Merge pull request #747 from openziti/update_interstitial_config

Endpoint for Synchronzing Interstitial Configs (#744)

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## v0.4.40
 
+FEATURE: New endpoint for synchronizing grants for an account (https://github.com/openziti/zrok/pull/744). Useful for updating the `zrok.proxy.v1` config objects containing interstitial setting when the `skip_interstitial_grants` table has been updated.
+
 FIX: prune incorrect troubleshooting advice about listing Caddy's certificates
 
 ## v0.4.39

cmd/zrok/adminGenerate.go

@@ -27,9 +27,7 @@ func newAdminGenerateCommand() *adminGenerateCommand {
 	}
 	command := &adminGenerateCommand{cmd: cmd}
 	cmd.Run = command.run
-
 	cmd.Flags().IntVarP(&command.amount, "count", "n", 5, "Number of tokens to generate")
-
 	return command
 }
 

cmd/zrok/adminGrants.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"fmt"
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/rest_client_zrok/admin"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	adminCmd.AddCommand(newAdminGrantsCommand().cmd)
+}
+
+type adminGrantsCommand struct {
+	cmd   *cobra.Command
+	email string
+}
+
+func newAdminGrantsCommand() *adminGrantsCommand {
+	cmd := &cobra.Command{
+		Use:   "grants <email>",
+		Short: "Synchronize ziti objects with account grants",
+		Args:  cobra.ExactArgs(1),
+	}
+	command := &adminGrantsCommand{cmd: cmd}
+	cmd.Run = command.run
+	cmd.Flags().StringVarP(&command.email, "email", "e", "", "email address")
+	return command
+}
+
+func (command *adminGrantsCommand) run(_ *cobra.Command, args []string) {
+	env, err := environment.LoadRoot()
+	if err != nil {
+		panic(err)
+	}
+
+	zrok, err := env.Client()
+	if err != nil {
+		panic(err)
+	}
+
+	req := admin.NewGrantsParams()
+	req.Body.Email = args[0]
+
+	_, err = zrok.Admin.Grants(req, mustGetAdminAuth())
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println("success.")
+}

controller/controller.go

@@ -2,23 +2,22 @@ package controller
 
 import (
 	"context"
+	"github.com/go-openapi/loads"
+	influxdb2 "github.com/influxdata/influxdb-client-go/v2"
 	"github.com/jessevdk/go-flags"
 	"github.com/openziti/zrok/controller/config"
 	"github.com/openziti/zrok/controller/limits"
 	"github.com/openziti/zrok/controller/metrics"
-	"github.com/sirupsen/logrus"
-	"log"
-	"net/http"
-	_ "net/http/pprof"
-
-	"github.com/go-openapi/loads"
-	influxdb2 "github.com/influxdata/influxdb-client-go/v2"
 	"github.com/openziti/zrok/controller/store"
 	"github.com/openziti/zrok/rest_server_zrok"
 	"github.com/openziti/zrok/rest_server_zrok/operations"
 	"github.com/openziti/zrok/rest_server_zrok/operations/account"
 	"github.com/openziti/zrok/rest_server_zrok/operations/metadata"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"log"
+	"net/http"
+	_ "net/http/pprof"
 )
 
 var (
@@ -56,6 +55,7 @@ func Run(inCfg *config.Config) error {
 	api.AdminCreateFrontendHandler = newCreateFrontendHandler()
 	api.AdminCreateIdentityHandler = newCreateIdentityHandler()
 	api.AdminDeleteFrontendHandler = newDeleteFrontendHandler()
+	api.AdminGrantsHandler = newGrantsHandler()
 	api.AdminInviteTokenGenerateHandler = newInviteTokenGenerateHandler()
 	api.AdminListFrontendsHandler = newListFrontendsHandler()
 	api.AdminUpdateFrontendHandler = newUpdateFrontendHandler()
@@ -150,7 +150,3 @@ func Run(inCfg *config.Config) error {
 
