Skip to content

Commit

Permalink
Merge PR #611 into 16.0
Browse files Browse the repository at this point in the history 
Signed-off-by pedrobaeza
  • Loading branch information
@OCA-git-bot
OCA-git-bot committed Feb 22, 2024
2 parents f84c7f2 + 9f4cda0 commit 2bfc1ee
Show file tree
Hide file tree
Showing 82 changed files with 11,537 additions and 0 deletions.
1 change: 1 addition & 0 deletions setup/vault/odoo/addons/vault
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
../../../../vault
6 changes: 6 additions & 0 deletions setup/vault/setup.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
import setuptools

setuptools.setup(
setup_requires=['setuptools-odoo'],
odoo_addon=True,
)
100 changes: 100 additions & 0 deletions vault/README.rst
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
=====
Vault
=====

..
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! This file is generated by oca-gen-addon-readme !!
!! changes will be overwritten. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! source digest: sha256:12d8822aab453f4a6f00d8151ec6cdef4c66ec07c08d88e6528c85f3526d0818
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
:target: https://odoo-community.org/page/development-status
:alt: Beta
.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
:alt: License: AGPL-3
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
:target: https://github.com/OCA/server-auth/tree/16.0/vault
:alt: OCA/server-auth
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
:target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-vault
:alt: Translate me on Weblate
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
:target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
:alt: Try me on Runboat

|badge1| |badge2| |badge3| |badge4| |badge5|

This module implements a vault for secrets and files using end-to-end-encryption. The encryption and decryption happens in the browser using a vault specific shared master key. The master keys are encrypted using asymmetrically. For this the user has to enter a second password on the first login or if he needs to access data in a vault. The asymmetric keys are stored for a certain time in the browser storage.

The server can never access the secrets with the information available. Only people registered in the vault can decrypt or encrypt values in a vault. The meta data isn't encrypted to be able to search/filter for entries more easily.

This modules requires a secure context for the browser to work properly and therefore HTTPS support is required.

The `vault-recovery <https://github.com/fkantelberg/vault-recovery>`_ project focuses on disaster recovery in case of an incident to recover secrets from old database backups or old exports.

**Table of contents**

.. contents::
:local:

Known issues / Roadmap
======================

* Field and file history for restoration

* Import improvement

* Support challenge-response/FIDO2
* Support for argon2 and kdbx v4

* When changing an entry from one vault to another existing vault, the values added on
this entry cannot be accessed, so the field vault is going to be readonly when it
is defined.

If you want to move entries between vaults you can use the export -> import option.

* HTTPS or localhost (secure browser context) is required for the client side encryption

Bug Tracker
===========

Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us to smash it by providing a detailed and welcomed
`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20vault%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.

Do not contact contributors directly about support or help with technical issues.

