2018-09-25 16:28:26 +00:00
|
|
|
import { set } from '@ember/object';
|
2019-04-16 20:27:23 +00:00
|
|
|
import { resolve } from 'rsvp';
|
2019-02-14 18:52:34 +00:00
|
|
|
import { inject as service } from '@ember/service';
|
|
|
|
import DS from 'ember-data';
|
2018-09-25 16:28:26 +00:00
|
|
|
import Route from '@ember/routing/route';
|
2018-04-03 14:16:57 +00:00
|
|
|
import utils from 'vault/lib/key-utils';
|
2019-02-14 18:52:34 +00:00
|
|
|
import { getOwner } from '@ember/application';
|
2018-04-03 14:16:57 +00:00
|
|
|
import UnloadModelRoute from 'vault/mixins/unload-model-route';
|
2019-03-01 16:08:30 +00:00
|
|
|
import { encodePath, normalizePath } from 'vault/utils/path-encoding-helpers';
|
2018-04-03 14:16:57 +00:00
|
|
|
|
2018-09-25 16:28:26 +00:00
|
|
|
export default Route.extend(UnloadModelRoute, {
|
2019-02-14 18:52:34 +00:00
|
|
|
pathHelp: service('path-help'),
|
2019-03-01 16:08:30 +00:00
|
|
|
secretParam() {
|
|
|
|
let { secret } = this.paramsFor(this.routeName);
|
|
|
|
return secret ? normalizePath(secret) : '';
|
|
|
|
},
|
|
|
|
enginePathParam() {
|
|
|
|
let { backend } = this.paramsFor('vault.cluster.secrets.backend');
|
|
|
|
return backend;
|
|
|
|
},
|
2018-04-03 14:16:57 +00:00
|
|
|
capabilities(secret) {
|
2019-03-01 16:08:30 +00:00
|
|
|
const backend = this.enginePathParam();
|
2018-04-24 21:30:44 +00:00
|
|
|
let backendModel = this.modelFor('vault.cluster.secrets.backend');
|
2019-04-16 20:27:23 +00:00
|
|
|
let backendType = backendModel.engineType;
|
2018-04-03 14:16:57 +00:00
|
|
|
let path;
|
2019-04-16 20:27:23 +00:00
|
|
|
if (backendModel.isV2KV) {
|
|
|
|
path = `${backend}/data/${secret}`;
|
|
|
|
} else if (backendType === 'transit') {
|
2018-04-03 14:16:57 +00:00
|
|
|
path = backend + '/keys/' + secret;
|
2018-04-16 22:18:46 +00:00
|
|
|
} else if (backendType === 'ssh' || backendType === 'aws') {
|
2018-04-03 14:16:57 +00:00
|
|
|
path = backend + '/roles/' + secret;
|
2018-10-17 04:23:29 +00:00
|
|
|
} else {
|
|
|
|
path = backend + '/' + secret;
|
2018-04-03 14:16:57 +00:00
|
|
|
}
|
|
|
|
return this.store.findRecord('capabilities', path);
|
|
|
|
},
|
|
|
|
|
2018-04-24 21:30:44 +00:00
|
|
|
backendType() {
|
2018-08-16 17:48:24 +00:00
|
|
|
return this.modelFor('vault.cluster.secrets.backend').get('engineType');
|
2018-04-03 14:16:57 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
templateName: 'vault/cluster/secrets/backend/secretEditLayout',
|
|
|
|
|
|
|
|
beforeModel() {
|
2019-03-01 16:08:30 +00:00
|
|
|
let secret = this.secretParam();
|
2019-02-14 18:52:34 +00:00
|
|
|
return this.buildModel(secret).then(() => {
|
|
|
|
const parentKey = utils.parentKeyForKey(secret);
|
|
|
|
const mode = this.routeName.split('.').pop();
|
|
|
|
if (mode === 'edit' && utils.keyIsFolder(secret)) {
|
|
|
|
if (parentKey) {
|
2019-03-01 16:08:30 +00:00
|
|
|
return this.transitionTo('vault.cluster.secrets.backend.list', encodePath(parentKey));
|
2019-02-14 18:52:34 +00:00
|
|
|
} else {
|
|
|
|
return this.transitionTo('vault.cluster.secrets.backend.list-root');
|
|
|
|
}
|
2018-04-03 14:16:57 +00:00
|
|
|
}
|
2019-02-14 18:52:34 +00:00
|
|
|
});
|
|
|
|
},
|
|
|
|
|
|
|
|
buildModel(secret) {
|
2019-03-01 16:08:30 +00:00
|
|
|
const backend = this.enginePathParam();
|
|
|
|
|
2019-02-14 18:52:34 +00:00
|
|
|
let modelType = this.modelType(backend, secret);
