Enhancements

.gitignore

@@ -1,3 +1,6 @@
 node_modules
 node_debug.log
 /dist
+**.DS_Store
+/build
+/release

LICENSE → LICENSE.md

@@ -1,4 +1,4 @@
-Copyright (c) 2016 Jacob Crowther
+Copyright (c) 2017 Jacob Crowther
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

README.md

@@ -1,38 +1,101 @@
 # Cryptr
-Cryptr is a secret store GUI built for secrets managed by SaltStack's [GPG renderer](https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html). Using Salt's gpg renderer, you can securely save passwords, certificates, or other secrets on the salt master, where minions may request them as needed. This repo houses the front-end GUI to integrate with cryptr-server, which runs on a salt-master housing salt gpg-encrypted passwords. Using Cryptr, a user may easily interact with the secrets in the saltstore, including reading and (eventually) modifying secrets easily.
+Cryptr is a GUI for [Hashicorp's Vault](https://www.vaultproject.io/).
+
+Using Cryptr, a user may easily interact with their Vault instance's API, reading, creating, and modifying secrets with ease.
 
 ![alt text](app/images/cryptr-demo.png "Cryptr")
 
-Download Binaries
------------------
+## Download Binaries
+
+Current release can be [downloaded here](https://github.com/jcrowthe/cryptr/releases).
+Cryptr supports Windows, Linux and Mac OS. It has been tested on Windows 10, Ubuntu 16.04 Desktop, and macOS 10.12 Sierra.
+
+
+## Building from Source
+
+```
+git clone https://github.com/jcrowthe/cryptr.git
+cd cryptr
+npm install
+npm run dev
+```
+
+
+## License
+
+MIT License.
+
+
+## HTTPS
+
+Cryptr will ONLY access Vault servers enabled with HTTPS.
+These are your secrets. Don't be stupid.
+
 
-Current release can be [downloaded from here](https://github.com/jcrowthe/cryptr/releases).
-Cryptr supports Windows, Linux and Mac OS. It has been tested on Windows 10, Ubuntu 14.04 Desktop, and Mac OS 10.10 Yosemite.
+## Auth backends
 
-On first run, Cryptr prompts you for the url of cryptr-server. If you haven't already set it up, you may do so [here](https://github.com/jcrowthe/cryptr-server.git).
+Currently LDAP, UserPass and Token auth backends are accepted. Most others are not useful for a GUI, but if you feel otherwise, submit a pull request.
 
 
-Status
-------
+# Important Notes about Policies
 
-Currently Cryptr only allows read-only access to the salt secret storage. Write access is in progress.
+## Secret Discovery
 
+Cryptr requires the policies associated with the token to be readable by the token. The purpose for this is to discover what secrets are available to the token. An example ACL for policy found at `sys/policy/allsecrets` would be as follows:
 
-Building from Source
------------------
 
 ```
-git clone https://github.com/jcrowthe/cryptr.git
-npm install
-npm run build
+path "secret/mysecrets/*" {
+ policy = "write"
+}
+
+path "sys/policy/allsecrets" {
+ policy = "read"
+}
 ```
 
-This will run the npm 'build' script, which runs electron-packager. It will create a binary application for all distributions (Win/Mac/Linux) for both x32 and amd64. See electron-packager documentation for more info. Binaries are found in /dist.
+Only the permission to `read` is advised. **NOTE: This policy addition is _critical_ to discovering available secrets.** Without this, there is no programatic way for Cryptr to know what secrets it should show the user. (Also, for that matter, there is no way for a human using the CLI to discover secrets either except for blinding attempting to `list` potential folders) As such, it is **highly** recommended to do this for all policies. All policies without this ability must, and will, be ignored by Cryptr.
 
-NOTE: If building for the Windows platform on a non-windows machine, you will [need](https://www.npmjs.com/package/electron-packager#building-windows-apps-from-non-windows-platforms) to install Wine and node-rcedit. This is due to the custom app icon.
+## Wildcards and Secret Discovery
 
+Wildcards in path names are supported. However, there is a caveat that is best described with an example. Take the following policy as an example, understanding it being the only policy applied in this example:
 
-License
--------
+```
+path "secret/myteam*" {
+ policy = "write"
+}
+```
 
-MIT License.
+With this policy, a user may create secrets such as `secret/myteam-keys` or `secret/myteam/certs`. This is absolutely accepted in Vault, however without an additional policy, neither Cryptr nor a human being on the CLI will be able to *discover* any of these secrets. This is because there is no containing folder upon which to execute a `list` command. The natural next step, then, would be to make an addition to the policy, as follows:
+
+```
+path "secret/myteam*" {
+ policy = "write"
+}
+
+path "secret/*" {
+ policy = "list"
+}
+```
+
+But this is _not_ recommended for multiple reasons (the above being one obvious reason). Noted [here](https://www.vaultproject.io/docs/concepts/policies.html#list), `list` command outputs are not filtered by policy. This means all secrets found at `secret/*` will be listed, regardless if the token has rights to use any of them.
+
+As such, the recommended procedure for using wildcards in policies is to not use prefixes and suffixes in the path. ie:
+
+```
+#GOOD
+path "secret/myteam/*" {
+ policy = "write"
+}
+
+#BAD
+path "secret/group*" {
+ policy = "write"
+}
+
+#BAD
+path "secret/*group" {
+ policy = "write"
+}
+
+```

app/bower.json

@@ -0,0 +1,25 @@
+{
+ "name": "Cryptr",
+ "homepage": "https://github.com/jcrowthe/cryptr",
+ "authors": [
+ "Jacob Crowther <[email protected]>"
+ ],
+ "description": "A GUI for Vault",
+ "main": "main.js",
+ "license": "MIT",
+ "private": true,
+ "ignore": [
+ "**/.*",
+ "node_modules",
+ "bower_components",
+ "test",
+ "tests"
+ ],
+ "dependencies": {
+ "iron-elements": "PolymerElements/iron-elements#^1.0.10",
+ "paper-elements": "PolymerElements/paper-elements#^1.0.7",
+ "neon-elements": "PolymerElements/neon-elements#^1.0.0",
+ "vaadin-grid": "^1.2.0",
+ "page": "visionmedia/page.js#^1.7.1"
+ }
+}