Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactored access management #207

Merged
merged 93 commits into from
Aug 22, 2023
Merged

refactored access management #207

merged 93 commits into from
Aug 22, 2023

Conversation

overheadhunter
Copy link
Member

@overheadhunter overheadhunter commented Jul 6, 2023
edited
Loading

This is the first part of a series of PRs, which simplify access management.

Introduction of User Key Pairs

We formerly only had Device Key Pairs. Vault keys have been shared with devices directly. This meant that the Vault Owner who is in possession of the vault keys had to re-run the key distribution (via the "Update Permissions") button, every time a new device required access to the vault.

Now, we added User Key Pairs. Vault keys are now shared with the user. Each user will self-manage his or her devices. The device key pair does still exist and is required to decrypt the user's private key.

Updated Entity Model

ERM

Unlock Procedure

Due to the introduction of an intermediary key, an unlock operation requires to

  1. first load the encrypted vault key (which can be decrypted using the user's private key) from /api/vaults/{vaultId}/access-token (response body is a ECDH-ES JWE)
  2. then load the encrypted private key of the user (which can be decrypted using the device's private key) from /api/devices/{deviceId} (response body contains a JSON. attribute userPrivateKey contains ECDH-ES JWE)

Unlock Workflow

We still keep the legacy API endpoint (/api/vaults/{vaultId}/keys/{deviceId}) for compatibility reasons for a while. However it will only work for existing data. Any newly registered device can only be unlocked using the new workflow.

Device Management

On the profile page, users can see their own devices. In order to add a new device, a Setup Code (here called "Personal Hub Secret", tbd) is required. This code is a secret required to unwrap the user's private key in order to re-wrap it using the device's public key. Once the device is set up, its private key will allow to access the user's private key.

The Setup Code can be access and changed any time by any fully set up device.

Device List

This fixes #189

First Device

The browser used to log in to Hub is now also considered a device and a Device Key Pair is generated and stored by the browser as well. The user will be prompted to name the browser accordingly (for identifying the browser, if they decide to revoke access from it later).

Initial Setup

The first device from which a login succeeds will also be responsible for generating the User Key Pair together with the Setup Code.

The user's private key is then encrypted in JWE format with a) the device's public key (using an ECDH-ES) and b) using the setup code (using PBES2). The setup code in return is encrypted as an JWE using the user's private key (ECDH-ES again). This ensures that any authenticated device has access to the user's key pair and can thus decrypt the setup code again. Also, the setup code can be used to decrypt the user's key pair when setting up a new device.

Vault Ownership

We used to use the Vault Admin Password to protect a vault from being edited by anyone. Instead we will now use role-based permissions. The creator of a vault is the initial owner. Further owners can be added at a later time. Any owner has full administrative access to a vault (e.g. for adding members).

The Vault Admin Password will be removed in a follow-up PR (as this one is already bursting).

Vault List

Other

  • Device.publicKey is now base64-encoded (used to be base64url for some reason)
  • Device.user_privateKey is now non-null, i.e. if a device exists, we can be sure it is able to access the user's key pair

Open Questions

  • Currently, we generate v4 UUID (i.e. 122 bit randomness) as a Setup Code, which is less than the key it protects. In my opinion this is sufficient, this setup code is then fed into PBKDF2 (currently defaulting to 1 mio iterations) to derive the key used to wrap the user's private key.

