conjur-asset-ui 1.4.2 → 1.6.0

data/app/src/app.js

@@ -0,0 +1,83 @@
+import './styles/bootstrap.less';
+import './styles/styles.less';
+
+import React from 'react';
+import Router from 'react-router';
+import Fluxxor from 'fluxxor';
+import {isObject} from 'lodash';
+
+import actions from './actions';
+import routes from './routes';
+
+import AppStore from './stores/app_store';
+import RouteStore from './stores/route_store';
+import SearchStore from './stores/search_store';
+import AuditStore from './stores/audit_store';
+import ResourcesStore from './stores/resources_store';
+import GraphStore from './stores/graph_store';
+
+import UserStore from './stores/user_store';
+import GroupStore from './stores/group_store';
+import HostStore from './stores/host_store';
+import LayerStore from './stores/layer_store';
+import VariableStore from './stores/variable_store';
+import PolicyStore from './stores/policy_store';
+
+let router = Router.create({
+    routes: routes,
+    location: Router.HistoryLocation
+});
+
+let stores = {
+    app: new AppStore(),
+    route: new RouteStore(),
+    search: new SearchStore(),
+    audit: new AuditStore(),
+    resources: new ResourcesStore(),
+    graph: new GraphStore(),
+    user: new UserStore(),
+    group: new GroupStore(),
+    host: new HostStore(),
+    layer: new LayerStore(),
+    variable: new VariableStore(),
+    policy: new PolicyStore()
+};
+
+let flux = new Fluxxor.Flux(stores, actions);
+
+flux.on('dispatch', function(type, payload) {
+    /*eslint-disable no-console */
+    if (console && console.log) {
+        console.log('[Dispatch]', type, payload);
+    }
+    /*eslint-enable no-console */
+});
+
+Promise.all([
+    new Promise((resolve) => {
+        if (window.addEventListener) {
+            window.addEventListener('DOMContentLoaded', resolve);
+        } else {
+            window.attachEvent('onload', resolve);
+        }
+    })
+]).then(() => {
+    router.run(function(Handler, state) {
+        if (flux.actions.getRManager().isLogged ||
+            (isObject(state.routes[0]) && (
+                state.routes[1].name === 'login' ||
+                    state.routes[1].name === 'logout'))) {
+
+            flux.actions.routes.transition(state.params);
+
+            React.render(
+                <Handler flux={flux} />,
+                document.getElementById('wrapper')
+            );
+        } else {
+            this.transitionTo('login', {}, {
+                returnTo: state.path
+            });
+        }
+    });
+});

data/app/src/clients/audit.js

@@ -0,0 +1,34 @@
+import 'event-source-polyfill';
+
+export const c = {
+    AUDIT_ALL: 'AUDIT_ALL',
+    AUDIT_FLOW: 'AUDIT_FLOW',
+    AUDIT_ROLE: 'AUDIT_ROLE',
+    AUDIT_RESOURCE: 'AUDIT_RESOURCE'
+};
+
+export function fetch(rmanager, type, fullId) {
+    switch (type) {
+    case c.AUDIT_ALL:
+        return rmanager
+            .callServer('GET', '/api/audit/all')
+            .end();
+
+        /*eslint-disable no-undef */
+    case c.AUDIT_FLOW:
+        return new EventSource('/api/audit/all');
+        /*eslint-enable no-undef */
+
+    case c.AUDIT_ROLE:
+        return rmanager
+            .callServer('GET', `/api/audit/roles/${fullId}`)
+            .end();
+
+    case c.AUDIT_RESOURCE:
+        return rmanager
+            .callServer('GET', `/api/audit/resources/${fullId}`)
+            .end();
+
+    default:
+    }
+}

