UI: Don't show Resultant-ACL banner when wildcard policy present #26233

Merged

@hashishaw hashishaw commented Apr 1, 2024

This PR is to update the behavior of the Resultant ACL banner so that it no longer shows in child namespaces if the user has a "*" path in their policy.

  • Ent tests passed

How to test

To set up namespaces with some users to log in and verify the behavior, run the following script:

```shell
# create namespaces
vault namespace create admin
vault namespace create -namespace=admin child

# create policies
vault policy write root-admin - <<EOF
path "*" {
  capabilities = ["read", "list", "create", "update", "delete"]
}
EOF
vault policy write -namespace=admin admin - <<EOF
path "*" {
  capabilities = ["read", "list", "create", "update", "delete"]
}
EOF

# create users
vault auth enable userpass
vault write auth/userpass/users/root password=password policies=root-admin
vault auth enable -namespace=admin userpass
vault auth tune -namespace=admin -listing-visibility="unauth" userpass
vault write -namespace=admin auth/userpass/users/admin password=password policies=admin
```

Test 1

  • Log into root namespace with root username
  • resultant-acl banner is not rendered
  • Navigate to admin namespace
    - Previously, resultant-acl banner would show but with these changes it does not
  • Change namespace in url to some namespace that does not exist (eg "foo")
    - Previously, resultant-acl banner would show but with these changes it does not

Test 2

  • Log into admin namespace with admin username
  • resultant-acl banner is not rendered
  • Navigate to child namespace
    - Previously, resultant-acl banner would show but with these changes it does not
  • Change namespace in url to some namespace that does not exist (eg "foo")
  • Resultant-acl banner should show

[Screenshots: before and after]

This PR also updates the Resultant-ACL banner so that it only shows when a user has a non-expired token.
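
The banner outcomes listed in Test 1 and Test 2, modelled as an added JavaScript example; this is not code from the PR or from the Vault UI's permissions service. It assumes glob path keys are namespace-prefixed with the trailing `*` stripped, and that the banner is never shown in the namespace the token was issued in; the function and variable names are hypothetical.

```javascript
// Constructed model of the test steps; not the Vault UI implementation.
// Assumption: glob path keys carry the namespace prefix with the trailing "*"
// stripped, so `path "*"` in namespace "admin" is "admin/" and in root is "".
const clean = (ns) => String(ns || '').replace(/^\/+|\/+$/g, '');

// True when a non-deny wildcard covers targetNs or one of its ancestors.
function hasWildcardAccess(targetNs, globPaths = {}) {
  const parts = clean(targetNs).split('/').filter(Boolean);
  for (let i = parts.length; i >= 0; i--) {
    const key = i === 0 ? '' : `${parts.slice(0, i).join('/')}/`;
    const entry = Object.prototype.hasOwnProperty.call(globPaths, key) ? globPaths[key] : null;
    if (entry && !(entry.capabilities || []).includes('deny')) return true;
  }
  return false;
}

// userNs: namespace the token was issued in; currentNs: namespace in the URL.
function showResultantAclBanner({ userNs, currentNs, globPaths, tokenExpired }) {
  if (tokenExpired) return false; // mutually exclusive with the token-expired warning
  if (clean(userNs) === clean(currentNs)) return false; // assumption: never shown at home
  return !hasWildcardAccess(currentNs, globPaths);
}

// Constructed sample data mirroring the two users from the setup script.
const caps = { capabilities: ['read', 'list', 'create', 'update', 'delete'] };
const rootUser = { userNs: '', globPaths: { '': caps } };
const adminUser = { userNs: 'admin', globPaths: { 'admin/': caps } };

function runScenarios() {
  const at = (user, currentNs, tokenExpired = false) =>
    showResultantAclBanner({ ...user, currentNs, tokenExpired });
  return {
    rootInAdmin: at(rootUser, 'admin'),
    rootInFoo: at(rootUser, 'foo'),
    adminInChild: at(adminUser, 'admin/child'),
    adminInFoo: at(adminUser, 'foo'),
    adminInFooExpired: at(adminUser, 'foo', true),
  };
}
console.log(runScenarios());
```

Only `adminInFoo` is true: the admin user's wildcard lives under `admin/`, so it covers `admin/child` but not a namespace outside that subtree.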

@hashishaw hashishaw added ui bug Used to indicate a potential bug labels Apr 1, 2024
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Apr 1, 2024
github-actions bot commented Apr 1, 2024

CI Results:
All Go tests succeeded! ✅

@hellobontempo hellobontempo left a comment

Thank you for all of the comments and detailed testing steps!

@hashishaw hashishaw added this to the 1.15.8 milestone Apr 2, 2024
@hashishaw hashishaw marked this pull request as ready for review April 2, 2024 17:21
github-actions bot commented Apr 2, 2024

Build Results:
All builds succeeded! ✅

@hashishaw hashishaw modified the milestones: 1.15.8, 1.16.1 Apr 3, 2024
@hashishaw hashishaw merged commit f8f40c3 into main Apr 3, 2024
33 of 35 checks passed
@hashishaw hashishaw deleted the ui/VAULT-24544/hide-resultant-acl-when-wildcard-policy branch April 3, 2024 15:14
hashishaw added a commit that referenced this pull request Apr 3, 2024
)

* Add wildcard calc helpers to permissions service with tests

* Check for wildcard access when calculating permissionsBanner

* Move resultant-acl banner within TokenExpireWarning so it's mutually exclusive with token expired banner

* fix permissions banner if statement

* Add margin to resultant-acl

* cleanup comments
@hashishaw hashishaw modified the milestones: 1.16.1, 1.15.8 Apr 4, 2024
hashishaw added a commit that referenced this pull request Apr 4, 2024
)

hashishaw added a commit that referenced this pull request Apr 4, 2024
) (#26253)

hashishaw added a commit that referenced this pull request Apr 4, 2024
) (#26271)

akshya96 pushed a commit that referenced this pull request Apr 11, 2024
) (#26271)

akshya96 added a commit that referenced this pull request Apr 12, 2024
….15.x (#26143)

* Change minimum retention window CE changes  (#26118)

* Retention window oss changes

* latest oss changes

* remove operator_diagnose change

* backport of commit da21b85 (#25666)

Co-authored-by: Scott Miller <smiller@hashicorp.com>

* headers only modified if we have a header formatter and headers (#26140)

* backport of commit 1885f16 (#26153)

Co-authored-by: miagilepner <mia.epner@hashicorp.com>

* Known issues: Vault Enterprise - Performance Standby nodes audit log all request headers (#26158) (#26159)

* Add known issue docs for Ent Perf Standby audit header logging issue

* attempt to improve description

Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>

* Correct version for next 1.15 release (#26212)

* Update CHANGELOG.md (#26215)

To follow new processes for creating release notes on GitHub, I need to update the changelog on the release branch. I've opted to copy the entirety of the 1.15 changelog content to the release branch, adding the notes for 1.15.7.

Next I'll create the tag per these instructions https://github.com/hashicorp/engineering-docs/blob/main/consul/releases/release-process.md#manually-create-github-releases-for-ent-only-patch-releases, and update the release notes for that tag & release.

* backport of commit 92c5847 (#26234)

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* backport of commit f1922d2 (#26272)

Co-authored-by: Socheat Sok <socheatsok78@gmail.com>

* UI: Don't show Resultant-ACL banner when wildcard policy present (#26233) (#26271)

* Add wildcard calc helpers to permissions service with tests

* Check for wildcard access when calculating permissionsBanner

* Move resultant-acl banner within TokenExpireWarning so it's mutually exclusive with token expired banner

* fix permissions banner if statement

* Add margin to resultant-acl

* cleanup comments

* backport of commit d1fda88 (#26302)

Co-authored-by: James Bayer <1139532+jbayer@users.noreply.github.com>

* backport of commit 02312cb (#26305)

Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>

* backport of commit c9dafc1 (#26187)

Co-authored-by: NikolaiMagicnet <118166702+NikolaiMagicnet@users.noreply.github.com>

* UI: Replication page navigation fix (#26325) (#26339)

* Add replication mirage handler

* Add test with skipped failed assertion

* Use component-calculated attrsForCurrentMode instead of cluster.replicationAttrs which wasn't triggering component updates

* assert previously-skipped assertion

* Add changelog

* UI: fix replication nav 1.15.x (#26349)

* Update test selectors specific to 1.15.x

* calculate attrs based on replication-mode service instead of cluster model getter

* backport of commit 71758f4 (#26358)

Co-authored-by: Ryan Cragun <me@ryan.ec>

* UI: Dependency bumps 1.15.x (#26371)

* reform yarn.lock without minimatch or qs in resolutions

* pin async and nth-check

* fix TS errors after bump

* bump ember-template-lint and disable broken rules

* pin ansi-html

* add extra lint rule to skip

* remove ember-d3 in favor of specific d3 libraries we import except d3-selection which was failing in compareAttributes

* add changelog from PR to main

---------

Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Meggie <meggie@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Socheat Sok <socheatsok78@gmail.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Co-authored-by: James Bayer <1139532+jbayer@users.noreply.github.com>
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
Co-authored-by: NikolaiMagicnet <118166702+NikolaiMagicnet@users.noreply.github.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>