open-vault/ui/app/adapters/cluster.js

import { inject as service } from '@ember/service';
import { assign } from '@ember/polyfills';
import { hash, resolve } from 'rsvp';
import { assert } from '@ember/debug';
import { pluralize } from 'ember-inflector';

import ApplicationAdapter from './application';
import DS from 'ember-data';

const { AdapterError } = DS;

const ENDPOINTS = [
  'health',
  'seal-status',
  'tokens',
  'token',
  'seal',
  'unseal',
  'init',
  'capabilities-self',
  'license',
];

const REPLICATION_ENDPOINTS = {
  reindex: 'reindex',
  recover: 'recover',
  status: 'status',

  primary: ['enable', 'disable', 'demote', 'secondary-token', 'revoke-secondary'],

  secondary: ['enable', 'disable', 'promote', 'update-primary'],
};

const REPLICATION_MODES = ['dr', 'performance'];
export default ApplicationAdapter.extend({
  version: service(),
  namespaceService: service('namespace'),
  shouldBackgroundReloadRecord() {
    return true;
  },

  findRecord(store, type, id, snapshot) {
    let fetches = {
      health: this.health(),
      sealStatus: this.sealStatus().catch(e => e),
    };
    if (this.get('version.isEnterprise') && this.get('namespaceService.inRootNamespace')) {
      fetches.replicationStatus = this.replicationStatus().catch(e => e);
    }
    return hash(fetches).then(({ health, sealStatus, replicationStatus }) => {
      let ret = {
        id,
        name: snapshot.attr('name'),
      };
      ret = assign(ret, health);
      if (sealStatus instanceof AdapterError === false) {
        ret = assign(ret, { nodes: [sealStatus] });
      }
      if (replicationStatus && replicationStatus instanceof AdapterError === false) {
        ret = assign(ret, replicationStatus.data);
      }
      return resolve(ret);
    });
  },

  pathForType(type) {
    return type === 'cluster' ? 'clusters' : pluralize(type);
  },

  health() {
    return this.ajax(this.urlFor('health'), 'GET', {
      data: {
        standbycode: 200,
        sealedcode: 200,
        uninitcode: 200,
        drsecondarycode: 200,
        performancestandbycode: 200,
      },
      unauthenticated: true,
    });
  },

  features() {
    return this.ajax(`${this.urlFor('license')}/features`, 'GET', {
      unauthenticated: true,
    });
  },

  sealStatus() {
    return this.ajax(this.urlFor('seal-status'), 'GET', { unauthenticated: true });
  },

  seal() {
    return this.ajax(this.urlFor('seal'), 'PUT');
  },

  unseal(data) {
    return this.ajax(this.urlFor('unseal'), 'PUT', {
      data,
      unauthenticated: true,
    });
  },

  initCluster(data) {
    return this.ajax(this.urlFor('init'), 'PUT', {
      data,
      unauthenticated: true,
    });
  },

  authenticate({ backend, data }) {
    const { role, jwt, token, password, username, path } = data;
    const url = this.urlForAuth(backend, username, path);
    const verb = backend === 'token' ? 'GET' : 'POST';
    let options = {
      unauthenticated: true,
    };
    if (backend === 'token') {
      options.headers = {
        'X-Vault-Token': token,
      };
    } else if (backend === 'jwt' || backend === 'oidc') {
      options.data = { role, jwt };
    } else {
      options.data = token ? { token, password } : { password };
    }

    return this.ajax(url, verb, options);
  },

  urlFor(endpoint) {
    if (!ENDPOINTS.includes(endpoint)) {
      throw new Error(
        `Calls to a ${endpoint} endpoint are not currently allowed in the vault cluster adapater`
      );
    }
    return `${this.buildURL()}/${endpoint}`;
  },

  urlForAuth(type, username, path) {
    const authBackend = type.toLowerCase();
    const authURLs = {
      github: 'login',
      jwt: 'login',
      oidc: 'login',
      userpass: `login/${encodeURIComponent(username)}`,
      ldap: `login/${encodeURIComponent(username)}`,
      okta: `login/${encodeURIComponent(username)}`,
      radius: `login/${encodeURIComponent(username)}`,
      token: 'lookup-self',
    };
    const urlSuffix = authURLs[authBackend];
    const urlPrefix = path && authBackend !== 'token' ? path : authBackend;
    if (!urlSuffix) {
      throw new Error(`There is no auth url for ${type}.`);
    }
    return `/v1/auth/${urlPrefix}/${urlSuffix}`;
  },

