Skip to content

Commit

Permalink
Modifications for easier testing
Browse files Browse the repository at this point in the history
  • Loading branch information
Timshel committed Jul 22, 2024
1 parent a20d428 commit 27176b9
Show file tree
Hide file tree
Showing 35 changed files with 18,749 additions and 223 deletions.
2 changes: 1 addition & 1 deletion .dockerignore
Original file line number Diff line number Diff line change
Expand Up @@ -39,5 +39,5 @@ web-vault
# Vaultwarden Resources
resources

# Playwright tests
# Playwrights
playwright
2 changes: 1 addition & 1 deletion .env.template
Original file line number Diff line number Diff line change
Expand Up @@ -447,7 +447,7 @@
# SSO_AUTH_ONLY_NOT_SESSION=false
## Client cache for discovery endpoint. Duration in seconds (0 to disable).
# SSO_CLIENT_CACHE_EXPIRATION=0
## Log all the tokens, LOG_LEVEL=debug is required
## Log all the tokens, `LOG_LEVEL=debug` or `LOG_LEVEL_OVERRIDE=vaultwarden::sso=debug` need to be set
# SSO_DEBUG_TOKENS=false

########################
Expand Down
4 changes: 1 addition & 3 deletions .github/FUNDING.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1 @@
github: dani-garcia
liberapay: dani-garcia
custom: ["https://paypal.me/DaniGG"]
github: Timshel
23 changes: 12 additions & 11 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
# We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
skip_check:
runs-on: ubuntu-22.04
if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
if: ${{ github.repository == 'timshel/vaultwarden' }}
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
Expand All @@ -28,9 +28,10 @@ jobs:

docker-build:
runs-on: ubuntu-22.04
environment: main
timeout-minutes: 120
needs: skip_check
if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'timshel/vaultwarden' }}
# Start a local docker registry to extract the final Alpine static build binaries
services:
registry:
Expand Down Expand Up @@ -162,7 +163,7 @@ jobs:
if: ${{ matrix.base_image == 'alpine' }}
shell: bash
run: |
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/timshel/vaultwarden" | tee -a "${GITHUB_ENV}"
- name: Bake ${{ matrix.base_image }} containers
uses: docker/bake-action@1c5f18a523c4c68524cfbc5161494d8bb5b29d20 # v5.0.1
Expand Down Expand Up @@ -198,28 +199,28 @@ jobs:
# This is needed because using different platforms doesn't trigger a new pull/download
# Extract amd64 binary
docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker create --name amd64 --platform=linux/amd64 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
docker cp amd64:/vaultwarden vaultwarden-amd64
docker rm --force amd64
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
# Extract arm64 binary
docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker create --name arm64 --platform=linux/arm64 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
docker cp arm64:/vaultwarden vaultwarden-arm64
docker rm --force arm64
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
# Extract armv7 binary
docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
docker cp armv7:/vaultwarden vaultwarden-armv7
docker rm --force armv7
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
# Extract armv6 binary
docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
docker cp armv6:/vaultwarden vaultwarden-armv6
docker rm --force armv6
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
# Upload artifacts to Github Actions
- name: "Upload amd64 artifact"
Expand Down
123 changes: 123 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
# Changelog

## 1.31.0-1

- Rebased on `1.31.0` from `dani-garcia/vaultwarden`
- Upgrade [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.5.1-3`
- Use `WEB_VAULT_FOLDER` to switch front-end without modifying the FS

## 1.30.5-9

- Fix organization invitation when SMTP is disabled.
- Add `SSO_ORGANIZATIONS_ALL_COLLECTIONS` config to allow to grant or not access to all collections (default `true`)

## 1.30.5-8

- Rebased on top dani-garcia/vaultwarden latest `main`.
- Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.3.1-1` which introduce new layout.
- Stop rolling the device token (too many issues with refresh token calls in parallel).

## 1.30.5-7

- Fix mysql sso_users.identifier key creation error.

## 1.30.5-6

- Fix lower case issue which generated invalid "your email has changed" (thx @tribut).

## 1.30.5-5

- Add `SSO_ORGANIZATIONS_ID_MAPPING` to map a Provider group `id` to a Vaultwarden organization `uuid`.

## 1.30.5-4

- Rebased on latest from [dani-garcia:main](https://github.com/dani-garcia/vaultwarden/tree/main)
- Move docker release to [timshel](https://hub.docker.com/repository/docker/timshel/vaultwarden/general)
- Split the `experimental` version to a separate [repository](https://hub.docker.com/repository/docker/timshel/oidcwarden/general).

