open-nomad/ui/mirage/factories/token.js
Phil Renaud 4da169e155
[ui] "Can Read" checks on individual Secure Variables (#14020)
* Changelog and lintfix

* Changelog removed

* Forbidden state on individual variables

* CanRead checked on variable path links

* Mirage fixture with lesser secure variables access, temporary fix for * namespaces

* Read flow acceptance tests

* Unit tests for variable.canRead

* lintfix

* TODO squashed, thanks Jai

* explicitly link mirage fixture vars to jobs via namespace

* Typofix; delete to read

* Linking the original alloc

* Percy snapshots uniquely named

* Guarantee that the alloc we depend on has tasks within it

* Logging variables

* Trying to skip delete

* Now without create flow either

* Dedicated cluster fixture for testing variables

* Disambiguate percy calls
2022-08-09 13:17:55 -04:00


import { Factory } from 'ember-cli-mirage';
import faker from 'nomad-ui/mirage/faker';
/**
 * Builds one entry of a policy's `rulesJSON.Paths` list.
 *
 * @param {string} pathSpec - Variable path pattern the rule applies to.
 * @param {string[]} capabilities - Capability names granted on that path.
 * @returns {{Capabilities: string[], PathSpec: string}} A fresh path rule.
 */
function pathRule(pathSpec, capabilities) {
  return { Capabilities: capabilities, PathSpec: pathSpec };
}

/**
 * Builds one entry of a policy's `rulesJSON.Namespaces` list.
 *
 * Every namespace rule in this file carries the same namespace-level
 * capabilities, which include `alloc-exec`. Only the secure-variable
 * paths differ between rules.
 *
 * @param {string} name - Namespace name or pattern.
 * @param {Array<object>} paths - Path rules for secure variables.
 * @returns {object} A fresh namespace rule (no arrays shared across calls).
 */
function namespaceRule(name, paths) {
  return {
    Name: name,
    Capabilities: ['list-jobs', 'alloc-exec', 'read-logs'],
    SecureVariables: { Paths: paths },
  };
}

/**
 * Builds the "Variable Maker" policy fixture: list/read/destroy plus a
 * write-type capability on every secure-variable path in every namespace.
 *
 * NOTE(review): the HCL text and `rulesJSON` disagree on one capability
 * name ("create" in the HCL, 'write' in the JSON). Which representation the
 * UI's ability checks read is not visible from this file; confirm before
 * relying on either.
 *
 * @returns {{id: string, rules: string, rulesJSON: object}} A new policy object.
 */
function buildVariableMakerPolicy() {
  // The HCL is runtime data, so its lines are kept exactly as written
  // (column 0, original comments). Those embedded comments understate the
  // grant: the stanza targets namespace "*" and includes alloc-exec.
  const rules = `
# Allow read only access to the default namespace
namespace "*" {
policy = "read"
capabilities = ["list-jobs", "alloc-exec", "read-logs"]
secure_variables {
# Base access is to all abilities for all secure variables
path "*" {
capabilities = ["list", "read", "destroy", "create"]
}
}
}
node {
policy = "read"
}
`;

  return {
    id: 'Variable Maker',
    rules,
    rulesJSON: {
      Namespaces: [
        namespaceRule('*', [
          pathRule('*', ['write', 'read', 'destroy', 'list']),
        ]),
      ],
    },
  };
}

