topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3062 Commits
4 Branches
84 Tags
18 MiB
 
 
 
 
 
 
Tree: 58bbc2d533
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '58bbc2d533'
${ noResults }
vaultwarden/playwright/tests/setups/sso.ts

140 lines
6.1 KiB
Raw Blame History

import { expect, type Page, Test } from '@playwright/test';
import { type MailBuffer, MailServer } from 'maildev';
import * as utils from '../../global-utils';
import { submitTwoFactor, type TwoFactor } from './2fa';
import { fillNewMasterPassword } from './user';
/**
* If a MailBuffer is passed it will be used and consume the expected emails
*/
export async function logNewUser(
test: Test,
page: Page,
user: { email: string, name: string, password: string },
options: { mailBuffer?: MailBuffer } = {}
) {
await test.step(`Create user ${user.name}`, async () => {
await page.context().clearCookies();
await test.step('Landing page', async () => {
await utils.cleanLanding(page);
await page.locator("input[type=email].vw-email-sso").fill(user.email);
await page.getByRole('button', { name: /Use single sign-on/ }).click();
});
await test.step('Keycloak login', async () => {
await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
await page.getByLabel(/Username/).fill(user.name);
await page.getByLabel('Password', { exact: true }).fill(user.password);
await page.getByRole('button', { name: 'Sign In' }).click();
});
await test.step('Create Vault account', async () => {
// Heading spelling tracks the active locale: `en` ("organization")
// vs. `en_GB` ("organisation"). Both project variants use this
// helper, so accept either.
await expect(page.getByRole('heading', { name: /Join organi[sz]ation/ })).toBeVisible();
await fillNewMasterPassword(page, user.password);
await page.getByRole('button', { name: 'Create account' }).click();
});
await utils.checkNotification(page, 'Account successfully created!');
await utils.checkNotification(page, 'Invitation accepted');
await utils.ignoreExtension(page);
await test.step('Default vault page', async () => {
await expect(page).toHaveTitle(/Vaultwarden Web/);
await expect(page.getByTitle('All vaults', { exact: true })).toBeVisible();
});
if( options.mailBuffer ){
let mailBuffer = options.mailBuffer;
await test.step('Check emails', async () => {
await mailBuffer.expect((m) => m.subject === "Welcome");
await mailBuffer.expect((m) => m.subject.includes("New Device Logged"));
});
}
});
}
/**
* If a MailBuffer is passed it will be used and consume the expected emails
*/
export async function logUser(
test: Test,
page: Page,
user: { email: string, password: string },
options: {
mailBuffer?: MailBuffer,
twoFactor?: TwoFactor,
// Override for the Keycloak password when the vault MP and the
// SSO-provider credential have diverged (e.g. after a master-
// password rotation in vw, where Keycloak's stored credential
// is unaffected). Defaults to `user.password` — the common case.
kcPassword?: string,
} = {}
) {
let mailBuffer = options.mailBuffer;
await test.step(`Log user ${user.email}`, async () => {
await page.context().clearCookies();
await test.step('Landing page', async () => {
await utils.cleanLanding(page);
await page.locator("input[type=email].vw-email-sso").fill(user.email);
await page.getByRole('button', { name: /Use single sign-on/ }).click();
});
await test.step('Keycloak login', async () => {
await expect(page.getByRole('heading', { name: 'Sign in to your account' })).toBeVisible();
await page.getByLabel(/Username/).fill(user.name);
await page.getByLabel('Password', { exact: true }).fill(options.kcPassword ?? user.password);
await page.getByRole('button', { name: 'Sign In' }).click();
});
if( options.twoFactor ){
await submitTwoFactor(test, page, options.twoFactor);
}
await test.step('Unlock vault', async () => {
// After SSO + (optional) 2FA, the bundled web vault routes to
// `/#/lock?promptBiometric=true`. When a PRF passkey is
// enrolled and the user's authenticator can satisfy the
// assertion, the lock screen auto-fires
// `navigator.credentials.get()` on mount and the SPA unwraps
// the user key without manual interaction — the page lands on
// /#/vault directly. If no PRF credential is available (or it
// can't satisfy UV), the lock screen waits for MP. Accept
// either landing so this helper works for both shapes; the
// Default-vault-page step below pins the final state either way.
await page.waitForURL(/#\/(lock|vault|setup-extension)\b/, { timeout: 30_000 });
if (page.url().includes('#/lock')) {
await expect(page).toHaveTitle('Vaultwarden Web');
await expect(page.getByRole('heading', { name: 'Your vault is locked' })).toBeVisible();
await page.getByLabel('Master password').fill(user.password);
// `exact: true` because the lock screen surfaces an additional
// "Unlock with passkey" button when the user has a PRF-capable
// credential enrolled; a substring "Unlock" match would resolve
// to two elements and Playwright's strict mode would throw.
await page.getByRole('button', { name: 'Unlock', exact: true }).click();
}
});
await utils.ignoreExtension(page);
await test.step('Default vault page', async () => {
await expect(page).toHaveTitle(/Vaultwarden Web/);
await expect(page.getByTitle('All vaults', { exact: true })).toBeVisible();
});
if( mailBuffer ){
await test.step('Check email', async () => {
await mailBuffer.expect((m) => m.subject.includes("New Device Logged"));
});
}
});
}