From eabb8e10a0be39423d3c2ce28eef94b265df9907 Mon Sep 17 00:00:00 2001 From: claire bontempo <68122737+hellobontempo@users.noreply.github.com> Date: Thu, 9 May 2024 20:44:21 +0100 Subject: [PATCH] UI: Add max ttl to acme certificates (#26906) * add max ttl to acme * change test title? * hide toggle * update sign-intermediate * add enforce_leaf_not_after_behavior --- ui/app/models/pki/config/acme.js | 9 +++ ui/app/models/pki/sign-intermediate.js | 6 ++ .../page/pki-configuration-details.hbs | 1 + .../acceptance/open-api-path-help-test.js | 67 ++++++++++--------- .../helpers/openapi/expected-secret-attrs.js | 12 ++++ .../pki/pki-sign-intermediate-form-test.js | 2 +- 6 files changed, 64 insertions(+), 33 deletions(-) diff --git a/ui/app/models/pki/config/acme.js b/ui/app/models/pki/config/acme.js index 80531c28b1..4afffc74e9 100644 --- a/ui/app/models/pki/config/acme.js +++ b/ui/app/models/pki/config/acme.js @@ -66,6 +66,15 @@ export default class PkiConfigAcmeModel extends Model { }) dnsResolver; + @attr({ + label: 'Max TTL', + editType: 'ttl', + hideToggle: true, + helperTextEnabled: + 'Specify the maximum TTL for ACME certificates. Role TTL values will be limited to this value.', + }) + maxTtl; + @lazyCapabilities(apiPath`${'id'}/config/acme`, 'id') acmePath; diff --git a/ui/app/models/pki/sign-intermediate.js b/ui/app/models/pki/sign-intermediate.js index 6cc9fc6b57..53c5b69b15 100644 --- a/ui/app/models/pki/sign-intermediate.js +++ b/ui/app/models/pki/sign-intermediate.js @@ -19,6 +19,7 @@ const validations = { 'excludeCnFromSans', 'customTtl', 'notBeforeDuration', + 'enforceLeafNotAfterBehavior', 'format', 'permittedDnsDomains', 'maxPathLength', 
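Review bot: The `maxTtl` attr added in the `acme.js` hunk does not say what an empty or zero value means, and with `hideToggle: true` the form has no disabled state to signal "no limit". This field caps ACME certificate lifetime, so an operator should be able to tell from the form whether leaving it blank keeps a backend default or removes the cap. That behaviour is not visible from this hunk. I would extend `helperTextEnabled` with one sentence on the blank case and add a comment above the attr such as `// toggle hidden: TTL picker is always shown; blank value defers to the backend (confirm)`. The class body continues outside the hunk.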
@@ -56,6 +57,11 @@ export default class PkiSignIntermediateModel extends PkiCertificateBaseModel { }) notBeforeDuration; + @attr('boolean', { + subText: "Do not truncate the NotAfter field, use the issuer's configured leaf_not_after_behavior", + }) + enforceLeafNotAfterBehavior; + @attr({ label: 'Permitted DNS domains', subText: diff --git a/ui/lib/pki/addon/components/page/pki-configuration-details.hbs b/ui/lib/pki/addon/components/page/pki-configuration-details.hbs index 5306191583..f9e188962b 100644 --- a/ui/lib/pki/addon/components/page/pki-configuration-details.hbs +++ b/ui/lib/pki/addon/components/page/pki-configuration-details.hbs @@ -42,6 +42,7 @@ {{/each}} {{/if}} diff --git a/ui/tests/acceptance/open-api-path-help-test.js b/ui/tests/acceptance/open-api-path-help-test.js index bbafbeb426..d700fd679c 100644 --- a/ui/tests/acceptance/open-api-path-help-test.js +++ b/ui/tests/acceptance/open-api-path-help-test.js 
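Review bot: The new `enforceLeafNotAfterBehavior` attr has no `label`, and its `subText` describes only the checked state. Someone signing an intermediate cannot tell from the form what happens to the certificate's NotAfter when the box is left unchecked. This option decides whether the signed CA's expiry is truncated or follows the issuer's `leaf_not_after_behavior`, so both states should be spelled out. For example: `subText: "When enabled, the NotAfter field is not truncated and the issuer's configured leaf_not_after_behavior applies instead."`, followed by a sentence on the unchecked default as the backend documents it. The class body continues outside the hunk.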
@@ -19,46 +19,49 @@ import expectedAuthAttrs from 'vault/tests/helpers/openapi/expected-auth-attrs'; * if it is not updated automatically or is a more involved feature request. * Marked as enterprise so it only runs periodically */ -module('Acceptance | OpenAPI provides expected attributes enterprise', function (hooks) { - setupApplicationTest(hooks); - hooks.beforeEach(function () { - this.pathHelp = this.owner.lookup('service:pathHelp'); - this.store = this.owner.lookup('service:store'); - return authPage.login(); - }); - - // Secret engines that use OpenAPI - ['ssh', 'kmip', 'pki'].forEach(function (testCase) { - return module(`${testCase} engine`, function (hooks) { - hooks.beforeEach(async function () { - this.backend = `${testCase}-openapi`; - await runCmd(mountEngineCmd(testCase, this.backend), false); - }); - hooks.afterEach(async function () { - await runCmd(deleteEngineCmd(this.backend), false); - }); - - secretEngineHelper(test, testCase); +module( + 'Acceptance | Heads up - backend param changes! 
Expected OpenAPI attributes enterprise', + function (hooks) { + setupApplicationTest(hooks); + hooks.beforeEach(function () { + this.pathHelp = this.owner.lookup('service:pathHelp'); + this.store = this.owner.lookup('service:store'); + return authPage.login(); }); - }); - // All auth backends use OpenAPI except aws - ['azure', 'userpass', 'cert', 'gcp', 'github', 'jwt', 'kubernetes', 'ldap', 'okta', 'radius'].forEach( - function (testCase) { - return module(`${testCase} auth`, function (hooks) { + // Secret engines that use OpenAPI + ['ssh', 'kmip', 'pki'].forEach(function (testCase) { + return module(`${testCase} engine`, function (hooks) { hooks.beforeEach(async function () { - this.mount = `${testCase}-openapi`; - await runCmd(mountAuthCmd(testCase, this.mount), false); + this.backend = `${testCase}-openapi`; + await runCmd(mountEngineCmd(testCase, this.backend), false); }); hooks.afterEach(async function () { - await runCmd(deleteAuthCmd(this.backend), false); + await runCmd(deleteEngineCmd(this.backend), false); }); - authEngineHelper(test, testCase); + secretEngineHelper(test, testCase); }); - } - ); -}); + }); + + // All auth backends use OpenAPI except aws + ['azure', 'userpass', 'cert', 'gcp', 'github', 'jwt', 'kubernetes', 'ldap', 'okta', 'radius'].forEach( + function (testCase) { + return module(`${testCase} auth`, function (hooks) { + hooks.beforeEach(async function () { + this.mount = `${testCase}-openapi`; + await runCmd(mountAuthCmd(testCase, this.mount), false); + }); + hooks.afterEach(async function () { + await runCmd(deleteAuthCmd(this.backend), false); + }); + + authEngineHelper(test, testCase); + }); + } + ); + } +); function secretEngineHelper(test, secretEngine) { const engineData = expectedSecretAttrs[secretEngine]; diff --git a/ui/tests/helpers/openapi/expected-secret-attrs.js b/ui/tests/helpers/openapi/expected-secret-attrs.js index c1094d7b61..cc057becb4 100644 --- a/ui/tests/helpers/openapi/expected-secret-attrs.js 
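Review bot: In the auth-backend modules the `afterEach` hook still calls `deleteAuthCmd(this.backend)`, but the matching `beforeEach` stores the mount path in `this.mount`. In this hunk `this.backend` is only assigned inside the secret-engine modules' hooks. Unless it is set somewhere outside the hunk, the teardown runs the delete with an undefined path and the `*-openapi` auth mounts stay enabled on the test server after the run. These lines are being re-indented anyway, so change the call to `await runCmd(deleteAuthCmd(this.mount), false);`.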
+++ b/ui/tests/helpers/openapi/expected-secret-attrs.js @@ -569,6 +569,12 @@ const pki = { fieldGroup: 'default', type: 'boolean', }, + maxTtl: { + editType: 'ttl', + fieldGroup: 'default', + helpText: + 'Specify the maximum TTL for ACME certificates. Role TTL values will be limited to this value', + }, }, 'pki/certificate/generate': { role: { @@ -1200,6 +1206,12 @@ const pki = { fieldGroup: 'default', type: 'string', }, + enforceLeafNotAfterBehavior: { + editType: 'boolean', + fieldGroup: 'default', + helpText: "Do not truncate the NotAfter field, use the issuer's configured leaf_not_after_behavior", + type: 'boolean', + }, excludeCnFromSans: { editType: 'boolean', helpText: diff --git a/ui/tests/integration/components/pki/pki-sign-intermediate-form-test.js b/ui/tests/integration/components/pki/pki-sign-intermediate-form-test.js index e3d4af60d6..0b49812901 100644 --- a/ui/tests/integration/components/pki/pki-sign-intermediate-form-test.js +++ b/ui/tests/integration/components/pki/pki-sign-intermediate-form-test.js @@ -47,7 +47,7 @@ module('Integration | Component | pki-sign-intermediate-form', function (hooks) assert.dom(selectors.form).exists('Form is rendered'); assert.dom(selectors.resultsContainer).doesNotExist('Results display not rendered'); - assert.dom('[data-test-field]').exists({ count: 9 }, '9 default fields shown'); + assert.dom('[data-test-field]').exists({ count: 10 }, '10 default fields shown'); assert.dom(selectors.toggleSigningOptions).exists(); assert.dom(selectors.toggleSANOptions).exists(); assert.dom(selectors.toggleAdditionalFields).exists();