UI/database cg read role (#12111)
* Add type param to secret show, handle CG in database role show * If roleType is passed to credential, only make one creds API call * Clean up db role adapter and serializer * url param roleType passed to credentials call * Role list capabilities check for static and dynamic separately * Add changelog * Consistent adapter response for single or double call * Prioritize dynamic response if control group on role/creds
This commit is contained in:
parent
ed361ee8da
commit
4a9669a1bc
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
ui: Fix database role CG access
|
||||||
|
```
|
|
@ -1,5 +1,6 @@
|
||||||
import RSVP from 'rsvp';
|
import { allSettled } from 'rsvp';
|
||||||
import ApplicationAdapter from '../application';
|
import ApplicationAdapter from '../application';
|
||||||
|
import ControlGroupError from 'vault/lib/control-group-error';
|
||||||
|
|
||||||
export default ApplicationAdapter.extend({
|
export default ApplicationAdapter.extend({
|
||||||
namespace: 'v1',
|
namespace: 'v1',
|
||||||
|
@ -20,18 +21,20 @@ export default ApplicationAdapter.extend({
|
||||||
|
|
||||||
fetchByQuery(store, query) {
|
fetchByQuery(store, query) {
|
||||||
const { backend, secret } = query;
|
const { backend, secret } = query;
|
||||||
return RSVP.allSettled([this._staticCreds(backend, secret), this._dynamicCreds(backend, secret)]).then(
|
if (query.roleType === 'static') {
|
||||||
|
return this._staticCreds(backend, secret);
|
||||||
|
} else if (query.roleType === 'dynamic') {
|
||||||
|
return this._dynamicCreds(backend, secret);
|
||||||
|
}
|
||||||
|
return allSettled([this._staticCreds(backend, secret), this._dynamicCreds(backend, secret)]).then(
|
||||||
([staticResp, dynamicResp]) => {
|
([staticResp, dynamicResp]) => {
|
||||||
// If one comes back with wrapped response from control group, throw it
|
if (staticResp.state === 'rejected' && dynamicResp.state === 'rejected') {
|
||||||
const accessor = staticResp.accessor || dynamicResp.accessor;
|
let reason = staticResp.reason;
|
||||||
if (accessor) {
|
if (dynamicResp.reason instanceof ControlGroupError) {
|
||||||
throw accessor;
|
throw dynamicResp.reason;
|
||||||
}
|
}
|
||||||
// if neither has payload, throw reason with highest httpStatus
|
if (reason?.httpStatus < dynamicResp.reason?.httpStatus) {
|
||||||
if (!staticResp.value && !dynamicResp.value) {
|
reason = dynamicResp.reason;
|
||||||
let reason = dynamicResp.reason;
|
|
||||||
if (reason?.httpStatus < staticResp.reason?.httpStatus) {
|
|
||||||
reason = staticResp.reason;
|
|
||||||
}
|
}
|
||||||
throw reason;
|
throw reason;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
import { assign } from '@ember/polyfills';
|
import { assign } from '@ember/polyfills';
|
||||||
import { assert } from '@ember/debug';
|
import { assert } from '@ember/debug';
|
||||||
|
import ControlGroupError from 'vault/lib/control-group-error';
|
||||||
import ApplicationAdapter from '../application';
|
import ApplicationAdapter from '../application';
|
||||||
import { allSettled } from 'rsvp';
|
import { allSettled } from 'rsvp';
|
||||||
import { addToArray } from 'vault/helpers/add-to-array';
|
import { addToArray } from 'vault/helpers/add-to-array';
|
||||||
|
@ -24,11 +25,31 @@ export default ApplicationAdapter.extend({
|
||||||
},
|
},
|
||||||
|
|
||||||
staticRoles(backend, id) {
|
staticRoles(backend, id) {
