Merge remote-tracking branch 'remotes/from/ce/main'

Author: hc-github-team-secure-vault-core

changelog/_10513.txt

@@ -0,0 +1,2 @@
+```release-note:improvement
+ui: Adds license banner indicating when cluster is operating in PKI-only mode and hides client counting dashboards for PKI-only clusters.

ui/app/components/dashboard/overview.ts

@@ -13,7 +13,7 @@ export type Args = {
   replication: unknown;
   secretsEngines: unknown;
   vaultConfiguration: unknown;
-  version: { isEnterprise: boolean };
+  version: { isEnterprise: boolean; hasPKIOnly: boolean };
 };
 
 export default class OverviewComponent extends Component<Args> {
@@ -33,6 +33,9 @@ export default class OverviewComponent extends Component<Args> {
     // don't show client count if this isn't an enterprise cluster
     if (!version.isEnterprise) return false;
 
+    // don't show client count if this is a PKI-only Secrets cluster
+    if (version.hasPKIOnly) return false;
+
     // HVD clusters
     if (namespace.inHvdAdminNamespace) return true;
 

ui/app/components/license-banners.hbs

@@ -7,8 +7,8 @@
   <Hds::Alert
     @type="inline"
     @color="critical"
-    @onDismiss={{fn this.dismissBanner "expired"}}
-    data-test-license-banner-expired
+    @onDismiss={{fn this.dismissBanner this.banners.EXPIRED}}
+    data-test-license-banner={{this.banners.EXPIRED}}
     as |A|
   >
     <A.Title>License expired</A.Title>
@@ -17,18 +17,20 @@
       {{date-format @expiry "MMM d, yyyy"}}. Add a new license to your configuration and restart Vault.
     </A.Description>
     <A.Description class="has-top-margin-xs">
-      <DocLink @path="/vault/tutorials/enterprise/hashicorp-enterprise-license">
-        Read documentation
-        <Icon @name="learn-link" />
-      </DocLink>
+      <Hds::Link::Standalone
+        @icon="learn-link"
+        @iconPosition="trailing"
+        @href={{doc-link "/vault/tutorials/enterprise/hashicorp-enterprise-license"}}
+        @text="Read documentation"
+      />
     </A.Description>
   </Hds::Alert>
 {{else if (and (lte this.licenseExpiringInDays 30) (not this.warningDismissed))}}
   <Hds::Alert
     @type="inline"
     @color="warning"
-    @onDismiss={{fn this.dismissBanner "warning"}}
-    data-test-license-banner-warning
+    @onDismiss={{fn this.dismissBanner this.banners.WARNING}}
+    data-test-license-banner={{this.banners.WARNING}}
     as |A|
   >
     <A.Title>Vault license expiring</A.Title>
@@ -46,10 +48,32 @@
       }}
     </A.Description>
     <A.Description class="has-top-margin-xs">
-      <DocLink @path="/vault/tutorials/enterprise/hashicorp-enterprise-license">
-        Read documentation
-        <Icon @name="learn-link" />
-      </DocLink>
+      <Hds::Link::Standalone
+        @icon="learn-link"
+        @iconPosition="trailing"
+        @href={{doc-link "/vault/tutorials/enterprise/hashicorp-enterprise-license"}}
+        @text="Read documentation"
+      />
+    </A.Description>
+  </Hds::Alert>
+{{/if}}
+
+{{#if (and this.isPKIOnly (not this.infoDismissed))}}
+  <Hds::Alert
+    @type="inline"
+    @color="highlight"
+    @onDismiss={{fn this.dismissBanner this.banners.PKI}}
+    data-test-license-banner={{this.banners.PKI}}
+    as |A|
+  >
+    <A.Title>Cluster operating in PKI-only mode</A.Title>
+    <A.Description>
+      This cluster is operating under PKI-only mode. Other than the built-in Vault PKI engine, all secrets engines are
+      disabled. The
+      <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/api-docs/system/billing/certificates"}}>
+        number of certificates
+      </Hds::Link::Inline>
+      issued is the relevant license utilization metric.
     </A.Description>
   </Hds::Alert>
 {{/if}}

