Modifications for easier testing

This reverts commit ce5b4df289defefb8802a74d125a2bdd08a6c509.

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
   # We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
   skip_check:
     runs-on: ubuntu-22.04
-    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
+    if: ${{ github.repository == 'timshel/vaultwarden' }}
     outputs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
@@ -28,9 +28,10 @@ jobs:
 
   docker-build:
     runs-on: ubuntu-22.04
+    environment: main
     timeout-minutes: 120
     needs: skip_check
-    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'timshel/vaultwarden' }}
     # Start a local docker registry to extract the final Alpine static build binaries
     services:
       registry:
@@ -168,7 +169,7 @@ jobs:
         if: ${{ matrix.base_image == 'alpine' }}
         shell: bash
         run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/oidcwarden/vaultwarden-oidc" | tee -a "${GITHUB_ENV}"
 
       - name: Bake ${{ matrix.base_image }} containers
         uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d # v4.1.0
@@ -204,28 +205,28 @@ jobs:
           # This is needed because using different platforms doesn't trigger a new pull/download
 
           # Extract amd64 binary
-          docker create --name amd64 --platform=linux/amd64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name amd64 --platform=linux/amd64 "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
           docker cp amd64:/vaultwarden vaultwarden-amd64
           docker rm --force amd64
-          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
 
           # Extract arm64 binary
-          docker create --name arm64 --platform=linux/arm64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name arm64 --platform=linux/arm64 "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
           docker cp arm64:/vaultwarden vaultwarden-arm64
           docker rm --force arm64
-          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
 
           # Extract armv7 binary
-          docker create --name armv7 --platform=linux/arm/v7 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name armv7 --platform=linux/arm/v7 "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
           docker cp armv7:/vaultwarden vaultwarden-armv7
           docker rm --force armv7
-          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
 
           # Extract armv6 binary
-          docker create --name armv6 --platform=linux/arm/v6 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name armv6 --platform=linux/arm/v6 "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
           docker cp armv6:/vaultwarden vaultwarden-armv6
           docker rm --force armv6
-          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "oidcwarden/vaultwarden-oidc:${EXTRACT_TAG}-alpine"
 
