Allow SSO role mapping to add admin cookie

Co-authored-by: Fabian Fischer <[email protected]>

.env.template

@@ -464,6 +464,12 @@
 # SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
 ## Use sso only for authentication not the session lifecycle
 # SSO_AUTH_ONLY_NOT_SESSION=false
+## Enable the mapping of roles (user/admin) from the access_token
+# SSO_ROLES_ENABLED=false
+## Missing/Invalid roles default to user
+# SSO_ROLES_DEFAULT_TO_USER=true
+## Id token path to read roles
+# SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles
 ## Client cache for discovery endpoint. Duration in seconds (0 to disable).
 # SSO_CLIENT_CACHE_EXPIRATION=0
 ## Log all the tokens, `LOG_LEVEL=debug` or `LOG_LEVEL=info,vaultwarden::sso=debug` need to be set

README.md

@@ -11,9 +11,24 @@ Tagged version are based on Vaultwarden releases, Ex: `1.31.0-1` is the first re
 \
 See [changelog](CHANGELOG.md) for more details.
 
-## Experimental Version
+## Additionnal features
 
-Made a version which allow to run the server without storing the master password (it's still required just not sent to the server).
+This branch now contain additionnal features not added to the SSO [PR](https://github.com/dani-garcia/vaultwarden/pull/3899) since it would slow even more it's review.
+
+### Role mapping
+
+Allow to map roles from the Access token to users to grant access to `VaultWarden` `admin` console.
+Support two roles: `admin` or `user`.
+
+This feature is controlled by the following conf:
+
+- `SSO_ROLES_ENABLED`: control if the mapping is done, default is `false`
+- `SSO_ROLES_DEFAULT_TO_USER`: do not block login in case of missing or invalid roles, default is `true`.
+- `SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles`: path to read roles in the Access token
+
+### Experimental Version
+
+Made a version which additionnaly allow to run the server without storing the master password (it's still required just not sent to the server).
 It´s experimental, more information in [timshel/experimental](https://github.com/Timshel/vaultwarden/tree/experimental).
 
 ## Docker

SSO.md

@@ -25,7 +25,10 @@ The following configurations are available
  - `SSO_CLIENT_ID` : Client Id
  - `SSO_CLIENT_SECRET` : Client Secret
  - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
- - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
+ - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle.
+ - `SSO_ROLES_ENABLED`: control if the mapping is done, default is `false`
+ - `SSO_ROLES_DEFAULT_TO_USER`: do not block login in case of missing or invalid roles, default is `true`.
+ - `SSO_ROLES_TOKEN_PATH=/resource_access/${SSO_CLIENT_ID}/roles`: path to read roles in the Id token
  - `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
  - `SSO_DEBUG_TOKENS`: Log all tokens for easier debugging (default `false`, `LOG_LEVEL=debug` or `LOG_LEVEL=info,vaultwarden::sso=debug` need to be set)
 
@@ -222,6 +225,13 @@ Your configuration should look like this:
 * `SSO_CLIENT_ID=${Application (client) ID}`
 * `SSO_CLIENT_SECRET=${Secret Value}`
 
+If you want to leverage role mapping you have to create app roles first as described here: https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps.
+Afterwards you can use these settings to derive the `admin` role from the ID token:
+
+* `SSO_ROLES_ENABLED=true`
+* `SSO_ROLES_DEFAULT_TO_USER=true`
+* `SSO_ROLES_TOKEN_PATH=/roles
+
 ## Zitadel
 
 To obtain a `refresh_token` to be able to extend session you'll need to add the `offline_access` scope.

docker/keycloak/setup.dockerfile

@@ -0,0 +1,10 @@
+FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
+
+RUN dnf install -y wget && wget -O /root/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64 && chmod +x /root/jq
+
+FROM quay.io/keycloak/keycloak
+COPY --from=ubi-micro-build /root/jq /usr/bin/jq
+
+COPY keycloak_setup.sh /root/keycloak_setup.sh
+
+ENTRYPOINT ["/root/keycloak_setup.sh"]

playwright/compose/keycloak/setup.sh

@@ -21,16 +21,57 @@ set -e
 kcadm.sh config credentials --server "http://${KC_HTTP_HOST}:${KC_HTTP_PORT}" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
 
