UI: Support database static roles recovery (#9374) (#9444)

hc-github-team-secure-vault-core · lane-wetmore · web-flow · commit 15ed6007d021 · 2025-09-18T20:52:30.000Z
* support read and recovery of database static roles

* add and update tests

* add changelog entry

* add manual database input support and fix search

* change dropdown alignment

* update changelog entry

* tidy

* update changelog and api headers

Co-authored-by: lane-wetmore &lt;lane.wetmore@hashicorp.com&gt;
diff --git a/changelog/_9225.txt b/changelog/_9225.txt
@@ -1,3 +1,3 @@
 ```release-note:feature
-**UI Secrets Recovery (Enterprise)**: Adds ability to load and unload a snapshot from which single KVv1 or Cubbyhole secrets can be read or recovered to the cluster.
+**UI Secrets Recovery (Enterprise)**: Adds ability to load and unload a snapshot from which single KVv1 or Cubbyhole secrets and Database static roles can be read or recovered to the cluster.
 ```
diff --git a/ui/app/components/recovery/page/snapshots/load.hbs b/ui/app/components/recovery/page/snapshots/load.hbs
@@ -80,6 +80,9 @@
               endpoint.
             </F.HelperText>
             <F.Options>{{F.options}}</F.Options>
+            {{#if this.configError}}
+              <F.Error data-test-validation-error="config">{{this.configError}}</F.Error>
+            {{/if}}
           </Hds::Form::SuperSelect::Single::Field>
         {{else}}
           <Hds::Form::TextInput::Field
diff --git a/ui/app/components/recovery/page/snapshots/snapshot-manage.hbs b/ui/app/components/recovery/page/snapshots/snapshot-manage.hbs
@@ -88,8 +88,10 @@
       @selected={{this.selectedMount}}
       @options={{this.mountOptions}}
       @searchEnabled={{true}}
+      @searchField="path"
       @isInvalid={{this.mountError}}
       @selectedItemComponent={{component "recovery/snapshot-mount-selected-item"}}
+      @placeholder="Select a mount here"
       data-test-select="mount"
       as |F|
     >
@@ -111,7 +113,7 @@
       <F.Label>Mount Path</F.Label>
       <F.Control>
         <Hds::SegmentedGroup as |SG|>
-          <SG.Dropdown as |D|>
+          <SG.Dropdown @listPosition="bottom-left" as |D|>
             <D.ToggleButton @color="secondary" @text={{or this.selectedMount.type "Type"}} />
             {{#each this.recoverySupportedEngines as |engine|}}
               <D.Radio
@@ -147,6 +149,7 @@
   <Hds::Form::TextInput::Field
     @value={{this.resourcePath}}
     @isInvalid={{this.resourcePathError}}
+    placeholder="Enter the resource path..."
     {{on "input" this.updateResourcePath}}
     data-test-input="resourcePath"
     as |F|
diff --git a/ui/app/components/recovery/page/snapshots/snapshot-manage.ts b/ui/app/components/recovery/page/snapshots/snapshot-manage.ts
@@ -18,6 +18,7 @@ import {
 } from 'vault/components/recovery/page/snapshots/snapshot-utils';
 
 import type ApiService from 'vault/services/api';
+import type AuthService from 'vault/vault/services/auth';
 import type NamespaceService from 'vault/services/namespace';
 import type { SnapshotManageModel } from 'vault/routes/vault/cluster/recovery/snapshots/snapshot/manage';
 
@@ -29,12 +30,15 @@ type SecretData = { [key: string]: unknown };
 
 type RecoveryData = {
   models: string[];
-  query?: { namespace: string };
+  query?: { [key: string]: string };
 };
 
 type MountOption = { type: RecoverySupportedEngines; path: string };
+type GroupedOption = { groupName: string; options: MountOption[] };
 
 export default class SnapshotManage extends Component<Args> {
+  // TODO remove once endpoint is updated to accepted `read_snapshot_id`
+  @service declare readonly auth: AuthService;
   @service declare readonly api: ApiService;
   @service declare readonly currentCluster: any;
   @service declare readonly namespace: NamespaceService;
@@ -43,7 +47,7 @@ export default class SnapshotManage extends Component<Args> {
   @tracked selectedMount?: MountOption;
   @tracked resourcePath = '';
 
-  @tracked mountOptions: MountOption[] = [];
+  @tracked mountOptions: GroupedOption[] = [];
   @tracked secretData: SecretData | undefined;
 
