open-vault/ui/app/models/pki/role.js

/**
 * Copyright (c) HashiCorp, Inc.
 * SPDX-License-Identifier: MPL-2.0
 */

import Model, { attr } from '@ember-data/model';
import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
import { withModelValidations } from 'vault/decorators/model-validations';
import { withFormFields } from 'vault/decorators/model-form-fields';

const validations = {
  name: [{ type: 'presence', message: 'Name is required.' }],
};

const fieldGroups = [
  {
    default: [
      'name',
      'issuerRef',
      'customTtl',
      'notBeforeDuration',
      'maxTtl',
      'generateLease',
      'noStore',
      'addBasicConstraints',
    ],
  },
  {
    'Domain handling': [
      'allowedDomains',
      'allowedDomainsTemplate',
      'allowBareDomains',
      'allowSubdomains',
      'allowGlobDomains',
      'allowWildcardCertificates',
      'allowLocalhost', // default: true (returned true by OpenApi)
      'allowAnyName',
      'enforceHostnames', // default: true (returned true by OpenApi)
    ],
  },
  {
    'Key parameters': ['keyType', 'keyBits', 'signatureBits'],
  },
  {
    'Key usage': ['keyUsage', 'extKeyUsage', 'extKeyUsageOids'],
  },
  { 'Policy identifiers': ['policyIdentifiers'] },
  {
    'Subject Alternative Name (SAN) Options': [
      'allowIpSans',
      'allowedUriSans',
      'allowUriSansTemplate',
      'allowedOtherSans',
    ],
  },
  {
    'Additional subject fields': [
      'allowedUserIds',
      'allowedSerialNumbers',
      'requireCn',
      'useCsrCommonName',
      'useCsrSans',
      'ou',
      'organization',
      'country',
      'locality',
      'province',
      'streetAddress',
      'postalCode',
    ],
  },
];

@withFormFields(null, fieldGroups)
@withModelValidations(validations)
export default class PkiRoleModel extends Model {
  get useOpenAPI() {
    // must be a getter so it can be accessed in path-help.js
    return true;
  }
  getHelpUrl(backend) {
    return `/v1/${backend}/roles/example?help=1`;
  }

  @attr('string', { readOnly: true }) backend;

  /* Overriding OpenApi default options */
  @attr('string', {
    label: 'Role name',
    fieldValue: 'name',
    editDisabled: true,
  })
  name;

  @attr('string', {
    label: 'Issuer reference',
    detailsLabel: 'Issuer',
    defaultValue: 'default',
    subText: `Specifies the issuer that will be used to create certificates with this role. To find this, run read -field=default pki_int/config/issuers in the console. By default, we will use the mounts default issuer.`,
  })
  issuerRef;

  @attr({
    label: 'Not valid after',
    detailsLabel: 'Issued certificates expire after',
    subText:
      'The time after which this certificate will no longer be valid. This can be a TTL (a range of time from now) or a specific date.',
    editType: 'yield',
  })
  customTtl;

  @attr({
    label: 'Backdate validity',
    detailsLabel: 'Issued certificate backdating',
    helperTextDisabled: 'Vault will use the default value, 30s',
    helperTextEnabled:
      'Also called the not_before_duration property. Allows certificates to be valid for a certain time period before now. This is useful to correct clock misalignment on various systems when setting up your CA.',
    editType: 'ttl',
    defaultValue: '30s',
  })
  notBeforeDuration;

  @attr({
    label: 'Max TTL',
    helperTextDisabled:
      'The maximum Time-To-Live of certificates generated by this role. If not set, the system max lease TTL will be used.',
    editType: 'ttl',
    defaultShown: 'System default',
  })
  maxTtl;

  @attr('boolean', {
    label: 'Generate lease with certificate',
    subText:
      'Specifies if certificates issued/signed against this role will have Vault leases attached to them.',
    editType: 'boolean',
    docLink: '/vault/api-docs/secret/pki#create-update-role',
  })
  generateLease;

  @attr('boolean', {
    label: 'Do not store certificates in storage backend',
    detailsLabel: 'Store in storage backend', // template reverses value
    subText:
      'This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked.',
    editType: 'boolean',
    docLink: '/vault/api-docs/secret/pki#create-update-role',
  })
  noStore;

  @attr('boolean', {
    label: 'Basic constraints valid for non-CA',
    detailsLabel: 'Add basic constraints',
    subText: 'Mark Basic Constraints valid when issuing non-CA certificates.',
    editType: 'boolean',
  })
  addBasicConstraints;
  /* End of overriding default options */

  /* Overriding OpenApi Domain handling options */
  @attr({
    label: 'Allowed domains',
    subText: 'Specifies the domains this role is allowed to issue certificates for.',
    editType: 'stringArray',
  })
  allowedDomains;

  @attr('boolean', {
    label: 'Allow templates in allowed domains',
  })
  allowedDomainsTemplate;
  /* End of overriding Domain handling options */

  /* Overriding OpenApi Key parameters options */
  @attr('string', {
    label: 'Key type',
    possibleValues: ['rsa', 'ec', 'ed25519', 'any'],
    defaultValue: 'rsa',
  })
  keyType;

  @attr('string', {
    label: 'Key bits',
    defaultValue: '2048',
  })
  keyBits; // no possibleValues because options are dependent on selected key type

  @attr('string', {
    label: 'Signature bits',
    subText: `Only applicable for key_type 'RSA'. Ignore for other key types.`,
    defaultValue: '0',
    possibleValues: ['0', '256', '384', '512'],
  })
  signatureBits;
  /* End of overriding Key parameters options */

