yuki / myvault Goto Github PK

Right now the url is like "https://myvault.example.com/#!/secret/foo", and it shows the secret. When showing the secret, there's a "hack" when clicking a link in the TOC ($('div.markdown-toc a').click(function(e)... ) to scroll down to its section.

It's working, but it doesn't change the URL/hash. It should be changed to something like "https://myvault.example.com/#!/secret/foo#section" in order to have "traceability".

This should be done in "hash_changed(event)"

There's a problem when the emoji and table button is clicked. The save button that I append to the icon list dissappears

In order to don't have a variable hardcoded for the Vault URL, we need an input to use for all the Vault requests.

Add in login.html the option to login with a token, not just LDAP authentication

The tree can be a limitation. Because of the size of the tree, it can be counterproductive.

When searching, the tree expands and it's difficult to see what happens.

It's probably better not to show the tree, but maintain it in a hidden way... The navigation of the secrets should be done in a more "folder/file view", like in the computer file navigator

The references of this issue are: #42 and #43

Create a new option in the preferences panel to show/hide the timer.

By default, the timer will show always.

If you go to an URL and you're not logged, don't loose the URL and make the redirect to the first URL

A client should have a policy like "client_XXX" where "XXX" is the name of the client. With this, the DEFAULT_SECRET_PATH should be /secret/client/XXX/

Create alert when the hash changes and the origin path is "&edit=1"

Maybe should be great to take care if the secret has changed or not...

Right now the print option is functional, and when saving into PDF with chrome, all the links works great.

But it can be better... There should be a header, at least, in the first page with myVault "logo" (aka, the name and the lock). In the header, the option to have the URL of the secret?

A custom footer with the page number will be great.

The editor.md has an external plugin to show keyboard shortcuts: https://github.com/pandao/editor.md/blob/master/plugins/help-dialog/help.md

This should be modified to add our custom shortcuts and to remove the chinese parts.

Instead of having an X hours of lifetime, there's a new feature request in how to use the renewal of the token.

The idea is that the expiration of the token to be 15minutes, always, but renew it when there's activity. The renewal time should be for 10 minutes, and only if the there's activity in the last 10 minutes.

If there's no activity, there should be an alert message when the TTL is less than 5 minutes...

This could be an alternative to #39, #40 and #41... And should take care of #36 and #18...

The menu is created after login, and it's not updated until all the page is reloaded. We must force the update of the menu after a secret is created

Before the saved action is made, there must check that the token that we have exists and has permissions to make the action.

If the token doesn't exists --> the login modal wiil appear: #17

If the token has not privileges to save --> show an error.

Improve the secrets-keys-tree getting all the secrets path and creating something like a folder tree.

I have been using https://github.com/jonmiles/bootstrap-treeview but not in the best way.

Add a search input.

Right now, the button to renew the token will appear 5 minutes before the token expiration.

There should be an option to select when we want to show the button: 10, 20 or 30 minutes ?

When clicking a link in the breadcrumb, the tree doesn't show the actual "selected" secret. It doesn't update. It's a minor bug, but not sure how to fix it right now, without reloading entire tree.

Because there is no way to know if a secret is being editing, we must create something to control this.

The idea is to “lock” the secret when someone wants to edit it. When someone clicks on “edit” button, we will lock the secret. To lock it, the best way to do it is to have a “locked_secrets” path or a secret where will be saved the secret that are locked.

If a secret is locked, the edit button Wii be disabled and there should be a message saying that the secret is locked by someone.

To unlock the secret, the person that is editing it, must unlock it. How? A button? That when it’s clicked, it closes the editor page... it could works.

There should be an spinner or shomething that shows the "loading" status during the loading process.

This must be working when logging and when the menu is reloaded as in #13

When adding a secret, the input retains the name. It must be cleared every time it list secrets paths.

Because of the new ideas, instead of making a redirect to /login.html , there should be a new modal where the user can log ing in the web.

