[UI] Ember Data Migration - LDAP Library (hashicorp#11254) (hashicorp#11260)

* removes withConfig decorator and moves check to application route

* updates backendModel references in ldap engine to secretsEngine

* adds ldap config form class

* updates ldap config type in application route

* updates ldap configure and configuration routes to use api service

* adds capabilities service to ldap engine

* updates ldap mirage handler and scenario

* adds ldap capabilities constants and helper for fetching capabilities for roles

* updates ldap roles view to use api service

* updates ldap role details view to use api service

* updates ldap role create/edit views to use api service and form classes

* updates ldap role subdirectory view to use api service

* updates ldap role credentials view to use api service

* updates ldap libraries list views to use api service

* updates ldap library details view to use api service

* updates ldap library details accounts view to use api service

* updates ldap library details accounts check out view to use api service

* updates ldap library details configuration view to use api service

* updates ldap library create/edit workflows to use api service and form class

* fixes lint errors

* removes errant log

Co-authored-by: Jordan Reimer <zofskeez@gmail.com>

Author: hc-github-team-secure-vault-core

ui/app/forms/secrets/ldap/library.ts

@@ -0,0 +1,58 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+
+import type { Validations } from 'vault/app-types';
+import type { LdapLibraryConfigureRequest } from '@hashicorp/vault-client-typescript';
+
+// omit 'disable_check_in_enforcement' here to transform it from boolean to string for display
+type LdapLibraryFormData = Omit<LdapLibraryConfigureRequest, 'disable_check_in_enforcement'> & {
+  disable_check_in_enforcement: string;
+  name: string;
+};
+
+export default class LdapLibraryForm extends Form<LdapLibraryFormData> {
+  formFields = [
+    new FormField('name', 'string', {
+      label: 'Library name',
+      editDisabled: true,
+    }),
+    new FormField('service_account_names', 'string', {
+      editType: 'stringArray',
+      label: 'Accounts',
+      subText:
+        'The names of all the accounts that can be checked out from this set. These accounts must only be used by Vault, and may only be in one set.',
+    }),
+    new FormField('ttl', 'string', {
+      editType: 'ttl',
+      label: 'Default lease TTL',
+      helperTextDisabled: 'Vault will use the default lease duration.',
+      defaultValue: '24h',
+      defaultShown: 'Engine default',
+    }),
+    new FormField('max_ttl', 'string', {
+      editType: 'ttl',
+      label: 'Max lease TTL',
+      helperTextDisabled: 'Vault will use the default lease duration.',
+      defaultValue: '24h',
+      defaultShown: 'Engine default',
+    }),
+    // this is a boolean from the server but is transformed in the serializer to display as Disabled or Enabled
+    new FormField('disable_check_in_enforcement', 'string', {
+      editType: 'radio',
+      label: 'Check-in enforcement',
+      subText:
+        'When enabled, accounts must be checked in by the entity or client token that checked them out. If disabled, anyone with the right permission can check the account back in.',
+      possibleValues: ['Disabled', 'Enabled'],
+    }),
+  ];
+
+  validations: Validations = {
+    name: [{ type: 'presence', message: 'Library name is required.' }],
+    service_account_names: [{ type: 'presence', message: 'At least one service account is required.' }],
+  };
+}

ui/app/utils/constants/capabilities.ts

@@ -53,4 +53,7 @@ export const PATH_MAP = {
   ldapRotateStaticRole: apiPath`${'backend'}/rotate-role/${'name'}`,
   ldapStaticRoleCreds: apiPath`${'backend'}/static-cred/${'name'}`,
   ldapDynamicRoleCreds: apiPath`${'backend'}/creds/${'name'}`,
+  ldapLibrary: apiPath`${'backend'}/library/${'name'}`,
+  ldapLibraryCheckOut: apiPath`${'backend'}/library/${'name'}/check-out`,
+  ldapLibraryCheckIn: apiPath`${'backend'}/library/${'name'}/check-in`,
 };

ui/lib/ldap/addon/components/accounts-checked-out.ts

@@ -8,15 +8,19 @@ import { tracked } from '@glimmer/tracking';
 import { service } from '@ember/service';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
-import errorMessage from 'vault/utils/error-message';
 
