&", rank = 1)]
-async fn oidcsignin(code: OIDCCode, state: String, mut conn: DbConn) -> ApiResult {
+async fn oidcsignin(code: OIDCCode, state: String, cookies: &CookieJar<'_>, mut conn: DbConn) -> ApiResult {
_oidcsignin_redirect(
state,
OIDCCodeWrapper::Ok {
code,
},
+ cookies,
&mut conn,
)
.await
@@ -1146,6 +1183,7 @@ async fn oidcsignin_error(
state: String,
error: String,
error_description: Option,
+ cookies: &CookieJar<'_>,
mut conn: DbConn,
) -> ApiResult {
_oidcsignin_redirect(
@@ -1154,6 +1192,7 @@ async fn oidcsignin_error(
error,
error_description,
},
+ cookies,
&mut conn,
)
.await
@@ -1165,6 +1204,7 @@ async fn oidcsignin_error(
async fn _oidcsignin_redirect(
base64_state: String,
code_response: OIDCCodeWrapper,
+ cookies: &CookieJar<'_>,
conn: &mut DbConn,
) -> ApiResult {
let state = sso::decode_state(&base64_state)?;
@@ -1173,6 +1213,17 @@ async fn _oidcsignin_redirect(
None => err!(format!("Cannot retrieve sso_auth for {state}")),
Some(sso_auth) => sso_auth,
};
+
+ // Browser-binding check
+ // The cookie was set on /connect/authorize and must come from the same browser that initiated the flow.
+ let cookie_value = cookies.get(SSO_BINDING_COOKIE).map(|c| c.value().to_string());
+ let provided_hash = cookie_value.as_deref().map(|v| crypto::sha256_hex(v.as_bytes()));
+ match (sso_auth.binding_hash.as_deref(), provided_hash.as_deref()) {
+ (Some(expected), Some(actual)) if crypto::ct_eq(expected, actual) => {}
+ _ => err!(format!("SSO session binding mismatch for {state}")),
+ }
+ cookies.remove(Cookie::build(SSO_BINDING_COOKIE).path("/identity/connect/").build());
+
sso_auth.code_response = Some(code_response);
sso_auth.updated_at = Utc::now().naive_utc();
sso_auth.save(conn).await?;
@@ -1219,7 +1270,7 @@ struct AuthorizeData {
// The `redirect_uri` will change depending of the client (web, android, ios ..)
#[get("/connect/authorize?")]
-async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult {
+async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure, conn: DbConn) -> ApiResult {
let AuthorizeData {
client_id,
redirect_uri,
@@ -1233,7 +1284,23 @@ async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult {
err!("Unsupported code challenge method");
}
- let auth_url = sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, conn).await?;
+ // Generate browser-binding token. Stored hashed in DB; raw value handed to the browser as a cookie.