  urlForReplication(replicationMode, clusterMode, endpoint) {
    let suffix;
    const errString = `Calls to replication ${endpoint} endpoint are not currently allowed in the vault cluster adapater`;
    if (clusterMode) {
      assert(errString, REPLICATION_ENDPOINTS[clusterMode].includes(endpoint));
      suffix = `${replicationMode}/${clusterMode}/${endpoint}`;
    } else {
      assert(errString, REPLICATION_ENDPOINTS[endpoint]);
      suffix = `${endpoint}`;
    }
    return `${this.buildURL()}/replication/${suffix}`;
  },

  replicationStatus() {
    return this.ajax(`${this.buildURL()}/replication/status`, 'GET', { unauthenticated: true });
  },

  replicationDrPromote(data, options) {
    const verb = options && options.checkStatus ? 'GET' : 'PUT';
    return this.ajax(`${this.buildURL()}/replication/dr/secondary/promote`, verb, {
      data,
      unauthenticated: true,
    });
  },

  generateDrOperationToken(data, options) {
    const verb = options && options.checkStatus ? 'GET' : 'PUT';
    let url = `${this.buildURL()}/replication/dr/secondary/generate-operation-token/`;
    if (!data || data.pgp_key || data.attempt) {
      // start the generation
      url = url + 'attempt';
    } else {
      // progress the operation
      url = url + 'update';
    }
    return this.ajax(url, verb, {
      data,
      unauthenticated: true,
    });
  },

  replicationAction(action, replicationMode, clusterMode, data) {
    assert(
      `${replicationMode} is an unsupported replication mode.`,
      replicationMode && REPLICATION_MODES.includes(replicationMode)
    );

    const url =
      action === 'recover' || action === 'reindex'
        ? this.urlForReplication(replicationMode, null, action)
        : this.urlForReplication(replicationMode, clusterMode, action);

    return this.ajax(url, 'POST', { data });
  },
});
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`import { inject as service } from '@ember/service';`
			`import { assign } from '@ember/polyfills';`
			`import { hash, resolve } from 'rsvp';`
			`import { assert } from '@ember/debug';`
			`import { pluralize } from 'ember-inflector';`

Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`import ApplicationAdapter from './application';`
			`import DS from 'ember-data';`

			`const { AdapterError } = DS;`

Licensing in the UI (#5437) Add licensing to the UI 2018-10-12 19:03:01 +00:00			`const ENDPOINTS = [`
			`'health',`
			`'seal-status',`
			`'tokens',`
			`'token',`
			`'seal',`
			`'unseal',`
			`'init',`
			`'capabilities-self',`
			`'license',`
			`];`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00
			`const REPLICATION_ENDPOINTS = {`
			`reindex: 'reindex',`
			`recover: 'recover',`
			`status: 'status',`

			`primary: ['enable', 'disable', 'demote', 'secondary-token', 'revoke-secondary'],`

