Added optional bitwarden_root_cert config to trust an additional root…

… certificate when connecting to the bitwarden_rs instance. This can be useful in corporate environments where certificates are issued by a local CA (or for self-signed certificates)
ViViDboarder · Jul 9, 2020 · 9d7f226 · 9d7f226
1 parent 2e5c4c5
commit 9d7f226
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@ Configuration values are as follows:
 |----|----|--------|-----------|
 |`bitwarden_url`|String||The root URL for accessing `bitwarden_rs`. Eg: `https://bw.example.com`|
 |`bitwarden_admin_token`|String||The value passed as `ADMIN_TOKEN` to `bitwarden_rs`|
+|`bitwarden_root_cert`|String|Optional|Additional der-encoded root certificate to trust for accessing `bitwarden_rs`|
 |`ldap_host`|String||The hostname or IP address for your ldap server|
 |`ldap_scheme`|String|Optional|The that should be used to connect. `ldap` or `ldaps`. This is set by default based on SSL settings|
 |`ldap_ssl`|Boolean|Optional|Indicates if SSL should be used. Defaults to `false`|

diff --git a/src/bw_admin.rs b/src/bw_admin.rs
@@ -6,6 +6,8 @@ use serde::Deserialize;
 use std::collections::HashMap;
 use std::error::Error;
 use std::time::{Duration, Instant};
+use std::fs::File;
+use std::io::Read;
 
 const COOKIE_LIFESPAN: Duration = Duration::from_secs(20 * 60);
 
@@ -31,29 +33,50 @@ impl User {
 pub struct Client {
     url: String,
     admin_token: String,
-    cookie: Option<String>,
-    cookie_created: Option<Instant>,
+    root_cert: String,
+	cookie: Option<String>,
+    cookie_created: Option<Instant>
 }
 
 impl Client {
     /// Create new instance of client
-    pub fn new(url: String, admin_token: String) -> Client {
+    pub fn new(url: String, admin_token: String, root_cert: String) -> Client {
         Client {
             url,
             admin_token,
-            cookie: None,
-            cookie_created: None,
+            root_cert,
+			cookie: None,
+            cookie_created: None
         }
     }
 
+    fn get_http_client(&self) -> reqwest::Client {
+
+        let mut client = reqwest::Client::builder()
+            .redirect(reqwest::RedirectPolicy::none());
+
+        if !&self.root_cert.is_empty() {
+
+            let mut buf = Vec::new();
+
+            // read a local binary DER encoded certificate
+            File::open(&self.root_cert).expect("cannot open root cert").read_to_end(&mut buf).expect("cannot read root cert");
+
+            // create a certificate
+            let cert = reqwest::Certificate::from_der(&buf).expect("could not load der certificate");
+
+			// add the root cert
+            client = client.add_root_certificate(cert);
+        }
+
+        return client.build().unwrap();
+    }
+
     /// Authenticate client
     fn auth(&mut self) -> Response {
+
         let cookie_created = Instant::now();
-        let client = reqwest::Client::builder()
-            // Avoid redirects because server will redirect to admin page after auth
-            .redirect(reqwest::RedirectPolicy::none())
-            .build()
-            .unwrap();
+        let client = &self.get_http_client();
         let result = client
             .post(format!("{}{}", &self.url, "/admin/").as_str())
             .form(&[("token", &self.admin_token)])
@@ -102,8 +125,8 @@ impl Client {
             }
             Some(cookie) => {
                 let url = format!("{}/admin{}", &self.url, path);
-                let request = reqwest::Client::new()
-                    .get(url.as_str())
+                let client = self.get_http_client();
+                let request = client.get(url.as_str())
                     .header(reqwest::header::COOKIE, cookie.clone());
                 let response = request.send().unwrap_or_else(|e| {
                     panic!("Could not call with {}. {:?}", url, e);
@@ -126,8 +149,8 @@ impl Client {
             }
             Some(cookie) => {
                 let url = format!("{}/admin{}", &self.url, path);
-                let request = reqwest::Client::new()
-                    .post(url.as_str())
+                let client = self.get_http_client();
+                let request = client.post(url.as_str())
                     .header("Cookie", cookie.clone())
                     .json(&json);
                 let response = request.send().unwrap_or_else(|e| {

diff --git a/src/config.rs b/src/config.rs
@@ -38,6 +38,7 @@ pub struct Config {
     // Bitwarden connection config
     bitwarden_url: String,
     bitwarden_admin_token: String,
+    bitwarden_root_cert: Option<String>,
     // LDAP Connection config
     ldap_host: String,
     ldap_scheme: Option<String>,
@@ -71,6 +72,13 @@ impl Config {
         self.bitwarden_admin_token.clone()
     }
 
+    pub fn get_bitwarden_root_cert(&self) -> String {
+		match &self.bitwarden_root_cert {
+            Some(bitwarden_root_cert) => bitwarden_root_cert.clone(),
+            None => String::new(),
+        }
+    }
+
     pub fn get_ldap_url(&self) -> String {
         format!(
             "{}://{}:{}",

diff --git a/src/main.rs b/src/main.rs
@@ -15,6 +15,7 @@ fn main() {
     let mut client = bw_admin::Client::new(
         config.get_bitwarden_url().clone(),
         config.get_bitwarden_admin_token().clone(),
+        config.get_bitwarden_root_cert().clone()
     );
 
     if let Err(e) = invite_users(&config, &mut client, config.get_ldap_sync_loop()) {