Passman 2.2.21

Merge remote-tracking branch 'origin/master' into master16.3

Signed-off-by: Marcos Zuriaga <marcos@wolfi.es>
This commit is contained in:
Marcos Zuriaga 2019-05-12 17:16:48 +00:00
parent e71d870cce
commit d4b711c817
No known key found for this signature in database
GPG key ID: B8AB61E4F218DEE0
9 changed files with 122 additions and 117 deletions

README.md (179 changed lines)
View file

@ -8,28 +8,21 @@ Passman is a full featured password manager.
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nextcloud/passman/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/nextcloud/passman/?branch=master) [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nextcloud/passman/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/nextcloud/passman/?branch=master)
## Join us! ## Join us!
There is a Telegram-Group: Visit the [“Passman General Talk” Telegram Group](https://t.me/passman_general) to participate in all sorts of topical discussions about Passman and its apps!
* [Passman General](https://t.me/passman_general)
Those are mainly used to discuss all sorts of topics for Passman and it's apps!
## Contents ## Contents
* [Screenshots](https://github.com/nextcloud/passman#Screenshots) * [Screenshots](https://github.com/nextcloud/passman#Screenshots)
* [Features](https://github.com/nextcloud/passman#features) * [Features](https://github.com/nextcloud/passman#features)
* [External apps](https://github.com/nextcloud/passman#external-apps) * [External apps](https://github.com/nextcloud/passman#external-apps)
* [Security](https://github.com/nextcloud/passman#security) * [Security](https://github.com/nextcloud/passman#security)
* [Password generation](https://github.com/nextcloud/passman#password-generation) * [Password generation](https://github.com/nextcloud/passman#password-generation)
* [Storing credentials](https://github.com/nextcloud/passman#storing-credentials) * [Storing credentials](https://github.com/nextcloud/passman#storing-credentials)
* [Support passman](https://github.com/nextcloud/passman#support-passman) * [Support passman](https://github.com/nextcloud/passman#support-passman)
* [Development](https://github.com/nextcloud/passman#development) * [Development](https://github.com/nextcloud/passman#development)
* [API](https://github.com/nextcloud/passman#api) * [API](https://github.com/nextcloud/passman#api)
* [Docker](https://github.com/nextcloud/passman#docker) * [Docker](https://github.com/nextcloud/passman#docker)
* [Maintainers](https://github.com/nextcloud/passman#main-developers) * [Maintainers](https://github.com/nextcloud/passman#main-developers)
* [Contributors](https://github.com/nextcloud/passman#contributors) * [Contributors](https://github.com/nextcloud/passman#contributors)
## Screenshots ## Screenshots
![Logged in to vault](http://i.imgur.com/ciShQZg.png) ![Logged in to vault](http://i.imgur.com/ciShQZg.png)
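Review bot: the Contents list on the new side is left as it was, so it still omits several headings that exist further down in this README (Tested on, Database Compatibility, Code reviews, Docker is there but FAQ is not); while the list is being touched, add entries for the missing sections so the anchors stay in sync with the headings.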
@ -42,133 +35,115 @@ Those are mainly used to discuss all sorts of topics for Passman and it's apps!
For more screenshots: [Click here](http://imgur.com/a/giKVt) For more screenshots: [Click here](http://imgur.com/a/giKVt)
## Features: ## Features:
- Vaults * Multiple vaults
- Vault key is never sent to the server * Vault keys are never sent to the server
- Credentials are stored with 256 bit AES (see [security](https://github.com/nextcloud/passman#security)) * 256-bit AES-encrypted credentials (see [security](https://github.com/nextcloud/passman#security))
- Ability to add custom fields to credentials * User-defined custom credentials fields
- Built-in OTP(One Time Password) generator * Built-in OTP (One Time Password) generator
- Password analyzer * Password analyzer
- Share passwords internally and via link in a secure manner. * Securely share passwords internally and via link
- Import from various password managers: * Import from various password managers:
- KeePass - KeePass
- LastPass - LastPass
- DashLane - DashLane
- ZOHO - ZOHO
- Clipperz.is - Clipperz.is
- EnPass - EnPass
- [ocPasswords](https://github.com/fcturner/passwords) - [ocPasswords](https://github.com/fcturner/passwords)
Try a Passman demo [here](https://demo.passman.cc).
For a demo of this app visit [https://demo.passman.cc](https://demo.passman.cc)
## Tested on ## Tested on
- Nextcloud 14 - Nextcloud 14
For older Versions see the [Releases Tab](https://github.com/nextcloud/passman/releases) For older Versions see the [Releases Tab](https://github.com/nextcloud/passman/releases)
## External apps ## External apps
- [Firefox / chrome extension](https://github.com/nextcloud/passman-webextension) * [Firefox / chrome extension](https://github.com/nextcloud/passman-webextension)
- [Android app](https://github.com/nextcloud/passman-android) * [Android app](https://github.com/nextcloud/passman-android)
## Database Compatibility
## Supported databases | | Supported | Tested | Untested |
- SQL Lite* | :--- | :---: | :---: | :---: |
- MySQL / MariaDB* | SQL Lite | • | | |
| MySQL / MariaDB | • | | |
*Tested on travis | travis | | • | |
| pgsql | | | • |
Untested databases:
- pgsql
## Security ## Security
### Password generation ### Password generation
Passman features a build in password generator. Passman can generate passwords *and* measure their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).
Not it only generates passwords, but it also measures their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).
![](http://i.imgur.com/2qVBUfM.png) ![](http://i.imgur.com/2qVBUfM.png)
Generate passwords as you like Generate passwords as you like
![](http://i.imgur.com/jcRicOV.png) ![](http://i.imgur.com/jcRicOV.png)
Passwords are generated using the random functions from `sjcl`. Passwords are generated using `sjcl` randomization.
### Storing credentials ### Storing credentials
All passwords are encrypted client side using [sjcl](https://github.com/bitwiseshiftleft/sjcl) which uses AES-256 bit. All passwords are encrypted client side with [sjcl](https://github.com/bitwiseshiftleft/sjcl) using 256-bit AES.
Users supply a vault key which is feed into sjcl as encryption key. You supply a vault key which sjcl uses to encrypt your credentials. Your encrypted credentials are then sent to the server and encrypted yet again using the following routine:
After the credentials are encrypted they are send to the server, there they will be encrypted again. * A key is generated using `passwordsalt` and `secret` from config.php *(so back those up)*.
This time using the following routine: * The key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2).
- A key is generated using `passwordsalt` and `secret` from config.php *so back those up* * [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used to ensure encrypted data authenticity.
- Then the key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2). * Uses openssl with the `aes-256-cbc` cipher.
- [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used for ensuring the authenticity of the encrypted data. * [Initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden.
- Uses openssl with the `aes-256-cbc` ciper. * [Double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for source data verification.
- [Initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden
- [Double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for verification of the source data.
### Sharing credentials
### Sharing credentials. Passman allows users to share passwords. *(Administrators may disable this feature.)*
Passman allows users to share passwords (this can be turned off by an administrator).
## API ## API
For developers Passman offers an [api](https://github.com/nextcloud/passman/wiki/API). Passman offers a [developer API](https://github.com/nextcloud/passman/wiki/API).
## Support Passman ## Support Passman
Passman is open source, and we would gladly accept a beer (or pizza!) Passman is open source but well gladly accept a beer *or pizza!* Please consider donating:
Please consider donating * [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2)
- [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2) * [Patreon](https://www.patreon.com/user?u=4833592)
- [Patreon](https://www.patreon.com/user?u=4833592) * [Flattr](https://flattr.com/@passman)
- [Flattr](https://flattr.com/@passman) * bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe
- bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe
## Code reviews ## Code reviews
If you have any improvements regarding our code. If you have any code improvements:
Please do the following * Clone us
- Clone us * Make your edits
- Make your edits * Add your name to the contributors
- Add your name to the contributors * Send a [PR](https://github.com/nextcloud/passman/pulls)
- Send a [PR](https://github.com/nextcloud/passman/pulls)
Or if you're feeling lazy, create an issue, and we'll think about it. Or, if youre feeling lazy, create an issue and well think about it.
## Docker ## Docker
To run Passman with [Docker](https://www.docker.com/) you can use our test docker image. To run Passman with [Docker](https://www.docker.com/), use our test Docker image. Supply your own self-signed SSL certs or use [Lets Encrypt](https://letsencrypt.org/). Please note: The Docker image is for _testing *only*_ as database user / password are hardcoded.
You have to supply your own SSL certs, self signed or Let's encrypt it doesn't matter.
Please note that the docker is only for testing purposes, as database user / password are hardcoded.
If you like to spiece up our docker image and make it a full fledged secure, production ready install, you're welcome to do so. If youd like to *spice up* our Passman Docker image into a full-fledged, production-ready install, youre welcome to do so. Please note:
Please note that: * Port 80 and 443 are used
- Port 80 and 443 are used * SSL is enabled (or disabled if no certs are found)
- SSL is enabled (or disabled if certs not found) * Container startup time must be less than 15 seconds
- Startup time of container must be less than 15 seconds
Example: Example:
``` ```
docker run -p 8080:80 -p 8443:443 -v /directory/cert.pem:/data/ssl/cert.pem -v /directory/cert.key:/data/ssl/cert.key brantje/passman docker run -p 8080:80 -p 8443:443 -v /directory/cert.pem:/data/ssl/cert.pem -v /directory/cert.key:/data/ssl/cert.key brantje/passman
``` ```
If you want a production ready container you can use the [Nextcloud docker](https://hub.docker.com/_/nextcloud/), and install passman as an app. If you want a production-ready container, use the [Nextcloud Docker](https://hub.docker.com/_/nextcloud/) and install Passman as an app.
## Development ## Development
Passman uses a single `.js` file for the templates. This gives the benefit that we don't need to request every template with XHR. * Passman uses a single `.js` file for templates which minimizes XHR template requests.
For CSS we use SASS so you need ruby and sass installed. * CSS uses SASS, so Ruby and SASS must be installed.
`templates.js` and the CSS are built with `grunt`. * `templates.js` and the CSS are built with `grunt`.
To watch for changes use `grunt watch` * Watch for changes using `grunt watch`.
To run the unit tests install phpunit globally, and setup the environment variables on the `launch_phpunit.sh` script then just run that script, any arguments passed to this script will be forwarded to phpunit. * Run unit tests — Install phpunit globally, setup environment variables in the `launch_phpunit.sh` script, and run the script. All arguments passed to `launch_phpunit.sh` are forwarded to phpunit.
## Main developers ## Main developers
- Brantje * Brantje
- Animalillo * Animalillo
## Contributors ## Contributors
Add yours when creating a [pull request](https://help.github.com/articles/creating-a-pull-request/)! Add yours when creating a [pull request](https://help.github.com/articles/creating-a-pull-request/)!
- Newhinton * Newhinton
## FAQ ## FAQ
**Are you adding something to check if malicious code is executing on the browser?** **Are you adding something to check if malicious code is executing on the browser?**
No, because malicious code could edit the functions that check for malicious code. No, because malicious code can edit functions that check for malicious code.
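Review bot: the new Database Compatibility table lists `travis` in the database column as though it were a database, and marks SQLite and MySQL/MariaDB as Supported but not Tested, whereas the old wording said precisely those two are tested on Travis; drop the `travis` row, tick the Tested column for SQLite and MySQL/MariaDB, and spell it `SQLite`. Two smaller points in the same hunk: the sentence "Initialization vector (IV) is hidden" is carried over unchanged but is unclear, since a CBC IV must be unique and unpredictable rather than secret, so say what is actually done with it (for example that it is stored alongside the ciphertext and covered by the HMAC); and the Features list says nothing about the compromised-credential flag this commit introduces, while "Tested on" still stops at Nextcloud 14 although info.xml in this same commit now allows 16.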

View file

@ -229,6 +229,10 @@
<type>boolean</type> <type>boolean</type>
<default>false</default> <default>false</default>
</field> </field>
<field>
<name>compromised</name>
<type>clob</type>
</field>
<field> <field>
<name>shared_key</name> <name>shared_key</name>
<type>clob</type> <type>clob</type>
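Review bot: `compromised` is declared as `clob` here, but the Credential entity in this commit documents it as `bool` (`setCompromised(bool $value)`), and the field directly above shows the pattern for a flag: `<type>boolean</type>` with `<default>false</default>`. Use that, and add the default: without one, rows that exist before the migration come back as NULL, which the mapper then passes straight into setCompromised().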

View file

@ -42,8 +42,8 @@ For an demo of this app visit [https://demo.passman.cc](https://demo.passman.cc)
<database>pgsql</database> <database>pgsql</database>
<database min-version="5.5">mysql</database> <database min-version="5.5">mysql</database>
<lib>openssl</lib> <lib>openssl</lib>
<nextcloud min-version="14" max-version="15"/> <nextcloud min-version="14" max-version="16"/>
<owncloud min-version="14" max-version="15"/> <owncloud min-version="14" max-version="16"/>
</dependencies> </dependencies>
<background-jobs> <background-jobs>
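Review bot: max-version is raised to 16 for both the nextcloud and owncloud entries, yet the README in this same commit still reads "Tested on: Nextcloud 14". Either extend that list or state that 15 and 16 are permitted but untested, so operators know what the compatibility claim rests on.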

View file

@ -70,7 +70,7 @@ class CredentialController extends ApiController {
$credential_id, $custom_fields, $delete_time, $credential_id, $custom_fields, $delete_time,
$description, $email, $expire_time, $favicon, $files, $guid, $description, $email, $expire_time, $favicon, $files, $guid,
$hidden, $label, $otp, $password, $renew_interval, $hidden, $label, $otp, $password, $renew_interval,
$tags, $url, $username, $vault_id) { $tags, $url, $username, $vault_id, $compromised) {
$credential = array( $credential = array(
'credential_id' => $credential_id, 'credential_id' => $credential_id,
'guid' => $guid, 'guid' => $guid,
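Review bot: `$compromised` is appended to create() without a default, so the existing clients listed in the README (web extension, Android app) that do not send it will get whatever the framework substitutes for a missing parameter. Declare it as `$compromised = false` so a credential is never created with a null or string-valued flag.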
@ -93,6 +93,7 @@ class CredentialController extends ApiController {
'custom_fields' => $custom_fields, 'custom_fields' => $custom_fields,
'otp' => $otp, 'otp' => $otp,
'hidden' => $hidden, 'hidden' => $hidden,
'compromised' => $compromised
); );
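Review bot: the value goes into the array exactly as received from the request; cast it with `(bool) $compromised` here, since the entity documents the field as bool and the schema change in this commit declares the column as clob, which already leaves three types in play for one flag.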
@ -125,7 +126,7 @@ class CredentialController extends ApiController {
$credential_id, $custom_fields, $delete_time, $credential_guid, $credential_id, $custom_fields, $delete_time, $credential_guid,
$description, $email, $expire_time, $icon, $files, $guid, $description, $email, $expire_time, $icon, $files, $guid,
$hidden, $label, $otp, $password, $renew_interval, $hidden, $label, $otp, $password, $renew_interval,
$tags, $url, $username, $vault_id, $revision_created, $shared_key, $acl, $unshare_action, $set_share_key, $skip_revision) { $tags, $url, $username, $vault_id, $revision_created, $shared_key, $acl, $unshare_action, $set_share_key, $skip_revision, $compromised) {
$storedCredential = $this->credentialService->getCredentialByGUID($credential_guid); $storedCredential = $this->credentialService->getCredentialByGUID($credential_guid);
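Review bot: `$compromised` is added as the last parameter of an already very long update() signature, with no default; a client build that does not know the field will overwrite the stored flag on every save. Default it to null and, when it is null, fall back to `$storedCredential->getCompromised()` so an unaware client cannot silently clear a warning.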
@ -151,7 +152,8 @@ class CredentialController extends ApiController {
'delete_time' => $delete_time, 'delete_time' => $delete_time,
'hidden' => $hidden, 'hidden' => $hidden,
'otp' => $otp, 'otp' => $otp,
'user_id' => $storedCredential->getUserId() 'user_id' => $storedCredential->getUserId(),
'compromised' => $compromised
); );
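Review bot: the translation string added in this commit tells the user the warning can only be removed by changing the password, but nothing here enforces that: `'compromised' => $compromised` takes the client's value verbatim, so any update request can clear the flag without touching the password. Enforce it server-side: if `$storedCredential->getCompromised()` is true and the submitted `$password` is identical to the stored one, keep the flag set regardless of what the client sent. Because passwords are encrypted client-side, the server can only compare ciphertexts, but that still prevents a save with an unchanged password from removing the warning.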

View file

@ -420,6 +420,24 @@ class TranslationController extends ApiController {
'share.page.link_loading' => $this->trans->t('Loading…'), 'share.page.link_loading' => $this->trans->t('Loading…'),
'expired.share' => $this->trans->t('Awwhh… credential not found. Maybe it expired'), 'expired.share' => $this->trans->t('Awwhh… credential not found. Maybe it expired'),
//compromised credentials
'compromised.label' => $this->trans->t('Compromise!'),
'compromised.warning.list' => $this->trans->t('Compromised!'),
'compromised.warning' => $this->trans->t('This password is compromised. You can only remove this warning with changing the password.'),
//searchboxexpanderservice
'search.settings.input.label' => $this->trans->t('Label'),
'search.settings.input.username' => $this->trans->t('Username'),
'search.settings.input.email' => $this->trans->t('email'),
'search.settings.input.custom_fields' => $this->trans->t('Custom Fields'),
'search.settings.input.password' => $this->trans->t('Password'),
'search.settings.input.description' => $this->trans->t('Description'),
'search.settings.input.url' => $this->trans->t('Url'),
'search.settings.title' => $this->trans->t('Custom Search:'),
'search.settings.defaults_button' => $this->trans->t('Revert to defaults'),
); );
return new JSONResponse($translations); return new JSONResponse($translations);
} }
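Review bot: 'compromised.label' reads "Compromise!" while 'compromised.warning.list' reads "Compromised!"; the first looks like a typo. In 'compromised.warning', "with changing the password" should be "by changing the password". The new search labels are inconsistently cased ("email" next to "Username", "Url" where "URL" is usual); translators reproduce whatever the source string says, so fix these before they propagate into every language file.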

css/passman.min.css (vendored, 4 changed lines)

File diff suppressed because one or more lines are too long

js/passman.min.js (vendored, 16 changed lines)

File diff suppressed because one or more lines are too long

View file

@ -70,6 +70,8 @@ use \OCP\AppFramework\Db\Entity;
* @method string getHidden() * @method string getHidden()
* @method void setSharedKey(string $value) * @method void setSharedKey(string $value)
* @method string getSharedKey() * @method string getSharedKey()
* @method void setCompromised(bool $value)
* @method bool getCompromised()
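Review bot: the docblock types the accessors as `setCompromised(bool $value)` and `bool getCompromised()`, but the database.xml change in this commit declares the column as clob; pick one. If this is a boolean flag, the schema type should be boolean with a default of false.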
@ -101,6 +103,7 @@ class Credential extends Entity implements \JsonSerializable{
protected $otp; protected $otp;
protected $hidden; protected $hidden;
protected $sharedKey; protected $sharedKey;
protected $compromised;
public function __construct() { public function __construct() {
// add types in constructor // add types in constructor
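Review bot: `protected $compromised` is added right above the constructor whose comment says "add types in constructor", but no `addType('compromised', 'boolean')` call appears anywhere in this diff. Without it the entity will not cast the column value, and getCompromised() will return whatever the driver hands back (a string or null) despite the `bool` docblock.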
@ -142,6 +145,7 @@ class Credential extends Entity implements \JsonSerializable{
'otp' => $this->getOtp(), 'otp' => $this->getOtp(),
'hidden' => $this->getHidden(), 'hidden' => $this->getHidden(),
'shared_key' => $this->getSharedKey(), 'shared_key' => $this->getSharedKey(),
'compromised' => $this->getCompromised()
]; ];
} }
} }

View file

@ -138,6 +138,7 @@ class CredentialMapper extends Mapper {
$credential->setCustomFields($raw_credential['custom_fields']); $credential->setCustomFields($raw_credential['custom_fields']);
$credential->setOtp($raw_credential['otp']); $credential->setOtp($raw_credential['otp']);
$credential->setHidden($raw_credential['hidden']); $credential->setHidden($raw_credential['hidden']);
$credential->setCompromised($raw_credential['compromised']);
if (isset($raw_credential['shared_key'])) { if (isset($raw_credential['shared_key'])) {
$credential->setSharedKey($raw_credential['shared_key']); $credential->setSharedKey($raw_credential['shared_key']);
} }
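Review bot: `$raw_credential['compromised']` is read unconditionally, while the neighbouring `shared_key` is guarded with isset(); a request or row without the key (an older client, or a row from before the schema change) raises an undefined-index notice and stores null. Use `isset($raw_credential['compromised']) ? (bool) $raw_credential['compromised'] : false`.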
@ -177,6 +178,7 @@ class CredentialMapper extends Mapper {
$credential->setOtp($raw_credential['otp']); $credential->setOtp($raw_credential['otp']);
$credential->setHidden($raw_credential['hidden']); $credential->setHidden($raw_credential['hidden']);
$credential->setDeleteTime($raw_credential['delete_time']); $credential->setDeleteTime($raw_credential['delete_time']);
$credential->setCompromised($raw_credential['compromised']);
if (isset($raw_credential['shared_key'])) { if (isset($raw_credential['shared_key'])) {
$credential->setSharedKey($raw_credential['shared_key']); $credential->setSharedKey($raw_credential['shared_key']);
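Review bot: in this update path too, `compromised` is accessed without the isset() guard that `shared_key` gets two lines below. Default it to false when the key is absent so an update from a client that does not know the field neither emits a notice nor writes null over the existing flag.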