+ // Validated on /connect/oidc-signin
+ let binding_token = data_encoding::BASE64URL_NOPAD.encode(&crypto::get_random_bytes::<32>());
+ let binding_hash = crypto::sha256_hex(binding_token.as_bytes());
+
+ let auth_url =
+ sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, Some(binding_hash), conn).await?;
+
+ cookies.add(
+ Cookie::build((SSO_BINDING_COOKIE, binding_token))
+ .path("/identity/connect/")
+ .max_age(time::Duration::seconds(sso::SSO_AUTH_EXPIRATION.num_seconds()))
+ .same_site(SameSite::Lax) // Lax is needed because the IdP runs on a different FQDN
+ .http_only(true)
+ .secure(secure.https)
+ .build(),
+ );
Ok(Redirect::temporary(String::from(auth_url)))
}
diff --git a/src/api/notifications.rs b/src/api/notifications.rs
index 492fdb19..b1d64472 100644
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@@ -338,7 +338,7 @@ impl WebSocketUsers {
}
// NOTE: The last modified date needs to be updated before calling these methods
- pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
+ pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
// Skip any processing if both WebSockets and Push are not active
if *NOTIFICATIONS_DISABLED {
return;
diff --git a/src/api/push.rs b/src/api/push.rs
index 5000869d..e3ff1383 100644
--- a/src/api/push.rs
+++ b/src/api/push.rs
@@ -135,7 +135,7 @@ pub async fn register_push_device(device: &mut Device, conn: &DbConn) -> EmptyRe
Ok(())
}
-pub async fn unregister_push_device(push_id: &Option) -> EmptyResult {
+pub async fn unregister_push_device(push_id: Option<&PushId>) -> EmptyResult {
if !CONFIG.push_enabled() || push_id.is_none() {
return Ok(());
}
@@ -206,7 +206,7 @@ pub async fn push_logout(user: &User, acting_device: Option<&Device>, conn: &DbC
}
}
-pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: &Option, conn: &DbConn) {
+pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
if Device::check_user_has_push_device(&user.uuid, conn).await {
tokio::task::spawn(send_to_push_relay(json!({
"userId": user.uuid,
diff --git a/src/config.rs b/src/config.rs
index ad30a205..a78ccee2 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1088,7 +1088,7 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> {
validate_internal_sso_issuer_url(&cfg.sso_authority)?;
validate_internal_sso_redirect_url(&cfg.sso_callback_path)?;
- validate_sso_master_password_policy(&cfg.sso_master_password_policy)?;
+ validate_sso_master_password_policy(cfg.sso_master_password_policy.as_ref())?;
}
if cfg.sso_cookie_vendor_enabled {
@@ -1292,7 +1292,7 @@ fn validate_internal_sso_redirect_url(sso_callback_path: &String) -> Result,
+ sso_master_password_policy: Option<&String>,
) -> Result, Error> {
let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::(mpp));
@@ -1746,7 +1746,7 @@ impl Config {
}
pub fn sso_master_password_policy_value(&self) -> Option {
- validate_sso_master_password_policy(&self.sso_master_password_policy()).ok().flatten()
+ validate_sso_master_password_policy(self.sso_master_password_policy().as_ref()).ok().flatten()
}
pub fn sso_scopes_vec(&self) -> Vec {
diff --git a/src/crypto.rs b/src/crypto.rs
index 1930f380..46d305a5 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -113,3 +113,10 @@ pub fn ct_eq, U: AsRef<[u8]>>(a: T, b: U) -> bool {
use subtle::ConstantTimeEq;
a.as_ref().ct_eq(b.as_ref()).into()
}
+
+//
+// SHA256
+//
+pub fn sha256_hex(data: &[u8]) -> String {
+ HEXLOWER.encode(digest::digest(&digest::SHA256, data).as_ref())
+}
diff --git a/src/db/models/archive.rs b/src/db/models/archive.rs
new file mode 100644
index 00000000..f576e7ed
--- /dev/null
+++ b/src/db/models/archive.rs
@@ -0,0 +1,91 @@
+use chrono::NaiveDateTime;
+use diesel::prelude::*;
+
+use super::{CipherId, User, UserId};
+use crate::api::EmptyResult;
+use crate::db::schema::archives;
+use crate::db::DbConn;
+use crate::error::MapResult;
+
+#[derive(Identifiable, Queryable, Insertable)]
+#[diesel(table_name = archives)]
+#[diesel(primary_key(user_uuid, cipher_uuid))]
