mirror of
https://github.com/openziti/zrok.git
synced 2024-11-28 11:04:04 +01:00
230 lines
7.6 KiB
Go
230 lines
7.6 KiB
Go
package controller
|
|
|
|
import (
|
|
"github.com/go-openapi/runtime/middleware"
|
|
"github.com/jmoiron/sqlx"
|
|
"github.com/openziti/zrok/controller/store"
|
|
"github.com/openziti/zrok/controller/zrokEdgeSdk"
|
|
"github.com/openziti/zrok/rest_model_zrok"
|
|
"github.com/openziti/zrok/rest_server_zrok/operations/share"
|
|
"github.com/openziti/zrok/sdk/golang/sdk"
|
|
"github.com/openziti/zrok/util"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
type shareHandler struct{}
|
|
|
|
func newShareHandler() *shareHandler {
|
|
return &shareHandler{}
|
|
}
|
|
|
|
func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zrok.Principal) middleware.Responder {
|
|
trx, err := str.Begin()
|
|
if err != nil {
|
|
logrus.Errorf("error starting transaction: %v", err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
defer func() { _ = trx.Rollback() }()
|
|
|
|
envZId := params.Body.EnvZID
|
|
envId := 0
|
|
envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx)
|
|
if err == nil {
|
|
found := false
|
|
for _, env := range envs {
|
|
if env.ZId == envZId {
|
|
logrus.Debugf("found identity '%v' for account '%v'", envZId, principal.Email)
|
|
envId = env.Id
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if !found {
|
|
logrus.Errorf("environment '%v' not found for account '%v'", envZId, principal.Email)
|
|
return share.NewShareUnauthorized()
|
|
}
|
|
} else {
|
|
logrus.Errorf("error finding environments for account '%v'", principal.Email)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
|
|
shareMode := sdk.ShareMode(params.Body.ShareMode)
|
|
backendMode := sdk.BackendMode(params.Body.BackendMode)
|
|
if err := h.checkLimits(envId, principal, params.Body.Reserved, params.Body.UniqueName != "", shareMode, backendMode, trx); err != nil {
|
|
logrus.Errorf("limits error: %v", err)
|
|
return share.NewShareUnauthorized()
|
|
}
|
|
|
|
var accessGrantAcctIds []int
|
|
if store.PermissionMode(params.Body.PermissionMode) == store.ClosedPermissionMode {
|
|
for _, email := range params.Body.AccessGrants {
|
|
acct, err := str.FindAccountWithEmail(email, trx)
|
|
if err != nil {
|
|
logrus.Errorf("unable to find account '%v' for share request from '%v'", email, principal.Email)
|
|
return share.NewShareNotFound()
|
|
}
|
|
logrus.Debugf("found id '%d' for '%v'", acct.Id, acct.Email)
|
|
accessGrantAcctIds = append(accessGrantAcctIds, acct.Id)
|
|
}
|
|
}
|
|
|
|
edge, err := zrokEdgeSdk.Client(cfg.Ziti)
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
|
|
reserved := params.Body.Reserved
|
|
uniqueName := params.Body.UniqueName
|
|
shrToken, err := createShareToken()
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
if reserved && uniqueName != "" {
|
|
if !util.IsValidUniqueName(uniqueName) {
|
|
logrus.Errorf("invalid unique name '%v' for account '%v'", uniqueName, principal.Email)
|
|
return share.NewShareUnprocessableEntity()
|
|
}
|
|
shareExists, err := str.ShareWithTokenExists(uniqueName, trx)
|
|
if err != nil {
|
|
logrus.Errorf("error checking share for token collision: %v", err)
|
|
return share.NewUpdateShareInternalServerError()
|
|
}
|
|
if shareExists {
|
|
logrus.Errorf("token '%v' already exists; cannot create share", uniqueName)
|
|
return share.NewShareConflict()
|
|
}
|
|
shrToken = uniqueName
|
|
}
|
|
|
|
var shrZId string
|
|
var frontendEndpoints []string
|
|
switch params.Body.ShareMode {
|
|
case string(sdk.PublicShareMode):
|
|
if len(params.Body.FrontendSelection) < 1 {
|
|
logrus.Info("no frontend selection provided")
|
|
return share.NewShareNotFound()
|
|
}
|
|
|
|
var frontendZIds []string
|
|
var frontendTemplates []string
|
|
for _, frontendSelection := range params.Body.FrontendSelection {
|
|
sfe, err := str.FindFrontendPubliclyNamed(frontendSelection, trx)
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
