Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity

Remove Vault support; fix OpenID Connect client delete issue

Browse Source
This commit is contained in:
Garrett Mills 2022-10-26 02:59:43 -05:00
parent 562ada3af5
commit 35113ed81c
14 changed files with 24 additions and 403 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
app/assets/app/resource/iam/Policy.resource.js
View File

@ -129,7 +129,6 @@ class PolicyResource extends CRUDBase {
{display: 'API Scope', value: 'api_scope'}, {display: 'API Scope', value: 'api_scope'},
{display: 'Computer', value: 'machine'}, {display: 'Computer', value: 'machine'},
{display: 'Computer Group', value: 'machine_group'}, {display: 'Computer Group', value: 'machine_group'},
{display: 'Vault', value: 'vault'},
], ],
}, },
{ {
@ -180,18 +179,6 @@ class PolicyResource extends CRUDBase {
}, },
if: (form_data) => form_data.target_type === 'machine_group' if: (form_data) => form_data.target_type === 'machine_group'
}, },
{
name: 'Target',
field: 'target_id',
required: true,
type: 'select.dynamic',
options: {
resource: 'vault/Vault',
display: 'name',
value: 'id',
},
if: (form_data) => form_data.target_type === 'vault'
},
{ {
name: 'Permission', name: 'Permission',
field: 'permission', field: 'permission',
@ -256,22 +243,6 @@ class PolicyResource extends CRUDBase {
}, },
if: (form_data, opts) => form_data.target_type === 'machine_group' && opts?.length if: (form_data, opts) => form_data.target_type === 'machine_group' && opts?.length
}, },
{
name: 'Permission',
field: 'permission',
required: false,
type: 'select.dynamic',
options: {
resource: 'iam/Permission',
display: 'permission',
value: 'permission',
other_params: {
target_type: 'vault',
include_unset: true,
},
},
if: (form_data, opts) => form_data.target_type === 'vault' && opts?.length
},
], ],
/*handlers: { /*handlers: {
insert: { insert: {

62
app/assets/app/resource/vault/Vault.resource.js
View File

@ -1,62 +0,0 @@
import CRUDBase from '../CRUDBase.js'
class VaultResource extends CRUDBase {
constructor() {
super()
this.endpoint = '/api/v1/vault/vaults'
this.required_fields = ['name']
this.permission_base = 'v1:vault:vaults'
this.item = 'Vault'
this.plural = 'Vaults'
this.listing_definition = {
display: `Vaults are encrypted key-value stores that can be managed with IAM and accessed via REST APIs.`,
columns: [
{
name: 'Name',
field: 'name',
},
],
actions: [
{
type: 'resource',
position: 'main',
action: 'insert',
text: 'Create New',
color: 'success',
},
{
type: 'resource',
position: 'row',
action: 'update',
icon: 'fa fa-edit',
color: 'primary',
},
{
type: 'resource',
position: 'row',
action: 'delete',
icon: 'fa fa-times',
color: 'danger',
confirm: true,
},
],
}
this.form_definition = {
fields: [
{
name: 'Name',
field: 'name',
required: true,
type: 'text',
},
],
}
}
}
const vault_vault = new VaultResource()
export { vault_vault }

2
app/controllers/OpenID.controller.js
View File

@ -105,7 +105,7 @@ class OpenIDController extends Controller {
const Client = this.models.get('openid:Client') const Client = this.models.get('openid:Client')
const client = await Client.findById(req.params.id) const client = await Client.findById(req.params.id)
if ( !client || !client.active ) if ( !client )
return res.status(404) return res.status(404)
.message(req.T('api.client_not_found')) .message(req.T('api.client_not_found'))
.api() .api()