  /* Overriding API Policy identifier option */
  @attr({
    label: 'Policy identifiers',
    subText: 'A list of policy object identifiers (OIDs).',
    editType: 'stringArray',
  })
  policyIdentifiers;
  /* End of overriding Policy identifier options */

  /* Overriding OpenApi SAN options */
  @attr('boolean', {
    label: 'Allow IP SANs',
    subText: 'Specifies if clients can request IP Subject Alternative Names.',
    editType: 'boolean',
    defaultValue: true,
  })
  allowIpSans;

  @attr({
    label: 'URI Subject Alternative Names (URI SANs)',
    subText: 'Defines allowed URI Subject Alternative Names.',
    editType: 'stringArray',
    docLink: '/vault/docs/concepts/policies',
  })
  allowedUriSans;

  @attr('boolean', {
    label: 'Allow URI SANs template',
    subText: 'If true, the URI SANs above may contain templates, as with ACL Path Templating.',
    editType: 'boolean',
    docLink: '/vault/docs/concepts/policies',
  })
  allowUriSansTemplate;

  @attr({
    label: 'Other SANs',
    subText: 'Defines allowed custom OID/UTF8-string SANs.',
    editType: 'stringArray',
  })
  allowedOtherSans;
  /* End of overriding SAN options */

  /* Overriding OpenApi Additional subject field options */
  @attr({
    label: 'Allowed serial numbers',
    subText:
      'A list of allowed serial numbers to be requested during certificate issuance. Shell-style globbing is supported. If empty, custom-specified serial numbers will be forbidden.',
    editType: 'stringArray',
  })
  allowedSerialNumbers;

  @attr('boolean', {
    label: 'Require common name',
    subText: 'If set to false, common name will be optional when generating a certificate.',
    defaultValue: true,
  })
  requireCn;

  @attr('boolean', {
    label: 'Use CSR common name',
    subText:
      'When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data.',
    defaultValue: true,
  })
  useCsrCommonName;

  @attr('boolean', {
    label: 'Use CSR SANs',
    subText:
      'When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data.',
    defaultValue: true,
  })
  useCsrSans;

  @attr({
    label: 'Organization Units (OU)',
    subText:
      'A list of allowed serial numbers to be requested during certificate issuance. Shell-style globbing is supported. If empty, custom-specified serial numbers will be forbidden.',
    editType: 'stringArray',
  })
  ou;

  @attr('array', {
    defaultValue() {
      return ['DigitalSignature', 'KeyAgreement', 'KeyEncipherment'];
    },
    defaultShown: 'None',
  })
  keyUsage;

  @attr('array', {
    defaultShown: 'None',
  })
  extKeyUsage;

  @attr('array', {
    defaultShown: 'None',
  })
  extKeyUsageOids;

  @attr({ editType: 'stringArray' }) allowedUserIds;
  @attr({ editType: 'stringArray' }) organization;
  @attr({ editType: 'stringArray' }) country;
  @attr({ editType: 'stringArray' }) locality;
  @attr({ editType: 'stringArray' }) province;
  @attr({ editType: 'stringArray' }) streetAddress;
  @attr({ editType: 'stringArray' }) postalCode;
  /* End of overriding Additional subject field options */

  /* CAPABILITIES
   * Default to show UI elements unless we know they can't access the given path
   */
  @lazyCapabilities(apiPath`${'backend'}/roles/${'id'}`, 'backend', 'id') updatePath;
  get canDelete() {
    return this.updatePath.get('isLoading') || this.updatePath.get('canCreate') !== false;
  }
  get canEdit() {
    return this.updatePath.get('isLoading') || this.updatePath.get('canUpdate') !== false;
  }
  get canRead() {
    return this.updatePath.get('isLoading') || this.updatePath.get('canRead') !== false;
  }

  @lazyCapabilities(apiPath`${'backend'}/issue/${'id'}`, 'backend', 'id') generatePath;
  get canGenerateCert() {
    return this.generatePath.get('isLoading') || this.generatePath.get('canUpdate') !== false;
  }
  @lazyCapabilities(apiPath`${'backend'}/sign/${'id'}`, 'backend', 'id') signPath;
  get canSign() {
    return this.signPath.get('isLoading') || this.signPath.get('canUpdate') !== false;
  }
  @lazyCapabilities(apiPath`${'backend'}/sign-verbatim/${'id'}`, 'backend', 'id') signVerbatimPath;
  get canSignVerbatim() {
    return this.signVerbatimPath.get('isLoading') || this.signVerbatimPath.get('canUpdate') !== false;
  }

  // Gets header/footer copy for specific toggle groups.
  get fieldGroupsInfo() {
    return {
      'Domain handling': {
        footer: {
          text: 'These options can interact intricately with one another. For more information,',
          docText: 'learn more here.',
          docLink: '/vault/api-docs/secret/pki#allowed_domains',
        },
      },
      'Key parameters': {
        header: {
          text: `These are the parameters for generating or validating the certificate's key material.`,
        },
      },
      'Subject Alternative Name (SAN) Options': {
        header: {
          text: `Subject Alternative Names (SANs) are identities (domains, IP addresses, and URIs) Vault attaches to the requested certificates.`,
        },
      },
      'Additional subject fields': {
        header: {
          text: `Additional identity metadata Vault can attach to the requested certificates.`,
        },
      },
    };
  }
}