 kcadm.sh create realms -s realm="$TEST_REALM" -s enabled=true -s "accessTokenLifespan=600"
-kcadm.sh create clients -r test -s "clientId=$SSO_CLIENT_ID" -s "secret=$SSO_CLIENT_SECRET" -s "redirectUris=[\"$DOMAIN/*\"]" -i
+
+## Delete default roles mapping
+DEFAULT_ROLE_SCOPE_ID=$(kcadm.sh get -r "$TEST_REALM" client-scopes | jq -r '.[] | select(.name == "roles") | .id')
+kcadm.sh delete -r "$TEST_REALM" "client-scopes/$DEFAULT_ROLE_SCOPE_ID"
+
+## Create role mapping client scope
+TEST_CLIENT_ROLES_SCOPE_ID=$(kcadm.sh create -r "$TEST_REALM" client-scopes -s name=roles -s protocol=openid-connect -i)
+kcadm.sh create -r "$TEST_REALM" "client-scopes/$TEST_CLIENT_ROLES_SCOPE_ID/protocol-mappers/models" \
+    -s name=Roles \
+    -s protocol=openid-connect \
+    -s protocolMapper=oidc-usermodel-client-role-mapper \
+    -s consentRequired=false \
+    -s 'config."multivalued"=true' \
+    -s 'config."claim.name"=resource_access.${client_id}.roles' \
+    -s 'config."full.path"=false' \
+    -s 'config."id.token.claim"=true' \
+    -s 'config."access.token.claim"=false' \
+    -s 'config."userinfo.token.claim"=true'
+
+TEST_CLIENT_ID=$(kcadm.sh create -r "$TEST_REALM" clients -s "name=VaultWarden" -s "clientId=$SSO_CLIENT_ID" -s "secret=$SSO_CLIENT_SECRET" -s "redirectUris=[\"$DOMAIN/*\"]" -i)
+
+## ADD Role mapping scope
+kcadm.sh update -r "$TEST_REALM" "clients/$TEST_CLIENT_ID" --body "{\"optionalClientScopes\": [\"$TEST_CLIENT_ROLES_SCOPE_ID\"]}"
+kcadm.sh update -r "$TEST_REALM" "clients/$TEST_CLIENT_ID/optional-client-scopes/$TEST_CLIENT_ROLES_SCOPE_ID"
+
+## CREATE TEST ROLES
+kcadm.sh create -r "$TEST_REALM" "clients/$TEST_CLIENT_ID/roles" -s name=admin -s 'description=Admin role'
+kcadm.sh create -r "$TEST_REALM" "clients/$TEST_CLIENT_ID/roles" -s name=user -s 'description=Admin role'
+
+# To list roles : kcadm.sh get-roles -r "$TEST_REALM" --cid "$TEST_CLIENT_ID"
 
 TEST_USER_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER" -s "firstName=$TEST_USER" -s "lastName=$TEST_USER" -s "email=$TEST_USER_MAIL"  -s emailVerified=true -s enabled=true -i)
-kcadm.sh update users/$TEST_USER_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER_PASSWORD" -n
+kcadm.sh update -r "$TEST_REALM" "users/$TEST_USER_ID/reset-password" -s type=password -s "value=$TEST_USER_PASSWORD" -n
+kcadm.sh add-roles -r "$TEST_REALM" --uusername "$TEST_USER" --cid "$TEST_CLIENT_ID" --rolename admin
+
 
 TEST_USER2_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER2" -s "firstName=$TEST_USER2" -s "lastName=$TEST_USER2" -s "email=$TEST_USER2_MAIL"  -s emailVerified=true -s enabled=true -i)
 kcadm.sh update users/$TEST_USER2_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER2_PASSWORD" -n
+kcadm.sh add-roles -r "$TEST_REALM" --uusername "$TEST_USER2" --cid "$TEST_CLIENT_ID" --rolename user
 
 TEST_USER3_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER3" -s "firstName=$TEST_USER3" -s "lastName=$TEST_USER3" -s "email=$TEST_USER3_MAIL"  -s emailVerified=true -s enabled=true -i)
 kcadm.sh update users/$TEST_USER3_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER3_PASSWORD" -n
 
 # Dummy realm to mark end of setup
 kcadm.sh create realms -s realm="$DUMMY_REALM" -s enabled=true -s "accessTokenLifespan=600"
+
+# TO DEBUG uncomment the following line to keep the setup container running
+# sleep 3600
+# THEN in another terminal:
+# docker exec -it keycloakSetup-dev /bin/bash
+# export PATH=$PATH:/opt/keycloak/bin
+# kcadm.sh config credentials --server "http://${KC_HTTP_HOST}:${KC_HTTP_PORT}" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
+# ENJOY
+# Doc: https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/admin-cli.html

