From 17e23c8dc1484b08a59ae12343d85bff40500f04 Mon Sep 17 00:00:00 2001
From: hmalphettes <hmalphettes@gmail.com>
Date: Wed, 3 Jun 2020 17:17:01 +0800
Subject: [PATCH] #6435 UI Obfuscated password input

---
 ui/app/components/secret-edit.js              |  26 +++++++----
 .../vault/cluster/secrets/backend/create.js   |   4 ++
 .../vault/cluster/secrets/backend/edit.js     |   4 ++
 .../vault/cluster/secrets/backend/show.js     |   4 ++
 ui/app/models/auth-config/aws/client.js       |   8 +++-
 ui/app/models/auth-config/azure.js            |   2 +
 ui/app/models/auth-config/jwt.js              |   1 +
 ui/app/models/auth-config/kubernetes.js       |   1 +
 .../cluster/secrets/backend/secret-edit.js    |   3 ++
 ui/app/styles/app.scss                        |  10 +++++
 ui/app/styles/components/masked-input.scss    |   6 +++
 .../components/auth-config-form/config.hbs    |   2 +-
 ui/app/templates/components/secret-edit.hbs   |  12 ++++-
 .../templates/partials/secret-form-create.hbs |   5 ++-
 .../templates/partials/secret-form-edit.hbs   |   1 +
 .../secrets/backend/secret-edit-layout.hbs    |   2 +
 ui/config/environment.js                      |   1 +
 .../templates/components/masked-input.hbs     |  41 +++++++++++-------
 ui/public/fonts/ObfuscatedPasswordFont.woff   | Bin 0 -> 5680 bytes
 ui/public/fonts/ObfuscatedPasswordFont.woff2  | Bin 0 -> 3044 bytes
 vault/ui.go                                   |   2 +-
 21 files changed, 105 insertions(+), 30 deletions(-)
 create mode 100644 ui/public/fonts/ObfuscatedPasswordFont.woff
 create mode 100644 ui/public/fonts/ObfuscatedPasswordFont.woff2

diff --git a/ui/app/components/secret-edit.js b/ui/app/components/secret-edit.js
index 96d224497d0b3..7391448bc6b5e 100644
--- a/ui/app/components/secret-edit.js
+++ b/ui/app/components/secret-edit.js
@@ -1,14 +1,14 @@
-import { isBlank, isNone } from '@ember/utils';
-import { inject as service } from '@ember/service';
 import Component from '@ember/component';
 import { computed, set } from '@ember/object';
 import { alias, or } from '@ember/object/computed';
+import { inject as service } from '@ember/service';
+import { isBlank, isNone } from '@ember/utils';
 import { task, waitForEvent } from 'ember-concurrency';
-import FocusOnInsertMixin from 'vault/mixins/focus-on-insert';
-import WithNavToNearestAncestor from 'vault/mixins/with-nav-to-nearest-ancestor';
 import keys from 'vault/lib/keycodes';
 import KVObject from 'vault/lib/kv-object';
 import { maybeQueryRecord } from 'vault/macros/maybe-query-record';
+import FocusOnInsertMixin from 'vault/mixins/focus-on-insert';
+import WithNavToNearestAncestor from 'vault/mixins/with-nav-to-nearest-ancestor';
 
 const LIST_ROUTE = 'vault.cluster.secrets.backend.list';
 const LIST_ROOT_ROUTE = 'vault.cluster.secrets.backend.list-root';
@@ -19,6 +19,7 @@ export default Component.extend(FocusOnInsertMixin, WithNavToNearestAncestor, {
   router: service(),
   store: service(),
   flashMessages: service(),
+  classNameBindings: ['showObfuscatedInputMode:obfuscated-input'],
 
   // a key model
   key: null,
@@ -41,13 +42,16 @@ export default Component.extend(FocusOnInsertMixin, WithNavToNearestAncestor, {
   onDataChange() {},
   onRefresh() {},
   onToggleAdvancedEdit() {},
+  onToggleObfuscatedInput() {},
 
   // did user request advanced mode
   preferAdvancedEdit: false,
+  preferObfuscatedInput: false,
 
   // use a named action here so we don't have to pass one in
   // this will bubble to the route
   toggleAdvancedEdit: 'toggleAdvancedEdit',
+  toggleObfuscatedInput: 'toggleObfuscatedInput',
   error: null,
 
   codemirrorString: null,
@@ -164,12 +168,15 @@ export default Component.extend(FocusOnInsertMixin, WithNavToNearestAncestor, {
     if (this.isV2 && this.modelForData.failedServerRead) {
       return true;
     }
-    // if the model couldn't be read from the server
-    if (!this.isV2 && this.model.failedServerRead) {
-      return true;
-    }
     return false;
   }),
+  showObfuscatedInputMode: computed('preferObfuscatedInput', 'lastChange', function() {
+    return this.preferObfuscatedInput;
+  }),
+
+  showObfuscatedInputMode: computed('preferObfuscatedInput', 'lastChange', function() {
+    return this.preferObfuscatedInput;
+  }),
 
   transitionToRoute() {
     return this.router.transitionTo(...arguments);
@@ -346,6 +353,9 @@ export default Component.extend(FocusOnInsertMixin, WithNavToNearestAncestor, {
     toggleAdvanced(bool) {
       this.onToggleAdvancedEdit(bool);
     },
+    toggleObfuscated(bool) {
+      this.onToggleObfuscatedInput(bool);
+    },
 
