bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Always error "Logout before server config update" when CLI run in systemd service #10109

Open marius opened 1 month ago

marius commented 1 month ago

Steps To Reproduce

I'm running the bitwarden CLI client in a script started by systemd to do a restore test of a backup.

Now every time I run bw config server http://127.0.0.1:55555 I get Logout required before server config update. even when running bw logout right before the command (it says You are not logged in.). When running the same commands in a normal user shell things work as expected.

bw is installed via Snap on Ubuntu 24.04.

Reverting back to the previous version fixed the issue:

$ snap list bw --all
Name  Version   Rev  Tracking       Publisher   Notes
bw    2024.6.0  64   latest/stable  bitwarden✓  disabled
bw    2024.6.1  65   latest/stable  bitwarden✓  -
$ sudo snap revert bw
bw reverted to 2024.6.0

Expected Result

It should just work like in version 2024.6.0.

Actual Result

Error Logout required before server config update.

Screenshots or Videos

No response

Additional Context

I think the problem was introduced by https://github.com/bitwarden/clients/pull/9347

Operating System

Linux

Operating System Version

Ubuntu 24.04

Shell

Bash

Build Version

2024.6.1

SergeantConfused commented 1 month ago

Hi @marius,

Thank you for this report. Could you please walk me through how you set that script up?

Thank you in advance,

marius commented 1 month ago

/usr/libexec/vaultwarden-restore-test

#!/bin/bash

source /etc/resticenv
VAULT_PASSWORD=example123

set -Eeuxo pipefail

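cleanup() {
  rc=$?
  cd /
  # CONTAINER is unset if the script exits before `docker run`;
  # guard it so `set -u` does not abort the rest of the cleanup.
  if [[ -n "${CONTAINER:-}" ]]; then
    docker stop "$CONTAINER"
  fi
  bw logout || true
  rm -r "$WORKDIR"
  exit $rc
}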

WORKDIR=$(mktemp -d)
if [[ ! -d "$WORKDIR" ]]; then
  echo "Could not create temp dir"
  exit 1
fi
cd $WORKDIR
trap cleanup EXIT

export RESTIC_PROGRESS_FPS=0.05
PARAMS='--limit-download=4000 --limit-upload=4000 --verbose'
SNAPSHOT=$(restic $PARAMS --json snapshots --tag=docker latest)
ID=$(echo $SNAPSHOT | jq -r '.[].id')
DATETIME=$(echo $SNAPSHOT | jq -r '.[].time')
TIMESTAMP=$(date --date "$DATETIME" '+%s')
if [ "$TIMESTAMP" -lt "$(date --date '2 days ago' '+%s')" ]; then
  echo "Snapshot too old"
  exit 1
fi

restic $PARAMS restore --tag=docker --include=docker/vaultwarden --target=. "$ID" 2>&1 | cat

IC=$(sqlite3 ${WORKDIR}/tank/.zfs/snapshot/backup/docker/vaultwarden/db.sqlite3 "PRAGMA integrity_check")
if [ "$IC" != ok ]; then
  echo "Integrity check of the database failed"
  exit 1
fi

docker pull vaultwarden/server
CONTAINER=$(docker run -d -it --rm --name vaultwarden-restore-test -v ${WORKDIR}/tank/.zfs/snapshot/backup/docker/vaultwarden:/data -p 127.0.0.1:55555:80 vaultwarden/server)

# Make sure we are not logged in
bw logout || true 
bw config server http://127.0.0.1:55555
set +x
SESSION=$(echo $VAULT_PASSWORD | bw --raw login test@example.com)
set -x

PASSWORD=$(bw list items --session=$SESSION | jq -r '.[0].login.password')
if [ "$PASSWORD" != restore-test ]; then
  echo "Password did not match: $PASSWORD != restore-test"
  exit 1
fi

LENGTH=$(bw list items --session=$SESSION | jq '. | length')
if [ "$LENGTH" -ne 1 ]; then
  echo "Number of items != 1"
  exit 1
fi

/etc/systemd/system/vaultwarden-restore-test.service

[Unit]
Description=Restore a backup of Vaultwarden and test it

[Service]
Type=oneshot
ExecStart=/usr/libexec/vaultwarden-restore-test

/etc/systemd/system/vaultwarden-restore-test.timer

[Unit]
Description=Run vaultwarden-restore-test regularly

[Timer]
OnCalendar=09:38

[Install]
WantedBy=timers.target

sincerelysaucy commented 1 month ago

That "vaultwarden-restore-test" file is really scary, with the password stored in plain text in a file that is likely set to be readable by everyone. And echoing VAULT_PASSWORD which may have syntactic sugar in it like pound signs, &, quote marks, or semi-colons is just begging for password management pain in the shell scripting, in ways unlikely to occur on a normal command line.
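
The two concerns in the comment above (a readable secret file and an unquoted `echo` of the password), as an added example that is not part of the thread or of the Bitwarden project: the script refuses a secret file that has any group/other permission bits and shows what an unquoted `echo $VAR` actually changes. The function names, the temporary path and the sample password are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): private secret file + exact-byte hand-off.
# All paths and the sample password are constructed for illustration.

# Succeeds only if $1 is a regular, non-symlink file with no group/other bits.
secret_file_is_private() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  local perms
  perms=$(ls -ld -- "$1" | cut -c5-10)   # "------" for mode 0600 or 0400
  [ "$perms" = "------" ]
}

# Prints the first line of the secret file byte-for-byte, or fails closed.
read_secret() {
  local secret=
  secret_file_is_private "$1" || { echo "refusing $1: not private" >&2; return 1; }
  # Accept a file without a trailing newline; reject an empty one.
  IFS= read -r secret < "$1" || [ -n "$secret" ] || return 1
  printf '%s' "$secret"
}

# What a pipe receives from an unquoted `echo $VAR`: the value is word-split
# (and glob-expanded) first, so runs of whitespace collapse.
unquoted_echo() {
  local value=$1
  echo $value
}

# Constructed demo run.
demo() {
  local dir pw
  dir=$(mktemp -d) || return 1
  pw='s3cr  et;#&"x'                      # constructed; two spaces inside
  ( umask 077; printf '%s\n' "$pw" > "$dir/pw" )
  echo "exact:    [$(read_secret "$dir/pw")]"
  echo "unquoted: [$(unquoted_echo "$pw")]"
  chmod 644 "$dir/pw"                     # now world-readable
  read_secret "$dir/pw" >/dev/null 2>&1 || echo "0644 file refused"
  rm -r "$dir"
}
demo
```

In a systemd unit, such a file can be handed to the service with `LoadCredential=` and read from `$CREDENTIALS_DIRECTORY` instead of being embedded in the script.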

marius commented 1 month ago

Well, this is, of course, a restore-test account, and the password doesn't contain any weird characters.

SergeantConfused commented 1 month ago

Hi @marius,

Thank you for your patience. This matter has been escalated for further investigation; if you have any additional information that you think may assist, please feel free to post it below.

Thank you again,

petertheautomator commented 1 month ago

I have the same issue with version 2024.7.2 of the Windows CLI.

Version 2024.6.0 works fine, so I reverted back to that one. Same symptoms as @marius is experiencing.

Command:

bw config server https://vault.bitwarden.eu --response