UI: fix PKI issuer capabilities (#24686)

Author: hashishaw

changelog/24686.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix incorrectly calculated capabilities on PKI issuer endpoints
+```

ui/app/models/pki/issuer.js

@@ -135,13 +135,14 @@ export default class PkiIssuerModel extends Model {
   @attr importedKeys;
   @attr mapping;
 
-  @lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}`) issuerPath;
-  @lazyCapabilities(apiPath`${'backend'}/root/rotate/exported`) rotateExported;
-  @lazyCapabilities(apiPath`${'backend'}/root/rotate/internal`) rotateInternal;
-  @lazyCapabilities(apiPath`${'backend'}/root/rotate/existing`) rotateExisting;
+  @lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}`, 'backend', 'issuerId') issuerPath;
+  @lazyCapabilities(apiPath`${'backend'}/root/rotate/exported`, 'backend') rotateExported;
+  @lazyCapabilities(apiPath`${'backend'}/root/rotate/internal`, 'backend') rotateInternal;
+  @lazyCapabilities(apiPath`${'backend'}/root/rotate/existing`, 'backend') rotateExisting;
   @lazyCapabilities(apiPath`${'backend'}/root`, 'backend') deletePath;
-  @lazyCapabilities(apiPath`${'backend'}/intermediate/cross-sign`) crossSignPath;
-  @lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}/sign-intermediate`) signIntermediate;
+  @lazyCapabilities(apiPath`${'backend'}/intermediate/cross-sign`, 'backend') crossSignPath;
+  @lazyCapabilities(apiPath`${'backend'}/issuer/${'issuerId'}/sign-intermediate`, 'backend', 'issuerId')
+  signIntermediate;
   get canRotateIssuer() {
     return (
       this.rotateExported.get('canUpdate') !== false ||

ui/tests/acceptance/pki/pki-engine-workflow-test.js

@@ -40,43 +40,53 @@ module('Acceptance | pki workflow', function (hooks) {
     await logout.visit();
     await authPage.login();
     // Cleanup engine
-    await runCmd(`delete sys/mounts/${this.mountPath}`, false);
+    await runCommands([`delete sys/mounts/${this.mountPath}`]);
   });
 
-  test('empty state messages are correct when PKI not configured', async function (assert) {
-    assert.expect(21);
-    const assertEmptyState = (assert, resource) => {
-      assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/pki/${resource}`);
-      assert
-        .dom(SELECTORS.emptyStateTitle)
-        .hasText(
-          'PKI not configured',
-          `${resource} index renders correct empty state title when PKI not configured`
-        );
-      assert.dom(SELECTORS.emptyStateLink).hasText('Configure PKI');
-      assert
-        .dom(SELECTORS.emptyStateMessage)
-        .hasText(
-          `This PKI mount hasn't yet been configured with a certificate issuer.`,
-          `${resource} index empty state message correct when PKI not configured`
-        );
-    };
-    await authPage.login(this.pkiAdminToken);
-    await visit(`/vault/secrets/${this.mountPath}/pki/overview`);
-    assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/pki/overview`);
-
-    await click(SELECTORS.rolesTab);
-    assertEmptyState(assert, 'roles');
-
-    await click(SELECTORS.issuersTab);
-    assertEmptyState(assert, 'issuers');
-
-    await click(SELECTORS.certsTab);
-    assertEmptyState(assert, 'certificates');
-    await click(SELECTORS.keysTab);
-    assertEmptyState(assert, 'keys');
-    await click(SELECTORS.tidyTab);
-    assertEmptyState(assert, 'tidy');
+  module('not configured', function (hooks) {
+    hooks.beforeEach(async function () {
+      await authPage.login();
+      const pki_admin_policy = adminPolicy(this.mountPath, 'roles');
+      this.pkiAdminToken = await tokenWithPolicy(`pki-admin-${this.mountPath}`, pki_admin_policy);
+      await logout.visit();
+      clearPkiRecords(this.store);
+    });
+
+    test('empty state messages are correct when PKI not configured', async function (assert) {
+      assert.expect(21);
+      const assertEmptyState = (assert, resource) => {
+        assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/pki/${resource}`);
+        assert
+          .dom(SELECTORS.emptyStateTitle)
+          .hasText(
+            'PKI not configured',
+            `${resource} index renders correct empty state title when PKI not configured`
+          );
+        assert.dom(SELECTORS.emptyStateLink).hasText('Configure PKI');
+        assert
+          .dom(SELECTORS.emptyStateMessage)
+          .hasText(
+            `This PKI mount hasn't yet been configured with a certificate issuer.`,
+            `${resource} index empty state message correct when PKI not configured`
+          );
+      };
+      await authPage.login(this.pkiAdminToken);
+      await visit(`/vault/secrets/${this.mountPath}/pki/overview`);
+      assert.strictEqual(currentURL(), `/vault/secrets/${this.mountPath}/pki/overview`);
+
+      await click(SELECTORS.rolesTab);
+      assertEmptyState(assert, 'roles');
+
+      await click(SELECTORS.issuersTab);
+      assertEmptyState(assert, 'issuers');
+
+      await click(SELECTORS.certsTab);
+      assertEmptyState(assert, 'certificates');
+      await click(SELECTORS.keysTab);
+      assertEmptyState(assert, 'keys');
+      await click(SELECTORS.tidyTab);
+      assertEmptyState(assert, 'tidy');
+    });
   });
 
