Add support to replace a server public key

Author: stripthis

.editorconfig

@@ -6,7 +6,7 @@ root = true
 [*]
 indent_style = space
 end_of_line = lf
-insert_final_newline = true
+insert_final_newline = false
 trim_trailing_whitespace = true
 
 [*.js]

dist/chrome/passbolt-2.12.2-debug.crx

@@ -1,7 +1,7 @@
 {
-    "debug": false,
+    "debug": true,
     "log": {
-       "level": 0,
-       "console": false
+       "level": 3,
+       "console": true
     }
 }

src/all/background_page/config/config.json

@@ -0,0 +1,39 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         2.13.0
+ */
+const Config = require('../../model/config');
+const {GpgAuth} = require('../../model/gpgauth');
+const {Keyring} = require('../../model/keyring');
+
+class AuthUpdateServerKeyController {
+
+  constructor(worker, requestId) {
+    this.worker = worker;
+    this.requestId = requestId;
+    this.auth = new GpgAuth();
+    this.keyring = new Keyring();
+  }
+
+  async main() {
+    try {
+      const domain = Config.read('user.settings.trustedDomain');
+      const serverKey = await this.auth.getServerKey(domain);
+      await this.keyring.importServerPublicKey(serverKey.keydata, domain);
+      this.worker.port.emit(this.requestId, 'SUCCESS', domain);
+    } catch (error) {
+      this.worker.port.emit(this.requestId, 'ERROR', this.worker.port.getEmitableError(error));
+    }
+  }
+}
+
+exports.AuthUpdateServerKeyController = AuthUpdateServerKeyController;

src/all/background_page/controller/auth/authUpdateServerKeyController.js

@@ -6,15 +6,15 @@
  * @copyright (c) 2019 Passbolt SA
  * @licence GNU Affero General Public License http://www.gnu.org/licenses/agpl-3.0.en.html
  */
-const AuthController = require('../controller/authController').AuthController;
-const AuthCheckStatusController = require('../controller/auth/authCheckStatusController').AuthCheckStatusController;
-const AuthIsAuthenticatedController = require('../controller/auth/authIsAuthenticatedController').AuthIsAuthenticatedController;
-const AuthIsMfaRequiredController = require('../controller/auth/authIsMfaRequiredController').AuthIsMfaRequiredController;
-const GpgAuth = require('../model/gpgauth').GpgAuth;
+const {AuthController} = require('../controller/authController');
+const {AuthCheckStatusController} = require('../controller/auth/authCheckStatusController');
+const {AuthIsAuthenticatedController} = require('../controller/auth/authIsAuthenticatedController');
+const {AuthIsMfaRequiredController} = require('../controller/auth/authIsMfaRequiredController');
+const {AuthUpdateServerKeyController} = require('../controller/auth/authUpdateServerKeyController');
+const {GpgAuth} = require('../model/gpgauth');
 const Worker = require('../model/worker');
 
 const listen = function (worker) {
-
   /*
    * Check if the user is authenticated.
    *
@@ -79,11 +79,11 @@ const listen = function (worker) {
   /*
    * Get the password server key for a given domain.
    *
-   * @listens passbolt.auth.getServerKey
+   * @listens passbolt.auth.get-server-key
    * @param requestId {uuid} The request identifier
    * @param domain {string} The server's domain
    */
-  worker.port.on('passbolt.auth.getServerKey', function (requestId, domain) {
+  worker.port.on('passbolt.auth.get-server-key', function (requestId, domain) {
     var gpgauth = new GpgAuth();
     gpgauth.getServerKey(domain).then(
       function success(msg) {
@@ -95,6 +95,17 @@ const listen = function (worker) {
     );
   });
 
