2022-09-14 17:18:37 +00:00
import Model , { attr } from '@ember-data/model' ;
import lazyCapabilities , { apiPath } from 'vault/macros/lazy-capabilities' ;
import { withModelValidations } from 'vault/decorators/model-validations' ;
2022-12-06 20:34:43 +00:00
import { withFormFields } from 'vault/decorators/model-form-fields' ;
2022-09-14 17:18:37 +00:00
const validations = {
2022-09-28 22:11:13 +00:00
name : [ { type : 'presence' , message : 'Name is required.' } ] ,
2022-09-14 17:18:37 +00:00
} ;
2022-12-06 20:34:43 +00:00
const fieldGroups = [
{
default : [
'name' ,
'issuerRef' ,
'customTtl' ,
'notBeforeDuration' ,
'maxTtl' ,
'generateLease' ,
'noStore' ,
'addBasicConstraints' ,
] ,
} ,
{
'Domain handling' : [
'allowedDomains' ,
'allowedDomainsTemplate' ,
'allowBareDomains' ,
'allowSubdomains' ,
'allowGlobDomains' ,
'allowWildcardCertificates' ,
'allowLocalhost' , // default: true (returned true by OpenApi)
'allowAnyName' ,
'enforceHostnames' , // default: true (returned true by OpenApi)
] ,
} ,
{
'Key parameters' : [ 'keyType' , 'keyBits' , 'signatureBits' ] ,
} ,
{
'Key usage' : [ 'keyUsage' , 'extKeyUsage' , 'extKeyUsageOids' ] ,
} ,
{ 'Policy identifiers' : [ 'policyIdentifiers' ] } ,
{
'Subject Alternative Name (SAN) Options' : [
'allowIpSans' ,
'allowedUriSans' ,
'allowUriSansTemplate' ,
'allowedOtherSans' ,
] ,
} ,
{
'Additional subject fields' : [
'allowedSerialNumbers' ,
'requireCn' ,
'useCsrCommonName' ,
'useCsrSans' ,
'ou' ,
'organization' ,
'country' ,
'locality' ,
'province' ,
'streetAddress' ,
'postalCode' ,
] ,
} ,
] ;
@ withFormFields ( null , fieldGroups )
2022-09-14 17:18:37 +00:00
@ withModelValidations ( validations )
2022-11-10 21:27:19 +00:00
export default class PkiRoleModel extends Model {
2022-11-15 17:39:46 +00:00
get useOpenAPI ( ) {
// must be a getter so it can be accessed in path-help.js
return true ;
}
getHelpUrl ( backend ) {
return ` /v1/ ${ backend } /roles/example?help=1 ` ;
}
2022-09-14 17:18:37 +00:00
@ attr ( 'string' , { readOnly : true } ) backend ;
2022-09-28 22:11:13 +00:00
2022-10-12 18:56:05 +00:00
/* Overriding OpenApi default options */
2022-09-14 17:18:37 +00:00
@ attr ( 'string' , {
label : 'Role name' ,
2022-09-28 22:11:13 +00:00
fieldValue : 'name' ,
2022-12-02 16:42:14 +00:00
editDisabled : true ,
2022-09-14 17:18:37 +00:00
} )
name ;
2022-09-28 22:11:13 +00:00
@ attr ( 'string' , {
label : 'Issuer reference' ,
2022-11-21 20:09:04 +00:00
detailsLabel : 'Issuer' ,
2022-09-28 22:11:13 +00:00
defaultValue : 'default' ,
2022-10-25 19:58:11 +00:00
subText : ` Specifies the issuer that will be used to create certificates with this role. To find this, run read -field=default pki_int/config/issuers in the console. By default, we will use the mounts default issuer. ` ,
2022-09-28 22:11:13 +00:00
} )
issuerRef ;
@ attr ( {
label : 'Not valid after' ,
2022-11-21 20:09:04 +00:00
detailsLabel : 'Issued certificates expire after' ,
2022-09-28 22:11:13 +00:00
subText :
2022-12-15 22:42:18 +00:00
'The time after which this certificate will no longer be valid. This can be a TTL (a range of time from now) or a specific date.' ,
