Merge pull request #64 from /issues/63

Review device and account key setup

Author: dkocher

hub/src/main/java/ch/iterate/hub/core/FirstLoginDeviceSetupCallback.java renamed to hub/src/main/java/ch/iterate/hub/core/DeviceSetupCallback.java

@@ -6,29 +6,30 @@
 
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.UUIDRandomStringService;
-import ch.cyberduck.core.exception.ConnectionCanceledException;
-import ch.cyberduck.core.exception.LoginCanceledException;
 
+import ch.iterate.hub.crypto.DeviceKeys;
+import ch.iterate.hub.crypto.UserKeys;
 import ch.iterate.hub.model.AccountKeyAndDeviceName;
+import ch.iterate.hub.workflows.exceptions.AccessException;
 
-public interface FirstLoginDeviceSetupCallback {
+public interface DeviceSetupCallback {
 
     /**
      * Prompt user for device name
      *
      * @return Device name
-     * @throws ConnectionCanceledException Canceled prompt by user
+     * @throws AccessException Canceled prompt by user
      */
-    String displayAccountKeyAndAskDeviceName(Host bookmark, AccountKeyAndDeviceName accountKeyAndDeviceName) throws ConnectionCanceledException;
+    String displayAccountKeyAndAskDeviceName(Host bookmark, AccountKeyAndDeviceName accountKeyAndDeviceName) throws AccessException;
 
     /**
      * Prompt user for existing account key
      *
      * @param initialDeviceName Default device name
      * @return Account key and device name
-     * @throws ConnectionCanceledException Canceled prompt by user
+     * @throws AccessException Canceled prompt by user
      */
-    AccountKeyAndDeviceName askForAccountKeyAndDeviceName(Host bookmark, String initialDeviceName) throws ConnectionCanceledException;
+    AccountKeyAndDeviceName askForAccountKeyAndDeviceName(Host bookmark, String initialDeviceName) throws AccessException;
 
     /**
      * Generate initial account key
@@ -39,15 +40,23 @@ default String generateAccountKey() {
         return new UUIDRandomStringService().random();
     }
 
-    FirstLoginDeviceSetupCallback disabled = new FirstLoginDeviceSetupCallback() {
+    default DeviceKeys generateDeviceKey() {
+        return DeviceKeys.create();
+    }
+
+    default UserKeys generateUserKeys() {
+        return UserKeys.create();
+    }
+
+    DeviceSetupCallback disabled = new DeviceSetupCallback() {
         @Override
-        public String displayAccountKeyAndAskDeviceName(final Host bookmark, final AccountKeyAndDeviceName accountKeyAndDeviceName) throws ConnectionCanceledException {
-            throw new LoginCanceledException();
+        public String displayAccountKeyAndAskDeviceName(final Host bookmark, final AccountKeyAndDeviceName accountKeyAndDeviceName) throws AccessException {
+            throw new AccessException("Disabled");
         }
 
         @Override
-        public AccountKeyAndDeviceName askForAccountKeyAndDeviceName(final Host bookmark, final String initialDeviceName) throws ConnectionCanceledException {
-            throw new LoginCanceledException();
+        public AccountKeyAndDeviceName askForAccountKeyAndDeviceName(final Host bookmark, final String initialDeviceName) throws AccessException {
+            throw new AccessException("Disabled");
         }
     };
 }

hub/src/main/java/ch/iterate/hub/core/FirstLoginDeviceSetupCallbackFactory.java renamed to hub/src/main/java/ch/iterate/hub/core/DeviceSetupCallbackFactory.java

@@ -13,16 +13,16 @@
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 
-public class FirstLoginDeviceSetupCallbackFactory extends Factory<FirstLoginDeviceSetupCallback> {
-    private static final Logger log = LogManager.getLogger(FirstLoginDeviceSetupCallbackFactory.class);
+public final class DeviceSetupCallbackFactory extends Factory<DeviceSetupCallback> {
+    private static final Logger log = LogManager.getLogger(DeviceSetupCallbackFactory.class);
 
-    private FirstLoginDeviceSetupCallbackFactory() {
-        super("factory.firstlogindevicesetupcallback.class");
+    private DeviceSetupCallbackFactory() {
+        super("factory.devicesetupcallback.class");
     }
 
-    public FirstLoginDeviceSetupCallback create() {
+    public DeviceSetupCallback create() {
         try {
-            final Constructor<? extends FirstLoginDeviceSetupCallback> constructor
+            final Constructor<? extends DeviceSetupCallback> constructor
                     = ConstructorUtils.getMatchingAccessibleConstructor(clazz);
             if(null == constructor) {
                 log.warn("No default controller in {}", constructor.getClass());
@@ -33,18 +33,18 @@ public FirstLoginDeviceSetupCallback create() {
         }
         catch(InstantiationException | InvocationTargetException | IllegalAccessException | NoSuchMethodException e) {
             log.error("Failure loading callback class {}. {}", clazz, e.getMessage());
-            return FirstLoginDeviceSetupCallback.disabled;
+            return DeviceSetupCallback.disabled;
         }
     }
 
