open-vault/ui/app/adapters/database/role.js
Chelsea Shaw 4a9669a1bc
UI/database cg read role (#12111)
* Add type param to secret show, handle CG in database role show

* If roleType is passed to credential, only make one creds API call

* Clean up db role adapter and serializer

* url param roleType passed to credentials call

* Role list capabilities check for static and dynamic separately

* Add changelog

* Consistent adapter response for single or double call

* Prioritize dynamic response if control group on role/creds
2021-07-20 11:28:44 -05:00

198 lines
5.6 KiB
JavaScript

import { assign } from '@ember/polyfills';
import { assert } from '@ember/debug';
import ControlGroupError from 'vault/lib/control-group-error';
import ApplicationAdapter from '../application';
import { allSettled } from 'rsvp';
import { addToArray } from 'vault/helpers/add-to-array';
import { removeFromArray } from 'vault/helpers/remove-from-array';
export default ApplicationAdapter.extend({
namespace: 'v1',
pathForType() {
assert('Generate the url dynamically based on role type', false);
},
urlFor(backend, id, type = 'dynamic') {
let role = 'roles';
if (type === 'static') {
role = 'static-roles';
}
let url = `${this.buildURL()}/${backend}/${role}`;
if (id) {
url = `${this.buildURL()}/${backend}/${role}/${id}`;
}
return url;
},
staticRoles(backend, id) {
return this.ajax(this.urlFor(backend, id, 'static'), 'GET', this.optionsForQuery(id)).then(resp => {
if (id) {
return {
...resp,
type: 'static',
backend,
id,
};
}
return resp;
});
},
dynamicRoles(backend, id) {
return this.ajax(this.urlFor(backend, id), 'GET', this.optionsForQuery(id)).then(resp => {
if (id) {
return {
...resp,
type: 'dynamic',
backend,
id,
};
}
return resp;
});
},
optionsForQuery(id) {
let data = {};
if (!id) {
data['list'] = true;
}
return { data };
},
queryRecord(store, type, query) {
const { backend, id } = query;
if (query.type === 'static') {
return this.staticRoles(backend, id);
} else if (query?.type === 'dynamic') {
return this.dynamicRoles(backend, id);
}
// if role type is not defined, try both
return allSettled([this.staticRoles(backend, id), this.dynamicRoles(backend, id)]).then(
([staticResp, dynamicResp]) => {
if (staticResp.state === 'rejected' && dynamicResp.state === 'rejected') {
let reason = staticResp.reason;
if (dynamicResp.reason instanceof ControlGroupError) {
throw dynamicResp.reason;
}
if (reason?.httpStatus < dynamicResp.reason?.httpStatus) {
reason = dynamicResp.reason;
}
throw reason;
}
// Names are distinct across both types of role,
// so only one request should ever come back with value
let type = staticResp.value ? 'static' : 'dynamic';
let successful = staticResp.value || dynamicResp.value;
let resp = {
data: {},
backend,
id,
type,
};
resp.data = assign({}, successful.data);
return resp;
}
);
},
query(store, type, query) {
const { backend } = query;
const staticReq = this.staticRoles(backend);
const dynamicReq = this.dynamicRoles(backend);
return allSettled([staticReq, dynamicReq]).then(([staticResp, dynamicResp]) => {
let resp = {
backend,
data: { keys: [] },
};
if (staticResp.reason && dynamicResp.reason) {
// both failed, throw error
throw dynamicResp.reason;
}
// at least one request has data
let staticRoles = [];
let dynamicRoles = [];
if (staticResp.value) {
staticRoles = staticResp.value.data.keys;
}
if (dynamicResp.value) {
dynamicRoles = dynamicResp.value.data.keys;
}
resp.data = assign(
{},
resp.data,
{ keys: [...staticRoles, ...dynamicRoles] },
{ backend },
{ staticRoles, dynamicRoles }
);
return resp;
});
},
async _updateAllowedRoles(store, { role, backend, db, type = 'add' }) {
const connection = await store.queryRecord('database/connection', { backend, id: db });
let roles = [...connection.allowed_roles];
const allowedRoles = type === 'add' ? addToArray([roles, role]) : removeFromArray([roles, role]);
connection.allowed_roles = allowedRoles;
return connection.save();
},
async createRecord(store, type, snapshot) {
const serializer = store.serializerFor(type.modelName);
const data = serializer.serialize(snapshot);
const roleType = snapshot.attr('type');
const backend = snapshot.attr('backend');
const id = snapshot.attr('name');
const db = snapshot.attr('database');
try {
await this._updateAllowedRoles(store, {
role: id,
backend,
db: db[0],
});
} catch (e) {
throw new Error('Could not update allowed roles for selected database. Check Vault logs for details');
}
return this.ajax(this.urlFor(backend, id, roleType), 'POST', { data }).then(() => {
// ember data doesn't like 204s if it's not a DELETE
return {
data: assign({}, data, { id }),
};
});
},
async deleteRecord(store, type, snapshot) {
const roleType = snapshot.attr('type');
const backend = snapshot.attr('backend');
const id = snapshot.attr('name');
const db = snapshot.attr('database');
await this._updateAllowedRoles(store, {
role: id,
backend,
db: db[0],
type: 'remove',
});
return this.ajax(this.urlFor(backend, id, roleType), 'DELETE');
},
async updateRecord(store, type, snapshot) {
const serializer = store.serializerFor(type.modelName);
const data = serializer.serialize(snapshot);
const roleType = snapshot.attr('type');
const backend = snapshot.attr('backend');
const id = snapshot.attr('name');
return this.ajax(this.urlFor(backend, id, roleType), 'POST', { data }).then(() => data);
},
});