luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/ui/app/services/auth.js
Angel Garbarino 081db3a240
Ember-cli upgrade from ~3.8 to ~3.20 (#9972) 
* Update ember-cli to ~3.20

* Remove bad optional-feature

* Remove ember-fetch dep

* re-install ember-fetch

* update model fragments pr

* update ember model fragments correct package name

* update ember composable helpers to solve array helper error

* update ember-concurrency

* add back engine dependencies, automatically removed during ember-cli-upgrade

* make author-form-options component js file otherwise error

* for now comment out withTestWaiter

* add eslint-node and fix if not with unless in templates

* fix linting for tab index of false is now -1 and add type button to all buttons without types

* fix href errors for linting, likely have to come back and fix

* using eslint fix flag to fix all this.gets

* ember modules codemode removed files that had module twice, will fix in next commit

* finish codemode ember-data-codemod needed to rename const model

* more this.get removal codemode did not work

* cont. removal of this.get

* stop mixin rules until figure out how to reconfig them all

* smaller eslint ignores

* get codemode

* testing app small fixes to bring it back after all the changes

* small changes to eslint

* test removal of getProperties

* fix issue with baseKey because value could be unknown needed to add a question mark in nested get

* smaller linting fixes

* get nested fixes

* small linting error fixes

* small linting changes

* working through more small linting changes

* another round of linting modifications

* liniting fixes

* ember module codemod

* quinit dom codemod

* angle bracket codemod

* discovered that components must have js files

* ran all codemods this is all that's left

* small changes to fix get needs two object, should not have been using get.

* fix issue with one input in form field

* fun times with set and onChange from oninput

* fix issue with model not being passed through on secret-edit-display

* fix issue with yarn run test not working, revert without npm run all

* linting and small fix when loading without a selectAuthBackend

* fix failing test with ui-wizard issue

* fix test failure due to model not being asked for correctly with new changes, probably run into this more.

* fix issue with component helper and at props specific to wizard

* rename log to clilog due to conflict with new eslint rule

* small changes for test failures

* component helper at fixes

* Revert to old component style something with new one broke this and can't figure it out for now

* small fishy smelling test fixes will revisit

* small test changes

* more small test changes, appears upgrade treats spaces differently

* comment out code and test that no longer seems relevant but confirm

* clean run on component test though still some potential timing issues on ui-console test

* fixing one auth test issue and timing issue on enable-test

* small mods

* fix this conditional check from upgrade

* linting fixes after master merge

* package updates using yarn upgrade-interactive

* update libraries that did not effect any of the test failures.

* update ember truth helpers library

* settling tests

* Fix ui-panel control group output

* fix features selection test failures

* Fix auth tests (x-vault-token)

* fix shared test

* fix issue with data null on backend

* Revert "Fix auth tests (x-vault-token)"

This reverts commit 89cb174b2f1998efa56d9604d14131415ae65d6f.

* Fix auth tests (x-vault-token) without updating this.set

* Update redirect-to tests

* fix wrapped token test

* skip some flaky test

* fix issue with href and a tags vs buttons

* fix linting

* updates to get tests running (#10409)

* yarn isntall

* increasing resource_class

* whoops

* trying large

* back to xlarge

* Fix param issue on transform item routes

* test fixes

* settle on policies (old) test

* fix browserstack test warning and skips of test confirmed worked

* Fix redirect-to test

* skips

* fix transformation test and skip some kmip

* Skip tests

* Add meep marker to remaining failing tests

* Skip test with failing component

* rever skip on secret-create test

* Skip piece of test that fails due to navigation-input

* fix settings test where can and skip in others after confirming

* fix circle ci test failures

* ssh role settle

* Fix navigate-input and add settled to test

* Remove extra import

* secret cubbyhole and alicloud

* Add settled to gcpkms test

* settles on redirect to test

* Bump browserstack test resource to large

* Update browserstack resource size to xlarge

* update todos

* add back in withTestWaiter

* try and fix credentials conditional action added comment instead

* Update volatile computed properies to get functions

* this step was never reached and we never defined secretType anywhere so I removed

* add settled to policy old test

* Fix navigate-input on policies and leases

* replace ssh test with no var hoping that helps and add settled to other failing tests, unskip console tests

* kmip, transit, role test remove a skip and add in settled

* fix hover copy button, had to remove some testing functionality

* Remove private router service

* remove skip on control ssh and ui panel, fix search select by restructuring how to read the error

* final bit of working through skipped test

* Replace clearNonGlobalModels by linking directly to namespace with href-to

* Remove unused var

* Fix role-ssh id bug by updating form-field-from-model to form-field-group-loop

* Fix transit create id would not update

* Update option toggle selector for ssh-role

* Fix ssh selector

* cleanup pt1

* small clean up

* cleanup part2

* Fix computed on pricing-metrics-form

* small cleanup based on chelseas comments.

