From b00f58d164aa7c040541972a27a25f54d022ce49 Mon Sep 17 00:00:00 2001
From: yackob03 <jacob.moshenko@gmail.com>
Date: Fri, 22 Nov 2013 15:54:23 -0500
Subject: [PATCH] Add a security page and link it from the landing page and
 footer.

---
 endpoints/web.py              |  7 ++++++
 static/js/app.js              | 12 ++++++----
 static/js/controllers.js      |  3 +++
 static/partials/landing.html  |  9 ++++---
 static/partials/security.html | 44 +++++++++++++++++++++++++++++++++++
 templates/base.html           |  2 +-
 6 files changed, 66 insertions(+), 11 deletions(-)
 create mode 100644 static/partials/security.html

diff --git a/endpoints/web.py b/endpoints/web.py
index 3c6c5e07b..347969268 100644
--- a/endpoints/web.py
+++ b/endpoints/web.py
@@ -100,11 +100,18 @@ def new():
 def repository():
   return index('')
 
+
+@app.route('/security/')
+def security():
+  return index('')
+
+
 @app.route('/v1')
 @app.route('/v1/')
 def v1():
   return index('')
 
+
 @app.route('/status', methods=['GET'])
 def status():
   return make_response('Healthy')
diff --git a/static/js/app.js b/static/js/app.js
index 121f5aee3..ebcc79e01 100644
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -435,16 +435,18 @@ quayApp = angular.module('quay', ['ngRoute', 'restangular', 'angularMoment', 'an
       when('/repository/:namespace/:name/admin', {templateUrl: '/static/partials/repo-admin.html', controller:RepoAdminCtrl}).
       when('/repository/', {title: 'Repositories', description: 'Public and private docker repositories list',
                             templateUrl: '/static/partials/repo-list.html', controller: RepoListCtrl}).
-      when('/user/', {title: 'Account Settings', description:'Account settings for Quay', templateUrl: '/static/partials/user-admin.html', controller: UserAdminCtrl}).
-      when('/guide/', {title: 'Guide', description:'Guide to using private docker repositories on Quay', templateUrl: '/static/partials/guide.html', controller: GuideCtrl}).
-      when('/plans/', {title: 'Plans and Pricing', description: 'Plans and pricing for private docker repositories on Quay',
+      when('/user/', {title: 'Account Settings', description:'Account settings for Quay.io', templateUrl: '/static/partials/user-admin.html', controller: UserAdminCtrl}).
+      when('/guide/', {title: 'Guide', description:'Guide to using private docker repositories on Quay.io', templateUrl: '/static/partials/guide.html', controller: GuideCtrl}).
+      when('/plans/', {title: 'Plans and Pricing', description: 'Plans and pricing for private docker repositories on Quay.io',
                        templateUrl: '/static/partials/plans.html', controller: PlansCtrl}).
-      when('/signin/', {title: 'Sign In', description: 'Sign into Quay', templateUrl: '/static/partials/signin.html', controller: SigninCtrl}).
+      when('/security/', {title: 'Security', description: 'Security features used when transmitting and storing data',
+                       templateUrl: '/static/partials/security.html', controller: SecurityCtrl}).
+      when('/signin/', {title: 'Sign In', description: 'Sign into Quay.io', templateUrl: '/static/partials/signin.html', controller: SigninCtrl}).
       when('/new/', {title: 'Create new repository', description: 'Create a new public or private docker repository, optionally constructing from a dockerfile',
                      templateUrl: '/static/partials/new-repo.html', controller: NewRepoCtrl}).
       when('/organizations/', {title: 'Organizations', description: 'Private docker repository hosting for businesses and organizations',
                                  templateUrl: '/static/partials/organizations.html', controller: OrgsCtrl}).
-      when('/organizations/new/', {title: 'New Organization', description: 'Create a new organization on Quay',
+      when('/organizations/new/', {title: 'New Organization', description: 'Create a new organization on Quay.io',
                                    templateUrl: '/static/partials/new-organization.html', controller: NewOrgCtrl}).
       when('/organization/:orgname', {templateUrl: '/static/partials/org-view.html', controller: OrgViewCtrl}).
       when('/organization/:orgname/admin', {templateUrl: '/static/partials/org-admin.html', controller: OrgAdminCtrl}).
diff --git a/static/js/controllers.js b/static/js/controllers.js
index 813b3ee29..9ac49b60c 100644
--- a/static/js/controllers.js
+++ b/static/js/controllers.js
@@ -58,6 +58,9 @@ function PlansCtrl($scope, $location, UserService, PlanService) {
 function GuideCtrl($scope) {
 }
 
+function SecurityCtrl($scope) {
+}
+
 function RepoListCtrl($scope, Restangular, UserService) {
   $scope.namespace = null;
 
diff --git a/static/partials/landing.html b/static/partials/landing.html
index e5165fc88..d805f94bb 100644
--- a/static/partials/landing.html
+++ b/static/partials/landing.html
@@ -72,17 +72,16 @@
         <i class="fa fa-lock"></i>
         <b>Secure</b>
         <span class="shoutout-expand">
-          Store your private Docker containers where only you and your team
-          can access it, with communication secured by <strong>SSL at all times</strong>
+          Your data is transferred using <strong>SSL at all times</strong> and <strong>encrypted</strong> when at rest. More information available in our <a href="/security/">security guide</a>
         </span>
       </div>
 