 import type FlashMessageService from 'vault/services/flash-messages';
 import type AuthService from 'vault/services/auth';
-import type LdapLibraryModel from 'vault/models/ldap/library';
+import type { LdapLibrary } from 'vault/secrets/ldap';
 import type { LdapLibraryAccountStatus } from 'vault/adapters/ldap/library';
+import type { CapabilitiesMap } from 'vault/app-types';
+import type CapabilitiesService from 'vault/services/capabilities';
+import type ApiService from 'vault/services/api';
+import type SecretMountPath from 'vault/services/secret-mount-path';
 
 interface Args {
-  libraries: Array<LdapLibraryModel>;
+  libraries: Array<LdapLibrary>;
+  capabilities: CapabilitiesMap;
   statuses: Array<LdapLibraryAccountStatus>;
   showLibraryColumn: boolean;
   onCheckInSuccess: CallableFunction;
@@ -26,6 +30,9 @@ interface Args {
 export default class LdapAccountsCheckedOutComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly auth: AuthService;
+  @service declare readonly capabilities: CapabilitiesService;
+  @service declare readonly api: ApiService;
+  @service declare readonly secretMountPath: SecretMountPath;
 
   @tracked selectedStatus: LdapLibraryAccountStatus | undefined;
 
@@ -39,38 +46,47 @@ export default class LdapAccountsCheckedOutComponent extends Component<Args> {
 
   get filteredAccounts() {
     // filter status to only show checked out accounts associated to the current user
-    // if disable_check_in_enforcement is true on the library set then all checked out accounts are displayed
+    // if disable_check_in_enforcement is true on the library then all checked out accounts are displayed
     return this.args.statuses.filter((status) => {
       const authEntityId = this.auth.authData?.entityId;
       const isRoot = !status.borrower_entity_id && !authEntityId; // root user will not have an entity id and it won't be populated on status
       const isEntity = status.borrower_entity_id === authEntityId;
       const library = this.findLibrary(status.library);
-      const enforcementDisabled = library.disable_check_in_enforcement === 'Disabled';
 
-      return !status.available && (enforcementDisabled || isEntity || isRoot);
+      return !status.available && (library.disable_check_in_enforcement || isEntity || isRoot);
     });
   }
 
-  disableCheckIn = (name: string) => {
-    return !this.findLibrary(name).canCheckIn;
+  disableCheckIn = (libraryName: string) => {
+    const { completeLibraryName: name } = this.findLibrary(libraryName);
+    const { currentPath: backend } = this.secretMountPath;
+    const path = this.capabilities.pathFor('ldapLibraryCheckIn', { backend, name });
+    const { canUpdate } = this.args.capabilities[path] || {};
+    return !canUpdate;
   };
 
-  findLibrary(name: string): LdapLibraryModel {
-    return this.args.libraries.find((library) => library.completeLibraryName === name) as LdapLibraryModel;
+  findLibrary(name: string): LdapLibrary {
+    return this.args.libraries.find((library) => library.completeLibraryName === name) as LdapLibrary;
   }
 
-  @task
-  @waitFor
-  *checkIn() {
-    const { library, account } = this.selectedStatus as LdapLibraryAccountStatus;
-    try {
-      const libraryModel = this.findLibrary(library);
-      yield libraryModel.checkInAccount(account);
-      this.flashMessages.success(`Successfully checked in the account ${account}.`);
-      this.args.onCheckInSuccess();
-    } catch (error) {
-      this.selectedStatus = undefined;
-      this.flashMessages.danger(`Error checking in the account ${account}. \n ${errorMessage(error)}`);
-    }
-  }
+  checkIn = task(
+    waitFor(async () => {
+      const { library, account } = this.selectedStatus as LdapLibraryAccountStatus;
+      try {
+        const { completeLibraryName } = this.findLibrary(library);
+        const payload = { service_account_names: [account] };
+        await this.api.secrets.ldapLibraryForceCheckIn(
+          completeLibraryName,
+          this.secretMountPath.currentPath,
+          payload
+        );
+        this.flashMessages.success(`Successfully checked in the account ${account}.`);
+        this.args.onCheckInSuccess();
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.selectedStatus = undefined;
+        this.flashMessages.danger(`Error checking in the account ${account}. \n ${message}`);
+      }
+    })
+  );
 }

