open-vault/ui/app/models/pki/issuer.js

import PkiCertificateBaseModel from './certificate/base';
import { attr } from '@ember-data/model';
import { withFormFields } from 'vault/decorators/model-form-fields';
import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';

const issuerUrls = ['issuingCertificates', 'crlDistributionPoints', 'ocspServers'];
@withFormFields(
  ['issuerName', 'leafNotAfterBehavior', 'usage', 'manualChain', ...issuerUrls],
  [
    {
      default: [
        'certificate',
        'caChain',
        'commonName',
        'issuerName',
        'issuerId',
        'serialNumber',
        'keyId',
        'uriSans',
        'ipSans',
        'notValidBefore',
        'notValidAfter',
      ],
    },
    { 'Issuer URLs': issuerUrls },
  ]
)
export default class PkiIssuerModel extends PkiCertificateBaseModel {
  // there are too many differences between what openAPI returns and the designs for the update form
  // manually defining the attrs instead with the correct meta data
  get useOpenAPI() {
    return false;
  }

  get issuerRef() {
    return this.issuerName || this.issuerId;
  }

  @attr isDefault; // readonly
  @attr('string') issuerId;

  @attr('string', {
    label: 'Default key ID',
  })
  keyId;

  @attr('string') issuerName;

  @attr({
    label: 'Leaf notAfter behavior',
    subText:
      'What happens when a leaf certificate is issued, but its NotAfter field (and therefore its expiry date) exceeds that of this issuer.',
    docLink: '/vault/api-docs/secret/pki#update-issuer',
    editType: 'yield',
    valueOptions: ['err', 'truncate', 'permit'],
  })
  leafNotAfterBehavior;

  @attr({
    label: 'Usage',
    subText: 'Allowed usages for this issuer. It can always be read.',
    editType: 'yield',
    valueOptions: [
      { label: 'Issuing certificates', value: 'issuing-certificates' },
      { label: 'Signing CRLs', value: 'crl-signing' },
      { label: 'Signing OCSPs', value: 'ocsp-signing' },
    ],
  })
  usage;

  @attr('string', {
    label: 'Manual chain',
    subText:
      "An advanced field useful when automatic chain building isn't desired. The first element must be the present issuer's reference.",
  })
  manualChain;

  @attr('string', {
    label: 'Issuing certificates',
    subText:
      'The URL values for the Issuing Certificate field. These are different URLs for the same resource, and should be added individually, not in a comma-separated list.',
    editType: 'stringArray',
  })
  issuingCertificates;

  @attr('string', {
    label: 'CRL distribution points',
    subText: 'Specifies the URL values for the CRL Distribution Points field.',
    editType: 'stringArray',
  })
  crlDistributionPoints;

  @attr('string', {
    label: 'OCSP servers',
    subText: 'Specifies the URL values for the OCSP Servers field.',
    editType: 'stringArray',
  })
  ocspServers;

