From 71c57dc4e2f38c213f3547289d64a95664724d97 Mon Sep 17 00:00:00 2001
From: Chelsea Shaw <chelshaw.dev@gmail.com>
Date: Tue, 15 Sep 2020 13:46:35 -0500
Subject: [PATCH] Ui/transformation edit update roles (#9955)

* Update or create new role after allowed_roles on transformation updated

* Update tests to include transformation create/edit and role create scenarios
---
 ui/app/components/transform-create-form.js    |   4 +-
 ui/app/components/transform-edit-base.js      |  18 ++-
 ui/app/components/transform-edit-form.js      |   4 +-
 ui/app/components/transform-role-edit.js      |  31 +----
 ui/app/components/transformation-edit.js      | 113 +++++++++++++++++-
 ui/app/serializers/transform/role.js          |   1 -
 .../components/transform-edit-form.hbs        |   2 +-
 .../components/transformation-edit.hbs        |   8 +-
 .../acceptance/enterprise-transform-test.js   | 113 +++++++++++++++---
 .../pages/secrets/backend/transform/roles.js  |   1 +
 .../backend/transform/transformations.js      |   2 +
 11 files changed, 245 insertions(+), 52 deletions(-)

diff --git a/ui/app/components/transform-create-form.js b/ui/app/components/transform-create-form.js
index 548e2dd85c..12fadca2e7 100644
--- a/ui/app/components/transform-create-form.js
+++ b/ui/app/components/transform-create-form.js
@@ -1,3 +1,3 @@
-import TransformBase from './transform-edit-base';
+import TransformationEdit from './transformation-edit';
 
-export default TransformBase.extend({});
+export default TransformationEdit.extend({});
diff --git a/ui/app/components/transform-edit-base.js b/ui/app/components/transform-edit-base.js
index 097c6ce691..17d879da9a 100644
--- a/ui/app/components/transform-edit-base.js
+++ b/ui/app/components/transform-edit-base.js
@@ -8,7 +8,23 @@ import FocusOnInsertMixin from 'vault/mixins/focus-on-insert';
 const LIST_ROOT_ROUTE = 'vault.cluster.secrets.backend.list-root';
 const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
 
+export const addToList = (list, itemToAdd) => {
+  if (!list || !Array.isArray(list)) return list;
+  list.push(itemToAdd);
+  return list.uniq();
+};
+
+export const removeFromList = (list, itemToRemove) => {
+  if (!list) return list;
+  const index = list.indexOf(itemToRemove);
+  if (index < 0) return list;
+  const newList = list.removeAt(index, 1);
+  return newList.uniq();
+};
+
 export default Component.extend(FocusOnInsertMixin, {
+  store: service(),
+  flashMessages: service(),
   router: service(),
 
   mode: null,
@@ -79,7 +95,7 @@ export default Component.extend(FocusOnInsertMixin, {
 
     delete() {
       this.persist('destroyRecord', () => {
-        this.hasDataChanges();
+        this.onDataChange();
         this.transitionToRoute(LIST_ROOT_ROUTE);
       });
     },
diff --git a/ui/app/components/transform-edit-form.js b/ui/app/components/transform-edit-form.js
index 548e2dd85c..12fadca2e7 100644
--- a/ui/app/components/transform-edit-form.js
+++ b/ui/app/components/transform-edit-form.js
@@ -1,3 +1,3 @@
-import TransformBase from './transform-edit-base';
+import TransformationEdit from './transformation-edit';
 
-export default TransformBase.extend({});
+export default TransformationEdit.extend({});
diff --git a/ui/app/components/transform-role-edit.js b/ui/app/components/transform-role-edit.js
index fbf537aecb..187c331196 100644
--- a/ui/app/components/transform-role-edit.js
+++ b/ui/app/components/transform-role-edit.js
@@ -1,24 +1,6 @@
-import TransformBase from './transform-edit-base';
-import { inject as service } from '@ember/service';
-
-const addToList = (list, itemToAdd) => {
-  if (!list || !Array.isArray(list)) return list;
-  list.push(itemToAdd);
-  return list.uniq();
-};
-
-const removeFromList = (list, itemToRemove) => {
-  if (!list) return list;
-  const index = list.indexOf(itemToRemove);
-  if (index < 0) return list;
-  const newList = list.removeAt(index, 1);
-  return newList.uniq();
-};
+import TransformBase, { addToList, removeFromList } from './transform-edit-base';
 
 export default TransformBase.extend({
-  store: service(),
-  flashMessages: service(),
-
   initialTransformations: null,
 
   init() {
@@ -48,14 +30,9 @@ export default TransformBase.extend({
             allowed_roles: roles,
           });
 
