
implement EKM integration to load private keys during setup #279

@tomholub

Description

EKM = Email Key Manager https://flowcrypt.com/docs/technical/enterprise/email-deployment-overview.html

OrgRule definitions https://flowcrypt.com/docs/business/org-rules.html

As a part of #275 and after #276 and #277, immediately after authentication when we receive the OIDC and OrgRules, we should check if orgRules.usesKeyManager() == true. If yes, we should:

  • 7) call GET <ekm>/v1/keys/private. Into authorization header please put Bearer <ID_TOKEN>. On error, offer retry
  • 8) if there are no private keys there (empty array), show an error to the user that there are no private keys configured for them and that they should ask their systems administrator or help desk. Offer retry
  • 9) check that all of the received private keys are fully decrypted
  • 10) if there is at least one private key, ask user to provide a passphrase (similar UI to creating a new key), then ask to confirm the pass phrase
  • 11) encrypt the received keys with the pass phrase. Keep pass phrase in memory (option to keep pass phrase only in memory, #197), store encrypted key in storage
  • 12) finish setup without any further user interaction
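As an added illustration of steps 7 to 9 (not code from the FlowCrypt project): a Python client that calls GET /v1/keys/private with a Bearer ID token against a constructed stand-in EKM served on localhost, and turns HTTP failures, an empty key list and non-private-key payloads into errors the setup screen would show with a retry option. The JSON shape `{"privateKeys": [{"decryptedPrivateKey": ...}]}`, the token value and the armored key text are assumptions; the "fully decrypted" check of step 9 is only approximated by an armor-header check, since a real check needs an OpenPGP parser.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

ID_TOKEN = "constructed-oidc-id-token"  # constructed; in the app this is the OIDC ID token
# Constructed EKM reply; the {"privateKeys": [{"decryptedPrivateKey": ...}]} shape is an assumption.
SAMPLE_KEYS = [{"decryptedPrivateKey": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed)"}]

class FakeEkm(BaseHTTPRequestHandler):
    # Stand-in EKM: answers GET /v1/keys/private only for the expected Bearer token.
    def do_GET(self):
        if self.path != "/v1/keys/private":
            return self._reply(404, {"error": "not found"})
        if self.headers.get("Authorization") != f"Bearer {ID_TOKEN}":
            return self._reply(401, {"error": "missing or invalid bearer token"})
        self._reply(200, {"privateKeys": self.server.keys})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args): pass  # silence per-request logging

def start_fake_ekm(keys):
    # Serve `keys` on an ephemeral localhost port and return the base URL.
    srv = HTTPServer(("127.0.0.1", 0), FakeEkm)
    srv.keys = keys
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

class EkmError(Exception): pass  # every failure the setup screen shows with a retry option

def fetch_private_keys(ekm_url, id_token):
    # Steps 7-9: GET the keys with a Bearer token; fail on HTTP errors, empty lists, bad blocks.
    req = Request(f"{ekm_url}/v1/keys/private", headers={"Authorization": f"Bearer {id_token}"})
    try:
        with urlopen(req, timeout=5) as resp:
            keys = json.load(resp).get("privateKeys", [])
    except (HTTPError, URLError) as e:  # step 7: network or HTTP failure, offer retry
        raise EkmError(f"EKM request failed: {e}") from e
    if not keys:  # step 8: nothing configured for this user
        raise EkmError("no private keys configured for you; ask your administrator or help desk")
    armored = [k.get("decryptedPrivateKey", "") for k in keys]
    # Step 9 approximated: armor header only; proving the material is unencrypted needs an OpenPGP parser.
    if any(not a.startswith("-----BEGIN PGP PRIVATE KEY BLOCK-----") for a in armored):
        raise EkmError("EKM returned something other than a private key block")
    return armored
```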

The goal is that if the user has keys already configured on EKM and appropriate OrgRules are in place, they only need to authenticate and choose a pass phrase, and everything will be done automatically. After authentication and successful automatic setup, they will be sent to their inbox.

In this flow, do not submit any public key to attester.
