Revert "Disable deployments for release env (#7033 )"

This reverts commit 8f0e99b875.
2026-05-31 00:00:14 +03:00 · 2026-04-12 16:57:48 +02:00
7 changed files with 23 additions and 50 deletions
@@ -38,9 +38,7 @@ jobs:
  docker-build:
    name: Build Vaultwarden containers
    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
-    environment: 
-      name: release
-      deployment: false
+    environment: release
    permissions:
      packages: write # Needed to upload packages and artifacts
      contents: read
@@ -251,9 +249,7 @@ jobs:
    name: Merge manifests
    runs-on: ubuntu-latest
    needs: docker-build
-    environment: 
-      name: release
-      deployment: false
+    environment: release
    permissions:
      packages: write # Needed to upload packages and artifacts
      attestations: write # Needed to generate an artifact attestation for a build
@@ -2405,15 +2405,16 @@ dependencies = [

 [[package]]
 name = "hyper-rustls"
-version = "0.27.8"
+version = "0.27.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2b52f86d1d4bc0d6b4e6826d960b1b333217e07d36b882dca570a5e1c48895b"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
 dependencies = [
 "http 1.4.0",
 "hyper 1.9.0",
 "hyper-util",
 "rustls 0.23.37",
 "rustls-native-certs",
+ "rustls-pki-types",
 "tokio",
 "tokio-rustls 0.26.4",
 "tower-service",
@@ -3721,9 +3722,9 @@ dependencies = [

 [[package]]
 name = "pkg-config"
-version = "0.3.33"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "19f132c84eca552bf34cab8ec81f1c1dcc229b811638f9d283dceabe58c5569e"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"

 [[package]]
 name = "polling"
@@ -4408,12 +4409,12 @@ dependencies = [

 [[package]]
 name = "rtoolbox"
-version = "0.0.4"
+version = "0.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "327b72899159dfae8060c51a1f6aebe955245bcd9cc4997eed0f623caea022e4"
+checksum = "a7cc970b249fbe527d6e02e0a227762c9108b2f49d81094fe357ffc6d14d7f6f"
 dependencies = [
 "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.52.0",
 ]

 [[package]]
@@ -30,7 +30,6 @@ use crate::{
    error::{Error, MapResult},
    http_client::make_http_request,
    mail,
-    sso::FAKE_SSO_IDENTIFIER,
    util::{
        container_base_image, format_naive_datetime_local, get_active_web_release, get_display_size,
        is_running_in_container, parse_experimental_client_feature_flags, FeatureFlagFilter, NumberOrString,
@@ -316,11 +315,7 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -

    async fn _generate_invite(user: &User, conn: &DbConn) -> EmptyResult {
        if CONFIG.mail_enabled() {
-            let org_id: OrganizationId = if CONFIG.sso_enabled() {
-                FAKE_SSO_IDENTIFIER.into()
-            } else {
-                FAKE_ADMIN_UUID.into()
-            };
+            let org_id: OrganizationId = FAKE_ADMIN_UUID.to_string().into();
            let member_id: MembershipId = FAKE_ADMIN_UUID.to_string().into();
            mail::send_invite(user, org_id, member_id, &CONFIG.invitation_org_name(), None).await
        } else {
@@ -523,11 +518,7 @@ async fn resend_user_invite(user_id: UserId, _token: AdminToken, conn: DbConn) -
        }

        if CONFIG.mail_enabled() {
-            let org_id: OrganizationId = if CONFIG.sso_enabled() {
-                FAKE_SSO_IDENTIFIER.into()
-            } else {
-                FAKE_ADMIN_UUID.into()
-            };
+            let org_id: OrganizationId = FAKE_ADMIN_UUID.to_string().into();
            let member_id: MembershipId = FAKE_ADMIN_UUID.to_string().into();
            mail::send_invite(&user, org_id, member_id, &CONFIG.invitation_org_name(), None).await
        } else {
@@ -374,7 +374,7 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
    }

    if let Some(identifier) = data.org_identifier {
-        if identifier != crate::sso::FAKE_SSO_IDENTIFIER && identifier != crate::api::admin::FAKE_ADMIN_UUID {
+        if identifier != crate::sso::FAKE_IDENTIFIER && identifier != crate::api::admin::FAKE_ADMIN_UUID {
            let Some(org) = Organization::find_by_uuid(&identifier.into(), &conn).await else {
                err!("Failed to retrieve the associated organization")
            };
@@ -20,8 +20,7 @@ use crate::{
        DbConn,
    },
    mail,
-    sso::FAKE_SSO_IDENTIFIER,
-    util::{convert_json_key_lcase_first, NumberOrString},
+    util::{convert_json_key_lcase_first, get_uuid, NumberOrString},
    CONFIG,
 };

