luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/ui/app/services/permissions.js
Jordan Reimer 7da2085fa3
MFA Config (#15200) 
* adds mirage factories for mfa methods and login enforcement

* adds mirage handler for mfa config endpoints

* adds mirage identity manager for uuids

* updates mfa test to use renamed mfaLogin mirage handler

* updates mfa login workflow for push methods (#15214)

* MFA Login Enforcement Model (#15244)

* adds mfa login enforcement model, adapter and serializer

* updates mfa methods to hasMany realtionship and transforms property names

* updates login enforcement adapter to use urlForQuery over buildURL

* Model for mfa method (#15218)

* Model for mfa method

* Added adapter and serializer for mfa method

- Updated mfa method model
- Basic route to handle list view
- Added MFA to access nav

* Show landing page if methods are not configured

* Updated adapter,serializer

- Backend is adding new endpoint to list all the mfa methods

* Updated landing page

- Added MFA diagram
- Created helper to resolve full path for assets like images

* Remove ember assign

* Fixed failing test

* MFA method and enforcement list view (#15353)

* MFA method and enforcement list view

- Added new route for list views
- List mfa methods along with id, type and icon
- Added client side pagination to list views

* Throw error if method id is not present

* MFA Login Enforcement Form (#15410)

* adds mfa login enforcement form and header components and radio card component

* skips login enforcement form tests for now

* adds jsdoc annotations for mfa-login-enforcement-header component

* adds error handling when fetching identity targets in login enforcement form component

* updates radio-card label elements

* MFA Login Enforcement Create and Edit routes (#15422)

* adds mfa login enforcement form and header components and radio card component

* skips login enforcement form tests for now

* updates to login enforcement form to fix issues hydrating methods and targets from model when editing

* updates to mfa-config mirage handler and login enforcement handler

* fixes issue with login enforcement serializer normalizeItems method throwing error on save

* updates to mfa route structure

* adds login enforcement create and edit routes

* MFA Login Enforcement Read Views (#15462)

* adds login enforcement read views

* skip mfa-method-list-item test for now

* MFA method form (#15432)

* MFA method form

- Updated model for form attributes
- Form for editing, creating mfa methods

* Added comments

* Update model for mfa method

* Refactor buildURL in mfa method adapter

* Update adapter to handle mfa create

* Fixed adapter to handle create mfa response

* Sidebranch: MFA end user setup (#15273)

* initial setup of components and route

* fix navbar

* replace parent component with controller

* use auth service to return entity id

* adapter and some error handling:

* clean up adapter and handle warning

* wip

* use library for qrCode generation

* clear warning and QR code display fix

* flow for restart setup

* add documentation

* clean up

* fix warning issue

* handle root user

* remove comment

* update copy

* fix margin

* address comment

* MFA Guided Setup Route (#15479)

* adds mfa method create route with type selection workflow

* updates mfa method create route links to use DocLink component

* MFA Guided Setup Config View (#15486)

* adds mfa guided setup config view

* resets type query param on mfa method create route exit

* hide next button if type is not selected in mfa method create route

* updates to sure correct state when changing mfa method type in guided setup

* Enforcement view at MFA method level (#15485)

- List enforcements for each mfa method
- Delete MFA method if no enforcements are present
- Moved method, enforcement list item component to mfa folder

* MFA Login Enforcement Validations (#15498)

* adds model and form validations for mfa login enforcements

* updates mfa login enforcement validation messages

* updates validation message for mfa login enforcement targets

* adds transition action to configure mfa button on landing page

* unset enforcement on preference change in mfa guided setup workflow

* Added validations for mfa method model (#15506)

* UI/mfa breadcrumbs and small fixes (#15499)

* add active class when on index

* breadcrumbs

* remove box-shadow to match designs

* fix refresh load mfa-method

* breadcrumb create

* add an empty state the enforcements list view

* change to beforeModel

* UI/mfa small bugs (#15522)

* remove pagintion and fix on methods list view

* fix enforcements

* Fix label for value on radio-card (#15542)

* MFA Login Enforcement Component Tests (#15539)

* adds tests for mfa-login-enforcement-header component

* adds tests for mfa-login-enforcement-form component

* Remove default values from mfa method model (#15540)

- use passcode had a default value, as a result it was being sent
with all the mfa method types during save and edit flows..

* UI/mfa small cleanup (#15549)

* data-test-mleh -> data-test-mfa

* Only one label per radio card

* Remove unnecessary async

* Simplify boolean logic

* Make mutation clear

* Revert "data-test-mleh -> data-test-mfa"

This reverts commit 31430df7bb42580a976d082667cb6ed1f09c3944.