       <div class="col-md-4 shoutout">
-        <i class="fa fa-user"></i>
+        <i class="fa fa-group"></i>
         <b>Shareable</b>
         <span class="shoutout-expand">
           Have to share a repository? No problem! Share with anyone you choose
-	</span>
+        </span>
       </div>
 
       <div class="col-md-4 shoutout">
@@ -90,7 +89,7 @@
         <b>Cloud Hosted</b>
         <span class="shoutout-expand">
           Accessible from anywhere, anytime
-	</span>
+        </span>
       </div>
     </div> <!-- row -->
   </div> <!-- container -->
diff --git a/static/partials/security.html b/static/partials/security.html
new file mode 100644
index 000000000..73e599aff
--- /dev/null
+++ b/static/partials/security.html
@@ -0,0 +1,44 @@
+<div class="container">
+  <div class="row">
+    <div class="col-md-12">
+      <h1>Quay.io Security</h1>
+      <p>We understand that when you upload one of your repositories to Quay.io that you are trusting us with some potentially very sensitive data. On this page we will lay out our security features and practices to help you make an informed decision about whether you can trust us with your data.</p>
+    </div>
+  </div>
+  <div class="row">
+    <div class="col-md-12">
+      <h3>SSL Everwhere</h3>
+      <p>We expressly forbid connections to Quay.io using unencrypted HTTP traffic. This helps keep your data and account information safe on the wire. Our SSL traffic is decrypted on our application servers, so your traffic is encrypted even within the datacenter. We use a 4096-bit RSA key, and after the key exchange is complete, traffic is transferred using 256-bit AES, for the maximum encryption strength.</p>
+    </div>
+  </div>
+  <div class="row">
+    <div class="col-md-12">
+      <h3>Encryption</h3>
+      <p>Our binary data is currently stored in Amazon's <a href="http://aws.amazon.com/s3/">S3</a> service. We use HTTPS when transferring your data internally between our application servers and S3, so your data is never exposed in plain text on any wire. We use their <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html">server side encryption</a> to protect your data while stored at rest in their data centers.</p>
+    </div>
+  </div>
+  <div class="row">
+    <div class="col-md-12">
+      <h3>Passwords</h3>
+      <p>There have been a number of high profile leaks recently where companies have been storing their customers' passwords in plain text, an unsalted hash, or a <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)">salted hash</a> where every salt is the same. At Quay.io we use the <a href="http://en.wikipedia.org/wiki/Bcrypt">bcrypt</a> algorithm to generate a salted hash from your password, using a unique salt for each password. This method of storage is safe against <a href="http://en.wikipedia.org/wiki/Rainbow_table">rainbow attacks</a> and is obviously superior to plain-text storage. Your credentials are also never written in plain text to our application logs, a leak that is commonly overlooked.</p>
+    </div>
+  </div>
+  <div class="row">
+    <div class="col-md-12">
+      <h3>Access Controls</h3>
+      <p>Repositories will only ever be shared with people to whom you delegate access. Repositories created from the Docker command line are private by default and repositories must subsequently made public with an explicit action in the Quay.io UI. We have a test suite which is run before every code push which tests all methods which expose private data with all levels of access to ensure nothing is accidentally leaked.</p>
+    </div>
+  </div>
+  <div class="row">
+    <div class="col-md-12">
+      <h3>Firewalls</h3>
+      <p>Our application servers and database servers are all protected with firewall settings that only allow communication with known hosts and host groups on sensitive ports (e.g. SSH). None of our servers have SSH password authentication enabled, preventing brute force password attacks.</p>
+    </div>
+  </div>
+  <div class="row">
+    <div class="col-md-12">
+      <h3>Data Resilience</h3>
+      <p>While not related directly to security, many of you are probably worried about whether you can depend on the data you store in Quay.io. All binary data that we store is stored in Amazon S3 at the highest redundancy level, which Amazon claims provides <a href="http://aws.amazon.com/s3/faqs/#How_is_Amazon_S3_designed_to_achieve_99.999999999%_durability">11-nines of durability</a>. Our service metadata (e.g. logins, tags, teams) is stored in a database which is backed up nightly, and backups are preserved for 7 days.</p>
+    </div>
+  </div>
+</div>
\ No newline at end of file
diff --git a/templates/base.html b/templates/base.html
index d0831634a..6379a452b 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -93,7 +93,7 @@ mixpanel.init(isProd ? "50ff2b2569faa3a51c8f5724922ffb7e" : "38014a0f27e7bdc3ff8
               <li><a href="http://blog.devtable.com/">Blog</a></li>
               <li><a href="/tos" target="_self">Terms of Service</a></li>
               <li><a href="/privacy" target="_self">Privacy Policy</a></li>
-              <li><a href="/guide/">User Guide</a></li>
+              <li><a href="/security/">Security</a></li>
               <li><b><a href="mailto:support@quay.io">Contact Support</a></b></li>
             </ul>
           </div>