mirror of
https://github.com/openziti/zrok.git
synced 2025-03-03 09:31:26 +01:00
Michael Quigley
parent
93d6f89107
commit
cbf809c06a
@ -95,7 +95,7 @@ func (h *accessHandler) Handle(params service.AccessParams, principal *rest_mode
|
||||
}
|
||||
|
||||
func createServicePolicyDialForEnvironment(envZId, svcToken, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
|
||||
allTags := zrokTags(svcToken)
|
||||
allTags := zrokServiceTags(svcToken)
|
||||
for _, t := range tags {
|
||||
for k, v := range t.SubTags {
|
||||
allTags.SubTags[k] = v
|
||||
|
||||
@ -14,6 +14,9 @@ import (
|
||||
"github.com/openziti/edge/rest_management_api_client/service_edge_router_policy"
|
||||
"github.com/openziti/edge/rest_management_api_client/service_policy"
|
||||
"github.com/openziti/edge/rest_model"
|
||||
rest_model_edge "github.com/openziti/edge/rest_model"
|
||||
sdk_config "github.com/openziti/sdk-golang/ziti/config"
|
||||
"github.com/openziti/sdk-golang/ziti/enroll"
|
||||
"github.com/sirupsen/logrus"
|
||||
"time"
|
||||
)
|
||||
@ -27,7 +30,7 @@ func createServiceEdgeRouterPolicy(envZId, svcToken, svcZId string, edge *rest_m
|
||||
Name: &svcToken,
|
||||
Semantic: &semantic,
|
||||
ServiceRoles: serviceRoles,
|
||||
Tags: zrokTags(svcToken),
|
||||
Tags: zrokServiceTags(svcToken),
|
||||
}
|
||||
serpParams := &service_edge_router_policy.CreateServiceEdgeRouterPolicyParams{
|
||||
Policy: serp,
|
||||
@ -89,7 +92,7 @@ func createServicePolicyBind(envZId, svcToken, svcZId string, edge *rest_managem
|
||||
Semantic: &semantic,
|
||||
ServiceRoles: serviceRoles,
|
||||
Type: &dialBind,
|
||||
Tags: zrokTags(svcToken),
|
||||
Tags: zrokServiceTags(svcToken),
|
||||
}
|
||||
req := &service_policy.CreateServicePolicyParams{
|
||||
Policy: svcp,
|
||||
@ -110,7 +113,7 @@ func deleteServicePolicyBind(envZId, svcToken string, edge *rest_management_api_
|
||||
}
|
||||
|
||||
func createServicePolicyDial(envZId, svcToken, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
|
||||
allTags := zrokTags(svcToken)
|
||||
allTags := zrokServiceTags(svcToken)
|
||||
for _, t := range tags {
|
||||
for k, v := range t.SubTags {
|
||||
allTags.SubTags[k] = v
|
||||
@ -204,7 +207,7 @@ func createConfig(envZId, svcToken string, authSchemeStr string, authUsers []*mo
|
||||
ConfigTypeID: &zrokProxyConfigId,
|
||||
Data: cfg,
|
||||
Name: &svcToken,
|
||||
Tags: zrokTags(svcToken),
|
||||
Tags: zrokServiceTags(svcToken),
|
||||
}
|
||||
cfgReq := &config.CreateConfigParams{
|
||||
Config: cfgCrt,
|
||||
@ -256,7 +259,7 @@ func createService(envZId, svcToken, cfgId string, edge *rest_management_api_cli
|
||||
Configs: configs,
|
||||
EncryptionRequired: &encryptionRequired,
|
||||
Name: &svcToken,
|
||||
Tags: zrokTags(svcToken),
|
||||
Tags: zrokServiceTags(svcToken),
|
||||
}
|
||||
req := &edge_service.CreateServiceParams{
|
||||
Service: svc,
|
||||
@ -285,6 +288,30 @@ func deleteService(envZId, svcZId string, edge *rest_management_api_client.ZitiE
|
||||
return nil
|
||||
}
|
||||
|
||||
func createEdgeRouterPolicy(zId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
||||
edgeRouterRoles := []string{"#all"}
|
||||
identityRoles := []string{fmt.Sprintf("@%v", zId)}
|
||||
semantic := rest_model_edge.SemanticAllOf
|
||||
erp := &rest_model_edge.EdgeRouterPolicyCreate{
|
||||
EdgeRouterRoles: edgeRouterRoles,
|
||||
IdentityRoles: identityRoles,
|
||||
Name: &zId,
|
||||
Semantic: &semantic,
|
||||
Tags: zrokTags(),
|
||||
}
|
||||
req := &edge_router_policy.CreateEdgeRouterPolicyParams{
|
||||
Policy: erp,
|
||||
Context: context.Background(),
|
||||
}
|
||||
req.SetTimeout(30 * time.Second)
|
||||
resp, err := edge.EdgeRouterPolicy.CreateEdgeRouterPolicy(req, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