+pub struct Archive {
+ pub user_uuid: UserId,
+ pub cipher_uuid: CipherId,
+ pub archived_at: NaiveDateTime,
+}
+
+impl Archive {
+ // Returns the date the specified cipher was archived
+ pub async fn get_archived_at(cipher_uuid: &CipherId, user_uuid: &UserId, conn: &DbConn) -> Option {
+ db_run! { conn: {
+ archives::table
+ .filter(archives::cipher_uuid.eq(cipher_uuid))
+ .filter(archives::user_uuid.eq(user_uuid))
+ .select(archives::archived_at)
+ .first::(conn).ok()
+ }}
+ }
+
+ // Saves (inserts or updates) an archive record with the provided timestamp
+ pub async fn save(
+ user_uuid: &UserId,
+ cipher_uuid: &CipherId,
+ archived_at: NaiveDateTime,
+ conn: &DbConn,
+ ) -> EmptyResult {
+ User::update_uuid_revision(user_uuid, conn).await;
+ db_run! { conn:
+ sqlite, mysql {
+ diesel::replace_into(archives::table)
+ .values((
+ archives::user_uuid.eq(user_uuid),
+ archives::cipher_uuid.eq(cipher_uuid),
+ archives::archived_at.eq(archived_at),
+ ))
+ .execute(conn)
+ .map_res("Error saving archive")
+ }
+ postgresql {
+ diesel::insert_into(archives::table)
+ .values((
+ archives::user_uuid.eq(user_uuid),
+ archives::cipher_uuid.eq(cipher_uuid),
+ archives::archived_at.eq(archived_at),
+ ))
+ .on_conflict((archives::user_uuid, archives::cipher_uuid))
+ .do_update()
+ .set(archives::archived_at.eq(archived_at))
+ .execute(conn)
+ .map_res("Error saving archive")
+ }
+ }
+ }
+
+ // Deletes an archive record for a specific cipher
+ pub async fn delete_by_cipher(user_uuid: &UserId, cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
+ User::update_uuid_revision(user_uuid, conn).await;
+ db_run! { conn: {
+ diesel::delete(
+ archives::table
+ .filter(archives::user_uuid.eq(user_uuid))
+ .filter(archives::cipher_uuid.eq(cipher_uuid))
+ )
+ .execute(conn)
+ .map_res("Error deleting archive")
+ }}
+ }
+
+ /// Return a vec with (cipher_uuid, archived_at)
+ /// This is used during a full sync so we only need one query for all archive matches
+ pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<(CipherId, NaiveDateTime)> {
+ db_run! { conn: {
+ archives::table
+ .filter(archives::user_uuid.eq(user_uuid))
+ .select((archives::cipher_uuid, archives::archived_at))
+ .load::<(CipherId, NaiveDateTime)>(conn)
+ .unwrap_or_default()
+ }}
+ }
+}
diff --git a/src/db/models/attachment.rs b/src/db/models/attachment.rs
index 4273c22a..7611b927 100644
--- a/src/db/models/attachment.rs
+++ b/src/db/models/attachment.rs
@@ -50,7 +50,7 @@ impl Attachment {
let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
} else {
- Ok(operator.presign_read(&self.get_file_path(), Duration::from_secs(5 * 60)).await?.uri().to_string())
+ Ok(operator.presign_read(&self.get_file_path(), Duration::from_mins(5)).await?.uri().to_string())
}
}
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index edc5f8c9..db906179 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -10,8 +10,8 @@ use diesel::prelude::*;
use serde_json::Value;
use super::{
- Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership, MembershipStatus,
- MembershipType, OrganizationId, User, UserId,
+ Archive, Attachment, CollectionCipher, CollectionId, Favorite, FolderCipher, FolderId, Group, Membership,
+ MembershipStatus, MembershipType, OrganizationId, User, UserId,
};
use crate::api::core::{CipherData, CipherSyncData, CipherSyncType};
use macros::UuidFromParam;
@@ -380,6 +380,11 @@ impl Cipher {
} else {
self.is_favorite(user_uuid, conn).await
});
+ json_object["archivedDate"] = json!(if let Some(cipher_sync_data) = cipher_sync_data {
+ cipher_sync_data.cipher_archives.get(&self.uuid).map_or(Value::Null, |d| Value::String(format_date(d)))
+ } else {
+ self.get_archived_at(user_uuid, conn).await.map_or(Value::Null, |d| Value::String(format_date(&d)))
+ });
// These values are true by default, but can be false if the
// cipher belongs to a collection or group where the org owner has enabled
// the "Read Only" or "Hide Passwords" restrictions for the user.
