[MIG][16.0] Migration of vault

setup/vault/odoo/addons/vault

@@ -0,0 +1 @@
+../../../../vault

setup/vault/setup.py

@@ -0,0 +1,6 @@
+import setuptools
+
+setuptools.setup(
+    setup_requires=['setuptools-odoo'],
+    odoo_addon=True,
+)

vault/README.rst

@@ -0,0 +1,100 @@
+=====
+Vault
+=====
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:9bc765eb2b8c6fb6a4912b97a282f3c40996011386f83779dccfad8c2672bfe6
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/16.0/vault
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-vault
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module implements a vault for secrets and files using end-to-end-encryption. The encryption and decryption happens in the browser using a vault specific shared master key. The master keys are encrypted using asymmetrically. For this the user has to enter a second password on the first login or if he needs to access data in a vault. The asymmetric keys are stored for a certain time in the browser storage.
+
+The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn't encrypted to be able to search/filter for entries more easily.
+
+This modules requires a secure context for the browser to work properly.
+
+The `vault-recovery <https://github.com/fkantelberg/vault-recovery>`_ project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Known issues / Roadmap
+======================
+
+* Field and file history for restoration
+
+* Send secrets directly to an inbox within Odoo
+
+* Import improvement
+
+ * Support challenge-response/FIDO2
+ * Support for argon2 and kdbx v4
+
+* When changing an entry from one vault to another existing vault, the values added on
+  this entry cannot be accessed, so the field vault is going to be readonly when it
+  is defined.
+
+  If you want to move entries between vaults you can use the export -> import option.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20vault%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* initOS GmbH
+
+Contributors
+~~~~~~~~~~~~
+
+* Florian Kantelberg <[email protected]>
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/vault>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