2022-09-28 22:11:13 +00:00
editType : 'yield' ,
} )
customTtl ;
@ attr ( {
label : 'Backdate validity' ,
2022-11-21 20:09:04 +00:00
detailsLabel : 'Issued certificate backdating' ,
2022-12-15 22:42:18 +00:00
helperTextDisabled : 'Vault will use the default value, 30s' ,
2022-09-28 22:11:13 +00:00
helperTextEnabled :
'Also called the not_before_duration property. Allows certificates to be valid for a certain time period before now. This is useful to correct clock misalignment on various systems when setting up your CA.' ,
editType : 'ttl' ,
2022-12-15 22:42:18 +00:00
defaultValue : '30s' ,
2022-09-28 22:11:13 +00:00
} )
notBeforeDuration ;
@ attr ( {
label : 'Max TTL' ,
helperTextDisabled :
'The maximum Time-To-Live of certificates generated by this role. If not set, the system max lease TTL will be used.' ,
editType : 'ttl' ,
2022-11-21 20:09:04 +00:00
defaultShown : 'System default' ,
2022-09-28 22:11:13 +00:00
} )
maxTtl ;
@ attr ( 'boolean' , {
label : 'Generate lease with certificate' ,
subText :
'Specifies if certificates issued/signed against this role will have Vault leases attached to them.' ,
editType : 'boolean' ,
2023-02-02 21:17:13 +00:00
docLink : '/vault/api-docs/secret/pki#create-update-role' ,
2022-09-28 22:11:13 +00:00
} )
generateLease ;
@ attr ( 'boolean' , {
label : 'Do not store certificates in storage backend' ,
2022-11-21 20:09:04 +00:00
detailsLabel : 'Store in storage backend' , // template reverses value
2022-09-28 22:11:13 +00:00
subText :
'This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked.' ,
editType : 'boolean' ,
2023-02-02 21:17:13 +00:00
docLink : '/vault/api-docs/secret/pki#create-update-role' ,
2022-09-28 22:11:13 +00:00
} )
noStore ;
@ attr ( 'boolean' , {
2022-10-12 18:56:05 +00:00
label : 'Basic constraints valid for non-CA' ,
2022-11-21 20:09:04 +00:00
detailsLabel : 'Add basic constraints' ,
2022-09-28 22:11:13 +00:00
subText : 'Mark Basic Constraints valid when issuing non-CA certificates.' ,
editType : 'boolean' ,
} )
addBasicConstraints ;
2022-10-12 18:56:05 +00:00
/* End of overriding default options */
/* Overriding OpenApi Domain handling options */
@ attr ( {
label : 'Allowed domains' ,
subText : 'Specifies the domains this role is allowed to issue certificates for. Add one item per row.' ,
editType : 'stringArray' ,
} )
allowedDomains ;
@ attr ( 'boolean' , {
label : 'Allow templates in allowed domains' ,
} )
allowedDomainsTemplate ;
/* End of overriding Domain handling options */
/* Overriding OpenApi Key parameters options */
@ attr ( 'string' , {
label : 'Key type' ,
possibleValues : [ 'rsa' , 'ec' , 'ed25519' , 'any' ] ,
defaultValue : 'rsa' ,
} )
keyType ;
@ attr ( 'string' , {
label : 'Key bits' ,
2022-12-08 22:22:33 +00:00
defaultValue : '2048' ,
2022-10-12 18:56:05 +00:00
} )
2022-12-08 22:22:33 +00:00
keyBits ; // no possibleValues because options are dependent on selected key type
2022-10-12 18:56:05 +00:00
@ attr ( 'number' , {
label : 'Signature bits' ,
subText : ` Only applicable for key_type 'RSA'. Ignore for other key types. ` ,
2022-12-08 22:22:33 +00:00
