Skip to content

Grant Access via WebApp #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
overheadhunter merged 53 commits into from
Aug 11, 2021
Merged

Grant Access via WebApp #1

overheadhunter merged 53 commits into from
Aug 11, 2021

Conversation

@overheadhunter
Copy link
Member

@overheadhunter overheadhunter commented Aug 11, 2021

This completes the unlock workflow by computing and storing a device-specific masterkey, i.e. the vault owner re-encrypts the masterkey using the public key of a certain trusted device.

The public key gets stored on first contact of the device (further device verification may be added later).

During unlock the device retrieves the key from via a callback URL which it will listen to on localhost (compatable to RFC 8252 section 7.3).

SailReal and others added 30 commits August 2, 2021 20:31
@SailReal
WIP add database and REST-interface
af6abd1
@SailReal
Enhance vault and device resource and fix PUT-test
06fc9e4
@SailReal
Set ID of user 'owner' to run tests without changes
c3399b0
@SailReal
Merge branch 'main' into feature/add-db-and-rest-interface
9beae7b
@SailReal
Create test-vault from TypeScript
8bd4030
@SailReal
Switch to iterations in vault because PBKDF2 is used instead of scrypt
904adc9
@SailReal
Provide uuid of vault while creation as path variable
40b134f
@overheadhunter
Merge branch 'feature/add-db-and-rest-interface' into develop
4969df5
@overheadhunter
adjusted folder strucuture for vue.js
77be59e
@overheadhunter
tslint → eslint
346cae3
@overheadhunter
adjust linter
f5daaac
@overheadhunter
added vue-router
eebb17d
@overheadhunter
adjust linter
ea9ab66
@overheadhunter
* always require login (via router)
f9b7ad4 
* created "create vault" component
@overheadhunter
no longer used
b1b5694
@overheadhunter
ignore the contents, not the folder
87cde34
@overheadhunter
Merge branch 'feature/vue-ui-poc' into develop
3204235
@overheadhunter
cleanup
e17186a
@overheadhunter
allow cross-origin requests during dev
2de2e92
@overheadhunter
don't use web history api
b1b9086 
until we solve server-side redirects to index.html
@SailReal
Enhance dev mode of backend
abc55d6 
* Separate db of development/testing and production
* Remove static uuid of admin in production but instead use a separate keycloak config file for development
@overheadhunter
improve login/logout
52b1035
@SailReal
Refresh token as long as the session is valid otherwise we get 401 error
02369d2 
If the user is still authenticated but the session token is expired, we get 401 status codes when executing requests. We need to refresh the token as long as we allowed until the user is logged out. 

For more details see https://stackoverflow.com/questions/43422542/keycloak-js-automatic-token-refesh
@overheadhunter
use axios request interceptor to add Authorization header
91bc02f
@overheadhunter
renamed some crypto classes and added unit tests
68e7c7d
@overheadhunter
cleanup
d1653f6
@overheadhunter
add user service
f964329
@overheadhunter
add some actual public keys
f0f2470
@overheadhunter
retrieve devices from backend
5bc323d
@overheadhunter
encrypt a masterkey for a single device (prototype)
ac0a6f0
SailReal and others added 23 commits August 6, 2021 13:13
@SailReal
Show alert when vault creation was successful
fefe325
@SailReal
WIP create device
69ee4d7
@overheadhunter
persist key when granting access
9359e7c
@SailReal
Reformat code: use tabs instead of spaces
f073849
@SailReal
Merge branch 'develop' into feature/access-list
1936462
@SailReal
Minor refactoring
b24f882
@SailReal
Minor refactoring 2.0
298cfa4
@overheadhunter
allow user interaction during certain states of the unlock workflow
9d31729
@SailReal
Return 404 when vault or device doesn't exists while creating access
13a8196
@SailReal
Option to download vault folder after creation
30cd769
@overheadhunter
add additional field to Access entity
05ff079
@overheadhunter
first attempt to pass masterkey to client after successful authentica…
7ae1105 
…tion
@overheadhunter
use correct masterkey during access grant workflow
16879c1
@overheadhunter
fix compatibility issue, reduce scope of key material
bbea984
@SailReal
Create root folder structure using AES-SIV in zipped export
cd8bb88
@SailReal
Use common lib for base32 and base64 encoding
32a50a2
@SailReal
Fix build by switching to correct base64url-impl in VaultDetauls too
e86bc36
@overheadhunter
revoke access
dcd4ad3
@overheadhunter
Switching to P-384 + X9.63 KDF SHA-256 + AES-GCM
e2b18a7
@overheadhunter
hash encrypted dir id to bring it to uniform length
670f49c
@overheadhunter
adjust tests
046cc01
@overheadhunter
stop being fancy
101d68a 
[ci skip]
@SailReal
Fix hashDirectoryId, SIV lib requires macKey before encKey
32e609f
@overheadhunter overheadhunter merged commit 5a13f6b into main Aug 11, 2021
@overheadhunter overheadhunter deleted the feature/access-list branch August 11, 2021 14:13
sonatype-lift[bot]
sonatype-lift bot reviewed Aug 11, 2021
View reviewed changes
web/src/common/util.ts
*/
export function uuid(): string {
return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
var r = Math.random() * 16 | 0, v = c == 'x' ? r : (r & 0x3 | 0x8);
Copy link

@sonatype-lift sonatype-lift bot Aug 11, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

opt.semgrep.node_insecure_random_generator: crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
(at-me in a reply with help or ignore)

Copy link
Member Author

@overheadhunter overheadhunter Aug 11, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sonatype-lift ignore

this uuid is just used to create vault ids, which aren't involved in anything security-related

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@overheadhunter @SailReal