Modifications for easier testing

Timshel · Nov 13, 2023 · 60971f5 · 60971f5
1 parent 68737fe
commit 60971f5
Show file tree

Hide file tree

Showing 19 changed files with 8,872 additions and 170 deletions.
diff --git a/README.md b/README.md
@@ -1,95 +1,56 @@
-### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+# Fork from [dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
 
-📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
+Goal is to help testing code for the SSO [PR](https://github.com/dani-garcia/vaultwarden/pull/3899).
+Based on [Timshel/sso-support](https://github.com/Timshel/vaultwarden/tree/sso-support)
 
----
-[![Build](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml/badge.svg)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml)
-[![ghcr.io](https://img.shields.io/badge/ghcr.io-download-blue)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
-[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
-[![Quay.io](https://img.shields.io/badge/Quay.io-download-blue)](https://quay.io/repository/vaultwarden/server)
-[![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
-[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
-[![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
-[![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
+:warning: Branch will be rebased and forced-pushed from time to time. :warning:
 
-Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
+## Docker
 
-**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
+Change the docker files to package both front-end from [Timshel/oidc_web_builds](https://github.com/Timshel/oidc_web_builds/releases).
+\
+By default it will use the release which only make the `sso` button visible.
 
-#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+If you want to use the version which additionally change the default redirection to `/sso` and fix organization invitation to persist.
+You need to pass an env variable: `-e SSO_FRONTEND='override'` (cf [start.sh](docker/start.sh)).
 
----
+## To test VaultWarden with Keycloak
 
-## Features
+[Readme](test/oidc/README.md)
 
-Basically full implementation of Bitwarden API is provided including:
+## DB Migration
 
- * Organizations support
- * Attachments and Send
- * Vault API support
- * Serving the static files for Vault interface
- * Website icons API
- * Authenticator and U2F support
- * YubiKey and Duo support
- * Emergency Access
+ATM The migrations add an independant table `sso_nonce` and a column `invited_by_email` to `users_organizations`.
 
-## Installation
-Pull the docker image and mount a volume from the host for persistent storage:
+### Revert to default VW
 