       # Upload artifacts to Github Actions
       - name: "Upload amd64 artifact"

CHANGELOG.md

@@ -0,0 +1,90 @@
+# Changelog
+
+## Testing
+
+  - Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.2.5-rc`
+    - Update to `bw_web_builds` to PR `github.com/dani-garcia/bw_web_builds/pull/157`
+    - Experimental: fix current password check when changing password
+
+## 1.30.5-2
+
+  - Store SSO identifier to prevent account takeover
+
+## 1.30.5-1
+
+  - Rebased on latest from `dani-garcia/vaultwarden`
+
+## 1.30.3-2
+
+  - Add `SSO_CLIENT_CACHE_EXPIRATION` config, to optionally cache the calls to the OpenID discovery endpoint.
+  - Add a `scope` and `iss` in the oidc redirection to try to fix the IOS login failure.
+
+## 1.30.3-1
+
+  - Add `SSO_PKCE` config, disabled for now will probably be activated by defaut in next release.
+
+## 1.30.2-7
+
+ - Reduce default `refresh_validity` to 7 days (reset with each `access_token` refresh, so act as an idle timer).
+   Apply to non sso login and SSO which return a non JWT token with no expiration information.
+ - Roll the already present `Device.refresh_token` which will invalidate past `refresh_token` (SSO and non SSO login).
+ - Remove the `openidconnect` cache since it's not [recommended](https://github.com/ramosbugs/openidconnect-rs/issues/25).
+
+## 1.30.2-6
+
+ - Add `SSO_AUDIENCE_TRUSTED` config to allow to trust additionnal audience.
+
+## 1.30.2-5
+
+ - Fix mysql migration `2024-02-14-170000_add_state_to_sso_nonce`
+
+## 1.30.2-4
+
+ - Upgrade [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-6`
+ - Use `openidconnect` to validate Id Token claims
+ - Remove `SSO_KEY_FILEPATH` should not be useful now
+ - Add `SSO_DEBUG_TOKENS` to log Id/Access/Refresh token to debug
+ - Hardcoded redircetion url
+ - Switch to reading the roles and groups Claims from the Id Token
+
+## 1.30.2-3
+
+ - Add `SSO_AUTHORIZE_EXTRA_PARAMS` to add extra parameter to the authorize redirection (needed to obtain a `refresh_token` with Google Auth).
+
+## 1.30.2-2
+
+ - Fix non jwt `acess_token` check when there is no `refresh_token`
+ - Add `SSO_AUTH_ONLY_NOT_SESSION` to use SSO only for auth not the session lifecycle.
+
+## 1.30.2-1
+
+ - Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-4` which move the org invite patch to the `button` release (which is expected to be merged in VW).
+ - Remove the `sso_acceptall_invites` setting
+ - Allow to override log level for specific target
+
+## 1.30.1-11
+
+ - Encode redirect url parameters and add `debug` logging.
+
+## 1.30.1-10
+
+ - Keep old prevalidate endpoint for Mobile apps
+
+## 1.30.1-9
+
+ - Add non jwt access_token support
+
+## 1.30.1-8
+
+ - Prevalidate endpoint change in Bitwarden WebVault [web-v2024.1.2](https://github.com/bitwarden/clients/tree/web-v2024.1.2/apps/web)
+ - Add support for `experimental` front-end which stop sending the Master password hash to the server
+ - Fix the in docker images
+
+## 1.30.1-7
+
+ - Switch user invitation status to `Confirmed` on when user login not before (cf https://github.com/Timshel/vaultwarden/issues/17)
+ - Return a 404 when user has no `public_key`, will prevent confirming the user in case previous fix is insufficient.
+
+## 1.30.1-6
+
+ - Ensure the token endpoint always return a `refresh_token` (cf https://github.com/Timshel/vaultwarden/issues/16)

README.md

@@ -1,102 +1,54 @@
-### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+# Fork from [dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
 
-📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
+Goal is to help testing code for the SSO [PR](https://github.com/dani-garcia/vaultwarden/pull/3899).
+Based on [Timshel/sso-support](https://github.com/Timshel/vaultwarden/tree/sso-support)
 
----
-[![Build](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml/badge.svg)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml)
-[![ghcr.io](https://img.shields.io/badge/ghcr.io-download-blue)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
-[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
-[![Quay.io](https://img.shields.io/badge/Quay.io-download-blue)](https://quay.io/repository/vaultwarden/server)
-[![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
-[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
-[![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
-[![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
+:warning: Branch will be rebased and forced-pushed from time to time. :warning:
 
-Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
+## Docker
 
-**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
+Change the docker files to package both front-end from [Timshel/oidc_web_builds](https://github.com/Timshel/oidc_web_builds/releases).
+\
+By default it will use the release which only make the `sso` button visible.
 
-#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+If you want to use the version which additionally change the default redirection to `/sso` and fix organization invitation to persist.
+You need to pass an env variable: `-e SSO_FRONTEND='override'` (cf [start.sh](docker/start.sh)).
 
----
+Docker images available at:
 
-## Features
+ - Docker hub [hub.docker.com/r/oidcwarden/vaultwarden-oidc](https://hub.docker.com/r/oidcwarden/vaultwarden-oidc/tags)
+ - Github container registry [ghcr.io/timshel/vaultwarden](https://github.com/Timshel/vaultwarden/pkgs/container/vaultwarden)
 
-Basically full implementation of Bitwarden API is provided including:
+### Front-end version
 
- * Organizations support
- * Attachments and Send
- * Vault API support
- * Serving the static files for Vault interface
- * Website icons API
- * Authenticator and U2F support
- * YubiKey and Duo support
- * Emergency Access
+By default front-end version is fixed to prevent regression (check [CHANGELOG.md](CHANGELOG.md)).
+\
+When building the docker image it can be overrided by passing the `OIDC_WEB_RELEASE` arg.
+\
+Ex to build with latest: `--build-arg OIDC_WEB_RELEASE="https://github.com/Timshel/oidc_web_builds/releases/latest/download"`
 
