From 952cfac21ba8eb535b1bdf1206537d994e26bd2f Mon Sep 17 00:00:00 2001 From: chenkins Date: Wed, 28 Feb 2024 16:57:34 +0100 Subject: [PATCH] Add vault metadata WiP (#19). --- .../aws_sts/createbucketpermissionpolicy.json | 2 +- .../setup/minio_sts/createbucketpolicy.json | 2 +- .../api/cipherduck/CreateS3STSBucketDto.java | 27 ++++++++++++++++ .../hub/api/cipherduck/StorageDto.java | 2 +- .../cipherduck/StorageProfileResource.java | 3 +- .../api/cipherduck/StorageProfileS3Dto.java | 2 +- .../cipherduck/StorageProfileS3STSDto.java | 4 +-- .../hub/api/cipherduck/StorageResource.java | 2 +- .../api/cipherduck/VaultJWEBackendDto.java | 2 +- .../api/cipherduck/VaultJWEPayloadDto.java | 2 +- .../api/cipherduck/VaultMasterkeyJWEDto.java | 10 ++++++ ...ultMetadataJWEAutomaticAccessGrantDto.java | 12 +++++++ .../api/cipherduck/VaultMetadataJWEDto.java | 31 +++++++++++++++++++ .../VaultMetadataJWEStorageDto.java | 29 +++++++++++++++++ .../cipherduck/StorageProfileS3STS.java | 4 --- .../cryptomator/hub/flyway/B14__Hub_1.3.0.sql | 3 ++ 16 files changed, 122 insertions(+), 15 deletions(-) create mode 100644 backend/src/main/java/org/cryptomator/hub/api/cipherduck/CreateS3STSBucketDto.java create mode 100644 backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMasterkeyJWEDto.java create mode 100644 backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEAutomaticAccessGrantDto.java create mode 100644 backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEDto.java create mode 100644 backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEStorageDto.java diff --git a/backend/setup/aws_sts/createbucketpermissionpolicy.json b/backend/setup/aws_sts/createbucketpermissionpolicy.json index 801f70985..5cf6dc7ce 100644 --- a/backend/setup/aws_sts/createbucketpermissionpolicy.json +++ b/backend/setup/aws_sts/createbucketpermissionpolicy.json 
@@ -21,7 +21,7 @@ "s3:PutObject" ], "Resource": [ - "arn:aws:s3:::cipherduck*/vault.cryptomator", + "arn:aws:s3:::cipherduck*/vault.uvf", "arn:aws:s3:::cipherduck*/*/" ] } diff --git a/backend/setup/minio_sts/createbucketpolicy.json b/backend/setup/minio_sts/createbucketpolicy.json index 7a205f25d..352471fb9 100644 --- a/backend/setup/minio_sts/createbucketpolicy.json +++ b/backend/setup/minio_sts/createbucketpolicy.json @@ -20,7 +20,7 @@ ], "Resource": [ "arn:aws:s3:::cipherduck*/*/", - "arn:aws:s3:::cipherduck*/vault.cryptomator" + "arn:aws:s3:::cipherduck*/vault.uvf" ] } ] diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/CreateS3STSBucketDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/CreateS3STSBucketDto.java new file mode 100644 index 000000000..805f4d874 --- /dev/null +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/CreateS3STSBucketDto.java @@ -0,0 +1,27 @@ +package org.cryptomator.hub.api.cipherduck; + +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.UUID; + +public record CreateS3STSBucketDto( + @JsonProperty("vaultId") + String vaultId, + @JsonProperty("storageConfigId") + UUID storageConfigId, + @JsonProperty("vaultUvf") + String vaultUvf, + @JsonProperty("rootDirHash") + String rootDirHash, + @JsonProperty("awsAccessKey") + String awsAccessKey, + @JsonProperty("awsSecretKey") + String awsSecretKey, + @JsonProperty("sessionToken") + String sessionToken, + @JsonProperty("region") + String region +) { + +} + diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageDto.java index 513728afa..f371d0158 100644 --- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageDto.java +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageDto.java 
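Review bot: Dropping the `arn:aws:s3:::cipherduck*/vault.cryptomator` resource from the `s3:PutObject` statement removes the permission to write the vault file for any bucket that was created under the previous file name, and the MinIO policy hunk in this same patch makes the identical change. If vaults in the old layout are expected to keep working, keep both ARNs until they are migrated, i.e. `"arn:aws:s3:::cipherduck*/vault.cryptomator",` followed by `"arn:aws:s3:::cipherduck*/vault.uvf",`. Whether any deployment already holds such buckets cannot be judged from this diff, so on a work-in-progress branch this may be moot, but it should be a deliberate decision rather than a side effect of the rename.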
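Review bot: `awsSecretKey` and `sessionToken` are record components, so the generated `toString()` prints them in full, and any log statement, exception message or debug dump that includes the request object will leak the STS credentials. Override `toString()` to redact those components, and mark the ones the backend cannot work without as `required = true` so a missing secret fails at deserialization instead of surfacing as a `null` deep inside the S3 client; none of the eight properties is currently required. A one-sentence Javadoc stating that this is the request body for bucket creation and that the three AWS fields are short-lived STS credentials obtained by the frontend would also help, since nothing in the record says what `vaultUvf` or `rootDirHash` carry.
```java
public record CreateS3STSBucketDto(
        // … unchanged: components …
) {
    /** Redacts the STS credentials so the request object is safe to log. */
    @Override
    public String toString() {
        return "CreateS3STSBucketDto[vaultId=" + vaultId
                + ", storageConfigId=" + storageConfigId
                + ", region=" + region
                + ", awsAccessKey=" + awsAccessKey
                + ", awsSecretKey=<redacted>, sessionToken=<redacted>]";
    }
}
```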
@@ -9,7 +9,7 @@ public record StorageDto( String vaultId, @JsonProperty("storageConfigId") UUID storageConfigId, - @JsonProperty("vaultConfigToken") + @JsonProperty("vaultUvf") String vaultConfigToken, @JsonProperty("rootDirHash") String rootDirHash, diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileResource.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileResource.java index 5e2338f27..3d0a415d9 100644 --- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileResource.java +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileResource.java @@ -27,7 +27,6 @@ import java.util.List; import java.util.UUID; import java.util.stream.Collectors; -import java.util.stream.Stream; @Path("/storageprofile") public class StorageProfileResource { @@ -137,7 +136,7 @@ public Response archive(@PathParam("profileId") UUID profileId, @FormParam("arch @Transactional @Operation(summary = "get configs for storage backends", description = "get list of configs for storage backends") @APIResponse(responseCode = "200", description = "uploaded storage configuration") - public VaultJWEPayloadDto getVaultJWEBackendDto(final StorageProfileDto.Protocol protocol) { + public VaultMasterkeyJWEDto getVaultJWEBackendDto(final StorageProfileDto.Protocol protocol) { // N.B. temporary workaround to have VaultJWEBackendDto exposed in openapi.json for now.... return null; } diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3Dto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3Dto.java index ebb25add1..cf470076f 100644 --- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3Dto.java +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3Dto.java 
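Review bot: The JSON property is renamed to `vaultUvf` while the Java component keeps its old name `vaultConfigToken`, so the wire format and the code now describe the same field under two names and the OpenAPI model generated from this record will carry one while the accessor carries the other. Rename the component together with the property, `@JsonProperty("vaultUvf") String vaultUvf,`, and update its callers. Since `createBucket` in this same patch switches its body type to `CreateS3STSBucketDto`, it is also worth checking whether `StorageDto` still has any caller at all; the record's definition starts and ends outside this hunk.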
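Review bot: `getVaultJWEBackendDto` is documented as returning "uploaded storage configuration" and "a list of configs for storage backends" but unconditionally returns `null`, and with the return type now `VaultMasterkeyJWEDto` the annotations are wrong on both counts. If the method stays as an OpenAPI-only placeholder, make the annotations say so, e.g. `@Operation(summary = "placeholder, always returns null", description = "Exists only so VaultMasterkeyJWEDto is emitted into openapi.json; not for client use")`, and drop `@Transactional`, which opens a database transaction for a method that touches nothing. Whether the method is reachable over HTTP depends on a `@GET`/`@Path` annotation that, if present, sits above this hunk.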
@@ -35,7 +35,7 @@ public enum S3_STORAGE_CLASSES { @Schema(description = "Whether to use path style for S3 endpoint for template upload/bucket creation.", example = "false", defaultValue = "false") Boolean withPathStyleAccessEnabled = false; - @JsonProperty(value = "storageClass") + @JsonProperty(value = "storageClass", defaultValue = "STANDARD") @Schema(description = "Storage class for upload. Defaults to STANDARD", example = "STANDARD", required = true) S3_STORAGE_CLASSES storageClass = S3_STORAGE_CLASSES.STANDARD; diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3STSDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3STSDto.java index dd0b88ed1..3aa390cb6 100644 --- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3STSDto.java +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3STSDto.java 
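Review bot: `defaultValue = "STANDARD"` on `@JsonProperty` is descriptive metadata that Jackson databind does not apply during deserialization, so this change does not alter what a request yields: a missing `storageClass` keeps the field initializer, but an explicit `"storageClass": null` still nulls the field. If the field must never be null, add `@JsonSetter(nulls = Nulls.SKIP)` next to the property annotation (both from `com.fasterxml.jackson.annotation`, already imported for `@JsonProperty`), and reconcile the `@Schema`, which currently says both `required = true` and "Defaults to STANDARD"; a property with a default should not be required. The enclosing class begins before this hunk.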
@@ -34,11 +34,11 @@ public enum S3_SERVERSIDE_ENCRYPTION { String stsRoleArnClient; @JsonProperty(value = "stsRoleArnHub", required = true) - @Schema(description = "STS role for frontend to assume to create buckets (used with inline policy and passed to hub backend). Will be the same as stsRoleArnClient for AWS, different for MinIO.", example = "arn:aws:iam:::role/cipherduck-createbucket") + @Schema(description = "STS role for frontend to assume to create buckets (used with inline policy and passed to hub storage). Will be the same as stsRoleArnClient for AWS, different for MinIO.", example = "arn:aws:iam:::role/cipherduck-createbucket") String stsRoleArnHub; @JsonProperty("stsEndpoint") - @Schema(description = "STS endpoint to use for AssumeRoleWithWebIdentity and AssumeRole for getting a temporary access token passed to the backend. Defaults to AWS SDK default.", nullable = true) + @Schema(description = "STS endpoint to use for AssumeRoleWithWebIdentity and AssumeRole for getting a temporary access token passed to the storage. Defaults to AWS SDK default.", nullable = true) String stsEndpoint; @JsonProperty(value = "bucketVersioning", defaultValue = "true", required = true) diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageResource.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageResource.java index f609bfab2..0d041a903 100644 --- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageResource.java +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageResource.java 
@@ -55,7 +55,7 @@ public class StorageResource { @APIResponse(responseCode = "400", description = "Could not create bucket") @APIResponse(responseCode = "409", description = "Vault with this ID or bucket with this name already exists") @APIResponse(responseCode = "410", description = "Storage profile is archived") - public Response createBucket(@PathParam("vaultId") UUID vaultId, final StorageDto storage) { + public Response createBucket(@PathParam("vaultId") UUID vaultId, final CreateS3STSBucketDto storage) { Optional vault = Vault.findByIdOptional(vaultId); if (vault.isPresent()) { throw new ClientErrorException(String.format("Vault with ID %s already exists", vaultId), Response.Status.CONFLICT); diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackendDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackendDto.java index ff391e263..f32fe6e47 100644 --- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackendDto.java +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackendDto.java @@ -5,7 +5,7 @@ /** * Part of vault JWE specifying the vault bookmark. * Allows to create a bookmark in the client referencing the vendor in the storage profiles. - * This Java record is unused in hub, only its ts counterpart in `backend.ts`. + * This Java record is unused in hub, only its ts counterpart in `storage.ts`. * It will used in Cipherduck client in the OpenAPI generator. */ public record VaultJWEBackendDto( diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEPayloadDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEPayloadDto.java index a3b7dcb85..f9427a5c0 100644 --- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEPayloadDto.java +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEPayloadDto.java 
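Review bot: The request now carries a second vault identifier, `CreateS3STSBucketDto.vaultId` (a `String`), next to the `UUID` path parameter, and the visible conflict check only consults the path value; if anything later in the method uses `storage.vaultId()`, a body naming a different vault would pass this check unnoticed. Either remove the body field or reject mismatches up front, e.g. `if (storage.vaultId() != null && !vaultId.toString().equals(storage.vaultId())) { throw new ClientErrorException("vaultId in path and body differ", Response.Status.BAD_REQUEST); }`. The `storage` object also carries live STS credentials (`awsSecretKey`, `sessionToken`), so it must never appear in log statements or exception messages. The method body continues past the end of this hunk.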
@@ -8,7 +8,7 @@ public record VaultJWEPayloadDto( // masterkey String key, - @JsonProperty(value = "backend", required = true) + @JsonProperty(value = "storage", required = true) VaultJWEBackendDto backend, @JsonProperty(value = "automaticAccessGrant", required = true) diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMasterkeyJWEDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMasterkeyJWEDto.java new file mode 100644 index 000000000..0d753381c --- /dev/null +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMasterkeyJWEDto.java @@ -0,0 +1,10 @@ +package org.cryptomator.hub.api.cipherduck; + +import com.fasterxml.jackson.annotation.JsonProperty; + +public record VaultMasterkeyJWEDto( + @JsonProperty(value = "key", required = true) + // masterkey + String key +) { +} diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEAutomaticAccessGrantDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEAutomaticAccessGrantDto.java new file mode 100644 index 000000000..74431db7a --- /dev/null +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEAutomaticAccessGrantDto.java @@ -0,0 +1,12 @@ +package org.cryptomator.hub.api.cipherduck; + +import com.fasterxml.jackson.annotation.JsonProperty; + +public record VaultMetadataJWEAutomaticAccessGrantDto( + @JsonProperty(value = "enabled", defaultValue = "true") + boolean enabled, + + // where -1 means "grant to anyone", where 0, 1, 2 would be the number of edges between any vault owner and the grantee. Exact algorithm tbd + @JsonProperty(value = "maxWotDepth", defaultValue = "-1") + int maxWotDepth) { +} diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEDto.java new file mode 100644 index 000000000..8ad10e40e --- /dev/null 
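Review bot: The property is renamed to `storage` on the wire while the component is still called `backend`, the same name drift as in `StorageDto`; rename the component to match, `@JsonProperty(value = "storage", required = true) VaultJWEBackendDto storage,`, so generated OpenAPI models and Java accessors agree. The record's definition starts before and ends after this hunk.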
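Review bot: `key` holds the vault masterkey once the JWE is decrypted, and as a record component it is part of the generated `toString()`, `equals()` and `hashCode()`, so a single debug log of the object exposes the key. Override `toString()` to return `"VaultMasterkeyJWEDto[key=<redacted>]"`, and add a Javadoc sentence stating that this is the decrypted payload of the vault masterkey JWE so the sensitivity is visible at the declaration rather than in a trailing `// masterkey` comment. Holding the key as an immutable `String` also means it cannot be zeroed after use, which is worth noting if that is part of the threat model.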
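Review bot: `defaultValue = "true"` and `defaultValue = "-1"` on `@JsonProperty` are not applied by Jackson, and both components are primitives, so a metadata object that omits `enabled` deserializes as `false` and one that omits `maxWotDepth` as `0`, which is not what the annotations promise. Because these two values decide whether and to whom access is granted automatically, the effective defaults must be explicit: mark both `required = true` (Jackson honors `required` for creator-bound properties, which record components are), or add a compact constructor that substitutes the intended values and document them there. The comment on `maxWotDepth` ends with "Exact algorithm tbd"; until it is fixed, a consumer should treat unexpected values as deny rather than as "grant to anyone".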
+++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEDto.java @@ -0,0 +1,31 @@ +package org.cryptomator.hub.api.cipherduck; + +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Map; + +public record VaultMetadataJWEDto( + @JsonProperty(value = "fileFormat", required = true) + String fileFormat, + @JsonProperty(value = "nameFormat", required = true) + String nameFormat, + + @JsonProperty(value = "keys", required = true) + Map keys, + + @JsonProperty(value = "latestFileKey", required = true) + String latestFileKey, + + @JsonProperty(value = "nameKey", required = true) + String nameKey, + + @JsonProperty(value = "kdf", required = true) + String kdf, + + @JsonProperty(value = "com.cipherduck.storage", required = true) + VaultMetadataJWEStorageDto storage, + + @JsonProperty(value = "org.cryptomator.automaticAccessGrant", required = true) + VaultMetadataJWEAutomaticAccessGrantDto automaticAccessGrant +) { +} \ No newline at end of file diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEStorageDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEStorageDto.java new file mode 100644 index 000000000..a270aa58f --- /dev/null +++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEStorageDto.java 
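Review bot: `Map keys` is a raw type; give it element types (`Map<String, String> keys` if the values are encoded keys, which this file does not show), otherwise every consumer receives `Object` and an unchecked cast. The record carries raw key material (`keys`, `latestFileKey`, `nameKey`), so its generated `toString()` must not reach a log; override it to redact those components. `fileFormat`, `nameFormat` and `kdf` are unconstrained strings that select cryptographic algorithms, so whatever consumes this metadata should compare them against an allow-list of supported identifiers and reject anything else rather than fall back to a default. A short Javadoc saying this is the decrypted payload of the vault metadata JWE (the record has none) would complete the picture.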
@@ -0,0 +1,29 @@ +package org.cryptomator.hub.api.cipherduck; + +import com.fasterxml.jackson.annotation.JsonProperty; + +/** + * Part of vault JWE specifying the vault metadata. + * Allows to create a bookmark in the client referencing the vendor in the storage profiles. + * This Java record is unused in hub, only its ts counterpart in `storage.ts`. + * Cipherduck client uses code generated by the OpenAPI generator. + */ +public record VaultMetadataJWEStorageDto( + @JsonProperty(value = "provider", required = true) + // references id in StorageProfileDto (aka. vendor in client profile) + String provider, + @JsonProperty(value = "defaultPath", required = true) + String defaultPath, + @JsonProperty(value = "nickname", required = true) + String nickname, + @JsonProperty(value = "region", required = true) + String region, + + @JsonProperty(value = "username") + // for non-STS + String username, + @JsonProperty(value = "password") + // for non-STS + String password +) { +} \ No newline at end of file diff --git a/backend/src/main/java/org/cryptomator/hub/entities/cipherduck/StorageProfileS3STS.java b/backend/src/main/java/org/cryptomator/hub/entities/cipherduck/StorageProfileS3STS.java index c098fbc65..05823d3ec 100644 --- a/backend/src/main/java/org/cryptomator/hub/entities/cipherduck/StorageProfileS3STS.java +++ b/backend/src/main/java/org/cryptomator/hub/entities/cipherduck/StorageProfileS3STS.java @@ -1,15 +1,11 @@ package org.cryptomator.hub.entities.cipherduck; -import com.fasterxml.jackson.annotation.JsonProperty; import jakarta.persistence.Column; import jakarta.persistence.DiscriminatorValue; import jakarta.persistence.Entity; import jakarta.persistence.Table; -import org.cryptomator.hub.api.cipherduck.StorageProfileS3STSDto; -import org.eclipse.microprofile.openapi.annotations.media.Schema; import java.util.List; -import java.util.UUID; @Entity @Table(name = "storage_profile_s3_sts") 
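Review bot: `password` is a record component, so the generated `toString()` prints the storage password, and the Javadoc contradicts the code: it says the record is unused in hub, yet `VaultMetadataJWEDto` in this same patch declares a `VaultMetadataJWEStorageDto storage` component, so hub at least compiles it into its metadata model. Override `toString()` to redact `password` (and arguably `username`), and reword the Javadoc to `Storage part of the decrypted vault metadata JWE; consumed by the Cipherduck client via generated OpenAPI code and referenced by hub's VaultMetadataJWEDto.` Any static credentials placed here are readable by every principal the metadata JWE is encrypted for; that is presumably intended for the non-STS case but deserves a sentence above `username` instead of the bare `// for non-STS`.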
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/B14__Hub_1.3.0.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/B14__Hub_1.3.0.sql
index 3fed56430..44b454b74 100644
--- a/backend/src/main/resources/org/cryptomator/hub/flyway/B14__Hub_1.3.0.sql
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/B14__Hub_1.3.0.sql
@@ -73,6 +73,9 @@ CREATE TABLE "vault"
 "masterkey" VARCHAR(255), -- deprecated ("vault admin password")
 "auth_pubkey" VARCHAR, -- deprecated ("vault admin password")
 "auth_prvkey" VARCHAR, -- deprecated ("vault admin password")
+ -- / start cipherduck extension
+ "metadata" VARCHAR NOT NULL UNIQUE, -- encrypted using vault masterkey (JWE ECDH-ES)
+ -- \ end cipherduck extension
 CONSTRAINT "VAULT_PK" PRIMARY KEY ("id")
 );
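Review bot: Adding a column to `B14__Hub_1.3.0.sql`, an existing versioned migration, changes its checksum, so Flyway validation will fail on every database that has already applied B14, and those databases will not get the column because `CREATE TABLE` is not re-run. Put the column in a new versioned migration instead, `ALTER TABLE "vault" ADD COLUMN "metadata" VARCHAR;`, and add `NOT NULL` only once existing rows have been backfilled. `UNIQUE` on an unbounded `VARCHAR` holding a JWE also creates a btree index over the whole blob, which on PostgreSQL fails for entries beyond roughly 2.7 kB (the database engine is not visible here), and since a JWE with a fresh ephemeral key is unique anyway the constraint buys nothing; drop it.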