2022-11-23 18:24:35 +01:00
|
|
|
package controller
|
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/go-openapi/runtime/middleware"
|
2023-06-06 16:54:57 +02:00
|
|
|
"github.com/jmoiron/sqlx"
|
2023-01-13 21:01:34 +01:00
|
|
|
"github.com/openziti/zrok/controller/store"
|
|
|
|
"github.com/openziti/zrok/controller/zrokEdgeSdk"
|
|
|
|
"github.com/openziti/zrok/rest_model_zrok"
|
|
|
|
"github.com/openziti/zrok/rest_server_zrok/operations/share"
|
2023-06-06 16:54:57 +02:00
|
|
|
"github.com/pkg/errors"
|
2022-11-23 18:24:35 +01:00
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
type accessHandler struct{}
|
|
|
|
|
|
|
|
func newAccessHandler() *accessHandler {
|
|
|
|
return &accessHandler{}
|
|
|
|
}
|
|
|
|
|
2023-01-04 19:43:37 +01:00
|
|
|
func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
|
2023-06-06 16:54:57 +02:00
|
|
|
trx, err := str.Begin()
|
2022-11-23 18:24:35 +01:00
|
|
|
if err != nil {
|
2023-01-30 17:38:55 +01:00
|
|
|
logrus.Errorf("error starting transaction for user '%v': %v", principal.Email, err)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessInternalServerError()
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
2023-06-06 16:54:57 +02:00
|
|
|
defer func() { _ = trx.Rollback() }()
|
2022-11-23 18:24:35 +01:00
|
|
|
|
2022-11-30 18:46:19 +01:00
|
|
|
envZId := params.Body.EnvZID
|
2022-11-23 18:24:35 +01:00
|
|
|
envId := 0
|
2023-06-06 16:54:57 +02:00
|
|
|
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx); err == nil {
|
2022-11-23 18:24:35 +01:00
|
|
|
found := false
|
|
|
|
for _, env := range envs {
|
|
|
|
if env.ZId == envZId {
|
|
|
|
logrus.Debugf("found identity '%v' for user '%v'", envZId, principal.Email)
|
|
|
|
envId = env.Id
|
|
|
|
found = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !found {
|
|
|
|
logrus.Errorf("environment '%v' not found for user '%v'", envZId, principal.Email)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessUnauthorized()
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
logrus.Errorf("error finding environments for account '%v'", principal.Email)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessNotFound()
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
|
|
|
|
2023-01-04 20:21:23 +01:00
|
|
|
shrToken := params.Body.ShrToken
|
2023-06-06 16:54:57 +02:00
|
|
|
shr, err := str.FindShareWithToken(shrToken, trx)
|
2022-11-23 18:24:35 +01:00
|
|
|
if err != nil {
|
2023-01-04 20:21:23 +01:00
|
|
|
logrus.Errorf("error finding share")
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessNotFound()
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
2023-03-29 19:53:14 +02:00
|
|
|
if shr == nil {
|
2023-01-04 20:21:23 +01:00
|
|
|
logrus.Errorf("unable to find share '%v' for user '%v'", shrToken, principal.Email)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessNotFound()
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
|
|
|
|
2023-06-06 17:29:22 +02:00
|
|
|
if err := h.checkLimits(shr, trx); err != nil {
|
2023-06-06 16:54:57 +02:00
|
|
|
logrus.Errorf("cannot access limited share for '%v': %v", principal.Email, err)
|
|
|
|
return share.NewAccessNotFound()
|
|
|
|
}
|
|
|
|
|
2022-11-30 17:52:48 +01:00
|
|
|
feToken, err := createToken()
|
2022-11-23 18:24:35 +01:00
|
|
|
if err != nil {
|
|
|
|
logrus.Error(err)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessInternalServerError()
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
|
|
|
|
2023-06-06 16:54:57 +02:00
|
|
|
if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId}, trx); err != nil {
|
2023-01-30 17:38:55 +01:00
|
|
|
logrus.Errorf("error creating frontend record for user '%v': %v", principal.Email, err)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessInternalServerError()
|
2022-11-28 19:33:59 +01:00
|
|
|
}
|
|
|
|
|
2023-03-07 20:31:39 +01:00
|
|
|
edge, err := zrokEdgeSdk.Client(cfg.Ziti)
|
2022-11-28 19:33:59 +01:00
|
|
|
if err != nil {
|
|
|
|
logrus.Error(err)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessInternalServerError()
|
2022-11-28 19:33:59 +01:00
|
|
|
}
|
2022-12-14 23:17:19 +01:00
|
|
|
addlTags := map[string]interface{}{
|
2022-11-28 19:33:59 +01:00
|
|
|
"zrokEnvironmentZId": envZId,
|
2022-11-30 17:52:48 +01:00
|
|
|
"zrokFrontendToken": feToken,
|
2023-01-04 20:21:23 +01:00
|
|
|
"zrokShareToken": shrToken,
|
2022-12-14 23:17:19 +01:00
|
|
|
}
|
2023-05-18 19:19:16 +02:00
|
|
|
if err := zrokEdgeSdk.CreateServicePolicyDial(feToken+"-"+envZId+"-"+shr.ZId+"-dial", shr.ZId, []string{envZId}, addlTags, edge); err != nil {
|
2023-01-30 17:38:55 +01:00
|
|
|
logrus.Errorf("unable to create dial policy for user '%v': %v", principal.Email, err)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessInternalServerError()
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
|
|
|
|
2023-06-06 16:54:57 +02:00
|
|
|
if err := trx.Commit(); err != nil {
|
2022-11-28 19:33:59 +01:00
|
|
|
logrus.Errorf("error committing frontend record: %v", err)
|
2023-01-04 19:43:37 +01:00
|
|
|
return share.NewAccessInternalServerError()
|
2022-11-28 19:33:59 +01:00
|
|
|
}
|
|
|
|
|
2023-05-01 18:19:06 +02:00
|
|
|
return share.NewAccessCreated().WithPayload(&rest_model_zrok.AccessResponse{
|
|
|
|
FrontendToken: feToken,
|
|
|
|
BackendMode: shr.BackendMode,
|
|
|
|
})
|
2022-11-23 18:24:35 +01:00
|
|
|
}
|
2023-06-06 16:54:57 +02:00
|
|
|
|
2023-06-06 17:29:22 +02:00
|
|
|
func (h *accessHandler) checkLimits(shr *store.Share, trx *sqlx.Tx) error {
|
2023-06-06 16:54:57 +02:00
|
|
|
if limitsAgent != nil {
|
2023-06-06 17:29:22 +02:00
|
|
|
ok, err := limitsAgent.CanAccessShare(shr.Id, trx)
|
2023-06-06 16:54:57 +02:00
|
|
|
if err != nil {
|
2023-06-06 17:29:22 +02:00
|
|
|
return errors.Wrapf(err, "error checking share limits for '%v'", shr.Token)
|
2023-06-06 16:54:57 +02:00
|
|
|
}
|
|
|
|
if !ok {
|
2023-06-06 17:29:22 +02:00
|
|
|
return errors.Errorf("share limit check failed for '%v'", shr.Token)
|
2023-06-06 16:54:57 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|