/**
* Copyright (c) HashiCorp, Inc.
* SPDX-License-Identifier: MPL-2.0
*/
import AbstractAbility from './abstract';
import { computed, get } from '@ember/object';
import { or } from '@ember/object/computed';
/**
 * Ability flags for job actions (run, scale, list all, dispatch).
 *
 * Each `can*` flag is an `or` over other boolean properties on this object.
 * `bypassAuthorization`, `selfTokenIsManagement`, `rulesForNamespace`,
 * `namespaceIncludesCapability` and `token` are not defined in this class;
 * presumably they come from AbstractAbility (verify there).
 *
 * NOTE(review): these flags are computed in the client from the policies
 * attached to the current token, so they can only decide what the UI offers.
 * Confirm the API enforces the same capabilities independently.
 */
export default class Job extends AbstractAbility {
  // NOTE(review): unlike canScale and canDispatch, the policy term here
  // (policiesSupportRunning) looks at every namespace rule of every policy on
  // the token rather than at the rules for one namespace, so this flag can be
  // true for a namespace in which the token has no 'submit-job' capability.
  @or('bypassAuthorization', 'selfTokenIsManagement', 'policiesSupportRunning')
  canRun;

  // Scaling is offered when the namespace rules carry either 'submit-job'
  // or 'scale-job'.
  @or(
    'bypassAuthorization',
    'selfTokenIsManagement',
    'specificNamespaceSupportsRunning',
    'policiesSupportScaling'
  )
  canScale;

  // TODO: A person can also see all jobs if their token grants read access to all namespaces,
  // but given the complexity of namespaces and policy precedence, there isn't a good quick way
  // to confirm this.
  @or('bypassAuthorization', 'selfTokenIsManagement')
  canListAll;

  @or('bypassAuthorization', 'selfTokenIsManagement', 'policiesSupportDispatching')
  canDispatch;

  /**
   * Reports whether any namespace rule in any of the given policies lists at
   * least one of the requested capabilities.
   *
   * The check is a plain membership test over the flattened `Capabilities`
   * lists: it does not look at which namespace a rule names, and it gives no
   * special treatment to any capability value (for example an explicit deny),
   * so a `true` result is a hint for the UI, not an authorization decision.
   *
   * @param {Array} policies - policy records; each is read through
   *   `rulesJSON.Namespaces`. Must respond to `toArray()`.
   * @param {string[]} permissions - capability names to look for.
   * @returns {boolean} true when at least one requested capability is found.
   */
  policyNamespacesIncludePermissions(policies = [], permissions = []) {
    // Gather the Capabilities of every namespace rule of every policy into
    // one flat list; policies without namespace rules are skipped.
    const grantedCapabilities = policies
      .toArray()
      .map((record) => get(record, 'rulesJSON.Namespaces'))
      .filter((namespaceRules) => namespaceRules)
      .flat()
      .flatMap((rule = {}) => rule.Capabilities)
      .compact();

    // One match among the requested permissions is enough.
    return grantedCapabilities.some((capability) =>
      permissions.includes(capability)
    );
  }

  /**
   * True when any policy on the current token lists 'submit-job' in any of
   * its namespace rules.
   */
  @computed('token.selfTokenPolicies.[]')
  get policiesSupportRunning() {
    const tokenPolicies = this.token.selfTokenPolicies;
    return this.policyNamespacesIncludePermissions(tokenPolicies, [
      'submit-job',
    ]);
  }

  /** Result of namespaceIncludesCapability for 'submit-job'. */
  @computed('rulesForNamespace.@each.capabilities')
  get specificNamespaceSupportsRunning() {
    return this.namespaceIncludesCapability('submit-job');
  }

  /** Result of namespaceIncludesCapability for 'scale-job'. */
  @computed('rulesForNamespace.@each.capabilities')
  get policiesSupportScaling() {
    return this.namespaceIncludesCapability('scale-job');
  }

  /** Result of namespaceIncludesCapability for 'dispatch-job'. */
  @computed('rulesForNamespace.@each.capabilities')
  get policiesSupportDispatching() {
    return this.namespaceIncludesCapability('dispatch-job');
  }
}