k.startsWith(namespace)) ||
+ Object.keys(this.exactPaths).any((k) => k.startsWith(namespace));
+ this.set('permissionsBanner', allowed ? null : PERMISSIONS_BANNER_STATES.noAccess);
+ },
+
setPaths(resp) {
this.set('exactPaths', resp.data.exact_paths);
this.set('globPaths', resp.data.glob_paths);
this.set('canViewAll', resp.data.root);
this.set('chrootNamespace', resp.data.chroot_namespace);
- this.set('readFailed', false);
+ this.calcNsAccess();
},
reset() {
this.set('exactPaths', null);
this.set('globPaths', null);
this.set('canViewAll', null);
- this.set('readFailed', false);
this.set('chrootNamespace', null);
+ this.set('permissionsBanner', null);
},
hasNavPermission(navItem, routeParams, requireAll) {
@@ -128,9 +151,7 @@ export default Service.extend({
},
pathNameWithNamespace(pathName) {
- const namespace = this.chrootNamespace
- ? `${sanitizePath(this.chrootNamespace)}/${sanitizePath(this.namespace.path)}`
- : sanitizePath(this.namespace.path);
+ const namespace = this.baseNs;
if (namespace) {
return `${sanitizePath(namespace)}/${sanitizeStart(pathName)}`;
} else {
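Review bot: `pathNameWithNamespace` no longer shows how the prefix is built once `const namespace = this.baseNs;` replaces the inline chroot/namespace join, and `baseNs` is defined outside this hunk. Since this prefix decides which ACL paths are matched, a short comment above the assignment would help, for example `// baseNs: chroot namespace (if any) joined with the current namespace path`, assuming that is what `baseNs` returns. The result is still passed through `sanitizePath(namespace)` on the return line, so state in the `baseNs` doc whether it is already sanitized. The function body continues past the end of this hunk.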
diff --git a/ui/app/templates/vault/cluster.hbs b/ui/app/templates/vault/cluster.hbs
index da95a414eb3e..c13e4b95cbfc 100644
--- a/ui/app/templates/vault/cluster.hbs
+++ b/ui/app/templates/vault/cluster.hbs
@@ -11,8 +11,8 @@
@autoloaded={{eq this.activeCluster.licenseState "autoloaded"}}
/>
{{/if}}
- {{#if this.permissionReadFailed}}
-
+ {{#if this.permissionBanner}}
+
{{/if}}
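Review bot: The new condition reads `this.permissionBanner`, while the permissions service in this same diff sets `permissionsBanner` (`this.set('permissionsBanner', ...)` in the access check and in `reset()`). The controller that backs this template is not visible here, so this may be a deliberate alias. If it is not, the banner would never render and a user without access to the namespace would get no warning. Either confirm that the controller defines `permissionBanner`, or use one spelling throughout, e.g. `{{#if this.permissionsBanner}}`.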
diff --git a/ui/tests/integration/components/resultant-acl-banner-test.js b/ui/tests/integration/components/resultant-acl-banner-test.js
index 97de2c59bd37..f64ad7154683 100644
--- a/ui/tests/integration/components/resultant-acl-banner-test.js
+++ b/ui/tests/integration/components/resultant-acl-banner-test.js
@@ -7,35 +7,51 @@ import { module, test } from 'qunit';
import { setupRenderingTest } from 'vault/tests/helpers';
import { click, render } from '@ember/test-helpers';
import { hbs } from 'ember-cli-htmlbars';
+import { PERMISSIONS_BANNER_STATES } from 'vault/services/permissions';
+const TEXT = {
+ titleReadFail: 'Resultant ACL check failed',
+ titleNoAccess: 'You do not have access to this namespace',
+ messageReadFail:
+ "Links might be shown that you don't have access to. Contact your administrator to update your policy.",
+ messageNoAccess:
+ 'Log into the namespace directly, or contact your administrator if you think you should have access.',
+};
module('Integration | Component | resultant-acl-banner', function (hooks) {
setupRenderingTest(hooks);
test('it renders correctly by default', async function (assert) {
await render(hbs``);
- assert.dom('[data-test-resultant-acl-banner] .hds-alert__title').hasText('Resultant ACL check failed');
- assert
- .dom('[data-test-resultant-acl-banner] .hds-alert__description')
- .hasText(
- "Links might be shown that you don't have access to. Contact your administrator to update your policy."
- );
+ assert.dom('[data-test-resultant-acl-banner] .hds-alert__title').hasText(TEXT.titleReadFail);
+ assert.dom('[data-test-resultant-acl-banner] .hds-alert__description').hasText(TEXT.messageReadFail);
assert.dom('[data-test-resultant-acl-reauthenticate]').doesNotExist('Does not show reauth link');
});
test('it renders correctly with set namespace', async function (assert) {
const nsService = this.owner.lookup('service:namespace');
nsService.setNamespace('my-ns');
+ this.set('failType', undefined);
- await render(hbs``);
+ await render(hbs``);
- assert.dom('[data-test-resultant-acl-banner] .hds-alert__title').hasText('Resultant ACL check failed');
+ assert
+ .dom('[data-test-resultant-acl-banner] .hds-alert__title')
+ .hasText(TEXT.titleReadFail, 'title correct for default fail type');
assert
.dom('[data-test-resultant-acl-banner] .hds-alert__description')
- .hasText('You do not have access to resources in this namespace.');
+ .hasText(TEXT.messageReadFail, 'message correct for default fail type');
assert
.dom('[data-test-resultant-acl-reauthenticate]')
.hasText('Log into my-ns namespace', 'Shows reauth link with given namespace');
+
+ this.set('failType', PERMISSIONS_BANNER_STATES.noAccess);
+ assert
+ .dom('[data-test-resultant-acl-banner] .hds-alert__title')
+ .hasText(TEXT.titleNoAccess, 'title correct for no access failtype');
+ assert
+ .dom('[data-test-resultant-acl-banner] .hds-alert__description')
+ .hasText(TEXT.messageNoAccess, 'message correct for no access failtype');
});
test('it renders correctly with default namespace', async function (assert) {
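Review bot: In 'it renders correctly with set namespace', the assertions after `this.set('failType', PERMISSIONS_BANNER_STATES.noAccess)` check the title and description but not `[data-test-resultant-acl-reauthenticate]`. A regression that drops the re-login link in the no-access state would therefore still pass. If the link is meant to stay in that state, add `assert.dom('[data-test-resultant-acl-reauthenticate]').hasText('Log into my-ns namespace', 'reauth link kept for no access');` after the last assertion. The no-access state is also only exercised with a namespace set; the default-namespace test begins on the last line of this hunk and its body is outside it.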
diff --git a/ui/tests/unit/adapters/permissions-test.js b/ui/tests/unit/adapters/permissions-test.js
new file mode 100644
index 000000000000..2bcb12565685
--- /dev/null
+++ b/ui/tests/unit/adapters/permissions-test.js
@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+
+module('Unit | Adapter | permissions', function (hooks) {
+ setupTest(hooks);
+ setupMirage(hooks);
+
+ test('it calls resultant-acl with the users root namespace', async function (assert) {
+ assert.expect(1);
+ const adapter = this.owner.lookup('adapter:permissions');
+ const nsService = this.owner.lookup('service:namespace');
+ nsService.setNamespace('admin/foo');
+ nsService.reopen({
+ userRootNamespace: 'admin/bar',
+ });
+ this.server.get('/sys/internal/ui/resultant-acl', (schema, request) => {
+ assert.strictEqual(
+ request.requestHeaders['X-Vault-Namespace'],
+ 'admin/bar',
+ 'Namespace is users root not current path'
+ );
+ return {
+ data: {
+ exact_paths: {},
+ glob_paths: {},
+ },
+ };
+ });
+ await adapter.query();
+ });
+});
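Review bot: The only case covered is a non-empty `userRootNamespace` that differs from the current path, so the root-namespace case is untested. The `X-Vault-Namespace` header decides which namespace's ACL the UI evaluates, which makes that edge worth pinning down. Add a second test that reopens the service with `userRootNamespace: ''` and asserts the header the adapter is expected to send for root. The adapter is not shown in this hunk, so the expected value has to come from its implementation. It would also help to add a one-line comment above `nsService.reopen({` explaining that the current namespace ('admin/foo') is set to differ from the user's root on purpose.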