9953eb76aa
* add routes for control groups in tools, settings, access (#4718) * UI control group - storage, request, authorization, and unwrapping (#4899) * UI control groups config (#4927)
296 lines
8 KiB
JavaScript
296 lines
8 KiB
JavaScript
import Ember from 'ember';
|
|
import getStorage from '../lib/token-storage';
|
|
import ENV from 'vault/config/environment';
|
|
import { supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
|
|
|
|
const { get, isArray, computed, getOwner } = Ember;
|
|
|
|
const TOKEN_SEPARATOR = '☃';
|
|
const TOKEN_PREFIX = 'vault-';
|
|
const ROOT_PREFIX = '🗝';
|
|
const IDLE_TIMEOUT_MS = 3 * 60e3;
|
|
const BACKENDS = supportedAuthBackends();
|
|
|
|
export { TOKEN_SEPARATOR, TOKEN_PREFIX, ROOT_PREFIX };
|
|
|
|
export default Ember.Service.extend({
|
|
expirationCalcTS: null,
|
|
init() {
|
|
this._super(...arguments);
|
|
this.checkForRootToken();
|
|
},
|
|
|
|
clusterAdapter() {
|
|
return getOwner(this).lookup('adapter:cluster');
|
|
},
|
|
|
|
tokens: computed(function() {
|
|
return this.getTokensFromStorage() || [];
|
|
}),
|
|
|
|
generateTokenName({ backend, clusterId }, policies) {
|
|
return (policies || []).includes('root')
|
|
? `${TOKEN_PREFIX}${ROOT_PREFIX}${TOKEN_SEPARATOR}${clusterId}`
|
|
: `${TOKEN_PREFIX}${backend}${TOKEN_SEPARATOR}${clusterId}`;
|
|
},
|
|
|
|
backendFromTokenName(tokenName) {
|
|
return tokenName.includes(`${TOKEN_PREFIX}${ROOT_PREFIX}`)
|
|
? 'token'
|
|
: tokenName.slice(TOKEN_PREFIX.length).split(TOKEN_SEPARATOR)[0];
|
|
},
|
|
|
|
storage(tokenName) {
|
|
if (
|
|
tokenName &&
|
|
tokenName.indexOf(`${TOKEN_PREFIX}${ROOT_PREFIX}`) === 0 &&
|
|
this.environment() !== 'development'
|
|
) {
|
|
return getStorage('memory');
|
|
} else {
|
|
return getStorage();
|
|
}
|
|
},
|
|
|
|
environment() {
|
|
return ENV.environment;
|
|
},
|
|
|
|
setCluster(clusterId) {
|
|
this.set('activeCluster', clusterId);
|
|
},
|
|
|
|
ajax(url, method, options) {
|
|
const defaults = {
|
|
url,
|
|
method,
|
|
dataType: 'json',
|
|
headers: {
|
|
'X-Vault-Token': this.get('currentToken'),
|
|
},
|
|
};
|
|
return Ember.$.ajax(Ember.assign(defaults, options));
|
|
},
|
|
|
|
renewCurrentToken() {
|
|
const url = '/v1/auth/token/renew-self';
|
|
return this.ajax(url, 'POST');
|
|
},
|
|
|
|
revokeCurrentToken() {
|
|
const url = '/v1/auth/token/revoke-self';
|
|
return this.ajax(url, 'POST');
|
|
},
|
|
|
|
calculateExpiration(resp, creationTime) {
|
|
const creationTTL = resp.creation_ttl || resp.lease_duration;
|
|
const leaseMilli = creationTTL ? creationTTL * 1e3 : null;
|
|
const tokenIssueEpoch = resp.creation_time ? resp.creation_time * 1e3 : creationTime || Date.now();
|
|
const tokenExpirationEpoch = tokenIssueEpoch + leaseMilli;
|
|
const expirationData = {
|
|
tokenIssueEpoch,
|
|
tokenExpirationEpoch,
|
|
leaseMilli,
|
|
};
|
|
this.set('expirationCalcTS', Date.now());
|
|
return expirationData;
|
|
},
|
|
|
|
persistAuthData() {
|
|
const [firstArg, resp] = arguments;
|
|
let tokens = this.get('tokens');
|
|
let tokenName;
|
|
let options;
|
|
let backend;
|
|
if (typeof firstArg === 'string') {
|
|
tokenName = firstArg;
|
|
backend = this.backendFromTokenName(tokenName);
|
|
} else {
|
|
options = firstArg;
|
|
backend = options.backend;
|
|
}
|
|
|
|
const currentBackend = BACKENDS.findBy('type', backend);
|
|
let displayName;
|
|
if (isArray(currentBackend.displayNamePath)) {
|
|
displayName = currentBackend.displayNamePath.map(name => get(resp, name)).join('/');
|
|
} else {
|
|
displayName = get(resp, currentBackend.displayNamePath);
|
|
}
|
|
|
|
const { entity_id, policies, renewable } = resp;
|
|
let data = {
|
|
displayName,
|
|
backend: currentBackend,
|
|
token: resp.client_token || get(resp, currentBackend.tokenPath),
|
|
policies,
|
|
renewable,
|
|
entity_id,
|
|
};
|
|
|
|
tokenName = this.generateTokenName(
|
|
{
|
|
backend,
|
|
clusterId: (options && options.clusterId) || this.get('activeCluster'),
|
|
},
|
|
resp.policies
|
|
);
|
|
|
|
if (resp.renewable) {
|
|
Ember.assign(data, this.calculateExpiration(resp));
|
|
}
|
|
|
|
if (!data.displayName) {
|
|
data.displayName = get(this.getTokenData(tokenName) || {}, 'displayName');
|
|
}
|
|
tokens.addObject(tokenName);
|
|
this.set('tokens', tokens);
|
|
