }
@ -326,7 +327,8 @@ namespace Bit.Core.Utilities
{ {
identityServerBuilder.AddDeveloperSigningCredential(false); identityServerBuilder.AddDeveloperSigningCredential(false);
} }
else if(!string.IsNullOrWhiteSpace(globalSettings.IdentityServer.CertificatePassword) else if(globalSettings.SelfHosted &&
!string.IsNullOrWhiteSpace(globalSettings.IdentityServer.CertificatePassword)
&& File.Exists("identity.pfx")) && File.Exists("identity.pfx"))
{ {
var identityServerCert = CoreHelpers.GetCertificate("identity.pfx", var identityServerCert = CoreHelpers.GetCertificate("identity.pfx",
@ -338,6 +340,15 @@ namespace Bit.Core.Utilities
var identityServerCert = CoreHelpers.GetCertificate(globalSettings.IdentityServer.CertificateThumbprint); var identityServerCert = CoreHelpers.GetCertificate(globalSettings.IdentityServer.CertificateThumbprint);
identityServerBuilder.AddSigningCredential(identityServerCert); identityServerBuilder.AddSigningCredential(identityServerCert);
} }
else if(!globalSettings.SelfHosted &&
CoreHelpers.SettingHasValue(globalSettings.Storage?.ConnectionString) &&
CoreHelpers.SettingHasValue(globalSettings.IdentityServer.CertificatePassword))
{
var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
var identityServerCert = CoreHelpers.GetBlobCertificateAsync(storageAccount, "certificates",
"identity.pfx", globalSettings.IdentityServer.CertificatePassword).GetAwaiter().GetResult();
identityServerBuilder.AddSigningCredential(identityServerCert);
}
else else
{ {
throw new Exception("No identity certificate to use."); throw new Exception("No identity certificate to use.");
@ -366,12 +377,21 @@ namespace Bit.Core.Utilities
.PersistKeysToFileSystem(new DirectoryInfo(globalSettings.DataProtection.Directory)); .PersistKeysToFileSystem(new DirectoryInfo(globalSettings.DataProtection.Directory));
} }
if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage.ConnectionString) && if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage?.ConnectionString))
CoreHelpers.SettingHasValue(globalSettings.DataProtection.CertificateThumbprint))
{ {
var dataProtectionCert = CoreHelpers.GetCertificate(
globalSettings.DataProtection.CertificateThumbprint);
var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString); var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
X509Certificate2 dataProtectionCert = null;
if(CoreHelpers.SettingHasValue(globalSettings.DataProtection.CertificateThumbprint))
{
dataProtectionCert = CoreHelpers.GetCertificate(
globalSettings.DataProtection.CertificateThumbprint);
}
else if(CoreHelpers.SettingHasValue(globalSettings.DataProtection.CertificatePassword))
{
dataProtectionCert = CoreHelpers.GetBlobCertificateAsync(storageAccount, "certificates",
"dataprotection.pfx", globalSettings.DataProtection.CertificatePassword)
.GetAwaiter().GetResult();
}
services.AddDataProtection() services.AddDataProtection()
.PersistKeysToAzureBlobStorage(storageAccount, "aspnet-dataprotection/keys.xml") .PersistKeysToAzureBlobStorage(storageAccount, "aspnet-dataprotection/keys.xml")
.ProtectKeysWithCertificate(dataProtectionCert); .ProtectKeysWithCertificate(dataProtectionCert);