## 1.30.5-3

- Fix `ForeignKeyViolation` when trying to delete sso user.

## 1.30.5-2

- Store SSO identifier to prevent account takeover

## 1.30.5-1

- Rebased on latest from `dani-garcia/vaultwarden`

## 1.30.3-2

- Add `SSO_CLIENT_CACHE_EXPIRATION` config, to optionally cache the calls to the OpenID discovery endpoint.
- Add a `scope` and `iss` in the oidc redirection to try to fix the IOS login failure.

## 1.30.3-1

- Add `SSO_PKCE` config, disabled for now will probably be activated by defaut in next release.

## 1.30.2-7

- Reduce default `refresh_validity` to 7 days (reset with each `access_token` refresh, so act as an idle timer).
Apply to non sso login and SSO which return a non JWT token with no expiration information.
- Roll the already present `Device.refresh_token` which will invalidate past `refresh_token` (SSO and non SSO login).
- Remove the `openidconnect` cache since it's not [recommended](https://github.com/ramosbugs/openidconnect-rs/issues/25).

## 1.30.2-6

- Add `SSO_AUDIENCE_TRUSTED` config to allow to trust additionnal audience.

## 1.30.2-5

- Fix mysql migration `2024-02-14-170000_add_state_to_sso_nonce`

## 1.30.2-4

- Upgrade [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-6`
- Use `openidconnect` to validate Id Token claims
- Remove `SSO_KEY_FILEPATH` should not be useful now
- Add `SSO_DEBUG_TOKENS` to log Id/Access/Refresh token to debug
- Hardcoded redircetion url
- Switch to reading the roles and groups Claims from the Id Token

## 1.30.2-3

- Add `SSO_AUTHORIZE_EXTRA_PARAMS` to add extra parameter to the authorize redirection (needed to obtain a `refresh_token` with Google Auth).

## 1.30.2-2

- Fix non jwt `acess_token` check when there is no `refresh_token`
- Add `SSO_AUTH_ONLY_NOT_SESSION` to use SSO only for auth not the session lifecycle.

## 1.30.2-1

- Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-4` which move the org invite patch to the `button` release (which is expected to be merged in VW).
- Remove the `sso_acceptall_invites` setting
- Allow to override log level for specific target

## 1.30.1-11

- Encode redirect url parameters and add `debug` logging.

## 1.30.1-10

- Keep old prevalidate endpoint for Mobile apps

## 1.30.1-9

- Add non jwt access_token support

## 1.30.1-8

- Prevalidate endpoint change in Bitwarden WebVault [web-v2024.1.2](https://github.com/bitwarden/clients/tree/web-v2024.1.2/apps/web)
- Add support for `experimental` front-end which stop sending the Master password hash to the server
- Fix the in docker images

## 1.30.1-7

- Switch user invitation status to `Confirmed` on when user login not before (cf https://github.com/Timshel/vaultwarden/issues/17)
- Return a 404 when user has no `public_key`, will prevent confirming the user in case previous fix is insufficient.

## 1.30.1-6

- Ensure the token endpoint always return a `refresh_token` (cf https://github.com/Timshel/vaultwarden/issues/16)
143 changes: 53 additions & 90 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,102 +1,65 @@
### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
# Fork from [dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)

📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
Goal is to help testing code for the SSO [PR](https://github.com/dani-garcia/vaultwarden/pull/3899).
Based on [Timshel/sso-support](https://github.com/Timshel/vaultwarden/tree/sso-support)

---
[![Build](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml/badge.svg)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml)
[![ghcr.io](https://img.shields.io/badge/ghcr.io-download-blue)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
[![Quay.io](https://img.shields.io/badge/Quay.io-download-blue)](https://quay.io/repository/vaultwarden/server)
[![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
[![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
[![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
#### :warning: Branch will be rebased and forced-pushed when updated. :warning:

Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
## Versions

**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
Tagged version are based on Vaultwarden releases, Ex: `1.31.0-1` is the first release based on Vaultwarden `1.31.0`.
\
See [changelog](CHANGELOG.md) for more details.

#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
## Experimental Version

---
Made a version which allow to run the server without storing the master password (it's still required just not sent to the server).
It´s experimental, more information in [timshel/experimental](https://github.com/Timshel/vaultwarden/tree/experimental).

