Bitwarden - Self-hosted password manager

girish

My understanding of the way it works is: Each Bitwarden user has a "master" password (also the login password). This password is set by a user when they setup their account (via an invitation email - this is the only way to finish account setup). There is no mechanism to create a user with a pre-setup password (like changeme) on the server. This is because all the encryption/key generation happens on the clients. The clients get the master password, generate keys etc and just send it to the server.

What this means is that Cloudron/LDAP password cannot be used as a login mechanism for Bitwarden. What the LDAP integration in the current Cloudron package does is to basically get the list of all users in Cloudron via LDAP and just sends them invitation emails (it does this periodically). This way each user can click on the invitation email, setup a master password and start using Bitwarden. Because Cloudron apps are installed with "all users" access restriction as the default, this would mean that the LDAP integration sends invitation email to all Cloudron users. In addition, if you change Cloudron/LDAP password or even delete the user in Cloudron, there is no effect in Bitwarden. This is quite different from how all other apps behave.

@d19dotca does that clarify?

iamthefij

Should be possible, like some other apps, to have the option of enabling automatic invites or forego it.

Technically, user management is local to the application. Invites is all that is really happening.

It should also be possible to silently invite users. This means that any user can sign up in the application directly as long as their email has been added to the invite list. May have to patch the core application for that, but certainly doable. If this sounds preferable, I can look into that.

As for disabling customers, it should also be possible. It was also planned, but just not implemented yet. Disabling does sound risky though as cutting off access to a password manager could be extremely disruptive.

d19dotca

@girish Yes I think that clarifies then. Thank you for explaining it. I thought from your earlier post you meant that all LDAP users registered on the Cloudron server would automatically be invited to use Bitwarden and I was worried there for a second. haha. My experience is what you explained most recently in that the invite needs to be manually done through the Bitwarden admin area.

fbartels

@iamthefij said in Bitwarden - Self-hosted password manager:

This means that any user can sign up in the application directly as long as their email has been added to the invite list.

I think there was already an option to only allow signups from specific mail domains.

iamthefij

@fbartels yes. You can whitelist an entire domain. That will not allow whitelisting particular people on that domain though. So group or other constraints that we get with LDAP integration would not be supported.

The issue is that by default if sending mail is enabled Bitwarden will send an invite email with a particular invite code for any newly invited user: https://github.com/dani-garcia/bitwarden_rs/blob/88c56de97b48bb5b9b8af350d0d0e0d5f080ff0e/src/api/admin.rs#L163

An option to suppress this without disabling email entirely would allow whitelisting (and possibly revoking) users based on an LDAP query.

iamthefij

As a short term, I can enable the optionalSso manifest option and disable LDAP integration when the user specifies.

iamthefij

And done. Just pushed an update that allows disabling of SSO entirely and should fall back to the administrator manually inviting folks via the /admin page. I have not had a chance to test this though.

https://git.cloudron.io/iamthefij/bitwardenrs-app

girish

@iamthefij That was quick. Can you put in a LICENSE file into the repo (preferably MIT like the other app packages), so I can get this pushed to unstable?

The optionalSso still has the issue that it will trick people into thinking it behaves like other LDAP apps. I think Cloudron needs to have some enhancement here to make the UX work reliably. For a start, I can push it out with LDAP syncing in place (i.e a person who wants to can run the tool manually from the terminal) but ldap addon removed.

iamthefij

@girish they won't be able to run it on a schedule, will they? If it was possible to schedule that, it would be great.

I just made some more updates to the Description to explain user management. I also updated the env variables set so they can be overridden by users (through the DB, CLI, or some new interface) to allow open signups, block invites, or whitelist a particular domain.

I can also add an MIT license file as long as @fbartels agrees, since I based it on his repo.

fbartels

@iamthefij said in Bitwarden - Self-hosted password manager:

I can also add an MIT license file as long as @fbartels agrees, since I based it on his repo.

Almost forgot to reply here. I have added a license file to my repo now. So when you rebase yours you should get it as well.

will

@fbartels you are the man!

iamthefij

Awesome! Thanks @fbartels!

I've merged your changes in, switched back to the single stage build for speed (possible now that MySQL support is offered in a Docker image), and updated the Readme and Changelog.

I believe this "works for me" but someone else should validate as well.

necrevistonnezr

I'm trying to build and install the new version. After

cloudron update --app=bit.mydomain.com

I received the error

Docker Error: Unable to pull image. Please check the network or if the image needs authentication. statusCode: 404

Trying to restore the app that is now in an error state, I receive the same error. Docker is running, repository is set to public, I'm both logged in in cloudron and docker on the command line.

Any idea?

girish

@necrevistonnezr Is this after you did a cloudron build ? If you open up ~/.cloudron.json, it will have an apps section and inside that various paths. Can you check what the dockerImage in that is?

necrevistonnezr

@girish said in Bitwarden - Self-hosted password manager:

@necrevistonnezr Is this after you did a cloudron build ? If you open up ~/.cloudron.json, it will have an apps section and inside that various paths. Can you check what the dockerImage in that is?

Sorry, can't check that right now as I'm at work - but shouldn't I be able to at least restore the app?

iamthefij

@necrevistonnezr you can specify the image you want Cloudron to pull on the command line to your update command as well via --image=something/something:latest. This is what I do in the Makefile I added to allow me to use a more standard Docker workflow with pushing to Docker Hub and pulling from there.

necrevistonnezr

@girish said in Bitwarden - Self-hosted password manager:

@necrevistonnezr Is this after you did a cloudron build ? If you open up ~/.cloudron.json, it will have an apps section and inside that various paths. Can you check what the dockerImage in that is?

It says (anonymized):

 "apps": {
        "/Users/Username/Cloudron/bitwardenrs-app": {
            "repository": "myrepo/bitwarden",
            "dockerImage": "myrepo/bitwarden:20200122-061725-4544ff2bf",
            "dockerImageSha256": "00000fdbc13fa2f2d8edc85fc73b0d68c803b180a2287c19e03c3b25f453d6a97"
        }
    },

Those are the correct coordinates....

girish

@necrevistonnezr I have sent you an email to follow this up.

will

Is there any way I can help push this along?

jimcavoli

Likewise - this seems tantalizingly close to ready - and it's high up my list of things I'd like to get to deploying. What's the remaining to-do list or best way(s) to contribute at this point?