@@ -65,7 +64,6 @@ pub fn routes() -> Vec<Route> {
        post_org_import,
        list_policies,
        list_policies_token,
-        get_dummy_master_password_policy,
        get_master_password_policy,
        get_policy,
        put_policy,
@@ -355,7 +353,7 @@ async fn get_user_collections(headers: Headers, conn: DbConn) -> Json<Value> {
 // The returned `Id` will then be passed to `get_master_password_policy` which will mainly ignore it
 #[get("/organizations/<identifier>/auto-enroll-status")]
 async fn get_auto_enroll_status(identifier: &str, headers: Headers, conn: DbConn) -> JsonResult {
-    let org = if identifier == FAKE_SSO_IDENTIFIER {
+    let org = if identifier == crate::sso::FAKE_IDENTIFIER {
        match Membership::find_main_user_org(&headers.user.uuid, &conn).await {
            Some(member) => Organization::find_by_uuid(&member.org_uuid, &conn).await,
            None => None,
@@ -365,7 +363,7 @@ async fn get_auto_enroll_status(identifier: &str, headers: Headers, conn: DbConn
    };

    let (id, identifier, rp_auto_enroll) = match org {
-        None => (identifier.to_string(), identifier.to_string(), false),
+        None => (get_uuid(), identifier.to_string(), false),
        Some(org) => (
            org.uuid.to_string(),
            org.uuid.to_string(),
@@ -926,7 +924,7 @@ async fn get_org_domain_sso_verified(data: Json<OrgDomainDetails>, conn: DbConn)
        .collect::<Vec<(String, String)>>()
    {
        v if !v.is_empty() => v,
-        _ => vec![(FAKE_SSO_IDENTIFIER.to_string(), FAKE_SSO_IDENTIFIER.to_string())],
+        _ => vec![(crate::sso::FAKE_IDENTIFIER.to_string(), crate::sso::FAKE_IDENTIFIER.to_string())],
    };

    Ok(Json(json!({
@@ -1977,19 +1975,9 @@ async fn list_policies_token(org_id: OrganizationId, token: &str, conn: DbConn)
    })))
 }

-// Called during the SSO enrollment return the default policy
-#[get("/organizations/vaultwarden-dummy-oidc-identifier/policies/master-password", rank = 1)]
-fn get_dummy_master_password_policy() -> JsonResult {
-    let (enabled, data) = match CONFIG.sso_master_password_policy_value() {
-        Some(policy) if CONFIG.sso_enabled() => (true, policy.to_string()),
-        _ => (false, "null".to_string()),
-    };
-    let policy = OrgPolicy::new(FAKE_SSO_IDENTIFIER.into(), OrgPolicyType::MasterPassword, enabled, data);
-    Ok(Json(policy.to_json()))
-}
-
-// Called during the SSO enrollment return the org policy if it exists
-#[get("/organizations/<org_id>/policies/master-password", rank = 2)]
+// Called during the SSO enrollment.
+// Return the org policy if it exists, otherwise use the default one.
+#[get("/organizations/<org_id>/policies/master-password", rank = 1)]
 async fn get_master_password_policy(org_id: OrganizationId, _headers: OrgMemberHeaders, conn: DbConn) -> JsonResult {
    let policy =
        OrgPolicy::find_by_org_and_type(&org_id, OrgPolicyType::MasterPassword, &conn).await.unwrap_or_else(|| {
@@ -2004,7 +1992,7 @@ async fn get_master_password_policy(org_id: OrganizationId, _headers: OrgMemberH
    Ok(Json(policy.to_json()))
 }

-#[get("/organizations/<org_id>/policies/<pol_type>", rank = 3)]
+#[get("/organizations/<org_id>/policies/<pol_type>", rank = 2)]
 async fn get_policy(org_id: OrganizationId, pol_type: i32, headers: AdminHeaders, conn: DbConn) -> JsonResult {
    if org_id != headers.org_id {
        err!("Organization not found", "Organization id's do not match");
@@ -754,10 +754,7 @@ async fn twofactor_auth(
    }

    let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, assume the first one
-                                                                            // Ignore Remember and RecoveryCode Types during this check, these are special
-    if ![TwoFactorType::Remember as i32, TwoFactorType::RecoveryCode as i32].contains(&selected_id)
-        && !twofactor_ids.contains(&selected_id)
-    {
+    if !twofactor_ids.contains(&selected_id) {
        err_json!(
            _json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
            "Invalid two factor provider"
@@ -17,7 +17,7 @@ use crate::{
    CONFIG,
 };

-pub static FAKE_SSO_IDENTIFIER: &str = "vaultwarden-dummy-oidc-identifier";
+pub static FAKE_IDENTIFIER: &str = "VW_DUMMY_IDENTIFIER_FOR_OIDC";

 static SSO_JWT_ISSUER: LazyLock<String> = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));