open-vault/ui/mirage/handlers/mfa-config.js

import { Response } from 'miragejs';

export default function (server) {
  const methods = ['totp', 'duo', 'okta', 'pingid'];
  const required = {
    totp: ['issuer'],
    duo: ['secret_key', 'integration_key', 'api_hostname'],
    okta: ['org_name', 'api_token'],
    pingid: ['settings_file_base64'],
  };

  const validate = (type, data, cb) => {
    if (!methods.includes(type)) {
      return new Response(400, {}, { errors: [`Method ${type} not found`] });
    }
    if (data) {
      const missing = required[type].reduce((params, key) => {
        if (!data[key]) {
          params.push(key);
        }
        return params;
      }, []);
      if (missing.length) {
        return new Response(400, {}, { errors: [`Missing required parameters: [${missing.join(', ')}]`] });
      }
    }
    return cb();
  };

  const dbKeyFromType = (type) => `mfa${type.charAt(0).toUpperCase()}${type.slice(1)}Methods`;

  const generateListResponse = (schema, isMethod) => {
    let records = [];
    if (isMethod) {
      methods.forEach((method) => {
        records.addObjects(schema.db[dbKeyFromType(method)].where({}));
      });
    } else {
      records = schema.db.mfaLoginEnforcements.where({});
    }
    // seed the db with a few records if none exist
    if (!records.length) {
      if (isMethod) {
        methods.forEach((type) => {
          records.push(server.create(`mfa-${type}-method`));
        });
      } else {
        records = server.createList('mfa-login-enforcement', 4).toArray();
      }
    }
    const dataKey = isMethod ? 'id' : 'name';
    const data = records.reduce(
      (resp, record) => {
        resp.key_info[record[dataKey]] = record;
        resp.keys.push(record[dataKey]);
        return resp;
      },
      {
        key_info: {},
        keys: [],
      }
    );
    return { data };
  };

