Initial copy-pasta of server config

Co-authored-by: Jake Fink <jlf0dev@users.noreply.github.com>

docs/.gitignore

@@ -0,0 +1,2 @@
+.structurizr
+export

docs/admin_console/models.dsl

@@ -0,0 +1,14 @@
+admin = person "Organization Admin" "An administrator of an organization" {
+  tags "Admin"
+}
+provider = person "MSP" "And employee of a managed service provider" {
+  tags "MSP"
+}
+
+!element server {
+  scim = container "SCIM" {
+    tags "SCIM"
+  }
+}
+
+directory_connector -> server.api "Syncs users and groups to Bitwarden"

docs/admin_console/relationships.dsl

@@ -0,0 +1 @@
+server.scim -> server.database "Queries"

docs/admin_console/views.dsl

@@ -0,0 +1,10 @@
+styles {
+  element "Person" {
+    background #3107d3
+    shape person
+  }
+  element "MSP" {
+    background #3107d3
+    shape person
+  }
+}

docs/auth/models.dsl

@@ -0,0 +1,8 @@
+!element server {
+  identity = container "Identity" {
+    tags "Auth"
+  }
+  sso = container "SSO" {
+    tags "Auth"
+  }
+}

docs/auth/relationships.dsl

@@ -0,0 +1,2 @@
+server.identity -> server.database "Queries"
+server.sso -> server.database "Queries"

docs/billing/models.dsl

@@ -0,0 +1,14 @@
+# External vendors
+group "Payment Systems" {
+  stripe = softwareSystem "Stripe" {
+    tags "External"
+    tags "Billing"
+    description "Handles credit cards and subscriptions."
+  }
+  braintree = softwareSystem "Braintree" {
+    tags "External"
+    tags "Billing"
+    description "Handles PayPal and cryptocurrency."
+  }
+}
+

docs/billing/relationships.dsl

@@ -0,0 +1,4 @@
+# High-level provider relationships
+server.api.billing -> stripe "Requests payments for customers"
+server.api.billing -> braintree "Requests payments for customers"
+stripe -> server.api.billing "Sends subscription events to"

docs/bitwarden_system.dsl

@@ -0,0 +1,56 @@
+workspace "Bitwarden Server System" {
+
+  !identifiers hierarchical
+
+  !docs "usage_docs"
+  model {
+    properties {
+      "structurizr.groupSeparator" "/"
+    }
+
+    # Include shared level models
+    !include "shared.models.dsl"
+
+    # Include team level models
+    !include "admin_console/models.dsl"
+    !include "auth/models.dsl"
+    !include "billing/models.dsl"
+    !include "key_management/models.dsl"
+    !include "platform/models.dsl"
+    !include "tools/models.dsl"
+    !include "vault/models.dsl"
+
+    # Include shared level relationships
+    !include "shared.relationships.dsl"
+
+
+    !include "admin_console/relationships.dsl"
+    !include "auth/relationships.dsl"
+    !include "billing/relationships.dsl"
+    !include "key_management/relationships.dsl"
+    !include "platform/relationships.dsl"
+    !include "tools/relationships.dsl"
+    !include "vault/relationships.dsl"
+  }
+
+  views {
+    !include "admin_console/views.dsl"
+    !include "auth/views.dsl"
+    !include "billing/views.dsl"
+    !include "key_management/views.dsl"
+    !include "platform/views.dsl"
+    !include "tools/views.dsl"
+    !include "vault/views.dsl"
+
+    systemLandscape "Bitwarden" {
+      include *
+    }
+
+    container server "Bitwarden_Server" {
+      include *
+    }
+
+    // This is last to override team styles with common styles
+    !include "shared.views.dsl"
+  }
+}

docs/key_management/relationships.dsl

@@ -0,0 +1 @@
+key_connector -> server.identity "Validates JWTs with"

