path: root/nixos/tests/vaultwarden.nix

# These tests will:
#  * Set up a vaultwarden server
#  * Have Firefox use the web vault to create an account, log in, and save a password to the vault
#  * Have the bw cli log in and read that password from the vault
#
# Note that Firefox must be on the same machine as the server for WebCrypto APIs to be available (or HTTPS must be configured)
#
# The same tests should work without modification on the official bitwarden server, if we ever package that.

let
  makeVaultwardenTest = name: {
    backend ? name,
    withClient ? true,
    testScript ? null,
  }: import ./make-test-python.nix ({ lib, pkgs, ...}: let
    dbPassword = "please_dont_hack";
    userEmail = "meow@example.com";
    userPassword = "also_super_secret_ZJWpBKZi668QGt"; # Must be complex to avoid interstitial warning on the signup page
    storedPassword = "seeeecret";

    testRunner = pkgs.writers.writePython3Bin "test-runner" {
      libraries = [ pkgs.python3Packages.selenium ];
      flakeIgnore = [  "E501" ];
    } ''

      from selenium.webdriver.common.by import By
      from selenium.webdriver import Firefox
      from selenium.webdriver.firefox.options import Options
      from selenium.webdriver.support.ui import WebDriverWait
      from selenium.webdriver.support import expected_conditions as EC

      options = Options()
      options.add_argument('--headless')
      driver = Firefox(options=options)

      driver.implicitly_wait(20)
      driver.get('http://localhost:8080/#/register')

      wait = WebDriverWait(driver, 10)

      wait.until(EC.title_contains("Vaultwarden Web"))

      driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_email').send_keys(
          '${userEmail}'
      )
      driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_name').send_keys(
          'A Cat'
      )
      driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_master-password').send_keys(
          '${userPassword}'
      )
      driver.find_element(By.CSS_SELECTOR, 'input#register-form_input_confirm-master-password').send_keys(
          '${userPassword}'
      )
      if driver.find_element(By.CSS_SELECTOR, 'input#checkForBreaches').is_selected():
          driver.find_element(By.CSS_SELECTOR, 'input#checkForBreaches').click()

      driver.find_element(By.XPATH, "//button[contains(., 'Create account')]").click()

      wait.until_not(EC.title_contains("Create account"))

      driver.find_element(By.XPATH, "//button[contains(., 'Continue')]").click()

      driver.find_element(By.CSS_SELECTOR, 'input#login_input_master-password').send_keys(
          '${userPassword}'
      )
      driver.find_element(By.XPATH, "//button[contains(., 'Log in')]").click()

      wait.until(EC.title_contains("Vaults"))

      driver.find_element(By.XPATH, "//button[contains(., 'New item')]").click()

      driver.find_element(By.CSS_SELECTOR, 'input#name').send_keys(
          'secrets'
      )
      driver.find_element(By.CSS_SELECTOR, 'input#loginPassword').send_keys(
          '${storedPassword}'
      )

      driver.find_element(By.XPATH, "//button[contains(., 'Save')]").click()
    '';
  in {
    inherit name;

    meta = {
      maintainers = with pkgs.lib.maintainers; [ dotlambda SuperSandro2000 ];
    };

    nodes = {
      server = { pkgs, ... }: lib.mkMerge [
        {
          mysql = {
            services.mysql = {
              enable = true;
              initialScript = pkgs.writeText "mysql-init.sql" ''
                CREATE DATABASE bitwarden;
                CREATE USER 'bitwardenuser'@'localhost' IDENTIFIED BY '${dbPassword}';
                GRANT ALL ON `bitwarden`.* TO 'bitwardenuser'@'localhost';
                FLUSH PRIVILEGES;
              '';
              package = pkgs.mariadb;
            };

            services.vaultwarden.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden";

            systemd.services.vaultwarden.after = [ "mysql.service" ];
          };

          postgresql = {
            services.postgresql = {
              enable = true;
              ensureDatabases = [ "vaultwarden" ];
              ensureUsers = [{
                name = "vaultwarden";
                ensureDBOwnership = true;
              }];
            };

            services.vaultwarden.config.databaseUrl = "postgresql:///vaultwarden?host=/run/postgresql";

            systemd.services.vaultwarden.after = [ "postgresql.service" ];
          };

          sqlite = {
            services.vaultwarden.backupDir = "/var/lib/vaultwarden/backups";

            environment.systemPackages = [ pkgs.sqlite ];
          };
        }.${backend}

        {
          services.vaultwarden = {
            enable = true;
            dbBackend = backend;
            config = {
              rocketAddress = "0.0.0.0";
              rocketPort = 8080;
            };
          };

          networking.firewall.allowedTCPPorts = [ 8080 ];

          environment.systemPackages = [ pkgs.firefox-unwrapped pkgs.geckodriver testRunner ];
        }
      ];
    } // lib.optionalAttrs withClient {
      client = { pkgs, ... }: {
        environment.systemPackages = [ pkgs.bitwarden-cli ];
      };
    };

    testScript = if testScript != null then testScript else ''
      start_all()
      server.wait_for_unit("vaultwarden.service")
      server.wait_for_open_port(8080)

      with subtest("configure the cli"):
          client.succeed("bw --nointeraction config server http://server:8080")

      with subtest("can't login to nonexistent account"):
          client.fail(
              "bw --nointeraction --raw login ${userEmail} ${userPassword}"
          )

      with subtest("use the web interface to sign up, log in, and save a password"):
          server.succeed("PYTHONUNBUFFERED=1 systemd-cat -t test-runner test-runner")

      with subtest("log in with the cli"):
          key = client.succeed(
              "bw --nointeraction --raw login ${userEmail} ${userPassword}"
          ).strip()

      with subtest("sync with the cli"):
          client.succeed(f"bw --nointeraction --raw --session {key} sync -f")

      with subtest("get the password with the cli"):
          password = client.wait_until_succeeds(
              f"bw --nointeraction --raw --session {key} list items | ${pkgs.jq}/bin/jq -r .[].login.password",
              timeout=60
          )
          assert password.strip() == "${storedPassword}"

      with subtest("Check systemd unit hardening"):
          server.log(server.succeed("systemd-analyze security vaultwarden.service | grep -v ✓"))
    '';
  });
in
builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
  mysql = {};
  postgresql = {};
  sqlite = {};
  sqlite-backup = {
    backend = "sqlite";
    withClient = false;

    testScript = ''
      start_all()
      server.wait_for_unit("vaultwarden.service")
      server.wait_for_open_port(8080)

      with subtest("Set up vaultwarden"):
          server.succeed("PYTHONUNBUFFERED=1 test-runner | systemd-cat -t test-runner")

      with subtest("Run the backup script"):
          server.start_job("backup-vaultwarden.service")

      with subtest("Check that backup exists"):
          server.succeed('[ -d "/var/lib/vaultwarden/backups" ]')
          server.succeed('[ -f "/var/lib/vaultwarden/backups/db.sqlite3" ]')
          server.succeed('[ -d "/var/lib/vaultwarden/backups/attachments" ]')
          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pem" ]')
          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pub.pem" ]')
          # Ensure only the db backed up with the backup command exists and not the other db files.
          server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-shm" ]')
    '';
  };
}