open-vault/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js

291 lines
10 KiB
JavaScript
Raw Normal View History

import { set } from '@ember/object';
import { resolve } from 'rsvp';
2019-02-14 18:52:34 +00:00
import { inject as service } from '@ember/service';
import DS from 'ember-data';
import Route from '@ember/routing/route';
2018-04-03 14:16:57 +00:00
import utils from 'vault/lib/key-utils';
2019-02-14 18:52:34 +00:00
import { getOwner } from '@ember/application';
2018-04-03 14:16:57 +00:00
import UnloadModelRoute from 'vault/mixins/unload-model-route';
import { encodePath, normalizePath } from 'vault/utils/path-encoding-helpers';
2018-04-03 14:16:57 +00:00
export default Route.extend(UnloadModelRoute, {
2019-02-14 18:52:34 +00:00
pathHelp: service('path-help'),
secretParam() {
let { secret } = this.paramsFor(this.routeName);
return secret ? normalizePath(secret) : '';
},
enginePathParam() {
let { backend } = this.paramsFor('vault.cluster.secrets.backend');
return backend;
},
2018-04-03 14:16:57 +00:00
capabilities(secret) {
const backend = this.enginePathParam();
let backendModel = this.modelFor('vault.cluster.secrets.backend');
let backendType = backendModel.engineType;
2018-04-03 14:16:57 +00:00
let path;
if (backendModel.isV2KV) {
path = `${backend}/data/${secret}`;
} else if (backendType === 'transit') {
2018-04-03 14:16:57 +00:00
path = backend + '/keys/' + secret;
} else if (backendType === 'ssh' || backendType === 'aws') {
2018-04-03 14:16:57 +00:00
path = backend + '/roles/' + secret;
2018-10-17 04:23:29 +00:00
} else {
path = backend + '/' + secret;
2018-04-03 14:16:57 +00:00
}
return this.store.findRecord('capabilities', path);
},
backendType() {
UI namespaces (#5119) * add namespace sidebar item * depend on ember-inflector directly * list-view and list-item components * fill out components and render empty namespaces page * list namespaces in access * add menu contextual component to list item * popup contextual component * full crud for namespaces * add namespaces service and picker component * split application and vault.cluster templates and controllers, add namespace query param, add namespace-picker to vault.namespace template * remove usage of href-to * remove ember-href-to from deps * add ember-responsive * start styling the picker and link to appropriate namespaces, use ember-responsive to render picker in different places based on the breakpoint * get query param working and save ns to authdata when authenticating, feed through ns in application adapter * move to observer on the controller for setting state on the service * set state in the beforeModel hook and clear the ember data model cache * nav to secrets on change and make error handling more resilient utilizing the method that atlas does to eagerly update URLs * add a list of sys endpoints in a helper * hide header elements if not in the root namespace * debounce namespace input on auth, fix 404 for auth method fetch, move auth method fetch to a task on the auth-form component and refretch on namespace change * fix display of supported engines and exclusion of sys and identity engines * don't fetch replication status if you're in a non-root namespace * hide seal sub-menu if not in the root namespace * don't autocomplete auth form inputs * always send some requests to the root namespace * use methodType and engineType instead of type in case there it is ns_ prefixed * use sys/internal/ui/namespaces to fetch the list in the dropdown * don't use model for namespace picker and always make the request to the token namespace * fix header handling for fetch calls * use namespace-reminder component on creation and edit forms throughout the application * add namespace-reminder to the console * add flat * add deepmerge for creating the tree in the menu * delayed rendering for animation timing * design and code feedback on the first round * white text in the namespace picker * fix namespace picker issues with root keys * separate path-to-tree * add tests for path-to-tree util * hide picker if you're in the root ns and you can't access other namespaces * show error message if you enter invalid characters for namespace path * return a different model if we dont have the namespaces feature and show upgrade page * if a token has a namespace_path, use that as the root user namespace and transition them there on login * use token namespace for user, but use specified namespace to log in * always renew tokens in the token namespace * fix edition-badge test
2018-08-16 17:48:24 +00:00
return this.modelFor('vault.cluster.secrets.backend').get('engineType');
2018-04-03 14:16:57 +00:00
},
templateName: 'vault/cluster/secrets/backend/secretEditLayout',
beforeModel() {
let secret = this.secretParam();
2019-02-14 18:52:34 +00:00
return this.buildModel(secret).then(() => {
const parentKey = utils.parentKeyForKey(secret);
const mode = this.routeName.split('.').pop();
if (mode === 'edit' && utils.keyIsFolder(secret)) {
if (parentKey) {
return this.transitionTo('vault.cluster.secrets.backend.list', encodePath(parentKey));
2019-02-14 18:52:34 +00:00
} else {
return this.transitionTo('vault.cluster.secrets.backend.list-root');
}
2018-04-03 14:16:57 +00:00
}
