Refactor to load vaults only once with short-lived user keys.

Author: dkocher

hub/src/main/java/cloud/katta/protocols/hub/HubSession.java

@@ -30,14 +30,13 @@
 import ch.cyberduck.core.oauth.OAuth2AuthorizationService;
 import ch.cyberduck.core.oauth.OAuth2ErrorResponseInterceptor;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
-import ch.cyberduck.core.preferences.PreferencesFactory;
+import ch.cyberduck.core.preferences.HostPreferencesFactory;
 import ch.cyberduck.core.proxy.ProxyFinder;
 import ch.cyberduck.core.ssl.X509KeyManager;
 import ch.cyberduck.core.ssl.X509TrustManager;
 import ch.cyberduck.core.synchronization.ComparisonService;
 import ch.cyberduck.core.threading.CancelCallback;
 import ch.cyberduck.core.transfer.TransferStatus;
-import ch.cyberduck.core.vault.VaultRegistry;
 
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.logging.log4j.LogManager;
@@ -54,6 +53,7 @@
 import cloud.katta.client.model.ConfigDto;
 import cloud.katta.client.model.UserDto;
 import cloud.katta.core.DeviceSetupCallback;
+import cloud.katta.crypto.DeviceKeys;
 import cloud.katta.crypto.UserKeys;
 import cloud.katta.protocols.hub.exceptions.HubExceptionMappingService;
 import cloud.katta.protocols.hub.serializer.HubConfigDtoDeserializer;
@@ -77,18 +77,24 @@ public class HubSession extends HttpSession<HubApiClient> {
      */
     private final Scheduler<?> access = new HubGrantAccessSchedulerService(this, keychain);
 
-    private HubVaultListService vaults;
-
     /**
      * Interceptor for OpenID connect flow
      */
     private OAuth2RequestInterceptor authorizationService;
+
     private UserDto me;
+    private ConfigDto config;
+    private UserKeys userKeys;
+    private AttributedList<Path> vaults;
 
     public HubSession(final Host host, final X509TrustManager trust, final X509KeyManager key) {
         super(host, trust, key);
     }
 
+    public static HubSession coerce(final Session<?> session) {
+        return (HubSession) session;
+    }
+
     @Override
     protected HubApiClient connect(final ProxyFinder proxy, final HostKeyCallback key,
                                    final LoginCallback prompt, final CancelCallback cancel) throws BackgroundException {
@@ -99,20 +105,19 @@ protected HubApiClient connect(final ProxyFinder proxy, final HostKeyCallback ke
             final HubApiClient client = new HubApiClient(host, configuration.build());
             try {
                 // Obtain OAuth configuration
-                final ConfigDto configDto = new ConfigResourceApi(client).apiConfigGet();
-
-                int minHubApiLevel = PreferencesFactory.get().getInteger("cloud.katta.min_api_level");
-                final Integer apiLevel = configDto.getApiLevel();
+                config = new ConfigResourceApi(client).apiConfigGet();
+                final int minHubApiLevel = HostPreferencesFactory.get(host).getInteger("cloud.katta.min_api_level");
+                final Integer apiLevel = config.getApiLevel();
                 if(apiLevel == null || apiLevel < minHubApiLevel) {
                     final String detail = String.format("Client requires API level at least %s, found %s, for hub %s", minHubApiLevel, apiLevel, host);
                     log.error(detail);
                     throw new InteroperabilityException(LocaleFactory.localizedString("Login failed", "Credentials"), detail);
                 }
 
-                final String hubId = configDto.getUuid();
+                final String hubId = config.getUuid();
                 log.debug("Configure bookmark with id {}", hubId);
                 host.setUuid(hubId);
-                final Profile profile = new Profile(bundled, new HubConfigDtoDeserializer(configDto));
+                final Profile profile = new Profile(bundled, new HubConfigDtoDeserializer(config));
                 log.debug("Apply profile {} to bookmark {}", profile, host);
                 host.setProtocol(profile);
             }
@@ -156,27 +161,32 @@ public void login(final LoginCallback prompt, final CancelCallback cancel) throw
             // Ensure device key is available
             final DeviceSetupCallback setup = prompt.getFeature(DeviceSetupCallback.class);
             log.debug("Configured with setup prompt {}", setup);
-            this.pair(setup);
+            userKeys = this.pair(setup);
             // Ensure vaults are registered
-            final OAuthTokens tokens = new OAuthTokens(credentials.getOauth().getAccessToken(), credentials.getOauth().getRefreshToken(), credentials.getOauth().getExpiryInMilliseconds(),
-                    credentials.getOauth().getIdToken());
-            vaults = new HubVaultListService(this, tokens);
-            vaults.list(Home.root(), new DisabledListProgressListener());
+            try {
+                vaults = new HubVaultListService(this, prompt).list(Home.root(), new DisabledListProgressListener());
+            }
+            finally {
+                // Short-lived
+                userKeys.destroy();
+            }
         }
         catch(ApiException e) {
             throw new HubExceptionMappingService().map(e);
         }
     }
 
