├── .github └── workflows │ └── build.yml ├── .hgignore ├── LICENSE ├── README.md ├── bin ├── build-frontend.sh ├── build.sh └── codegenerate.go ├── cmd └── passitron │ └── main.go ├── docs ├── architecture.md ├── index.md ├── mkdocs.yml ├── pi-zero-in-wood-case.png └── user-guides │ └── comparison-to-alternatives.md ├── frontend ├── components │ ├── SearchBox.tsx │ ├── SecretListing.tsx │ └── U2F.tsx ├── errors.ts ├── layout │ └── appdefaultlayout.tsx ├── main.tsx ├── modules.d.ts ├── package.json ├── pages │ ├── AccountPage.tsx │ ├── AuditLogPage.tsx │ ├── HomePage.tsx │ ├── ImportOtpToken.tsx │ ├── SearchPage.tsx │ ├── SettingsPage.tsx │ ├── SignInPage.tsx │ ├── SshKeysPage.tsx │ └── UnlockDecryptionKeyPage.tsx ├── tslint.json ├── u2ftypes.ts ├── webpack.config.js └── yarn.lock ├── go.mod ├── go.sum ├── pkg ├── apitypes │ ├── commands.json │ ├── types.json │ └── ui-routes.json ├── commands │ ├── handlers.go │ ├── handlers_test.go │ └── httphandler.go ├── domain │ ├── events.json │ └── types.json ├── envelopeenc │ ├── envelope.go │ ├── envelope_test.go │ ├── marshal.go │ └── marshal_test.go ├── extractpublicfiles │ └── extractpublicfiles.go ├── f61ui │ └── f61ui.go ├── httpserver │ ├── middlewares.go │ ├── muxregistrator │ │ └── muxregistrator.go │ ├── server.go │ └── server_test.go ├── httputil │ └── httputil.go ├── keepassexport │ └── export.go ├── keepassimport │ ├── entrypoint.go │ └── keepass-import.go ├── restqueryapi │ └── queryapi.go ├── signingapi │ ├── server.go │ └── types.json ├── slowcrypto │ ├── slowcrypto.go │ └── slowcrypto_test.go ├── sshagent │ ├── entrypoint.go │ ├── main.go │ ├── run_nonwindows.go │ └── run_windows.go ├── state │ ├── appstate.go │ ├── crypto.go │ ├── getters.go │ ├── jwtconfig.go │ ├── userstate.go │ └── userstate_test.go ├── tarextract │ └── tarextract.go └── u2futil │ └── u2futil.go ├── public ├── favicon.ico └── robots.txt └── turbobob.json /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: Build 2 | 3 | on: [push] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v2 10 | - name: Download Turbo Bob 11 | run: curl --fail --location --output bob https://dl.bintray.com/function61/dl/turbobob/20200220_1142_9c1ea959/bob_linux-amd64 && chmod +x bob 12 | - name: Build with Turbo Bob 13 | run: CI_REVISION_ID="$GITHUB_SHA" ./bob build --publish-artefacts 14 | # unfortunately there doesn't seem to be a way to "expose all secrets", so you must 15 | # list here each secret to pass on to the build 16 | env: 17 | BINTRAY_CREDS: ${{ secrets.BINTRAY_CREDS }} 18 | -------------------------------------------------------------------------------- /.hgignore: -------------------------------------------------------------------------------- 1 | syntax: glob 2 | 3 | # generated files 4 | version.go 5 | 6 | # misc 7 | state.json 8 | .glide/ 9 | vendor/ 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![Build status](https://github.com/function61/passitron/workflows/Build/badge.svg) 2 | [![Download](https://img.shields.io/bintray/v/function61/dl/pi-security-module.svg?style=for-the-badge&label=Download)](https://bintray.com/function61/dl/pi-security-module/_latestVersion#files) 3 | 4 | What is this? 5 | ------------- 6 | 7 | Software for a separate trusted hardware device ("hardware security module") which 8 | essentially acts just like [Keepass](http://keepass.info/) and only serves the 9 | function of storing secrets. 10 | 11 | If you use Keepass on your PC and your PC gets compromised by a virus or a hacker, 12 | it's game over. But if you use a separate device for storing secrets, your PC compromise 13 | does not expose your secrets. This software only exposes your secret when you physically 14 | press a button on the device - and only exposes one secret per push acknowledge. 15 | 16 | 17 | Links 18 | ----- 19 | 20 | - [Architecture summary](https://function61.com/docs/passitron/architecture/) 21 | - [Comparison to alternatives](https://function61.com/docs/passitron/user-guides/comparison-to-alternatives/) 22 | - [All documentation](https://function61.com/docs/passitron/) - everything you 23 | seek is probably here. The above links were just some of the most important links to 24 | this documentation site. 25 | 26 | 27 | Features 28 | -------- 29 | 30 | - No cloud 31 | - Physical acknowledgement to expose a password by pressing a button on a U2F key 32 | (YubiKey for example), so a hacker would need local, physical, access to steal your secrets. 33 | - Supported secrets: 34 | * Passwords 35 | * OTP tokens (Google Authenticator) 36 | * SSH keys (via SSH agent protocol) 37 | * Keylists (["printed OTP list"](https://en.wikipedia.org/wiki/One-time_password#Hardcopy)) 38 | * Freetext (any text content is treated as secret data) 39 | - Create, view and list secrets in a folder hierarchy. 40 | - Export database to Keepass format (for viewing in mobile devices when traveling etc.) 41 | - Import data from Keepass format 42 | 43 | 44 | Recommended hardware 45 | -------------------- 46 | 47 | ![](docs/pi-zero-in-wood-case.png) 48 | 49 | I'm using [Raspberry Zero W](https://www.raspberrypi.org/products/pi-zero-w/) 50 | with [wooden case](https://thepihut.com/products/zebra-zero-for-raspberry-pi-zero-wood). 51 | 52 | It doesn't matter much which hardware you use, as long as you don't run anything else on 53 | that system - to minimize the attack surface. For such a light use Raspberry Pi is 54 | economical, although this project runs across processor architectures and operating systems 55 | because Golang is so awesome. :) 56 | 57 | 58 | Download & running 59 | ------------------ 60 | 61 | Click the "Download" badge at top of this readme and locate the binary for your OS/arch combo: 62 | 63 | - For Raspberry Pi, download `pism_linux-arm` 64 | - For Linux PC, download `pism_linux-amd64` 65 | 66 | Note: don't worry about `public.tar.gz` - it's downloaded automatically if it doesn't exist. 