   @tracked mountError = '';
@@ -59,6 +63,7 @@ export default class SnapshotManage extends Component<Args> {
   private pollingController: { start: () => Promise<void>; cancel: () => void } | null = null;
 
   recoverySupportedEngines = [
+    { display: 'Database', value: SupportedSecretBackendsEnum.DATABASE },
     { display: 'Cubbyhole', value: SupportedSecretBackendsEnum.CUBBYHOLE },
     { display: 'KV v1', value: SupportedSecretBackendsEnum.KV },
   ];
@@ -142,7 +147,7 @@ export default class SnapshotManage extends Component<Args> {
       const headers = this.api.buildHeaders({ namespace });
       const { secret } = await this.api.sys.internalUiListEnabledVisibleMounts(headers);
 
-      this.mountOptions = this.api.responseObjectToArray(secret, 'path').flatMap((engine) => {
+      const mounts = this.api.responseObjectToArray(secret, 'path').flatMap((engine) => {
         const eng = new SecretsEngineResource(engine);
 
         // performance secondaries cannot perform snapshot operations on shared paths
@@ -159,6 +164,16 @@ export default class SnapshotManage extends Component<Args> {
             ]
           : [];
       });
+
+      const databases: MountOption[] = mounts.filter((m) => m.type === SupportedSecretBackendsEnum.DATABASE);
+      const secretEngines: MountOption[] = mounts.filter(
+        (m) => m.type !== SupportedSecretBackendsEnum.DATABASE
+      );
+
+      this.mountOptions = [
+        ...(databases.length ? [{ groupName: 'Databases', options: databases }] : []),
+        { groupName: 'Secret Engines', options: secretEngines },
+      ];
     } catch {
       this.mountOptions = [];
     }
@@ -218,6 +233,7 @@ export default class SnapshotManage extends Component<Args> {
       const mountPath = this.selectedMount?.path as string;
       const namespace = this.selectedNamespace === 'root' ? ROOT_NAMESPACE : this.selectedNamespace;
       const headers = this.api.buildHeaders({ namespace });
+
       switch (mountType) {
         case SupportedSecretBackendsEnum.KV: {
           const { data } = await this.api.secrets.kvV1Read(
@@ -234,6 +250,25 @@ export default class SnapshotManage extends Component<Args> {
           this.secretData = data as SecretData;
           break;
         }
+        case SupportedSecretBackendsEnum.DATABASE: {
+          // TODO remove once endpoint is updated to accept `read_snapshot_id`
+          const { currentToken } = this.auth;
+
+          const resp = await fetch(
+            `/v1/${mountPath}/static-roles/${this.resourcePath}?read_snapshot_id=${snapshot_id}`,
+            {
+              method: 'GET',
+              headers: {
+                'X-Vault-Namespace': namespace,
+                'X-Vault-Token': currentToken,
+              },
+            }
+          );
+
+          const { data } = await resp.json();
+          this.secretData = data as SecretData;
+          break;
+        }
         default: {
           // This should never be reached, but just in case
           throw new Error('Unsupported recovery engine');
@@ -258,30 +293,46 @@ export default class SnapshotManage extends Component<Args> {
       const { snapshot_id } = this.args.model.snapshot as { snapshot_id: string };
       const mountType = this.selectedMount?.type;
       const mountPath = this.selectedMount?.path as string;
+
       const namespace = this.selectedNamespace === 'root' ? ROOT_NAMESPACE : this.selectedNamespace;
-      const headers = this.api.buildHeaders({ namespace });
+      const headers = this.api.buildHeaders({ namespace, recoverSnapshotId: snapshot_id });
+
+      // this query is used to build the recovered resource link in the success message
+      let query: { [key: string]: string } = {};
+      if (namespace && namespace !== this.namespace.path) {
+        query = { namespace };
+      }
+
+      // Certain backends have a prefix which is needed for the recovery link we show to the user
+      let modelPrefix = '';
       switch (mountType) {
         case SupportedSecretBackendsEnum.KV: {
           await this.api.secrets.kvV1Write(this.resourcePath, mountPath, {}, snapshot_id, undefined, headers);
           break;
         }
         case SupportedSecretBackendsEnum.CUBBYHOLE: {
-          this.api.buildHeaders({ namespace: namespace || this.namespace.path });
           await this.api.secrets.cubbyholeWrite(this.resourcePath, {}, snapshot_id, undefined, headers);
           break;
         }
+        case SupportedSecretBackendsEnum.DATABASE: {
+          await this.api.secrets.databaseWriteStaticRole(this.resourcePath, mountPath, {}, headers);
+          modelPrefix = 'role/';
+          query = {
+            ...query,
+            type: 'static',
+          };
+          break;
+        }
         default: {
           // This should never be reached, but just in case
           throw new Error('Unsupported recovery engine');
         }
       }
 
       this.recoveryData = {
-        models: [mountPath, this.resourcePath],
+        models: [mountPath, modelPrefix + this.resourcePath],
+        query,
       };
-      if (namespace && namespace !== this.namespace.path) {
-        this.recoveryData.query = { namespace };
-      }
     } catch (e) {
       const error = await this.api.parseError(e);
       this.bannerError = `Snapshot recovery error: ${error.message}`;
diff --git a/ui/app/resources/secrets/engine.ts b/ui/app/resources/secrets/engine.ts
@@ -16,9 +16,9 @@ import type { Mount } from 'vault/mount';
 export const SUPPORTS_RECOVERY = [
   SupportedSecretBackendsEnum.CUBBYHOLE,
   SupportedSecretBackendsEnum.KV, // only kv v1
+  SupportedSecretBackendsEnum.DATABASE,
 ] as const;
 