2019-02-14 18:52:34 +00:00
});
},
buildModel(secret) {
const backend = this.enginePathParam();
2019-02-14 18:52:34 +00:00
let modelType = this.modelType(backend, secret);
if (['secret', 'secret-v2'].includes(modelType)) {
return resolve();
2018-04-03 14:16:57 +00:00
}
2019-02-14 18:52:34 +00:00
let owner = getOwner(this);
return this.pathHelp.getNewModel(modelType, owner, backend);
2018-04-03 14:16:57 +00:00
},
modelType(backend, secret) {
let backendModel = this.modelFor('vault.cluster.secrets.backend', backend);
UI namespaces (#5119) * add namespace sidebar item * depend on ember-inflector directly * list-view and list-item components * fill out components and render empty namespaces page * list namespaces in access * add menu contextual component to list item * popup contextual component * full crud for namespaces * add namespaces service and picker component * split application and vault.cluster templates and controllers, add namespace query param, add namespace-picker to vault.namespace template * remove usage of href-to * remove ember-href-to from deps * add ember-responsive * start styling the picker and link to appropriate namespaces, use ember-responsive to render picker in different places based on the breakpoint * get query param working and save ns to authdata when authenticating, feed through ns in application adapter * move to observer on the controller for setting state on the service * set state in the beforeModel hook and clear the ember data model cache * nav to secrets on change and make error handling more resilient utilizing the method that atlas does to eagerly update URLs * add a list of sys endpoints in a helper * hide header elements if not in the root namespace * debounce namespace input on auth, fix 404 for auth method fetch, move auth method fetch to a task on the auth-form component and refretch on namespace change * fix display of supported engines and exclusion of sys and identity engines * don't fetch replication status if you're in a non-root namespace * hide seal sub-menu if not in the root namespace * don't autocomplete auth form inputs * always send some requests to the root namespace * use methodType and engineType instead of type in case there it is ns_ prefixed * use sys/internal/ui/namespaces to fetch the list in the dropdown * don't use model for namespace picker and always make the request to the token namespace * fix header handling for fetch calls * use namespace-reminder component on creation and edit forms throughout the application * add namespace-reminder to the console * add flat * add deepmerge for creating the tree in the menu * delayed rendering for animation timing * design and code feedback on the first round * white text in the namespace picker * fix namespace picker issues with root keys * separate path-to-tree * add tests for path-to-tree util * hide picker if you're in the root ns and you can't access other namespaces * show error message if you enter invalid characters for namespace path * return a different model if we dont have the namespaces feature and show upgrade page * if a token has a namespace_path, use that as the root user namespace and transition them there on login * use token namespace for user, but use specified namespace to log in * always renew tokens in the token namespace * fix edition-badge test
2018-08-16 17:48:24 +00:00
let type = backendModel.get('engineType');
let types = {
2018-04-03 14:16:57 +00:00
transit: 'transit-key',
ssh: 'role-ssh',
aws: 'role-aws',
pki: secret && secret.startsWith('cert/') ? 'pki-certificate' : 'role-pki',
cubbyhole: 'secret',
kv: backendModel.get('modelTypeForKV'),
generic: backendModel.get('modelTypeForKV'),
2018-04-03 14:16:57 +00:00
};
return types[type];
2018-04-03 14:16:57 +00:00
},
getTargetVersion(currentVersion, paramsVersion) {
if (currentVersion) {
// we have the secret metadata, so we can read the currentVersion but give priority to any
// version passed in via the url
return parseInt(paramsVersion || currentVersion, 10);
} else {
// we've got a stub model because don't have read access on the metadata endpoint
return paramsVersion ? parseInt(paramsVersion, 10) : null;
}
},
async fetchV2Models(capabilities, secretModel, params) {
let backend = this.enginePathParam();
let backendModel = this.modelFor('vault.cluster.secrets.backend', backend);
let targetVersion = this.getTargetVersion(secretModel.currentVersion, params.version);
// if we have the metadata, a list of versions are part of the payload
let version = secretModel.versions && secretModel.versions.findBy('version', targetVersion);
// if it didn't fail the server read, and the version is not attached to the metadata,
// this should 404
if (!version && secretModel.failedServerRead !== true) {
let error = new DS.AdapterError();
set(error, 'httpStatus', 404);
throw error;
}
// manually set the related model
secretModel.set('engine', backendModel);
secretModel.set(
'selectedVersion',
await this.fetchV2VersionModel(capabilities, secretModel, version, targetVersion)
);
return secretModel;
},
async fetchV2VersionModel(capabilities, secretModel, version, targetVersion) {
let secret = this.secretParam();
let backend = this.enginePathParam();