67 | 68 | Rename the downloaded binary to `pism`. 69 | 70 | Pro-tip: you can download this directly to your Pi from command line: 71 | 72 | ``` 73 | $ mkdir passitron/ 74 | $ cd passitron 75 | $ curl --fail --location -o pism 76 | 77 | # mark the binary as executable 78 | $ chmod +x pism 79 | ``` 80 | 81 | Installation & running: 82 | 83 | ``` 84 | $ ./pism server init-config admin yourpassword 85 | $ ./pism server install 86 | Wrote unit file to /etc/systemd/system/passitron.service 87 | Run to enable on boot & to start now: 88 | $ systemctl enable passitron 89 | $ systemctl start passitron 90 | $ systemctl status passitron 91 | ``` 92 | 93 | Looks good. You should now be able to access the web interface at `http://`. 94 | 95 | 96 | How to build & develop 97 | ---------------------- 98 | 99 | [How to build & develop](https://github.com/function61/turbobob/blob/master/docs/external-how-to-build-and-dev.md) 100 | (with Turbo Bob, our build tool). It's easy and simple! 101 | 102 | ### Getting to know the codebase 103 | 104 | See commit where I 105 | [added support to storing an email field](https://github.com/function61/passitron/commit/2182421beb6ce09693e974823dfe8dd5bf2c339a). 106 | -------------------------------------------------------------------------------- /bin/build-frontend.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | 3 | buildFrontend() { 4 | source /build-common.sh 5 | 6 | standardBuildProcess "frontend" 7 | } 8 | 9 | copyF61uiStaticFiles() { 10 | rm -rf public/f61ui/ 11 | cp -r frontend/f61ui/public/ public/f61ui/ 12 | } 13 | 14 | packagePublicFiles() { 15 | tar -czf rel/public.tar.gz public/ 16 | } 17 | 18 | (cd frontend/ && buildFrontend) 19 | 20 | copyF61uiStaticFiles 21 | 22 | packagePublicFiles 23 | -------------------------------------------------------------------------------- /bin/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | 3 | source /build-common.sh 4 | 5 | COMPILE_IN_DIRECTORY="cmd/passitron" 6 | BINARY_NAME="passitron" 7 | GOFMT_TARGETS="cmd/ pkg/" 8 | 9 | # clean slate, because generated files rarely pass formatting check 10 | cleanupGeneratedFiles() { 11 | rm -rf \ 12 | docs_ready/ \ 13 | pkg/**/*.gen.go 14 | } 15 | 16 | buildInternalDependenciesDocs() { 17 | echo "\`\`\`" > docs/internal-dependencies.md 18 | (cd cmd/passitron && depth . | grep github.com/function61/passitron/ | grep -v vendor) >> docs/internal-dependencies.md 19 | echo "\`\`\`" >> docs/internal-dependencies.md 20 | } 21 | 22 | generateCommandlineUserguideDocs() { 23 | # because help text self reflects its binary name 24 | cp rel/passitron_linux-amd64 passitron 25 | 26 | cat << EOF > docs/user-guides/command-line.md 27 | To receive help, just run: 28 | 29 | \`\`\` 30 | ./passitron --help 31 | $(./passitron --help) 32 | \`\`\` 33 | 34 | Any subcommand will also give you help: 35 | 36 | \`\`\` 37 | ./passitron server --help 38 | $(./passitron server --help) 39 | \`\`\` 40 | 41 | EOF 42 | 43 | # cleanup 44 | rm -f passitron 45 | } 46 | 47 | if [ ! -n "${FASTBUILD:-}" ]; then 48 | cleanupGeneratedFiles 49 | fi 50 | 51 | standardBuildProcess 52 | 53 | if [ ! -n "${FASTBUILD:-}" ]; then 54 | buildInternalDependenciesDocs 55 | 56 | generateCommandlineUserguideDocs 57 | fi 58 | 59 | -------------------------------------------------------------------------------- /bin/codegenerate.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "github.com/function61/eventkit/codegen" 6 | "github.com/function61/eventkit/codegen/codegentemplates" 7 | "github.com/function61/gokit/dynversion/precompilationversion" 8 | "os" 9 | ) 10 | 11 | //go:generate go run codegenerate.go 12 | 13 | func main() { 14 | if err := logic(); err != nil { 15 | fmt.Fprintln(os.Stderr, err) 16 | os.Exit(1) 17 | } 18 | } 19 | 20 | func logic() error { 21 | // normalize to root of the project 22 | if err := os.Chdir(".."); err != nil { 23 | return err 24 | } 25 | 26 | return mainInternal() 27 | } 28 | 29 | func mainInternal() error { 30 | modules := []*codegen.Module{ 31 | codegen.NewModule("domain", "pkg/domain/types.json", "pkg/domain/events.json", "", ""), 32 | codegen.NewModule("apitypes", "pkg/apitypes/types.json", "", "pkg/apitypes/commands.json", "pkg/apitypes/ui-routes.json"), 33 | codegen.NewModule("signingapi", "pkg/signingapi/types.json", "", "", ""), 34 | } 35 | 36 | opts := codegen.Opts{ 37 | BackendModulePrefix: "github.com/function61/passitron/pkg/", 38 | FrontendModulePrefix: "generated/", 39 | AutogenerateModuleDocs: true, 40 | } 41 | 42 | if err := codegen.ProcessModules(modules, opts); err != nil { 43 | return err 44 | } 45 | 46 | // PreCompilationVersion = code generation doesn't have access to version via regular method 47 | if err := codegen.ProcessFile( 48 | codegen.Inline("frontend/generated/version.ts", codegentemplates.FrontendVersion), 49 | codegen.NewVersionData(precompilationversion.PreCompilationVersion()), 50 | ); err != nil { 51 | return err 52 | } 53 | 54 | return nil 55 | } 56 | -------------------------------------------------------------------------------- /cmd/passitron/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "github.com/function61/gokit/dynversion" 6 | "github.com/function61/gokit/logex" 7 | "github.com/function61/gokit/ossignal" 8 | "github.com/function61/gokit/systemdinstaller" 9 | "github.com/function61/passitron/pkg/httpserver" 10 | "github.com/function61/passitron/pkg/keepassimport" 11 | "github.com/function61/passitron/pkg/sshagent" 12 | "github.com/function61/passitron/pkg/state" 13 | "github.com/spf13/cobra" 14 | "os" 