|
|
|
|
if (['secret', 'secret-v2'].includes(modelType)) {
|
|
|
|
return resolve();
|
2018-04-03 14:16:57 +00:00
|
|
|
}
|
2019-02-14 18:52:34 +00:00
|
|
|
let owner = getOwner(this);
|
|
|
|
return this.pathHelp.getNewModel(modelType, owner, backend);
|
2018-04-03 14:16:57 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
modelType(backend, secret) {
|
2018-06-14 04:06:19 +00:00
|
|
|
let backendModel = this.modelFor('vault.cluster.secrets.backend', backend);
|
2018-08-16 17:48:24 +00:00
|
|
|
let type = backendModel.get('engineType');
|
2018-04-20 02:26:25 +00:00
|
|
|
let types = {
|
2018-04-03 14:16:57 +00:00
|
|
|
transit: 'transit-key',
|
|
|
|
ssh: 'role-ssh',
|
|
|
|
aws: 'role-aws',
|
|
|
|
pki: secret && secret.startsWith('cert/') ? 'pki-certificate' : 'role-pki',
|
2018-06-28 20:54:02 +00:00
|
|
|
cubbyhole: 'secret',
|
2018-06-14 04:06:19 +00:00
|
|
|
kv: backendModel.get('modelTypeForKV'),
|
|
|
|
generic: backendModel.get('modelTypeForKV'),
|
2018-04-03 14:16:57 +00:00
|
|
|
};
|
2018-06-14 04:06:19 +00:00
|
|
|
return types[type];
|
2018-04-03 14:16:57 +00:00
|
|
|
},
|
|
|
|
|
2019-04-16 20:27:23 +00:00
|
|
|
getTargetVersion(currentVersion, paramsVersion) {
|
|
|
|
if (currentVersion) {
|
|
|
|
// we have the secret metadata, so we can read the currentVersion but give priority to any
|
|
|
|
// version passed in via the url
|
|
|
|
return parseInt(paramsVersion || currentVersion, 10);
|
|
|
|
} else {
|
|
|
|
// we've got a stub model because don't have read access on the metadata endpoint
|
|
|
|
return paramsVersion ? parseInt(paramsVersion, 10) : null;
|
|
|
|
}
|
|
|
|
},
|
|
|
|
|
|
|
|
async fetchV2Models(capabilities, secretModel, params) {
|
2019-03-01 16:08:30 +00:00
|
|
|
let backend = this.enginePathParam();
|
2018-12-03 14:22:13 +00:00
|
|
|
let backendModel = this.modelFor('vault.cluster.secrets.backend', backend);
|
2019-04-16 20:27:23 +00:00
|
|
|
let targetVersion = this.getTargetVersion(secretModel.currentVersion, params.version);
|
|
|
|
|
|
|
|
// if we have the metadata, a list of versions are part of the payload
|
|
|
|
let version = secretModel.versions && secretModel.versions.findBy('version', targetVersion);
|
|
|
|
// if it didn't fail the server read, and the version is not attached to the metadata,
|
|
|
|
// this should 404
|
|
|
|
if (!version && secretModel.failedServerRead !== true) {
|
|
|
|
let error = new DS.AdapterError();
|
|
|
|
set(error, 'httpStatus', 404);
|
|
|
|
throw error;
|
|
|
|
}
|
|
|
|
// manually set the related model
|
|
|
|
secretModel.set('engine', backendModel);
|
|
|
|
|
|
|
|
secretModel.set(
|
|
|
|
'selectedVersion',
|
|
|
|
await this.fetchV2VersionModel(capabilities, secretModel, version, targetVersion)
|
|
|
|
);
|
|
|
|
return secretModel;
|
|
|
|
},
|
|
|
|
|
|
|
|
async fetchV2VersionModel(capabilities, secretModel, version, targetVersion) {
|
|
|
|
let secret = this.secretParam();
|
|
|
|
let backend = this.enginePathParam();
|
|
|
|
|
|
|
|
// v2 versions have a composite ID, we generated one here if we need to manually set it
|
|
|
|
// after a failed fetch later;
|
|
|
|
let versionId = targetVersion ? [backend, secret, targetVersion] : [backend, secret];
|
|
|
|
|
|
|
|
let versionModel;
|
|
|
|
try {
|
|
|
|
if (secretModel.failedServerRead) {
|
|
|
|
// we couldn't read metadata, so we want to directly fetch the version
