mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-18 12:37:02 +02:00
9d8ba3ac2a
* Add Helios Design System Components (#19278) * adds hds dependency * updates reset import path * sets minifyCSS advanced option to false * Remove node-sass (#19376) * removes node-sass and fixes sass compilation * fixes active tab li class * Sidebar Navigation Components (#19446) * links ember-shared-components addon and imports styles * adds sidebar frame and nav components * updates HcNav component name to HcAppFrame and adds sidebar UserMenu component * adds tests for sidebar components * fixes tests * updates user menu styling * fixes typos in nav cluster component * changes padding value in sidebar stylesheet to use variable * Replace and remove old nav components with new ones (#19447) * links ember-shared-components addon and imports styles * adds sidebar frame and nav components * updates activeCluster on auth service and adds activeSession prop for sidebar visibility * replaces old nav components with new ones in templates * fixes sidebar visibility issue and updates user menu label class * removes NavHeader usage * adds clients index route to redirect to dashboard * removes unused HcAppFrame footer block and reduces page header top margin * Nav component cleanup (#19681) * removes nav-header components * removes navbar styling * removes status-menu component and styles * removes cluster and auth info components * removes menu-sidebar component and styling * fixes tests * Console Panel Updates (#19741) * updates console panel styling * adds test for opening and closing the console panel * updates console panel background color to use hds token * adds right margin to console panel input * updates link-status banner styling * updates hc nav components to new API * Namespace Picker Updates (#19753) * updates namespace-picker * updates namespace picker menu styling * adds bottom margin to env banner * updates class order on namespace picker link * restores manage namespaces refresh icon * removes manage namespaces nav icon * removes home link component (#20027) * Auth and Error View Updates (#19749) * adds vault logo to auth page * updates top level error template * updates loading substate handling and moves policies link from access to cluster nav (#20033) * moves console panel to bottom of viewport (#20183) * HDS Sidebar Nav Components (#20197) * updates nav components to hds * upgrades project yarn version to 3.5 * fixes issues in app frame component * updates sidenav actions to use icon button component * Sidebar navigation acceptance tests (#20270) * adds sidebar navigation acceptance tests and fixes other test failures * console panel styling tweaks * bumps addon version * remove and ignore yarn install-state file * fixes auth service and console tests * moves classes from deleted files after bulma merge * fixes sass syntax errors blocking build * cleans up dart sass deprecation warnings * adds changelog entry * hides namespace picker when sidebar nav panel is minimized * style tweaks * fixes sidebar nav tests * bumps hds addon to latest version and removes style override * updates modify-passthrough-response helper * updates sidebar nav tests * mfa-setup test fix attempt * fixes cluster mfa setup test * remove deprecated yarn ignore-optional flag from makefile * removes another instance of yarn ignore-optional and updates ui readme * removes unsupported yarn verbose flag from ci-helper * hides nav headings when user does not have access to any sub links * removes unused optional deps and moves lint-staged to dev deps * updates has-permission helper and permissions service tests * fixes issue with console panel not filling container width
225 lines
7.9 KiB
JavaScript
225 lines
7.9 KiB
JavaScript
/**
|
|
* Copyright (c) HashiCorp, Inc.