     codemirrorUpdated(val, codemirror) {
       this.set('error', null);
diff --git a/ui/app/controllers/vault/cluster/secrets/backend/create.js b/ui/app/controllers/vault/cluster/secrets/backend/create.js
index abf822816ed30..c8abbd6791859 100644
--- a/ui/app/controllers/vault/cluster/secrets/backend/create.js
+++ b/ui/app/controllers/vault/cluster/secrets/backend/create.js
@@ -15,5 +15,9 @@ export default Controller.extend(BackendCrumbMixin, {
       this.set('preferAdvancedEdit', bool);
       this.get('backendController').set('preferAdvancedEdit', bool);
     },
+    toggleObfuscatedInput(bool) {
+      this.set('preferObfuscatedInput', bool);
+      this.get('backendController').set('preferObfuscatedInput', bool);
+    },
   },
 });
diff --git a/ui/app/controllers/vault/cluster/secrets/backend/edit.js b/ui/app/controllers/vault/cluster/secrets/backend/edit.js
index b3acca861301b..a9d461b2bdf1c 100644
--- a/ui/app/controllers/vault/cluster/secrets/backend/edit.js
+++ b/ui/app/controllers/vault/cluster/secrets/backend/edit.js
@@ -19,5 +19,9 @@ export default Controller.extend(BackendCrumbMixin, {
       this.set('preferAdvancedEdit', bool);
       this.get('backendController').set('preferAdvancedEdit', bool);
     },
+    toggleObfuscatedInput(bool) {
+      this.set('preferObfuscatedInput', bool);
+      this.get('backendController').set('preferObfuscatedInput', bool);
+    },
   },
 });
diff --git a/ui/app/controllers/vault/cluster/secrets/backend/show.js b/ui/app/controllers/vault/cluster/secrets/backend/show.js
index 26c00b359fdba..8617154853711 100644
--- a/ui/app/controllers/vault/cluster/secrets/backend/show.js
+++ b/ui/app/controllers/vault/cluster/secrets/backend/show.js
@@ -21,5 +21,9 @@ export default Controller.extend(BackendCrumbMixin, {
       this.set('preferAdvancedEdit', bool);
       this.get('backendController').set('preferAdvancedEdit', bool);
     },
+    toggleObfuscatedInput(bool) {
+      this.set('preferObfuscated', bool);
+      this.get('backendController').set('preferObfuscated', bool);
+    },
   },
 });
diff --git a/ui/app/models/auth-config/aws/client.js b/ui/app/models/auth-config/aws/client.js
index 7568371f5a129..6cda67c9396d0 100644
--- a/ui/app/models/auth-config/aws/client.js
+++ b/ui/app/models/auth-config/aws/client.js
@@ -6,8 +6,12 @@ import fieldToAttrs from 'vault/utils/field-to-attrs';
 const { attr } = DS;
 
 export default AuthConfig.extend({
-  secretKey: attr('string'),
-  accessKey: attr('string'),
+  secretKey: attr('string', {
+    sensitive: true,
+  }),
+  accessKey: attr('string', {
+    sensitive: true,
+  }),
   endpoint: attr('string', {
     label: 'EC2 Endpoint',
   }),
diff --git a/ui/app/models/auth-config/azure.js b/ui/app/models/auth-config/azure.js
index 6ef8a3f507f09..e420f66f18871 100644
--- a/ui/app/models/auth-config/azure.js
+++ b/ui/app/models/auth-config/azure.js
@@ -19,9 +19,11 @@ export default AuthConfig.extend({
     label: 'Client ID',
     helpText:
       'The client ID for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.',
+    sensitive: true,
   }),
   clientSecret: attr('string', {
     helpText: 'The client secret for credentials to query the Azure APIs',
+    sensitive: true,
   }),
 
   googleCertsEndpoint: attr('string'),
diff --git a/ui/app/models/auth-config/jwt.js b/ui/app/models/auth-config/jwt.js
index 91b68b54ff14c..9dc9d17dc91a9 100644
--- a/ui/app/models/auth-config/jwt.js
+++ b/ui/app/models/auth-config/jwt.js
@@ -20,6 +20,7 @@ export default AuthConfig.extend({
 
   oidcClientSecret: attr('string', {
     label: 'OIDC client secret',
+    sensitive: true,
   }),
   oidcDiscoveryCaPem: attr('string', {
     label: 'OIDC discovery CA PEM',
diff --git a/ui/app/models/auth-config/kubernetes.js b/ui/app/models/auth-config/kubernetes.js
index 8eb0b0913e4a2..3041c0d3281a0 100644
--- a/ui/app/models/auth-config/kubernetes.js
+++ b/ui/app/models/auth-config/kubernetes.js
@@ -22,6 +22,7 @@ export default AuthConfig.extend({
   tokenReviewerJwt: attr('string', {
     helpText:
       'A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API',
+    sensitive: true,
   }),
 
   pemKeys: attr({
diff --git a/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js b/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
index c79e90972de11..82b1b7fe5f646 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
@@ -231,6 +231,8 @@ export default Route.extend(UnloadModelRoute, {
     let backend = this.enginePathParam();
     const preferAdvancedEdit =
       this.controllerFor('vault.cluster.secrets.backend').get('preferAdvancedEdit') || false;
+    const preferObfuscatedInput =
+      this.controllerFor('vault.cluster.secrets.backend').get('preferObfuscatedInput') || false;
     const backendType = this.backendType();
     model.secret.setProperties({ backend });
     controller.setProperties({
@@ -244,6 +246,7 @@ export default Route.extend(UnloadModelRoute, {
         .replace('-root', ''),
       backend,
       preferAdvancedEdit,
+      preferObfuscatedInput,
       backendType,
     });
   },
diff --git a/ui/app/styles/app.scss b/ui/app/styles/app.scss
index 7f8fbdb710249..9c8fe851aceed 100644
--- a/ui/app/styles/app.scss
+++ b/ui/app/styles/app.scss
@@ -1,3 +1,13 @@
 @import 'ember-basic-dropdown';
 @import 'ember-power-select';
 @import './core';
+
+@mixin font-face($name) {
+  @font-face {
+    font-family: $name;
+    src: url("/ui/fonts/#{$name}.woff2") format("woff2"),
+      url("/ui/fonts/#{$name}.woff") format("woff");
+  }
+}
+
+@include font-face('ObfuscatedPasswordFont');
\ No newline at end of file
diff --git a/ui/app/styles/components/masked-input.scss b/ui/app/styles/components/masked-input.scss
index 124f2a1640e17..3c4e964f8b4ea 100644
--- a/ui/app/styles/components/masked-input.scss
+++ b/ui/app/styles/components/masked-input.scss
@@ -24,6 +24,12 @@
   line-height: 2.5;
 }
 
