open-vault/ui/app/models/capabilities.js

59 lines
1.7 KiB
JavaScript

/**
* Copyright (c) HashiCorp, Inc.
* SPDX-License-Identifier: MPL-2.0
*/
// This model represents the capabilities on a given `path`
// `path` is also the primaryId
// https://www.vaultproject.io/docs/concepts/policies.html#capabilities
import Model, { attr } from '@ember-data/model';
import { computed } from '@ember/object';
const SUDO_PATHS = [
'sys/seal',
'sys/replication/performance/primary/secondary-token',
'sys/replication/dr/primary/secondary-token',
'sys/replication/reindex',
'sys/leases/lookup/',
];
const SUDO_PATH_PREFIXES = ['sys/leases/revoke-prefix', 'sys/leases/revoke-force'];
export { SUDO_PATHS, SUDO_PATH_PREFIXES };
const computedCapability = function (capability) {
return computed('path', 'capabilities', 'capabilities.[]', function () {
const capabilities = this.capabilities;
const path = this.path;
if (!capabilities) {
return false;
}
if (capabilities.includes('root')) {
return true;
}
if (capabilities.includes('deny')) {
return false;
}
// if the path is sudo protected, they'll need sudo + the appropriate capability
if (SUDO_PATHS.includes(path) || SUDO_PATH_PREFIXES.find((item) => path.startsWith(item))) {
return capabilities.includes('sudo') && capabilities.includes(capability);
}
return capabilities.includes(capability);
});
};
export default Model.extend({
path: attr('string'),
capabilities: attr('array'),
canSudo: computedCapability('sudo'),
canRead: computedCapability('read'),
canCreate: computedCapability('create'),
canUpdate: computedCapability('update'),
canDelete: computedCapability('delete'),
canList: computedCapability('list'),
allowedParameters: attr(),
deniedParameters: attr(),
});