26
app/controllers/api/v1/IAM.controller.js
View File

@ -155,9 +155,9 @@ class IAMController extends Controller {
.message(`${req.T('common.invalid')} access_type. ${req.T('api.must_one')} allow, deny.`) .message(`${req.T('common.invalid')} access_type. ${req.T('api.must_one')} allow, deny.`)
.api() .api()
if ( !['application', 'api_scope', 'machine', 'machine_group', 'vault'].includes(req.body.target_type) ) if ( !['application', 'api_scope', 'machine', 'machine_group'].includes(req.body.target_type) )
return res.status(400) return res.status(400)
.message(`${req.T('common.invalid')} target_type. ${req.T('api.must_one')} application, api_scope, machine, machine_group, vault.`) .message(`${req.T('common.invalid')} target_type. ${req.T('api.must_one')} application, api_scope, machine, machine_group.`)
.api() .api()
// Make sure the target_id is valid // Make sure the target_id is valid
@ -188,13 +188,6 @@ class IAMController extends Controller {
return res.status(400) return res.status(400)
.message(`${req.T('common.invalid')} target_id.`) .message(`${req.T('common.invalid')} target_id.`)
.api() .api()
} else if ( req.body.target_type === 'vault' ) {
const Vault = this.models.get('vault:Vault')
const vault = await Vault.findById(req.body.target_id)
if ( !vault?.active || !(await Policy.check_user_access(req.user, vault.id, 'update')) )
return res.status(400)
.message(`${req.T('common.invalid')} target_id.`)
.api()
} }
const policy = new Policy({ const policy = new Policy({
@ -237,7 +230,7 @@ class IAMController extends Controller {
.api() .api()
} }
const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group', 'vault'] const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group']
if ( !valid_target_types.includes(req.body.target_type) ) { if ( !valid_target_types.includes(req.body.target_type) ) {
return res.status(400) return res.status(400)
.message(`${req.T('api.invalid_target_type')}`) .message(`${req.T('api.invalid_target_type')}`)
@ -319,9 +312,9 @@ class IAMController extends Controller {
.message(`${req.T('common.invalid')} access_type. ${req.T('api.must_one')} allow, deny.`) .message(`${req.T('common.invalid')} access_type. ${req.T('api.must_one')} allow, deny.`)
.api() .api()
if ( !['application', 'api_scope', 'machine', 'machine_group', 'vault'].includes(req.body.target_type) ) if ( !['application', 'api_scope', 'machine', 'machine_group'].includes(req.body.target_type) )
return res.status(400) return res.status(400)
.message(`${req.T('common.invalid')} target_type. ${req.T('api.must_one')} application, api_scope, machine, machine_group, vault.`) .message(`${req.T('common.invalid')} target_type. ${req.T('api.must_one')} application, api_scope, machine, machine_group.`)
.api() .api()
// Make sure the target_id is valid // Make sure the target_id is valid
@ -352,13 +345,6 @@ class IAMController extends Controller {
return res.status(400) return res.status(400)
.message(`${req.T('common.invalid')} target_id.`) .message(`${req.T('common.invalid')} target_id.`)
.api() .api()
} else if ( req.body.target_type === 'vault' ) {
const Vault = this.models.get('vault:Vault')
const vault = await Vault.findById(req.body.target_id)
if ( !vault?.active || !(await Policy.check_user_access(req.user, vault.id, 'update')) )
return res.status(400)
.message(`${req.T('common.invalid')} target_id.`)
.api()
} }
policy.entity_type = req.body.entity_type policy.entity_type = req.body.entity_type
@ -403,7 +389,7 @@ class IAMController extends Controller {
.api() .api()
} }
const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group', 'vault'] const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group']
if ( !valid_target_types.includes(req.body.target_type) ) { if ( !valid_target_types.includes(req.body.target_type) ) {
return res.status(400) return res.status(400)
.message(`${req.T('api.invalid_target_type')}`) .message(`${req.T('api.invalid_target_type')}`)

130
app/controllers/api/v1/Vault.controller.js
View File

@ -1,130 +0,0 @@
const { Controller } = require('libflitter')
class VaultController extends Controller {
static get services() {
return [...super.services, 'models']
}
async get_vaults(req, res, next) {
const Policy = this.models.get('iam:Policy')
const Vault = this.models.get('vault:Vault')
await Vault.for_user(req.user)
const vaults = await Vault.find({ active: true })
console.log('found vaults', vaults)
const accessible = []
for ( const vault of vaults ) {
if ( await Policy.check_user_access(req.user, vault.id, 'view') ) {
accessible.push(await vault.to_api())
}
}
return res.api(accessible)
}
async get_vault(req, res, next) {
const Policy = this.models.get('iam:Policy')
const Vault = this.models.get('vault:Vault')
const vault = await Vault.findById(req.params.id)
if ( !vault?.active ) {
return res.status(404)
.message(req.T('api.vault_not_found'))
.api()
}
if ( !(await Policy.check_user_access(req.user, vault.id, 'view')) ) {
return res.status(401)
.message(req.T('api.insufficient_permissions'))
.api()
}
return res.api(await vault.to_api())
}
async create_vault(req, res, next) {
const Policy = this.models.get('iam:Policy')
const Vault = this.models.get('vault:Vault')
if ( !req.body.name ) {
return res.status(400)
.message(`${req.T('api.missing_field')} name`)
.api()
}
const vault = new Vault({
name: req.body.name
})
await vault.save()
await vault.grant_default(req.user)
return res.api(await vault.to_api())
}
async update_vault(req, res, next) {
const Policy = this.models.get('iam:Policy')
const Vault = this.models.get('vault:Vault')
if ( !req.body.name ) {
return res.status(400)
.message(`${req.T('api.missing_field')} name`)
.api()
}
const vault = await Vault.findById(req.params.id)
if ( !vault?.active ) {
return res.status(404)
.message(req.T('api.vault_not_found'))
.api()
}
if ( !(await Policy.check_user_access(req.user, vault.id, 'update')) ) {
return res.status(401)
.message(req.T('api.insufficient_permissions'))
.api()
}
vault.name = req.body.name
await vault.save()
return res.api(await vault.to_api())
}
async delete_vault(req, res, next) {
const Policy = this.models.get('iam:Policy')
const Vault = this.models.get('vault:Vault')
const vault = await Vault.findById(req.params.id)
if ( !vault?.active ) {
return res.status(404)
.message(req.T('api.vault_not_found'))
.api()
}
if ( !(await Policy.check_user_access(req.user, vault.id, 'delete')) ) {
return res.status(401)
.message(req.T('api.insufficient_permissions'))
.api()
}
vault.active = false
await vault.save()
const policies = await Policy.find({
active: true,
target_type: 'vault',
target_id: vault.id,
})
for ( const policy of policies ) {
policy.active = false
await policy.save()
}
return res.api()
}
}
module.exports = exports = VaultController

