ffd16dfec6
* Top nav auth dropdown (#15055) * Basic dropdown styles * Some cleanup * delog * Default nomad hover state styles * Component separation-of-concerns and acceptance tests for auth dropdown * lintfix * [ui, sso] Handle token expiry 500s (#15073) * Handle error states generally * Dont direct, just redirect * no longer need explicit error on controller * Redirect on token-doesnt-exist * Forgot to import our time lib * Linting on _blank * Redirect tests * changelog * [ui, sso] warn user about pending token expiry (#15091) * Handle error states generally * Dont direct, just redirect * no longer need explicit error on controller * Linting on _blank * Custom notification actions and shift the template to within an else block * Lintfix * Make the closeAction optional * changelog * Add a mirage token that will always expire in 11 minutes * Test for token expiry with ember concurrency waiters * concurrency handling for earlier test, and button redirect test * [ui] if ACLs are disabled, remove the Sign In link from the top of the UI (#15114) * Remove top nav link if ACLs disabled * Change to an enabled-by-default model since you get no agent config when ACLs are disabled but you lack a token * PR feedback addressed; down with double negative conditionals * lintfix * ember getter instead of ?.prop * [SSO] Auth Methods and Mock OIDC Flow (#15155) * Big ol first pass at a redirect sign in flow * dont recursively add queryparams on redirect * Passing state and code qps * In which I go off the deep end and embed a faux provider page in the nomad ui * Buggy but self-contained flow * Flow auto-delay added and a little more polish to resetting token * secret passing turned to accessor passing * Handle SSO Failure * General cleanup and test fix * Lintfix * SSO flow acceptance tests * Percy snapshots added * Explicitly note the OIDC test route is mirage only * Handling failure case for complete-auth * Leentfeex * Tokens page styles (#15273) * styling and moving columns around * autofocus and enter press handling * Styles refined * Split up manager and regular tests * Standardizing to a binary status state * Serialize auth-methods response to use "name" as primary key (#15380) * Serializer for unique-by-name * Use @classic because of class extension
193 lines
5.9 KiB
JavaScript
193 lines
5.9 KiB
JavaScript
import Service, { inject as service } from '@ember/service';
|
|
import { computed } from '@ember/object';
|
|
import { alias, reads } from '@ember/object/computed';
|
|
import { getOwner } from '@ember/application';
|
|
import { assign } from '@ember/polyfills';
|
|
import { task, timeout } from 'ember-concurrency';
|
|
import queryString from 'query-string';
|
|
import fetch from 'nomad-ui/utils/fetch';
|
|
import classic from 'ember-classic-decorator';
|
|
import moment from 'moment';
|
|
|
|
const MINUTES_LEFT_AT_WARNING = 10;
|
|
const EXPIRY_NOTIFICATION_TITLE = 'Your access is about to expire';
|
|
@classic
|
|
export default class TokenService extends Service {
|
|
@service store;
|
|
@service system;
|
|
@service router;
|
|
@service flashMessages;
|
|
|
|
aclEnabled = true;
|
|
|
|
tokenNotFound = false;
|
|
|
|
@computed
|
|
get secret() {
|
|
return window.localStorage.nomadTokenSecret;
|
|
}
|
|
|
|
set secret(value) {
|
|
if (value == null) {
|
|
window.localStorage.removeItem('nomadTokenSecret');
|
|
} else {
|
|
window.localStorage.nomadTokenSecret = value;
|
|
}
|
|
}
|
|
|
|
@task(function* () {
|
|
const TokenAdapter = getOwner(this).lookup('adapter:token');
|
|
try {
|
|
var token = yield TokenAdapter.findSelf();
|
|
this.secret = token.secret;
|
|
return token;
|
|
} catch (e) {
|
|
const errors = e.errors ? e.errors.mapBy('detail') : [];
|
|
if (errors.find((error) => error === 'ACL support disabled')) {
|
|
this.set('aclEnabled', false);
|
|
}
|
|
if (errors.find((error) => error === 'ACL token not found')) {
|
|
this.set('tokenNotFound', true);
|
|
}
|
|
return null;
|
|
}
|
|
})
|
|
fetchSelfToken;
|
|
|
|
@reads('fetchSelfToken.lastSuccessful.value') selfToken;
|
|
|
|
async exchangeOneTimeToken(oneTimeToken) {
|
|
const TokenAdapter = getOwner(this).lookup('adapter:token');
|
|
|
|
const token = await TokenAdapter.exchangeOneTimeToken(oneTimeToken);
|
|
this.secret = token.secret;
|
|
}
|
|
|
|
@task(function* () {
|
|
try {
|
|
if (this.selfToken) {
|
|
return yield this.selfToken.get('policies');
|
|
} else {
|
|
let policy = yield this.store.findRecord('policy', 'anonymous');
|
|
return [policy];
|
|
}
|
|
} catch (e) {
|
|
return [];
|
|
}
|
|
})
|
|
fetchSelfTokenPolicies;
|
|
|
|
@alias('fetchSelfTokenPolicies.lastSuccessful.value') selfTokenPolicies;
|
|
|
|
@task(function* () {
|
|
yield this.fetchSelfToken.perform();
|
|
this.kickoffTokenTTLMonitoring();
|
|
if (this.aclEnabled) {
|
|
yield this.fetchSelfTokenPolicies.perform();
|
|
}
|
|
})
|
|
fetchSelfTokenAndPolicies;
|
|
|
|
// All non Ember Data requests should go through authorizedRequest.