ui/lib/ldap/addon/components/page/libraries.hbs

@@ -44,45 +44,47 @@
           <span data-test-library={{library.name}}>{{library.name}}</span>
         </Item.content>
         <Item.menu>
-          {{#if (or library.canRead library.canEdit library.canDelete)}}
-            <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
-              <dd.ToggleIcon
-                @icon="more-horizontal"
-                @text="More options"
-                @hasChevron={{false}}
-                data-test-popup-menu-trigger={{library.name}}
-              />
-              {{#if (this.isHierarchical library.name)}}
-                <dd.Interactive
-                  data-test-subdirectory
-                  @route="libraries.subdirectory"
-                  @model={{library.completeLibraryName}}
-                >Content</dd.Interactive>
-              {{else}}
-                {{#if library.canEdit}}
+          {{#let (hash name=library.completeLibraryName backend=this.secretMountPath.currentPath) as |capabilityParams|}}
+            {{#if (has-capability @capabilities "read" "update" "delete" pathKey="ldapLibrary" params=capabilityParams)}}
+              <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
+                <dd.ToggleIcon
+                  @icon="more-horizontal"
+                  @text="More options"
+                  @hasChevron={{false}}
+                  data-test-popup-menu-trigger={{library.name}}
+                />
+                {{#if (this.isHierarchical library.name)}}
                   <dd.Interactive
-                    data-test-edit
-                    @route="libraries.library.edit"
-                    @model={{this.getEncodedLibraryName library}}
-                  >Edit</dd.Interactive>
+                    data-test-subdirectory
+                    @route="libraries.subdirectory"
+                    @model={{library.completeLibraryName}}
+                  >Content</dd.Interactive>
+                {{else}}
+                  {{#if (has-capability @capabilities "update" pathKey="ldapLibrary" params=capabilityParams)}}
+                    <dd.Interactive
+                      data-test-edit
+                      @route="libraries.library.edit"
+                      @model={{this.getEncodedLibraryName library}}
+                    >Edit</dd.Interactive>
+                  {{/if}}
+                  {{#if (has-capability @capabilities "read" pathKey="ldapLibrary" params=capabilityParams)}}
+                    <dd.Interactive
+                      data-test-details
+                      @route="libraries.library.details"
+                      @model={{this.getEncodedLibraryName library}}
+                    >Details</dd.Interactive>
+                  {{/if}}
+                  {{#if (has-capability @capabilities "delete" pathKey="ldapLibrary" params=capabilityParams)}}
+                    <dd.Interactive
+                      data-test-delete
+                      @color="critical"
+                      {{on "click" (fn (mut this.libraryToDelete) library)}}
+                    >Delete</dd.Interactive>
+                  {{/if}}
                 {{/if}}
-                {{#if library.canRead}}
-                  <dd.Interactive
-                    data-test-details
-                    @route="libraries.library.details"
-                    @model={{this.getEncodedLibraryName library}}
-                  >Details</dd.Interactive>
-                {{/if}}
-                {{#if library.canDelete}}
-                  <dd.Interactive
-                    data-test-delete
-                    @color="critical"
-                    {{on "click" (fn (mut this.libraryToDelete) library)}}
-                  >Delete</dd.Interactive>
-                {{/if}}
-              {{/if}}
-            </Hds::Dropdown>
-          {{/if}}
+              </Hds::Dropdown>
+            {{/if}}
+          {{/let}}
         </Item.menu>
       </ListItem>
     {{/each}}

ui/lib/ldap/addon/components/page/libraries.ts

@@ -8,16 +8,18 @@ import { tracked } from '@glimmer/tracking';
 import { service } from '@ember/service';
 import { action } from '@ember/object';
 import { getOwner } from '@ember/owner';
-import errorMessage from 'vault/utils/error-message';
 
