add/delete secrets access handlers (#983)

2025-08-17 19:31:12 +02:00 · 2025-06-17 12:05:17 -04:00
parent a251aee960
commit d061c440b6
4 changed files with 124 additions and 2 deletions
--- a/controller/addSecretsAccess.go
+++ b/controller/addSecretsAccess.go
@@ -0,0 +1,56 @@
 package controller
 import (
 	"fmt"
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/openziti/edge-api/rest_model"
 	"github.com/openziti/zrok/controller/zrokEdgeSdk"
 	"github.com/openziti/zrok/rest_model_zrok"
 	"github.com/openziti/zrok/rest_server_zrok/operations/admin"
 	"github.com/sirupsen/logrus"
 )
 type addSecretsAccessHandler struct{}
 func newAddSecretsAccessHandler() *addSecretsAccessHandler {
 	return &addSecretsAccessHandler{}
 }
 func (h *addSecretsAccessHandler) Handle(params admin.AddSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
 	secretsAccessIdentityZId := params.Body.SecretsIdentityZID
 	if !principal.Admin {
 		logrus.Errorf("invalid admin principal")
 		return admin.NewAddSecretsAccessUnauthorized()
 	}
 	edge, err := zrokEdgeSdk.Client(cfg.Ziti)
 	if err != nil {
 		logrus.Errorf("error getting edge client: %v", err)
 		return admin.NewAddSecretsAccessInternalServerError()
 	}
 	serviceZId, err := getZIdForService(cfg.Secrets.ServiceName, edge)
 	if err != nil {
 		logrus.Errorf("error getting service ziti id for '%v': %v", cfg.Secrets.ServiceName, err)
 		return admin.NewAddSecretsAccessInternalServerError()
 	}
 	spZId, err := getZIdForServicePolicy(serviceZId, secretsAccessIdentityZId, rest_model.DialBindDial, edge)
 	if err != nil {
 		logrus.Infof("could not assert service policy; creating")
 		if err := zrokEdgeSdk.CreateServicePolicyDial(fmt.Sprintf("service-listener-dial-%v", secretsAccessIdentityZId), serviceZId, []string{secretsAccessIdentityZId}, nil, edge); err != nil {
 			logrus.Errorf("error creating dial service policy for '@%v' -> '@%v': %v", secretsAccessIdentityZId, serviceZId, err)
 			return admin.NewAddSecretsAccessInternalServerError()
 		}
 		logrus.Infof("created dial service policy for '@%v' -> '@%v'", secretsAccessIdentityZId, serviceZId)
 	} else {
 		logrus.Errorf("asserted existing service policy with ziti id '%v'", spZId)
 		return admin.NewAddSecretsAccessBadRequest()
 	}
 	return admin.NewAddSecretsAccessOK()
 }
--- a/controller/bootstrap.go
+++ b/controller/bootstrap.go
@@ -332,7 +332,7 @@ func assertBindPolicyForIdentityAndService(serviceName, zId string, edge *rest_m
 		if err := zrokEdgeSdk.CreateServicePolicyBind(fmt.Sprintf("service-listener-bind-%v", zId), serviceZId, zId, nil, edge); err != nil {
 			return errors.Wrapf(err, "error creating bind policy for '%v' -> '%v'", zId, serviceName)
 		}
-		logrus.Infof("created bind policy for '@%v' -> '@%v' with zId '%v'", zId, serviceName, spZId)
+		logrus.Infof("created bind policy for '@%v' -> '@%v'", zId, serviceName)
 	} else {
 		logrus.Infof("found existing bind policy for '@%v' -> '@%v' with zId '%v'", zId, serviceName, spZId)
 	}
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -66,7 +66,11 @@ func Run(inCfg *config.Config) error {
 	api.AdminListOrganizationsHandler = newListOrganizationsHandler()
 	api.AdminRemoveOrganizationMemberHandler = newRemoveOrganizationMemberHandler()
 	api.AdminUpdateFrontendHandler = newUpdateFrontendHandler()
-	if cfg.AgentController != nil {
+	if cfg.Secrets != nil && cfg.Secrets.ZId != "" && cfg.Secrets.ServiceName != "" && cfg.Secrets.IdentityPath != "" {
 		api.AdminAddSecretsAccessHandler = newAddSecretsAccessHandler()
 		api.AdminDeleteSecretsAccessHandler = newDeleteSecretsAccessHandler()
 	}
 	if cfg.AgentController != nil && cfg.AgentController.ZId != "" && cfg.AgentController.IdentityPath != "" {
 		api.AgentEnrollHandler = newAgentEnrollHandler()
 		api.AgentPingHandler = newAgentPingHandler()
 		api.AgentRemoteAccessHandler = newAgentRemoteAccessHandler()
--- a/controller/deleteSecretsAccess.go
+++ b/controller/deleteSecretsAccess.go
@@ -0,0 +1,62 @@
 package controller
 import (
 	"context"
 	"time"
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/openziti/edge-api/rest_management_api_client/service_policy"
 	"github.com/openziti/edge-api/rest_model"
 	"github.com/openziti/zrok/controller/zrokEdgeSdk"
 	"github.com/openziti/zrok/rest_model_zrok"
 	"github.com/openziti/zrok/rest_server_zrok/operations/admin"
 	"github.com/sirupsen/logrus"
 )
 type deleteSecretsAccessHandler struct{}
 func newDeleteSecretsAccessHandler() *deleteSecretsAccessHandler {
 	return &deleteSecretsAccessHandler{}
 }
 func (h *deleteSecretsAccessHandler) Handle(params admin.DeleteSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
 	secretsAccessIdentityZId := params.Body.SecretsIdentityZID
 	if !principal.Admin {
 		logrus.Errorf("invalid admin principal")
 		return admin.NewDeleteSecretsAccessUnauthorized()
 	}
 	edge, err := zrokEdgeSdk.Client(cfg.Ziti)
 	if err != nil {
 		logrus.Errorf("error getting edge client: %v", err)
 		return admin.NewDeleteSecretsAccessInternalServerError()
 	}
 	serviceZId, err := getZIdForService(cfg.Secrets.ServiceName, edge)
 	if err != nil {
 		logrus.Errorf("error getting service ziti id for '%v': %v", cfg.Secrets.ServiceName, err)
 		return admin.NewDeleteSecretsAccessInternalServerError()
 	}
 	spZId, err := getZIdForServicePolicy(serviceZId, secretsAccessIdentityZId, rest_model.DialBindDial, edge)
 	if err == nil {
 		req := &service_policy.DeleteServicePolicyParams{
 			ID:      spZId,
 			Context: context.Background(),
 		}
 		req.SetTimeout(30 * time.Second)
 		_, err := edge.ServicePolicy.DeleteServicePolicy(req, nil)
 		if err != nil {
 			logrus.Errorf("error deleting service policy '%v': %v", spZId, err)
 			return admin.NewDeleteSecretsAccessInternalServerError()
 		}
 		logrus.Infof("removed dial service policy for '@%v' -> '@%v", secretsAccessIdentityZId, serviceZId)
 	} else {
 		logrus.Errorf("error getting dial service policy ziti id: %v", err)
 		return admin.NewDeleteSecretsAccessBadRequest()
 	}
 	return admin.NewDeleteSecretsAccessOK()
 }