[MIG][16.0] vault_share: Migration and restructuring for 16.0

setup/vault_share/odoo/addons/vault_share

@@ -0,0 +1 @@
+../../../../vault_share

setup/vault_share/setup.py

@@ -0,0 +1,6 @@
+import setuptools
+
+setuptools.setup(
+    setup_requires=['setuptools-odoo'],
+    odoo_addon=True,
+)

vault_share/README.rst

@@ -2,10 +2,13 @@
 Vault - Share
 =============
 
-.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:9a16926a6329561017dac0fa81e331bcd50b83bc373281609831a25e42fb3e0c
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
@@ -14,16 +17,16 @@ Vault - Share
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/15.0/vault_share
+    :target: https://github.com/OCA/server-auth/tree/16.0/vault_share
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-vault_share
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-vault_share
     :alt: Translate me on Weblate
-.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/15.0
-    :alt: Try me on Runbot
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :alt: Try me on Runboat
 
-|badge1| |badge2| |badge3| |badge4| |badge5| 
+|badge1| |badge2| |badge3| |badge4| |badge5|
 
 This module implements possibilities to share specific secrets with external users. This bases on the vault implementation and the generated RSA key pair.
 
@@ -37,13 +40,18 @@ This allows an user to share a secret with external users. A share can be genera
 .. contents::
    :local:
 
+Known issues / Roadmap
+======================
+
+* Secure the download of the encrypted file behind a challenge/response
+
 Bug Tracker
 ===========
 
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
-If you spotted it first, help us smashing it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20vault_share%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20vault_share%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -73,6 +81,6 @@ OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/15.0/vault_share>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/vault_share>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

vault_share/__manifest__.py

@@ -1,11 +1,11 @@
-# © 2021 Florian Kantelberg - initOS GmbH
+# © 2021-2024 Florian Kantelberg - initOS GmbH
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
 
 {
     "name": "Vault - Share",
     "summary": "Implementation of a mechanism to share secrets",
     "license": "AGPL-3",
-    "version": "15.0.1.1.1",
+    "version": "16.0.1.1.1",
     "website": "https://github.com/OCA/server-auth",
     "application": False,
     "author": "initOS GmbH, Odoo Community Association (OCA)",
@@ -25,15 +25,11 @@
             "vault_share/static/src/common/**/*.js",
             "vault_share/static/src/backend/**/*.js",
             "vault_share/static/src/backend/**/*.scss",
-            "vault_share/static/src/legacy/vault_fields.js",
-            "vault_share/static/src/legacy/vault_share_widget.js",
+            "vault_share/static/src/backend/**/*.xml",
         ],
         "vault_share.assets_frontend": [
             "vault/static/src/common/*.js",
             "vault_share/static/src/frontend/*.js",
         ],
-        "web.assets_qweb": [
-            "vault_share/static/src/backend/**/*.xml",
-        ],
     },
 }

vault_share/controllers/main.py

@@ -30,6 +30,7 @@ def vault_share(self, token):
                 "iv": secret.iv,
                 "encrypted_file": secret.secret_file,
                 "filename": secret.filename,
+                "iterations": secret.iterations,
             }
         )
         return request.render("vault_share.share", ctx)

vault_share/i18n/es.po

@@ -7,8 +7,8 @@ msgstr ""
 "Project-Id-Version: Odoo Server 13.0\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2022-06-06 07:44+0000\n"
-"PO-Revision-Date: 2023-06-13 11:09+0000\n"
-"Last-Translator: Víctor Martínez <[email protected]>\n"
+"PO-Revision-Date: 2023-10-30 21:37+0000\n"
+"Last-Translator: Ivorra78 <[email protected]>\n"
 "Language-Team: \n"
 "Language: es\n"
 "MIME-Version: 1.0\n"
@@ -157,7 +157,7 @@ msgstr "Pin"
 #. module: vault_share
 #: model:ir.model.fields,field_description:vault_share.field_vault_share__salt
 msgid "Salt"
-msgstr ""
+msgstr "Sal"
 
 #. module: vault_share
 #. openerp-web
@@ -245,13 +245,13 @@ msgstr "El secreto ha expirado"
 #: code:addons/vault_share/models/vault_share.py:0
 #, python-format
 msgid "The share was accessed by %(name)s via %(ip)s"
-msgstr ""
+msgstr "%(name)s ha accedido a la acción a través de %(ip)s"
 
