189 lines
4.3 KiB
JavaScript
189 lines
4.3 KiB
JavaScript
/**
|
|
* Copyright (c) HashiCorp, Inc.
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*/
|
|
|
|
import RepositoryService from 'consul-ui/services/repository';
|
|
import { inject as service } from '@ember/service';
|
|
import { tracked } from '@glimmer/tracking';
|
|
import { runInDebug } from '@ember/debug';
|
|
import dataSource from 'consul-ui/decorators/data-source';
|
|
|
|
const modelName = 'permission';
|
|
// The set of permissions/resources required globally by the UI in order to
|
|
// run correctly
|
|
const REQUIRED_PERMISSIONS = [
|
|
{
|
|
Resource: 'operator',
|
|
Access: 'write',
|
|
},
|
|
{
|
|
Resource: 'operator',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'service',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'node',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'session',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'session',
|
|
Access: 'write',
|
|
},
|
|
{
|
|
Resource: 'key',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'key',
|
|
Access: 'write',
|
|
},
|
|
{
|
|
Resource: 'intention',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'intention',
|
|
Access: 'write',
|
|
},
|
|
{
|
|
Resource: 'acl',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'acl',
|
|
Access: 'write',
|
|
},
|
|
];
|
|
const PEERING_PERMISSIONS = [
|
|
{
|
|
Resource: 'peering',
|
|
Access: 'read',
|
|
},
|
|
{
|
|
Resource: 'peering',
|
|
Access: 'write',
|
|
},
|
|
];
|
|
export default class PermissionService extends RepositoryService {
|
|
@service('env') env;
|
|
@service('abilities') _can;
|
|
|
|
// TODO: move this to the store, if we want it to use ember-data
|
|
// currently this overwrites an inherited permissions service (this service)
|
|
// which isn't ideal, but if the name of this changes be aware that we'd
|
|
// probably have some circular dependency happening here
|
|
@tracked permissions = [];
|
|
|
|
getModelName() {
|
|
return modelName;
|
|
}
|
|
|
|
has(permission) {
|
|
const keys = Object.keys(permission);
|
|
return this.permissions.some((item) => {
|
|
return keys.every((key) => item[key] === permission[key]) && item.Allow === true;
|
|
});
|
|
}
|
|
|
|
can(can) {
|
|
return this._can.can(can);
|
|
}
|
|
|
|
abilityFor(str) {
|
|
return this._can.abilityFor(str);
|
|
}
|
|
|
|
generate(resource, action, segment) {
|
|
const req = {
|
|
Resource: resource,
|
|
Access: action,
|
|
};
|
|
if (typeof segment !== 'undefined') {
|
|
req.Segment = segment;
|
|
}
|
|
return req;
|
|
}
|
|
|
|
/**
|
|
* Requests the access for the defined resources/permissions from the backend.
|
|
* If ACLs are disabled, then you have access to everything, hence we check
|
|
* that here and only make the request if ACLs are enabled
|
|
*/
|
|
async authorize(params) {
|
|
if (!this.env.var('CONSUL_ACLS_ENABLED')) {
|
|
return params.resources.map((item) => {
|
|
return {
|
|
...item,
|
|
Allow: true,
|
|
};
|
|
});
|
|
} else {
|
|
let resources = [];
|
|
try {
|
|
resources = await this.store.authorize('permission', params);
|
|
} catch (e) {
|
|
runInDebug(() => console.error(e));
|
|
// passthrough
|
|
}
|
|
return resources;
|
|
}
|
|
}
|
|
|
|
async findBySlug(params, model) {
|
|
let ability;
|
|
try {
|
|
ability = this._can.abilityFor(model);
|
|
} catch (e) {
|
|
return [];
|
|
}
|
|
|
|
const resources = ability.generateForSegment(params.id.toString());
|
|
// if we get no resources for a segment it means that this
|
|
// ability/permission isn't segmentable
|
|
if (resources.length === 0) {
|
|
return [];
|
|
}
|
|
params.resources = resources;
|
|
return this.authorize(params);
|
|
}
|
|
|
|
async findByPermissions(params) {
|
|
return this.authorize(params);
|
|
}
|
|
|
|
@dataSource('/:partition/:nspace/:dc/permissions')
|
|
async findAll(params) {
|
|
params.resources = this.permissionsToRequest;
|
|
this.permissions = await this.findByPermissions(params);
|
|
/**/
|
|
// Temporarily revert to pre-1.10 UI functionality by overwriting frontend
|
|
// permissions. These are used to hide certain UI elements, but they are
|
|
// still enforced on the backend.
|
|
// This temporary measure should be removed again once https://github.com/hashicorp/consul/issues/11098
|
|
// has been resolved
|
|
this.permissions.forEach((item) => {
|
|
if (['key', 'node', 'service', 'intention', 'session'].includes(item.Resource)) {
|
|
item.Allow = true;
|
|
}
|
|
});
|
|
/**/
|
|
return this.permissions;
|
|
}
|
|
|
|
get permissionsToRequest() {
|
|
if (this._can.can('use peers')) {
|
|
return [...REQUIRED_PERMISSIONS, ...PEERING_PERMISSIONS];
|
|
} else {
|
|
return REQUIRED_PERMISSIONS;
|
|
}
|
|
}
|
|
}
|