|
|
|
|
versionModel = await this.store.findRecord('secret-v2-version', JSON.stringify(versionId), {
|
|
|
|
reload: true,
|
|
|
|
});
|
|
|
|
} else {
|
|
|
|
// we may have previously errored, so roll it back here
|
|
|
|
version.rollbackAttributes();
|
|
|
|
// if metadata read was successful, the version we have is only a partial model
|
|
|
|
// trigger reload to fetch the whole version model
|
|
|
|
versionModel = await version.reload();
|
|
|
|
}
|
|
|
|
} catch (error) {
|
|
|
|
// cannot read the version data, but can write according to capabilities-self endpoint
|
|
|
|
if (error.httpStatus === 403 && capabilities.get('canUpdate')) {
|
|
|
|
// versionModel is then a partial model from the metadata (if we have read there), or
|
|
|
|
// we need to create one on the client
|
|
|
|
versionModel = version || this.store.createRecord('secret-v2-version');
|
|
|
|
versionModel.setProperties({
|
|
|
|
failedServerRead: true,
|
|
|
|
});
|
|
|
|
// if it was created on the client we need to trigger an event via ember-data
|
|
|
|
// so that it won't try to create the record on save
|
|
|
|
if (versionModel.isNew) {
|
|
|
|
versionModel.set('id', JSON.stringify(versionId));
|
|
|
|
//TODO make this a util to better show what's happening
|
|
|
|
// this is because we want the ember-data model save to call update instead of create
|
|
|
|
// in the adapter so we have to force the frontend model to a "saved" state
|
|
|
|
versionModel.send('pushedData');
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
throw error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return versionModel;
|
|
|
|
},
|
|
|
|
|
|
|
|
handleSecretModelError(capabilities, secret, modelType, error) {
|
|
|
|
// can't read the path and don't have update capability, so re-throw
|
|
|
|
if (!capabilities.get('canUpdate') && modelType === 'secret') {
|
|
|
|
throw error;
|
|
|
|
}
|
|
|
|
// don't have access to the metadata for v2 or the secret for v1,
|
|
|
|
// so we make a stub model and mark it as `failedServerRead`
|
|
|
|
let secretModel = this.store.createRecord(modelType);
|
|
|
|
secretModel.setProperties({
|
|
|
|
id: secret,
|
|
|
|
failedServerRead: true,
|
|
|
|
});
|
|
|
|
return secretModel;
|
|
|
|
},
|
|
|
|
|
|
|
|
async model(params) {
|
|
|
|
let secret = this.secretParam();
|
|
|
|
let backend = this.enginePathParam();
|
2019-03-01 16:08:30 +00:00
|
|
|
let modelType = this.modelType(backend, secret);
|
2018-04-03 14:16:57 +00:00
|
|
|
|
|
|
|
if (!secret) {
|
|
|
|
secret = '\u0020';
|
|
|
|
}
|
|
|
|
if (modelType === 'pki-certificate') {
|
|
|
|
secret = secret.replace('cert/', '');
|
|
|
|
}
|
2019-04-16 20:27:23 +00:00
|
|
|
let secretModel;
|
|
|
|
|
|
|
|
let capabilities = this.capabilities(secret);
|
|
|
|
try {
|
|
|
|
secretModel = await this.store.queryRecord(modelType, { id: secret, backend });
|
|
|
|
} catch (err) {
|
|
|
|
// we've failed the read request, but if it's a kv-type backend, we want to
|
|
|
|
// do additional checks of the capabilities
|
|
|
|
if (err.httpStatus === 403 && (modelType === 'secret-v2' || modelType === 'secret')) {
|
|
|
|
await capabilities;
|
|
|
|
secretModel = this.handleSecretModelError(capabilities, secret, modelType, err);
|
|
|
|
} else {
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
await capabilities;
|
|
|
|
