2019-01-18 22:04:40 +00:00
|
|
|
import Service, { inject as service } from '@ember/service';
|
|
|
|
import { task } from 'ember-concurrency';
|
|
|
|
|
|
|
|
const API_PATHS = {
|
|
|
|
access: {
|
|
|
|
methods: 'sys/auth',
|
2019-07-18 21:24:30 +00:00
|
|
|
entities: 'identity/entity/id',
|
|
|
|
groups: 'identity/group/id',
|
2019-01-18 22:04:40 +00:00
|
|
|
leases: 'sys/leases/lookup',
|
|
|
|
namespaces: 'sys/namespaces',
|
|
|
|
'control-groups': 'sys/control-group/',
|
|
|
|
},
|
|
|
|
policies: {
|
|
|
|
acl: 'sys/policies/acl',
|
|
|
|
rgp: 'sys/policies/rgp',
|
|
|
|
egp: 'sys/policies/egp',
|
|
|
|
},
|
|
|
|
tools: {
|
|
|
|
wrap: 'sys/wrapping/wrap',
|
|
|
|
lookup: 'sys/wrapping/lookup',
|
|
|
|
unwrap: 'sys/wrapping/unwrap',
|
|
|
|
rewrap: 'sys/wrapping/rewrap',
|
|
|
|
random: 'sys/tools/random',
|
|
|
|
hash: 'sys/tools/hash',
|
|
|
|
},
|
|
|
|
status: {
|
|
|
|
replication: 'sys/replication',
|
|
|
|
license: 'sys/license',
|
|
|
|
seal: 'sys/seal',
|
2019-10-14 18:23:29 +00:00
|
|
|
raft: 'sys/storage/raft/configuration',
|
2019-01-18 22:04:40 +00:00
|
|
|
},
|
2019-06-19 23:14:25 +00:00
|
|
|
metrics: {
|
|
|
|
requests: 'sys/internal/counters/requests',
|
|
|
|
},
|
2019-01-18 22:04:40 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
const API_PATHS_TO_ROUTE_PARAMS = {
|
|
|
|
'sys/auth': ['vault.cluster.access.methods'],
|
2019-07-18 21:24:30 +00:00
|
|
|
'identity/entity/id': ['vault.cluster.access.identity', 'entities'],
|
|
|
|
'identity/group/id': ['vault.cluster.access.identity', 'groups'],
|
2019-01-18 22:04:40 +00:00
|
|
|
'sys/leases/lookup': ['vault.cluster.access.leases'],
|
|
|
|
'sys/namespaces': ['vault.cluster.access.namespaces'],
|
|
|
|
'sys/control-group/': ['vault.cluster.access.control-groups'],
|
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
2019-10-30 18:39:51 +00:00
|
|
|
The Permissions service is used to gate top navigation and sidebar items.
|
|
|
|
It fetches a users' policy from the resultant-acl endpoint and stores their
|
|
|
|
allowed exact and glob paths as state. It also has methods for checking whether
|
|
|
|
a user has permission for a given path.
|
2019-01-18 22:04:40 +00:00
|
|
|
*/
|
2019-10-30 18:39:51 +00:00
|
|
|
|
2019-01-18 22:04:40 +00:00
|
|
|
export default Service.extend({
|
|
|
|
exactPaths: null,
|
|
|
|
globPaths: null,
|
|
|
|
canViewAll: null,
|
|
|
|
store: service(),
|
|
|
|
auth: service(),
|
|
|
|
namespace: service(),
|
|
|
|
|
|
|
|
getPaths: task(function*() {
|
|
|
|
if (this.paths) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
try {
|
|
|
|
let resp = yield this.get('store')
|
|
|
|
.adapterFor('permissions')
|
|
|
|
.query();
|
|
|
|
this.setPaths(resp);
|
|
|
|
return;
|
|
|
|
} catch (err) {
|
|
|
|
// If no policy can be found, default to showing all nav items.