Credits
=======

Authors
~~~~~~~

* initOS GmbH

Contributors
~~~~~~~~~~~~

* Florian Kantelberg <[email protected]>

Maintainers
~~~~~~~~~~~

This module is maintained by the OCA.

.. image:: https://odoo-community.org/logo.png
:alt: Odoo Community Association
:target: https://odoo-community.org

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/vault>`_ project on GitHub.

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
143 changes: 143 additions & 0 deletions vault/TECHNICAL.rst
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
::

┌───────┐ ┏━━━━━━━━━━━━━┓ ╔═══════════╗
│ input │ ┃ unencrypted ┃ ║ encrypted ║
└───────┘ ┗━━━━━━━━━━━━━┛ ╚═══════════╝

Vault
=====

Each vault stores entries with enrypted fields and files in a tree like structure. The access is controlled per vault. Every added user can read the secrets of a vault. Otherwise the users can receive permission to share the vault with other users, to write secrets in the vault, or to delete entries of the vault. The databases stores the public and password protected private key of each user. The password used for the private key is derived from a password entered by the user and should be different than the password used for the login. Keep in mind that the meta information like field name or file names aren't encrypted.

Shared-key encryption
=====================

To be able to securely share sensitive data between all users a shared-key encryption is used. All users share a common secret for each vault. This secret is encrypted by the public key of each user to grant access to the user by using the private key to restore the secret.

Encryption of master key
------------------------

::

. ┏━━━━━━━━━━━━┓
┃ Master key ┃
┗━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━┓ ┃
┃ User ┃ ▼
┃ ┃ ┏━━━━━━━━━┓
┃ ┏━━━━━━━━━━━━━┓ ┃ ┃ encrypt ┃ ╔════════════╗
┃ ┃ Public key ┃━━━━▶┃ (RSA) ┃━━━━━▶║ Master key ║
┃ ┗━━━━━━━━━━━━━┛ ┃ ┗━━━━━━━━━┛ ╚════════════╝
┃ ╔═════════════╗ ┃
┃ ║ Private key ║ ┃
┃ ╚═════════════╝ ┃
┗━━━━━━━━━━━━━━━━━┛

Decryption of master key
------------------------

::

. ┌──────────┐ ┏━━━━━━━━━━┓
│ Password │━━━━▶┃ derive ┃
└──────────┘ ┃ (PBKDF2) ┃
┗━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━┓ ▼ ╔════════════╗
┃ User ┃ ┏━━━━━━━━━━┓ ║ Master key ║
┃ ┃ ┃ Password ┃ ╚════════════╝
┃ ┏━━━━━━━━━━━━━┓ ┃ ┗━━━━━━━━━━┛ ┃
┃ ┃ Public key ┃ ┃ ┃ ▼
┃ ┗━━━━━━━━━━━━━┛ ┃ ▼ ┏━━━━━━━━━┓
┃ ╔═════════════╗ ┃ ┏━━━━━━━━┓ ┏━━━━━━━━━━━━━┓ ┃ decrypt ┃ ┏━━━━━━━━━━━━┓
┃ ║ Private key ║━━━━━┃ unlock ┃━━▶┃ Private key ┃━━━▶┃ (RSA) ┃━━━━━▶┃ Master key ┃
┃ ╚═════════════╝ ┃ ┗━━━━━━━━┛ ┗━━━━━━━━━━━━━┛ ┗━━━━━━━━━┛ ┗━━━━━━━━━━━━┛
┗━━━━━━━━━━━━━━━━━┛

Symmetric encryption of the data
================================

The symmetric cipher AES is used with the common master key to encrypt/decrypt the secrets of the vaults. The encryption parameter and encrypted data is stored in the database while everything else happens in the browser.

Encryption of data
------------------

::

. ┏━━━━━━━━━━━━┓
┃ Master key ┃
┗━━━━━━━━━━━━┛
┃ ┏━━━━━━━━━━━━━━━━━━┓
▼ ┃ Database ┃
┏━━━━━━━━━┓ ┃ ┃
┏━━━━━━━━━━━━┓ ┃ encrypt ┃ ┃╔════════════════╗┃
┃ Plain text ┃━━▶┃ (AES) ┃━━━▶║ Encrypted data ║┃
┗━━━━━━━━━━━━┛ ┗━━━━━━━━━┛ ┃╚════════════════╝┃
┃ ┃┏━━━━━━━━━━━━━━━━┓┃
┗━━━━━━━━▶┃ Parameters ┃┃
┃┗━━━━━━━━━━━━━━━━┛┃
┗━━━━━━━━━━━━━━━━━━┛

Decryption of data
------------------

::

. ┏━━━━━━━━━━━━┓
┃ Master key ┃
┗━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━┓ ┃
┃ Database ┃ ▼
┃ ┃ ┏━━━━━━━━━┓
┃╔════════════════╗┃ ┃ decrypt ┃ ┏━━━━━━━━━━━━┓
┃║ Encrypted data ║━━━▶┃ (AES) ┃━━▶┃ Plain text ┃
┃╚════════════════╝┃ ┗━━━━━━━━━┛ ┗━━━━━━━━━━━━┛
┃┏━━━━━━━━━━━━━━━━┓┃ ▲