/**
 * Builds the "Variable Viewer" policy fixture, the reduced-access
 * counterpart of "Variable Maker":
 *   - namespace "*":           list only, on every path
 *   - namespace "namespace-1": list/read/destroy/create on every path
 *   - namespace "namespace-2": list/read/destroy/create under "blue/*",
 *                              list/read/create under "nomad/jobs/*"
 *
 * @returns {{id: string, rules: string, rulesJSON: object}} A new policy object.
 */
function buildVariableViewerPolicy() {
  // Runtime data, reproduced verbatim. The embedded "all abilities" comment
  // above the list-only wildcard path does not match the capabilities
  // actually listed there.
  const rules = `
# Allow read only access to the default namespace
namespace "*" {
policy = "read"
capabilities = ["list-jobs", "alloc-exec", "read-logs"]
secure_variables {
# Base access is to all abilities for all secure variables
path "*" {
capabilities = ["list"]
}
}
}
namespace "namespace-1" {
policy = "read"
capabilities = ["list-jobs", "alloc-exec", "read-logs"]
secure_variables {
# Base access is to all abilities for all secure variables
path "*" {
capabilities = ["list", "read", "destroy", "create"]
}
}
}
namespace "namespace-2" {
policy = "read"
capabilities = ["list-jobs", "alloc-exec", "read-logs"]
secure_variables {
# Base access is to all abilities for all secure variables
path "blue/*" {
capabilities = ["list", "read", "destroy", "create"]
}
path "nomad/jobs/*" {
capabilities = ["list", "read", "create"]
}
}
}
node {
policy = "read"
}
`;

  return {
    id: 'Variable Viewer',
    rules,
    rulesJSON: {
      Namespaces: [
        namespaceRule('*', [pathRule('*', ['list'])]),
        namespaceRule('namespace-1', [
          pathRule('*', ['list', 'read', 'destroy', 'create']),
        ]),
        namespaceRule('namespace-2', [
          pathRule('blue/*', ['list', 'read', 'destroy', 'create']),
          pathRule('nomad/jobs/*', ['list', 'read', 'create']),
        ]),
      ],
    },
  };
}

// Fixed token ids that receive a hand-written secure-variables policy on top
// of their random ones. Presumably a scenario elsewhere creates tokens with
// these ids; that code is not visible here.
const SPECIAL_POLICY_BUILDERS = new Map([
  ['53cur3-v4r14bl35', buildVariableMakerPolicy],
  ['f3w3r-53cur3-v4r14bl35', buildVariableViewerPolicy],
]);

/**
 * Mirage factory for mock ACL tokens.
 *
 * All ids and secrets are faker-generated placeholders. The first token
 * created (sequence index 0) is the 'management' token and gets a
 * "Manager " name prefix; every later token is a 'client' token.
 */
export default Factory.extend({
  id() {
    return faker.random.uuid();
  },

  // Mirrors `id`; must stay a regular method because it reads `this`.
  accessorId() {
    return this.id;
  },

  secretId() {
    return faker.random.uuid();
  },

  name(i) {
    const prefix = i === 0 ? 'Manager ' : '';
    return `${prefix}${faker.name.findName()}`;
  },

  global() {
    return faker.random.boolean();
  },

  type(i) {
    if (i === 0) {
      return 'management';
    }
    return 'client';
  },

  oneTimeSecret() {
    return faker.random.uuid();
  },

  /**
   * Gives the new token 1-5 randomly named policies, creating any that do
   * not exist yet, then adds the matching hand-written policy when the token
   * has one of the fixed ids.
   *
   * @param {object} token - The token model that was just created.
   * @param {object} server - The Mirage server instance.
   */
  afterCreate(token, server) {
    const policyCount = faker.random.number({ min: 1, max: 5 });
    const verbs = Array(policyCount)
      .fill(0)
      .map(() => faker.hacker.verb());
    // Random verbs can repeat, so the list is de-duplicated before use.
    const randomPolicyIds = verbs.uniq();

    for (const policyId of randomPolicyIds) {
      const existingPolicy = server.db.policies.find(policyId);
      if (!existingPolicy) {
        server.create('policy', { id: policyId });
      }
    }

    token.update({ policyIds: randomPolicyIds });

    // Create a special policy with secure variables rules in place
    const buildSpecialPolicy = SPECIAL_POLICY_BUILDERS.get(token.id);
    if (buildSpecialPolicy) {
      const specialPolicy = buildSpecialPolicy();
      server.create('policy', specialPolicy);
      // Appended in place on the model's array; no update()/save() call
      // follows in this hook.
      token.policyIds.push(specialPolicy.id);
    }
  },
});