Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebUI: Vault Management #139

Closed
wants to merge 15 commits into from
Closed

WebUI: Vault Management #139

wants to merge 15 commits into from

Conversation

pvomacka
Copy link

@pvomacka pvomacka commented Oct 5, 2016

Add vault management into WebUI, there are some constraints:

  • There is no crypto library so Symmetric and Assymetric vaults
    are not supported in WebUI. Also retrieving or archiving data
    is not supported.
  • There aren't any container support right now

Supported is:

  • Browsing vaults
  • Adding Standard vaults (users, service, shared)
  • Removing vaults
  • Adding and removing owners
  • Adding and removing members

@MartinBasti
Copy link
Contributor

I'm not sure if this is done on purpose, but Vault section is shown there even I have no KRA installed in topology, and I'm getting error

An error has occurred (IPA Error 3000: InvocationError)

KRA service is not enabled

It is not nice, IMO some placeholder pointing to ipa-kra-install could be better

"shared": _("Shared"),
"shared_vaults_title": _("Shared Vaults"),
"standard_type": _("Standard"),
"type_tooltip": _("Only standard vaults can be created in \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You dont need \ there because string is inside (), please use:

"first "
"second"

@pvoborni
Copy link
Member

pvoborni commented Oct 6, 2016

For other optional UIs like CA/Trusts or DNS, Web UI checks on UI start if the component is installed by batch command with:

{method: "env", params: [[], {}]}
{method: "dns_is_enabled", params: [[], {}]}
{method: "trustconfig_show", params: [[], {}]}
{method: "domainlevel_get", params: [[], {}]}
{method: "ca_is_enabled", params: [[], {}]}

For KRA, it can add kra_is_enabled command.

Traditionally, UI is hidden if component is not installed.

@MartinBasti
Copy link
Contributor

I created shared vault, but I cannot see it in 'Shared Vaults', it is show only in 'My Vaults'
i.e. it was created ad user vault according CLI

'My Vaults' I expected that it will show all vaults created by me, but it is not true, it shows only my user vaults. Can we set name to more explicit, like 'My User Vaults' or is it too much and only I'm dumb?

I broke it, I cannot add vault, adder dialog just show and instantly disappears

Steps to reproduce:
a. click on add vault
b. click on vault user, mark empty line (dont click)
c. press ESC (dialog should disappear)
d. click on add Vault again, it should not work
e. dialog suddenly shows when you click on My Vaults

No errors in browser console. What could cause this?

Can you please add tests for this?

  1. Nitpick
    If you add vault from Service vault, then predefined value should be service vault in adder dialog.
    Same for shared vault

Missing 'type' column in my vaults

For symmetric vault, there is 'salt' shown in CLI, and I can change this in CLI. IMO this should be supported in webUI too

For asymetric vault, public key is show in CLI, and user can also change this public key, IMO this should work in webUI too.

I would like to see big fat warning in adder dialog that content of 'standard' vaults can be seen by users with higher privileges (admins). This is the reason why we set symmetric vault as default in CLI. But because in webUI the standard vault is the only one vault that can be added, we should inform users to use rather CLI and create symmetric vault

  • IMO we should add this warning into CLI too

Vaultconfig-show shows transport certificate, should we shown this in webUI as well?

@MartinBasti
Copy link
Contributor

Yeah, and I forgot to write:

There should be an information in webUI, that secrets can be added/retrieved to vault only by using vault-archive and vault-retrieve from CLI

@MartinBasti
Copy link
Contributor

Please disregard comment 1), it works (sorry :( my fault)

@pvomacka
Copy link
Author

@mbasti-rh
2) fixed
3) I filled a ticket: https://fedorahosted.org/freeipa/ticket/6388
4) Tests added
5) Fixed
6) Fixed
7) Salt added
8) Field for public key added
9) Warning added
10) Transport certificate is now visible in WebUI
11) Information added into adder dialog

The issue with showing error in case that KRA is not installed is also fixed.

@pvomacka
Copy link
Author

Fixed PEP8 errors.

@MartinBasti
Copy link
Contributor

NACK

view My User Vaults/Add vault
There is no marked radio button and all fields are shown which are mutual exclusive. A one option from radio group should be marked. It is doing fancy things when no radiobutton is marked and you fill other fields and press add.

Vault config view shows only one server, not list of all KRA servers installed

I'm quite puzzled wit behavior User Vaults and My User Vaults executes following commands

User Vaults:  vault-find --users --pkey-only
My Users Vaults: vault-find

So how does it actually works? What My User Vault do then? I would expect a filter in that command and users flag. Also why in one case was called command with --pkey-only and not in second time?

@pvomacka
Copy link
Author

@mbasti-rh Thank you for review.