defaultValue : '0' ,
possibleValues : [ '0' , '256' , '384' , '512' ] ,
2022-10-12 18:56:05 +00:00
} )
signatureBits ;
/* End of overriding Key parameters options */
/* Overriding API Policy identifier option */
@ attr ( {
label : 'Policy identifiers' ,
subText : 'A comma-separated string or list of policy object identifiers (OIDs). Add one per row. ' ,
editType : 'stringArray' ,
} )
policyIdentifiers ;
/* End of overriding Policy identifier options */
/* Overriding OpenApi SAN options */
@ attr ( 'boolean' , {
label : 'Allow IP SANs' ,
subText : 'Specifies if clients can request IP Subject Alternative Names.' ,
editType : 'boolean' ,
defaultValue : true ,
} )
allowIpSans ;
@ attr ( {
label : 'URI Subject Alternative Names (URI SANs)' ,
subText : 'Defines allowed URI Subject Alternative Names. Add one item per row' ,
editType : 'stringArray' ,
2023-02-02 21:17:13 +00:00
docLink : '/vault/docs/concepts/policies' ,
2022-10-12 18:56:05 +00:00
} )
allowedUriSans ;
@ attr ( 'boolean' , {
label : 'Allow URI SANs template' ,
subText : 'If true, the URI SANs above may contain templates, as with ACL Path Templating.' ,
editType : 'boolean' ,
2023-02-02 21:17:13 +00:00
docLink : '/vault/docs/concepts/policies' ,
2022-10-12 18:56:05 +00:00
} )
allowUriSansTemplate ;
@ attr ( {
label : 'Other SANs' ,
subText : 'Defines allowed custom OID/UTF8-string SANs. Add one item per row.' ,
editType : 'stringArray' ,
} )
allowedOtherSans ;
/* End of overriding SAN options */
/* Overriding OpenApi Additional subject field options */
@ attr ( {
label : 'Allowed serial numbers' ,
subText :
'A list of allowed serial numbers to be requested during certificate issuance. Shell-style globbing is supported. If empty, custom-specified serial numbers will be forbidden.' ,
editType : 'stringArray' ,
} )
allowedSerialNumbers ;
@ attr ( 'boolean' , {
label : 'Require common name' ,
subText : 'If set to false, common name will be optional when generating a certificate.' ,
defaultValue : true ,
} )
requireCn ;
@ attr ( 'boolean' , {
label : 'Use CSR common name' ,
subText :
'When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data.' ,
defaultValue : true ,
} )
useCsrCommonName ;
@ attr ( 'boolean' , {
label : 'Use CSR SANs' ,
subText :
'When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data.' ,
defaultValue : true ,
} )
useCsrSans ;
@ attr ( {
label : 'Organization Units (OU)' ,
subText :
'A list of allowed serial numbers to be requested during certificate issuance. Shell-style globbing is supported. If empty, custom-specified serial numbers will be forbidden.' ,
2023-02-02 17:23:15 +00:00
editType : 'stringArray' ,
2022-10-12 18:56:05 +00:00
} )
ou ;
2022-11-15 17:39:46 +00:00
@ attr ( 'array' , {
defaultValue ( ) {
return [ 'DigitalSignature' , 'KeyAgreement' , 'KeyEncipherment' ] ;
} ,
2022-11-21 20:09:04 +00:00
defaultShown : 'None' ,
2022-11-15 17:39:46 +00:00
} )
keyUsage ;
@ attr ( 'array' , {
2022-11-21 20:09:04 +00:00
defaultShown : 'None' ,
2022-11-15 17:39:46 +00:00
} )
extKeyUsage ;
2022-11-21 20:09:04 +00:00
@ attr ( 'array' , {
defaultShown : 'None' ,
} )