|
||||||
return this.ajax(this.urlFor(backend, id, 'static'), 'GET', this.optionsForQuery(id));
|
return this.ajax(this.urlFor(backend, id, 'static'), 'GET', this.optionsForQuery(id)).then(resp => {
|
||||||
|
if (id) {
|
||||||
|
return {
|
||||||
|
...resp,
|
||||||
|
type: 'static',
|
||||||
|
backend,
|
||||||
|
id,
|
||||||
|
};
|
||||||
|
}
|
||||||
|
return resp;
|
||||||
|
});
|
||||||
},
|
},
|
||||||
|
|
||||||
dynamicRoles(backend, id) {
|
dynamicRoles(backend, id) {
|
||||||
return this.ajax(this.urlFor(backend, id), 'GET', this.optionsForQuery(id));
|
return this.ajax(this.urlFor(backend, id), 'GET', this.optionsForQuery(id)).then(resp => {
|
||||||
|
if (id) {
|
||||||
|
return {
|
||||||
|
...resp,
|
||||||
|
type: 'dynamic',
|
||||||
|
backend,
|
||||||
|
id,
|
||||||
|
};
|
||||||
|
}
|
||||||
|
return resp;
|
||||||
|
});
|
||||||
},
|
},
|
||||||
|
|
||||||
optionsForQuery(id) {
|
optionsForQuery(id) {
|
||||||
|
@ -39,39 +60,43 @@ export default ApplicationAdapter.extend({
|
||||||
return { data };
|
return { data };
|
||||||
},
|
},
|
||||||
|
|
||||||
fetchByQuery(store, query) {
|
|
||||||
const { backend, id } = query;
|
|
||||||
return this.ajax(this.urlFor(backend, id), 'GET', this.optionsForQuery(id)).then(resp => {
|
|
||||||
resp.id = id;
|
|
||||||
resp.backend = backend;
|
|
||||||
return resp;
|
|
||||||
});
|
|
||||||
},
|
|
||||||
|
|
||||||
queryRecord(store, type, query) {
|
queryRecord(store, type, query) {
|
||||||
const { backend, id } = query;
|
const { backend, id } = query;
|
||||||
const staticReq = this.staticRoles(backend, id);
|
|
||||||
const dynamicReq = this.dynamicRoles(backend, id);
|
|
||||||
|
|
||||||
return allSettled([staticReq, dynamicReq]).then(([staticResp, dynamicResp]) => {
|
if (query.type === 'static') {
|
||||||
if (!staticResp.value && !dynamicResp.value) {
|
return this.staticRoles(backend, id);
|
||||||
// Throw error, both reqs failed
|
} else if (query?.type === 'dynamic') {
|
||||||
throw dynamicResp.reason;
|
return this.dynamicRoles(backend, id);
|
||||||
|
}
|
||||||
|
// if role type is not defined, try both
|
||||||
|
return allSettled([this.staticRoles(backend, id), this.dynamicRoles(backend, id)]).then(
|
||||||
|
([staticResp, dynamicResp]) => {
|
||||||
|
if (staticResp.state === 'rejected' && dynamicResp.state === 'rejected') {
|
||||||
|
let reason = staticResp.reason;
|
||||||
|
if (dynamicResp.reason instanceof ControlGroupError) {
|
||||||
|
throw dynamicResp.reason;
|
||||||
|
}
|
||||||
|
if (reason?.httpStatus < dynamicResp.reason?.httpStatus) {
|
||||||
|
reason = dynamicResp.reason;
|
||||||
|
}
|
||||||
|
throw reason;
|
||||||
|
}
|
||||||
|
// Names are distinct across both types of role,
|
||||||
|
// so only one request should ever come back with value
|
||||||
|
let type = staticResp.value ? 'static' : 'dynamic';
|
||||||
|
let successful = staticResp.value || dynamicResp.value;
|
||||||
|
let resp = {
|
||||||
|
data: {},
|
||||||
|
backend,
|
||||||
|
id,
|
||||||
|
type,
|
||||||
|
};
|
||||||
|
|
||||||
|
resp.data = assign({}, successful.data);
|
||||||
|
|
||||||
|
return resp;
|
||||||
}
|
}
|
||||||
// Names are distinct across both types of role,
|
);
|
||||||
// so only one request should ever come back with value
|
|
||||||
let type = staticResp.value ? 'static' : 'dynamic';
|
|
||||||
let successful = staticResp.value || dynamicResp.value;
|
|
||||||