|
|
// However, the request that gets regions falls into that category.
|
|
// This authorizedRawRequest is necessary in order to fetch data
|
|
// with the guarantee of a token but without the automatic region
|
|
// param since the region cannot be known at this point.
|
|
authorizedRawRequest(url, options = {}) {
|
|
const credentials = 'include';
|
|
const headers = {};
|
|
const token = this.secret;
|
|
|
|
if (token) {
|
|
headers['X-Nomad-Token'] = token;
|
|
}
|
|
|
|
return fetch(url, assign(options, { headers, credentials }));
|
|
}
|
|
|
|
authorizedRequest(url, options) {
|
|
if (this.get('system.shouldIncludeRegion')) {
|
|
const region = this.get('system.activeRegion');
|
|
if (region && url.indexOf('region=') === -1) {
|
|
url = addParams(url, { region });
|
|
}
|
|
}
|
|
|
|
return this.authorizedRawRequest(url, options);
|
|
}
|
|
|
|
reset() {
|
|
this.fetchSelfToken.cancelAll({ resetState: true });
|
|
this.fetchSelfTokenPolicies.cancelAll({ resetState: true });
|
|
this.fetchSelfTokenAndPolicies.cancelAll({ resetState: true });
|
|
this.monitorTokenTime.cancelAll({ resetState: true });
|
|
window.localStorage.removeItem('nomadOIDCNonce');
|
|
window.localStorage.removeItem('nomadOIDCAuthMethod');
|
|
}
|
|
|
|
kickoffTokenTTLMonitoring() {
|
|
this.monitorTokenTime.perform();
|
|
}
|
|
|
|
@task(function* () {
|
|
while (this.selfToken?.expirationTime) {
|
|
const diff = new Date(this.selfToken.expirationTime) - new Date();
|
|
// Let the user know at the 10 minute mark,
|
|
// or any time they refresh with under 10 minutes left
|
|
if (diff < 1000 * 60 * MINUTES_LEFT_AT_WARNING) {
|
|
const existingNotification = this.flashMessages.queue?.find(
|
|
(m) => m.title === EXPIRY_NOTIFICATION_TITLE
|
|
);
|
|
// For the sake of updating the "time left" message, we keep running the task down to the moment of expiration
|
|
if (diff > 0) {
|
|
if (existingNotification) {
|
|
existingNotification.set(
|
|
'message',
|
|
`Your token access expires ${moment(
|
|
this.selfToken.expirationTime
|
|
).fromNow()}`
|
|
);
|
|
} else {
|
|
if (!this.expirationNotificationDismissed) {
|
|
this.flashMessages.add({
|
|
title: EXPIRY_NOTIFICATION_TITLE,
|
|
message: `Your token access expires ${moment(
|
|
this.selfToken.expirationTime
|
|
).fromNow()}`,
|
|
type: 'error',
|
|
destroyOnClick: false,
|
|
sticky: true,
|
|
customCloseAction: () => {
|
|
this.set('expirationNotificationDismissed', true);
|
|
},
|
|
customAction: {
|
|
label: 'Re-authenticate',
|
|
action: () => {
|
|
this.router.transitionTo('settings.tokens');
|
|
},
|
|
},
|
|
});
|
|
}
|
|
}
|
|
} else {
|
|
if (existingNotification) {
|
|
existingNotification.setProperties({
|
|
title: 'Your access has expired',
|
|
message: `Your token will need to be re-authenticated`,
|
|
});
|
|
}
|
|
this.monitorTokenTime.cancelAll(); // Stop updating time left after expiration
|
|
}
|
|
}
|
|
yield timeout(1000);
|
|
}
|
|
})
|
|
monitorTokenTime;
|
|
}
|
|
|
|
function addParams(url, params) {
|
|
const paramsStr = queryString.stringify(params);
|
|
const delimiter = url.includes('?') ? '&' : '?';
|
|
return `${url}${delimiter}${paramsStr}`;
|
|
}
|