This should appear if the user is not logged and it's making an action.

login.html could be dissapear if this is well done

There was a previous version of the web that was all in ajax, but after put the editor, there were some problems. So I put the "/?path=/.." variable in the URL. Try to make the web in more ajax way.

Bug when colapsing the tree appeared in the last commit d49c9b1

Right now, the dafault path is "/secret/", but this should be allowed to be changed by options. So we need to add this option to the modal.

The same for the backup-path.

There should be an option to move/rename a secret. Move to another path, or rename its name

When a secret is moved, move all its backups

When a secret is updated, a backup is created (as #3 shows). There should be an option to go/see a previous version of the secret.

Extra feature, add a diff tool to check differences between them 😄

Create an "auto save" feature when a secret is editing.

It must have a option in preferences to enable/disable auto save.

When a user is logged, it has some policies. There must check those policies and take care of what the user can do in every path it goes.

There should be a very basic admin area in /admin/index.html

Some of the basics features that could be done in the admin area:

• Check Vault status (if sealed, has the option to unseal). https://www.vaultproject.io/api/system/unseal.html
• Create new policies
• Assign policies to LDAP groups
• See all mounts backends ?
  .... ?

After the user clicks in "logout" or a "automatic logout" is made, the token must be revoked. It's more secure.

When we want to create a secret, usually "intro" is used to perform the action to create, as es form... but it isn't... Allow to create the secret when "intro" is pulsed

Right now the token is renewed for 2 hours.

There should be an option to allow the renewal for 1,2 or 3hours?

There could happened that a secret may stay locked (a user reloads the web before unlocks the secret, for example). Because of that, there should be a button to unlock the secret. It's related to #19

The bootstrap-treeview.js is from the repository https://github.com/jonmiles/bootstrap-treeview

Searching the project network: https://github.com/patternfly/patternfly-bootstrap-treeview/network I can see that there are improved forks and more updated than the original. The most updated seems to be:

• https://github.com/aaarghhh/aaarghhh-bootstrap-treeview/tree/master
• https://github.com/patternfly/patternfly-bootstrap-treeview

Make an automatic logout if in X minutes there's no movement in the web.

The "token expiration timer" should start when the user logins, not by default.

When search a secret, there's an option to get the results as seen in http://jonmiles.github.io/bootstrap-treeview/

There must be shown on the main part of the web when the searchComplete event rises. This will help in the secret search.

Right now, all the variables are saved separately.

Should it be improved? Create a uniq variable in a json?

Before make an update for a secret, create a backup in a "/backup" path.

There are some users that want to renew the token. Vault allow this with the "default" policy.

My idea was to block this feature, but hey, who am I to block the user's desires?

But I think that it's better to limit this in some way... Maybe add this feature only for users with "admin" policy, or to everybody but the button only will appear when the TTL is less than 15 minutes.

When the user logouts (or in automatic logout) the login modal appears and the bacground blurs.

The secret still there, and it could be seen hiding the modal with browser's developer tools.

So, before login out action, empty the secret and the tree.

Add "ctrl+s" to save secrets when editing. See #15

When the options gear is pressed, the url-hash changed to "#", and because the "hash_changed" function, the editor or the secret dissapears.

5 minutes before automatic logout there should be a warning message to take care of it.

There should be a message if the automatic logout will happened and before the token will expire.

If you close myVault and came back when the token has expired, the web still appears and you must click on "logout" to see the login-modal

In my stupidity, I have been using "/sys/capabilities" and adding into policies:

path "/sys/capabilities" {
 capabilities = ["update"]
}

when there's a path in the default policy for that, in /sys/capabilities-self.

Change this path, but the most importante thing is to change the documentation in VAULT_config.md

Improve the README.md with all the latest changes. Maybe create a file "VAULT_CONFIG.md" to show how Vault must be config to use myVault (also add examples for policies and LDAP config).

Add an option to delete a secret

Improve the timers. Maybe create a uniq function to rule them all?