From 9f4cda0712707304785084e8aee796b4bc9aa353 Mon Sep 17 00:00:00 2001 From: fkantelberg Date: Mon, 19 Feb 2024 19:11:14 +0100 Subject: [PATCH] [IMP] vault: Improve handling if no secure browser context is provided. Improve readme documentation about this requirement --- vault/README.rst | 8 +++---- vault/readme/DESCRIPTION.rst | 2 +- vault/readme/ROADMAP.rst | 4 ++-- vault/static/description/index.html | 7 +++--- vault/static/src/backend/controller.esm.js | 26 +++++++++++++++++++++- 5 files changed, 36 insertions(+), 11 deletions(-) diff --git a/vault/README.rst b/vault/README.rst index 1b127f4d65..e58d1e5c71 100644 --- a/vault/README.rst +++ b/vault/README.rst @@ -7,7 +7,7 @@ Vault !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - !! source digest: sha256:9bc765eb2b8c6fb6a4912b97a282f3c40996011386f83779dccfad8c2672bfe6 + !! source digest: sha256:12d8822aab453f4a6f00d8151ec6cdef4c66ec07c08d88e6528c85f3526d0818 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png @@ -32,7 +32,7 @@ This module implements a vault for secrets and files using end-to-end-encryption The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn't encrypted to be able to search/filter for entries more easily. -This modules requires a secure context for the browser to work properly. +This modules requires a secure context for the browser to work properly and therefore HTTPS support is required. The `vault-recovery `_ project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports. @@ -46,8 +46,6 @@ Known issues / Roadmap * Field and file history for restoration -* Send secrets directly to an inbox within Odoo - * Import improvement * Support challenge-response/FIDO2 
@@ -59,6 +57,8 @@ Known issues / Roadmap If you want to move entries between vaults you can use the export -> import option. +* HTTPS or localhost (secure browser context) is required for the client side encryption + Bug Tracker =========== diff --git a/vault/readme/DESCRIPTION.rst b/vault/readme/DESCRIPTION.rst index 8d77993dc9..50cf3c7679 100644 --- a/vault/readme/DESCRIPTION.rst +++ b/vault/readme/DESCRIPTION.rst @@ -2,6 +2,6 @@ This module implements a vault for secrets and files using end-to-end-encryption The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn't encrypted to be able to search/filter for entries more easily. -This modules requires a secure context for the browser to work properly. +This modules requires a secure context for the browser to work properly and therefore HTTPS support is required. The `vault-recovery `_ project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports. diff --git a/vault/readme/ROADMAP.rst b/vault/readme/ROADMAP.rst index 738bcd6446..ccaf5abc1d 100644 --- a/vault/readme/ROADMAP.rst +++ b/vault/readme/ROADMAP.rst @@ -1,7 +1,5 @@ * Field and file history for restoration -* Send secrets directly to an inbox within Odoo - * Import improvement * Support challenge-response/FIDO2 @@ -12,3 +10,5 @@ is defined. If you want to move entries between vaults you can use the export -> import option. + +* HTTPS or localhost (secure browser context) is required for the client side encryption diff --git a/vault/static/description/index.html b/vault/static/description/index.html index 6fcc35e1b3..99cd2f80d1 100644 --- a/vault/static/description/index.html +++ b/vault/static/description/index.html @@ -367,12 +367,12 @@

Vault

!! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -!! source digest: sha256:9bc765eb2b8c6fb6a4912b97a282f3c40996011386f83779dccfad8c2672bfe6 +!! source digest: sha256:12d8822aab453f4a6f00d8151ec6cdef4c66ec07c08d88e6528c85f3526d0818 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runboat

This module implements a vault for secrets and files using end-to-end-encryption. The encryption and decryption happens in the browser using a vault specific shared master key. The master keys are encrypted using asymmetrically. For this the user has to enter a second password on the first login or if he needs to access data in a vault. The asymmetric keys are stored for a certain time in the browser storage.

The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn’t encrypted to be able to search/filter for entries more easily.

-

This modules requires a secure context for the browser to work properly.

+

This modules requires a secure context for the browser to work properly and therefore HTTPS support is required.

The vault-recovery project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports.

Table of contents

@@ -391,7 +391,6 @@

Vault

Known issues / Roadmap

  • Field and file history for restoration
  • -
  • Send secrets directly to an inbox within Odoo
  • Import improvement
@@ -406,6 +405,8 @@

Known issues / Roadmap

is defined.

If you want to move entries between vaults you can use the export -> import option.

+
  • HTTPS or localhost (secure browser context) is required for the client side encryption

    +
  • diff --git a/vault/static/src/backend/controller.esm.js b/vault/static/src/backend/controller.esm.js index ca519b5b35..d3f4b6c42e 100644 --- a/vault/static/src/backend/controller.esm.js +++ b/vault/static/src/backend/controller.esm.js @@ -2,9 +2,11 @@ // © 2021-2024 Florian Kantelberg - initOS GmbH // License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). +import {AlertDialog} from "@web/core/confirmation_dialog/confirmation_dialog"; import Dialog from "web.Dialog"; import {FormController} from "@web/views/form/form_controller"; import Importer from "vault.import"; +import {ListController} from "@web/views/list/list_controller"; import {_lt} from "@web/core/l10n/translation"; import framework from "web.framework"; import {patch} from "@web/core/utils/patch"; @@ -288,7 +290,16 @@ patch(FormController.prototype, "vault", { * @param {Object} button */ async _vaultAction(button) { - if (!utils.supported()) return false; + if (!utils.supported()) { + await this.dialogService.add(AlertDialog, { + title: _lt("Vault is not supported"), + body: _lt( + "A secure browser context is required. Please switch to " + + "https or contact your administrator" + ), + }); + return false; + } const root = this.model.root; switch (root.resModel) { @@ -331,6 +342,11 @@ patch(FormController.prototype, "vault", { * get/store information from/to the vault controller */ setup() { + if (this.props.resModel === "vault" && !utils.supported()) { + this.props.preventCreate = true; + this.props.preventEdit = true; + } + this._super(...arguments); this.rpc = useService("rpc"); }, @@ -380,3 +396,11 @@ patch(FormController.prototype, "vault", { return await _super(...arguments); }, }); + +patch(ListController.prototype, "vault", { + setup() { + this._super(...arguments); + if (this.props.resModel === "vault" && !utils.supported()) + this.props.showButtons = false; + }, +});
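Review bot: The insecure-context guard added to `setup()` fires only when `this.props.resModel === "vault"`, while `_vaultAction` appears to dispatch on `root.resModel` for more than one model (the switch cases and the rest of that method lie outside the hunk); if the other vault models also carry client-side-encrypted fields, their forms still allow create/edit without `crypto.subtle`, so the condition is better expressed once and shared by both patches, e.g. `const vaultUnsupported = (resModel) => resModel === "vault" && !utils.supported();`, which also removes the three copies of the check. In Odoo's dialog service `add()` returns a close callback rather than a promise, so the `await this.dialogService.add(AlertDialog, ...)` in `_vaultAction` does not wait for the user to dismiss the alert and `return false` runs immediately; drop the `await` or note that the alert is fire-and-forget. Writing to `this.props` (before `_super` in the FormController patch, after it in the ListController patch) presumably depends on the base controller reading those flags during or after its own setup and on the parent not re-rendering with fresh props; a short comment such as `// set before _super so the base controller sees the flags during its setup — verify against core FormController` would record why the ordering differs between the two patches. The brace-less `if` in the ListController `setup()` should get braces like the rest of the file.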