mirror of
https://github.com/openziti/zrok.git
synced 2024-11-26 01:54:09 +01:00
parent
213a6d7407
commit
ce72fceb74
@ -15,8 +15,13 @@ import (
|
||||
"syscall"
|
||||
)
|
||||
|
||||
func init() {
|
||||
accessCmd.AddCommand(newAccessPrivateCommand().cmd)
|
||||
}
|
||||
|
||||
type accessPrivateCommand struct {
|
||||
cmd *cobra.Command
|
||||
cmd *cobra.Command
|
||||
bindAddress string
|
||||
}
|
||||
|
||||
func newAccessPrivateCommand() *accessPrivateCommand {
|
||||
@ -27,6 +32,7 @@ func newAccessPrivateCommand() *accessPrivateCommand {
|
||||
}
|
||||
command := &accessPrivateCommand{cmd: cmd}
|
||||
cmd.Run = command.run
|
||||
cmd.Flags().StringVarP(&command.bindAddress, "bind", "b", "0.0.0.0:9191", "The address to bind the private frontend")
|
||||
return command
|
||||
}
|
||||
|
||||
@ -63,6 +69,7 @@ func (cmd *accessPrivateCommand) run(_ *cobra.Command, args []string) {
|
||||
}
|
||||
|
||||
cfg := private_frontend.DefaultConfig("backend")
|
||||
cfg.Address = cmd.bindAddress
|
||||
|
||||
c := make(chan os.Signal)
|
||||
signal.Notify(c, os.Interrupt, syscall.SIGTERM)
|
||||
|
@ -15,6 +15,7 @@ func init() {
|
||||
rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose logging")
|
||||
rootCmd.PersistentFlags().BoolVarP(&panicInstead, "panic", "p", false, "Panic instead of showing pretty errors")
|
||||
zrokdir.AddZrokApiEndpointFlag(&apiEndpoint, rootCmd.PersistentFlags())
|
||||
rootCmd.AddCommand(accessCmd)
|
||||
rootCmd.AddCommand(httpCmd)
|
||||
rootCmd.AddCommand(shareCmd)
|
||||
}
|
||||
|
@ -138,7 +138,7 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
|
||||
}
|
||||
}()
|
||||
|
||||
logrus.Infof("share your zrok service; use this command for access: 'zrok serve private %v'", resp.Payload.SvcName)
|
||||
logrus.Infof("share your zrok service; use this command for access: 'zrok access private %v'", resp.Payload.SvcName)
|
||||
|
||||
for {
|
||||
time.Sleep(30 * time.Second)
|
||||
|
@ -5,6 +5,7 @@ import (
|
||||
"github.com/openziti-test-kitchen/zrok/controller/store"
|
||||
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
|
||||
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service"
|
||||
rest_model_edge "github.com/openziti/edge/rest_model"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
@ -66,7 +67,8 @@ func (h *accessHandler) Handle(params service.AccessParams, principal *rest_mode
|
||||
return service.NewAccessInternalServerError()
|
||||
}
|
||||
|
||||
if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge); err != nil {
|
||||
extraTags := &rest_model_edge.Tags{SubTags: map[string]interface{}{"zrokEnvironmentZId": envZId}}
|
||||
if err := createServicePolicyDial(envZId, ssvc.Name, ssvc.ZId, edge, extraTags); err != nil {
|
||||
logrus.Errorf("unable to create dial policy: %v", err)
|
||||
return service.NewAccessInternalServerError()
|
||||
}
|
||||
|
@ -36,6 +36,7 @@ func Run(inCfg *Config) error {
|
||||
api.MetadataVersionHandler = metadata.VersionHandlerFunc(versionHandler)
|
||||
api.ServiceAccessHandler = newAccessHandler()
|
||||
api.ServiceShareHandler = newShareHandler()
|
||||
api.ServiceUnaccessHandler = newUnaccessHandler()
|
||||
api.ServiceUnshareHandler = newUnshareHandler()
|
||||
|
||||
if err := controllerStartup(); err != nil {
|
||||
|
@ -109,7 +109,14 @@ func deleteServicePolicyBind(envZId, svcName string, edge *rest_management_api_c
|
||||
return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and type=2", svcName), edge)
|
||||
}
|
||||
|
||||
func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
|
||||
func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
|
||||
allTags := zrokTags(svcName)
|
||||
for _, t := range tags {
|
||||
for k, v := range t.SubTags {
|
||||
allTags.SubTags[k] = v
|
||||
}
|
||||
}
|
||||
|
||||
var identityRoles []string
|
||||
for _, proxyIdentity := range cfg.Proxy.Identities {
|
||||
identityRoles = append(identityRoles, "@"+proxyIdentity)
|
||||
@ -127,7 +134,7 @@ func createServicePolicyDial(envZId, svcName, svcZId string, edge *rest_manageme
|
||||
Semantic: &semantic,
|
||||
ServiceRoles: serviceRoles,
|
||||
Type: &dialBind,
|
||||
Tags: zrokTags(svcName),
|
||||
Tags: allTags,
|
||||
}
|
||||
req := &service_policy.CreateServicePolicyParams{
|
||||
Policy: svcp,
|
||||
|
60
controller/unaccess.go
Normal file
60
controller/unaccess.go
Normal file
@ -0,0 +1,60 @@
|
||||
package controller
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/go-openapi/runtime/middleware"
|
||||
"github.com/openziti-test-kitchen/zrok/controller/store"
|
||||
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
|
||||
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
type unaccessHandler struct{}
|
||||
|
||||
func newUnaccessHandler() *unaccessHandler {
|
||||
return &unaccessHandler{}
|
||||
}
|
||||
|
||||
func (h *unaccessHandler) Handle(params service.UnaccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
|
||||
svcName := params.Body.SvcName
|
||||
envZId := params.Body.ZID
|
||||
|
||||
tx, err := str.Begin()
|
||||
if err != nil {
|
||||
logrus.Errorf("error starting transaction: %v", err)
|
||||
return service.NewUnaccessInternalServerError()
|
||||
}
|
||||
defer func() { _ = tx.Rollback() }()
|
||||
|
||||
edge, err := edgeClient()
|
||||
if err != nil {
|
||||
logrus.Error(err)
|
||||
return service.NewUnaccessInternalServerError()
|
||||
}
|
||||
|
||||
var senv *store.Environment
|
||||
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
|
||||
for _, env := range envs {
|
||||
if env.ZId == params.Body.ZID {
|
||||
senv = env
|
||||
break
|
||||
}
|
||||
}
|
||||
if senv == nil {
|
||||
err := errors.Errorf("environment with id '%v' not found for '%v", params.Body.ZID, principal.Email)
|
||||
logrus.Error(err)
|
||||
return service.NewUnaccessUnauthorized()
|
||||
}
|
||||
} else {
|
||||
logrus.Errorf("error finding environments for account '%v': %v", principal.Email, err)
|
||||
return service.NewUnaccessUnauthorized()
|
||||
}
|
||||
|
||||
if err := deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceName=\"%v\" and tags.zrokEnvironmentZId=\"%v\" and type=1", svcName, envZId), edge); err != nil {
|
||||
logrus.Errorf("error removing access to '%v' for '%v': %v", svcName, envZId, err)
|
||||
return service.NewUnaccessInternalServerError()
|
||||
}
|
||||
|
||||
return service.NewUnaccessOK()
|
||||
}
|
Loading…
Reference in New Issue
Block a user