From 95adcfe10a08b520098dadbbce15669173e0ea54 Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Mon, 5 Dec 2022 17:29:35 -0500
Subject: [PATCH] assert service policies for frontend and ctrl <-> metrics (#131)
---
 controller/bootstrap.go | 61 +++++++++++++++++++++++++++++++++++++
 controller/edge.go | 66 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
diff --git a/controller/bootstrap.go b/controller/bootstrap.go
index 4fa81e6f..587c92ff 100644
--- a/controller/bootstrap.go
+++ b/controller/bootstrap.go
@@ -13,6 +13,7 @@ import (
 "github.com/openziti/edge/rest_management_api_client/identity"
 "github.com/openziti/edge/rest_management_api_client/service"
 "github.com/openziti/edge/rest_management_api_client/service_edge_router_policy"
+ "github.com/openziti/edge/rest_management_api_client/service_policy"
 "github.com/openziti/edge/rest_model"
 rest_model_edge "github.com/openziti/edge/rest_model"
 "github.com/openziti/sdk-golang/ziti"
@@ -79,6 +80,18 @@ func Bootstrap(skipCtrl, skipFrontend bool, inCfg *Config) error {
 return err
 }
 
+ if !skipCtrl {
+ if err := assertCtrlMetricsBind(ctrlZId, metricsSvcZId, edge); err != nil {
+ return err
+ }
+ }
+
+ if !skipFrontend {
+ if err := assertFrontendMetricsDial(frontendZId, metricsSvcZId, edge); err != nil {
+ return err
+ }
+ }
+
 return nil
 }
 
@@ -255,3 +268,51 @@ func assertMetricsSerp(metricsSvcZId string, cfg *Config, edge *rest_management_
 logrus.Infof("asserted '%v' serp", cfg.Metrics.ServiceName)
 return nil
 }
+
+func assertCtrlMetricsBind(ctrlZId, metricsSvcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
+ filter := fmt.Sprintf("allOf(serviceRoles) = \"@%v\" and allOf(identityRoles) = \"@%v\" and type = 2 and tags.zrok != null", metricsSvcZId, ctrlZId)
+ limit := int64(0)
+ offset := int64(0)
+ listReq := &service_policy.ListServicePoliciesParams{
+ Filter: &filter,
+ Limit: &limit,
+ Offset: &offset,
+ }
+ listReq.SetTimeout(30 * time.Second)
+ listResp, err := edge.ServicePolicy.ListServicePolicies(listReq, nil)
+ if err != nil {
+ return errors.Wrapf(err, "error listing 'ctrl-metrics-bind' service policy")
+ }
+ if len(listResp.Payload.Data) != 1 {
+ logrus.Info("creating 'ctrl-metrics-bind' service policy")
+ if err := createNamedBindServicePolicy("ctrl-metrics-bind", metricsSvcZId, ctrlZId, edge, zrokTags()); err != nil {
+ return errors.Wrap(err, "error creating 'ctrl-metrics-bind' service policy")
+ }
+ }
+ logrus.Infof("asserted 'ctrl-metrics-bind' service policy")
+ return nil
+}
+
+func assertFrontendMetricsDial(frontendZId, metricsSvcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
+ filter := fmt.Sprintf("allOf(serviceRoles) = \"@%v\" and allOf(identityRoles) = \"@%v\" and type = 1 and tags.zrok != null", metricsSvcZId, frontendZId)
+ limit := int64(0)
+ offset := int64(0)
+ listReq := &service_policy.ListServicePoliciesParams{
+ Filter: &filter,
+ Limit: &limit,
+ Offset: &offset,
+ }
+ listReq.SetTimeout(30 * time.Second)
+ listResp, err := edge.ServicePolicy.ListServicePolicies(listReq, nil)
+ if err != nil {
+ return errors.Wrapf(err, "error listing 'frontend-metrics-dial' service policy")
+ }
+ if len(listResp.Payload.Data) != 1 {
+ logrus.Info("creating 'frontend-metrics-dial' service policy")
+ if err := createNamedDialServicePolicy("frontend-metrics-dial", metricsSvcZId, frontendZId, edge, zrokTags()); err != nil {
+ return errors.Wrap(err, "error creating 'frontend-metrics-dial' service policy")
+ }
+ }
+ logrus.Infof("asserted 'frontend-metrics-dial' service policy")
+ return nil
+}
diff --git a/controller/edge.go b/controller/edge.go
index 84d8a9f4..bd704b36 100644
--- a/controller/edge.go
+++ b/controller/edge.go
@@ -120,6 +120,39 @@ func createServicePolicyBind(envZId, svcToken, svcZId string, edge *rest_managem
 return nil
 }
 
+func createNamedBindServicePolicy(name, svcZId, idZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
+ allTags := &rest_model_edge.Tags{SubTags: make(rest_model_edge.SubTags)}
+ for _, t := range tags {
+ for k, v := range t.SubTags {
+ allTags.SubTags[k] = v
+ }
+ }
+ identityRoles := []string{"@" + idZId}
+ var postureCheckRoles []string
+ semantic := rest_model.SemanticAllOf
+ serviceRoles := []string{"@" + svcZId}
+ dialBind := rest_model.DialBindBind
+ sp := &rest_model.ServicePolicyCreate{
+ IdentityRoles: identityRoles,
+ Name: &name,
+ PostureCheckRoles: postureCheckRoles,
+ Semantic: &semantic,
+ ServiceRoles: serviceRoles,
+ Type: &dialBind,
+ Tags: allTags,
+ }
+ req := &service_policy.CreateServicePolicyParams{
+ Policy: sp,
+ Context: context.Background(),
+ }
+ req.SetTimeout(30 * time.Second)
+ _, err := edge.ServicePolicy.CreateServicePolicy(req, nil)
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
 func deleteServicePolicyBind(envZId, svcToken string, edge *rest_management_api_client.ZitiEdgeManagement) error {
 // type=2 == "Bind"
 return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceToken=\"%v\" and type=2", svcToken), edge)
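Review bot: `if len(listResp.Payload.Data) != 1` in assertCtrlMetricsBind (and the identical line in assertFrontendMetricsDial) takes the create path whenever the count is not exactly one, so two matching policies cause a third to be created on every bootstrap instead of surfacing the drift as an error. Use `if len(listResp.Payload.Data) == 0 {` for the create path and reject duplicates first with `if n := len(listResp.Payload.Data); n > 1 { return errors.Errorf("found %d 'ctrl-metrics-bind' service policies, expected at most one", n) }`, with the same change for the frontend function. `errors.Wrapf(err, "error listing 'ctrl-metrics-bind' service policy")` and `logrus.Infof("asserted 'ctrl-metrics-bind' service policy")` carry no format arguments, so `errors.Wrap` and `logrus.Info`, which the neighbouring lines already use, are the right calls. The two functions differ only in the policy name, the `type = 2`/`type = 1` filter term and the create helper they call, so one shared `assertNamedServicePolicy` taking those three would halve the hunk; each also lacks a doc comment stating that it ensures exactly one zrok-tagged policy exists granting the given identity bind (or dial) access to the metrics service, creating it when absent.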
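Review bot: createNamedBindServicePolicy is a line-for-line copy of createNamedDialServicePolicy in the @@ -165 hunk except for `dialBind := rest_model.DialBindBind`; fold both into one `createNamedServicePolicy(name, svcZId, idZId string, dialBind rest_model.DialBind, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error` and keep the two existing names as one-line wrappers such as `return createNamedServicePolicy(name, svcZId, idZId, rest_model.DialBindBind, edge, tags...)`. The tag merge dereferences every variadic element via `t.SubTags`, so a nil `*rest_model.Tags` from a caller panics; `if t == nil { continue }` at the top of the outer loop avoids that, and the same applies to the dial copy. The function mixes `rest_model_edge.Tags` with `rest_model.Tags` and `rest_model.ServicePolicyCreate` although bootstrap.go imports both names for the same package; pick one alias per file. The closing `if err != nil { return err }` followed by `return nil` can simply be `return err`, and a doc comment should state that the policy ties exactly one identity role (`@idZId`) to one service role (`@svcZId`) with AllOf semantics and no posture checks, and that when several tag sets are passed a later set overwrites earlier keys.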
@@ -165,6 +198,39 @@ func createServicePolicyDial(envZId, svcToken, svcZId string, edge *rest_managem
 return nil
 }
 
+func createNamedDialServicePolicy(name, svcZId, idZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
+ allTags := &rest_model_edge.Tags{SubTags: make(rest_model_edge.SubTags)}
+ for _, t := range tags {
+ for k, v := range t.SubTags {
+ allTags.SubTags[k] = v
+ }
+ }
+ identityRoles := []string{"@" + idZId}
+ var postureCheckRoles []string
+ semantic := rest_model.SemanticAllOf
+ serviceRoles := []string{"@" + svcZId}
+ dialBind := rest_model.DialBindDial
+ sp := &rest_model.ServicePolicyCreate{
+ IdentityRoles: identityRoles,
+ Name: &name,
+ PostureCheckRoles: postureCheckRoles,
+ Semantic: &semantic,
+ ServiceRoles: serviceRoles,
+ Type: &dialBind,
+ Tags: allTags,
+ }
+ req := &service_policy.CreateServicePolicyParams{
+ Policy: sp,
+ Context: context.Background(),
+ }
+ req.SetTimeout(30 * time.Second)
+ _, err := edge.ServicePolicy.CreateServicePolicy(req, nil)
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
 func deleteServicePolicyDial(envZId, svcToken string, edge *rest_management_api_client.ZitiEdgeManagement) error {
 // type=1 == "Dial"
 return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceToken=\"%v\" and type=1", svcToken), edge)