Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

1 Vault = 1 S3Session aka. OAuth-Sharing #4

Closed
12 of 13 tasks
Tracked by #18
chenkins opened this issue Jul 5, 2023 · 3 comments
Closed
12 of 13 tasks
Tracked by #18

1 Vault = 1 S3Session aka. OAuth-Sharing #4

chenkins opened this issue Jul 5, 2023 · 3 comments
Assignees
@dkocher @chenkins
Labels
client Client (Mountain Duck) design decision hub cipherduck hub extension
Milestone
v1

Comments

@chenkins
Copy link
Collaborator

chenkins commented Jul 5, 2023
edited
Loading

Story

  • Persona: cipherduck user/buyer
  • Need: only one hub per organization.
  • Purpose: bring your own cloud(s)

Acceptance Criteria

  • open separate S3session in client for different vaults
  • oauth sharing: share oauth credentials through passwordstore among hub session and s3 sessions
  • get vault JWE in HubCryptoVault
  • no hard-coded auth endpoints - end-to-end from vault JWE
  • implement Scheduler to create/delete bookmarks and protocols continuously
  • trigger id token renewal when vaults are added
  • dummy fs for HubSession (no folder in cloudstorage should be created)
  • Deserialization of bookmarks with auth endpoints/scheme/clientId or in-memory upon sync?
  • hide hub bookmark / display as folder
  • UI: connect all/disconnect all etc.
  • connection status on hub folder
  • synchronize auth flow after token timeout
  • cleanup/review/documentation

Open Questions

Context

1 Vault = 1 S3Session = 1 S3-Role/Policy

Considered Alternatives:

  • Multiple hubs, shared keycloak.
  • Untight storage access policy (RW but no decryption).

Implementation
@chenkins chenkins added v1 client Client (Mountain Duck) hub cipherduck hub extension labels Jul 5, 2023
@chenkins chenkins mentioned this issue Jul 7, 2023
Closed
18 tasks
@chenkins chenkins changed the title 1 Vault = 1 S3Session = 1 S3-Role/Policy 1 Vault = 1 S3Session Jul 7, 2023
@chenkins chenkins mentioned this issue Jul 7, 2023
Open
6 tasks
@chenkins chenkins mentioned this issue Jul 10, 2023
Closed
9 tasks
@chenkins chenkins removed the v1 label Aug 24, 2023
@chenkins chenkins added this to the v1 milestone Aug 24, 2023
@chenkins chenkins self-assigned this Aug 31, 2023
@chenkins chenkins added the help wanted Extra attention is needed label Aug 31, 2023
@chenkins
Copy link
Collaborator Author

chenkins commented Aug 31, 2023
edited by dkocher
Loading

Discussion with @dkocher @ylangisc

Approaches

(1) 1 Hub = 1 Sync Root, 1 Vault = 1 S3 Session

  • 🟢 UI (1 "Drive" per hub, with expandable folders underneath in the Finder)
  • 🔴 unavailable backends block the sync queue; falsely claiming successful syncing might lead data loss/complex implementations to handle those cases

(2) 1 Sync Root = 1 storage endpoint

  • 🟢 in most cases, this will be only one.
  • 🔴 How can we be sure about this assumption? We only have limited market research in our focus on S3 (how multi-cloud is our architecture in the end? what would support for Azure, Google, WebDav.... mean)
  • ❓ what about S3 regions - they can have differing reachability? what about a bucket deleted on S3 but listed in hub - blocks everything.
  • 🔴 storage should be transparent to users, confusing (aka. ugly design), e.g. migrating from S3 cloud to S3 on premise or from S3 to Azure....

(3) 1 Vault = 1 Sync Root

  • (3a) only hub as bookmark

    • 🟢 get rid of disadvantages of the two above approaches
    • 🔴 UI does not reflect grouping per hub (neither in Finder nor Mountain Duck) and it is hard to detect sync roots for vaults for which access has been removed.

  • (3b) two-level bookmarks (hub bookmark and vault storage bookmarks; opening/reloading hub bookmark creates/removes storage bookmarks)

    • 🟢 get rid of disadvantages of the two above approaches
    • 🔴 implementation/complexity of two-level UI in Mountain Duck
    • 🟢 by default we can connect to all vault bookmarks, however, other approaches can be implemented later and made configurable (only list the bookmarks, but not connect)
    • 🟢 most current concepts (bookmarks, syncing roots) can be kept simple (apart from UI and Share OAuth between HubSession and S3Session (currently only injected initially) #11)

Current favourite is (3b).

chenkins added a commit that referenced this issue Sep 12, 2023
@chenkins
Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).
a93c39e
@chenkins
Copy link
Collaborator Author

chenkins commented Sep 13, 2023
edited
Loading

Depends on

This was referenced Sep 20, 2023
Open
Closed
@chenkins chenkins added design decision and removed help wanted Extra attention is needed labels Sep 22, 2023
@chenkins chenkins mentioned this issue Sep 28, 2023
Closed
3 tasks
@chenkins chenkins changed the title 1 Vault = 1 S3Session 1 Vault = 1 S3Session aka. OAuth-Sharing Oct 11, 2023
chenkins added a commit that referenced this issue Oct 25, 2023
@chenkins
Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).
28f186e
chenkins added a commit that referenced this issue Oct 30, 2023
@chenkins
Refactoring protocol serialization (#4).
adf1697
chenkins added a commit that referenced this issue Nov 7, 2023
@chenkins
Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).
b6eeba5
chenkins added a commit that referenced this issue Nov 7, 2023
@chenkins
Refactoring protocol serialization (#4).
9551dad
chenkins added a commit that referenced this issue Nov 15, 2023
@chenkins
Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).
f3a7b34
chenkins added a commit that referenced this issue Nov 15, 2023
@chenkins
Refactoring protocol serialization (#4).
b30ad88
chenkins added a commit that referenced this issue Dec 12, 2023
@chenkins
Refactoring (R3) storage profile service WiP (#4 #6).
9e89b1b
chenkins added a commit that referenced this issue Dec 14, 2023
@chenkins
Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).
e4ba876
chenkins added a commit that referenced this issue Dec 14, 2023
@chenkins
Refactoring protocol serialization (#4).
5c9e828
chenkins added a commit that referenced this issue Dec 16, 2023
@chenkins
Refactoring (R3) storage profile service WiP (#4 #6).
a91d711
chenkins added a commit that referenced this issue Dec 16, 2023
@chenkins
Refactoring (R3) storage profile service WiP (#4 #6).
8adc666
chenkins added a commit that referenced this issue Dec 20, 2023
@chenkins
Refactoring (R3) storage profile service persistence (#4 #6).
1be77d7
chenkins added a commit that referenced this issue Jan 10, 2024
@chenkins
Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).
076a0ab
chenkins added a commit that referenced this issue Jan 10, 2024
@chenkins
Refactoring protocol serialization (#4).
24affe5
chenkins added a commit that referenced this issue Jan 10, 2024
@chenkins
Refactoring (R3) storage profile service WiP (#4 #6).
217f5a8
chenkins added a commit that referenced this issue Jan 10, 2024
@chenkins
Refactoring (R3) storage profile service WiP (#4 #6).
1be0876
chenkins added a commit that referenced this issue Jan 10, 2024
@chenkins
Refactoring (R3) storage profile service persistence (#4 #6).
20a6262
@chenkins chenkins mentioned this issue Feb 8, 2024
Open
5 tasks
chenkins added a commit that referenced this issue Feb 19, 2024
@chenkins
Remove UUID from vault JWE (#4/#6).
b4b6125
chenkins added a commit that referenced this issue Mar 19, 2024
@chenkins
Fix formatting.
cb2327a 
Use AWS SDK compatible with Quarkus native images (#47).

Build docker image on every build as latest (#47).

Remove UUID from vault JWE (#4/#6).

Add storage class, bucket acceleration and bucket encryption options to storage profiles (#44).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging for storage profiles and bucket creation (#6/#3/17).

Decouple the client protocol identifier (s3-hub/s3-hub-sts) and the discriminator values (S3/S3STS) in the backend DB tables through openapi-generated client code (#6).

Fix linting (#6).

Hierarchical DB schema for storage profiles based on DiscriminatorColumn (#6).

Use discriminatorProperty openapi scheme annotations for use with openapi-generator's oneOf discriminator lookup (#6).

Use optional chaining to make linter happy again (TS18048) (#17/#3).

Formatting.

Improved error messages (#3/#17).

Slim storage profile for what can be fetched from /api/config (#6).

Fix openapi/markdown documentation for openapi-generator (#6).

Do not show region/GetBucketLocation in permanent case. Update openapi/markdown documentation for storage configurations (#6/#17).

Update openapi/markdown documentation for storage configurations (#6)

Pull up automatic access grant top-level in vault JWE along key and backend (#13).

Create bucket as first call in vault creation (#3).

Bufgix GET for individual storage profile allow all users (not only admins) (#17).

Show aws cli command for setting CORS (#17).

Improve validation message vault template upload frontend permanent (#17)

Implement GET for individual storage profile and DELETE WiP (#17)

Bugfix vault template upload frontend permanent (#17)

Bugfix vault template upload frontend permanent (#17).

Fix linting (#17).