extKeyUsageOids ;
2023-02-02 17:23:15 +00:00
@ attr ( { editType : 'stringArray' } ) organization ;
@ attr ( { editType : 'stringArray' } ) country ;
@ attr ( { editType : 'stringArray' } ) locality ;
@ attr ( { editType : 'stringArray' } ) province ;
@ attr ( { editType : 'stringArray' } ) streetAddress ;
@ attr ( { editType : 'stringArray' } ) postalCode ;
2022-10-12 18:56:05 +00:00
/* End of overriding Additional subject field options */
2022-09-28 22:11:13 +00:00
2022-12-06 20:34:43 +00:00
/ * C A P A B I L I T I E S
* Default to show UI elements unless we know they can ' t access the given path
* /
2022-09-14 17:18:37 +00:00
@ lazyCapabilities ( apiPath ` ${ 'backend' } /roles/ ${ 'id' } ` , 'backend' , 'id' ) updatePath ;
get canDelete ( ) {
2022-12-06 20:34:43 +00:00
return this . updatePath . get ( 'isLoading' ) || this . updatePath . get ( 'canCreate' ) !== false ;
2022-09-14 17:18:37 +00:00
}
get canEdit ( ) {
2022-12-06 20:34:43 +00:00
return this . updatePath . get ( 'isLoading' ) || this . updatePath . get ( 'canUpdate' ) !== false ;
2022-09-14 17:18:37 +00:00
}
get canRead ( ) {
2022-12-06 20:34:43 +00:00
return this . updatePath . get ( 'isLoading' ) || this . updatePath . get ( 'canRead' ) !== false ;
2022-09-14 17:18:37 +00:00
}
@ lazyCapabilities ( apiPath ` ${ 'backend' } /issue/ ${ 'id' } ` , 'backend' , 'id' ) generatePath ;
2022-12-06 20:34:43 +00:00
get canGenerateCert ( ) {
return this . generatePath . get ( 'isLoading' ) || this . generatePath . get ( 'canUpdate' ) !== false ;
2022-09-14 17:18:37 +00:00
}
@ lazyCapabilities ( apiPath ` ${ 'backend' } /sign/ ${ 'id' } ` , 'backend' , 'id' ) signPath ;
get canSign ( ) {
2022-12-06 20:34:43 +00:00
return this . signPath . get ( 'isLoading' ) || this . signPath . get ( 'canUpdate' ) !== false ;
2022-09-14 17:18:37 +00:00
}
@ lazyCapabilities ( apiPath ` ${ 'backend' } /sign-verbatim/ ${ 'id' } ` , 'backend' , 'id' ) signVerbatimPath ;
get canSignVerbatim ( ) {
2022-12-06 20:34:43 +00:00
return this . signVerbatimPath . get ( 'isLoading' ) || this . signVerbatimPath . get ( 'canUpdate' ) !== false ;
2022-09-14 17:18:37 +00:00
}
2022-10-12 18:56:05 +00:00
// Gets header/footer copy for specific toggle groups.
get fieldGroupsInfo ( ) {
return {
'Domain handling' : {
footer : {
text : 'These options can interact intricately with one another. For more information,' ,
docText : 'learn more here.' ,
2023-02-02 21:17:13 +00:00
docLink : '/vault/api-docs/secret/pki#allowed_domains' ,
2022-10-12 18:56:05 +00:00
} ,
} ,
2022-11-21 22:58:34 +00:00
'Key parameters' : {
header : {
text : ` These are the parameters for generating or validating the certificate's key material. ` ,
} ,
} ,
2022-10-12 18:56:05 +00:00
'Subject Alternative Name (SAN) Options' : {
header : {
text : ` Subject Alternative Names (SANs) are identities (domains, IP addresses, and URIs) Vault attaches to the requested certificates. ` ,
} ,
} ,
'Additional subject fields' : {
header : {
text : ` Additional identity metadata Vault can attach to the requested certificates. ` ,
} ,
} ,
} ;
2022-09-14 17:18:37 +00:00
}
}