From 3aee6ec464bb44d684c24d1767a09b50366e2e37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Lapeyre?= <remi.lapeyre@lenstra.fr>
Date: Fri, 5 Jan 2024 20:11:33 +0100
Subject: [PATCH] Fix UI when editing database roles (#24660)

* Fix UI when editing database roles

When using a database role the UI will try to update the database connection
associated to the role. This is to make sure that the role is allowed to
use this connection:

    async _updateAllowedRoles(store, { role, backend, db, type = 'add' }) {
      const connection = await store.queryRecord('database/connection', { backend, id: db });
      const roles = [...connection.allowed_roles];
      const allowedRoles = type === 'add' ? addToArray([roles, role]) : removeFromArray([roles, role]);
      connection.allowed_roles = allowedRoles;
      return connection.save();
    },

    async createRecord(store, type, snapshot) {
      const serializer = store.serializerFor(type.modelName);
      const data = serializer.serialize(snapshot);
      const roleType = snapshot.attr('type');
      const backend = snapshot.attr('backend');
      const id = snapshot.attr('name');
      const db = snapshot.attr('database');
      try {
        await this._updateAllowedRoles(store, {
          role: id,
          backend,
          db: db[0],
        });
      } catch (e) {
        throw new Error('Could not update allowed roles for selected database. Check Vault logs for details');
      }

      return this.ajax(this.urlFor(backend, id, roleType), 'POST', { data }).then(() => {
        // ember data doesn't like 204s if it's not a DELETE
        return {
          data: assign({}, data, { id }),
        };
      });
    },

This is intended to help the administrator as the role will only work if
it is allowed by the database connection.

This is however an issue if the person doing the update does not have
the permission to update the connection: they will not be able to use
the UI to update the role even though they have the appropriate permissions
to do so (using the CLI or the API will work for example).

This is often the case when the database connections are created by a
centralized system but a human operator needs to create the roles.

You can try this with the following test case:

    $ cat main.tf
    resource "vault_auth_backend" "userpass" {
      type = "userpass"
    }

    resource "vault_generic_endpoint" "alice" {
      depends_on           = [vault_auth_backend.userpass]
      path                 = "auth/userpass/users/alice"
      ignore_absent_fields = true

      data_json = jsonencode({
        "policies" : ["root"],
        "password" : "alice"
      })
    }

    data "vault_policy_document" "db_admin" {
      rule {
        path         = "database/roles/*"
        capabilities = ["create", "read", "update", "delete", "list"]
      }
    }

    resource "vault_policy" "db_admin" {
      name   = "db-admin"
      policy = data.vault_policy_document.db_admin.hcl
    }

    resource "vault_generic_endpoint" "bob" {
      depends_on           = [vault_auth_backend.userpass]
      path                 = "auth/userpass/users/bob"
      ignore_absent_fields = true

      data_json = jsonencode({
        "policies" : [vault_policy.db_admin.name],
        "password" : "bob"
      })
    }

    resource "vault_mount" "db" {
      path = "database"
      type = "database"
    }

    resource "vault_database_secret_backend_connection" "postgres" {
      backend           = vault_mount.db.path
      name              = "postgres"
      allowed_roles     = ["*"]
      verify_connection = false

      postgresql {
        connection_url = "postgres://username:password@localhost/database"
      }
    }
    $ terraform apply --auto-approve

then using bob to create a role associated to the `postgres` connection.

This patch changes the way the UI does the update: it still tries to
update the database connection but if it fails to do so because it does not
have the permission it just silently skip this part and updates the role.

This also update the error message returned to the user in case of issues
to include the actual errors.

* Add changelog

* Also ignore error when deleting a role

* Address code review comments

---------

Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
---
 changelog/24660.txt                     |  3 +++
 ui/app/adapters/database/role.js        | 28 ++++++++++++++++++-------
 ui/app/components/database-role-edit.js |  3 ---
 3 files changed, 24 insertions(+), 10 deletions(-)
 create mode 100644 changelog/24660.txt

diff --git a/changelog/24660.txt b/changelog/24660.txt
new file mode 100644
index 0000000000..415944299e
--- /dev/null
+++ b/changelog/24660.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: The UI can now be used to create or update database roles by operator without permission on the database connection.
+```
diff --git a/ui/app/adapters/database/role.js b/ui/app/adapters/database/role.js
index 848719e37a..2a3002c1d1 100644
--- a/ui/app/adapters/database/role.js
+++ b/ui/app/adapters/database/role.js
@@ -164,7 +164,7 @@ export default ApplicationAdapter.extend({
         db: db[0],
       });
     } catch (e) {
-      throw new Error('Could not update allowed roles for selected database. Check Vault logs for details');
+      this.checkError(e);
     }
 
     return this.ajax(this.urlFor(backend, id, roleType), 'POST', { data }).then(() => {
@@ -180,12 +180,16 @@ export default ApplicationAdapter.extend({
     const backend = snapshot.attr('backend');
     const id = snapshot.attr('name');
     const db = snapshot.attr('database');
-    await this._updateAllowedRoles(store, {
-      role: id,
-      backend,
-      db: db[0],
-      type: 'remove',
-    });
+    try {
+      await this._updateAllowedRoles(store, {
+        role: id,
+        backend,
+        db: db[0],
+        type: 'remove',
+      });
+    } catch (e) {
+      this.checkError(e);
+    }
 
     return this.ajax(this.urlFor(backend, id, roleType), 'DELETE');
   },
@@ -199,4 +203,14 @@ export default ApplicationAdapter.extend({
 
     return this.ajax(this.urlFor(backend, id, roleType), 'POST', { data }).then(() => data);
   },
+
+  checkError(e) {
+    if (e.httpStatus === 403) {
+      // The user does not have the permission to update the connection. This
+      // can happen if their permissions are limited to the role. In that case
+      // we ignore the error and continue updating the role.
+      return;
+    }
+    throw new Error(`Could not update allowed roles for selected database: ${e.errors.join(', ')}`);
+  },
 });
diff --git a/ui/app/components/database-role-edit.js b/ui/app/components/database-role-edit.js
index 3379650e6e..9672fe6760 100644
--- a/ui/app/components/database-role-edit.js
+++ b/ui/app/components/database-role-edit.js
@@ -27,9 +27,6 @@ export default class DatabaseRoleEdit extends Component {
 
   get warningMessages() {
     const warnings = {};
-    if (this.args.model.canUpdateDb === false) {
-      warnings.database = `You don’t have permissions to update this database connection, so this role cannot be created.`;
-    }
     if (
       (this.args.model.type === 'dynamic' && this.args.model.canCreateDynamic === false) ||
       (this.args.model.type === 'static' && this.args.model.canCreateStatic === false)