hashicorp · hellobontempo · Dec 13, 2023 · Oct 16, 2023 · Oct 16, 2023 · Oct 17, 2023
@@ -0,0 +1,3 @@
+```release-note:feature
+**Secrets Sync UI (enterprise)**: Adds secret syncing for KV v2 secrets to external destinations using the UI.
+```
@@ -36,7 +36,7 @@ export default RESTAdapter.extend({
     return false;
   },
 
-  addHeaders(url, options) {
+  addHeaders(url, options, method) {
     const token = options.clientToken || this.auth.currentToken;
     const headers = {};
     if (token && !options.unauthenticated) {
@@ -45,6 +45,9 @@ export default RESTAdapter.extend({
     if (options.wrapTTL) {
       headers['X-Vault-Wrap-TTL'] = options.wrapTTL;
     }
+    if (method === 'PATCH') {
+      headers['Content-Type'] = 'application/merge-patch+json';
+    }
     const namespace =
       typeof options.namespace === 'undefined' ? this.namespaceService.path : options.namespace;
     if (namespace && !NAMESPACE_ROOT_URLS.some((str) => url.includes(str))) {
@@ -53,8 +56,8 @@ export default RESTAdapter.extend({
     options.headers = assign(options.headers || {}, headers);
   },
 
-  _preRequest(url, options) {
-    this.addHeaders(url, options);
+  _preRequest(url, options, method) {
+    this.addHeaders(url, options, method);
     const isPolling = POLLING_URLS.some((str) => url.includes(str));
     if (!isPolling) {
       this.auth.setLastFetch(Date.now());
@@ -83,7 +86,7 @@ export default RESTAdapter.extend({
         },
       };
     }
-    const opts = this._preRequest(url, options);
+    const opts = this._preRequest(url, options, method);
 
     return this._super(url, type, opts).then((...args) => {
       if (controlGroupToken) {

