mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-08-28 05:24:49 +00:00
vaultwarden/playwright
Timshel cff6c2b3af
SSO using OpenID Connect (#3899)
* Add SSO functionality using OpenID Connect

Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>

* Improvements and error handling

* Stop rolling device token

* Add playwright tests

* Activate PKCE by default

* Ensure result order when searching for sso_user

* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION

* Toggle SSO button in scss

* Base64 encode state before sending it to providers

* Prevent disabled User from SSO login

* Review fixes

* Remove unused UserOrganization.invited_by_email

* Split SsoUser::find_by_identifier_or_email

* api::Accounts::verify_password add the policy even if it's ignored

* Disable signups if SSO_ONLY is activated

* Add verifiedDate to organizations::get_org_domain_sso_details

* Review fixes

* Remove OrganizationId guard from get_master_password_policy

* Add wrapper type OIDCCode OIDCState OIDCIdentifier

* Membership::confirm_user_invitations fix and tests

* Allow set-password only if account is uninitialized

* Review fixes

* Prevent accepting another user invitation

* Log password change event on SSO account creation

* Unify master password policy resolution

* Upgrade openidconnect to 4.0.0

* Revert "Remove unused UserOrganization.invited_by_email"

This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.

* Process org enrollment in accounts::post_set_password

* Improve tests

* Pass the claim invited_by_email in case it was not in db

* Add Slack configuration hints

* Fix playwright tests

* Skip broken tests

* Add sso identifier in admin user panel

* Remove duplicate expiration check, add a log

* Augment mobile refresh_token validity

* Rauthy configuration hints

* Fix playwright tests

* Playwright upgrade and conf improvement

* Playwright tests improvements

* 2FA email and device creation change

* Fix and improve Playwright tests

* Minor improvements

* Fix enforceOnLogin org policies

* Run playwright sso tests against correct db

* PKCE should now work with Zitadel

* Playwright upgrade maildev to use MailBuffer.expect

* Upgrades playwright tests deps

* Check email_verified in id_token and user_info

* Add sso verified endpoint for v2025.6.0

* Fix playwright tests

* Create a separate sso_client

* Upgrade openidconnect to 4.0.1

* Server settings for login fields toggle

* Use only css for login fields

* Fix playwright test

* Review fix

* More review fix

* Perform same checks when setting kdf

---------

Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>
2025-08-08 23:22:22 +02:00
Directory contents (all last changed by "SSO using OpenID Connect (#3899)", 2025-08-08 23:22:22 +02:00): compose, tests, .env.template, .gitignore, docker-compose.yml, global-setup.ts, global-utils.ts, package-lock.json, package.json, playwright.config.ts, README.md, test.env

Integration tests

This allows running integration tests using Playwright.
It uses its own test.env with different ports so it does not collide with a running dev instance.

Install

This relies on docker and the compose plugin. Databases (MariaDB, MySQL and Postgres) and Playwright run in containers.

Running Playwright outside docker

It's possible to run Playwright outside of the container, which removes the need to rebuild the image for each change. You'll additionally need nodejs; then run:

npm install
npx playwright install-deps
npx playwright install firefox

Usage

To run all the tests:

DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright

To force a rebuild of the Playwright image:

DOCKER_BUILDKIT=1 docker compose --env-file test.env build Playwright

To access the UI to easily run tests individually and debug if needed (will not work in docker):

npx playwright test --ui

DB

Projects are configured to allow running the tests against only a specific database.
You can use:

DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=mariadb
DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=mysql
DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=postgres
DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite

SSO

To run the SSO tests:

DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project sso-sqlite

Keep services running

If you want, you can keep the DB and Keycloak running (their state is not affected by the tests):

PW_KEEP_SERVICE_RUNNNING=true npx playwright test

Running specific tests

To run a whole file you can:

DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite tests/login.spec.ts
DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite login

To run only a specific test (it might fail if it has dependencies):

DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite -g "Account creation"
DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite tests/login.spec.ts:16

Writing scenarios

When creating a new scenario, use the recorder to more easily identify elements (in general, try to rely on visible hints to identify elements and not on hidden ids). This does not start the server; you will need to start it manually.

npx playwright codegen "http://127.0.0.1:8000"

Override web-vault

It's possible to change the web-vault used by referencing a different bw_web_builds commit.

export PW_WV_REPO_URL=https://github.com/Timshel/oidc_web_builds.git
export PW_WV_COMMIT_HASH=8707dc76df3f0cceef2be5bfae37bb29bd17fae6
DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env build Playwright

OpenID Connect test setup

Additionally, this docker-compose template allows running VaultWarden, Keycloak and Maildev locally to test OIDC.

Setup

This relies on docker and the compose plugin. First create a copy of .env.template as .env (this is done to prevent committing your custom settings, e.g. SMTP_).
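A small helper for this step, added here as an example and not part of the vaultwarden repository: it creates .env from .env.template only when .env does not already exist, restricts its permissions, and refuses to continue unless .env is listed in .gitignore, so admin and SMTP_ settings cannot be committed by accident. It assumes .env.template and .gitignore sit in the current directory (both are present in this playwright folder).

```shell
#!/bin/sh
# Example helper (not from the vaultwarden repo): bootstrap a local .env safely.
# Arguments (all optional): template file, target file, ignore file.
init_env_file() {
  template="${1:-.env.template}"
  target="${2:-.env}"
  ignore_file="${3:-.gitignore}"

  [ -f "$template" ] || { echo "missing $template" >&2; return 1; }

  if [ -f "$target" ]; then
    # Never clobber settings the developer already customised.
    echo "$target already exists, leaving it untouched" >&2
  else
    cp "$template" "$target" || return 1
    # Local secrets (KEYCLOAK_ADMIN_PASSWORD, SMTP_*) only need to be owner-readable.
    chmod 600 "$target"
  fi

  # -x: whole-line match, -F: literal (a dot in a regex would match any char).
  if ! grep -qxF -e "$target" -e "/$target" "$ignore_file" 2>/dev/null; then
    echo "$target is not listed in $ignore_file; add it before committing" >&2
    return 2
  fi
  return 0
}
```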

Usage

Then start the stack (the profile is required to run Vaultwarden):

> docker compose --profile vaultwarden --env-file .env up
....
keycloakSetup_1  | Logging into http://127.0.0.1:8080 as user admin of realm master
keycloakSetup_1  | Created new realm with id 'test'
keycloakSetup_1  | 74af4933-e386-4e64-ba15-a7b61212c45e
oidc_keycloakSetup_1 exited with code 0

Wait until oidc_keycloakSetup_1 exited with code 0, which indicates the Keycloak realm, client and user were set up correctly (it's normal for this container to stop once the configuration is done).

Then you can access:

To proceed with an SSO login: after you enter the email, on the screen prompting for the Master Password the SSO button should be visible. To use your computer's external IP (for example when testing with a phone) you will have to configure KC_HTTP_HOST and DOMAIN.

Running only Keycloak

You can run just Keycloak with --profile keycloak:

> docker compose --profile keycloak --env-file .env up

When running with a local VaultWarden, you can use a front-end build from dani-garcia/bw_web_builds.

Rebuilding the Vaultwarden

To force rebuilding the Vaultwarden image you can run:

docker compose --profile vaultwarden --env-file .env build VaultwardenPrebuild Vaultwarden

Configuration

All configuration for keycloak / VaultWarden / keycloak_setup.sh can be found in .env. The content of the file is loaded as environment variables in all containers.

  • keycloak configuration includes KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD and any variable prefixed KC_ (more information).
  • All VaultWarden configuration can be set (e.g. SMTP_*).

Cleanup

Use docker compose --profile vaultWarden down.