+.obfuscated-input .masked-input .input {
+  font-size: 9px;
+  font-family: ObfuscatedPasswordFont;
+  line-height: 2.5;
+}
+
 .masked-input.display-only .masked-value {
   order: 1;
 }
diff --git a/ui/app/templates/components/auth-config-form/config.hbs b/ui/app/templates/components/auth-config-form/config.hbs
index a03f76f13e4ae..188d6ee74cea5 100644
--- a/ui/app/templates/components/auth-config-form/config.hbs
+++ b/ui/app/templates/components/auth-config-form/config.hbs
@@ -1,5 +1,5 @@
 <form {{action (perform saveModel) on="submit"}}>
-  <div class="box is-sideless is-fullwidth is-marginless">
+  <div class="box is-sideless is-fullwidth is-marginless obfuscated-input">
     <NamespaceReminder @mode="save" @noun="Auth Method" />
     {{message-error model=model}}
     {{#if model.attrs}}
diff --git a/ui/app/templates/components/secret-edit.hbs b/ui/app/templates/components/secret-edit.hbs
index 9719fb03342cf..5fbf3f6a22378 100644
--- a/ui/app/templates/components/secret-edit.hbs
+++ b/ui/app/templates/components/secret-edit.hbs
@@ -26,6 +26,16 @@
 <Toolbar>
   {{#unless (and (eq mode 'show') isWriteWithoutRead)}}
     <ToolbarFilters>
+      <Toggle
+        @name="obfuscated"
+        @status="success"
+        @size="small"
+        @disabled={{and (eq mode 'show') secretDataIsAdvanced}}
+        @checked={{showObfuscatedInputMode}}
+        @onChange={{action "toggleObfuscated"}}
+        >
+        <span class="has-text-grey">Obfuscated Input</span>
+      </Toggle>
       <Toggle
         @name="json"
         @status="success"
@@ -188,4 +198,4 @@
   </ToolbarActions>
 </Toolbar>
 
