2023-04-10 15:36:59 +00:00
|
|
|
/**
|
|
|
|
* Copyright (c) HashiCorp, Inc.
|
|
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
|
|
*/
|
|
|
|
|
2020-05-11 19:43:17 +00:00
|
|
|
import { Ability } from 'ember-can';
|
|
|
|
import { inject as service } from '@ember/service';
|
|
|
|
import { computed, get } from '@ember/object';
|
|
|
|
import { equal, not } from '@ember/object/computed';
|
2020-06-10 13:49:16 +00:00
|
|
|
import classic from 'ember-classic-decorator';
|
2020-05-11 19:43:17 +00:00
|
|
|
|
2020-06-10 13:49:16 +00:00
|
|
|
@classic
|
|
|
|
export default class Abstract extends Ability {
|
|
|
|
@service system;
|
|
|
|
@service token;
|
2020-05-11 19:43:17 +00:00
|
|
|
|
2020-06-10 13:49:16 +00:00
|
|
|
@not('token.aclEnabled') bypassAuthorization;
|
|
|
|
@equal('token.selfToken.type', 'management') selfTokenIsManagement;
|
2020-05-11 19:43:17 +00:00
|
|
|
|
2021-04-29 20:00:59 +00:00
|
|
|
// Pass in a namespace to `can` or `cannot` calls to override
|
|
|
|
// https://github.com/minutebase/ember-can#additional-attributes
|
|
|
|
namespace = 'default';
|
|
|
|
|
|
|
|
get _namespace() {
|
|
|
|
if (!this.namespace) return 'default';
|
|
|
|
if (typeof this.namespace === 'string') return this.namespace;
|
|
|
|
return get(this.namespace, 'name');
|
2020-06-10 13:49:16 +00:00
|
|
|
}
|
2020-05-11 19:43:17 +00:00
|
|
|
|
2021-04-29 20:00:59 +00:00
|
|
|
@computed('_namespace', 'token.selfTokenPolicies.[]')
|
|
|
|
get rulesForNamespace() {
|
|
|
|
let namespace = this._namespace;
|
2020-05-11 19:43:17 +00:00
|
|
|
|
2021-12-28 16:08:12 +00:00
|
|
|
return (this.get('token.selfTokenPolicies') || [])
|
|
|
|
.toArray()
|
|
|
|
.reduce((rules, policy) => {
|
|
|
|
let policyNamespaces = get(policy, 'rulesJSON.Namespaces') || [];
|
|
|
|
|
|
|
|
let matchingNamespace = this._findMatchingNamespace(
|
|
|
|
policyNamespaces,
|
|
|
|
namespace
|
|
|
|
);
|
|
|
|
|
|
|
|
if (matchingNamespace) {
|
|
|
|
rules.push(
|
|
|
|
policyNamespaces.find(
|
|
|
|
(namespace) => namespace.Name === matchingNamespace
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
2020-05-11 19:43:17 +00:00
|
|
|
|
2021-12-28 16:08:12 +00:00
|
|
|
return rules;
|
|
|
|
}, []);
|
2020-06-10 13:49:16 +00:00
|
|
|
}
|
2020-05-11 19:43:17 +00:00
|
|
|
|
2020-10-29 12:46:42 +00:00
|
|
|
@computed('token.selfTokenPolicies.[]')
|
|
|
|
get capabilitiesForAllNamespaces() {
|
|
|
|
return (this.get('token.selfTokenPolicies') || [])
|
|
|
|
.toArray()
|
|
|
|
.reduce((allCapabilities, policy) => {
|
2021-12-28 16:08:12 +00:00
|
|
|
(get(policy, 'rulesJSON.Namespaces') || []).forEach(
|
|
|
|
({ Capabilities }) => {
|
|
|
|
allCapabilities = allCapabilities.concat(Capabilities);
|
|
|
|
}
|
|
|
|
);
|