docs/platform/icons/models.dsl

@@ -0,0 +1,59 @@
+!element server {
+  icons = container "Icons" {
+    !docs "threat_model.md"
+    icons_controller = component "IconsController" {
+      description "IconsController"
+      technology "C# ASP.NET Core"
+      
+    }
+    info_controller = component "InfoController" {
+      description "Provides information about the deployed icon service. Allow for health checks."
+      technology "C# ASP.NET Core"
+      tags "Info" "HealthCheck"
+    }
+    icon_determination = component "IconDetermination" {
+      description "Resolves a single source for a website icon and downloads it."
+    }
+    icon_cache = component "IconCache" {
+      description "Caches icons for a given domain"
+      tags "Cache"
+      technology "C# MemoryCache"
+    }
+
+    clients -> icons_controller "Requests icons for cleartext urls from" {
+      perspectives {
+        "Security" "\
+        Icons 1.2.1 Broken SSL communication exposes vault contents to network administrators \n\n\
+        Icons 1.2.2 Tracking of user vault contents by ip correlation between identity and icons services \n\n\
+        Icons 1.2.3 No SLA offered on Icons service, graceful degradation of features needed if it goes down \n\n\
+        Icons 1.2.4 SSRF through crafted input resolving to a location the server has elevated privileges in\
+        "
+      }
+    }
+    icons_controller -> icon_determination "Requests icons from"
+    icons_controller -> icon_cache "Caches icons in" {
+      perspectives {
+        "Security" "\
+        Icons 1.3.1 Aggregate vault content leak through timing attack on cache \n\n\
+        Icons 1.3.2 Possible injection attack through cache key \n\n\
+        Icons 1.3.3 & Icons 1.3.4 Cache bloat leading to DoS \n\n\
+        Icons 1.3.5 Cache poisoning leading to incorrect icon storage \
+        "
+      }
+    }
+  }
+}
+
+dns = softwareSystem "DNS" {
+  tags "External"
+  tags "Icons"
+}
+
+server.icons.icon_determination -> dns "Resolves IP addresses for domain names from"
+
+external_websites = softwareSystem "External Websites" {
+  tags "External"
+  tags "Icons"
+}
+
+server.icons.icon_determination -> external_websites "Retrieves icons from"