@@ -0,0 +1,96 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import ApplicationAdapter from 'vault/adapters/application';
+import { assert } from '@ember/debug';
+import { all } from 'rsvp';
+
+export default class SyncAssociationAdapter extends ApplicationAdapter {
+  namespace = 'v1/sys/sync';
+
+  buildURL(modelName, id, snapshot, requestType, query = {}) {
+    const { destinationType, destinationName } = snapshot ? snapshot.attributes() : query;
+    if (!destinationType || !destinationName) {
+      return `${super.buildURL()}/associations`;
+    }
+    const { action } = snapshot?.adapterOptions || {};
+    const uri = action ? `/${action}` : '';
+    return `${super.buildURL()}/destinations/${destinationType}/${destinationName}/associations${uri}`;
+  }
+
+  query(store, { modelName }, query) {
+    // endpoint doesn't accept the typical list query param and we don't want to pass options from lazyPaginatedQuery
+    const url = this.buildURL(modelName, null, null, 'query', query);
+    return this.ajax(url, 'GET');
+  }
+
+  // typically associations are queried for a specific destination which is what the standard query method does
+  // in specific cases we can query all associations to access total_associations and total_secrets values
+  queryAll() {
+    return this.query(this.store, { modelName: 'sync/association' }).then((response) => {
+      const { total_associations, total_secrets } = response.data;
+      return { total_associations, total_secrets };
+    });
+  }
+
+  // fetch associations for many destinations
+  // returns aggregated association information for each destination
+  // information includes total associations, total unsynced and most recent updated datetime
+  async fetchByDestinations(destinations) {
+    const promises = destinations.map(({ name: destinationName, type: destinationType }) => {
+      return this.query(this.store, { modelName: 'sync/association' }, { destinationName, destinationType });
+    });
+    const queryResponses = await all(promises);
+    const serializer = this.store.serializerFor('sync/association');
+    return queryResponses.map((response) => serializer.normalizeFetchByDestinations(response));
+  }
+
+  // array of association data for each destination a secret is synced to
+  fetchSyncStatus({ mount, secretName }) {
+    const url = `${this.buildURL()}/${mount}/${secretName}`;
+    return this.ajax(url, 'GET').then((resp) => {
+      const { associated_destinations } = resp.data;
+      const syncData = [];
+      for (const key in associated_destinations) {
+        const data = associated_destinations[key];
+        // renaming keys to match query() response
+        syncData.push({
+          destinationType: data.type,
+          destinationName: data.name,
+          syncStatus: data.sync_status,
+          updatedAt: data.updated_at,
+        });
+      }
+      return syncData;
+    });
+  }
+
+  // snapshot is needed for mount and secret_name values which are used to parse response since all associations are returned
+  _setOrRemove(store, { modelName }, snapshot) {
+    assert(
+      "action type of set or remove required when saving association => association.save({ adapterOptions: { action: 'set' }})",
+      ['set', 'remove'].includes(snapshot?.adapterOptions?.action)
+    );
+    const url = this.buildURL(modelName, null, snapshot);
+    const data = snapshot.serialize();
+    return this.ajax(url, 'POST', { data }).then((resp) => {
+      const id = `${data.mount}/${data.secret_name}`;
+      return {
+        ...resp.data.associated_secrets[id],
+        id,
+        destinationName: resp.data.store_name,
+        destinationType: resp.data.store_type,
+      };
+    });
+  }
+
+  createRecord() {
+    return this._setOrRemove(...arguments);
+  }
+
+  updateRecord() {
+    return this._setOrRemove(...arguments);
+  }
+}
@@ -0,0 +1,43 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import ApplicationAdapter from 'vault/adapters/application';
+import { pluralize } from 'ember-inflector';
+
+export default class SyncDestinationAdapter extends ApplicationAdapter {
+  namespace = 'v1/sys';
+
+  pathForType(modelName) {
+    return modelName === 'sync/destination' ? pluralize(modelName) : modelName;
+  }
+
+  urlForCreateRecord(modelName, snapshot) {
+    const { name } = snapshot.attributes();
+    return `${super.urlForCreateRecord(modelName, snapshot)}/${name}`;
+  }
+
+  updateRecord(store, { modelName }, snapshot) {
+    const { name } = snapshot.attributes();
+    return this.ajax(`${this.buildURL(modelName)}/${name}`, 'PATCH', { data: snapshot.serialize() });
+  }
+
+  urlForDeleteRecord(id, modelName, snapshot) {
+    const { name, type } = snapshot.attributes();
+    // the only delete option in the UI is to purge which unsyncs all secrets prior to deleting
+    return `${this.buildURL('sync/destinations')}/${type}/${name}?purge=true`;
+  }
+
+  query(store, { modelName }) {
+    return this.ajax(this.buildURL(modelName), 'GET', { data: { list: true } });
+  }
+
+  // return normalized query response
+  // useful for fetching data directly without loading models into store
+  async normalizedQuery() {
+    const queryResponse = await this.query(this.store, { modelName: 'sync/destination' });
+    const serializer = this.store.serializerFor('sync/destination');
+    return serializer.extractLazyPaginatedData(queryResponse);
+  }
+}
@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import SyncDestinationAdapter from '../destination';
+
+export default class SyncDestinationsAwsSecretsManagerAdapter extends SyncDestinationAdapter {}
@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import SyncDestinationAdapter from '../destination';
+
+export default class SyncDestinationsAzureKeyVaultAdapter extends SyncDestinationAdapter {}
@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import SyncDestinationAdapter from '../destination';
+
+export default class SyncDestinationGoogleCloudSecretManagerAdapter extends SyncDestinationAdapter {}
@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import SyncDestinationAdapter from '../destination';
+
+export default class SyncDestinationsGithubAdapter extends SyncDestinationAdapter {}
@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import SyncDestinationAdapter from '../destination';
+
+export default class SyncDestinationsVercelProjectAdapter extends SyncDestinationAdapter {}
@@ -83,6 +83,7 @@ export default class App extends Application {
         ],
         externalRoutes: {
           secrets: 'vault.cluster.secrets.backends',
+          syncDestination: 'vault.cluster.sync.secrets.destinations.destination',
         },
       },
     },
@@ -106,6 +107,15 @@ export default class App extends Application {
         },
       },
     },
+    sync: {
+      dependencies: {
+        services: ['flash-messages', 'router', 'store', 'version'],
+        externalRoutes: {
+          kvSecretDetails: 'vault.cluster.secrets.backend.kv.secret.details',
+          clientCountDashboard: 'vault.cluster.clients.dashboard',
+        },
+      },
+    },
   };
 }
 

