integrate with EKM to pull keys during setup #1168
Comments
@DenBond7 this task is ready to implement. Maybe you will want to do some prep work first in a separate PR, a client class for EKM, things like that. You can then test this functionality on your company account - the OrgRules are not fully matching there but the EKM URL is there, so you can authenticate with the EKM and try retrieving your keys etc. as if the OrgRules were set that way. Then you can mock it up.
@tomholub Could you clarify this one?
The current logic that we have for enterprise users is described in #748. I'd like to have more details about
Actually, for EKM, you can skip this access token handling - I just newly found out. Therefore, you can take the OIDC token and use it directly to call the GET keys endpoint.
Otherwise all good. It seems that you will have to implement #372 first as a prerequisite. Thank you for this chart!
I've updated the chart to fit all needs. |
Looks good! The final functionality will also be changed by #1202 but that's not relevant for this particular issue. It can be changed after. The outcome will be - instead of calling flowcrypt.com/api, the app will first try opportunistically calling https://fes.customerdomain.com to see if there is an API running there instead. If yes, use that, if no, use FlowCrypt backend. But that's for later. |
@DenBond7 Add tests for the following cases
Also a successful scenario test, in case you don't have it yet. |
* Refactored code. (#1168)
* Added some methods to OrgRules. (#1168)
* Fixed errors after merge
* Fixed OrgRules. Added skipping 'googlemail.com'. (#1168)
* Renamed EnterpriseDomainRulesViewModel to EkmLoginViewModel. (#1168)
* Modified EkmLoginViewModel. Added a dialog with 'retry' button in MainSignInFragment. (#1168)
* Handled a case when orgRules.usesKeyManager() == false. (#1168)
* Added handling of OrgRulesCombinationNotSupportedException. (#1168)
* Modified logic in EkmLoginViewModel. (#1168)
* Added '<ekm>/v1/keys/private' API things. (#1168)
* Fixed compilation errors after merge. (#1168)
* Added handling errors for EkmPrivateKeysResponse. (#1168)
* Added 'Key' model. Modified EkmPrivateKeysResponse. (#1168)
* Added showing an error if there are no private keys for a user (EKM). (#1168)
* Refactored code. (#1168)
* Rename EkmLoginViewModel to LoginViewModel. (#1168)
* Exported logic to separate ViewModel(s). Refactored code. (#1168)
* Improved retry policy. (#1168)
* Simplified logic of checking for unsupported OrgRules combination. (#1168)
* Refactored code. (#1168)
* Changed logic in RecheckProvidedPassphraseFragment to return a new passphrase to the caller. Refactored code. (#1168)
* Migrated SignInActivity to Navigation. (#1168)
* Refactored code. (#1168)
* Fixed navigation in sing_in_graph.xml (#1168)
* Added saving prv keys that were received from EKM to the local database. (#1168)
* Added configurable lost passphrase hint. (#1168)
* EkmViewModel. Added checking that all fetched keys are fully decrypted. (#1168)
* Modified logic of saving prv keys to the local database. (#1168)
* Fixed a bug in PgpKey after code refactoring. (#1168)
* Fixed typo. (#1168)
* Improved parsing keys in EkmViewModel. (#1168)
* Fixed typo. (#1168)
* Fixed AddOtherAccountFragmentTest. (#1168)
* Fixed SignInActivityEnterpriseTest. (#1168)
* Fixed JUnit tests. (#1168)
* Fixed lint warnings. (#1168)
* Fixed typo in names. (#1168)
* Fixed retry policy in some tests
* Added some tests in SignInActivityEnterpriseTest. (#1168)
* Added final tests in SignInActivityEnterpriseTest. Refactored code. (#1168)
* SignInActivityEnterpriseTest. Refactored code. (#1168)
part of #1298
EKM = Email Key Manager https://flowcrypt.com/docs/technical/enterprise/email-deployment-overview.html
OrgRule definitions https://flowcrypt.com/docs/business/org-rules.html
Here is the OrgRule class on browser - I know we already have an existing implementation here that may look different, but I would suggest aligning the Android approach (to parsing and using OrgRules) with the browser - by porting this class to Kotlin and using the same wording for methods. If we do this on all three platforms, it will be much easier to review: https://github.com/FlowCrypt/flowcrypt-browser/blob/master/extension/js/common/org-rules.ts
Immediately after authentication when we receive the OIDC and OrgRules, we should check if `orgRules.usesKeyManager() == true`. If yes, we should:

- `orgRules.mustAutoImportOrAutogenPrvWithKeyManager() == true`, and if not, skip the following steps (and instead show the regular setup flow)
- `orgRules.mustAutogenPassPhraseQuietly() == false`. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + PASS_PHRASE_QUIET_AUTOGEN) is not supported on this platform
- `orgRules.forbidStoringPassPhrase() == true`. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + missing FORBID_STORING_PASS_PHRASE) is not supported on iOS.
- `orgRules.mustSubmitToAttester() == false`. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + ENFORCE_ATTESTER_SUBMIT) is not supported on iOS.
- `orgRules.forbidCreatingPrivateKey() == true`. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + missing NO_PRV_CREATE) is not supported on iOS.
- `key_manager_url` OrgRule (already includes `https://`, but may or may not include a trailing slash - please normalize the URL to contain a trailing slash before you use the URL)
- `GET <ekm>/v1/keys/private`. Into the authorization header please put `Bearer <ID_TOKEN>`. On error, offer retry

The goal is that if the user has keys already configured on EKM and appropriate OrgRules are in place, they only need to authenticate and choose a pass phrase, and everything will be done automatically. After authentication and successful automatic setup, they will be sent to their inbox.

In this flow, do not submit any public key to attester.
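The sequence above, as an added example that is not FlowCrypt's code (neither the Android app's nor the browser's org-rules.ts). It is written in TypeScript because the issue points at the browser class as the reference to port; the method names follow the issue, the bodies are this example's own. Assumptions: OrgRules arrive as an object with a `flags` string array and an optional `key_manager_url`; EKM answers `GET <ekm>/v1/keys/private` with JSON of the shape `{ privateKeys: [{ decryptedPrivateKey }] }`; the HTTP transport is injected (synchronous here) so the example runs offline; `https://ekm.example.com`, `sample-id-token` and the key text are constructed sample data.

```typescript
// Added example, not FlowCrypt's code. Assumed input shape for OrgRules.
type OrgRulesJson = { flags?: string[]; key_manager_url?: string };

// Method names as used in the issue; implementation is this example's own.
class OrgRules {
  constructor(private readonly rules: OrgRulesJson) {}
  private has(flag: string): boolean {
    return (this.rules.flags ?? []).includes(flag);
  }
  usesKeyManager(): boolean { return !!this.rules.key_manager_url; }
  mustAutoImportOrAutogenPrvWithKeyManager(): boolean { return this.has('PRV_AUTOIMPORT_OR_AUTOGEN'); }
  mustAutogenPassPhraseQuietly(): boolean { return this.has('PASS_PHRASE_QUIET_AUTOGEN'); }
  forbidStoringPassPhrase(): boolean { return this.has('FORBID_STORING_PASS_PHRASE'); }
  mustSubmitToAttester(): boolean { return this.has('ENFORCE_ATTESTER_SUBMIT'); }
  forbidCreatingPrivateKey(): boolean { return this.has('NO_PRV_CREATE'); }
  // key_manager_url already carries https://; normalise it to end with a slash.
  getKeyManagerUrlForPrivateKeys(): string {
    const url = this.rules.key_manager_url ?? '';
    return url.endsWith('/') ? url : url + '/';
  }
}

type SetupFlow = { flow: 'ekm' } | { flow: 'regular' } | { flow: 'error'; reason: string };

// The gate from the issue: EKM auto-import only with this exact flag combination.
function decideSetupFlow(rules: OrgRules): SetupFlow {
  if (!rules.usesKeyManager() || !rules.mustAutoImportOrAutogenPrvWithKeyManager()) {
    return { flow: 'regular' };
  }
  const unsupported = (what: string): SetupFlow =>
    ({ flow: 'error', reason: `OrgRules combination PRV_AUTOIMPORT_OR_AUTOGEN + ${what} is not supported on this platform` });
  if (rules.mustAutogenPassPhraseQuietly()) return unsupported('PASS_PHRASE_QUIET_AUTOGEN');
  if (!rules.forbidStoringPassPhrase()) return unsupported('missing FORBID_STORING_PASS_PHRASE');
  if (rules.mustSubmitToAttester()) return unsupported('ENFORCE_ATTESTER_SUBMIT');
  if (!rules.forbidCreatingPrivateKey()) return unsupported('missing NO_PRV_CREATE');
  return { flow: 'ekm' };
}

type HttpRequest = { method: 'GET'; url: string; headers: Record<string, string> };
type HttpResponse = { status: number; body: string };
type HttpTransport = (req: HttpRequest) => HttpResponse; // injected; synchronous for the example
type EkmKey = { decryptedPrivateKey: string }; // assumed EKM response item shape

const ARMOR_HEADER = '-----BEGIN PGP PRIVATE KEY BLOCK-----';

// GET <ekm>/v1/keys/private with the OIDC ID token as Bearer. Transport errors and
// non-200 statuses are retried; an empty or malformed key list is a hard error.
function fetchEkmPrivateKeys(rules: OrgRules, idToken: string, http: HttpTransport, maxAttempts = 3): EkmKey[] {
  const req: HttpRequest = {
    method: 'GET',
    url: rules.getKeyManagerUrlForPrivateKeys() + 'v1/keys/private',
    headers: { Authorization: `Bearer ${idToken}` },
  };
  let lastError = '';
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    let res: HttpResponse | undefined;
    try {
      res = http(req);
    } catch (e) {
      lastError = `attempt ${attempt}: ${(e as Error).message}`;
    }
    if (!res) continue;
    if (res.status !== 200) { lastError = `attempt ${attempt}: HTTP ${res.status}`; continue; }
    const keys = (JSON.parse(res.body) as { privateKeys?: EkmKey[] }).privateKeys ?? [];
    if (keys.length === 0) throw new Error('EKM returned no private keys for this user');
    // Shape check only: a real client must parse each key and verify it is unencrypted
    // ("fully decrypted") before re-protecting it with the user's pass phrase and saving it.
    for (const k of keys) {
      if (!k.decryptedPrivateKey.startsWith(ARMOR_HEADER)) throw new Error('EKM returned a non-armored private key');
    }
    return keys;
  }
  throw new Error(`EKM request failed after ${maxAttempts} attempts (${lastError})`);
}

// Constructed transport: answers 503 `failures` times, rejects a wrong Bearer token, else
// returns one sample key. Records every request so the retry count can be inspected.
function makeSampleTransport(failures: number): HttpTransport & { calls: HttpRequest[] } {
  const calls: HttpRequest[] = [];
  const transport = ((req: HttpRequest): HttpResponse => {
    calls.push(req);
    if (calls.length <= failures) return { status: 503, body: 'try later' };
    if (req.headers.Authorization !== 'Bearer sample-id-token') return { status: 401, body: '' };
    const sample: EkmKey = { decryptedPrivateKey: `${ARMOR_HEADER}\n(constructed sample, not a real key)\n-----END PGP PRIVATE KEY BLOCK-----` };
    return { status: 200, body: JSON.stringify({ privateKeys: [sample] }) };
  }) as HttpTransport & { calls: HttpRequest[] };
  transport.calls = calls;
  return transport;
}

// Constructed OrgRules matching the supported combination; URL deliberately lacks the slash.
const sampleRules = new OrgRules({
  flags: ['PRV_AUTOIMPORT_OR_AUTOGEN', 'FORBID_STORING_PASS_PHRASE', 'NO_PRV_CREATE'],
  key_manager_url: 'https://ekm.example.com',
});

// Whole flow for the sample: gate, fetch with one retry, and no attester submission anywhere.
function runSampleSetup(): { flow: string; keyCount: number; attempts: number } {
  const decision = decideSetupFlow(sampleRules);
  if (decision.flow !== 'ekm') return { flow: decision.flow, keyCount: 0, attempts: 0 };
  const http = makeSampleTransport(1);
  const keys = fetchEkmPrivateKeys(sampleRules, 'sample-id-token', http);
  return { flow: 'ekm', keyCount: keys.length, attempts: http.calls.length };
}
```

`runSampleSetup()` returns `{ flow: 'ekm', keyCount: 1, attempts: 2 }`: the first request gets a 503, the retry succeeds. Note that the ID token is the only credential on the request, which is why the transport's 401 branch keys on the Authorization header, and that the retry loop deliberately does not retry an empty key list, since the user-facing "no private keys on EKM" error is the right outcome there.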