Permissions and cryptographic constraints
This page lists all the permissions you have, and by which means you have
them. If it is protected by the Vault server (allowing or disallowing
certain things), or if it is protected by cryptographic means (mathematically
can’t be accessed, unless certain passwords, passphrases, keys are provided).
We’ll start with a bullet-pointed list of all the constraints, and we’ll
try to make it a table or a graph and order all of this sooner or later:
- user-setup must be called before 300 seconds (can be configured in .ini file under “sflvault.vault.setup_timeout”)
- user-add will fail if user exists
- user-add requires ‘global-admin’ via xml-rpc. Direct library allowed.
- user-add will update the setup time if it was timed out. Same restrictions apply.
- user-del requires ‘global-admin’ via xml-rpc. Direct library access allowed. Will remove user directly if it exists.
- user-list requires authentication via xml-rpc. Direct lib. access allowed. Lib returns setup status, if user is admin, and it’s groups (include admin membership of groups).
- service-get requires authentication via xml-rpc. Direct lib access allowed. Returns the service.
- service-put requires authentication via xml-rpc. Direct lib access allowed. WARNING: No groups constraints are applied, to update service. TODO: apply these checks in XML-RPC.
- show (service-get-tree in lib) requires auth. via xml-rpc. Direct lib access allowed.
- search requires authentication via xml-rpc. Direct lib access allowed. Returns search results.
- customer_get requires authentication via xml-rpc. Direct lib access allowed.
- customer_put requires authentication via xml-rpc. Direct lib access allowed.
- customer_add requires authentication via xml-rpc. Direct lib access allowed.
- customer_del requires ‘global-admin’ permissions via xml-rpc. Direct lib access allowed. Deleting a customer deletes all it’s machines and services.
- machine_put requires authentication via xml-rpc. Direct lib access allowed. Anyone can update machine infos.
- machine_get requires authentication via xml-rpc. Direct lib access allowed.
- machine_add requires authentication via xml-rpc. Direct lib access allowed.
- service_add requires authentication via xml-rpc. Direct lib access allowed. No group restrictions applied. Every user can add a service to any group. Doesn’t mean he’s going to be able to read it.
- group_get requires auth via xml-rpc. Direct lib access allowed.
- group_put requires auth via xml-rpc. Direct lib access allowed. Group admin required to ‘hide’ group. Constraint applied in the library (not at XML-RPC level). TODO: change this behavior, make the checks in XML-RPC lib.
- group_add requires auth via xml-rpc. Direct lib access allowed. Requires self.myself_id to add a group. Anyone can add a group. The one adding a group becomes admin of this group. Any service then added to this group will be accessible to the members of that group.
- group_del requires ‘global-admin’ via xml-rpc. Direct access to lib allowed. Library doesn’t allow deletion of non-empty groups.
- group_list requires auth via xml-rpc. Direct access to lib allowed. Doesn’t show hidden groups to non-members of those groups, except for global admins. Via xml-rpc, can’t override behavior. Direct lib access allows override (see all groups no matter which hidden status it is in, with show_hidden=True). TODO: make sure this is true!
- group_add_service requires auth via xml-rpc. Direct lib allowed. CRYPTO constraint: you need to have a decrypted service symkey (requiring your private key, and previous access to service_get) to add a service to any group. The vault has no means to verify the consistency of your symkey. Providing random symkeys will create an unusable service (accessed via this group).
- group_del_service requires simple auth via xml-rpc. Direct lib allowed. Lib constraint: service must be in another group to be detached from this group (otherwise you’d lose your service :). XML-RPC constraint: can’t delete group if you’re not admin of the group nor global-admin. TODO: move group constraints and admin constraints to XML-RPC layer.