  // list methods
  server.get('/identity/mfa/method/', (schema) => {
    return generateListResponse(schema, true);
  });
  // fetch method by id
  server.get('/identity/mfa/method/:id', (schema, { params: { id } }) => {
    let record;
    for (const method of methods) {
      record = schema.db[dbKeyFromType(method)].find(id);
      if (record) {
        break;
      }
    }
    // inconvenient when testing edit route to return a 404 on refresh since mirage memory is cleared
    // flip this variable to test 404 state if needed
    const shouldError = false;
    // create a new record so data is always returned
    if (!record && !shouldError) {
      return { data: server.create('mfa-totp-method') };
    }
    return !record ? new Response(404, {}, { errors: [] }) : { data: record };
  });
  // create method
  server.post('/identity/mfa/method/:type', (schema, { params: { type }, requestBody }) => {
    const data = JSON.parse(requestBody);
    return validate(type, data, () => {
      const record = server.create(`mfa-${type}-method`, data);
      return { data: { method_id: record.id } };
    });
  });
  // update method
  server.put('/identity/mfa/method/:type/:id', (schema, { params: { type, id }, requestBody }) => {
    const data = JSON.parse(requestBody);
    return validate(type, data, () => {
      schema.db[dbKeyFromType(type)].update(id, data);
      return {};
    });
  });
  // delete method
  server.delete('/identity/mfa/method/:type/:id', (schema, { params: { type, id } }) => {
    return validate(type, null, () => {
      schema.db[dbKeyFromType(type)].remove(id);
      return {};
    });
  });
  // list enforcements
  server.get('/identity/mfa/login-enforcement', (schema) => {
    return generateListResponse(schema);
  });
  // fetch enforcement by name
  server.get('/identity/mfa/login-enforcement/:name', (schema, { params: { name } }) => {
    const record = schema.db.mfaLoginEnforcements.findBy({ name });
    // inconvenient when testing edit route to return a 404 on refresh since mirage memory is cleared
    // flip this variable to test 404 state if needed
    const shouldError = false;
    // create a new record so data is always returned
    if (!record && !shouldError) {
      return { data: server.create('mfa-login-enforcement', { name }) };
    }
    return !record ? new Response(404, {}, { errors: [] }) : { data: record };
  });
  // create/update enforcement
  server.post('/identity/mfa/login-enforcement/:name', (schema, { params: { name }, requestBody }) => {
    const data = JSON.parse(requestBody);
    // at least one method id is required
    if (!data.mfa_method_ids?.length) {
      return new Response(400, {}, { errors: ['missing method ids'] });
    }
    // at least one of the following targets is required
    const required = [
      'auth_method_accessors',
      'auth_method_types',
      'identity_group_ids',
      'identity_entity_ids',
    ];
    let hasRequired = false;
    for (let key of required) {
      if (data[key]?.length) {
        hasRequired = true;
        break;
      }
    }
    if (!hasRequired) {
      return new Response(
        400,
        {},
        {
          errors: [
            'One of auth_method_accessors, auth_method_types, identity_group_ids, identity_entity_ids must be specified',
          ],
        }
      );
    }
    if (schema.db.mfaLoginEnforcements.findBy({ name })) {
      schema.db.mfaLoginEnforcements.update({ name }, data);
    } else {
      schema.db.mfaLoginEnforcements.insert(data);
    }
    return { ...data, id: data.name };
  });
  // delete enforcement
  server.delete('/identity/mfa/login-enforcement/:name', (schema, { params: { name } }) => {
    schema.db.mfaLoginEnforcements.remove({ name });
    return {};
  });
  // endpoints for target selection
  server.get('/identity/group/id', () => ({
    data: {
      key_info: { '34db6b52-591e-bc22-8af0-4add5e167326': { name: 'test-group' } },
      keys: ['34db6b52-591e-bc22-8af0-4add5e167326'],
    },
  }));
  server.get('/identity/group/id/:id', () => ({
    data: {
      id: '34db6b52-591e-bc22-8af0-4add5e167326',
      name: 'test-group',
    },
  }));
  server.get('/identity/entity/id', () => ({
    data: {
      key_info: { 'f831667b-7392-7a1c-c0fc-33d48cb1c57d': { name: 'test-entity' } },
      keys: ['f831667b-7392-7a1c-c0fc-33d48cb1c57d'],
    },
  }));
  server.get('/identity/entity/id/:id', () => ({
    data: {
      id: 'f831667b-7392-7a1c-c0fc-33d48cb1c57d',
      name: 'test-entity',
    },
  }));
  server.get('/sys/auth', () => ({
    data: {
      'userpass/': { accessor: 'auth_userpass_bb95c2b1', type: 'userpass' },
    },
  }));
}