15 | ) 16 | 17 | func serverEntrypoint() *cobra.Command { 18 | server := &cobra.Command{ 19 | Use: "server", 20 | Short: "Starts the server", 21 | Args: cobra.NoArgs, 22 | Run: func(cmd *cobra.Command, args []string) { 23 | rootLogger := logex.StandardLogger() 24 | 25 | exitIfError(httpserver.Run( 26 | ossignal.InterruptOrTerminateBackgroundCtx(rootLogger), 27 | rootLogger)) 28 | }, 29 | } 30 | 31 | server.AddCommand(&cobra.Command{ 32 | Use: "init-config [adminUsername] [adminPassword]", 33 | Short: "Initializes configuration file", 34 | Args: cobra.ExactArgs(2), 35 | Run: func(cmd *cobra.Command, args []string) { 36 | exitIfError(state.InitConfig(args[0], args[1])) 37 | }, 38 | }) 39 | 40 | server.AddCommand(&cobra.Command{ 41 | Use: "install", 42 | Short: "Installs systemd unit file to make Passitron start on system boot", 43 | Args: cobra.NoArgs, 44 | Run: func(cmd *cobra.Command, args []string) { 45 | service := systemdinstaller.SystemdServiceFile( 46 | "passitron", 47 | "Passitron", 48 | systemdinstaller.Args("server")) 49 | 50 | exitIfError(systemdinstaller.Install(service)) 51 | 52 | fmt.Println(systemdinstaller.GetHints(service)) 53 | }, 54 | }) 55 | 56 | return server 57 | } 58 | 59 | func main() { 60 | rootCmd := &cobra.Command{ 61 | Use: os.Args[0], 62 | Short: "Keeps your secrets as secure as possible", 63 | Version: dynversion.Version, 64 | } 65 | 66 | rootCmd.AddCommand(serverEntrypoint()) 67 | 68 | rootCmd.AddCommand(sshagent.Entrypoint()) 69 | 70 | rootCmd.AddCommand(keepassimport.Entrypoint()) 71 | 72 | exitIfError(rootCmd.Execute()) 73 | } 74 | 75 | func exitIfError(err error) { 76 | if err != nil { 77 | fmt.Fprintln(os.Stderr, err) 78 | os.Exit(1) 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /docs/architecture.md: -------------------------------------------------------------------------------- 1 | Domain model vs. application model? 2 | ----------------------------------- 3 | 4 | Domain model is the data as close to how it appears in real life, e.g. `User registered`. 5 | 6 | Application model is how the application chooses to interpret this data, perhaps even 7 | optimized for a narrower use case, e.g. `INSERT INTO users SET (username, password) VALUES ...`. 8 | That `User registered` event had a timestamp associated with it (all events in the domain 9 | have a timestamp), but our application model might not care about it. The data and how the 10 | application uses the data are two different things - they are decoupled from each other. 11 | 12 | Why separate models? The domain is supposed to outlive the application model. We could 13 | rewrite this application in a different programming language and use a different database, 14 | but the domain model should not change in any way - only the application model changes. 15 | 16 | 17 | Overview 18 | -------- 19 | 20 | This is an CQRS + EventSourcing application. 21 | 22 | CQRS applied here means that there are totally separate REST endpoints for 23 | [reading](apitypes/rest_endpoints.md) 24 | and [writing](commands/commands.md) 25 | data. 26 | 27 | EventSourcing applied here means that all writes to the database are stored as events, and 28 | the events are the only source of data used to derive the read model in the database. 29 | 30 | To best understand the big picture, here's a journey of a write request, with source code 31 | locations: 32 | 33 | - [UI invokes](https://github.com/function61/passitron/blob/153991ffb0bb/frontend/pages/AccountPage.tsx#L287) 34 | HTTP `POST /command/account.ChangeDescription` with body 35 | `{"Account": 13, "Description": "This is an example"}` 36 | - [Generic command HTTP handler](https://github.com/function61/passitron/blob/153991ffb0bb/pkg/restcommandapi/commandapi.go#L18) 37 | intercepts this request. This handler knows about this command because the command was 38 | defined [here](https://github.com/function61/passitron/blob/153991ffb0bb/pkg/commandhandlers/commands.json#L33). 39 | - It deserializes the JSON, performs basic validations (like is this input field required 40 | etc.), and invokes the [command handler](https://github.com/function61/passitron/blob/153991ffb0bb/pkg/commandhandlers/handlers.go#L89) 41 | - The command handler raises `account.DescriptionChanged` event 42 | (defined [here](https://github.com/function61/passitron/blob/153991ffb0bb/pkg/domain/domain.json#L91)) 43 | - Control is returned to the generic command HTTP handler, which 44 | [appends](https://github.com/function61/passitron/blob/153991ffb0bb/pkg/restcommandapi/commandapi.go#L64) 45 | any raised events to the event log. 46 | - Event log appending eventually means that an event handler will be invoked in the 47 | [state package](https://github.com/function61/passitron/blob/153991ffb0bb/pkg/state/eventhandlers.go#L72) 48 | 49 | Here's the most important source code locations: 50 | 51 | 52 | cmd/ 53 | ---- 54 | 55 | Contains the entrypoint for the single binary that makes up the backend and also serves 56 | frontend resources. 57 | 58 | 59 | frontend/ 60 | --------- 61 | 62 | Contains the source code for the frontend, which is written in React + TypeScript. 63 | 64 | 65 | pkg/ 66 | ---- 67 | 68 | Contains the backend packages. 69 | 70 | 71 | pkg/apitypes/apitypes.json 72 | -------------------------- 73 | 74 | Contains HTTP endpoint definitions and their input/output data structures for the query 75 | layer. This is used to autogenerate code for the frontend and backend. This makes both the 76 | frontend and the backend typesafe, i.e. Go or TypeScript compilers guarantee that your HTTP 77 | endpoint URLs, input and output data structures are kept in-sync with all the code. 78 | 79 | Implementations for the endpoints are found in `pkg/restqueryapi`. Calls come from the UI. 80 | 81 | The query endpoints are documented (autogenerated) in a prettier format in 82 | [this page](apitypes/rest_endpoints.md). 