UVF support

backend/src/main/java/org/cryptomator/hub/api/VaultResource.java

@@ -247,11 +247,18 @@ public Response removeAuthority(@PathParam("vaultId") UUID vaultId, @PathParam("
 	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
 	@Transactional
 	@Produces(MediaType.APPLICATION_JSON)
-	@Operation(summary = "list devices requiring access rights", description = "lists all devices owned by vault members, that don't have a device-specific masterkey yet")
+	@Operation(summary = "list members requiring access tokens", description = "lists all members, that have permissions but lack an access token")
 	@APIResponse(responseCode = "200")
 	@APIResponse(responseCode = "403", description = "not a vault owner")
-	public List<UserDto> getUsersRequiringAccessGrant(@PathParam("vaultId") UUID vaultId) {
-		return userRepo.findRequiringAccessGrant(vaultId).map(UserDto::justPublicInfo).toList();
+	public List<MemberDto> getUsersRequiringAccessGrant(@PathParam("vaultId") UUID vaultId) {
+		return effectiveVaultAccessRepo.findMembersWithoutAccessTokens(vaultId).map(access -> {
+			if (access.getAuthority() instanceof User u) {
+				return MemberDto.fromEntity(u, access.getRole());
+			} else {
+				// findMembersWithoutAccessTokens() should only return users, not groups.
+				throw new IllegalStateException();
+			}
+		}).toList();
 	}
 
 	@Deprecated(forRemoval = true)
@@ -332,6 +339,38 @@ public Response unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfAr
 		}
 	}
 
+	@GET
+	@Path("/{vaultId}/uvf/vault.uvf")
+	@RolesAllowed("user")
+	@Transactional
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "get the vault.uvf file")
+	@APIResponse(responseCode = "200")
+	@APIResponse(responseCode = "404", description = "unknown vault")
+	public String getUvfMetadata(@PathParam("vaultId") UUID vaultId) {
+		var vault = vaultRepo.findById(vaultId);
+		if (vault == null || vault.getUvfMetadataFile() == null) {
+			throw new NotFoundException();
+		}
+		return vault.getUvfMetadataFile();
+	}
+
+	@GET
+	@Path("/{vaultId}/uvf/jwks.json")
+	@RolesAllowed("user")
+	@Transactional
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "get public vault keys", description = "retrieves a JWK Set containing public keys related to this vault")
+	@APIResponse(responseCode = "200")
+	@APIResponse(responseCode = "404", description = "unknown vault")
+	public String getUvfKeys(@PathParam("vaultId") UUID vaultId) {
+		var vault = vaultRepo.findById(vaultId);
+		if (vault == null || vault.getUvfMetadataFile() == null) {
+			throw new NotFoundException();
+		}
+		return vault.getUvfKeySet();
+	}
+
 	@POST
 	@Path("/{vaultId}/access-tokens")
 	@RolesAllowed("user")
@@ -419,7 +458,9 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		// set regardless of whether vault is new or existing:
 		vault.setName(vaultDto.name);
 		vault.setDescription(vaultDto.description);
-		vault.setArchived(existingVault.isEmpty() ? false : vaultDto.archived);
+		vault.setArchived(existingVault.isPresent() && vaultDto.archived);
+		vault.setUvfMetadataFile(vaultDto.uvfMetadataFile);
+		vault.setUvfKeySet(vaultDto.uvfKeySet);
 
 		vaultRepo.persistAndFlush(vault); // trigger PersistenceException before we continue with
 		if (existingVault.isEmpty()) {
@@ -500,14 +541,18 @@ public record VaultDto(@JsonProperty("id") UUID id,
 						   @JsonProperty("description") @NoHtmlOrScriptChars String description,
 						   @JsonProperty("archived") boolean archived,
 						   @JsonProperty("creationTime") Instant creationTime,
+						   @JsonProperty("uvfMetadataFile") String uvfMetadataFile,
+						   @JsonProperty("uvfKeySet") String uvfKeySet,
 						   // Legacy properties ("Vault Admin Password"):
-						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations,
-						   @JsonProperty("salt") @OnlyBase64Chars String salt,
+						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations, @JsonProperty("salt") @OnlyBase64Chars String salt,
 						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey
+
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey());
+			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getUvfMetadataFile(), entity.getUvfKeySet(),
+					// legacy properties:
+					entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey());
 		}
 