this.set('allowExpiration', false);
|
|
this.setTokenData(tokenName, data);
|
|
return Ember.RSVP.resolve({
|
|
token: tokenName,
|
|
isRoot: policies.includes('root'),
|
|
});
|
|
},
|
|
|
|
setTokenData(token, data) {
|
|
this.storage(token).setItem(token, data);
|
|
},
|
|
|
|
getTokenData(token) {
|
|
return this.storage(token).getItem(token);
|
|
},
|
|
|
|
removeTokenData(token) {
|
|
return this.storage(token).removeItem(token);
|
|
},
|
|
|
|
tokenExpirationDate: computed('currentTokenName', 'expirationCalcTS', function() {
|
|
const tokenName = this.get('currentTokenName');
|
|
if (!tokenName) {
|
|
return;
|
|
}
|
|
const { tokenExpirationEpoch } = this.getTokenData(tokenName);
|
|
const expirationDate = new Date(0);
|
|
return tokenExpirationEpoch ? expirationDate.setUTCMilliseconds(tokenExpirationEpoch) : null;
|
|
}),
|
|
|
|
tokenExpired: computed(function() {
|
|
const expiration = this.get('tokenExpirationDate');
|
|
return expiration ? Date.now() >= expiration : null;
|
|
}).volatile(),
|
|
|
|
renewAfterEpoch: computed('currentTokenName', 'expirationCalcTS', function() {
|
|
const tokenName = this.get('currentTokenName');
|
|
const data = this.getTokenData(tokenName);
|
|
if (!tokenName || !data) {
|
|
return null;
|
|
}
|
|
const { leaseMilli, tokenIssueEpoch, renewable } = data;
|
|
return data && renewable ? Math.floor(leaseMilli / 2) + tokenIssueEpoch : null;
|
|
}),
|
|
|
|
renew() {
|
|
const tokenName = this.get('currentTokenName');
|
|
const currentlyRenewing = this.get('isRenewing');
|
|
if (currentlyRenewing) {
|
|
return;
|
|
}
|
|
this.set('isRenewing', true);
|
|
return this.renewCurrentToken().then(
|
|
resp => {
|
|
this.set('isRenewing', false);
|
|
return this.persistAuthData(tokenName, resp.data || resp.auth);
|
|
},
|
|
e => {
|
|
this.set('isRenewing', false);
|
|
throw e;
|
|
}
|
|
);
|
|
},
|
|
|
|
shouldRenew: computed(function() {
|
|
const now = Date.now();
|
|
const lastFetch = this.get('lastFetch');
|
|
const renewTime = this.get('renewAfterEpoch');
|
|
if (this.get('tokenExpired') || this.get('allowExpiration') || !renewTime) {
|
|
return false;
|
|
}
|
|
if (lastFetch && now - lastFetch >= IDLE_TIMEOUT_MS) {
|
|
this.set('allowExpiration', true);
|
|
return false;
|
|
}
|
|
if (now >= renewTime) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}).volatile(),
|
|
|
|
setLastFetch(timestamp) {
|
|
this.set('lastFetch', timestamp);
|
|
},
|
|
|
|
getTokensFromStorage(filterFn) {
|
|
return this.storage().keys().reject(key => {
|
|
return key.indexOf(TOKEN_PREFIX) !== 0 || (filterFn && filterFn(key));
|
|
});
|
|
},
|
|
|
|
checkForRootToken() {
|
|
if (this.environment() === 'development') {
|
|
return;
|
|
}
|
|
this.getTokensFromStorage().forEach(key => {
|
|
const data = this.getTokenData(key);
|
|
if (data.policies.includes('root')) {
|
|
this.removeTokenData(key);
|
|
}
|
|
});
|
|
},
|
|
|
|
authenticate(/*{clusterId, backend, data}*/) {
|
|
const [options] = arguments;
|
|
const adapter = this.clusterAdapter();
|
|
|
|
return adapter.authenticate(options).then(resp => {
|
|
return this.persistAuthData(options, resp.auth || resp.data);
|
|
});
|
|
},
|
|
|
|
deleteCurrentToken() {
|
|
const tokenName = this.get('currentTokenName');
|
|
this.deleteToken(tokenName);
|
|
this.removeTokenData(tokenName);
|
|
},
|
|
|
|
deleteToken(tokenName) {
|
|
const tokenNames = this.get('tokens').without(tokenName);
|
|
this.removeTokenData(tokenName);
|
|
this.set('tokens', tokenNames);
|
|
},
|
|
|
|
currentTokenName: computed('activeCluster', 'tokens', 'tokens.[]', function() {
|
|
const regex = new RegExp(this.get('activeCluster'));
|
|
return this.get('tokens').find(key => regex.test(key));
|
|
}),
|
|
|
|
currentToken: computed('currentTokenName', function() {
|
|
const name = this.get('currentTokenName');
|
|
const data = name && this.getTokenData(name);
|
|
return name && data ? data.token : null;
|
|
}),
|
|
|
|
authData: computed('currentTokenName', function() {
|
|
const token = this.get('currentTokenName');
|
|
if (!token) {
|
|
return;
|
|
}
|
|
const backend = this.backendFromTokenName(token);
|
|
const stored = this.getTokenData(token);
|
|
|
|
return Ember.assign(stored, {
|
|
backend: BACKENDS.findBy('type', backend),
|
|
});
|
|
}),
|
|
});
|