data/app/src/clients/auth.js

@@ -0,0 +1,24 @@
+import {request} from './request';
+
+export function account() {
+    return request
+        .get('/api/info')
+        .timeout(30000)
+        .end();
+}
+
+export function login(username, password) {
+    return request
+        .get('/api/authn/users/login')
+        .auth(username, password)
+        .timeout(30000)
+        .end();
+}
+
+export function authenticate(username, apiKey) {
+    return request
+        .post(`/api/authn/users/${username}/authenticate`)
+        .send(apiKey)
+        .timeout(30000)
+        .end();
+}

data/app/src/clients/generic.js

@@ -0,0 +1,52 @@
+import {pluralize} from '../utils';
+
+export const c = {
+    ATTRIBUTES: 'ATTRIBUTES',
+    OWNED_RESOURCES: 'OWNED_RESOURCES',
+    ALL_ROLES: 'ALL_ROLES',
+    RESOURCE: 'RESOURCE',
+    PUBLIC_KEYS: 'PUBLIC_KEYS'
+};
+
+const encode = window.encodeURIComponent;
+
+export function fetch(rmanager, type, kind, id) {
+    switch (type) {
+    case c.ATTRIBUTES:
+        return rmanager
+            .callServer('GET', `/api/${pluralize(kind)}/${encode(id)}`)
+            .end();
+
+    case c.OWNED_RESOURCES:
+        var roleid = [kind, id].join(':');
+
+        return rmanager
+            .callServer('GET', `/api/authz/\${account}/resources?owner=${roleid}`)
+            .end()
+            .then(function(res) {
+                res.body = res.body.filter(function(item) {
+                    // assets of 'secret' kind are internal
+                    return item.id.split(':')[1] !== 'secret';
+                });
+
+                return res;
+            });
+
+    case c.ALL_ROLES:
+        return rmanager
+            .callServer('GET', `/api/authz/\${account}/roles/${encode(kind)}/${encode(id)}?all`)
+            .end();
+
+    case c.RESOURCE:
+        return rmanager
+            .callServer('GET', `/api/authz/\${account}/resources/${kind}/${encode(id)}`)
+            .end();
+
+    case c.PUBLIC_KEYS:
+        return rmanager
+            .callServer('GET', `/api/pubkeys/${encode(id)}`)
+            .end();
+
+    default:
+    }
+}

data/app/src/clients/graph.js

@@ -0,0 +1,7 @@
+const encode = window.encodeURIComponent;
+
+export function fetch(rmanager, fullId) {
+    return rmanager
+        .callServer('GET', `/api/authz/\${account}/roles?${encode('roles[]')}=${fullId}`)
+        .end();
+}

data/app/src/clients/layer_members.js

@@ -0,0 +1,18 @@
+export const c = {
+    LAYER_MEMBERS_USE: 'LAYER_MEMBERS_USE',
+    LAYER_MEMBERS_ADMIN: 'LAYER_MEMBERS_ADMIN'
+};
+
+export function fetch(rmanager, type, id) {
+    var role = '';
+
+    if (type === c.LAYER_MEMBERS_USE) {
+        role = `@/layer/${id}/use_host`;
+    } else if (type === c.LAYER_MEMBERS_ADMIN) {
+        role = `@/layer/${id}/admin_host`;
+    }
+
+    return rmanager
+        .callServer('GET', `/api/authz/\${account}/roles/${role}?members`)
+        .end();
+}

data/app/src/clients/list.js

@@ -0,0 +1,31 @@
+const encode = window.encodeURIComponent;
+
+export function fetch(rmanager, kind) {
+    if (kind === 'custom-type') {
+        return rmanager
+            .callServer('GET', `/api/authz/\${account}/resources`)
+            .end();
+    } else {
+        return rmanager
+            .callServer('GET', `/api/authz/\${account}/resources/${encode(kind)}`)
+            .end();
+    }
+}
+
+export function fetchOne(rmanager, kind, id) {
+    return rmanager
+        .callServer('GET', `/api/authz/\${account}/resources/${encode(kind)}/${encode(id)}`)
+        .end();
+}
+
+export function fetchGroupRoles(rmanager, id) {
+    return rmanager
+        .callServer('GET', `/api/authz/\${account}/roles/group/${id}?members`)
+        .end();
+}
+
+export function fetchResources(rmanager, fullId) {
+    return rmanager
+        .callServer('GET', `/api/authz/\${account}/resources?acting_as=${fullId}`)
+        .end();
+}

