open-vault/ui/app/models/role-ssh.js

169 lines
5.6 KiB
JavaScript

/**
* Copyright (c) HashiCorp, Inc.
* SPDX-License-Identifier: MPL-2.0
*/
import Model, { attr } from '@ember-data/model';
import { alias } from '@ember/object/computed';
import { computed } from '@ember/object';
import fieldToAttrs, { expandAttributeMeta } from 'vault/utils/field-to-attrs';
import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
// these arrays define the order in which the fields will be displayed
// see
// https://github.com/hashicorp/vault/blob/main/builtin/logical/ssh/path_roles.go#L542 for list of fields for each key type
const OTP_FIELDS = [
'name',
'keyType',
'defaultUser',
'adminUser',
'port',
'allowedUsers',
'cidrList',
'excludeCidrList',
];
const CA_FIELDS = [
'name',
'keyType',
'allowUserCertificates',
'allowHostCertificates',
'defaultUser',
'allowedUsers',
'allowedUsersTemplate',
'allowedDomains',
'allowedDomainsTemplate',
'ttl',
'maxTtl',
'allowedCriticalOptions',
'defaultCriticalOptions',
'allowedExtensions',
'defaultExtensions',
'allowBareDomains',
'allowSubdomains',
'allowUserKeyIds',
'keyIdFormat',
'notBeforeDuration',
'algorithmSigner',
];
export default Model.extend({
useOpenAPI: true,
getHelpUrl: function (backend) {
return `/v1/${backend}/roles/example?help=1`;
},
zeroAddress: attr('boolean', {
readOnly: true,
}),
backend: attr('string', {
readOnly: true,
}),
name: attr('string', {
label: 'Role Name',
fieldValue: 'name',
readOnly: true,
}),
keyType: attr('string', {
possibleValues: ['ca', 'otp'], //overriding the API which also lists 'dynamic' as a type though it is deprecated
}),
adminUser: attr('string', {
helpText: 'Username of the admin user at the remote host',
}),
defaultUser: attr('string', {
helpText: "Username to use when one isn't specified",
}),
allowedUsers: attr('string', {
helpText:
'Create a list of users who are allowed to use this key (e.g. `admin, dev`, or use `*` to allow all.)',
}),
allowedUsersTemplate: attr('boolean', {
helpText:
'Specifies that Allowed Users can be templated e.g. {{identity.entity.aliases.mount_accessor_xyz.name}}',
}),
allowedDomains: attr('string', {
helpText:
'List of domains for which a client can request a certificate (e.g. `example.com`, or `*` to allow all)',
}),
allowedDomainsTemplate: attr('boolean', {
helpText:
'Specifies that Allowed Domains can be set using identity template policies. Non-templated domains are also permitted.',
}),
cidrList: attr('string', {
helpText: 'List of CIDR blocks for which this role is applicable',
}),
excludeCidrList: attr('string', {
helpText: 'List of CIDR blocks that are not accepted by this role',
}),
port: attr('number', {
helpText: 'Port number for the SSH connection (default is `22`)',
}),
allowedCriticalOptions: attr('string', {
helpText: 'List of critical options that certificates have when signed',
}),
defaultCriticalOptions: attr('object', {
helpText: 'Map of critical options certificates should have if none are provided when signing',
}),
allowedExtensions: attr('string', {
helpText: 'List of extensions that certificates can have when signed',
}),
defaultExtensions: attr('object', {
helpText: 'Map of extensions certificates should have if none are provided when signing',
}),
allowUserCertificates: attr('boolean', {
helpText: 'Specifies if certificates are allowed to be signed for us as a user',
}),
allowHostCertificates: attr('boolean', {
helpText: 'Specifies if certificates are allowed to be signed for us as a host',
}),
allowBareDomains: attr('boolean', {
helpText:
'Specifies if host certificates that are requested are allowed to use the base domains listed in Allowed Domains',
}),
allowSubdomains: attr('boolean', {
helpText:
'Specifies if host certificates that are requested are allowed to be subdomains of those listed in Allowed Domains',
}),
allowUserKeyIds: attr('boolean', {
helpText: 'Specifies if users can override the key ID for a signed certificate with the "key_id" field',
}),
keyIdFormat: attr('string', {
helpText: 'When supplied, this value specifies a custom format for the key id of a signed certificate',
}),
algorithmSigner: attr('string', {
helpText: 'When supplied, this value specifies a signing algorithm for the key',
possibleValues: ['default', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512'],
}),
showFields: computed('keyType', function () {
const keyType = this.keyType;
const keys = keyType === 'ca' ? CA_FIELDS.slice(0) : OTP_FIELDS.slice(0);
return expandAttributeMeta(this, keys);
}),
fieldGroups: computed('keyType', function () {
const numRequired = this.keyType === 'otp' ? 3 : 4;
const fields = this.keyType === 'otp' ? [...OTP_FIELDS] : [...CA_FIELDS];
const defaultFields = fields.splice(0, numRequired);
const groups = [
{ default: defaultFields },
{
Options: [...fields],
},
];
return fieldToAttrs(this, groups);
}),
updatePath: lazyCapabilities(apiPath`${'backend'}/roles/${'id'}`, 'backend', 'id'),
canDelete: alias('updatePath.canDelete'),
canEdit: alias('updatePath.canUpdate'),
canRead: alias('updatePath.canRead'),
generatePath: lazyCapabilities(apiPath`${'backend'}/creds/${'id'}`, 'backend', 'id'),
canGenerate: alias('generatePath.canUpdate'),
signPath: lazyCapabilities(apiPath`${'backend'}/sign/${'id'}`, 'backend', 'id'),
canSign: alias('signPath.canUpdate'),
zeroAddressPath: lazyCapabilities(apiPath`${'backend'}/config/zeroaddress`, 'backend'),
canEditZeroAddress: alias('zeroAddressPath.canUpdate'),
});