-## Installation
-Pull the docker image and mount a volume from the host for persistent storage:
+## To test VaultWarden with Keycloak
 
-```sh
-docker pull vaultwarden/server:latest
-docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest
+[Readme](docker/keycloak/README.md)
+
+## DB Migration
+
+ATM The migrations add two tables `sso_nonce`, `sso_users` and a column `invited_by_email` to `users_organizations`.
+
+### Revert to default VW
+
+Reverting to the default VW DB state can easily be done manually (Make a backup :) :
+
+```psql
+>BEGIN;
+BEGIN
+>DELETE FROM __diesel_schema_migrations WHERE version in ('20230910133000', '20230914133000', '20240214170000', '20240226170000', '20240306170000');
+DELETE 5
+>DROP TABLE sso_nonce;
+DROP TABLE
+>DROP TABLE sso_users;
+DROP TABLE
+>ALTER TABLE users_organizations DROP COLUMN invited_by_email;
+ALTER TABLE
+> COMMIT / ROLLBACK;
 ```
-This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.
-
-**IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
-
-This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
-
-If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
-
-## Usage
-See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server.
-
-## Get in touch
-To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/).
-
-If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though!
-
-If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us!
-
-### Sponsors
-Thanks for your contribution to the project!
-
-<!--
-<table>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/username">
-        <img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/>
-        <br />
-        <sub><b>username</b></sub>
-      </a>
-  </td>
-  </tr>
-</table>
-
-<br/>
--->
-
-<table>
-  <tr>
-    <td align="center">
-       <a href="https://github.com/themightychris" style="width: 75px">
-        <sub><b>Chris Alfano</b></sub>
-      </a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/numberly" style="width: 75px">
-        <sub><b>Numberly</b></sub>
-      </a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/IQ333777" style="width: 75px">
-        <sub><b>IQ333777</b></sub>
-      </a>
-    </td>
-  </tr>
-</table>

docker/DockerSettings.yaml

@@ -1,12 +1,11 @@
 ---
-vault_version: "v2024.1.2b"
-vault_image_digest: "sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08"
 # Cross Compile Docker Helper Scripts v1.3.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc"
 rust_version: 1.76.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
 alpine_version: 3.19 # Alpine version to be used
+oidc_web_release: https://github.com/Timshel/oidc_web_builds/releases/download/v2024.2.5-rc
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch

docker/Dockerfile.alpine

@@ -8,26 +8,6 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2024.1.2b
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.1.2b
-#     [docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08
-#     [docker.io/vaultwarden/web-vault:v2024.1.2b]
-#
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08 as vault
-
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
@@ -43,6 +23,8 @@ ARG TARGETARCH
 ARG TARGETVARIANT
 ARG TARGETPLATFORM
 
+ARG OIDC_WEB_RELEASE="https://github.com/Timshel/oidc_web_builds/releases/download/v2024.1.2-6"
+
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
@@ -57,6 +39,10 @@ ENV DEBIAN_FRONTEND=noninteractive \
     PQ_LIB_DIR="/usr/local/musl/pq15/lib"
 
 
+# Get all version of the front-end
+RUN curl -L "${OIDC_WEB_RELEASE}/oidc_button_web_vault.tar.gz" | tar -xz ; mv web-vault /web-vault_button
+RUN curl -L "${OIDC_WEB_RELEASE}/oidc_override_web_vault.tar.gz" | tar -xz ; mv web-vault /web-vault_override
+
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
@@ -153,7 +139,9 @@ WORKDIR /
 COPY docker/healthcheck.sh /healthcheck.sh
 COPY docker/start.sh /start.sh
 
-COPY --from=vault /web-vault ./web-vault
+COPY --from=build /web-vault_button ./web-vault_button
+COPY --from=build /web-vault_override ./web-vault_override
+COPY --from=build /web-vault_experimental ./web-vault_experimental
 COPY --from=build /app/target/final/vaultwarden .
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]