-{{partial partialName}}
+{{partial partialName}}
\ No newline at end of file
diff --git a/ui/app/templates/partials/secret-form-create.hbs b/ui/app/templates/partials/secret-form-create.hbs
index 3470343406dfc..6bdca7182a088 100644
--- a/ui/app/templates/partials/secret-form-create.hbs
+++ b/ui/app/templates/partials/secret-form-create.hbs
@@ -1,10 +1,10 @@
-<form class="{{if showAdvancedMode 'advanced-edit' 'simple-edit'}}" onsubmit={{action "createOrUpdateKey" "create"}}>
+<form class="{{if showAdvancedMode 'advanced-edit' 'simple-edit'}} {{if showObfuscatedInput 'obfuscated-input'}}" onsubmit={{action "createOrUpdateKey" "create"}}>
   <div class="field box is-fullwidth is-sideless is-marginless">
     <NamespaceReminder @mode="create" @noun="secret" />
     <MessageError @model={{modelForData}} @errorMessage={{error}} />
     <label class="is-label" for="kv-key">Path for this secret</label>
     <p class="control is-expanded">
-      {{input 
+      {{input
         autocomplete="off"
         spellcheck="false"
         data-test-secret-path="true"
@@ -21,6 +21,7 @@
   </div>
   <SecretEditDisplay
     @showAdvancedMode={{showAdvancedMode}}
+    @showObfuscatedInputMode={{showObfuscatedInputMode}}
     @codemirrorString={{codemirrorString}}
     @secretData={{secretData}}
     @isV2={{isV2}}
diff --git a/ui/app/templates/partials/secret-form-edit.hbs b/ui/app/templates/partials/secret-form-edit.hbs
index af6f9b55780be..7c45ac7758569 100644
--- a/ui/app/templates/partials/secret-form-edit.hbs
+++ b/ui/app/templates/partials/secret-form-edit.hbs
@@ -13,6 +13,7 @@
     {{/if}}
     <SecretEditDisplay
       @showAdvancedMode={{showAdvancedMode}}
+      @showObfuscatedInputMode={{showObfuscatedInputMode}}
       @codemirrorString={{codemirrorString}}
       @secretData={{secretData}}
       @isV2={{isV2}}
diff --git a/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs b/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs
index 4ee2aa5ccf3d1..2170620698cc8 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs
@@ -7,7 +7,9 @@
     capabilities=capabilities
     onRefresh=(action "refresh")
     onToggleAdvancedEdit=(action "toggleAdvancedEdit")
+    onToggleObfuscatedInput=(action "toggleObfuscatedInput")
     initialKey=initialKey
     baseKey=baseKey
     preferAdvancedEdit=preferAdvancedEdit
+    preferObfuscatedInput=preferObfuscatedInput
   }}
diff --git a/ui/config/environment.js b/ui/config/environment.js
index e150100b0b526..2c7d94a5b220b 100644
--- a/ui/config/environment.js
+++ b/ui/config/environment.js
@@ -57,6 +57,7 @@ module.exports = function(environment) {
     ENV.contentSecurityPolicyHeader = 'Content-Security-Policy';
     ENV.contentSecurityPolicyMeta = true;
     ENV.contentSecurityPolicy = {
+      'font-src': ["'self'"],
       'connect-src': ["'self'"],
       'img-src': ["'self'", 'data:'],
       'form-action': ["'none'"],
diff --git a/ui/lib/core/addon/templates/components/masked-input.hbs b/ui/lib/core/addon/templates/components/masked-input.hbs
index 660260f158f2e..3a154644ae3b5 100644
--- a/ui/lib/core/addon/templates/components/masked-input.hbs
+++ b/ui/lib/core/addon/templates/components/masked-input.hbs
@@ -1,21 +1,32 @@
