Harald Hoyer
d59819d8f6
All checks were successful
/ build (push) Successful in 8m1s
- Removed redundant step name in Nix CI configuration. - Ensured the `nix run` command executes without a named step. |
||
|---|---|---|
| .forgejo/workflows | ||
| nix | ||
| src | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| CLAUDE.md | ||
| docker-compose.yml | ||
| Dockerfile | ||
| flake.lock | ||
| flake.nix | ||
| README.md | ||
| rust-toolchain.toml | ||
| test_docker.sh | ||
| test_local.sh | ||
Hierarchical Document Signing with HashiCorp Vault
This project implements a hierarchical document signing system using HashiCorp Vault. It allows for secure document signing with a requirement of a specific number of signatures from different departmental groups.
Features
- Hierarchical Signing: Requires 3 of 5 signatures to validate a document, with at least 1 signature from each department
- Department Structure: Two departments (Legal and Finance) with 5 users each
- Document API: Upload, sign, and verify documents through a RESTful API
- CLI Client: Interact with the system through command-line interface
- Vault Integration: Leverages HashiCorp Vault's Transit engine for cryptographic operations
System Architecture
The system consists of:
- Vault Server: Provides secure storage and cryptographic operations
- Rust Application: Initializes Vault and provides a REST API for document operations
- User Hierarchy: 10 users organized into 2 departments
- Signature Requirements: 3 of 5 signatures needed, with at least 1 from each department
API Endpoints
- POST /api/login: Authenticate with username/password and get a token
- POST /api/documents: Upload a new document for signing
- GET /api/documents/:id: Retrieve document metadata
- POST /api/documents/:id/sign: Sign a document with your user credentials
- GET /api/documents/:id/verify: Check if a document has sufficient signatures
Getting Started
Prerequisites
- Docker and Docker Compose
- Rust development environment (if building from source)
Running with Docker
-
Start the Vault server and initialization program:
docker-compose up -d -
The service will automatically:
- Initialize Vault (if needed)
- Unseal Vault
- Create 10 users in a hierarchical structure
- Start the API server on port 3000
-
User credentials:
- Legal department: legal1/legal1pass through legal5/legal5pass
- Finance department: finance1/finance1pass through finance5/finance5pass
CLI Commands
The project includes a command-line interface to interact with the API:
-
Start the Server:
cargo run server [--vault-addr URL] [--api-port PORT] -
Login:
cargo run login --username USER --password PASS [--api-url URL] -
Upload Document:
cargo run upload --name NAME --file PATH [--api-url URL] -
Sign Document:
cargo run sign --document-id ID --username USER --token TOKEN [--api-url URL] -
Verify Document:
cargo run verify --document-id ID [--api-url URL] -
List Documents:
cargo run list [--api-url URL] -
Get Document Details:
cargo run get --document-id ID [--api-url URL]
API Usage Examples (curl)
-
Login:
curl -X POST http://localhost:3000/api/login \ -H "Content-Type: application/json" \ -d '{"username":"legal1","password":"legal1pass"}' -
Upload Document:
curl -X POST http://localhost:3000/api/documents \ -F "name=Contract" \ -F "file=@/path/to/document.pdf" -
Sign Document:
curl -X POST http://localhost:3000/api/documents/DOCUMENT_ID/sign \ -H "Content-Type: application/json" \ -d '{"username":"legal1","token":"USER_TOKEN"}' -
Verify Document:
curl -X GET http://localhost:3000/api/documents/DOCUMENT_ID/verify
Security Considerations
- All cryptographic operations are performed by Vault's Transit engine
- Each user has their own signing key
- Root token should be secured in production environments
- Consider adding TLS for production deployments
License
MIT