diff --git a/ui/app/adapters/pki/certificate.js b/ui/app/adapters/pki/certificate.js deleted file mode 100644 index 1c88c8979c..0000000000 --- a/ui/app/adapters/pki/certificate.js +++ /dev/null @@ -1,3 +0,0 @@ -import PkiCertAdapter from './cert'; - -export default class PkiCertificateAdapter extends PkiCertAdapter {} diff --git a/ui/app/adapters/pki/certificate/base.js b/ui/app/adapters/pki/certificate/base.js index c95f678dde..b36bb17320 100644 --- a/ui/app/adapters/pki/certificate/base.js +++ b/ui/app/adapters/pki/certificate/base.js @@ -4,10 +4,46 @@ import ApplicationAdapter from '../../application'; export default class PkiCertificateBaseAdapter extends ApplicationAdapter { namespace = 'v1'; - deleteRecord(store, type, snapshot) { + getURL(backend, id) { + const uri = `${this.buildURL()}/${encodePath(backend)}`; + return id ? `${uri}/cert/${id}` : `${uri}/certs`; + } + + fetchByQuery(query) { + const { backend, id } = query; + const data = !id ? { list: true } : {}; + return this.ajax(this.getURL(backend, id), 'GET', { data }).then((resp) => { + resp.data.backend = backend; + if (id) { + resp.data.id = id; + resp.data.serial_number = id; + } + return resp; + }); + } + + query(store, type, query) { + return this.fetchByQuery(query); + } + + queryRecord(store, type, query) { + return this.fetchByQuery(query); + } + + // the only way to update a record is by revoking it which will set the revocationTime property + updateRecord(store, type, snapshot) { const { backend, serialNumber, certificate } = snapshot.record; // Revoke certificate requires either serial_number or certificate const data = serialNumber ? { serial_number: serialNumber } : { certificate }; - return this.ajax(`${this.buildURL()}/${encodePath(backend)}/revoke`, 'POST', { data }); + return this.ajax(`${this.buildURL()}/${encodePath(backend)}/revoke`, 'POST', { data }).then( + (response) => { + return { + data: { + ...this.serialize(snapshot), + ...response.data, + }, + }; + } + ); } } diff --git a/ui/app/models/pki/certificate/base.js b/ui/app/models/pki/certificate/base.js index 517b70cf7e..3453167e8c 100644 --- a/ui/app/models/pki/certificate/base.js +++ b/ui/app/models/pki/certificate/base.js @@ -11,7 +11,15 @@ import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities'; * attributes and adapter methods. */ -const certDisplayFields = ['certificate', 'commonName', 'serialNumber', 'notValidAfter', 'notValidBefore']; +const certDisplayFields = [ + 'certificate', + 'commonName', + 'revocationTime', + 'issueDate', + 'serialNumber', + 'notValidBefore', + 'notValidAfter', +]; @withFormFields(certDisplayFields) export default class PkiCertificateBaseModel extends Model { @@ -31,16 +39,18 @@ export default class PkiCertificateBaseModel extends Model { // Attrs that come back from API POST request @attr() caChain; - @attr('string') certificate; + @attr('string', { masked: true }) certificate; @attr('number') expiration; + @attr('number', { formatDate: true }) revocationTime; @attr('string') issuingCa; @attr('string') privateKey; @attr('string') privateKeyType; @attr('string') serialNumber; // Parsed from cert in serializer - @attr('date') notValidAfter; - @attr('date') notValidBefore; + @attr('number', { formatDate: true }) issueDate; + @attr('number', { formatDate: true }) notValidAfter; + @attr('number', { formatDate: true }) notValidBefore; // For importing @attr('string') pemBundle; diff --git a/ui/app/serializers/pki/certificate/base.js b/ui/app/serializers/pki/certificate/base.js new file mode 100644 index 0000000000..30e904ae7d --- /dev/null +++ b/ui/app/serializers/pki/certificate/base.js @@ -0,0 +1,31 @@ +import { parseCertificate } from 'vault/helpers/parse-pki-cert'; +import ApplicationSerializer from '../../application'; + +export default class PkiCertificateBaseSerializer extends