docs/platform/icons/threat_model.md

@@ -0,0 +1,167 @@
+## Threat Model
+
+### Example Model or Relationship
+
+#### Example Threat
+
+- **Type**: type
+- **Priority**: TBD/Low/Medium/High/Critical
+- **Likelihood**: TBD/Low/Medium/High/Critical
+- **Impact**: TBD/Low/Medium/High/Critical
+
+description of the threat.
+
+##### Example Threat Mitigations
+
+describe the mitigations for the threat.
+
+### Clients -> IconsController
+
+Communication from clients to the icons component. This is an unauthenticated endpoint with minimal input validation.
+
+#### SSL termination exposes vault contents to network administrators
+
+- **Type**: Information Disclosure
+- **Priority**: TBD
+- **Likelihood**: TBD
+- **Impact**: TBD
+
+A machine with SSL terminating proxies cannot rely on encrypted query parameters hiding vault contents from network administrators.
+
+##### Mitigations
+
+- <span style="color:red">Not Implemented</span>: Establish encrypted pipe communication with Icons service prior to requesting icon resolution
+
+#### Cleartext transmission of vault contents to Server
+
+- **Type**: Information Disclosure
+- **Priority**: TBD
+- **Likelihood**: TBD
+- **Impact**: TBD
+
+Server-side after TLS by necessity to lookup a favicon. However, to maintain our promises as a no-log proxy, we need to be sure not to maintain ip records for icon service requests
+
+##### Mitigations
+
+- <span style="color:red">Unconfirmed</span>: Configure network edge and datadog to drop this identifying data.
+
+#### No SLA offered on Icons service
+
+- **Type**: Denial of Service
+- **Priority**: TBD
+- **Likelihood**: TBD
+- **Impact**: TBD
+
+We do not offer SLA on up time of icons service. Clients may be unable to resolve icons, and we need to determine a graceful degradation strategy.
+
+##### Mitigations
+
+- <span style="color:green">Done</span>: Default icon fallback (globe)
+- <span style="color:red">Not Implemented, Not Prioritized</span>: Local cache of retrieved icons
+
+#### SSRF by proxied requests
+
+- **Type**: Elevation of Privilege / Information Disclosure
+- **Priority**: TBD
+- **Likelihood**: TBD
+- **Impact**: TBD
+
+The service is designed to proxy requests to arbitrary URLs. This can be used to access internal network resources.
+
+If a site redirects to an internal network address, the internal network topography may be exposed to the client.
+
+##### Mitigations
+
+- <span style="color:green">Done</span>: Isolation of the icons component from the rest of the system intranet.
+- <span style="color:green">Done</span>: Avoid fetching by domain name. All requests must be first resolved to an IP address and filtered against internal network ranges, defined as:
+
+  - `::1`, `::`, `::ffff:`
+  - IPv6 and starting with `fc`, `fd`, `fe`, or `ff`
+  - IPv4 and starting with `0.`, `10.`, `100.`, `127.`, `169.254`, `172.16-31`, or `192.168`
+
+  This is done in the `IconDetermination` component
+
+### IconsController -> IconCache
+
+Communication from the icons controller to a mem cache of previously retrieved icons, keyed by original domain requested.
+
+#### Cache determination through timing measurements
+
+- **Type**: Information Disclosure
+- **Priority**: Low
+- **Likelihood**: Low
+- **Impact**: Low
+
+By measuring the time it takes to retrieve an icon, an attacker may be able to determine if a domain has been previously requested by another user, revealing that some user on the service has that domain in their vault.
+
+##### Mitigations
+
+<span style="color:red">None identified</span>
+
+#### Unescaped storage of user-input data in cache
+
+- **Type**: Tampering
+- **Priority**: Low
+- **Likelihood**: Low
+- **Impact**: Low
+
+Unescaped user input data may be stored as keys in the cache. This input data is not executed, but if the storage method is changed in the future, this may lead to some injection attack.
+
+##### Mitigations
+
+<span style="color:red">None identified</span>
+
+#### Cache bloat through intentionally large icons
+
+- **Type**: Denial of Service
+- **Priority**: TBD
+- **Likelihood**: TBD
+- **Impact**: TBD
+
+User request may intentionally resolve to very large icons, bloating the cache and increasing memory requirements.
+
+<span style="color:red">Open question</span>: Should we also limit the size of icons fetched?
+
+##### Mitigations
+
+<span style="color:green">Done</span>: Limit size of icons stored in cache
+
+#### Cache bloat through many unique domain requests
+
+- **Type**: Denial of Service
+- **Priority**: TBD
+- **Likelihood**: TBD
+- **Impact**: TBD
+
+User request may intentionally resolve many unique domains to resolve that may or may not exist, bloating the cache and increasing memory requirements.
+
+##### Mitigations
+
+<span style="color:red">Unconfirmed</span>: Rate limit requests to the icons service
+
+#### Storage of potentially sensitive data as keys or values in cache
+
+- **Type**: Information Disclosure
+- **Priority**: TBD
+- **Likelihood**: TBD
+- **Impact**: TBD
+
+Upload of urls is automatic to our icon service. If our filters for upload are incorrect, we may store sensitive data in our cache. For example, onion addresses.
+
+##### Mitigations
+
+<span style="color:green">Done</span>: Avoid filter known sensitive urls
+<span style="color:red">Not implemented, Not prioritized</span>: Add client-side setting to disable icon request for a given url or pattern
+
+#### Cache poisoning via dns poisoning
+
+- **Type**: Tampering
+- **Priority**: Low
+- **Likelihood**: Low
+- **Impact**: Low
+
+DNS poisoning would lead to incorrect icons being cached for a given domain.
+
+##### Mitigations
+
+<span style="color:red">None Identified</span>