@@ -398,7 +403,7 @@ impl Cipher {
3 => "card",
4 => "identity",
5 => "sshKey",
- _ => panic!("Wrong type"),
+ _ => err!(format!("Cipher {} has an invalid type {}", self.uuid, self.atype)),
};
json_object[key] = type_data_json;
@@ -742,6 +747,18 @@ impl Cipher {
}
}
+ pub async fn get_archived_at(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
+ Archive::get_archived_at(&self.uuid, user_uuid, conn).await
+ }
+
+ pub async fn set_archived_at(&self, archived_at: NaiveDateTime, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
+ Archive::save(user_uuid, &self.uuid, archived_at, conn).await
+ }
+
+ pub async fn unarchive(&self, user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
+ Archive::delete_by_cipher(user_uuid, &self.uuid, conn).await
+ }
+
pub async fn get_folder_uuid(&self, user_uuid: &UserId, conn: &DbConn) -> Option {
db_run! { conn: {
folders_ciphers::table
diff --git a/src/db/models/device.rs b/src/db/models/device.rs
index 1026574c..7364a2ec 100644
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -25,7 +25,7 @@ pub struct Device {
pub user_uuid: UserId,
pub name: String,
- pub atype: i32, // https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/Enums/DeviceType.cs
+ pub atype: i32, // https://github.com/bitwarden/server/blob/8d547dcc280babab70dd4a3c94ced6a34b12dfbf/src/Core/Enums/DeviceType.cs
pub push_uuid: Option,
pub push_token: Option,
@@ -332,6 +332,8 @@ pub enum DeviceType {
MacOsCLI = 24,
#[display("Linux CLI")]
LinuxCLI = 25,
+ #[display("DuckDuckGo")]
+ DuckDuckGoBrowser = 26,
}
impl DeviceType {
@@ -363,6 +365,7 @@ impl DeviceType {
23 => DeviceType::WindowsCLI,
24 => DeviceType::MacOsCLI,
25 => DeviceType::LinuxCLI,
+ 26 => DeviceType::DuckDuckGoBrowser,
_ => DeviceType::UnknownBrowser,
}
}
diff --git a/src/db/models/emergency_access.rs b/src/db/models/emergency_access.rs
index cf7f5385..5ea334a4 100644
--- a/src/db/models/emergency_access.rs
+++ b/src/db/models/emergency_access.rs
@@ -85,7 +85,8 @@ impl EmergencyAccess {
pub async fn to_json_grantee_details(&self, conn: &DbConn) -> Option {
let grantee_user = if let Some(grantee_uuid) = &self.grantee_uuid {
User::find_by_uuid(grantee_uuid, conn).await.expect("Grantee user not found.")
