Commit Graph

258 Commits

Author SHA1 Message Date
BlackDex 32543c46da
Update Rust and Crates
- Updated Rust to v1.72.0
- Updated all the crates
  Including a CVE https://github.com/dani-garcia/vaultwarden/security/dependabot/21
- Updated GitHub Workflows
- Run `cargo fmt` which has some new fmt's
- Moved from `rust-toolchain` to `rust-toolchain.toml`
2023-08-31 22:45:53 +02:00
BlackDex 6cdcb3b297
Optimized Favicon downloading
Some optimizations in regards to downloading Favicon's.

I also encounterd some issues with accessing some sites where the
connection got dropped or closed early. This seems a reqwest/hyper
thingy, https://github.com/hyperium/hyper/issues/2136. This is now also
fixed.

General:

- Decreased struct size
- Decreased memory allocations
- Optimized tokenizer a bit more to only emit tags when all attributes are there and are valid.

reqwest/hyper connection issue:
The following changes helped solve the connection issues to some sites.
The endresult is that some icons are now able to be downloaded always instead of sometimes.

- Enabled some extra reqwest features, `deflate` and `native-tls-alpn`
  (Which do not bring in any extra crates since other crates already enabled them, but they were not active for Vaultwarden it self)
- Configured reqwest to have a max amount of idle pool connections per host
- Configured reqwest to timeout the idle connections in 10 seconds
2023-08-13 19:13:00 +02:00
BlackDex aaeae16983
Update images to Bookworm and PQ15
This PR updates the base images to use Debian Bookworm as base image. Also the MUSL/Alpine builds now use OpenSSLv3 and PostgreSQL v15.

The GHA Workflows are updated to use Ubuntu 22.04 to better match the versions of Debian Bookworm.

Also:
- Enabled spares crate registry
- Updated workflow actions
- Updated Rust to v1.71.0
- The rust-musl images now use musl v1.2.3 for the 32bit arch's if the Rust version is v1.71.0 or higher.
   The 64bit arch's already used musl v1.2.3.
- Updated crates.

Improves / Closes #3434
2023-08-12 12:29:33 +02:00
BlackDex 0a6b797e6e
Update crates and small clippy fix
- Update all crates
- Remove async which is reported by clippy in v1.72.0
2023-07-04 20:12:50 +02:00
BlackDex 84a23008f4
Update crates and workflow
- Updated all the crates
- Updated workflow actions
- Set cargo registry to sparse
2023-06-21 22:01:05 +02:00
Helmut K. C. Tessarek 2d6ca0ea95
Update a few more crates 2023-06-04 16:14:51 -04:00
Helmut K. C. Tessarek 06a10e2c5a
Update Rust and Crates 2023-06-03 17:04:45 -04:00
BlackDex 0851561392 Update crates and GH Workflow
- Updated crates
- Updated GHA where needed
2023-05-26 17:26:09 +02:00
Stefan Melmuk 349c97efaf
update crates 2023-05-12 09:31:29 +02:00
BlackDex 4a2ed553df
Use Rocket `v0.5` branch to fix endpoints
There now is a `v0.5` branch which will be the final release version
when the time is there. Switched to this instead of the `master` branch
which contains other fixes and enhancements as well (for `v0.6`).

This should solve all the endpoint issue we were having.
2023-05-06 19:46:55 +02:00
BlackDex f906f6230a
Change `String` to `&str` for all Rocket functions
During setting the latest commit hash for Rocket and updating all the
other crates, there were some messages regarding the usage of `String`
for the Rocket endpoint function calls. I acted upon this message and
changed all `String` types to `&str` and modified the code where needed.

This ended up in less alloc calls, and probably also a bit less memory usage.

- Updated all the crates and commit hashes
- Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
BlackDex cfba8347a3
Update Rust and Crates
- Updated Rust to v1.69.0
- Updated MSRV to v1.67.1
- Updated crates
- Updated GitHub Actions
2023-04-24 14:10:58 +02:00
BlackDex 48cc31a59f
Small update to Rocket WebSockets
Switched from channels to stream. This is able to use yield, and the
code looks a bit nicer this way.

Also updated all the crates.
2023-04-12 15:59:05 +02:00
BlackDex 3d11f4cd16
WebSockets via Rocket's Upgrade connection
This PR implements a (not yet fully released) new feature of Rocket which allows WebSockets/Upgrade connections.
No more need for multiple ports to be opened for Vaultwarden.
No explicit need for a reverse proxy to get WebSockets to work (Although I still suggest to use a reverse proxy).

- Using a git revision for Rocket, since `rocket_ws` is not yet released.
- Updated other crates as well.
- Added a connection guard to clear the WS connection from the Users list.