  @lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}`) issuerPath;
  @lazyCapabilities(apiPath`${'backend'}/root/rotate/exported`) rotateExported;
  @lazyCapabilities(apiPath`${'backend'}/root/rotate/internal`) rotateInternal;
  @lazyCapabilities(apiPath`${'backend'}/root/rotate/existing`) rotateExisting;
  @lazyCapabilities(apiPath`${'backend'}/intermediate/cross-sign`) crossSignPath;
  @lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}/sign-intermediate`) signIntermediate;
  get canRotateIssuer() {
    return (
      this.rotateExported.get('canUpdate') !== false ||
      this.rotateExisting.get('canUpdate') !== false ||
      this.rotateInternal.get('canUpdate') !== false
    );
  }
  get canCrossSign() {
    return this.crossSignPath.get('canUpdate') !== false;
  }
  get canSignIntermediate() {
    return this.signIntermediate.get('canUpdate') !== false;
  }
  get canConfigure() {
    return this.issuerPath.get('canUpdate') !== false;
  }
}
UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			`import PkiCertificateBaseModel from './certificate/base';`
			`import { attr } from '@ember-data/model';`
			`import { withFormFields } from 'vault/decorators/model-form-fields';`
			`import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';`
PKI Issuer List view (#17210) * initial setup for issuers toolbar and some slight changes to roles model after discussion with design. * wip * wip ... :/ * finalizes serializer and linkedblock iteration of is_default * clean up * fix * forgot this bit * pr comments amendments: * small PR comment changes 2022-09-20 15:25:57 +00:00
PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`const issuerUrls = ['issuingCertificates', 'crlDistributionPoints', 'ocspServers'];`
			`@withFormFields(`
			`['issuerName', 'leafNotAfterBehavior', 'usage', 'manualChain', ...issuerUrls],`
			`[`
			`{`
			`default: [`
			`'certificate',`
			`'caChain',`
			`'commonName',`
			`'issuerName',`
UI: VAULT-13135 Add copyable issuer id row to issuer details (#19054) * VAULT-13135 Add copyable issuer id row to issuer details * Fix failing test 2023-02-08 17:38:30 +00:00			`'issuerId',`
PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`'serialNumber',`
			`'keyId',`
			`'uriSans',`
Add support for missing attributes in PKI UI (#18953) * Add additional OIDs for extKeyUsage Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Allow ignoring AIA info on issuers Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Tell users which extension OIDs are not allowed Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add commentary on cross-signing failure modes Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add parsing of keyUsage Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove ext_key_usage parsing - doesn't exist on API Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add support for parsing ip_sans attribute Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Use Uint8Array directly for key_usage parsing Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add error on unknown key usage values Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix typing of IPv6 SANs, verficiation of keyUsages Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Correctly format ip addresses Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * add ip_sans to details page * fix typo * update tests * alphabetize attrs * hold off on ip compression * rename model attrs * parse other_names * is that illegal * add parenthesis to labels * update tests to account for other_sans --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: clairebontempo@gmail.com <clairebontempo@gmail.com> Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> 2023-02-03 19:36:02 +00:00			`'ipSans',`
ui: add params to pki parser (#18760) * refactor parser to pull serial number from subject * refactor pki parser * uninstall pvtutils * remove hideFormSection as attr * remove hideFormSection as attr * add string-list * test removing issueDate * update tests * final answer - make number types * change to unix time - since valueOf() is typically used internally * add algo mapping * add comment to complete in followon * add attrs to pki parser * add conditional operands so parser continues when values dont exist * add error handling WIP * finish tests, add error handling * revert to helper * move helper to util * add parseSubject test * finish tests * move certs to pki helper file * wrap parsing functions in try...catch 2023-01-24 00:49:16 +00:00			`'notValidBefore',`
PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`'notValidAfter',`
			`],`
			`},`
			`{ 'Issuer URLs': issuerUrls },`
			`]`
			`)`
UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			`export default class PkiIssuerModel extends PkiCertificateBaseModel {`
PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`// there are too many differences between what openAPI returns and the designs for the update form`
			`// manually defining the attrs instead with the correct meta data`
			`get useOpenAPI() {`
			`return false;`
UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			`}`

UI: add issuerRef getter in case issuer is nameless (#18968) * add issuerRef getter in case issuer is nameless * declare as getter * remove changes to test, oops! 2023-02-03 21:07:59 +00:00			`get issuerRef() {`
			`return this.issuerName \|\| this.issuerId;`
			`}`

add is default text (#18717) 2023-01-17 16:34:09 +00:00			`@attr isDefault; // readonly`
UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			`@attr('string') issuerId;`
PKI Issuer List view (#17210) * initial setup for issuers toolbar and some slight changes to roles model after discussion with design. * wip * wip ... :/ * finalizes serializer and linkedblock iteration of is_default * clean up * fix * forgot this bit * pr comments amendments: * small PR comment changes 2022-09-20 15:25:57 +00:00
			`@attr('string', {`
UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			`label: 'Default key ID',`
			`})`
			`keyId;`

PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`@attr('string') issuerName;`

			`@attr({`
			`label: 'Leaf notAfter behavior',`
			`subText:`
			`'What happens when a leaf certificate is issued, but its NotAfter field (and therefore its expiry date) exceeds that of this issuer.',`
			`docLink: '/vault/api-docs/secret/pki#update-issuer',`
			`editType: 'yield',`
			`valueOptions: ['err', 'truncate', 'permit'],`
			`})`
			`leafNotAfterBehavior;`

			`@attr({`
			`label: 'Usage',`
UI: PKI Clean up dirty model on leave (#19058) 2023-02-08 16:42:02 +00:00			`subText: 'Allowed usages for this issuer. It can always be read.',`
PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`editType: 'yield',`
			`valueOptions: [`
			`{ label: 'Issuing certificates', value: 'issuing-certificates' },`
			`{ label: 'Signing CRLs', value: 'crl-signing' },`
			`{ label: 'Signing OCSPs', value: 'ocsp-signing' },`
			`],`
			`})`
			`usage;`