Validate permanent credentials before uploading vault template (#17).

Bugfix vault template upload frontend permanent (#17)

Fix missing aud claim required for MinIO.

Update documentation uploading storage profiles with admin role (#6).

Fix base uri to open in Cipherduck desktop.

Enforce authentication for storage profile api.

Fix enable S3 Versioning upon bucket creation (#44).

Formatting.

Enable S3 Versioning upon bucket creation (#44).

Enable S3 Versioning upon bucket creation (#44).

Implement migration path automatic access grant with WoT (#13 / #43).

Document decision remove access to vault.

Rename KeycloakCryptomatorVaultsHelper.

Rename S3StorageHelper.

Fix linting.

Fix upload vault template to bucket heading.

Use *.cyberduckprofile for hub, s3-hub, s3-hub-sts.

Fix cipherduck start/end extension markers.

Refactoring (R3) storage profile service persistence (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Set container image group and name in application.properties instead of pom.xml (#47).

Update setup documentation(#47).

Set container image group and name (#47)

Re-enable docker image build and pushing to registry.

Remove cipherduckhubbookmark endpoint, add hub UUID to config endpoint to allow client-side hub-specific profile and bookmark generation (#6).

Use better name  VaultRequested instead of VaultR for Tag Key in assuming second role in chain for AWS (review dko).

Get full region list from AWS SDK instead of hard-coding (code review overheadhunter).

Extract global constant axiosUnAuth in backend.ts (code review overheadhunter).

Inline hubbookmark.duck in order to avoit poentital special handling when using GraalVM to build a native image.

Apply suggestions from code review

More idiomatic usage of Java stream API.

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/cipherduck/BackendsConfigResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Remove obsolete added into line in diff to upstream.

Comply with vue-tsc (Vue 3 Type-Checking).

Update README.md

Co-authored-by: Sebastian Stenzel <[email protected]>

Moving S3 policies away from src/main/resources.

Remove CreateVaultS3.vue in order to rebase changes in CreateVault.vue from upstream. Bugfix description displayed as false when vaults created in hub introduced through forking CreateVaultS3.vue from CreateVault.vue and then missing breaking API change.

By default, in dev-realm.json, map only realm roles into access token in cryptomator and cryptomator hub clients, but not client roles. Separate roles in MinIO: bucket creation (cryptomator and cryptomatorhub cliients) and bucket access (for cryptomatorvaults client)  (#10 #41)

Implement template upload for permanent shared credentials (#17).

Tentative implementation clean-up sync deleting dangling roles in cryptomatorvaults and corresonding client scopes (#41).

Extract profiles and simplify vault jwe (#28, #6).

Variable cleanup in CreateVaultS3.vue

Comply with pre-release API change in granting access to newly created vault (cryptomator/hub@1c2133d).

Post-rebase fix: remove manage-realm from syncer role in dev-realm.json (#41).

Move staging/testing properties into custom application.properties (#41).

Distinguish stsRoleArn for client and hub when creating bucket, update documentation (#12 #23).

Bugfix download template in CreateVaultS3.vue

User cipherduck profiles to simplify hub application.properties, add AWS permanent credentials to backend configurations application.properties (#28).

Get AWS-STS back to work again, update documentation (#10 #23).

Add developer flag for showing vaultId in VaultDetails and VaultList.

Add missing import  ArrowDownTrayIcon in CreateVaultS3.vue.

BackendsConfigDto instead of Any in backend.ts

Remove unnecessary manage-realm role for syncer (#41).

Automatic Access Grant Flag upon vault creation (#13).

Extract hard-coded cryptomatorvaults client to application.properties (#41).

Get hubId from backends config service (#10 #41).

Implement sharing vaults with groups and unsharing with users/groups; token-exchange into separate client (#10 #41).

Cleanup application.properties

Cleanup application.properties

Remove proxyman stuff again as not used.

Complete region list.

Remove obsolete dependencies in pom.xml.

Refactoring protocol serialization (#4).

Remove obsolete CipherduckBookmark.vue (#16).

Remove obsolete CipherduckBookmark.vue (#16). Localization DE (#31).

Mark cipherduck extensions in vues.

Shared long-living credentials: ask for bucket name and offer vault template download after vault creation (#17).

Shared long-living credentials (#17)

Use inline policy to restrict credentials passed to Hub backend (#3).

Allow for choosing region upon vault creation (#3).

Cleanup and documentation VaultJWEBackend (#23 #6).

Button "Open in Cipherduck" not necessary in vault details, as it is confusing (does not open single vault) and on top of the vault list is still visible (#16).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#15 #23 #6).

Bugfix backend/storage configuration not re-encoded upon granting access (#13).

Cleanup bucket prefix and documentation (#15 #23 #6).

Implement token-exchange to get scoped token for AWS with testing.hub.cryptomator.org (#41 #10 #23 #3).

Gitignore local backend/config/application.properties.

Updated top-level README.md for Cipherduck.

Show Vault ID in VaultDetails for debugging.

Implement token-exchange to get scoped token for MinIO (#41 #10 #23 #3).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).

Use StorageConfig service in frontend to get values (#3).

Add configuration for hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

 Add admin Documentation for setting up OIDC Provider at AWS/MinIO and testing vault creation (#23).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Add protocol field to StorageDto (#6).

Refactor StorageDto into record instead of POJO.

Update frontend/src/common/backend.ts

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/StorageResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Fix failing tests as Keycloak is not available at quarkus test time.

Comment out sonarcloud in github action.

Update issue templates (#33)

added "open bookmark" button in vault details (just in case), hid "download vault template" button

Use 'x-cipherduck-action' instead of 'io.mountainduck' for OAuth custom scheme handling (#28).

added "open bookmark" button in vault list

Add Hub Id as UUID in hub bookmark to prevent adding the same bookmark multiple times (#29).

renamed most obvious instances of Cryptomator Hub to Cipherduck

Bugfix missing description in openapi.json for vault storage shared long-living credentials API (#17).

cleaned up frontend

Implement cipherduck hub bookmark download from browser (#16).

Implement cipherduck hub bookmark download frontend page (#16).

Bugfix missing constructor for first version hub frontend vault storage shared long-living credentials (#17).

Implement first version hub frontend vault storage shared long-living credentials (#17).

Implement cipherduck hub bookmark endpoint (#16).

Use amr claim instead of aud claim for now (#10).

Use cryptomator client id in staging keycloak as well (#10). Use vault instead of vault user attribute (#10).

Remove admin role for syncer (#10).

Remove minio client id.

Switch /api/config/cipherduckprofile to local MinIO configuration to fix HubIntegration test in client project.

Update TODOs.

Bugfix empty attributes in keycloak.

Config cipherduck-staging (one role for all buckets).

Set directAccessGrantsEnabled to false.

Simplify concat

Add top-level .gitignore (ignoring top-level .idea folder).

Add /api/config/cipherduckprofile v0.

Remove obsolete dependencies to commons-io and qute.

Move GeneratePolicy back to duck again. Dev-realm with minio client_id.

Upload bucket policy (aws cli call in backend for now) upon vault creation and add vaultId to keycloak upon vault JWE upload. TODO: create bucket upon vault creation.

Update application.properties: comment out proxyman.local

Improve local dev setup description in README.  Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
chenkins added a commit that referenced this issue Mar 19, 2024
@chenkins
Fix formatting.
21e2328 
Use AWS SDK compatible with Quarkus native images (#47).

Build docker image on every build as latest (#47).

Remove UUID from vault JWE (#4/#6).

Add storage class, bucket acceleration and bucket encryption options to storage profiles (#44).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging for storage profiles and bucket creation (#6/#3/17).

Decouple the client protocol identifier (s3-hub/s3-hub-sts) and the discriminator values (S3/S3STS) in the backend DB tables through openapi-generated client code (#6).

Fix linting (#6).

Hierarchical DB schema for storage profiles based on DiscriminatorColumn (#6).

Use discriminatorProperty openapi scheme annotations for use with openapi-generator's oneOf discriminator lookup (#6).

Use optional chaining to make linter happy again (TS18048) (#17/#3).

Formatting.

Improved error messages (#3/#17).

Slim storage profile for what can be fetched from /api/config (#6).

Fix openapi/markdown documentation for openapi-generator (#6).

Do not show region/GetBucketLocation in permanent case. Update openapi/markdown documentation for storage configurations (#6/#17).

Update openapi/markdown documentation for storage configurations (#6)

Pull up automatic access grant top-level in vault JWE along key and backend (#13).

Create bucket as first call in vault creation (#3).

Bufgix GET for individual storage profile allow all users (not only admins) (#17).

Show aws cli command for setting CORS (#17).

Improve validation message vault template upload frontend permanent (#17)

Implement GET for individual storage profile and DELETE WiP (#17)

Bugfix vault template upload frontend permanent (#17)

Bugfix vault template upload frontend permanent (#17).

Fix linting (#17).

Validate permanent credentials before uploading vault template (#17).

Bugfix vault template upload frontend permanent (#17)

Fix missing aud claim required for MinIO.

Update documentation uploading storage profiles with admin role (#6).

Fix base uri to open in Cipherduck desktop.

Enforce authentication for storage profile api.