			`secondary: ['enable', 'disable', 'promote', 'update-primary'],`
			`};`

			`const REPLICATION_MODES = ['dr', 'performance'];`
			`export default ApplicationAdapter.extend({`
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`version: service(),`
			`namespaceService: service('namespace'),`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`shouldBackgroundReloadRecord() {`
			`return true;`
			`},`
Licensing in the UI (#5437) Add licensing to the UI 2018-10-12 19:03:01 +00:00
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`findRecord(store, type, id, snapshot) {`
			`let fetches = {`
			`health: this.health(),`
			`sealStatus: this.sealStatus().catch(e => e),`
			`};`
UI namespaces (#5119) * add namespace sidebar item * depend on ember-inflector directly * list-view and list-item components * fill out components and render empty namespaces page * list namespaces in access * add menu contextual component to list item * popup contextual component * full crud for namespaces * add namespaces service and picker component * split application and vault.cluster templates and controllers, add namespace query param, add namespace-picker to vault.namespace template * remove usage of href-to * remove ember-href-to from deps * add ember-responsive * start styling the picker and link to appropriate namespaces, use ember-responsive to render picker in different places based on the breakpoint * get query param working and save ns to authdata when authenticating, feed through ns in application adapter * move to observer on the controller for setting state on the service * set state in the beforeModel hook and clear the ember data model cache * nav to secrets on change and make error handling more resilient utilizing the method that atlas does to eagerly update URLs * add a list of sys endpoints in a helper * hide header elements if not in the root namespace * debounce namespace input on auth, fix 404 for auth method fetch, move auth method fetch to a task on the auth-form component and refretch on namespace change * fix display of supported engines and exclusion of sys and identity engines * don't fetch replication status if you're in a non-root namespace * hide seal sub-menu if not in the root namespace * don't autocomplete auth form inputs * always send some requests to the root namespace * use methodType and engineType instead of type in case there it is ns_ prefixed * use sys/internal/ui/namespaces to fetch the list in the dropdown * don't use model for namespace picker and always make the request to the token namespace * fix header handling for fetch calls * use namespace-reminder component on creation and edit forms throughout the application * add namespace-reminder to the console * add flat * add deepmerge for creating the tree in the menu * delayed rendering for animation timing * design and code feedback on the first round * white text in the namespace picker * fix namespace picker issues with root keys * separate path-to-tree * add tests for path-to-tree util * hide picker if you're in the root ns and you can't access other namespaces * show error message if you enter invalid characters for namespace path * return a different model if we dont have the namespaces feature and show upgrade page * if a token has a namespace_path, use that as the root user namespace and transition them there on login * use token namespace for user, but use specified namespace to log in * always renew tokens in the token namespace * fix edition-badge test 2018-08-16 17:48:24 +00:00			`if (this.get('version.isEnterprise') && this.get('namespaceService.inRootNamespace')) {`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`fetches.replicationStatus = this.replicationStatus().catch(e => e);`
			`}`
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`return hash(fetches).then(({ health, sealStatus, replicationStatus }) => {`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`let ret = {`
			`id,`
			`name: snapshot.attr('name'),`
			`};`
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`ret = assign(ret, health);`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`if (sealStatus instanceof AdapterError === false) {`
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`ret = assign(ret, { nodes: [sealStatus] });`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`}`
			`if (replicationStatus && replicationStatus instanceof AdapterError === false) {`
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`ret = assign(ret, replicationStatus.data);`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`}`
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`return resolve(ret);`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`});`
			`},`

			`pathForType(type) {`
Ember update (#5386) Ember update - update ember-cli, ember-data, and ember to 3.4 series 2018-09-25 16:28:26 +00:00			`return type === 'cluster' ? 'clusters' : pluralize(type);`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`},`

			`health() {`
			`return this.ajax(this.urlFor('health'), 'GET', {`
UI - ent fixes (#5430) * re-add performancestandycode for health api call * update debounce timeout for namespace input on the auth page * re-fetch cluster model on successful init * 500ms for the debounce * swap auth methods after successful api call so that the auth box doesn't jump around * move list capability fetch to namespace component and don't use computed queryRecord to fetch it * convert ed models to JSON so that they're unaffected by store unloading * serialize with the id for the auth method models * speed tests back up with different polling while loop * login flash isn't in the same run loop so no longer needs withFlash 2018-10-02 15:05:34 +00:00			`data: {`
			`standbycode: 200,`
			`sealedcode: 200,`
			`uninitcode: 200,`
			`drsecondarycode: 200,`
			`performancestandbycode: 200,`
			`},`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`unauthenticated: true,`
			`});`
			`},`

			`features() {`
Licensing in the UI (#5437) Add licensing to the UI 2018-10-12 19:03:01 +00:00			return this.ajax(`${this.urlFor('license')}/features`, 'GET', {
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`unauthenticated: true,`
			`});`
			`},`

			`sealStatus() {`
			`return this.ajax(this.urlFor('seal-status'), 'GET', { unauthenticated: true });`
			`},`

			`seal() {`
			`return this.ajax(this.urlFor('seal'), 'PUT');`
			`},`

			`unseal(data) {`
			`return this.ajax(this.urlFor('unseal'), 'PUT', {`
			`data,`
			`unauthenticated: true,`
			`});`
			`},`

			`initCluster(data) {`
			`return this.ajax(this.urlFor('init'), 'PUT', {`
			`data,`
			`unauthenticated: true,`
			`});`
			`},`