return share.NewShareNotFound()
|
|
}
|
|
if sfe.PermissionMode == store.ClosedPermissionMode {
|
|
granted, err := str.IsFrontendGrantedToAccount(int(principal.ID), sfe.Id, trx)
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
if !granted {
|
|
logrus.Errorf("'%v' is not granted access to frontend '%v'", principal.Email, frontendSelection)
|
|
return share.NewShareNotFound()
|
|
}
|
|
}
|
|
if sfe != nil && sfe.UrlTemplate != nil {
|
|
frontendZIds = append(frontendZIds, sfe.ZId)
|
|
frontendTemplates = append(frontendTemplates, *sfe.UrlTemplate)
|
|
logrus.Infof("added frontend selection '%v' with ziti identity '%v' for share '%v'", frontendSelection, sfe.ZId, shrToken)
|
|
}
|
|
}
|
|
var skipInterstitial bool
|
|
if backendMode != sdk.DriveBackendMode {
|
|
skipInterstitial, err = str.IsAccountGrantedSkipInterstitial(int(principal.ID), trx)
|
|
if err != nil {
|
|
logrus.Errorf("error checking skip interstitial for account '%v': %v", principal.Email, err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
} else {
|
|
skipInterstitial = true
|
|
}
|
|
shrZId, frontendEndpoints, err = newPublicResourceAllocator().allocate(envZId, shrToken, frontendZIds, frontendTemplates, params, !skipInterstitial, edge)
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
|
|
case string(sdk.PrivateShareMode):
|
|
shrZId, frontendEndpoints, err = newPrivateResourceAllocator().allocate(envZId, shrToken, params, edge)
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
|
|
default:
|
|
logrus.Errorf("unknown share mode '%v", params.Body.ShareMode)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
|
|
logrus.Debugf("allocated share '%v'", shrToken)
|
|
|
|
sshr := &store.Share{
|
|
ZId: shrZId,
|
|
Token: shrToken,
|
|
ShareMode: params.Body.ShareMode,
|
|
BackendMode: params.Body.BackendMode,
|
|
BackendProxyEndpoint: ¶ms.Body.BackendProxyEndpoint,
|
|
Reserved: reserved,
|
|
UniqueName: reserved && uniqueName != "",
|
|
PermissionMode: store.OpenPermissionMode,
|
|
}
|
|
if params.Body.PermissionMode != "" {
|
|
sshr.PermissionMode = store.PermissionMode(params.Body.PermissionMode)
|
|
}
|
|
if len(params.Body.FrontendSelection) > 0 {
|
|
sshr.FrontendSelection = ¶ms.Body.FrontendSelection[0]
|
|
}
|
|
if len(frontendEndpoints) > 0 {
|
|
sshr.FrontendEndpoint = &frontendEndpoints[0]
|
|
} else if sshr.ShareMode == string(sdk.PrivateShareMode) {
|
|
sshr.FrontendEndpoint = &sshr.ShareMode
|
|
}
|
|
|
|
sid, err := str.CreateShare(envId, sshr, trx)
|
|
if err != nil {
|
|
logrus.Errorf("error creating share record: %v", err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
|
|
if sshr.PermissionMode == store.ClosedPermissionMode {
|
|
for _, acctId := range accessGrantAcctIds {
|
|
_, err := str.CreateAccessGrant(sid, acctId, trx)
|
|
if err != nil {
|
|
logrus.Errorf("error creating access grant for '%v': %v", principal.Email, err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := trx.Commit(); err != nil {
|
|
logrus.Errorf("error committing share record: %v", err)
|
|
return share.NewShareInternalServerError()
|
|
}
|
|
logrus.Infof("recorded share '%v' with id '%v' for '%v'", shrToken, sid, principal.Email)
|
|
|
|
return share.NewShareCreated().WithPayload(&rest_model_zrok.ShareResponse{
|
|
FrontendProxyEndpoints: frontendEndpoints,
|
|
ShrToken: shrToken,
|
|
})
|
|
}
|
|
|
|
func (h *shareHandler) checkLimits(envId int, principal *rest_model_zrok.Principal, reserved, uniqueName bool, shareMode sdk.ShareMode, backendMode sdk.BackendMode, trx *sqlx.Tx) error {
|
|
if !principal.Limitless {
|
|
if limitsAgent != nil {
|
|
ok, err := limitsAgent.CanCreateShare(int(principal.ID), envId, reserved, uniqueName, shareMode, backendMode, trx)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "error checking share limits for '%v'", principal.Email)
|
|
}
|
|
if !ok {
|
|
return errors.Errorf("share limit check failed for '%v'", principal.Email)
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|