Fixes #685
Fixes #2917
Fixes #1424
2023-04-10 16:58:58 +02:00
BlackDex fc43608eec
Revert setcap, update rust and crates
- Revert #3170 as discussed in #3387
  In hindsight it's better to not have this feature
- Update Dockerfile.j2 for easy version changes.
  Just change it in one place instead of multiple
- Updated to Rust to latest patched version
- Updated crates to latest available
- Pinned mimalloc to an older version, as it breaks on musl builds
2023-04-02 15:19:59 +02:00
BlackDex 8bcd0ab0c6
Some small fixes and updates
- Updated workflows to use new checkout version
  This probably fixes the curl download for hadolint also.
- Updated crates including Rocket to the latest rc3 :party:
- Applied 2 nightly clippy lints to prevent future clippy issues.
2023-03-25 12:51:42 +01:00
Daniel García 5800aceb2d
Update web vault to v2023.3.0 and dependencies 2023-03-22 21:30:30 +01:00
BlackDex c8655c4f89
Update Rust, MSRV and Crates
- Updated all the crates
- Updated Rust and MSRV
2023-03-15 20:41:12 +01:00
BlackDex 0c0e632bc9
Upd Crates, Rust, MSRV, GHA and remove Backtrace
- Changed MSRV to v1.65.
  Discussed this with @dani-garcia, and we will support **N-2**.
  This is/will be the same as for the `time` crate we use.
  Also updated the wiki regarding this https://github.com/dani-garcia/vaultwarden/wiki/Building-binary
- Removed backtrace crate in favor of `std::backtrace` stable since v1.65
- Updated Rust to v1.67.1
- Updated all the crates
- Updated the GHA action versions
- Adjusted the GHA MSRV build to extract the MSRV from `Cargo.toml`
2023-03-07 09:17:42 +01:00
BlackDex de157b2654
Admin token Argon2 hashing support
Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead
of only supporting a plain text string.

The hash must be a PHC string which can be generated via the `argon2`
CLI **or** via the also built-in hash command in Vaultwarden.

You can simply run `vaultwarden hash` to generate a hash based upon a
password the user provides them self.

Added a warning during startup and within the admin settings panel is
the `ADMIN_TOKEN` is not an Argon2 hash.

Within the admin environment a user can ignore that warning and it will
not be shown for at least 30 days. After that the warning will appear
again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash.

I have also tested this on my RaspberryPi 2b and there the `Bitwarden`
preset takes almost 4.5 seconds to generate/verify the Argon2 hash.

Using the `OWASP` preset it is below 1 second, which I think should be
fine for low-graded hardware. If it is needed people could use lower
memory settings, but in those cases I even doubt Vaultwarden it self
would run. They can always use the `argon2` CLI and generate a faster hash.
2023-03-04 16:15:30 +01:00
Daniel García 024d12db08
Update web vault to v2023.2.0 and dependencies 2023-02-21 22:48:20 +01:00
BlackDex a0a4994250
Updated Rust and crates
- Updated Rust to v1.67.0
- Updated all crates except for `cookies` and `webauthn`
2023-02-13 08:32:01 +01:00
soruh 8cc6dac893 check if SENDMAIL_COMMAND is valid using 'which' crate 2023-02-12 18:55:15 +01:00
soruh b7c4316c77 Add support for sendmail as a mail transport 2023-02-12 18:54:59 +01:00
BlackDex 9342fa5744
Re-License Vaultwarden to AGPLv3
This commit prepares Vaultwarden for the Re-Licensing to AGPLv3
Solves #2450
2023-01-24 20:49:11 +01:00
Daniel García 50fc22966c
Updated web vault to 2023.1.1 and rust dependencies 2023-01-24 20:39:09 +01:00
BlackDex 8e6fd4b4a1 Update dependencies and MSRV
- Updated dependencies.
  This includes a janked openssl crate version we currently use.
- Updated MSRV to v1.61.0 because hashbrown/cached has this version restriction.
2023-01-09 19:10:11 +01:00
Alex Martel a6d09407b9 Remove patched multer-rs 2022-12-29 12:09:53 -05:00
BlackDex 8b6dfe48b7
Disable groups by default and Some optimizations
- Put groups support behind a feature flag, and disabled by default.
  The reason is that it has some known issues, but we want to keep
  optimizing this feature. Putting it behind a feature flag could help
  some users, and the developers into optimizing this feature without to
  much trouble.

Further:

- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
  for building the environment variables, lowers heap allocations.
2022-12-16 14:52:42 +01:00
BlackDex cebe0f6442
Remove ctrlc crate and some updates
- Removed ctrlc crate and use the tokio provided ctrl_c function.
- Updated some crates.
2022-12-12 12:58:48 +01:00
BlackDex 7b09d74b1f
Update dependencies for Rust and Admin interface.
- Updated Rust deps and one small change regarding chrono
- Updated bootstrap 5 css
- Updated datatables
- Replaced identicon.js with jdenticon.
  identicon.js is unmaintained ( https://github.com/stewartlord/identicon.js/issues/52 )
  The icon's are very different, but nice. It also doesn't need custom
  code to find and update the icons our selfs.
2022-12-04 23:17:48 +01:00
BlackDex 1b64b9e164
Add dev-only query logging support
This PR adds query logging support as an optional feature.
It is only allowed during development/debug builds, and will abort when
used during a `--release` build.

For this feature to be fully activated you also need to se an
environment variable `QUERY_LOGGER=1` to activate the debug log-level
for this crate, else there will be no output.