|
|
|
|
this.set('canViewAll', true);
|
|
|
|
}
|
|
|
|
}),
|
|
|
|
|
|
|
|
setPaths(resp) {
|
|
|
|
this.set('exactPaths', resp.data.exact_paths);
|
|
|
|
this.set('globPaths', resp.data.glob_paths);
|
|
|
|
this.set('canViewAll', resp.data.root);
|
|
|
|
},
|
|
|
|
|
|
|
|
reset() {
|
|
|
|
this.set('exactPaths', null);
|
|
|
|
this.set('globPaths', null);
|
|
|
|
this.set('canViewAll', null);
|
|
|
|
},
|
|
|
|
|
|
|
|
hasNavPermission(navItem, routeParams) {
|
|
|
|
if (routeParams) {
|
2019-10-30 18:39:51 +00:00
|
|
|
// viewing the entity and groups pages require the list capability, while the others require the default, which is anything other than deny
|
|
|
|
let capability = routeParams === 'entities' || routeParams === 'groups' ? ['list'] : [null];
|
|
|
|
|
|
|
|
return this.hasPermission(API_PATHS[navItem][routeParams], capability);
|
2019-01-18 22:04:40 +00:00
|
|
|
}
|
|
|
|
return Object.values(API_PATHS[navItem]).some(path => this.hasPermission(path));
|
|
|
|
},
|
|
|
|
|
|
|
|
navPathParams(navItem) {
|
|
|
|
const path = Object.values(API_PATHS[navItem]).find(path => this.hasPermission(path));
|
|
|
|
if (['policies', 'tools'].includes(navItem)) {
|
|
|
|
return path.split('/').lastObject;
|
|
|
|
}
|
|
|
|
|
|
|
|
return API_PATHS_TO_ROUTE_PARAMS[path];
|
|
|
|
},
|
|
|
|
|
|
|
|
pathNameWithNamespace(pathName) {
|
|
|
|
const namespace = this.get('namespace').path;
|
|
|
|
if (namespace) {
|
|
|
|
return `${namespace}/${pathName}`;
|
|
|
|
} else {
|
|
|
|
return pathName;
|
|
|
|
}
|
|
|
|
},
|
|
|
|
|
2019-01-28 22:49:25 +00:00
|
|
|
hasPermission(pathName, capabilities = [null]) {
|
2019-01-18 22:04:40 +00:00
|
|
|
const path = this.pathNameWithNamespace(pathName);
|
|
|
|
|
2019-01-28 22:49:25 +00:00
|
|
|
if (this.canViewAll) {
|
2019-01-18 22:04:40 +00:00
|
|
|
return true;
|
|
|
|
}
|
2019-01-28 22:49:25 +00:00
|
|
|
|
|
|
|
return capabilities.every(
|
|
|
|
capability => this.hasMatchingExactPath(path, capability) || this.hasMatchingGlobPath(path, capability)
|
|
|
|
);
|
2019-01-18 22:04:40 +00:00
|
|
|
},
|
|
|
|
|
2019-01-28 22:49:25 +00:00
|
|
|
hasMatchingExactPath(pathName, capability) {
|
2019-01-18 22:04:40 +00:00
|
|
|
const exactPaths = this.get('exactPaths');
|
|
|
|
if (exactPaths) {
|
|
|
|
const prefix = Object.keys(exactPaths).find(path => path.startsWith(pathName));
|
2019-01-28 22:49:25 +00:00
|
|
|
const hasMatchingPath = prefix && !this.isDenied(exactPaths[prefix]);
|
|
|
|
|
|
|
|
if (prefix && capability) {
|
|
|
|
return this.hasCapability(exactPaths[prefix], capability) && hasMatchingPath;
|
|
|
|
}
|
|
|
|
|
|
|
|
return hasMatchingPath;
|
2019-01-18 22:04:40 +00:00
|
|
|
}
|
|
|
|
return false;
|
|
|
|
},
|
|
|
|
|
2019-01-28 22:49:25 +00:00
|
|
|
hasMatchingGlobPath(pathName, capability) {
|
2019-01-18 22:04:40 +00:00
|
|
|
const globPaths = this.get('globPaths');
|
|
|
|
if (globPaths) {
|
2019-03-01 21:16:53 +00:00
|
|
|
const matchingPath = Object.keys(globPaths).find(k => {
|
|
|
|
return pathName.includes(k) || pathName.includes(k.replace(/\/$/, ''));
|
|
|
|
});
|
2019-01-28 22:49:25 +00:00
|
|
|
const hasMatchingPath =
|
Update ui dependencies (#7244)
* be more specific about node version, and specify a yarn version
* update ember, ember-cli, ember-data, ember-data-model-fragments