ui/app/components/license-banners.js

@@ -0,0 +1,118 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { service } from '@ember/service';
+import isAfter from 'date-fns/isAfter';
+import differenceInDays from 'date-fns/differenceInDays';
+import localStorage from 'vault/lib/local-storage';
+import timestamp from 'core/utils/timestamp';
+import type VersionService from 'vault/services/version';
+
+enum Banners {
+  EXPIRED = 'expired',
+  WARNING = 'warning',
+  PKI = 'pki-only-info',
+}
+
+interface Args {
+  expiry: string;
+  autoloaded: boolean;
+}
+
+/**
+ * @module LicenseBanners
+ * LicenseBanners components are used to display Vault-specific license messages
+ *
+ * @example
+ * ```js
+ * <LicenseBanners @expiry={expiryDate} />
+ * ```
+ * @param {string} expiry - RFC3339 date timestamp
+ */
+
+export default class LicenseBanners extends Component<Args> {
+  @service declare readonly version: VersionService;
+
+  @tracked warningDismissed = false;
+  @tracked expiredDismissed = false;
+  @tracked infoDismissed = false;
+
+  banners = Banners;
+
+  constructor(owner: unknown, args: Args) {
+    super(owner, args);
+
+    // reset and show a previously dismissed license banner if:
+    // the version has been updated or the license has been updated (indicated by a change in the expiry date).
+    const item = localStorage.getItem(this.dismissedBannerKey) ?? []; // returns warning, expired and/or pki-only-info
+    // older entries will not be an array as it was either "expired" OR "warning"
+    // with the addition of "pki-only-info", it can hold all values
+    // this check maintains backwards compatibility with the previous format
+    const bannerTypes = Array.isArray(item) ? item : [item];
+
+    bannerTypes.forEach((type) => {
+      this.updateDismissType(type);
+    });
+  }
+
+  get currentVersion() {
+    return this.version.version;
+  }
+
+  get dismissedBannerKey() {
+    return `dismiss-license-banner-${this.currentVersion}-${this.args.expiry}`;
+  }
+
+  get licenseExpired() {
+    if (!this.args.expiry) return false;
+    return isAfter(timestamp.now(), new Date(this.args.expiry));
+  }
+
+  get licenseExpiringInDays() {
+    // Anything more than 30 does not render a warning
+    if (!this.args.expiry) return 99;
+    return differenceInDays(new Date(this.args.expiry), timestamp.now());
+  }
+
+  get isPKIOnly() {
+    return this.version.hasPKIOnly;
+  }
+
+  @action
+  dismissBanner(dismissAction: Banners) {
+    // if a client's version changed their old localStorage key will still exists.
+    localStorage.cleanupStorage('dismiss-license-banner', this.dismissedBannerKey);
+
+    // updates localStorage and then updates the template by calling updateDismissType
+    const item = localStorage.getItem(this.dismissedBannerKey) ?? [];
+    // older entries will not be an array as it was either "expired" OR "warning"
+    // with the addition of "pki-only-info", it can hold all values
+    // this check maintains backwards compatibility with the previous format
+    const bannerTypes = Array.isArray(item) ? item : [item];
+    localStorage.setItem(this.dismissedBannerKey, [...bannerTypes, dismissAction]);
+
+    this.updateDismissType(dismissAction);
+  }
+
+  updateDismissType(dismissType?: Banners) {
+    // updates tracked properties to update template
+    switch (dismissType) {
+      case this.banners.WARNING:
+        this.warningDismissed = true;
+        break;
+      case this.banners.EXPIRED:
+        this.expiredDismissed = true;
+        break;
+      case this.banners.PKI:
+        this.infoDismissed = true;
+        break;
+      default:
+        break;
+    }
+  }
+}

