[IMP] vault: Improve handling if no secure browser context is provide…

…d. Improve readme documentation about this requirement
OCA · Feb 19, 2024 · 9f4cda0 · 9f4cda0
1 parent 6259a60
commit 9f4cda0
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 11 deletions.
diff --git a/vault/README.rst b/vault/README.rst
@@ -7,7 +7,7 @@ Vault
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:9bc765eb2b8c6fb6a4912b97a282f3c40996011386f83779dccfad8c2672bfe6
+   !! source digest: sha256:12d8822aab453f4a6f00d8151ec6cdef4c66ec07c08d88e6528c85f3526d0818
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -32,7 +32,7 @@ This module implements a vault for secrets and files using end-to-end-encryption
 
 The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn't encrypted to be able to search/filter for entries more easily.
 
-This modules requires a secure context for the browser to work properly.
+This modules requires a secure context for the browser to work properly and therefore HTTPS support is required.
 
 The `vault-recovery <https://github.com/fkantelberg/vault-recovery>`_ project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports.
 
@@ -46,8 +46,6 @@ Known issues / Roadmap
 
 * Field and file history for restoration
 
-* Send secrets directly to an inbox within Odoo
-
 * Import improvement
 
  * Support challenge-response/FIDO2
@@ -59,6 +57,8 @@ Known issues / Roadmap
 
   If you want to move entries between vaults you can use the export -> import option.
 
+* HTTPS or localhost (secure browser context) is required for the client side encryption
+
 Bug Tracker
 ===========
 

diff --git a/vault/readme/DESCRIPTION.rst b/vault/readme/DESCRIPTION.rst
@@ -2,6 +2,6 @@ This module implements a vault for secrets and files using end-to-end-encryption
 
 The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn't encrypted to be able to search/filter for entries more easily.
 
-This modules requires a secure context for the browser to work properly.
+This modules requires a secure context for the browser to work properly and therefore HTTPS support is required.
 
 The `vault-recovery <https://github.com/fkantelberg/vault-recovery>`_ project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports.
diff --git a/vault/readme/ROADMAP.rst b/vault/readme/ROADMAP.rst
@@ -1,7 +1,5 @@
 * Field and file history for restoration
 
-* Send secrets directly to an inbox within Odoo
-
 * Import improvement
 
  * Support challenge-response/FIDO2
@@ -12,3 +10,5 @@
   is defined.
 
   If you want to move entries between vaults you can use the export -> import option.
+
+* HTTPS or localhost (secure browser context) is required for the client side encryption
diff --git a/vault/static/description/index.html b/vault/static/description/index.html
@@ -367,12 +367,12 @@ <h1 class="title">Vault</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:9bc765eb2b8c6fb6a4912b97a282f3c40996011386f83779dccfad8c2672bfe6
+!! source digest: sha256:12d8822aab453f4a6f00d8151ec6cdef4c66ec07c08d88e6528c85f3526d0818
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/vault"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-vault"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module implements a vault for secrets and files using end-to-end-encryption. The encryption and decryption happens in the browser using a vault specific shared master key. The master keys are encrypted using asymmetrically. For this the user has to enter a second password on the first login or if he needs to access data in a vault. The asymmetric keys are stored for a certain time in the browser storage.</p>
 <p>The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn’t encrypted to be able to search/filter for entries more easily.</p>
-<p>This modules requires a secure context for the browser to work properly.</p>
+<p>This modules requires a secure context for the browser to work properly and therefore HTTPS support is required.</p>
 <p>The <a class="reference external" href="https://github.com/fkantelberg/vault-recovery">vault-recovery</a> project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
@@ -391,7 +391,6 @@ <h1 class="title">Vault</h1>
 <h1><a class="toc-backref" href="#toc-entry-1">Known issues / Roadmap</a></h1>
 <ul class="simple">
 <li>Field and file history for restoration</li>
-<li>Send secrets directly to an inbox within Odoo</li>
 <li>Import improvement</li>
 </ul>
 <blockquote>
@@ -406,6 +405,8 @@ <h1><a class="toc-backref" href="#toc-entry-1">Known issues / Roadmap</a></h1>
 is defined.</p>
 <p>If you want to move entries between vaults you can use the export -&gt; import option.</p>
 </li>
+<li><p class="first">HTTPS or localhost (secure browser context) is required for the client side encryption</p>
+</li>
 </ul>
 </div>
 <div class="section" id="bug-tracker">

diff --git a/vault/static/src/backend/controller.esm.js b/vault/static/src/backend/controller.esm.js
@@ -2,9 +2,11 @@
 // © 2021-2024 Florian Kantelberg - initOS GmbH
 // License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
 
+import {AlertDialog} from "@web/core/confirmation_dialog/confirmation_dialog";
 import Dialog from "web.Dialog";
 import {FormController} from "@web/views/form/form_controller";
 import Importer from "vault.import";
+import {ListController} from "@web/views/list/list_controller";
 import {_lt} from "@web/core/l10n/translation";
 import framework from "web.framework";
 import {patch} from "@web/core/utils/patch";
@@ -288,7 +290,16 @@ patch(FormController.prototype, "vault", {
      * @param {Object} button
      */
     async _vaultAction(button) {
-        if (!utils.supported()) return false;
+        if (!utils.supported()) {
+            await this.dialogService.add(AlertDialog, {
+                title: _lt("Vault is not supported"),
+                body: _lt(
+                    "A secure browser context is required. Please switch to " +
+                        "https or contact your administrator"
+                ),
+            });
+            return false;
+        }
 
         const root = this.model.root;
         switch (root.resModel) {
@@ -331,6 +342,11 @@ patch(FormController.prototype, "vault", {
      * get/store information from/to the vault controller
      */
     setup() {
+        if (this.props.resModel === "vault" && !utils.supported()) {
+            this.props.preventCreate = true;
+            this.props.preventEdit = true;
+        }
+
         this._super(...arguments);
         this.rpc = useService("rpc");
     },
@@ -380,3 +396,11 @@ patch(FormController.prototype, "vault", {
         return await _super(...arguments);
     },
 });
+
+patch(ListController.prototype, "vault", {
+    setup() {
+        this._super(...arguments);
+        if (this.props.resModel === "vault" && !utils.supported())
+            this.props.showButtons = false;
+    },
+});