From 243261d70a9d5a239a984abff81f6ed1f3683b2e Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Tue, 6 Jun 2023 10:54:57 -0400
Subject: [PATCH 1/2] limits check scaffolding in accessHandler

---
 controller/access.go       | 32 ++++++++++++++++++++++++++------
 controller/limits/agent.go |  4 ++++
 2 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/controller/access.go b/controller/access.go
index b989988e..7e8b3dbf 100644
--- a/controller/access.go
+++ b/controller/access.go
@@ -2,10 +2,12 @@ package controller
 
 import (
 	"github.com/go-openapi/runtime/middleware"
+	"github.com/jmoiron/sqlx"
 	"github.com/openziti/zrok/controller/store"
 	"github.com/openziti/zrok/controller/zrokEdgeSdk"
 	"github.com/openziti/zrok/rest_model_zrok"
 	"github.com/openziti/zrok/rest_server_zrok/operations/share"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
@@ -16,16 +18,16 @@ func newAccessHandler() *accessHandler {
 }
 
 func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
-	tx, err := str.Begin()
+	trx, err := str.Begin()
 	if err != nil {
 		logrus.Errorf("error starting transaction for user '%v': %v", principal.Email, err)
 		return share.NewAccessInternalServerError()
 	}
-	defer func() { _ = tx.Rollback() }()
+	defer func() { _ = trx.Rollback() }()
 
 	envZId := params.Body.EnvZID
 	envId := 0
-	if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
+	if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx); err == nil {
 		found := false
 		for _, env := range envs {
 			if env.ZId == envZId {
@@ -45,7 +47,7 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
 	}
 
 	shrToken := params.Body.ShrToken
-	shr, err := str.FindShareWithToken(shrToken, tx)
+	shr, err := str.FindShareWithToken(shrToken, trx)
 	if err != nil {
 		logrus.Errorf("error finding share")
 		return share.NewAccessNotFound()
@@ -55,13 +57,18 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
 		return share.NewAccessNotFound()
 	}
 
+	if err := h.checkLimits(shrToken, trx); err != nil {
+		logrus.Errorf("cannot access limited share for '%v': %v", principal.Email, err)
+		return share.NewAccessNotFound()
+	}
+
 	feToken, err := createToken()
 	if err != nil {
 		logrus.Error(err)
 		return share.NewAccessInternalServerError()
 	}
 
-	if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId}, tx); err != nil {
+	if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId}, trx); err != nil {
 		logrus.Errorf("error creating frontend record for user '%v': %v", principal.Email, err)
 		return share.NewAccessInternalServerError()
 	}
@@ -81,7 +88,7 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
 		return share.NewAccessInternalServerError()
 	}
 
-	if err := tx.Commit(); err != nil {
+	if err := trx.Commit(); err != nil {
 		logrus.Errorf("error committing frontend record: %v", err)
 		return share.NewAccessInternalServerError()
 	}
@@ -91,3 +98,16 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
 		BackendMode:   shr.BackendMode,
 	})
 }
+
+func (h *accessHandler) checkLimits(shrToken string, trx *sqlx.Tx) error {
+	if limitsAgent != nil {
+		ok, err := limitsAgent.CanAccessShare(shrToken, trx)
+		if err != nil {
+			return errors.Wrapf(err, "error checking share limits for '%v'", shrToken)
+		}
+		if !ok {
+			return errors.Errorf("share limit check failed for '%v'", shrToken)
+		}
+	}
+	return nil
+}
diff --git a/controller/limits/agent.go b/controller/limits/agent.go
index 85420253..b67e9839 100644
--- a/controller/limits/agent.go
+++ b/controller/limits/agent.go
@@ -139,6 +139,10 @@ func (a *Agent) CanCreateShare(acctId, envId int, trx *sqlx.Tx) (bool, error) {
 	return true, nil
 }
 
+func (a *Agent) CanAccessShare(shrToken string, trx *sqlx.Tx) (bool, error) {
+	return true, nil
+}
+
 func (a *Agent) Handle(u *metrics.Usage) error {
 	logrus.Debugf("handling: %v", u)
 	a.queue <- u