  1. Fixed

  2. Fixed
    Additionally I fixed two more issues which I found during testing. The tables on User Vaults or Service Vaults didn't show different (different users/services) vaults which have the same name - FIXED now.
    The second issue was that when i.e. admin add user/share vault on service page, the search page with new vault was not refreshed - FIXED now.

  3. My User Vaults calls vault-find which returns all Vaults which have currently logged user is in Owners or Members group. It is called without --pkey-only, because we want to get also information about vault type in response.
    User Vaults shows all user vaults (of all users) and there is --pkey-only because we call vault-show for each user vault which is returned and in each vault-show response we get all (and several more) information which are also in vault-find (without --pkey-only). So, we don't need to transfer data (those parts which are in both responses) twice.

I understand that the difference between those two sections could not be very clear. If you have any idea on how to improve this feel free to put a comment here or open a ticket.

@MartinBasti
Copy link
Contributor

I understand that the difference between those two sections could not be very clear. If you have any idea on how to improve this feel free to put a comment here or open a ticket.

I have, you can extend vault-find command :)

@MartinBasti
Copy link
Contributor

NACK: DNS records page is broken

@MartinBasti
Copy link
Contributor

Server roles page is broken too, or at least it looks weird, probably server names are missing

@pvomacka
Copy link
Author

@mbasti-rh Both bugs fixed, thank you.

Back to the difference between My User Vault and User Vault. I forgot to mention that My User Vault shows only vaults which are created for the user (who is logged in) and where that user is in Member or Owner group. I think that it is consistent with CLI, or not?

@MartinBasti
Copy link
Contributor

Works for me

@tiran
Copy link
Member

tiran commented Feb 23, 2017

@MartinBasti you approved this PR a month ago but it has neither the ACK flag nor was it merged.

@pvomacka Your work would be useful for my Custodia Vault work. Can you rebase this PR to master to verify it still works?

@pvomacka
Copy link
Author

@tiran Yes, rebased.

Copy link
Member

@pvoborni pvoborni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comments in code.

*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Short copyright note should be used for new files.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

"status_mod_s": _("Modified"),
"status_new_ns": _("New: key not set"),
"status_new_s": _("New: key set"),
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing in ipa_init.json, but could be ignored given that ipa_init.json will be removed anyway

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, I won't add it there

*
* @property {String} fieldname
*/
that.additional_add_del_field = spec.additional_add_del_field;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like this approach much. But we can live with it.

The approach adds relatively big amount of code but it is limited only to one field.

You could use similar approach which is in IPA.dialog.

    that.save = function(record) {
        var fields = that.fields.get_fields();
        for (var i=0; i<fields.length; i++) {
            var field = fields[i];
            field.save(record);
        }
    };

Where only get_fields would be replaced by add_del_fields: ['field1','field2'] record could be empty object and then you would use command.set_options(otps) method.

* @property other_option_name {String}
*/
that.other_option_name = spec.other_option_name;

that.other_entity = IPA.get_entity(spec.other_entity);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good also to add doc string for this one and attribute_member. This logic is becoming to be quite complex and confusing.

I wonder if we can come up with a general approach which would cover this and the join_additional_option use case. E.g. define a list of option value providers. But probably it is out of range of this patch.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

* In case that there is set acl_param in spec then this property will be
* set to true and it checks ACLs.
*/
that.acl_param_set = !!spec.acl_param;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need it? Why can't you use !!that.acl_param later in the if?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

*
* @property {string}
*/
that.refresh_url_arg = spec.refresh_url_arg || null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you use naming *_url_arg when previous commit had naming refresh_attribute. Same issue in following commit with update_url_arg. *_attribute is IMO better because it defines usage and not source of the value. Facets in fact should not be aware of urls. That is a role of navigation subsystem.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

*
* @property {String}
*/
that.load_page_additional_attr = spec.load_page_additional_attr || null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

again, different naming pattern

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

* attribute, then checks whether the element exists and if it exists, then
* it removes it.
*/
that.remove_tab_from_sidebar = function(tab_name) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this logic, if it needs to be somewhere then it should be in FacetGroupsWidget which is then accessible as that.tabs_widget. With interface hide_tab(tab_name) and show_tab(tab_name).

There you can get tab element by var tab_el = this.tab_els[tab_name]; which is more robust because tabs doesn't have to be <li> elements.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that make sense to move it there. Fixed.

* Creates specification of search facet for User Vaults
*/
var make_user_vault_search_spec = function() {
return {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In self-service, user cannot add vault because 'add' button is hidden. He can add stadard vault on CLI though.

It is hidden because of spec.hide_cond = spec.hide_cond || ['self-service']; in IPA.add_action

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's true, I will make a function which allows to override default actions of search facet and use own actions.