Co-authored-by: Chelsea Shaw <chelshaw.dev@gmail.com>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
2020-12-03 16:00:22 -07:00

376 lines
10 KiB
JavaScript
Raw Blame History

import Ember from 'ember';
import { resolve, reject } from 'rsvp';
import { assign } from '@ember/polyfills';
import { isArray } from '@ember/array';
import { computed, get } from '@ember/object';
import fetch from 'fetch';
import { getOwner } from '@ember/application';
import Service, { inject as service } from '@ember/service';
import getStorage from '../lib/token-storage';
import ENV from 'vault/config/environment';
import { supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
import { task, timeout } from 'ember-concurrency';
const TOKEN_SEPARATOR = '☃';
const TOKEN_PREFIX = 'vault-';
const ROOT_PREFIX = '_root_';
const BACKENDS = supportedAuthBackends();
export { TOKEN_SEPARATOR, TOKEN_PREFIX, ROOT_PREFIX };
export default Service.extend({
permissions: service(),
namespaceService: service('namespace'),
IDLE_TIMEOUT: 3 * 60e3,
expirationCalcTS: null,
init() {
this._super(...arguments);
this.checkForRootToken();
},
clusterAdapter() {
return getOwner(this).lookup('adapter:cluster');
},
tokens: computed(function() {
return this.getTokensFromStorage() || [];
}),
generateTokenName({ backend, clusterId }, policies) {
return (policies || []).includes('root')
? `${TOKEN_PREFIX}${ROOT_PREFIX}${TOKEN_SEPARATOR}${clusterId}`
: `${TOKEN_PREFIX}${backend}${TOKEN_SEPARATOR}${clusterId}`;
},
backendFromTokenName(tokenName) {
return tokenName.includes(`${TOKEN_PREFIX}${ROOT_PREFIX}`)
? 'token'
: tokenName.slice(TOKEN_PREFIX.length).split(TOKEN_SEPARATOR)[0];
},
storage(tokenName) {
if (
tokenName &&
tokenName.indexOf(`${TOKEN_PREFIX}${ROOT_PREFIX}`) === 0 &&
this.environment() !== 'development'
) {
return getStorage('memory');
} else {
return getStorage();
}
},
environment() {
return ENV.environment;
},
now() {
return Date.now();
},
setCluster(clusterId) {
this.set('activeCluster', clusterId);
},
ajax(url, method, options) {
const defaults = {
url,
method,
dataType: 'json',
headers: {
'X-Vault-Token': this.currentToken,
},
};
let namespace = typeof options.namespace === 'undefined' ? this.namespaceService.path : options.namespace;
if (namespace) {
defaults.headers['X-Vault-Namespace'] = namespace;
}
let opts = assign(defaults, options);
return fetch(url, {
method: opts.method || 'GET',
headers: opts.headers || {},
}).then(response => {
if (response.status === 204) {
return resolve();
} else if (response.status >= 200 && response.status < 300) {
return resolve(response.json());
} else {
return reject();
}
});
},
renewCurrentToken() {
let namespace = this.authData.userRootNamespace;
const url = '/v1/auth/token/renew-self';
return this.ajax(url, 'POST', { namespace });
},
revokeCurrentToken() {
let namespace = this.authData.userRootNamespace;
const url = '/v1/auth/token/revoke-self';
return this.ajax(url, 'POST', { namespace });
},
calculateExpiration(resp) {
let now = this.now();
const ttl = resp.ttl || resp.lease_duration;
const tokenExpirationEpoch = now + ttl * 1e3;
this.set('expirationCalcTS', now);
return {
ttl,
tokenExpirationEpoch,
};
},
persistAuthData() {
let [firstArg, resp] = arguments;
let tokens = this.tokens;
let currentNamespace = this.namespaceService.path || '';
let tokenName;
let options;
let backend;
if (typeof firstArg === 'string') {
tokenName = firstArg;
backend = this.backendFromTokenName(tokenName);
} else {
options = firstArg;
backend = options.backend;
}
let currentBackend = BACKENDS.findBy('type', backend);
let displayName;
if (isArray(currentBackend.displayNamePath)) {
displayName = currentBackend.displayNamePath.map(name => get(resp, name)).join('/');
} else {
displayName = get(resp, currentBackend.displayNamePath);
}
let { entity_id, policies, renewable, namespace_path } = resp;
// here we prefer namespace_path if its defined,
// else we look and see if there's already a namespace saved
// and then finally we'll use the current query param if the others
// haven't set a value yet
// all of the typeof checks are necessary because the root namespace is ''
let userRootNamespace = namespace_path && namespace_path.replace(/\/$/, '');
// if we're logging in with token and there's no namespace_path, we can assume
// that the token belongs to the root namespace
if (backend === 'token' && !userRootNamespace) {
userRootNamespace = '';
}
if (typeof userRootNamespace === 'undefined') {
if (this.authData) {
userRootNamespace = this.authData.userRootNamespace;
}
}
if (typeof userRootNamespace === 'undefined') {
userRootNamespace = currentNamespace;
}
let data = {
userRootNamespace,
displayName,
backend: currentBackend,
token: resp.client_token || get(resp, currentBackend.tokenPath),