-<div class="masked-input {{if shouldObscure "masked"}} {{if displayOnly "display-only"}} {{if allowCopy "allow-copy"}}"
-  data-test-masked-input data-test-field>
-  {{#if displayOnly}}
-    <pre class="masked-value display-only is-word-break">{{displayValue}}</pre>
+<div class="masked-input {{if shouldObscure "masked"}} {{if displayOnly "display-only"}} {{if allowCopy "allow-copy"}}" data-test-masked-input data-test-field>
+	{{#if displayOnly}}
+		<pre class="masked-value display-only is-word-break">{{displayValue}}</pre>
   {{else}}
-    <textarea class="input masked-value" rows=1 wrap="off" placeholder={{placeholder}}
-      onfocus={{action (mut isFocused) true}} onblur={{action (mut isFocused) false}} onkeydown={{action onKeyDown}}
-      onchange={{action "updateValue"}} value={{readonly displayValue}} data-test-textarea />
-  {{/if}}
+  <textarea
+    class="input masked-value"
+    rows=1
+    wrap="off"
+    spellcheck="false"
+    placeholder={{placeholder}}
+    onfocus={{action (mut isFocused) true}}
+    onblur={{action (mut isFocused) false}}
+    onkeydown={{action onKeyDown}}
+    onchange={{action "updateValue"}}
+    value={{readonly displayValue}}
+    data-test-textarea
+    />
+	{{/if}}
   {{#if allowCopy}}
-    <CopyButton @clipboardText={{value}} @success={{success}} class="copy-button button {{if displayOnly "is-compact"}}"
-      data-test-copy-button>
+    <CopyButton
+      @clipboardText={{value}}
+      @success={{success}}
+      class="copy-button button {{if displayOnly "is-compact"}}"
+      data-test-copy-button
+    >
       <Icon @glyph="copy-action" aria-hidden="Copy value" />
     </CopyButton>
   {{/if}}
-  <button {{action "toggleMask"}}
-    class="{{if (eq value "") "has-text-grey"}} masked-input-toggle button {{if displayOnly "is-compact"}}"
-    data-test-button>
+  <button {{action "toggleMask"}}  class="{{if (eq value "") "has-text-grey"}} masked-input-toggle button {{if displayOnly "is-compact"}}" data-test-button>
     <Icon @glyph={{if shouldObscure "visibility-hide" "visibility-show"}} aria-hidden="true" />
-  </button>
-</div>
\ No newline at end of file
+	</button>
+</div>
diff --git a/ui/public/fonts/ObfuscatedPasswordFont.woff b/ui/public/fonts/ObfuscatedPasswordFont.woff
new file mode 100644
index 0000000000000000000000000000000000000000..d80ca4a92a00e194676cd93d87d9a4b7a5614639
GIT binary patch
literal 5680
zcmZ8lWl$W-(p}swc!C9j!)0*@?(P=c7T3iIiv@Q{a0>({5G1&}OMnFy35zELU7R3q
z?|a{`Z>rAJ>C;_3Q#CzRGwrXXsHml{uLS^500DRa<Pd`(CzOBL{~vOSiVR2>HUL1p
z2>|e@`^R8eDk|!0001Pvkg+e3pb2h&2T_t&Py_&8pd)R1Bp6UN0q9zKJbXy)4bn!&
z1FT}RadvIptUZyM4>D&d0DzjjzXK_7w6g{Q0Ay6i7+xfVNDXiA9FZbYQ%BmgNW8&#
zk8<Pa<`aO_T#+_17G2Rp#97+SIsloEEE1_<{tMLC+5mTJH#?-3h+HEJ06+_p>M51>
z^zcTmN%8Mq@R48upaB2@`Nt+WK6=olpAMUWN1x(RQMb`h><o22IXlVa>E@;jStXRT
zIys^_&1VrxlV=<NbWu=ba>$4=6r_oX(aEUEk!)Y)a*Grt=3owYBGh|f{*CbSy}3ti
z=-tova~a*UkBzhb*D!}u?-{q((hJhqI)dL?WjVe7K7{j4<DrL3-`qP_(yJUQSwA{f
z_e9raRGH+|b<b5vwn}C>!H%lhG6Cn@rbp_IIGLH|9_nw1&^wuB)qbIOza~8bVxL4Y
zo=J=956S@v%LixzFf3v+>M4GP*VdC>56FlRS`GwOMyN$H^QpX9PA4qIYtJc7Rrlgy
zXC+E!9Y^Pj6IZiOy94nWD;lO<f%st>*QqJvBwo1>@f<><LMwDZwuJk(uL*}4xfJN1
z2pr%vW?^dQ1Q62AksD8}kl2`WPVt!MQjuy5Us_)@XwIQZnYNHKgMoC0j%^iqQQjF>
zupn1sx`IM)vI@HR-kG#HX;rD<v!>ob<=fm6gZq~qf*Z*vs+*b>bA<1y%;mI7DCcT^
