zrok/controller/access.go

144 lines
4.6 KiB
Go
Raw Normal View History

2022-11-23 18:24:35 +01:00
package controller
import (
"github.com/go-openapi/runtime/middleware"
"github.com/jmoiron/sqlx"
"github.com/openziti/zrok/controller/store"
"github.com/openziti/zrok/controller/zrokEdgeSdk"
"github.com/openziti/zrok/rest_model_zrok"
"github.com/openziti/zrok/rest_server_zrok/operations/share"
"github.com/pkg/errors"
2022-11-23 18:24:35 +01:00
"github.com/sirupsen/logrus"
)
type accessHandler struct{}
func newAccessHandler() *accessHandler {
return &accessHandler{}
}
func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
trx, err := str.Begin()
2022-11-23 18:24:35 +01:00
if err != nil {
logrus.Errorf("error starting transaction for user '%v': %v", principal.Email, err)
return share.NewAccessInternalServerError()
2022-11-23 18:24:35 +01:00
}
defer func() { _ = trx.Rollback() }()
2022-11-23 18:24:35 +01:00
envZId := params.Body.EnvZID
2022-11-23 18:24:35 +01:00
envId := 0
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx); err == nil {
2022-11-23 18:24:35 +01:00
found := false
for _, env := range envs {
if env.ZId == envZId {
logrus.Debugf("found identity '%v' for user '%v'", envZId, principal.Email)
envId = env.Id
found = true
break
}
}
if !found {
logrus.Errorf("environment '%v' not found for user '%v'", envZId, principal.Email)
return share.NewAccessUnauthorized()
2022-11-23 18:24:35 +01:00
}
} else {
logrus.Errorf("error finding environments for account '%v'", principal.Email)
return share.NewAccessNotFound()
2022-11-23 18:24:35 +01:00
}
2023-01-04 20:21:23 +01:00
shrToken := params.Body.ShrToken
shr, err := str.FindShareWithToken(shrToken, trx)
2022-11-23 18:24:35 +01:00
if err != nil {
logrus.Errorf("error finding share with token '%v': %v", shrToken, err)
return share.NewAccessNotFound()
2022-11-23 18:24:35 +01:00
}
if shr == nil {
2023-01-04 20:21:23 +01:00
logrus.Errorf("unable to find share '%v' for user '%v'", shrToken, principal.Email)
return share.NewAccessNotFound()
2022-11-23 18:24:35 +01:00
}
if shr.PermissionMode == store.ClosedPermissionMode {
shrEnv, err := str.GetEnvironment(shr.EnvironmentId, trx)
if err != nil {
logrus.Errorf("error getting environment for share '%v': %v", shrToken, err)
return share.NewAccessInternalServerError()
}
if err := h.checkAccessGrants(shr, *shrEnv.AccountId, principal, trx); err != nil {
logrus.Errorf("closed permission mode for '%v' fails for '%v': %v", shr.Token, principal.Email, err)
return share.NewAccessUnauthorized()
}
2024-03-01 21:50:54 +01:00
}
2023-06-06 17:29:22 +02:00
if err := h.checkLimits(shr, trx); err != nil {
logrus.Errorf("cannot access limited share for '%v': %v", principal.Email, err)
return share.NewAccessNotFound()
}
2024-01-30 18:59:56 +01:00
feToken, err := CreateToken()
2022-11-23 18:24:35 +01:00
if err != nil {
logrus.Error(err)
return share.NewAccessInternalServerError()
2022-11-23 18:24:35 +01:00
}
if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId}, trx); err != nil {
logrus.Errorf("error creating frontend record for user '%v': %v", principal.Email, err)
return share.NewAccessInternalServerError()
}
2023-03-07 20:31:39 +01:00
edge, err := zrokEdgeSdk.Client(cfg.Ziti)
if err != nil {
logrus.Error(err)
return share.NewAccessInternalServerError()
}
addlTags := map[string]interface{}{
"zrokEnvironmentZId": envZId,
"zrokFrontendToken": feToken,
2023-01-04 20:21:23 +01:00
"zrokShareToken": shrToken,
}
if err := zrokEdgeSdk.CreateServicePolicyDial(feToken+"-"+envZId+"-"+shr.ZId+"-dial", shr.ZId, []string{envZId}, addlTags, edge); err != nil {
logrus.Errorf("unable to create dial policy for user '%v': %v", principal.Email, err)
return share.NewAccessInternalServerError()
2022-11-23 18:24:35 +01:00
}
if err := trx.Commit(); err != nil {
logrus.Errorf("error committing frontend record: %v", err)
return share.NewAccessInternalServerError()
}
2023-05-01 18:19:06 +02:00
return share.NewAccessCreated().WithPayload(&rest_model_zrok.AccessResponse{
FrontendToken: feToken,
BackendMode: shr.BackendMode,
})
2022-11-23 18:24:35 +01:00
}
2023-06-06 17:29:22 +02:00
func (h *accessHandler) checkLimits(shr *store.Share, trx *sqlx.Tx) error {
if limitsAgent != nil {
2023-06-06 17:29:22 +02:00
ok, err := limitsAgent.CanAccessShare(shr.Id, trx)
if err != nil {
2023-06-06 17:29:22 +02:00
return errors.Wrapf(err, "error checking share limits for '%v'", shr.Token)
}
if !ok {
2023-06-06 17:29:22 +02:00
return errors.Errorf("share limit check failed for '%v'", shr.Token)
}
}
return nil
}
func (h *accessHandler) checkAccessGrants(shr *store.Share, ownerAccountId int, principal *rest_model_zrok.Principal, trx *sqlx.Tx) error {
if int(principal.ID) == ownerAccountId {
logrus.Infof("accessing own share '%v' for '%v'", shr.Token, principal.Email)
return nil
}
count, err := str.CheckAccessGrantForShareAndAccount(shr.Id, int(principal.ID), trx)
if err != nil {
logrus.Infof("error checking access grants for '%v': %v", shr.Token, err)
return err
}
if count > 0 {
logrus.Infof("found '%d' grants for '%v'", count, principal.Email)
return nil
}
return errors.Errorf("access denied for '%v' accessing '%v'", principal.Email, shr.Token)
}