6
app/models/iam/Policy.model.js
View File

@ -12,7 +12,7 @@ class PolicyModel extends Model {
entity_type: String, // user | group entity_type: String, // user | group
entity_id: String, entity_id: String,
access_type: String, // allow | deny access_type: String, // allow | deny
target_type: { type: String, default: 'application' }, // application | api_scope | machine | machine_group | vault target_type: { type: String, default: 'application' }, // application | api_scope | machine | machine_group
target_id: String, target_id: String,
active: { type: Boolean, default: true }, active: { type: Boolean, default: true },
for_permission: { type: Boolean, default: false }, for_permission: { type: Boolean, default: false },
@ -209,10 +209,6 @@ class PolicyModel extends Model {
const MachineGroup = this.models.get('ldap:MachineGroup') const MachineGroup = this.models.get('ldap:MachineGroup')
const group = await MachineGroup.findById(this.target_id) const group = await MachineGroup.findById(this.target_id)
target_display = `Computer Group: ${group.name} (${group.machine_ids.length} computers)` target_display = `Computer Group: ${group.name} (${group.machine_ids.length} computers)`
} else if ( this.target_type === 'vault' ) {
const Vault = this.models.get('vault:Vault')
const vault = await Vault.findById(this.target_id)
target_display = `Vault: ${vault.name}`
} }
return { return {

29
app/models/vault/Entry.model.js
View File

@ -1,29 +0,0 @@
const { Model } = require('flitter-orm')
class EntryModel extends Model {
static get services() {
return [...super.services, 'models']
}
static get schema() {
return {
active: { type: Boolean, default: true },
vault_id: String,
key: String,
locked_value: String,
}
}
async to_api() {
return {
id: this.id,
_id: this.id,
vault_id: this.vault_id,
key: this.key,
locked_value: this.locked_value,
active: this.active,
}
}
}
module.exports = exports = EntryModel

66
app/models/vault/Vault.model.js
View File

@ -1,66 +0,0 @@
const { Model } = require('flitter-orm')
class VaultModel extends Model {
static get services() {
return [...super.services, 'models']
}
static get schema() {
return {
active: { type: Boolean, default: true },
name: String,
user_id: String,
}
}
static async for_user(user) {
const existing = await this.findOne({
user_id: user.id,
})
if ( existing ) return existing
const vault = new this({
name: `${user.first_name} ${user.last_name}'s Vault`,
user_id: user.id,
})
await vault.save()
await vault.grant_default(user)
return vault
}
async grant_default(user) {
const Policy = this.models.get('iam:Policy')
const grants = ['view', 'read', 'update', 'delete', undefined]
for ( const grant of grants ) {
const policy = new Policy({
entity_type: 'user',
entity_id: user.id,
access_type: 'allow',
target_type: 'vault',
target_id: this.id,
...(grant ? {
for_permission: true,
permission: grant
} : {})
})
await policy.save()
}
}
async to_api() {
return {
id: this.id,
_id: this.id,
name: this.name,
active: this.active,
user_id: this.user_id,
}
}
}
module.exports = exports = VaultModel

41
app/routing/routers/api/v1/vault.routes.js
View File

@ -1,41 +0,0 @@
const iam_routes = {
prefix: '/api/v1/vault',
middleware: [
'auth:APIRoute'
],
get: {
'/vaults': [
['middleware::api:Permission', { check: 'v1:vault:vaults:list' }],
'controller::api:v1:Vault.get_vaults',
],
'/vaults/:id': [
['middleware::api:Permission', { check: 'v1:vault:vaults:get' }],
'controller::api:v1:Vault.get_vault',
],
},
post: {
'/vaults': [
['middleware::api:Permission', { check: 'v1:vault:vaults:create' }],
'controller::api:v1:Vault.create_vault',
],
},
patch: {
'/vaults/:id': [
['middleware::api:Permission', { check: 'v1:vault:vaults:update' }],
'controller::api:v1:Vault.update_vault',
],
},
delete: {
'/vaults/:id': [
['middleware::api:Permission', { check: 'v1:vault:vaults:delete' }],
'controller::api:v1:Vault.delete_vault',
],
},
}
module.exports = exports = iam_routes

