Merge pull request #102 from bitwarden/cert-empty-subject

Fix handling of empty subject names in certs
2025-12-05 23:53:21 +00:00 · 2021-03-11 13:11:36 +10:00 · 2021-03-11 12:43:29 +10:00 · 2021-03-10 12:13:32 -05:00 · 2021-03-10 09:05:02 +10:00 · 2021-03-09 11:33:45 -06:00
5 changed files with 45 additions and 20 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -147,42 +147,42 @@ jobs:
            -t sha256 | Out-File ./dist-cli/bwdc-linux-sha256-${env:PACKAGE_VERSION}.txt

      - name: Upload windows zip to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: bwdc-windows-${{ env.PACKAGE_VERSION }}.zip
          path: ./dist-cli/bwdc-windows-${{ env.PACKAGE_VERSION }}.zip

      - name: Upload mac zip to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: bwdc-macos-${{ env.PACKAGE_VERSION }}.zip
          path: ./dist-cli/bwdc-macos-${{ env.PACKAGE_VERSION }}.zip

      - name: Upload linux zip to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: bwdc-linux-${{ env.PACKAGE_VERSION }}.zip
          path: ./dist-cli/bwdc-linux-${{ env.PACKAGE_VERSION }}.zip

      - name: Upload windows checksum to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: bwdc-windows-sha256-${{ env.PACKAGE_VERSION }}.txt
          path: ./dist-cli/bwdc-windows-sha256-${{ env.PACKAGE_VERSION }}.txt

      - name: Upload mac checksum to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: bwdc-macos-sha256-${{ env.PACKAGE_VERSION }}.txt
          path: ./dist-cli/bwdc-macos-sha256-${{ env.PACKAGE_VERSION }}.txt

      - name: Upload linux checksum to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: bwdc-linux-sha256-${{ env.PACKAGE_VERSION }}.txt
@@ -258,14 +258,14 @@ jobs:
        run: dir ./dist

      - name: Publish Portable Exe to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-Connector-Portable-${{ env.PACKAGE_VERSION }}.exe
          path: ./dist/Bitwarden-Connector-Portable-${{ env.PACKAGE_VERSION }}.exe

      - name: Publish Installer Exe to GitHub
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-Connector-Installer-${{ env.PACKAGE_VERSION }}.exe
@@ -305,7 +305,7 @@ jobs:
        run: npm run dist:lin

      - name: Publish AppImage
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-Connector-${{ env.PACKAGE_VERSION }}-x86_64.AppImage
@@ -369,21 +369,21 @@ jobs:
        run: npm run build

      - name: Build application (dist)
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        run: npm run dist:mac
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}

      - name: Upload .zip artifact
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-Connector-${{ env.PACKAGE_VERSION }}-mac.zip
          path: ./dist/Bitwarden-Connector-${{ env.PACKAGE_VERSION }}-mac.zip

      - name: Upload .dmg artifact
-        if: github.ref == 'refs/heads/master'
+        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-Connector-${{ env.PACKAGE_VERSION }}.dmg
--- a/2
+++ b/2
--- a/src/package.json
+++ b/src/package.json
@@ -2,7 +2,7 @@
  "name": "bitwarden-directory-connector",
  "productName": "Bitwarden Directory Connector",
  "description": "Sync your user directory to your Bitwarden organization.",
-  "version": "2.9.0",
+  "version": "2.9.1",
  "author": "Bitwarden Inc. <hello@bitwarden.com> (https://bitwarden.com)",
  "homepage": "https://bitwarden.com",
  "license": "GPL-3.0",
--- a/src/services/azure-directory.service.ts
+++ b/src/services/azure-directory.service.ts
@@ -90,7 +90,7 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
                        continue;
                    }
                    const entry = this.buildUser(user);
-                    if (await this.filterOutUserResult(setFilter, entry)) {
+                    if (await this.filterOutUserResult(setFilter, entry, true)) {
                        continue;
                    }

@@ -147,7 +147,7 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
                    if (!entry.disabled && !entry.deleted) {
                        continue;
                    }
-                    if (await this.filterOutUserResult(setFilter, entry)) {
+                    if (await this.filterOutUserResult(setFilter, entry, false)) {
                        continue;
                    }

