From 67ba021e36361d714c90783eaa4ec21f4213875e Mon Sep 17 00:00:00 2001
From: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Date: Fri, 25 Feb 2022 12:16:54 -0600
Subject: [PATCH] UI: add Database static role password rotation (#14268)

* Add UI feature allowing database role credential rotation

* Only show the 'rotate credentials' option for static roles

* rotate role path uses id for permissions

* Add rotate credentials button to show page on static role

* Mirage handlers for role for simple testing

* Add changelog

* lint rules

* fix lint

Co-authored-by: Bartek Marczak <bartek.marczak@gmail.com>
---
 changelog/14268.txt                           |  3 +++
 ui/app/adapters/database/credential.js        |  7 +++++
 ui/app/components/database-role-edit.js       | 13 +++++++++
 .../secret-list/database-list-item.js         | 13 +++++++++
 ui/app/models/database/role.js                |  2 ++
 .../components/database-role-edit.hbs         |  5 ++++
 .../secret-list/database-list-item.hbs        |  7 +++++
 ui/mirage/handlers/db.js                      | 27 +++++++++++++++++++
 ui/mirage/handlers/index.js                   |  3 ++-
 9 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 changelog/14268.txt
 create mode 100644 ui/mirage/handlers/db.js

diff --git a/changelog/14268.txt b/changelog/14268.txt
new file mode 100644
index 000000000..85de0a898
--- /dev/null
+++ b/changelog/14268.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Allow static role credential rotation in Database secrets engines
+```
diff --git a/ui/app/adapters/database/credential.js b/ui/app/adapters/database/credential.js
index 6f7763e2e..b3652c2ff 100644
--- a/ui/app/adapters/database/credential.js
+++ b/ui/app/adapters/database/credential.js
@@ -47,4 +47,11 @@ export default ApplicationAdapter.extend({
   queryRecord(store, type, query) {
     return this.fetchByQuery(store, query);
   },
+
+  rotateRoleCredentials(backend, id) {
+    return this.ajax(
+      `${this.buildURL()}/${encodeURIComponent(backend)}/rotate-role/${encodeURIComponent(id)}`,
+      'POST'
+    );
+  },
 });
diff --git a/ui/app/components/database-role-edit.js b/ui/app/components/database-role-edit.js
index 988396b52..ff8d8b60a 100644
--- a/ui/app/components/database-role-edit.js
+++ b/ui/app/components/database-role-edit.js
@@ -108,4 +108,17 @@ export default class DatabaseRoleEdit extends Component {
         this.loading = false;
       });
   }
+  @action
+  rotateRoleCred(id) {
+    const backend = this.args.model?.backend;
+    let adapter = this.store.adapterFor('database/credential');
+    adapter
+      .rotateRoleCredentials(backend, id)
+      .then(() => {
+        this.flashMessages.success(`Success: Credentials for ${id} role were rotated`);
+      })
+      .catch((e) => {
+        this.flashMessages.danger(e.errors);
+      });
+  }
 }
diff --git a/ui/app/components/secret-list/database-list-item.js b/ui/app/components/secret-list/database-list-item.js
index 76663617c..32b057248 100644
--- a/ui/app/components/secret-list/database-list-item.js
+++ b/ui/app/components/secret-list/database-list-item.js
@@ -58,4 +58,17 @@ export default class DatabaseListItem extends Component {
         this.flashMessages.danger(e.errors);
       });
   }
+  @action
+  rotateRoleCred(id) {
+    const { backend } = this.args.item;
+    let adapter = this.store.adapterFor('database/credential');
+    adapter
+      .rotateRoleCredentials(backend, id)
+      .then(() => {
+        this.flashMessages.success(`Success: Credentials for ${id} role were rotated`);
+      })
+      .catch((e) => {
+        this.flashMessages.danger(e.errors);
+      });
+  }
 }
diff --git a/ui/app/models/database/role.js b/ui/app/models/database/role.js
index fb3d71670..e8fc3a67a 100644
--- a/ui/app/models/database/role.js
+++ b/ui/app/models/database/role.js
@@ -130,4 +130,6 @@ export default Model.extend({
   canGetCredentials: alias('staticCredentialPath.canRead'),
   databasePath: lazyCapabilities(apiPath`${'backend'}/config/${'database[0]'}`, 'backend', 'database'),
   canUpdateDb: alias('databasePath.canUpdate'),
+  rotateRolePath: lazyCapabilities(apiPath`${'backend'}/rotate-role/${'id'}`, 'backend', 'id'),
+  canRotateRoleCredentials: alias('rotateRolePath.canUpdate'),
 });
diff --git a/ui/app/templates/components/database-role-edit.hbs b/ui/app/templates/components/database-role-edit.hbs
index 5e8a8e854..9293e23e2 100644
--- a/ui/app/templates/components/database-role-edit.hbs
+++ b/ui/app/templates/components/database-role-edit.hbs
@@ -31,6 +31,11 @@
         </ConfirmAction>
         <div class="toolbar-separator"></div>
       {{/if}}
+      {{#if (and @model.canRotateRoleCredentials (eq @model.type "static"))}}
+        <button type="button" class="toolbar-link" {{on "click" (fn this.rotateRoleCred @model.id)}}>
+          Rotate credentials
+        </button>
+      {{/if}}
       {{#if @model.canGenerateCredentials}}
         <button
           type="button"
diff --git a/ui/app/templates/components/secret-list/database-list-item.hbs b/ui/app/templates/components/secret-list/database-list-item.hbs
index 3367a4daf..2095ca27b 100644
--- a/ui/app/templates/components/secret-list/database-list-item.hbs
+++ b/ui/app/templates/components/secret-list/database-list-item.hbs
@@ -70,6 +70,13 @@
                 </LinkTo>
               </li>
             {{/if}}
+            {{#if (and @item.canRotateRoleCredentials (eq this.keyTypeValue "static"))}}
+              <li class="action">
+                <button type="button" class="link" {{on "click" (fn this.rotateRoleCred @item.id)}}>
+                  Rotate credentials
+                </button>
+              </li>
+            {{/if}}
             {{#if @item.canRotateRoot}}
               <li class="action">
                 <button type="button" class="link" {{on "click" (fn this.rotateRootCred @item.id)}}>
diff --git a/ui/mirage/handlers/db.js b/ui/mirage/handlers/db.js
new file mode 100644
index 000000000..ca4ee390a
--- /dev/null
+++ b/ui/mirage/handlers/db.js
@@ -0,0 +1,27 @@
+export default function (server) {
+  server.get('/database/static-roles', function () {
+    return {
+      data: { keys: ['dev-static', 'prod-static'] },
+    };
+  });
+
+  server.get('/database/static-roles/:rolename', function (db, req) {
+    if (req.params.rolename.includes('tester')) {
+      return new Response(400);
+    }
+    return {
+      data: {
+        rotation_statements: [
+          '{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }',
+        ],
+        db_name: 'connection',
+        username: 'alice',
+        rotation_period: '1h',
+      },
+    };
+  });
+
+  server.post('/database/rotate-role/:rolename', function () {
+    return new Response(204);
+  });
+}
diff --git a/ui/mirage/handlers/index.js b/ui/mirage/handlers/index.js
index 4466bfb79..58b135738 100644
--- a/ui/mirage/handlers/index.js
+++ b/ui/mirage/handlers/index.js
@@ -4,5 +4,6 @@ import base from './base';
 import mfa from './mfa';
 import activity from './activity';
 import clients from './clients';
+import db from './db';
 
-export { base, activity, mfa, clients };
+export { base, activity, mfa, clients, db };