data/app/src/clients/members.js

@@ -0,0 +1,20 @@
+export const c = {
+    MEMBERS_EXECUTE: 'MEMBERS_EXECUTE',
+    MEMBERS_UPDATE: 'MEMBERS_UPDATE'
+};
+
+const encode = window.encodeURIComponent;
+
+export function fetch(rmanager, assetType, type, id) {
+    var privilege = '';
+
+    if (type === c.MEMBERS_EXECUTE) {
+        privilege = 'execute';
+    } else if (type === c.MEMBERS_UPDATE) {
+        privilege = 'update';
+    }
+
+    return rmanager
+        .callServer('GET', `/api/authz/\${account}/roles/allowed_to/${privilege}/${assetType}/${encode(id)}`)
+        .end();
+}

data/app/src/clients/request.js

@@ -0,0 +1,531 @@
+import {Buffer} from 'buffer';
+import _ from 'lodash';
+import superagent from 'superagent';
+import moment from 'moment';
+
+function PRequest(method, url, rmanager) {
+    superagent.Request.apply(this, [method, url]);
+
+    this.rmanager = rmanager;
+    this._highPriority = false;
+}
+
+PRequest.prototype = Object.create(superagent.Request.prototype);
+
+PRequest.prototype.highPriority = function() {
+    this._highPriority = true;
+    return this;
+};
+
+PRequest.prototype.isHighPriority = function() {
+    return this._highPriority;
+};
+
+PRequest.prototype.end = function() {
+    let _super = superagent.Request.prototype.end,
+        self = this;
+
+    return new Promise(function(accept, reject) {
+        self.rmanager.placeOnWaitQ(_super, self, accept, reject);
+    });
+};
+
+var configProps = {
+    _conf: {
+        value: {
+            applianceUrl: null,
+            account: null,
+            username: null,
+            apiKey: null,
+            token: null,
+            tokenExpire: null,
+            requestToken: null
+        }
+    }
+};
+
+/**
+ *
+ * RManagerNoopConfig provides a no-op configuration for
+ * RManager. Allows in-memory storage of attributes, always shows the
+ * user as logged in, disallows logout. Used when the UI is launched
+ * in plugin mode.
+ *
+ */
+function RManagerNoopConfig(configCookie) {
+    var cookie = JSON.parse(configCookie);
+    this.account = cookie.account;
+    this.applianceUrl = `http://${document.location.host}`;
+    this.username = cookie.login;
+}
+
+Object.defineProperties(RManagerNoopConfig.prototype, configProps);
+Object.defineProperties(RManagerNoopConfig.prototype, {
+    applianceUrl: {
+        get: function getApplianceUrl() {
+            return this._conf.applianceUrl;
+        },
+        set: function setApplianceUrl(applianceUrl) {
+            this._conf.applianceUrl = applianceUrl;
+        }
+    },
+    account: {
+        get: function getAccount() {
+            return this._conf.account;
+        },
+        set: function setAccount(account) {
+            this._conf.account = account;
+        }
+    },
+    username: {
+        get: function getUsername() {
+            return this._conf.username;
+        },
+        set: function setUsername(username) {
+            this._conf.username = username;
+        }
+    },
+    apiKey: {
+        get: function getApiKey() {
+            return this._conf.apiKey;
+        },
+        set: function setApiKey(apiKey) {
+            this._conf.apiKey = apiKey;
+        }
+    },
+    token: {
+        get: function getToken() {
+            return this._conf.token;
+        },
+        set: function setToken(token) {
+            this._conf.token = token;
+        }
+    },
+    tokenExpire: {
+        get: function getTokenExpire() {
+            return this._conf.tokenExpire;
+        },
+        set: function setTokenExpire(tokenExpire) {
+            this._conf.tokenExpire = tokenExpire;
+        }
+    },
+    isLogged: {
+        get: function() {
+            return true;
+        }
+    },
+    allowLogout: {
+        get: function() {
+            return false;
+        }
+    }
+});
+
+RManagerNoopConfig.prototype._saveState = function() {};