-```sh
-docker pull vaultwarden/server:latest
-docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest
+Reverting to the default VW DB state can easily be done manually (Make a backup :) :
+
+```psql
+>BEGIN;
+BEGIN
+>DELETE FROM __diesel_schema_migrations WHERE version in ('20230910133000', '20230914133000');
+DELETE 2
+>DROP TABLE sso_nonce;
+DROP TABLE
+>ALTER TABLE users_organizations DROP COLUMN invited_by_email;
+ALTER TABLE
+> COMMIT / ROLLBACK;
+```
+
+### FROM old PR Version
+
+:warning: Changed the past migration creating the `sso_nonce` table in a recent [commit](https://github.com/Timshel/vaultwarden/commit/afa26f3cf5a39ff0bc4c3cbe563cfcfaf91b40a0).:warning: <br>
+If you already deployed the previous version you'll need to do some manual cleanup :
+
+```psql
+>BEGIN;
+BEGIN
+>DELETE FROM __diesel_schema_migrations WHERE version = '20230201133000';
+DELETE 1
+>DROP TABLE sso_nonce;
+DROP TABLE
+> COMMIT / ROLLBACK;
 ```
-This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.
-
-**IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
-
-This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
-
-If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
-
-## Usage
-See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server.
-
-## Get in touch
-To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/).
-
-If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though!
-
-If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us!
-
-### Sponsors
-Thanks for your contribution to the project!
-
-<!--
-<table>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/username">
-        <img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/>
-        <br />
-        <sub><b>username</b></sub>
-      </a>
-  </td>
-  </tr>
-</table>
-
-<br/>
--->
-
-<table>
-  <tr>
-    <td align="center">
-       <a href="https://github.com/themightychris" style="width: 75px">
-        <sub><b>Chris Alfano</b></sub>
-      </a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/numberly" style="width: 75px">
-        <sub><b>Numberly</b></sub>
-      </a>
-    </td>
-  </tr>
-</table>
+
+Then the new migration will play without issue.
diff --git a/docker/DockerSettings.yaml b/docker/DockerSettings.yaml
@@ -1,6 +1,5 @@
 ---
-vault_version: "v2023.10.0"
-vault_image_digest: "sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935"
+vault_release: "https://github.com/Timshel/oidc_web_builds/releases/latest/download"
 # Cross Compile Docker Helper Scripts v1.3.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc"

diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
@@ -8,26 +8,6 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2023.10.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.10.0
-#     [docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935
-#     [docker.io/vaultwarden/web-vault:v2023.10.0]
-#
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 as vault
-
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
@@ -57,6 +37,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     PQ_LIB_DIR="/usr/local/musl/pq15/lib"
 
 
+# Get both version of the front-end
+RUN wget -c https://github.com/Timshel/oidc_web_builds/releases/latest/download/oidc_button_web_vault.tar.gz -O - | tar -xz \
+    ; mv web-vault web-vault_button
+RUN wget -c https://github.com/Timshel/oidc_web_builds/releases/latest/download/oidc_override_web_vault.tar.gz -O - | tar -xz \
+    ; mv web-vault web-vault_override
+
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
@@ -152,7 +138,8 @@ WORKDIR /
 COPY docker/healthcheck.sh /healthcheck.sh
 COPY docker/start.sh /start.sh
 
-COPY --from=vault /web-vault ./web-vault
+COPY --from=build /web-vault_button ./web-vault_button
+COPY --from=build /web-vault_override ./web-vault_override
 COPY --from=build /app/target/final/vaultwarden .
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
@@ -8,26 +8,6 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2023.10.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.10.0
-#     [docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935
-#     [docker.io/vaultwarden/web-vault:v2023.10.0]
-#
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 as vault
-
 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
 ## And these bash scripts do not have any significant difference if at all
@@ -63,7 +43,8 @@ RUN apt-get update && \
         git \
         "libc6-$(xx-info debian-arch)-cross" \
         "libc6-dev-$(xx-info debian-arch)-cross" \
-        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+        "linux-libc-dev-$(xx-info debian-arch)-cross" \
+        wget && \
     # Run xx-cargo early, since it sometimes seems to break when run at a later stage
     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
 
@@ -79,6 +60,12 @@ RUN xx-apt-get install -y \
     apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \
     dpkg --force-all -i ./libmariadb-dev*.deb
 
+# Get both version of the front-end
+RUN wget -c https://github.com/Timshel/oidc_web_builds/releases/latest/download/oidc_button_web_vault.tar.gz -O - | tar -xz \
+    ; mv web-vault web-vault_button
+RUN wget -c https://github.com/Timshel/oidc_web_builds/releases/latest/download/oidc_override_web_vault.tar.gz -O - | tar -xz \
+    ; mv web-vault web-vault_override
+
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
@@ -186,7 +173,8 @@ WORKDIR /
 COPY docker/healthcheck.sh /healthcheck.sh
 COPY docker/start.sh /start.sh
 
-COPY --from=vault /web-vault ./web-vault
+COPY --from=build /web-vault_button ./web-vault_button
+COPY --from=build /web-vault_override ./web-vault_override
 COPY --from=build /app/target/final/vaultwarden .
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2
@@ -8,26 +8,6 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }}
-#     [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
-#     [docker.io/vaultwarden/web-vault:{{ vault_version }}]
-#
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault
-
 {% if base == "debian" %}
 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
@@ -81,7 +61,8 @@ RUN apt-get update && \
         git \
         "libc6-$(xx-info debian-arch)-cross" \
         "libc6-dev-$(xx-info debian-arch)-cross" \
-        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+        "linux-libc-dev-$(xx-info debian-arch)-cross" \
+        wget && \
     # Run xx-cargo early, since it sometimes seems to break when run at a later stage
     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
 
@@ -98,6 +79,12 @@ RUN xx-apt-get install -y \
     dpkg --force-all -i ./libmariadb-dev*.deb
 {% endif %}
 
+# Get both version of the front-end
+RUN wget -c {{ vault_release }}/oidc_button_web_vault.tar.gz -O - | tar -xz \
+    ; mv web-vault web-vault_button
+RUN wget -c {{ vault_release }}/oidc_override_web_vault.tar.gz -O - | tar -xz \
+    ; mv web-vault web-vault_override
+
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
@@ -229,7 +216,8 @@ WORKDIR /
 COPY docker/healthcheck.sh /healthcheck.sh
 COPY docker/start.sh /start.sh
 
-COPY --from=vault /web-vault ./web-vault
+COPY --from=build /web-vault_button ./web-vault_button
+COPY --from=build /web-vault_override ./web-vault_override
 COPY --from=build /app/target/final/vaultwarden .
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]