zrok/controller/enable.go

package controller

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"github.com/go-openapi/runtime/middleware"
	"github.com/openziti-test-kitchen/zrok/build"
	"github.com/openziti-test-kitchen/zrok/controller/store"
	"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
	"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/environment"
	"github.com/openziti/edge/rest_management_api_client"
	"github.com/openziti/edge/rest_management_api_client/edge_router_policy"
	identity_edge "github.com/openziti/edge/rest_management_api_client/identity"
	rest_model_edge "github.com/openziti/edge/rest_model"
	sdk_config "github.com/openziti/sdk-golang/ziti/config"
	"github.com/openziti/sdk-golang/ziti/enroll"
	"github.com/sirupsen/logrus"
	"time"
)

type enableHandler struct {
}

func newEnableHandler() *enableHandler {
	return &enableHandler{}
}

func (h *enableHandler) Handle(params environment.EnableParams, principal *rest_model_zrok.Principal) middleware.Responder {
	// start transaction early; if it fails, don't bother creating ziti resources
	tx, err := str.Begin()
	if err != nil {
		logrus.Errorf("error starting transaction: %v", err)
		return environment.NewEnableInternalServerError()
	}

	client, err := edgeClient()
	if err != nil {
		logrus.Errorf("error getting edge client: %v", err)
		return environment.NewEnableInternalServerError()
	}
	ident, err := h.createIdentity(principal.Email, client)
	if err != nil {
		logrus.Error(err)
		return environment.NewEnableInternalServerError()
	}
	cfg, err := h.enrollIdentity(ident.Payload.Data.ID, client)
	if err != nil {
		logrus.Error(err)
		return environment.NewEnableInternalServerError()
	}
	if err := h.createEdgeRouterPolicy(ident.Payload.Data.ID, client); err != nil {
		logrus.Error(err)
		return environment.NewEnableInternalServerError()
	}
	envId, err := str.CreateEnvironment(int(principal.ID), &store.Environment{
		Description: params.Body.Description,
		Host:        params.Body.Host,
		Address:     realRemoteAddress(params.HTTPRequest),
		ZId:         ident.Payload.Data.ID,
	}, tx)
	if err != nil {
		logrus.Errorf("error storing created identity: %v", err)
		_ = tx.Rollback()
		return environment.NewEnableInternalServerError()
	}
	if err := tx.Commit(); err != nil {
		logrus.Errorf("error committing: %v", err)
		return environment.NewEnableInternalServerError()
	}
	logrus.Infof("created environment for '%v', with ziti identity '%v', and database id '%v'", principal.Email, ident.Payload.Data.ID, envId)

	resp := environment.NewEnableCreated().WithPayload(&rest_model_zrok.EnableResponse{
		Identity: ident.Payload.Data.ID,
	})

	var out bytes.Buffer
	enc := json.NewEncoder(&out)
	enc.SetEscapeHTML(false)
	err = enc.Encode(&cfg)
	if err != nil {
		panic(err)
	}
	resp.Payload.Cfg = out.String()

	return resp
}

func (h *enableHandler) createIdentity(email string, client *rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {
	iIsAdmin := false
	name, err := createToken()
	if err != nil {
		return nil, err
	}
	identityType := rest_model_edge.IdentityTypeUser
	tags := h.zrokTags()
	tags.SubTags["zrokEmail"] = email
	i := &rest_model_edge.IdentityCreate{
		Enrollment:          &rest_model_edge.IdentityCreateEnrollment{Ott: true},
		IsAdmin:             &iIsAdmin,
		Name:                &name,
		RoleAttributes:      nil,
		ServiceHostingCosts: nil,
		Tags:                tags,
		Type:                &identityType,
	}
	req := identity_edge.NewCreateIdentityParams()
	req.Identity = i
	resp, err := client.Identity.CreateIdentity(req, nil)
	if err != nil {
		return nil, err
	}
	return resp, nil
}

