rough and sketchy identity creation and enrollment

cmd/zrok/enable.go

@@ -1,11 +1,13 @@
 package main
 
 import (
+	"fmt"
 	"github.com/openziti-test-kitchen/zrok/rest_model"
 	"github.com/openziti-test-kitchen/zrok/rest_zrok_client/identity"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"os"
 )
 
 func init() {
@@ -33,5 +35,15 @@ func enable(_ *cobra.Command, args []string) {
 		panic(err)
 	}
 
+	cfgFile, err := os.Create(fmt.Sprintf("%v.json", resp.Payload.Identity))
+	if err != nil {
+		panic(err)
+	}
+	defer func() { _ = cfgFile.Close() }()
+	_, err = cfgFile.Write([]byte(resp.Payload.Cfg))
+	if err != nil {
+		panic(err)
+	}
+
 	logrus.Infof("enabled, identity = '%v'", resp.Payload.Identity)
 }

controller/enable.go

@@ -1,10 +1,24 @@
 package controller
 
 import (
+	"bytes"
+	"context"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
 	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti-test-kitchen/zrok/controller/store"
 	"github.com/openziti-test-kitchen/zrok/rest_model"
 	"github.com/openziti-test-kitchen/zrok/rest_zrok_server/operations/identity"
+	"github.com/openziti/edge/rest_management_api_client"
+	identity_edge "github.com/openziti/edge/rest_management_api_client/identity"
+	rest_model_edge "github.com/openziti/edge/rest_model"
+	"github.com/openziti/edge/rest_util"
+	sdk_config "github.com/openziti/sdk-golang/ziti/config"
+	"github.com/openziti/sdk-golang/ziti/enroll"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"time"
 )
 
 func enableHandler(params identity.EnableParams) middleware.Responder {
@@ -24,7 +38,92 @@ func enableHandler(params identity.EnableParams) middleware.Responder {
 	}
 	logrus.Infof("found account '%v'", a.Username)
 
-	return identity.NewEnableCreated().WithPayload(&rest_model.EnableResponse{
+	ctrlAddress := "https://linux:1280"
-		Identity: a.Username,
+	caCerts, err := rest_util.GetControllerWellKnownCas(ctrlAddress)
+	if err != nil {
+		panic(errors.Wrap(err, "error getting cas"))
+	}
+	caPool := x509.NewCertPool()
+	for _, ca := range caCerts {
+		caPool.AddCert(ca)
+	}
+	client, err := rest_util.NewEdgeManagementClientWithUpdb("admin", "admin", ctrlAddress, caPool)
+	if err != nil {
+		panic(err)
+	}
+	ident, err := createIdentity(a, client)
+	if err != nil {
+		logrus.Error(err)
+		panic(err)
+	}
+	cfg, err := enrollIdentity(ident.Payload.Data.ID, client)
+	if err != nil {
+		panic(err)
+	}
+
+	resp := identity.NewEnableCreated().WithPayload(&rest_model.EnableResponse{
+		Identity: ident.Payload.Data.ID,
 	})
+
+	var out bytes.Buffer
+	enc := json.NewEncoder(&out)
+	enc.SetEscapeHTML(false)
+	err = enc.Encode(&cfg)
+	if err != nil {
+		panic(err)
+	}
+	resp.Payload.Cfg = out.String()
+
+	return resp
+}
+
+func createIdentity(a *store.Account, client *rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {
+	iIsAdmin := false
+	iId, err := generateIdentityId()
+	if err != nil {
+		return nil, err
+	}
+	iName := fmt.Sprintf("%v-%v", a.Username, iId)
+	iType := rest_model_edge.IdentityTypeUser
+	i := &rest_model_edge.IdentityCreate{
+		Enrollment:          &rest_model_edge.IdentityCreateEnrollment{Ott: true},
+		IsAdmin:             &iIsAdmin,
+		Name:                &iName,
+		RoleAttributes:      nil,
+		ServiceHostingCosts: nil,
+		Tags:                nil,
+		Type:                &iType,
+	}
+	p := identity_edge.NewCreateIdentityParams()
+	p.Identity = i
+	ident, err := client.Identity.CreateIdentity(p, nil)
+	if err != nil {
+		return nil, err
+	}
+	return ident, nil
+}
+
+func enrollIdentity(id string, client *rest_management_api_client.ZitiEdgeManagement) (*sdk_config.Config, error) {
+	p := &identity_edge.DetailIdentityParams{
+		Context: context.Background(),
+		ID:      id,
+	}
+	p.SetTimeout(30 * time.Second)
+	resp, err := client.Identity.DetailIdentity(p, nil)
+	if err != nil {
+		return nil, err
+	}
+	tkn, _, err := enroll.ParseToken(resp.GetPayload().Data.Enrollment.Ott.JWT)
+	if err != nil {
+		return nil, err
+	}
+	flags := enroll.EnrollmentFlags{
+		Token:  tkn,
+		KeyAlg: "RSA",
+	}
+	conf, err := enroll.Enroll(flags)
+	if err != nil {
+		return nil, err
+	}
+	return conf, nil
 }

controller/identity.go

@@ -13,3 +13,11 @@ func generateApiToken() (string, error) {
 	}
 	return hex.EncodeToString(bytes), nil
 }
+
+func generateIdentityId() (string, error) {
+	bytes := make([]byte, 16)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", errors.Wrap(err, "error generating random identity id")
+	}
+	return hex.EncodeToString(bytes), nil
+}

