mirror of
https://github.com/openziti/zrok.git
synced 2024-11-23 00:23:48 +01:00
Merge pull request #340 from openziti/v0.4.0_access_limit_check
Private Access Limit Check
This commit is contained in:
Michael Quigley
GitHub
commit
04fddce422
@ -2,10 +2,12 @@ package controller
|
||||
|
||||
import (
|
||||
"github.com/go-openapi/runtime/middleware"
|
||||
"github.com/jmoiron/sqlx"
|
||||
"github.com/openziti/zrok/controller/store"
|
||||
"github.com/openziti/zrok/controller/zrokEdgeSdk"
|
||||
"github.com/openziti/zrok/rest_model_zrok"
|
||||
"github.com/openziti/zrok/rest_server_zrok/operations/share"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
@ -16,16 +18,16 @@ func newAccessHandler() *accessHandler {
|
||||
}
|
||||
|
||||
func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
|
||||
tx, err := str.Begin()
|
||||
trx, err := str.Begin()
|
||||
if err != nil {
|
||||
logrus.Errorf("error starting transaction for user '%v': %v", principal.Email, err)
|
||||
return share.NewAccessInternalServerError()
|
||||
}
|
||||
defer func() { _ = tx.Rollback() }()
|
||||
defer func() { _ = trx.Rollback() }()
|
||||
|
||||
envZId := params.Body.EnvZID
|
||||
envId := 0
|
||||
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
|
||||
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx); err == nil {
|
||||
found := false
|
||||
for _, env := range envs {
|
||||
if env.ZId == envZId {
|
||||
@ -45,7 +47,7 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
|
||||
}
|
||||
|
||||
shrToken := params.Body.ShrToken
|
||||
shr, err := str.FindShareWithToken(shrToken, tx)
|
||||
shr, err := str.FindShareWithToken(shrToken, trx)
|
||||
if err != nil {
|
||||
logrus.Errorf("error finding share")
|
||||
return share.NewAccessNotFound()
|
||||
@ -55,13 +57,18 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
|
||||
return share.NewAccessNotFound()
|
||||
}
|
||||
|
||||
if err := h.checkLimits(shr, trx); err != nil {
|
||||
logrus.Errorf("cannot access limited share for '%v': %v", principal.Email, err)
|
||||
return share.NewAccessNotFound()
|
||||
}
|
||||
|
||||
feToken, err := createToken()
|
||||
if err != nil {
|
||||
logrus.Error(err)
|
||||
return share.NewAccessInternalServerError()
|
||||
}
|
||||
|
||||
if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId}, tx); err != nil {
|
||||
if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId}, trx); err != nil {
|
||||
logrus.Errorf("error creating frontend record for user '%v': %v", principal.Email, err)
|
||||
return share.NewAccessInternalServerError()
|
||||
}
|
||||
@ -81,7 +88,7 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
|
||||
return share.NewAccessInternalServerError()
|
||||
}
|
||||
|
||||
if err := tx.Commit(); err != nil {
|
||||
if err := trx.Commit(); err != nil {
|
||||
logrus.Errorf("error committing frontend record: %v", err)
|
||||
return share.NewAccessInternalServerError()
|
||||
}
|
||||
@ -91,3 +98,16 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
|
||||
BackendMode: shr.BackendMode,
|
||||
})
|
||||
}
|
||||
|
||||
func (h *accessHandler) checkLimits(shr *store.Share, trx *sqlx.Tx) error {
|
||||
if limitsAgent != nil {
|
||||
ok, err := limitsAgent.CanAccessShare(shr.Id, trx)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "error checking share limits for '%v'", shr.Token)
|
||||
}
|
||||
if !ok {
|
||||
return errors.Errorf("share limit check failed for '%v'", shr.Token)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -139,6 +139,61 @@ func (a *Agent) CanCreateShare(acctId, envId int, trx *sqlx.Tx) (bool, error) {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
func (a *Agent) CanAccessShare(shrId int, trx *sqlx.Tx) (bool, error) {
|
||||
if a.cfg.Enforcing {
|
||||
shr, err := a.str.GetShare(shrId, trx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if empty, err := a.str.IsShareLimitJournalEmpty(shr.Id, trx); err == nil && !empty {
|
||||
slj, err := a.str.FindLatestShareLimitJournal(shr.Id, trx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if slj.Action == store.LimitAction {
|
||||
return false, nil
|
||||
}
|
||||
} else if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
env, err := a.str.GetEnvironment(shr.EnvironmentId, trx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if empty, err := a.str.IsEnvironmentLimitJournalEmpty(env.Id, trx); err == nil && !empty {
|
||||
elj, err := a.str.FindLatestEnvironmentLimitJournal(env.Id, trx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if elj.Action == store.LimitAction {
|
||||
return false, nil
|
||||
}
|
||||
} else if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
if env.AccountId != nil {
|
||||
acct, err := a.str.GetAccount(*env.AccountId, trx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if empty, err := a.str.IsAccountLimitJournalEmpty(acct.Id, trx); err == nil && !empty {
|
||||
alj, err := a.str.FindLatestAccountLimitJournal(acct.Id, trx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if alj.Action == store.LimitAction {
|
||||
return false, nil
|
||||
}
|
||||
} else if err != nil {
|
||||
return false, err
|
||||
}
|
||||
}
|
||||
}
|
||||
return true, nil
|
||||
}
|
||||
|
||||
func (a *Agent) Handle(u *metrics.Usage) error {
|
||||
logrus.Debugf("handling: %v", u)
|
||||
a.queue <- u
|
||||
|
||||
Loading…
Reference in New Issue
Block a user