@@ -13,6 +13,12 @@
     @text="Secrets Engines"
     data-test-sidebar-nav-link="Secrets Engines"
   />
+  <Nav.Link
+    @route="vault.cluster.sync"
+    @text="Secrets Sync"
+    @badge={{unless this.version.isEnterprise "Enterprise"}}
+    data-test-sidebar-nav-link="Secrets Sync"
+  />
   {{#if (has-permission "access")}}
     <Nav.Link
       @route={{get (route-params-for "access") "route"}}

@@ -0,0 +1,39 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Model, { attr } from '@ember-data/model';
+import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
+
+export default class SyncAssociationModel extends Model {
+  @attr mount;
+  @attr secretName;
+  @attr syncStatus;
+  @attr updatedAt;
+  // destination related properties that are not serialized to payload
+  @attr destinationName;
+  @attr destinationType;
+
+  @lazyCapabilities(
+    apiPath`sys/sync/destinations/${'destinationType'}/${'destinationName'}/associations/set`,
+    'destinationType',
+    'destinationName'
+  )
+  setAssociationPath;
+
+  @lazyCapabilities(
+    apiPath`sys/sync/destinations/${'destinationType'}/${'destinationName'}/associations/remove`,
+    'destinationType',
+    'destinationName'
+  )
+  removeAssociationPath;
+
+  get canSync() {
+    return this.setAssociationPath.get('canUpdate') !== false;
+  }
+
+  get canUnsync() {
+    return this.removeAssociationPath.get('canUpdate') !== false;
+  }
+}
@@ -0,0 +1,53 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Model, { attr } from '@ember-data/model';
+import { findDestination } from 'vault/helpers/sync-destinations';
+import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
+import { withModelValidations } from 'vault/decorators/model-validations';
+
+// Base model for all secret sync destination types
+const validations = {
+  name: [{ type: 'presence', message: 'Name is required.' }],
+};
+
+@withModelValidations(validations)
+export default class SyncDestinationModel extends Model {
+  @attr('string', { subText: 'Specifies the name for this destination.', editDisabled: true }) name;
+  @attr type;
+
+  // findDestination returns static attributes for each destination type
+  get icon() {
+    return findDestination(this.type)?.icon;
+  }
+
+  get typeDisplayName() {
+    return findDestination(this.type)?.name;
+  }
+
+  get maskedParams() {
+    return findDestination(this.type)?.maskedParams;
+  }
+
+  @lazyCapabilities(apiPath`sys/sync/destinations/${'type'}/${'name'}`, 'type', 'name') destinationPath;
+  @lazyCapabilities(apiPath`sys/sync/destinations/${'type'}/${'name'}/associations/set`, 'type', 'name')
+  setAssociationPath;
+
+  get canCreate() {
+    return this.destinationPath.get('canCreate') !== false;
+  }
+  get canDelete() {
+    return this.destinationPath.get('canDelete') !== false;
+  }
+  get canEdit() {
+    return this.destinationPath.get('canUpdate') !== false;
+  }
+  get canRead() {
+    return this.destinationPath.get('canRead') !== false;
+  }
+  get canSync() {
+    return this.setAssociationPath.get('canUpdate') !== false;
+  }
+}
@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import SyncDestinationModel from '../destination';
+import { attr } from '@ember-data/model';
+import { withFormFields } from 'vault/decorators/model-form-fields';
+
+const displayFields = ['name', 'region', 'accessKeyId', 'secretAccessKey'];
+const formFieldGroups = [
+  { default: ['name', 'region'] },
+  { Credentials: ['accessKeyId', 'secretAccessKey'] },
+];
+@withFormFields(displayFields, formFieldGroups)
+export default class SyncDestinationsAwsSecretsManagerModel extends SyncDestinationModel {
+  @attr('string', {
+    label: 'Access key ID',
+    subText:
+      'Access key ID to authenticate against the secrets manager. If empty, Vault will use the AWS_ACCESS_KEY_ID environment variable if configured.',
+  })
+  accessKeyId; // obfuscated, never returned by API
+
+  @attr('string', {
+    label: 'Secret access key',
+    subText:
+      'Secret access key to authenticate against the secrets manager. If empty, Vault will use the AWS_SECRET_ACCESS_KEY environment variable if configured.',
+  })
+  secretAccessKey; // obfuscated, never returned by API
+
+  @attr('string', {
+    subText:
+      'For AWS secrets manager, the name of the region must be supplied, something like “us-west-1.” If empty, Vault will use the AWS_REGION environment variable if configured.',
+    editDisabled: true,
+  })
+  region;
+}