if (modelType === 'secret-v2') {
|
|
|
|
// after the the base model fetch, kv-v2 has a second associated
|
|
|
|
// version model that contains the secret data
|
|
|
|
secretModel = await this.fetchV2Models(capabilities, secretModel, params);
|
|
|
|
}
|
|
|
|
return {
|
|
|
|
secret: secretModel,
|
|
|
|
capabilities,
|
|
|
|
};
|
2018-04-03 14:16:57 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
setupController(controller, model) {
|
|
|
|
this._super(...arguments);
|
2019-03-01 16:08:30 +00:00
|
|
|
let secret = this.secretParam();
|
|
|
|
let backend = this.enginePathParam();
|
2018-04-03 14:16:57 +00:00
|
|
|
const preferAdvancedEdit =
|
|
|
|
this.controllerFor('vault.cluster.secrets.backend').get('preferAdvancedEdit') || false;
|
2018-04-24 21:30:44 +00:00
|
|
|
const backendType = this.backendType();
|
2018-04-03 14:16:57 +00:00
|
|
|
model.secret.setProperties({ backend });
|
|
|
|
controller.setProperties({
|
|
|
|
model: model.secret,
|
|
|
|
capabilities: model.capabilities,
|
|
|
|
baseKey: { id: secret },
|
|
|
|
// mode will be 'show', 'edit', 'create'
|
2018-09-25 16:28:26 +00:00
|
|
|
mode: this.routeName
|
|
|
|
.split('.')
|
|
|
|
.pop()
|
|
|
|
.replace('-root', ''),
|
2018-04-03 14:16:57 +00:00
|
|
|
backend,
|
|
|
|
preferAdvancedEdit,
|
|
|
|
backendType,
|
|
|
|
});
|
|
|
|
},
|
|
|
|
|
|
|
|
resetController(controller) {
|
|
|
|
if (controller.reset && typeof controller.reset === 'function') {
|
|
|
|
controller.reset();
|
|
|
|
}
|
|
|
|
},
|
|
|
|
|
|
|
|
actions: {
|
|
|
|
error(error) {
|
2019-03-01 16:08:30 +00:00
|
|
|
let secret = this.secretParam();
|
|
|
|
let backend = this.enginePathParam();
|
2018-09-25 16:28:26 +00:00
|
|
|
set(error, 'keyId', backend + '/' + secret);
|
|
|
|
set(error, 'backend', backend);
|
2018-04-03 14:16:57 +00:00
|
|
|
return true;
|
|
|
|
},
|
|
|
|
|
|
|
|
refreshModel() {
|
|
|
|
this.refresh();
|
|
|
|
},
|
|
|
|
|
|
|
|
willTransition(transition) {
|
2018-10-19 22:24:57 +00:00
|
|
|
let { mode, model } = this.controller;
|
2018-10-15 14:38:05 +00:00
|
|
|
let version = model.get('selectedVersion');
|
2018-10-17 03:11:15 +00:00
|
|
|
let changed = model.changedAttributes();
|
|
|
|
let changedKeys = Object.keys(changed);
|
|
|
|
// until we have time to move `backend` on a v1 model to a relationship,
|
|
|
|
// it's going to dirty the model state, so we need to look for it
|
|
|
|
// and explicity ignore it here
|
2018-10-17 02:42:29 +00:00
|
|
|
if (
|
2018-10-19 22:24:57 +00:00
|
|
|
(mode !== 'show' && (changedKeys.length && changedKeys[0] !== 'backend')) ||
|
|
|
|
(mode !== 'show' && version && Object.keys(version.changedAttributes()).length)
|
2018-10-17 02:42:29 +00:00
|
|
|
) {
|
2018-04-03 14:16:57 +00:00
|
|
|
if (
|
|
|
|
window.confirm(
|
|
|
|
'You have unsaved changes. Navigating away will discard these changes. Are you sure you want to discard your changes?'
|
|
|
|
)
|
|
|
|
) {
|
2018-10-15 14:38:05 +00:00
|
|
|
version && version.rollbackAttributes();
|
2018-04-03 14:16:57 +00:00
|
|
|
this.unloadModel();
|
2018-09-25 16:28:26 +00:00
|
|
|
return true;
|
2018-04-03 14:16:57 +00:00
|
|
|
} else {
|
|
|
|
transition.abort();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
2018-09-25 16:28:26 +00:00
|
|
|
return this._super(...arguments);
|
2018-04-03 14:16:57 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
});
|