- } else if let Some(email) = self.email.as_deref() {
+ } else {
+ let email = self.email.as_deref()?;
match User::find_by_mail(email, conn).await {
Some(user) => user,
None => {
@@ -94,8 +95,6 @@ impl EmergencyAccess {
return None;
}
}
- } else {
- return None;
};
Some(json!({
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index b4fcf658..2d31259c 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -1,3 +1,4 @@
+mod archive;
mod attachment;
mod auth_request;
mod cipher;
@@ -17,6 +18,7 @@ mod two_factor_duo_context;
mod two_factor_incomplete;
mod user;
+pub use self::archive::Archive;
pub use self::attachment::{Attachment, AttachmentId};
pub use self::auth_request::{AuthRequest, AuthRequestId};
pub use self::cipher::{Cipher, CipherId, RepromptType};
diff --git a/src/db/models/sso_auth.rs b/src/db/models/sso_auth.rs
index fec0433a..2c6eec6d 100644
--- a/src/db/models/sso_auth.rs
+++ b/src/db/models/sso_auth.rs
@@ -54,11 +54,18 @@ pub struct SsoAuth {
pub auth_response: Option,
pub created_at: NaiveDateTime,
pub updated_at: NaiveDateTime,
+ pub binding_hash: Option,
}
/// Local methods
impl SsoAuth {
- pub fn new(state: OIDCState, client_challenge: OIDCCodeChallenge, nonce: String, redirect_uri: String) -> Self {
+ pub fn new(
+ state: OIDCState,
+ client_challenge: OIDCCodeChallenge,
+ nonce: String,
+ redirect_uri: String,
+ binding_hash: Option,
+ ) -> Self {
let now = Utc::now().naive_utc();
SsoAuth {
@@ -70,6 +77,7 @@ impl SsoAuth {
updated_at: now,
code_response: None,
auth_response: None,
+ binding_hash,
}
}
}
diff --git a/src/db/schema.rs b/src/db/schema.rs
index 914b4fe9..bf79ceac 100644
--- a/src/db/schema.rs
+++ b/src/db/schema.rs
@@ -265,6 +265,7 @@ table! {
auth_response -> Nullable,
created_at -> Timestamp,
updated_at -> Timestamp,
+ binding_hash -> Nullable,
}
}
@@ -341,6 +342,16 @@ table! {
}
}
+table! {
+ archives (user_uuid, cipher_uuid) {
+ user_uuid -> Text,
+ cipher_uuid -> Text,
+ archived_at -> Timestamp,
+ }
+}
+
+joinable!(archives -> users (user_uuid));
+joinable!(archives -> ciphers (cipher_uuid));
joinable!(attachments -> ciphers (cipher_uuid));
joinable!(ciphers -> organizations (organization_uuid));
joinable!(ciphers -> users (user_uuid));
@@ -372,6 +383,7 @@ joinable!(auth_requests -> users (user_uuid));
joinable!(sso_users -> users (user_uuid));
allow_tables_to_appear_in_same_query!(
+ archives,
attachments,
ciphers,
ciphers_collections,
diff --git a/src/http_client.rs b/src/http_client.rs
index df52e2bc..d39b884d 100644
--- a/src/http_client.rs
+++ b/src/http_client.rs
@@ -1,7 +1,6 @@
use std::{
fmt,
net::{IpAddr, SocketAddr},
- str::FromStr,
sync::{Arc, LazyLock, Mutex},
time::Duration,
};
@@ -59,16 +58,6 @@ pub fn get_reqwest_client_builder() -> ClientBuilder {
.timeout(Duration::from_secs(10))
}
-pub fn should_block_address(domain_or_ip: &str) -> bool {
- if let Ok(ip) = IpAddr::from_str(domain_or_ip) {
- if should_block_ip(ip) {
- return true;
- }
- }
-
- should_block_address_regex(domain_or_ip)
-}
-
fn should_block_ip(ip: IpAddr) -> bool {
if !CONFIG.http_request_block_non_global_ips() {
return false;
@@ -100,11 +89,54 @@ fn should_block_address_regex(domain_or_ip: &str) -> bool {
is_match
}
-fn should_block_host(host: &Host<&str>) -> Result<(), CustomHttpClientError> {
+pub fn get_valid_host(host: &str) -> Result {
+ let Ok(host) = Host::parse(host) else {
+ return Err(CustomHttpClientError::Invalid {
+ domain: host.to_string(),
+ });
+ };
+
+ // Some extra checks to validate hosts