14
app/unit/OpenIDConnectUnit.js
View File

@ -1,3 +1,4 @@
const fs = require('fs')
const Unit = require('libflitter/Unit') const Unit = require('libflitter/Unit')
const { Provider, interactionPolicy: { Prompt, base: policy } } = require('oidc-provider') const { Provider, interactionPolicy: { Prompt, base: policy } } = require('oidc-provider')
const uuid = require('uuid').v4 const uuid = require('uuid').v4
@ -14,6 +15,15 @@ class OpenIDConnectUnit extends Unit {
return [...super.services, 'output', 'configs', 'models'] return [...super.services, 'output', 'configs', 'models']
} }
load_jwks(file) {
if ( fs.existsSync(file) ) {
const content = fs.readFileSync(file)
try {
return JSON.parse(content)
} catch (e) {}
}
}
async go(app) { async go(app) {
this.Vue = this.app.di().get('Vue') this.Vue = this.app.di().get('Vue')
const issuer = this.configs.get('app.url') const issuer = this.configs.get('app.url')
@ -23,9 +33,13 @@ class OpenIDConnectUnit extends Unit {
CoreIDAdapter.connect(app) CoreIDAdapter.connect(app)
const jwks_file = this.configs.get('oidc.jwks_file')
const jwks = this.load_jwks(jwks_file)
this.provider = new Provider(issuer, { this.provider = new Provider(issuer, {
adapter: CoreIDAdapter, adapter: CoreIDAdapter,
clients: [], clients: [],
jwks,
interactions: { interactions: {
interactions, interactions,
url: (ctx, interaction) => `/openid/interaction/${ctx.oidc.uid.toLowerCase()}`, url: (ctx, interaction) => `/openid/interaction/${ctx.oidc.uid.toLowerCase()}`,

16
config/auth.config.js
View File

@ -13,22 +13,6 @@ const auth_config = {
target_type: 'machine_group', target_type: 'machine_group',
permission: 'sudo', permission: 'sudo',
}, },
{
target_type: 'vault',
permission: 'view',
},
{
target_type: 'vault',
permission: 'read',
},
{
target_type: 'vault',
permission: 'update',
},
{
target_type: 'vault',
permission: 'delete',
},
], ],
}, },

3
config/oidc.config.js
View File

@ -1,7 +1,8 @@
const oidc_config = { const oidc_config = {
provider: { provider: {
proxy: env('OPENID_CONNECT_PROXY', false), proxy: env('OPENID_CONNECT_PROXY', false),
} },
jwks_file: env('OPENID_CONNECT_JWKS_FILE'),
} }
module.exports = exports = oidc_config module.exports = exports = oidc_config

2
config/traps.config.js
View File

@ -38,7 +38,6 @@ const traps_config = {
'/api/v1/locale/batch', '/api/v1/locale/batch',
'/api/v1/auth/validate/username', '/api/v1/auth/validate/username',
'/api/v1/auth/attempt', '/api/v1/auth/attempt',
'/api/v1/vault/get-trust-payload',
], ],
}, },
verify_email: { verify_email: {
@ -51,7 +50,6 @@ const traps_config = {
'/api/v1/locale/batch', '/api/v1/locale/batch',
'/api/v1/auth/validate/username', '/api/v1/auth/validate/username',
'/api/v1/auth/attempt', '/api/v1/auth/attempt',
'/api/v1/vault/get-trust-payload',
'/auth/action/*', '/auth/action/*',
'/api/v1/message/banners', '/api/v1/message/banners',
'/api/v1/message/banners/read/*', '/api/v1/message/banners/read/*',

1
locale/en_US/api.locale.js
View File

@ -6,7 +6,6 @@ module.exports = exports = {
machine_not_found: 'Machine not found with that ID.', machine_not_found: 'Machine not found with that ID.',
group_already_exists: 'A group with that name already exists.', group_already_exists: 'A group with that name already exists.',
machine_already_exists: 'A machine with that name already exists.', machine_already_exists: 'A machine with that name already exists.',
vault_not_found: 'A vault with that ID not found.',
user_not_found: 'User not found with that ID.', user_not_found: 'User not found with that ID.',
photo_not_found: 'This user has no photo.', photo_not_found: 'This user has no photo.',