diff --git a/Cargo.lock b/Cargo.lock index 959deb46..06cf5bab 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -427,6 +427,30 @@ dependencies = [ "uuid", ] +[[package]] +name = "aws-sdk-sesv2" +version = "1.118.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8d0642857f4fe76cd9a3d8c4f2b393546f7561f7725052dd9f268005fda92b7" +dependencies = [ + "aws-credential-types", + "aws-runtime", + "aws-smithy-async", + "aws-smithy-http", + "aws-smithy-json", + "aws-smithy-observability", + "aws-smithy-runtime", + "aws-smithy-runtime-api", + "aws-smithy-types", + "aws-types", + "bytes", + "fastrand", + "http 0.2.12", + "http 1.4.0", + "regex-lite", + "tracing", +] + [[package]] name = "aws-sdk-sso" version = "1.98.0" @@ -644,6 +668,7 @@ dependencies = [ "base64-simd", "bytes", "bytes-utils", + "futures-core", "http 0.2.12", "http 1.4.0", "http-body 0.4.6", @@ -656,6 +681,8 @@ dependencies = [ "ryu", "serde", "time", + "tokio", + "tokio-util", ] [[package]] @@ -5959,6 +5986,7 @@ dependencies = [ "argon2", "aws-config", "aws-credential-types", + "aws-sdk-sesv2", "aws-smithy-runtime-api", "bigdecimal", "bytes", diff --git a/Cargo.toml b/Cargo.toml index 019eaf31..a4d26875 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -39,6 +39,8 @@ vendored_openssl = ["openssl/vendored"] # Enable MiMalloc memory allocator to replace the default malloc # This can improve performance for Alpine builds enable_mimalloc = ["dep:mimalloc"] +aws = ["s3", "ses"] +ses = ["dep:aws-config", "dep:aws-sdk-sesv2", "dep:aws-smithy-runtime-api"] s3 = ["opendal/services-s3", "opendal/reqwest-rustls-tls", "dep:aws-config", "dep:aws-credential-types", "dep:aws-smithy-runtime-api", "dep:http", "dep:reqsign-aws-v4", "dep:reqsign-core"] # OIDC specific features @@ -201,6 +203,7 @@ opendal = { version = "0.56.0", features = ["services-fs"], default-features = f # For retrieving AWS credentials, including temporary SSO credentials aws-config = { version = "1.8.16", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true } aws-credential-types = { version = "1.2.14", optional = true } +aws-sdk-sesv2 = { version = "1.118.0", features = ["behavior-version-latest", "rt-tokio"], default-features = false, optional = true } aws-smithy-runtime-api = { version = "1.12.0", optional = true } http = { version = "1.4.0", optional = true } reqsign-aws-v4 = { version = "3.0.0", optional = true } diff --git a/build.rs b/build.rs index 2d1106c2..0870134d 100644 --- a/build.rs +++ b/build.rs @@ -16,6 +16,10 @@ fn main() { #[cfg(feature = "s3")] println!("cargo:rustc-cfg=s3"); + #[cfg(feature = "ses")] + println!("cargo:rustc-cfg=ses"); + #[cfg(feature = "aws")] + println!("cargo:rustc-cfg=aws"); // Use check-cfg to let cargo know which cfg's we define, // and avoid warnings when they are used in the code. @@ -23,6 +27,8 @@ fn main() { println!("cargo::rustc-check-cfg=cfg(mysql)"); println!("cargo::rustc-check-cfg=cfg(postgresql)"); println!("cargo::rustc-check-cfg=cfg(s3)"); + println!("cargo::rustc-check-cfg=cfg(ses)"); + println!