ApplicationSerializer { + primaryKey = 'serial_number'; + + attrs = { + role: { serialize: false }, + }; + + normalizeResponse(store, primaryModelClass, payload, id, requestType) { + if (payload.data.certificate) { + // Parse certificate back from the API and add to payload + const parsedCert = parseCertificate(payload.data.certificate); + // convert issueDate to same format as other date values + // this can be moved into the parseCertificate helper once the old pki implementation is removed + if (parsedCert.issue_date) { + parsedCert.issue_date = parsedCert.issue_date.valueOf(); + } + const json = super.normalizeResponse( + store, + primaryModelClass, + { ...payload, ...parsedCert }, + id, + requestType + ); + return json; + } + return super.normalizeResponse(...arguments); + } +} diff --git a/ui/app/serializers/pki/certificate/generate.js b/ui/app/serializers/pki/certificate/generate.js index fb06f8e8cd..332504f672 100644 --- a/ui/app/serializers/pki/certificate/generate.js +++ b/ui/app/serializers/pki/certificate/generate.js @@ -1,25 +1,3 @@ -import { parseCertificate } from 'vault/helpers/parse-pki-cert'; -import ApplicationSerializer from '../../application'; +import PkiCertificateBaseSerializer from './base'; -export default class PkiCertificateGenerateSerializer extends ApplicationSerializer { - primaryKey = 'serial_number'; - attrs = { - role: { serialize: false }, - }; - - normalizeResponse(store, primaryModelClass, payload, id, requestType) { - if (requestType === 'createRecord' && payload.data.certificate) { - // Parse certificate back from the API and add to payload - const parsedCert = parseCertificate(payload.data.certificate); - const json = super.normalizeResponse( - store, - primaryModelClass, - { ...payload, ...parsedCert }, - id, - requestType - ); - return json; - } - return super.normalizeResponse(...arguments); - } -} +export default class PkiCertificateGenerateSerializer extends PkiCertificateBaseSerializer {} diff --git a/ui/app/serializers/pki/certificate/sign.js b/ui/app/serializers/pki/certificate/sign.js index 367c6398a6..332504f672 100644 --- a/ui/app/serializers/pki/certificate/sign.js +++ b/ui/app/serializers/pki/certificate/sign.js @@ -1,25 +1,3 @@ -import { parseCertificate } from 'vault/helpers/parse-pki-cert'; -import ApplicationSerializer from '../../application'; +import PkiCertificateBaseSerializer from './base'; -export default class PkiCertificateSignSerializer extends ApplicationSerializer { - primaryKey = 'serial_number'; - attrs = { - type: { serialize: false }, - }; - - normalizeResponse(store, primaryModelClass, payload, id, requestType) { - if (requestType === 'createRecord' && payload.data.certificate) { - // Parse certificate back from the API and add to payload - const parsedCert = parseCertificate(payload.data.certificate); - const json = super.normalizeResponse( - store, - primaryModelClass, - { ...payload, ...parsedCert }, - id, - requestType - ); - return json; - } - return super.normalizeResponse(...arguments); - } -} +export default class PkiCertificateGenerateSerializer extends PkiCertificateBaseSerializer {} diff --git a/ui/lib/pki/addon/components/page/pki-certificate-details.hbs b/ui/lib/pki/addon/components/page/pki-certificate-details.hbs new file mode 100644 index 0000000000..2394ee70d0 --- /dev/null +++ b/ui/lib/pki/addon/components/page/pki-certificate-details.hbs @@ -0,0 +1,55 @@ + + + + {{#if @model.canRevoke}} + + Revoke certificate + + {{/if}} + + + +{{#each @model.formFields as |field|}} + {{#if (eq field.name "certificate")}} + + + + {{else if (eq field.name "serialNumber")}} + + {{@model.serialNumber}} + + {{else}} + + {{/if}} +{{/each}} + +{{#if @onBack}} +
+
+ +
+