-import type LdapLibraryModel from 'vault/models/ldap/library';
+import type { LdapLibrary } from 'vault/secrets/ldap';
 import type FlashMessageService from 'vault/services/flash-messages';
-import type { Breadcrumb, EngineOwner } from 'vault/vault/app-types';
+import type { Breadcrumb, CapabilitiesMap, EngineOwner } from 'vault/vault/app-types';
 import type RouterService from '@ember/routing/router-service';
 import type SecretsEngineResource from 'vault/resources/secrets/engine';
+import type SecretMountPath from 'vault/services/secret-mount-path';
+import type ApiService from 'vault/services/api';
 
 interface Args {
-  libraries: Array<LdapLibraryModel>;
+  libraries: Array<LdapLibrary>;
+  capabilities: CapabilitiesMap;
   promptConfig: boolean;
   secretsEngine: SecretsEngineResource;
   breadcrumbs: Array<Breadcrumb>;
@@ -26,18 +28,20 @@ interface Args {
 export default class LdapLibrariesPageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
   @service('app-router') declare readonly router: RouterService;
+  @service declare readonly secretMountPath: SecretMountPath;
+  @service declare readonly api: ApiService;
 
   @tracked filterValue = '';
-  @tracked libraryToDelete: LdapLibraryModel | null = null;
+  @tracked libraryToDelete: LdapLibrary | null = null;
 
   isHierarchical = (name: string) => name.endsWith('/');
 
-  linkParams = (library: LdapLibraryModel) => {
+  linkParams = (library: LdapLibrary) => {
     const route = this.isHierarchical(library.name) ? 'libraries.subdirectory' : 'libraries.library.details';
     return [route, library.completeLibraryName];
   };
 
-  getEncodedLibraryName = (library: LdapLibraryModel) => {
+  getEncodedLibraryName = (library: LdapLibrary) => {
     return library.completeLibraryName;
   };
 
@@ -54,14 +58,15 @@ export default class LdapLibrariesPageComponent extends Component<Args> {
   }
 
   @action
-  async onDelete(model: LdapLibraryModel) {
+  async onDelete(library: LdapLibrary) {
     try {
-      const message = `Successfully deleted library ${model.completeLibraryName}.`;
-      await model.destroyRecord();
+      const { completeLibraryName } = library;
+      await this.api.secrets.ldapLibraryDelete(completeLibraryName, this.secretMountPath.currentPath);
       this.router.transitionTo('vault.cluster.secrets.backend.ldap.libraries');
-      this.flashMessages.success(message);
+      this.flashMessages.success(`Successfully deleted library ${completeLibraryName}.`);
     } catch (error) {
-      this.flashMessages.danger(`Error deleting library \n ${errorMessage(error)}`);
+      const { message } = await this.api.parseError(error);
+      this.flashMessages.danger(`Error deleting library \n ${message}`);
     }
   }
 }

ui/lib/ldap/addon/components/page/library/check-out.hbs

@@ -18,7 +18,7 @@
 </Hds::Alert>
 
 <div class="has-top-margin-m">
-  <InfoTableRow @label="Account name" @value={{@credentials.account}} />
+  <InfoTableRow @label="Account name" @value={{@credentials.service_account_name}} />
   <InfoTableRow @label="Password">
     <MaskedInput @value={{@credentials.password}} @displayOnly={{true}} @allowCopy={{true}} />
   </InfoTableRow>

ui/lib/ldap/addon/components/page/library/create-and-edit.hbs

@@ -2,7 +2,7 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-<Page::Header @title={{if @model.isNew "Create Library" "Edit Library"}}>
+<Page::Header @title={{if @form.isNew "Create Library" "Edit Library"}}>
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
   </:breadcrumbs>
@@ -13,15 +13,15 @@
 <form {{on "submit" (perform this.save)}} class="has-top-margin-m">
   <MessageError @errorMessage={{this.error}} />
 
-  {{#each @model.formFields as |field|}}
-    <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+  {{#each @form.formFields as |field|}}
+    <FormField @attr={{field}} @model={{@form}} @modelValidations={{this.modelValidations}} />
   {{/each}}
 
   <hr class="has-background-gray-200 has-top-margin-l" />
 
   <div class="has-top-margin-l has-bottom-margin-l is-flex">
     <Hds::Button
-      @text={{if @model.isNew "Create library" "Save"}}
+      @text={{if @form.isNew "Create library" "Save"}}
       data-test-submit
       type="submit"
       disabled={{this.save.isRunning}}