service policy (#3)

2024-11-07 08:44:14 +01:00 · 2022-07-26 17:17:37 -04:00 · 2022-07-26 17:17:37 -04:00 · 73718804e1
commit 73718804e1
parent f44599e9c2
7 changed files with 76 additions and 14 deletions
--- a/cmd/zrok/enable.go
+++ b/cmd/zrok/enable.go
@ -34,7 +34,10 @@ func enable(_ *cobra.Command, args []string) {
 	if err := zrokdir.WriteToken(token); err != nil {
 		panic(err)
 	}
-	if err := zrokdir.WriteIdentity(resp.Payload.Cfg); err != nil {
+	if err := zrokdir.WriteIdentityId(resp.Payload.Identity); err != nil {
+		panic(err)
+	}
+	if err := zrokdir.WriteIdentityConfig(resp.Payload.Cfg); err != nil {
 		panic(err)
 	}
 	logrus.Infof("enabled, identity = '%v'", resp.Payload.Identity)
--- a/cmd/zrok/http.go
+++ b/cmd/zrok/http.go
@ -13,7 +13,7 @@ var httpCmd = &cobra.Command{
 	Short: "Start an http terminator",
 	Args:  cobra.ExactArgs(1),
 	Run: func(_ *cobra.Command, args []string) {
-		idCfg, err := zrokdir.IdentityFile()
+		idCfg, err := zrokdir.IdentityConfigFile()
 		if err != nil {
 			panic(err)
 		}
@ -21,7 +21,7 @@ var httpCmd = &cobra.Command{
 			IdentityPath:    idCfg,
 			EndpointAddress: args[0],
 		}
-		token, err := zrokdir.ReadToken()
+		id, err := zrokdir.ReadIdentityId()
 		if err != nil {
 			panic(err)
 		}
@ -30,7 +30,7 @@ var httpCmd = &cobra.Command{
 		req := tunnel.NewTunnelParams()
 		req.Body = &rest_model_zrok.TunnelRequest{
 			Endpoint: cfg.EndpointAddress,
-			Token:    token,
+			Identity: id,
 		}
 		resp, err := zrok.Tunnel.Tunnel(req)
 		if err != nil {
--- a/controller/tunnel.go
+++ b/controller/tunnel.go
@ -8,6 +8,7 @@ import (
 	"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/tunnel"
 	"github.com/openziti/edge/rest_management_api_client/service"
 	"github.com/openziti/edge/rest_management_api_client/service_edge_router_policy"
+	"github.com/openziti/edge/rest_management_api_client/service_policy"
 	"github.com/openziti/edge/rest_model"
 	"github.com/sirupsen/logrus"
 	"time"
@ -27,6 +28,8 @@ func tunnelHandler(params tunnel.TunnelParams) middleware.Responder {
 	}
 	logrus.Infof("using service '%v'", serviceId)

+	semantic := rest_model.SemanticAllOf
+
 	// Service
 	svcConfigs := make([]string, 0)
 	svcEnc := true
@ -47,14 +50,39 @@ func tunnelHandler(params tunnel.TunnelParams) middleware.Responder {
 	}
 	logrus.Infof("created service '%v'", serviceId)

+	// Service Policy
+	svcpIdRoles := []string{fmt.Sprintf("@%v", params.Body.Identity)}
+	svcpPcRoles := []string{}
+	svcpSvcRoles := []string{fmt.Sprintf("@%v", svcResp.Payload.Data.ID)}
+	svcpDialBind := rest_model.DialBindBind
+	svcp := &rest_model.ServicePolicyCreate{
+		IdentityRoles:     svcpIdRoles,
+		Name:              &serviceId,
+		PostureCheckRoles: svcpPcRoles,
+		Semantic:          &semantic,
+		ServiceRoles:      svcpSvcRoles,
+		Type:              &svcpDialBind,
+	}
+	svcpParams := &service_policy.CreateServicePolicyParams{
+		Policy:  svcp,
+		Context: context.Background(),
+	}
+	svcpParams.SetTimeout(30 * time.Second)
+	_, err = edge.ServicePolicy.CreateServicePolicy(svcpParams, nil)
+	if err != nil {
+		logrus.Error(err)
+		return middleware.Error(500, err.Error())
+	}
+	logrus.Infof("created service policy '%v'", serviceId)
+
 	// Service Edge Router Policy
 	serpErRoles := []string{"@tDnhG8jkG9"} // @linux-edge-router
-	serpSemantic := rest_model.SemanticAllOf
+
 	serpSvcRoles := []string{fmt.Sprintf("@%v", svcResp.Payload.Data.ID)}
 	serp := &rest_model.ServiceEdgeRouterPolicyCreate{
 		EdgeRouterRoles: serpErRoles,
 		Name:            &serviceId,
-		Semantic:        &serpSemantic,
+		Semantic:        &semantic,
 		ServiceRoles:    serpSvcRoles,
 	}
 	serpParams := &service_edge_router_policy.CreateServiceEdgeRouterPolicyParams{
--- a/rest_model_zrok/tunnel_request.go
+++ b/rest_model_zrok/tunnel_request.go
@ -20,8 +20,8 @@ type TunnelRequest struct {
 	// endpoint
 	Endpoint string `json:"endpoint,omitempty"`

-	// token
-	Token string `json:"token,omitempty"`
+	// identity
+	Identity string `json:"identity,omitempty"`
 }

 // Validate validates this tunnel request
--- a/rest_server_zrok/embedded_spec.go
+++ b/rest_server_zrok/embedded_spec.go
@ -183,7 +183,7 @@ func init() {
        "endpoint": {
          "type": "string"
        },
-        "token": {
+        "identity": {
          "type": "string"
        }
      }
@ -372,7 +372,7 @@ func init() {
        "endpoint": {
          "type": "string"
        },
-        "token": {
+        "identity": {
          "type": "string"
        }
      }
--- a/specs/zrok.yml
+++ b/specs/zrok.yml
@ -101,7 +101,7 @@ definitions:
  tunnelRequest:
    type: object
    properties:
-      token:
+      identity:
        type: string
      endpoint:
        type: string
--- a/zrokdir/zrokdir.go
+++ b/zrokdir/zrokdir.go
@ -28,8 +28,31 @@ func WriteToken(token string) error {
 	return nil
 }

-func WriteIdentity(data string) error {
-	path, err := IdentityFile()
+func ReadIdentityId() (string, error) {
+	path, err := IdentityIdFile()
+	if err != nil {
+		return "", err
+	}
+	id, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+	return string(id), nil
+}
+
+func WriteIdentityId(id string) error {
+	path, err := IdentityIdFile()
+	if err != nil {
+		return err
+	}
+	if err := os.WriteFile(path, []byte(id), os.FileMode(400)); err != nil {
+		return err
+	}
+	return nil
+}
+
+func WriteIdentityConfig(data string) error {
+	path, err := IdentityConfigFile()
 	if err != nil {
 		return err
 	}
@ -39,7 +62,15 @@ func WriteIdentity(data string) error {
 	return nil
 }

-func IdentityFile() (string, error) {
+func IdentityIdFile() (string, error) {
+	zrok, err := zrokDir()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(zrok, "identity.id"), nil
+}
+
+func IdentityConfigFile() (string, error) {
 	zrok, err := zrokDir()
 	if err != nil {
 		return "", err