Fix creating bucket in requested region. Upload dir.uvf for root dir.

Author: chenkins

hub/src/main/java/cloud/katta/crypto/uvf/UvfMetadataPayload.java

@@ -132,8 +132,7 @@ public byte[] computeRootDirUvf() throws JsonProcessingException {
         final Cryptor cryptor = provider.provide(masterKey, FastSecureRandomProvider.get().provide());
         DirectoryMetadata rootDirMetadata = cryptor.directoryContentCryptor().rootDirectoryMetadata();
         DirectoryContentCryptor dirContentCryptor = cryptor.directoryContentCryptor();
-        byte[] rootDirUvfFileContents = dirContentCryptor.encryptDirectoryMetadata(rootDirMetadata);
-        return rootDirUvfFileContents;
+        return dirContentCryptor.encryptDirectoryMetadata(rootDirMetadata);
     }
 
     public static final class UniversalVaultFormatJWKS {

hub/src/main/java/cloud/katta/workflows/CreateVaultService.java

@@ -26,6 +26,7 @@
 
 import java.io.IOException;
 import java.nio.charset.Charset;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.UUID;
@@ -96,6 +97,7 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
                     .withStorage(new VaultMetadataJWEBackendDto()
                             .provider(storageProfileWrapper.getId().toString())
                             .defaultPath(storageProfileWrapper.getProtocol() == Protocol.S3_STS ? storageProfileWrapper.getBucketPrefix() + vaultModel.vaultId() : vaultModel.bucketName())
+                            .region(vaultModel.region())
                             .nickname(vaultModel.vaultName())
                             .username(vaultModel.accessKeyId())
                             .password(vaultModel.secretKey()))
@@ -119,12 +121,12 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
                     .uvfKeySet(jwks.serializePublicRecoverykey());
 
             final String hashedRootDirId = metadataPayload.computeRootDirIdHash();
-            final byte[] rootDirUvf = metadataPayload.computeRootDirUvf();
             final CreateS3STSBucketDto storageDto = new CreateS3STSBucketDto()
                     .vaultId(vaultModel.vaultId().toString())
                     .storageConfigId(storageProfileWrapper.getId())
                     .vaultUvf(uvfMetadataFile)
                     .rootDirHash(hashedRootDirId)
+                    .dirUvf(Base64.getUrlEncoder().encodeToString(metadataPayload.computeRootDirUvf()))
                     .region(metadataPayload.storage().getRegion());
             log.debug("Created storage dto {}", storageDto);
 
@@ -135,7 +137,7 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
                     configResource.apiConfigGet(), vaultDto.getId(), metadataPayload.storage(), tokens);
             if(storageProfileWrapper.getProtocol() == Protocol.S3) {
                 // permanent: template upload into existing bucket from client (not backend)
-                templateUploadService.uploadTemplate(bookmark, metadataPayload, storageDto, hashedRootDirId, rootDirUvf);
+                templateUploadService.uploadTemplate(bookmark, metadataPayload, storageDto, hashedRootDirId);
             }
             else {
                 // non-permanent: pass STS tokens (restricted by inline policy) to hub backend and have bucket created from there
@@ -174,19 +176,19 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
     static class TemplateUploadService {
         static TemplateUploadService disabled = new TemplateUploadService() {
             @Override
-            void uploadTemplate(final Host bookmark, final UvfMetadataPayload metadataPayload, final CreateS3STSBucketDto storageDto, final String hashedRootDirId, final byte[] rootDirUvf) {
+            void uploadTemplate(final Host bookmark, final UvfMetadataPayload metadataPayload, final CreateS3STSBucketDto storageDto, final String hashedRootDirId) {
                 // do nothing
             }
         };
 
-        void uploadTemplate(final Host bookmark, final UvfMetadataPayload metadataPayload, final CreateS3STSBucketDto storageDto, final String hashedRootDirId, final byte[] rootDirUvf) throws BackgroundException {
+        void uploadTemplate(final Host bookmark, final UvfMetadataPayload metadataPayload, final CreateS3STSBucketDto storageDto, final String hashedRootDirId) throws BackgroundException {
             final S3Session session = new S3Session(bookmark);
             session.open(new DisabledProxyFinder(), new DisabledHostKeyCallback(), new DisabledLoginCallback(), new DisabledCancelCallback());
             session.login(new DisabledLoginCallback(), new DisabledCancelCallback());
 
