PersistKeysToFileSystem when selfhosted

2025-04-08 22:58:11 -05:00 · 2017-08-08 00:02:52 -04:00 · 2017-08-08 00:02:52 -04:00 · e7905dec04
commit e7905dec04
parent 3e7c0f7ca1
8 changed files with 51 additions and 12 deletions
--- a/docker/docker-compose.linux.yml
+++ b/docker/docker-compose.linux.yml
@ -4,9 +4,16 @@ services:
  mssql:
    volumes:
      - /etc/bitwarden/mssql_data:/var/opt/mssql/data
  web:
    volumes:
      - /etc/bitwarden/web:/etc/bitwarden/web
  api:
    volumes:
      - /etc/bitwarden/core:/etc/bitwarden/core
  identity:
    volumes:
      - /etc/bitwarden/identity:/etc/bitwarden/identity
      - /etc/bitwarden/core:/etc/bitwarden/core
  nginx:
    volumes:
      - /etc/bitwarden/nginx:/etc/bitwarden/nginx
--- a/docker/docker-compose.override.yml
+++ b/docker/docker-compose.override.yml
@ -4,9 +4,16 @@ services:
  mssql:
    volumes:
      - mssql_data:/var/opt/mssql/data
  web:
    volumes:
      - c:/bitwarden/web:/etc/bitwarden/web
  api:
    volumes:
      - c:/bitwarden/core:/etc/bitwarden/core
  identity:
    volumes:
      - c:/bitwarden/identity:/etc/bitwarden/identity
      - c:/bitwarden/core:/etc/bitwarden/core
  nginx:
    volumes:
      - c:/bitwarden/nginx:/etc/bitwarden/nginx
--- a/docker/docker-compose.windows.yml
+++ b/docker/docker-compose.windows.yml
@ -4,9 +4,16 @@ services:
  mssql:
    volumes:
      - mssql_data:/var/opt/mssql/data
  web:
    volumes:
      - c:/bitwarden/web:/etc/bitwarden/web
  api:
    volumes:
      - c:/bitwarden/core:/etc/bitwarden/core
  identity:
    volumes:
      - c:/bitwarden/identity:/etc/bitwarden/identity
      - c:/bitwarden/core:/etc/bitwarden/core
  nginx:
    volumes:
      - c:/bitwarden/nginx:/etc/bitwarden/nginx
--- a/src/Api/.dockerignore
+++ b/src/Api/.dockerignore
@ -1,3 +1,4 @@
 *
 !obj/Docker/publish/*
 !obj/Docker/empty/
 !entrypoint.sh
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@ -22,4 +22,7 @@ done
 WORKDIR /app
 EXPOSE 80
 COPY obj/Docker/publish .
-ENTRYPOINT ["dotnet", "Api.dll"]
+
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
--- a/src/Api/entrypoint.sh
+++ b/src/Api/entrypoint.sh
@ -0,0 +1,3 @@
 #!/bin/sh
 dotnet /app/Api.dll
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@ -17,6 +17,7 @@ using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.WindowsAzure.Storage;
 using System;
 using System.IO;
 using SqlServerRepos = Bit.Core.Repositories.SqlServer;
 namespace Bit.Core.Utilities
@ -195,10 +196,19 @@ namespace Bit.Core.Utilities
        public static void AddCustomDataProtectionServices(
            this IServiceCollection services, IHostingEnvironment env, GlobalSettings globalSettings)
        {
            if(env.IsDevelopment())
            {
                return;
            }
            if(globalSettings.SelfHosted)
            {
                var dir = new DirectoryInfo("/etc/bitwarden/core/aspnet-dataprotection");
                services.AddDataProtection().PersistKeysToFileSystem(dir);
            }
 #if NET461
-            if(!env.IsDevelopment() && !globalSettings.SelfHosted &&
+            if(!globalSettings.SelfHosted)
                !string.IsNullOrWhiteSpace(globalSettings.Storage.ConnectionString) &&
                !string.IsNullOrWhiteSpace(globalSettings.DataProtection.CertificateThumbprint))
            {
                var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
                var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@ -12,7 +12,7 @@ namespace Setup
        private static IDictionary<string, string> _parameters = null;
        private static string _domain = null;
        private static string _url = null;
-        private static string _certPassword = null;
+        private static string _identityCertPassword = null;
        private static bool _ssl = false;
        private static bool _letsEncrypt = false;
@ -28,21 +28,21 @@ namespace Setup
            _ssl = _letsEncrypt || (_parameters.ContainsKey("ssl") ?
                _parameters["ssl"].ToLowerInvariant() == "y" : false);
            _url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
-            _certPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
+            _identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
-            MakeIdentityCert();
+            MakeCerts();
            BuildNginxConfig();
            BuildEnvironmentFiles();
            BuildAppSettingsFiles();
        }
-        private static void MakeIdentityCert()
+        private static void MakeCerts()
        {
            Directory.CreateDirectory("/bitwarden/identity/");
-            var identityCertResult = Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
+            Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
                "-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
-            var identityPfxResult = Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
+            Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
-                $"-in identity.crt -certfile identity.crt -passout pass:{_certPassword}");
+                $"-in identity.crt -certfile identity.crt -passout pass:{_identityCertPassword}");
        }
        private static void BuildNginxConfig()
@ -165,6 +165,7 @@ server {{
        private static void BuildEnvironmentFiles()
        {
            Directory.CreateDirectory("/bitwarden/docker/");
            var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"].ToLowerInvariant() : "REPLACE";
            var dbConnectionString = "Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;" +
                $"Password={dbPass};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;" +
@ -176,7 +177,7 @@ server {{
 globalSettings:baseServiceUri:api={_url}/api
 globalSettings:baseServiceUri:identity={_url}/identity
 globalSettings:sqlServer:connectionString={dbConnectionString}
-globalSettings:identityServer:certificatePassword={_certPassword}
+globalSettings:identityServer:certificatePassword={_identityCertPassword}
 globalSettings:duo:aKey={Helpers.SecureRandomString(32, alpha: true, numeric: true)}
 globalSettings:yubico:clientId=REPLACE
 globalSettings:yubico:REPLACE");