func (h *enableHandler) enrollIdentity(id string, client *rest_management_api_client.ZitiEdgeManagement) (*sdk_config.Config, error) {
	p := &identity_edge.DetailIdentityParams{
		Context: context.Background(),
		ID:      id,
	}
	p.SetTimeout(30 * time.Second)
	resp, err := client.Identity.DetailIdentity(p, nil)
	if err != nil {
		return nil, err
	}
	tkn, _, err := enroll.ParseToken(resp.GetPayload().Data.Enrollment.Ott.JWT)
	if err != nil {
		return nil, err
	}
	flags := enroll.EnrollmentFlags{
		Token:  tkn,
		KeyAlg: "RSA",
	}
	conf, err := enroll.Enroll(flags)
	if err != nil {
		return nil, err
	}
	return conf, nil
}

func (h *enableHandler) createEdgeRouterPolicy(id string, edge *rest_management_api_client.ZitiEdgeManagement) error {
	edgeRouterRoles := []string{"#all"}
	identityRoles := []string{fmt.Sprintf("@%v", id)}
	semantic := rest_model_edge.SemanticAllOf
	erp := &rest_model_edge.EdgeRouterPolicyCreate{
		EdgeRouterRoles: edgeRouterRoles,
		IdentityRoles:   identityRoles,
		Name:            &id,
		Semantic:        &semantic,
		Tags:            h.zrokTags(),
	}
	req := &edge_router_policy.CreateEdgeRouterPolicyParams{
		Policy:  erp,
		Context: context.Background(),
	}
	req.SetTimeout(30 * time.Second)
	resp, err := edge.EdgeRouterPolicy.CreateEdgeRouterPolicy(req, nil)
	if err != nil {
		return err
	}
	logrus.Infof("created edge router policy '%v' for ziti identity '%v'", resp.Payload.Data.ID, id)
	return nil
}

func (h *enableHandler) zrokTags() *rest_model_edge.Tags {
	return &rest_model_edge.Tags{
		SubTags: map[string]interface{}{
			"zrok": build.String(),
		},
	}
}
skeleton bits for zrok enable 2022-07-25 23:05:44 +02:00			`package controller`

			`import (`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`"bytes"`
			`"context"`
			`"encoding/json"`
			`"fmt"`
skeleton bits for zrok enable 2022-07-25 23:05:44 +02:00			`"github.com/go-openapi/runtime/middleware"`
add build-time version metadata (#70) 2022-11-02 20:07:43 +01:00			`"github.com/openziti-test-kitchen/zrok/build"`
fix authentication transaction; record created identities (#10) 2022-07-29 21:54:13 +02:00			`"github.com/openziti-test-kitchen/zrok/controller/store"`
api package naming cleanup (less conflicts with existing ziti infrastructure) 2022-07-26 21:16:02 +02:00			`"github.com/openziti-test-kitchen/zrok/rest_model_zrok"`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/environment"`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`"github.com/openziti/edge/rest_management_api_client"`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00			`"github.com/openziti/edge/rest_management_api_client/edge_router_policy"`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`identity_edge "github.com/openziti/edge/rest_management_api_client/identity"`
			`rest_model_edge "github.com/openziti/edge/rest_model"`
			`sdk_config "github.com/openziti/sdk-golang/ziti/config"`
			`"github.com/openziti/sdk-golang/ziti/enroll"`
skeleton bits for zrok enable 2022-07-25 23:05:44 +02:00			`"github.com/sirupsen/logrus"`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`"time"`
skeleton bits for zrok enable 2022-07-25 23:05:44 +02:00			`)`

configurable edge client (#31) 2022-08-12 17:03:15 +02:00			`type enableHandler struct {`
			`}`

controller config structure improvements 2022-10-19 19:20:47 +02:00			`func newEnableHandler() *enableHandler {`
			`return &enableHandler{}`
configurable edge client (#31) 2022-08-12 17:03:15 +02:00			`}`

