Add basic logic for managing vaults
This commit is contained in:
@@ -152,12 +152,12 @@ class IAMController extends Controller {
|
||||
|
||||
if ( !['allow', 'deny'].includes(req.body.access_type) )
|
||||
return res.status(400)
|
||||
.message(`${req.T('common.invalid')} access_type. ${req.T('api:must_one')} allow, deny.`)
|
||||
.message(`${req.T('common.invalid')} access_type. ${req.T('api.must_one')} allow, deny.`)
|
||||
.api()
|
||||
|
||||
if ( !['application', 'api_scope', 'machine', 'machine_group'].includes(req.body.target_type) )
|
||||
if ( !['application', 'api_scope', 'machine', 'machine_group', 'vault'].includes(req.body.target_type) )
|
||||
return res.status(400)
|
||||
.message(`${req.T('common.invalid')} target_type. ${req.T('api:must_one')} application, api_scope, machine, machine_group.`)
|
||||
.message(`${req.T('common.invalid')} target_type. ${req.T('api.must_one')} application, api_scope, machine, machine_group, vault.`)
|
||||
.api()
|
||||
|
||||
// Make sure the target_id is valid
|
||||
@@ -188,6 +188,13 @@ class IAMController extends Controller {
|
||||
return res.status(400)
|
||||
.message(`${req.T('common.invalid')} target_id.`)
|
||||
.api()
|
||||
} else if ( req.body.target_type === 'vault' ) {
|
||||
const Vault = this.models.get('vault:Vault')
|
||||
const vault = await Vault.findById(req.body.target_id)
|
||||
if ( !vault?.active || !(await Policy.check_user_access(req.user, vault.id, 'update')) )
|
||||
return res.status(400)
|
||||
.message(`${req.T('common.invalid')} target_id.`)
|
||||
.api()
|
||||
}
|
||||
|
||||
const policy = new Policy({
|
||||
@@ -230,7 +237,7 @@ class IAMController extends Controller {
|
||||
.api()
|
||||
}
|
||||
|
||||
const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group']
|
||||
const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group', 'vault']
|
||||
if ( !valid_target_types.includes(req.body.target_type) ) {
|
||||
return res.status(400)
|
||||
.message(`${req.T('api.invalid_target_type')}`)
|
||||
@@ -312,9 +319,9 @@ class IAMController extends Controller {
|
||||
.message(`${req.T('common.invalid')} access_type. ${req.T('api.must_one')} allow, deny.`)
|
||||
.api()
|
||||
|
||||
if ( !['application', 'api_scope', 'machine', 'machine_group'].includes(req.body.target_type) )
|
||||
if ( !['application', 'api_scope', 'machine', 'machine_group', 'vault'].includes(req.body.target_type) )
|
||||
return res.status(400)
|
||||
.message(`${req.T('common.invalid')} target_type. ${req.T('api.must_one')} application, api_scope, machine, machine_group.`)
|
||||
.message(`${req.T('common.invalid')} target_type. ${req.T('api.must_one')} application, api_scope, machine, machine_group, vault.`)
|
||||
.api()
|
||||
|
||||
// Make sure the target_id is valid
|
||||
@@ -345,6 +352,13 @@ class IAMController extends Controller {
|
||||
return res.status(400)
|
||||
.message(`${req.T('common.invalid')} target_id.`)
|
||||
.api()
|
||||
} else if ( req.body.target_type === 'vault' ) {
|
||||
const Vault = this.models.get('vault:Vault')
|
||||
const vault = await Vault.findById(req.body.target_id)
|
||||
if ( !vault?.active || !(await Policy.check_user_access(req.user, vault.id, 'update')) )
|
||||
return res.status(400)
|
||||
.message(`${req.T('common.invalid')} target_id.`)
|
||||
.api()
|
||||
}
|
||||
|
||||
policy.entity_type = req.body.entity_type
|
||||
@@ -389,7 +403,7 @@ class IAMController extends Controller {
|
||||
.api()
|
||||
}
|
||||
|
||||
const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group']
|
||||
const valid_target_types = ['application', 'api_scope', 'machine', 'machine_group', 'vault']
|
||||
if ( !valid_target_types.includes(req.body.target_type) ) {
|
||||
return res.status(400)
|
||||