 #. module: vault_share
 #: code:addons/vault_share/models/vault_share.py:0
 #, python-format
 msgid "The share was created by %(name)s"
-msgstr ""
+msgstr "La acción fue creada por %(name)s"
 
 #. module: vault_share
 #: model:ir.model.fields,field_description:vault_share.field_vault_share__token
@@ -271,21 +271,21 @@ msgstr "Utilizando este enlace y el pin la gente puede acceder al secreto."
 #. module: vault_share
 #: model:ir.model.fields,field_description:vault_share.field_res_company__vault_share_delay
 msgid "Vault Share Delay"
-msgstr ""
+msgstr "Retraso de la Acción de la Bóveda"
 
 #. module: vault_share
 #: code:addons/vault_share/models/vault_share_log.py:0
 #: model:ir.model,name:vault_share.model_vault_share_log
 #, python-format
 msgid "Vault share log"
-msgstr ""
+msgstr "Registro de compartición de la bóveda"
 
 #. module: vault_share
 #: code:addons/vault_share/models/vault_share.py:0
 #: model:ir.model,name:vault_share.model_vault_share
 #, python-format
 msgid "Vault share outgoing secrets"
-msgstr ""
+msgstr "La bóveda comparte secretos de salida"
 
 #, python-format
 #~ msgid "The share was accessed by %s via %s"

vault_share/i18n/nl.po

@@ -159,9 +159,6 @@ msgstr ""
 #. module: vault_share
 #. openerp-web
 #: code:addons/vault_share/static/src/backend/templates.xml:0
-#: code:addons/vault_share/static/src/backend/templates.xml:0
-#: code:addons/vault_share/static/src/backend/templates.xml:0
-#: code:addons/vault_share/static/src/backend/templates.xml:0
 #, python-format
 msgid "Save in a vault"
 msgstr "Opslaan in een kluis"
@@ -196,7 +193,6 @@ msgstr "Deel het geheim"
 #. module: vault_share
 #. openerp-web
 #: code:addons/vault_share/static/src/backend/templates.xml:0
-#: code:addons/vault_share/static/src/backend/templates.xml:0
 #, python-format
 msgid "Share the secret with an external user"
 msgstr "Het geheim delen met een externe gebruiker"

vault_share/migrations/16.0.1.1.1/post-migrate.py

@@ -0,0 +1,13 @@
+# © 2024 Florian Kantelberg - initOS GmbH
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+import logging
+
+_logger = logging.getLogger(__name__)
+
+
+def migrate(cr, version):
+    # Before the migration the iterations were hardcoded to 4000
+    _logger.info("Setting iterations for previous records")
+
+    cr.execute("UPDATE vault_share SET iterations = 4000 WHERE iterations IS NULL")

vault_share/models/vault_share.py

@@ -27,6 +27,7 @@ class VaultShare(models.Model):
     secret_file = fields.Char()
     filename = fields.Char()
     salt = fields.Char(required=True)
+    iterations = fields.Integer()
     iv = fields.Char(required=True)
     pin = fields.Char(required=True, help="The pin needed to decrypt the share.")
     accesses = fields.Integer(
@@ -70,12 +71,13 @@ def get(self, token, ip=None):
 
         return None
 
-    @api.model
-    def create(self, vals):
-        rec = super().create(vals)
+    @api.model_create_multi
+    def create(self, vals_list):
+        res = super().create(vals_list)
         log = _("The share was created by %(name)s")
-        rec.log_ids = [(0, 0, {"name": log % {"name": self.env.user.name}})]
-        return rec
+        for rec in res:
+            rec.log_ids = [(0, 0, {"name": log % {"name": self.env.user.name}})]
+        return res
 
     @api.model
     def clean(self):

vault_share/readme/ROADMAP.rst

@@ -0,0 +1 @@
+* Secure the download of the encrypted file behind a challenge/response

vault_share/static/description/index.html

@@ -1,20 +1,20 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<meta name="generator" content="Docutils 0.15.1: http://docutils.sourceforge.net/" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
 <title>Vault - Share</title>
 <style type="text/css">
 
 /*
 :Author: David Goodger ([email protected])
-:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 
 Default cascading style sheet for the HTML output of Docutils.
 