83 | 84 | 85 | pkg/domain/domain.json 86 | ---------------------- 87 | 88 | Contains all the event definitions (names and their payload data) that can be raised in 89 | this domain. 90 | 91 | Implementations for the event listeners are found in `pkg/state`. These events are mainly 92 | raised from `pkg/commandhandlers`. 93 | 94 | The domain information is documented (autogenerated) in a prettier format in 95 | [this page](domain/events.md). 96 | 97 | 98 | pkg/commandhandlers/commands.json 99 | --------------------------------- 100 | 101 | This file essentially contains all the actions that can be done from the UI. This is used 102 | to code generate as much as possible in frontend and backend, so the code should be 103 | typesafe at both sides of the HTTP layer. 104 | 105 | Implementations for the command handlers are found in `pkg/commandhandlers` 106 | 107 | Also, `pkg/commandhandlers/handlers_test.go` is a good place to see how the command tests 108 | test for command + event + read model interaction. 109 | 110 | The commands are documented (autogenerated) in a prettier format in 111 | [this page](commands/commands.md). 112 | -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | Welcome to the documentation site. 2 | 3 | Documentation is a hard subject in that most of it tends to get out-of-date, as its 4 | maintenance is usually of lower priority than other tasks. To combat this, most of the 5 | pages here are autogenerated from the same data structures the application uses. 6 | 7 | [Back to home page of the project](https://github.com/function61/passitron). 8 | -------------------------------------------------------------------------------- /docs/mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: 'pi-security-module docs' 2 | 3 | theme: readthedocs 4 | 5 | docs_dir: '.' 6 | 7 | pages: 8 | 9 | - 'index.md' 10 | 11 | - 'For users': 12 | - 'Command line': 'user-guides/command-line.md' 13 | - 'Comparison to alternatives': 'user-guides/comparison-to-alternatives.md' 14 | 15 | - 'General': 16 | - 'Architecture': 'architecture.md' 17 | - 'Internal dependencies': 'internal-dependencies.md' 18 | 19 | - 'Domain model': 20 | - 'Events': 'domain/events.md' 21 | - 'Types': 'domain/types.md' 22 | 23 | - 'Data API (REST)': 24 | - 'Types': 'apitypes/types.md' 25 | - 'Commands (for writing data)': 'commands/commands.md' 26 | - 'Endpoints (for reading data)': 'apitypes/rest_endpoints.md' 27 | 28 | - 'Signing API (REST)': 29 | - 'Types': 'signingapi/types.md' 30 | - 'Endpoints': 'signingapi/rest_endpoints.md' 31 | -------------------------------------------------------------------------------- /docs/pi-zero-in-wood-case.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/function61/passitron/de0f6732f22053f49cd16dc080f299c539aab6d3/docs/pi-zero-in-wood-case.png -------------------------------------------------------------------------------- /docs/user-guides/comparison-to-alternatives.md: -------------------------------------------------------------------------------- 1 | 2 | | Application | Free | No cloud | Hacker safe | U2F support | SSH agent support | 3 | |--------------------|-----------------|----------|-------------|-------------|-------------------| 4 | | Passitron | ☑ | ☑ | ☑ | ☑ | ☑ | 5 | | KeePass | ☑ | ☑ | ☐ | ? | ☑ (plugin) | 6 | | LastPass | ☑ | ☐ | ☐ | ? | ☐ | 7 | | 1Password | ☐ | ☐ | ☐ | ? | ☐ | 8 | | Dashlane | 50 account limit | ☐ | ☐ | ? | ☐ | 9 | 10 | "Hacker safe": if hacker gains access to your computer, can the application still guarantee 11 | that the hacker doesn't get access to all your credentials? Basically the question boils 12 | down to if the application implements BOTH: 13 | 14 | 1. Does the password database run in a separate machine (with cloud-based apps this is always yes) 15 | 2. Are the secrets accessible without a press of a physical button that the hacker doesn't 16 | have access to? (i.e. a signature from a U2F key) 17 | 18 | 19 | On the radar 20 | ------------ 21 | 22 | .. means mention-worthy projects for which we haven't had the time to write a feature 23 | breakdown yet. 24 | 25 | [Krypton](https://krypt.co/) - while Krypton is not a password manager (at all), on the 26 | surface (I haven't tested it yet) it seems to do a great job of handling the use case of 27 | U2F-enabled logins. It seems that you need a browser plugin to use it, which is kind of a 28 | bummer - I wonder if it is technically possible to emulate U2F token as a kernel driver to 29 | support every already-U2F-enabled browser without a plugin. 30 | 31 | [pass](https://www.passwordstore.org/) 32 | 33 | [Bitwarden](https://github.com/bitwarden/core) 34 | 35 | [Buttercup](https://buttercup.pw/) 36 | 37 | 38 | Errors 39 | ------ 40 | 41 | If you notice any errors in this comparison, please report an issue! Being accurate and 42 | honest is important to us. 43 | -------------------------------------------------------------------------------- /frontend/components/SearchBox.tsx: -------------------------------------------------------------------------------- 1 | import { navigateTo } from 'f61ui/browserutils'; 2 | import { defaultErrorHandler } from 'f61ui/errors'; 3 | import { shouldAlwaysSucceed } from 'f61ui/utils'; 4 | import { search } from 'generated/apitypes_endpoints'; 5 | import * as React from 'react'; 6 | import * as Autocomplete from 'react-autocomplete'; 7 | import { accountUrl, folderUrl, indexUrl, searchUrl } from 'generated/apitypes_uiroutes'; 8 | 9 | interface SearchBoxProps { 10 | searchTerm?: string; // initial 11 | } 12 | 13 | interface SearchBoxState { 14 | searchTerm?: string; 15 | items: AutocompleteItem[]; 16 | hasInflight: boolean; 17 | } 18 | 19 | interface AutocompleteItem { 20 | label: string; 21 | url: string; 22 | } 23 | 24 | export class SearchBox extends React.Component { 25 | state: SearchBoxState = { hasInflight: false, items: [] }; 26 | private hasInflight = false; 27 | private beginSearchTimeout?: ReturnType; 28 | private queuedQuery = ''; 29 | 30 | render() { 31 | return ( 32 | { 35 | // https://github.com/reactjs/react-autocomplete/issues/338 36 | if (e.key !