-          return transformation
-            .save()
-            .then(() => {
-              return 'Successfully saved';
-            })
-            .catch(e => {
-              return { errorStatus: e.httpStatus, ...transform };
-            });
+          return transformation.save().catch(e => {
+            return { errorStatus: e.httpStatus, ...transform };
+          });
         });
     });
 
diff --git a/ui/app/components/transformation-edit.js b/ui/app/components/transformation-edit.js
index 548e2dd85c..2b18c4fd77 100644
--- a/ui/app/components/transformation-edit.js
+++ b/ui/app/components/transformation-edit.js
@@ -1,3 +1,112 @@
-import TransformBase from './transform-edit-base';
+import TransformBase, { addToList, removeFromList } from './transform-edit-base';
 
-export default TransformBase.extend({});
+export default TransformBase.extend({
+  initialRoles: null,
+
+  init() {
+    this._super(...arguments);
+    this.set('initialRoles', this.get('model.allowed_roles'));
+  },
+
+  updateOrCreateRole(role, transformationId, backend) {
+    return this.store
+      .queryRecord('transform/role', {
+        backend,
+        id: role.id,
+      })
+      .then(roleStore => {
+        let transformations = roleStore.transformations;
+        if (role.action === 'ADD') {
+          transformations = addToList(transformations, transformationId);
+        } else if (role.action === 'REMOVE') {
+          transformations = removeFromList(transformations, transformationId);
+        }
+        roleStore.setProperties({
+          backend,
+          transformations,
+        });
+        return roleStore.save().catch(e => {
+          return {
+            errorStatus: e.httpStatus,
+            ...role,
+          };
+        });
+      })
+      .catch(e => {
+        if (e.httpStatus !== 403 && role.action === 'ADD') {
+          // If role doesn't yet exist, create it with this transformation attached
+          var newRole = this.store.createRecord('transform/role', {
+            id: role.id,
+            name: role.id,
+            transformations: [transformationId],
+            backend,
+          });
+          return newRole.save().catch(e => {
+            return {
+              errorStatus: e.httpStatus,
+              ...role,
+              action: 'CREATE',
+            };
+          });
+        }
+
+        return {
+          ...role,
+          errorStatus: e.httpStatus,
+        };
+      });
+  },
+
+  handleUpdateRoles(updateRoles, transformationId) {
+    if (!updateRoles) return;
+    const backend = this.get('model.backend');
+    const promises = updateRoles.map(r => this.updateOrCreateRole(r, transformationId, backend));
+
+    Promise.all(promises).then(results => {
+      let hasError = results.find(role => !!role.errorStatus);
+
+      if (hasError) {
+        let message =
+          'The edits to this transformation were successful, but transformations for its roles was not edited due to a lack of permissions.';
+        if (results.find(e => !!e.errorStatus && e.errorStatus !== 403)) {
+          // if the errors weren't all due to permissions show generic message
+          // eg. trying to update a role with empty array as transformations
+          message = `You've edited the allowed_roles for this transformation. However, the corresponding edits to some roles' transformations were not made`;
+        }
+        this.get('flashMessages').stickyInfo(message);
+      }
+    });
+  },
+
+  actions: {
+    createOrUpdate(type, event) {
+      event.preventDefault();
+
+      this.applyChanges('save', () => {
+        const transformationId = this.get('model.id');
+        const newModelRoles = this.get('model.allowed_roles') || [];
+        const initialRoles = this.get('initialRoles') || [];
+
+        const updateRoles = [...newModelRoles, ...initialRoles]
+          .filter(r => r.indexOf('*') < 0) // TODO: expand wildcards into included roles instead
+          .map(role => {
+            if (initialRoles.indexOf(role) < 0) {
+              return {
+                id: role,
