Enable key connector selfhost (#1707)

* initial commit

* Add code for Key Connector feature

* Add help URL to config

* Fix folders for key-connector service

* Fix paths for key-connector

* fixing the env file builder when disabling the key connector

* swapping a variable name

Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>

util/Setup/CertBuilder.cs

@@ -97,5 +97,19 @@ namespace Bit.Setup
                 Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
             }
         }
+
+        public void BuildForUpdater()
+        {
+            if (_context.Config.EnableKeyConnector && !File.Exists("/bitwarden/key-connector/bwkc.pfx"))
+            {
+                Directory.CreateDirectory("/bitwarden/key-connector/");
+                var keyConnectorCertPassword = Helpers.GetValueFromEnvFile("key-connector",
+                    "keyConnectorSettings__certificate__filesystemPassword");
+                Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout bwkc.key " +
+                             "-out bwkc.crt -subj \"/CN=Bitwarden Key Connector\" -days 36500");
+                Helpers.Exec("openssl pkcs12 -export -out /bitwarden/key-connector/bwkc.pfx -inkey bwkc.key " +
+                             $"-in bwkc.crt -passout pass:{keyConnectorCertPassword}");
+            }
+        }
     }
 }

util/Setup/Configuration.cs

@@ -100,6 +100,9 @@ namespace Bit.Setup
             "Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html")]
         public List<string> RealIps { get; set; }
 
+        [Description("Enable Key Connector (https://bitwarden.com/help/article/deploy-key-connector)")]
+        public bool EnableKeyConnector { get; set; } = false;
+
         [YamlIgnore]
         public string Domain
         {

util/Setup/DockerComposeBuilder.cs

@@ -50,6 +50,7 @@ namespace Bit.Setup
                     ComposeVersion = context.Config.ComposeVersion;
                 }
                 MssqlDataDockerVolume = context.Config.DatabaseDockerVolume;
+                EnableKeyConnector = context.Config.EnableKeyConnector;
                 HttpPort = context.Config.HttpPort;
                 HttpsPort = context.Config.HttpsPort;
                 if (!string.IsNullOrWhiteSpace(context.CoreVersion))
@@ -64,6 +65,7 @@ namespace Bit.Setup
 
             public string ComposeVersion { get; set; } = "3";
             public bool MssqlDataDockerVolume { get; set; }
+            public bool EnableKeyConnector { get; set; }
             public string HttpPort { get; set; }
             public string HttpsPort { get; set; }
             public bool HasPort => !string.IsNullOrWhiteSpace(HttpPort) || !string.IsNullOrWhiteSpace(HttpsPort);

util/Setup/EnvironmentFileBuilder.cs

@@ -14,6 +14,7 @@ namespace Bit.Setup
         private IDictionary<string, string> _mssqlValues;
         private IDictionary<string, string> _globalOverrideValues;
         private IDictionary<string, string> _mssqlOverrideValues;
+        private IDictionary<string, string> _keyConnectorOverrideValues;
 
         public EnvironmentFileBuilder(Context context)
         {
@@ -45,6 +46,7 @@ namespace Bit.Setup
             Init();
             LoadExistingValues(_globalOverrideValues, "/bitwarden/env/global.override.env");
             LoadExistingValues(_mssqlOverrideValues, "/bitwarden/env/mssql.override.env");
+            LoadExistingValues(_keyConnectorOverrideValues, "/bitwarden/env/key-connector.override.env");
 
             if (_context.Config.PushNotifications &&
                 _globalOverrideValues.ContainsKey("globalSettings__pushRelayBaseUri") &&
@@ -107,6 +109,18 @@ namespace Bit.Setup
             {
                 ["SA_PASSWORD"] = dbPassword,
             };
+
+            _keyConnectorOverrideValues = new Dictionary<string, string>
+            {
+                ["keyConnectorSettings__webVaultUri"] = _context.Config.Url,
+                ["keyConnectorSettings__identityServerUri"] = "http://identity:5000",
+                ["keyConnectorSettings__database__provider"] = "json",
+                ["keyConnectorSettings__database__jsonFilePath"] = "/etc/bitwarden/key-connector/data.json",
+                ["keyConnectorSettings__rsaKey__provider"] = "certificate",
+                ["keyConnectorSettings__certificate__provider"] = "filesystem",
+                ["keyConnectorSettings__certificate__filesystemPath"] = "/etc/bitwarden/key-connector/bwkc.pfx",
+                ["keyConnectorSettings__certificate__filesystemPassword"] = Helpers.SecureRandomString(32, alpha: true, numeric: true),
+            };
         }
 
         private void LoadExistingValues(IDictionary<string, string> _values, string file)
@@ -179,6 +193,16 @@ namespace Bit.Setup
             }
             Helpers.Exec("chmod 600 /bitwarden/env/mssql.override.env");
 
+            if (_context.Config.EnableKeyConnector)
+            {
+                using (var sw = File.CreateText("/bitwarden/env/key-connector.override.env"))
+                {
+                    sw.Write(template(new TemplateModel(_keyConnectorOverrideValues)));
+                }
+
+                Helpers.Exec("chmod 600 /bitwarden/env/key-connector.override.env");
+            }
+
             // Empty uid env file. Only used on Linux hosts.
             if (!File.Exists("/bitwarden/env/uid.env"))
             {

util/Setup/NginxConfigBuilder.cs

@@ -70,6 +70,7 @@ namespace Bit.Setup
             {
                 Captcha = context.Config.Captcha;
                 Ssl = context.Config.Ssl;
+                EnableKeyConnector = context.Config.EnableKeyConnector;
                 Domain = context.Config.Domain;
                 Url = context.Config.Url;
                 RealIps = context.Config.RealIps;
@@ -117,6 +118,7 @@ namespace Bit.Setup
 
             public bool Captcha { get; set; }
             public bool Ssl { get; set; }
+            public bool EnableKeyConnector { get; set; }
             public string Domain { get; set; }
             public string Url { get; set; }
             public string CertificatePath { get; set; }

util/Setup/Program.cs

@@ -291,6 +291,9 @@ namespace Bit.Setup
 
             var environmentFileBuilder = new EnvironmentFileBuilder(_context);
             environmentFileBuilder.BuildForUpdater();
+            
+            var certBuilder = new CertBuilder(_context);
+            certBuilder.BuildForUpdater();
 
             var nginxBuilder = new NginxConfigBuilder(_context);
             nginxBuilder.BuildForUpdater();

util/Setup/Templates/DockerCompose.hbs

@@ -194,6 +194,22 @@ services:
     networks:
       - default
       - public
+
+{{#if EnableKeyConnector}}
+  key-connector:
+    image: bitwarden/key-connector:latest
+    container_name: bitwarden-key-connector
+    restart: always
+    volumes:
+      - ../key-connector:/etc/bitwarden/key-connector
+      - ../ca-certificates:/etc/bitwarden/ca-certificates
+      - ../logs/key-connector:/etc/bitwarden/logs
+    env_file:
+      - ../env/key-connector.override.env
+    networks:
+      - default
+      - public
+{{/if}}
 {{#if MssqlDataDockerVolume}}
 
 volumes:

util/Setup/Templates/NginxConfig.hbs

@@ -166,4 +166,10 @@ server {
     include /etc/nginx/security-headers.conf;
     add_header X-Frame-Options SAMEORIGIN;
   }
+
+{{#if EnableKeyConnector}}
+  location /key-connector/ {
+    proxy_pass http://key-connector:5000/;
+  }
+{{/if}}
 }