Remove config option for admin email, embdedded admin page, managed IO::Error, and added security and cache headers globally

This commit is contained in:
Daniel García 2018-12-23 22:37:02 +01:00
parent 301919d9d4
commit acb9d1b3c6
No known key found for this signature in database
GPG key ID: FC8A7D14C3CD543A
5 changed files with 93 additions and 51 deletions

View file

@ -1,10 +1,10 @@
use std::io; use std::io;
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
use rocket::http::ContentType;
use rocket::request::Request; use rocket::request::Request;
use rocket::response::content::{Content, Html};
use rocket::response::{self, NamedFile, Responder}; use rocket::response::{self, NamedFile, Responder};
use rocket::response::content::Content;
use rocket::http::{ContentType, Status};
use rocket::Route; use rocket::Route;
use rocket_contrib::json::Json; use rocket_contrib::json::Json;
use serde_json::Value; use serde_json::Value;
@ -19,57 +19,72 @@ pub fn routes() -> Vec<Route> {
} }
} }
// TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache
#[get("/")] #[get("/")]
fn web_index() -> WebHeaders<io::Result<NamedFile>> { fn web_index() -> Cached<io::Result<NamedFile>> {
web_files("index.html".into()) Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join("index.html")))
} }
#[get("/app-id.json")] #[get("/app-id.json")]
fn app_id() -> WebHeaders<Content<Json<Value>>> { fn app_id() -> Cached<Content<Json<Value>>> {
let content_type = ContentType::new("application", "fido.trusted-apps+json"); let content_type = ContentType::new("application", "fido.trusted-apps+json");
WebHeaders(Content(content_type, Json(json!({ Cached::long(Content(
"trustedFacets": [ content_type,
{ Json(json!({
"version": { "major": 1, "minor": 0 }, "trustedFacets": [
"ids": [ {
&CONFIG.domain, "version": { "major": 1, "minor": 0 },
"ios:bundle-id:com.8bit.bitwarden", "ids": [
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ] &CONFIG.domain,
}] "ios:bundle-id:com.8bit.bitwarden",
})))) "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
}]
})),
))
} }
const ADMIN_PAGE: &'static str = include_str!("../static/admin.html");
#[get("/admin")] #[get("/admin")]
fn admin_page() -> WebHeaders<io::Result<NamedFile>> { fn admin_page() -> Cached<Html<&'static str>> {
WebHeaders(NamedFile::open("src/static/admin.html")) // TODO: Change this to embed the page in the binary Cached::short(Html(ADMIN_PAGE))
} }
/* // Use this during Admin page development
#[get("/admin")]
fn admin_page() -> Cached<io::Result<NamedFile>> {
Cached::short(NamedFile::open("src/static/admin.html"))
}
*/
#[get("/<p..>", rank = 1)] // Only match this if the other routes don't match #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> { fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> {
WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p))) Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
} }
struct WebHeaders<R>(R); struct Cached<R>(R, &'static str);
impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> { impl<R> Cached<R> {
fn long(r: R) -> Cached<R> {
// 7 days
Cached(r, "public, max-age=604800".into())
}
fn short(r: R) -> Cached<R> {
// 10 minutes
Cached(r, "public, max-age=600".into())
}
}
impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> {
fn respond_to(self, req: &Request) -> response::Result<'r> { fn respond_to(self, req: &Request) -> response::Result<'r> {
match self.0.respond_to(req) { match self.0.respond_to(req) {
Ok(mut res) => { Ok(mut res) => {
res.set_raw_header("Referrer-Policy", "same-origin"); res.set_raw_header("Cache-Control", self.1);
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
res.set_raw_header("X-Content-Type-Options", "nosniff");
res.set_raw_header("X-XSS-Protection", "1; mode=block");
let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
res.set_raw_header("Content-Security-Policy", csp);
Ok(res) Ok(res)
},
Err(_) => {
Err(Status::NotFound)
} }
} e @ Err(_) => e,
}
} }
} }
@ -78,7 +93,6 @@ fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file)) NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
} }
#[get("/alive")] #[get("/alive")]
fn alive() -> Json<String> { fn alive() -> Json<String> {
use crate::util::format_date; use crate::util::format_date;

View file

@ -74,7 +74,7 @@ impl Attachment {
) )
.map_res("Error deleting attachment")?; .map_res("Error deleting attachment")?;
crate::util::delete_file(&self.get_file_path()); crate::util::delete_file(&self.get_file_path())?;
Ok(()) Ok(())
} }

