From 94f11b16ddb4213fa1b91139fee208e347870f63 Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Mon, 2 Jun 2025 17:04:38 -0400
Subject: [PATCH] /agent/unaccess handler (#967)
---
 controller/agentRemoteUnaccess.go | 55 +++++++++++++++++++++++++++++++
 controller/controller.go | 1 +
 2 files changed, 56 insertions(+)
 create mode 100644 controller/agentRemoteUnaccess.go
diff --git a/controller/agentRemoteUnaccess.go b/controller/agentRemoteUnaccess.go
new file mode 100644
index 00000000..12a17375
--- /dev/null
+++ b/controller/agentRemoteUnaccess.go
@@ -0,0 +1,55 @@
+package controller
+
+import (
+ "context"
+ "github.com/go-openapi/runtime/middleware"
+ "github.com/openziti/zrok/agent/agentGrpc"
+ "github.com/openziti/zrok/controller/agentController"
+ "github.com/openziti/zrok/rest_model_zrok"
+ "github.com/openziti/zrok/rest_server_zrok/operations/agent"
+ "github.com/sirupsen/logrus"
+)
+
+type agentRemoteUnaccessHandler struct{}
+
+func newAgentRemoteUnaccessHandler() *agentRemoteUnaccessHandler {
+ return &agentRemoteUnaccessHandler{}
+}
+
+func (h *agentRemoteUnaccessHandler) Handle(params agent.RemoteUnaccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+ trx, err := str.Begin()
+ if err != nil {
+ logrus.Errorf("error starting transaction for '%v': %v", principal.Email, err)
+ return agent.NewRemoteUnshareInternalServerError()
+ }
+ defer trx.Rollback()
+
+ env, err := str.FindEnvironmentForAccount(params.Body.EnvZID, int(principal.ID), trx)
+ if err != nil {
+ logrus.Errorf("error finding environment '%v' for '%v': %v", params.Body.EnvZID, principal.Email, err)
+ return agent.NewRemoteUnshareUnauthorized()
+ }
+
+ ae, err := str.FindAgentEnrollmentForEnvironment(env.Id, trx)
+ if err != nil {
+ logrus.Errorf("error finding agent enrollment for environment '%v' (%v): %v", params.Body.EnvZID, principal.Email, err)
+ return agent.NewRemoteUnshareBadGateway()
+ }
+ _ = trx.Rollback() // ...or will block unshare trx on sqlite
+
+ acli, aconn, err := agentController.NewAgentClient(ae.Token, cfg.AgentController)
+ if err != nil {
+ logrus.Errorf("error creating agent client for '%v' (%v): %v", params.Body.EnvZID, principal.Email, err)
+ return agent.NewRemoteUnshareInternalServerError()
+ }
+ defer aconn.Close()
+
+ req := &agentGrpc.ReleaseAccessRequest{FrontendToken: params.Body.FrontendToken}
+ _, err = acli.ReleaseAccess(context.Background(), req)
+ if err != nil {
+ logrus.Errorf("error releasing access '%v' for '%v' (%v): %v", params.Body.FrontendToken, params.Body.EnvZID, principal.Email, err)
+ return agent.NewRemoteUnaccessBadGateway()
+ }
+
+ return agent.NewRemoteUnaccessOK()
+}
diff --git a/controller/controller.go b/controller/controller.go
index 7a17c6f4..9383b3bc 100644
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -71,6 +71,7 @@ func Run(inCfg *config.Config) error {
 api.AgentRemoteAccessHandler = newAgentRemoteAccessHandler()
 api.AgentRemoteShareHandler = newAgentRemoteShareHandler()
 api.AgentRemoteStatusHandler = newAgentRemoteStatusHandler()
+ api.AgentRemoteUnaccessHandler = newAgentRemoteUnaccessHandler()
 api.AgentRemoteUnshareHandler = newAgentRemoteUnshareHandler()
 api.AgentUnenrollHandler = newAgentUnenrollHandler()
 }
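Review bot: Four error returns in the new `Handle` in controller/agentRemoteUnaccess.go use responders from a different operation: `agent.NewRemoteUnshareInternalServerError()` (twice), `agent.NewRemoteUnshareUnauthorized()` and `agent.NewRemoteUnshareBadGateway()`. The last two returns use `agent.NewRemoteUnaccessBadGateway()` and `agent.NewRemoteUnaccessOK()`, so this looks like a leftover from copying the unshare handler. Assuming the generated `agent` package defines the matching `NewRemoteUnaccess…` constructors, each of those returns should use its unaccess counterpart so every response matches this endpoint's declared contract. Separately, `acli.ReleaseAccess(context.Background(), req)` has no deadline or cancellation, so an agent that never answers holds the request goroutine and the gRPC connection open indefinitely. A bounded context such as `ctx, cancel := context.WithTimeout(params.HTTPRequest.Context(), releaseTimeout)` with `defer cancel()` would cap that; `releaseTimeout` is a placeholder, and `HTTPRequest` is the field go-swagger normally generates on params. The request-supplied `EnvZID` and `FrontendToken` are also logged with `'%v'`, where `%q` would escape control characters so a crafted value cannot split or forge log lines.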