Fix enable S3 Versioning upon bucket creation (#44).

Formatting.

Enable S3 Versioning upon bucket creation (#44).

Enable S3 Versioning upon bucket creation (#44).

Implement migration path automatic access grant with WoT (#13 / #43).

Document decision remove access to vault.

Rename KeycloakCryptomatorVaultsHelper.

Rename S3StorageHelper.

Fix linting.

Fix upload vault template to bucket heading.

Use *.cyberduckprofile for hub, s3-hub, s3-hub-sts.

Fix cipherduck start/end extension markers.

Refactoring (R3) storage profile service persistence (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Set container image group and name in application.properties instead of pom.xml (#47).

Update setup documentation(#47).

Set container image group and name (#47)

Re-enable docker image build and pushing to registry.

Remove cipherduckhubbookmark endpoint, add hub UUID to config endpoint to allow client-side hub-specific profile and bookmark generation (#6).

Use better name  VaultRequested instead of VaultR for Tag Key in assuming second role in chain for AWS (review dko).

Get full region list from AWS SDK instead of hard-coding (code review overheadhunter).

Extract global constant axiosUnAuth in backend.ts (code review overheadhunter).

Inline hubbookmark.duck in order to avoit poentital special handling when using GraalVM to build a native image.

Apply suggestions from code review

More idiomatic usage of Java stream API.

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/cipherduck/BackendsConfigResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Remove obsolete added into line in diff to upstream.

Comply with vue-tsc (Vue 3 Type-Checking).

Update README.md

Co-authored-by: Sebastian Stenzel <[email protected]>

Moving S3 policies away from src/main/resources.

Remove CreateVaultS3.vue in order to rebase changes in CreateVault.vue from upstream. Bugfix description displayed as false when vaults created in hub introduced through forking CreateVaultS3.vue from CreateVault.vue and then missing breaking API change.

By default, in dev-realm.json, map only realm roles into access token in cryptomator and cryptomator hub clients, but not client roles. Separate roles in MinIO: bucket creation (cryptomator and cryptomatorhub cliients) and bucket access (for cryptomatorvaults client)  (#10 #41)

Implement template upload for permanent shared credentials (#17).

Tentative implementation clean-up sync deleting dangling roles in cryptomatorvaults and corresonding client scopes (#41).

Extract profiles and simplify vault jwe (#28, #6).

Variable cleanup in CreateVaultS3.vue

Comply with pre-release API change in granting access to newly created vault (cryptomator/hub@1c2133d).

Post-rebase fix: remove manage-realm from syncer role in dev-realm.json (#41).

Move staging/testing properties into custom application.properties (#41).

Distinguish stsRoleArn for client and hub when creating bucket, update documentation (#12 #23).

Bugfix download template in CreateVaultS3.vue

User cipherduck profiles to simplify hub application.properties, add AWS permanent credentials to backend configurations application.properties (#28).

Get AWS-STS back to work again, update documentation (#10 #23).

Add developer flag for showing vaultId in VaultDetails and VaultList.

Add missing import  ArrowDownTrayIcon in CreateVaultS3.vue.

BackendsConfigDto instead of Any in backend.ts

Remove unnecessary manage-realm role for syncer (#41).

Automatic Access Grant Flag upon vault creation (#13).

Extract hard-coded cryptomatorvaults client to application.properties (#41).

Get hubId from backends config service (#10 #41).

Implement sharing vaults with groups and unsharing with users/groups; token-exchange into separate client (#10 #41).

Cleanup application.properties

Cleanup application.properties

Remove proxyman stuff again as not used.

Complete region list.

Remove obsolete dependencies in pom.xml.

Refactoring protocol serialization (#4).

Remove obsolete CipherduckBookmark.vue (#16).

Remove obsolete CipherduckBookmark.vue (#16). Localization DE (#31).

Mark cipherduck extensions in vues.

Shared long-living credentials: ask for bucket name and offer vault template download after vault creation (#17).

Shared long-living credentials (#17)

Use inline policy to restrict credentials passed to Hub backend (#3).

Allow for choosing region upon vault creation (#3).

Cleanup and documentation VaultJWEBackend (#23 #6).

Button "Open in Cipherduck" not necessary in vault details, as it is confusing (does not open single vault) and on top of the vault list is still visible (#16).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#15 #23 #6).

Bugfix backend/storage configuration not re-encoded upon granting access (#13).

Cleanup bucket prefix and documentation (#15 #23 #6).

Implement token-exchange to get scoped token for AWS with testing.hub.cryptomator.org (#41 #10 #23 #3).

Gitignore local backend/config/application.properties.

Updated top-level README.md for Cipherduck.

Show Vault ID in VaultDetails for debugging.

Implement token-exchange to get scoped token for MinIO (#41 #10 #23 #3).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).

Use StorageConfig service in frontend to get values (#3).

Add configuration for hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

 Add admin Documentation for setting up OIDC Provider at AWS/MinIO and testing vault creation (#23).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Add protocol field to StorageDto (#6).

Refactor StorageDto into record instead of POJO.

Update frontend/src/common/backend.ts

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/StorageResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Fix failing tests as Keycloak is not available at quarkus test time.

Comment out sonarcloud in github action.

Update issue templates (#33)

added "open bookmark" button in vault details (just in case), hid "download vault template" button

Use 'x-cipherduck-action' instead of 'io.mountainduck' for OAuth custom scheme handling (#28).

added "open bookmark" button in vault list

Add Hub Id as UUID in hub bookmark to prevent adding the same bookmark multiple times (#29).

renamed most obvious instances of Cryptomator Hub to Cipherduck

Bugfix missing description in openapi.json for vault storage shared long-living credentials API (#17).

cleaned up frontend

Implement cipherduck hub bookmark download from browser (#16).

Implement cipherduck hub bookmark download frontend page (#16).

Bugfix missing constructor for first version hub frontend vault storage shared long-living credentials (#17).

Implement first version hub frontend vault storage shared long-living credentials (#17).

Implement cipherduck hub bookmark endpoint (#16).

Use amr claim instead of aud claim for now (#10).

Use cryptomator client id in staging keycloak as well (#10). Use vault instead of vault user attribute (#10).

Remove admin role for syncer (#10).

Remove minio client id.

Switch /api/config/cipherduckprofile to local MinIO configuration to fix HubIntegration test in client project.

Update TODOs.

Bugfix empty attributes in keycloak.

Config cipherduck-staging (one role for all buckets).

Set directAccessGrantsEnabled to false.

Simplify concat

Add top-level .gitignore (ignoring top-level .idea folder).

Add /api/config/cipherduckprofile v0.

Remove obsolete dependencies to commons-io and qute.

Move GeneratePolicy back to duck again. Dev-realm with minio client_id.

Upload bucket policy (aws cli call in backend for now) upon vault creation and add vaultId to keycloak upon vault JWE upload. TODO: create bucket upon vault creation.

Update application.properties: comment out proxyman.local

Improve local dev setup description in README.  Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
chenkins added a commit that referenced this issue Jun 7, 2024
@chenkins
Cipherduck Squash
5d3e3ed 
Allow for bucket acceleration to be nullable (#44).

Link to admin setup documentation in github (#44).

Install JDK before running mvn (#44).

Run compile before generating openapi.json in github (#44).

Debug openapi.json github (#44).

Debug openapi.json github (#44).

Fix type safety for storage profile details (#44).

Storage profile details with annotation from openapi.json (#44).

Storage profiles in admin area (#44).

Add missing http client libraries for S3 (#47).

Post-rebase fixes

Fix formatting.

Use AWS SDK compatible with Quarkus native images (#47).

Build docker image on every build as latest (#47).

Remove UUID from vault JWE (#4/#6).

Add storage class, bucket acceleration and bucket encryption options to storage profiles (#44).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging for storage profiles and bucket creation (#6/#3/17).

Decouple the client protocol identifier (s3-hub/s3-hub-sts) and the discriminator values (S3/S3STS) in the backend DB tables through openapi-generated client code (#6).

Fix linting (#6).

Hierarchical DB schema for storage profiles based on DiscriminatorColumn (#6).

Use discriminatorProperty openapi scheme annotations for use with openapi-generator's oneOf discriminator lookup (#6).

Use optional chaining to make linter happy again (TS18048) (#17/#3).

Formatting.

Improved error messages (#3/#17).

Slim storage profile for what can be fetched from /api/config (#6).

Fix openapi/markdown documentation for openapi-generator (#6).

Do not show region/GetBucketLocation in permanent case. Update openapi/markdown documentation for storage configurations (#6/#17).

Update openapi/markdown documentation for storage configurations (#6)

Pull up automatic access grant top-level in vault JWE along key and backend (#13).

Create bucket as first call in vault creation (#3).

Bufgix GET for individual storage profile allow all users (not only admins) (#17).

Show aws cli command for setting CORS (#17).

Improve validation message vault template upload frontend permanent (#17)

Implement GET for individual storage profile and DELETE WiP (#17)

Bugfix vault template upload frontend permanent (#17)

Bugfix vault template upload frontend permanent (#17).

Fix linting (#17).

Validate permanent credentials before uploading vault template (#17).

Bugfix vault template upload frontend permanent (#17)

Fix missing aud claim required for MinIO.