MFA Config (#15200) * adds mirage factories for mfa methods and login enforcement * adds mirage handler for mfa config endpoints * adds mirage identity manager for uuids * updates mfa test to use renamed mfaLogin mirage handler * updates mfa login workflow for push methods (#15214) * MFA Login Enforcement Model (#15244) * adds mfa login enforcement model, adapter and serializer * updates mfa methods to hasMany realtionship and transforms property names * updates login enforcement adapter to use urlForQuery over buildURL * Model for mfa method (#15218) * Model for mfa method * Added adapter and serializer for mfa method - Updated mfa method model - Basic route to handle list view - Added MFA to access nav * Show landing page if methods are not configured * Updated adapter,serializer - Backend is adding new endpoint to list all the mfa methods * Updated landing page - Added MFA diagram - Created helper to resolve full path for assets like images * Remove ember assign * Fixed failing test * MFA method and enforcement list view (#15353) * MFA method and enforcement list view - Added new route for list views - List mfa methods along with id, type and icon - Added client side pagination to list views * Throw error if method id is not present * MFA Login Enforcement Form (#15410) * adds mfa login enforcement form and header components and radio card component * skips login enforcement form tests for now * adds jsdoc annotations for mfa-login-enforcement-header component * adds error handling when fetching identity targets in login enforcement form component * updates radio-card label elements * MFA Login Enforcement Create and Edit routes (#15422) * adds mfa login enforcement form and header components and radio card component * skips login enforcement form tests for now * updates to login enforcement form to fix issues hydrating methods and targets from model when editing * updates to mfa-config mirage handler and login enforcement handler * fixes issue with login enforcement serializer normalizeItems method throwing error on save * updates to mfa route structure * adds login enforcement create and edit routes * MFA Login Enforcement Read Views (#15462) * adds login enforcement read views * skip mfa-method-list-item test for now * MFA method form (#15432) * MFA method form - Updated model for form attributes - Form for editing, creating mfa methods * Added comments * Update model for mfa method * Refactor buildURL in mfa method adapter * Update adapter to handle mfa create * Fixed adapter to handle create mfa response * Sidebranch: MFA end user setup (#15273) * initial setup of components and route * fix navbar * replace parent component with controller * use auth service to return entity id * adapter and some error handling: * clean up adapter and handle warning * wip * use library for qrCode generation * clear warning and QR code display fix * flow for restart setup * add documentation * clean up * fix warning issue * handle root user * remove comment * update copy * fix margin * address comment * MFA Guided Setup Route (#15479) * adds mfa method create route with type selection workflow * updates mfa method create route links to use DocLink component * MFA Guided Setup Config View (#15486) * adds mfa guided setup config view * resets type query param on mfa method create route exit * hide next button if type is not selected in mfa method create route * updates to sure correct state when changing mfa method type in guided setup * Enforcement view at MFA method level (#15485) - List enforcements for each mfa method - Delete MFA method if no enforcements are present - Moved method, enforcement list item component to mfa folder * MFA Login Enforcement Validations (#15498) * adds model and form validations for mfa login enforcements * updates mfa login enforcement validation messages * updates validation message for mfa login enforcement targets * adds transition action to configure mfa button on landing page * unset enforcement on preference change in mfa guided setup workflow * Added validations for mfa method model (#15506) * UI/mfa breadcrumbs and small fixes (#15499) * add active class when on index * breadcrumbs * remove box-shadow to match designs * fix refresh load mfa-method * breadcrumb create * add an empty state the enforcements list view * change to beforeModel * UI/mfa small bugs (#15522) * remove pagintion and fix on methods list view * fix enforcements * Fix label for value on radio-card (#15542) * MFA Login Enforcement Component Tests (#15539) * adds tests for mfa-login-enforcement-header component * adds tests for mfa-login-enforcement-form component * Remove default values from mfa method model (#15540) - use passcode had a default value, as a result it was being sent with all the mfa method types during save and edit flows.. * UI/mfa small cleanup (#15549) * data-test-mleh -> data-test-mfa * Only one label per radio card * Remove unnecessary async * Simplify boolean logic * Make mutation clear * Revert "data-test-mleh -> data-test-mfa" This reverts commit 31430df7bb42580a976d082667cb6ed1f09c3944. * updates mfa login enforcement form to only display auth method types for current mounts as targets (#15547) * remove token type (#15548) * remove token type * conditional param * removes type from mfa method payload and fixes bug transitioning to method route on save success * removes punctuation from mfa form error message string match * updates qr-code component invocation to angle bracket * Re-trigger CI jobs with empty commit Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com> Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com> Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com> Co-authored-by: Michele Degges <mdeggies@gmail.com> 2022-05-21 00:40:16 +00:00			`import { Response } from 'miragejs';`