logrus.Infof("created edge router policy '%v' for ziti identity '%v'", resp.Payload.Data.ID, zId)
|
||||
return nil
|
||||
}
|
||||
|
||||
func deleteEdgeRouterPolicy(envZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
||||
filter := fmt.Sprintf("name=\"%v\"", envZId)
|
||||
limit := int64(0)
|
||||
@ -317,6 +344,58 @@ func deleteEdgeRouterPolicy(envZId string, edge *rest_management_api_client.Ziti
|
||||
return nil
|
||||
}
|
||||
|
||||
func createIdentity(email string, client *rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {
|
||||
iIsAdmin := false
|
||||
name, err := createToken()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
identityType := rest_model_edge.IdentityTypeUser
|
||||
tags := zrokTags()
|
||||
tags.SubTags["zrokEmail"] = email
|
||||
i := &rest_model_edge.IdentityCreate{
|
||||
Enrollment: &rest_model_edge.IdentityCreateEnrollment{Ott: true},
|
||||
IsAdmin: &iIsAdmin,
|
||||
Name: &name,
|
||||
RoleAttributes: nil,
|
||||
ServiceHostingCosts: nil,
|
||||
Tags: tags,
|
||||
Type: &identityType,
|
||||
}
|
||||
req := identity_edge.NewCreateIdentityParams()
|
||||
req.Identity = i
|
||||
resp, err := client.Identity.CreateIdentity(req, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func enrollIdentity(zId string, client *rest_management_api_client.ZitiEdgeManagement) (*sdk_config.Config, error) {
|
||||
p := &identity_edge.DetailIdentityParams{
|
||||
Context: context.Background(),
|
||||
ID: zId,
|
||||
}
|
||||
p.SetTimeout(30 * time.Second)
|
||||
resp, err := client.Identity.DetailIdentity(p, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tkn, _, err := enroll.ParseToken(resp.GetPayload().Data.Enrollment.Ott.JWT)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
flags := enroll.EnrollmentFlags{
|
||||
Token: tkn,
|
||||
KeyAlg: "RSA",
|
||||
}
|
||||
conf, err := enroll.Enroll(flags)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return conf, nil
|
||||
}
|
||||
|
||||
func deleteIdentity(id string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
||||
req := &identity_edge.DeleteIdentityParams{
|
||||
ID: id,
|
||||
@ -331,11 +410,16 @@ func deleteIdentity(id string, edge *rest_management_api_client.ZitiEdgeManageme
|
||||
return nil
|
||||
}
|
||||
|
||||
func zrokTags(svcToken string) *rest_model.Tags {
|
||||
func zrokTags() *rest_model.Tags {
|
||||
return &rest_model.Tags{
|
||||
SubTags: map[string]interface{}{
|
||||
"zrok": build.String(),
|
||||
"zrokServiceToken": svcToken,
|
||||
"zrok": build.String(),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func zrokServiceTags(svcToken string) *rest_model.Tags {
|
||||
tags := zrokTags()
|
||||
tags.SubTags["zrokServiceToken"] = svcToken
|
||||
return tags
|
||||
}
|
||||
|
||||
@ -2,22 +2,12 @@ package controller
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"github.com/go-openapi/runtime/middleware"
|
||||
"github.com/openziti-test-kitchen/zrok/build"
|
||||
"github.com/openziti-test-kitchen/zrok/controller/store"
|
||||
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
|
||||
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/environment"
|
||||
"github.com/openziti/edge/rest_management_api_client"
|
||||
"github.com/openziti/edge/rest_management_api_client/edge_router_policy"
|
||||
identity_edge "github.com/openziti/edge/rest_management_api_client/identity"
|
||||
rest_model_edge "github.com/openziti/edge/rest_model"
|
||||
sdk_config "github.com/openziti/sdk-golang/ziti/config"
|
||||
"github.com/openziti/sdk-golang/ziti/enroll"
|
||||
"github.com/sirupsen/logrus"
|
||||
"time"
|
||||
)
|
||||
|
||||
type enableHandler struct {
|
||||
@ -40,17 +30,17 @@ func (h *enableHandler) Handle(params environment.EnableParams, principal *rest_