Update documentation uploading storage profiles with admin role (#6).

Fix base uri to open in Cipherduck desktop.

Enforce authentication for storage profile api.

Fix enable S3 Versioning upon bucket creation (#44).

Formatting.

Enable S3 Versioning upon bucket creation (#44).

Enable S3 Versioning upon bucket creation (#44).

Implement migration path automatic access grant with WoT (#13 / #43).

Document decision remove access to vault.

Rename KeycloakCryptomatorVaultsHelper.

Rename S3StorageHelper.

Fix linting.

Fix upload vault template to bucket heading.

Use *.cyberduckprofile for hub, s3-hub, s3-hub-sts.

Fix cipherduck start/end extension markers.

Refactoring (R3) storage profile service persistence (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Set container image group and name in application.properties instead of pom.xml (#47).

Update setup documentation(#47).

Set container image group and name (#47)

Re-enable docker image build and pushing to registry.

Remove cipherduckhubbookmark endpoint, add hub UUID to config endpoint to allow client-side hub-specific profile and bookmark generation (#6).

Use better name  VaultRequested instead of VaultR for Tag Key in assuming second role in chain for AWS (review dko).

Get full region list from AWS SDK instead of hard-coding (code review overheadhunter).

Extract global constant axiosUnAuth in backend.ts (code review overheadhunter).

Inline hubbookmark.duck in order to avoit poentital special handling when using GraalVM to build a native image.

Apply suggestions from code review

More idiomatic usage of Java stream API.

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/cipherduck/BackendsConfigResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Remove obsolete added into line in diff to upstream.

Comply with vue-tsc (Vue 3 Type-Checking).

Update README.md

Co-authored-by: Sebastian Stenzel <[email protected]>

Moving S3 policies away from src/main/resources.

Remove CreateVaultS3.vue in order to rebase changes in CreateVault.vue from upstream. Bugfix description displayed as false when vaults created in hub introduced through forking CreateVaultS3.vue from CreateVault.vue and then missing breaking API change.

By default, in dev-realm.json, map only realm roles into access token in cryptomator and cryptomator hub clients, but not client roles. Separate roles in MinIO: bucket creation (cryptomator and cryptomatorhub cliients) and bucket access (for cryptomatorvaults client)  (#10 #41)

Implement template upload for permanent shared credentials (#17).

Tentative implementation clean-up sync deleting dangling roles in cryptomatorvaults and corresonding client scopes (#41).

Extract profiles and simplify vault jwe (#28, #6).

Variable cleanup in CreateVaultS3.vue

Comply with pre-release API change in granting access to newly created vault (cryptomator/hub@1c2133d).

Post-rebase fix: remove manage-realm from syncer role in dev-realm.json (#41).

Move staging/testing properties into custom application.properties (#41).

Distinguish stsRoleArn for client and hub when creating bucket, update documentation (#12 #23).

Bugfix download template in CreateVaultS3.vue

User cipherduck profiles to simplify hub application.properties, add AWS permanent credentials to backend configurations application.properties (#28).

Get AWS-STS back to work again, update documentation (#10 #23).

Add developer flag for showing vaultId in VaultDetails and VaultList.

Add missing import  ArrowDownTrayIcon in CreateVaultS3.vue.

BackendsConfigDto instead of Any in backend.ts

Remove unnecessary manage-realm role for syncer (#41).

Automatic Access Grant Flag upon vault creation (#13).

Extract hard-coded cryptomatorvaults client to application.properties (#41).

Get hubId from backends config service (#10 #41).

Implement sharing vaults with groups and unsharing with users/groups; token-exchange into separate client (#10 #41).

Cleanup application.properties

Cleanup application.properties

Remove proxyman stuff again as not used.

Complete region list.

Remove obsolete dependencies in pom.xml.

Refactoring protocol serialization (#4).

Remove obsolete CipherduckBookmark.vue (#16).

Remove obsolete CipherduckBookmark.vue (#16). Localization DE (#31).

Mark cipherduck extensions in vues.

Shared long-living credentials: ask for bucket name and offer vault template download after vault creation (#17).

Shared long-living credentials (#17)

Use inline policy to restrict credentials passed to Hub backend (#3).

Allow for choosing region upon vault creation (#3).

Cleanup and documentation VaultJWEBackend (#23 #6).

Button "Open in Cipherduck" not necessary in vault details, as it is confusing (does not open single vault) and on top of the vault list is still visible (#16).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#15 #23 #6).

Bugfix backend/storage configuration not re-encoded upon granting access (#13).

Cleanup bucket prefix and documentation (#15 #23 #6).

Implement token-exchange to get scoped token for AWS with testing.hub.cryptomator.org (#41 #10 #23 #3).

Gitignore local backend/config/application.properties.

Updated top-level README.md for Cipherduck.

Show Vault ID in VaultDetails for debugging.

Implement token-exchange to get scoped token for MinIO (#41 #10 #23 #3).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).

Use StorageConfig service in frontend to get values (#3).

Add configuration for hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

 Add admin Documentation for setting up OIDC Provider at AWS/MinIO and testing vault creation (#23).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Add protocol field to StorageDto (#6).

Refactor StorageDto into record instead of POJO.

Update frontend/src/common/backend.ts

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/StorageResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Fix failing tests as Keycloak is not available at quarkus test time.

Comment out sonarcloud in github action.

Update issue templates (#33)

added "open bookmark" button in vault details (just in case), hid "download vault template" button

Use 'x-cipherduck-action' instead of 'io.mountainduck' for OAuth custom scheme handling (#28).

added "open bookmark" button in vault list

Add Hub Id as UUID in hub bookmark to prevent adding the same bookmark multiple times (#29).

renamed most obvious instances of Cryptomator Hub to Cipherduck

Bugfix missing description in openapi.json for vault storage shared long-living credentials API (#17).

cleaned up frontend

Implement cipherduck hub bookmark download from browser (#16).

Implement cipherduck hub bookmark download frontend page (#16).

Bugfix missing constructor for first version hub frontend vault storage shared long-living credentials (#17).

Implement first version hub frontend vault storage shared long-living credentials (#17).

Implement cipherduck hub bookmark endpoint (#16).

Use amr claim instead of aud claim for now (#10).

Use cryptomator client id in staging keycloak as well (#10). Use vault instead of vault user attribute (#10).

Remove admin role for syncer (#10).

Remove minio client id.

Switch /api/config/cipherduckprofile to local MinIO configuration to fix HubIntegration test in client project.

Update TODOs.

Bugfix empty attributes in keycloak.

Config cipherduck-staging (one role for all buckets).

Set directAccessGrantsEnabled to false.

Simplify concat

Add top-level .gitignore (ignoring top-level .idea folder).

Add /api/config/cipherduckprofile v0.

Remove obsolete dependencies to commons-io and qute.

Move GeneratePolicy back to duck again. Dev-realm with minio client_id.

Upload bucket policy (aws cli call in backend for now) upon vault creation and add vaultId to keycloak upon vault JWE upload. TODO: create bucket upon vault creation.

Update application.properties: comment out proxyman.local

Improve local dev setup description in README.  Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
chenkins added a commit that referenced this issue Jun 7, 2024
@chenkins
Cipherduck Squash
de3a59f 
Allow for bucket acceleration to be nullable (#44).

Link to admin setup documentation in github (#44).

Install JDK before running mvn (#44).

Run compile before generating openapi.json in github (#44).

Debug openapi.json github (#44).

Debug openapi.json github (#44).

Fix type safety for storage profile details (#44).

Storage profile details with annotation from openapi.json (#44).

Storage profiles in admin area (#44).

Add missing http client libraries for S3 (#47).

Post-rebase fixes

Fix formatting.

Use AWS SDK compatible with Quarkus native images (#47).

Build docker image on every build as latest (#47).

Remove UUID from vault JWE (#4/#6).

Add storage class, bucket acceleration and bucket encryption options to storage profiles (#44).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging for storage profiles and bucket creation (#6/#3/17).

Decouple the client protocol identifier (s3-hub/s3-hub-sts) and the discriminator values (S3/S3STS) in the backend DB tables through openapi-generated client code (#6).

Fix linting (#6).

Hierarchical DB schema for storage profiles based on DiscriminatorColumn (#6).

Use discriminatorProperty openapi scheme annotations for use with openapi-generator's oneOf discriminator lookup (#6).

Use optional chaining to make linter happy again (TS18048) (#17/#3).

Formatting.

Improved error messages (#3/#17).

Slim storage profile for what can be fetched from /api/config (#6).

Fix openapi/markdown documentation for openapi-generator (#6).

Do not show region/GetBucketLocation in permanent case. Update openapi/markdown documentation for storage configurations (#6/#17).

Update openapi/markdown documentation for storage configurations (#6)

Pull up automatic access grant top-level in vault JWE along key and backend (#13).

Create bucket as first call in vault creation (#3).

Bufgix GET for individual storage profile allow all users (not only admins) (#17).

Show aws cli command for setting CORS (#17).

Improve validation message vault template upload frontend permanent (#17)

Implement GET for individual storage profile and DELETE WiP (#17)

Bugfix vault template upload frontend permanent (#17)

Bugfix vault template upload frontend permanent (#17).