- group_add_user requires XML-RPC auth. Lib access allowed. CRYPTO constraint: you need to have a decrypted group key (requiring your private key, and previous access to group_add_user to retrieve the user’s public key, and the group’s encrypted private key). Lib enforces being in the group, since this is the only way you can provide a validly encrypted groupkey. Being global-admin in any case doesn’t help here (because of CRYPTO constraints). This command trusts that the remote user adding another user enters valid data as a cryptgroupkey. If junk is added in that field, the added user simply won’t be able to access the group’s data. Also will he need to be removed and added successfully to the group for everything to work. TODO: implement group’s symkey encryption + migration scripts.
- group_del_user requires simple auth via XML-RPC. Lib access allowed. Lib constraints prevents from deleting yourself from the group. Makes sure someone else will remain in the group. The library will make everything possible to make sure there is at least a group admin left. It will warn if there is no more. It will prevent you from deleting the last admin. XML-RPC will block if you are not either group-admin of this group, or global-admin. TODO: Admin flags are to be verified in the XML-RPC layer.
- machine_del requires ‘global-admin’ via xml-rpc. Lib access is allowed. Lib constraint: prevent deleting a machine that containts a service that is a parent to another service. Otherwise, delete machine and it’s services.
- service_del requires ‘global-admin’ via xml-rpc. Lib access is allowed. Lib constraint: won’t remove a service with childs. If user is global admin, allow. If user is admin of all groups the service is in, allow. Otherwise, you’ll have to ask each admins of each groups the service is in to detach the service first. TODO: move admin checks to XML-RPC, require auth and more checks in body. DOUBLE CHECK
- customer_list requires auth via xml-rpc. Lib access allowed. No constraints.
- machine_list requires auth via xml-rpc. Lib access allowed. No constraints.
- service_list requires auth via xml-rpc. Lib access allowed. No constraints. NO cryptogram is sent with responses to service_list.
- service_passwd requires auth via xml-rpc. Lib access allowed. Constraints: lib (and xml-rpc call) refuses to perform operation if you don’t have access to decrypt the password first. The call to this function will not actually decrypt anything, it will just make sure you’re not overwriting some data you didn’t previously have access to.
TODO: documenter ce qui est cryptographié, et ce qui est accessible si la voute est compromise.
TODO: note functions that requires self.myself_id to operate.
NOTE: first user called admin, implication, where to store it’s credentials. Use it as a user, or not ? Ça en prendra un. Procédure sera d’imprimer la clé privée, et de la foutre dans un voute, à la banque.
- Dans l’armée, write higher, read lower. Pattern ici ? Comment est restreint la suppression ? Pour effacer un service, faut être admin ? être du même niveau ?
- http://en.wikipedia.org/wiki/Bell-LaPadula_Model
Suivant le modèle, on ne peut pas modifier
Overwriter un document existant, dans ce modèle là ?? service_put par exemple ? Vérifier avec Alexandre Miege.
Hasher, utiliser la clé sans avoir la clé. Hasher avec la date, sans pouvoir la réutiliser ?
Deux clés de groupes, une pour admin, l’autre pour pas admin.
Permissions for each function (library and via xml-rpc)
All functions requires user authentication when called via XML-RPC, unless otherwise noted.
All functions can be accessed directly via the Python library with no constraints, unless otherwise noted.
Of course, a call via XML-RPC will call the library only if authentications and checks pass.
Function name |
Access via library |
Access via web (xml-rpc) |
user_add |
Fails if user exists.
Resets setup-time if timed out. |
Requires ‘global-admin’ permission. |
user_setup |
Must be called before 300 seconds
(can be configured in the .ini file
under the key:
sflvaut.vault.setup_timeout) |
|
user_del |
Removes user directly. |
Requires ‘global-admin’ permission. |
user_list |
Returns setup statuses, admin flags,
each users’ groups (and admin flags) |
|
service_add |
No group restrictions apply. Anyone
can add service to any group. Mind
that he can’t necessariliy read it
back. |
|
service_del |
Prevents removing services with
childs. ‘global-admin’ and admins
of all groups the service is in are
allowed to delete the service.
