mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-10 06:55:10 +00:00
4f0dadbf38
After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-builda08b3a4d19
.tar.gz \ --argstr baseRevb32a094368
result/bin/apply-formatting $NIXPKGS_PATH
247 lines
8.9 KiB
Nix
247 lines
8.9 KiB
Nix
# These tests will:
|
|
# * Set up a vaultwarden server
|
|
# * Have Firefox use the web vault to create an account, log in, and save a password to the vault
|
|
# * Have the bw cli log in and read that password from the vault
|
|
#
|
|
# Note that Firefox must be on the same machine as the server for WebCrypto APIs to be available (or HTTPS must be configured)
|
|
#
|
|
# The same tests should work without modification on the official bitwarden server, if we ever package that.
|
|
|
|
let
|
|
makeVaultwardenTest =
|
|
name:
|
|
{
|
|
backend ? name,
|
|
withClient ? true,
|
|
testScript ? null,
|
|
}:
|
|
import ./make-test-python.nix (
|
|
{ lib, pkgs, ... }:
|
|
let
|
|
dbPassword = "please_dont_hack";
|
|
userEmail = "meow@example.com";
|
|
userPassword = "also_super_secret_ZJWpBKZi668QGt"; # Must be complex to avoid interstitial warning on the signup page
|
|
storedPassword = "seeeecret";
|
|
|
|
testRunner =
|
|
pkgs.writers.writePython3Bin "test-runner"
|
|
{
|
|
libraries = [ pkgs.python3Packages.selenium ];
|
|
flakeIgnore = [ "E501" ];
|
|
}
|
|
''
|
|
|
|
from selenium.webdriver.common.by import By
|
|
from selenium.webdriver import Firefox
|
|
from selenium.webdriver.firefox.options import Options
|
|
from selenium.webdriver.support.ui import WebDriverWait
|
|
from selenium.webdriver.support import expected_conditions as EC
|
|
|
|
options = Options()
|
|
options.add_argument('--headless')
|
|
driver = Firefox(options=options)
|
|
|
|
driver.implicitly_wait(20)
|
|
driver.get('http://localhost:8080/#/register')
|
|
|
|
wait = WebDriverWait(driver, 10)
|
|
|
|
wait.until(EC.title_contains("Vaultwarden Web"))
|
|
|
|
driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_email').send_keys(
|
|
'${userEmail}'
|
|
)
|
|
driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_name').send_keys(
|
|
'A Cat'
|
|
)
|
|
driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_master-password').send_keys(
|
|
'${userPassword}'
|
|
)
|
|
driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_confirm-master-password').send_keys(
|
|
'${userPassword}'
|
|
)
|
|
if driver.find_element(By.CSS_SELECTOR, 'input#checkForBreaches').is_selected():
|
|
driver.find_element(By.CSS_SELECTOR, 'input#checkForBreaches').click()
|
|
|
|
driver.find_element(By.XPATH, "//button[contains(., 'Create account')]").click()
|
|
|
|
wait.until_not(EC.title_contains("Create account"))
|
|
|
|
driver.find_element(By.XPATH, "//button[contains(., 'Continue')]").click()
|
|
|
|
driver.find_element(By.CSS_SELECTOR, 'input#login_input_master-password').send_keys(
|
|
'${userPassword}'
|
|
)
|
|
driver.find_element(By.XPATH, "//button[contains(., 'Log in')]").click()
|
|
|
|
wait.until(EC.title_contains("Vaults"))
|
|
|
|
driver.find_element(By.XPATH, "//button[contains(., 'New item')]").click()
|
|
|
|
driver.find_element(By.CSS_SELECTOR, 'input#name').send_keys(
|
|
'secrets'
|
|
)
|
|
driver.find_element(By.CSS_SELECTOR, 'input#loginPassword').send_keys(
|
|
'${storedPassword}'
|
|
)
|
|
|
|
driver.find_element(By.XPATH, "//button[contains(., 'Save')]").click()
|
|
'';
|
|
in
|
|
{
|
|
inherit name;
|
|
|
|
meta = {
|
|
maintainers = with pkgs.lib.maintainers; [
|
|
dotlambda
|
|
SuperSandro2000
|
|
];
|
|
};
|
|
|
|
nodes =
|
|
{
|
|
server =
|
|
{ pkgs, ... }:
|
|
lib.mkMerge [
|
|
{
|
|
mysql = {
|
|
services.mysql = {
|
|
enable = true;
|
|
initialScript = pkgs.writeText "mysql-init.sql" ''
|
|
CREATE DATABASE bitwarden;
|
|