== 'Enter') { 37 | return; 38 | } 39 | 40 | // => user hit enter with non-suggested term => go to search results 41 | const searchTerm = e.target.value; 42 | 43 | if (searchTerm !== '') { 44 | navigateTo(searchUrl({ q: searchTerm })); 45 | } else { 46 | navigateTo(indexUrl()); 47 | } 48 | }, 49 | }} 50 | getItemValue={(item: AutocompleteItem) => item.url} 51 | items={this.state.items} 52 | renderItem={(item: AutocompleteItem, isHighlighted: boolean) => ( 53 |
56 | {item.label} 57 |
58 | )} 59 | value={this.state.searchTerm} 60 | onChange={(e: any) => { 61 | this.setState({ searchTerm: e.target.value, items: [] }); 62 | this.searchtermChanged(e.target.value); 63 | }} 64 | onSelect={(url: string) => { 65 | navigateTo(url); 66 | }} 67 | /> 68 | ); 69 | } 70 | 71 | private searchtermChanged(term: string) { 72 | this.queuedQuery = term; 73 | 74 | if (this.beginSearchTimeout || this.hasInflight) { 75 | return; 76 | } 77 | 78 | this.beginSearchTimeout = setTimeout(() => { 79 | this.beginSearchTimeout = undefined; 80 | 81 | shouldAlwaysSucceed(this.search(this.queuedQuery)); 82 | }, 500); 83 | } 84 | 85 | private async search(term: string) { 86 | this.queuedQuery = ''; 87 | 88 | this.hasInflight = true; 89 | 90 | try { 91 | const searchResult = await search(term); 92 | 93 | const folderMatches: AutocompleteItem[] = searchResult.SubFolders.map((item) => ({ 94 | label: item.Name, 95 | url: folderUrl({ id: item.Id }), 96 | })); 97 | 98 | const accountMatches: AutocompleteItem[] = searchResult.Accounts.map((item) => { 99 | const label = item.Username ? `${item.Title} (${item.Username})` : item.Title; 100 | return { 101 | label, 102 | url: accountUrl({ id: item.Id }), 103 | }; 104 | }); 105 | 106 | this.setState({ items: folderMatches.concat(accountMatches) }); 107 | } catch (err) { 108 | defaultErrorHandler(err); 109 | } 110 | 111 | this.hasInflight = false; 112 | 113 | // while we were fetching data from server, user wanted another query? 114 | if (this.queuedQuery) { 115 | shouldAlwaysSucceed(this.search(this.queuedQuery)); 116 | } 117 | } 118 | } 119 | -------------------------------------------------------------------------------- /frontend/components/SecretListing.tsx: -------------------------------------------------------------------------------- 1 | import { SearchBox } from 'components/SearchBox'; 2 | import { CommandLink } from 'f61ui/component/CommandButton'; 3 | import { Dropdown } from 'f61ui/component/dropdown'; 4 | import { 5 | AccountDeleteFolder, 6 | AccountMove, 7 | AccountMoveFolder, 8 | AccountRenameFolder, 9 | } from 'generated/apitypes_commands'; 10 | import { FolderResponse } from 'generated/apitypes_types'; 11 | import * as React from 'react'; 12 | import { accountUrl, folderUrl } from 'generated/apitypes_uiroutes'; 13 | 14 | interface SecretListingProps { 15 | searchTerm?: string; 16 | listing: FolderResponse; 17 | } 18 | 19 | export class SecretListing extends React.Component { 20 | render() { 21 | const folderRows = this.props.listing.SubFolders.map((folder) => { 22 | return ( 23 | 24 | 25 | 26 | 27 | 28 | {folder.Name} 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | ); 40 | }); 41 | 42 | const accountRows = this.props.listing.Accounts.map((account) => { 43 | return ( 44 | 45 | 46 | 47 | {account.Title} 48 | 49 | {account.Username} 50 | 51 | 52 | 53 | 54 | 55 | 56 | ); 57 | }); 58 | 59 | return ( 60 |
61 | 62 | 63 | 64 | 70 | 71 | 73 | 74 | 75 | {folderRows} 76 | {accountRows} 77 | 78 |
65 | 66 | Title 67 |
68 | 69 | 		Username 72 |
79 |
80 | ); 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /frontend/components/U2F.tsx: -------------------------------------------------------------------------------- 1 | import { DangerAlert, InfoAlert } from 'f61ui/component/alerts'; 2 | import { Button } from 'f61ui/component/bootstrap'; 3 | import { Loading } from 'f61ui/component/loading'; 4 | import { defaultErrorHandler } from 'f61ui/errors'; 5 | import { shouldAlwaysSucceed } from 'f61ui/utils'; 6 | import { U2FChallengeBundle, U2FResponseBundle } from 'generated/apitypes_types'; 7 | import * as React from 'react'; 8 | import { isU2FError, nativeSignResultToApiType, u2fErrorMsg, u2fSign } from 'u2ftypes'; 9 | 10 | interface U2fSignerProps { 11 | challenge: U2FChallengeBundle; 12 | signed: (result: U2FResponseBundle) => void; 13 | } 14 | 15 | interface U2fSignerState { 16 | authing: boolean; 17 | authError?: string; 18 | } 19 | 20 | export class U2fSigner extends React.Component { 21 | state: U2fSignerState = { authing: false }; 22 | 23 | componentDidMount() { 24 | // start fetching process automatically. in some rare cases the user might not 25 | // want this, but failed auth attempt timeouts are not dangerous and this reduces 26 | // extra clicks in the majority case 27 | shouldAlwaysSucceed(this.startSigning()); 28 | } 29 | 30 | render() { 31 | if (this.state.authing) { 32 | return ( 33 |
34 | Please swipe your U2F token now ... 35 | 36 | 37 |
38 | ); 39 | } 40 | 41 | return ( 42 |
43 |