Otherwise, the service needs to be
detached first. |
Requires ‘global-admin’ permission. |
service_get |
|
|
service_put |
WARN: No groups constraints are
enforced when updating a service. |
|
service_get_tree |
|
|
(show) |
|
|
service_list |
No cryptogram is transmitted here |
|
service_passwd |
Prior access to password is required
and enforced. |
|
search |
|
|
customer_get |
|
|
customer_put |
|
|
customer_add |
|
|
customer_del |
Deletes all it’s machines and
services. Stops if breaking service
cascades. |
Requires ‘global-admin’ permission. |
customer_list |
|
|
machine_put |
|
Anyone can update machine infos. |
machine_get |
|
|
machine_add |
|
|
machine_del |
Deletes all it’s services as well.
Stops if breaking service cascades. |
Requires ‘global-admin’ permission. |
machine_list |
|
|
group_get |
|
|
group_put |
Group admin required to hide group.
Group member required to modify. |
|
group_add |
Creator of the group is granted
admin privs. on that group. |
|
group_del |
Can’t remove non-empty groups |
Requires ‘global-admin’ permission. |
group_list |
Hidden groups are hidden from non-
members, unless ‘global-admin’. |
|
group_add_service |
CRYPTO constraint: you need to have
a decrypted service symkey
(requiring your private key, and
previous access to service_get) to
add a service to any group. The
vault has no means to verify the
consistency of your symkey.
Providing random symkeys will create
an unusable service (accessed via
this group). |
|
group_del_service |
Can’t detach a service if it’s its
last group (otherwise, you lose it). |
|
group_add_user |
You need to have a decrypted group
key (requiring your private key, and
previous access to group_add_user to
retrieve the user’s public key, and
the group’s encrypted private key).
Enforces being in the group, since
this is the only way you can provide
a validly encrypted groupkey.
This command trusts that the remote
user adding another user enters
valid data as a cryptgroupkey.
If junk is added in that field, the
added user simply won’t be able to
access the group’s data. Also will
he need to be removed and added
successfully to the group for
everything to work. |
|
group_del_user |
Prevents from deleting yourself from
the group.
Makes sure someone else will remain
in the group.
Makes everything possible to make
sure there is at least a group admin
left. |
Group-admin or ‘global-admin’
required |
What happens if the vault is compromised
If the vault is compromised on server side – some guy ran away with the database contents, or cracked the vault server, it is still impossible for him to decrypt anything, except in the following situations:
- If the attacker also has access to a user’s private key (decrypted, that is). In that case:
- the attacker now has access to any service the user had. Any services in any of the groups that user was member of.
- he still does not have access to any of the services that aren’t in the user’s groups.
- If the attacker holds control of the vault, and it continues to be used, he could discover these three elements, which all have limited damage at start, but grows over time:
- When adding a new service (service_add), the attacker will gain knowledge of the symkey used to encrypt the secret, and the plaintext secret itself. This would allow him to decrypt the secret in the future without any other constraint. He could also simply save the secret! This symkey, though, doesn’t give access to any other service, only to this one. This symkey is regenerated when the password is changed with service_passwd, but if he still has access to running a compromised vault, he will probably get the new service password also.
- When changing a service’s password, the same thing applies. The attacker gains knowledge of both the generated symkey and the plaintext secret.
- When adding a new group, the attacker can gain knowledge of the group’s generated private key. It does not give access to any service at that particular moment, but could be used after several services have been added to that group, to decrypt those services’ secret. Though, if the attacker still has control of the vault, all these services were already compromised by the two previous cases (adding a new service, and changing a service’s password).
Other risks involved
A user could create a group, having admin privileges upon creation, and set a name that could fool other users into adding services to it, by giving it the same name as already existing group for example. If another user adds a service to that group, the creator of the group could have access to that service, even if the user didn’t have access to the original group.