+ match host {
+ Host::Domain(ref domain) => {
+ // Host::parse() does not verify length or all possible invalid characters
+ // We do some extra checks here to prevent issues
+ if domain.len() > 253 {
+ debug!("Domain validation error: '{domain}' exceeds 253 characters");
+ return Err(CustomHttpClientError::Invalid {
+ domain: host.to_string(),
+ });
+ }
+ if !domain.split('.').all(|label| {
+ !label.is_empty()
+ // Labels can't be longer than 63 chars
+ && label.len() <= 63
+ // Labels are not allowed to start or end with a hyphen `-`
+ && !label.starts_with('-')
+ && !label.ends_with('-')
+ // Only ASCII Alphanumeric characters are allowed
+ // We already received a punycoded domain back, so no unicode should exists here
+ && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
+ }) {
+ debug!(
+ "Domain validation error: '{domain}' labels contain invalid characters or exceed the maximum length"
+ );
+ return Err(CustomHttpClientError::Invalid {
+ domain: host.to_string(),
+ });
+ }
+ }
+ Host::Ipv4(_) | Host::Ipv6(_) => {}
+ }
+
+ Ok(host)
+}
+
+pub fn should_block_host>(host: &Host) -> Result<(), CustomHttpClientError> {
let (ip, host_str): (Option, String) = match host {
Host::Ipv4(ip) => (Some(IpAddr::V4(*ip)), ip.to_string()),
Host::Ipv6(ip) => (Some(IpAddr::V6(*ip)), ip.to_string()),
- Host::Domain(d) => (None, (*d).to_string()),
+ Host::Domain(d) => (None, d.as_ref().to_string()),
};
if let Some(ip) = ip {
@@ -134,6 +166,9 @@ pub enum CustomHttpClientError {
domain: Option,
ip: IpAddr,
},
+ Invalid {
+ domain: String,
+ },
}
impl CustomHttpClientError {
@@ -155,7 +190,7 @@ impl fmt::Display for CustomHttpClientError {
match self {
Self::Blocked {
domain,
- } => write!(f, "Blocked domain: {domain} matched HTTP_REQUEST_BLOCK_REGEX"),
+ } => write!(f, "Blocked domain: '{domain}' matched HTTP_REQUEST_BLOCK_REGEX"),
Self::NonGlobalIp {
domain: Some(domain),
ip,
@@ -163,7 +198,10 @@ impl fmt::Display for CustomHttpClientError {
Self::NonGlobalIp {
domain: None,
ip,
- } => write!(f, "IP {ip} is not a global IP!"),
+ } => write!(f, "IP '{ip}' is not a global IP!"),
+ Self::Invalid {
+ domain,
+ } => write!(f, "Invalid host: '{domain}' contains invalid characters or exceeds the maximum length"),
}
}
}
@@ -217,7 +255,13 @@ impl CustomDnsResolver {
}
fn pre_resolve(name: &str) -> Result<(), CustomHttpClientError> {
- if should_block_address(name) {
+ let Ok(host) = get_valid_host(name) else {
+ return Err(CustomHttpClientError::Invalid {
+ domain: name.to_string(),
+ });
+ };
+
+ if should_block_host(&host).is_err() {
return Err(CustomHttpClientError::Blocked {
domain: name.to_string(),
});
@@ -308,3 +352,209 @@ pub(crate) mod aws {
}
}
}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use crate::util::is_global_hardcoded;
+ use std::net::Ipv4Addr;
+ use url::Host;
+
+ // ===
+ // IPv4 numeric-format normalization
+ fn parse_to_ip(s: &str) -> Option {
+ match Host::parse(s).ok()? {
+ Host::Ipv4(v4) => Some(IpAddr::V4(v4)),
+ Host::Ipv6(v6) => Some(IpAddr::V6(v6)),
+ Host::Domain(_) => None,
+ }
+ }
+
+ #[test]
+ fn dotted_decimal_loopback_normalizes() {
+ let ip = parse_to_ip("127.0.0.1").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn single_decimal_loopback_normalizes() {
+ // 127.0.0.1 == 2130706433
+ let ip = parse_to_ip("2130706433").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn hex_loopback_normalizes() {
