mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-10-30 09:48:20 +02:00
cff6c2b3af
* Add SSO functionality using OpenID Connect Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> * Improvements and error handling * Stop rolling device token * Add playwright tests * Activate PKCE by default * Ensure result order when searching for sso_user * add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION * Toggle SSO button in scss * Base64 encode state before sending it to providers * Prevent disabled User from SSO login * Review fixes * Remove unused UserOrganization.invited_by_email * Split SsoUser::find_by_identifier_or_email * api::Accounts::verify_password add the policy even if it's ignored * Disable signups if SSO_ONLY is activated * Add verifiedDate to organizations::get_org_domain_sso_details * Review fixes * Remove OrganizationId guard from get_master_password_policy * Add wrapper type OIDCCode OIDCState OIDCIdentifier * Membership::confirm_user_invitations fix and tests * Allow set-password only if account is unitialized * Review fixes * Prevent accepting another user invitation * Log password change event on SSO account creation * Unify master password policy resolution * Upgrade openidconnect to 4.0.0 * Revert "Remove unused UserOrganization.invited_by_email" This reverts commit 548e19995e141314af98a10d170ea7371f02fab4. * Process org enrollment in accounts::post_set_password * Improve tests * Pass the claim invited_by_email in case it was not in db * Add Slack configuration hints * Fix playwright tests * Skip broken tests * Add sso identifier in admin user panel * Remove duplicate expiration check, add a log * Augment mobile refresh_token validity * Rauthy configuration hints * Fix playwright tests * Playwright upgrade and conf improvement * Playwright tests improvements * 2FA email and device creation change * Fix and improve Playwright tests * Minor improvements * Fix enforceOnLogin org policies * Run playwright sso tests against correct db * PKCE should now work with Zitadel * Playwright upgrade maildev to use MailBuffer.expect * Upgrades playwright tests deps * Check email_verified in id_token and user_info * Add sso verified endpoint for v2025.6.0 * Fix playwright tests * Create a separate sso_client * Upgrade openidconnect to 4.0.1 * Server settings for login fields toggle * Use only css for login fields * Fix playwright test * Review fix * More review fix * Perform same checks when setting kdf --------- Co-authored-by: Felix Eckhofer <felix@eckhofer.com> Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> Co-authored-by: Timshel <timshel@480s>
122 lines
4.7 KiB
TypeScript
122 lines
4.7 KiB
TypeScript
import { test, expect, type TestInfo } from '@playwright/test';
|
|
import { MailDev } from 'maildev';
|
|
|
|
import * as utils from "../global-utils";
|
|
import * as orgs from './setups/orgs';
|
|
import { logNewUser, logUser } from './setups/sso';
|
|
|
|
let users = utils.loadEnv();
|
|
|
|
let mailServer, mail1Buffer, mail2Buffer, mail3Buffer;
|
|
|
|
test.beforeAll('Setup', async ({ browser }, testInfo: TestInfo) => {
|
|
mailServer = new MailDev({
|
|
port: process.env.MAILDEV_SMTP_PORT,
|
|
web: { port: process.env.MAILDEV_HTTP_PORT },
|
|
})
|
|
|
|
await mailServer.listen();
|
|
|
|
await utils.startVault(browser, testInfo, {
|
|
SMTP_HOST: process.env.MAILDEV_HOST,
|
|
SMTP_FROM: process.env.PW_SMTP_FROM,
|
|
SSO_ENABLED: true,
|
|
SSO_ONLY: true,
|
|
});
|
|
|
|
mail1Buffer = mailServer.buffer(users.user1.email);
|
|
mail2Buffer = mailServer.buffer(users.user2.email);
|
|
mail3Buffer = mailServer.buffer(users.user3.email);
|
|
});
|
|
|
|
test.afterAll('Teardown', async ({}) => {
|
|
utils.stopVault();