┃┃ Parameters ┃━━━━━━━━┛
┃┗━━━━━━━━━━━━━━━━┛┃
┗━━━━━━━━━━━━━━━━━━┛

Inbox
=====

This allows an user to receive encrypted secrets by external or internal Odoo users. External users have to use either the owner specific inbox link from his preferences or the link of an already created inbox. The value is symmetrically encrypted. The key for the encryption is wrapped with the public key of the user of the inbox to grant the user the access to the key. Internal users can directly send a secret from a vault entry to another user who has enabled this feature. If a direct link is used the access counter and expiration time can block an overwrite.

Encryption of inbox
-------------------

::

. ┏━━━━━━━━━━━━┓
┃ Plain data ┃
┗━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━┓ ┃
┃ User ┃ ▼
┃ ┃ ┏━━━━━━━━━┓
┃ ┏━━━━━━━━━━━━━┓ ┃ ┃ encrypt ┃ ╔════════════════╗
┃ ┃ Public key ┃━━━━▶┃ (RSA) ┃━━━━━▶║ Encrypted data ║
┃ ┗━━━━━━━━━━━━━┛ ┃ ┗━━━━━━━━━┛ ╚════════════════╝
┃ ╔═════════════╗ ┃
┃ ║ Private key ║ ┃
┃ ╚═════════════╝ ┃
┗━━━━━━━━━━━━━━━━━┛

Decryption of inbox
-------------------

::

. ┌──────────┐ ┏━━━━━━━━━━┓
│ Password │━━━━▶┃ derive ┃
└──────────┘ ┃ (PBKDF2) ┃
┗━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━┓ ▼ ╔════════════════╗
┃ User ┃ ┏━━━━━━━━━━┓ ║ Encrypted data ║
┃ ┃ ┃ Password ┃ ╚════════════════╝
┃ ┏━━━━━━━━━━━━━┓ ┃ ┗━━━━━━━━━━┛ ┃
┃ ┃ Public key ┃ ┃ ┃ ▼
┃ ┗━━━━━━━━━━━━━┛ ┃ ▼ ┏━━━━━━━━━┓
┃ ╔═════════════╗ ┃ ┏━━━━━━━━┓ ┏━━━━━━━━━━━━━┓ ┃ decrypt ┃ ┏━━━━━━━━━━━━┓
┃ ║ Private key ║━━━━━┃ unlock ┃━━▶┃ Private key ┃━━━▶┃ (RSA) ┃━━━━━▶┃ Plain data ┃
┃ ╚═════════════╝ ┃ ┗━━━━━━━━┛ ┗━━━━━━━━━━━━━┛ ┗━━━━━━━━━┛ ┗━━━━━━━━━━━━┛
┗━━━━━━━━━━━━━━━━━┛
4 changes: 4 additions & 0 deletions vault/__init__.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# © 2021 Florian Kantelberg - initOS GmbH
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).

from . import controllers, models, wizards
50 changes: 50 additions & 0 deletions vault/__manifest__.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# © 2021 Florian Kantelberg - initOS GmbH
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).

{
"name": "Vault",
"summary": "Password vault integration in Odoo",
"license": "AGPL-3",
"version": "16.0.1.0.0",
"website": "https://github.com/OCA/server-auth",
"application": True,
"author": "initOS GmbH, Odoo Community Association (OCA)",
"category": "Vault",
"depends": ["base_setup", "web"],
"data": [
"security/ir.model.access.csv",
"security/ir_rule.xml",
"security/vault_security.xml",
"views/res_config_settings_views.xml",
"views/res_users_views.xml",
"views/vault_entry_views.xml",
"views/vault_field_views.xml",
"views/vault_file_views.xml",
"views/vault_log_views.xml",
"views/vault_inbox_views.xml",
"views/vault_right_views.xml",
"views/vault_views.xml",
"views/menuitems.xml",
"views/templates.xml",
"wizards/vault_export_wizard.xml",
"wizards/vault_import_wizard.xml",
"wizards/vault_send_wizard.xml",
"wizards/vault_store_wizard.xml",
],
"assets": {
"vault.assets_frontend": [
"vault/static/src/common/*.js",
"vault/static/src/frontend/*.js",
],
"web.assets_backend": [
"vault/static/lib/**/*.min.js",
"vault/static/src/**/*.xml",
"vault/static/src/common/*.js",
"vault/static/src/backend/*.scss",
"vault/static/src/backend/**/*.js",
],
"web.tests_assets": [
"vault/static/tests/**/*.js",
],
},
}
4 changes: 4 additions & 0 deletions vault/controllers/__init__.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# © 2021 Florian Kantelberg - initOS GmbH
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).

from . import main
Loading

0 comments on commit 2bfc1ee

Please sign in to comment.