let resp = {
|
|
||||||
data: {},
|
|
||||||
backend,
|
|
||||||
secret: id,
|
|
||||||
};
|
|
||||||
|
|
||||||
resp.data = assign({}, resp.data, successful.data, { backend, type, secret: id });
|
|
||||||
|
|
||||||
return resp;
|
|
||||||
});
|
|
||||||
},
|
},
|
||||||
|
|
||||||
query(store, type, query) {
|
query(store, type, query) {
|
||||||
|
|
|
@ -54,8 +54,10 @@ export default class DatabaseRoleEdit extends Component {
|
||||||
}
|
}
|
||||||
|
|
||||||
@action
|
@action
|
||||||
generateCreds(roleId) {
|
generateCreds(roleId, roleType = '') {
|
||||||
this.router.transitionTo('vault.cluster.secrets.backend.credentials', roleId);
|
this.router.transitionTo('vault.cluster.secrets.backend.credentials', roleId, {
|
||||||
|
queryParams: { roleType },
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
@action
|
@action
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
import Controller from '@ember/controller';
|
import Controller from '@ember/controller';
|
||||||
|
|
||||||
export default Controller.extend({
|
export default Controller.extend({
|
||||||
queryParams: ['action'],
|
queryParams: ['action', 'roleType'],
|
||||||
action: '',
|
action: '',
|
||||||
|
roleType: '',
|
||||||
reset() {
|
reset() {
|
||||||
this.set('action', '');
|
this.set('action', '');
|
||||||
|
this.set('roleType', '');
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
|
@ -3,12 +3,14 @@ import BackendCrumbMixin from 'vault/mixins/backend-crumb';
|
||||||
|
|
||||||
export default Controller.extend(BackendCrumbMixin, {
|
export default Controller.extend(BackendCrumbMixin, {
|
||||||
backendController: controller('vault.cluster.secrets.backend'),
|
backendController: controller('vault.cluster.secrets.backend'),
|
||||||
queryParams: ['tab', 'version'],
|
queryParams: ['tab', 'version', 'type'],
|
||||||
version: '',
|
version: '',
|
||||||
tab: '',
|
tab: '',
|
||||||
|
type: '',
|
||||||
reset() {
|
reset() {
|
||||||
this.set('tab', '');
|
this.set('tab', '');
|
||||||
this.set('version', '');
|
this.set('version', '');
|
||||||
|
this.set('type', '');
|
||||||
},
|
},
|
||||||
actions: {
|
actions: {
|
||||||
refresh: function() {
|
refresh: function() {
|
||||||
|
|
|
@ -1,9 +1,12 @@
|
||||||
import { helper } from '@ember/component/helper';
|
import { helper } from '@ember/component/helper';
|
||||||
|
|
||||||
export function secretQueryParams([backendType]) {
|
export function secretQueryParams([backendType, type = '']) {
|
||||||
if (backendType === 'transit') {
|
if (backendType === 'transit') {
|
||||||
return { tab: 'actions' };
|
return { tab: 'actions' };
|
||||||
}
|
}
|
||||||
|
if (backendType === 'database') {
|
||||||
|
return { type: type };
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -127,7 +127,9 @@ export default Model.extend({
|
||||||
staticPath: lazyCapabilities(apiPath`${'backend'}/static-roles/+`, 'backend'),
|
staticPath: lazyCapabilities(apiPath`${'backend'}/static-roles/+`, 'backend'),
|
||||||
canCreateStatic: alias('staticPath.canCreate'),
|
canCreateStatic: alias('staticPath.canCreate'),
|
||||||
credentialPath: lazyCapabilities(apiPath`${'backend'}/creds/${'id'}`, 'backend', 'id'),
|
credentialPath: lazyCapabilities(apiPath`${'backend'}/creds/${'id'}`, 'backend', 'id'),
|
||||||
|
staticCredentialPath: lazyCapabilities(apiPath`${'backend'}/static-creds/${'id'}`, 'backend', 'id'),
|
||||||
canGenerateCredentials: alias('credentialPath.canRead'),