// v2 versions have a composite ID, we generated one here if we need to manually set it
// after a failed fetch later;
let versionId = targetVersion ? [backend, secret, targetVersion] : [backend, secret];
let versionModel;
try {
if (secretModel.failedServerRead) {
// we couldn't read metadata, so we want to directly fetch the version
versionModel = await this.store.findRecord('secret-v2-version', JSON.stringify(versionId), {
reload: true,
});
} else {
// we may have previously errored, so roll it back here
version.rollbackAttributes();
// if metadata read was successful, the version we have is only a partial model
// trigger reload to fetch the whole version model
versionModel = await version.reload();
}
} catch (error) {
// cannot read the version data, but can write according to capabilities-self endpoint
if (error.httpStatus === 403 && capabilities.get('canUpdate')) {
// versionModel is then a partial model from the metadata (if we have read there), or
// we need to create one on the client
versionModel = version || this.store.createRecord('secret-v2-version');
versionModel.setProperties({
failedServerRead: true,
});
// if it was created on the client we need to trigger an event via ember-data
// so that it won't try to create the record on save
if (versionModel.isNew) {
versionModel.set('id', JSON.stringify(versionId));
//TODO make this a util to better show what's happening
// this is because we want the ember-data model save to call update instead of create
// in the adapter so we have to force the frontend model to a "saved" state
versionModel.send('pushedData');
}
} else {
throw error;
}
}
return versionModel;
},
handleSecretModelError(capabilities, secret, modelType, error) {
// can't read the path and don't have update capability, so re-throw
if (!capabilities.get('canUpdate') && modelType === 'secret') {
throw error;
}
// don't have access to the metadata for v2 or the secret for v1,
// so we make a stub model and mark it as `failedServerRead`
let secretModel = this.store.createRecord(modelType);
secretModel.setProperties({
id: secret,
failedServerRead: true,
});
return secretModel;
},
async model(params) {
let secret = this.secretParam();
let backend = this.enginePathParam();
let modelType = this.modelType(backend, secret);
2018-04-03 14:16:57 +00:00
if (!secret) {
secret = '\u0020';
}
if (modelType === 'pki-certificate') {
secret = secret.replace('cert/', '');
}
let secretModel;
let capabilities = this.capabilities(secret);
try {
secretModel = await this.store.queryRecord(modelType, { id: secret, backend });
} catch (err) {
// we've failed the read request, but if it's a kv-type backend, we want to
// do additional checks of the capabilities
if (err.httpStatus === 403 && (modelType === 'secret-v2' || modelType === 'secret')) {
await capabilities;
secretModel = this.handleSecretModelError(capabilities, secret, modelType, err);
} else {
throw err;
}
}
await capabilities;
if (modelType === 'secret-v2') {
// after the the base model fetch, kv-v2 has a second associated
// version model that contains the secret data
secretModel = await this.fetchV2Models(capabilities, secretModel, params);
}
return {
secret: secretModel,
capabilities,
};
2018-04-03 14:16:57 +00:00
},
setupController(controller, model) {
this._super(...arguments);
let secret = this.secretParam();
let backend = this.enginePathParam();
2018-04-03 14:16:57 +00:00
const preferAdvancedEdit =
this.controllerFor('vault.cluster.secrets.backend').get('preferAdvancedEdit') || false;
const backendType = this.backendType();
2018-04-03 14:16:57 +00:00
model.secret.setProperties({ backend });
controller.setProperties({
model: model.secret,
capabilities: model.capabilities,
baseKey: { id: secret },
// mode will be 'show', 'edit', 'create'
mode: this.routeName
.split('.')
.pop()
.replace('-root', ''),
2018-04-03 14:16:57 +00:00
backend,
preferAdvancedEdit,
backendType,
});
},
resetController(controller) {
if (controller.reset && typeof controller.reset === 'function') {
controller.reset();
}
},
actions: {
error(error) {
let secret = this.secretParam();
let backend = this.enginePathParam();
set(error, 'keyId', backend + '/' + secret);
set(error, 'backend', backend);
2018-04-03 14:16:57 +00:00
return true;
},
refreshModel() {
this.refresh();
},
willTransition(transition) {
let { mode, model } = this.controller;
let version = model.get('selectedVersion');
let changed = model.changedAttributes();
let changedKeys = Object.keys(changed);
// until we have time to move `backend` on a v1 model to a relationship,
// it's going to dirty the model state, so we need to look for it
// and explicity ignore it here
if (
(mode !== 'show' && (changedKeys.length && changedKeys[0] !== 'backend')) ||
(mode !== 'show' && version && Object.keys(version.changedAttributes()).length)
) {
2018-04-03 14:16:57 +00:00
if (
window.confirm(
'You have unsaved changes. Navigating away will discard these changes. Are you sure you want to discard your changes?'
)
) {
version && version.rollbackAttributes();
2018-04-03 14:16:57 +00:00
this.unloadModel();
return true;
2018-04-03 14:16:57 +00:00
} else {
transition.abort();
return false;
}
}
return this._super(...arguments);
2018-04-03 14:16:57 +00:00
},
},
});