unaccess (#111); more access private wiring (#106, #109)

This commit is contained in:
Michael Quigley 2022-11-23 13:00:01 -05:00
parent 213a6d7407
commit ce72fceb74
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
7 changed files with 83 additions and 5 deletions

View File

@ -15,8 +15,13 @@ import (
"syscall"
)
func init() {
accessCmd.AddCommand(newAccessPrivateCommand().cmd)
}
type accessPrivateCommand struct {
cmd *cobra.Command
cmd *cobra.Command
bindAddress string
}
func newAccessPrivateCommand() *accessPrivateCommand {
@ -27,6 +32,7 @@ func newAccessPrivateCommand() *accessPrivateCommand {
}
command := &accessPrivateCommand{cmd: cmd}
cmd.Run = command.run
cmd.Flags().StringVarP(&command.bindAddress, "bind", "b", "0.0.0.0:9191", "The address to bind the private frontend")
return command
}
@ -63,6 +69,7 @@ func (cmd *accessPrivateCommand) run(_ *cobra.Command, args []string) {
}
cfg := private_frontend.DefaultConfig("backend")
cfg.Address = cmd.bindAddress
c := make(chan os.Signal)
signal.Notify(c, os.Interrupt, syscall.SIGTERM)

View File

@ -15,6 +15,7 @@ func init() {
rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose logging")
rootCmd.PersistentFlags().BoolVarP(&panicInstead, "panic", "p", false, "Panic instead of showing pretty errors")
zrokdir.AddZrokApiEndpointFlag(&apiEndpoint, rootCmd.PersistentFlags())
rootCmd.AddCommand(accessCmd)
rootCmd.AddCommand(httpCmd)
rootCmd.AddCommand(shareCmd)
}

View File

@ -138,7 +138,7 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
}
}()
logrus.Infof("share your zrok service; use this command for access: 'zrok serve private %v'", resp.Payload.SvcName)
logrus.Infof("share your zrok service; use this command for access: 'zrok access private %v'", resp.Payload.SvcName)
for {
time.Sleep(30 * time.Second)

View File

@ -5,6 +5,7 @@ import (
"github.com/openziti-test-kitchen/zrok/controller/store"
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service"
rest_model_edge "github.com/openziti/edge/rest_model"
"github.com/sirupsen/logrus"
)
@ -66,7 +67,8 @@ func (h *accessHandler) Handle(params service.AccessParams, principal *rest_mode
return service.NewAccessInternalServerError()
}
if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge); err != nil {
extraTags := &rest_model_edge.Tags{SubTags: map[string]interface{}{"zrokEnvironmentZId": envZId}}
if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge, extraTags); err != nil {
logrus.Errorf("unable to create dial policy: %v", err)
return service.NewAccessInternalServerError()
}

View File

@ -36,6 +36,7 @@ func Run(inCfg *Config) error {
api.MetadataVersionHandler = metadata.VersionHandlerFunc(versionHandler)
api.ServiceAccessHandler = newAccessHandler()
api.ServiceShareHandler = newShareHandler()
api.ServiceUnaccessHandler = newUnaccessHandler()
api.ServiceUnshareHandler = newUnshareHandler()
if err := controllerStartup(); err != nil {

View File

@ -109,7 +109,14 @@ func deleteServicePolicyBind(envZId, svcName string, edge *rest_management_api_c
return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and type=2", svcName), edge)
}
func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
allTags := zrokTags(svcName)
for _, t := range tags {
for k, v := range t.SubTags {
allTags.SubTags[k] = v
}
}
var identityRoles []string
for _, proxyIdentity := range cfg.Proxy.Identities {
identityRoles = append(identityRoles, "@"+proxyIdentity)
@ -127,7 +134,7 @@ func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_manageme
Semantic: &semantic,
ServiceRoles: serviceRoles,
Type: &dialBind,
Tags: zrokTags(svcName),
Tags: allTags,
}
req := &service_policy.CreateServicePolicyParams{
Policy: svcp,

60
controller/unaccess.go Normal file
View File

@ -0,0 +1,60 @@
package controller
import (
"fmt"
"github.com/go-openapi/runtime/middleware"
"github.com/openziti-test-kitchen/zrok/controller/store"
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
type unaccessHandler struct{}
func newUnaccessHandler() *unaccessHandler {
return &unaccessHandler{}
}
func (h *unaccessHandler) Handle(params service.UnaccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
svcName := params.Body.SvcName
envZId := params.Body.ZID
tx, err := str.Begin()
if err != nil {
logrus.Errorf("error starting transaction: %v", err)
return service.NewUnaccessInternalServerError()
}
defer func() { _ = tx.Rollback() }()
edge, err := edgeClient()
if err != nil {
logrus.Error(err)
return service.NewUnaccessInternalServerError()
}
var senv *store.Environment
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
for _, env := range envs {
if env.ZId == params.Body.ZID {
senv = env
break
}
}
if senv == nil {
err := errors.Errorf("environment with id '%v' not found for '%v", params.Body.ZID, principal.Email)
logrus.Error(err)
return service.NewUnaccessUnauthorized()
}
} else {
logrus.Errorf("error finding environments for account '%v': %v", principal.Email, err)
return service.NewUnaccessUnauthorized()
}
if err := deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and tags.zrokEnvironmentZId=\"%v\" and type=1", svcName, envZId), edge); err != nil {
logrus.Errorf("error removing access to '%v' for '%v': %v", svcName, envZId, err)
return service.NewUnaccessInternalServerError()
}
return service.NewUnaccessOK()
}