-    private void pair(final DeviceSetupCallback setup) throws BackgroundException {
+    private UserKeys pair(final DeviceSetupCallback setup) throws BackgroundException {
         try {
-            final UserKeys userKeys = new UserKeysServiceImpl(this, keychain).getOrCreateUserKeys(host, me,
-                    new DeviceKeysServiceImpl(keychain).getOrCreateDeviceKeys(host, setup), setup);
+            final DeviceKeys deviceKeys = new DeviceKeysServiceImpl(keychain).getOrCreateDeviceKeys(host, setup);
+            log.debug("Retrieved device keys {}", deviceKeys);
+            final UserKeys userKeys = new UserKeysServiceImpl(this, keychain).getOrCreateUserKeys(host, me, deviceKeys, setup);
             log.debug("Retrieved user keys {}", userKeys);
+            return userKeys;
         }
         catch(SecurityFailure e) {
             // Repeat until canceled by user
-            this.pair(setup);
+            return this.pair(setup);
         }
         catch(AccessException e) {
             throw new ConnectionCanceledException(e);
@@ -192,15 +202,35 @@ protected void logout() {
         client.getHttpClient().close();
     }
 
+    /**
+     *
+     * @return Null prior login
+     */
     public UserDto getMe() {
         return me;
     }
 
+    /**
+     *
+     * @return Null when not connected
+     */
+    public ConfigDto getConfig() {
+        return config;
+    }
+
+    /**
+     *
+     * @return Destroyed keys after login
+     */
+    public UserKeys getUserKeys() {
+        return userKeys;
+    }
+
     @Override
     @SuppressWarnings("unchecked")
     public <T> T _getFeature(final Class<T> type) {
         if(type == ListService.class) {
-            return (T) vaults;
+            return (T) (ListService) (directory, listener) -> vaults;
         }
         if(type == Scheduler.class) {
             return (T) access;

hub/src/main/java/cloud/katta/protocols/hub/HubUVFVault.java

@@ -4,44 +4,79 @@
 
 package cloud.katta.protocols.hub;
 
-import ch.cyberduck.core.AbstractPath;
+import ch.cyberduck.core.Credentials;
 import ch.cyberduck.core.DisabledCancelCallback;
 import ch.cyberduck.core.DisabledHostKeyCallback;
-import ch.cyberduck.core.DisabledListProgressListener;
 import ch.cyberduck.core.DisabledLoginCallback;
-import ch.cyberduck.core.ListService;
+import ch.cyberduck.core.Host;
 import ch.cyberduck.core.PasswordCallback;
 import ch.cyberduck.core.Path;
+import ch.cyberduck.core.PathAttributes;
+import ch.cyberduck.core.Protocol;
+import ch.cyberduck.core.ProtocolFactory;
 import ch.cyberduck.core.Session;
-import ch.cyberduck.core.cryptomator.ContentWriter;
+import ch.cyberduck.core.SessionFactory;
 import ch.cyberduck.core.cryptomator.UVFVault;
 import ch.cyberduck.core.exception.BackgroundException;
+import ch.cyberduck.core.exception.InteroperabilityException;
 import ch.cyberduck.core.exception.UnsupportedException;
-import ch.cyberduck.core.features.Directory;
-import ch.cyberduck.core.features.Write;
-import ch.cyberduck.core.preferences.PreferencesFactory;
+import ch.cyberduck.core.features.AttributesFinder;
 import ch.cyberduck.core.proxy.ProxyFactory;
-import ch.cyberduck.core.transfer.TransferStatus;
+import ch.cyberduck.core.ssl.X509KeyManager;
+import ch.cyberduck.core.ssl.X509TrustManager;
+import ch.cyberduck.core.vault.VaultUnlockCancelException;
 
