Get AWS-STS back to work again, update documentation (#10 #23).

shift7-ch · Dec 14, 2023 · 3353fc0 · 3353fc0
1 parent 52fe3d8
commit 3353fc0
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 52 deletions.
diff --git a/backend/CIPHERDUCK.md b/backend/CIPHERDUCK.md
@@ -83,61 +83,64 @@ AWS
 Documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
 
 ```shell
-openssl s_client -servername login1.staging.cryptomator.cloud -showcerts -connect login1.staging.cryptomator.cloud:443
+openssl s_client -servername testing.hub.cryptomator.org -showcerts -connect testing.hub.cryptomator.org:443 > testing.hub.cryptomator.org.crt
 
-cat login1.staging.cryptomator.cloud.crt
+vi testing.hub.cryptomator.org.crt ...
+
+cat testing.hub.cryptomator.org.crt
 -----BEGIN CERTIFICATE-----
-MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
-ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
-wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
-LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
-4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
-bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
-sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
-Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
-FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
-SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
-PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
-TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
-SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
-c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
-+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
-ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
-b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
-U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
-MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
-5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
-9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
-WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
-he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
-Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
 -----END CERTIFICATE-----
 
-openssl x509 -in login1.staging.cryptomator.cloud.crt -fingerprint -sha1 -noout | sed -e 's/://g' | sed -e 's/SHA1 Fingerprint=//'
-933C6DDEE95C9C41A40F9F50493D82BE03AD87BF
 
-aws iam create-open-id-connect-provider --url https://testing.hub.cryptomator.org/kc/realms/cipherduck/ --client-id-list cryptomator   --thumbprint-list DEF08E0D6AC5577D3436E4D6AA8E9F13721B00DD
+openssl x509 -in testing.hub.cryptomator.org.crt -fingerprint -sha1 -noout | sed -e 's/://g' | sed -e 's/[Ss][Hh][Aa]1 [Ff]ingerprint=//'
+A053375BFE84E8B748782C7CEE15827A6AF5A405
+
+aws iam create-open-id-connect-provider --url https://testing.hub.cryptomator.org/kc/realms/cipherduck --client-id-list cryptomator cryptomatorhub  --thumbprint-list A053375BFE84E8B748782C7CEE15827A6AF5A405
 {
-    "OpenIDConnectProviderArn": "arn:aws:iam::930717317329:oidc-provider/login1.staging.cryptomator.cloud/realms/cipherduck"
+    "OpenIDConnectProviderArn": "arn:aws:iam::930717317329:oidc-provider/testing.hub.cryptomator.org/kc/realms/cipherduck"
 }
 
 aws iam list-open-id-connect-providers
 
-aws iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::930717317329:oidc-provider/login1.staging.cryptomator.cloud/realms/cipherduck"
+aws iam get-open-id-connect-provider --open-id-connect-provider-arn arn:aws:iam::930717317329:oidc-provider/testing.hub.cryptomator.org/kc/realms/cipherduck
 {
-    "Url": "login1.staging.cryptomator.cloud/realms/cipherduck",
+    "Url": "testing.hub.cryptomator.org/kc/realms/cipherduck",
     "ClientIDList": [
+        "cryptomatorhub",
         "cryptomator"
     ],
     "ThumbprintList": [
-        "933c6ddee95c9c41a40f9f50493d82be03ad87bf"
+        "a053375bfe84e8b748782c7cee15827a6af5a405"
     ],
-    "CreateDate": "2023-06-21T12:13:03.042000+00:00",
+    "CreateDate": "2023-11-13T13:51:32.729000+00:00",
     "Tags": []
 }
 ```
@@ -179,7 +182,7 @@ aws iam get-role-policy --role-name cipherduck-createbucket --policy-name cipher
 ```
 
 ```shell
-TOKEN=`curl -v -X POST https://login1.staging.cryptomator.cloud/realms/cipherduck/protocol/openid-connect/token \                                                 
+TOKEN=`curl -v -X POST https://testing.hub.cryptomator.org/kc/realms/cipherduck/protocol/openid-connect/token \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "client_id=cryptomator" \
      -d "scope=openid" \
@@ -234,7 +237,6 @@ dropdown?
 
 #### (0a) bucket creation
 
-TODO https://github.com/chenkins/cipherduck-hub/issues/3 how to choose region in frontend?
 
 | Backend property             | Description                                                                                      |
 |------------------------------|--------------------------------------------------------------------------------------------------|

diff --git a/backend/config/application.properties b/backend/config/application.properties
@@ -51,7 +51,8 @@ backends.backends[1].name=AWS S3 STS
 #  bucket creation:
 backends.backends[1].bucket-prefix=cipherduck
 backends.backends[1].sts-role-arn=arn:aws:iam::930717317329:role/cipherduck-createbucket
-backends.backends[1].region=eu-central-2
+backends.backends[1].region=eu-west-1
+backends.backends[1].regions=eu-west-1,eu-west-2,eu-west-3
 #
 # (1) protocol
 # (1a) protocol hub-independent:

diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageResource.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageResource.java
@@ -54,11 +54,10 @@ public class StorageResource {
 	@APIResponse(responseCode = "400", description = "Could not create bucket")
 	public Response createBucket(@PathParam("vaultId") UUID vaultId, StorageDto dto) {
 
-		// TODO https://github.com/chenkins/cipherduck-hub/issues/41 prevent overwriting?
-
 		final Map<String, StorageConfig> storageConfigs = backendsConfig.backends().stream().collect(Collectors.toMap(StorageConfig::id, Function.identity()));
 		final StorageConfig storageConfig = storageConfigs.get(dto.storageConfigId());
 
