-
-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactored access management #207
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/api/vaults/{vaultId}/user-tokens/me /api/users/me/device-tokens/{deviceId}
(so a device can be registered at t0 and verified at t1)
…h upgrade experience
If a field must not be null, use @NotNull additionally. The one must not imply the other.
it doesn't work yet but it's probably close
…ing-access-grant (#201)
tobihagemann
requested changes
Jul 11, 2023
backend/src/main/java/org/cryptomator/hub/api/DeviceResource.java
Outdated
Show resolved
Hide resolved
# Conflicts: # backend/src/main/java/org/cryptomator/hub/api/VaultResource.java # frontend/src/common/backend.ts # frontend/src/components/VaultList.vue # frontend/src/i18n/de-DE.json # frontend/src/i18n/en-US.json
[ci skip]
…ration with version 11` after merging from develop
tobihagemann
requested changes
Jul 13, 2023
backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
Outdated
Show resolved
Hide resolved
# Conflicts: # backend/src/main/java/org/cryptomator/hub/api/VaultResource.java # backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java # backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql # frontend/src/common/backend.ts
[build image]
# Conflicts: # backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java # backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
[ci skip]
tobihagemann
approved these changes
Jul 28, 2023
6 tasks
# Conflicts: # frontend/src/common/jwe.ts # frontend/test/common/jwe.spec.ts
# Conflicts: # backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java # backend/src/main/java/org/cryptomator/hub/api/VaultResource.java # backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java # frontend/src/common/backend.ts # frontend/src/components/VaultDetails.vue # frontend/src/i18n/en-US.json
See quarkusio/quarkus#35386 for further information [build image]
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the first part of a series of PRs, which simplify access management.
Introduction of User Key Pairs
We formerly only had Device Key Pairs. Vault keys have been shared with devices directly. This meant that the Vault Owner who is in possession of the vault keys had to re-run the key distribution (via the "Update Permissions") button, every time a new device required access to the vault.
Now, we added User Key Pairs. Vault keys are now shared with the user. Each user will self-manage his or her devices. The device key pair does still exist and is required to decrypt the user's private key.
Updated Entity Model
Unlock Procedure
Due to the introduction of an intermediary key, an unlock operation requires to
/api/vaults/{vaultId}/access-token
(response body is a ECDH-ES JWE)/api/devices/{deviceId}
(response body contains a JSON. attributeuserPrivateKey
contains ECDH-ES JWE)We still keep the legacy API endpoint (
/api/vaults/{vaultId}/keys/{deviceId}
) for compatibility reasons for a while. However it will only work for existing data. Any newly registered device can only be unlocked using the new workflow.Device Management
On the profile page, users can see their own devices. In order to add a new device, a Setup Code (here called "Personal Hub Secret", tbd) is required. This code is a secret required to unwrap the user's private key in order to re-wrap it using the device's public key. Once the device is set up, its private key will allow to access the user's private key.
The Setup Code can be access and changed any time by any fully set up device.
This fixes #189
First Device
The browser used to log in to Hub is now also considered a device and a Device Key Pair is generated and stored by the browser as well. The user will be prompted to name the browser accordingly (for identifying the browser, if they decide to revoke access from it later).
The first device from which a login succeeds will also be responsible for generating the User Key Pair together with the Setup Code.
The user's private key is then encrypted in JWE format with a) the device's public key (using an ECDH-ES) and b) using the setup code (using PBES2). The setup code in return is encrypted as an JWE using the user's private key (ECDH-ES again). This ensures that any authenticated device has access to the user's key pair and can thus decrypt the setup code again. Also, the setup code can be used to decrypt the user's key pair when setting up a new device.
Vault Ownership
We used to use the Vault Admin Password to protect a vault from being edited by anyone. Instead we will now use role-based permissions. The creator of a vault is the initial owner. Further owners can be added at a later time. Any owner has full administrative access to a vault (e.g. for adding members).
The Vault Admin Password will be removed in a follow-up PR (as this one is already bursting).
Other
Device.publicKey
is now base64-encoded (used to be base64url for some reason)Device.user_privateKey
is now non-null, i.e. if a device exists, we can be sure it is able to access the user's key pairOpen Questions
Next Steps
Remove Vault Admin Passwordsee DeprecateVault Admin Password
#209Add Claim Vault Ownership button (for migrating old data that still uses the vault admin password)see Migrate former "Vault Admin" toOWNER
role #210WoT for user keys ("verify users")see Sign User's Keys #190Warning in "grant access" dialog, if granting access to unverified userssee Verify Trust Level During Access Grant #191Add Reset User Account feature (re-roll user key pair, keep devices, losing key signatures and vault access)see Reset User Account #208