Fixed.

that.create_content = function() {
var warn_st_w = that.widgets.get_widget('warning_st.warn_standard');
var warn_arch_ret_w = that.widgets.get_widget('warning_ar.warn_arch_ret');
var warn_standard = $('<div />', {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you use widget.alert_helper for generating the alert?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

Copy link
Member

@pvoborni pvoborni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Read the code, looks good, only one minor issue - wrong indentation.

]
};

var section_warn_standard = {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrong indentation

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pvoborni fixed

Pavel Vomacka added 15 commits March 13, 2017 18:22
By setting the property 'additional_add_del_field' to the name of one of
the fields which are on current details page, we choose field which value
will be added to  *_add_* and *_del_* commands in this format:

{field_name: field_value}
--field_name: field_value

Part of: https://fedorahosted.org/freeipa/ticket/5426
Association table's add, del commands needs as option list of cn of
other_entity, which is added or deleted. There is a case (currently in vaults)
that the name of option is different than the name of other_entity.
In this situation we can set 'other_option_name' and put there the option name.
This option name will be used instead of 'other_entity' name.

Part of: https://fedorahosted.org/freeipa/ticket/5426
Useful in association tables which need to ignore object's metadata flags.
Association tables don't check right at all. They check them only when
'acl_param' is set in association table field spec. In case that checking metadata
needs to be turned on even for Association table, then set 'check_writable_from_metadata'
true value in spec.

Part of: https://fedorahosted.org/freeipa/ticket/5426
The 'refresh_option' of association field takes string. This string has to
correspond with field name on details page. In case that the field is present
the value of the field is passed to command as option in following format:

{fieldname: field_value}

Part of: https://fedorahosted.org/freeipa/ticket/5426
'refresh_attribute' can be set to the name of url parameter name. This parameter with
its value is then passed to refresh command of the details facet.

Part of: https://fedorahosted.org/freeipa/ticket/5426
'update_attribute' can contain a name of field in details page. In that case the value
of the field with field name will be appended to the update command options.

Part of: https://fedorahosted.org/freeipa/ticket/5426
Allow pagination to table facets which needs to call _show on all rows
with additional parameter. 'show_command_additional_attr' can be set to any
attribute from result of _find command. This attribute is taken with its value
and added to options of _each command for each row.

Part of: https://fedorahosted.org/freeipa/ticket/5426
…el command

'additional_table_attrs' can contain array of names of columns. Value from each
column with its name will be added to the batch _del command. in case that
the column with set name does not exists - the name is skipped.

Part of: https://fedorahosted.org/freeipa/ticket/5426
Removes item selected by name attribute from sidebar

Part of: https://fedorahosted.org/freeipa/ticket/5426
While defining search facet and adding custom actions with the same name
as default actions in search facet. Custom actions will be used and their
definition will override default actions.

Part of:https://fedorahosted.org/freeipa/ticket/5426
Allows to show rows which have the same primary key. Used in Vault.

https://fedorahosted.org/freeipa/ticket/5426
Add vault management into WebUI, there are some constraints:
- There is no crypto library so Symmetric and Assymetric vaults
  are not supported in WebUI. Also retrieving or archiving data
  is not supported.
- There aren't any container support right now

Supported is:
- Browsing vaults
- Adding Standard vaults (users, service, shared)
- Removing vaults
- Adding and removing owners
- Adding and removing members

https://fedorahosted.org/freeipa/ticket/5426
Bunch of tests for WebUI Vault Management.

Covers:
Adding vaults
Modifying vaults
Adding members and owners to all types of vaults

https://fedorahosted.org/freeipa/ticket/5426
@pvoborni pvoborni added the ack Pull Request approved, can be merged label Mar 14, 2017
@MartinBasti
Copy link
Contributor

master:

  • c3115fa Additional option to add and del operations can be set
  • ec63456 Allow to set another other_entity name
  • 93a7f4c Possibility to skip checking writable according to metadata
  • 6d1374f Added optional option in refreshing after modifying association table
  • bbca1d9 Add property which allows refresh command to use url value
  • 042e113 Add possibility to pass url parameter to update command of details page
  • 2e6e069 Extend _show command after _find command in table facets
  • 039a6f7 Possibility to set list of table attributes which will be added to _del command
  • 8dfe692 Add possibility to hide only one tab in sidebar
  • de4d4a5 WebUI: search facet's default actions might be overriden
  • 587b732 WebUI: allow to show rows with same pkey in tables
  • 39d7ef3 WebUI: add vault management
  • ab8c69f TESTS: Add support for KRA in ui_driver
  • 0808504 TESTS: Add support for sidebar with facets
  • f952757 TESTS WebUI: Vaults management

@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Mar 14, 2017
@MartinBasti MartinBasti removed their assignment Mar 14, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ack Pull Request approved, can be merged pushed Pull Request has already been pushed
Projects
None yet
4 participants