vault/TECHNICAL.rst

@@ -0,0 +1,143 @@
+::
+
+  ┌───────┐ ┏━━━━━━━━━━━━━┓ ╔═══════════╗
+  │ input │ ┃ unencrypted ┃ ║ encrypted ║
+  └───────┘ ┗━━━━━━━━━━━━━┛ ╚═══════════╝
+
+Vault
+=====
+
+Each vault stores entries with enrypted fields and files in a tree like structure. The access is controlled per vault. Every added user can read the secrets of a vault. Otherwise the users can receive permission to share the vault with other users, to write secrets in the vault, or to delete entries of the vault. The databases stores the public and password protected private key of each user. The password used for the private key is derived from a password entered by the user and should be different than the password used for the login. Keep in mind that the meta information like field name or file names aren't encrypted.
+
+Shared-key encryption
+=====================
+
+To be able to securely share sensitive data between all users a shared-key encryption is used. All users share a common secret for each vault. This secret is encrypted by the public key of each user to grant access to the user by using the private key to restore the secret.
+
+Encryption of master key
+------------------------
+
+::
+
+  .                   ┏━━━━━━━━━━━━┓
+                      ┃ Master key ┃
+                      ┗━━━━━━━━━━━━┛
+  ┏━━━━━━━━━━━━━━━━━┓       ┃
+  ┃ User            ┃       ▼
+  ┃                 ┃   ┏━━━━━━━━━┓
+  ┃ ┏━━━━━━━━━━━━━┓ ┃   ┃ encrypt ┃      ╔════════════╗
+  ┃ ┃ Public key  ┃━━━━▶┃ (RSA)   ┃━━━━━▶║ Master key ║
+  ┃ ┗━━━━━━━━━━━━━┛ ┃   ┗━━━━━━━━━┛      ╚════════════╝
+  ┃ ╔═════════════╗ ┃
+  ┃ ║ Private key ║ ┃
+  ┃ ╚═════════════╝ ┃
+  ┗━━━━━━━━━━━━━━━━━┛
+
+Decryption of master key
+------------------------
+
+::
+
+  .   ┌──────────┐     ┏━━━━━━━━━━┓
+      │ Password │━━━━▶┃ derive   ┃
+      └──────────┘     ┃ (PBKDF2) ┃
+                       ┗━━━━━━━━━━┛
+                            ┃
+  ┏━━━━━━━━━━━━━━━━━┓       ▼                          ╔════════════╗
+  ┃ User            ┃  ┏━━━━━━━━━━┓                    ║ Master key ║
+  ┃                 ┃  ┃ Password ┃                    ╚════════════╝
+  ┃ ┏━━━━━━━━━━━━━┓ ┃  ┗━━━━━━━━━━┛                          ┃
+  ┃ ┃ Public key  ┃ ┃       ┃                                ▼
+  ┃ ┗━━━━━━━━━━━━━┛ ┃       ▼                           ┏━━━━━━━━━┓
+  ┃ ╔═════════════╗ ┃   ┏━━━━━━━━┓   ┏━━━━━━━━━━━━━┓    ┃ decrypt ┃      ┏━━━━━━━━━━━━┓
+  ┃ ║ Private key ║━━━━━┃ unlock ┃━━▶┃ Private key ┃━━━▶┃ (RSA)   ┃━━━━━▶┃ Master key ┃
+  ┃ ╚═════════════╝ ┃   ┗━━━━━━━━┛   ┗━━━━━━━━━━━━━┛    ┗━━━━━━━━━┛      ┗━━━━━━━━━━━━┛
+  ┗━━━━━━━━━━━━━━━━━┛
+
+Symmetric encryption of the data
+================================
+
+The symmetric cipher AES is used with the common master key to encrypt/decrypt the secrets of the vaults. The encryption parameter and encrypted data is stored in the database while everything else happens in the browser.
+
+Encryption of data
+------------------
+
+::
+
+  .               ┏━━━━━━━━━━━━┓
+                  ┃ Master key ┃
+                  ┗━━━━━━━━━━━━┛
+                        ┃        ┏━━━━━━━━━━━━━━━━━━┓
+                        ▼        ┃ Database         ┃
+                   ┏━━━━━━━━━┓   ┃                  ┃
+  ┏━━━━━━━━━━━━┓   ┃ encrypt ┃   ┃╔════════════════╗┃
+  ┃ Plain text ┃━━▶┃ (AES)   ┃━━━▶║ Encrypted data ║┃
+  ┗━━━━━━━━━━━━┛   ┗━━━━━━━━━┛   ┃╚════════════════╝┃
+                        ┃        ┃┏━━━━━━━━━━━━━━━━┓┃
+                        ┗━━━━━━━━▶┃ Parameters     ┃┃
+                                 ┃┗━━━━━━━━━━━━━━━━┛┃
+                                 ┗━━━━━━━━━━━━━━━━━━┛
+
+Decryption of data
+------------------
+
+::
+
+  .                    ┏━━━━━━━━━━━━┓
+                       ┃ Master key ┃
+                       ┗━━━━━━━━━━━━┛
+  ┏━━━━━━━━━━━━━━━━━━┓       ┃
+  ┃ Database         ┃       ▼
+  ┃                  ┃   ┏━━━━━━━━━┓
+  ┃╔════════════════╗┃   ┃ decrypt ┃   ┏━━━━━━━━━━━━┓
+  ┃║ Encrypted data ║━━━▶┃ (AES)   ┃━━▶┃ Plain text ┃
+  ┃╚════════════════╝┃   ┗━━━━━━━━━┛   ┗━━━━━━━━━━━━┛
+  ┃┏━━━━━━━━━━━━━━━━┓┃       ▲
+  ┃┃ Parameters     ┃━━━━━━━━┛
+  ┃┗━━━━━━━━━━━━━━━━┛┃
+  ┗━━━━━━━━━━━━━━━━━━┛
+
+Inbox
+=====
+
+This allows an user to receive encrypted secrets by external or internal Odoo users. External users have to use either the owner specific inbox link from his preferences or the link of an already created inbox. The value is symmetrically encrypted. The key for the encryption is wrapped with the public key of the user of the inbox to grant the user the access to the key. Internal users can directly send a secret from a vault entry to another user who has enabled this feature. If a direct link is used the access counter and expiration time can block an overwrite.
+
+Encryption of inbox
+-------------------
+
+::
+
+  .                   ┏━━━━━━━━━━━━┓
+                      ┃ Plain data ┃
+                      ┗━━━━━━━━━━━━┛
+  ┏━━━━━━━━━━━━━━━━━┓       ┃
+  ┃ User            ┃       ▼
+  ┃                 ┃   ┏━━━━━━━━━┓
+  ┃ ┏━━━━━━━━━━━━━┓ ┃   ┃ encrypt ┃      ╔════════════════╗
+  ┃ ┃ Public key  ┃━━━━▶┃ (RSA)   ┃━━━━━▶║ Encrypted data ║
+  ┃ ┗━━━━━━━━━━━━━┛ ┃   ┗━━━━━━━━━┛      ╚════════════════╝
+  ┃ ╔═════════════╗ ┃
+  ┃ ║ Private key ║ ┃
+  ┃ ╚═════════════╝ ┃
+  ┗━━━━━━━━━━━━━━━━━┛
+
+Decryption of inbox
+-------------------
+
+::
+
+  .   ┌──────────┐     ┏━━━━━━━━━━┓
+      │ Password │━━━━▶┃ derive   ┃
+      └──────────┘     ┃ (PBKDF2) ┃
+                       ┗━━━━━━━━━━┛
+                            ┃
+  ┏━━━━━━━━━━━━━━━━━┓       ▼                        ╔════════════════╗
+  ┃ User            ┃  ┏━━━━━━━━━━┓                  ║ Encrypted data ║
+  ┃                 ┃  ┃ Password ┃                  ╚════════════════╝
+  ┃ ┏━━━━━━━━━━━━━┓ ┃  ┗━━━━━━━━━━┛                          ┃
+  ┃ ┃ Public key  ┃ ┃       ┃                                ▼
+  ┃ ┗━━━━━━━━━━━━━┛ ┃       ▼                           ┏━━━━━━━━━┓
+  ┃ ╔═════════════╗ ┃   ┏━━━━━━━━┓   ┏━━━━━━━━━━━━━┓    ┃ decrypt ┃      ┏━━━━━━━━━━━━┓
+  ┃ ║ Private key ║━━━━━┃ unlock ┃━━▶┃ Private key ┃━━━▶┃ (RSA)   ┃━━━━━▶┃ Plain data ┃
+  ┃ ╚═════════════╝ ┃   ┗━━━━━━━━┛   ┗━━━━━━━━━━━━━┛    ┗━━━━━━━━━┛      ┗━━━━━━━━━━━━┛
+  ┗━━━━━━━━━━━━━━━━━┛