## Features
## Docker

Basically full implementation of Bitwarden API is provided including:
Change the docker files to package both front-end from [Timshel/oidc_web_builds](https://github.com/Timshel/oidc_web_builds/releases).
\
By default it will use the release which only make the `sso` button visible.

* Organizations support
* Attachments and Send
* Vault API support
* Serving the static files for Vault interface
* Website icons API
* Authenticator and U2F support
* YubiKey and Duo support
* Emergency Access
If you want to use the version which additionally change the default redirection to `/sso` and fix organization invitation to persist.
You need to pass an env variable: `-e SSO_FRONTEND='override'` (cf [start.sh](docker/start.sh)).

## Installation
Pull the docker image and mount a volume from the host for persistent storage:
Docker images available at:

```sh
docker pull vaultwarden/server:latest
docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest
- Docker hub [hub.docker.com/r/timshel/vaultwarden](https://hub.docker.com/r/timshel/vaultwarden/tags)
- Github container registry [ghcr.io/timshel/vaultwarden](https://github.com/Timshel/vaultwarden/pkgs/container/vaultwarden)

### Front-end version

By default front-end version is fixed to prevent regression (check [CHANGELOG.md](CHANGELOG.md)).
\
When building the docker image it can be overrided by passing the `OIDC_WEB_RELEASE` arg.
\
Ex to build with latest: `--build-arg OIDC_WEB_RELEASE="https://github.com/Timshel/oidc_web_builds/releases/latest/download"`

## To test VaultWarden with Keycloak

[Readme](docker/keycloak/README.md)

## DB Migration

ATM The migrations add two tables `sso_nonce`, `sso_users` and a column `invited_by_email` to `users_organizations`.

### Revert to default VW

Reverting to the default VW DB state can easily be done manually (Make a backup :) :

```psql
>BEGIN;
BEGIN
>DELETE FROM __diesel_schema_migrations WHERE version in ('20230910133000', '20230914133000', '20240214170000', '20240226170000', '20240306170000', '20240313170000');
DELETE 5
>DROP TABLE sso_nonce;
DROP TABLE
>DROP TABLE sso_users;
DROP TABLE
>ALTER TABLE users_organizations DROP COLUMN invited_by_email;
ALTER TABLE
> COMMIT / ROLLBACK;
```
This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.

**IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.

This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).

If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).

## Usage
See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server.

## Get in touch
To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/).

If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though!

If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us!

### Sponsors
Thanks for your contribution to the project!

<!--
<table>
<tr>
<td align="center">
<a href="https://github.com/username">
<img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/>
<br />
<sub><b>username</b></sub>
</a>
</td>
</tr>
</table>
<br/>
-->

<table>
<tr>
<td align="center">
<a href="https://github.com/themightychris" style="width: 75px">
<sub><b>Chris Alfano</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/numberly" style="width: 75px">
<sub><b>Numberly</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/IQ333777" style="width: 75px">
<sub><b>IQ333777</b></sub>
</a>
</td>
</tr>
</table>
2 changes: 1 addition & 1 deletion SSO.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ The following configurations are available
- `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
- `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
- `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
- `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required)
- `SSO_DEBUG_TOKENS`: Log all tokens for easier debugging (default `false`, `LOG_LEVEL=debug` or `LOG_LEVEL_OVERRIDE=vaultwarden::sso=debug` need to be set)

The callback url is : `https://your.domain/identity/connect/oidc-signin`

Expand Down
3 changes: 1 addition & 2 deletions docker/DockerSettings.yaml
Original file line number Diff line number Diff line change
@@ -1,12 +1,11 @@
---
vault_version: "v2024.5.1b"
vault_image_digest: "sha256:1a867b4b175e85fc8602314bd83bc263c76c49787031704f16a2915567725375"
# Cross Compile Docker Helper Scripts v1.4.0
# We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
xx_image_digest: "sha256:0cd3f05c72d6c9b038eb135f91376ee1169ef3a330d34e418e65e2a5c2e9c0d4"
rust_version: 1.79.0 # Rust version to be used
debian_version: bookworm # Debian release name to be used
alpine_version: "3.20" # Alpine version to be used
oidc_web_release: https://github.com/Timshel/oidc_web_builds/releases/download/v2024.5.1-3
# For which platforms/architectures will we try to build images
platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
# Determine the build images per OS/Arch
Expand Down
Loading

0 comments on commit 27176b9

Please sign in to comment.