Next Steps

overheadhunter and others added 30 commits April 27, 2023 14:30
@overheadhunter
prepare table for new intermediary "user keys"
58f4260
@overheadhunter
generate user key + device key on first login
ec32f4b
@overheadhunter
grant access by encrypting vault key for user
1f5e7f3
@overheadhunter
prepare /api/devices for repeated PUT and GET
9bb8a23
@overheadhunter
updated paths to obtain JWEs
497592f 
/api/vaults/{vaultId}/user-tokens/me
/api/users/me/device-tokens/{deviceId}
@overheadhunter
made Device.userKeyJwe nullable
0949aa1 
(so a device can be registered at t0 and verified at t1)
@overheadhunter
re-added legacy API /api/vaults/{vaultId}/keys/{deviceId} for a smoot…
2a3c106 
…h upgrade experience
@overheadhunter
diversified test case
28afe35
@overheadhunter
moved service
074a173
@overheadhunter
prepare more test data for testing with other platforms
40f4b33
@overheadhunter
keep device public key base64url-encoded for compatibility with exist…
c6d3811 
…ing data
@overheadhunter
Allow use of validation annotations for nullable fields.
a67f212 
If a field must not be null, use @NotNull additionally. The one must not imply the other.
@overheadhunter
adjust unlock success screen for new authentication model
2198602
@overheadhunter
encrypt user key for a device
86e790d
@overheadhunter
store recovery code for later display
45b0968
@tobihagemann
added SetupUserKey component
4578b3a
@tobihagemann
added "enter recovery code" flow in SetupUserKey
274ffa6 
it doesn't work yet but it's probably close
@tobihagemann
deduplicated code
ed57bde
@overheadhunter
fix recovering user key from setup code
2f1afc6
@overheadhunter
always roll a new key pair when creating/recovering a user key
efc4cdf
@tobihagemann
added current device badge, hidden remove button
2ed6624
@tobihagemann
added device name input to SetupUserKey
4c21c86
@tobihagemann
updated current device badge
740fd10
@tobihagemann
added last seen column to DeviceList
4766afe
@tobihagemann
added type and last_seen_time to device entity
cfd280c
@overheadhunter
show Personal Hub Secret (in device list??)
11f818f
@chenkins
added missing 200 response code to /api/vaults/{vaultId}/users-requir…
29e45bc 
…ing-access-grant (#201)
@overheadhunter
fixed Hibernate error: Schema-validation: wrong column type encountered
9b35286 
[ci skip]
@overheadhunter
use single PUT /api/users/me API for all create/update requests
5df9236
@overheadhunter
alternative CSP headers for using Quarkus Dev UI
f590182 
[ci skip]
@overheadhunter
renamed "recovery code" → "setup code" in code
29bcb78
@overheadhunter
added missing translations (tbd)
f4d0c0d
@overheadhunter
cleanup
51d6742 
[build image]
@overheadhunter
fix NPE in "Grant Permissions" dialog
a5b26fb
@overheadhunter
Merge branch 'develop' into feature/refactored-access-grant
57ce308 
# Conflicts:
#	backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
#	frontend/src/common/backend.ts
#	frontend/src/components/VaultList.vue
#	frontend/src/i18n/de-DE.json
#	frontend/src/i18n/en-US.json
@overheadhunter
added inline comment
bf4a625 
[ci skip]
@overheadhunter
fixed `org.flywaydb.core.api.FlywayException: Found more than one mig…
a81ec97 
…ration with version 11` after merging from develop
@overheadhunter
Merge branch 'develop' into feature/refactored-access-grant
cdd0937 
# Conflicts:
#	backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
#	backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java
#	backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
#	frontend/src/common/backend.ts
@overheadhunter
add AuditEventVaultMemberAdd.role
0bcbc3a 
[build image]
@overheadhunter
delete legacy device during re-registration to "new" device table
8795fab
@tobihagemann tobihagemann mentioned this pull request Jul 26, 2023
Merged
@overheadhunter
Merge branch 'develop' into feature/refactored-access-grant
2baf0d1 
# Conflicts:
#	backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
#	backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@overheadhunter
Merge branch 'develop' into feature/refactored-access-grant
0f88fe8
@overheadhunter
fix compile error
21264cf
@overheadhunter
adjusted flyway migration version
bcf5dcc
@overheadhunter
log unlock attempts
e9411b4
@overheadhunter overheadhunter mentioned this pull request Jul 28, 2023
Merged
6 tasks
overheadhunter and others added 5 commits August 2, 2023 09:05
@overheadhunter
Merge branch 'develop' into feature/refactored-access-grant
19faa14
@overheadhunter
Merge branch 'develop' into feature/refactored-access-grant
52052ca 
# Conflicts:
#	frontend/src/common/jwe.ts
#	frontend/test/common/jwe.spec.ts
@tobihagemann
renamed personal hub secret to setup code
963d1d8
@tobihagemann
Merge branch 'develop' into feature/refactored-access-grant
e55caa1 
# Conflicts:
#	backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
#	backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
#	backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java
#	frontend/src/common/backend.ts
#	frontend/src/components/VaultDetails.vue
#	frontend/src/i18n/en-US.json
@SailReal
Fix unlock, query fails due to Hibernate bug
1baf734 
See quarkusio/quarkus#35386 for further information

[build image]
@overheadhunter overheadhunter merged commit 465138a into develop Aug 22, 2023
4 of 5 checks passed
@overheadhunter overheadhunter mentioned this pull request Jan 26, 2024
Closed
2 tasks
@overheadhunter overheadhunter deleted the feature/refactored-access-grant branch January 27, 2024 09:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tobihagemann tobihagemann tobihagemann approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.3.0
Development

Successfully merging this pull request may close these issues.

Self-Manage Devices
4 participants
@overheadhunter @tobihagemann @chenkins @SailReal