+  /*
+   * Get the password server key for a given domain.
+   *
+   * @listens passbolt.auth.replace-server-key
+   * @param requestId {uuid} The request identifier
+   */
+  worker.port.on('passbolt.auth.replace-server-key', async function (requestId) {
+    const controller = new AuthUpdateServerKeyController(worker, requestId);
+    await controller.main();
+  });
+
   /*
    * Attempt to login the current user.
    *
@@ -108,7 +119,7 @@ const listen = function (worker) {
    * @param redirect {string} The uri to redirect the user after login
    */
   worker.port.on('passbolt.auth.login', function (requestId, passphrase, remember, redirect) {
-    var auth = new AuthController(worker, requestId);
+    const auth = new AuthController(worker, requestId);
     auth.login(passphrase, remember, redirect);
   });
 

src/all/background_page/event/authEvents.js

@@ -82,13 +82,29 @@ $(function () {
         }
         // All other cases.
         else {
-          passbolt.html.loadTemplate('.login.form', 'login/feedbackLoginOops.ejs');
+          passbolt.login.onStep0ChangeKey();
+          // passbolt.html.loadTemplate('.login.form', 'login/feedbackLoginOops.ejs');
         }
       }
     );
     passbolt.login.onStep1RequestPassphrase();
   };
 
+  /**
+   * Insert the passphrase dialog iframe.
+   */
+  passbolt.login.onStep0ChangeKey = function () {
+    // Inject the change key dialog iframe into the web page DOM.
+    // piggy back on login form page mod / port
+    const iframeId = 'passbolt-iframe-login-change-key';
+    const port = passphraseIframeId;
+    const className = 'loading';
+    const appendTo = '.login.form';
+    const style = 'width:330px;height:250px;';
+    $(appendTo).empty();
+    passbolt.html.insertIframe(iframeId, appendTo, className, null, null, style, port);
+  };
+
   /**
    * Insert the passphrase dialog iframe.
    */
@@ -152,4 +168,4 @@ $(function () {
 
   passbolt.login.init();
 });
-undefined; // result must be structured-clonable data
+undefined; // result must be structured-clonable data

src/all/content_scripts/js/login/login.js

@@ -0,0 +1,14 @@
+<h3>The server key has changed!</h3>
+<p>
+    For
+    <a href="https://help.passbolt.com/start/key-change" target="_blank" target="_blank" rel="noopener noreferrer">
+    security reasons</a>, please confirm with your IT administrator that this is
+    a change they initiated.
+</p>
+<div class="input checkbox required">
+    <input type="checkbox" id="js_server_key_change_confirm" value="legit"/>
+    <label for="js_server_key_change_confirm">I have checked, all is fine.</label>
+</div><br>
+<div class="actions-wrapper center">
+    <a id="js_server_key_change_submit" class="button primary big disabled" href="#" role="button">Accept new key</a>
+</div>

src/all/data/ejs/login/changeKey.ejs

@@ -0,0 +1,9 @@
+<h2>Oops, something went wrong.</h2>
+<p>
+    There was an internal error when trying to add the new key.
+    Please contact your administrator for more information, or refresh the page
+    to retry.
+</p>
+<p>
+    <em><?= message ?></em>
+</p>

src/all/data/ejs/login/changeKeyOops.ejs

@@ -0,0 +1,10 @@
+<h2>Success!</h2>
+<p>
+    The key was changed.
+    You are good to go. Click on the button bellow or refresh the page to retry.
+</p>
+<div class="actions-wrapper center">
+    <a class="button primary big" href="<?= domain ?>" role="button" target="_parent" rel="noopener noreferrer">
+        Retry login
+    </a>
+</div>

src/all/data/ejs/login/changeKeySuccess.ejs

@@ -103,22 +103,26 @@ passbolt.templates = window.templates;
   passbolt.html.getBrowserName = getBrowserName;
 
   /**
+   * InsertIframe
    *
    * @param iframeId string
    * @param iframeUrlOptions Object
    * @param appendTo string acting as jQuery selector
    * @param className string (optional)
+   * @param style string (optional)
+   * @param port string (optional)
    * @returns {*|jQuery|HTMLElement}
    */
-  var insertIframe = function (iframeId, appendTo, className, iframeUrlOptions, insertMode, style) {
+  var insertIframe = function (iframeId, appendTo, className, iframeUrlOptions, insertMode, style, port) {
     // set defaults
     const mode = insertMode || 'append';
     const css = style || '';
     const urlOptions = iframeUrlOptions || {};
     const cssClass = className || '';
 