Fix linting (#17).

Validate permanent credentials before uploading vault template (#17).

Bugfix vault template upload frontend permanent (#17)

Fix missing aud claim required for MinIO.

Update documentation uploading storage profiles with admin role (#6).

Fix base uri to open in Cipherduck desktop.

Enforce authentication for storage profile api.

Fix enable S3 Versioning upon bucket creation (#44).

Formatting.

Enable S3 Versioning upon bucket creation (#44).

Enable S3 Versioning upon bucket creation (#44).

Implement migration path automatic access grant with WoT (#13 / #43).

Document decision remove access to vault.

Rename KeycloakCryptomatorVaultsHelper.

Rename S3StorageHelper.

Fix linting.

Fix upload vault template to bucket heading.

Use *.cyberduckprofile for hub, s3-hub, s3-hub-sts.

Fix cipherduck start/end extension markers.

Refactoring (R3) storage profile service persistence (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Set container image group and name in application.properties instead of pom.xml (#47).

Update setup documentation(#47).

Set container image group and name (#47)

Re-enable docker image build and pushing to registry.

Remove cipherduckhubbookmark endpoint, add hub UUID to config endpoint to allow client-side hub-specific profile and bookmark generation (#6).

Use better name  VaultRequested instead of VaultR for Tag Key in assuming second role in chain for AWS (review dko).

Get full region list from AWS SDK instead of hard-coding (code review overheadhunter).

Extract global constant axiosUnAuth in backend.ts (code review overheadhunter).

Inline hubbookmark.duck in order to avoit poentital special handling when using GraalVM to build a native image.

Apply suggestions from code review

More idiomatic usage of Java stream API.

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/cipherduck/BackendsConfigResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Remove obsolete added into line in diff to upstream.

Comply with vue-tsc (Vue 3 Type-Checking).

Update README.md

Co-authored-by: Sebastian Stenzel <[email protected]>

Moving S3 policies away from src/main/resources.

Remove CreateVaultS3.vue in order to rebase changes in CreateVault.vue from upstream. Bugfix description displayed as false when vaults created in hub introduced through forking CreateVaultS3.vue from CreateVault.vue and then missing breaking API change.

By default, in dev-realm.json, map only realm roles into access token in cryptomator and cryptomator hub clients, but not client roles. Separate roles in MinIO: bucket creation (cryptomator and cryptomatorhub cliients) and bucket access (for cryptomatorvaults client)  (#10 #41)

Implement template upload for permanent shared credentials (#17).

Tentative implementation clean-up sync deleting dangling roles in cryptomatorvaults and corresonding client scopes (#41).

Extract profiles and simplify vault jwe (#28, #6).

Variable cleanup in CreateVaultS3.vue

Comply with pre-release API change in granting access to newly created vault (cryptomator/hub@1c2133d).

Post-rebase fix: remove manage-realm from syncer role in dev-realm.json (#41).

Move staging/testing properties into custom application.properties (#41).

Distinguish stsRoleArn for client and hub when creating bucket, update documentation (#12 #23).

Bugfix download template in CreateVaultS3.vue

User cipherduck profiles to simplify hub application.properties, add AWS permanent credentials to backend configurations application.properties (#28).

Get AWS-STS back to work again, update documentation (#10 #23).

Add developer flag for showing vaultId in VaultDetails and VaultList.

Add missing import  ArrowDownTrayIcon in CreateVaultS3.vue.

BackendsConfigDto instead of Any in backend.ts

Remove unnecessary manage-realm role for syncer (#41).

Automatic Access Grant Flag upon vault creation (#13).

Extract hard-coded cryptomatorvaults client to application.properties (#41).

Get hubId from backends config service (#10 #41).

Implement sharing vaults with groups and unsharing with users/groups; token-exchange into separate client (#10 #41).

Cleanup application.properties

Cleanup application.properties

Remove proxyman stuff again as not used.

Complete region list.

Remove obsolete dependencies in pom.xml.

Refactoring protocol serialization (#4).

Remove obsolete CipherduckBookmark.vue (#16).

Remove obsolete CipherduckBookmark.vue (#16). Localization DE (#31).

Mark cipherduck extensions in vues.

Shared long-living credentials: ask for bucket name and offer vault template download after vault creation (#17).

Shared long-living credentials (#17)

Use inline policy to restrict credentials passed to Hub backend (#3).

Allow for choosing region upon vault creation (#3).

Cleanup and documentation VaultJWEBackend (#23 #6).

Button "Open in Cipherduck" not necessary in vault details, as it is confusing (does not open single vault) and on top of the vault list is still visible (#16).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#15 #23 #6).

Bugfix backend/storage configuration not re-encoded upon granting access (#13).

Cleanup bucket prefix and documentation (#15 #23 #6).

Implement token-exchange to get scoped token for AWS with testing.hub.cryptomator.org (#41 #10 #23 #3).

Gitignore local backend/config/application.properties.

Updated top-level README.md for Cipherduck.

Show Vault ID in VaultDetails for debugging.

Implement token-exchange to get scoped token for MinIO (#41 #10 #23 #3).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).

Use StorageConfig service in frontend to get values (#3).

Add configuration for hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

 Add admin Documentation for setting up OIDC Provider at AWS/MinIO and testing vault creation (#23).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Add protocol field to StorageDto (#6).

Refactor StorageDto into record instead of POJO.

Update frontend/src/common/backend.ts

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/StorageResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Fix failing tests as Keycloak is not available at quarkus test time.

Comment out sonarcloud in github action.

Update issue templates (#33)

added "open bookmark" button in vault details (just in case), hid "download vault template" button

Use 'x-cipherduck-action' instead of 'io.mountainduck' for OAuth custom scheme handling (#28).

added "open bookmark" button in vault list

Add Hub Id as UUID in hub bookmark to prevent adding the same bookmark multiple times (#29).

renamed most obvious instances of Cryptomator Hub to Cipherduck

Bugfix missing description in openapi.json for vault storage shared long-living credentials API (#17).

cleaned up frontend

Implement cipherduck hub bookmark download from browser (#16).

Implement cipherduck hub bookmark download frontend page (#16).

Bugfix missing constructor for first version hub frontend vault storage shared long-living credentials (#17).

Implement first version hub frontend vault storage shared long-living credentials (#17).

Implement cipherduck hub bookmark endpoint (#16).

Use amr claim instead of aud claim for now (#10).

Use cryptomator client id in staging keycloak as well (#10). Use vault instead of vault user attribute (#10).

Remove admin role for syncer (#10).

Remove minio client id.

Switch /api/config/cipherduckprofile to local MinIO configuration to fix HubIntegration test in client project.

Update TODOs.

Bugfix empty attributes in keycloak.

Config cipherduck-staging (one role for all buckets).

Set directAccessGrantsEnabled to false.

Simplify concat

Add top-level .gitignore (ignoring top-level .idea folder).

Add /api/config/cipherduckprofile v0.

Remove obsolete dependencies to commons-io and qute.

Move GeneratePolicy back to duck again. Dev-realm with minio client_id.

Upload bucket policy (aws cli call in backend for now) upon vault creation and add vaultId to keycloak upon vault JWE upload. TODO: create bucket upon vault creation.

Update application.properties: comment out proxyman.local

Improve local dev setup description in README.  Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
chenkins added a commit that referenced this issue Jun 7, 2024
@chenkins
Cipherduck Squash
0ff5ff1 
Post-uvf-rebase fix repository refactoring upstream.

Post-uvf-rebase fix ConfigResource.

Allow for bucket acceleration to be nullable (#44).

Link to admin setup documentation in github (#44).

Install JDK before running mvn (#44).

Run compile before generating openapi.json in github (#44).

Debug openapi.json github (#44).

Debug openapi.json github (#44).

Fix type safety for storage profile details (#44).

Storage profile details with annotation from openapi.json (#44).

Storage profiles in admin area (#44).

Add missing http client libraries for S3 (#47).

Post-rebase fixes

Fix formatting.

Use AWS SDK compatible with Quarkus native images (#47).

Build docker image on every build as latest (#47).

Remove UUID from vault JWE (#4/#6).

Add storage class, bucket acceleration and bucket encryption options to storage profiles (#44).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging for storage profiles and bucket creation (#6/#3/17).

Decouple the client protocol identifier (s3-hub/s3-hub-sts) and the discriminator values (S3/S3STS) in the backend DB tables through openapi-generated client code (#6).

Fix linting (#6).

Hierarchical DB schema for storage profiles based on DiscriminatorColumn (#6).

Use discriminatorProperty openapi scheme annotations for use with openapi-generator's oneOf discriminator lookup (#6).

Use optional chaining to make linter happy again (TS18048) (#17/#3).

Formatting.

Improved error messages (#3/#17).

Slim storage profile for what can be fetched from /api/config (#6).

Fix openapi/markdown documentation for openapi-generator (#6).

Do not show region/GetBucketLocation in permanent case. Update openapi/markdown documentation for storage configurations (#6/#17).

Update openapi/markdown documentation for storage configurations (#6)

Pull up automatic access grant top-level in vault JWE along key and backend (#13).

Create bucket as first call in vault creation (#3).