+import org.apache.http.HttpStatus;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import java.nio.charset.StandardCharsets;
 import java.util.EnumSet;
+import java.util.UUID;
+
+import cloud.katta.client.ApiException;
+import cloud.katta.crypto.uvf.UvfMetadataPayload;
+import cloud.katta.crypto.uvf.UvfMetadataPayloadPasswordCallback;
+import cloud.katta.crypto.uvf.VaultMetadataJWEBackendDto;
+import cloud.katta.protocols.hub.exceptions.HubExceptionMappingService;
+import cloud.katta.workflows.VaultServiceImpl;
+import cloud.katta.workflows.exceptions.AccessException;
+import cloud.katta.workflows.exceptions.SecurityFailure;
+import com.fasterxml.jackson.core.JsonProcessingException;
+
+import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT;
 
 /**
  * Unified vault format (UVF) implementation for Katta
  */
 public class HubUVFVault extends UVFVault {
     private static final Logger log = LogManager.getLogger(HubUVFVault.class);
 
-    private final Session<?> storage;
-    private final Path home;
+    private final UUID vaultId;
+
+    /**
+     * Storage connection only available after loading vault
+     */
+    private Session<?> storage;
 
-    public HubUVFVault(final Session<?> storage, final Path home) {
+    /**
+     * Constructor for factory creating new vault
+     *
+     * @param home Bucket
+     */
+    public HubUVFVault(final Path home) {
         super(home);
-        this.storage = storage;
-        this.home = home;
+        this.vaultId = UUID.fromString(home.getName());
+    }
+
+    /**
+     * Open from existing metadata
+     *
+     * @param vaultId Vault ID Used to lookup profile
+     * @param bucket  Bucket name
+     */
+    public HubUVFVault(final UUID vaultId, final String bucket) {
+        super(new Path(bucket, EnumSet.of(Path.Type.directory, Path.Type.volume)));
+        this.vaultId = vaultId;
     }
 
     public Session<?> getStorage() {
@@ -73,46 +108,66 @@ public synchronized void close() {
     }
 