|
canGenerateCredentials: alias('credentialPath.canRead'),
|
||||||
|
canGetCredentials: alias('staticCredentialPath.canRead'),
|
||||||
databasePath: lazyCapabilities(apiPath`${'backend'}/config/${'database[0]'}`, 'backend', 'database'),
|
databasePath: lazyCapabilities(apiPath`${'backend'}/config/${'database[0]'}`, 'backend', 'database'),
|
||||||
canUpdateDb: alias('databasePath.canUpdate'),
|
canUpdateDb: alias('databasePath.canUpdate'),
|
||||||
});
|
});
|
||||||
|
|
|
@ -23,8 +23,8 @@ export default Route.extend({
|
||||||
return this.pathHelp.getNewModel(modelType, backend);
|
return this.pathHelp.getNewModel(modelType, backend);
|
||||||
},
|
},
|
||||||
|
|
||||||
getDatabaseCredential(backend, secret) {
|
getDatabaseCredential(backend, secret, roleType = '') {
|
||||||
return this.store.queryRecord('database/credential', { backend, secret }).catch(error => {
|
return this.store.queryRecord('database/credential', { backend, secret, roleType }).catch(error => {
|
||||||
if (error instanceof ControlGroupError) {
|
if (error instanceof ControlGroupError) {
|
||||||
throw error;
|
throw error;
|
||||||
}
|
}
|
||||||
|
@ -57,7 +57,7 @@ export default Route.extend({
|
||||||
let roleType = params.roleType;
|
let roleType = params.roleType;
|
||||||
let dbCred;
|
let dbCred;
|
||||||
if (backendType === 'database') {
|
if (backendType === 'database') {
|
||||||
dbCred = await this.getDatabaseCredential(backendPath, role);
|
dbCred = await this.getDatabaseCredential(backendPath, role, roleType);
|
||||||
}
|
}
|
||||||
if (!SUPPORTED_DYNAMIC_BACKENDS.includes(backendModel.get('type'))) {
|
if (!SUPPORTED_DYNAMIC_BACKENDS.includes(backendModel.get('type'))) {
|
||||||
return this.transitionTo('vault.cluster.secrets.backend.list-root', backendPath);
|
return this.transitionTo('vault.cluster.secrets.backend.list-root', backendPath);
|
||||||
|
|
|
@ -219,6 +219,7 @@ export default Route.extend(UnloadModelRoute, {
|
||||||
let secret = this.secretParam();
|
let secret = this.secretParam();
|
||||||
let backend = this.enginePathParam();
|
let backend = this.enginePathParam();
|
||||||
let modelType = this.modelType(backend, secret);
|
let modelType = this.modelType(backend, secret);
|
||||||
|
let type = params.type || '';
|
||||||
if (!secret) {
|
if (!secret) {
|
||||||
secret = '\u0020';
|
secret = '\u0020';
|
||||||
}
|
}
|
||||||
|
@ -235,7 +236,7 @@ export default Route.extend(UnloadModelRoute, {
|
||||||
|
|
||||||
let capabilities = this.capabilities(secret, modelType);
|
let capabilities = this.capabilities(secret, modelType);
|
||||||
try {
|
try {
|
||||||
secretModel = await this.store.queryRecord(modelType, { id: secret, backend });
|
secretModel = await this.store.queryRecord(modelType, { id: secret, backend, type });
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
// we've failed the read request, but if it's a kv-type backend, we want to
|
// we've failed the read request, but if it's a kv-type backend, we want to
|
||||||
// do additional checks of the capabilities
|
// do additional checks of the capabilities
|
||||||
|
|
|
@ -17,7 +17,7 @@ export default RESTSerializer.extend({
|
||||||
return roles;
|
return roles;
|
||||||
}
|
}
|
||||||
let path = 'roles';
|
let path = 'roles';
|
||||||
if (payload.data.type === 'static') {
|
if (payload.type === 'static') {
|
||||||
path = 'static-roles';
|
path = 'static-roles';