* updates mfa login enforcement form to only display auth method types for current mounts as targets (#15547)

* remove token type (#15548)

* remove token type

* conditional param

* removes type from mfa method payload and fixes bug transitioning to method route on save success

* removes punctuation from mfa form error message string match

* updates qr-code component invocation to angle bracket

* Re-trigger CI jobs with empty commit

Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Co-authored-by: Michele Degges <mdeggies@gmail.com>
2022-05-20 18:40:16 -06:00

173 lines
5 KiB
JavaScript
Raw Blame History

import Service, { inject as service } from '@ember/service';
import { task } from 'ember-concurrency';
const API_PATHS = {
access: {
methods: 'sys/auth',
mfa: 'identity/mfa/method',
entities: 'identity/entity/id',
groups: 'identity/group/id',
leases: 'sys/leases/lookup',
namespaces: 'sys/namespaces',
'control-groups': 'sys/control-group/',
},
policies: {
acl: 'sys/policies/acl',
rgp: 'sys/policies/rgp',
egp: 'sys/policies/egp',
},
tools: {
wrap: 'sys/wrapping/wrap',
lookup: 'sys/wrapping/lookup',
unwrap: 'sys/wrapping/unwrap',
rewrap: 'sys/wrapping/rewrap',
random: 'sys/tools/random',
hash: 'sys/tools/hash',
},
status: {
replication: 'sys/replication',
license: 'sys/license',
seal: 'sys/seal',
raft: 'sys/storage/raft/configuration',
},
clients: {
activity: 'sys/internal/counters/activity',
config: 'sys/internal/counters/config',
},
};
const API_PATHS_TO_ROUTE_PARAMS = {
'sys/auth': { route: 'vault.cluster.access.methods', models: [] },
'identity/entity/id': { route: 'vault.cluster.access.identity', models: ['entities'] },
'identity/group/id': { route: 'vault.cluster.access.identity', models: ['groups'] },
'sys/leases/lookup': { route: 'vault.cluster.access.leases', models: [] },
'sys/namespaces': { route: 'vault.cluster.access.namespaces', models: [] },
'sys/control-group/': { route: 'vault.cluster.access.control-groups', models: [] },
};
/*
The Permissions service is used to gate top navigation and sidebar items.
It fetches a users' policy from the resultant-acl endpoint and stores their
allowed exact and glob paths as state. It also has methods for checking whether
a user has permission for a given path.
*/
export default Service.extend({
exactPaths: null,
globPaths: null,
canViewAll: null,
store: service(),
auth: service(),
namespace: service(),
getPaths: task(function* () {
if (this.paths) {
return;
}
try {
let resp = yield this.store.adapterFor('permissions').query();
this.setPaths(resp);
return;
} catch (err) {
// If no policy can be found, default to showing all nav items.
this.set('canViewAll', true);
}
}),
setPaths(resp) {
this.set('exactPaths', resp.data.exact_paths);
this.set('globPaths', resp.data.glob_paths);
this.set('canViewAll', resp.data.root);
},
reset() {
this.set('exactPaths', null);
this.set('globPaths', null);
this.set('canViewAll', null);
},
hasNavPermission(navItem, routeParams) {
if (routeParams) {
// viewing the entity and groups pages require the list capability, while the others require the default, which is anything other than deny
let capability = routeParams === 'entities' || routeParams === 'groups' ? ['list'] : [null];
return this.hasPermission(API_PATHS[navItem][routeParams], capability);
}
return Object.values(API_PATHS[navItem]).some((path) => this.hasPermission(path));
},
navPathParams(navItem) {
const path = Object.values(API_PATHS[navItem]).find((path) => this.hasPermission(path));
if (['policies', 'tools'].includes(navItem)) {
return { models: [path.split('/').lastObject] };
}
return API_PATHS_TO_ROUTE_PARAMS[path];
},
pathNameWithNamespace(pathName) {
const namespace = this.namespace.path;
if (namespace) {
return `${namespace}/${pathName}`;
} else {
return pathName;
}
},
hasPermission(pathName, capabilities = [null]) {
const path = this.pathNameWithNamespace(pathName);
if (this.canViewAll) {
return true;
}
return capabilities.every(
(capability) =>
this.hasMatchingExactPath(path, capability) || this.hasMatchingGlobPath(path, capability)
);
},
hasMatchingExactPath(pathName, capability) {
const exactPaths = this.exactPaths;
if (exactPaths) {
const prefix = Object.keys(exactPaths).find((path) => path.startsWith(pathName));
const hasMatchingPath = prefix && !this.isDenied(exactPaths[prefix]);
if (prefix && capability) {
return this.hasCapability(exactPaths[prefix], capability) && hasMatchingPath;
}
return hasMatchingPath;
}
return false;
},
hasMatchingGlobPath(pathName, capability) {
const globPaths = this.globPaths;
if (globPaths) {
const matchingPath = Object.keys(globPaths).find((k) => {
return pathName.includes(k) || pathName.includes(k.replace(/\/$/, ''));
});
const hasMatchingPath =
(matchingPath && !this.isDenied(globPaths[matchingPath])) ||
Object.prototype.hasOwnProperty.call(globPaths, '');
if (matchingPath && capability) {
return this.hasCapability(globPaths[matchingPath], capability) && hasMatchingPath;
}
return hasMatchingPath;
}
return false;
},
hasCapability(path, capability) {
return path.capabilities.includes(capability);
},
isDenied(path) {
return path.capabilities.includes('deny');
},
});
Reference in a new issue View git blame Copy permalink