     /**
-     * Upload vault template into existing bucket (permanent credentials)
+     *
+     * @param session Hub Connection
+     * @param prompt  Return user keys
+     * @return Vault configuration with storage connection
      */
-    // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 review @dko check method signature?
-    public synchronized Path create(final Session<?> session, final String region, final String metadata, final String hashedRootDirId, final byte[] rootDirUvf) throws BackgroundException {
-        log.debug("Uploading vault template {} in {} ", home, session.getHost());
-
-        // N.B. there seems to be no API to check write permissions without actually writing.
-        if(!session.getFeature(ListService.class).list(home, new DisabledListProgressListener()).isEmpty()) {
-            throw new BackgroundException("Bucket not empty", String.format("Cannot upload bucket %s in %s is not empty.", home, session.getHost()));
+    @Override
+    public HubUVFVault load(final Session<?> session, final PasswordCallback prompt) throws BackgroundException {
+        try {
+            final HubSession hub = HubSession.coerce(session);
+            // Find storage configuration in vault metadata
+            final VaultServiceImpl vaultService = new VaultServiceImpl(hub);
+            final UvfMetadataPayload vaultMetadata = vaultService.getVaultMetadataJWE(vaultId, hub.getUserKeys());
+            final Protocol profile = ProtocolFactory.get().forName(vaultId.toString());
+            log.debug("Loaded profile {} for vault {}", profile, this);
+            final Credentials credentials = new Credentials(hub.getHost().getCredentials());
+            log.debug("Copy credentials {}", credentials);
+            final VaultMetadataJWEBackendDto vaultStorageMetadata = vaultMetadata.storage();
+            if(vaultStorageMetadata.getUsername() != null) {
+                credentials.setUsername(vaultStorageMetadata.getUsername());
+            }
+            if(vaultStorageMetadata.getPassword() != null) {
+                credentials.setPassword(vaultStorageMetadata.getPassword());
+            }
+            final Host bookmark = new Host(profile, credentials);
+            log.debug("Configure bookmark for vault {}", vaultStorageMetadata);
+            bookmark.setNickname(vaultStorageMetadata.getNickname());
+            bookmark.setDefaultPath(vaultStorageMetadata.getDefaultPath());
+            bookmark.setProperty(OAUTH_TOKENEXCHANGE_VAULT, vaultId.toString());
+            // region as chosen by user upon vault creation (STS) or as retrieved from bucket (permanent)
+            bookmark.setRegion(vaultStorageMetadata.getRegion());
+            log.debug("Configured {} for vault {}", bookmark, this);
+            storage = SessionFactory.create(bookmark, session.getFeature(X509TrustManager.class), session.getFeature(X509KeyManager.class));
+            log.debug("Connect to {}", storage);
+            storage.open(ProxyFactory.get(), new DisabledHostKeyCallback(), new DisabledLoginCallback(), new DisabledCancelCallback());
+            storage.login(new DisabledLoginCallback(), new DisabledCancelCallback());
+            final PathAttributes attr = storage.getFeature(AttributesFinder.class).find(home);
+            attr.setDisplayname(vaultMetadata.storage().getNickname());
+            home.setAttributes(attr);
+            log.debug("Initialize vault {} with metadata {}", this, vaultMetadata);
+            // Initialize cryptors
+            super.load(storage, new UvfMetadataPayloadPasswordCallback(vaultMetadata.toJSON()));
+            return this;
+        }
+        catch(ApiException e) {
+            if(HttpStatus.SC_FORBIDDEN == e.getCode()) {
+                throw new VaultUnlockCancelException(this, e);
+            }
+            throw new HubExceptionMappingService().map(e);
+        }
+        catch(JsonProcessingException | SecurityFailure | AccessException e) {
+            throw new InteroperabilityException(e.getMessage(), e);
         }
-
-        // See https://github.com/cryptomator/hub/blob/develop/frontend/src/common/vaultconfig.ts
-        //        zip.file('vault.cryptomator', this.vaultConfigToken);
-        //        zip.folder('d')?.folder(this.rootDirHash.substring(0, 2))?.folder(this.rootDirHash.substring(2));
-
-        // /vault.uvf
-        new ContentWriter(session).write(new Path(home, PreferencesFactory.get().getProperty("cryptomator.vault.config.filename"), EnumSet.of(AbstractPath.Type.file, AbstractPath.Type.vault)), metadata.getBytes(StandardCharsets.US_ASCII));
-        Directory<?> directory = (Directory<?>) session._getFeature(Directory.class);
-
-        // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 implement CryptoDirectory for uvf
-        //        Path secondLevel = this.directoryProvider.toEncrypted(session, this.home.attributes().getDirectoryId(), this.home);
-        final Path secondLevel = new Path(String.format("/%s/d/%s/%s/", session.getHost().getDefaultPath(), hashedRootDirId.substring(0, 2), hashedRootDirId.substring(2)), EnumSet.of(AbstractPath.Type.directory));
-        final Path firstLevel = secondLevel.getParent();
-        final Path dataDir = firstLevel.getParent();
-        log.debug("Create vault root directory at {}", secondLevel);
-        final TransferStatus status = (new TransferStatus()).setRegion(region);
-
-        directory.mkdir(session._getFeature(Write.class), dataDir, status);
-        directory.mkdir(session._getFeature(Write.class), firstLevel, status);
-        directory.mkdir(session._getFeature(Write.class), secondLevel, status);
-        new ContentWriter(session).write(new Path(secondLevel, "dir.uvf", EnumSet.of(AbstractPath.Type.file)), rootDirUvf);
-        return home;
     }
 
     @Override
-    public HubUVFVault load(final Session<?> ignore, final PasswordCallback prompt) throws BackgroundException {
-        log.debug("Connect to {}", storage);
-        storage.open(ProxyFactory.get(), new DisabledHostKeyCallback(), new DisabledLoginCallback(), new DisabledCancelCallback());
-        storage.login(new DisabledLoginCallback(), new DisabledCancelCallback());
-        super.load(storage, prompt);
-        return this;
+    public String toString() {
+        final StringBuilder sb = new StringBuilder("HubUVFVault{");
+        sb.append("storage=").append(storage);
+        sb.append(", vaultId=").append(vaultId);
+        sb.append('}');
+        return sb.toString();
     }
 }