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*/
|
|
|
|
import { module, test } from 'qunit';
|
|
import { setupTest } from 'ember-qunit';
|
|
import Pretender from 'pretender';
|
|
import Service from '@ember/service';
|
|
|
|
const PERMISSIONS_RESPONSE = {
|
|
data: {
|
|
exact_paths: {
|
|
foo: {
|
|
capabilities: ['read'],
|
|
},
|
|
'bar/bee': {
|
|
capabilities: ['create', 'list'],
|
|
},
|
|
boo: {
|
|
capabilities: ['deny'],
|
|
},
|
|
},
|
|
glob_paths: {
|
|
'baz/biz': {
|
|
capabilities: ['read'],
|
|
},
|
|
'ends/in/slash/': {
|
|
capabilities: ['list'],
|
|
},
|
|
},
|
|
},
|
|
};
|
|
|
|
module('Unit | Service | permissions', function (hooks) {
|
|
setupTest(hooks);
|
|
|
|
hooks.beforeEach(function () {
|
|
this.server = new Pretender();
|
|
this.server.get('/v1/sys/internal/ui/resultant-acl', () => {
|
|
return [200, { 'Content-Type': 'application/json' }, JSON.stringify(PERMISSIONS_RESPONSE)];
|
|
});
|
|
this.service = this.owner.lookup('service:permissions');
|
|
});
|
|
|
|
hooks.afterEach(function () {
|
|
this.server.shutdown();
|
|
});
|
|
|
|
test('sets paths properly', async function (assert) {
|
|
await this.service.getPaths.perform();
|
|
assert.deepEqual(this.service.get('exactPaths'), PERMISSIONS_RESPONSE.data.exact_paths);
|
|
assert.deepEqual(this.service.get('globPaths'), PERMISSIONS_RESPONSE.data.glob_paths);
|
|
});
|
|
|
|
test('returns true if a policy includes access to an exact path', function (assert) {
|
|
this.service.set('exactPaths', PERMISSIONS_RESPONSE.data.exact_paths);
|
|
assert.true(this.service.hasPermission('foo'));
|
|
});
|
|
|
|
test('returns true if a paths prefix is included in the policys exact paths', function (assert) {
|
|
this.service.set('exactPaths', PERMISSIONS_RESPONSE.data.exact_paths);
|
|
assert.true(this.service.hasPermission('bar'));
|
|
});
|
|
|
|
test('it returns true if a policy includes access to a glob path', function (assert) {
|
|
this.service.set('globPaths', PERMISSIONS_RESPONSE.data.glob_paths);
|
|
assert.true(this.service.hasPermission('baz/biz/hi'));
|
|
});
|
|
|
|
test('it returns true if a policy includes access to the * glob path', function (assert) {
|
|
const splatPath = { '': {} };
|
|
this.service.set('globPaths', splatPath);
|
|
assert.true(this.service.hasPermission('hi'));
|
|
});
|
|
|
|
test('it returns false if the matched path includes the deny capability', function (assert) {
|
|
this.service.set('globPaths', PERMISSIONS_RESPONSE.data.glob_paths);
|
|
assert.false(this.service.hasPermission('boo'));
|
|
});
|
|
|
|
test('it returns true if passed path does not end in a slash but globPath does', function (assert) {
|
|
this.service.set('globPaths', PERMISSIONS_RESPONSE.data.glob_paths);
|
|
assert.true(this.service.hasPermission('ends/in/slash'), 'matches without slash');
|
|
assert.true(this.service.hasPermission('ends/in/slash/'), 'matches with slash');
|
|
});
|
|
|
|
test('it returns false if a policy does not includes access to a path', function (assert) {
|
|
assert.false(this.service.hasPermission('danger'));
|
|
});
|
|
|
|
test('sets the root token', function (assert) {
|
|
this.service.setPaths({ data: { root: true } });
|
|
assert.true(this.service.canViewAll);
|
|
});
|
|
|
|
test('returns true with the root token', function (assert) {
|
|
this.service.set('canViewAll', true);
|
|
assert.true(this.service.hasPermission('hi'));
|
|
});
|
|
|
|
test('it returns true if a policy has the specified capabilities on a path', function (assert) {
|
|
this.service.set('exactPaths', PERMISSIONS_RESPONSE.data.exact_paths);
|
|
this.service.set('globPaths', PERMISSIONS_RESPONSE.data.glob_paths);
|
|
assert.true(this.service.hasPermission('bar/bee', ['create', 'list']));
|
|
assert.true(this.service.hasPermission('baz/biz', ['read']));
|
|
});
|
|
|
|
test('it returns false if a policy does not have the specified capabilities on a path', function (assert) {
|
|
this.service.set('exactPaths', PERMISSIONS_RESPONSE.data.exact_paths);
|
|
this.service.set('globPaths', PERMISSIONS_RESPONSE.data.glob_paths);