CREATE USER 'bitwardenuser'@'localhost' IDENTIFIED BY '${dbPassword}';
|
|
GRANT ALL ON `bitwarden`.* TO 'bitwardenuser'@'localhost';
|
|
FLUSH PRIVILEGES;
|
|
'';
|
|
package = pkgs.mariadb;
|
|
};
|
|
|
|
services.vaultwarden.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden";
|
|
|
|
systemd.services.vaultwarden.after = [ "mysql.service" ];
|
|
};
|
|
|
|
postgresql = {
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureDatabases = [ "vaultwarden" ];
|
|
ensureUsers = [
|
|
{
|
|
name = "vaultwarden";
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
services.vaultwarden.config.databaseUrl = "postgresql:///vaultwarden?host=/run/postgresql";
|
|
|
|
systemd.services.vaultwarden.after = [ "postgresql.service" ];
|
|
};
|
|
|
|
sqlite = {
|
|
services.vaultwarden.backupDir = "/srv/backups/vaultwarden";
|
|
|
|
environment.systemPackages = [ pkgs.sqlite ];
|
|
};
|
|
}
|
|
.${backend}
|
|
|
|
{
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
dbBackend = backend;
|
|
config = {
|
|
rocketAddress = "::";
|
|
rocketPort = 8080;
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 8080 ];
|
|
|
|
environment.systemPackages = [
|
|
pkgs.firefox-unwrapped
|
|
pkgs.geckodriver
|
|
testRunner
|
|
];
|
|
}
|
|
];
|
|
}
|
|
// lib.optionalAttrs withClient {
|
|
client =
|
|
{ pkgs, ... }:
|
|
{
|
|
environment.systemPackages = [ pkgs.bitwarden-cli ];
|
|
};
|
|
};
|
|
|
|
testScript =
|
|
if testScript != null then
|
|
testScript
|
|
else
|
|
''
|
|
start_all()
|
|
server.wait_for_unit("vaultwarden.service")
|
|
server.wait_for_open_port(8080)
|
|
|
|
with subtest("configure the cli"):
|
|
client.succeed("bw --nointeraction config server http://server:8080")
|
|
|
|
with subtest("can't login to nonexistent account"):
|
|
client.fail(
|
|
"bw --nointeraction --raw login ${userEmail} ${userPassword}"
|
|
)
|
|
|
|
with subtest("use the web interface to sign up, log in, and save a password"):
|
|
server.succeed("PYTHONUNBUFFERED=1 systemd-cat -t test-runner test-runner")
|
|
|
|
with subtest("log in with the cli"):
|
|
key = client.succeed(
|
|
"bw --nointeraction --raw login ${userEmail} ${userPassword}"
|
|
).strip()
|
|
|
|
with subtest("sync with the cli"):
|
|
client.succeed(f"bw --nointeraction --raw --session {key} sync -f")
|
|
|
|
with subtest("get the password with the cli"):
|
|
password = client.wait_until_succeeds(
|
|
f"bw --nointeraction --raw --session {key} list items | ${pkgs.jq}/bin/jq -r .[].login.password",
|
|
timeout=60
|
|
)
|
|
assert password.strip() == "${storedPassword}"
|
|
|
|
with subtest("Check systemd unit hardening"):
|
|
server.log(server.succeed("systemd-analyze security vaultwarden.service | grep -v ✓"))
|
|
'';
|
|
}
|
|
);
|
|
in
|
|
builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
|
|
mysql = { };
|
|
postgresql = { };
|
|
sqlite = { };
|
|
sqlite-backup = {
|
|
backend = "sqlite";
|
|
withClient = false;
|
|
|
|
testScript = ''
|
|
start_all()
|
|
server.wait_for_unit("vaultwarden.service")
|
|
server.wait_for_open_port(8080)
|
|
|
|
with subtest("Set up vaultwarden"):
|
|
server.succeed("PYTHONUNBUFFERED=1 test-runner | systemd-cat -t test-runner")
|
|
|
|
with subtest("Run the backup script"):
|
|
server.start_job("backup-vaultwarden.service")
|
|
|
|
with subtest("Check that backup exists"):
|
|
server.succeed('[ -d "/srv/backups/vaultwarden" ]')
|
|
server.succeed('[ -f "/srv/backups/vaultwarden/db.sqlite3" ]')
|
|
server.succeed('[ -d "/srv/backups/vaultwarden/attachments" ]')
|
|
server.succeed('[ -f "/srv/backups/vaultwarden/rsa_key.pem" ]')
|
|
# Ensure only the db backed up with the backup command exists and not the other db files.
|
|
server.succeed('[ ! -f "/srv/backups/vaultwarden/db.sqlite3-shm" ]')
|
|
'';
|
|
};
|
|
}
|