+RManagerNoopConfig.prototype._restoreState = function() {};
+RManagerNoopConfig.prototype._removeStoredState = function() {};
+
+/**
+ *
+ * RManagerLocalStorageConfig provides a local-storage-backed
+ * configuration for RManager. Persists the provided attributes to
+ * local storage, manages refreshing the user's token, shows the user
+ * as logged in while he has an active token, allows logout.
+ *
+ * Used when connecting to server-side UI.
+ */
+
+function RManagerLocalStorageConfig() {
+    this._timer = null;
+}
+
+Object.defineProperties(RManagerLocalStorageConfig.prototype, configProps);
+Object.defineProperties(RManagerLocalStorageConfig.prototype, {
+    applianceUrl: {
+        get: function getApplianceUrl() {
+            return this._conf.applianceUrl;
+        },
+        set: function setApplianceUrl(applianceUrl) {
+            this._conf.applianceUrl = applianceUrl;
+            this.account = null;
+        }
+    },
+    account: {
+        get: function getAccount() {
+            return this._conf.account;
+        },
+        set: function setAccount(account) {
+            this._conf.account = account;
+            this.username = null;
+        }
+    },
+    username: {
+        get: function getUsername() {
+            return this._conf.username;
+        },
+        set: function setUsername(username) {
+            this._conf.username = username;
+            this.apiKey = null;
+        }
+    },
+    apiKey: {
+        get: function getApiKey() {
+            return this._conf.apiKey;
+        },
+        set: function setApiKey(apiKey) {
+            this._conf.apiKey = apiKey;
+            this.token = null;
+        }
+    },
+    token: {
+        get: function getToken() {
+            return this._conf.token;
+        },
+        set: function setToken(token) {
+            if (_.isNull(token)) {
+                this._conf.token = null;
+            } else if (_.isString(token)) {
+                this._conf.token = token;
+            } else {
+                this._conf.token = new Buffer(JSON.stringify(token)).toString('base64');
+            }
+
+            this.tokenExpire = null;
+        }
+    },
+    tokenExpire: {
+        get: function getTokenExpire() {
+            return this._conf.tokenExpire;
+        },
+        set: function setTokenExpire(tokenExpire) {
+            this._stopTokenRefreshTimeout();
+
+            if (_.isNull(tokenExpire)) {
+                this._conf.tokenExpire = null;
+            } else {
+                const expirationDate = tokenExpire + 300000,
+                      timeout = expirationDate - moment.utc();
+
+                this._startTokenRefreshTimeout(timeout > 0 ? timeout : 1);
+                this._conf.tokenExpire = expirationDate;
+            }
+        }
+    },
+    isLogged: {
+        get: function isLogged() {
+            let diff = this.tokenExpire - moment.utc();
+
+            if (_.isString(this.applianceUrl) && _.isString(this.account) &&
+                _.isString(this.username) && _.isString(this.apiKey) &&
+                _.isString(this.token) && _.isNumber(this.tokenExpire) &&
+                (diff > 0)) {
+                return true;
+            } else {
+                return false;
+            }
+        }
+    },
+    allowLogout: {
+        get: function() {
+            return true;
+        }
+    }
+});
+
+RManagerLocalStorageConfig.prototype._saveState = function() {
+    if (this.isLogged) {
+        let state = {
+            applianceUrl: this.applianceUrl,
+            account: this.account,
+            username: this.username,
+            apiKey: this.apiKey,
+            token: this.token,
+            tokenExpire: this.tokenExpire
+        };
+
+        if (window.localStorage) {
+            window.localStorage.conjur = JSON.stringify(state);
+        }
+    }
+};
+
+RManagerLocalStorageConfig.prototype._restoreState = function() {