docs/platform/models.dsl

@@ -0,0 +1 @@
+!include "icons/models.dsl"

docs/platform/views.dsl

@@ -0,0 +1,3 @@
+component server.icons "icons_service" {
+  include *
+}

docs/shared.models.dsl

@@ -0,0 +1,82 @@
+# Person types
+user = person "Bitwarden User" "An end user of the Bitwarden System"
+system_admin = person "System Admin" "Either a Bitwarden site-reliability engineer or administrator of a self-hosted instance" {
+  tags "Bitwarden Employee" "Self-Host Admin"
+}
+
+
+bw_controlled = group "Bitwarden Controlled" {
+  # Bitwarden staff
+  customer_success = person "Customer Success" "A customer success engineer. Inspects bitwarden state through the admin portal and internal tools" {
+    tags "Bitwarden Employee"
+  }
+  
+  # Root systems
+  server = softwareSystem "Bitwarden Server" {
+    api = container "API" {
+      billing = component "Billing" {
+        tags "Billing"
+      }
+      tags "API"
+    }
+    events = container "Events" {
+      tags "Events"
+    }
+    notifications = container "Notifications"
+    portal = container "Bitwarden Portal" {
+      tags "Web"
+    }
+    events_processor = container "Events Processor" {
+      tags "Events"
+    }
+
+    # Data stores
+    database = container "Database" {
+      tags "Database"
+    }
+    events_queue = container "Events Queue" {
+      tags "Queue"
+      tags "Azure"
+    }
+    mail_queue = container "Mail Queue" {
+      tags "Queue"
+      tags "Azure"
+    }
+    notifications_queue = container "Notifications Queue" {
+      tags "Queue"
+      tags "Azure"
+    }
+  }
+  clients = softwareSystem "Clients" {
+    web = container "Web Application" {
+      tags "Web"
+    }
+    ios = container "iOS Application" {
+      tags "Mobile"
+    }
+    android = container "Android Application" {
+      tags "Mobile"
+    }
+    browser_extension = container "Browser Extension" {
+      tags "Browser"
+    }
+    cli = container "CLI" {
+      tags "CLI"
+    }
+    desktop = container "Desktop Application" {
+      tags "Desktop"
+    }
+  }
+  directory_connector = softwareSystem "Directory Connector" {
+    tags "Directory"
+    tags "LDAP"
+    tags "Self-Hosted"
+  }
+  key_connector = softwareSystem "Key Connector" 
+}
+
+self_hosted_instances = softwareSystem "Self-Hosted Instances" {
+  tags "Self-Hosted"
+  tags "External"
+  description "Self-hosted instances of Bitwarden servers"
+}

docs/shared.relationships.dsl

@@ -0,0 +1,47 @@
+# User Relationships
+user -> clients.web "Uses"
+user -> clients.ios "Uses"
+user -> clients.android "Uses"
+user -> clients.browser_extension "Uses"
+user -> clients.cli "Uses"
+user -> clients.desktop "Uses"
+admin -> clients.web "Administers Organizations"
+provider -> server.portal "Completes Provider registration with"
+provider -> clients.web "Administers Providers and Organizations"
+customer_success -> server.portal "Inspects and supports"
+system_admin -> server.portal "Administers System"
+
+# High-level Client Relationships
+clients.web -> server.api "Makes requests to"
+clients.ios -> server.api "Makes requests to"
+clients.android -> server.api "Makes requests to"
+clients.browser_extension -> server.api "Makes requests to"
+clients.cli -> server.api "Makes requests to"
+clients.desktop -> server.api "Makes requests to"
+clients.web -> server.identity "Authenticates with"
+clients.ios -> server.identity "Authenticates With"
+clients.android -> server.identity "Authenticates With"
+clients.browser_extension -> server.identity "Authenticates With"
+clients.cli -> server.identity "Authenticates With"
+clients.desktop -> server.identity "Authenticates With"
+server.api -> server.identity "Validates JWTs with" {
+  url "https://bitwarden.com"
+}
+clients -> server.events "Posts local usage events to"
+
+# Database Relationships
+
+server.api -> server.database "Queries"
+server.portal -> server.database "Queries"
+
+# queue Relationships
+server.api -> server.events_queue "Sends events to"
+server.events -> server.events_queue "Sends events to"
+server.api -> server.mail_queue "Sends emails to"
+server.api -> server.notifications_queue "Sends notifications to"
+server.notifications -> server.notifications_queue "Sends notifications to"
+server.events_queue -> server.events_processor "Processes events from"
+server.mail_queue -> server.portal "Processes emails from"
+
+# self host phone home
+self_hosted_instances -> server.notifications "Sends push notification proxy requests to"