-See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
 */
 
@@ -366,20 +366,28 @@ <h1 class="title">Vault - Share</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:9a16926a6329561017dac0fa81e331bcd50b83bc373281609831a25e42fb3e0c
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/15.0/vault_share"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-vault_share"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/15.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/vault_share"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-vault_share"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module implements possibilities to share specific secrets with external users. This bases on the vault implementation and the generated RSA key pair.</p>
 <div class="section" id="share">
 <h1>Share</h1>
 <p>This allows an user to share a secret with external users. A share can be generated from a vault entry or directly created by an user. The secret is symmetrically encrypted by a key derived from a pin. To grant access the user has to transmit the link and pin with the external. If either the access counter reaches 0 or the share expires it will be deleted automatically. Due to the usage of a numeric pin and the browser side decryption a share is vulnerable to brute-force attacks and shouldn’t be used as a permanent storage for secrets. For long time uses the user should create an account and a vault should be used.</p>
 <p><strong>Table of contents</strong></p>
 </div>
+<div class="section" id="known-issues-roadmap">
+<h1>Known issues / Roadmap</h1>
+<ul class="simple">
+<li>Secure the download of the encrypted file behind a challenge/response</li>
+</ul>
+</div>
 <div class="section" id="bug-tracker">
 <h1>Bug Tracker</h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
-If you spotted it first, help us smashing it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20vault_share%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20vault_share%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
@@ -403,7 +411,7 @@ <h2>Maintainers</h2>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/15.0/vault_share">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/vault_share">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>

vault_share/static/src/backend/fields/templates.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<templates id="template" xml:space="preserve">
+    <t
+        t-name="vault.FieldShareVault"
+        t-inherit="vault.FieldVault"
+        t-inherit-mode="primary"
+        owl="1"
+    >
+        <xpath expr="//div[@t-elif='props.readonly']" position="attributes">
+            <attribute name="t-elif">!isNew</attribute>
+        </xpath>
+    </t>
+
+    <t
+        t-name="vault.FileShareVault"
+        t-inherit="web.BinaryField"
+        t-inherit-mode="primary"
+        owl="1"
+    >
+        <xpath expr="//t[@t-if='!props.readonly']" position="attributes">
+            <attribute name="t-if">isNew</attribute>
+        </xpath>
+    </t>
+
+    <t t-name="vault.FieldPinVault" owl="1">
+        <div class="o_vault o_vault_error" t-if="!supported()">
+            <span>*******</span>
+        </div>
+        <div class="o_vault" t-else="">
+            <t t-call="vault.Field.buttons" />
+            <span t-esc="formattedValue" t-ref="span" />
+        </div>
+    </t>
+
+    <t t-inherit="vault.FieldVault" t-inherit-mode="extension" owl="1">
+        <xpath expr="//span[hasclass('o_vault_buttons')]" position="inside">
+            <button
+                t-if="shareButton"
+                class="btn btn-secondary btn-sm fa fa-external-link o_vault_share"
+                title="Share the secret with an external user"
+                aria-label="Share the secret with an external user"
+                t-on-click="_onShareValue"
+            />
+        </xpath>
+    </t>
+</templates>

vault_share/static/src/backend/fields/vault_field.esm.js

@@ -0,0 +1,45 @@
+/** @odoo-module **/
+// © 2021-2024 Florian Kantelberg - initOS GmbH
+// License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+import VaultField from "vault.field";
+import {_lt} from "@web/core/l10n/translation";
+import {patch} from "@web/core/utils/patch";
+import sh_utils from "vault.share.utils";
+import utils from "vault.utils";
+import vault from "vault";
+
+// Extend the widget to share
+patch(VaultField.prototype, "vault_share", {
+    /**
+     * Share the value for an external user
+     *
+     * @private
+     */
+    async _onShareValue() {
+        const iv = await utils.generate_iv_base64();
+        const pin = sh_utils.generate_pin(sh_utils.PinSize);
+        const salt = utils.generate_bytes(utils.SaltLength).buffer;
+        const key = await utils.derive_key(pin, salt, utils.Derive.iterations);
+        const public_key = await vault.get_public_key();
+        const value = await this._decrypt(this.value);
+
+        this.action.doAction({
+            type: "ir.actions.act_window",
+            title: _lt("Share the secret"),
+            target: "new",
+            res_model: "vault.share",
+            views: [[false, "form"]],
+            context: {
+                default_secret: await utils.sym_encrypt(key, value, iv),
+                default_pin: await utils.asym_encrypt(
+                    public_key,
+                    pin + utils.generate_iv_base64()
+                ),
+                default_iterations: utils.Derive.iterations,
+                default_iv: iv,
+                default_salt: utils.toBase64(salt),
+            },
+        });
+    },
+});