+{{/if}} \ No newline at end of file diff --git a/ui/lib/pki/addon/components/page/pki-certificate-details.ts b/ui/lib/pki/addon/components/page/pki-certificate-details.ts new file mode 100644 index 0000000000..c3860892bd --- /dev/null +++ b/ui/lib/pki/addon/components/page/pki-certificate-details.ts @@ -0,0 +1,48 @@ +import Component from '@glimmer/component'; +import { service } from '@ember/service'; +import { action } from '@ember/object'; +import { task } from 'ember-concurrency'; +import { waitFor } from '@ember/test-waiters'; +import errorMessage from 'vault/utils/error-message'; +import FlashMessageService from 'vault/services/flash-messages'; +import DownloadService from 'vault/services/download'; +import PkiCertificateBaseModel from 'vault/models/pki/certificate/base'; + +interface Args { + model: PkiCertificateBaseModel; + onRevoke?: CallableFunction; + onBack?: CallableFunction; +} + +export default class PkiCertificateDetailsComponent extends Component { + @service declare readonly flashMessages: FlashMessageService; + @service declare readonly download: DownloadService; + + @action + downloadCert() { + try { + const formattedSerial = this.args.model.serialNumber?.replace(/(\s|:)+/g, '-'); + this.download.pem(formattedSerial, this.args.model.certificate); + this.flashMessages.info('Your download has started.'); + } catch (err) { + this.flashMessages.danger(errorMessage(err, 'Unable to prepare certificate for download.')); + } + } + + @task + @waitFor + *revoke() { + try { + // the adapter updateRecord method calls the revoke endpoint since it is the only way to update a cert + yield this.args.model.save(); + this.flashMessages.success('The certificate has been revoked.'); + if (this.args.onRevoke) { + this.args.onRevoke(); + } + } catch (error) { + this.flashMessages.danger( + errorMessage(error, 'Could not revoke certificate. See Vault logs for details.') + ); + } + } +} diff --git a/ui/lib/pki/addon/components/page/pki-overview.hbs b/ui/lib/pki/addon/components/page/pki-overview.hbs index caf511b1ac..4561584afb 100644 --- a/ui/lib/pki/addon/components/page/pki-overview.hbs +++ b/ui/lib/pki/addon/components/page/pki-overview.hbs @@ -60,7 +60,7 @@ - - - {{#if @model.canRevoke}} - - {{/if}} - - - {{#each @model.formFields as |attr|}} - {{#if (eq attr.name "certificate")}} - - - - {{else}} - - {{/if}} - {{/each}} -
-
- -
-
+ {{else}}
diff --git a/ui/lib/pki/addon/components/pki-role-generate.ts b/ui/lib/pki/addon/components/pki-role-generate.ts index beda63cdd4..f1968d77fa 100644 --- a/ui/lib/pki/addon/components/pki-role-generate.ts +++ b/ui/lib/pki/addon/components/pki-role-generate.ts @@ -24,10 +24,6 @@ export default class PkiRoleGenerate extends Component { @tracked errorBanner = ''; - transitionToRole() { - this.router.transitionTo('vault.cluster.secrets.backend.pki.roles.role.details'); - } - get verb() { return this.args.type === 'sign' ? 'sign' : 'generate'; } @@ -45,29 +41,8 @@ export default class PkiRoleGenerate extends Component { } } - @task - *revoke() { - try { - yield this.args.model.destroyRecord(); - this.flashMessages.success('The certificate has been revoked.'); - this.transitionToRole(); - } catch (err) { - this.errorBanner = errorMessage(err, 'Could not revoke certificate. See Vault logs for details.'); - } - } - - @action downloadCert() { - try { - const formattedSerial = this.args.model.serialNumber?.replace(/(\s|:)+/g, '-'); - this.download.pem(formattedSerial, this.args.model.certificate); - this.flashMessages.info('Your download has started.'); - } catch (err) { - this.flashMessages.danger(errorMessage(err, 'Unable to prepare certificate for download.')); - } - } - @action cancel() { this.args.model.unloadRecord(); - this.transitionToRole(); + this.router.transitionTo('vault.cluster.secrets.backend.pki.roles.role.details'); } } diff --git a/ui/lib/pki/addon/routes/certificates/certificate/details.js b/ui/lib/pki/addon/routes/certificates/certificate/details.js