			`@attr('string', {`
			`label: 'Manual chain',`
			`subText:`
			`"An advanced field useful when automatic chain building isn't desired. The first element must be the present issuer's reference.",`
			`})`
			`manualChain;`

			`@attr('string', {`
			`label: 'Issuing certificates',`
			`subText:`
			`'The URL values for the Issuing Certificate field. These are different URLs for the same resource, and should be added individually, not in a comma-separated list.',`
			`editType: 'stringArray',`
			`})`
			`issuingCertificates;`

			`@attr('string', {`
			`label: 'CRL distribution points',`
			`subText: 'Specifies the URL values for the CRL Distribution Points field.',`
UI: VAULT-13044 pki cleanup attributes (#18954) * Update form model attributes to be stringArray * Update pki certificate sign to be string * Update organization, ou, name to stringArray * More organization, ou update to stringArray * VAULT-13123 Update missing field attributes in create/role * Fix formatting * Revert "VAULT-13123 Update missing field attributes in create/role" This reverts commit 6da5cb508588488789dc6cde412880e45425cce4. * Fix failing test * Add string array for SAN * Update pki issuer uriSAN label 2023-02-02 17:23:15 +00:00			`editType: 'stringArray',`
PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`})`
			`crlDistributionPoints;`

			`@attr('string', {`
			`label: 'OCSP servers',`
			`subText: 'Specifies the URL values for the OCSP Servers field.',`
UI: VAULT-13044 pki cleanup attributes (#18954) * Update form model attributes to be stringArray * Update pki certificate sign to be string * Update organization, ou, name to stringArray * More organization, ou update to stringArray * VAULT-13123 Update missing field attributes in create/role * Fix formatting * Revert "VAULT-13123 Update missing field attributes in create/role" This reverts commit 6da5cb508588488789dc6cde412880e45425cce4. * Fix failing test * Add string array for SAN * Update pki issuer uriSAN label 2023-02-02 17:23:15 +00:00			`editType: 'stringArray',`
PKI Issuer Edit (#18687) * adds pki issuer edit view * updates pki issuer details test and fixes styling issue in issuer edit form * addresses feedback 2023-01-12 23:33:14 +00:00			`})`
			`ocspServers;`

UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			@lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}`) issuerPath;
			@lazyCapabilities(apiPath`${'backend'}/root/rotate/exported`) rotateExported;
			@lazyCapabilities(apiPath`${'backend'}/root/rotate/internal`) rotateInternal;
			@lazyCapabilities(apiPath`${'backend'}/root/rotate/existing`) rotateExisting;
			@lazyCapabilities(apiPath`${'backend'}/intermediate/cross-sign`) crossSignPath;
			@lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}/sign-intermediate`) signIntermediate;
			`get canRotateIssuer() {`
			`return (`
			`this.rotateExported.get('canUpdate') !== false \|\|`
			`this.rotateExisting.get('canUpdate') !== false \|\|`
			`this.rotateInternal.get('canUpdate') !== false`
			`);`
PKI Issuer List view (#17210) * initial setup for issuers toolbar and some slight changes to roles model after discussion with design. * wip * wip ... :/ * finalizes serializer and linkedblock iteration of is_default * clean up * fix * forgot this bit * pr comments amendments: * small PR comment changes 2022-09-20 15:25:57 +00:00			`}`
UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			`get canCrossSign() {`
			`return this.crossSignPath.get('canUpdate') !== false;`
PKI Issuer List view (#17210) * initial setup for issuers toolbar and some slight changes to roles model after discussion with design. * wip * wip ... :/ * finalizes serializer and linkedblock iteration of is_default * clean up * fix * forgot this bit * pr comments amendments: * small PR comment changes 2022-09-20 15:25:57 +00:00			`}`
UI: PKI Issuer details (#18495) 2022-12-21 16:30:24 +00:00			`get canSignIntermediate() {`
			`return this.signIntermediate.get('canUpdate') !== false;`
			`}`
			`get canConfigure() {`
			`return this.issuerPath.get('canUpdate') !== false;`
PKI Issuer List view (#17210) * initial setup for issuers toolbar and some slight changes to roles model after discussion with design. * wip * wip ... :/ * finalizes serializer and linkedblock iteration of is_default * clean up * fix * forgot this bit * pr comments amendments: * small PR comment changes 2022-09-20 15:25:57 +00:00			`}`
			`}`