z9ba1Ci$_cusI#&}fq{eBI#cNT81~Ff8L-KGn-F`27V@=%=0*%xYO&0MnHd{P&?d;g
zUTMVxW+@WanfYg`%u91-FlnpYlfMnN?&Xf>ANDu8bBOhP`J(&w>ERI)7Mfl(&a=0<
zy?H=%ae&VF29GvMQnuwROq)ggjX2X3xgqviq}+gLTI{%uQbUS}wok&B;ka!GxcN3b
zK>fk6q||;sY2IA7P@hqPO(U~ht*LBpp5k}dWs;AIX1Yh}Y3eaTTa-bHQR^e+_@CVZ
z1o#f?u4I5C-bTlSv)~iia527~^Cy)FRJ)``J<+;{&yCLB%?YbUw55bb^oAAH-zq(7
zf)@1-XTdgRHEnd@$8Fpl#UbdBM!YF;D~r3sdU4wVxOb%H+-=7rX*QnzC4FotUx?vD
z<L&f$(Qr}Rv&3uO;$Yd+$o$BX$m+<77yB$<l~*!7*|y9WRn#?)vR7EaRwZH$Z^5$L
zcyXMht*msK;zf}vM$Epdsw!S@2vp|NtJ4crbMwA4I+@O&lzvo^G6_)2XNJv>%x}yu
z^Ns0RQQMrqo8X3uhFBhygqgnDI?vGm<noVyVdy)%-@g#LtvuhV*J&#~F~s*WGMFB>
zw8~Ig#g1U7-W8cnbzz$oQTo+0?~a%7a}Ifa^wJkc>F4fOSNnA0=j<cU%?#`YyH0fK
z%I!@WdUd_q*Lzf#_Y8B@7L3iK)rCP|IWhP$M*@Kp0l_gLdkt^PTI$lI_{k)<%NVV{
zvN3^B>udg8Gj=Cudn$G2=&80T-TB>O!;`ATF4)P0sy~BmX+@)cN@-8CJmYZT6wAbX
zxxIZF1shbVMKz^$<(RjWTYyAM8J3tP5&b<X|2p#1aU)R+*X-F>miaAfUV@vt-to?-
zq@PJ_KPZ<DppaoYqm~B6pL42FH?u-lv+hSlZt`<3W3C%K-=4;KsUY@+G^ARZOj^nP
za6FaTbxR%Uvp>{MR~c==%-7oT53lWnWw(V(yT4Bum0(m)beR~GNj>yi<I@Ahwt%8r
zjy?nba!}!qrh(Kz4REca^FBsrK(~oPL^2igrhsb54%;1OXxZzFE3(Q(DNQDnYW&~$
z8ciIf`6J>rNcxM}l$>nltjaJ-N<>anms~d@Z=Dvl$mQsq?CwnQ(z})yw6#Z8)4q<l
zzj|bJl?{#{#jVpD8Y1{EfNA(U<;3(i4^KRP?ul2SgMPrAta4;V_xf>@5`$AQ@8G>4
z!xIUKU)3NgUDkd=-@NT@o;yOg`^To|W;Lp$Ke%J<RgT5|TMQ0Hy?<s6-s<vC_rDCk
zOxRLV<WlG4To~vYqaizQ*08KqX85kU|H!~-@%U<o+<fP~d$gR1u}(wzPTHhBx=mR7
zVt2VN(Y`i_;e%t&sKp`C?Sl--U2Ux#JuS8^4&#Vzq<Ni_Y<m(Zt^|dMdR(T|Jbi}a
z+ZWb$wQNc67PcASH%iMs?G!cFY8rm!J_2)LYt;FE8BQlN2;3C9I&4?%#7H(^k|DA8
z_W^CjNErDDmz9f#)1|lPDbAneFmw(^-Y@dsN2=~#jVrZj6rUbcCF6D{x4l9@EBOD6
z`b95W!p4LGzRxae$J|Sn1}=2bEys=|;=3cZl&g)TXu3=o@V(l6r4sdcV-+$xNYJy|
zA1)>aCZ#}S9~Eg5jQ92UN=!e=XlAy{Gah}x*OiNirWRn(;k4(6!E9Dx8h+Q=ewrT(
zE<#&5ujSXsg9L7h>>O4LYxiRnFV&MoWwEdFj!J}=k4H|(>8db?$aC1K%U35Ixl-_V
z=(KIdsIr8(-+xT*u6|1YWk68){G4ts$DHRPHjwo-yQh@$sVEARoUk9CtagU`!a7S-
z_d;G#pp7}Zrs~Z@y|eW9!$o+~c-xX=mTA=zF<j_Vw`}hS^<c-N#<W!C3j+mvu@s)w
znJ*qLY1TsL#<mD!4aib9M2NJAo26)a$RT0eLHHbIi-2iBuCpP8q(w|DMT0{JvEv5<
z=c2X<Q4PpUHY89{Hs(T*!Oo8NpX>6$4UiF>2j^Qc+*V&zDNEmeD&4tFNMTdK+#r06
zGj)Ty2VL{x2R&GUEiqW?DPpY<dg*2B25FB=lcUokRPboUG;wOg>mhh-$WKI^rmT`@
zx14?$IbOT0s~KIp{P{9&Z?tdzO4!C<LBUXDQF!Casp{Sqj2GC7!q20$2$h)jNiQAl
z8WuGBIbHRtfkrXjC~=XaM2{&};bd{dmkZ*Yq+A*rY<qje72hEemAo&rpC6x{Ex13_
zsP1RXdyJXu6=F4&@1K23!+VFT?uU`&H+b0^>JLr})wfTf+jxIPlkYUyx=-L!{`PBx
z+g%P}CqJtMzFO14ZpEsXtEdJ`j$ceI5Zgi6+Arp5y#654c4pnIhG}h;N2-?({zJ8T
zg22SV{lKh~n{_kuW7=tb+4Z!h#vl6VJp$$F<Q6=eN7uldB~%ytn>F{}Fn%#;nzcrg
z=zL>s^fADtV_K9!pizd3Fw*pwe00P{hmXfv%a+lRn{2Ob%0pD=QwjhTLjc%^idDuC
zhW%pfa~Lj|m<T5oTg56I)P|ee5A`Gvh@qH!Q5R)6_j0w*caEYirdL|bkw{n?>lbzb
zT(J%3tsLbq+>Os-mtlpT{OhQ#vOH}B?lC_-vDR^d88A*hbZ))=h3Aw?X!r|@Iu%D~
z?88$k0U86=Q7Rr<KT2RKktP*-#1<V}m@F0Q%|I}a?1Xg(jxzTdTlF*5em^h(-y*_<
zif}gV{ESZ=_rjVmFkU^3_e@-08c@j445U`<#{<5y_<&_i%@w}9Meq)H(i-(^7_|Py
z&q#xM!lgdbdJ6mgwKKx6F$8D-xJC{GNm>Si>Zx1$gtGA#tSP&Q==);oN&N=->#?r;
zmCksNqGsWww`A9Yj3NLfI0MaxFP>Bukxpl#G%=)}FEsm6Z$F4@u%xSi_yVKVU+awv
zAh>cg?NblNE<h|f3icmGLH`7XcPZ~9-&iPtaa?bBJ{pZNHfDFJS}>`N{Q<EXD`tKa
z9>Z-+?@}>LgMtVG6TUM48CwHMzyNw<iU`8MELX<Uv}q6?OtmHL7=#sA1d;YjH$M|l
zXYL%20TJEBLe#I*gLg?0>@Y1!Caf_TuUMLBl`}3;+2nNFT@g_k&GgxEb_B*<`a?l}
zw1#IQMBz!Mhs9w`c$Z65Y38HHxc_bt0_~3VF6}`+grzt2t*%xGGv%1Vie?B???*N4
zdbA$-53ywPV+;v22)56$FD5EK$AhU-aI#}n;EH%GI|eKG-$q>OMO*qZ1GrlTmR2yo