+ let ip = parse_to_ip("0x7f000001").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn dotted_hex_loopback_normalizes() {
+ let ip = parse_to_ip("0x7f.0.0.1").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn octal_loopback_normalizes() {
+ // 017700000001 == 127.0.0.1
+ let ip = parse_to_ip("017700000001").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn dotted_octal_loopback_normalizes() {
+ let ip = parse_to_ip("0177.0.0.01").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn aws_metadata_decimal_blocked() {
+ // 169.254.169.254 == 2852039166 (link-local, AWS IMDS)
+ let ip = parse_to_ip("2852039166").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(169, 254, 169, 254)));
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn rfc1918_hex_blocked() {
+ // 10.0.0.1
+ let ip = parse_to_ip("0x0a000001").unwrap();
+ assert!(!is_global_hardcoded(ip));
+ }
+
+ #[test]
+ fn public_ip_decimal_allowed() {
+ // 8.8.8.8 == 134744072
+ let ip = parse_to_ip("134744072").unwrap();
+ assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(8, 8, 8, 8)));
+ assert!(is_global_hardcoded(ip));
+ }
+
+ // ===
+ // get_valid_host integration: numeric forms become Host::Ipv4
+ #[test]
+ fn get_valid_host_normalizes_decimal_int() {
+ let h = get_valid_host("2130706433").expect("valid");
+ assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+ }
+
+ #[test]
+ fn get_valid_host_normalizes_hex() {
+ let h = get_valid_host("0x7f000001").expect("valid");
+ assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+ }
+
+ #[test]
+ fn get_valid_host_normalizes_octal() {
+ let h = get_valid_host("017700000001").expect("valid");
+ assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+ }
+
+ // ===
+ // IPv6 formats
+ #[test]
+ fn ipv6_loopback_blocked() {
+ let h = get_valid_host("[::1]").expect("valid");
+ let Host::Ipv6(ip) = h else {
+ panic!("expected v6")
+ };
+ assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+ }
+
+ #[test]
+ fn ipv4_mapped_in_ipv6_loopback_blocked() {
+ // ::ffff:127.0.0.1 — v4-mapped form; is_global_hardcoded blocks via ::ffff:0:0/96
+ let h = get_valid_host("[::ffff:127.0.0.1]").expect("valid");
+ let Host::Ipv6(ip) = h else {
+ panic!("expected v6")
+ };
+ assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+ }
+
+ #[test]
+ fn ipv6_unique_local_blocked() {
+ let h = get_valid_host("[fc00::1]").expect("valid");
+ let Host::Ipv6(ip) = h else {
+ panic!("expected v6")
+ };
+ assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+ }
+
+ // ===
+ // Punycode / IDN
+ #[test]
+ fn punycode_passthrough() {
+ let h = get_valid_host("xn--deadbeafcaf-lbb.test").expect("valid");
+ match h {
+ Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_unicode_gets_punycoded() {
+ let h = get_valid_host("deadbeafcafé.test").expect("valid");
+ match h {
+ Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_unicode_gets_punycoded_tld() {
+ let h = get_valid_host("deadbeaf.café").expect("valid");
+ match h {
+ Host::Domain(d) => assert_eq!(d, "deadbeaf.xn--caf-dma"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_emoji_gets_punycoded() {
+ let h = get_valid_host("xn--t88h.test").expect("valid"); // 🛡️.test
+ match h {
+ Host::Domain(d) => assert_eq!(d, "xn--t88h.test"),
+ _ => panic!("expected domain"),
+ }
+ }
+
+ #[test]
+ fn idn_unicode_to_punycode_roundtrip() {
+ let from_unicode = get_valid_host("🛡️.test").expect("valid");
+ let from_puny = get_valid_host("xn--t88h.test").expect("valid");
+ match (from_unicode, from_puny) {