+		// N.B. if the bucket already exists, this will fail, so we do not prevent calling this method several times.
 		makeS3Bucket(storageConfig, dto);
 
 		keycloakPrepareVault(syncerConfig, vaultId.toString(), storageConfig, jwt.getSubject(), cipherduckConfig.keycloakClientIdCryptomatorVaults());

diff --git a/backend/src/main/java/org/cryptomator/hub/cipherduck/KeycloakGrantAccessToVault.java b/backend/src/main/java/org/cryptomator/hub/cipherduck/KeycloakGrantAccessToVault.java
@@ -29,7 +29,7 @@ public class KeycloakGrantAccessToVault {
 	public static void keycloakPrepareVault(final SyncerConfig syncerConfig, final String vaultId, final StorageConfig storageConfig, final String userOrGroupId, final String clientId) {
 
 		// N.B. quarkus has no means to provide empty string as value, interpreted as no value, see https://github.com/quarkusio/quarkus/issues/2765
-		// TODO better solution than using sentinel string "empty"?
+		// TODO review better solution than using sentinel string "empty"?
 		if ("empty".equals(syncerConfig.getKeycloakUrl())) {
 			LOG.error(String.format("Could not grant access to vault %s for user %s as keycloak URL is not defined.", vaultId, userOrGroupId));
 			return;
@@ -94,7 +94,7 @@ public static void keycloakPrepareVault(final SyncerConfig syncerConfig, final S
 
 	public static void keycloakGrantAccessToVault(final SyncerConfig syncerConfig, final String vaultId, final String userOrGroupId, final String clientId) {
 		// N.B. quarkus has no means to provide empty string as value, interpreted as no value, see https://github.com/quarkusio/quarkus/issues/2765
-		// TODO better solution than using sentinel string "empty"?
+		// TODO review better solution than using sentinel string "empty"?
 		if ("empty".equals(syncerConfig.getKeycloakUrl())) {
 			LOG.error(String.format("Could not grant access to vault %s for user %s as keycloak URL is not defined.", vaultId, userOrGroupId));
 			return;
@@ -162,7 +162,7 @@ public static void keycloakGrantAccessToVault(final SyncerConfig syncerConfig, f
 
 	public static void keycloakRemoveAccessToVault(final SyncerConfig syncerConfig, final String vaultId, final String userOrGroupId, final String clientId) {
 		// N.B. quarkus has no means to provide empty string as value, interpreted as no value, see https://github.com/quarkusio/quarkus/issues/2765
-		// TODO better solution than using sentinel string "empty"?
+		// TODO review better solution than using sentinel string "empty"?
 		if ("empty".equals(syncerConfig.getKeycloakUrl())) {
 			LOG.error(String.format("Could not grant access to vault %s for user %s as keycloak URL is not defined.", vaultId, userOrGroupId));
 			return;

diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
@@ -17,15 +17,18 @@ hub.public-root-path=${quarkus.http.root-path}
 
 hub.keycloak.public-url=http://localhost:8180
 hub.keycloak.local-url=http://localhost:8180
-# TODO find better solution for workaround, see KeycloakGrantAccessToVault:keycloakGrantAccessToVault
+
+# TODO review better solution than using sentinel string "empty"?, see KeycloakGrantAccessToVault:keycloakGrantAccessToVault
 %test.hub.keycloak.local-url=empty
+
+# TODO https://github.com/chenkins/cipherduck-hub/issues/41 extract staging and testing properties into separate file, include via shell sourcing, https://quarkus.io/guides/config-reference#configuration-sources
 %cipherduck-staging.hub.keycloak.public-url=https://login1.staging.cryptomator.cloud
 %cipherduck-staging.hub.keycloak.local-url=https://login1.staging.cryptomator.cloud
+%cipherduck-staging.quarkus.oidc.auth-server-url=https://login1.staging.cryptomator.cloud/realms/cipherduck
 %cipherduck-testing.hub.keycloak.public-url=https://testing.hub.cryptomator.org/kc
 %cipherduck-testing.hub.keycloak.local-url=https://testing.hub.cryptomator.org/kc
-
-%cipherduck-staging.quarkus.oidc.auth-server-url=https://login1.staging.cryptomator.cloud/realms/cipherduck
 %cipherduck-testing.quarkus.oidc.auth-server-url=https://testing.hub.cryptomator.org/kc/realms/cipherduck
+
 hub.keycloak.realm=cryptomator
 %cipherduck-staging.hub.keycloak.realm=cipherduck
 %cipherduck-testing.hub.keycloak.realm=cipherduck
@@ -41,8 +44,6 @@ quarkus.http.access-log.enabled=true
 
 quarkus.oidc.application-type=service
 quarkus.oidc.client-id=cryptomatorhub
-%cipherduck-staging.quarkus.oidc.client-id=cryptomator
-%cipherduck-testing.quarkus.oidc.client-id=cryptomator
 hub.keycloak.oidc.cryptomator-client-id=cryptomator
 hub.keycloak.oidc.cryptomator-vaults-client-id=cryptomatorvaults
 

diff --git a/frontend/src/components/CreateVaultS3.vue b/frontend/src/components/CreateVaultS3.vue
@@ -557,7 +557,12 @@ async function createVault() {
     state.value = State.Finished;
   } catch (error) {
     console.error('Creating vault failed.', error);
-    onCreateError.value = error instanceof Error ? error : new Error('Unknown reason');
+    if(typeof(error) === 'string'){
+        onCreateError.value = new Error(error);
+    }
+    else {
+        onCreateError.value = error instanceof Error ? error : new Error('Unknown reason');
+    }
   } finally {
     processing.value = false;
   }