policies,
renewable,
entity_id,
};
tokenName = this.generateTokenName(
{
backend,
clusterId: (options && options.clusterId) || this.activeCluster,
},
resp.policies
);
if (resp.renewable) {
assign(data, this.calculateExpiration(resp));
}
if (!data.displayName) {
data.displayName = get(this.getTokenData(tokenName) || {}, 'displayName');
}
tokens.addObject(tokenName);
this.set('tokens', tokens);
this.set('allowExpiration', false);
this.setTokenData(tokenName, data);
return resolve({
namespace: currentNamespace || data.userRootNamespace,
token: tokenName,
isRoot: policies.includes('root'),
});
},
setTokenData(token, data) {
this.storage(token).setItem(token, data);
},
getTokenData(token) {
return this.storage(token).getItem(token);
},
removeTokenData(token) {
return this.storage(token).removeItem(token);
},
tokenExpirationDate: computed('currentTokenName', 'expirationCalcTS', function() {
const tokenName = this.currentTokenName;
if (!tokenName) {
return;
}
const { tokenExpirationEpoch } = this.getTokenData(tokenName);
const expirationDate = new Date(0);
return tokenExpirationEpoch ? expirationDate.setUTCMilliseconds(tokenExpirationEpoch) : null;
}),
get tokenExpired() {
const expiration = this.tokenExpirationDate;
return expiration ? this.now() >= expiration : null;
},
renewAfterEpoch: computed('currentTokenName', 'expirationCalcTS', function() {
const tokenName = this.currentTokenName;
let { expirationCalcTS } = this;
const data = this.getTokenData(tokenName);
if (!tokenName || !data || !expirationCalcTS) {
return null;
}
const { ttl, renewable } = data;
// renew after last expirationCalc time + half of the ttl (in ms)
return renewable ? Math.floor((ttl * 1e3) / 2) + expirationCalcTS : null;
}),
renew() {
const tokenName = this.currentTokenName;
const currentlyRenewing = this.isRenewing;
if (currentlyRenewing) {
return;
}
this.set('isRenewing', true);
return this.renewCurrentToken().then(
resp => {
this.set('isRenewing', false);
return this.persistAuthData(tokenName, resp.data || resp.auth);
},
e => {
this.set('isRenewing', false);
throw e;
}
);
},
checkShouldRenew: task(function*() {
while (true) {
if (Ember.testing) {
return;
}
yield timeout(5000);
if (this.shouldRenew()) {
yield this.renew();
}
}
}).on('init'),
shouldRenew() {
const now = this.now();
const lastFetch = this.lastFetch;
const renewTime = this.renewAfterEpoch;
if (!this.currentTokenName || this.tokenExpired || this.allowExpiration || !renewTime) {
return false;
}
if (lastFetch && now - lastFetch >= this.IDLE_TIMEOUT) {
this.set('allowExpiration', true);
return false;
}
if (now >= renewTime) {
return true;
}
return false;
},
setLastFetch(timestamp) {
this.set('lastFetch', timestamp);
// if expiration was allowed we want to go ahead and renew here
if (this.allowExpiration) {
this.renew();
}
this.set('allowExpiration', false);
},
getTokensFromStorage(filterFn) {
return this.storage()
.keys()
.reject(key => {
return key.indexOf(TOKEN_PREFIX) !== 0 || (filterFn && filterFn(key));
});
},
checkForRootToken() {
if (this.environment() === 'development') {
return;
}
this.getTokensFromStorage().forEach(key => {
const data = this.getTokenData(key);
if (data && data.policies && data.policies.includes('root')) {
this.removeTokenData(key);
}
});
},
async authenticate(/*{clusterId, backend, data}*/) {
const [options] = arguments;
const adapter = this.clusterAdapter();
let resp = await adapter.authenticate(options);
let authData = await this.persistAuthData(options, resp.auth || resp.data, this.namespaceService.path);
await this.permissions.getPaths.perform();
return authData;
},
getAuthType() {
if (!this.authData) return;
return this.authData.backend.type;
},
deleteCurrentToken() {
const tokenName = this.currentTokenName;
this.deleteToken(tokenName);
this.removeTokenData(tokenName);
},
deleteToken(tokenName) {
const tokenNames = this.tokens.without(tokenName);
this.removeTokenData(tokenName);
this.set('tokens', tokenNames);
},
// returns the key for the token to use
currentTokenName: computed('activeCluster', 'tokens', 'tokens.[]', function() {
const regex = new RegExp(this.activeCluster);
return this.tokens.find(key => regex.test(key));
}),
currentToken: computed('currentTokenName', function() {
const name = this.currentTokenName;
const data = name && this.getTokenData(name);
// data.token is undefined so that's why it returns current token undefined
return name && data ? data.token : null;
}),
authData: computed('currentTokenName', function() {
const token = this.currentTokenName;
if (!token) {
return;
}
const backend = this.backendFromTokenName(token);
const stored = this.getTokenData(token);
return assign(stored, {
backend: BACKENDS.findBy('type', backend),
});
}),
});
Reference in a new issue View git blame Copy permalink