open-nomad/ui/app/services/token.js
Phil Renaud bfba4f5e13
[ui] ACL Roles in the UI, plus Role, Policy and Token management (#17770) (#18599)
* Rename pages to include roles

* Models and adapters

* [ui] Any policy checks in the UI now check for roles' policies as well as token policies (#18346)

* combinedPolicies as a concept

* Classic decorator on role adapter

* We added a new request for roles, so the test based on a specific order of requests got fickle fast

* Mirage roles cluster scaffolded

* Acceptance test for roles and policies on the login page

* Update mirage mock for nodes fetch to account for role policies / empty token.policies

* Roles-derived policies checks

* [ui] Access Control with Roles and Tokens (#18413)

* top level policies routes moved into access control

* A few more routes and name cleanup

* Delog and test fixes to account for new url prefix and document titles

* Overview page

* Tokens and Roles routes

* Tokens helios table

* Add a role

* Hacky role page and deletion

* New policy keyboard shortcut and roles breadcrumb nav

* If you leave New Role but havent made any changes, remove the newly-created record from store

* Roles index list and general role route crud

* Roles index actually links to roles now

* Helios button styles for new roles and policies

* Handle when you try to create a new role without having any policies

* Token editing generally

* Create Token functionality

* Cant delete self-token but management token editing and deleting is fine

* Upgrading helios caused codemirror to explode, shimmed

* Policies table fix

* without bang-element condition, modifier would refire over and over

* Token TTL or Time setting

* time will take you on

* Mirage hooks for create and list roles

* Ensure policy names only use allow characters in mirage mocks

* Mirage mocked roles and policies in the default cluster

* log and lintfix

* chromedriver to 2.1.2

* unused unit tests removed

* Nice profile dropdown

* With the HDS accordion, rename our internal component scss ref

* design revisions after discussion

* Tooltip on deleted-policy tokens

* Two-step button peripheral isDeleting gcode removed

* Never to null on token save

* copyright headers added and empty routefiles removed

* acceptance test fixes for policies endpoint

* Route for updating a token

* Policies testfixes

* Ember on-click-outside modifier upgraded with general ember-modifier upgrade

* Test adjustments to account for new profile header dropdown

* Test adjustments for tokens via policy pages

* Removed an unused route

* Access Control index page tests

* a11y tests

* Tokens index acceptance tests generally

* Lintfix

* Token edit page tests

* Token editing tests

* New token expiration tests

* Roles Index tests

* Role editing policies tests

* A complete set of Access Control Roles tests

* Policies test

* Be more specific about which row to check for expiration time

* Nil check on expirationTime equality

* Management tokens shouldnt show No Roles/Policies, give them their own designation

* Route guard on selftoken, conditional columns, and afterModel at parent to prevent orphaned policies on tokens/roles from stopping a new save

* Policy unloading on delete and other todos plus autofocus conditionally re-enabled

* Invalid policies non-links now a concept for Roles index

* HDS style links to make job.variables.alert links look like links again

* Mirage finding looks weird so making model async in hash even though redundant

* Drop rsvp

* RSVP wasnt the problem, cached lookups were

* remove old todo comments

* de-log
2023-09-27 17:02:48 -04:00


/**
* Copyright (c) HashiCorp, Inc.
* SPDX-License-Identifier: MPL-2.0
*/
import Service, { inject as service } from '@ember/service';
import { computed } from '@ember/object';
import { alias, reads } from '@ember/object/computed';
import { getOwner } from '@ember/application';
import { assign } from '@ember/polyfills';
import { task, timeout } from 'ember-concurrency';
import queryString from 'query-string';
import fetch from 'nomad-ui/utils/fetch';
import classic from 'ember-classic-decorator';
import moment from 'moment';
// Minutes of token lifetime left at which monitorTokenTime starts warning the user.
const MINUTES_LEFT_AT_WARNING = 10;
// Title used both when adding the expiry warning and when looking it up again
// in the notifications queue so its "time left" message can be updated in place.
const EXPIRY_NOTIFICATION_TITLE = 'Your access is about to expire';
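@classic
export default class TokenService extends Service {
  @service store;
  @service system;
  @service router;
  @service notifications;

  // Flipped to false when the server answers 'ACL support disabled'.
  aclEnabled = true;
  // Set when the server answers 'ACL token not found' for the stored secret.
  tokenNotFound = false;
  // Set by the expiry warning's close action so the warning is not re-added
  // on the next monitorTokenTime tick.
  expirationNotificationDismissed = false;

  /**
   * The ACL token secret sent with every authorized request.
   *
   * Persisted in window.localStorage under `nomadTokenSecret` so it survives
   * reloads; note that any script running on this origin can read that key.
   * Assigning null or undefined removes the stored secret.
   */
  @computed
  get secret() {
    return window.localStorage.nomadTokenSecret;
  }

  set secret(value) {
    if (value == null) {
      window.localStorage.removeItem('nomadTokenSecret');
    } else {
      window.localStorage.nomadTokenSecret = value;
    }
  }

  /**
   * Looks up the token belonging to `secret` through the token adapter and
   * re-stores its secret. On failure the error details are inspected to flip
   * `aclEnabled` / `tokenNotFound`, and null is returned so "no usable token"
   * is an ordinary result rather than an exception.
   */
  @task(function* () {
    const TokenAdapter = getOwner(this).lookup('adapter:token');
    try {
      const token = yield TokenAdapter.findSelf();
      this.secret = token.secret;
      return token;
    } catch (e) {
      const errors = e.errors ? e.errors.mapBy('detail') : [];
      if (errors.includes('ACL support disabled')) {
        this.set('aclEnabled', false);
      }
      if (errors.includes('ACL token not found')) {
        this.set('tokenNotFound', true);
      }
      return null;
    }
  })
  fetchSelfToken;

  @reads('fetchSelfToken.lastSuccessful.value') selfToken;

  /**
   * Exchanges a one-time token for a full ACL token and stores its secret.
   * @param {string} oneTimeToken
   */
  async exchangeOneTimeToken(oneTimeToken) {
    const TokenAdapter = getOwner(this).lookup('adapter:token');
    const token = await TokenAdapter.exchangeOneTimeToken(oneTimeToken);
    this.secret = token.secret;
  }

  /**
   * Collects every policy that applies to the current token: the token's own
   * policies plus the policies of each role it holds. Without a token the
   * 'anonymous' policy is returned on its own. Any failure while resolving
   * (such as a policy that no longer exists) yields an empty list, so
   * authorization checks fall back to "no policies" instead of erroring.
   */
  @task(function* () {
    try {
      if (!this.selfToken) {
        const anonymous = yield this.store.findRecord('policy', 'anonymous');
        return [anonymous];
      }
      const tokenPolicies = yield this.selfToken.get('policies');
      const roles = yield this.selfToken.get('roles');
      let rolePolicies = [];
      if (roles.length) {
        // Resolve every role's async policies relationship first so the
        // synchronous toArray() reads below see loaded records.
        yield Promise.all(roles.map((role) => role.policies));
        rolePolicies = roles.map((role) => role.policies.toArray()).flat();
      }
      return [...tokenPolicies.toArray(), ...rolePolicies];
    } catch (e) {
      // Deliberately best-effort: an unresolvable policy must not block the UI.
      return [];
    }
  })
  fetchSelfTokenPolicies;

  @alias('fetchSelfTokenPolicies.lastSuccessful.value') selfTokenPolicies;

  /**
   * Fetches the current token, starts expiry monitoring, and, when ACLs are
   * enabled, resolves the token's policies.
   */
  @task(function* () {
    yield this.fetchSelfToken.perform();
    this.kickoffTokenTTLMonitoring();
    if (this.aclEnabled) {
      yield this.fetchSelfTokenPolicies.perform();
    }
  })
  fetchSelfTokenAndPolicies;

  // All non Ember Data requests should go through authorizedRequest.
  // However, the request that gets regions falls into that category.
  // This authorizedRawRequest is necessary in order to fetch data
  // with the guarantee of a token but without the automatic region
  // param since the region cannot be known at this point.
  //
  // The stored secret is sent as X-Nomad-Token to whatever URL is passed,
  // so only Nomad API URLs may be used here; a third-party URL would receive
  // the token. Caller-supplied `options.headers` are replaced, not merged,
  // and the caller's `options` object is not modified.
  /**
   * @param {string} url
   * @param {object} [options] fetch options; `headers` and `credentials` are overridden
   * @returns whatever the project's `fetch` wrapper returns
   */
  authorizedRawRequest(url, options = {}) {
    const headers = {};
    const token = this.secret;
    if (token) {
      headers['X-Nomad-Token'] = token;
    }
    // Build a fresh options object instead of assign()-ing into the caller's.
    return fetch(url, { ...options, headers, credentials: 'include' });
  }

  /**
   * authorizedRawRequest plus the `region` query param, added when the system
   * service says a region should be included and the URL does not already
   * carry a `region=` param.
   * @param {string} url
   * @param {object} [options]
   */
  authorizedRequest(url, options) {
    let requestUrl = url;
    if (this.get('system.shouldIncludeRegion')) {
      const region = this.get('system.activeRegion');
      if (region && !requestUrl.includes('region=')) {
        requestUrl = addParams(requestUrl, { region });
      }
    }
    return this.authorizedRawRequest(requestUrl, options);
  }

  /**
   * Cancels every in-flight token task (clearing their last results) and
   * drops the OIDC nonce / auth method left in localStorage by a login flow.
   * The secret itself is not cleared here; assign `secret = null` for that.
   */
  reset() {
    this.fetchSelfToken.cancelAll({ resetState: true });
    this.fetchSelfTokenPolicies.cancelAll({ resetState: true });
    this.fetchSelfTokenAndPolicies.cancelAll({ resetState: true });
    this.monitorTokenTime.cancelAll({ resetState: true });
    window.localStorage.removeItem('nomadOIDCNonce');
    window.localStorage.removeItem('nomadOIDCAuthMethod');
  }

  kickoffTokenTTLMonitoring() {
    this.monitorTokenTime.perform();
  }

  /**
   * Once a second, compares the token's expirationTime with now. Inside the
   * last MINUTES_LEFT_AT_WARNING minutes a sticky warning is added (unless the
   * user dismissed it) and its "time left" message refreshed each tick; at
   * expiry the warning is rewritten and the task stops itself. Tokens
   * without an expirationTime are never monitored.
   */
  @task(function* () {
    while (this.selfToken?.expirationTime) {
      const msLeft = new Date(this.selfToken.expirationTime) - new Date();
      // Let the user know at the 10 minute mark,
      // or any time they refresh with under 10 minutes left
      if (msLeft < 1000 * 60 * MINUTES_LEFT_AT_WARNING) {
        const existingNotification = this.notifications.queue?.find(
          (m) => m.title === EXPIRY_NOTIFICATION_TITLE
        );
        // For the sake of updating the "time left" message, we keep running
        // the task down to the moment of expiration
        if (msLeft > 0) {
          const message = `Your token access expires ${moment(
            this.selfToken.expirationTime
          ).fromNow()}`;
          if (existingNotification) {
            existingNotification.set('message', message);
          } else if (!this.expirationNotificationDismissed) {
            this.notifications.add({
              title: EXPIRY_NOTIFICATION_TITLE,
              message,
              color: 'warning',
              sticky: true,
              customCloseAction: () => {
                this.set('expirationNotificationDismissed', true);
              },
              customAction: {
                label: 'Re-authenticate',
                action: () => {
                  this.router.transitionTo('settings.tokens');
                },
              },
            });
          }
        } else {
          if (existingNotification) {
            existingNotification.setProperties({
              title: 'Your access has expired',
              message: `Your token will need to be re-authenticated`,
            });
          }
          this.monitorTokenTime.cancelAll(); // Stop updating time left after expiration
        }
      }
      yield timeout(1000);
    }
  })
  monitorTokenTime;
}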
/**
 * Appends `params` to `url` as a query string, using `&` when the URL
 * already has a query and `?` otherwise.
 * @param {string} url
 * @param {object} params key/value pairs serialized by query-string
 * @returns {string}
 */
function addParams(url, params) {
  const joiner = url.includes('?') ? '&' : '?';
  return [url, queryString.stringify(params)].join(joiner);
}