index a0bec30d03..be77bd8de4 100644 --- a/ui/lib/pki/addon/routes/certificates/certificate/details.js +++ b/ui/lib/pki/addon/routes/certificates/certificate/details.js @@ -1,3 +1,22 @@ import Route from '@ember/routing/route'; +import { inject as service } from '@ember/service'; -export default class PkiCertificateDetailsRoute extends Route {} +export default class PkiCertificateDetailsRoute extends Route { + @service store; + @service secretMountPath; + + model() { + const id = this.paramsFor('certificates/certificate').serial; + return this.store.queryRecord('pki/certificate/base', { backend: this.secretMountPath.currentPath, id }); + } + setupController(controller, model) { + super.setupController(controller, model); + const backend = this.secretMountPath.currentPath || 'pki'; + controller.breadcrumbs = [ + { label: 'secrets', route: 'secrets', linkExternal: true }, + { label: backend, route: 'overview' }, + { label: 'certificates', route: 'certificates.index' }, + { label: model.id }, + ]; + } +} diff --git a/ui/lib/pki/addon/routes/certificates/index.js b/ui/lib/pki/addon/routes/certificates/index.js index 401aee5508..5f5757668a 100644 --- a/ui/lib/pki/addon/routes/certificates/index.js +++ b/ui/lib/pki/addon/routes/certificates/index.js @@ -5,16 +5,10 @@ import { hash } from 'rsvp'; export default class PkiCertificatesIndexRoute extends PkiOverviewRoute { @service store; @service secretMountPath; - @service pathHelp; - - beforeModel() { - // Must call this promise before the model hook otherwise it doesn't add OpenApi to record. - return this.pathHelp.getNewModel('pki/certificate', this.secretMountPath.currentPath); - } async fetchCertificates() { try { - return await this.store.query('pki/certificate', { backend: this.secretMountPath.currentPath }); + return await this.store.query('pki/certificate/base', { backend: this.secretMountPath.currentPath }); } catch (e) { if (e.httpStatus === 404) { return { parentModel: this.modelFor('certificates') }; diff --git a/ui/lib/pki/addon/templates/certificates/certificate/details.hbs b/ui/lib/pki/addon/templates/certificates/certificate/details.hbs index 2ac0cad72c..895f1bd0a3 100644 --- a/ui/lib/pki/addon/templates/certificates/certificate/details.hbs +++ b/ui/lib/pki/addon/templates/certificates/certificate/details.hbs @@ -1 +1,12 @@ -route: certificate.details \ No newline at end of file + + + + + +

+ + View certificate +

+ + + \ No newline at end of file diff --git a/ui/tests/integration/components/pki/page/pki-certificate-details-test.js b/ui/tests/integration/components/pki/page/pki-certificate-details-test.js new file mode 100644 index 0000000000..b8dbdfc3d6 --- /dev/null +++ b/ui/tests/integration/components/pki/page/pki-certificate-details-test.js @@ -0,0 +1,116 @@ +import { module, test } from 'qunit'; +import { setupRenderingTest } from 'ember-qunit'; +import { click, render } from '@ember/test-helpers'; +import { hbs } from 'ember-cli-htmlbars'; +import { setupEngine } from 'ember-engines/test-support'; +import { setupMirage } from 'ember-cli-mirage/test-support'; +import sinon from 'sinon'; + +module('Integration | Component | pki | Page::PkiCertificateDetails', function (hooks) { + setupRenderingTest(hooks); + setupEngine(hooks, 'pki'); + setupMirage(hooks); + + hooks.beforeEach(function () { + const downloadService = this.owner.lookup('service:download'); + this.downloadSpy = sinon.stub(downloadService, 'pem'); + + const routerService = this.owner.lookup('service:router'); + this.routerSpy = sinon.stub(routerService, 'transitionTo'); + + this.owner.lookup('service:secretMountPath').update('pki'); + + const store = this.owner.lookup('service:store'); + const id = '4d:b6:ed:90:d6:b0:d4:bb:8e:5d:73:6a:6f:32:dc:8c:71:7c:db:5f'; + store.pushPayload('pki/certificate/base', { + modelName: 