playwright/docker-compose.yml

@@ -27,9 +27,12 @@ services:
       - SMTP_HOST
       - SMTP_FROM
       - SMTP_DEBUG
-      - SSO_FRONTEND
       - SSO_ENABLED
+      - SSO_FRONTEND
       - SSO_ONLY
+      - SSO_ROLES_DEFAULT_TO_USER
+      - SSO_ROLES_ENABLED
+      - SSO_SCOPES
     restart: "no"
     depends_on:
       - VaultwardenPrebuild

playwright/tests/sso_roles.spec.ts

@@ -0,0 +1,51 @@
+import { test, expect, type TestInfo } from '@playwright/test';
+
+import * as utils from "../global-utils";
+import { logNewUser, logUser } from './setups/sso';
+
+let users = utils.loadEnv();
+
+let mailserver, user1Mails, user2Mails;
+
+test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
+    mailserver = new MailDev({
+        port: process.env.MAILDEV_SMTP_PORT,
+        web: { port: process.env.MAILDEV_HTTP_PORT },
+    })
+
+    await mailserver.listen();
+
+    await utils.startVaultwarden(browser, testInfo, {
+        SSO_ENABLED: true,
+        SSO_ONLY: true,
+        SSO_ORGANIZATIONS_INVITE: true,
+        SMTP_HOST: process.env.MAILDEV_HOST,
+        SMTP_FROM: process.env.VAULTWARDEN_SMTP_FROM,
+    });
+
+    user1Mails = mailserver.iterator(users.user1.email);
+    user2Mails = mailserver.iterator(users.user2.email);
+});
+
+test.afterAll('Teardown', async ({}) => {
+    utils.stopVaultwarden();
+    utils.closeMails(mailserver, [user1Mails, user2Mails]);
+});
+
+test('Log user1 and create Test Org', async ({ page }) => {
+    await logNewUser(test, page, users.user1, { emails: user1Mails });
+
+    await test.step('Create Org', async () => {
+        await page.getByRole('link', { name: 'New organization' }).click();
+        await page.getByLabel('Organization name (required)').fill('Test');
+        await page.getByRole('button', { name: 'Submit' }).click();
+        await page.locator('div').filter({ hasText: 'Members' }).nth(2).click();
+    });
+});
+
+test('Log with user2 and receive invite', async ({ page }) => {
+    await logNewUser(test, page, users.user2, { emails: user2Mails });
+
+    const { value: invited } = await user2Mails.next();
+    expect(invited.subject).toContain("Join Test")
+});

src/api/admin.rs

@@ -18,7 +18,7 @@ use crate::{
         core::{log_event, two_factor},
         unregister_push_device, ApiResult, EmptyResult, JsonResult, Notify,
     },
-    auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp, Secure},
+    auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp},
     config::ConfigBuilder,
     db::{backup_database, get_sql_server_version, models::*, DbConn, DbConnType},
     error::{Error, MapResult},
@@ -31,8 +31,12 @@ use crate::{
     CONFIG, VERSION,
 };
 
+#[allow(clippy::nonminimal_bool)]
 pub fn routes() -> Vec<Route> {
-    if !CONFIG.disable_admin_token() && !CONFIG.is_admin_token_set() {
+    if !CONFIG.disable_admin_token()
+        && !CONFIG.is_admin_token_set()
+        && !(CONFIG.sso_enabled() && CONFIG.sso_roles_enabled())
+    {
         return routes![admin_disabled];
     }
 
@@ -91,15 +95,15 @@ fn admin_disabled() -> &'static str {
     "The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it"
 }
 
-const COOKIE_NAME: &str = "VW_ADMIN";
+pub const COOKIE_NAME: &str = "VW_ADMIN";
 const ADMIN_PATH: &str = "/admin";
 const DT_FMT: &str = "%Y-%m-%d %H:%M:%S %Z";
 
 const BASE_TEMPLATE: &str = "admin/base";
 
 const ACTING_ADMIN_USER: &str = "vaultwarden-admin-00000-000000000000";
 
-fn admin_path() -> String {
+pub fn admin_path() -> String {
     format!("{}{}", CONFIG.domain_path(), ADMIN_PATH)
 }
 
@@ -154,6 +158,7 @@ fn render_admin_login(msg: Option<&str>, redirect: Option<String>) -> ApiResult<
     let json = json!({
         "page_content": "admin/login",
         "error": msg,
+        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_roles_enabled(),
         "redirect": redirect,
         "urlpath": CONFIG.domain_path()
     });
@@ -169,12 +174,24 @@ struct LoginForm {
     redirect: Option<String>,
 }
 