2020-10-29 12:46:42 +00:00
|
|
|
return allCapabilities;
|
|
|
|
}, []);
|
|
|
|
}
|
|
|
|
|
2021-04-29 20:00:59 +00:00
|
|
|
namespaceIncludesCapability(capability) {
|
2021-12-28 14:45:20 +00:00
|
|
|
return this.rulesForNamespace.some((rules) => {
|
2020-06-18 05:44:35 +00:00
|
|
|
let capabilities = get(rules, 'Capabilities') || [];
|
|
|
|
return capabilities.includes(capability);
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
2020-11-06 14:21:38 +00:00
|
|
|
@computed('system.features.[]')
|
|
|
|
get features() {
|
|
|
|
return this.system.features;
|
|
|
|
}
|
|
|
|
|
|
|
|
featureIsPresent(featureName) {
|
|
|
|
return this.features.includes(featureName);
|
|
|
|
}
|
|
|
|
|
2020-05-11 19:43:17 +00:00
|
|
|
// Chooses the closest namespace as described at the bottom here:
|
2020-11-04 23:23:47 +00:00
|
|
|
// https://learn.hashicorp.com/tutorials/nomad/access-control-policies?in=nomad/access-control#namespace-rules
|
2021-04-29 20:00:59 +00:00
|
|
|
_findMatchingNamespace(policyNamespaces, namespace) {
|
2020-05-11 19:43:17 +00:00
|
|
|
let namespaceNames = policyNamespaces.mapBy('Name');
|
|
|
|
|
2021-04-29 20:00:59 +00:00
|
|
|
if (namespaceNames.includes(namespace)) {
|
|
|
|
return namespace;
|
2020-05-11 19:43:17 +00:00
|
|
|
}
|
|
|
|
|
2021-12-28 16:08:12 +00:00
|
|
|
let globNamespaceNames = namespaceNames.filter((namespaceName) =>
|
|
|
|
namespaceName.includes('*')
|
|
|
|
);
|
2020-05-11 19:43:17 +00:00
|
|
|
|
|
|
|
let matchingNamespaceName = globNamespaceNames.reduce(
|
|
|
|
(mostMatching, namespaceName) => {
|
|
|
|
// Convert * wildcards to .* for regex matching
|
2021-12-28 16:08:12 +00:00
|
|
|
let namespaceNameRegExp = new RegExp(
|
|
|
|
namespaceName.replace(/\*/g, '.*')
|
|
|
|
);
|
2021-04-29 20:00:59 +00:00
|
|
|
let characterDifference = namespace.length - namespaceName.length;
|
2020-05-11 19:43:17 +00:00
|
|
|
|
|
|
|
if (
|
|
|
|
characterDifference < mostMatching.mostMatchingCharacterDifference &&
|
2021-04-29 20:00:59 +00:00
|
|
|
namespace.match(namespaceNameRegExp)
|
2020-05-11 19:43:17 +00:00
|
|
|
) {
|
|
|
|
return {
|
|
|
|
mostMatchingNamespaceName: namespaceName,
|
|
|
|
mostMatchingCharacterDifference: characterDifference,
|
|
|
|
};
|
|
|
|
} else {
|
|
|
|
return mostMatching;
|
|
|
|
}
|
|
|
|
},
|
2021-12-28 16:08:12 +00:00
|
|
|
{
|
|
|
|
mostMatchingNamespaceName: null,
|
|
|
|
mostMatchingCharacterDifference: Number.MAX_SAFE_INTEGER,
|
|
|
|
}
|
2020-05-11 19:43:17 +00:00
|
|
|
).mostMatchingNamespaceName;
|
|
|
|
|
|
|
|
if (matchingNamespaceName) {
|
|
|
|
return matchingNamespaceName;
|
|
|
|
} else if (namespaceNames.includes('default')) {
|
|
|
|
return 'default';
|
|
|
|
}
|
2020-06-10 13:49:16 +00:00
|
|
|
}
|
|
|
|
}
|