|
|
assert.false(this.service.hasPermission('bar/bee', ['create', 'delete']));
|
|
assert.false(this.service.hasPermission('foo', ['create']));
|
|
});
|
|
|
|
test('defaults to show all items when policy cannot be found', async function (assert) {
|
|
this.server.get('/v1/sys/internal/ui/resultant-acl', () => {
|
|
return [403, { 'Content-Type': 'application/json' }];
|
|
});
|
|
await this.service.getPaths.perform();
|
|
assert.true(this.service.canViewAll);
|
|
});
|
|
|
|
test('returns the first allowed nav route for policies', function (assert) {
|
|
const policyPaths = {
|
|
'sys/policies/acl': {
|
|
capabilities: ['deny'],
|
|
},
|
|
'sys/policies/rgp': {
|
|
capabilities: ['read'],
|
|
},
|
|
};
|
|
this.service.set('exactPaths', policyPaths);
|
|
assert.strictEqual(this.service.navPathParams('policies').models[0], 'rgp');
|
|
});
|
|
|
|
test('returns the first allowed nav route for access', function (assert) {
|
|
const accessPaths = {
|
|
'sys/auth': {
|
|
capabilities: ['deny'],
|
|
},
|
|
'identity/entity/id': {
|
|
capabilities: ['read'],
|
|
},
|
|
};
|
|
const expected = { route: 'vault.cluster.access.identity', models: ['entities'] };
|
|
this.service.set('exactPaths', accessPaths);
|
|
assert.deepEqual(this.service.navPathParams('access'), expected);
|
|
});
|
|
|
|
test('hasNavPermission returns true if a policy includes the required capabilities for at least one path', function (assert) {
|
|
const accessPaths = {
|
|
'sys/auth': {
|
|
capabilities: ['deny'],
|
|
},
|
|
'identity/group/id': {
|
|
capabilities: ['list', 'read'],
|
|
},
|
|
};
|
|
this.service.set('exactPaths', accessPaths);
|
|
assert.true(this.service.hasNavPermission('access', 'groups'));
|
|
});
|
|
|
|
test('hasNavPermission returns false if a policy does not include the required capabilities for at least one path', function (assert) {
|
|
const accessPaths = {
|
|
'sys/auth': {
|
|
capabilities: ['deny'],
|
|
},
|
|
'identity/group/id': {
|
|
capabilities: ['read'],
|
|
},
|
|
};
|
|
this.service.set('exactPaths', accessPaths);
|
|
assert.false(this.service.hasNavPermission('access', 'groups'));
|
|
});
|
|
|
|
test('hasNavPermission should handle routeParams as array', function (assert) {
|
|
const getPaths = (override) => ({
|
|
'sys/auth': {
|
|
capabilities: [override || 'read'],
|
|
},
|
|
'identity/mfa/method': {
|
|
capabilities: [override || 'read'],
|
|
},
|
|
'identity/oidc/client': {
|
|
capabilities: [override || 'deny'],
|
|
},
|
|
});
|
|
|
|
this.service.set('exactPaths', getPaths());
|
|
assert.true(
|
|
this.service.hasNavPermission('access', ['methods', 'mfa', 'oidc']),
|
|
'hasNavPermission returns true for array of route params when any route is permitted'
|
|
);
|
|
assert.false(
|
|
this.service.hasNavPermission('access', ['methods', 'mfa', 'oidc'], true),
|
|
'hasNavPermission returns false for array of route params when any route is not permitted and requireAll is passed'
|
|
);
|
|
|
|
this.service.set('exactPaths', getPaths('read'));
|
|
assert.true(
|
|
this.service.hasNavPermission('access', ['methods', 'mfa', 'oidc'], true),
|
|
'hasNavPermission returns true for array of route params when all routes are permitted and requireAll is passed'
|
|
);
|
|
|
|
this.service.set('exactPaths', getPaths('deny'));
|
|
assert.false(
|
|
this.service.hasNavPermission('access', ['methods', 'mfa', 'oidc']),
|
|
'hasNavPermission returns false for array of route params when no routes are permitted'
|
|
);
|
|
assert.false(
|
|
this.service.hasNavPermission('access', ['methods', 'mfa', 'oidc'], true),
|
|
'hasNavPermission returns false for array of route params when no routes are permitted and requireAll is passed'
|
|
);
|
|
});
|
|
|
|
test('appends the namespace to the path if there is one', function (assert) {
|
|
const namespaceService = Service.extend({
|
|
path: 'marketing',
|
|
});
|
|
this.owner.register('service:namespace', namespaceService);
|
|
assert.strictEqual(this.service.pathNameWithNamespace('sys/auth'), 'marketing/sys/auth');
|
|
});
|
|
});
|