From ce72fceb749478257e2e1c3def03e58d86ac94fa Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Wed, 23 Nov 2022 13:00:01 -0500 Subject: [PATCH] unaccess (#111); more access private wiring (#106, #109) --- cmd/zrok/access_private.go | 9 +++++- cmd/zrok/main.go | 1 + cmd/zrok/share_private.go | 2 +- controller/access.go | 4 ++- controller/controller.go | 1 + controller/edge.go | 11 +++++-- controller/unaccess.go | 60 ++++++++++++++++++++++++++++++++++++++ 7 files changed, 83 insertions(+), 5 deletions(-) create mode 100644 controller/unaccess.go diff --git a/cmd/zrok/access_private.go b/cmd/zrok/access_private.go index 345d5c10..0e4bc1df 100644 --- a/cmd/zrok/access_private.go +++ b/cmd/zrok/access_private.go @@ -15,8 +15,13 @@ import ( "syscall" ) +func init() { + accessCmd.AddCommand(newAccessPrivateCommand().cmd) +} + type accessPrivateCommand struct { - cmd *cobra.Command + cmd *cobra.Command + bindAddress string } func newAccessPrivateCommand() *accessPrivateCommand { @@ -27,6 +32,7 @@ func newAccessPrivateCommand() *accessPrivateCommand { } command := &accessPrivateCommand{cmd: cmd} cmd.Run = command.run + cmd.Flags().StringVarP(&command.bindAddress, "bind", "b", "0.0.0.0:9191", "The address to bind the private frontend") return command } @@ -63,6 +69,7 @@ func (cmd *accessPrivateCommand) run(_ *cobra.Command, args []string) { } cfg := private_frontend.DefaultConfig("backend") + cfg.Address = cmd.bindAddress c := make(chan os.Signal) signal.Notify(c, os.Interrupt, syscall.SIGTERM) diff --git a/cmd/zrok/main.go b/cmd/zrok/main.go index f092ad71..5e333c80 100644 --- a/cmd/zrok/main.go +++ b/cmd/zrok/main.go @@ -15,6 +15,7 @@ func init() { rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose logging") rootCmd.PersistentFlags().BoolVarP(&panicInstead, "panic", "p", false, "Panic instead of showing pretty errors") zrokdir.AddZrokApiEndpointFlag(&apiEndpoint, rootCmd.PersistentFlags()) + rootCmd.AddCommand(accessCmd) rootCmd.AddCommand(httpCmd) rootCmd.AddCommand(shareCmd) } diff --git a/cmd/zrok/share_private.go b/cmd/zrok/share_private.go index 7c2f95b1..09c769b0 100644 --- a/cmd/zrok/share_private.go +++ b/cmd/zrok/share_private.go @@ -138,7 +138,7 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) { } }() - logrus.Infof("share your zrok service; use this command for access: 'zrok serve private %v'", resp.Payload.SvcName) + logrus.Infof("share your zrok service; use this command for access: 'zrok access private %v'", resp.Payload.SvcName) for { time.Sleep(30 * time.Second) diff --git a/controller/access.go b/controller/access.go index 9173dee1..3360b22b 100644 --- a/controller/access.go +++ b/controller/access.go @@ -5,6 +5,7 @@ import ( "github.com/openziti-test-kitchen/zrok/controller/store" "github.com/openziti-test-kitchen/zrok/rest_model_zrok" "github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service" + rest_model_edge "github.com/openziti/edge/rest_model" "github.com/sirupsen/logrus" ) @@ -66,7 +67,8 @@ func (h *accessHandler) Handle(params service.AccessParams, principal *rest_mode return service.NewAccessInternalServerError() } - if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge); err != nil { + extraTags := &rest_model_edge.Tags{SubTags: map[string]interface{}{"zrokEnvironmentZId": envZId}} + if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge, extraTags); err != nil { logrus.Errorf("unable to create dial policy: %v", err) return service.NewAccessInternalServerError() } diff --git a/controller/controller.go b/controller/controller.go index 411dda6f..a24cc37b 100644 --- a/controller/controller.go +++ b/controller/controller.go @@ -36,6 +36,7 @@ func Run(inCfg *Config) error { api.MetadataVersionHandler = metadata.VersionHandlerFunc(versionHandler) api.ServiceAccessHandler = newAccessHandler() api.ServiceShareHandler = newShareHandler() + api.ServiceUnaccessHandler = newUnaccessHandler() api.ServiceUnshareHandler = newUnshareHandler() if err := controllerStartup(); err != nil { diff --git a/controller/edge.go b/controller/edge.go index 5390f654..965e6919 100644 --- a/controller/edge.go +++ b/controller/edge.go @@ -109,7 +109,14 @@ func deleteServicePolicyBind(envZId, svcName string, edge *rest_management_api_c return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and type=2", svcName), edge) } -func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error { +func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error { + allTags := zrokTags(svcName) + for _, t := range tags { + for k, v := range t.SubTags { + allTags.SubTags[k] = v + } + } + var identityRoles []string for _, proxyIdentity := range cfg.Proxy.Identities { identityRoles = append(identityRoles, "@"+proxyIdentity) @@ -127,7 +134,7 @@ func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_manageme Semantic: &semantic, ServiceRoles: serviceRoles, Type: &dialBind, - Tags: zrokTags(svcName), + Tags: allTags, } req := &service_policy.CreateServicePolicyParams{ Policy: svcp, diff --git a/controller/unaccess.go b/controller/unaccess.go new file mode 100644 index 00000000..0af8797a --- /dev/null +++ b/controller/unaccess.go @@ -0,0 +1,60 @@ +package controller + +import ( + "fmt" + "github.com/go-openapi/runtime/middleware" + "github.com/openziti-test-kitchen/zrok/controller/store" + "github.com/openziti-test-kitchen/zrok/rest_model_zrok" + "github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" +) + +type unaccessHandler struct{} + +func newUnaccessHandler() *unaccessHandler { + return &unaccessHandler{} +} + +func (h *unaccessHandler) Handle(params service.UnaccessParams, principal *rest_model_zrok.Principal) middleware.Responder { + svcName := params.Body.SvcName + envZId := params.Body.ZID + + tx, err := str.Begin() + if err != nil { + logrus.Errorf("error starting transaction: %v", err) + return service.NewUnaccessInternalServerError() + } + defer func() { _ = tx.Rollback() }() + + edge, err := edgeClient() + if err != nil { + logrus.Error(err) + return service.NewUnaccessInternalServerError() + } + + var senv *store.Environment + if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil { + for _, env := range envs { + if env.ZId == params.Body.ZID { + senv = env + break + } + } + if senv == nil { + err := errors.Errorf("environment with id '%v' not found for '%v", params.Body.ZID, principal.Email) + logrus.Error(err) + return service.NewUnaccessUnauthorized() + } + } else { + logrus.Errorf("error finding environments for account '%v': %v", principal.Email, err) + return service.NewUnaccessUnauthorized() + } + + if err := deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and tags.zrokEnvironmentZId=\"%v\" and type=1", svcName, envZId), edge); err != nil { + logrus.Errorf("error removing access to '%v' for '%v': %v", svcName, envZId, err) + return service.NewUnaccessInternalServerError() + } + + return service.NewUnaccessOK() +}