api namespace/naming polish 2022-11-30 17:43:00 +01:00			`func (h enableHandler) Handle(params environment.EnableParams, principal rest_model_zrok.Principal) middleware.Responder {`
record service alloc/dealloc (#10) 2022-07-29 22:03:53 +02:00			`// start transaction early; if it fails, don't bother creating ziti resources`
			`tx, err := str.Begin()`
			`if err != nil {`
			`logrus.Errorf("error starting transaction: %v", err)`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`return environment.NewEnableInternalServerError()`
record service alloc/dealloc (#10) 2022-07-29 22:03:53 +02:00			`}`

controller config structure improvements 2022-10-19 19:20:47 +02:00			`client, err := edgeClient()`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`if err != nil {`
create the service (#3) 2022-07-26 22:21:49 +02:00			`logrus.Errorf("error getting edge client: %v", err)`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`return environment.NewEnableInternalServerError()`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`}`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`ident, err := h.createIdentity(principal.Email, client)`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`if err != nil {`
			`logrus.Error(err)`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`return environment.NewEnableInternalServerError()`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`}`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`cfg, err := h.enrollIdentity(ident.Payload.Data.ID, client)`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`if err != nil {`
create the service (#3) 2022-07-26 22:21:49 +02:00			`logrus.Error(err)`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`return environment.NewEnableInternalServerError()`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`}`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`if err := h.createEdgeRouterPolicy(ident.Payload.Data.ID, client); err != nil {`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00			`logrus.Error(err)`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`return environment.NewEnableInternalServerError()`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00			`}`
elaboration 2022-08-03 20:25:27 +02:00			`envId, err := str.CreateEnvironment(int(principal.ID), &store.Environment{`
more naming simplification 2022-10-19 18:24:43 +02:00			`Description: params.Body.Description,`
			`Host: params.Body.Host,`
			`Address: realRemoteAddress(params.HTTPRequest),`
			`ZId: ident.Payload.Data.ID,`
elaboration 2022-08-03 20:25:27 +02:00			`}, tx)`
fix authentication transaction; record created identities (#10) 2022-07-29 21:54:13 +02:00			`if err != nil {`
			`logrus.Errorf("error storing created identity: %v", err)`
			`_ = tx.Rollback()`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`return environment.NewEnableInternalServerError()`
fix authentication transaction; record created identities (#10) 2022-07-29 21:54:13 +02:00			`}`
			`if err := tx.Commit(); err != nil {`
			`logrus.Errorf("error committing: %v", err)`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`return environment.NewEnableInternalServerError()`
fix authentication transaction; record created identities (#10) 2022-07-29 21:54:13 +02:00			`}`
wiring in the environment ziti identity for better correlation in logs (#90) 2022-11-08 21:07:18 +01:00			`logrus.Infof("created environment for '%v', with ziti identity '%v', and database id '%v'", principal.Email, ident.Payload.Data.ID, envId)`
fix authentication transaction; record created identities (#10) 2022-07-29 21:54:13 +02:00
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`resp := environment.NewEnableCreated().WithPayload(&rest_model_zrok.EnableResponse{`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`Identity: ident.Payload.Data.ID,`
skeleton bits for zrok enable 2022-07-25 23:05:44 +02:00			`})`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00
			`var out bytes.Buffer`
			`enc := json.NewEncoder(&out)`
			`enc.SetEscapeHTML(false)`
			`err = enc.Encode(&cfg)`
			`if err != nil {`
			`panic(err)`
			`}`
			`resp.Payload.Cfg = out.String()`