+    let state;
+
+    try {
+        if (window.localStorage) {
+            state = JSON.parse(window.localStorage.conjur);
+        }
+    } catch(e) {
+        this._removeStoredState();
+    }
+
+    if (_.isObject(state)) {
+        let diff = state.tokenExpire - moment.utc();
+
+        if (diff > 1000) { // expired
+            this.applianceUrl = state.applianceUrl;
+            this.account = state.account;
+            this.username = state.username;
+            this.apiKey = state.apiKey;
+            this.token = state.token;
+            this.tokenExpire = state.tokenExpire - 300000;
+        } else {
+            this._removeStoredState();
+        }
+    }
+};
+
+RManagerLocalStorageConfig.prototype._removeStoredState = function() {
+    if (window.localStorage) {
+        window.localStorage.conjur = null;
+    }
+};
+
+RManagerLocalStorageConfig.prototype._startTokenRefreshTimeout = function(timeout) {
+    this._timer = window.setTimeout(() => {
+        this.requestToken();
+    }, timeout);
+};
+
+RManagerLocalStorageConfig.prototype._stopTokenRefreshTimeout = function() {
+    window.clearTimeout(this._timer);
+};
+
+export function RManager(flux, configCookie) {
+    this.flux = flux;
+
+    this._config = configCookie? new RManagerNoopConfig(configCookie) : new RManagerLocalStorageConfig();
+    this._config._restoreState();
+    this._config.requestToken = _.bind(this.requestToken, this);
+
+    this._waitQueue = [];
+    this._runPool = {};
+    this._nextRequestId = 1;
+}
+
+Object.defineProperties(RManager.prototype, {
+    account: {
+        get: function() {
+            return this._config.account;
+        },
+        set: function(account) {
+            this._config.account = account;
+        }
+    },
+    username: {
+        get: function() {
+            return this._config.username;
+        },
+        set: function(u) {
+            this._config.username = u;
+        }
+    },
+    isLogged: {
+        get: function() {
+            return this._config.isLogged;
+        }
+    },
+    allowLogout: {
+        get: function() {
+            return this._config.allowLogout;
+        }
+    }
+});
+
+RManager.prototype.placeOnWaitQ = function(run, request, accept, reject) {
+    let self = this;
+
+    this._waitQueue.push({
+        request: request,
+        run: function(index) {
+            run.call(request, function(err, value) {
+                if (err || value.error) {
+                    if (value && value.error) {
+                        self.flux.actions.flashMessage(value.error.message);
+                    } else {
+                        self.flux.actions.flashMessage(err.message);
+                    }
+
+                    reject(value);
+                } else {
+                    accept(value);
+                }
+
+                self.removeFromRunPool(index);
+            });
+        }
+    });
+
+    this._notify();
+};
+
+RManager.prototype.emptyWaitQ = function() {
+    this._waitQueue = [];
+};
+
+RManager.prototype.takeFromWaitQ = function() {
+    return this._waitQueue.shift();
+};
+
+RManager.prototype.pushBackToWaitQ = function(request) {
+    this._waitQueue.unshift(request);
+};
+
+RManager.prototype.isWaitQEmpty = function() {
+    return this._waitQueue.length === 0;
+};
+
+RManager.prototype.isFirstOnWaitQHighPriority = function() {
+    return this._waitQueue[0] && this._waitQueue[0].request.isHighPriority();
+};
+
+RManager.prototype.placeInRunPool = function(request) {
+    const requestId = this._nextRequestId;
+    this._nextRequestId += 1;
+
+    this._runPool[requestId] = request;
+
+    return requestId;
+};
+
+RManager.prototype.removeFromRunPool = function(requestId) {
+    delete this._runPool[requestId];
+};
+
+RManager.prototype.isHighPriorityInRunPool = function() {
+    return _.isObject(_.find(this._runPool, (e) => {
