Class: Org
org.Org
Organizations are the central component of Padloc's secure data sharing architecture.
All shared Vaults are provisioned and managed in the context of an organization, while the Org class itself is responsible for managing, signing and verifying public keys, identities and privileges for all of its members.
Vaults can be assigned to members directly or indirectly through Groups. In both cases, the access can be declared readonly.
Before being added to an organization, members need to go through a key exchange procedure designed to allow verification of organization and member details by both parties. See the Invite class for details.
The privateKey and invitesKey properties are considered secret and are only accessible to members with the OrgRole.Owner role. To protect this information from unauthorized access, Org extends the SharedContainer class, encrypting this data at rest.
Organization Structure
┌──────────────┐            ┌──────────────┐            ┌──────────────┐
│              │           ╱│              │╲           │              │
│   Account    │┼─────────○─│  Membership  │──┼────────┼│ Organization │
│              │           ╲│              │╱           │              │
└──────────────┘            └───┬──────┬───┘            └──────────────┘
                               ╲│╱    ╲│╱                      ┼
                                ○      ○                       ○
                                │      │                      ╱│╲
                                │      │                ┌──────────────┐
                                │      │               ╱│              │
                                │      └──────────────○─│    Group     │
                                │                      ╲│              │
                                ○                       └──────────────┘
                               ╱│╲                            ╲│╱
                        ┌──────────────┐                       ○
                        │              │╲                      │
                        │ Shared Vault │─○─────────────────────┘
                        │              │╱
                        └──────────────┘
Hierarchy
- SharedContainer
↳ Org
↳↳ UnlockedOrg
Implements
- Storable
Constructors
constructor
• new Org()
Inherited from SharedContainer.constructor
Properties
_key
• Protected Optional _key: Uint8Array
The key used for encryption. Subclasses must set this property in the unlock method.
Inherited from SharedContainer._key
_propertySerializationOptions
• _propertySerializationOptions: SerializationOptions[]
Implementation of Storable._propertySerializationOptions
Inherited from SharedContainer._propertySerializationOptions
accessors
• accessors: Accessor[] = []
The ids and encrypted keys of all accessors
Inherited from SharedContainer.accessors
created
• created: Date
Creation date
directory
• directory: OrgDirectorySettings
encryptedData
• Optional encryptedData: Uint8Array
Encrypted data
Inherited from SharedContainer.encryptedData
encryptionParams
• encryptionParams: AESEncryptionParams
Parameters used for encryption of content data
Inherited from SharedContainer.encryptionParams
groups
• groups: Group[] = []
This organization's Groups.
id
• id: string = ""
Unique identifier
Implementation of Storable.id
invites
• invites: Invite[] = []
Pending Invites
invitesKey
• Optional invitesKey: Uint8Array
AES key used as encryption key for Invites
secret
IMPORTANT: This property is considered secret and should never be stored or transmitted in plain text
keyParams
• keyParams: RSAEncryptionParams
Parameters used to wrap the shared encryption key
Inherited from SharedContainer.keyParams
members
• members: OrgMember[] = []
Array of organization members
minMemberUpdated
• minMemberUpdated: Date
Minimum accepted update time for organization members. Any member with an OrgMember.updated value lower than this should be considered invalid.
In order to prevent an attacker from rolling back this value, all clients should verify that an updated organization object always has an Org.minMemberUpdated value equal to or higher than the previous one.
name
• name: string = ""
Organization name
privateKey
• Optional privateKey: Uint8Array
Private key used for signing member details
secret
IMPORTANT: This property is considered secret and should never be stored or transmitted in plain text
publicKey
• Optional publicKey: Uint8Array
Public key used for verifying member signatures
revision
• revision: string = ""
Revision id used for ensuring continuity when synchronizing this object between client and server
signingParams
• signingParams: RSASigningParams
Parameters for creating member signatures
updated
• updated: Date
Last updated
vaults
• vaults: { id: string; name: string; revision?: string }[] = []
Shared Vaults owned by this organization
Accessors
info
• get info(): OrgInfo
Returns
OrgInfo
kind
• get kind(): string
A string representing the object's "type", useful for segmenting storage, among other things. Defaults to the lowercase class name, but can be overwritten by subclasses
Returns
string
Implementation of Storable.kind
Inherited from SharedContainer.kind
owner
• get owner(): undefined | OrgMember
Account which created this organization
Returns
undefined | OrgMember
Methods
_fromRaw
▸ Protected _fromRaw(raw): void
Restore values from a raw object. The default implementation simply copies over all iterable properties from the base object. Override this method for properties that require special treatment
Parameters
Name | Type |
---|---|
raw | any |
Returns
void
Implementation of Storable._fromRaw
Inherited from SharedContainer._fromRaw
_toRaw
▸ Protected _toRaw(version): any
Transform this object into a raw JavaScript object used for serialization. The default implementation simply copies all iterable properties not included in the exclude array and calls toRaw on any properties that are themselves instances of Serializable. This method should be overridden by subclasses if certain properties require special treatment.
Parameters
Name | Type |
---|---|
version | undefined | string |
Returns
any
Implementation of Storable._toRaw
Inherited from SharedContainer._toRaw
addOrUpdateMember
▸ addOrUpdateMember(__namedParameters): Promise<void>
Adds a member to the organization, or updates the existing member with the same id.
Parameters
Name | Type |
---|---|
__namedParameters | Object |
__namedParameters.accountId? | string |
__namedParameters.email | string |
__namedParameters.name | string |
__namedParameters.orgSignature? | Uint8Array |
__namedParameters.publicKey? | Uint8Array |
__namedParameters.role? | OrgRole |
__namedParameters.status? | OrgMemberStatus |
Returns
Promise<void>
canRead
▸ canRead(vault, account): undefined | boolean
Check whether the given account has read access to a vault
Parameters
Name | Type |
---|---|
vault | Object |
vault.id | string |
account | Object |
account.email | string |
Returns
undefined | boolean
canWrite
▸ canWrite(vault, acc): undefined | boolean
Check whether the given account has write access to a vault
Parameters
Name | Type |
---|---|
vault | Object |
vault.id | string |
acc | Object |
acc.email | string |
Returns
undefined | boolean
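The direct-or-via-Group access model from the class overview, resolved the way canRead and canWrite need it, as an added example that is not Padloc's own code. Member, Group and VaultGrant are simplified stand-ins for Padloc's types, the sample organization is constructed, and treating the most permissive grant on any path as decisive is this example's assumption.

```typescript
// Added example, not Padloc's code: resolving a member's effective access to a shared vault
// when vaults are assigned directly or through Groups, each assignment optionally readonly,
// as the class overview and canRead/canWrite describe. Member, Group and VaultGrant are
// simplified stand-ins; "most permissive grant wins" is this example's assumption.
interface VaultGrant {
  id: string;        // vault id
  readonly: boolean;
}
interface Member {
  email: string;
  vaults: VaultGrant[];   // direct assignments
}
interface Group {
  name: string;
  members: { email: string }[];
  vaults: VaultGrant[];   // assignments every group member inherits
}

type Access = "none" | "read" | "write";

function effectiveAccess(vaultId: string, email: string, members: Member[], groups: Group[]): Access {
  const member = members.find((m) => m.email === email);
  if (!member) return "none";  // not an organization member at all
  // Every grant that reaches this vault: direct ones, then one per group the member belongs to.
  const grants = member.vaults.filter((v) => v.id === vaultId);
  for (const g of groups) {
    if (g.members.some((m) => m.email === email)) grants.push(...g.vaults.filter((v) => v.id === vaultId));
  }
  if (grants.length === 0) return "none";
  return grants.some((v) => !v.readonly) ? "write" : "read";  // any writable path grants write
}

function canRead(vaultId: string, email: string, members: Member[], groups: Group[]): boolean {
  return effectiveAccess(vaultId, email, members, groups) !== "none";
}

function canWrite(vaultId: string, email: string, members: Member[], groups: Group[]): boolean {
  return effectiveAccess(vaultId, email, members, groups) === "write";
}

// Constructed sample organization with one shared vault, "v-eng".
const sampleMembers: Member[] = [
  { email: "alice@example.com", vaults: [{ id: "v-eng", readonly: true }] },  // direct, readonly
  { email: "bob@example.com", vaults: [] },                                   // reaches the vault only via a group
  { email: "dave@example.com", vaults: [] },                                  // member without any grant
];
const sampleGroups: Group[] = [
  { name: "engineers", members: [{ email: "alice@example.com" }], vaults: [{ id: "v-eng", readonly: false }] },
  { name: "auditors", members: [{ email: "bob@example.com" }], vaults: [{ id: "v-eng", readonly: true }] },
];
```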
clone
▸ clone(): Org
Creates a deep clone of the object
Returns
Org
Implementation of Storable.clone
Inherited from SharedContainer.clone
fromBytes
▸ fromBytes(bytes): Org
Deserializes the object from a byte array
Parameters
Name | Type |
---|---|
bytes | Uint8Array |
Returns
Org
Implementation of Storable.fromBytes
Inherited from SharedContainer.fromBytes
fromJSON
▸ fromJSON(json): Org
Deserializes the object from a JSON string
Parameters
Name | Type |
---|---|
json | string |
Returns
Org
Implementation of Storable.fromJSON
Inherited from SharedContainer.fromJSON
fromRaw
▸ fromRaw(raw): Org
Restores properties from a raw object of the same form generated by toRaw. The base implementation blindly copies over values from the raw object via Object.assign, so subclasses should explicitly process any properties that need special treatment.
Also takes care of validation and "upgrading" in case the raw object has an old version. Use the protected _fromRaw method to implement subclass-specific behavior.
Parameters
Name | Type |
---|---|
raw | any |
Returns
Org
Implementation of Storable.fromRaw
Inherited from SharedContainer.fromRaw
generateKeys
▸ generateKeys(): Promise<void>
Generates a new publicKey, privateKey and invitesKey and encrypts the latter two
Returns
Promise<void>
getAccessors
▸ getAccessors(vault): ActiveOrgMember[]
Get all members that have access to a given vault, either directly or through a Group
Parameters
Name | Type |
---|---|
vault | Vault |
Returns
ActiveOrgMember[]
getData
▸ getData(): Promise<Uint8Array>
Decrypts and extracts the plain text data from the container. This will usually require unlocking the container first.
Returns
Promise<Uint8Array>
Inherited from SharedContainer.getData
getGroup
▸ getGroup(name): undefined | Group
Get group with the given name
Parameters
Name | Type |
---|---|
name | string |
Returns
undefined | Group
getGroupsForMember
▸ getGroupsForMember(__namedParameters): Group[]
Get all Groups the given Account is a member of
Parameters
Name | Type |
---|---|
__namedParameters | Object |
__namedParameters.email | string |
Returns
Group[]
getGroupsForVault
▸ getGroupsForVault(__namedParameters): Group[]
Get all groups assigned to a given Vault
Parameters
Name | Type |
---|---|
__namedParameters | Object |
__namedParameters.id | string |
Returns
Group[]
getInvite
▸ getInvite(id): undefined | Invite
Get the invite with the given id
Parameters
Name | Type |
---|---|
id | string |
Returns
undefined | Invite
getMember
▸ getMember(__namedParameters): undefined | OrgMember
Get the OrgMember object for this Account
Parameters
Name | Type |
---|---|
__namedParameters | { accountId?: string; email: string } | { accountId: string; email?: string } |
Returns
undefined | OrgMember
getMembersForGroup
▸ getMembersForGroup(group): OrgMember[]
Get all members of a given group
Parameters
Name | Type |
---|---|
group | Group |
Returns
OrgMember[]
getMembersForVault
▸ getMembersForVault(__namedParameters): ActiveOrgMember[]
Get all members directly assigned to a given Vault
Parameters
Name | Type |
---|---|
__namedParameters | Object |
__namedParameters.id | string |
Returns
ActiveOrgMember[]
getVaultsForMember
▸ getVaultsForMember(acc): { id: string; name: string; revision?: string }[]
Get all vaults the given member has access to
Parameters
Name | Type |
---|---|
acc | Object |
acc.email | string |
Returns
{ id: string; name: string; revision?: string }[]
initialize
▸ initialize(account): Promise<void>
Initializes the organization, generating publicKey, privateKey, and invitesKey and adding the given account as the organization owner.
Parameters
Name | Type |
---|---|
account | Account |
Returns
Promise<void>
isAdmin
▸ isAdmin(m): boolean
Whether the given Account is an OrgRole.Admin
Parameters
Name | Type |
---|---|
m | Object |
m.email | string |
Returns
boolean
isMember
▸ isMember(acc): boolean
Whether the given Account is an organization member
Parameters
Name | Type |
---|---|
acc | Object |
acc.email | string |
Returns
boolean
isOwner
▸ isOwner(__namedParameters): boolean
Whether the given Account is an OrgRole.Owner
Parameters
Name | Type |
---|---|
__namedParameters | Object |
__namedParameters.email | string |
Returns
boolean
isSuspended
▸ isSuspended(m): boolean
Whether the given Account is currently suspended
Parameters
Name | Type |
---|---|
m | Object |
m.email | string |
Returns
boolean
lock
▸ lock(): void
Locks the container, removing the possibility to extract the plain text data via getData until the container is unlocked again. Subclasses extending this class must take care to delete any keys or other sensitive data that may have been stored temporarily after unlocking the container.
Returns
void
Overrides SharedContainer.lock
makeOwner
▸ makeOwner(member): Promise<void>
Transfers organization ownership to a different member
Parameters
Name | Type |
---|---|
member | Object |
member.email | string |
Returns
Promise<void>
removeInvite
▸ removeInvite(__namedParameters): void
Remove an invite
Parameters
Name | Type |
---|---|
__namedParameters | Invite |
Returns
void
removeMember
▸ removeMember(member, reSignMembers?): Promise<void>
Removes a member from the organization
Parameters
Name | Type | Default value |
---|---|---|
member | Object | undefined |
member.email | string | undefined |
reSignMembers | boolean | true |
Returns
Promise<void>
rotateKeys
▸ rotateKeys(force?): Promise<void>
Regenerates all cryptographic keys and updates all member signatures
Parameters
Name | Type | Default value |
---|---|---|
force | boolean | false |
Returns
Promise<void>
setData
▸ setData(data): Promise<void>
Encrypts the provided data and stores it in the container
Parameters
Name | Type |
---|---|
data | Uint8Array |
Returns
Promise<void>
Inherited from SharedContainer.setData
sign
▸ sign(member): Promise<OrgMember>
Signs the member's public key, id, role and email address so they can be verified later
Parameters
Name | Type |
---|---|
member | OrgMember |
Returns
Promise<OrgMember>
toBytes
▸ toBytes(): Uint8Array
Returns a serialization of the object in form of a byte array
Returns
Uint8Array
Implementation of Storable.toBytes
Inherited from SharedContainer.toBytes
toJSON
▸ toJSON(): string
Returns a JSON serialization of the object
Returns
string
Implementation of Storable.toJSON
Inherited from SharedContainer.toJSON
toRaw
▸ toRaw(version?): any
Creates a raw JavaScript object representation of the class, which can be used for storage or data transmission. Also handles "downgrading" to previous versions. Use _toRaw for subclass-specific behavior.
Parameters
Name | Type |
---|---|
version? | string |
Returns
any
Implementation of Storable.toRaw
Inherited from SharedContainer.toRaw
toString
▸ toString(): string
Returns
string
unlock
▸ unlock(account): Promise<void>
"Unlocks" the organization, granting access to the organization's privateKey and invitesKey properties.
Parameters
Name | Type |
---|---|
account | UnlockedAccount |
Returns
Promise<void>
Overrides SharedContainer.unlock
updateAccessors
▸ updateAccessors(subjects): Promise<void>
Updates the container's accessors, generating a new shared key and encrypting it with the public keys of the provided subjects. Non-empty containers need to be unlocked first.
Parameters
Name | Type |
---|---|
subjects | { id: string; publicKey: Uint8Array }[] |
Returns
Promise<void>
Inherited from SharedContainer.updateAccessors
validate
▸ validate(): boolean
This is called during deserialization and should verify that all properties have been populated with values of the correct type. Subclasses should implement this method based on their class structure.
Returns
boolean
Implementation of Storable.validate
Overrides SharedContainer.validate
verify
▸ verify(member): Promise<void>
Verifies the member's public key, id, role and email address. Throws if verification fails.
Parameters
Name | Type |
---|---|
member | OrgMember |
Returns
Promise<void>
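What sign and verify protect, as an added example that is not Padloc's own code: the member's id, email, role and public key are bound to the organization's signing key, and a later check fails as soon as any of those fields differs from what was signed. The length-prefixed encoding and RSA-PSS with SHA-256 via node:crypto are this example's assumptions rather than Padloc's format, and the member key bytes are constructed placeholders.

```typescript
// Added example, not Padloc's code: binding a member's id, email, role and public key to the
// organization's signing key and checking that binding later, in the spirit of Org.sign and Org.verify.
// The length-prefixed encoding and RSA-PSS/SHA-256 are this example's assumptions, not Padloc's format.
import { constants, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";
type Role = "owner" | "admin" | "member";

interface MemberDetails {
  id: string;
  email: string;
  role: Role;
  publicKey: Uint8Array;      // the member's own public key
  orgSignature?: Uint8Array;  // produced with the organization's privateKey
}

// Fixed field order, each field prefixed with its length, so distinct inputs never collide.
function canonical(m: MemberDetails): Buffer {
  const fields = [m.id, m.email, m.role].map((s) => Buffer.from(s, "utf8"));
  fields.push(Buffer.from(m.publicKey));
  const chunks: Buffer[] = [];
  for (const f of fields) {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(f.length, 0);
    chunks.push(len, f);
  }
  return Buffer.concat(chunks);
}

const PSS = { padding: constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };

function signMember(m: MemberDetails, orgPrivateKey: KeyObject): MemberDetails {
  const sig = sign("sha256", canonical(m), { key: orgPrivateKey, ...PSS });
  return { ...m, orgSignature: new Uint8Array(sig) };
}

// True only if orgSignature covers exactly the id, email, role and publicKey present now.
function verifyMember(m: MemberDetails, orgPublicKey: KeyObject): boolean {
  if (!m.orgSignature) return false;
  return verify("sha256", canonical(m), { key: orgPublicKey, ...PSS }, Buffer.from(m.orgSignature));
}

// Sign a member (constructed placeholder key bytes), then check the untouched record and a
// copy whose role was edited by a party that does not hold the organization's privateKey.
function demo(): { intact: boolean; roleEdited: boolean } {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const alice: MemberDetails = { id: "m-alice", email: "alice@example.com", role: "member", publicKey: new Uint8Array([1, 2, 3, 4]) };
  const signed = signMember(alice, privateKey);
  const edited: MemberDetails = { ...signed, role: "owner" };
  return { intact: verifyMember(signed, publicKey), roleEdited: verifyMember(edited, publicKey) };
}
```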
verifyAll
▸ verifyAll(members?): Promise<void>
Verify all provided members; throws if verification fails for any of them.
Parameters
Name | Type |
---|---|
members | OrgMember[] |
Returns
Promise<void>