UI/database cg read role (#12111)

* Add type param to secret show, handle CG in database role show

* If roleType is passed to credential, only make one creds API call

* Clean up db role adapter and serializer

* url param roleType passed to credentials call

* Role list capabilities check for static and dynamic separately

* Add changelog

* Consistent adapter response for single or double call

* Prioritize the dynamic response when a control group applies to the role/creds request
Chelsea Shaw 2021-07-20 11:28:44 -05:00 committed by GitHub
parent ed361ee8da
commit 4a9669a1bc
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 116 additions and 61 deletions

changelog/12111.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
ui: Fix database role CG access
```


@ -1,5 +1,6 @@
import RSVP from 'rsvp';
import { allSettled } from 'rsvp';
import ApplicationAdapter from '../application';
import ControlGroupError from 'vault/lib/control-group-error';
export default ApplicationAdapter.extend({
namespace: 'v1',
@ -20,18 +21,20 @@ export default ApplicationAdapter.extend({
fetchByQuery(store, query) {
const { backend, secret } = query;
return RSVP.allSettled([this._staticCreds(backend, secret), this._dynamicCreds(backend, secret)]).then(
([staticResp, dynamicResp]) => {
// If one comes back with wrapped response from control group, throw it
const accessor = staticResp.accessor || dynamicResp.accessor;
if (accessor) {
throw accessor;
if (query.roleType === 'static') {
return this._staticCreds(backend, secret);
} else if (query.roleType === 'dynamic') {
return this._dynamicCreds(backend, secret);
}
// if neither has payload, throw reason with highest httpStatus
if (!staticResp.value && !dynamicResp.value) {
let reason = dynamicResp.reason;
if (reason?.httpStatus < staticResp.reason?.httpStatus) {
reason = staticResp.reason;
return allSettled([this._staticCreds(backend, secret), this._dynamicCreds(backend, secret)]).then(
([staticResp, dynamicResp]) => {
if (staticResp.state === 'rejected' && dynamicResp.state === 'rejected') {
let reason = staticResp.reason;
if (dynamicResp.reason instanceof ControlGroupError) {
throw dynamicResp.reason;
}
if (reason?.httpStatus < dynamicResp.reason?.httpStatus) {
reason = dynamicResp.reason;
}
throw reason;
}
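Review bot: In the both-rejected branch only the dynamic side is tested for a control group (`if (dynamicResp.reason instanceof ControlGroupError)`); a ControlGroupError coming back from `_staticCreds` is only surfaced if the following httpStatus comparison happens to favor it, so if ControlGroupError exposes an httpStatus lower than the dynamic failure's, the user is shown the dynamic error and never gets the control-group authorization flow. Add the mirror check before the status comparison: `if (staticResp.reason instanceof ControlGroupError) { throw staticResp.reason; }`. Whether ControlGroupError carries an httpStatus is not visible here, so this may be harmless today, but the explicit check documents the intent and the removed comment `// If one comes back with wrapped response from control group, throw it` is worth restoring above it. The single-call branches for `roleType === 'static'` and `'dynamic'` propagate a ControlGroupError unchanged, which is correct; note that any other roleType value silently falls back to the dual request. fetchByQuery continues past the end of this hunk.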


@ -1,5 +1,6 @@
import { assign } from '@ember/polyfills';
import { assert } from '@ember/debug';
import ControlGroupError from 'vault/lib/control-group-error';
import ApplicationAdapter from '../application';
import { allSettled } from 'rsvp';
import { addToArray } from 'vault/helpers/add-to-array';
@ -24,11 +25,31 @@ export default ApplicationAdapter.extend({
},
staticRoles(backend, id) {
return this.ajax(this.urlFor(backend, id, 'static'), 'GET', this.optionsForQuery(id));
return this.ajax(this.urlFor(backend, id, 'static'), 'GET', this.optionsForQuery(id)).then(resp => {
if (id) {
return {
...resp,
type: 'static',
backend,
id,
};
}
return resp;
});
},
dynamicRoles(backend, id) {
return this.ajax(this.urlFor(backend, id), 'GET', this.optionsForQuery(id));
return this.ajax(this.urlFor(backend, id), 'GET', this.optionsForQuery(id)).then(resp => {
if (id) {
return {
...resp,
type: 'dynamic',
backend,
id,
};
}
return resp;
});
},
optionsForQuery(id) {
@ -39,25 +60,27 @@ export default ApplicationAdapter.extend({
return { data };
},
fetchByQuery(store, query) {
const { backend, id } = query;
return this.ajax(this.urlFor(backend, id), 'GET', this.optionsForQuery(id)).then(resp => {
resp.id = id;
resp.backend = backend;
return resp;
});
},
queryRecord(store, type, query) {
const { backend, id } = query;
const staticReq = this.staticRoles(backend, id);
const dynamicReq = this.dynamicRoles(backend, id);
return allSettled([staticReq, dynamicReq]).then(([staticResp, dynamicResp]) => {
if (!staticResp.value && !dynamicResp.value) {
// Throw error, both reqs failed
if (query.type === 'static') {
return this.staticRoles(backend, id);
} else if (query?.type === 'dynamic') {
return this.dynamicRoles(backend, id);
}
// if role type is not defined, try both
return allSettled([this.staticRoles(backend, id), this.dynamicRoles(backend, id)]).then(
([staticResp, dynamicResp]) => {
if (staticResp.state === 'rejected' && dynamicResp.state === 'rejected') {
let reason = staticResp.reason;
if (dynamicResp.reason instanceof ControlGroupError) {
throw dynamicResp.reason;
}
if (reason?.httpStatus < dynamicResp.reason?.httpStatus) {
reason = dynamicResp.reason;
}
throw reason;
}
// Names are distinct across both types of role,
// so only one request should ever come back with value
let type = staticResp.value ? 'static' : 'dynamic';
@ -65,13 +88,15 @@ export default ApplicationAdapter.extend({
let resp = {
data: {},
backend,
secret: id,
id,
type,
};
resp.data = assign({}, resp.data, successful.data, { backend, type, secret: id });
resp.data = assign({}, successful.data);
return resp;
});
}
);
},
query(store, type, query) {
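Review bot: queryRecord's both-rejected branch has the same asymmetry as the credential adapter: only `dynamicResp.reason` is checked for ControlGroupError, so a control-group response from `staticRoles` is surfaced only when the httpStatus comparison favors it, and a user who needs to request access through the control group may instead see the dynamic 4xx. Insert `if (staticResp.reason instanceof ControlGroupError) { throw staticResp.reason; }` after the dynamic check, keeping the dynamic-first priority the commit describes. Separately, the mixed `query.type` / `query?.type` on adjacent lines is inconsistent — `query` was already destructured as a non-null object one line earlier — and the name collides with the method's `type` parameter (the Ember model type); reading it once as `const roleType = query.type;` and branching on that avoids both. The allSettled callback's success path and the start of `query()` are outside this hunk.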


@ -54,8 +54,10 @@ export default class DatabaseRoleEdit extends Component {
}
@action
generateCreds(roleId) {
this.router.transitionTo('vault.cluster.secrets.backend.credentials', roleId);
generateCreds(roleId, roleType = '') {
this.router.transitionTo('vault.cluster.secrets.backend.credentials', roleId, {
queryParams: { roleType },
});
}
@action


@ -1,9 +1,11 @@
import Controller from '@ember/controller';
export default Controller.extend({
queryParams: ['action'],
queryParams: ['action', 'roleType'],
action: '',
roleType: '',
reset() {
this.set('action', '');
this.set('roleType', '');
},
});


@ -3,12 +3,14 @@ import BackendCrumbMixin from 'vault/mixins/backend-crumb';
export default Controller.extend(BackendCrumbMixin, {
backendController: controller('vault.cluster.secrets.backend'),
queryParams: ['tab', 'version'],
queryParams: ['tab', 'version', 'type'],
version: '',
tab: '',
type: '',
reset() {
this.set('tab', '');
this.set('version', '');
this.set('type', '');
},
actions: {
refresh: function() {


@ -1,9 +1,12 @@
import { helper } from '@ember/component/helper';
export function secretQueryParams([backendType]) {
export function secretQueryParams([backendType, type = '']) {
if (backendType === 'transit') {
return { tab: 'actions' };
}
if (backendType === 'database') {
return { type: type };
}
return;
}
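Review bot: `return { type: type };` should use property shorthand, `return { type };`, matching the object literals elsewhere in this commit. The helper now has three distinct outcomes (transit tab, database type, or undefined) and deserves a one-line doc comment, e.g. `// Query params to attach to a secret link: transit opens the actions tab; database carries the role type ('static' | 'dynamic' | '') so the show/credentials routes can skip probing both role endpoints.` Note that an empty `type` still produces `{ type: '' }` for database, so links render with a bare `?type=`; returning undefined in that case would be cleaner if the consumers tolerate it.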


@ -127,7 +127,9 @@ export default Model.extend({
staticPath: lazyCapabilities(apiPath`${'backend'}/static-roles/+`, 'backend'),
canCreateStatic: alias('staticPath.canCreate'),
credentialPath: lazyCapabilities(apiPath`${'backend'}/creds/${'id'}`, 'backend', 'id'),
staticCredentialPath: lazyCapabilities(apiPath`${'backend'}/static-creds/${'id'}`, 'backend', 'id'),
canGenerateCredentials: alias('credentialPath.canRead'),
canGetCredentials: alias('staticCredentialPath.canRead'),
databasePath: lazyCapabilities(apiPath`${'backend'}/config/${'database[0]'}`, 'backend', 'database'),
canUpdateDb: alias('databasePath.canUpdate'),
});
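Review bot: The new `staticCredentialPath` / `canGetCredentials` pair is the capability check that lets the list gate "Get credentials" on `static-creds/<name>` instead of `creds/<name>`, but nothing on the model says which role type each pair governs, and the two aliases (`canGenerateCredentials` vs `canGetCredentials`) are easy to confuse. Add a comment above the two definitions: `// Dynamic roles vend from <backend>/creds/<id>; static roles are read from <backend>/static-creds/<id>. Capabilities are path-specific, so check each separately and let templates branch on model.type.` Both lazyCapabilities are declared for every role regardless of type, which the comment should make explicit so a future reader does not expect one to be empty.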


@ -23,8 +23,8 @@ export default Route.extend({
return this.pathHelp.getNewModel(modelType, backend);
},
getDatabaseCredential(backend, secret) {
return this.store.queryRecord('database/credential', { backend, secret }).catch(error => {
getDatabaseCredential(backend, secret, roleType = '') {
return this.store.queryRecord('database/credential', { backend, secret, roleType }).catch(error => {
if (error instanceof ControlGroupError) {
throw error;
}
@ -57,7 +57,7 @@ export default Route.extend({
let roleType = params.roleType;
let dbCred;
if (backendType === 'database') {
dbCred = await this.getDatabaseCredential(backendPath, role);
dbCred = await this.getDatabaseCredential(backendPath, role, roleType);
}
if (!SUPPORTED_DYNAMIC_BACKENDS.includes(backendModel.get('type'))) {
return this.transitionTo('vault.cluster.secrets.backend.list-root', backendPath);
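Review bot: `roleType` is taken straight from `params.roleType` and forwarded to the adapter without normalization; the adapter only acts on the literal strings `'static'` and `'dynamic'` and silently falls back to querying both creds endpoints for anything else, so a stale or edited link changes which requests are made without any indication. State that contract at the call site with a comment on `getDatabaseCredential`: `// roleType ('static' | 'dynamic' | '') only narrows which creds endpoint is tried; any other value falls back to trying both.` If stricter behavior is wanted, coerce here with `const roleType = ['static', 'dynamic'].includes(params.roleType) ? params.roleType : '';`. The catch block of getDatabaseCredential and the surrounding model hook both extend beyond these hunks.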


@ -219,6 +219,7 @@ export default Route.extend(UnloadModelRoute, {
let secret = this.secretParam();
let backend = this.enginePathParam();
let modelType = this.modelType(backend, secret);
let type = params.type || '';
if (!secret) {
secret = '\u0020';
}
@ -235,7 +236,7 @@ export default Route.extend(UnloadModelRoute, {
let capabilities = this.capabilities(secret, modelType);
try {
secretModel = await this.store.queryRecord(modelType, { id: secret, backend });
secretModel = await this.store.queryRecord(modelType, { id: secret, backend, type });
} catch (err) {
// we've failed the read request, but if it's a kv-type backend, we want to
// do additional checks of the capabilities
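Review bot: `type` is now passed into `queryRecord` for every `modelType` this route resolves, not only `database/role`, since the call is generic; only the database role adapter is shown reading it, and whether other adapters ignore unknown query keys or forward them to the API is not visible here. A short comment on the new line would prevent surprise: `// type is only consumed by the database/role adapter (static vs dynamic); other adapters are expected to ignore it`. If any adapter does serialize the whole query into request params, scoping it as `...(modelType === 'database/role' ? { type } : {})` would be safer. The enclosing model hook starts and ends outside these hunks.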


@ -17,7 +17,7 @@ export default RESTSerializer.extend({
return roles;
}
let path = 'roles';
if (payload.data.type === 'static') {
if (payload.type === 'static') {
path = 'static-roles';
}
let database = [];
@ -34,9 +34,10 @@ export default RESTSerializer.extend({
revocation_statement = payload.data.revocation_statements[0];
}
return {
id: payload.secret,
name: payload.secret,
id: payload.id,
backend: payload.backend,
name: payload.id,
type: payload.type,
database,
path,
creation_statement,


@ -35,7 +35,7 @@
<button
type="button"
class="toolbar-link"
{{on 'click' (fn this.generateCreds @model.id)}}
{{on 'click' (fn this.generateCreds @model.id @model.type)}}
data-test-database-role-generate-creds
>
{{if (eq @model.type "static") "Get credentials" "Generate credentials"}}


@ -4,11 +4,16 @@
class="list-item-row"
data-test-secret-link=@item.id
encode=true
queryParams=(secret-query-params @backendType)
queryParams=(secret-query-params @backendType @item.type)
}}
<div class="columns is-mobile">
<div class="column is-10">
<LinkTo @route={{concat "vault.cluster.secrets.backend.show" }} @model={{if this.keyTypeValue (concat 'role/' @item.id) @item.id}} class="has-text-black has-text-weight-semibold">
<LinkTo
@route={{concat "vault.cluster.secrets.backend.show" }}
@model={{if this.keyTypeValue (concat 'role/' @item.id) @item.id}}
@query={{secret-query-params @backendType @item.type}}
class="has-text-black has-text-weight-semibold"
>
<Icon
@glyph="user-square-outline"
class="has-text-grey-light is-pulled-left"
@ -50,10 +55,16 @@
</button>
</li>
{{/if}}
{{#if @item.canGenerateCredentials}}
{{#if (and (eq @item.type "dynamic") @item.canGenerateCredentials)}}
<li class="action">
<LinkTo @route="vault.cluster.secrets.backend.credentials" @model={{@item.id}} @query={{hash roleType=this.keyTypeValue}}>
{{if (eq @item.type "static") "Get credentials" "Generate credentials"}}
Generate credentials
</LinkTo>
</li>
{{else if (and (eq @item.type "static") @item.canGetCredentials)}}
<li class="action">
<LinkTo @route="vault.cluster.secrets.backend.credentials" @model={{@item.id}} @query={{hash roleType=this.keyTypeValue}}>
Get credentials
</LinkTo>
</li>
{{/if}}
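Review bot: Both credential links still pass `roleType=this.keyTypeValue` even though the row now knows `@item.type` and the credential adapter's single-request path keys on the literal values `'static'` / `'dynamic'`; if `keyTypeValue` is not one of those, the credentials route falls back to probing both endpoints and the per-type capability branching added here buys nothing on that path. Passing `@query={{hash roleType=@item.type}}` in both LinkTos keeps the list and the adapter in agreement (what `keyTypeValue` holds is not visible in this hunk, so confirm before changing). The two `<li>` branches differ only in the capability flag and the label, so a single `{{#if (if (eq @item.type "static") @item.canGetCredentials @item.canGenerateCredentials)}}` with the existing label expression would remove the duplication. Worth a reminder in a comment that these checks only hide UI affordances; authorization is enforced server-side on the creds/static-creds paths.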