bcgov-nr · mbystedt · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024
diff --git a/docs/_sidebar.md b/docs/_sidebar.md
@@ -6,8 +6,10 @@
 ** [Overview](/dev_integrate_overview.md)
 ** [Generate Account Token](/dev_account_token.md)
 ** [Intention Lifecycle](/dev_intention_lifecycle.md)
-** [Using Intentions to Access Vault](/dev_intention_usage.md)
 ** [Intention Action Reference](/dev_intention_actions.md)
+** [Intention Event Reference](/dev_intention_event.md)
+** [Intention User Reference](/dev_intention_user.md)
+** [Using Intentions to Access Vault](/dev_intention_usage.md)
 ** [GitHub Actions](/github_actions.md)
 
 * Operations

diff --git a/docs/dev_intention_event.md b/docs/dev_intention_event.md
@@ -0,0 +1,23 @@
+# Intention Event Reference
+
+All intentions have an event field that describes the event that caused the intention to be opened. The event object is loosely based on Elastic Common Schema [event field](https://www.elastic.co/guide/en/ecs/current/ecs-event.html).
+
+## Fields
+
+| Field | Description |
+| --- | --- |
+| provider | This should identify the pipeline, action, etc. that uses the broker.  If this event is transient, this must uniquely identify the action. Example: provision-fluentbit-demo |
+| reason | This should be a short text message outlining what triggered the usage of the broker. |
+| transient | This should be set true for events triggered frequently as part of an automated process. |
+| url | This should be the url to the job run or action that started this usage. |
+
+## Transient events
+
+If the intention being opened is a frequent and/or periodic event then examine if you should set the event object's 'transient' field to true. Transient events can be filtered out in the UI and are removed from the database after a period. Some examples of transient events:
+
+* The deploy of an ephemeral environment
+* A periodic database check
+* Backup of files
+
+While these are still audited, there is no reason to keep these events long term in the database.
+
diff --git a/docs/dev_intention_usage.md b/docs/dev_intention_usage.md
@@ -19,13 +19,7 @@ It is not recommended to use the "access" pattern to simply copy the secrets and
 
 **Examples:** Start an OpenShift pod, Run a server application on premise and other continuous activities
 
-If you are following the provision workflow, you'll be using the static role id unique to the instance of your deployment (retrieved via Broker UI or API) and a secret id (retrieved via Broker API) to login your application to Vault.
-
-The first step is to open your intention with the Broker API. You must provide your team's JWT as an authorization bearer token.
-
-You must modify the event, service and user fields in this example. In particular, the user id must be a member of your team (even if this sent by an automated process). Jq is an excellent tool for doing this modification.
-
-You may wish (or be required) to provide additional actions to describe the intention in more detail. (Example: accessing a server to do the provision)
+The first step is to open an intention with the Broker API. The open API is authenticated using a Broker Account that is connected to the project/service(s) in the actions. Your team can generate a Broker Token for Broker Accounts that your team is connected to. See: [Broker Account Token](dev_account_token.md)
 
 **Call  1.** POST /v1/intention/open
 
@@ -56,6 +50,10 @@ Header: "Authorization: Bearer $BROKER_JWT"
 }
 ```
 
+The intention you send can be a base JSON file with modified event and user fields. Jq is an excellent tool for doing this modification. In particular, the user id (<username>@idir or <username>@github) must be the member of your team doing the action(even if this is an automated process).
+
+You may wish (or be required) to provide additional details and/or actions to describe the intention in more detail. (Example: the server you are provisioning)
+
 The response will look like this:
 
 ```json
@@ -79,10 +77,10 @@ Next, let's get that secret id so that we can provision our application.
 
 **Call  2.** POST /v1/provision/approle/secret-id
 
-There is no body to send. Two headers must be sent:
+There is no body to send. Two headers can be sent:
 
