
Class: Org

org.Org

Organizations are the central component of Padloc's secure data sharing architecture.

All shared Vaults are provisioned and managed in the context of an organization, while the Org class itself is responsible for managing, signing and verifying public keys, identities and privileges for all of its members.

Vaults can be assigned to members directly or indirectly through Groups. In both cases, the access can be declared readonly.

Before being added to an organization, members need to go through a key exchange procedure designed to allow verification of organization and member details by both parties. See the Invite class for details.

The privateKey and invitesKey properties are considered secret and are only accessible to members with the OrgRole.Owner role. To protect this information from unauthorized access, Org extends the SharedContainer class, which encrypts this data at rest.

Organization Structure

┌──────────────┐            ┌──────────────┐            ┌──────────────┐
│              │           ╱│              │╲           │              │
│   Account    │┼─────────○─│  Membership  │──┼────────┼│ Organization │
│              │           ╲│              │╱           │              │
└──────────────┘            └───┬──────┬───┘            └──────────────┘
                               ╲│╱    ╲│╱                       ┼
                                ○      ○                        ○
                                │      │                       ╱│╲
                                │      │                ┌──────────────┐
                                │      │               ╱│              │
                                │      └──────────────○─│    Group     │
                                │                      ╲│              │
                                ○                       └──────────────┘
                               ╱│╲                             ╲│╱
                        ┌──────────────┐                        ○
                        │              │╲                       │
                        │ Shared Vault │─○──────────────────────┘
                        │              │╱
                        └──────────────┘

Hierarchy

SharedContainer

  ↳ Org

Implements

Storable

Constructors

constructor

new Org()

Inherited from

SharedContainer.constructor

Properties

_key

Protected Optional _key: Uint8Array

The key used for encryption. Sub classes must set this property in the unlock method.

Inherited from

SharedContainer._key

Defined in

core/src/container.ts:33


_propertySerializationOptions

_propertySerializationOptions: SerializationOptions[]

Implementation of

Storable._propertySerializationOptions

Inherited from

SharedContainer._propertySerializationOptions

Defined in

core/src/encoding.ts:163


accessors

accessors: Accessor[] = []

The ids and encrypted keys of all accessors

Inherited from

SharedContainer.accessors

Defined in

core/src/container.ts:159


created

created: Date

Creation date

Defined in

core/src/org.ts:240


directory

directory: OrgDirectorySettings

Defined in

core/src/org.ts:302


encryptedData

Optional encryptedData: Uint8Array

Encrypted data

Inherited from

SharedContainer.encryptedData

Defined in

core/src/container.ts:28


encryptionParams

encryptionParams: AESEncryptionParams

Parameters used for encryption of content data

Inherited from

SharedContainer.encryptionParams

Defined in

core/src/container.ts:24


groups

groups: Group[] = []

This organization's Groups.

Defined in

core/src/org.ts:292


id

id: string = ""

Unique identifier

Implementation of

Storable.id

Defined in

core/src/org.ts:233


invites

invites: Invite[] = []

Pending Invites

Defined in

core/src/org.ts:299


invitesKey

Optional invitesKey: Uint8Array

AES key used as encryption key for Invites

secret IMPORTANT: This property is considered secret and should never be stored or transmitted in plain text.

Defined in

core/src/org.ts:268


keyParams

keyParams: RSAEncryptionParams

Parameters used to wrap the shared encryption key

Inherited from

SharedContainer.keyParams

Defined in

core/src/container.ts:155


members

members: OrgMember[] = []

Array of organization members

Defined in

core/src/org.ts:288


minMemberUpdated

minMemberUpdated: Date

Minimum accepted update time for organization members. Any member with an OrgMember.updated value lower than this should be considered invalid.

In order to prevent an attacker from rolling back this value, all clients should verify that an updated organization object always has an Org.minMemberUpdated value equal to or higher than the previous one.

Defined in

core/src/org.ts:280
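The two checks the minMemberUpdated documentation asks clients to perform, written out as an added example (this is not Padloc's own code). The OrgLike and MemberLike shapes are a reduced, assumed stand-in for Org and OrgMember, and the sample organizations are constructed for the walkthrough:

```typescript
// Added example, not Padloc's own code: client-side handling of minMemberUpdated.
// OrgLike / MemberLike are assumed, reduced stand-ins for Org / OrgMember.

interface MemberLike {
  email: string;
  updated: Date;
}

interface OrgLike {
  id: string;
  revision: string;
  minMemberUpdated: Date;
  members: MemberLike[];
}

// Members whose `updated` timestamp is older than the organization's
// minMemberUpdated must be treated as invalid (for example a stale copy of a
// member entry that has since been removed or re-signed).
export function validMembers(org: OrgLike): MemberLike[] {
  return org.members.filter((m) => m.updated.getTime() >= org.minMemberUpdated.getTime());
}

// Accept an incoming organization object only if it does not roll
// minMemberUpdated backwards relative to the copy the client already holds.
// Returns the members the client may trust from the accepted object, or throws.
export function acceptOrgUpdate(previous: OrgLike | null, incoming: OrgLike): MemberLike[] {
  if (previous && previous.id !== incoming.id) {
    throw new Error("organization id mismatch");
  }
  if (previous && incoming.minMemberUpdated.getTime() < previous.minMemberUpdated.getTime()) {
    throw new Error(
      `rejected org ${incoming.id}: minMemberUpdated rolled back from ` +
        `${previous.minMemberUpdated.toISOString()} to ${incoming.minMemberUpdated.toISOString()}`
    );
  }
  return validMembers(incoming);
}

// Constructed sample data: the copy the client currently holds.
export const storedOrg: OrgLike = {
  id: "org-1", // constructed id
  revision: "r2",
  minMemberUpdated: new Date("2024-03-01T00:00:00Z"),
  members: [
    { email: "alice@example.com", updated: new Date("2024-03-05T00:00:00Z") },
    { email: "bob@example.com", updated: new Date("2024-03-02T00:00:00Z") },
  ],
};

// A legitimate update: the floor moved forward, alice was re-signed, and a
// stale copy of bob's entry (older than the new floor) is still present.
export const newerOrg: OrgLike = {
  ...storedOrg,
  revision: "r3",
  minMemberUpdated: new Date("2024-03-10T00:00:00Z"),
  members: [
    { email: "alice@example.com", updated: new Date("2024-03-10T00:00:00Z") },
    { email: "bob@example.com", updated: new Date("2024-03-02T00:00:00Z") },
  ],
};

// An old copy of the organization served again, with a lower floor.
export const rolledBackOrg: OrgLike = {
  ...storedOrg,
  revision: "r1",
  minMemberUpdated: new Date("2024-02-01T00:00:00Z"),
};

// Emails the client would trust after applying an update, or "rejected"
// when the anti-rollback check fails.
export function applyUpdate(previous: OrgLike, incoming: OrgLike): string[] | "rejected" {
  try {
    return acceptOrgUpdate(previous, incoming).map((m) => m.email);
  } catch {
    return "rejected";
  }
}
```

The rollback check compares against the copy the client already has, so it only helps once a client has seen at least one genuine version; the per-member filter still applies on the first sync.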


name

name: string = ""

Organization name

Defined in

core/src/org.ts:236


privateKey

Optional privateKey: Uint8Array

Private key used for signing member details

secret IMPORTANT: This property is considered secret and should never be stored or transmitted in plain text.

Defined in

core/src/org.ts:258


publicKey

Optional publicKey: Uint8Array

Public key used for verifying member signatures

Defined in

core/src/org.ts:248


revision

revision: string = ""

Revision id used for ensuring continuity when synchronizing the account object between client and server

Defined in

core/src/org.ts:308


signingParams

signingParams: RSASigningParams

Parameters for creating member signatures

Defined in

core/src/org.ts:284


updated

updated: Date

Last updated

Defined in

core/src/org.ts:244


vaults

vaults: { id: string ; name: string ; revision?: string }[] = []

Shared Vaults owned by this organization

Defined in

core/src/org.ts:295

Accessors

info

get info(): OrgInfo

Returns

OrgInfo

Defined in

core/src/org.ts:315


kind

get kind(): string

A string representing the object's "type", useful for segmenting storage, among other things. Defaults to the lowercase class name, but can be overwritten by subclasses.

Returns

string

Implementation of

Storable.kind

Inherited from

SharedContainer.kind

Defined in

core/src/encoding.ts:159


owner

get owner(): undefined | OrgMember

Account which created this organization

Returns

undefined | OrgMember

Defined in

core/src/org.ts:311

Methods

_fromRaw

Protected _fromRaw(raw): void

Restore values from a raw object. The default implementation simply copies over all iterable properties from the base object. Overwrite this method for properties that require special treatment.

Parameters

Name Type
raw any

Returns

void

Implementation of

Storable._fromRaw

Inherited from

SharedContainer._fromRaw

Defined in

core/src/encoding.ts:286


_toRaw

Protected _toRaw(version): any

Transform this object into a raw JavaScript object used for serialization. The default implementation simply copies all iterable properties not included in the [[exclude]] array and calls toRaw on any properties that are themselves instances of Serializable. This method should be overwritten by subclasses if certain properties require special treatment.

Parameters

Name Type
version undefined | string

Returns

any

Implementation of

Storable._toRaw

Inherited from

SharedContainer._toRaw

Defined in

core/src/encoding.ts:257


addOrUpdateMember

addOrUpdateMember(__namedParameters): Promise<void>

Adds a member to the organization, or updates the existing member with the same id.

Parameters

Name Type
__namedParameters Object
__namedParameters.accountId? string
__namedParameters.email string
__namedParameters.name string
__namedParameters.orgSignature? Uint8Array
__namedParameters.publicKey? Uint8Array
__namedParameters.role? OrgRole
__namedParameters.status? OrgMemberStatus

Returns

Promise<void>

Defined in

core/src/org.ts:616


canRead

canRead(vault, account): undefined | boolean

Check whether the given account has read access to a vault

Parameters

Name Type
vault Object
vault.id string
account Object
account.email string

Returns

undefined | boolean

Defined in

core/src/org.ts:426


canWrite

canWrite(vault, acc): undefined | boolean

Check whether the given account has write access to a vault

Parameters

Name Type
vault Object
vault.id string
acc Object
acc.email string

Returns

undefined | boolean

Defined in

core/src/org.ts:436


clone

clone(): Org

Creates a deep clone of the object

Returns

Org

Implementation of

Storable.clone

Inherited from

SharedContainer.clone

Defined in

core/src/container.ts:85


fromBytes

fromBytes(bytes): Org

Deserializes the object from a byte array

Parameters

Name Type
bytes Uint8Array

Returns

Org

Implementation of

Storable.fromBytes

Inherited from

SharedContainer.fromBytes

Defined in

core/src/encoding.ts:237


fromJSON

fromJSON(json): Org

Deserializes the object from a JSON string

Parameters

Name Type
json string

Returns

Org

Implementation of

Storable.fromJSON

Inherited from

SharedContainer.fromJSON

Defined in

core/src/encoding.ts:223


fromRaw

fromRaw(raw): Org

Restores properties from a raw object of the same form generated by toRaw. The base implementation blindly copies over values from the raw object via Object.assign, so subclasses should explicitly process any properties that need special treatment.

Also takes care of validation and "upgrading" in case the raw object has an old version. Use the protected _fromRaw method to implement subclass-specific behavior.

Parameters

Name Type
raw any

Returns

Org

Implementation of

Storable.fromRaw

Inherited from

SharedContainer.fromRaw

Defined in

core/src/encoding.ts:196


generateKeys

generateKeys(): Promise<void>

Generates a new publicKey, privateKey and invitesKey and encrypts the latter two

Returns

Promise<void>

Defined in

core/src/org.ts:496


getAccessors

getAccessors(vault): ActiveOrgMember[]

Get all members that have access to a given vault, either directly or through a Group

Parameters

Name Type
vault Vault

Returns

ActiveOrgMember[]

Defined in

core/src/org.ts:391


getData

getData(): Promise<Uint8Array>

Decrypts and extracts the plain text data from the container. This will usually require unlocking the container first.

Returns

Promise<Uint8Array>

Inherited from

SharedContainer.getData

Defined in

core/src/container.ts:61


getGroup

getGroup(name): undefined | Group

Get group with the given name

Parameters

Name Type
name string

Returns

undefined | Group

Defined in

core/src/org.ts:355


getGroupsForMember

getGroupsForMember(__namedParameters): Group[]

Get all Groups the given Account is a member of

Parameters

Name Type
__namedParameters Object
__namedParameters.email string

Returns

Group[]

Defined in

core/src/org.ts:370


getGroupsForVault

getGroupsForVault(__namedParameters): Group[]

Get all groups assigned to a given Vault

Parameters

Name Type
__namedParameters Object
__namedParameters.id string

Returns

Group[]

Defined in

core/src/org.ts:375


getInvite

getInvite(id): undefined | Invite

Get the invite with the given id

Parameters

Name Type
id string

Returns

undefined | Invite

Defined in

core/src/org.ts:449


getMember

getMember(__namedParameters): undefined | OrgMember

Get the OrgMember object for this Account

Parameters

Name Type
__namedParameters { accountId?: string ; email: string } | { accountId: string ; email?: string }

Returns

undefined | OrgMember

Defined in

core/src/org.ts:345


getMembersForGroup

getMembersForGroup(group): OrgMember[]

Get all members of a given group

Parameters

Name Type
group Group

Returns

OrgMember[]

Defined in

core/src/org.ts:360


getMembersForVault

getMembersForVault(__namedParameters): ActiveOrgMember[]

Get all members directly assigned to a given Vault

Parameters

Name Type
__namedParameters Object
__namedParameters.id string

Returns

ActiveOrgMember[]

Defined in

core/src/org.ts:380


getVaultsForMember

getVaultsForMember(acc): { id: string ; name: string ; revision?: string }[]

Get all vaults the given member has access to

Parameters

Name Type
acc Object
acc.email string

Returns

{ id: string ; name: string ; revision?: string }[]

Defined in

core/src/org.ts:407
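An added example (not Padloc's own code) of the access resolution that canRead, canWrite, getAccessors and getVaultsForMember describe: a vault reaches a member either through a direct assignment or through a Group, suspended members get nothing, and a readonly assignment grants read but not write. The field names, the OrgModel shape and the rule that write access needs at least one non-readonly assignment are assumptions for this illustration; the sample organization is constructed.

```typescript
// Added example, not Padloc's own code. OrgModel, Member and Group are
// assumed, reduced stand-ins for Org, OrgMember and Group.

type Role = "owner" | "admin" | "member";
type Status = "active" | "suspended";

interface VaultAssignment {
  id: string;
  readonly: boolean;
}

interface Member {
  email: string;
  role: Role;
  status: Status;
  vaults: VaultAssignment[]; // direct assignments
}

interface Group {
  name: string;
  members: { email: string }[];
  vaults: VaultAssignment[]; // assignments granted to every group member
}

interface OrgModel {
  vaults: { id: string; name: string }[];
  members: Member[];
  groups: Group[];
}

export function getMember(org: OrgModel, acc: { email: string }): Member | undefined {
  return org.members.filter((m) => m.email === acc.email)[0];
}

export function getGroupsForMember(org: OrgModel, acc: { email: string }): Group[] {
  return org.groups.filter((g) => g.members.some((m) => m.email === acc.email));
}

// Every assignment that reaches the member for one vault, direct or via groups.
// A suspended (or unknown) account reaches nothing.
function assignmentsFor(org: OrgModel, vault: { id: string }, acc: { email: string }): VaultAssignment[] {
  const member = getMember(org, acc);
  if (!member || member.status !== "active") return [];
  let result = member.vaults.filter((v) => v.id === vault.id);
  for (const g of getGroupsForMember(org, acc)) {
    result = result.concat(g.vaults.filter((v) => v.id === vault.id));
  }
  return result;
}

export function canRead(org: OrgModel, vault: { id: string }, acc: { email: string }): boolean {
  return assignmentsFor(org, vault, acc).length > 0;
}

// Readonly flags never add up to write access: one writable assignment is required.
export function canWrite(org: OrgModel, vault: { id: string }, acc: { email: string }): boolean {
  return assignmentsFor(org, vault, acc).some((v) => !v.readonly);
}

// All active members with access to the vault, directly or through a group,
// each listed once even if several assignments reach them.
export function getAccessors(org: OrgModel, vault: { id: string }): Member[] {
  return org.members.filter((m) => canRead(org, vault, m));
}

export function getVaultsForMember(org: OrgModel, acc: { email: string }): { id: string; name: string }[] {
  return org.vaults.filter((v) => canRead(org, v, acc));
}

// Constructed sample organization.
export const sampleOrg: OrgModel = {
  vaults: [
    { id: "v-eng", name: "Engineering" },
    { id: "v-fin", name: "Finance" },
  ],
  members: [
    { email: "alice@example.com", role: "owner", status: "active", vaults: [{ id: "v-fin", readonly: false }] },
    // bob: readonly directly, but writable through the Developers group
    { email: "bob@example.com", role: "member", status: "active", vaults: [{ id: "v-eng", readonly: true }] },
    // carol: writable assignment, but suspended
    { email: "carol@example.com", role: "member", status: "suspended", vaults: [{ id: "v-eng", readonly: false }] },
  ],
  groups: [
    { name: "Developers", members: [{ email: "bob@example.com" }], vaults: [{ id: "v-eng", readonly: false }] },
  ],
};
```

Resolving access through getMember first is what makes suspension effective: a suspended member keeps their assignments in the data model but is filtered out before any assignment is consulted.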


initialize

initialize(account): Promise<void>

Initializes the organization, generating publicKey, privateKey, and invitesKey and adding the given account as the organization owner.

Parameters

Name Type
account Account

Returns

Promise<void>

Defined in

core/src/org.ts:463


isAdmin

isAdmin(m): boolean

Whether the given Account is an OrgRole.Admin

Parameters

Name Type
m Object
m.email string

Returns

boolean

Defined in

core/src/org.ts:333


isMember

isMember(acc): boolean

Whether the given Account is an organization member

Parameters

Name Type
acc Object
acc.email string

Returns

boolean

Defined in

core/src/org.ts:350


isOwner

isOwner(__namedParameters): boolean

Whether the given Account is an OrgRole.Owner

Parameters

Name Type
__namedParameters Object
__namedParameters.email string

Returns

boolean

Defined in

core/src/org.ts:328


isSuspended

isSuspended(m): boolean

Whether the given Account is currently suspended

Parameters

Name Type
m Object
m.email string

Returns

boolean

Defined in

core/src/org.ts:339


lock

lock(): void

Locks the container, removing the possibility to extract the plain text data via getData until the container is unlocked again. Subclasses extending this class must take care to delete any keys or other sensitive data that may have been stored temporarily after unlocking the container.

Returns

void

Overrides

SharedContainer.lock

Defined in

core/src/org.ts:537


makeOwner

makeOwner(member): Promise<void>

Transfers organization ownership to a different member

Parameters

Name Type
member Object
member.email string

Returns

Promise<void>

Defined in

core/src/org.ts:685


removeInvite

removeInvite(__namedParameters): void

Remove an invite

Parameters

Name Type
__namedParameters Invite

Returns

void

Defined in

core/src/org.ts:454


removeMember

removeMember(member, reSignMembers?): Promise<void>

Removes a member from the organization

Parameters

Name Type Default value
member Object undefined
member.email string undefined
reSignMembers boolean true

Returns

Promise<void>

Defined in

core/src/org.ts:655


rotateKeys

rotateKeys(force?): Promise<void>

Regenerates all cryptographic keys and updates all member signatures

Parameters

Name Type Default value
force boolean false

Returns

Promise<void>

Defined in

core/src/org.ts:507


setData

setData(data): Promise<void>

Encrypts the provided data and stores it in the container

Parameters

Name Type
data Uint8Array

Returns

Promise<void>

Inherited from

SharedContainer.setData

Defined in

core/src/container.ts:38


sign

sign(member): Promise<OrgMember>

Signs the member's public key, id, role and email address so they can be verified later

Parameters

Name Type
member OrgMember

Returns

Promise<OrgMember>

Defined in

core/src/org.ts:547


toBytes

toBytes(): Uint8Array

Returns a serialization of the object in form of a byte array

Returns

Uint8Array

Implementation of

Storable.toBytes

Inherited from

SharedContainer.toBytes

Defined in

core/src/encoding.ts:230


toJSON

toJSON(): string

Returns a JSON serialization of the object

Returns

string

Implementation of

Storable.toJSON

Inherited from

SharedContainer.toJSON

Defined in

core/src/encoding.ts:216


toRaw

toRaw(version?): any

Creates a raw JavaScript object representation of the class, which can be used for storage or data transmission. Also handles "downgrading" to previous versions. Use _toRaw for subclass-specific behavior.

Parameters

Name Type
version? string

Returns

any

Implementation of

Storable.toRaw

Inherited from

SharedContainer.toRaw

Defined in

core/src/encoding.ts:179


toString

toString(): string

Returns

string

Defined in

core/src/org.ts:717


unlock

unlock(account): Promise<void>

"Unlocks" the organization, granting access to the organization's privateKey and invitesKey properties.

Parameters

Name Type
account UnlockedAccount

Returns

Promise<void>

Overrides

SharedContainer.unlock

Defined in

core/src/org.ts:529


updateAccessors

updateAccessors(subjects): Promise<void>

Updates the container's accessors, generating a new shared key and encrypting it with the public keys of the provided subjects. Non-empty containers need to be unlocked first.

Parameters

Name Type
subjects { id: string ; publicKey: Uint8Array }[]

Returns

Promise<void>

Inherited from

SharedContainer.updateAccessors

Defined in

core/src/container.ts:189
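An added example (not Padloc's own code) of the envelope scheme that accessors, updateAccessors, unlock and getData describe: one random shared key encrypts the content, and that key is wrapped once per accessor under their public key, so only a listed private-key holder can unlock the container. It also shows why a non-empty container must be unlocked before updateAccessors: the content has to be re-encrypted under the new key, after which a removed subject's old key decrypts nothing. AES-256-GCM for the content, RSA-OAEP for key wrapping, the Container fields and the Node crypto calls are assumptions for this illustration, not Padloc's exact AESEncryptionParams or RSAEncryptionParams; the sample content is constructed.

```typescript
// Added example, not Padloc's own code: envelope encryption of a shared container.
// Algorithms and field names are assumed for the illustration.
import {
  constants,
  createCipheriv,
  createDecipheriv,
  generateKeyPairSync,
  privateDecrypt,
  publicEncrypt,
  randomBytes,
  KeyObject,
} from "node:crypto";

export interface Accessor {
  id: string;
  encryptedKey: Buffer; // shared key wrapped under this accessor's public key
}

export interface Container {
  accessors: Accessor[];
  iv?: Buffer;
  authTag?: Buffer;
  encryptedData?: Buffer;
}

const OAEP = (key: KeyObject) => ({ key, padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" });

// Encrypts data under the shared key; the container only ever holds ciphertext.
export function setData(c: Container, sharedKey: Buffer, data: Buffer): void {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", sharedKey, iv);
  c.encryptedData = Buffer.concat([cipher.update(data), cipher.final()]);
  c.iv = iv;
  c.authTag = cipher.getAuthTag();
}

// Decrypts the content; throws if the key is wrong or the ciphertext was altered.
export function getData(c: Container, sharedKey: Buffer): Buffer {
  if (!c.encryptedData || !c.iv || !c.authTag) throw new Error("container is empty");
  const decipher = createDecipheriv("aes-256-gcm", sharedKey, c.iv);
  decipher.setAuthTag(c.authTag);
  return Buffer.concat([decipher.update(c.encryptedData), decipher.final()]);
}

// "Unlocking": recover the shared key from this subject's accessor entry.
export function unlock(c: Container, subjectId: string, privateKey: KeyObject): Buffer {
  const entry = c.accessors.filter((a) => a.id === subjectId)[0];
  if (!entry) throw new Error(`${subjectId} is not an accessor of this container`);
  return privateDecrypt(OAEP(privateKey), entry.encryptedKey);
}

// Replaces the accessor list with a fresh shared key wrapped for each subject.
// A non-empty container must already be unlocked (current key supplied) so the
// content can be re-encrypted under the new key. Returns the new shared key.
export function updateAccessors(
  c: Container,
  subjects: { id: string; publicKey: KeyObject }[],
  currentKey?: Buffer
): Buffer {
  let plain: Buffer | undefined;
  if (c.encryptedData) {
    if (!currentKey) throw new Error("non-empty container must be unlocked first");
    plain = getData(c, currentKey);
  }
  const newKey = randomBytes(32);
  c.accessors = subjects.map((s) => ({ id: s.id, encryptedKey: publicEncrypt(OAEP(s.publicKey), newKey) }));
  if (plain) setData(c, newKey, plain);
  return newKey;
}

// Constructed walkthrough: share with alice and bob, then drop bob.
export function demo(): { bobBefore: string; aliceAfter: string; bobAfterRemoval: boolean; oldKeyAfterRotation: boolean } {
  const alice = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const bob = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const c: Container = { accessors: [] };

  const key = updateAccessors(c, [
    { id: "alice", publicKey: alice.publicKey },
    { id: "bob", publicKey: bob.publicKey },
  ]);
  setData(c, key, Buffer.from("vault secrets", "utf8")); // constructed content
  const bobsOldKey = unlock(c, "bob", bob.privateKey);
  const bobBefore = getData(c, bobsOldKey).toString("utf8");

  // alice removes bob: new shared key, content re-encrypted under it.
  updateAccessors(c, [{ id: "alice", publicKey: alice.publicKey }], unlock(c, "alice", alice.privateKey));
  const aliceAfter = getData(c, unlock(c, "alice", alice.privateKey)).toString("utf8");

  let bobAfterRemoval = true;
  let oldKeyAfterRotation = true;
  try { unlock(c, "bob", bob.privateKey); } catch { bobAfterRemoval = false; }
  try { getData(c, bobsOldKey); } catch { oldKeyAfterRotation = false; }
  return { bobBefore, aliceAfter, bobAfterRemoval, oldKeyAfterRotation };
}
```

Removing an accessor without rotating the shared key would only delete their wrapped copy; anyone who had already unlocked the container would still hold a key that decrypts the unchanged ciphertext, which is why updateAccessors generates a new key every time.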


validate

validate(): boolean

This is called during deserialization and should verify that all properties have been populated with values of the correct type. Subclasses should implement this method based on their class structure.

Returns

boolean

Implementation of

Storable.validate

Overrides

SharedContainer.validate

Defined in

core/src/org.ts:709


verify

verify(member): Promise<void>

Verifies the member's public key, id, role and email address. Throws if verification fails.

Parameters

Name Type
member OrgMember

Returns

Promise<void>

Defined in

core/src/org.ts:577


verifyAll

verifyAll(members?): Promise<void>

Verifies all provided members; throws if verification fails for any of them.

Parameters

Name Type
members OrgMember[]

Returns

Promise<void>

Defined in

core/src/org.ts:608
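An added example (not Padloc's own code) of what sign, verify and verifyAll do in principle: the organization signs a canonical encoding of a member's id, email, role and public key with its private signing key, and any holder of the organization's public key can later check that none of those fields changed. RSA-PSS with SHA-256, the length-prefixed field encoding, the OrgMember shape and the Node crypto calls are assumptions for this illustration, not Padloc's exact RSASigningParams; the walkthrough keys and member are constructed.

```typescript
// Added example, not Padloc's own code: organization signatures over member details.
// Signature scheme and field encoding are assumed for the illustration.
import { constants, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type OrgRole = "owner" | "admin" | "member";

interface OrgMember {
  id: string;
  email: string;
  role: OrgRole;
  publicKey: Buffer; // member's public key, DER (SPKI)
  orgSignature?: Buffer;
}

export interface OrgKeys {
  publicKey: KeyObject;
  privateKey: KeyObject;
}

export function generateOrgKeys(): OrgKeys {
  return generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Canonical byte encoding of the fields covered by the signature. Every field is
// length-prefixed so moving bytes between fields cannot yield the same input.
function signedFields(m: OrgMember): Buffer {
  const parts = [Buffer.from(m.id, "utf8"), Buffer.from(m.email, "utf8"), Buffer.from(m.role, "utf8"), m.publicKey];
  const chunks: Buffer[] = [];
  for (const p of parts) {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(p.length, 0);
    chunks.push(len, p);
  }
  return Buffer.concat(chunks);
}

const pss = (key: KeyObject) => ({ key, padding: constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 });

// sign: attach the organization's signature over the member's details.
export function signMember(keys: OrgKeys, m: OrgMember): OrgMember {
  return { ...m, orgSignature: sign("sha256", signedFields(m), pss(keys.privateKey)) };
}

// verify: throws if the signature is missing or does not match the current fields.
export function verifyMember(orgPublicKey: KeyObject, m: OrgMember): void {
  if (!m.orgSignature) throw new Error(`member ${m.email} has no organization signature`);
  if (!verify("sha256", signedFields(m), pss(orgPublicKey), m.orgSignature)) {
    throw new Error(`signature verification failed for member ${m.email}`);
  }
}

// verifyAll: every member must pass, otherwise the first failure propagates.
export function verifyAll(orgPublicKey: KeyObject, members: OrgMember[]): void {
  for (const m of members) verifyMember(orgPublicKey, m);
}

// Convenience for the walkthrough: true when verification succeeds.
export function verifies(orgPublicKey: KeyObject, m: OrgMember): boolean {
  try {
    verifyMember(orgPublicKey, m);
    return true;
  } catch {
    return false;
  }
}

// Constructed walkthrough: sign a member, then check a copy whose role was
// altered after signing and a copy that was never signed.
export function demo(): { genuine: boolean; alteredRole: boolean; unsigned: boolean; allGenuine: boolean } {
  const orgKeys = generateOrgKeys();
  const memberKeys = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const member: OrgMember = {
    id: "m-1", // constructed
    email: "bob@example.com",
    role: "member",
    publicKey: memberKeys.publicKey.export({ type: "spki", format: "der" }) as Buffer,
  };
  const signed = signMember(orgKeys, member);
  const altered: OrgMember = { ...signed, role: "owner" };
  let allGenuine = true;
  try { verifyAll(orgKeys.publicKey, [signed, altered]); } catch { allGenuine = false; }
  return {
    genuine: verifies(orgKeys.publicKey, signed),
    alteredRole: verifies(orgKeys.publicKey, altered),
    unsigned: verifies(orgKeys.publicKey, member),
    allGenuine,
  };
}
```

Because the role is inside the signed encoding, a client that verifies members before honouring their privileges cannot be convinced by a stored object alone that a member has a role the organization's owner never signed for.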