'pki/certificate/base', + data: { + certificate: '-----BEGIN CERTIFICATE-----', + common_name: 'example.com Intermediate Authority', + issue_date: 1673540867000, + serial_number: id, + not_valid_after: 1831220897000, + not_valid_before: 1673540867000, + }, + }); + this.model = store.peekRecord('pki/certificate/base', id); + + this.server.post('/sys/capabilities-self', () => ({ + data: { + capabilities: ['root'], + 'pki/revoke': ['root'], + }, + })); + }); + + test('it should render actions and fields', async function (assert) { + assert.expect(6); + + this.server.post('/pki/revoke', (schema, req) => { + const data = JSON.parse(req.requestBody); + assert.strictEqual( + data.serial_number, + this.model.serialNumber, + 'Revoke request made with serial number' + ); + return { + data: { + revocation_time: 1673972804, + revocation_time_rfc3339: '2023-01-17T16:26:44.960933411Z', + }, + }; + }); + + await render(hbs``, { owner: this.engine }); + + assert + .dom('[data-test-component="info-table-row"]') + .exists({ count: 6 }, 'Correct number of fields render when certificate has not been revoked'); + assert + .dom('[data-test-value-div="Certificate"] [data-test-masked-input]') + .exists('Masked input renders for certificate'); + assert.dom('[data-test-value-div="Serial number"] code').exists('Serial number renders as monospace'); + + await click('[data-test-pki-cert-download-button]'); + const { serialNumber, certificate } = this.model; + assert.ok( + this.downloadSpy.calledWith(serialNumber.replace(/(\s|:)+/g, '-'), certificate), + 'Download pem method called with correct args' + ); + + await click('[data-test-confirm-action-trigger]'); + await click('[data-test-confirm-button]'); + + assert.dom('[data-test-value-div="Revocation time"]').exists('Revocation time is displayed'); + }); + + test('it should render back button', async function (assert) { + assert.expect(1); + + this.cancel = () => assert.ok('onBack action is triggered'); + + await render(hbs``, { + owner: this.engine, + }); + await click('[data-test-pki-cert-details-back]'); + }); + + test('it should send action on revoke if provided', async function (assert) { + assert.expect(1); + + this.server.post('/pki/revoke', () => ({ + data: { + revocation_time: 1673972804, + revocation_time_rfc3339: '2023-01-17T16:26:44.960933411Z', + }, + })); + + this.revoked = () => assert.ok('onRevoke action is triggered'); + + await render(hbs``, { + owner: this.engine, + }); + await click('[data-test-confirm-action-trigger]'); + await click('[data-test-confirm-button]'); + }); +}); diff --git a/ui/tests/integration/components/pki/page/pki-overview-test.js b/ui/tests/integration/components/pki/page/pki-overview-test.js index 55cfe852c4..b281789cb6 100644 --- a/ui/tests/integration/components/pki/page/pki-overview-test.js +++ b/ui/tests/integration/components/pki/page/pki-overview-test.js @@ -21,8 +21,8 @@ module('Integration | Component | Page::PkiOverview', function (hooks) { this.store.createRecord('pki/role', { name: 'role-0' }); this.store.createRecord('pki/role', { name: 'role-1' }); this.store.createRecord('pki/role', { name: 'role-2' }); - this.store.createRecord('pki/certificate', { serialNumber: '22:2222:22222:2222' }); - this.store.createRecord('pki/certificate', { serialNumber: '33:3333:33333:3333' }); + this.store.createRecord('pki/certificate/base', { serialNumber: '22:2222:22222:2222' }); + this.store.createRecord('pki/certificate/base', { serialNumber: '33:3333:33333:3333' }); this.issuers = this.store.peekAll('pki/issuer'); this.roles = this.store.peekAll('pki/role'); diff --git a/ui/tests/unit/adapters/pki/certificate/base-test.js b/ui/tests/unit/adapters/pki/certificate/base-test.js new file mode 100644 index 0000000000..6cdd0c1cbc --- /dev/null +++ b/ui/tests/unit/adapters/pki/certificate/base-test.js @@ -0,0 +1,57 @@ +import { module, test } from 'qunit'; +import { setupTest } from 'vault/tests/helpers'; +import { setupMirage } from 'ember-cli-mirage/test-support'; + +module('Unit | Adapter | pki/certificate/base', function (hooks) { + setupTest(hooks); + setupMirage(hooks); + + hooks.beforeEach(function () { + this.store = this.owner.lookup('service:store'); + this.owner.lookup('service:secretMountPath').update('pki-test'); + }); + + test('it should make request to correct endpoint on queryRecord', async function (assert) { + assert.expect(1); + + this.server.get('/pki-test/cert/1234', () => { + assert.ok(true, 'Request made to correct endpoint on queryRecord'); + return { data: {} }; + }); + + await this.store.queryRecord('pki/certificate/base', { backend: 'pki-test', id: '1234' }); + }); + + test('it should make request to correct endpoint on query', async function (assert) { + assert.expect(1); + + this.server.get('/pki-test/certs', (schema, req) => { + assert.strictEqual(req.queryParams.list, 'true', 'Request made to correct endpoint on query'); + return { data: { keys: [] } }; + }); + + await this.store.query('pki/certificate/base', { backend: 'pki-test' }); + }); + + test('it should make request to correct endpoint on update', async function (assert) { + assert.expect(1); + + this.store.pushPayload('pki/certificate/base', { + modelName: 'pki/certificate/base', + data: { + serial_number: '1234', + }, + }); + + this.server.post('pki-test/revoke', (schema, req) => { + assert.deepEqual( + JSON.parse(req.requestBody), + { serial_number: '1234' }, + 'Request made to correct endpoint on update' + ); + return { data: {} }; + }); + + await this.store.peekRecord('pki/certificate/base', '1234').save(); + }); +}); diff --git a/ui/tests/unit/adapters/pki/certificate/generate-test.js b/ui/tests/unit/adapters/pki/certificate/generate-test.js index 6485465d2b..b809afaa66 100644 --- a/ui/tests/unit/adapters/pki/certificate/generate-test.js +++ b/ui/tests/unit/adapters/pki/certificate/generate-test.js @@ -35,20 +35,4 @@ module('Unit | Adapter | pki/certificate/generate', function (hooks) { const model = await this.store.createRecord('pki/certificate/generate', generateData); await model.save(); }); - - test('it should make request to correct endpoint on delete', async function (assert) { - assert.expect(2); - this.store.pushPayload('pki/certificate/generate', { - modelName: 'pki/certificate/generate', - ...this.data, - }); - this.server.post(`${this.backend}/revoke`, (schema, req) => { - assert.deepEqual(JSON.parse(req.requestBody), { serial_number: 'my-serial-number' }); - assert.ok(true, 'request made to correct endpoint on delete'); - return { data: {} }; - }); - - const model = await this.store.peekRecord('pki/certificate/generate', this.data.serial_number); - await model.destroyRecord(); - }); }); diff --git a/ui/tests/unit/adapters/pki/certificate/sign-test.js b/ui/tests/unit/adapters/pki/certificate/sign-test.js index 8ee54d7330..c0b9e08939 100644 --- a/ui/tests/unit/adapters/pki/certificate/sign-test.js +++ b/ui/tests/unit/adapters/pki/certificate/sign-test.js @@ -47,19 +47,4 @@ module('Unit | Adapter | pki/certificate/sign', function (hooks) { await this.store.createRecord('pki/certificate/sign', generateData).save(); }); - - test('it should make request to correct endpoint on delete', async function (assert) { - assert.expect(2); - this.store.pushPayload('pki/certificate/sign', { - modelName: 'pki/certificate/sign', - ...this.data, - }); - this.server.post(`${this.backend}/revoke`, (schema, req) => { - assert.deepEqual(JSON.parse(req.requestBody), { serial_number: 'my-serial-number' }); - assert.ok(true, 'request made to correct endpoint on delete'); - return { data: {} }; - }); - - await this.store.peekRecord('pki/certificate/sign', this.data.serial_number).destroyRecord(); - }); });