z4YmYGJYlR^2X&!{St%Vw3U6zyP<L7x9Yt?6U|kR8ol|s?2W`0ph+U6}ooOCLum@27
zOsZO;TmaJ6t`PA9N!_xe9(iA3SrM-CQeu^$T>$9|M6j`TB;JKZiJ+ej|Mg`1nL_kA
zTH)7#jn58{t6%pL?nx7F!6iq3-$3&mkMgxo_3MB$P23kxfhBmvEpc*x%sB~!Y;=3`
zj2A*v)W-^@Ngl26L|xim5FugR0zoh<;QIN|v)exT;j>#8BBTymuK5w(=NJ%@gDr?z
z7|)h0gxa!Sp^eINc-a%DCs_?l{m-bdCq~_nFqph<MDUiPZrJx$sBV;?jbyXmA57X4
zlLy9gA9ib_^@snxML8KVZ+j&*Bymd;k{AT05BX5E9rA!r1eXzyj5)`q8@3Ig(SoZy
zm|3C(<2jXkU>;wVoK{i#I}aAYPZrd?A}zeWT=CIVu>SDL{*txs@;<E=n&8xFAy9N!
z2FC4)K7~`>769d0R7yqLlYJP>$7@T8R9GM5BJi2rx0%UHqZ65Tu5@#Xvxa0Pu8a=Z
zdsMV`CEhpEK}ivbg+9LTog3cYzq@?nRKqGK9Q;G?a(H@)vO(MOt8TDP^%Y#I4lA&l
zZYuEoT;}h7*k`Rrrr`L|GqnfI(7yM$Y{|M+plW7c325A*=7!>i!qpc{?Yl+d>R5#K
z-lFoM^&!rolk-c#nyp!1m&&9?Lubn7l(+H)r9CAxdQv)+PVp4K(eIr*1cRA2B6<pX
z@@77JJF*7z9GAo_gqA7&NSV``C;jd48+M6$Z*Wg=&wWq({#AG0Q>3JNsOEFTQ|437
zQ&KT?oC>JUdKD-PG|x887RwP}NuVBEA6%ae$iXd-rk+f6VBzP_Zl991$7xD89(A?x
z0|sS3PU-C9?c-la=#84$7#mu1yW+KQucaN2T-)fq<IJ1hZ;1LjlGzy2l1n=%IkVKL
z2g^AU_ao^{G@o|2YONQ8&92xUWgQ705xGiW(TrA^@hzu!7XBIXJ#gPS*}ey(wL#pm
zjfMi-yxia10B_K51ca0FhNllGyeHcQ*A?A4TNBnsX}2}KEWrouMQsV<!wC@7P{GYy
zk6HhHkNs2lUxbik7X1{_-bPo}H@M4f!$Uv_pHxKAB+qWv8Rwnv14{^2Z_MT_{a!D8
z_H6UQ_klT_oUEVmJMk(mZIrt#&ufKxT$pU3Hk+et6`Zm<ig#c~wialR%|1m+fioEi
z9l*3ssMlNJq#@J9u88s;NEyH&QIJWb%!{iX^4r$1(Q0VT=CF_V1E&TQz2izIM%#8g
z*8%5?sN^%xP*NsL4hwE8f@|8;)>-LZXvJH`9Sj!@CA?sc)BWJnylCRg<D2Q8d6Igs
zD#UK|l8Yc?J>94})w#4`KESC_KrWY)`%|VeXPNIji&M;ZrBxo<jGojP<xMr;dFGr9
zau{Q4>e>YDp1T*1s6xvG%&X9h&Bd$gD63|V7qR12D{fH8K8yTdP3}Swn1KmhdOtbo
zKWU9s?0F+n5EvNbGI2(^?6sf#CNxyF%39N_K^%T|sa{38UlX-aCmi>5?DF|ka_XjZ
zEOagO4B1>V{4<UxVkRmkNcKJ<nh^zv1VraVWn*rskkL0iu}X8ODOA$AW7X2P65|lf
zIqp!eW-(@QbP?x}>?-g|;fmb1szcTMo4cWuwv-`J<tVhb#sT{FN|)wU#gOr~$%9#u
z+H%=*W)N?|MjP*4)<<6lo_rA0;}0ftE6KOYP-AF8*|RI<liFg2vL()WZ*50F=*IqT
z2R9{r)_<>8&Rhk`c^H2`YiQ(r8{bh<SNTkT72}_EZ;<&m9a604wgEF~F{Cj4z|4MY
zc@WjnM0rJTcu$X?*qw&#Z`fK{S%Cl__*)WYB7VIJ@-UD10eB~hgY1<2>jPO?!O?7R
zFo~^fkQ}57NawPmLjzz801W=?w>PwU80eem>suWDo);coj3vwe(*Xzq*+`=j;Nw5w
z<KudUpc4Z{fNYgdcB>bsxZ1sRg94v{Ov=gU#5=D)>tbLk0+JAfsK|y(Kz`DXWseza
zGOV*%Q-ekKV~t1G=Bn;ij^-OxTSd+WS({U8e#4T=C5ke?fm+VzzMvf*;$_Bf6&^v>
z^4o6?AhUP-;;aV{`bF(Mw;}!2V(sB{-)di!JSVd3@2STs;|Z!Ijg^e|WWmWjic&A)
zb`uEWzid|uaD3bEHA2Mk#HE~<1Xy=56w=QoIgB<{A3VD`vH#8>zL-sZZqEKx?^2y>
zy=mfH!(?uLwYV%j=&58&%_sOnzzk}J$K5>t)@;>K?0Art);GPZNtx2zcfp)U;%eTs
zMe_czq8A18C8++j7rx+>CsU%pgrjYu;7kCiy1+O{PhD`@hkrMheU__fFVD6vaNpFb
zSb@USrphkUG;Q&z{!6mhLE|fTc0bcNu@esOO$j3L%M~Uq@vABCJ&S;<0aK5z3rTgh
z#?_ZDaxEJgd9_5arCljHF!K<%N&&9xUxj7@zo>VI&E1ADGSHM3;?*%BxGb2kgKRR^
z?y3B$22O7y8v4+e>?{tCeAIlq|DAv4?cRrkaH-SWKXvz+M;u>Iei~y)p#bu%;{LBD
z0NbZ={)QtLYY;oQeFzGfbz8&Dl0W*RRDu)H0v$tEL^#eHTtEYW2>9P~{cj!pd-`Z-
zO{i#SvD1BHVYt}<i+VJ_|M|Q6`})52rSjn_ZL!fr?aBbQ^`OB3fHna2^}lsd@S|6A
zK${BV%o|09EH?3Fj0=|1GZ&#d3qB#?j63;D*RDBLHGGzyFb}xRwpG451bt&YUqF*Z
zGCZ%T;>z(871ry$r?#8FJ%!}}ac|6s6fG1x*yj(%qHE@v363^O{}hLl27X{Y@S^rz
zpCI>>8vA(JWM&7g5sy+>NUzWVVtFM=rvItT(`)a4<P5|l_hu5-5lWe|R)vbwf(DbT
z&ESg|?bt*vUN{$?2=u0c3A?E+*}D2ei^9^PT@HtyF};<6Jn^J-SeA<q$1<-&@*d_5
z&mOhFRP(z0^g3_RDCN+kgGfxI3lYlm+pJrOk`!#T6T5?7N)d&#f`3ftT^gj+Bs|Rd
zj~teZu6Bkw-wkkNl|j!(HdlMFCg~6G@~BECIjy9GVm7S%e3|GSNlHEvsaN?)&NZ%B
zM^Xj3){Dm>HeFdKX_`2;Zh%BT#-rUu90oP#v<6#FU6+%#yNAltG?c(rwo)pDUu0PC
zxYvZdj}d;bX>Jpm90`Ll=@q(@j(Rs!omry4x0^2SvCI}jg8z5_`;g7yU;z4m01|<z
APyhe`