			`export default function (server) {`
			`const methods = ['totp', 'duo', 'okta', 'pingid'];`
			`const required = {`
			`totp: ['issuer'],`
			`duo: ['secret_key', 'integration_key', 'api_hostname'],`
			`okta: ['org_name', 'api_token'],`
			`pingid: ['settings_file_base64'],`
			`};`

			`const validate = (type, data, cb) => {`
			`if (!methods.includes(type)) {`
			return new Response(400, {}, { errors: [`Method ${type} not found`] });
			`}`
			`if (data) {`
			`const missing = required[type].reduce((params, key) => {`
			`if (!data[key]) {`
			`params.push(key);`
			`}`
			`return params;`
			`}, []);`
			`if (missing.length) {`
			return new Response(400, {}, { errors: [`Missing required parameters: [${missing.join(', ')}]`] });
			`}`
			`}`
			`return cb();`
			`};`

			const dbKeyFromType = (type) => `mfa${type.charAt(0).toUpperCase()}${type.slice(1)}Methods`;

			`const generateListResponse = (schema, isMethod) => {`
			`let records = [];`
			`if (isMethod) {`
			`methods.forEach((method) => {`
			`records.addObjects(schema.db[dbKeyFromType(method)].where({}));`
			`});`
			`} else {`
			`records = schema.db.mfaLoginEnforcements.where({});`
			`}`
			`// seed the db with a few records if none exist`
			`if (!records.length) {`
			`if (isMethod) {`
			`methods.forEach((type) => {`
			records.push(server.create(`mfa-${type}-method`));
			`});`
			`} else {`
			`records = server.createList('mfa-login-enforcement', 4).toArray();`
			`}`
			`}`
			`const dataKey = isMethod ? 'id' : 'name';`
			`const data = records.reduce(`
			`(resp, record) => {`
			`resp.key_info[record[dataKey]] = record;`
			`resp.keys.push(record[dataKey]);`
			`return resp;`
			`},`
			`{`
			`key_info: {},`
			`keys: [],`
			`}`
			`);`
			`return { data };`
			`};`