+ (Host::Domain(a), Host::Domain(b)) => assert_eq!(a, b),
+ _ => panic!("expected domains"),
+ }
+ }
+
+ #[test]
+ fn invalid_punycode_rejected() {
+ // bare invalid punycode
+ assert!(get_valid_host("xn--").is_err());
+ }
+
+ #[test]
+ fn underscore_in_label_rejected() {
+ assert!(get_valid_host("dead_beaf.cafe").is_err());
+ }
+
+ #[test]
+ fn label_too_long_rejected() {
+ let label = "a".repeat(64);
+ assert!(get_valid_host(&format!("{label}.test")).is_err());
+ }
+
+ #[test]
+ fn domain_too_long_rejected() {
+ let big = "a.".repeat(130) + "test"; // > 253
+ assert!(get_valid_host(&big).is_err());
+ }
+}
diff --git a/src/sso.rs b/src/sso.rs
index 2f56f3a6..7505f84f 100644
--- a/src/sso.rs
+++ b/src/sso.rs
@@ -17,7 +17,7 @@ use crate::{
CONFIG,
};
-pub static FAKE_SSO_IDENTIFIER: &str = "vaultwarden-dummy-oidc-identifier";
+pub static FAKE_SSO_IDENTIFIER: &str = "00000000-01DC-01DC-01DC-000000000000";
static SSO_JWT_ISSUER: LazyLock = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));
@@ -188,6 +188,7 @@ pub async fn authorize_url(
client_challenge: OIDCCodeChallenge,
client_id: &str,
raw_redirect_uri: &str,
+ binding_hash: Option,
conn: DbConn,
) -> ApiResult {
let redirect_uri = match client_id {
@@ -203,7 +204,7 @@ pub async fn authorize_url(
_ => err!(format!("Unsupported client {client_id}")),
};
- let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri).await?;
+ let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri, binding_hash).await?;
sso_auth.save(&conn).await?;
Ok(auth_url)
}
@@ -283,7 +284,7 @@ pub async fn exchange_code(
let email_verified = id_claims.email_verified().or(user_info.email_verified());
- let user_name = id_claims.preferred_username().map(|un| un.to_string());
+ let user_name = id_claims.preferred_username().or(user_info.preferred_username()).map(|un| un.to_string());
let refresh_token = token_response.refresh_token().map(|t| t.secret());
if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_string()) {
diff --git a/src/sso_client.rs b/src/sso_client.rs
index 6204ab48..abff6bcb 100644
--- a/src/sso_client.rs
+++ b/src/sso_client.rs
@@ -117,6 +117,7 @@ impl Client {
state: OIDCState,
client_challenge: OIDCCodeChallenge,
redirect_uri: String,
+ binding_hash: Option,
) -> ApiResult<(Url, SsoAuth)> {
let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());
@@ -139,7 +140,7 @@ impl Client {
}
let (auth_url, _, nonce) = auth_req.url();
- Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri)))
+ Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri, binding_hash)))
}
pub async fn exchange_code(
diff --git a/src/static/scripts/admin.css b/src/static/scripts/admin.css
index 0df56771..c7c6f443 100644
--- a/src/static/scripts/admin.css
+++ b/src/static/scripts/admin.css
@@ -1,6 +1,17 @@
body {
padding-top: 75px;
}
+/* Some extra width's for the main layout */
+@media (min-width: 1600px) {
+ .container-xxl {
+ max-width: 1520px;
+ }
+}
+@media (min-width: 1800px) {
+ .container-xxl {
+ max-width: 1720px;
+ }
+}
img {
width: 48px;
height: 48px;
@@ -38,8 +49,8 @@ img {
max-width: 130px;
}
#users-table .vw-actions, #orgs-table .vw-actions {
- min-width: 155px;
- max-width: 160px;
+ min-width: 170px;
+ max-width: 180px;
}
#users-table .vw-org-cell {
max-height: 120px;
diff --git a/src/static/templates/admin/base.hbs b/src/static/templates/admin/base.hbs
index f56d8262..e1dcacb5 100644
--- a/src/static/templates/admin/base.hbs
+++ b/src/static/templates/admin/base.hbs
@@ -27,7 +27,7 @@