-// TODO: Add "database" when once that is supported later in 1.21 feature work
 export type RecoverySupportedEngines = (typeof SUPPORTS_RECOVERY)[number];
 
 export default class SecretsEngineResource extends baseResourceFactory<Mount>() {
diff --git a/ui/app/services/api.ts b/ui/app/services/api.ts
@@ -137,6 +137,8 @@ export default class ApiService extends Service {
         namespace: 'X-Vault-Namespace',
         token: 'X-Vault-Token',
         wrap: 'X-Vault-Wrap-TTL',
+        recoverSnapshotId: 'X-Vault-Recover-Snapshot-Id',
+        recoverSourcePath: 'X-Vault-Recover-Source-Path',
       }[key] as keyof XVaultHeaders;
 
       headers[headerKey] = headerMap[key as keyof HeaderMap];
diff --git a/ui/mirage/handlers/recovery.js b/ui/mirage/handlers/recovery.js
@@ -63,28 +63,18 @@ export default function (server) {
       secret: {
         'cubbyhole/': {
           type: 'cubbyhole',
-          description: 'per-token private secret storage',
           local: true,
-          seal_wrap: false,
-          external_entropy_access: false,
-          config: {
-            default_lease_ttl: 0,
-            max_lease_ttl: 0,
-            force_no_cache: false,
-          },
+          path: 'cubbyhole/',
         },
         'kv/': {
           type: 'kv',
-          description: 'key/value secret storage',
-          options: { version: '1' },
           local: false,
-          seal_wrap: false,
-          external_entropy_access: false,
-          config: {
-            default_lease_ttl: 0,
-            max_lease_ttl: 0,
-            force_no_cache: false,
-          },
+          path: 'kv/',
+        },
+        'database/': {
+          type: 'database',
+          local: true,
+          path: 'database/',
         },
       },
     },
@@ -139,11 +129,28 @@ export default function (server) {
     };
   });
 
+  server.get('/database/static-roles/:path', () => {
+    return {
+      data: {
+        credential_type: 'password',
+        db_name: 'test-db',
+        rotation_period: 86400,
+        rotation_statements: [],
+        skip_import_rotation: true,
+        username: 'super-user',
+      },
+    };
+  });
+
   // RECOVER SECRET HANDLERS
   server.post('/cubbyhole/:path', () => ({
     data: {},
   }));
 
+  server.post('/database/static-roles/:path', () => ({
+    data: {},
+  }));
+
   // server.post('/kv/:path', () => ({
   //   data: {},
   // }));
diff --git a/ui/tests/acceptance/recovery/snapshot-manage-test.js b/ui/tests/acceptance/recovery/snapshot-manage-test.js
@@ -36,7 +36,7 @@ module('Acceptance | recovery | snapshot-manage', function (hooks) {
     await visit('/vault/recovery/snapshots');
 
     await click(GENERAL.selectByAttr('mount'));
-    await click('[data-option-index]');
+    await click('[data-option-index="1.0"]');
     await fillIn(GENERAL.inputByAttr('resourcePath'), 'recovered-secret');
 
     await click(GENERAL.button('recover'));
@@ -57,7 +57,7 @@ module('Acceptance | recovery | snapshot-manage', function (hooks) {
     await click(GENERAL.selectByAttr('namespace'));
     await click('[data-option-index="1"]');
     await click(GENERAL.selectByAttr('mount'));
-    await click('[data-option-index]');
+    await click('[data-option-index="1.0"]');
     await fillIn(GENERAL.inputByAttr('resourcePath'), 'recovered-secret');
 
     await click(GENERAL.button('recover'));
@@ -78,7 +78,7 @@ module('Acceptance | recovery | snapshot-manage', function (hooks) {
     await click(GENERAL.selectByAttr('namespace'));
     await click('[data-option-index="2"]');
     await click(GENERAL.selectByAttr('mount'));
-    await click('[data-option-index]');
+    await click('[data-option-index="1.0"]');
     await fillIn(GENERAL.inputByAttr('resourcePath'), 'recovered-secret');
 
     await click(GENERAL.button('recover'));
diff --git a/ui/tests/integration/components/recovery/page/snapshot-manage-test.js b/ui/tests/integration/components/recovery/page/snapshot-manage-test.js
diff --git a/ui/types/vault/api.d.ts b/ui/types/vault/api.d.ts