52 | ); 53 | } 54 | 55 | private async startSigning() { 56 | this.setState({ authing: true, authError: undefined }); 57 | 58 | try { 59 | // u2fSign should never error/throw 60 | const result = await u2fSign(this.props.challenge.SignRequest); 61 | 62 | if (isU2FError(result)) { 63 | this.setState({ authing: false, authError: u2fErrorMsg(result) }); 64 | return; 65 | } 66 | 67 | this.props.signed({ 68 | Challenge: this.props.challenge.Challenge, 69 | SignResult: nativeSignResultToApiType(result), 70 | }); 71 | } catch (e) { 72 | defaultErrorHandler(e); 73 | } 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /frontend/errors.ts: -------------------------------------------------------------------------------- 1 | import { StructuredErrorResponse } from 'f61ui/types'; 2 | 3 | export function isSealedError(err: StructuredErrorResponse): boolean { 4 | return err.error_code === 'database_is_sealed'; 5 | } 6 | 7 | export function isNotSignedInError(err: StructuredErrorResponse): boolean { 8 | return err.error_code === 'not_signed_in'; 9 | } 10 | -------------------------------------------------------------------------------- /frontend/layout/appdefaultlayout.tsx: -------------------------------------------------------------------------------- 1 | import { SearchBox } from 'components/SearchBox'; 2 | import { getCurrentLocation } from 'f61ui/browserutils'; 3 | import { Breadcrumb } from 'f61ui/component/breadcrumbtrail'; 4 | import { NavLink } from 'f61ui/component/navigation'; 5 | import { DefaultLayout } from 'f61ui/layout/defaultlayout'; 6 | import { version } from 'generated/version'; 7 | import * as React from 'react'; 8 | import { auditLogUrl, indexUrl, settingsUrl, sshKeysUrl } from 'generated/apitypes_uiroutes'; 9 | 10 | interface AppDefaultLayoutProps { 11 | title: string; 12 | breadcrumbs: Breadcrumb[]; 13 | children: React.ReactNode; 14 | } 15 | 16 | // app's default layout uses the default layout with props that are common to the whole app 17 | export class AppDefaultLayout extends React.Component { 18 | render() { 19 | const currLoc = getCurrentLocation(); 20 | 21 | const navLinks: NavLink[] = [ 22 | { 23 | title: 'Home', 24 | url: indexUrl(), 25 | active: currLoc === indexUrl(), 26 | }, 27 | { 28 | title: 'SSH keys', 29 | url: sshKeysUrl(), 30 | active: currLoc === sshKeysUrl(), 31 | }, 32 | { 33 | title: 'Settings', 34 | url: settingsUrl(), 35 | active: currLoc === settingsUrl(), 36 | }, 37 | { 38 | title: 'Audit log', 39 | url: auditLogUrl(), 40 | active: currLoc === auditLogUrl(), 41 | }, 42 | ]; 43 | 44 | const appName = 'Passitron'; 45 | return ( 46 | } 57 | /> 58 | ); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /frontend/main.tsx: -------------------------------------------------------------------------------- 1 | import { isNotSignedInError, isSealedError } from 'errors'; 2 | import { boot, makeRouter } from 'f61ui/appcontroller'; 3 | import { getCurrentLocation, navigateTo } from 'f61ui/browserutils'; 4 | import { GlobalConfig } from 'f61ui/globalconfig'; 5 | import { StructuredErrorResponse } from 'f61ui/types'; 6 | import { RootFolderId } from 'generated/domain_types'; 7 | import AccountPage from 'pages/AccountPage'; 8 | import AuditLogPage from 'pages/AuditLogPage'; 9 | import HomePage from 'pages/HomePage'; 10 | import ImportOtpToken from 'pages/ImportOtpToken'; 11 | import SearchPage from 'pages/SearchPage'; 12 | import SettingsPage from 'pages/SettingsPage'; 13 | import SignInPage from 'pages/SignInPage'; 14 | import SshKeysPage from 'pages/SshKeysPage'; 15 | import UnlockDecryptionKeyPage from 'pages/UnlockDecryptionKeyPage'; 16 | import { DangerAlert } from 'f61ui/component/alerts'; 17 | import { AppDefaultLayout } from 'layout/appdefaultlayout'; 18 | import * as React from 'react'; 19 | import * as r from 'generated/apitypes_uiroutes'; 20 | 21 | class Handlers implements r.RouteHandlers { 22 | index() { 23 | return ; 24 | } 25 | 26 | folder(opts: r.FolderOpts) { 27 | return ; 28 | } 29 | 30 | search(opts: r.SearchOpts) { 31 | return ; 32 | } 33 | 34 | importOtpToken(opts: r.ImportOtpTokenOpts) { 35 | return ; 36 | } 37 | 38 | account(opts: r.AccountOpts) { 39 | return ; 40 | } 41 | 42 | sshKeys() { 43 | return ; 44 | } 45 | 46 | settings() { 47 | return ; 48 | } 49 | 50 | signIn(opts: r.SignInOpts) { 51 | return ; 52 | } 53 | 54 | unlockDecryptionKey(opts: r.UnlockDecryptionKeyOpts) { 55 | return ; 56 | } 57 | 58 | auditLog() { 59 | return ; 60 | } 61 | 62 | notFound(url: string) { 63 | return ( 64 | 65 |

404

66 | 67 | The page ({url}) you were looking for, is not found. 68 | 69 | ); 70 | } 71 | } 72 | 73 | // entrypoint for the app. this is called when DOM is loaded 74 | export function main(appElement: HTMLElement, config: GlobalConfig): void { 75 | config.knownGlobalErrorsHandler = (err: StructuredErrorResponse) => { 76 | if (isNotSignedInError(err)) { 77 | navigateTo(r.signInUrl({ next: getCurrentLocation() })); 78 | return true; 79 | } else if (isSealedError(err)) { 80 | navigateTo(r.unlockDecryptionKeyUrl({ next: getCurrentLocation() })); 81 | return true; 82 | } 83 | 84 | return false; 85 | }; 86 | 87 | const handlers = new Handlers(); 88 | 89 | boot( 90 | appElement, 91 | config, 92 | makeRouter(r.hasRouteFor, (relativeUrl: string) => r.handle(relativeUrl, handlers)), 93 | ); 94 | } 95 | -------------------------------------------------------------------------------- /frontend/modules.d.ts: -------------------------------------------------------------------------------- 1 | // https://stackoverflow.com/a/12695001 2 | 3 | // badly behaving external modules with no TypeScript defs 4 | declare module 'react-autocomplete'; 5 | 6 | // FIXME: type this shit out 7 | declare var u2f: any; 8 | -------------------------------------------------------------------------------- /frontend/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "app", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "-", 