			`authenticate({ backend, data }) {`
UI - jwt auth (#6188) * fix default rendering of svg and allow plugins access to mount tune form * add auth-jwt component * add callback route, and allow it to be navigated to on load * add jwt as a supported auth method * use auth-jwt component and implement intial oidc flow * allow wrapping un-authed requests * pass redirect_url and properly redirect with the wrapped token * popup for login * center popup window and move to localStorage events for cross window communication because of IE11 * access window via a getter on the auth-form component * show OIDC provider name on the button * fetch default role on render of the auth-jwt component * simplify auth-form template * style callback page * refetch auth_url when path changes for auth-jwt component * fix glimmer error on alias metadata, and add back popup-metadata component * fix link in metadata page * add logo-edition component and remove use of partial for logo svg * render oidc callback template on the loading page if we're going there * add docs icon and change timeout on the auth form * move OIDC auth specific things to auth-jwt component * start to add branded buttons for OIDC providers * add google button * finish branded buttons * update glyph for error messages * update tests for auth screen not showing tabs, add adapter tests and new auth jwt tests * start auth-jwt tests * simplify auth-jwt * remove negative top margin on AlertInline * only preventDefault if there's an event * fill out tests * sort out some naming * feedback on templates and styles * clear error when starting OIDC auth and call for new auth_url * also allow 'oidc' as the auth method type * handle namespaces with OIDC auth * review feedback * use new getters in popup-metadata 2019-02-14 15:39:19 +00:00			`const { role, jwt, token, password, username, path } = data;`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`const url = this.urlForAuth(backend, username, path);`
			`const verb = backend === 'token' ? 'GET' : 'POST';`
			`let options = {`
			`unauthenticated: true,`
			`};`
			`if (backend === 'token') {`
			`options.headers = {`
			`'X-Vault-Token': token,`
			`};`
fix tests for auth-jwt and related functionality (#6277) 2019-02-21 22:21:23 +00:00			`} else if (backend === 'jwt' \|\| backend === 'oidc') {`
UI - jwt auth (#6188) * fix default rendering of svg and allow plugins access to mount tune form * add auth-jwt component * add callback route, and allow it to be navigated to on load * add jwt as a supported auth method * use auth-jwt component and implement intial oidc flow * allow wrapping un-authed requests * pass redirect_url and properly redirect with the wrapped token * popup for login * center popup window and move to localStorage events for cross window communication because of IE11 * access window via a getter on the auth-form component * show OIDC provider name on the button * fetch default role on render of the auth-jwt component * simplify auth-form template * style callback page * refetch auth_url when path changes for auth-jwt component * fix glimmer error on alias metadata, and add back popup-metadata component * fix link in metadata page * add logo-edition component and remove use of partial for logo svg * render oidc callback template on the loading page if we're going there * add docs icon and change timeout on the auth form * move OIDC auth specific things to auth-jwt component * start to add branded buttons for OIDC providers * add google button * finish branded buttons * update glyph for error messages * update tests for auth screen not showing tabs, add adapter tests and new auth jwt tests * start auth-jwt tests * simplify auth-jwt * remove negative top margin on AlertInline * only preventDefault if there's an event * fill out tests * sort out some naming * feedback on templates and styles * clear error when starting OIDC auth and call for new auth_url * also allow 'oidc' as the auth method type * handle namespaces with OIDC auth * review feedback * use new getters in popup-metadata 2019-02-14 15:39:19 +00:00			`options.data = { role, jwt };`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`} else {`
			`options.data = token ? { token, password } : { password };`
			`}`

			`return this.ajax(url, verb, options);`
			`},`

			`urlFor(endpoint) {`
			`if (!ENDPOINTS.includes(endpoint)) {`
			`throw new Error(`
			`Calls to a ${endpoint} endpoint are not currently allowed in the vault cluster adapater`
			`);`
			`}`
			return `${this.buildURL()}/${endpoint}`;
			`},`