.message(`${req.T('api.invalid_target_type')}`)
|
||||
|
||||
130
app/controllers/api/v1/Vault.controller.js
Normal file
130
app/controllers/api/v1/Vault.controller.js
Normal file
@@ -0,0 +1,130 @@
|
||||
const { Controller } = require('libflitter')
|
||||
|
||||
class VaultController extends Controller {
|
||||
static get services() {
|
||||
return [...super.services, 'models']
|
||||
}
|
||||
|
||||
async get_vaults(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const Vault = this.models.get('vault:Vault')
|
||||
|
||||
await Vault.for_user(req.user)
|
||||
|
||||
const vaults = await Vault.find({ active: true })
|
||||
console.log('found vaults', vaults)
|
||||
|
||||
const accessible = []
|
||||
for ( const vault of vaults ) {
|
||||
if ( await Policy.check_user_access(req.user, vault.id, 'view') ) {
|
||||
accessible.push(await vault.to_api())
|
||||
}
|
||||
}
|
||||
|
||||
return res.api(accessible)
|
||||
}
|
||||
|
||||
async get_vault(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const Vault = this.models.get('vault:Vault')
|
||||
|
||||
const vault = await Vault.findById(req.params.id)
|
||||
if ( !vault?.active ) {
|
||||
return res.status(404)
|
||||
.message(req.T('api.vault_not_found'))
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !(await Policy.check_user_access(req.user, vault.id, 'view')) ) {
|
||||
return res.status(401)
|
||||
.message(req.T('api.insufficient_permissions'))
|
||||
.api()
|
||||
}
|
||||
|
||||
return res.api(await vault.to_api())
|
||||
}
|
||||
|
||||
async create_vault(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const Vault = this.models.get('vault:Vault')
|
||||
|
||||
if ( !req.body.name ) {
|
||||
return res.status(400)
|
||||
.message(`${req.T('api.missing_field')} name`)
|
||||
.api()
|
||||
}
|
||||
|
||||
const vault = new Vault({
|
||||
name: req.body.name
|
||||
})
|
||||
|
||||
await vault.save()
|
||||
await vault.grant_default(req.user)
|
||||
|
||||
return res.api(await vault.to_api())
|
||||
}
|
||||
|
||||
async update_vault(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const Vault = this.models.get('vault:Vault')
|
||||
|
||||
if ( !req.body.name ) {
|
||||
return res.status(400)
|
||||
.message(`${req.T('api.missing_field')} name`)
|
||||
.api()
|
||||
}
|
||||
|
||||
const vault = await Vault.findById(req.params.id)
|
||||
if ( !vault?.active ) {
|
||||
return res.status(404)
|
||||
.message(req.T('api.vault_not_found'))
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !(await Policy.check_user_access(req.user, vault.id, 'update')) ) {
|
||||
return res.status(401)
|
||||
.message(req.T('api.insufficient_permissions'))
|
||||
.api()
|
||||
}
|
||||
|
||||
vault.name = req.body.name
|
||||
await vault.save()
|
||||
return res.api(await vault.to_api())
|
||||
}
|
||||
|
||||
async delete_vault(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const Vault = this.models.get('vault:Vault')
|
||||
|
||||
const vault = await Vault.findById(req.params.id)
|
||||
if ( !vault?.active ) {
|
||||
return res.status(404)
|
||||
.message(req.T('api.vault_not_found'))
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !(await Policy.check_user_access(req.user, vault.id, 'delete')) ) {
|
||||
return res.status(401)
|
||||
.message(req.T('api.insufficient_permissions'))
|
||||
.api()
|
||||
}
|
||||
|
||||
vault.active = false
|
||||
await vault.save()
|
||||
|
||||
const policies = await Policy.find({
|
||||
active: true,
|
||||
target_type: 'vault',
|
||||
target_id: vault.id,
|
||||
})
|
||||
|
||||
for ( const policy of policies ) {
|
||||
policy.active = false
|
||||
await policy.save()
|
||||
}
|
||||
|
||||
return res.api()
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = VaultController
|
||||
Reference in New Issue
Block a user