			`// list methods`
			`server.get('/identity/mfa/method/', (schema) => {`
			`return generateListResponse(schema, true);`
			`});`
			`// fetch method by id`
			`server.get('/identity/mfa/method/:id', (schema, { params: { id } }) => {`
			`let record;`
			`for (const method of methods) {`
			`record = schema.db[dbKeyFromType(method)].find(id);`
			`if (record) {`
			`break;`
			`}`
			`}`
			`// inconvenient when testing edit route to return a 404 on refresh since mirage memory is cleared`
			`// flip this variable to test 404 state if needed`
			`const shouldError = false;`
			`// create a new record so data is always returned`
			`if (!record && !shouldError) {`
			`return { data: server.create('mfa-totp-method') };`
			`}`
			`return !record ? new Response(404, {}, { errors: [] }) : { data: record };`
			`});`
			`// create method`
			`server.post('/identity/mfa/method/:type', (schema, { params: { type }, requestBody }) => {`
			`const data = JSON.parse(requestBody);`
			`return validate(type, data, () => {`
			const record = server.create(`mfa-${type}-method`, data);
			`return { data: { method_id: record.id } };`
			`});`
			`});`
			`// update method`
			`server.put('/identity/mfa/method/:type/:id', (schema, { params: { type, id }, requestBody }) => {`
			`const data = JSON.parse(requestBody);`
			`return validate(type, data, () => {`
			`schema.db[dbKeyFromType(type)].update(id, data);`
			`return {};`
			`});`
			`});`
			`// delete method`
			`server.delete('/identity/mfa/method/:type/:id', (schema, { params: { type, id } }) => {`
			`return validate(type, null, () => {`
			`schema.db[dbKeyFromType(type)].remove(id);`
			`return {};`
			`});`
			`});`
			`// list enforcements`
			`server.get('/identity/mfa/login-enforcement', (schema) => {`
			`return generateListResponse(schema);`
			`});`
			`// fetch enforcement by name`
			`server.get('/identity/mfa/login-enforcement/:name', (schema, { params: { name } }) => {`
			`const record = schema.db.mfaLoginEnforcements.findBy({ name });`
			`// inconvenient when testing edit route to return a 404 on refresh since mirage memory is cleared`
			`// flip this variable to test 404 state if needed`
			`const shouldError = false;`
			`// create a new record so data is always returned`
			`if (!record && !shouldError) {`
			`return { data: server.create('mfa-login-enforcement', { name }) };`
			`}`
			`return !record ? new Response(404, {}, { errors: [] }) : { data: record };`
			`});`
			`// create/update enforcement`
			`server.post('/identity/mfa/login-enforcement/:name', (schema, { params: { name }, requestBody }) => {`
			`const data = JSON.parse(requestBody);`
			`// at least one method id is required`
			`if (!data.mfa_method_ids?.length) {`
			`return new Response(400, {}, { errors: ['missing method ids'] });`
			`}`
			`// at least one of the following targets is required`
			`const required = [`
			`'auth_method_accessors',`
			`'auth_method_types',`
			`'identity_group_ids',`
			`'identity_entity_ids',`
			`];`
			`let hasRequired = false;`
			`for (let key of required) {`
			`if (data[key]?.length) {`
			`hasRequired = true;`
			`break;`
			`}`
			`}`
			`if (!hasRequired) {`
			`return new Response(`
			`400,`
			`{},`
			`{`
			`errors: [`
			`'One of auth_method_accessors, auth_method_types, identity_group_ids, identity_entity_ids must be specified',`
			`],`
			`}`
			`);`
			`}`
			`if (schema.db.mfaLoginEnforcements.findBy({ name })) {`
			`schema.db.mfaLoginEnforcements.update({ name }, data);`
			`} else {`
			`schema.db.mfaLoginEnforcements.insert(data);`
			`}`
			`return { ...data, id: data.name };`
			`});`
			`// delete enforcement`
			`server.delete('/identity/mfa/login-enforcement/:name', (schema, { params: { name } }) => {`
			`schema.db.mfaLoginEnforcements.remove({ name });`
			`return {};`
			`});`
adds acceptance tests for mfa config login enforcement workflows (#15630) 2022-05-26 16:09:32 +00:00			`// endpoints for target selection`
			`server.get('/identity/group/id', () => ({`
			`data: {`
			`key_info: { '34db6b52-591e-bc22-8af0-4add5e167326': { name: 'test-group' } },`
			`keys: ['34db6b52-591e-bc22-8af0-4add5e167326'],`
			`},`
			`}));`
			`server.get('/identity/group/id/:id', () => ({`
			`data: {`
			`id: '34db6b52-591e-bc22-8af0-4add5e167326',`
			`name: 'test-group',`
			`},`
			`}));`
			`server.get('/identity/entity/id', () => ({`
			`data: {`
			`key_info: { 'f831667b-7392-7a1c-c0fc-33d48cb1c57d': { name: 'test-entity' } },`
			`keys: ['f831667b-7392-7a1c-c0fc-33d48cb1c57d'],`
			`},`
			`}));`
			`server.get('/identity/entity/id/:id', () => ({`
			`data: {`
			`id: 'f831667b-7392-7a1c-c0fc-33d48cb1c57d',`
			`name: 'test-entity',`
			`},`
			`}));`
			`server.get('/sys/auth', () => ({`
			`data: {`
			`'userpass/': { accessor: 'auth_userpass_bb95c2b1', type: 'userpass' },`
			`},`
			`}));`