@@ -257,7 +257,8 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
        return [userSetType, set];
    }

-    private async filterOutUserResult(setFilter: [UserSetType, Set<string>], user: UserEntry): Promise<boolean> {
+    private async filterOutUserResult(setFilter: [UserSetType, Set<string>], user: UserEntry,
+        checkGroupsFilter: boolean): Promise<boolean> {
        if (setFilter == null) {
            return false;
        }
@@ -273,6 +274,10 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
            return this.filterOutResult([userSetTypeExclude, setFilter[1]], user.email);
        }

+        // We need to *not* call the /checkMemberGroups method for deleted users, it will always fail
+        if (!checkGroupsFilter) {
+            return false;
+        }
        const memberGroups = await this.client.api(`/users/${user.externalId}/checkMemberGroups`).post({
            groupIds: Array.from(setFilter[1]),
        });
--- a/src/services/ldap-directory.service.ts
+++ b/src/services/ldap-directory.service.ts
@@ -1,6 +1,8 @@
 import * as fs from 'fs';
 import * as ldap from 'ldapjs';

+import { checkServerIdentity, PeerCertificate } from 'tls';
+
 import { DirectoryType } from '../enums/directoryType';

 import { GroupEntry } from '../models/groupEntry';
@@ -360,9 +362,8 @@ export class LdapDirectoryService implements IDirectoryService {
                }
            }

-            if (Object.keys(tlsOptions).length > 0) {
-                options.tlsOptions = tlsOptions;
-            }
+            tlsOptions.checkServerIdentity = this.checkServerIdentityAltNames;
+            options.tlsOptions = tlsOptions;

            this.client = ldap.createClient(options);

@@ -425,4 +426,23 @@ export class LdapDirectoryService implements IDirectoryService {
            '-' + Utils.fromBufferToHex(p4) + '-' + Utils.fromBufferToHex(p5);
        return guid.toLowerCase();
    }
+
+    private checkServerIdentityAltNames(host: string, cert: PeerCertificate) {
+        // Fixes the cert representation when subject is empty and altNames are present
+        // Required for node versions < 12.14.1 (which could be used for bwdc cli)
+        // Adapted from: https://github.com/auth0/ad-ldap-connector/commit/1f4dd2be6ed93dda591dd31ed5483a9b452a8d2a
+        // See https://github.com/nodejs/node/issues/11771 for details
+        if (cert && cert.subject == null && /(IP|DNS|URL)/.test(cert.subjectaltname)) {
+            cert.subject = {
+                C: null,
+                ST: null,
+                L: null,
+                O: null,
+                OU: null,
+                CN: null
+            }
+        }
+
+        return checkServerIdentity(host, cert);
+    }
 }
Author	SHA1	Message	Date
Thomas Rittson	9cfa646bcb	Merge pull request #102 from bitwarden/cert-empty-subject Fix handling of empty subject names in certs	2021-03-11 13:11:36 +10:00
Thomas Rittson	b4301c7d41	Fix handling of empty subject names in certs	2021-03-11 12:43:29 +10:00
Chad Scharf	71b5f6a38a	Merge pull request #101 from bitwarden/version-bump Patch release version bump to 2.9.1	2021-03-10 12:13:32 -05:00
Thomas Rittson	1c0052fe30	Patch release version bump to 2.9.1	2021-03-10 09:05:02 +10:00
Matt Gibson	35862acb73	Update jslib (#100 )	2021-03-09 11:33:45 -06:00
Chad Scharf	11cf64fcc7	Merge pull request #99 from bitwarden/fix/deleted-user-fail Don't check user group filter for deleted users	2021-03-05 18:04:01 -05:00
Chad Scharf	2ab37b45cf	Don't check user group filter for deleted users	2021-03-05 15:49:57 -05:00
Joseph Flinn	7096fc830b	adding the build assets for the rc branch (#98 )	2021-03-04 10:25:23 -08:00
Matt Gibson	39806b7d96	Update jslib (#97 )	2021-03-02 13:30:11 -06:00