 	return nil
 }
-
-func Store() *store.Store {
-	return str
-}

controller/grants.go

@@ -0,0 +1,86 @@
+package controller
+
+import (
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/zrok/controller/zrokEdgeSdk"
+	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/rest_server_zrok/operations/admin"
+	"github.com/openziti/zrok/sdk/golang/sdk"
+	"github.com/sirupsen/logrus"
+)
+
+type grantsHandler struct{}
+
+func newGrantsHandler() *grantsHandler {
+	return &grantsHandler{}
+}
+
+func (h *grantsHandler) Handle(params admin.GrantsParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	if !principal.Admin {
+		logrus.Errorf("invalid admin principal")
+		return admin.NewGrantsUnauthorized()
+	}
+
+	edge, err := zrokEdgeSdk.Client(cfg.Ziti)
+	if err != nil {
+		logrus.Errorf("error connecting to ziti: %v", err)
+		return admin.NewGrantsInternalServerError()
+	}
+
+	trx, err := str.Begin()
+	if err != nil {
+		logrus.Errorf("error starting transaction: %v", err)
+		return admin.NewGrantsInternalServerError()
+	}
+	defer func() { _ = trx.Rollback() }()
+
+	acct, err := str.FindAccountWithEmail(params.Body.Email, trx)
+	if err != nil {
+		logrus.Errorf("error finding account with email '%v': %v", params.Body.Email, err)
+		return admin.NewGrantsNotFound()
+	}
+
+	acctSkipInterstitial, err := str.IsAccountGrantedSkipInterstitial(acct.Id, trx)
+	if err != nil {
+		logrus.Errorf("error checking account '%v' granted skip interstitial: %v", acct.Email, err)
+	}
+
+	envs, err := str.FindEnvironmentsForAccount(acct.Id, trx)
+	if err != nil {
+		logrus.Errorf("error finding environments for '%v': %v", acct.Email, err)
+		return admin.NewGrantsInternalServerError()
+	}
+
+	for _, env := range envs {
+		shrs, err := str.FindSharesForEnvironment(env.Id, trx)
+		if err != nil {
+			logrus.Errorf("error finding shares for '%v': %v", acct.Email, err)
+			return admin.NewGrantsInternalServerError()
+		}
+
+		for _, shr := range shrs {
+			if shr.ShareMode == string(sdk.PublicShareMode) && shr.BackendMode != string(sdk.DriveBackendMode) {
+				cfgZId, shrCfg, err := zrokEdgeSdk.GetConfig(shr.Token, edge)
+				if err != nil {
+					logrus.Errorf("error getting config for share '%v': %v", shr.Token, err)
+					return admin.NewGrantsInternalServerError()
+				}
+
+				if shrCfg.Interstitial != !acctSkipInterstitial {
+					shrCfg.Interstitial = !acctSkipInterstitial
+					err := zrokEdgeSdk.UpdateConfig(shr.Token, cfgZId, shrCfg, edge)
+					if err != nil {
+						logrus.Errorf("error updating config for '%v': %v", shr.Token, err)
+						return admin.NewGrantsInternalServerError()
+					}
+				} else {
+					logrus.Infof("skipping config update for '%v'", shr.Token)
+				}
+			} else {
+				logrus.Debugf("skipping share mode %v, backend mode %v", shr.ShareMode, shr.BackendMode)
+			}
+		}
+	}
+
+	return admin.NewGrantsOK()
+}

controller/zrokEdgeSdk/config.go

@@ -8,6 +8,7 @@ import (
 	"github.com/openziti/edge-api/rest_model"
 	"github.com/openziti/zrok/sdk/golang/sdk"
 	"github.com/sirupsen/logrus"
+	"reflect"
 	"time"
 )
 
@@ -55,6 +56,56 @@ func CreateConfig(cfgTypeZId, envZId, shrToken string, options *FrontendOptions,
 	return cfgResp.Payload.Data.ID, nil
 }
 
+func GetConfig(shrToken string, edge *rest_management_api_client.ZitiEdgeManagement) (string, *sdk.FrontendConfig, error) {
+	filter := fmt.Sprintf("tags.zrokShareToken=\"%v\"", shrToken)
+	limit := int64(0)
+	offset := int64(0)
+	listReq := &config.ListConfigsParams{
+		Filter:  &filter,
+		Limit:   &limit,
+		Offset:  &offset,
+		Context: context.Background(),
+	}
+	listReq.SetTimeout(30 * time.Second)
+	listResp, err := edge.Config.ListConfigs(listReq, nil)
+	if err != nil {
+		return "", nil, err
+	}
+	if len(listResp.Payload.Data) != 1 {
+		return "", nil, fmt.Errorf("expected 1 configuration, found %v", len(listResp.Payload.Data))
+	}
+	if listResp.Payload.Data[0].ConfigType.Name != sdk.ZrokProxyConfig {
+		return "", nil, fmt.Errorf("expected '%v', found '%v'", sdk.ZrokProxyConfig, listResp.Payload.Data[0].ConfigType.Name)
+	}
+	if v, ok := listResp.Payload.Data[0].Data.(map[string]interface{}); ok {
+		fec, err := sdk.FrontendConfigFromMap(v)
+		if err != nil {
+			return "", nil, err
+		}
+		return *listResp.Payload.Data[0].ID, fec, nil
+	}
+	return "", nil, fmt.Errorf("unknown data type '%v' unmarshaling config for '%v'", reflect.TypeOf(listResp.Payload.Data[0].Data), shrToken)
+}
+
+func UpdateConfig(shrToken, cfgZId string, cfg *sdk.FrontendConfig, edge *rest_management_api_client.ZitiEdgeManagement) error {
+	logrus.Infof("updating config for '%v' (%v)", shrToken, cfgZId)
+	req := &config.UpdateConfigParams{
+		Config: &rest_model.ConfigUpdate{
+			Data: cfg,
+			Name: &shrToken,
+			Tags: ZrokShareTags(shrToken),
+		},
+		ID:      cfgZId,
+		Context: context.Background(),
+	}
+	req.SetTimeout(30 * time.Second)
+	_, err := edge.Config.UpdateConfig(req, nil)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func DeleteConfig(envZId, shrToken string, edge *rest_management_api_client.ZitiEdgeManagement) error {
 	filter := fmt.Sprintf("tags.zrokShareToken=\"%v\"", shrToken)
 	limit := int64(0)