Bufgix GET for individual storage profile allow all users (not only admins) (#17).

Show aws cli command for setting CORS (#17).

Improve validation message vault template upload frontend permanent (#17)

Implement GET for individual storage profile and DELETE WiP (#17)

Bugfix vault template upload frontend permanent (#17)

Bugfix vault template upload frontend permanent (#17).

Fix linting (#17).

Validate permanent credentials before uploading vault template (#17).

Bugfix vault template upload frontend permanent (#17)

Fix missing aud claim required for MinIO.

Update documentation uploading storage profiles with admin role (#6).

Fix base uri to open in Cipherduck desktop.

Enforce authentication for storage profile api.

Fix enable S3 Versioning upon bucket creation (#44).

Formatting.

Enable S3 Versioning upon bucket creation (#44).

Enable S3 Versioning upon bucket creation (#44).

Implement migration path automatic access grant with WoT (#13 / #43).

Document decision remove access to vault.

Rename KeycloakCryptomatorVaultsHelper.

Rename S3StorageHelper.

Fix linting.

Fix upload vault template to bucket heading.

Use *.cyberduckprofile for hub, s3-hub, s3-hub-sts.

Fix cipherduck start/end extension markers.

Refactoring (R3) storage profile service persistence (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Set container image group and name in application.properties instead of pom.xml (#47).

Update setup documentation(#47).

Set container image group and name (#47)

Re-enable docker image build and pushing to registry.

Remove cipherduckhubbookmark endpoint, add hub UUID to config endpoint to allow client-side hub-specific profile and bookmark generation (#6).

Use better name  VaultRequested instead of VaultR for Tag Key in assuming second role in chain for AWS (review dko).

Get full region list from AWS SDK instead of hard-coding (code review overheadhunter).

Extract global constant axiosUnAuth in backend.ts (code review overheadhunter).

Inline hubbookmark.duck in order to avoit poentital special handling when using GraalVM to build a native image.

Apply suggestions from code review

More idiomatic usage of Java stream API.

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/cipherduck/BackendsConfigResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Remove obsolete added into line in diff to upstream.

Comply with vue-tsc (Vue 3 Type-Checking).

Update README.md

Co-authored-by: Sebastian Stenzel <[email protected]>

Moving S3 policies away from src/main/resources.

Remove CreateVaultS3.vue in order to rebase changes in CreateVault.vue from upstream. Bugfix description displayed as false when vaults created in hub introduced through forking CreateVaultS3.vue from CreateVault.vue and then missing breaking API change.

By default, in dev-realm.json, map only realm roles into access token in cryptomator and cryptomator hub clients, but not client roles. Separate roles in MinIO: bucket creation (cryptomator and cryptomatorhub cliients) and bucket access (for cryptomatorvaults client)  (#10 #41)

Implement template upload for permanent shared credentials (#17).

Tentative implementation clean-up sync deleting dangling roles in cryptomatorvaults and corresonding client scopes (#41).

Extract profiles and simplify vault jwe (#28, #6).

Variable cleanup in CreateVaultS3.vue

Comply with pre-release API change in granting access to newly created vault (cryptomator/hub@1c2133d).

Post-rebase fix: remove manage-realm from syncer role in dev-realm.json (#41).

Move staging/testing properties into custom application.properties (#41).

Distinguish stsRoleArn for client and hub when creating bucket, update documentation (#12 #23).

Bugfix download template in CreateVaultS3.vue

User cipherduck profiles to simplify hub application.properties, add AWS permanent credentials to backend configurations application.properties (#28).

Get AWS-STS back to work again, update documentation (#10 #23).

Add developer flag for showing vaultId in VaultDetails and VaultList.

Add missing import  ArrowDownTrayIcon in CreateVaultS3.vue.

BackendsConfigDto instead of Any in backend.ts

Remove unnecessary manage-realm role for syncer (#41).

Automatic Access Grant Flag upon vault creation (#13).

Extract hard-coded cryptomatorvaults client to application.properties (#41).

Get hubId from backends config service (#10 #41).

Implement sharing vaults with groups and unsharing with users/groups; token-exchange into separate client (#10 #41).

Cleanup application.properties

Cleanup application.properties

Remove proxyman stuff again as not used.

Complete region list.

Remove obsolete dependencies in pom.xml.

Refactoring protocol serialization (#4).

Remove obsolete CipherduckBookmark.vue (#16).

Remove obsolete CipherduckBookmark.vue (#16). Localization DE (#31).

Mark cipherduck extensions in vues.

Shared long-living credentials: ask for bucket name and offer vault template download after vault creation (#17).

Shared long-living credentials (#17)

Use inline policy to restrict credentials passed to Hub backend (#3).

Allow for choosing region upon vault creation (#3).

Cleanup and documentation VaultJWEBackend (#23 #6).

Button "Open in Cipherduck" not necessary in vault details, as it is confusing (does not open single vault) and on top of the vault list is still visible (#16).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#15 #23 #6).

Bugfix backend/storage configuration not re-encoded upon granting access (#13).

Cleanup bucket prefix and documentation (#15 #23 #6).

Implement token-exchange to get scoped token for AWS with testing.hub.cryptomator.org (#41 #10 #23 #3).

Gitignore local backend/config/application.properties.

Updated top-level README.md for Cipherduck.

Show Vault ID in VaultDetails for debugging.

Implement token-exchange to get scoped token for MinIO (#41 #10 #23 #3).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).

Use StorageConfig service in frontend to get values (#3).

Add configuration for hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

 Add admin Documentation for setting up OIDC Provider at AWS/MinIO and testing vault creation (#23).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Add protocol field to StorageDto (#6).

Refactor StorageDto into record instead of POJO.

Update frontend/src/common/backend.ts

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/StorageResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Fix failing tests as Keycloak is not available at quarkus test time.

Comment out sonarcloud in github action.

Update issue templates (#33)

added "open bookmark" button in vault details (just in case), hid "download vault template" button

Use 'x-cipherduck-action' instead of 'io.mountainduck' for OAuth custom scheme handling (#28).

added "open bookmark" button in vault list

Add Hub Id as UUID in hub bookmark to prevent adding the same bookmark multiple times (#29).

renamed most obvious instances of Cryptomator Hub to Cipherduck

Bugfix missing description in openapi.json for vault storage shared long-living credentials API (#17).

cleaned up frontend

Implement cipherduck hub bookmark download from browser (#16).

Implement cipherduck hub bookmark download frontend page (#16).

Bugfix missing constructor for first version hub frontend vault storage shared long-living credentials (#17).

Implement first version hub frontend vault storage shared long-living credentials (#17).

Implement cipherduck hub bookmark endpoint (#16).

Use amr claim instead of aud claim for now (#10).

Use cryptomator client id in staging keycloak as well (#10). Use vault instead of vault user attribute (#10).

Remove admin role for syncer (#10).

Remove minio client id.

Switch /api/config/cipherduckprofile to local MinIO configuration to fix HubIntegration test in client project.

Update TODOs.

Bugfix empty attributes in keycloak.

Config cipherduck-staging (one role for all buckets).

Set directAccessGrantsEnabled to false.

Simplify concat

Add top-level .gitignore (ignoring top-level .idea folder).

Add /api/config/cipherduckprofile v0.

Remove obsolete dependencies to commons-io and qute.

Move GeneratePolicy back to duck again. Dev-realm with minio client_id.

Upload bucket policy (aws cli call in backend for now) upon vault creation and add vaultId to keycloak upon vault JWE upload. TODO: create bucket upon vault creation.

Update application.properties: comment out proxyman.local

Improve local dev setup description in README.  Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
chenkins added a commit that referenced this issue Aug 20, 2024
@chenkins
Cipherduck Squash
c9f29be 
Post-uvf-rebase fix repository refactoring upstream.

Post-uvf-rebase fix ConfigResource.

Allow for bucket acceleration to be nullable (#44).

Link to admin setup documentation in github (#44).

Install JDK before running mvn (#44).

Run compile before generating openapi.json in github (#44).

Debug openapi.json github (#44).

Debug openapi.json github (#44).

Fix type safety for storage profile details (#44).

Storage profile details with annotation from openapi.json (#44).

Storage profiles in admin area (#44).

Add missing http client libraries for S3 (#47).

Post-rebase fixes

Fix formatting.

Use AWS SDK compatible with Quarkus native images (#47).

Build docker image on every build as latest (#47).

Remove UUID from vault JWE (#4/#6).

Add storage class, bucket acceleration and bucket encryption options to storage profiles (#44).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging for storage profiles and bucket creation (#6/#3/17).

Decouple the client protocol identifier (s3-hub/s3-hub-sts) and the discriminator values (S3/S3STS) in the backend DB tables through openapi-generated client code (#6).

Fix linting (#6).

Hierarchical DB schema for storage profiles based on DiscriminatorColumn (#6).

Use discriminatorProperty openapi scheme annotations for use with openapi-generator's oneOf discriminator lookup (#6).

Use optional chaining to make linter happy again (TS18048) (#17/#3).

Formatting.

Improved error messages (#3/#17).

Slim storage profile for what can be fetched from /api/config (#6).

Fix openapi/markdown documentation for openapi-generator (#6).

