Distinguish stsRoleArn for client and hub when creating bucket, updat…

…e documentation (#12 #23).
shift7-ch · Nov 14, 2023 · c51a591 · c51a591
1 parent e6dd53c
commit c51a591
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 39 deletions.
diff --git a/backend/CIPHERDUCK.md b/backend/CIPHERDUCK.md
@@ -241,9 +241,10 @@ dropdown?
 | Backend property             | Description                                                                                      |
 |------------------------------|--------------------------------------------------------------------------------------------------|
 | `bucketPrefix`               | Prefix for all new buckets.                                                                      |
-| `stsRoleArn`                 | Role for `AssumeRoleWithWebIdentity` when creating buckets.                                      |
+| `stsRoleArnHub`              | Role for `AssumeRoleWithWebIdentity` when creating buckets in hub.                               |
+| `stsRoleArnClient`           | Role for `AssumeRoleWithWebIdentity` when creating buckets in client.                            |
 | `stsEndpoint`                | Endpoint `AssumeRoleWithWebIdentity` when creating buckets. Leave empty for defaults in AWS SDK. |
-| `region`                     | Default region to create buckets in. Defaults to `us-east-1`                                     |
+| `region`                     | Default region to create buckets in. Defaults to `us-east-1` if left empty.                      |
 | `regions`                    | Allowed regions to create buckets in. Defaults to full list of regions.                          |
 | `withPathStyleAccessEnabled` | Configures the client to use path-style access for all S3 requests.                              |
 

diff --git a/backend/config/application.properties b/backend/config/application.properties
@@ -13,11 +13,10 @@ backends.backends[0].bucket-prefix=cipherduck
 backends.backends[0].region=eu-central-1
 backends.backends[0].regions=eu-west-1,eu-west-2,eu-west-3,eu-north-1,eu-south-1,eu-south-2,eu-central-1,eu-central-2
 backends.backends[0].with-path-style-access-enabled=true
-
-# role for cryptomatorhub client
-backends.backends[0].sts-role-arn=arn:minio:iam:::role/HGKdlY4eFFsXVvJmwlMYMhmbnDE
-# role for cryptomator client (TODO: https://github.com/chenkins/cipherduck-hub/issues/12 required for client-side vault creation)
-#backends.backends[0].sts-role-arn=arn:minio:iam:::role/IqZpDC5ahW_DCAvZPZA4ACjEnDE
+#   (role for cryptomatorhub client)
+backends.backends[0].sts-role-arn-hub=arn:minio:iam:::role/HGKdlY4eFFsXVvJmwlMYMhmbnDE
+#   (role for cryptomator client)
+backends.backends[0].sts-role-arn-client=arn:minio:iam:::role/IqZpDC5ahW_DCAvZPZA4ACjEnDE
 backends.backends[0].sts-endpoint=http://minio:9000
 #
 # (1) protocol
@@ -51,7 +50,8 @@ backends.backends[1].name=AWS S3 STS
 #
 #  bucket creation:
 backends.backends[1].bucket-prefix=cipherduck
-backends.backends[1].sts-role-arn=arn:aws:iam::930717317329:role/cipherduck-createbucket
+backends.backends[1].sts-role-arn-hub=arn:aws:iam::930717317329:role/cipherduck-createbucket
+backends.backends[1].sts-role-arn-client=arn:aws:iam::930717317329:role/cipherduck-createbucket
 backends.backends[1].region=eu-west-1
 backends.backends[1].regions=eu-west-1,eu-west-2,eu-west-3
 #
@@ -79,15 +79,7 @@ backends.backends[1].jwe.sts-role-arn2=arn:aws:iam::930717317329:role/cipherduck
 backends.backends[2].id=http://minio:9000_static
 backends.backends[2].name=MinIO S3 static
 #
-# bucket creation:
-backends.backends[2].bucket-prefix=cipherduck
-backends.backends[2].region=eu-central-1
-backends.backends[2].regions=eu-west-1,eu-west-2,eu-west-3,eu-north-1,eu-south-1,eu-south-2,eu-central-1,eu-central-2
-backends.backends[2].with-path-style-access-enabled=true
-#
 # (1) protocol
-# (1a) protocol hub-independent:
-#
 # (1c) protocol storage-specific:
 backends.backends[2].jwe.vendor=s3-http-path-style
 backends.backends[2].jwe.hostname=minio
@@ -102,15 +94,7 @@ backends.backends[2].jwe.port=9000
 backends.backends[3].id=AWS static
 backends.backends[3].name=AWS S3 static1
 #
-#  bucket creation:
-backends.backends[3].bucket-prefix=cipherduck
-backends.backends[3].sts-role-arn=arn:aws:iam::930717317329:role/cipherduck-createbucket
-backends.backends[3].region=eu-west-1
-backends.backends[3].regions=eu-west-1,eu-west-2,eu-west-3
-#
 # (1) protocol
-# (1a) protocol hub-independent:
-#
 # (1c) protocol storage-specific:
 backends.backends[3].jwe.vendor=s3-https
 #

diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageConfig.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageConfig.java
@@ -16,11 +16,14 @@ public interface StorageConfig {
 	String name();
 