   module('roles', function (hooks) {
@@ -231,10 +241,11 @@ module('Acceptance | pki workflow', function (hooks) {
       const pki_admin_policy = adminPolicy(this.mountPath);
       const pki_reader_policy = readerPolicy(this.mountPath, 'keys', true);
       const pki_editor_policy = updatePolicy(this.mountPath, 'keys');
-      this.pkiKeyReader = await runCmd(tokenWithPolicyCmd('pki-reader', pki_reader_policy));
-      this.pkiKeyEditor = await runCmd(tokenWithPolicyCmd('pki-editor', pki_editor_policy));
-      this.pkiAdminToken = await runCmd(tokenWithPolicyCmd('pki-admin', pki_admin_policy));
+      this.pkiKeyReader = await tokenWithPolicy(`pki-reader-${this.mountPath}`, pki_reader_policy);
+      this.pkiKeyEditor = await tokenWithPolicy(`pki-editor-${this.mountPath}`, pki_editor_policy);
+      this.pkiAdminToken = await tokenWithPolicy(`pki-admin-${this.mountPath}`, pki_admin_policy);
       await logout.visit();
+      clearPkiRecords(this.store);
     });
 
     test('shows correct items if user has all permissions', async function (assert) {
@@ -349,9 +360,12 @@ module('Acceptance | pki workflow', function (hooks) {
   module('issuers', function (hooks) {
     hooks.beforeEach(async function () {
       await authPage.login();
+      const pki_admin_policy = adminPolicy(this.mountPath);
+      this.pkiAdminToken = await tokenWithPolicy(`pki-admin-${this.mountPath}`, pki_admin_policy);
       // Configure engine with a default issuer
       await configureEngine(this.mountPath, 'common_name="Hashicorp Test" issuer_name="hashicorp_test"');
       await logout.visit();
+      clearPkiRecords(this.store);
     });
     test('lists the correct issuer metadata info', async function (assert) {
       assert.expect(8);

ui/tests/acceptance/pki/pki-overview-test.js

@@ -10,12 +10,18 @@ import logout from 'vault/tests/pages/logout';
 import enablePage from 'vault/tests/pages/settings/mount-secret-backend';
 import { click, currentURL, currentRouteName, visit } from '@ember/test-helpers';
 import { SELECTORS } from 'vault/tests/helpers/pki/overview';
-import { tokenWithPolicy, runCommands, configureEngine } from 'vault/tests/helpers/pki/pki-run-commands';
+import {
+  tokenWithPolicy,
+  runCommands,
+  configureEngine,
+  clearPkiRecords,
+} from 'vault/tests/helpers/pki/pki-run-commands';
 
 module('Acceptance | pki overview', function (hooks) {
   setupApplicationTest(hooks);
 
   hooks.beforeEach(async function () {
+    this.store = this.owner.lookup('service:store');
     await authPage.login();
     // Setup PKI engine
     const mountPath = `pki`;
@@ -42,6 +48,7 @@ module('Acceptance | pki overview', function (hooks) {
     this.pkiIssuersList = await tokenWithPolicy('pki-issuers-list', pki_issuers_list_policy);
     this.pkiAdminToken = await tokenWithPolicy('pki-admin', pki_admin_policy);
     await logout.visit();
+    clearPkiRecords(this.store);
   });
 
   hooks.afterEach(async function () {

ui/tests/helpers/pki/pki-run-commands.js

@@ -37,20 +37,21 @@ export const runCommands = async function (commands) {
     throw error;
   }
 };
-
 export const clearPkiRecords = (store) => {
   // Clears pki-related data and capabilities so that admin
   // capabilities from setup don't rollover in permissions tests
   store.unloadAll('pki/issuer');
   store.unloadAll('pki/action');
-  store.unloadAll('pki/config/acme');
   store.unloadAll('pki/certificate/generate');
   store.unloadAll('pki/certificate/sign');
   store.unloadAll('pki/config/cluster');
+  store.unloadAll('pki/action');
+  store.unloadAll('pki/issuer');
   store.unloadAll('pki/key');
   store.unloadAll('pki/role');
   store.unloadAll('pki/sign-intermediate');
   store.unloadAll('pki/tidy');
+  store.unloadAll('pki/config/acme');
   store.unloadAll('pki/config/urls');
   store.unloadAll('capabilities');
 };
@@ -68,4 +69,10 @@ export function arbitraryWait(millis = 1000) {
 export async function configureEngine(mountPath, opts = 'common_name="Hashicorp Test"') {
   await runCommands([`write -field=issuer_id ${mountPath}/root/generate/internal ${opts}`]);
   await arbitraryWait(500);
+  store.unloadAll('pki/config/crl');
+  store.unloadAll('pki/config/cluster');
+  store.unloadAll('pki/config/acme');
+  store.unloadAll('pki/certificate/generate');
+  store.unloadAll('pki/certificate/sign');
+  store.unloadAll('capabilities');
 }