Do not show region/GetBucketLocation in permanent case. Update openapi/markdown documentation for storage configurations (#6/#17).

Update openapi/markdown documentation for storage configurations (#6)

Pull up automatic access grant top-level in vault JWE along key and backend (#13).

Create bucket as first call in vault creation (#3).

Bufgix GET for individual storage profile allow all users (not only admins) (#17).

Show aws cli command for setting CORS (#17).

Improve validation message vault template upload frontend permanent (#17)

Implement GET for individual storage profile and DELETE WiP (#17)

Bugfix vault template upload frontend permanent (#17)

Bugfix vault template upload frontend permanent (#17).

Fix linting (#17).

Validate permanent credentials before uploading vault template (#17).

Bugfix vault template upload frontend permanent (#17)

Fix missing aud claim required for MinIO.

Update documentation uploading storage profiles with admin role (#6).

Fix base uri to open in Cipherduck desktop.

Enforce authentication for storage profile api.

Fix enable S3 Versioning upon bucket creation (#44).

Formatting.

Enable S3 Versioning upon bucket creation (#44).

Enable S3 Versioning upon bucket creation (#44).

Implement migration path automatic access grant with WoT (#13 / #43).

Document decision remove access to vault.

Rename KeycloakCryptomatorVaultsHelper.

Rename S3StorageHelper.

Fix linting.

Fix upload vault template to bucket heading.

Use *.cyberduckprofile for hub, s3-hub, s3-hub-sts.

Fix cipherduck start/end extension markers.

Refactoring (R3) storage profile service persistence (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Set container image group and name in application.properties instead of pom.xml (#47).

Update setup documentation(#47).

Set container image group and name (#47)

Re-enable docker image build and pushing to registry.

Remove cipherduckhubbookmark endpoint, add hub UUID to config endpoint to allow client-side hub-specific profile and bookmark generation (#6).

Use better name  VaultRequested instead of VaultR for Tag Key in assuming second role in chain for AWS (review dko).

Get full region list from AWS SDK instead of hard-coding (code review overheadhunter).

Extract global constant axiosUnAuth in backend.ts (code review overheadhunter).

Inline hubbookmark.duck in order to avoit poentital special handling when using GraalVM to build a native image.

Apply suggestions from code review

More idiomatic usage of Java stream API.

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/cipherduck/BackendsConfigResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Remove obsolete added into line in diff to upstream.

Comply with vue-tsc (Vue 3 Type-Checking).

Update README.md

Co-authored-by: Sebastian Stenzel <[email protected]>

Moving S3 policies away from src/main/resources.

Remove CreateVaultS3.vue in order to rebase changes in CreateVault.vue from upstream. Bugfix description displayed as false when vaults created in hub introduced through forking CreateVaultS3.vue from CreateVault.vue and then missing breaking API change.

By default, in dev-realm.json, map only realm roles into access token in cryptomator and cryptomator hub clients, but not client roles. Separate roles in MinIO: bucket creation (cryptomator and cryptomatorhub cliients) and bucket access (for cryptomatorvaults client)  (#10 #41)

Implement template upload for permanent shared credentials (#17).

Tentative implementation clean-up sync deleting dangling roles in cryptomatorvaults and corresonding client scopes (#41).

Extract profiles and simplify vault jwe (#28, #6).

Variable cleanup in CreateVaultS3.vue

Comply with pre-release API change in granting access to newly created vault (cryptomator/hub@1c2133d).

Post-rebase fix: remove manage-realm from syncer role in dev-realm.json (#41).

Move staging/testing properties into custom application.properties (#41).

Distinguish stsRoleArn for client and hub when creating bucket, update documentation (#12 #23).

Bugfix download template in CreateVaultS3.vue

User cipherduck profiles to simplify hub application.properties, add AWS permanent credentials to backend configurations application.properties (#28).

Get AWS-STS back to work again, update documentation (#10 #23).

Add developer flag for showing vaultId in VaultDetails and VaultList.

Add missing import  ArrowDownTrayIcon in CreateVaultS3.vue.

BackendsConfigDto instead of Any in backend.ts

Remove unnecessary manage-realm role for syncer (#41).

Automatic Access Grant Flag upon vault creation (#13).

Extract hard-coded cryptomatorvaults client to application.properties (#41).

Get hubId from backends config service (#10 #41).

Implement sharing vaults with groups and unsharing with users/groups; token-exchange into separate client (#10 #41).

Cleanup application.properties

Cleanup application.properties

Remove proxyman stuff again as not used.

Complete region list.

Remove obsolete dependencies in pom.xml.

Refactoring protocol serialization (#4).

Remove obsolete CipherduckBookmark.vue (#16).

Remove obsolete CipherduckBookmark.vue (#16). Localization DE (#31).

Mark cipherduck extensions in vues.

Shared long-living credentials: ask for bucket name and offer vault template download after vault creation (#17).

Shared long-living credentials (#17)

Use inline policy to restrict credentials passed to Hub backend (#3).

Allow for choosing region upon vault creation (#3).

Cleanup and documentation VaultJWEBackend (#23 #6).

Button "Open in Cipherduck" not necessary in vault details, as it is confusing (does not open single vault) and on top of the vault list is still visible (#16).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#15 #23 #6).

Bugfix backend/storage configuration not re-encoded upon granting access (#13).

Cleanup bucket prefix and documentation (#15 #23 #6).

Implement token-exchange to get scoped token for AWS with testing.hub.cryptomator.org (#41 #10 #23 #3).

Gitignore local backend/config/application.properties.

Updated top-level README.md for Cipherduck.

Show Vault ID in VaultDetails for debugging.

Implement token-exchange to get scoped token for MinIO (#41 #10 #23 #3).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).

Use StorageConfig service in frontend to get values (#3).

Add configuration for hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

 Add admin Documentation for setting up OIDC Provider at AWS/MinIO and testing vault creation (#23).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Add protocol field to StorageDto (#6).

Refactor StorageDto into record instead of POJO.

Update frontend/src/common/backend.ts

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/StorageResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Fix failing tests as Keycloak is not available at quarkus test time.

Comment out sonarcloud in github action.

Update issue templates (#33)

added "open bookmark" button in vault details (just in case), hid "download vault template" button

Use 'x-cipherduck-action' instead of 'io.mountainduck' for OAuth custom scheme handling (#28).

added "open bookmark" button in vault list

Add Hub Id as UUID in hub bookmark to prevent adding the same bookmark multiple times (#29).

renamed most obvious instances of Cryptomator Hub to Cipherduck

Bugfix missing description in openapi.json for vault storage shared long-living credentials API (#17).

cleaned up frontend

Implement cipherduck hub bookmark download from browser (#16).

Implement cipherduck hub bookmark download frontend page (#16).

Bugfix missing constructor for first version hub frontend vault storage shared long-living credentials (#17).

Implement first version hub frontend vault storage shared long-living credentials (#17).

Implement cipherduck hub bookmark endpoint (#16).

Use amr claim instead of aud claim for now (#10).

Use cryptomator client id in staging keycloak as well (#10). Use vault instead of vault user attribute (#10).

Remove admin role for syncer (#10).

Remove minio client id.

Switch /api/config/cipherduckprofile to local MinIO configuration to fix HubIntegration test in client project.

Update TODOs.

Bugfix empty attributes in keycloak.

Config cipherduck-staging (one role for all buckets).

Set directAccessGrantsEnabled to false.

Simplify concat

Add top-level .gitignore (ignoring top-level .idea folder).

Add /api/config/cipherduckprofile v0.

Remove obsolete dependencies to commons-io and qute.

Move GeneratePolicy back to duck again. Dev-realm with minio client_id.

Upload bucket policy (aws cli call in backend for now) upon vault creation and add vaultId to keycloak upon vault JWE upload. TODO: create bucket upon vault creation.

Update application.properties: comment out proxyman.local

Improve local dev setup description in README.  Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
@chenkins
Copy link
Collaborator Author

Continue technical documentation #38

chenkins added a commit that referenced this issue Nov 5, 2024
@chenkins
Cipherduck Squash
c1038f4 
Post-uvf-rebase fix repository refactoring upstream.

Post-uvf-rebase fix ConfigResource.

Allow for bucket acceleration to be nullable (#44).

Link to admin setup documentation in github (#44).

Install JDK before running mvn (#44).

Run compile before generating openapi.json in github (#44).

Debug openapi.json github (#44).

Debug openapi.json github (#44).

Fix type safety for storage profile details (#44).

Storage profile details with annotation from openapi.json (#44).

Storage profiles in admin area (#44).

Add missing http client libraries for S3 (#47).

Post-rebase fixes

Fix formatting.

Use AWS SDK compatible with Quarkus native images (#47).

Build docker image on every build as latest (#47).

Remove UUID from vault JWE (#4/#6).

Add storage class, bucket acceleration and bucket encryption options to storage profiles (#44).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging and openapi response documentation (#6).

Improved error handling/logging for storage profiles and bucket creation (#6/#3/17).

Decouple the client protocol identifier (s3-hub/s3-hub-sts) and the discriminator values (S3/S3STS) in the backend DB tables through openapi-generated client code (#6).

Fix linting (#6).