The reason for this PR is that sometimes it is useful to be able to see
the generated queries, like when debugging an issue, or trying to
optimize a query. Currently i always added this code when needed, but
having this a part of the code could benifit other developers too who
maybe need this.
2022-12-03 18:36:46 +01:00
BlackDex 439ef44973
Update Rust version, deps and workflow
- Update Rust to v1.65.0
- Update dependencies
- Updated workflow files
- Added some extra clippy checks
- Fixed some clippy checks
2022-11-09 22:40:00 +01:00
BlackDex c9ec389b24
Support Org Export for v2022.11 clients
Since v2022.9.x the org export uses a different endpoint.
But, since v2022.11.x this endpoint will return a different format.
See: https://github.com/bitwarden/clients/pull/3641 and https://github.com/bitwarden/server/pull/2316

To support both version in the case of users having an older client
either web-vault or cli this PR checks the version and responds using
the correct format. If no version can be determined it will use the new
format as a default.
2022-11-07 17:13:34 +01:00
Daniel García f60a6929a9
Update dependencies 2022-10-26 21:42:38 +02:00
Stefan Melmuk 870f0d0932
validate billing_email on save 2022-10-26 21:42:36 +02:00
Daniel García 8409b31d6b
Update to diesel2 2022-10-23 00:49:23 +02:00
Daniel García 638766b346
Update web-vault to 2022.10.0 and dependencies 2022-10-14 18:21:01 +02:00
Daniel García 382e6107fe
Update dependencies 2022-10-09 17:40:45 +02:00
BlackDex 1094f359c3
Update libraries and Rust version
- Updated to Rust v1.64.0
- Updated all libararies
- Updated multer-rs to be based upon the latest version
- Updated Dockerfiles to match the Rust version
2022-09-25 16:44:34 +02:00
Daniel García a62dc102fb
Update web vault to 2022.8.1 and cargo dependencies 2022-09-04 23:18:27 +02:00
BlackDex 5b98bd66ee
Fix uploads from mobile clients (and dep updates)
This patch fixes the file upload send by the mobile clients.
It resolves #2644 by always providing a `Content-Type` even though one
isn't set in this specific case.

I do hope it will be fixed upstream by either Bitwarden by fixing the
client. Or Rocket by allowing to override this somehow.

Until then, we can use this patched version of multer-rs.

Issue @ Rocket: https://github.com/SergioBenitez/Rocket/issues/2299
Issue @ Bitwarden: https://github.com/bitwarden/mobile/issues/2018

Also updated some dependencies.
2022-08-04 23:28:45 +02:00
BlackDex 7f0d0cf8a4
Update MSRV to 1.60.0
The latest version of chrono-tz needs 1.60.0 because of phf.
Since chrono-tz has updated timezone information i do think it is
usefull in some cases around the world.
2022-08-01 16:21:06 +02:00
BlackDex 6e23a573fb
Update deps and Alpine image
- Updated deps
- Updated Alpine images to 3.16
- Removed dumb-init, not needed anymore
- Some small shellcheck tweaks on the start/healthcheck scripts
2022-07-31 15:45:31 +02:00
BlackDex 3c1d4254e7
Update deps and fix file-uploads
- Update deps. One of them is multer-rs which fixes #2516
- Changed MSRV to `1.59.0`, since that is the correct MSRV currently.
  It could be lower, but that would mean removing the `strip` option.
2022-07-15 16:03:57 +02:00
Daniel García b64cf27038
Upgrade dependencies and swap lettre to async transport 2022-07-06 23:57:37 +02:00
BlackDex c7a752b01d
Update dep's and small improvements on favicons
- Updated dependencies (html5gum for favicon downloading)
  * Also openssl, time, jsonwebtoken and r2d2
- Small optimizations on downloading favicons.
  It now only emits tokens/tags which needs to be parsed, all others are
  being skipped. This prevents unneeded items within the for-loop being
  parsed.
2022-06-25 11:29:08 +02:00
BlackDex 5d05ec58be
Updated deps and misc fixes and updates
- Updated some Rust dependencies
- Fixed an issue with CSP header, this was not configured correctly
- Prevent sending CSP and Frame headers for the MFA connector.html files.
  Else some clients will fail to handle these protocols.
- Add `unsafe-inline` for `script-src` only to the CSP for the Admin Interface
- Updated JavaScript and CSS files for the Admin interface
- Changed the layout for showing overridden settings, better visible now.
- Made the version check cachable to prevent hitting the Github API rate limits
- Hide the `database_url` as if it is a password in the Admin Interface
  Else for MariaDB/MySQL or PostgreSQL this was plain text.
- Fixed an issue that pressing enter on the SMTP Test would save the config.
  resolves #2542
- Prevent user names larger then 50 characters
  resolves #2419
2022-06-14 14:51:51 +02:00
Daniel García f95bd3bb04
Update pico-args 2022-06-04 19:16:36 +02:00
BlackDex e33b8fab34
Re-Base, Update crates and small change. 2022-06-04 19:14:14 +02:00