6 | "dependencies": { 7 | "@types/bootstrap": "3.3.28", 8 | "@types/jquery": "3.3.29", 9 | "@types/react-dom": "16.0.10", 10 | "react": "16.5.2", 11 | "jquery": "3.3.1", 12 | "date-fns": "2.0.0-alpha.27", 13 | "react-autocomplete": "1.8.1", 14 | "react-dom": "16.5.2", 15 | "bootstrap": "3.4.0", 16 | "jsqr": "1.1.1", 17 | "u2f-api": "1.0.10" 18 | }, 19 | "devDependencies": {}, 20 | "scripts": { 21 | "test": "echo \"no test specified\" && exit 0" 22 | }, 23 | "author": "", 24 | "license": "ISC" 25 | } 26 | -------------------------------------------------------------------------------- /frontend/pages/AuditLogPage.tsx: -------------------------------------------------------------------------------- 1 | import { Breadcrumb } from 'f61ui/component/breadcrumbtrail'; 2 | import { Loading } from 'f61ui/component/loading'; 3 | import { Timestamp } from 'f61ui/component/timestamp'; 4 | import { defaultErrorHandler } from 'f61ui/errors'; 5 | import { auditLogEntries } from 'generated/apitypes_endpoints'; 6 | import { AuditlogEntry } from 'generated/apitypes_types'; 7 | import { RootFolderName } from 'generated/domain_types'; 8 | import { AppDefaultLayout } from 'layout/appdefaultlayout'; 9 | import * as React from 'react'; 10 | import { indexUrl } from 'generated/apitypes_uiroutes'; 11 | 12 | interface AuditLogPageState { 13 | entries: AuditlogEntry[]; 14 | } 15 | 16 | export default class AuditLogPage extends React.Component<{}, AuditLogPageState> { 17 | private title = 'Audit log'; 18 | 19 | componentDidMount() { 20 | this.fetchData(); 21 | } 22 | 23 | render() { 24 | const entryToRow = (entry: AuditlogEntry, idx: number) => ( 25 | 26 | 27 | 28 | 29 | {entry.UserId} 30 | {entry.Message} 31 | 32 | ); 33 | 34 | const rows = 35 | this.state && this.state.entries ? ( 36 | this.state.entries.map(entryToRow) 37 | ) : ( 38 | 39 | 40 | 41 | 42 | 43 | ); 44 | 45 | return ( 46 | 47 |

{this.title}

48 | 49 | 50 | {rows} 51 |
52 | 53 | ); 54 | } 55 | 56 | private getBreadcrumbs(): Breadcrumb[] { 57 | return [ 58 | { url: indexUrl(), title: RootFolderName }, 59 | { url: '', title: this.title }, 60 | ]; 61 | } 62 | 63 | private fetchData() { 64 | auditLogEntries().then((entries) => { 65 | this.setState({ 66 | entries, 67 | }); 68 | }, defaultErrorHandler); 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /frontend/pages/HomePage.tsx: -------------------------------------------------------------------------------- 1 | import { SecretListing } from 'components/SecretListing'; 2 | import { Breadcrumb } from 'f61ui/component/breadcrumbtrail'; 3 | import { CommandLink } from 'f61ui/component/CommandButton'; 4 | import { Dropdown } from 'f61ui/component/dropdown'; 5 | import { Loading } from 'f61ui/component/loading'; 6 | import { defaultErrorHandler } from 'f61ui/errors'; 7 | import { AccountCreate, AccountCreateFolder } from 'generated/apitypes_commands'; 8 | import { getFolder } from 'generated/apitypes_endpoints'; 9 | import { FolderResponse } from 'generated/apitypes_types'; 10 | import { AppDefaultLayout } from 'layout/appdefaultlayout'; 11 | import * as React from 'react'; 12 | import { accountUrl, folderUrl } from 'generated/apitypes_uiroutes'; 13 | 14 | interface HomePageProps { 15 | folderId: string; 16 | } 17 | 18 | interface HomePageState { 19 | listing: FolderResponse; 20 | } 21 | 22 | export default class HomePage extends React.Component { 23 | componentDidMount() { 24 | this.fetchData(this.props.folderId); 25 | } 26 | 27 | componentWillReceiveProps(nextProps: HomePageProps) { 28 | this.fetchData(nextProps.folderId); 29 | } 30 | 31 | render() { 32 | if (!this.state) { 33 | return ; 34 | } 35 | 36 | const listing = this.state.listing; 37 | 38 | const breadcrumbs: Breadcrumb[] = [{ url: '', title: listing.Folder!.Name }]; 39 | 40 | for (const parent of listing.ParentFolders) { 41 | breadcrumbs.unshift({ 42 | url: folderUrl({ id: parent.Id }), 43 | title: parent.Name, 44 | }); 45 | } 46 | 47 | return ( 48 | 49 | 50 | 51 | 52 | accountUrl({ id }), 55 | })} 56 | /> 57 | 58 | 59 | 60 | ); 61 | } 62 | 63 | private fetchData(folderId: string) { 64 | getFolder(folderId).then((listing) => { 65 | this.setState({ listing }); 66 | }, defaultErrorHandler); 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /frontend/pages/ImportOtpToken.tsx: -------------------------------------------------------------------------------- 1 | import { CommandButton } from 'f61ui/component/CommandButton'; 2 | import { AccountAddOtpToken } from 'generated/apitypes_commands'; 3 | import jsQR from 'jsqr'; 4 | import { AppDefaultLayout } from 'layout/appdefaultlayout'; 5 | import * as React from 'react'; 6 | 7 | interface ImportOtpTokenProps { 8 | account: string; 9 | } 10 | 11 | interface ImportOtpTokenState { 12 | OtpProvisioningUrl?: string; 13 | } 14 | 15 | export default class ImportOtpToken extends React.Component< 16 | ImportOtpTokenProps, 17 | ImportOtpTokenState 18 | > { 19 | private title = 'Import OTP token'; 20 | 21 | render() { 22 | const breadcrumbs = [{ url: '', title: this.title }]; 23 | 24 | const maybeSubmit = 25 | this.state && this.state.OtpProvisioningUrl ? ( 26 | 29 | ) : ( 30 |

button will appear here

31 | ); 32 | 33 | return ( 34 | 35 |

Import OTP token from QR code: {this.props.account}

36 | 37 | { 41 | this.fileChange(e); 42 | }} 43 | /> 44 | 45 | {maybeSubmit} 46 | 47 |

Or import manually