+        return _.isObject(e) && e.request.isHighPriority();
+    }));
+};
+
+RManager.prototype._notify = function() {
+    // inspect run q for request to refresh token
+    if (this.isHighPriorityInRunPool()) {
+        // if yes - end method
+        return;
+        // if no - go forward
+        // if waitq is not empty - go forward
+    } else if (!this.isWaitQEmpty()) {
+        // if first on waitq is refresh token request
+        // run and place it on runq - end
+        if (this.isFirstOnWaitQHighPriority()) {
+            let request = this.takeFromWaitQ(),
+                requestId = this.placeInRunPool(request);
+
+            request.run(requestId);
+        } else {
+            // take from waitq util request to refresh token endpoint
+            // run them all and place on runq - end
+            let request,
+                requestId;
+
+            for (;;) {
+                request = this.takeFromWaitQ();
+
+                if (_.isUndefined(request) || _.isNull(request)) {
+                    break;
+                }
+
+                if (request.request.isHighPriority()) {
+                    this.pushBackToWaitQ(request);
+
+                    break;
+                }
+
+                requestId = this.placeInRunPool(request);
+
+                request.run(requestId);
+            }
+        }
+    }
+};
+
+RManager.prototype.getRequest = function(method, path) {
+    let url = path;
+
+    if (_.isString(this._config.applianceUrl)) {
+        url = `${this._config.applianceUrl}${url}`;
+    }
+
+    return new PRequest(method, url, this);
+};
+
+RManager.prototype.callServer = function(verb, path) {
+    let req = this.getRequest(
+        verb,
+        path.replace('\${account}', window.encodeURIComponent(this._config.account))
+    );
+
+    if (typeof this._config.token === 'string') {
+        req.set('Authorization', `Token token="${this._config.token}"`);
+    }
+
+    return req;
+};
+
+RManager.prototype.login = function(applianceUrl, username, password) {
+    return this.requestAccount(applianceUrl)
+        .then(() => {
+            return this.requestApiKey(username, password)
+                .then(() => {
+                    return this._config.requestToken();
+                });
+        })
+        .then(
+            () => {
+                return true;
+            },
+            () => {
+                return false;
+            });
+};
+
+RManager.prototype.logout = function() {
+    this._config.applianceUrl = null;
+    this._config._removeStoredState();
+    this.emptyWaitQ();
+};
+
+RManager.prototype.requestAccount = function(applianceUrl) {
+    return this
+        .getRequest('GET', '/api/info')
+        .timeout(30000)
+        .highPriority()
+        .end()
+        .then(res => {
+            this._config.applianceUrl = applianceUrl;
+            this._config.account = res.body.account;
+        });
+};
+
+RManager.prototype.requestApiKey = function(username, password) {
+    return this
+        .getRequest('GET', '/api/authn/users/login')
+        .auth(username, password)
+        .timeout(30000)
+        .highPriority()
+        .set('Accept', 'text/plain')
+        .end()
+        .then(res => {
+            this._config.username = username;
+            this._config.apiKey = res.text;
+        });
+};
+
+RManager.prototype.requestToken = function() {
+    return this
+        .getRequest('POST', `/api/authn/users/${this._config.username}/authenticate`)
+        .send(this._config.apiKey)
+        .timeout(30000)
+        .highPriority()
+        .end()
+        .then(res => {
+            this._config.token = res.body;
+            this._config.tokenExpire = moment.utc(res.body.timestamp, 'YYYY-MM-DD hh:mm:ss UTC');
+
+            if (this._config.isLogged) {
+                this._config._saveState();
+            }
+        });
+};