+pub fn create_admin_cookie<'a>() -> Cookie<'a> {
+    let claims = generate_admin_claims();
+    let jwt = encode_jwt(&claims);
+
+    Cookie::build((COOKIE_NAME, jwt))
+        .path(admin_path())
+        .max_age(rocket::time::Duration::minutes(CONFIG.admin_session_lifetime()))
+        .same_site(SameSite::Strict)
+        .http_only(true)
+        .secure(CONFIG.is_https())
+        .into()
+}
+
 #[post("/", data = "<data>")]
 fn post_admin_login(
     data: Form<LoginForm>,
     cookies: &CookieJar<'_>,
     ip: ClientIp,
-    secure: Secure,
 ) -> Result<Redirect, AdminResponse> {
     let data = data.into_inner();
     let redirect = data.redirect;
@@ -192,17 +209,7 @@ fn post_admin_login(
         Err(AdminResponse::Unauthorized(render_admin_login(Some("Invalid admin token, please try again."), redirect)))
     } else {
         // If the token received is valid, generate JWT and save it as a cookie
-        let claims = generate_admin_claims();
-        let jwt = encode_jwt(&claims);
-
-        let cookie = Cookie::build((COOKIE_NAME, jwt))
-            .path(admin_path())
-            .max_age(rocket::time::Duration::minutes(CONFIG.admin_session_lifetime()))
-            .same_site(SameSite::Strict)
-            .http_only(true)
-            .secure(secure.https);
-
-        cookies.add(cookie);
+        cookies.add(create_admin_cookie());
         if let Some(redirect) = redirect {
             Ok(Redirect::to(format!("{}{}", admin_path(), redirect)))
         } else {
@@ -258,6 +265,7 @@ fn render_admin_page() -> ApiResult<Html<String>> {
     let settings_json = json!({
         "config": CONFIG.prepare_json(),
         "can_backup": *CAN_BACKUP,
+        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_roles_enabled(),
     });
     let text = AdminTemplateData::new("admin/settings", settings_json).render()?;
     Ok(Html(text))

src/api/identity.rs

@@ -2,7 +2,7 @@ use chrono::{NaiveDateTime, Utc};
 use num_traits::FromPrimitive;
 use rocket::{
     form::{Form, FromForm},
-    http::Status,
+    http::{CookieJar, Status},
     response::Redirect,
     serde::json::Json,
     Route,
@@ -11,6 +11,7 @@ use serde_json::Value;
 
 use crate::{
     api::{
+        admin,
         core::{
             accounts::{PreloginData, RegisterData, _prelogin, _register, kdf_upgrade},
             log_user_event,
@@ -31,7 +32,12 @@ pub fn routes() -> Vec<Route> {
 }
 
 #[post("/connect/token", data = "<data>")]
-async fn login(data: Form<ConnectData>, client_header: ClientHeaders, mut conn: DbConn) -> JsonResult {
+async fn login(
+    data: Form<ConnectData>,
+    client_header: ClientHeaders,
+    cookies: &CookieJar<'_>,
+    mut conn: DbConn,
+) -> JsonResult {
     let data: ConnectData = data.into_inner();
 
     let mut user_uuid: Option<String> = None;
@@ -73,7 +79,7 @@ async fn login(data: Form<ConnectData>, client_header: ClientHeaders, mut conn:
             _check_is_some(&data.device_name, "device_name cannot be blank")?;
             _check_is_some(&data.device_type, "device_type cannot be blank")?;
 
-            _sso_login(data, &mut user_uuid, &mut conn, &client_header.ip).await
+            _sso_login(data, &mut user_uuid, &mut conn, cookies, &client_header.ip).await
         }
         "authorization_code" => err!("SSO sign-in is not available"),
         t => err!("Invalid type", t),
@@ -152,7 +158,13 @@ async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
 }
 
 // After exchanging the code we need to check first if 2FA is needed before continuing
-async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mut DbConn, ip: &ClientIp) -> JsonResult {
+async fn _sso_login(
+    data: ConnectData,
+    user_uuid: &mut Option<String>,
+    conn: &mut DbConn,
+    cookies: &CookieJar<'_>,
+    ip: &ClientIp,
+) -> JsonResult {
     AuthMethod::Sso.check_scope(data.scope.as_ref())?;
 
     // Ratelimit the login
@@ -248,6 +260,11 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
     // Set the user_uuid here to be passed back used for event logging.
     *user_uuid = Some(user.uuid.clone());
 
+    if auth_user.is_admin() {
+        info!("User {} logged with admin cookie", user.email);
+        cookies.add(admin::create_admin_cookie());
+    }
+
     let auth_tokens = sso::create_auth_tokens(
         &device,
         &user,