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/mattn/go-sqlite3 v1.14.14
 	github.com/michaelquigley/pfxlog v0.6.9
 	github.com/openziti/edge v0.22.39
+	github.com/openziti/foundation/v2 v2.0.1
 	github.com/openziti/sdk-golang v0.16.103
 	github.com/pkg/errors v0.9.1
 	github.com/rubenv/sql-migrate v1.1.2
@@ -25,6 +26,7 @@ require (
 )
 
 require (
+	github.com/Jeffail/gabs v1.4.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
@@ -51,7 +53,6 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/openziti/channel v0.18.58 // indirect
-	github.com/openziti/foundation/v2 v2.0.1 // indirect
 	github.com/openziti/identity v1.0.5 // indirect
 	github.com/openziti/metrics v1.0.2 // indirect
 	github.com/openziti/transport/v2 v2.0.20 // indirect

go.sum

@@ -39,6 +39,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/Jeffail/gabs v1.4.0 h1://5fYRRTq1edjfIrQGvdkcd22pkYUrHZ5YC/H2GJVAo=
+github.com/Jeffail/gabs v1.4.0/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=

rest_model/enable_response.go

@@ -17,6 +17,9 @@ import (
 // swagger:model enableResponse
 type EnableResponse struct {
 
+	// cfg
+	Cfg string `json:"cfg,omitempty"`
+
 	// identity
 	Identity string `json:"identity,omitempty"`
 }

rest_zrok_client/identity/enable_responses.go

@@ -29,6 +29,12 @@ func (o *EnableReader) ReadResponse(response runtime.ClientResponse, consumer ru
 			return nil, err
 		}
 		return result, nil
+	case 404:
+		result := NewEnableNotFound()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
 	case 500:
 		result := NewEnableInternalServerError()
 		if err := result.readResponse(response, consumer, o.formats); err != nil {
@@ -72,6 +78,27 @@ func (o *EnableCreated) readResponse(response runtime.ClientResponse, consumer r
 	return nil
 }
 
+// NewEnableNotFound creates a EnableNotFound with default headers values
+func NewEnableNotFound() *EnableNotFound {
+	return &EnableNotFound{}
+}
+
+/* EnableNotFound describes a response with status code 404, with default header values.
+
+account not found
+*/
+type EnableNotFound struct {
+}
+
+func (o *EnableNotFound) Error() string {
+	return fmt.Sprintf("[POST /enable][%d] enableNotFound ", 404)
+}
+
+func (o *EnableNotFound) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
 // NewEnableInternalServerError creates a EnableInternalServerError with default headers values
 func NewEnableInternalServerError() *EnableInternalServerError {
 	return &EnableInternalServerError{}

rest_zrok_server/embedded_spec.go

@@ -87,6 +87,9 @@ func init() {
               "$ref": "#/definitions/enableResponse"
             }
           },
+          "404": {
+            "description": "account not found"
+          },
           "500": {
             "description": "internal server error"
           }
@@ -141,6 +144,9 @@ func init() {
     "enableResponse": {
       "type": "object",
       "properties": {
+        "cfg": {
+          "type": "string"
+        },
         "identity": {
           "type": "string"
         }
@@ -226,6 +232,9 @@ func init() {
               "$ref": "#/definitions/enableResponse"
             }
           },
+          "404": {
+            "description": "account not found"
+          },
           "500": {
             "description": "internal server error"
           }
@@ -280,6 +289,9 @@ func init() {
     "enableResponse": {
       "type": "object",
       "properties": {
+        "cfg": {
+          "type": "string"
+        },
         "identity": {
           "type": "string"
         }

rest_zrok_server/operations/identity/enable_responses.go

@@ -57,6 +57,30 @@ func (o *EnableCreated) WriteResponse(rw http.ResponseWriter, producer runtime.P
 	}
 }
 
+// EnableNotFoundCode is the HTTP code returned for type EnableNotFound
+const EnableNotFoundCode int = 404
+
+/*EnableNotFound account not found
+
+swagger:response enableNotFound
+*/
+type EnableNotFound struct {
+}
+
+// NewEnableNotFound creates EnableNotFound with default headers values
+func NewEnableNotFound() *EnableNotFound {
+
+	return &EnableNotFound{}
+}
+
+// WriteResponse to the client
+func (o *EnableNotFound) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(404)
+}
+
 // EnableInternalServerErrorCode is the HTTP code returned for type EnableInternalServerError
 const EnableInternalServerErrorCode int = 500
 

specs/zrok.yml

@@ -81,6 +81,8 @@ definitions:
     properties:
       identity:
         type: string
+      cfg:
+        type: string
 
 produces:
 - application/zrok.v1+json