|
||||
logrus.Errorf("error getting edge client: %v", err)
|
||||
return environment.NewEnableInternalServerError()
|
||||
}
|
||||
ident, err := h.createIdentity(principal.Email, client)
|
||||
ident, err := createIdentity(principal.Email, client)
|
||||
if err != nil {
|
||||
logrus.Error(err)
|
||||
return environment.NewEnableInternalServerError()
|
||||
}
|
||||
cfg, err := h.enrollIdentity(ident.Payload.Data.ID, client)
|
||||
cfg, err := enrollIdentity(ident.Payload.Data.ID, client)
|
||||
if err != nil {
|
||||
logrus.Error(err)
|
||||
return environment.NewEnableInternalServerError()
|
||||
}
|
||||
if err := h.createEdgeRouterPolicy(ident.Payload.Data.ID, client); err != nil {
|
||||
if err := createEdgeRouterPolicy(ident.Payload.Data.ID, client); err != nil {
|
||||
logrus.Error(err)
|
||||
return environment.NewEnableInternalServerError()
|
||||
}
|
||||
@ -86,87 +76,3 @@ func (h *enableHandler) Handle(params environment.EnableParams, principal *rest_
|
||||
|
||||
return resp
|
||||
}
|
||||
|
||||
func (h *enableHandler) createIdentity(email string, client *rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {
|
||||
iIsAdmin := false
|
||||
name, err := createToken()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
identityType := rest_model_edge.IdentityTypeUser
|
||||
tags := h.zrokTags()
|
||||
tags.SubTags["zrokEmail"] = email
|
||||
i := &rest_model_edge.IdentityCreate{
|
||||
Enrollment: &rest_model_edge.IdentityCreateEnrollment{Ott: true},
|
||||
IsAdmin: &iIsAdmin,
|
||||
Name: &name,
|
||||
RoleAttributes: nil,
|
||||
ServiceHostingCosts: nil,
|
||||
Tags: tags,
|
||||
Type: &identityType,
|
||||
}
|
||||
req := identity_edge.NewCreateIdentityParams()
|
||||
req.Identity = i
|
||||
resp, err := client.Identity.CreateIdentity(req, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func (h *enableHandler) enrollIdentity(id string, client *rest_management_api_client.ZitiEdgeManagement) (*sdk_config.Config, error) {
|
||||
p := &identity_edge.DetailIdentityParams{
|
||||
Context: context.Background(),
|
||||
ID: id,
|
||||
}
|
||||
p.SetTimeout(30 * time.Second)
|
||||
resp, err := client.Identity.DetailIdentity(p, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tkn, _, err := enroll.ParseToken(resp.GetPayload().Data.Enrollment.Ott.JWT)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
flags := enroll.EnrollmentFlags{
|
||||
Token: tkn,
|
||||
KeyAlg: "RSA",
|
||||
}
|
||||
conf, err := enroll.Enroll(flags)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return conf, nil
|
||||
}
|
||||
|
||||
func (h *enableHandler) createEdgeRouterPolicy(id string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
||||
edgeRouterRoles := []string{"#all"}
|
||||
identityRoles := []string{fmt.Sprintf("@%v", id)}
|
||||
semantic := rest_model_edge.SemanticAllOf
|
||||
erp := &rest_model_edge.EdgeRouterPolicyCreate{
|
||||
EdgeRouterRoles: edgeRouterRoles,
|
||||
IdentityRoles: identityRoles,
|
||||
Name: &id,
|
||||
Semantic: &semantic,
|
||||
Tags: h.zrokTags(),
|
||||
}
|
||||
req := &edge_router_policy.CreateEdgeRouterPolicyParams{
|
||||
Policy: erp,
|
||||
Context: context.Background(),
|
||||
}
|
||||
req.SetTimeout(30 * time.Second)
|
||||
resp, err := edge.EdgeRouterPolicy.CreateEdgeRouterPolicy(req, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
logrus.Infof("created edge router policy '%v' for ziti identity '%v'", resp.Payload.Data.ID, id)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *enableHandler) zrokTags() *rest_model_edge.Tags {
|
||||
return &rest_model_edge.Tags{
|
||||
SubTags: map[string]interface{}{
|
||||
"zrok": build.String(),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user