Add vault metadata WiP (#19).

backend/setup/aws_sts/createbucketpermissionpolicy.json

@@ -21,7 +21,7 @@
         "s3:PutObject"
       ],
       "Resource": [
-        "arn:aws:s3:::cipherduck*/vault.cryptomator",
+        "arn:aws:s3:::cipherduck*/vault.uvf",
         "arn:aws:s3:::cipherduck*/*/"
       ]
     }

backend/setup/minio_sts/createbucketpolicy.json

@@ -20,7 +20,7 @@
       ],
       "Resource": [
         "arn:aws:s3:::cipherduck*/*/",
-        "arn:aws:s3:::cipherduck*/vault.cryptomator"
+        "arn:aws:s3:::cipherduck*/vault.uvf"
       ]
     }
   ]

backend/src/main/java/org/cryptomator/hub/api/VaultResource.java

@@ -452,6 +452,10 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		vault.description = vaultDto.description;
 		vault.archived = existingVault.isEmpty() ? false : vaultDto.archived;
 
+		// / start cipherduck extension
+		vault.metadata = vaultDto.metadata;
+		// \ end cipherduck extension
+
 		vault.persistAndFlush(); // trigger PersistenceException before we continue with
 		if (existingVault.isEmpty()) {
 			var access = new VaultAccess();
@@ -536,10 +540,17 @@ public record VaultDto(@JsonProperty("id") UUID id,
 						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations,
 						   @JsonProperty("salt") @OnlyBase64Chars String salt,
 						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey
+						   // / start cipherduck extension
+							,@JsonProperty("metadata") @NotNull String metadata
+						   // \ end cipherduck extension
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.id, entity.name, entity.description, entity.archived, entity.creationTime.truncatedTo(ChronoUnit.MILLIS), entity.masterkey, entity.iterations, entity.salt, entity.authenticationPublicKey, entity.authenticationPrivateKey);
+			return new VaultDto(entity.id, entity.name, entity.description, entity.archived, entity.creationTime.truncatedTo(ChronoUnit.MILLIS), entity.masterkey, entity.iterations, entity.salt, entity.authenticationPublicKey, entity.authenticationPrivateKey
+					// / start cipherduck extension
+					, entity.metadata
+					// \ end cipherduck extension
+					);
 		}
 
 	}

backend/src/main/java/org/cryptomator/hub/api/cipherduck/CreateS3STSBucketDto.java

@@ -0,0 +1,27 @@
+package org.cryptomator.hub.api.cipherduck;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.UUID;
+
+public record CreateS3STSBucketDto(
+		@JsonProperty("vaultId")
+		String vaultId,
+		@JsonProperty("storageConfigId")
+		UUID storageConfigId,
+		@JsonProperty("vaultUvf")
+		String vaultUvf,
+		@JsonProperty("rootDirHash")
+		String rootDirHash,
+		@JsonProperty("awsAccessKey")
+		String awsAccessKey,
+		@JsonProperty("awsSecretKey")
+		String awsSecretKey,
+		@JsonProperty("sessionToken")
+		String sessionToken,
+		@JsonProperty("region")
+		String region
+) {
+
+}
+

backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageDto.java

@@ -9,7 +9,7 @@ public record StorageDto(
 		String vaultId,
 		@JsonProperty("storageConfigId")
 		UUID storageConfigId,
-		@JsonProperty("vaultConfigToken")
+		@JsonProperty("vaultUvf")
 		String vaultConfigToken,
 		@JsonProperty("rootDirHash")
 		String rootDirHash,

backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileResource.java

@@ -27,7 +27,6 @@
 import java.util.List;
 import java.util.UUID;
 import java.util.stream.Collectors;
-import java.util.stream.Stream;
 
 @Path("/storageprofile")
 public class StorageProfileResource {
@@ -137,7 +136,7 @@ public Response archive(@PathParam("profileId") UUID profileId, @FormParam("arch
 	@Transactional
 	@Operation(summary = "get configs for storage backends", description = "get list of configs for storage backends")
 	@APIResponse(responseCode = "200", description = "uploaded storage configuration")
-	public VaultJWEPayloadDto getVaultJWEBackendDto(final StorageProfileDto.Protocol protocol) {
+	public VaultMasterkeyJWEDto getVaultJWEBackendDto(final StorageProfileDto.Protocol protocol) {
 		// N.B. temporary workaround to have VaultJWEBackendDto exposed in openapi.json for now....
 		return null;
 	}

backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3Dto.java

@@ -35,7 +35,7 @@ public enum S3_STORAGE_CLASSES {
 	@Schema(description = "Whether to use path style for S3 endpoint for template upload/bucket creation.", example = "false", defaultValue = "false")
 	Boolean withPathStyleAccessEnabled = false;
 