ui/app/components/license-banners.ts

@@ -4,7 +4,7 @@
  */
 
 import Component from '@glimmer/component';
-import { allFeatures } from 'vault/helpers/all-features';
+import { allFeatures } from 'core/utils/all-features';
 /**
  * @module LicenseInfo
  *

ui/app/components/license-info.js

@@ -85,7 +85,12 @@
     />
   {{/if}}
   {{#if
-    (and (has-permission "clients" routeParams="activity") (not this.cluster.dr.isSecondary) (not this.hasChrootNamespace))
+    (and
+      (has-permission "clients" routeParams="activity")
+      (not this.cluster.dr.isSecondary)
+      (not this.hasChrootNamespace)
+      (not this.version.hasPKIOnly)
+    )
   }}
     <Nav.Link
       @route="vault.cluster.clients"

ui/app/components/sidebar/nav/cluster.hbs

@@ -28,6 +28,10 @@ export default class VersionService extends Service {
   }
 
   /* Features */
+  get hasPKIOnly() {
+    return this.features.includes('PKI-only Secrets');
+  }
+
   get hasPerfReplication() {
     return this.features.includes('Performance Replication');
   }

ui/app/services/version.js

@@ -3,8 +3,6 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { helper as buildHelper } from '@ember/component/helper';
-
 const ALL_FEATURES = [
   'HSM',
   'Performance Replication',
@@ -19,10 +17,9 @@ const ALL_FEATURES = [
   'Entropy Augmentation',
   'Transform Secrets Engine',
   'Secrets Sync',
+  'PKI-only Secrets',
 ];
 
 export function allFeatures() {
   return ALL_FEATURES;
 }
-
-export default buildHelper(allFeatures);

ui/app/helpers/all-features.js renamed to ui/lib/core/addon/utils/all-features.ts

@@ -11,6 +11,7 @@ import formatRFC3339 from 'date-fns/formatRFC3339';
 import { addDays, subDays } from 'date-fns';
 import timestamp from 'core/utils/timestamp';
 import { setupMirage } from 'ember-cli-mirage/test-support';
+import { GENERAL } from '../helpers/general-selectors';
 
 const generateHealthResponse = (now, state) => {
   let expiry;
@@ -58,23 +59,23 @@ module('Acceptance | Enterprise | License banner warnings', function (hooks) {
     const healthResp = generateHealthResponse(this.now);
     this.server.get('/sys/health', () => healthResp);
     await visit('/vault/auth');
-    assert.dom('[data-test-license-banner-expired]').doesNotExist('expired banner does not show');
-    assert.dom('[data-test-license-banner-warning]').doesNotExist('warning banner does not show');
+    assert.dom(GENERAL.licenseBanner('expired')).doesNotExist('expired banner does not show');
+    assert.dom(GENERAL.licenseBanner('warning')).doesNotExist('warning banner does not show');
     this.server.shutdown();
   });
   test('it shows license banner warning if license expires within 30 days', async function (assert) {
     const healthResp = generateHealthResponse(this.now, 'expiring');
     this.server.get('/sys/health', () => healthResp);
     await visit('/vault/auth');
-    assert.dom('[data-test-license-banner-warning]').exists('license warning shows');
+    assert.dom(GENERAL.licenseBanner('warning')).exists('license warning shows');
     this.server.shutdown();
   });
 
   test('it shows license banner alert if license has already expired', async function (assert) {
     const healthResp = generateHealthResponse(this.now, 'expired');
     this.server.get('/sys/health', () => healthResp);
     await visit('/vault/auth');
-    assert.dom('[data-test-license-banner-expired]').exists('expired license message shows');
+    assert.dom(GENERAL.licenseBanner('expired')).exists('expired license message shows');
     this.server.shutdown();
   });
 });