|
||||||
}
|
}
|
||||||
let database = [];
|
let database = [];
|
||||||
|
@ -34,9 +34,10 @@ export default RESTSerializer.extend({
|
||||||
revocation_statement = payload.data.revocation_statements[0];
|
revocation_statement = payload.data.revocation_statements[0];
|
||||||
}
|
}
|
||||||
return {
|
return {
|
||||||
id: payload.secret,
|
id: payload.id,
|
||||||
name: payload.secret,
|
|
||||||
backend: payload.backend,
|
backend: payload.backend,
|
||||||
|
name: payload.id,
|
||||||
|
type: payload.type,
|
||||||
database,
|
database,
|
||||||
path,
|
path,
|
||||||
creation_statement,
|
creation_statement,
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
<button
|
<button
|
||||||
type="button"
|
type="button"
|
||||||
class="toolbar-link"
|
class="toolbar-link"
|
||||||
{{on 'click' (fn this.generateCreds @model.id)}}
|
{{on 'click' (fn this.generateCreds @model.id @model.type)}}
|
||||||
data-test-database-role-generate-creds
|
data-test-database-role-generate-creds
|
||||||
>
|
>
|
||||||
{{if (eq @model.type "static") "Get credentials" "Generate credentials"}}
|
{{if (eq @model.type "static") "Get credentials" "Generate credentials"}}
|
||||||
|
|
|
@ -4,11 +4,16 @@
|
||||||
class="list-item-row"
|
class="list-item-row"
|
||||||
data-test-secret-link=@item.id
|
data-test-secret-link=@item.id
|
||||||
encode=true
|
encode=true
|
||||||
queryParams=(secret-query-params @backendType)
|
queryParams=(secret-query-params @backendType @item.type)
|
||||||
}}
|
}}
|
||||||
<div class="columns is-mobile">
|
<div class="columns is-mobile">
|
||||||
<div class="column is-10">
|
<div class="column is-10">
|
||||||
<LinkTo @route={{concat "vault.cluster.secrets.backend.show" }} @model={{if this.keyTypeValue (concat 'role/' @item.id) @item.id}} class="has-text-black has-text-weight-semibold">
|
<LinkTo
|
||||||
|
@route={{concat "vault.cluster.secrets.backend.show" }}
|
||||||
|
@model={{if this.keyTypeValue (concat 'role/' @item.id) @item.id}}
|
||||||
|
@query={{secret-query-params @backendType @item.type}}
|
||||||
|
class="has-text-black has-text-weight-semibold"
|
||||||
|
>
|
||||||
<Icon
|
<Icon
|
||||||
@glyph="user-square-outline"
|
@glyph="user-square-outline"
|
||||||
class="has-text-grey-light is-pulled-left"
|
class="has-text-grey-light is-pulled-left"
|
||||||
|
@ -50,10 +55,16 @@
|
||||||
</button>
|
</button>
|
||||||
</li>
|
</li>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
{{#if @item.canGenerateCredentials}}
|
{{#if (and (eq @item.type "dynamic") @item.canGenerateCredentials)}}
|
||||||
<li class="action">
|
<li class="action">
|
||||||
<LinkTo @route="vault.cluster.secrets.backend.credentials" @model={{@item.id}} @query={{hash roleType=this.keyTypeValue}}>
|
<LinkTo @route="vault.cluster.secrets.backend.credentials" @model={{@item.id}} @query={{hash roleType=this.keyTypeValue}}>
|
||||||
{{if (eq @item.type "static") "Get credentials" "Generate credentials"}}
|
Generate credentials
|
||||||
|
</LinkTo>
|
||||||
|
</li>
|
||||||
|
{{else if (and (eq @item.type "static") @item.canGetCredentials)}}
|
||||||
|
<li class="action">
|
||||||
|
<LinkTo @route="vault.cluster.secrets.backend.credentials" @model={{@item.id}} @query={{hash roleType=this.keyTypeValue}}>
|
||||||
|
Get credentials
|
||||||
</LinkTo>
|
</LinkTo>
|
||||||
</li>
|
</li>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
|
Loading…
Reference in New Issue