zrok/controller/access.go

132 lines
4.1 KiB
Go

package controller
import (
"context"
"fmt"
"github.com/go-openapi/runtime/middleware"
"github.com/openziti-test-kitchen/zrok/controller/store"
"github.com/openziti-test-kitchen/zrok/rest_model_zrok"
"github.com/openziti-test-kitchen/zrok/rest_server_zrok/operations/service"
"github.com/openziti/edge/rest_management_api_client"
"github.com/openziti/edge/rest_management_api_client/service_policy"
"github.com/openziti/edge/rest_model"
rest_model_edge "github.com/openziti/edge/rest_model"
"github.com/sirupsen/logrus"
"time"
)
type accessHandler struct{}
func newAccessHandler() *accessHandler {
return &accessHandler{}
}
func (h *accessHandler) Handle(params service.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
tx, err := str.Begin()
if err != nil {
logrus.Errorf("error starting transaction: %v", err)
return service.NewAccessInternalServerError()
}
defer func() { _ = tx.Rollback() }()
envZId := params.Body.ZID
envId := 0
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx); err == nil {
found := false
for _, env := range envs {
if env.ZId == envZId {
logrus.Debugf("found identity '%v' for user '%v'", envZId, principal.Email)
envId = env.Id
found = true
break
}
}
if !found {
logrus.Errorf("environment '%v' not found for user '%v'", envZId, principal.Email)
return service.NewAccessUnauthorized()
}
} else {
logrus.Errorf("error finding environments for account '%v'", principal.Email)
return service.NewAccessNotFound()
}
svcName := params.Body.SvcName
ssvc, err := str.FindServiceWithName(svcName, tx)
if err != nil {
logrus.Errorf("error finding service")
return service.NewAccessNotFound()
}
if ssvc == nil {
logrus.Errorf("unable to find service '%v' for user '%v'", params.Body.SvcName, principal.Email)
return service.NewAccessNotFound()
}
frontendName, err := createToken()
if err != nil {
logrus.Error(err)
return service.NewAccessInternalServerError()
}
if _, err := str.CreateFrontend(envId, &store.Frontend{Name: frontendName, ZId: envZId}, tx); err != nil {
logrus.Errorf("error creating frontend record: %v", err)
return service.NewAccessInternalServerError()
}
edge, err := edgeClient()
if err != nil {
logrus.Error(err)
return service.NewAccessInternalServerError()
}
extraTags := &rest_model_edge.Tags{SubTags: map[string]interface{}{
"zrokEnvironmentZId": envZId,
"zrokFrontendName": frontendName,
}}
if err := createServicePolicyDialForEnvironment(envZId, ssvc.Name, ssvc.ZId, edge, extraTags); err != nil {
logrus.Errorf("unable to create dial policy: %v", err)
return service.NewAccessInternalServerError()
}
if err := tx.Commit(); err != nil {
logrus.Errorf("error committing frontend record: %v", err)
return service.NewAccessInternalServerError()
}
return service.NewAccessCreated().WithPayload(&rest_model_zrok.AccessResponse{FrontendName: frontendName})
}
func createServicePolicyDialForEnvironment(envZId, svcName, svcZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
allTags := zrokTags(svcName)
for _, t := range tags {
for k, v := range t.SubTags {
allTags.SubTags[k] = v
}
}
identityRoles := []string{"@" + envZId}
name := fmt.Sprintf("%v-%v-dial", envZId, svcName)
var postureCheckRoles []string
semantic := rest_model.SemanticAllOf
serviceRoles := []string{fmt.Sprintf("@%v", svcZId)}
dialBind := rest_model.DialBindDial
svcp := &rest_model.ServicePolicyCreate{
IdentityRoles: identityRoles,
Name: &name,
PostureCheckRoles: postureCheckRoles,
Semantic: &semantic,
ServiceRoles: serviceRoles,
Type: &dialBind,
Tags: allTags,
}
req := &service_policy.CreateServicePolicyParams{
Policy: svcp,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
resp, err := edge.ServicePolicy.CreateServicePolicy(req, nil)
if err != nil {
return err
}
logrus.Infof("created dial service policy '%v' for service '%v' for environment '%v'", resp.Payload.Data.ID, svcZId, envZId)
return nil
}