     // build iframe url
-    var iframeUrl = chrome.runtime.getURL('data/' + iframeId +'.html') + `?passbolt=${iframeId}&`;
+    var port = port ? port : iframeId;
+    var iframeUrl = chrome.runtime.getURL('data/' + iframeId +'.html') + `?passbolt=${port}&`;
     let optionUrl = [];
     for (var options in urlOptions)
       if (iframeUrlOptions.hasOwnProperty(options)) {

src/all/data/js/lib/html.js

@@ -0,0 +1,78 @@
+/**
+ * Login form.
+ *
+ * @copyright (c) 2020 Passbolt SA
+ * @licence GNU Affero General Public License http://www.gnu.org/licenses/agpl-3.0.en.html
+ */
+
+$(function () {
+
+  let $changeConfirm = null,
+    $changeSubmit = null;
+
+  /**
+   * Initialize the master password dialog.
+   */
+  const init = function () {
+    // Load the page template.
+    loadTemplate()
+      .then(initEventsListeners)
+      // Mark the iframe container as ready.
+      .then(function () {
+        passbolt.message.emit('passbolt.auth.remove-class', '#passbolt-iframe-login-form', 'loading');
+        passbolt.message.emit('passbolt.auth.add-class', '#passbolt-iframe-login-form', 'ready');
+      }, function(error) {
+        console.error(error);
+        console.error('Something went wrong when initializing loginChangeKey.js');
+      });
+  };
+
+  /**
+   * Load the page template and initialize the constiables relative to it.
+   * @returns {Promise}
+   */
+  const loadTemplate = function () {
+    return passbolt.html.loadTemplate('body', 'login/changeKey.ejs', 'html',
+      {})
+      .then(function success() {
+        $changeConfirm = $('#js_server_key_change_confirm');
+        $changeSubmit = $('#js_server_key_change_submit');
+      });
+  };
+
+  /**
+   * Init the events listeners.
+   * The events can come from the following sources : addon, page or DOM.
+   */
+  const initEventsListeners = function () {
+    $changeConfirm.on('click', onChangeConfirm);
+    $changeSubmit.on('click', onLoginSubmit);
+  };
+
+  const onChangeConfirm = function() {
+    $changeSubmit.toggleClass('disabled');
+  }
+
+  const onLoginSubmit = function() {
+    if($changeSubmit.hasClass('disabled')) {
+      // do nothing
+    } else {
+      passbolt.request('passbolt.auth.replace-server-key').then(
+        function success(domain) {
+          passbolt.html.loadTemplate('body', 'login/changeKeySuccess.ejs','html',
+            {domain: domain}
+          );
+        },
+        function error(error) {
+          passbolt.html.loadTemplate('body', 'login/changeKeyOops.ejs', 'html',
+            {message: error.message}
+          );
+        }
+      );
+    }
+  }
+
+  // Init the login form.
+  init();
+
+});

src/all/data/js/login/loginChangeKey.js

@@ -135,7 +135,7 @@ $(function () {
    * @private
    */
   step._fetchServerKey = function (domain) {
-    return passbolt.request('passbolt.auth.getServerKey', domain)
+    return passbolt.request('passbolt.auth.get-server-key', domain)
       .then(function (serverKey) {
         step._data.serverKey = serverKey.keydata;
         return serverKey.keydata;

src/all/data/js/setup/step/domainCheck.js

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en" class="alpha version passboltplugin">
+<head>
+    <meta charset="utf-8"/>
+    <link href="css/themes/default/ext_iframe.min.css" media="all" rel="stylesheet">
+    <script src="vendors/jquery.js"></script>
+    <script src="tpl/login.js"></script>
+    <script src="js/lib/port.js"></script>
+    <script src="js/lib/request.js"></script>
+    <script src="js/lib/message.js"></script>
+    <script src="js/lib/html.js"></script>
+    <script src="js/login/loginChangeKey.js"></script>
+</head>
+<body class="iframe">
+</body>
+</html>

src/all/data/passbolt-iframe-login-change-key.html

@@ -1,5 +1,8 @@
 window.templates = window.templates || {};
 window.templates.login = window.templates.login || {};
+window.templates.login.changeKey = require('./login/changeKey.js');
+window.templates.login.changeKeyOops = require('./login/changeKeyOops.js');
+window.templates.login.changeKeySuccess = require('./login/changeKeySuccess.js');
 window.templates.login.feedbackLoginError = require('./login/feedbackLoginError.js');
 window.templates.login.feedbackLoginNoUser = require('./login/feedbackLoginNoUser.js');
 window.templates.login.feedbackLoginOops = require('./login/feedbackLoginOops.js');