 	}

backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java

@@ -9,6 +9,9 @@
 import jakarta.persistence.Entity;
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.MapsId;
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 import org.hibernate.annotations.Immutable;
@@ -19,6 +22,7 @@
 import java.util.Objects;
 import java.util.UUID;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 @Entity
 @Immutable
@@ -62,11 +66,29 @@ SELECT count(DISTINCT u)
 		FROM EffectiveVaultAccess eva
 		WHERE eva.id.vaultId = :vaultId AND eva.id.authorityId = :authorityId
 		""")
+@NamedQuery(name = "EffectiveVaultAccess.findMembersWithoutAccessTokens", query = """
+		SELECT eva
+		FROM EffectiveVaultAccess eva
+			INNER JOIN User u ON u.id = eva.id.authorityId
+			LEFT JOIN AccessToken token ON token.id.vaultId = eva.id.vaultId AND token.id.userId = eva.id.authorityId
+			WHERE eva.id.vaultId = :vaultId AND token.vault IS NULL AND u.ecdhPublicKey IS NOT NULL
+		"""
+)
 public class EffectiveVaultAccess {
 
 	@EmbeddedId
 	private EffectiveVaultAccess.Id id;
 
+	@ManyToOne
+	@MapsId("vaultId")
+	@JoinColumn(name = "vault_id")
+	private Vault vault;
+
+	@ManyToOne
+	@MapsId("authorityId")
+	@JoinColumn(name = "authority_id")
+	private Authority authority;
+
 	public Id getId() {
 		return id;
 	}
@@ -75,6 +97,30 @@ public void setId(Id id) {
 		this.id = id;
 	}
 
+	public Vault getVault() {
+		return vault;
+	}
+
+	public void setVault(Vault vault) {
+		this.vault = vault;
+	}
+
+	public Authority getAuthority() {
+		return authority;
+	}
+
+	public void setAuthority(Authority authority) {
+		this.authority = authority;
+	}
+
+	public VaultAccess.Role getRole() {
+		return id.role;
+	}
+
+	public void setRole(VaultAccess.Role role) {
+		this.id.role = role;
+	}
+
 	@Embeddable
 	public static class Id implements Serializable {
 
@@ -170,8 +216,12 @@ public long countSeatOccupyingUsersOfGroup(String groupId) {
 
 		public Collection<VaultAccess.Role> listRoles(UUID vaultId, String authorityId) {
 			return find("#EffectiveVaultAccess.findByAuthorityAndVault", Parameters.with("vaultId", vaultId).and("authorityId", authorityId)).stream()
-					.map(eva -> eva.getId().getRole())
+					.map(EffectiveVaultAccess::getRole)
 					.collect(Collectors.toUnmodifiableSet());
 		}
+
+		public Stream<EffectiveVaultAccess> findMembersWithoutAccessTokens(UUID vaultId) {
+			return find("#EffectiveVaultAccess.findMembersWithoutAccessTokens", Parameters.with("vaultId", vaultId)).stream();
+		}
 	}
 }

backend/src/main/java/org/cryptomator/hub/entities/User.java

@@ -20,15 +20,6 @@
 @Entity
 @Table(name = "user_details")
 @DiscriminatorValue("USER")
-@NamedQuery(name = "User.requiringAccessGrant",
-		query = """
-				SELECT u
-				FROM User u
-					INNER JOIN EffectiveVaultAccess perm ON u.id = perm.id.authorityId
-					LEFT JOIN u.accessTokens token ON token.id.vaultId = :vaultId AND token.id.userId = u.id
-					WHERE perm.id.vaultId = :vaultId AND token.vault IS NULL AND u.ecdhPublicKey IS NOT NULL
-				"""
-)
 @NamedQuery(name = "User.getEffectiveGroupUsers", query = """
 				SELECT DISTINCT u
 				FROM User u
@@ -149,10 +140,6 @@ public int hashCode() {
 	@ApplicationScoped
 	public static class Repository implements PanacheRepositoryBase<User, String> {
 
