TOTP secrets in the web UI #27413
TOTP secrets in the web UI #27413
Conversation
|
|
|
|
|
I haven't added any test yet but can do if required. But it would be great to get a first review if the approach in general is fine. |
There was a problem hiding this comment.
Wow! 🤩 Amazing start on this, and kudos for navigating the notoriously difficult secrets area of the codebase!
Overall, I think your approach for the TOTP keys makes sense, as it closely follows CRUD. However, for the code workflow I think we should copy a combination of AWS and Database:
- list view -- rename "Accounts" to "Keys" to better match documentation
- click on item takes you to /vault/secrets/totp/credentials/:keyName
- in the credentials route, if the backend type is
totpwe go ahead and get the credentials and show them on a credentials view, similar to how database credentials works - From the keys list view, you can click the popup menu to access show or edit pages for the key details
For the code generation and verification, since the payload and responses are both fairly small it might be worth removing the code-totp model/adapter and using a custom adapter method for those endpoints instead.
The "show" and "edit" views should show/edit the TOTP Key data, not the code. The code generation will be moved to the credentials page.
Again, this is a great start and please feel free to tag @hashicorp/vault-ui if you have any questions!
ui/app/components/totp-create.js
Outdated
| @service router; | ||
| @service store; | ||
|
|
||
| checkValidation(name, value) { |
There was a problem hiding this comment.
We typically define validation on the model (search @withModelValidations in the codebase for examples) and then it would get invoked/read via this.args.model.validate(). Using that pattern should simplify this component a bit!
There was a problem hiding this comment.
I added the @withModelValidations decorator but I'm not sure where to call the validate since totp-edit.js extends the role-edit.js. Could I just add the validate() call in the createOrUpdate action or would that break for models without the decorator?
vault/ui/app/components/role-edit.js
Line 69 in 7f0e644
ui/app/adapters/code-totp.js
Outdated
| namespace: 'v1', | ||
|
|
||
| // TODO: Validation is not yet supported | ||
| //createRecord(store, type, snapshot) { |
There was a problem hiding this comment.
Even though validation is a POST request, it doesn't create a new item in the CRUD sense, so for validation I would probably make some custom adapter method that could get invoked anywhere like this.store.adapterFor('code-totp').validateCode(backend, code, payload). transit-key adapter has a custom method called keyAction that you could look at as an example of something similar.
|
Thanks for the detailed feedback. I'll try to find some time this weekend to make the changes according to your suggestions. |
|
I adapted the create/edit and generate workflow to your suggestions @hashishaw. I think I addressed most of your comments. Some open questions that I still have: To which extend does it make sense to allow editing the key entries? How to deal with the URL vs individual fields to create a new key Is the key name equal to the TOTP account_name? Support for provider mode? @hashicorp/vault-ui
|
|
I added the provider mode as well. After the key created the user is presented with the QR code: |
|
The create dialog is still not great because of the ambiguity between the URL field and the other fields. |
| @attr('string', { | ||
| editDisabled: true, | ||
| possibleValues: ALGORITHMS, | ||
| defaultValue: 'SHA1', |
There was a problem hiding this comment.
Is it possible to provide default values for the create/edit form without having to set them here on the model?
There was a problem hiding this comment.
Sort of -- do you want the default value to be dynamic, or why isn't setting it on the model preferable?
There was a problem hiding this comment.
No, the main reason was that everything which is set on the model is currently serialized. But some options are mutually exclusive in the POST request. I just realized that it's probably better to tackle this in the serializer and conditionally remove attributes from the serialized data.
The other reason was that some attributes are only used in the POST request but never returned by the GET request. But with the default values it looks like they got returned from the request as well.
There was a problem hiding this comment.
Got it! Yes, we don't want to show "default" values that are not actually reflected in the backend. One way we get around this limitation (which we run into fairly often) is to instead set the "initial values" in the createRecord invocation. So in this case, in the credentials route, we would have:
getTOTPCode(backend, keyName) {
return this.store.adapterFor('totp').generateCode(backend, keyName, { algorithm: 'SHA1' });
},
with whatever other values we want to set initially, and remove the defaultValue unless this is truly the default value that the backend has. Good question!
|
Thank you, this is excellent progress! Pardon me while I get up to speed on TOTP 😄
Good question -- let me take this back to my team for discussion. I don't think we have any other engines that don't allow edit at all, and according to the API it looks like any of the fields other than name could be updated (whether that's advisable is something different).
Another great question. Generally we prefer not to mess too much with the user input, and submit as-is. For displaying the fields relevant to the mode, we do have some patterns for choosing a type of setup that maybe we could incorporate here. I will talk to our design team, but relying on the user to know what to fill out might be fine for now. Do you know, if you create a key and set
It looks like the key's name is different than
Your solution for provider mode seems reasonable, and I think it's good to support it with this work. If the key read response returns Thanks again for your work on this! I will pull down the latest changes and test, and let you know if there are any other things we should update. |
I just tried to edit the vault/builtin/logical/totp/path_keys.go Line 210 in 9af5c5c
I'm not sure which exact request you're talking about. So I'll just provide the answer for all of them. 😉
If generate is
Yes, I would say so. For example in the screenshot from FreeOTP the accounts are just identified by information like account name and issuer. I'm not sure if you could add a custom key name as well or edit some of the information.
The last two options might come with some issues to transform the values into a valid key name. I'm not sure if all characters are allowed as part of the key name. And if we allow to edit the
Unfortunately that information is not stored. From a TOTP perspective it matters only during the setup and doesn't make any difference later which is I guess why it is not stored. But as you said, I think we can stick to what I currently implemented and that should be fine.
You're welcome, thanks for the review and feedback. I'll address your new comments over the next days. |
|
@hashishaw do you have any update on this? |
|
any ETA regarding that feature ? |
|
Hey folks, sorry I was on vacation last month and then dropped the ball on this. Let me schedule a sync with our designer, and I'll post an update after we review based on our user experience standards. Thanks for your patience! |
|
thanks for working on this, so important feature for us..any eta on release? |
mpflanzer
force-pushed
the
ui/totp-web
branch
from
87e959d to
8cd0a78
Compare
|
Is there still interest in merging this into Vault? |
Extends the UI to create, delete TOTP token generators and read TOTP tokens. The details view for an account refreshes automatically to generate the next token.
The "provider" mode of the TOTP engine is currently not supported. This could easily be added in another PR if there is a use case for it.
Closes: #12698 and #16786