+                action: 'ADD',
+              };
+            }
+            if (newModelRoles.indexOf(role) < 0) {
+              return {
+                id: role,
+                action: 'REMOVE',
+              };
+            }
+            return null;
+          })
+          .filter(r => !!r);
+        this.handleUpdateRoles(updateRoles, transformationId);
+      });
+    },
+  },
+});
diff --git a/ui/app/serializers/transform/role.js b/ui/app/serializers/transform/role.js
index 8a3d8f9eb3..ed04af7935 100644
--- a/ui/app/serializers/transform/role.js
+++ b/ui/app/serializers/transform/role.js
@@ -1,7 +1,6 @@
 import ApplicationSerializer from '../application';
 export default ApplicationSerializer.extend({
   extractLazyPaginatedData(payload) {
-    // TODO: do this for transform too?
     let ret;
     ret = payload.data.keys.map(key => {
       let model = {
diff --git a/ui/app/templates/components/transform-edit-form.hbs b/ui/app/templates/components/transform-edit-form.hbs
index 3855980c7f..d2ef34999f 100644
--- a/ui/app/templates/components/transform-edit-form.hbs
+++ b/ui/app/templates/components/transform-edit-form.hbs
@@ -40,7 +40,7 @@
         type="submit"
         disabled={{buttonDisabled}}
         class="button is-primary"
-        data-test-role-ssh-create=true
+        data-test-transformation-save-button=true
       >
         {{#if (eq mode 'create')}}
           Create transformation
diff --git a/ui/app/templates/components/transformation-edit.hbs b/ui/app/templates/components/transformation-edit.hbs
index 96f04e5c37..d177363c49 100644
--- a/ui/app/templates/components/transformation-edit.hbs
+++ b/ui/app/templates/components/transformation-edit.hbs
@@ -62,6 +62,7 @@
           <a
             class="toolbar-link"
             onclick={{action (mut isEditModalActive) true}}
+            data-test-edit-link
           >
             Edit transformation
           </a>
@@ -117,7 +118,12 @@
     </p>
   </section>
   <footer class="modal-card-foot modal-card-foot-outlined">
-    {{#link-to "vault.cluster.secrets.backend.edit" model.id tagName="button" class="button is-primary"}}
+    {{#link-to
+      "vault.cluster.secrets.backend.edit" model.id
+      tagName="button"
+      class="button is-primary"
+      data-test-edit-confirm-button=true
+    }}
       Confirm
     {{/link-to}}
     <button
diff --git a/ui/tests/acceptance/enterprise-transform-test.js b/ui/tests/acceptance/enterprise-transform-test.js
index 4b3fbc28f0..ecd3da7438 100644
--- a/ui/tests/acceptance/enterprise-transform-test.js
+++ b/ui/tests/acceptance/enterprise-transform-test.js
@@ -2,7 +2,7 @@ import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { currentURL, click } from '@ember/test-helpers';
 import { create } from 'ember-cli-page-object';
-import { selectChoose, clickTrigger } from 'ember-power-select/test-support/helpers';
+import { typeInSearch, selectChoose, clickTrigger } from 'ember-power-select/test-support/helpers';
 
 import authPage from 'vault/tests/pages/auth';
 import mountSecrets from 'vault/tests/pages/settings/mount-secret-backend';
@@ -18,6 +18,29 @@ const mount = async () => {
   return path;
 };
 
+const newTransformation = async (backend, name, submit = false) => {
+  const transformationName = name || 'foo';
+  await transformationsPage.visitCreate({ backend });
+  await transformationsPage.name(transformationName);
+  await clickTrigger('#template');
+  await selectChoose('#template', '.ember-power-select-option', 0);
+  // Don't automatically choose role because we might be testing that
+  if (submit) {
+    await transformationsPage.submit();
+  }
+  return transformationName;
+};
+
+const newRole = async (backend, name) => {
+  const roleName = name || 'bar';
+  await rolesPage.visitCreate({ backend });
+  await rolesPage.name(roleName);
+  await clickTrigger('#transformations');
+  await selectChoose('#transformations', '.ember-power-select-option', 0);
+  await rolesPage.submit();
+  return roleName;
+};
+
 module('Acceptance | Enterprise | Transform secrets', function(hooks) {
   setupApplicationTest(hooks);
 
