forked from gravitational/teleport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
command.go
236 lines (200 loc) · 7.32 KB
/
command.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
/*
* Teleport
* Copyright (C) 2023 Gravitational, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package loginrule
import (
"context"
"errors"
"io"
"os"
"github.com/alecthomas/kingpin/v2"
"github.com/gravitational/trace"
"github.com/sirupsen/logrus"
kyaml "k8s.io/apimachinery/pkg/util/yaml"
"github.com/gravitational/teleport"
loginrulepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/loginrule/v1"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/service/servicecfg"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/utils"
)
type subcommand interface {
initialize(parent *kingpin.CmdClause, cfg *servicecfg.Config)
tryRun(ctx context.Context, selectedCommand string, c auth.ClientI) (match bool, err error)
}
// Command implements all commands under "tctl login_rule".
type Command struct {
subcommands []subcommand
}
// Initialize installs the base "login_rule" command and all subcommands.
func (t *Command) Initialize(app *kingpin.Application, cfg *servicecfg.Config) {
loginRuleCommand := app.Command("login_rule", "Test login rules")
t.subcommands = []subcommand{
&testCommand{},
}
for _, subcommand := range t.subcommands {
subcommand.initialize(loginRuleCommand, cfg)
}
}
// TryRun calls tryRun for each subcommand, and if none of them match returns
// (false, nil)
func (t *Command) TryRun(ctx context.Context, selectedCommand string, c auth.ClientI) (match bool, err error) {
for _, subcommand := range t.subcommands {
match, err = subcommand.tryRun(ctx, selectedCommand, c)
if err != nil {
return match, trace.Wrap(err)
}
if match {
return match, nil
}
}
return false, nil
}
// testCommand implements the "tctl login_rule test" command.
type testCommand struct {
cmd *kingpin.CmdClause
inputResourceFiles []string
loadFromCluster bool
inputTraitsFile string
outputFormat string
}
func (t *testCommand) initialize(parent *kingpin.CmdClause, cfg *servicecfg.Config) {
t.cmd = parent.Command("test", "Test the parsing and evaluation of login rules.")
t.cmd.Flag("resource-file", "login rule resource file name (YAML or JSON)").StringsVar(&t.inputResourceFiles)
t.cmd.Flag("load-from-cluster", "load existing login rules from the connected Teleport cluster").BoolVar(&t.loadFromCluster)
t.cmd.Flag("format", "Output format: 'yaml' or 'json'").Default(teleport.YAML).StringVar(&t.outputFormat)
t.cmd.Arg("traits-file", "input user traits file name (YAML or JSON), empty for stdin").StringVar(&t.inputTraitsFile)
// Hack: use Alias to include some examples in the help output. This is also
// done elsewhere in the codebase.
t.cmd.Alias(`
Examples:
Test evaluation of the login rules from rule1.yaml and rule2.yaml with input traits from traits.json
> tctl login_rule test --resource-file rule1.yaml --resource-file rule2.yaml traits.json
Test the login rule in rule.yaml along with all login rules already present in the cluster
> tctl login_rule test --resource-file rule.yaml --load-from-cluster traits.json
Read the input traits from stdin
> echo '{"groups": ["example"]}' | tctl login_rule test --resource-file rule.yaml`)
}
func (t *testCommand) tryRun(ctx context.Context, selectedCommand string, c auth.ClientI) (match bool, err error) {
if selectedCommand != t.cmd.FullCommand() {
return false, nil
}
if len(t.inputResourceFiles) == 0 && !t.loadFromCluster {
return true, trace.BadParameter("no login rules to test, --resource-file or --load-from-cluster must be set")
}
return true, trace.Wrap(t.run(ctx, c))
}
func (t *testCommand) run(ctx context.Context, c auth.ClientI) error {
loginRules, err := parseLoginRuleFiles(t.inputResourceFiles)
if err != nil {
return trace.Wrap(err)
}
if len(loginRules) == 0 && !t.loadFromCluster {
return trace.BadParameter("no login rules to test")
}
if len(t.inputResourceFiles) > 0 {
logrus.Debugf("Loaded %d login rule(s) from input resource files", len(loginRules))
}
traits, err := parseTraitsFile(t.inputTraitsFile)
if err != nil {
return trace.Wrap(err)
}
result, err := c.LoginRuleClient().TestLoginRule(ctx, &loginrulepb.TestLoginRuleRequest{
LoginRules: loginRules,
Traits: traitsMapResourceToProto(traits),
LoadFromCluster: t.loadFromCluster,
})
if err != nil {
if trace.IsNotImplemented(err) {
return trace.NotImplemented("the server does not support testing login rules - try downgrading your client to match the server version")
}
return trace.Wrap(err)
}
switch t.outputFormat {
case teleport.YAML:
utils.WriteYAML(os.Stdout, traitsMapProtoToResource(result.Traits))
case teleport.JSON:
utils.WriteJSONObject(os.Stdout, traitsMapProtoToResource(result.Traits))
default:
return trace.BadParameter("unsupported output format %q, supported values are %s and %s", t.outputFormat, teleport.YAML, teleport.JSON)
}
return nil
}
// parseLoginRuleFiles parses login rules from YAML or JSON files. Supports
// multiple rules per YAML file separated into YAML documents with "---".
func parseLoginRuleFiles(fileNames []string) ([]*loginrulepb.LoginRule, error) {
var rules []*loginrulepb.LoginRule
for _, fileName := range fileNames {
fileRules, err := parseLoginRuleFile(fileName)
if err != nil {
return nil, trace.Wrap(err)
}
rules = append(rules, fileRules...)
}
return rules, nil
}
func parseLoginRuleFile(fileName string) ([]*loginrulepb.LoginRule, error) {
f, err := os.Open(fileName)
if err != nil {
return nil, trace.ConvertSystemError(err)
}
defer f.Close()
rules, err := parseLoginRules(f)
return rules, trace.Wrap(err)
}
func parseLoginRules(r io.Reader) ([]*loginrulepb.LoginRule, error) {
var rules []*loginrulepb.LoginRule
decoder := kyaml.NewYAMLOrJSONDecoder(r, defaults.LookaheadBufSize)
for {
var raw services.UnknownResource
err := decoder.Decode(&raw)
if err != nil {
if errors.Is(err, io.EOF) {
return rules, nil
}
return nil, trace.Wrap(err)
}
if raw.Kind != types.KindLoginRule {
return nil, trace.BadParameter("found resource kind %q, expected %s", raw.Kind, types.KindLoginRule)
}
rule, err := UnmarshalLoginRule(raw.Raw)
if err != nil {
return nil, trace.Wrap(err)
}
rules = append(rules, rule)
}
}
func parseTraitsFile(fileName string) (map[string][]string, error) {
var r io.Reader = os.Stdin
if fileName != "" {
f, err := os.Open(fileName)
if err != nil {
return nil, trace.Wrap(err)
}
defer f.Close()
r = f
}
decoder := kyaml.NewYAMLOrJSONDecoder(r, defaults.LookaheadBufSize)
var traits map[string][]string
err := decoder.Decode(&traits)
if err != nil {
return nil, trace.Wrap(err)
}
return traits, nil
}