Open overheadhunter opened 1 month ago
The changes introduce new event types and corresponding DTOs for signing Web of Trust (WoT) IDs, expand MemberDto
with public key fields, add REST resources for settings management, and implement trust-related user operations. Additionally, there are significant updates to the front-end components and types to support these new features, while also introducing comprehensive integration tests and an enriched database schema to manage the trust relationships.
File(s) | Change Summary |
---|---|
backend/src/.../AuditLogResource.java |
Added handling for SignedWotIdEvent , including new DTOs and methods for conversion and retrieval. |
backend/src/.../MemberDto.java |
Included ecdhPublicKey and ecdsaPublicKey fields, updating constructor and fromEntity methods. |
backend/src/.../SettingsResource.java |
Introduced a RESTful API for managing settings with endpoints subject to role-based access control. |
backend/src/.../UserDto.java |
Deprecated legacyEcdhPublicKey field, noting its eventual removal. |
backend/src/.../UsersResource.java |
Added methods for trust-related operations and introduced relevant data transfer objects. |
backend/src/.../EffectiveWot.java |
Introduced EffectiveWot entity with methods for finding trusted users and a repository class for DB ops. |
backend/src/.../Settings.java |
Added fields wotMaxDepth and wotIdVerifyLen with corresponding getter/setter methods, and updates in utility methods. |
backend/src/.../StringArrayType.java |
Created a custom UserType for handling string arrays in Hibernate with necessary methods. |
backend/src/.../EventLogger.java |
Added logWotIdSigned method to log the signing of WoT IDs. |
backend/src/.../SignedWotIdEvent.java |
Introduced this entity class representing a signed WoT ID event with necessary methods and overrides. |
backend/src/.../flyway/V16__WoT.sql |
Altered the database schema to add new columns and tables for WoT IDs, and created a view to calculate trust relationships. |
backend/src/.../AuditLogResourceIT.java |
Added integration tests for AuditLogResource , including necessary mocks and setups. |
backend/src/.../SettingsResourceIT.java |
Introduced integration tests for the newly created SettingsResource API endpoints with different roles. |
frontend/src/.../auditlog.ts |
Refactored AuditEventDto types into base and derived types for specific events. |
frontend/src/.../backend.ts |
Added new types and methods for handling trust operations and fetching settings data. |
frontend/src/.../crypto.ts |
Renamed key usage constants, updated methods to align with these changes, and introduced getJwkThumbprint function. |
frontend/src/.../GrantPermissionDialog.vue |
Updated imports and replaced getFingerprint with wot.computeFingerprint . |
frontend/src/.../SignUserKeysDialog.vue |
Created a new dialog component for signing user keys. |
frontend/src/.../TrustDetails.vue |
Added a component for displaying trust levels and managing key signing processes. |
frontend/src/.../AuditLogDetailsSignedWotId.vue |
Added a component to display details related to signed identities in an audit log. |
In cryptos' nested lair so deep,
Trust and keys a vigil keep,
Signatures bind, new depths they plumb,
Into the heart of trust we come.
Harmony in settings found,
Where Webs of Trust (WoT) are wound,
In this code, secure and sound.
ππβ¨
[!TIP]
Early access features
- OpenAI `gpt-4o` model for reviews and chat. Note: - You can disable early access features from the CodeRabbit UI or by setting `early_access: false` in the CodeRabbit configuration file. - Please join our [Discord Community](https://discord.com/invite/GsXnASn26c) to provide feedback and report issues. - OSS projects are always opted into early access features.
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?
@SailReal this is still WiP, but could you please review the backend part up to this point? This is merely the dumb storage logic, all signature creation and validation will then be done by the frontend.
The signature will simply be a JWT containing the trusted user's public key and is signed by the trusting user. Intermediate items in the signature chain can therefore be simply validated without further db lookups. Just the root and leaf public keys must be checked against their respective owners.
No idea what the tooltip (remark number 6) is about. It was there before already.
API endpoints
This adds two new methods to the users resource:
PUT /api/users/trusted/{userId}
, which stores a signature created by the current user for the user referenced byuserId
GET /api/users/trusted
, which retrieves all users with their corresponding signature chains that are directly or transitively trusted by the current userThese added test cases demonstrate the usage.
Database
This adds a new table
wot
as well as a vieweffective_wot
. Thewot
table stores all signatures added via the aforementioned endpoint. Theeffective_wot
contains the signature chains by looking up transitive trusts up to a graph depth of 10.Frontend
A component is added to signify whether a user can be trusted. It shows whether a chain of trust between the user in question and the logged in user exists. Furthermore it allows to sign the user's public keys.
Future work
Currently, there are two new parameters in the
settings
table that may be exposed to the admin interface in a separate future PR:wot_max_depth
limits the number of edges in the WoT graph between two users when trying to find a trust chainwot_id_verify_len
is used by the frontend to specify how many hex digits of the hash of user U's public key a signer S has to enter in order to sign U's keys.The chosen defaults are up for debate, of course.