docs/shared.views.dsl

@@ -0,0 +1,32 @@
+styles {
+  theme default
+  element "Element" {
+    color #3c3b3b
+  }
+  element "Person" {
+    background #d34407
+    shape person
+  }
+  element "Container" {
+    background #f88728
+  }
+  element "MSP" {
+    background #3107d3
+  }
+  element "Queue" {
+    shape pipe
+  }
+  element "Mobile" {
+    shape mobileDevicePortrait
+  }
+  element "Web" {
+    shape webBrowser
+  }
+  element "Database" {
+    shape cylinder
+  }
+  element "External" {
+    color #000000
+    background #b5b5b5
+  }
+}

docs/structurizr.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+## start Structurizr Lite with the given workspace file, relative to the current working directory. Omit the file extension.
+## Optional second argument of a port number to use. Default is 8085.
+
+echo "hosting on http://localhost:${PORT:=${2:-8085}}"
+# Check if the workspace file exists
+if [ ! -f "$1.dsl" ]; then
+  echo "Workspace file $1 does not exist."
+  exit 1
+fi
+
+docker run -it --rm -p $PORT:8080 -v $(pwd):/usr/local/structurizr -e STRUCTURIZR_WORKSPACE_FILENAME=$1 structurizr/lite

docs/usage_docs/file_hierarchy.md

@@ -0,0 +1 @@
+## File Hierarchy

docs/usage_docs/perspectives.md

@@ -0,0 +1,26 @@
+## Perspectives
+
+### Security
+
+Highlights models and relationships identified as a part of [threat modeling](https://www.threatmodelingmanifesto.org/).
+
+Identified threats are expected to be itemized in the perspective description, tagged with an appropriate `Security: threat` tag, and include a `!docs` property that describes the threat and mitigations. [`-> (relationships)`](https://docs.structurizr.com/dsl/language#relationship) do not allow for a `!docs` property, so a `url` property is used instead, linking to the appropriate section of the published docs.
+
+#### Example Model or Relationship
+
+##### Example Threat
+
+- **Type**: type
+- **Priority**: TBD/Low/Medium/High/Critical
+- **Likelihood**: TBD/Low/Medium/High/Critical
+- **Impact**: TBD/Low/Medium/High/Critical
+
+description of the threat.
+
+###### Example Threat Mitigations
+
+describe the mitigations for the threat and whether or not they are complete
+
+### SRE
+
+Highlights concerns and requirements for cloud deployments.

docs/usage_docs/tags.md

@@ -0,0 +1,49 @@
+## Tags
+
+### Admin
+
+### API
+
+### Auth
+
+### Azure
+
+### Billing
+
+### Bitwarden Employee
+
+### Browser
+
+### CLI
+
+### Cloud Host Requirement
+
+### Database
+
+### Desktop
+
+### Directory
+
+### Events
+
+### External
+
+### HealthCheck
+
+### Icons
+
+### LDAP
+
+### MSP
+
+### Mobile
+
+### Queue
+
+### SCIM
+
+### Security:Privacy
+
+### Self-Hosted
+
+### Web