			`return resp`
			`}`

api namespace/naming polish 2022-11-30 17:43:00 +01:00			`func (h enableHandler) createIdentity(email string, client rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`iIsAdmin := false`
shortid (#79) 2022-10-18 21:21:53 +02:00			`name, err := createToken()`
			`if err != nil {`
			`return nil, err`
			`}`
api improvements 2022-07-27 19:38:35 +02:00			`identityType := rest_model_edge.IdentityTypeUser`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`tags := h.zrokTags()`
tags for identity and edge router policy (#60) 2022-09-19 20:42:05 +02:00			`tags.SubTags["zrokEmail"] = email`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`i := &rest_model_edge.IdentityCreate{`
			`Enrollment: &rest_model_edge.IdentityCreateEnrollment{Ott: true},`
			`IsAdmin: &iIsAdmin,`
api improvements 2022-07-27 19:38:35 +02:00			`Name: &name,`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`RoleAttributes: nil,`
			`ServiceHostingCosts: nil,`
tags for identity and edge router policy (#60) 2022-09-19 20:42:05 +02:00			`Tags: tags,`
api improvements 2022-07-27 19:38:35 +02:00			`Type: &identityType,`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`}`
api improvements 2022-07-27 19:38:35 +02:00			`req := identity_edge.NewCreateIdentityParams()`
			`req.Identity = i`
			`resp, err := client.Identity.CreateIdentity(req, nil)`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`if err != nil {`
			`return nil, err`
			`}`
api improvements 2022-07-27 19:38:35 +02:00			`return resp, nil`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`}`

api namespace/naming polish 2022-11-30 17:43:00 +01:00			`func (h enableHandler) enrollIdentity(id string, client rest_management_api_client.ZitiEdgeManagement) (*sdk_config.Config, error) {`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`p := &identity_edge.DetailIdentityParams{`
			`Context: context.Background(),`
			`ID: id,`
			`}`
			`p.SetTimeout(30 * time.Second)`
			`resp, err := client.Identity.DetailIdentity(p, nil)`
			`if err != nil {`
			`return nil, err`
			`}`
			`tkn, _, err := enroll.ParseToken(resp.GetPayload().Data.Enrollment.Ott.JWT)`
			`if err != nil {`
			`return nil, err`
			`}`
			`flags := enroll.EnrollmentFlags{`
			`Token: tkn,`
			`KeyAlg: "RSA",`
			`}`
			`conf, err := enroll.Enroll(flags)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return conf, nil`
skeleton bits for zrok enable 2022-07-25 23:05:44 +02:00			`}`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`func (h enableHandler) createEdgeRouterPolicy(id string, edge rest_management_api_client.ZitiEdgeManagement) error {`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00			`edgeRouterRoles := []string{"#all"}`
			`identityRoles := []string{fmt.Sprintf("@%v", id)}`
			`semantic := rest_model_edge.SemanticAllOf`
			`erp := &rest_model_edge.EdgeRouterPolicyCreate{`
			`EdgeRouterRoles: edgeRouterRoles,`
			`IdentityRoles: identityRoles,`
tags for identity and edge router policy (#60) 2022-09-19 20:42:05 +02:00			`Name: &id,`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00			`Semantic: &semantic,`
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`Tags: h.zrokTags(),`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00			`}`
			`req := &edge_router_policy.CreateEdgeRouterPolicyParams{`
			`Policy: erp,`
			`Context: context.Background(),`
			`}`
			`req.SetTimeout(30 * time.Second)`
			`resp, err := edge.EdgeRouterPolicy.CreateEdgeRouterPolicy(req, nil)`
			`if err != nil {`
			`return err`
			`}`
wiring in the environment ziti identity for better correlation in logs (#90) 2022-11-08 21:07:18 +01:00			`logrus.Infof("created edge router policy '%v' for ziti identity '%v'", resp.Payload.Data.ID, id)`
create edge router policy for identity at enable time, not tunnel time 2022-08-17 19:43:16 +02:00			`return nil`
			`}`
add zrok tags to identities and edge router policies (#60) 2022-09-15 22:06:38 +02:00
api namespace/naming polish 2022-11-30 17:43:00 +01:00			`func (h enableHandler) zrokTags() rest_model_edge.Tags {`
add zrok tags to identities and edge router policies (#60) 2022-09-15 22:06:38 +02:00			`return &rest_model_edge.Tags{`
			`SubTags: map[string]interface{}{`
add build-time version metadata (#70) 2022-11-02 20:07:43 +01:00			`"zrok": build.String(),`
add zrok tags to identities and edge router policies (#60) 2022-09-15 22:06:38 +02:00			`},`
			`}`
			`}`