Make user keys short-lived.

dkocher · dkocher · commit b23ef58880fc · 2025-10-16T13:10:13.000+02:00
diff --git a/hub/src/main/java/cloud/katta/protocols/hub/HubSession.java b/hub/src/main/java/cloud/katta/protocols/hub/HubSession.java
@@ -89,8 +89,11 @@ public class HubSession extends HttpSession<HubApiClient> {
 
     private UserDto me;
     private ConfigDto config;
-    private UserKeys userKeys;
-    private AttributedList<Path> vaults;
+
+    private final ExpiringObjectHolder<UserKeys> userKeys
+            = new ExpiringObjectHolder<>(preferences.getLong("katta.userkeys.ttl"));
+
+    private HubVaultListService vaults;
 
     public HubSession(final Host host, final X509TrustManager trust, final X509KeyManager key) {
         super(host, trust, key);
@@ -166,7 +169,7 @@ public void login(final LoginCallback prompt, final CancelCallback cancel) throw
             // Ensure device key is available
             final DeviceSetupCallback setup = prompt.getFeature(DeviceSetupCallback.class);
             log.debug("Configured with setup prompt {}", setup);
-            userKeys = this.pair(setup);
+            userKeys.set(this.pair(setup));
             final List<StorageProfileDto> storageProfileDtos = new StorageProfileResourceApi(client).apiStorageprofileGet(false);
             for(StorageProfileDto storageProfileDto : storageProfileDtos) {
                 final StorageProfileDtoWrapper storageProfile = StorageProfileDtoWrapper.coerce(storageProfileDto);
@@ -184,8 +187,7 @@ public void login(final LoginCallback prompt, final CancelCallback cancel) throw
                         throw new InteroperabilityException(String.format("Unsupported storage configuration %s", storageProfile.getProtocol().name()));
                 }
             }
-            // Ensure vaults are registered
-            vaults = new HubVaultListService(this, prompt).list(Home.root(), new DisabledListProgressListener());
+            vaults = new HubVaultListService(this, prompt);
         }
         catch(ApiException e) {
             throw new HubExceptionMappingService().map(e);
@@ -230,18 +232,18 @@ public UserDto getMe() {
      *
      * @return Destroyed keys after login
      */
-    public UserKeys getUserKeys() {
-        return userKeys;
+    public UserKeys getUserKeys(final DeviceSetupCallback setup) throws BackgroundException {
+        if(userKeys.get() == null) {
+            userKeys.set(this.pair(setup));
+        }
+        return userKeys.get();
     }
 
     @Override
     @SuppressWarnings("unchecked")
     public <T> T _getFeature(final Class<T> type) {
         if(type == ListService.class) {
-            return (T) (ListService) (Path directory, ListProgressListener listener) -> {
-                listener.chunk(directory, vaults);
-                return vaults;
-            };
+            return (T) vaults;
         }
         if(type == Scheduler.class) {
             return (T) access;
diff --git a/hub/src/main/java/cloud/katta/protocols/hub/HubUVFVault.java b/hub/src/main/java/cloud/katta/protocols/hub/HubUVFVault.java
@@ -37,6 +37,7 @@
 import cloud.katta.client.api.VaultResourceApi;
 import cloud.katta.client.model.UserDto;
 import cloud.katta.client.model.VaultDto;
+import cloud.katta.core.DeviceSetupCallback;
 import cloud.katta.crypto.UserKeys;
 import cloud.katta.crypto.uvf.UvfMetadataPayload;
 import cloud.katta.crypto.uvf.UvfMetadataPayloadPasswordCallback;
@@ -182,7 +183,8 @@ public Path create(final Session<?> session, final String region, final VaultCre
             // Upload JWE
             log.debug("Grant access to vault {}", vaultDto);
             final UserDto userDto = hub.getMe();
-            final UserKeys userKeys = hub.getUserKeys();
+            final DeviceSetupCallback setup = prompt.getFeature(DeviceSetupCallback.class);
+            final UserKeys userKeys = hub.getUserKeys(setup);
             vaultResourceApi.apiVaultsVaultIdAccessTokensPost(vaultDto.getId(),
                     Collections.singletonMap(userDto.getId(), jwks.toOwnerAccessToken().encryptForUser(userKeys.ecdhKeyPair().getPublic())));
             // Upload vault template to storage
diff --git a/hub/src/main/java/cloud/katta/protocols/hub/HubVaultListService.java b/hub/src/main/java/cloud/katta/protocols/hub/HubVaultListService.java
@@ -25,6 +25,7 @@
 import cloud.katta.client.ApiException;
 import cloud.katta.client.api.VaultResourceApi;
 import cloud.katta.client.model.VaultDto;
+import cloud.katta.core.DeviceSetupCallback;
 import cloud.katta.crypto.uvf.UvfMetadataPayload;
 import cloud.katta.protocols.hub.exceptions.HubExceptionMappingService;
 import cloud.katta.workflows.VaultServiceImpl;
@@ -57,7 +58,8 @@ public AttributedList<Path> list(final Path directory, final ListProgressListene
                     try {
                         // Find storage configuration in vault metadata
                         final VaultServiceImpl vaultService = new VaultServiceImpl(session);
-                        final UvfMetadataPayload vaultMetadata = vaultService.getVaultMetadataJWE(vaultDto.getId(), session.getUserKeys());
+                        final DeviceSetupCallback setup = prompt.getFeature(DeviceSetupCallback.class);
+                        final UvfMetadataPayload vaultMetadata = vaultService.getVaultMetadataJWE(vaultDto.getId(), session.getUserKeys(setup));
                         final HubUVFVault vault = new HubUVFVault(session, vaultDto.getId(), vaultMetadata, prompt);
                         try {
                             registry.add(vault.load(session, prompt));
diff --git a/hub/src/test/resources/Katta Server.cyberduckprofile b/hub/src/test/resources/Katta Server.cyberduckprofile
@@ -38,5 +38,10 @@
         <false/>
         <key>Username Configurable</key>
         <false/>
+        <key>Properties</key>
+        <dict>
+            <key>katta.userkeys.ttl</key>
+            <string>3600</string>
+        </dict>
     </dict>
 </plist>