* use router handlers to access transition information
* fix shadowing of component helper
* update ivy-codemirror, ember-cli-inject-live-reload
* remove custom router service
* don't use transition.queryParams
* update ember-cli-deprecation-workflow
* refactor kv v1 to use 'path' instead of 'id' on creation
* fix auth-jwt-test and toolbar-link-test
* update ember composable helpers
* remove Ember.copy from test file
* no more deprecations in the workflow
* fix more secret tests
* fix remaining failed tests
* move select component to core because it's used by ttl-picker
* generate new model class for each test instead of reusing an existing one
* fix selectors on kmip tests
* refactor how control groups construct urls from the new transition objects
* add router service override back in, and have it be evented so that we can trigger router events on it
* move stories and markdown files to core if the component lives in core
* update ember-cli, ember-cli-babel, ember-auto-import
* update base64js, date-fns, deepmerge, codemirror, broccoli-asset-rev
* update linting rules
* fix test selectors
* update ember-api-actions, ember-concurrency, ember-load-initializers, escape-string-regexp, normalize.css, prettier-eslint-cli, jsdoc-to-markdown
* remove test-results dir
* update base64js, ember-cli-clipboard, ember-cli-sass, ember-cli-string-helpers, ember-cli-template-lint, ember-cli-uglify, ember-link-action
* fix linting
* run yarn install without restoring from cache
* refactor how tests are run and handle the vault server subprocess
* update makefile for new test task names
* update circle config to use the new yarn task
* fix writing the seal keys when starting the dev server
* remove optional deps from the lockfile
* don't ignore-optional on yarn install
* remove errant console.log
* update ember-basic-dropdown-hover, jsonlint, yargs-parser
* update ember-cli-flash
* add back optionalDeps
* update @babel/core@7.5.5, ember-basic-dropdown@1.1.3, eslint-plugin-ember@6.8.2
* update storybook to the latest release
* add a babel config with targets so that the ember babel plugin works properly
* update ember-resolver, move ember-cli-storybook to devDependencies
* revert normalize.css upgrade
* silence fetchadapter warning for now
* exclude 3rd party array helper now that ember includes one
* fix switch and entity lookup styling
* only add -root suffix if it's not in versions mode
* make sure drop always has an array on the aws role form
* fix labels like we did with the backport
* update eslintignore
* update the yarn version in the docker build file
* update eslint ignore
2019-08-19 20:45:39 +00:00
|
|
|
(matchingPath && !this.isDenied(globPaths[matchingPath])) ||
|
|
|
|
Object.prototype.hasOwnProperty.call(globPaths, '');
|
2019-01-28 22:49:25 +00:00
|
|
|
|
|
|
|
if (matchingPath && capability) {
|
|
|
|
return this.hasCapability(globPaths[matchingPath], capability) && hasMatchingPath;
|
|
|
|
}
|
|
|
|
|
|
|
|
return hasMatchingPath;
|
2019-01-18 22:04:40 +00:00
|
|
|
}
|
|
|
|
return false;
|
|
|
|
},
|
|
|
|
|
2019-01-28 22:49:25 +00:00
|
|
|
hasCapability(path, capability) {
|
|
|
|
return path.capabilities.includes(capability);
|
|
|
|
},
|
|
|
|
|
2019-01-18 22:04:40 +00:00
|
|
|
isDenied(path) {
|
|
|
|
return path.capabilities.includes('deny');
|
|
|
|
},
|
|
|
|
});
|