literal 0
HcmV?d00001

diff --git a/ui/public/fonts/ObfuscatedPasswordFont.woff2 b/ui/public/fonts/ObfuscatedPasswordFont.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..50137210aee2c5e665ead86efddfde3321622a61
GIT binary patch
literal 3044
zcmV<A3mf!zPew8T0RR9101M;*4FCWD0A_#y01J%(0RR9100000000000000000000
z0000#Mn+Uk92y`7U;u><5eN$S6u4juh)4hdHUcCAh)x6`1%`VEvq~GDK}80HjRSzh
zdS67<q$N}Jn4sj?|8Qoaa%KoY+EOWf`VOj8UP|FOLI{-}8upm9F=idz!QcCx-=If|
z9;x&t{3RG6$t*!+2UR`0Cjf7xqB1c1^Pe{NAUQ*4hG=QVb(OJi0RM2UnoX8$vviNB
zJohpQ7rZmkFr`z53RV0?t6dzolzF&f2LUjSypX~JbfrQUwzWY}W9v2{Vnb-8M2dv0
z^6J=&@@8J5SOEO5I_om6cp0uP14S`1MYxEZx#?r{Yz0}LC(CfjFbqe4jp<)}g>O2d
z0AUz}ohE6gr_6MDNM(ZH<{ywY#$?Pq0%DuTqdt=mx7d)*;JNv91QnPmc7F&MacP`Z
zJQL3BOn?Fuq)_ivnwEx%^#XEW0WWxz1`>=0B)~zaUyIQjyus_Eyy)M%_G#}W*&OSW
zXR#pU{y(ECWj1>`g8ULnU{#(;k9Lat%Zfo&_v>m=FAE;B3E4B@$8gI7Ba)SDU@h7%
zK2}1&n>`Be0G~ef`N!q;2TGzcNJ5tC3ON$8takoZfOIrHf#ZqM@eSG}sY>jo6tz(%
zlcTrV^S}M%{~wZCUNjdZ@q9dw+5#EghUx<BmkCstTMQ~HEmIIX+o)M;Fx_CY!D)CM
zeulrs0BXCn!AOIt25U;x@BMJ&XFgx9t*(k%eMeR6Y9L@?!BkZLpy>(b({-dl3u_k7
z{#Q^~5k(bKTnQzWQd${hl~Y~?6;)DM6;)MJT@5wWQd=E$)l**s4K>nO6HPVKyoHvn
zwAMyj?X=fHN1b%mMb~cK^$<Pv(pw*W(T{aW-+~nj*PHE*@1r<L#o_%=cKjO<7!({5
zN|kE0>b2`JWZakuQzlKDHE+&>Ma!0~Sha4`hAlg`9oTp12x$?KvE+<Oi6<+L8huEI
z=xhKI3Yf8{RCtmyjPZaKu9)lPfJ;$6D!?*4hUcuV{4M^@-0!%3PB`k6)6O{Qf{Qrs
zx|>|{7hny5tpJD{1_@F<$Ol4dLgCve{v%*8Ac05;k~ra0xL*_3{BR=iCB`-?;g|0F
zy!zP@dE!U6Kwe@j9`in}mnx9ERVDdd3e0kH-Q`s+y%=5!Jk!M@|Cmt{pS2)O$zPIB
zKKbaAJ8CB{8Ror=walz|QsI(jW9Op}BfQ>XHJKBMFKHp}LJW_`3}4isMFxjaHAimh
zgy%Xr>*)TCie<l^jJN*RA^UeQwf#;{qOin(`ZT&dt1WEkCwThv_>{SE1jVO~`L$1*
ze_`|IKO`+uy|`z3LJ0H*;&pSg0Dn?&fKW&kBn7oXri`h`m2?yZWNt%2B|L{hl8-2b
z8DFD_f__6$4bvaRq*y~K&e)0)O5_SkO7Rd%D-_R;E2Ch1EE9Q=IkNzSl8PWHt`0JF
zbwsYZ<tU(_D=4U{yHH5(9ZF%wrzoPh?@-im{EK4pSVk$%SdS8_#txK}$2};mWIVc&
zGK$Bm>Z(iK6U@PJBqC%mXLE`~2CSs?gb0T-$4oF#uWPo(8BfX2GL2gt10~Sr&F-kR
zmThRghOWYCZBn-=y6%jFu|Z*wAs9RqLq<R!W+KNDsYt6Nvp5#vj#?$+SWmT-66O4^
zxLSmeJ*Af-=(G7%64}K*wk0|GzKTG5ZeBy0FUn|dj88b~=#Nz<idQ6@U#h;;vJ-Hk
z;gjkYJk>);=c9cWjqMKm9q^Qkes$1E$K2#TcSh!@&+T(A@+jbhOAdPhUq`{whRpfv
zkAKE2I(2MGSa^$wbCD;`T)S}T%Co3@H*PJ9{?h8ngGVv1-qnhWjZaKS8j+lul9ryC
zk(K=-Coea@uwciiVnroNz4;)PTO>%4kyD@)zfl&UMuS%T3+T{e0F0P0W5J3II}V(<
zaN`jlAt%Z!rb@LMwd&Ms(5OkX7OmPMAMW_H>(Hr7w;sLv^cyf}$gq(}grrep#!Z+s
zW!j8cbLK5rv}8GMM3vu)RcqF5*tBKaP86aTQXy^Eo_z-n9XWR5)R{yolPi=ewMMJc
z$0uMknd1*x=T@8D;dHq@UKcK1xh6<Rn24yT5ECaMNlKcGEID~<)KaIO28}dnrbR1l
z+Ud|qmu`CW(x*UCiLwg)1{gHNun|U$F>ZpYNv2FQW0pDdELdd8GAmYDvu?wtE!%eN
z+OzM#p(DpmoH}#v!lf(MZrr+a@4=%d&tANG^DZtSDJ3l<>)wM$PoBMa_2%7&PhY<M
z`1R*sPF_J#Nm<32JOKehkys*?$%|5@ZnQeR!Duo&IlH*JxqEnedHZ~kSk(CtQ!cf2
zLKzoQX=B&6bKie*ydXX$Sy7*wZkU$+bX>1rhx~mhvg)lP#wADY%Fk;l&EVmOnm67d
zxI2!938j@%Ycd+?%__((8V@?TWOlOhCJ7|vB8CMTc~PU@?&9-hv|?g)b@M@HXR)J$
z{GByyc``zl8?ZB<+dtPVH;dprI<ZU|s^xth%A{MiJUR<TMnbvG%J%);V21KVF6b`i
z{i`VaYg~5@?#h+9^pgrrzIayM70+CG{>y3w`%-cxVNU6@Br4PLn5i;l*qpM)j2ZRY
zCl)?^AKj3D?t_^_U~Si{y~}0j<*)3}At#$9X`Cdw%`gBqb`#0QGPOScWwWDu(L}Q2
z1sP!1y)!#)_IC|jBL6pw*HS)HQ#?ykc-*2gG+g69^?BKt0&G)hXj~shB8le*vOwG&
zn^@aO5)Qh)zneG#ss_@<l(R{-TX{*nhjK=kCKFj>gl;Z-6;_$zwP`)r7p8A$TAuJm
z^G%4%zi++|@>%XPlB2ox*L|I15b6H<$*V?F)QhR+&IL;gA#!4wjt=!wvhI4a&xt5y
zq7D-Zl;#usDh<~+znE%(K-S=es=U>T!QyhJfu&s%8UOU`=PV`HTRu0NneERcd3gtu
zG@;oW#U^Mn`4B_}{TX?7br`FDf}sXq;@ypnQFyzv>#AuC;bJ-(Yy1qv=?r(pE?9}Q
zjU)i=d>2Ed_#Z0u%1gB76<eI@KK9L~WE03@m_fpR!R&snRce#P-f$?r<4xq&5xh+6
z(s%0V^F4oqDo&UbRF7kym?N8}s7_e<Dy#u$eo0(wrBOyacpxD|He;yNaiDgTthDCu
z`eF$eeR)L5I$LKPI_zL-#s%cw<|5r<_)YDmfow_NOD`Dl?MBFRpwXGm>Gw}##=-Wa
zln(SYUvrae@xbO1o9PuZeUqrcrh=pH*A}BmFT+F+g>^`IoH3A8l;&BmLtL{74VjJV
z2ld8b)oy%X$AX#-<=_XBjk^U#g<t?ja6n+iz*$lBAA^MINlY(L>*aLXSrP-t$I<Hl
ze1$1llUopiU}}R%g3S<JB-bMWxCN&kz=D!b01Z_L`2hmvX2*tA!(f*VagF_y9SuNE
z$(qJ3Q-83!gR)~Nqmfjwi-l!H@o~6yW@~MJb7~R#2fZ21_Jh2%%WDmFIq1gq@h<I}
z6V-q+l&re(11N$56hQ%oU;slffFn4-5gdpSF%TnSKp+Gl5JDwcPNAl%KuD=<+BiO&
zVNnjVew5*(R|Y8A*5YPdV$=8&d1Lhuwum6P3oeA?=7>FRNW>}7Z8J-gz6($x+NK~l
zDz_uIE<W~&I6y+SEU+2f5TCSug2bJSP4m<JOVroJZw+1a@O-I0#*M&WwC9{BxnnW6
zKm^3a&SNMsAf(Qtl9%c`)H2;is@HD}&S{`zRWgre&IFg&iWAtKnkEN<nh!yRkO~nB
zQK&#fLd*{l3mLN6T>HTjolf|Vto{@$hJ+LLe}Itt+Tr4hj)_e9UnD)ncK#SQ2{(K*
zEc3X}27CvFK*sL-hp$e(-zq4YE8hcR|N9GxuVA|%joHi>lK5s=O12491kHF~uH1=c
ml$4(qj6ng6FJ7>Cv7uvH|E~-Asn3qTzL-e1_}Wf9XD0{FsH=<s

literal 0
HcmV?d00001

diff --git a/vault/ui.go b/vault/ui.go
index 5b6f7c4963aec..0e2b53e063c46 100644
--- a/vault/ui.go
+++ b/vault/ui.go
@@ -32,7 +32,7 @@ type UIConfig struct {
 // NewUIConfig creates a new UI config
 func NewUIConfig(enabled bool, physicalStorage physical.Backend, barrierStorage logical.Storage) *UIConfig {
 	defaultHeaders := http.Header{}
-	defaultHeaders.Set("Content-Security-Policy", "default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline' 'self'; form-action 'none'; frame-ancestors 'none'")
+	defaultHeaders.Set("Content-Security-Policy", "default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline' 'self'; form-action 'none'; frame-ancestors 'none'; font-src 'self'")
 	defaultHeaders.Set("Service-Worker-Allowed", "/")
 
 	return &UIConfig{