-		public Stream<User> findRequiringAccessGrant(UUID vaultId) {
-			return find("#User.requiringAccessGrant", Parameters.with("vaultId", vaultId)).stream();
-		}
-
 		public long countEffectiveGroupUsers(String groupdId) {
 			return count("#User.countEffectiveGroupUsers", Parameters.with("groupId", groupdId));
 		}

backend/src/main/java/org/cryptomator/hub/entities/Vault.java

@@ -105,6 +105,12 @@ public class Vault {
 	@Column(name = "archived", nullable = false)
 	private boolean archived;
 
+	@Column(name = "uvf_metadata_file")
+	private String uvfMetadataFile;
+
+	@Column(name = "uvf_jwks")
+	private String uvfKeySet;
+
 	public Optional<ECPublicKey> getAuthenticationPublicKeyOptional() {
 		if (authenticationPublicKey == null) {
 			return Optional.empty();
@@ -230,6 +236,22 @@ public void setArchived(boolean archived) {
 		this.archived = archived;
 	}
 
+	public String getUvfMetadataFile() {
+		return uvfMetadataFile;
+	}
+
+	public void setUvfMetadataFile(String uvfMetadataFile) {
+		this.uvfMetadataFile = uvfMetadataFile;
+	}
+
+	public String getUvfKeySet() {
+		return uvfKeySet;
+	}
+
+	public void setUvfKeySet(String uvfKeySet) {
+		this.uvfKeySet = uvfKeySet;
+	}
+
 	@Override
 	public boolean equals(Object o) {
 		if (this == o) return true;
@@ -240,12 +262,14 @@ public boolean equals(Object o) {
 				&& Objects.equals(salt, vault.salt)
 				&& Objects.equals(iterations, vault.iterations)
 				&& Objects.equals(masterkey, vault.masterkey)
-				&& Objects.equals(archived, vault.archived);
+				&& Objects.equals(archived, vault.archived)
+				&& Objects.equals(uvfMetadataFile, vault.uvfMetadataFile)
+				&& Objects.equals(uvfKeySet, vault.uvfKeySet);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, name, salt, iterations, masterkey, archived);
+		return Objects.hash(id, name, salt, iterations, masterkey, archived, uvfMetadataFile, uvfKeySet);
 	}
 
 	@Override
@@ -255,12 +279,12 @@ public String toString() {
 				", members=" + directMembers.stream().map(Authority::getId).collect(Collectors.joining(", ")) +
 				", accessToken=" + accessTokens.stream().map(a -> a.getId().toString()).collect(Collectors.joining(", ")) +
 				", name='" + name + '\'' +
-				", archived='" + archived + '\'' +
 				", salt='" + salt + '\'' +
 				", iterations='" + iterations + '\'' +
 				", masterkey='" + masterkey + '\'' +
-				", authenticationPublicKey='" + authenticationPublicKey + '\'' +
-				", authenticationPrivateKey='" + authenticationPrivateKey + '\'' +
+				", archived='" + archived + '\'' +
+				", uvfMetadataFile='" + uvfMetadataFile + '\'' +
+				", uvfKeySet='" + uvfKeySet + '\'' +
 				'}';
 	}
 

backend/src/main/resources/org/cryptomator/hub/flyway/V17__UVF_Support.sql

@@ -0,0 +1,2 @@
+ALTER TABLE vault ADD uvf_metadata_file VARCHAR UNIQUE; -- vault.uvf file, encrypted as JWE
+ALTER TABLE vault ADD uvf_jwks VARCHAR UNIQUE; -- encoded as JWKs