 	@JsonProperty("bucketPrefix")
-	String bucketPrefix();
+	Optional<String> bucketPrefix();
 
 
-	@JsonProperty("stsRoleArn")
-	Optional<String> stsRoleArn();
+	@JsonProperty("stsRoleArnClient")
+	Optional<String> stsRoleArnClient();
+
+	@JsonProperty("stsRoleArnHub")
+	Optional<String> stsRoleArnHub();
 
 	@JsonProperty("stsEndpoint")
 	Optional<String> stsEndpoint();

diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageConfigDto.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/StorageConfigDto.java
@@ -7,8 +7,9 @@
 public record StorageConfigDto(
 		String id,
 		String name,
-		String bucketPrefix,
-		Optional<String> stsRoleArn,
+		Optional<String> bucketPrefix,
+		Optional<String> stsRoleArnClient,
+		Optional<String> stsRoleArnHub,
 		Optional<String> stsEndpoint,
 		Optional<String> region,
 		Optional<List<String>> regions,
@@ -18,7 +19,7 @@ public record StorageConfigDto(
 ) implements StorageConfig {
 	public StorageConfigDto(final StorageConfig s, final VaultJWEBackend jwe) {
 		// workaround for defaultValue in JSONPrroperty not working as expected
-		this(s.id(), s.name(), s.bucketPrefix(), s.stsRoleArn(), s.stsEndpoint(),
+		this(s.id(), s.name(), s.bucketPrefix(), s.stsRoleArnClient(), s.stsRoleArnHub(), s.stsEndpoint(),
 				s.region().isPresent() ? s.region() : Optional.of("us-east-1"),
 				s.regions().isPresent() ? s.regions() : Optional.of(Arrays.asList(
 						"af-south-1",

diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/storage/S3Storage.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/storage/S3Storage.java
@@ -24,7 +24,7 @@ public static void makeS3Bucket(
 			final StorageDto dto
 	) {
 
-		final String bucketName = storageConfig.bucketPrefix() + dto.vaultId();
+		final String bucketName = storageConfig.bucketPrefix().get() + dto.vaultId();
 		// https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/java/example_code/s3/src/main/java/aws/example/s3/CreateBucket.java
 		final String region = dto.region();
 		AmazonS3ClientBuilder s3Builder = AmazonS3ClientBuilder
@@ -34,7 +34,7 @@ public static void makeS3Bucket(
 			s3Builder = s3Builder
 					.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(storageConfig.stsEndpoint().get(), region))
 					.withPathStyleAccessEnabled(storageConfig.withPathStyleAccessEnabled().orElse(false));
-		} else {
+		} else if (region != null) {
 			s3Builder = s3Builder.withRegion(region);
 		}
 		final AmazonS3 s3 = s3Builder

diff --git a/frontend/src/components/CreateVaultS3.vue b/frontend/src/components/CreateVaultS3.vue
@@ -535,7 +535,7 @@ async function createVault() {
       }`.replaceAll("{}", config["jwe"]["defaultPath"])
     }
     // Required. ARN of the role that the caller is assuming.
-    assumeRoleWithWebIdentityArgs["RoleArn"] = config["stsRoleArn"];
+    assumeRoleWithWebIdentityArgs["RoleArn"] = config["stsRoleArnHub"];
 
 
     const { Credentials } = await stsClient
@@ -592,7 +592,7 @@ function setRegionsOnSelectStorage(storage){
     console.log('   available regions: ' + storage.regions);
     selectedRegion.value = storage.region;
     console.log('   default region: ' + storage.region);
-    isPermanent.value = !Boolean(selectedStorage.value['jwe']['stsRoleArn'])
+    isPermanent.value = !Boolean(selectedStorage.value['stsRoleArnHub'])
     console.log('   isPermanent: ' + isPermanent.value);
 }
 

diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
@@ -127,11 +127,6 @@
           <button type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showEditVaultMetadataDialog()">
             {{ t('vaultDetails.actions.editVaultMetadata') }}
           </button>
-          <!-- / start cipherduck extension -->
-          <!-- <button type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDownloadVaultTemplateDialog()">
-            {{ t('vaultDetails.actions.downloadVaultTemplate') }}
-          </button> -->
-          <!-- \ start cipherduck extension -->
           <button type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showRecoveryKeyDialog()">
             {{ t('vaultDetails.actions.showRecoveryKey') }}
           </button>