|
|
[mail1Buffer, mail2Buffer, mail3Buffer, mailServer].map((m) => m?.close());
|
|
});
|
|
|
|
test('Create user3', async ({ page }) => {
|
|
await logNewUser(test, page, users.user3, { mailBuffer: mail3Buffer });
|
|
});
|
|
|
|
test('Invite users', async ({ page }) => {
|
|
await logNewUser(test, page, users.user1, { mailBuffer: mail1Buffer });
|
|
|
|
await orgs.create(test, page, '/Test');
|
|
await orgs.members(test, page, '/Test');
|
|
await orgs.invite(test, page, '/Test', users.user2.email);
|
|
await orgs.invite(test, page, '/Test', users.user3.email);
|
|
});
|
|
|
|
test('invited with new account', async ({ page }) => {
|
|
const link = await test.step('Extract email link', async () => {
|
|
const invited = await mail2Buffer.expect((m) => m.subject === "Join /Test");
|
|
await page.setContent(invited.html);
|
|
return await page.getByTestId("invite").getAttribute("href");
|
|
});
|
|
|
|
await test.step('Redirect to Keycloak', async () => {
|
|
await page.goto(link);
|
|
});
|
|
|
|
await test.step('Keycloak login', async () => {
|
|
await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
|
|
await page.getByLabel(/Username/).fill(users.user2.name);
|
|
await page.getByLabel('Password', { exact: true }).fill(users.user2.password);
|
|
await page.getByRole('button', { name: 'Sign In' }).click();
|
|
});
|
|
|
|
await test.step('Create Vault account', async () => {
|
|
await expect(page.getByRole('heading', { name: 'Join organisation' })).toBeVisible();
|
|
await page.getByLabel('New master password (required)', { exact: true }).fill(users.user2.password);
|
|
await page.getByLabel('Confirm new master password (').fill(users.user2.password);
|
|
await page.getByRole('button', { name: 'Create account' }).click();
|
|
});
|
|
|
|
await test.step('Default vault page', async () => {
|
|
await expect(page).toHaveTitle(/Vaultwarden Web/);
|
|
|
|
await utils.checkNotification(page, 'Account successfully created!');
|
|
await utils.checkNotification(page, 'Invitation accepted');
|
|
});
|
|
|
|
await test.step('Check mails', async () => {
|
|
await mail2Buffer.expect((m) => m.subject.includes("New Device Logged"));
|
|
await mail1Buffer.expect((m) => m.subject === "Invitation to /Test accepted");
|
|
});
|
|
});
|
|
|
|
test('invited with existing account', async ({ page }) => {
|
|
const link = await test.step('Extract email link', async () => {
|
|
const invited = await mail3Buffer.expect((m) => m.subject === "Join /Test");
|
|
await page.setContent(invited.html);
|
|
return await page.getByTestId("invite").getAttribute("href");
|
|
});
|
|
|
|
await test.step('Redirect to Keycloak', async () => {
|
|
await page.goto(link);
|
|
});
|
|
|
|
await test.step('Keycloak login', async () => {
|
|
await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
|
|
await page.getByLabel(/Username/).fill(users.user3.name);
|
|
await page.getByLabel('Password', { exact: true }).fill(users.user3.password);
|
|
await page.getByRole('button', { name: 'Sign In' }).click();
|
|
});
|
|
|
|
await test.step('Unlock vault', async () => {
|
|
await expect(page).toHaveTitle('Vaultwarden Web');
|
|
await page.getByLabel('Master password').fill(users.user3.password);
|
|
await page.getByRole('button', { name: 'Unlock' }).click();
|
|
});
|
|
|
|
await test.step('Default vault page', async () => {
|
|
await expect(page).toHaveTitle(/Vaultwarden Web/);
|
|
await utils.checkNotification(page, 'Invitation accepted');
|
|
});
|
|
|
|
await test.step('Check mails', async () => {
|
|
await mail3Buffer.expect((m) => m.subject.includes("New Device Logged"));
|
|
await mail1Buffer.expect((m) => m.subject === "Invitation to /Test accepted");
|
|
});
|
|
});
|