vault/__init__.py

@@ -0,0 +1,4 @@
+# © 2021 Florian Kantelberg - initOS GmbH
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+from . import controllers, models, wizards

vault/__manifest__.py

@@ -0,0 +1,50 @@
+# © 2021 Florian Kantelberg - initOS GmbH
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Vault",
+    "summary": "Password vault integration in Odoo",
+    "license": "AGPL-3",
+    "version": "16.0.1.0.0",
+    "website": "https://github.com/OCA/server-auth",
+    "application": True,
+    "author": "initOS GmbH, Odoo Community Association (OCA)",
+    "category": "Vault",
+    "depends": ["base_setup", "web"],
+    "data": [
+        "security/ir.model.access.csv",
+        "security/ir_rule.xml",
+        "security/vault_security.xml",
+        "views/res_config_settings_views.xml",
+        "views/res_users_views.xml",
+        "views/vault_entry_views.xml",
+        "views/vault_field_views.xml",
+        "views/vault_file_views.xml",
+        "views/vault_log_views.xml",
+        "views/vault_inbox_views.xml",
+        "views/vault_right_views.xml",
+        "views/vault_views.xml",
+        "views/menuitems.xml",
+        "views/templates.xml",
+        "wizards/vault_export_wizard.xml",
+        "wizards/vault_import_wizard.xml",
+        "wizards/vault_send_wizard.xml",
+        "wizards/vault_store_wizard.xml",
+    ],
+    "assets": {
+        "vault.assets_frontend": [
+            "vault/static/src/common/*.js",
+            "vault/static/src/frontend/*.js",
+        ],
+        "web.assets_backend": [
+            "vault/static/lib/**/*.min.js",
+            "vault/static/src/**/*.xml",
+            "vault/static/src/common/*.js",
+            "vault/static/src/backend/*.scss",
+            "vault/static/src/backend/**/*.js",
+        ],
+        "web.tests_assets": [
+            "vault/static/tests/**/*.js",
+        ],
+    },
+}

vault/controllers/__init__.py

@@ -0,0 +1,4 @@
+# © 2021 Florian Kantelberg - initOS GmbH
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+from . import main