View file

@ -47,6 +47,7 @@ use diesel::result::Error as DieselError;
use jsonwebtoken::errors::Error as JwtError; use jsonwebtoken::errors::Error as JwtError;
use serde_json::{Error as SerError, Value}; use serde_json::{Error as SerError, Value};
use u2f::u2ferror::U2fError as U2fErr; use u2f::u2ferror::U2fError as U2fErr;
use std::io::Error as IOError;
// Error struct // Error struct
// Each variant has two elements, the first is an error of different types, used for logging purposes // Each variant has two elements, the first is an error of different types, used for logging purposes
@ -64,6 +65,7 @@ make_error! {
U2fError(U2fErr, _): true, _api_error, U2fError(U2fErr, _): true, _api_error,
SerdeError(SerError, _): true, _api_error, SerdeError(SerError, _): true, _api_error,
JWTError(JwtError, _): true, _api_error, JWTError(JwtError, _): true, _api_error,
IoErrror(IOError, _): true, _api_error,
//WsError(ws::Error, _): true, _api_error, //WsError(ws::Error, _): true, _api_error,
} }

View file

@ -26,12 +26,13 @@ fn init_rocket() -> Rocket {
rocket::ignite() rocket::ignite()
.mount("/", api::web_routes()) .mount("/", api::web_routes())
.mount("/api", api::core_routes()) .mount("/api", api::core_routes())
.mount("/admin", api::admin_routes()) .mount("/admin", api::admin_routes())
.mount("/identity", api::identity_routes()) .mount("/identity", api::identity_routes())
.mount("/icons", api::icons_routes()) .mount("/icons", api::icons_routes())
.mount("/notifications", api::notifications_routes()) .mount("/notifications", api::notifications_routes())
.manage(db::init_pool()) .manage(db::init_pool())
.manage(api::start_notification_server()) .manage(api::start_notification_server())
.attach(util::AppHeaders())
} }
// Embed the migrations from the migrations folder into the application // Embed the migrations from the migrations folder into the application
@ -272,7 +273,6 @@ pub struct Config {
signups_allowed: bool, signups_allowed: bool,
invitations_allowed: bool, invitations_allowed: bool,
admin_token: Option<String>, admin_token: Option<String>,
server_admin_email: Option<String>,
password_iterations: i32, password_iterations: i32,
show_password_hint: bool, show_password_hint: bool,
@ -326,7 +326,6 @@ impl Config {
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false), local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true), signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
admin_token: get_env("ADMIN_TOKEN"), admin_token: get_env("ADMIN_TOKEN"),
server_admin_email:None, // TODO: Delete this
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true), invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000), password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true), show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),

View file

@ -1,29 +1,57 @@
///
/// Web Headers
///
use rocket::fairing::{Fairing, Info, Kind};
use rocket::{Request, Response};
pub struct AppHeaders ();
impl Fairing for AppHeaders {
fn info(&self) -> Info {
Info {
name: "Application Headers",
kind: Kind::Response,
}
}
fn on_response(&self, _req: &Request, res: &mut Response) {
res.set_raw_header("Referrer-Policy", "same-origin");
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
res.set_raw_header("X-Content-Type-Options", "nosniff");
res.set_raw_header("X-XSS-Protection", "1; mode=block");
let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
res.set_raw_header("Content-Security-Policy", csp);
// Disable cache unless otherwise specified
if !res.headers().contains("cache-control") {
res.set_raw_header("Cache-Control", "no-cache, no-store, max-age=0");
}
}
}
/// ///
/// File handling /// File handling
/// ///
use std::path::Path;
use std::io::Read;
use std::fs::{self, File}; use std::fs::{self, File};
use std::io::{Read, Result as IOResult};
use std::path::Path;
pub fn file_exists(path: &str) -> bool { pub fn file_exists(path: &str) -> bool {
Path::new(path).exists() Path::new(path).exists()
} }
pub fn read_file(path: &str) -> Result<Vec<u8>, String> { pub fn read_file(path: &str) -> IOResult<Vec<u8>> {
let mut file = File::open(Path::new(path))
.map_err(|e| format!("Error opening file: {}", e))?;
let mut contents: Vec<u8> = Vec::new(); let mut contents: Vec<u8> = Vec::new();
file.read_to_end(&mut contents) let mut file = File::open(Path::new(path))?;
.map_err(|e| format!("Error reading file: {}", e))?; file.read_to_end(&mut contents)?;
Ok(contents) Ok(contents)
} }
pub fn delete_file(path: &str) -> bool { pub fn delete_file(path: &str) -> IOResult<()> {
let res = fs::remove_file(path).is_ok(); let res = fs::remove_file(path);
if let Some(parent) = Path::new(path).parent() { if let Some(parent) = Path::new(path).parent() {
// If the directory isn't empty, this returns an error, which we ignore // If the directory isn't empty, this returns an error, which we ignore
@ -34,7 +62,6 @@ pub fn delete_file(path: &str) -> bool {
res res
} }
const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"]; const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];
pub fn get_display_size(size: i32) -> String { pub fn get_display_size(size: i32) -> String {