
Commit ade3859

Authored by pull[bot], BlackDex, Rychart Redwerkz, GeekCornerGH, dani-garcia
[pull] main from dani-garcia:main (#64)
* Fix remaining inline format

* Use more modern meta tag for charset encoding

* fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory

* Optimize CipherSyncData for very large vaults

  As mentioned in dani-garcia#3111, using a very very large vault causes some issues. Mainly because of a SQLite limit, but it could also cause issues on MariaDB/MySQL or PostgreSQL. It also uses a lot of memory, and memory allocations.

  This PR solves this by removing the need of all the cipher_uuid's just to gather the correct attachments. It will use the user_uuid and org_uuid's to get all attachments linked to both, whether the user has access to them or not. This isn't an issue, since the matching is done per cipher and the attachment data is only returned if there is a matching cipher to which the user has access.

  I also modified some code to be able to use `::with_capacity(n)` where possible. This prevents re-allocations if the `Vec` increases size, which will happen a lot if there are a lot of ciphers.

  According to my tests measuring the time it takes to sync, it seems to have lowered the duration a bit more.

  Fixes dani-garcia#3111

* Add MFA icon to org member overview

  The Organization member overview supports showing an icon if the user has MFA enabled or not. This PR adds this feature. This is very useful if you want to enable force MFA for example.

* Add avatar color support

  The new web-vault v2023.1.0 supports a custom color for the avatar. bitwarden/server#2330
  This PR adds this feature.

* Update Rust to v1.66.1 to patch CVE

  This PR sets Rust to v1.66.1 to fix a CVE.
  https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
  https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html
  Also updated some packages while at it.

* Update web vault to 2023.1.0

* include key into user.set_password

* Validate note sizes on key-rotation.

  We also need to validate the note sizes on key-rotation. If we do not validate them before we store them, that could lead to a partial or total loss of the password vault. Validating these restrictions before actually processing them to store/replace the existing ciphers should prevent this.

  There was also a small bug when using web-sockets. The client which is triggering the password/key-rotation change should not be forced to logout via a web-socket request. That is something the client will handle itself. Refactored the logout notification to either send the device uuid or not on specific actions.

  Fixes dani-garcia#3152

* Update KDF Configuration and processing

  - Change default Password Hash KDF Storage from 100_000 to 600_000 iterations
  - Update Password Hash when the default iteration value is different
  - Validate password_iterations
  - Validate client-side KDF to prevent it from being set lower than 100_000

* Updated web vault to 2023.1.1 and rust dependencies

* Re-License Vaultwarden to AGPLv3

  This commit prepares Vaultwarden for the Re-Licensing to AGPLv3. Solves #2450

* Remove `arm32v6`-specific tag

  This section of code seems to be breaking the Docker release workflow as of a few days ago, though it's unclear why. This tag only existed to work around an issue with Docker pulling the wrong image for ARMv6 platforms; that issue was resolved in Docker 20.10.0, which has been out for a few years now, so it seems like a reasonable time to drop this tag.

* Rename `.buildx` Dockerfiles to `.buildkit`

  This is a more accurate name, since these Dockerfiles require BuildKit, not Buildx.

* Disable Hadolint check for consecutive `RUN` instructions (DL3059)

  This check doesn't seem to add enough value to justify the difficulties it tends to create when generating `RUN` instructions from a template.

* added database migration

* working implementation

* fixes for current upstream main

* "Spell-Jacking" mitigation ~ prevent sensitive data leak from spell checker.

  @see https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

* Fix Javascript issue on non sqlite databases

  When a non sqlite database is used, loading the admin interface fails because the backup button is not generated. This PR solves it by checking if the elements are valid. Also made some other changes and fixed some eslint errors. Showing `_post` errors is better now. Update jquery to latest version.

  Fixes dani-garcia#3166

* Allow listening on privileged ports (below 1024) as non-root

  This is done by running `setcap cap_net_bind_service=+ep` on the executable in the build stage (doing it in the runtime stage creates an extra copy of the executable that bloats the image). This only works when using the BuildKit-based builder, since the `COPY` instruction doesn't copy capabilities on the legacy builder.

* don't nullify key when editing emergency access

  the client does not send the key on every update of an emergency access contact so the field would be emptied on a change of the wait days or access level.

* Replaced wrong mysql column type

* improved security, disabling policy usage on email-disabled clients and some refactoring

* rust lang specific improvements

* completely hide reset password policy on email disabled instances

* change description of domain configuration

  Vaultwarden send won't work if the domain includes a trailing slash. This should be documented, as it may lead to confusion among users.

* improve wording of domain description

* Generate distinct log messages for regex vs. IP blacklisting.

  When an icon will not be downloaded due to matching a configured blacklist, ensure that the log message indicates the type of blacklist that was matched.

* Ensure that all results from check_domain_blacklist_reason are cached.

* remove documentation of bug since I'm fixing it

* fix trailing slash not being removed from domain

* allow editing/unhiding by group

  Fixes dani-garcia#2989
  Signed-off-by: Jan Jansen <[email protected]>

* Revert "fix trailing slash not being removed from domain"

  This reverts commit 679bc7a.

* fix trailing slash in configuration builder

* remove warn when sanitizing domain

* add argon2 kdf fields

* Add support for sendmail as a mail transport

* check if SENDMAIL_COMMAND is valid using 'which' crate

* add EXE_SUFFIX to sendmail executable when not specified

* Updated Rust and crates

  - Updated Rust to v1.67.0
  - Updated all crates except for `cookies` and `webauthn`

* docs: add build status badge in readme

* Fix Organization delete when groups are configured

  With existing groups configured within an org, deleting that org would fail because of Foreign Key issues. This PR fixes this by making sure the groups get deleted before the org does.

  Fixes dani-garcia#3247

* Fix Collection Read Only access for groups

  I messed up with indentation, sorry, it's my first PR
  Fix Collection Read Only access for groups
  Fix Collection Read Only access for groups
  With indentation modification

* Validate all needed fields for client API login

  During the client API login we need to have a `device_identifier`, `device_name` and `device_type`. When these were not provided Vaultwarden would panic. This PR adds checks for these fields and makes sure it returns a better error message instead of causing a panic.

* Make the admin cookie lifetime adjustable

* Add function to fetch user by email address

* Apply Admin Session Lifetime to JWT

* Apply rewording

* Add missing collections/details endpoint, based on the existing one

* Update web vault to v2023.2.0 and dependencies

* Fix vault item display in org vault view

  In the org vault view, the Bitwarden web vault currently tries to fetch the groups for an org regardless of whether it claims to have group support. If this errors out, no vault items are displayed.

* Add confirmation for removing 2FA and deauth sessions in admin panel

* Fix the web-vault v2023.2.0 API calls

  - Supports the new Collection/Group/User editing UI's
  - Support `/partial` endpoint for cipher updating to allow folder and favorite update for read-only ciphers.
  - Prevent `Favorite`, `Folder`, `read-only` and `hide-passwords` from being added to the organizational sync.
  - Added and corrected some `Object` key's to the output json.

  Fixes dani-garcia#3279

* Some Admin Interface updates

  - Updated datatables
  - Added NTP Time check
  - Added Collections, Groups and Events count for orgs
  - Renamed `Items` to `Ciphers`
  - Some small style updates

* Fix confirmation for removing 2FA and deauthing sessions in admin panel

* Admin token Argon2 hashing support

  Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead of only supporting a plain text string. The hash must be a PHC string which can be generated via the `argon2` CLI **or** via the also built-in hash command in Vaultwarden. You can simply run `vaultwarden hash` to generate a hash based upon a password the user provides themselves.

  Added a warning during startup and within the admin settings panel if the `ADMIN_TOKEN` is not an Argon2 hash. Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the `ADMIN_TOKEN` has been converted to an Argon2 hash.

  I have also tested this on my RaspberryPi 2b and there the `Bitwarden` preset takes almost 4.5 seconds to generate/verify the Argon2 hash. Using the `OWASP` preset it is below 1 second, which I think should be fine for low-graded hardware. If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden itself would run. They can always use the `argon2` CLI and generate a faster hash.

* Add HEAD routes to avoid spurious error messages

  Rocket automatically implements a HEAD route when there's a matching GET route, but relying on this behavior also means a spurious error gets logged due to <rwf2/Rocket#1098>. Add explicit HEAD routes for `/` and `/alive` to prevent uptime monitoring services from generating error messages like `No matching routes for HEAD /`. With these new routes, `HEAD /` only checks that the server can respond over the network, while `HEAD /alive` also checks that the database connection is alive, similar to `GET /alive`.

* Fix web-vault Member UI show/edit/save

  There was a small bug left in regards to the web-vault v2023.2.0 fixes. This PR fixes the left items. I think all should be addressed now. When editing a User, you were not able to see or edit groups, or see which collections a user belonged to.

  Fixes dani-garcia#3311

* Upd Crates, Rust, MSRV, GHA and remove Backtrace

  - Changed MSRV to v1.65. Discussed this with @dani-garcia, and we will support **N-2**. This is/will be the same as for the `time` crate we use. Also updated the wiki regarding this https://github.com/dani-garcia/vaultwarden/wiki/Building-binary
  - Removed backtrace crate in favor of `std::backtrace` stable since v1.65
  - Updated Rust to v1.67.1
  - Updated all the crates
  - Updated the GHA action versions
  - Adjusted the GHA MSRV build to extract the MSRV from `Cargo.toml`

* Merge ClientIp with Headers.

  Since we now use the `ClientIp` Guard on a lot more places, it also increases the size of binary, and the macro generated code because of this extra Guard. By merging the `ClientIp` Guard with the several `Header` guards we have it reduces the amount of code generated (including LLVM IR), but also a small speedup in build time. I also spotted some small `json!()` optimizations which also reduced the amount of code generated.

* Add support for `/api/devices/knowndevice` with HTTP header params

  Upstream PR: bitwarden/server#2682

* Update Rust, MSRV and Crates

  - Updated all the crates
  - Updated Rust and MSRV

* Update web vault to v2023.3.0 and dependencies

* add endpoint to bulk delete groups

* add endpoint to bulk delete collections

* don't use `assert()` in production code

  Co-authored-by: Daniel García <[email protected]>

* Add support for Quay.io and GHCR.io as registries

  - Added support for Quay.io
  - Added support for GHCR.io

  To enable support for these container image registries the following needs to be added.
  As `Actions secrets and variables` - `Secrets`
  - `DOCKERHUB_TOKEN` and `DOCKERHUB_USERNAME`
  - `QUAY_TOKEN` and `QUAY_USERNAME`
  As `Actions secrets and variables` - `Variables` - `Repository Variables`
  - `DOCKERHUB_REPO`
  - `GHCR_REPO`
  - `QUAY_REPO`

  The `DOCKERHUB_REPO` currently configured in `Secrets` can be removed if wanted, probably best after this PR has been merged. If one of the vars/secrets are not configured it will skip that specific registry!

* Some small fixes and updates

  - Updated workflows to use new checkout version. This probably fixes the curl download for hadolint also.
  - Updated crates including Rocket to the latest rc3 :party:
  - Applied 2 nightly clippy lints to prevent future clippy issues.

* Update web vault to v2023.3.0b

* Decode knowndevice `X-Request-Email` as base64url with no padding

  The clients end up removing the padding characters [1][2].
  [1] https://github.com/bitwarden/clients/blob/web-v2023.3.0/libs/common/src/misc/utils.ts#L141-L143
  [2] https://github.com/bitwarden/mobile/blob/v2023.3.1/src/Core/Utilities/CoreHelpers.cs#L227-L234

* Fix password reset issues

  A wrong macro was used to produce an error message when mailing the user that his password was reset failed. It was using `error!()` which does not return an `Err` and aborts the rest of the code. This resulted in the user's password still being reset, but the user not being notified. This PR fixes this by using `err!()`. Also, do not set the user object as mutable until it really is needed.

  Second, when a user was using the new Argon2id KDF with custom values like memory and parallelism, that would have rendered the password incorrect. The endpoint which should return all the data did not return all the new Argon2id values.

  Fixes dani-garcia#3388
  Co-authored-by: Stefan Melmuk <[email protected]>

* support `/users/<uuid>/invite/resend` admin api

* fmt

* always return KdfMemory and KdfParallelism

  the client will ignore the value of these fields in case of `PBKDF2` (whether they are unset or left from trying out `Argon2id` as KDF). with `Argon2id` those fields should never be `null` but always in a valid state. if they are `null` (how would that even happen?) the client still assumes default values for `Argon2id` (i.e. m=64 and p=4) and if they are set to something else login will fail anyway.

* clear kdf memory and parallelism with pbkdf2

  when changing back from argon2id to PBKDF2 the unused parameters should be set to 0. also fix small bug in _register

* add mail check

* add check user state

* Revert setcap, update rust and crates

  - Revert dani-garcia#3170 as discussed in #3387. In hindsight it's better to not have this feature
  - Update Dockerfile.j2 for easy version changes. Just change it in one place instead of multiple
  - Updated to Rust to latest patched version
  - Updated crates to latest available
  - Pinned mimalloc to an older version, as it breaks on musl builds

* Fix sending out multiple websocket notifications

  For some reason I encountered a strange bug which resulted in sending out multiple websocket notifications for the exact same user. Added a `distinct()` for the query to filter out multiple uuid's.

---------

Signed-off-by: Jan Jansen <[email protected]>
Co-authored-by: BlackDex <[email protected]>
Co-authored-by: Rychart Redwerkz <[email protected]>
Co-authored-by: GeekCorner <[email protected]>
Co-authored-by: Daniel García <[email protected]>
Co-authored-by: sirux88 <[email protected]>
Co-authored-by: Jeremy Lin <[email protected]>
Co-authored-by: Daniel Hammer <[email protected]>
Co-authored-by: Stefan Melmuk <[email protected]>
Co-authored-by: BlockListed <[email protected]>
Co-authored-by: Kevin P. Fleming <[email protected]>
Co-authored-by: Jan Jansen <[email protected]>
Co-authored-by: Helmut K. C. Tessarek <[email protected]>
Co-authored-by: soruh <[email protected]>
Co-authored-by: r3drun3 <[email protected]>
Co-authored-by: Misterbabou <[email protected]>
Co-authored-by: Nils Mittler <[email protected]>
Co-authored-by: Jeremy Lin <[email protected]>
Co-authored-by: Jonathan Elias Caicedo <[email protected]>
Co-authored-by: Dylan Pinsonneault <[email protected]>
Co-authored-by: Stefan Melmuk <[email protected]>
Co-authored-by: Nikolay Nikolaev <[email protected]>
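The "Admin token Argon2 hashing support" entry above describes a startup check that warns when `ADMIN_TOKEN` is still a plain-text string rather than an Argon2 PHC string. The block below is an added example written for this page, not Vaultwarden's own code: it parses the PHC format `$argon2id$v=19$m=<KiB>,t=<iters>,p=<lanes>$<salt>$<hash>` with the standard library only, classifies a configured token, and returns the warning text a startup check would log. The two sample values are the ones shown in the `.env.template` hunk of this commit; verifying a password against the hash would need an Argon2 implementation (for instance the `argon2` crate) and is deliberately left out.

```rust
// Added example (not Vaultwarden's own code): classify an ADMIN_TOKEN value
// by checking whether it is a well-formed Argon2 PHC string. Only the format
// is validated; no hashing is performed, so this runs with std alone.

#[derive(Debug, PartialEq)]
pub struct Argon2Params {
    pub variant: String,
    pub version: u32,
    pub memory_kib: u32,
    pub iterations: u32,
    pub parallelism: u32,
}

#[derive(Debug, PartialEq)]
pub enum AdminToken {
    /// Hashed token: the secret itself is never stored in the config file.
    Argon2(Argon2Params),
    /// Legacy plain-text token: still accepted, but should trigger a warning.
    PlainText,
}

/// Parse the `m=..,t=..,p=..` field; every key must be present exactly once.
fn parse_params(field: &str) -> Option<(u32, u32, u32)> {
    let (mut m, mut t, mut p) = (None, None, None);
    for kv in field.split(',') {
        let (key, value) = kv.split_once('=')?;
        let value: u32 = value.parse().ok()?;
        match key {
            "m" => m = Some(value),
            "t" => t = Some(value),
            "p" => p = Some(value),
            _ => return None,
        }
    }
    Some((m?, t?, p?))
}

/// Return the parameters if `s` is a well-formed Argon2 PHC string, else None.
pub fn parse_argon2_phc(s: &str) -> Option<Argon2Params> {
    // A PHC string starts with '$', so splitting yields an empty first field.
    let parts: Vec<&str> = s.split('$').collect();
    if parts.len() != 6 || !parts[0].is_empty() {
        return None;
    }
    let variant = parts[1];
    if !matches!(variant, "argon2id" | "argon2i" | "argon2d") {
        return None;
    }
    let version: u32 = parts[2].strip_prefix("v=")?.parse().ok()?;
    let (memory_kib, iterations, parallelism) = parse_params(parts[3])?;
    // Salt and hash are unpadded standard-alphabet base64 in PHC strings.
    let is_b64 = |c: char| c.is_ascii_alphanumeric() || c == '+' || c == '/';
    if parts[4].is_empty()
        || parts[5].is_empty()
        || !parts[4].chars().all(is_b64)
        || !parts[5].chars().all(is_b64)
    {
        return None;
    }
    Some(Argon2Params {
        variant: variant.to_string(),
        version,
        memory_kib,
        iterations,
        parallelism,
    })
}

pub fn classify_admin_token(token: &str) -> AdminToken {
    match parse_argon2_phc(token.trim()) {
        Some(params) => AdminToken::Argon2(params),
        None => AdminToken::PlainText,
    }
}

/// The message a startup check would log for a plain-text token; None when hashed.
pub fn startup_warning(token: &str) -> Option<String> {
    match classify_admin_token(token) {
        AdminToken::Argon2(_) => None,
        AdminToken::PlainText => Some(
            "ADMIN_TOKEN is a plain-text string; generate an Argon2 PHC hash \
             with `vaultwarden hash` and configure that instead"
                .to_string(),
        ),
    }
}

fn main() {
    // Sample values copied from the .env.template hunk of this commit.
    let hashed = "$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78";
    let plain = "Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp";
    println!("{:?}", classify_admin_token(hashed));
    println!("{:?}", startup_warning(plain));
}
```

The parse is strict on purpose: a token with a missing `p=` or a stray character in the salt is treated as plain text, which surfaces a misconfigured hash as a warning at startup instead of an admin login that never succeeds.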
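The entries "Update KDF Configuration and processing", "always return KdfMemory and KdfParallelism" and "clear kdf memory and parallelism with pbkdf2" above together define the rules for a client-supplied KDF setting. The block below is an added example written for this page, not Vaultwarden's code, that applies those rules: PBKDF2 may not go below 100_000 iterations, switching back to PBKDF2 resets the Argon2id-only fields to 0, Argon2id must never carry unset memory or parallelism, and the server-side stored hash is re-computed at login when the configured iteration count differs. The `KdfConfig` struct and the `needs_server_rehash` helper are assumptions made for the example.

```rust
// Added example (not Vaultwarden's own code): validate and normalise a KDF
// configuration sent by a client before it is persisted.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum KdfType {
    Pbkdf2,
    Argon2id,
}

#[derive(Debug, Clone, PartialEq)]
pub struct KdfConfig {
    pub kdf: KdfType,
    pub iterations: u32,
    /// Argon2id memory in MiB; None models a JSON null from the client.
    pub memory: Option<u32>,
    /// Argon2id parallelism; None models a JSON null from the client.
    pub parallelism: Option<u32>,
}

/// Clients may not set PBKDF2 below this (commit message: "lower than 100_000").
pub const PBKDF2_MIN_ITERATIONS: u32 = 100_000;
/// New server-side default for stored password hashes (raised from 100_000).
pub const PBKDF2_DEFAULT_ITERATIONS: u32 = 600_000;

/// Check the request and return the normalised config that should be stored.
pub fn validate_kdf(cfg: &KdfConfig) -> Result<KdfConfig, String> {
    match cfg.kdf {
        KdfType::Pbkdf2 => {
            if cfg.iterations < PBKDF2_MIN_ITERATIONS {
                return Err(format!(
                    "PBKDF2 iterations must be at least {}, got {}",
                    PBKDF2_MIN_ITERATIONS, cfg.iterations
                ));
            }
            // Clear the Argon2id-only fields so values left over from a
            // previous Argon2id setting are not persisted next to PBKDF2.
            Ok(KdfConfig {
                kdf: KdfType::Pbkdf2,
                iterations: cfg.iterations,
                memory: Some(0),
                parallelism: Some(0),
            })
        }
        KdfType::Argon2id => {
            // With Argon2id the fields must be present and non-zero; a null
            // here would make the client fall back to its own defaults and
            // the login would fail against the stored parameters anyway.
            let memory = cfg
                .memory
                .filter(|&m| m > 0)
                .ok_or("Argon2id requires a non-zero memory value")?;
            let parallelism = cfg
                .parallelism
                .filter(|&p| p > 0)
                .ok_or("Argon2id requires a non-zero parallelism value")?;
            if cfg.iterations == 0 {
                return Err("Argon2id requires at least one iteration".to_string());
            }
            Ok(KdfConfig {
                kdf: KdfType::Argon2id,
                iterations: cfg.iterations,
                memory: Some(memory),
                parallelism: Some(parallelism),
            })
        }
    }
}

/// Server-side check at login: true when the stored password hash must be
/// re-computed because the configured PASSWORD_ITERATIONS changed.
pub fn needs_server_rehash(stored_iterations: u32, configured_iterations: u32) -> bool {
    stored_iterations != configured_iterations
}

fn main() {
    let back_to_pbkdf2 = KdfConfig {
        kdf: KdfType::Pbkdf2,
        iterations: 600_000,
        memory: Some(64),
        parallelism: Some(4),
    };
    println!("{:?}", validate_kdf(&back_to_pbkdf2));
    println!("{}", needs_server_rehash(100_000, PBKDF2_DEFAULT_ITERATIONS));
}
```

Rejecting the request is the safe failure mode here: if a too-low iteration count or a null Argon2id field were stored, the next login would be computed with parameters the stored hash was not derived from, which is exactly the "login will fail anyway" situation the commit message mentions.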
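The entry "Decode knowndevice `X-Request-Email` as base64url with no padding" above records that Bitwarden clients strip the `=` padding from the header value. The following block is an added example for this page, not the project's decoder: a standard-library base64url decoder that accepts the value with or without padding, rejects the standard-alphabet characters `+` and `/`, and refuses lengths and trailing bits that no encoder can produce. The sample header value is constructed for the example.

```rust
// Added example (not Vaultwarden's own code): decode a base64url value that
// may or may not carry '=' padding, as sent in the X-Request-Email header.

pub fn decode_base64url(input: &str) -> Option<Vec<u8>> {
    // Padding is optional on input; drop it and decode the 6-bit groups.
    let unpadded = input.trim_end_matches('=');
    let mut out = Vec::with_capacity(unpadded.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for b in unpadded.bytes() {
        let v: u32 = match b {
            b'A'..=b'Z' => (b - b'A') as u32,
            b'a'..=b'z' => (b - b'a' + 26) as u32,
            b'0'..=b'9' => (b - b'0' + 52) as u32,
            b'-' => 62,
            b'_' => 63,
            // Anything else, including '+', '/', whitespace or an inner '='.
            _ => return None,
        };
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    // A single trailing sextet (length 1 mod 4) can never come from an
    // encoder, and leftover bits must be zero for a canonical encoding.
    if bits >= 6 || acc != 0 {
        return None;
    }
    Some(out)
}

/// Decode the header into an e-mail address, rejecting non-UTF-8 payloads.
pub fn email_from_header(value: &str) -> Option<String> {
    String::from_utf8(decode_base64url(value.trim())?).ok()
}

fn main() {
    // Constructed sample: base64url of "user@example.com" without padding.
    let header = "dXNlckBleGFtcGxlLmNvbQ";
    println!("{:?}", email_from_header(header));
}
```

Accepting both padded and unpadded input is the practical choice for a server talking to several client generations; rejecting non-canonical trailing bits keeps two different header strings from decoding to the same address.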
1 parent 367e1ce commit ade3859

103 files changed: +3647 -2037 lines changed

.env.template

+18-6
@@ -259,9 +259,13 @@
259259
## A comma-separated list means only those users can create orgs:
260260
261261

262-
## Token for the admin interface, preferably use a long random string
263-
## One option is to use 'openssl rand -base64 48'
262+
## Token for the admin interface, preferably an Argon2 PCH string
263+
## Vaultwarden has a built-in generator by calling `vaultwarden hash`
264+
## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
264265
## If not set, the admin panel is disabled
266+
## New Argon2 PHC string
267+
# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
268+
## Old plain text string (Will generate warnings in favor of Argon2)
265269
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
266270

267271
## Enable this to bypass the admin panel security. This option is only
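Review bot: the comment on new line 262 says "Argon2 PCH string" while new line 266 correctly says "PHC string"; the format is the PHC string format, so change it to `## Token for the admin interface, preferably an Argon2 PHC string`. Since new line 267 ships a complete `$argon2id$v=19$m=65540,t=3,p=4$...` value and this template is copied verbatim by many installs, the comment above it should state that the example hash must not be reused and that each instance generates its own with `vaultwarden hash`.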
@@ -298,9 +302,9 @@
298302
## This setting applies globally to all users.
299303
# INCOMPLETE_2FA_TIME_LIMIT=3
300304

301-
## Controls the PBBKDF password iterations to apply on the server
302-
## The change only applies when the password is changed
303-
# PASSWORD_ITERATIONS=100000
305+
## Number of server-side passwords hashing iterations for the password hash.
306+
## The default for new users. If changed, it will be updated during login for existing users.
307+
# PASSWORD_ITERATIONS=350000
304308

305309
## Controls whether users can set password hints. This setting applies globally to all users.
306310
# PASSWORD_HINTS_ALLOWED=true
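Review bot: the commented value `# PASSWORD_ITERATIONS=350000` on new line 307 does not match the commit message, which says the default server-side KDF storage was raised from 100_000 to 600_000 iterations; since new line 306 describes this as "The default for new users", make the commented value equal the actual built-in default so that someone who uncomments it does not silently lower the iteration count. The wording on new line 305, "server-side passwords hashing iterations", should read "server-side password-hashing iterations".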
@@ -335,6 +339,9 @@
335339
## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
336340
# ADMIN_RATELIMIT_MAX_BURST=3
337341

342+
## Set the lifetime of admin sessions to this value (in minutes).
343+
# ADMIN_SESSION_LIFETIME=20
344+
338345
## Yubico (Yubikey) Settings
339346
## Set your Client ID and Secret Key for Yubikey OTP
340347
## You can generate it here: https://upgrade.yubico.com/getapikey/
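Review bot: the comment on new line 342 should say what the lifetime applies to. Per the commit message entries "Make the admin cookie lifetime adjustable" and "Apply Admin Session Lifetime to JWT" it bounds both the admin cookie and the admin JWT, so `## Set the lifetime of admin sessions (cookie and JWT) to this value (in minutes).` would make clear that shortening it also invalidates existing tokens.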
@@ -373,7 +380,7 @@
373380
# ROCKET_WORKERS=10
374381
# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
375382

376-
## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
383+
## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
377384
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
378385
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
379386
# SMTP_HOST=smtp.domain.tld
@@ -385,6 +392,11 @@
385392
# SMTP_PASSWORD=password
386393
# SMTP_TIMEOUT=15
387394

395+
# Whether to send mail via the `sendmail` command
396+
# USE_SENDMAIL=false
397+
# Which sendmail command to use. The one found in the $PATH is used if not specified.
398+
# SENDMAIL_COMMAND="/path/to/sendmail"
399+
388400
## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
389401
## Possible values: ["Plain", "Login", "Xoauth2"].
390402
## Multiple options need to be separated by a comma ','.
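Review bot: new lines 395 and 397 use a single `#` for explanatory text, whereas the rest of this file uses `##` for documentation and a single `#` only for commented-out settings, so `# Whether to send mail via the `sendmail` command` reads as a disabled setting; switch both comment lines to `##`. It would also help to note next to `SENDMAIL_COMMAND` that the path is validated at startup (the commit message says it is checked with the `which` crate), so a wrong path is reported immediately rather than on the first outgoing mail.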

.github/workflows/build.yml

+23-13
@@ -9,6 +9,8 @@ on:
99
- "Cargo.*"
1010
- "build.rs"
1111
- "rust-toolchain"
12+
- "rustfmt.toml"
13+
- "diesel.toml"
1214
pull_request:
1315
paths:
1416
- ".github/workflows/build.yml"
@@ -17,6 +19,8 @@ on:
1719
- "Cargo.*"
1820
- "build.rs"
1921
- "rust-toolchain"
22+
- "rustfmt.toml"
23+
- "diesel.toml"
2024

2125
jobs:
2226
build:
@@ -26,60 +30,66 @@ jobs:
2630
# This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
2731
env:
2832
RUSTFLAGS: "-D warnings"
33+
CARGO_REGISTRIES_CRATES_IO_PROTOCOL: git # Use the old git protocol until it is stable probably in 1.68 or 1.69. MSRV needs to be at this before removed.
2934
strategy:
3035
fail-fast: false
3136
matrix:
3237
channel:
3338
- "rust-toolchain" # The version defined in rust-toolchain
3439
- "msrv" # The supported MSRV
35-
include:
36-
- channel: "msrv"
37-
version: "1.61.0"
3840

3941
name: Build and Test ${{ matrix.channel }}
4042

4143
steps:
4244
# Checkout the repo
4345
- name: "Checkout"
44-
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
46+
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
4547
# End Checkout the repo
4648

49+
4750
# Install dependencies
4851
- name: "Install dependencies Ubuntu"
4952
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
5053
# End Install dependencies
5154

55+
5256
# Determine rust-toolchain version
5357
- name: Init Variables
5458
id: toolchain
5559
shell: bash
56-
if: ${{ matrix.channel == 'rust-toolchain' }}
5760
run: |
58-
RUST_TOOLCHAIN="$(cat rust-toolchain)"
61+
if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then
62+
RUST_TOOLCHAIN="$(cat rust-toolchain)"
63+
elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then
64+
RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)"
65+
else
66+
RUST_TOOLCHAIN="${{ matrix.channel }}"
67+
fi
5968
echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}"
6069
# End Determine rust-toolchain version
6170

62-
# Uses the rust-toolchain file to determine version
71+
72+
# Only install the clippy and rustfmt components on the default rust-toolchain
6373
- name: "Install rust-toolchain version"
64-
uses: dtolnay/rust-toolchain@55c7845fad90d0ae8b2e83715cb900e5e861e8cb # master @ 2022-10-25 - 21:40 GMT+2
74+
uses: dtolnay/rust-toolchain@fc3253060d0c959bea12a59f10f8391454a0b02d # master @ 2023-03-21 - 06:36 GMT+1
6575
if: ${{ matrix.channel == 'rust-toolchain' }}
6676
with:
6777
toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
6878
components: clippy, rustfmt
6979
# End Uses the rust-toolchain file to determine version
7080

7181

72-
# Install the MSRV channel to be used
82+
# Install the any other channel to be used for which we do not execute clippy and rustfmt
7383
- name: "Install MSRV version"
74-
uses: dtolnay/rust-toolchain@55c7845fad90d0ae8b2e83715cb900e5e861e8cb # master @ 2022-10-25 - 21:40 GMT+2
84+
uses: dtolnay/rust-toolchain@fc3253060d0c959bea12a59f10f8391454a0b02d # master @ 2023-03-21 - 06:36 GMT+1
7585
if: ${{ matrix.channel != 'rust-toolchain' }}
7686
with:
77-
toolchain: ${{ matrix.version }}
87+
toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
7888
# End Install the MSRV channel to be used
7989

8090

8191
# Enable Rust Caching
82-
- uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6 # v2.2.0
92+
- uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1
8393
# End Enable Rust Caching
8494

8595
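Review bot: the step name and the surrounding comments no longer match the new behaviour. New line 82, "Install the any other channel to be used...", has a stray "the", the step on new line 83 is still named "Install MSRV version" although it now installs whatever `matrix.channel` resolves to, and new line 79 still reads "End Uses the rust-toolchain file to determine version"; rename the step to something like "Install non-default toolchain" and fix both comments. The MSRV extraction on new line 64, `RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)"`, relies on `rust-version` sitting on one line with double quotes in `Cargo.toml`; a short comment saying so will save the next person a debugging round when that field is reformatted.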

@@ -184,7 +194,7 @@ jobs:
184194

185195
# Upload artifact to Github Actions
186196
- name: "Upload artifact"
187-
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
197+
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
188198
if: ${{ matrix.channel == 'rust-toolchain' }}
189199
with:
190200
name: vaultwarden

.github/workflows/hadolint.yml

+1-1
@@ -13,7 +13,7 @@ jobs:
1313
steps:
1414
# Checkout the repo
1515
- name: Checkout
16-
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
16+
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
1717
# End Checkout the repo
1818

1919

.github/workflows/release.yml

+136-19
@@ -48,11 +48,23 @@ jobs:
4848
ports:
4949
- 5000:5000
5050
env:
51-
DOCKER_BUILDKIT: 1 # Disabled for now, but we should look at this because it will speedup building!
52-
# DOCKER_REPO/secrets.DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
53-
DOCKER_REPO: ${{ secrets.DOCKERHUB_REPO }}
51+
# Use BuildKit (https://docs.docker.com/build/buildkit/) for better
52+
# build performance and the ability to copy extended file attributes
53+
# (e.g., for executable capabilities) across build phases.
54+
DOCKER_BUILDKIT: 1
5455
SOURCE_COMMIT: ${{ github.sha }}
5556
SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
57+
# The *_REPO variables need to be configured as repository variables
58+
# Append `/settings/variables/actions` to your repo url
59+
# DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
60+
# Check for Docker hub credentials in secrets
61+
HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
62+
# GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
63+
# Check for Github credentials in secrets
64+
HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
65+
# QUAY_REPO needs to be 'quay.io/<user>/<repo>'
66+
# Check for Quay.io credentials in secrets
67+
HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
5668
if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
5769
strategy:
5870
matrix:
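Review bot: `HAVE_GHCR_LOGIN` on new line 64 tests `secrets.GITHUB_TOKEN != ''`, which is always true because that token is provided automatically, so the condition reduces to `vars.GHCR_REPO != ''`; that is acceptable, but the comment on new line 63 ("Check for Github credentials in secrets") is misleading and should say the repo variable is the only real switch. Since the same token is later used to log in to ghcr.io, confirm that the job grants it `packages: write`; this hunk shows no `permissions:` block, and with the default read-only token permissions the GHCR push would fail even though the `HAVE_GHCR_LOGIN` gate passes.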
@@ -61,17 +73,10 @@ jobs:
6173
steps:
6274
# Checkout the repo
6375
- name: Checkout
64-
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
76+
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
6577
with:
6678
fetch-depth: 0
6779

68-
# Login to Docker Hub
69-
- name: Login to Docker Hub
70-
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
71-
with:
72-
username: ${{ secrets.DOCKERHUB_USERNAME }}
73-
password: ${{ secrets.DOCKERHUB_TOKEN }}
74-
7580
# Determine Docker Tag
7681
- name: Init Variables
7782
id: vars
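Review bot: the checkout pin moves from `755da8c3…` (commented v3.2.0) to `8f4b7f84…` (commented v3.5.0); since the version in the trailing comment is the only human-readable check on a SHA pin, confirm the hash resolves to the v3.5.0 tag before merging. Dropping the unconditional Docker Hub login from this position is fine only as long as nothing between `Checkout` and `Init Variables` needs registry access; the visible steps (`fetch-depth: 0`, `id: vars`) do not.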
@@ -85,34 +90,146 @@ jobs:
8590
fi
8691
# End Determine Docker Tag
8792

88-
- name: Build Debian based images
93+
# Login to Docker Hub
94+
- name: Login to Docker Hub
95+
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
96+
with:
97+
username: ${{ secrets.DOCKERHUB_USERNAME }}
98+
password: ${{ secrets.DOCKERHUB_TOKEN }}
99+
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
100+
101+
# Login to GitHub Container Registry
102+
- name: Login to GitHub Container Registry
103+
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
104+
with:
105+
registry: ghcr.io
106+
username: ${{ github.repository_owner }}
107+
password: ${{ secrets.GITHUB_TOKEN }}
108+
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
109+
110+
# Login to Quay.io
111+
- name: Login to Quay.io
112+
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
113+
with:
114+
registry: quay.io
115+
username: ${{ secrets.QUAY_USERNAME }}
116+
password: ${{ secrets.QUAY_TOKEN }}
117+
if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
118+
119+
# Debian
120+
121+
# Docker Hub
122+
- name: Build Debian based images (docker.io)
123+
shell: bash
124+
env:
125+
DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
126+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
127+
run: |
128+
./hooks/build
129+
if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
130+
131+
- name: Push Debian based images (docker.io)
132+
shell: bash
133+
env:
134+
DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
135+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
136+
run: |
137+
./hooks/push
138+
if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
139+
140+
# GitHub Container Registry
141+
- name: Build Debian based images (ghcr.io)
142+
shell: bash
143+
env:
144+
DOCKER_REPO: "${{ vars.GHCR_REPO }}"
145+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
146+
run: |
147+
./hooks/build
148+
if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }}
149+
150+
- name: Push Debian based images (ghcr.io)
151+
shell: bash
152+
env:
153+
DOCKER_REPO: "${{ vars.GHCR_REPO }}"
154+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
155+
run: |
156+
./hooks/push
157+
if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }}
158+
159+
# Quay.io
160+
- name: Build Debian based images (quay.io)
89161
shell: bash
90162
env:
163+
DOCKER_REPO: "${{ vars.QUAY_REPO }}"
91164
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
92165
run: |
93166
./hooks/build
94-
if: ${{ matrix.base_image == 'debian' }}
167+
if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }}
95168

96-
- name: Push Debian based images
169+
- name: Push Debian based images (quay.io)
97170
shell: bash
98171
env:
172+
DOCKER_REPO: "${{ vars.QUAY_REPO }}"
99173
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
100174
run: |
101175
./hooks/push
102-
if: ${{ matrix.base_image == 'debian' }}
176+
if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }}
177+
178+
# Alpine
179+
180+
# Docker Hub
181+
- name: Build Alpine based images (docker.io)
182+
shell: bash
183+
env:
184+
DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
185+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
186+
run: |
187+
./hooks/build
188+
if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
189+
190+
- name: Push Alpine based images (docker.io)
191+
shell: bash
192+
env:
193+
DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
194+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
195+
run: |
196+
./hooks/push
197+
if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
198+
199+
# GitHub Container Registry
200+
- name: Build Alpine based images (ghcr.io)
201+
shell: bash
202+
env:
203+
DOCKER_REPO: "${{ vars.GHCR_REPO }}"
204+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
205+
run: |
206+
./hooks/build
207+
if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }}
208+
209+
- name: Push Alpine based images (ghcr.io)
210+
shell: bash
211+
env:
212+
DOCKER_REPO: "${{ vars.GHCR_REPO }}"
213+
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
214+
run: |
215+
./hooks/push
216+
if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }}
103217

104-
- name: Build Alpine based images
218+
# Quay.io
219+
- name: Build Alpine based images (quay.io)
105220
shell: bash
106221
env:
222+
DOCKER_REPO: "${{ vars.QUAY_REPO }}"
107223
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
108224
run: |
109225
./hooks/build
110-
if: ${{ matrix.base_image == 'alpine' }}
226+
if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }}
111227

112-
- name: Push Alpine based images
228+
- name: Push Alpine based images (quay.io)
113229
shell: bash
114230
env:
231+
DOCKER_REPO: "${{ vars.QUAY_REPO }}"
115232
DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
116233
run: |
117234
./hooks/push
118-
if: ${{ matrix.base_image == 'alpine' }}
235+
if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }}
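Review bot: the ghcr.io login authenticates with `password: ${{ secrets.GITHUB_TOKEN }}`, and a push to ghcr.io with that token requires `packages: write` in the job or workflow `permissions`, which this diff does not add; without it the `Push ... (ghcr.io)` steps fail after a successful build, so either add the permission scoped to this job or note that the repository default already grants it. Also, the twelve build/push steps differ only in `DOCKER_REPO`, the `-alpine` tag suffix and the `HAVE_*_LOGIN` gate; a second matrix dimension over the registry (or a loop inside one `run:` block) would reduce this to two steps and remove the risk of one copy drifting. Finally, because every build step is gated on a login flag, a fork with no registry credentials configured gets no image build at all and cannot catch Dockerfile breakage; consider gating only the push steps on the login flags.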

.hadolint.yaml

+4
@@ -3,5 +3,9 @@ ignored:
33
- DL3008
44
# disable explicit version for apk install
55
- DL3018
6+
# disable check for consecutive `RUN` instructions
7+
- DL3059
68
trustedRegistries:
79
- docker.io
10+
- ghcr.io
11+
- quay.io
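Review bot: adding `ghcr.io` and `quay.io` to `trustedRegistries` makes hadolint's trusted-registry check accept a base image from any namespace on those registries, not only the project's own; if the hadolint version in use accepts namespace-qualified entries, scoping them to the namespaces this Dockerfile actually pulls from keeps the check meaningful. The new `DL3059` ignore is commented with what it disables but not why; one line of rationale next to `- DL3059` would help the next person deciding whether to re-enable it.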

0 commit comments
