extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2024-11-08 01:04:08 +01:00
Code Issues Packages Projects Releases Wiki Activity
069417ade0
zrok/controller/tunnel.go
Michael Quigley 069417ade0
better authorization handling
2022-08-01 15:44:26 -04:00

222 lines
7.8 KiB
Go
Raw Blame History

package controller
import (
"context"
"fmt"
"github.com/go-openapi/runtime/middleware"
"github.com/openziti-test-kitchen/zrok/controller/store"
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/tunnel"
"github.com/openziti/edge/rest_management_api_client"
"github.com/openziti/edge/rest_management_api_client/edge_router_policy"
"github.com/openziti/edge/rest_management_api_client/service"
"github.com/openziti/edge/rest_management_api_client/service_edge_router_policy"
"github.com/openziti/edge/rest_management_api_client/service_policy"
"github.com/openziti/edge/rest_model"
"github.com/sirupsen/logrus"
"time"
)
func tunnelHandler(params tunnel.TunnelParams, principal *rest_model_zrok.Principal) middleware.Responder {
logrus.Infof("tunneling for '%v' (%v)", principal.Username, principal.Token)
tx, err := str.Begin()
if err != nil {
logrus.Errorf("error starting transaction: %v", err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
defer func() { _ = tx.Rollback() }()
envId := params.Body.Identity
if is, err := str.FindIdentitiesForAccount(int(principal.ID), tx); err == nil {
found := false
for _, i := range is {
if i.ZitiId == envId {
logrus.Infof("found identity '%v' for user '%v'", envId, principal.Username)
found = true
break
}
}
if !found {
logrus.Errorf("identity '%v' not found for user '%v'", envId, principal.Username)
return tunnel.NewTunnelUnauthorized().WithPayload("bad environment identity")
}
} else {
logrus.Errorf("error finding identities for account '%v'", principal.Username)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
edge, err := edgeClient()
if err != nil {
logrus.Error(err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
svcName, err := randomId()
if err != nil {
logrus.Error(err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
svcId, err := createService(svcName, edge)
if err != nil {
logrus.Error(err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
if err := createServicePolicyBind(svcName, svcId, envId, edge); err != nil {
logrus.Error(err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
if err := createServicePolicyDial(svcName, svcId, edge); err != nil {
logrus.Error(err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
if err := createServiceEdgeRouterPolicy(svcName, svcId, edge); err != nil {
logrus.Error(err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
if err := createEdgeRouterPolicy(svcName, envId, edge); err != nil {
logrus.Error(err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
logrus.Infof("allocated service '%v'", svcName)
sid, err := str.CreateService(int(principal.ID), &store.Service{ZitiId: svcId, Endpoint: params.Body.Endpoint}, tx)
if err != nil {
logrus.Errorf("error creating service record: %v", err)
_ = tx.Rollback()
return tunnel.NewUntunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
if err := tx.Commit(); err != nil {
logrus.Errorf("error committing service record: %v", err)
return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
}
logrus.Infof("recorded service '%v' with id '%v' for '%v'", svcId, sid, principal.Username)
return tunnel.NewTunnelCreated().WithPayload(&rest_model_zrok.TunnelResponse{
Service: svcName,
})
}
func createService(name string, edge *rest_management_api_client.ZitiEdgeManagement) (serviceId string, err error) {
configs := make([]string, 0)
encryptionRequired := true
svc := &rest_model.ServiceCreate{
Configs: configs,
EncryptionRequired: &encryptionRequired,
Name: &name,
}
req := &service.CreateServiceParams{
Service: svc,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
resp, err := edge.Service.CreateService(req, nil)
if err != nil {
return "", err
}
logrus.Infof("created service '%v'", resp.Payload.Data.ID)
return resp.Payload.Data.ID, nil
}
func createServicePolicyBind(svcName, svcId, envId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
semantic := rest_model.SemanticAllOf
identityRoles := []string{fmt.Sprintf("@%v", envId)}
name := fmt.Sprintf("%v-bind", svcName)
postureCheckRoles := []string{}
serviceRoles := []string{fmt.Sprintf("@%v", svcId)}
dialBind := rest_model.DialBindBind
svcp := &rest_model.ServicePolicyCreate{
IdentityRoles: identityRoles,
Name: &name,
PostureCheckRoles: postureCheckRoles,
Semantic: &semantic,
ServiceRoles: serviceRoles,
Type: &dialBind,
}
req := &service_policy.CreateServicePolicyParams{
Policy: svcp,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
resp, err := edge.ServicePolicy.CreateServicePolicy(req, nil)
if err != nil {
return err
}
logrus.Infof("created service policy '%v'", resp.Payload.Data.ID)
return nil
}
func createServicePolicyDial(svcName, svcId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
identityRoles := []string{"@PyB606.S."} // @proxy
name := fmt.Sprintf("%v-dial", svcName)
postureCheckRoles := []string{}
semantic := rest_model.SemanticAllOf
serviceRoles := []string{fmt.Sprintf("@%v", svcId)}
dialBind := rest_model.DialBindDial
svcp := &rest_model.ServicePolicyCreate{
IdentityRoles: identityRoles,
Name: &name,
PostureCheckRoles: postureCheckRoles,
Semantic: &semantic,
ServiceRoles: serviceRoles,
Type: &dialBind,
}
req := &service_policy.CreateServicePolicyParams{
Policy: svcp,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
resp, err := edge.ServicePolicy.CreateServicePolicy(req, nil)
if err != nil {
return err
}
logrus.Infof("created service policy '%v'", resp.Payload.Data.ID)
return nil
}
func createServiceEdgeRouterPolicy(svcName, svcId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
edgeRouterRoles := []string{"#all"}
semantic := rest_model.SemanticAllOf
serviceRoles := []string{fmt.Sprintf("@%v", svcId)}
serp := &rest_model.ServiceEdgeRouterPolicyCreate{
EdgeRouterRoles: edgeRouterRoles,
Name: &svcName,
Semantic: &semantic,
ServiceRoles: serviceRoles,
}
serpParams := &service_edge_router_policy.CreateServiceEdgeRouterPolicyParams{
Policy: serp,
Context: context.Background(),
}
serpParams.SetTimeout(30 * time.Second)
resp, err := edge.ServiceEdgeRouterPolicy.CreateServiceEdgeRouterPolicy(serpParams, nil)
if err != nil {
return err
}
logrus.Infof("created service edge router policy '%v'", resp.Payload.Data.ID)
return nil
}
func createEdgeRouterPolicy(svcName, envId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
edgeRouterRoles := []string{"#all"}
identityRoles := []string{fmt.Sprintf("@%v", envId)}
semantic := rest_model.SemanticAllOf
erp := &rest_model.EdgeRouterPolicyCreate{
EdgeRouterRoles: edgeRouterRoles,
IdentityRoles: identityRoles,
Name: &svcName,
Semantic: &semantic,
}
req := &edge_router_policy.CreateEdgeRouterPolicyParams{
Policy: erp,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
resp, err := edge.EdgeRouterPolicy.CreateEdgeRouterPolicy(req, nil)
if err != nil {
return err
}
logrus.Infof("created edge router policy '%v'", resp.Payload.Data.ID)
return nil
}
Reference in New Issue View Git Blame Copy Permalink