From 0fa1a350cde19386cccde2b7b5966847fabc5131 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Tue, 6 Jun 2023 11:29:22 -0400
Subject: [PATCH 2/2] limits.CanAccessShare

---
 controller/access.go       | 10 +++----
 controller/limits/agent.go | 53 +++++++++++++++++++++++++++++++++++++-
 2 files changed, 57 insertions(+), 6 deletions(-)

diff --git a/controller/access.go b/controller/access.go
index 7e8b3dbf..56f9c8c5 100644
--- a/controller/access.go
+++ b/controller/access.go
@@ -57,7 +57,7 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
 		return share.NewAccessNotFound()
 	}
 
-	if err := h.checkLimits(shrToken, trx); err != nil {
+	if err := h.checkLimits(shr, trx); err != nil {
 		logrus.Errorf("cannot access limited share for '%v': %v", principal.Email, err)
 		return share.NewAccessNotFound()
 	}
@@ -99,14 +99,14 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
 	})
 }
 
-func (h *accessHandler) checkLimits(shrToken string, trx *sqlx.Tx) error {
+func (h *accessHandler) checkLimits(shr *store.Share, trx *sqlx.Tx) error {
 	if limitsAgent != nil {
-		ok, err := limitsAgent.CanAccessShare(shrToken, trx)
+		ok, err := limitsAgent.CanAccessShare(shr.Id, trx)
 		if err != nil {
-			return errors.Wrapf(err, "error checking share limits for '%v'", shrToken)
+			return errors.Wrapf(err, "error checking share limits for '%v'", shr.Token)
 		}
 		if !ok {
-			return errors.Errorf("share limit check failed for '%v'", shrToken)
+			return errors.Errorf("share limit check failed for '%v'", shr.Token)
 		}
 	}
 	return nil
diff --git a/controller/limits/agent.go b/controller/limits/agent.go
index b67e9839..81c5e63b 100644
--- a/controller/limits/agent.go
+++ b/controller/limits/agent.go
@@ -139,7 +139,58 @@ func (a *Agent) CanCreateShare(acctId, envId int, trx *sqlx.Tx) (bool, error) {
 	return true, nil
 }
 
-func (a *Agent) CanAccessShare(shrToken string, trx *sqlx.Tx) (bool, error) {
+func (a *Agent) CanAccessShare(shrId int, trx *sqlx.Tx) (bool, error) {
+	if a.cfg.Enforcing {
+		shr, err := a.str.GetShare(shrId, trx)
+		if err != nil {
+			return false, err
+		}
+		if empty, err := a.str.IsShareLimitJournalEmpty(shr.Id, trx); err == nil && !empty {
+			slj, err := a.str.FindLatestShareLimitJournal(shr.Id, trx)
+			if err != nil {
+				return false, err
+			}
+			if slj.Action == store.LimitAction {
+				return false, nil
+			}
+		} else if err != nil {
+			return false, err
+		}
+
+		env, err := a.str.GetEnvironment(shr.EnvironmentId, trx)
+		if err != nil {
+			return false, err
+		}
+		if empty, err := a.str.IsEnvironmentLimitJournalEmpty(env.Id, trx); err == nil && !empty {
+			elj, err := a.str.FindLatestEnvironmentLimitJournal(env.Id, trx)
+			if err != nil {
+				return false, err
+			}
+			if elj.Action == store.LimitAction {
+				return false, nil
+			}
+		} else if err != nil {
+			return false, err
+		}
+
+		if env.AccountId != nil {
+			acct, err := a.str.GetAccount(*env.AccountId, trx)
+			if err != nil {
+				return false, err
+			}
+			if empty, err := a.str.IsAccountLimitJournalEmpty(acct.Id, trx); err == nil && !empty {
+				alj, err := a.str.FindLatestAccountLimitJournal(acct.Id, trx)
+				if err != nil {
+					return false, err
+				}
+				if alj.Action == store.LimitAction {
+					return false, nil
+				}
+			} else if err != nil {
+				return false, err
+			}
+		}
+	}
 	return true, nil
 }