@@ -26,11 +49,11 @@ module('Acceptance | Enterprise | Transform secrets', function(hooks) {
   });
 
   test('it enables Transform secrets engine and shows tabs', async function(assert) {
-    let path = `transform-${Date.now()}`;
-    await mountSecrets.enable('transform', path);
+    let backend = `transform-${Date.now()}`;
+    await mountSecrets.enable('transform', backend);
     assert.equal(
       currentURL(),
-      `/vault/secrets/${path}/list`,
+      `/vault/secrets/${backend}/list`,
       'mounts and redirects to the transformations list page'
     );
     assert.ok(transformationsPage.isEmpty, 'renders empty state');
@@ -42,12 +65,12 @@ module('Acceptance | Enterprise | Transform secrets', function(hooks) {
     assert.dom('[data-test-tab="Alphabets"]').exists('Has Alphabets tab');
   });
 
-  test('it can create a transformation and role', async function(assert) {
-    let path = await mount();
+  test('it can create a transformation and add itself to the role attached', async function(assert) {
+    let backend = await mount();
     const transformationName = 'foo';
     const roleName = 'foo-role';
-    await transformationsPage.createLink();
-    assert.equal(currentURL(), `/vault/secrets/${path}/create`, 'redirects to create transformation page');
+    await transformationsPage.createLink({ backend });
+    assert.equal(currentURL(), `/vault/secrets/${backend}/create`, 'redirects to create transformation page');
     await transformationsPage.name(transformationName);
 