("cargo::rustc-check-cfg=cfg(aws)"); // Rerun when these paths are changed. // Someone could have checked-out a tag or specific commit, but no other files changed. diff --git a/src/aws.rs b/src/aws.rs new file mode 100644 index 00000000..0a4f7dff --- /dev/null +++ b/src/aws.rs @@ -0,0 +1,26 @@ +use aws_config::{AppName, BehaviorVersion}; +use tokio::sync::OnceCell; + +use crate::http_client::aws::AwsReqwestConnector; + +fn aws_reqwest_connector() -> AwsReqwestConnector { + let reqwest_client = reqwest::Client::builder().build().expect("Failed to build reqwest client"); + + AwsReqwestConnector { + client: reqwest_client, + } +} + +pub(crate) async fn aws_sdk_config() -> &'static aws_config::SdkConfig { + static AWS_CONFIG: OnceCell = OnceCell::const_new(); + + AWS_CONFIG + .get_or_init(|| async { + aws_config::defaults(BehaviorVersion::latest()) + .app_name(AppName::new("vaultwarden").expect("Failed to build AWS app name")) + .http_client(aws_reqwest_connector()) + .load() + .await + }) + .await +} diff --git a/src/config.rs b/src/config.rs index b6d0ce8a..8b8cd15e 100644 --- a/src/config.rs +++ b/src/config.rs @@ -901,12 +901,14 @@ make_config! { smtp_accept_invalid_certs: bool, true, def, false; /// Accept Invalid Hostnames (Know the risks!) |> DANGEROUS: Allow invalid hostnames. This option introduces significant vulnerabilities to man-in-the-middle attacks! smtp_accept_invalid_hostnames: bool, true, def, false; + /// Use AWS SES |> Whether to send mail via AWS Simple Email Service (SES) + use_aws_ses: bool, true, def, false; }, /// Email 2FA Settings email_2fa: _enable_email_2fa { /// Enabled |> Disabling will prevent users from setting up new email 2FA and using existing email 2FA configured - _enable_email_2fa: bool, true, auto, |c| c._enable_smtp && (c.smtp_host.is_some() || c.use_sendmail); + _enable_email_2fa: bool, true, auto, |c| c._enable_smtp && (c.smtp_host.is_some() || c.use_sendmail || c.use_aws_ses); /// Email token size |> Number of digits in an email 2FA token (min: 6, max: 255). Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting. email_token_size: u8, true, def, 6; /// Token expiration time |> Maximum time in seconds a token is valid. The time the user has to open email client and copy token. @@ -1130,6 +1132,9 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> { } } } + } else if cfg.use_aws_ses { + #[cfg(not(ses))] + err!("`USE_AWS_SES` is set, but the `ses` feature is not enabled in this build"); } else { if cfg.smtp_host.is_some() == cfg.smtp_from.is_empty() { err!("Both `SMTP_HOST` and `SMTP_FROM` need to be set for email support without `USE_SENDMAIL`") @@ -1140,7 +1145,7 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> { } } - if (cfg.smtp_host.is_some() || cfg.use_sendmail) && !is_valid_email(&cfg.smtp_from) { + if (cfg.smtp_host.is_some() || cfg.use_sendmail || cfg.use_aws_ses) && !is_valid_email(&cfg.smtp_from) { err!(format!("SMTP_FROM '{}' is not a valid email address", cfg.smtp_from)) } @@ -1149,7 +1154,7 @@ fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> { } } - if cfg._enable_email_2fa && !(cfg.smtp_host.is_some() || cfg.use_sendmail) { + if cfg._enable_email_2fa && !(cfg.smtp_host.is_some() || cfg.use_sendmail || cfg.use_aws_ses) { err!("To enable email 2FA, a mail transport must be configured") } @@ -1553,7 +1558,7 @@ impl Config { } pub fn mail_enabled(&self) -> bool { let inner = &self.inner.read().unwrap().config; - inner._enable_smtp && (inner.smtp_host.is_some() || inner.use_sendmail) + inner._enable_smtp && (inner.smtp_host.is_some() || inner.use_sendmail || inner.use_aws_ses) } pub async fn get_duo_akey(&self) -> String { diff --git a/src/http_client.rs b/src/http_client.rs index d39b884d..f5f5dff2 100644 --- a/src/http_client.rs +++ b/src/http_client.rs @@ -295,7 +295,7 @@ impl Resolve for CustomDnsResolver { } } -#[cfg(s3)] +#[cfg(any(s3, ses))] pub(crate) mod aws { use aws_smithy_runtime_api::client::{ http::{HttpClient, HttpConnector, HttpConnectorFuture, HttpConnectorSettings, SharedHttpConnector}, diff --git a/src/mail.rs b/src/mail.rs index cdbd269a..ccab3f41 100644 --- a/src/mail.rs +++ b/src/mail.rs @@ -95,6 +95,44 @@ fn smtp_transport() -> AsyncSmtpTransport { smtp_client.build() } +#[cfg(ses)] +async fn send_with_aws_ses(email: Message) -> std::io::Result<()> { + use std::io::Error; + + use aws_sdk_sesv2::{ + types::{EmailContent, RawMessage}, + Client, + }; + use tokio::sync::OnceCell; + + static AWS_SESV2_CLIENT: OnceCell = OnceCell::const_new(); + + let client = AWS_SESV2_CLIENT + .get_or_init(|| async { + let config = crate::aws::aws_sdk_config().await; + Client::new(config) + }) + .await; + + client + .send_email() + .content( + EmailContent::builder() + .raw( + RawMessage::builder() + .data(email.formatted().into()) + .build() + .map_err(|e| Error::other(format!("Failed to build AWS SESv2 RawMessage: {e:?}")))?, + ) + .build(), + ) + .send() + .await + .map_err(Error::other)?; + + Ok(()) +} + // This will sanitize the string values by stripping all the html tags to prevent XSS and HTML Injections fn sanitize_data(data: &mut serde_json::Value) { use regex::Regex; @@ -670,6 +708,15 @@ async fn send_with_selected_transport(email: Message) -> EmptyResult { } } } + } else if CONFIG.use_aws_ses() { + #[cfg(ses)] + match send_with_aws_ses(email).await { + Ok(_) => Ok(()), + Err(e) => err!("Failed to send email", format!("Failed to send email using AWS SES: {e:?}")), + } + + #[cfg(not(ses))] + unreachable!("Failed to send email using AWS SES: `ses` feature is not enabled"); } else { match smtp_transport().send(email).await { Ok(_) => Ok(()), diff --git a/src/main.rs b/src/main.rs index 96aa55b5..67c59d43 100644 --- a/src/main.rs +++ b/src/main.rs @@ -48,6 +48,8 @@ use tokio::signal::unix::SignalKind; mod error; mod api; mod auth; +#[cfg(any(s3, ses))] +mod aws; mod config; mod crypto; #[macro_use] diff --git a/src/storage.rs b/src/storage.rs index ada2a951..22579242 100644 --- a/src/storage.rs +++ b/src/storage.rs @@ -152,8 +152,6 @@ mod s3 { } pub(super) fn operator_for_path(path: &str) -> Result { - use crate::http_client::aws::AwsReqwestConnector; - use aws_config::{default_provider::credentials::DefaultCredentialsChain, provider_config::ProviderConfig}; use opendal::Configurator; use reqsign_aws_v4::Credential; use reqsign_core::{Context, ProvideCredential, ProvideCredentialChain}; @@ -171,24 +169,12 @@ mod s3 { async fn provide_credential(&self, _ctx: &Context) -> reqsign_core::Result> { use aws_credential_types::provider::ProvideCredentials as _; use reqsign_core::time::Timestamp; - use tokio::sync::OnceCell; - static DEFAULT_CREDENTIAL_CHAIN: OnceCell = OnceCell::const_new(); - - let chain = DEFAULT_CREDENTIAL_CHAIN - .get_or_init(|| { - let reqwest_client = reqwest::Client::builder().build().unwrap(); - let connector = AwsReqwestConnector { - client: reqwest_client, - }; - - let conf = ProviderConfig::default().with_http_client(connector); - - DefaultCredentialsChain::builder().configure(conf).build() - }) - .await; - - let creds = chain.provide_credentials().await.map_err(|e| { + let credentials_provider = + crate::aws::aws_sdk_config().await.credentials_provider().ok_or_else(|| { + reqsign_core::Error::unexpected("failed to load AWS credentials provider from AWS SDK config") + })?; + let creds = credentials_provider.provide_credentials().await.map_err(|e| { reqsign_core::Error::unexpected("failed to load AWS credentials via AWS SDK").with_source(e) })?;