-    private static FirstLoginDeviceSetupCallbackFactory singleton;
+    private static DeviceSetupCallbackFactory singleton;
 
     /**
      * @return Firs tLogin Device Setup Callback instance for the current platform.
      */
-    public static synchronized FirstLoginDeviceSetupCallback get() {
+    public static synchronized DeviceSetupCallback get() {
         if(null == singleton) {
-            singleton = new FirstLoginDeviceSetupCallbackFactory();
+            singleton = new DeviceSetupCallbackFactory();
         }
         return singleton.create();
     }

hub/src/main/java/ch/iterate/hub/crypto/DeviceKeys.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2025 shift7 GmbH. All rights reserved.
+ */
+
+package ch.iterate.hub.crypto;
+
+import org.cryptomator.cryptolib.common.ECKeyPair;
+import org.cryptomator.cryptolib.common.P384KeyPair;
+
+import javax.security.auth.Destroyable;
+import java.util.Objects;
+
+public class DeviceKeys implements Destroyable {
+
+    private final ECKeyPair ecKeyPair;
+
+    public DeviceKeys(final ECKeyPair ecKeyPair) {
+        this.ecKeyPair = ecKeyPair;
+    }
+
+    public ECKeyPair getEcKeyPair() {
+        return ecKeyPair;
+    }
+
+    @Override
+    public void destroy() {
+        ecKeyPair.destroy();
+    }
+
+    @Override
+    public boolean isDestroyed() {
+        return ecKeyPair.isDestroyed();
+    }
+
+    @Override
+    public final boolean equals(final Object o) {
+        if (!(o instanceof DeviceKeys)) return false;
+
+        DeviceKeys that = (DeviceKeys) o;
+        return Objects.equals(ecKeyPair, that.ecKeyPair);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hashCode(ecKeyPair);
+    }
+
+    @Override
+    public String toString() {
+        final StringBuilder sb = new StringBuilder("DeviceKeys{");
+        sb.append("ecKeyPair=").append(ecKeyPair);
+        sb.append('}');
+        return sb.toString();
+    }
+
+    public static DeviceKeys create() {
+        return new DeviceKeys(P384KeyPair.generate());
+    }
+
+    public static boolean validate(final DeviceKeys deviceKeys) {
+        return deviceKeys.getEcKeyPair() != null;
+    }
+
+    public static final DeviceKeys notfound = new DeviceKeys(null);
+}

hub/src/main/java/ch/iterate/hub/crypto/KeyHelper.java

@@ -25,7 +25,7 @@
 import ch.iterate.hub.crypto.exceptions.NotECKeyException;
 import com.google.common.io.BaseEncoding;
 
-public class KeyHelper {
+public final class KeyHelper {
 
     // adapted from org.cryptomator.ui.keyloading.hub.HubKeyLoadingModule
     public static String getDeviceIdFromDeviceKeyPair(final ECKeyPair deviceKeyPair) {

hub/src/main/java/ch/iterate/hub/crypto/UserKeys.java

@@ -7,24 +7,26 @@
 import org.cryptomator.cryptolib.common.ECKeyPair;
 import org.cryptomator.cryptolib.common.P384KeyPair;
 
+import javax.security.auth.Destroyable;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.text.ParseException;
 import java.util.Base64;
+import java.util.Objects;
+
+import static ch.iterate.hub.crypto.KeyHelper.decodeKeyPair;
+import static ch.iterate.hub.crypto.UserKeyPayload.createFromPayload;
 
 import ch.iterate.hub.crypto.uvf.UvfAccessTokenPayload;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.nimbusds.jose.JOSEException;
 
-import static ch.iterate.hub.crypto.KeyHelper.decodeKeyPair;
-import static ch.iterate.hub.crypto.UserKeyPayload.createFromPayload;
-
 /**
  * Represents Cryptomator Hub <a href="https://docs.cryptomator.org/en/latest/security/hub/#user-key-pair>User Keys</a>.
  * Counterpart of <a href="https://github.com/cryptomator/hub/blob/develop/frontend/src/common/crypto.ts"><code>UserKeys</code></a>.
  */
-public class UserKeys {
+public class UserKeys implements Destroyable {
 
     private final ECKeyPair ecdhKeyPair;
     private final ECKeyPair ecdsaKeyPair;
@@ -42,6 +44,34 @@ public ECKeyPair ecdsaKeyPair() {
         return ecdsaKeyPair;
     }
 