-* x-vault-role-id (provided to your team)
-* x-broker-token (the token [.actions.provision.token] received for the action in the response to the intention open)
+* x-vault-role-id (Optional: A Broker Account can be set to require it.)
+* x-broker-token (Required: The token [.actions.provision.token] received for the action in the response to the intention open. This is NOT your Broker JWT)
 
 ```json
 {
@@ -136,12 +134,14 @@ You're done! Pass in '.token' from the open response as the 'x-broker-token' hea
 
 If you are following the access workflow, you'll be using the role id (provided) to retrieve a wrapped token with access to Vault. The token will have policies that are identical to a provisioned token. The 'provision/token/self' API allows you to skip sending a request to Vault to do the login yourself. The main difference is that the token cannot be renewed. The example here assumes some kind of database upgrade is going on.
 
-The first step is to open your intention with the Broker API. You must provide your teams JWT as an authorization bearer token.
+The first step is to open an intention with the Broker API. The open API is authenticated using a Broker Account that is connected to the project/service(s) in the actions. Your team can generate a Broker Token for Broker Accounts that your team is connected to. See: [Broker Account Token](dev_account_token.md)
 
 You must modify the event, service and user fields in this example. In particular, the user id (<username>@idir or <username>@github) must be a member of your team (even if this sent by an automated process). Jq is an excellent tool for doing this modification.
 
 You may wish (or be required) to provide additional actions to describe the event in more detail.
 
+A periodic process that is accessing secrets may be transient. This means there is no need to save the event long-term and can be filtered out from other activites. If your activity is transient then event.transient should be set to true.
+
 **Call  1.** POST /v1/intention/open
 
 Header: "Authorization: Bearer $BROKER_JWT"
@@ -151,7 +151,8 @@ Header: "Authorization: Bearer $BROKER_JWT"
   "event": {
     "provider": "provision-fluentbit-demo",
     "reason": "Job triggered",
-    "url": "JOB_URL"
+    "url": "JOB_URL",
+    "transient": false
   },
   "actions": [
     {

diff --git a/docs/dev_intention_user.md b/docs/dev_intention_user.md
@@ -0,0 +1,8 @@
+# Intention User Reference
+
+The user object in the intention must uniquely identify a user in the Broker database. This can be done by defining the id field or both the name and domain field. The id field should be the name and domain of a user combined using an at mark (name@domain).
+
+## Internal users
+
+It is suggested that internal users used for automated processes use the 'internal' domain. See: [Adding Internal Users](/operations_internal_user.md)
+
diff --git a/src/auth/auth.controller.ts b/src/auth/auth.controller.ts
@@ -32,24 +32,25 @@ export class AuthController {
   async logout(@Request() req: ExpressRequest, @Res() res: Response) {
     const id_token = req.user ? (req.user as any).id_token : undefined;
     // eslint-disable-next-line @typescript-eslint/no-empty-function
-    req.logout(() => {});
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    req.session.destroy(async (error: any) => {
-      const TrustIssuer = await Issuer.discover(
-        `${process.env.OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER}/.well-known/openid-configuration`,
-      );
-      const end_session_endpoint = TrustIssuer.metadata.end_session_endpoint;
-      if (end_session_endpoint) {
-        res.redirect(
-          end_session_endpoint +
-            '?post_logout_redirect_uri=' +
-            process.env
-              .OAUTH2_CLIENT_REGISTRATION_LOGIN_POST_LOGOUT_REDIRECT_URI +
-            (id_token ? '&id_token_hint=' + id_token : ''),
+    req.logout(() => {
+      // eslint-disable-next-line @typescript-eslint/no-unused-vars
+      req.session.destroy(async (error: any) => {
+        const TrustIssuer = await Issuer.discover(
+          `${process.env.OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER}/.well-known/openid-configuration`,
         );
-      } else {
-        res.redirect('/');
-      }
+        const end_session_endpoint = TrustIssuer.metadata.end_session_endpoint;
+        if (end_session_endpoint) {
+          res.redirect(
+            end_session_endpoint +
+              '?post_logout_redirect_uri=' +
+              process.env
+                .OAUTH2_CLIENT_REGISTRATION_LOGIN_POST_LOGOUT_REDIRECT_URI +
+              (id_token ? '&id_token_hint=' + id_token : ''),
+          );
+        } else {
+          res.redirect('/');
+        }
+      });
     });
   }
 }
diff --git a/src/collection/collection.service.ts b/src/collection/collection.service.ts
@@ -332,7 +332,7 @@ export class CollectionService {
     const project = vertices[0].collection;
     const roleIds = await Promise.all(
       VAULT_ENVIRONMENTS_SHORT.map((env) =>
-        this.getRoleIdForApplicationSupressed(project.name, service.name, env),
+        this.getRoleIdForApplicationSuppressed(project.name, service.name, env),
       ),
     );
 
@@ -351,7 +351,7 @@ export class CollectionService {
     return this.collectionRepository.doUniqueKeyCheck(collection, key, value);
   }
 
-  private async getRoleIdForApplicationSupressed(
+  private async getRoleIdForApplicationSuppressed(
     projectName: string,
     serviceName: string,
     environment: string,

diff --git a/ui/package-lock.json b/ui/package-lock.json
diff --git a/ui/package.json b/ui/package.json
@@ -13,12 +13,12 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@angular/animations": "^18.1.0",
-    "@angular/cdk": "^18.1.0",
+    "@angular/cdk": "^18.1.1",
     "@angular/common": "^18.1.0",
     "@angular/compiler": "^18.1.0",
     "@angular/core": "^18.1.0",
     "@angular/forms": "^18.1.0",
-    "@angular/material": "^18.1.0",
+    "@angular/material": "^18.1.1",
     "@angular/platform-browser": "^18.1.0",
     "@angular/platform-browser-dynamic": "^18.1.0",
     "@angular/router": "^18.1.0",

diff --git a/ui/src/app/graph/inspector/inspector.component.ts b/ui/src/app/graph/inspector/inspector.component.ts
@@ -62,7 +62,6 @@ import { InspectorTimestampsComponent } from '../inspector-timestamps/inspector-
 import { GraphUtilService } from '../../service/graph-util.service';
 import { EdgeRestDto } from '../../service/dto/edge-rest.dto';
 import { VertexRestDto } from '../../service/dto/vertex-rest.dto';
-import { InspectorPeopleComponent } from '../inspector-people/inspector-people.component';
 
 @Component({
   selector: 'app-inspector',