MFA Config (#15200) * adds mirage factories for mfa methods and login enforcement * adds mirage handler for mfa config endpoints * adds mirage identity manager for uuids * updates mfa test to use renamed mfaLogin mirage handler * updates mfa login workflow for push methods (#15214) * MFA Login Enforcement Model (#15244) * adds mfa login enforcement model, adapter and serializer * updates mfa methods to hasMany realtionship and transforms property names * updates login enforcement adapter to use urlForQuery over buildURL * Model for mfa method (#15218) * Model for mfa method * Added adapter and serializer for mfa method - Updated mfa method model - Basic route to handle list view - Added MFA to access nav * Show landing page if methods are not configured * Updated adapter,serializer - Backend is adding new endpoint to list all the mfa methods * Updated landing page - Added MFA diagram - Created helper to resolve full path for assets like images * Remove ember assign * Fixed failing test * MFA method and enforcement list view (#15353) * MFA method and enforcement list view - Added new route for list views - List mfa methods along with id, type and icon - Added client side pagination to list views * Throw error if method id is not present * MFA Login Enforcement Form (#15410) * adds mfa login enforcement form and header components and radio card component * skips login enforcement form tests for now * adds jsdoc annotations for mfa-login-enforcement-header component * adds error handling when fetching identity targets in login enforcement form component * updates radio-card label elements * MFA Login Enforcement Create and Edit routes (#15422) * adds mfa login enforcement form and header components and radio card component * skips login enforcement form tests for now * updates to login enforcement form to fix issues hydrating methods and targets from model when editing * updates to mfa-config mirage handler and login enforcement handler * fixes issue with login enforcement serializer normalizeItems method throwing error on save * updates to mfa route structure * adds login enforcement create and edit routes * MFA Login Enforcement Read Views (#15462) * adds login enforcement read views * skip mfa-method-list-item test for now * MFA method form (#15432) * MFA method form - Updated model for form attributes - Form for editing, creating mfa methods * Added comments * Update model for mfa method * Refactor buildURL in mfa method adapter * Update adapter to handle mfa create * Fixed adapter to handle create mfa response * Sidebranch: MFA end user setup (#15273) * initial setup of components and route * fix navbar * replace parent component with controller * use auth service to return entity id * adapter and some error handling: * clean up adapter and handle warning * wip * use library for qrCode generation * clear warning and QR code display fix * flow for restart setup * add documentation * clean up * fix warning issue * handle root user * remove comment * update copy * fix margin * address comment * MFA Guided Setup Route (#15479) * adds mfa method create route with type selection workflow * updates mfa method create route links to use DocLink component * MFA Guided Setup Config View (#15486) * adds mfa guided setup config view * resets type query param on mfa method create route exit * hide next button if type is not selected in mfa method create route * updates to sure correct state when changing mfa method type in guided setup * Enforcement view at MFA method level (#15485) - List enforcements for each mfa method - Delete MFA method if no enforcements are present - Moved method, enforcement list item component to mfa folder * MFA Login Enforcement Validations (#15498) * adds model and form validations for mfa login enforcements * updates mfa login enforcement validation messages * updates validation message for mfa login enforcement targets * adds transition action to configure mfa button on landing page * unset enforcement on preference change in mfa guided setup workflow * Added validations for mfa method model (#15506) * UI/mfa breadcrumbs and small fixes (#15499) * add active class when on index * breadcrumbs * remove box-shadow to match designs * fix refresh load mfa-method * breadcrumb create * add an empty state the enforcements list view * change to beforeModel * UI/mfa small bugs (#15522) * remove pagintion and fix on methods list view * fix enforcements * Fix label for value on radio-card (#15542) * MFA Login Enforcement Component Tests (#15539) * adds tests for mfa-login-enforcement-header component * adds tests for mfa-login-enforcement-form component * Remove default values from mfa method model (#15540) - use passcode had a default value, as a result it was being sent with all the mfa method types during save and edit flows.. * UI/mfa small cleanup (#15549) * data-test-mleh -> data-test-mfa * Only one label per radio card * Remove unnecessary async * Simplify boolean logic * Make mutation clear * Revert "data-test-mleh -> data-test-mfa" This reverts commit 31430df7bb42580a976d082667cb6ed1f09c3944. * updates mfa login enforcement form to only display auth method types for current mounts as targets (#15547) * remove token type (#15548) * remove token type * conditional param * removes type from mfa method payload and fixes bug transitioning to method route on save success * removes punctuation from mfa form error message string match * updates qr-code component invocation to angle bracket * Re-trigger CI jobs with empty commit Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com> Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com> Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com> Co-authored-by: Michele Degges <mdeggies@gmail.com> 2022-05-21 00:40:16 +00:00			`}`