-	@JsonProperty(value = "storageClass")
+	@JsonProperty(value = "storageClass", defaultValue = "STANDARD")
 	@Schema(description = "Storage class for upload. Defaults to STANDARD", example = "STANDARD", required = true)
 	S3_STORAGE_CLASSES storageClass = S3_STORAGE_CLASSES.STANDARD;
 

backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageProfileS3STSDto.java

@@ -34,11 +34,11 @@ public enum S3_SERVERSIDE_ENCRYPTION {
 	String stsRoleArnClient;
 
 	@JsonProperty(value = "stsRoleArnHub", required = true)
-	@Schema(description = "STS role for frontend to assume to create buckets (used with inline policy and passed to hub backend). Will be the same as stsRoleArnClient for AWS, different for MinIO.", example = "arn:aws:iam::<ACCOUNT ID>:role/cipherduck-createbucket")
+	@Schema(description = "STS role for frontend to assume to create buckets (used with inline policy and passed to hub storage). Will be the same as stsRoleArnClient for AWS, different for MinIO.", example = "arn:aws:iam::<ACCOUNT ID>:role/cipherduck-createbucket")
 	String stsRoleArnHub;
 
 	@JsonProperty("stsEndpoint")
-	@Schema(description = "STS endpoint to use for AssumeRoleWithWebIdentity and AssumeRole for getting a temporary access token passed to the backend. Defaults to AWS SDK default.", nullable = true)
+	@Schema(description = "STS endpoint to use for AssumeRoleWithWebIdentity and AssumeRole for getting a temporary access token passed to the storage. Defaults to AWS SDK default.", nullable = true)
 	String stsEndpoint;
 
 	@JsonProperty(value = "bucketVersioning", defaultValue = "true", required = true)

backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageResource.java

@@ -55,7 +55,7 @@ public class StorageResource {
 	@APIResponse(responseCode = "400", description = "Could not create bucket")
 	@APIResponse(responseCode = "409", description = "Vault with this ID or bucket with this name already exists")
 	@APIResponse(responseCode = "410", description = "Storage profile is archived")
-	public Response createBucket(@PathParam("vaultId") UUID vaultId, final StorageDto storage) {
+	public Response createBucket(@PathParam("vaultId") UUID vaultId, final CreateS3STSBucketDto storage) {
 		Optional<Vault> vault = Vault.<Vault>findByIdOptional(vaultId);
 		if (vault.isPresent()) {
 			throw new ClientErrorException(String.format("Vault with ID %s already exists", vaultId), Response.Status.CONFLICT);

backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackendDto.java

@@ -5,7 +5,7 @@
 /**
  * Part of vault JWE specifying the vault bookmark.
  * Allows to create a bookmark in the client referencing the vendor in the storage profiles.
- * This Java record is unused in hub, only its ts counterpart in `backend.ts`.
+ * This Java record is unused in hub, only its ts counterpart in `storage.ts`.
  * It will used in Cipherduck client in the OpenAPI generator.
  */
 public record VaultJWEBackendDto(

backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEPayloadDto.java

@@ -8,7 +8,7 @@ public record VaultJWEPayloadDto(
 		// masterkey
 		String key,
 
-		@JsonProperty(value = "backend", required = true)
+		@JsonProperty(value = "storage", required = true)
 		VaultJWEBackendDto backend,
 
 		@JsonProperty(value = "automaticAccessGrant", required = true)

backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMasterkeyJWEDto.java

@@ -0,0 +1,10 @@
+package org.cryptomator.hub.api.cipherduck;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public record VaultMasterkeyJWEDto(
+		@JsonProperty(value = "key", required = true)
+		// masterkey
+		String key
+) {
+}

backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEAutomaticAccessGrantDto.java

@@ -0,0 +1,12 @@
+package org.cryptomator.hub.api.cipherduck;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public record VaultMetadataJWEAutomaticAccessGrantDto(
+		@JsonProperty(value = "enabled", defaultValue = "true")
+		boolean enabled,
+
+		// where -1 means "grant to anyone", where 0, 1, 2 would be the number of edges between any vault owner and the grantee. Exact algorithm tbd
+		@JsonProperty(value = "maxWotDepth", defaultValue = "-1")
+		int maxWotDepth) {
+}

backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEDto.java

@@ -0,0 +1,31 @@
+package org.cryptomator.hub.api.cipherduck;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.Map;
+
+public record VaultMetadataJWEDto(
+		@JsonProperty(value = "fileFormat", required = true)
+		String fileFormat,
+		@JsonProperty(value = "nameFormat", required = true)
+		String nameFormat,
+
+		@JsonProperty(value = "keys", required = true)
+		Map<String, String> keys,
+
+		@JsonProperty(value = "latestFileKey", required = true)
+		String latestFileKey,
+
+		@JsonProperty(value = "nameKey", required = true)
+		String nameKey,
+
+		@JsonProperty(value = "kdf", required = true)
+		String kdf,
+
+		@JsonProperty(value = "com.cipherduck.storage", required = true)
+		VaultMetadataJWEStorageDto storage,
+
+		@JsonProperty(value = "org.cryptomator.automaticAccessGrant", required = true)
+		VaultMetadataJWEAutomaticAccessGrantDto automaticAccessGrant
+) {
+}

backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultMetadataJWEStorageDto.java

@@ -0,0 +1,29 @@
+package org.cryptomator.hub.api.cipherduck;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Part of vault JWE specifying the vault metadata.
+ * Allows to create a bookmark in the client referencing the vendor in the storage profiles.
+ * This Java record is unused in hub, only its ts counterpart in `storage.ts`.
+ * Cipherduck client uses code generated by the OpenAPI generator.
+ */
+public record VaultMetadataJWEStorageDto(
+		@JsonProperty(value = "provider", required = true)
+		// references id in StorageProfileDto (aka. vendor in client profile)
+		String provider,
+		@JsonProperty(value = "defaultPath", required = true)
+		String defaultPath,
+		@JsonProperty(value = "nickname", required = true)
+		String nickname,
+		@JsonProperty(value = "region", required = true)
+		String region,
+
+		@JsonProperty(value = "username")
+		// for non-STS
+		String username,
+		@JsonProperty(value = "password")
+		// for non-STS
+		String password
+) {
+}

backend/src/main/java/org/cryptomator/hub/entities/Vault.java

@@ -104,6 +104,11 @@ public class Vault extends PanacheEntityBase {
 	@Column(name = "archived", nullable = false)
 	public boolean archived;
 
+	// / start cipherduck extension
+	@Column(name = "metadata", nullable = false)
+	public String metadata;
+	// \ end cipherduck extension
+
 	public Optional<ECPublicKey> getAuthenticationPublicKey() {
 		if (authenticationPublicKey == null) {
 			return Optional.empty();

backend/src/main/java/org/cryptomator/hub/entities/cipherduck/StorageProfileS3STS.java

@@ -1,15 +1,11 @@
 package org.cryptomator.hub.entities.cipherduck;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.persistence.Column;
 import jakarta.persistence.DiscriminatorValue;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Table;
-import org.cryptomator.hub.api.cipherduck.StorageProfileS3STSDto;
-import org.eclipse.microprofile.openapi.annotations.media.Schema;
 
 import java.util.List;
-import java.util.UUID;
 
 @Entity
 @Table(name = "storage_profile_s3_sts")

backend/src/main/resources/org/cryptomator/hub/flyway/B14__Hub_1.3.0.sql

@@ -73,6 +73,9 @@ CREATE TABLE "vault"
 	"masterkey"     VARCHAR(255), -- deprecated ("vault admin password")
 	"auth_pubkey"   VARCHAR,      -- deprecated ("vault admin password")
 	"auth_prvkey"   VARCHAR,      -- deprecated ("vault admin password")
+	-- / start cipherduck extension
+	"metadata"      VARCHAR NOT NULL UNIQUE, -- encrypted using vault masterkey (JWE ECDH-ES)
+	-- \ end cipherduck extension
 	CONSTRAINT "VAULT_PK" PRIMARY KEY ("id")
 );