Hierarchical DB schema for storage profiles based on DiscriminatorColumn (#6).

Use discriminatorProperty openapi scheme annotations for use with openapi-generator's oneOf discriminator lookup (#6).

Use optional chaining to make linter happy again (TS18048) (#17/#3).

Formatting.

Improved error messages (#3/#17).

Slim storage profile for what can be fetched from /api/config (#6).

Fix openapi/markdown documentation for openapi-generator (#6).

Do not show region/GetBucketLocation in permanent case. Update openapi/markdown documentation for storage configurations (#6/#17).

Update openapi/markdown documentation for storage configurations (#6)

Pull up automatic access grant top-level in vault JWE along key and backend (#13).

Create bucket as first call in vault creation (#3).

Bufgix GET for individual storage profile allow all users (not only admins) (#17).

Show aws cli command for setting CORS (#17).

Improve validation message vault template upload frontend permanent (#17)

Implement GET for individual storage profile and DELETE WiP (#17)

Bugfix vault template upload frontend permanent (#17)

Bugfix vault template upload frontend permanent (#17).

Fix linting (#17).

Validate permanent credentials before uploading vault template (#17).

Bugfix vault template upload frontend permanent (#17)

Fix missing aud claim required for MinIO.

Update documentation uploading storage profiles with admin role (#6).

Fix base uri to open in Cipherduck desktop.

Enforce authentication for storage profile api.

Fix enable S3 Versioning upon bucket creation (#44).

Formatting.

Enable S3 Versioning upon bucket creation (#44).

Enable S3 Versioning upon bucket creation (#44).

Implement migration path automatic access grant with WoT (#13 / #43).

Document decision remove access to vault.

Rename KeycloakCryptomatorVaultsHelper.

Rename S3StorageHelper.

Fix linting.

Fix upload vault template to bucket heading.

Use *.cyberduckprofile for hub, s3-hub, s3-hub-sts.

Fix cipherduck start/end extension markers.

Refactoring (R3) storage profile service persistence (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Refactoring (R3) storage profile service WiP (#4 #6).

Set container image group and name in application.properties instead of pom.xml (#47).

Update setup documentation(#47).

Set container image group and name (#47)

Re-enable docker image build and pushing to registry.

Remove cipherduckhubbookmark endpoint, add hub UUID to config endpoint to allow client-side hub-specific profile and bookmark generation (#6).

Use better name  VaultRequested instead of VaultR for Tag Key in assuming second role in chain for AWS (review dko).

Get full region list from AWS SDK instead of hard-coding (code review overheadhunter).

Extract global constant axiosUnAuth in backend.ts (code review overheadhunter).

Inline hubbookmark.duck in order to avoit poentital special handling when using GraalVM to build a native image.

Apply suggestions from code review

More idiomatic usage of Java stream API.

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/cipherduck/BackendsConfigResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Remove obsolete added into line in diff to upstream.

Comply with vue-tsc (Vue 3 Type-Checking).

Update README.md

Co-authored-by: Sebastian Stenzel <[email protected]>

Moving S3 policies away from src/main/resources.

Remove CreateVaultS3.vue in order to rebase changes in CreateVault.vue from upstream. Bugfix description displayed as false when vaults created in hub introduced through forking CreateVaultS3.vue from CreateVault.vue and then missing breaking API change.

By default, in dev-realm.json, map only realm roles into access token in cryptomator and cryptomator hub clients, but not client roles. Separate roles in MinIO: bucket creation (cryptomator and cryptomatorhub cliients) and bucket access (for cryptomatorvaults client)  (#10 #41)

Implement template upload for permanent shared credentials (#17).

Tentative implementation clean-up sync deleting dangling roles in cryptomatorvaults and corresonding client scopes (#41).

Extract profiles and simplify vault jwe (#28, #6).

Variable cleanup in CreateVaultS3.vue

Comply with pre-release API change in granting access to newly created vault (cryptomator/hub@1c2133d).

Post-rebase fix: remove manage-realm from syncer role in dev-realm.json (#41).

Move staging/testing properties into custom application.properties (#41).

Distinguish stsRoleArn for client and hub when creating bucket, update documentation (#12 #23).

Bugfix download template in CreateVaultS3.vue

User cipherduck profiles to simplify hub application.properties, add AWS permanent credentials to backend configurations application.properties (#28).

Get AWS-STS back to work again, update documentation (#10 #23).

Add developer flag for showing vaultId in VaultDetails and VaultList.

Add missing import  ArrowDownTrayIcon in CreateVaultS3.vue.

BackendsConfigDto instead of Any in backend.ts

Remove unnecessary manage-realm role for syncer (#41).

Automatic Access Grant Flag upon vault creation (#13).

Extract hard-coded cryptomatorvaults client to application.properties (#41).

Get hubId from backends config service (#10 #41).

Implement sharing vaults with groups and unsharing with users/groups; token-exchange into separate client (#10 #41).

Cleanup application.properties

Cleanup application.properties

Remove proxyman stuff again as not used.

Complete region list.

Remove obsolete dependencies in pom.xml.

Refactoring protocol serialization (#4).

Remove obsolete CipherduckBookmark.vue (#16).

Remove obsolete CipherduckBookmark.vue (#16). Localization DE (#31).

Mark cipherduck extensions in vues.

Shared long-living credentials: ask for bucket name and offer vault template download after vault creation (#17).

Shared long-living credentials (#17)

Use inline policy to restrict credentials passed to Hub backend (#3).

Allow for choosing region upon vault creation (#3).

Cleanup and documentation VaultJWEBackend (#23 #6).

Button "Open in Cipherduck" not necessary in vault details, as it is confusing (does not open single vault) and on top of the vault list is still visible (#16).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#23 #6).

Cleanup and documentation VaultJWEBackend (#15 #23 #6).

Bugfix backend/storage configuration not re-encoded upon granting access (#13).

Cleanup bucket prefix and documentation (#15 #23 #6).

Implement token-exchange to get scoped token for AWS with testing.hub.cryptomator.org (#41 #10 #23 #3).

Gitignore local backend/config/application.properties.

Updated top-level README.md for Cipherduck.

Show Vault ID in VaultDetails for debugging.

Implement token-exchange to get scoped token for MinIO (#41 #10 #23 #3).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

AssumeRoleWithWebIdentity (MinIO + AWS) in frontend and pass temporary credentials to backend: get rid of policy upload and use only AWS client, admin documentation (#3, #23, #10).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Cipherduckhubbookmark end point for 1 vault = 1 storage (#4).

Use StorageConfig service in frontend to get values (#3).

Add configuration for hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

 Add admin Documentation for setting up OIDC Provider at AWS/MinIO and testing vault creation (#23).

Add hub frontend vault storage configuration for STS (MinIO + AWS) (#3).

Add protocol field to StorageDto (#6).

Refactor StorageDto into record instead of POJO.

Update frontend/src/common/backend.ts

Co-authored-by: Sebastian Stenzel <[email protected]>

Update backend/src/main/java/org/cryptomator/hub/api/StorageResource.java

Co-authored-by: Sebastian Stenzel <[email protected]>

Fix failing tests as Keycloak is not available at quarkus test time.

Comment out sonarcloud in github action.

Update issue templates (#33)

added "open bookmark" button in vault details (just in case), hid "download vault template" button

Use 'x-cipherduck-action' instead of 'io.mountainduck' for OAuth custom scheme handling (#28).

added "open bookmark" button in vault list

Add Hub Id as UUID in hub bookmark to prevent adding the same bookmark multiple times (#29).

renamed most obvious instances of Cryptomator Hub to Cipherduck

Bugfix missing description in openapi.json for vault storage shared long-living credentials API (#17).

cleaned up frontend

Implement cipherduck hub bookmark download from browser (#16).

Implement cipherduck hub bookmark download frontend page (#16).

Bugfix missing constructor for first version hub frontend vault storage shared long-living credentials (#17).

Implement first version hub frontend vault storage shared long-living credentials (#17).

Implement cipherduck hub bookmark endpoint (#16).

Use amr claim instead of aud claim for now (#10).

Use cryptomator client id in staging keycloak as well (#10). Use vault instead of vault user attribute (#10).

Remove admin role for syncer (#10).

Remove minio client id.

Switch /api/config/cipherduckprofile to local MinIO configuration to fix HubIntegration test in client project.

Update TODOs.

Bugfix empty attributes in keycloak.

Config cipherduck-staging (one role for all buckets).

Set directAccessGrantsEnabled to false.

Simplify concat

Add top-level .gitignore (ignoring top-level .idea folder).

Add /api/config/cipherduckprofile v0.

Remove obsolete dependencies to commons-io and qute.

Move GeneratePolicy back to duck again. Dev-realm with minio client_id.

Upload bucket policy (aws cli call in backend for now) upon vault creation and add vaultId to keycloak upon vault JWE upload. TODO: create bucket upon vault creation.

Update application.properties: comment out proxyman.local

Improve local dev setup description in README.  Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dkocher dkocher

@chenkins chenkins

Labels
client Client (Mountain Duck) design decision hub cipherduck hub extension
Projects
None yet
Milestone
v1
Development

No branches or pull requests
2 participants
@dkocher @chenkins