48 | 49 | 50 | 51 | ); 52 | } 53 | 54 | fileChange(e: React.ChangeEvent) { 55 | if (!e.target.files || e.target.files.length === 0) { 56 | return; 57 | } 58 | 59 | if (e.target.files.length !== 1) { 60 | throw new Error('Expecting one file'); 61 | } 62 | 63 | const file = e.target.files[0]; 64 | 65 | if (!/^image\//.test(file.type)) { 66 | throw new Error('Unsupported image type - must be image/*'); 67 | } 68 | 69 | imageFromFile(file, (img: HTMLImageElement) => { 70 | const idata = imageDataFromImage(img); 71 | 72 | const scanResult = jsQR(idata.data, idata.width, idata.height); 73 | if (!scanResult) { 74 | alert('error reading QR code'); 75 | return; 76 | } 77 | 78 | this.setState({ 79 | OtpProvisioningUrl: scanResult.data, 80 | }); 81 | }); 82 | } 83 | } 84 | 85 | function imageDataFromImage(img: HTMLImageElement): ImageData { 86 | const tempCanvas = document.createElement('canvas'); 87 | // these have to be set explicitly via direct width and height, and not via .style 88 | tempCanvas.width = img.width; 89 | tempCanvas.height = img.height; 90 | 91 | const canvasCtx = tempCanvas.getContext('2d'); 92 | if (!canvasCtx) { 93 | throw new Error('canvas 2d rendering context not available'); 94 | } 95 | 96 | // drawing on the canvas seems to work (at least in Chrome) when it's not in the 97 | // document, which is convenient b/c we don't have to do cleanup 98 | canvasCtx.drawImage(img, 0, 0); 99 | 100 | return canvasCtx.getImageData(0, 0, img.width, img.height); 101 | } 102 | 103 | function imageFromFile(file: File, load: (img: HTMLImageElement) => void) { 104 | const img = new Image(); 105 | img.onload = () => { 106 | URL.revokeObjectURL(img.src); 107 | 108 | load(img); 109 | }; 110 | img.src = URL.createObjectURL(file); 111 | } 112 | -------------------------------------------------------------------------------- /frontend/pages/SearchPage.tsx: -------------------------------------------------------------------------------- 1 | import { SecretListing } from 'components/SecretListing'; 2 | import { Breadcrumb } from 'f61ui/component/breadcrumbtrail'; 3 | import { Loading } from 'f61ui/component/loading'; 4 | import { defaultErrorHandler } from 'f61ui/errors'; 5 | import { search } from 'generated/apitypes_endpoints'; 6 | import { FolderResponse } from 'generated/apitypes_types'; 7 | import { RootFolderName } from 'generated/domain_types'; 8 | import { AppDefaultLayout } from 'layout/appdefaultlayout'; 9 | import * as React from 'react'; 10 | import { indexUrl } from 'generated/apitypes_uiroutes'; 11 | 12 | interface SearchPageProps { 13 | searchTerm: string; 14 | } 15 | 16 | interface SearchPageState { 17 | searchResult: FolderResponse; 18 | } 19 | 20 | export default class SearchPage extends React.Component { 21 | componentDidMount() { 22 | this.fetchData(); 23 | } 24 | 25 | render() { 26 | if (!this.state) { 27 | return ; 28 | } 29 | 30 | const breadcrumbs: Breadcrumb[] = [ 31 | { url: indexUrl(), title: RootFolderName }, 32 | { url: '', title: `Search: ${this.props.searchTerm}` }, 33 | ]; 34 | 35 | return ( 36 | 37 | 41 | 42 | ); 43 | } 44 | 45 | private fetchData() { 46 | search(this.props.searchTerm).then((searchResult) => { 47 | this.setState({ searchResult }); 48 | }, defaultErrorHandler); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /frontend/pages/SettingsPage.tsx: -------------------------------------------------------------------------------- 1 | import { DangerAlert, InfoAlert } from 'f61ui/component/alerts'; 2 | import { Button, Panel } from 'f61ui/component/bootstrap'; 3 | import { Breadcrumb } from 'f61ui/component/breadcrumbtrail'; 4 | import { CommandButton, CommandInlineForm, CommandLink } from 'f61ui/component/CommandButton'; 5 | import { Dropdown } from 'f61ui/component/dropdown'; 6 | import { Loading } from 'f61ui/component/loading'; 7 | import { Timestamp } from 'f61ui/component/timestamp'; 8 | import { defaultErrorHandler, formatAnyError } from 'f61ui/errors'; 9 | import { shouldAlwaysSucceed } from 'f61ui/utils'; 10 | import { 11 | DatabaseExportToKeepass, 12 | SessionSignOut, 13 | UserAddAccessToken, 14 | UserChangeDecryptionKeyPassword, 15 | UserChangePassword, 16 | UserCreate, 17 | UserRegisterU2FToken, 18 | } from 'generated/apitypes_commands'; 19 | import { u2fEnrolledTokens, u2fEnrollmentChallenge, userList } from 'generated/apitypes_endpoints'; 20 | import { RegisterResponse, U2FEnrolledToken, User } from 'generated/apitypes_types'; 21 | import { RootFolderName } from 'generated/domain_types'; 22 | import { AppDefaultLayout } from 'layout/appdefaultlayout'; 23 | import * as React from 'react'; 24 | import { indexUrl } from 'generated/apitypes_uiroutes'; 25 | import { isU2FError, u2fErrorMsg, U2FStdRegisterResponse } from 'u2ftypes'; 26 | 27 | interface SettingsPageState { 28 | u2fregistrationrequest?: string; 29 | enrollmentInProgress: boolean; 30 | enrolledTokens?: U2FEnrolledToken[]; 31 | enrollmentError?: string; 32 | users?: User[]; 33 | } 34 | 35 | export default class SettingsPage extends React.Component<{}, SettingsPageState> { 36 | state: SettingsPageState = { 37 | enrollmentInProgress: false, 38 | }; 39 | private title = 'Settings'; 40 | 41 | componentDidMount() { 42 | shouldAlwaysSucceed(this.fetchData()); 43 | } 44 | 45 | render() { 46 | return ( 47 | 48 |
49 |
50 | 51 |
52 | 53 |
54 | 55 |
56 | 57 |
58 | 59 |
60 | 61 |
62 | 63 |
64 |
65 | {this.renderUsers()} 66 | 67 | 68 |

Enrolled tokens

69 | 70 | {this.renderEnrolledTokens()} 71 | 72 | {this.u2fEnrollmentUi()} 73 | 74 |
75 |
76 | 77 | ); 78 | } 79 | 80 | // shows: 81 | // - enrollment start button 82 | // - error 83 | // - progress 84 | // - finish 85 | private u2fEnrollmentUi(): React.ReactNode { 86 | if (this.state.enrollmentInProgress) { 87 | return ( 88 |
89 | Please swipe your U2F token now. 90 | 91 |
92 | ); 93 | } 94 | 95 | if (this.state.u2fregistrationrequest) { 96 | return ( 97 | 100 | ); 101 | } 102 | 103 | return ( 104 |

105 | {this.state.enrollmentError && ( 106 | {this.state.enrollmentError} 107 | )} 108 |