WebUI: Vault Management #139
|
I'm not sure if this is done on purpose, but the Vault section is shown there even though I have no KRA installed in the topology, and I'm getting an error. It is not nice; IMO some placeholder pointing to ipa-kra-install could be better |
ipaserver/plugins/internal.py
Outdated
| "shared": _("Shared"), | ||
| "shared_vaults_title": _("Shared Vaults"), | ||
| "standard_type": _("Standard"), | ||
| "type_tooltip": _("Only standard vaults can be created in \ |
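Review bot: The backslash that ends the `type_tooltip` line continues the string literal itself, so the indentation of the following source line becomes part of the translatable message. The value already sits inside `_( )`, so split it into adjacent string literals, one per line, and drop the backslash.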
You don't need \ there because the string is inside (), please use:
"first "
"second"
|
For other optional UIs like CA/Trusts or DNS, the Web UI checks on UI start whether the component is installed, by a batch command with:
{method: "env", params: [[], {}]}
{method: "dns_is_enabled", params: [[], {}]}
{method: "trustconfig_show", params: [[], {}]}
{method: "domainlevel_get", params: [[], {}]}
{method: "ca_is_enabled", params: [[], {}]}
For KRA, it can add a kra_is_enabled command. Traditionally, the UI is hidden if the component is not installed. |
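The start-up check described in the comment above, as an added example that is not part of the original thread and is not FreeIPA's own code: it builds the batch of probes and turns the positional results into feature flags, hiding a section whenever its probe is missing or errors. The `batch` envelope, the response layout (`result.results[i]` carrying `result` and `error`), and all function and section names are assumptions; `kra_is_enabled` is only the command proposed in the comment.

```javascript
// Added example, not FreeIPA code. Assumed: the "batch" envelope and the
// response layout result.results[i] = {result, error}; all names are hypothetical.
const PROBES = [
    { feature: 'dns', method: 'dns_is_enabled' },
    { feature: 'ca',  method: 'ca_is_enabled' },
    { feature: 'kra', method: 'kra_is_enabled' }  // proposed in the comment above
];

// Build one batch request using the per-command shape quoted in the comment.
function buildBatch(probes) {
    const calls = probes.map(p => ({ method: p.method, params: [[], {}] }));
    return { method: 'batch', params: [calls, {}] };
}

// Map positional batch results to flags. Fail closed: a missing entry, an
// error entry, or anything other than an explicit `true` hides the feature.
function featureFlags(probes, response) {
    const results = (response && response.result && response.result.results) || [];
    const flags = {};
    probes.forEach((p, i) => {
        const r = results[i];
        flags[p.feature] = Boolean(r) && !r.error && r.result === true;
    });
    return flags;
}

// Keep only the sections whose required component is reported as enabled.
function visibleSections(sections, flags) {
    return sections
        .filter(s => !s.requires || flags[s.requires] === true)
        .map(s => s.name);
}

// Constructed sample: DNS enabled, CA disabled, and a server that does not
// know kra_is_enabled yet and answers that slot with an error.
const SAMPLE_RESPONSE = { result: { count: 3, results: [
    { result: true, error: null },
    { result: false, error: null },
    { error: 'unknown command (constructed)' }
] } };

const SECTIONS = [
    { name: 'users' },
    { name: 'dns', requires: 'dns' },
    { name: 'certificates', requires: 'ca' },
    { name: 'vaults', requires: 'kra' }
];

console.log(visibleSections(SECTIONS, featureFlags(PROBES, SAMPLE_RESPONSE)));
```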
|
I created shared vault, but I cannot see it in 'Shared Vaults', it is shown only in 'My Vaults'.
'My Vaults': I expected that it will show all vaults created by me, but it is not true, it shows only my user vaults. Can we set name to more explicit, like 'My User Vaults' or is it too much and only I'm dumb?
I broke it, I cannot add vault, adder dialog just shows and instantly disappears. Steps to reproduce: No errors in browser console. What could cause this?
Can you please add tests for this?
Missing 'type' column in my vaults.
For symmetric vault, there is 'salt' shown in CLI, and I can change this in CLI. IMO this should be supported in webUI too.
For asymmetric vault, public key is shown in CLI, and user can also change this public key, IMO this should work in webUI too.
I would like to see big fat warning in adder dialog that content of 'standard' vaults can be seen by users with higher privileges (admins). This is the reason why we set symmetric vault as default in CLI. But because in webUI the standard vault is the only one vault that can be added, we should inform users to use rather CLI and create symmetric vault.
Vaultconfig-show shows transport certificate, should we show this in webUI as well? |
|
Yeah, and I forgot to write: There should be information in the webUI that secrets can be added/retrieved to vault only by using vault-archive and vault-retrieve from CLI |
|
Please disregard comment 1), it works (sorry :( my fault) |
|
@mbasti-rh The issue with showing error in case that KRA is not installed is also fixed. |
|
Fixed PEP8 errors. |
|
NACK
view My User Vaults/Add vault
Vault config view shows only one server, not a list of all KRA servers installed.
I'm quite puzzled with the behavior. So how does it actually work? What |
|
@mbasti-rh Thank you for review.
I understand that the difference between those two sections might not be very clear. If you have any idea on how to improve this, feel free to put a comment here or open a ticket. |
I have, you can extend vault-find command :) |
|
NACK: DNS records page is broken |
|
Server roles page is broken too, or at least it looks weird, probably server names are missing |
|
@mbasti-rh Both bugs fixed, thank you. Back to the difference between My User Vault and User Vault. I forgot to mention that My User Vault shows only vaults which are created for the user (who is logged in) and where that user is in Member or Owner group. I think that it is consistent with CLI, or not? |
|
Works for me |
|
@MartinBasti you approved this PR a month ago but it has neither the ACK flag nor was it merged. @pvomacka Your work would be useful for my Custodia Vault work. Can you rebase this PR to master to verify it still works? |
|
@tiran Yes, rebased. |
Comments in code.
install/ui/src/freeipa/vault.js
Outdated
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| */ |
Short copyright note should be used for new files.
Fixed
| "status_mod_s": _("Modified"), | ||
| "status_new_ns": _("New: key not set"), | ||
| "status_new_s": _("New: key set"), | ||
| }, |
missing in ipa_init.json, but could be ignored given that ipa_init.json will be removed anyway
Right, I won't add it there
| * | ||
| * @property {String} fieldname | ||
| */ | ||
| that.additional_add_del_field = spec.additional_add_del_field; |
I don't like this approach much. But we can live with it.
The approach adds a relatively big amount of code but it is limited only to one field.
You could use a similar approach to the one which is in IPA.dialog.
that.save = function(record) {
    var fields = that.fields.get_fields();
    for (var i=0; i<fields.length; i++) {
        var field = fields[i];
        field.save(record);
    }
};
Where only get_fields would be replaced by add_del_fields: ['field1','field2']. record could be an empty object and then you would use the command.set_options(otps) method.
| * @property other_option_name {String} | ||
| */ | ||
| that.other_option_name = spec.other_option_name; | ||
|
|
||
| that.other_entity = IPA.get_entity(spec.other_entity); |
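Review bot: The doc comment above `that.other_option_name` writes the tag as `@property other_option_name {String}`, while the other doc comments shown in this change put the type first (`@property {String} fieldname`); reorder it to `@property {String} other_option_name` so the tags read consistently. The `that.other_entity` assignment on the last line has no doc comment in the visible lines and should get one as well.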
Would be good also to add doc string for this one and attribute_member. This logic is becoming quite complex and confusing.
I wonder if we can come up with a general approach which would cover this and the join_additional_option use case. E.g. define a list of option value providers. But probably it is out of range of this patch.
Fixed
| * In case that there is set acl_param in spec then this property will be | ||
| * set to true and it checks ACLs. | ||
| */ | ||
| that.acl_param_set = !!spec.acl_param; |
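Review bot: The doc comment on `that.acl_param_set` describes only the case where `acl_param` is set in the spec; state what happens when it is not. According to the commit message for this change, association tables then do not check rights at all, and that opt-in default should be visible where the flag is defined.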
Do we really need it? Why can't you use !!that.acl_param later in the if?
Fixed
install/ui/src/freeipa/details.js
Outdated
| * | ||
| * @property {string} | ||
| */ | ||
| that.refresh_url_arg = spec.refresh_url_arg || null; |
Why do you use naming *_url_arg when the previous commit had naming refresh_attribute? Same issue in the following commit with update_url_arg. *_attribute is IMO better because it defines usage and not source of the value. Facets in fact should not be aware of urls. That is a role of the navigation subsystem.
Fixed
install/ui/src/freeipa/facet.js
Outdated
| * | ||
| * @property {String} | ||
| */ | ||
| that.load_page_additional_attr = spec.load_page_additional_attr || null; |
again, different naming pattern
Fixed
install/ui/src/freeipa/facet.js
Outdated
| * attribute, then checks whether the element exists and if it exists, then | ||
| * it removes it. | ||
| */ | ||
| that.remove_tab_from_sidebar = function(tab_name) { |
This logic, if it needs to be somewhere, then it should be in FacetGroupsWidget which is then accessible as that.tabs_widget. With interface hide_tab(tab_name) and show_tab(tab_name).
There you can get tab element by var tab_el = this.tab_els[tab_name]; which is more robust because tabs don't have to be <li> elements.
Yes, that makes sense to move it there. Fixed.
| * Creates specification of search facet for User Vaults | ||
| */ | ||
| var make_user_vault_search_spec = function() { | ||
| return { |
In self-service, user cannot add vault because 'add' button is hidden. He can add standard vault on CLI though.
It is hidden because of spec.hide_cond = spec.hide_cond || ['self-service']; in IPA.add_action
Yes, that's true, I will make a function which allows to override default actions of search facet and use own actions.
Fixed.
install/ui/src/freeipa/vault.js
Outdated
| that.create_content = function() { | ||
| var warn_st_w = that.widgets.get_widget('warning_st.warn_standard'); | ||
| var warn_arch_ret_w = that.widgets.get_widget('warning_ar.warn_arch_ret'); | ||
| var warn_standard = $('<div />', { |
can you use widget.alert_helper for generating the alert?
Fixed
Read the code, looks good, only one minor issue - wrong indentation.
install/ui/src/freeipa/vault.js
Outdated
| ] | ||
| }; | ||
|
|
||
| var section_warn_standard = { |
wrong indentation
@pvoborni fixed
By setting the property 'additional_add_del_field' to the name of one of
the fields which are on the current details page, we choose the field whose value
will be added to *_add_* and *_del_* commands in this format:
{field_name: field_value}
--field_name: field_value
Part of: https://fedorahosted.org/freeipa/ticket/5426
Association table's add, del commands need as option the list of cn of other_entity, which is added or deleted. There is a case (currently in vaults) that the name of the option is different than the name of other_entity. In this situation we can set 'other_option_name' and put there the option name. This option name will be used instead of 'other_entity' name.
Part of: https://fedorahosted.org/freeipa/ticket/5426
Useful in association tables which need to ignore object's metadata flags. Association tables don't check rights at all. They check them only when 'acl_param' is set in association table field spec. In case that checking metadata needs to be turned on even for Association table, then set 'check_writable_from_metadata' true value in spec.
Part of: https://fedorahosted.org/freeipa/ticket/5426
The 'refresh_option' of association field takes string. This string has to
correspond with field name on details page. In case that the field is present
the value of the field is passed to command as option in following format:
{fieldname: field_value}
Part of: https://fedorahosted.org/freeipa/ticket/5426
'refresh_attribute' can be set to the name of a url parameter. This parameter with its value is then passed to refresh command of the details facet.
Part of: https://fedorahosted.org/freeipa/ticket/5426
'update_attribute' can contain a name of field in details page. In that case the value of the field with field name will be appended to the update command options.
Part of: https://fedorahosted.org/freeipa/ticket/5426
Allow pagination to table facets which need to call _show on all rows with additional parameter. 'show_command_additional_attr' can be set to any attribute from result of _find command. This attribute is taken with its value and added to options of _each command for each row.
Part of: https://fedorahosted.org/freeipa/ticket/5426
…el command 'additional_table_attrs' can contain array of names of columns. Value from each column with its name will be added to the batch _del command. In case that the column with the set name does not exist - the name is skipped.
Part of: https://fedorahosted.org/freeipa/ticket/5426
Removes item selected by name attribute from sidebar
Part of: https://fedorahosted.org/freeipa/ticket/5426
While defining search facet and adding custom actions with the same name as default actions in search facet, custom actions will be used and their definition will override default actions.
Part of: https://fedorahosted.org/freeipa/ticket/5426
Allows to show rows which have the same primary key. Used in Vault.
https://fedorahosted.org/freeipa/ticket/5426
Add vault management into WebUI, there are some constraints:
- There is no crypto library so Symmetric and Asymmetric vaults are not supported in WebUI. Also retrieving or archiving data is not supported.
- There aren't any container support right now
Supported is:
- Browsing vaults
- Adding Standard vaults (users, service, shared)
- Removing vaults
- Adding and removing owners
- Adding and removing members
https://fedorahosted.org/freeipa/ticket/5426
Bunch of tests for WebUI Vault Management. Covers:
Adding vaults
Modifying vaults
Adding members and owners to all types of vaults
https://fedorahosted.org/freeipa/ticket/5426
|
master:
|
Add vault management into WebUI, there are some constraints:
are not supported in WebUI. Also retrieving or archiving data
is not supported.
Supported is: