zrok/controller/access.go

package controller

import (
	"github.com/go-openapi/runtime/middleware"
	"github.com/jmoiron/sqlx"
	"github.com/openziti/zrok/controller/store"
	"github.com/openziti/zrok/controller/zrokEdgeSdk"
	"github.com/openziti/zrok/rest_model_zrok"
	"github.com/openziti/zrok/rest_server_zrok/operations/share"
	"github.com/pkg/errors"
	"github.com/sirupsen/logrus"
)

type accessHandler struct{}

func newAccessHandler() *accessHandler {
	return &accessHandler{}
}

func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
	trx, err := str.Begin()
	if err != nil {
		logrus.Errorf("error starting transaction for user '%v': %v", principal.Email, err)
		return share.NewAccessInternalServerError()
	}
	defer func() { _ = trx.Rollback() }()

	envZId := params.Body.EnvZID
	envId := 0
	if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx); err == nil {
		found := false
		for _, env := range envs {
			if env.ZId == envZId {
				logrus.Debugf("found identity '%v' for user '%v'", envZId, principal.Email)
				envId = env.Id
				found = true
				break
			}
		}
		if !found {
			logrus.Errorf("environment '%v' not found for user '%v'", envZId, principal.Email)
			return share.NewAccessUnauthorized()
		}
	} else {
		logrus.Errorf("error finding environments for account '%v'", principal.Email)
		return share.NewAccessNotFound()
	}

	shrToken := params.Body.ShrToken
	shr, err := str.FindShareWithToken(shrToken, trx)
	if err != nil {
		logrus.Errorf("error finding share with token '%v': %v", shrToken, err)
		return share.NewAccessNotFound()
	}
	if shr == nil {
		logrus.Errorf("unable to find share '%v' for user '%v'", shrToken, principal.Email)
		return share.NewAccessNotFound()
	}

	if shr.PermissionMode == store.ClosedPermissionMode {
		shrEnv, err := str.GetEnvironment(shr.EnvironmentId, trx)
		if err != nil {
			logrus.Errorf("error getting environment for share '%v': %v", shrToken, err)
			return share.NewAccessInternalServerError()
		}

		if err := h.checkAccessGrants(shr, *shrEnv.AccountId, principal, trx); err != nil {
			logrus.Errorf("closed permission mode for '%v' fails for '%v': %v", shr.Token, principal.Email, err)
			return share.NewAccessUnauthorized()
		}
	}

	if err := h.checkLimits(shr, trx); err != nil {
		logrus.Errorf("cannot access limited share for '%v': %v", principal.Email, err)
		return share.NewAccessNotFound()
	}

	feToken, err := CreateToken()
	if err != nil {
		logrus.Error(err)
		return share.NewAccessInternalServerError()
	}

	if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId, PermissionMode: store.ClosedPermissionMode}, trx); err != nil {
		logrus.Errorf("error creating frontend record for user '%v': %v", principal.Email, err)
		return share.NewAccessInternalServerError()
	}

	edge, err := zrokEdgeSdk.Client(cfg.Ziti)
	if err != nil {
		logrus.Error(err)
		return share.NewAccessInternalServerError()
	}
	addlTags := map[string]interface{}{
		"zrokEnvironmentZId": envZId,
		"zrokFrontendToken":  feToken,
		"zrokShareToken":     shrToken,
	}
	if err := zrokEdgeSdk.CreateServicePolicyDial(feToken+"-"+envZId+"-"+shr.ZId+"-dial", shr.ZId, []string{envZId}, addlTags, edge); err != nil {
		logrus.Errorf("unable to create dial policy for user '%v': %v", principal.Email, err)
		return share.NewAccessInternalServerError()
	}

	if err := trx.Commit(); err != nil {
		logrus.Errorf("error committing frontend record: %v", err)
		return share.NewAccessInternalServerError()
	}

	return share.NewAccessCreated().WithPayload(&rest_model_zrok.AccessResponse{
		FrontendToken: feToken,
		BackendMode:   shr.BackendMode,
	})
}

func (h *accessHandler) checkLimits(shr *store.Share, trx *sqlx.Tx) error {
	if limitsAgent != nil {
		ok, err := limitsAgent.CanAccessShare(shr.Id, trx)
		if err != nil {
			return errors.Wrapf(err, "error checking share limits for '%v'", shr.Token)
		}
		if !ok {
			return errors.Errorf("share limit check failed for '%v'", shr.Token)
		}
	}
	return nil
}

func (h *accessHandler) checkAccessGrants(shr *store.Share, ownerAccountId int, principal *rest_model_zrok.Principal, trx *sqlx.Tx) error {
	if int(principal.ID) == ownerAccountId {
		logrus.Infof("accessing own share '%v' for '%v'", shr.Token, principal.Email)
		return nil
	}
	count, err := str.CheckAccessGrantForShareAndAccount(shr.Id, int(principal.ID), trx)
	if err != nil {
		logrus.Infof("error checking access grants for '%v': %v", shr.Token, err)
		return err
	}
	if count > 0 {
		logrus.Infof("found '%d' grants for '%v'", count, principal.Email)
		return nil
	}
	return errors.Errorf("access denied for '%v' accessing '%v'", principal.Email, shr.Token)
}
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`package controller`

			`import (`
			`"github.com/go-openapi/runtime/middleware"`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`"github.com/jmoiron/sqlx"`
openziti-rest-kitchen -> openziti (#158) 2023-01-13 21:01:34 +01:00			`"github.com/openziti/zrok/controller/store"`
			`"github.com/openziti/zrok/controller/zrokEdgeSdk"`
			`"github.com/openziti/zrok/rest_model_zrok"`
			`"github.com/openziti/zrok/rest_server_zrok/operations/share"`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`"github.com/pkg/errors"`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`"github.com/sirupsen/logrus"`
			`)`

			`type accessHandler struct{}`

			`func newAccessHandler() *accessHandler {`
			`return &accessHandler{}`
			`}`

massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`func (h accessHandler) Handle(params share.AccessParams, principal rest_model_zrok.Principal) middleware.Responder {`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`trx, err := str.Begin()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`if err != nil {`
operational improvements in log messages (#186) 2023-01-30 17:38:55 +01:00			`logrus.Errorf("error starting transaction for user '%v': %v", principal.Email, err)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessInternalServerError()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`defer func() { _ = trx.Rollback() }()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00
more naming refactoring 'name' -> 'token' (#119) 2022-11-30 18:46:19 +01:00			`envZId := params.Body.EnvZID`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`envId := 0`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx); err == nil {`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`found := false`
			`for _, env := range envs {`
			`if env.ZId == envZId {`
			`logrus.Debugf("found identity '%v' for user '%v'", envZId, principal.Email)`
			`envId = env.Id`
			`found = true`
			`break`
			`}`
			`}`
			`if !found {`
			`logrus.Errorf("environment '%v' not found for user '%v'", envZId, principal.Email)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessUnauthorized()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`
			`} else {`
			`logrus.Errorf("error finding environments for account '%v'", principal.Email)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessNotFound()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`

more services -> shares (#144) 2023-01-04 20:21:23 +01:00			`shrToken := params.Body.ShrToken`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`shr, err := str.FindShareWithToken(shrToken, trx)`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`if err != nil {`
tweaks and controller cleanup for access grants (#432) 2024-03-05 19:21:43 +01:00			`logrus.Errorf("error finding share with token '%v': %v", shrToken, err)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessNotFound()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`
add 'private_share_id' to store 'frontends' table (#278) 2023-03-29 19:53:14 +02:00			`if shr == nil {`
more services -> shares (#144) 2023-01-04 20:21:23 +01:00			`logrus.Errorf("unable to find share '%v' for user '%v'", shrToken, principal.Email)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessNotFound()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`

access grant checking for access (#432) 2024-03-04 19:56:02 +01:00			`if shr.PermissionMode == store.ClosedPermissionMode {`
tweaks and controller cleanup for access grants (#432) 2024-03-05 19:21:43 +01:00			`shrEnv, err := str.GetEnvironment(shr.EnvironmentId, trx)`
			`if err != nil {`
			`logrus.Errorf("error getting environment for share '%v': %v", shrToken, err)`
			`return share.NewAccessInternalServerError()`
			`}`

			`if err := h.checkAccessGrants(shr, *shrEnv.AccountId, principal, trx); err != nil {`
access grant checking for access (#432) 2024-03-04 19:56:02 +01:00			`logrus.Errorf("closed permission mode for '%v' fails for '%v': %v", shr.Token, principal.Email, err)`
tweaks and controller cleanup for access grants (#432) 2024-03-05 19:21:43 +01:00			`return share.NewAccessUnauthorized()`
access grant checking for access (#432) 2024-03-04 19:56:02 +01:00			`}`
access handler block (#432) 2024-03-01 21:50:54 +01:00			`}`

limits.CanAccessShare 2023-06-06 17:29:22 +02:00			`if err := h.checkLimits(shr, trx); err != nil {`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`logrus.Errorf("cannot access limited share for '%v': %v", principal.Email, err)`
			`return share.NewAccessNotFound()`
			`}`

'zrok admin create account' 2024-01-30 18:59:56 +01:00			`feToken, err := CreateToken()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`if err != nil {`
			`logrus.Error(err)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessInternalServerError()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`

fix for private frontend permission mode (#677) 2024-06-25 20:27:45 +02:00			`if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId, PermissionMode: store.ClosedPermissionMode}, trx); err != nil {`
operational improvements in log messages (#186) 2023-01-30 17:38:55 +01:00			`logrus.Errorf("error creating frontend record for user '%v': %v", principal.Email, err)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessInternalServerError()`
continued refinement of frontends; access/unacess (#113, #109) 2022-11-28 19:33:59 +01:00			`}`

ziti edge client in sdk package (#128) 2023-03-07 20:31:39 +01:00			`edge, err := zrokEdgeSdk.Client(cfg.Ziti)`
continued refinement of frontends; access/unacess (#113, #109) 2022-11-28 19:33:59 +01:00			`if err != nil {`
			`logrus.Error(err)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessInternalServerError()`
continued refinement of frontends; access/unacess (#113, #109) 2022-11-28 19:33:59 +01:00			`}`
massive zrokEdgeSdk cleanups around service policies (#112) 2022-12-14 23:17:19 +01:00			`addlTags := map[string]interface{}{`
continued refinement of frontends; access/unacess (#113, #109) 2022-11-28 19:33:59 +01:00			`"zrokEnvironmentZId": envZId,`
frontends.name -> frontends.token (#119) 2022-11-30 17:52:48 +01:00			`"zrokFrontendToken": feToken,`
more services -> shares (#144) 2023-01-04 20:21:23 +01:00			`"zrokShareToken": shrToken,`
massive zrokEdgeSdk cleanups around service policies (#112) 2022-12-14 23:17:19 +01:00			`}`
make frontend dial policies for private access names more unique (include frontend token) (#329) 2023-05-18 19:19:16 +02:00			`if err := zrokEdgeSdk.CreateServicePolicyDial(feToken+"-"+envZId+"-"+shr.ZId+"-dial", shr.ZId, []string{envZId}, addlTags, edge); err != nil {`
operational improvements in log messages (#186) 2023-01-30 17:38:55 +01:00			`logrus.Errorf("unable to create dial policy for user '%v': %v", principal.Email, err)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessInternalServerError()`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`

limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`if err := trx.Commit(); err != nil {`
continued refinement of frontends; access/unacess (#113, #109) 2022-11-28 19:33:59 +01:00			`logrus.Errorf("error committing frontend record: %v", err)`
massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`return share.NewAccessInternalServerError()`
continued refinement of frontends; access/unacess (#113, #109) 2022-11-28 19:33:59 +01:00			`}`

merged tui for tcpTunnel (#307) 2023-05-01 18:19:06 +02:00			`return share.NewAccessCreated().WithPayload(&rest_model_zrok.AccessResponse{`
			`FrontendToken: feToken,`
			`BackendMode: shr.BackendMode,`
			`})`
roughed-in access handler (#111) 2022-11-23 18:24:35 +01:00			`}`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00
limits.CanAccessShare 2023-06-06 17:29:22 +02:00			`func (h accessHandler) checkLimits(shr store.Share, trx *sqlx.Tx) error {`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`if limitsAgent != nil {`
limits.CanAccessShare 2023-06-06 17:29:22 +02:00			`ok, err := limitsAgent.CanAccessShare(shr.Id, trx)`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`if err != nil {`
limits.CanAccessShare 2023-06-06 17:29:22 +02:00			`return errors.Wrapf(err, "error checking share limits for '%v'", shr.Token)`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`}`
			`if !ok {`
limits.CanAccessShare 2023-06-06 17:29:22 +02:00			`return errors.Errorf("share limit check failed for '%v'", shr.Token)`
limits check scaffolding in accessHandler 2023-06-06 16:54:57 +02:00			`}`
			`}`
			`return nil`
			`}`
access grant checking for access (#432) 2024-03-04 19:56:02 +01:00
			`func (h accessHandler) checkAccessGrants(shr store.Share, ownerAccountId int, principal rest_model_zrok.Principal, trx sqlx.Tx) error {`
			`if int(principal.ID) == ownerAccountId {`
			`logrus.Infof("accessing own share '%v' for '%v'", shr.Token, principal.Email)`
			`return nil`
			`}`
			`count, err := str.CheckAccessGrantForShareAndAccount(shr.Id, int(principal.ID), trx)`
			`if err != nil {`
tweaks and controller cleanup for access grants (#432) 2024-03-05 19:21:43 +01:00			`logrus.Infof("error checking access grants for '%v': %v", shr.Token, err)`
access grant checking for access (#432) 2024-03-04 19:56:02 +01:00			`return err`
			`}`
			`if count > 0 {`
tweaks and controller cleanup for access grants (#432) 2024-03-05 19:21:43 +01:00			`logrus.Infof("found '%d' grants for '%v'", count, principal.Email)`
access grant checking for access (#432) 2024-03-04 19:56:02 +01:00			`return nil`
			`}`
			`return errors.Errorf("access denied for '%v' accessing '%v'", principal.Email, shr.Token)`
			`}`