+    @Override
+    public void destroy() {
+        ecdhKeyPair.destroy();
+        ecdsaKeyPair.destroy();
+    }
+
+    @Override
+    public boolean isDestroyed() {
+        return ecdhKeyPair.isDestroyed() || ecdsaKeyPair.isDestroyed();
+    }
+
+    @Override
+    public final boolean equals(final Object o) {
+        if(!(o instanceof UserKeys)) {
+            return false;
+        }
+
+        UserKeys userKeys = (UserKeys) o;
+        return Objects.equals(ecdhKeyPair, userKeys.ecdhKeyPair) && Objects.equals(ecdsaKeyPair, userKeys.ecdsaKeyPair);
+    }
+
+    @Override
+    public int hashCode() {
+        int result = Objects.hashCode(ecdhKeyPair);
+        result = 31 * result + Objects.hashCode(ecdsaKeyPair);
+        return result;
+    }
+
     @Override
     public String toString() {
         final StringBuilder sb = new StringBuilder("UserKeys{");

hub/src/main/java/ch/iterate/hub/model/AccountKeyAndDeviceName.java

@@ -6,12 +6,8 @@
 
 public class AccountKeyAndDeviceName {
     private String accountKey;
-
     private String deviceName;
 
-    public AccountKeyAndDeviceName() {
-    }
-
     public String accountKey() {
         return accountKey;
     }

hub/src/main/java/ch/iterate/hub/protocols/hub/HubGrantAccessSchedulerService.java

@@ -5,46 +5,55 @@
 package ch.iterate.hub.protocols.hub;
 
 import ch.cyberduck.core.Host;
+import ch.cyberduck.core.HostPasswordStore;
 import ch.cyberduck.core.PasswordCallback;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.shared.OneTimeSchedulerFeature;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import java.util.List;
+
 import ch.iterate.hub.client.ApiException;
-import ch.iterate.hub.client.api.DeviceResourceApi;
-import ch.iterate.hub.client.api.UsersResourceApi;
 import ch.iterate.hub.client.api.VaultResourceApi;
-import ch.iterate.hub.core.FirstLoginDeviceSetupCallbackFactory;
+import ch.iterate.hub.client.model.Role;
+import ch.iterate.hub.client.model.VaultDto;
+import ch.iterate.hub.crypto.UserKeys;
 import ch.iterate.hub.protocols.hub.exceptions.HubExceptionMappingService;
-import ch.iterate.hub.workflows.CachingUserKeysService;
-import ch.iterate.hub.workflows.CachingWoTService;
+import ch.iterate.hub.workflows.DeviceKeysServiceImpl;
 import ch.iterate.hub.workflows.GrantAccessServiceImpl;
 import ch.iterate.hub.workflows.UserKeysServiceImpl;
-import ch.iterate.hub.workflows.VaultServiceImpl;
-import ch.iterate.hub.workflows.WoTServiceImpl;
 import ch.iterate.hub.workflows.exceptions.AccessException;
 import ch.iterate.hub.workflows.exceptions.SecurityFailure;
 
 public class HubGrantAccessSchedulerService extends OneTimeSchedulerFeature<Host> {
     private static final Logger log = LogManager.getLogger(HubGrantAccessSchedulerService.class);
 
     private final HubSession session;
+    private final HostPasswordStore keychain;
 
-    public HubGrantAccessSchedulerService(final HubSession session) {
+    public HubGrantAccessSchedulerService(final HubSession session, final HostPasswordStore keychain) {
         this.session = session;
+        this.keychain = keychain;
     }
 
     @Override
     public Host operate(final PasswordCallback callback) throws BackgroundException {
         log.info("Scheduler for {}", session.getHost());
         try {
-            final GrantAccessServiceImpl service = new GrantAccessServiceImpl(new VaultResourceApi(session.getClient()), new UsersResourceApi(session.getClient()),
-                    new CachingUserKeysService(new UserKeysServiceImpl(new UsersResourceApi(session.getClient()), new DeviceResourceApi(session.getClient()))),
-                    new VaultServiceImpl(new VaultResourceApi(session.getClient())),
-                    new CachingWoTService(new WoTServiceImpl(new UsersResourceApi(session.getClient()))));
-            service.grantAccessToUsersRequiringAccessGrant(session.getHost(), FirstLoginDeviceSetupCallbackFactory.get());
+            final UserKeys userKeys = new UserKeysServiceImpl(session).getUserKeys(session.getHost(), session.getMe(),
+                    new DeviceKeysServiceImpl(keychain).getDeviceKeys(session.getHost()));
+            final List<VaultDto> accessibleVaults = new VaultResourceApi(session.getClient()).apiVaultsAccessibleGet(Role.OWNER);
+            final GrantAccessServiceImpl service = new GrantAccessServiceImpl(session);
+            for(final VaultDto accessibleVault : accessibleVaults) {
+                if(Boolean.TRUE.equals(accessibleVault.getArchived())) {
+                    log.debug("Skip archived vault {}", accessibleVault);
+                    continue;
+                }
+                service.grantAccessToUsersRequiringAccessGrant(accessibleVault.getId(), userKeys);
+            }
+            userKeys.destroy();
         }
         catch(ApiException e) {
             log.error("Scheduler for {}: Automatic Access Grant failed.", session.getHost(), e);