			`urlForAuth(type, username, path) {`
			`const authBackend = type.toLowerCase();`
			`const authURLs = {`
			`github: 'login',`
UI - jwt auth (#6188) * fix default rendering of svg and allow plugins access to mount tune form * add auth-jwt component * add callback route, and allow it to be navigated to on load * add jwt as a supported auth method * use auth-jwt component and implement intial oidc flow * allow wrapping un-authed requests * pass redirect_url and properly redirect with the wrapped token * popup for login * center popup window and move to localStorage events for cross window communication because of IE11 * access window via a getter on the auth-form component * show OIDC provider name on the button * fetch default role on render of the auth-jwt component * simplify auth-form template * style callback page * refetch auth_url when path changes for auth-jwt component * fix glimmer error on alias metadata, and add back popup-metadata component * fix link in metadata page * add logo-edition component and remove use of partial for logo svg * render oidc callback template on the loading page if we're going there * add docs icon and change timeout on the auth form * move OIDC auth specific things to auth-jwt component * start to add branded buttons for OIDC providers * add google button * finish branded buttons * update glyph for error messages * update tests for auth screen not showing tabs, add adapter tests and new auth jwt tests * start auth-jwt tests * simplify auth-jwt * remove negative top margin on AlertInline * only preventDefault if there's an event * fill out tests * sort out some naming * feedback on templates and styles * clear error when starting OIDC auth and call for new auth_url * also allow 'oidc' as the auth method type * handle namespaces with OIDC auth * review feedback * use new getters in popup-metadata 2019-02-14 15:39:19 +00:00			`jwt: 'login',`
fix tests for auth-jwt and related functionality (#6277) 2019-02-21 22:21:23 +00:00			`oidc: 'login',`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			userpass: `login/${encodeURIComponent(username)}`,
			ldap: `login/${encodeURIComponent(username)}`,
			okta: `login/${encodeURIComponent(username)}`,
add support for authenticating with RADIUS (#6488) 2019-03-28 21:40:22 +00:00			radius: `login/${encodeURIComponent(username)}`,
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`token: 'lookup-self',`
			`};`
			`const urlSuffix = authURLs[authBackend];`
			`const urlPrefix = path && authBackend !== 'token' ? path : authBackend;`
			`if (!urlSuffix) {`
			throw new Error(`There is no auth url for ${type}.`);
			`}`
			return `/v1/auth/${urlPrefix}/${urlSuffix}`;
			`},`

			`urlForReplication(replicationMode, clusterMode, endpoint) {`
			`let suffix;`
			const errString = `Calls to replication ${endpoint} endpoint are not currently allowed in the vault cluster adapater`;
			`if (clusterMode) {`
			`assert(errString, REPLICATION_ENDPOINTS[clusterMode].includes(endpoint));`
			suffix = `${replicationMode}/${clusterMode}/${endpoint}`;
			`} else {`
			`assert(errString, REPLICATION_ENDPOINTS[endpoint]);`
			suffix = `${endpoint}`;
			`}`
			return `${this.buildURL()}/replication/${suffix}`;
			`},`

			`replicationStatus() {`
			return this.ajax(`${this.buildURL()}/replication/status`, 'GET', { unauthenticated: true });
			`},`

			`replicationDrPromote(data, options) {`
			`const verb = options && options.checkStatus ? 'GET' : 'PUT';`
			return this.ajax(`${this.buildURL()}/replication/dr/secondary/promote`, verb, {
			`data,`
			`unauthenticated: true,`
			`});`
			`},`

			`generateDrOperationToken(data, options) {`
			`const verb = options && options.checkStatus ? 'GET' : 'PUT';`
			let url = `${this.buildURL()}/replication/dr/secondary/generate-operation-token/`;
UI secondary dr recovery token fix (#5818) * use the OTP that the server provides instead of generating one in the JS client * fix button styling * differentiate between OTP and encoded token and encrypted token in the template 2018-11-19 21:14:24 +00:00			`if (!data \|\| data.pgp_key \|\| data.attempt) {`
Moving UI assets to OSS 2018-04-03 14:16:57 +00:00			`// start the generation`
			`url = url + 'attempt';`
			`} else {`
			`// progress the operation`
			`url = url + 'update';`
			`}`
			`return this.ajax(url, verb, {`
			`data,`
			`unauthenticated: true,`
			`});`
			`},`

			`replicationAction(action, replicationMode, clusterMode, data) {`
			`assert(`
			`${replicationMode} is an unsupported replication mode.`,
			`replicationMode && REPLICATION_MODES.includes(replicationMode)`
			`);`

			`const url =`
			`action === 'recover' \|\| action === 'reindex'`
			`? this.urlForReplication(replicationMode, null, action)`
			`: this.urlForReplication(replicationMode, clusterMode, action);`

			`return this.ajax(url, 'POST', { data });`
			`},`
			`});`