     assert.dom('[data-test-input="type"').hasValue('fpe', 'Has type FPE by default');
@@ -60,31 +83,91 @@ module('Acceptance | Enterprise | Transform secrets', function(hooks) {
     await clickTrigger('#template');
     assert.equal(searchSelectComponent.options.length, 2, 'list shows two builtin options by default');
     await selectChoose('#template', '.ember-power-select-option', 0);
+    await clickTrigger('#allowed_roles');
+    await typeInSearch(roleName);
+    await selectChoose('#allowed_roles', '.ember-power-select-option', 0);
     await transformationsPage.submit();
     assert.equal(
       currentURL(),
-      `/vault/secrets/${path}/show/${transformationName}`,
+      `/vault/secrets/${backend}/show/${transformationName}`,
       'redirects to show transformation page after submit'
     );
-    await click(`[data-test-secret-breadcrumb="${path}"]`);
-    assert.equal(currentURL(), `/vault/secrets/${path}/list`, 'Links back to list view from breadcrumb');
+    await click(`[data-test-secret-breadcrumb="${backend}"]`);
+    assert.equal(currentURL(), `/vault/secrets/${backend}/list`, 'Links back to list view from breadcrumb');
+  });
+
+  test('it can create a role and add itself to the transformation attached', async function(assert) {
+    const roleName = 'my-role';
+    let backend = await mount();
+    // create transformation without role
+    await newTransformation(backend, 'a-transformation', true);
+    await click(`[data-test-secret-breadcrumb="${backend}"]`);
+    assert.equal(currentURL(), `/vault/secrets/${backend}/list`, 'Links back to list view from breadcrumb');
     await click('[data-test-tab="Roles"]');
-    assert.equal(currentURL(), `/vault/secrets/${path}/list?tab=role`, 'links to role list page');
+    assert.equal(currentURL(), `/vault/secrets/${backend}/list?tab=role`, 'links to role list page');
+    // create role with transformation attached
     await rolesPage.createLink();
     assert.equal(
       currentURL(),
-      `/vault/secrets/${path}/create?itemType=role`,
+      `/vault/secrets/${backend}/create?itemType=role`,
       'redirects to create role page'
     );
     await rolesPage.name(roleName);
     await clickTrigger('#transformations');
-    assert.equal(searchSelectComponent.options.length, 1, 'lists the transformation that was just created');
+    assert.equal(searchSelectComponent.options.length, 1, 'lists the transformation');
     await selectChoose('#transformations', '.ember-power-select-option', 0);
     await rolesPage.submit();
     assert.equal(
       currentURL(),
-      `/vault/secrets/${path}/show/role/${roleName}`,
+      `/vault/secrets/${backend}/show/role/${roleName}`,
       'redirects to show role page after submit'
     );
+    await click(`[data-test-secret-breadcrumb="${backend}"]`);
+    assert.equal(
+      currentURL(),
+      `/vault/secrets/${backend}/list?tab=role`,
+      'Links back to role list view from breadcrumb'
+    );
+  });
+
+  test('it adds a role to a transformation when added to a role', async function(assert) {
+    const roleName = 'role-test';
+    let backend = await mount();
+    let transformation = await newTransformation(backend, 'b-transformation', true);
+    await newRole(backend, roleName);
+    await transformationsPage.visitShow({ backend, id: transformation });
+    assert.dom('[data-test-row-value="Allowed roles"]').hasText(roleName);
+  });
+
+  test('it shows a message if an update fails after save', async function(assert) {
+    const roleName = 'role-remove';
+    let backend = await mount();
+    // Create transformation
+    let transformation = await newTransformation(backend, 'c-transformation', true);
+    // create role
+    await newRole(backend, roleName);
+    await transformationsPage.visitShow({ backend, id: transformation });
+    assert.dom('[data-test-row-value="Allowed roles"]').hasText(roleName);
+    // Edit transformation
+    await click('[data-test-edit-link]');
+    assert.dom('.modal.is-active').exists('Confirmation modal appears');
+    await rolesPage.modalConfirm();
+    assert.equal(
+      currentURL(),
+      `/vault/secrets/${backend}/edit/${transformation}`,
+      'Correctly links to edit page for secret'
+    );
+    // remove role
+    await click('#allowed_roles [data-test-selected-list-button="delete"]');
+    await transformationsPage.save();
+    assert.dom('.flash-message.is-info').exists('Shows info message since role could not be updated');
+    assert.equal(
+      currentURL(),
+      `/vault/secrets/${backend}/show/${transformation}`,
+      'Correctly links to show page for secret'
+    );
+    assert
+      .dom('[data-test-row-value="Allowed roles"]')
+      .doesNotExist('Allowed roles are no longer on the transformation');
   });
 });
diff --git a/ui/tests/pages/secrets/backend/transform/roles.js b/ui/tests/pages/secrets/backend/transform/roles.js
index fa89c7b4ae..400025efcc 100644
--- a/ui/tests/pages/secrets/backend/transform/roles.js
+++ b/ui/tests/pages/secrets/backend/transform/roles.js
@@ -9,4 +9,5 @@ export default create({
   name: fillable('[data-test-input="name"]'),
   transformations: fillable('[data-test-input="transformations"'),
   submit: clickable('[data-test-role-transform-create="true"]'),
+  modalConfirm: clickable('[data-test-edit-confirm-button]'),
 });
diff --git a/ui/tests/pages/secrets/backend/transform/transformations.js b/ui/tests/pages/secrets/backend/transform/transformations.js
index 22a20a75e0..f67a754d2a 100644
--- a/ui/tests/pages/secrets/backend/transform/transformations.js
+++ b/ui/tests/pages/secrets/backend/transform/transformations.js
@@ -4,6 +4,7 @@ import ListView from 'vault/tests/pages/components/list-view';
 export default create({
   ...ListView,
   visit: visitable('/vault/secrets/:backend/list'),
+  visitShow: visitable('/vault/secrets/:backend/show/:id'),
   visitCreate: visitable('/vault/secrets/:backend/create'),
   createLink: clickable('[data-test-secret-create="true"]'),
   name: fillable('[data-test-input="name"]'),
@@ -11,4 +12,5 @@ export default create({
   type: fillable('[data-test-input="type"'),
   tweakSource: fillable('[data-test-input="tweak_source"'),
   maskingChar: fillable('[data-test-input="masking_character"'),
+  save: clickable('[data-test-transformation-save-button]'),
 });