             // upload vault template
             new HubUVFVault(session, new Path(metadataPayload.storage().getDefaultPath(), EnumSet.of(Path.Type.directory, Path.Type.vault)))
-                    .create(session, metadataPayload.storage().getRegion(), storageDto.getVaultUvf(), hashedRootDirId, rootDirUvf);
+                    .create(session, metadataPayload.storage().getRegion(), storageDto.getVaultUvf(), hashedRootDirId, Base64.getUrlDecoder().decode(storageDto.getDirUvf()));
             session.close();
         }
     }

hub/src/main/resources/sts_create_bucket_inline_policy_template.json

@@ -19,9 +19,9 @@
         "s3:PutObject"
       ],
       "Resource": [
-        "arn:aws:s3:::{}/vault.uvf",
+        "arn:aws:s3:::{}/*.uvf",
         "arn:aws:s3:::{}/*/"
       ]
     }
   ]
-}
+}

hub/src/test/resources/.env

@@ -1,4 +1,4 @@
-KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:1.5.0-SNAPSHOT-ci
+KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:commit-940cd56264fc0a53619e1af995ef9b33bfe23015-ci
 HUB_PORT=8080
 HUB_KEYCLOAK_URL=http://localhost:8180
 HUB_KEYCLOAK_BASEPATH=

hub/src/test/resources/.hybrid.env

@@ -1,4 +1,4 @@
-KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:1.5.0-SNAPSHOT-ci
+KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:commit-940cd56264fc0a53619e1af995ef9b33bfe23015-ci
 HUB_PORT=8280
 HUB_KEYCLOAK_URL=https://testing.katta.cloud
 HUB_KEYCLOAK_BASEPATH=/kc

hub/src/test/resources/.local.env

@@ -1,4 +1,4 @@
-KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:1.5.0-SNAPSHOT-ci
+KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:commit-940cd56264fc0a53619e1af995ef9b33bfe23015-ci
 HUB_PORT=8280
 HUB_KEYCLOAK_URL=http://localhost:8380
 HUB_KEYCLOAK_BASEPATH=

hub/src/test/resources/log4j-test.xml

@@ -31,6 +31,7 @@
         <Logger name="testrunner" level="info"/>
         <Logger name="ch.cyberduck" level="warn"/>
         <Logger name="ch.cyberduck.core.cryptomator" level="debug"/>
+        <Logger name="ch.cyberduck.core.s3" level="debug"/>
         <Logger name="ch.cyberduck.transcript" level="info"/>
         <Logger name="org.apache.http.wire" additivity="true" level="debug">
             <AppenderRef ref="rollingFile"/>

hub/src/test/resources/setup/aws_sts/cipherduck_chain_02_permissionpolicy.json

@@ -1,26 +1,27 @@
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "s3:GetBucketLocation",
-        "s3:ListBucket",
-        "s3:ListBucketMultipartUploads",
-        "s3:GetBucketVersioning"
-      ],
-      "Resource": "arn:aws:s3:::cipherduck${aws:PrincipalTag/VaultRequested}"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "s3:GetObject",
-        "s3:PutObject",
-        "s3:DeleteObject",
-        "s3:ListMultipartUploadParts",
-        "s3:AbortMultipartUpload"
-      ],
-      "Resource": "arn:aws:s3:::cipherduck${aws:PrincipalTag/VaultRequested}/*"
-    }
-  ]
-}
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetBucketLocation",
+                "s3:ListBucket",
+                "s3:ListBucketMultipartUploads",
+                "s3:GetBucketVersioning",
+                "s3:ListBucketVersions"
+            ],
+            "Resource": "arn:aws:s3:::cipherduck${aws:PrincipalTag/VaultRequested}"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:PutObject",
+                "s3:DeleteObject",
+                "s3:ListMultipartUploadParts",
+                "s3:AbortMultipartUpload"
+            ],
+            "Resource": "arn:aws:s3:::cipherduck${aws:PrincipalTag/VaultRequested}/*"
+        }
+    ]
+}

hub/src/test/resources/setup/aws_sts/createbucketpermissionpolicy.json

@@ -21,9 +21,9 @@
         "s3:PutObject"
       ],
       "Resource": [
-        "arn:aws:s3:::cipherduck*/vault.uvf",
+        "arn:aws:s3:::cipherduck*/*.uvf",
         "arn:aws:s3:::cipherduck*/*/"
       ]
     }
   ]
-}
+}

hub/src/test/resources/setup/minio_sts/createbucketpolicy.json

@@ -20,7 +20,7 @@
       ],
       "Resource": [
         "arn:aws:s3:::katta*/*/",
-        "arn:aws:s3:::katta*/vault.uvf"
+        "arn:aws:s3:::katta*/*.uvf"
       ]
     }
   ]