package controller
import (
"bytes"
"context"
"encoding/json"
"fmt"
"github.com/go-openapi/runtime/middleware"
"github.com/openziti-test-kitchen/zrok/controller/store"
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/identity"
"github.com/openziti/edge/rest_management_api_client"
"github.com/openziti/edge/rest_management_api_client/edge_router_policy"
identity_edge "github.com/openziti/edge/rest_management_api_client/identity"
rest_model_edge "github.com/openziti/edge/rest_model"
sdk_config "github.com/openziti/sdk-golang/ziti/config"
"github.com/openziti/sdk-golang/ziti/enroll"
"github.com/sirupsen/logrus"
"strings"
"time"
)
type enableHandler struct {
cfg *Config
}
func newEnableHandler(cfg *Config) *enableHandler {
return &enableHandler{cfg: cfg}
}
func (self *enableHandler) Handle(params identity.EnableParams, principal *rest_model_zrok.Principal) middleware.Responder {
// start transaction early; if it fails, don't bother creating ziti resources
tx, err := str.Begin()
if err != nil {
logrus.Errorf("error starting transaction: %v", err)
return identity.NewCreateAccountInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
client, err := edgeClient(self.cfg.Ziti)
if err != nil {
logrus.Errorf("error getting edge client: %v", err)
return identity.NewEnableInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
ident, err := self.createIdentity(principal.Username, client)
if err != nil {
logrus.Error(err)
return identity.NewEnableInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
cfg, err := self.enrollIdentity(ident.Payload.Data.ID, client)
if err != nil {
logrus.Error(err)
return identity.NewEnableInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
if err := self.createEdgeRouterPolicy(ident.Payload.Data.ID, client); err != nil {
logrus.Error(err)
return identity.NewEnableInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
addrTokens := strings.Split(params.HTTPRequest.RemoteAddr, ":")
addr := addrTokens[0]
envId, err := str.CreateEnvironment(int(principal.ID), &store.Environment{
Description: params.Body.Description,
Host: params.Body.Host,
Address: addr,
ZitiIdentityId: ident.Payload.Data.ID,
}, tx)
if err != nil {
logrus.Errorf("error storing created identity: %v", err)
_ = tx.Rollback()
return identity.NewCreateAccountInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
if err := tx.Commit(); err != nil {
logrus.Errorf("error committing: %v", err)
return identity.NewCreateAccountInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
logrus.Infof("recorded identity '%v' with id '%v' for '%v'", ident.Payload.Data.ID, envId, principal.Username)
resp := identity.NewEnableCreated().WithPayload(&rest_model_zrok.EnableResponse{
Identity: ident.Payload.Data.ID,
})
var out bytes.Buffer
enc := json.NewEncoder(&out)
enc.SetEscapeHTML(false)
err = enc.Encode(&cfg)
if err != nil {
panic(err)
}
resp.Payload.Cfg = out.String()
return resp
}
func (_ *enableHandler) createIdentity(username string, client *rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {
iIsAdmin := false
iId, err := randomId()
if err != nil {
return nil, err
}
name := fmt.Sprintf("%v-%v", username, iId)
identityType := rest_model_edge.IdentityTypeUser
i := &rest_model_edge.IdentityCreate{
Enrollment: &rest_model_edge.IdentityCreateEnrollment{Ott: true},
IsAdmin: &iIsAdmin,
Name: &name,
RoleAttributes: nil,
ServiceHostingCosts: nil,
Tags: nil,
Type: &identityType,
}
req := identity_edge.NewCreateIdentityParams()
req.Identity = i
resp, err := client.Identity.CreateIdentity(req, nil)
if err != nil {
return nil, err
}
return resp, nil
}
func (_ *enableHandler) enrollIdentity(id string, client *rest_management_api_client.ZitiEdgeManagement) (*sdk_config.Config, error) {
p := &identity_edge.DetailIdentityParams{
Context: context.Background(),
ID: id,
}
p.SetTimeout(30 * time.Second)
resp, err := client.Identity.DetailIdentity(p, nil)
if err != nil {
return nil, err
}
tkn, _, err := enroll.ParseToken(resp.GetPayload().Data.Enrollment.Ott.JWT)
if err != nil {
return nil, err
}
flags := enroll.EnrollmentFlags{
Token: tkn,
KeyAlg: "RSA",
}
conf, err := enroll.Enroll(flags)
if err != nil {
return nil, err
}
return conf, nil
}
func (_ *enableHandler) createEdgeRouterPolicy(id string, edge *rest_management_api_client.ZitiEdgeManagement) error {
edgeRouterRoles := []string{"#all"}
identityRoles := []string{fmt.Sprintf("@%v", id)}
name := fmt.Sprintf("zrok-%v", id)
semantic := rest_model_edge.SemanticAllOf
erp := &rest_model_edge.EdgeRouterPolicyCreate{
EdgeRouterRoles: edgeRouterRoles,
IdentityRoles: identityRoles,
Name: &name,
Semantic: &semantic,
}
req := &edge_router_policy.CreateEdgeRouterPolicyParams{
Policy: erp,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
resp, err := edge.EdgeRouterPolicy.CreateEdgeRouterPolicy(req, nil)
if err != nil {
return err
}
logrus.Infof("created edge router policy '%v'", resp.Payload.Data.ID)
return nil
}