zms-cli: add -audit-enabled flag for role/group add operations (#2453)

* zms-cli: add -audit-enabled flag for role/group add operations Signed-off-by: Henry Avetisyan <[email protected]> * include missing updates for role/group files Signed-off-by: Henry Avetisyan <[email protected]> --------- Signed-off-by: Henry Avetisyan <[email protected]> Co-authored-by: Henry Avetisyan <[email protected]>
AthenZ · Dec 6, 2023 · 201d1ef · 201d1ef
1 parent a7218f9
commit 201d1ef
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 28 deletions.
diff --git a/libs/go/zmscli/cli.go b/libs/go/zmscli/cli.go
@@ -5,6 +5,7 @@ package zmscli
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"gopkg.in/yaml.v2"
@@ -554,8 +555,15 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 			}
 		case "add-group-role", "add-regular-role":
 			if argc >= 1 {
-				roleMembers := cli.convertRoleMembers(args[1:])
-				return cli.AddRegularRole(dn, args[0], roleMembers)
+				auditEnabled := false
+				var roleMembers []*zms.RoleMember
+				if argc >= 2 && args[1] == "-audit-enabled" {
+					auditEnabled = true
+					roleMembers = cli.convertRoleMembers(args[2:])
+				} else {
+					roleMembers = cli.convertRoleMembers(args[1:])
+				}
+				return cli.AddRegularRole(dn, args[0], auditEnabled, roleMembers)
 			}
 		case "add-provider-role-member", "add-provider-role-members":
 			if argc >= 4 {
@@ -638,8 +646,15 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 			return output, err
 		case "add-group":
 			if argc >= 1 {
-				groupMembers := cli.convertGroupMembers(args[1:])
-				return cli.AddGroup(dn, args[0], groupMembers)
+				auditEnabled := false
+				var groupMembers []*zms.GroupMember
+				if argc >= 2 && args[1] == "-audit-enabled" {
+					auditEnabled = true
+					groupMembers = cli.convertGroupMembers(args[2:])
+				} else {
+					groupMembers = cli.convertGroupMembers(args[1:])
+				}
+				return cli.AddGroup(dn, args[0], auditEnabled, groupMembers)
 			}
 		case "add-group-member", "add-group-members":
 			if argc >= 2 {
@@ -2001,15 +2016,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 		buf.WriteString("   " + domainExample + " add-delegated-role tenant.sports.readers sports\n")
 	case "add-group-role", "add-regular-role":
 		buf.WriteString(" syntax:\n")
-		buf.WriteString("   " + domainParam + " add-regular-role role member [member ... ]\n")
+		buf.WriteString("   " + domainParam + " add-regular-role role [-audit-enabled] [member ... ]\n")
 		buf.WriteString(" parameters:\n")
 		if !interactive {
 			buf.WriteString("   domain  : name of the domain that role belongs to\n")
 		}
 		buf.WriteString("   role    : name of the standard role\n")
+		buf.WriteString("   -audit-enabled : mark the role as audit-enabled - can't have any members specified \n")
 		buf.WriteString("   member  : list of members that could be either users or services\n")
 		buf.WriteString(" examples:\n")
 		buf.WriteString("   " + domainExample + " add-regular-role readers " + cli.UserDomain + ".john " + cli.UserDomain + ".joe media.sports.storage\n")
+		buf.WriteString("   " + domainExample + " add-regular-role readers -audit-enabled\n")
 	case "add-member":
 		buf.WriteString(" syntax:\n")
 		buf.WriteString("   " + domainParam + " add-member regular_role user_or_service [user_or_service ...]\n")
@@ -2187,15 +2204,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 		buf.WriteString("   show-groups-principal\n")
 	case "add-group":
 		buf.WriteString(" syntax:\n")
-		buf.WriteString("   " + domainParam + " add-group group member [member ... ]\n")
+		buf.WriteString("   " + domainParam + " add-group group [-audit-enabled] [member ... ]\n")
 		buf.WriteString(" parameters:\n")
 		if !interactive {
 			buf.WriteString("   domain  : name of the domain that group belongs to\n")
 		}
 		buf.WriteString("   group    : name of the group\n")
+		buf.WriteString("   -audit-enabled : mark the group as audit-enabled - can't have any members specified \n")
 		buf.WriteString("   member  : list of group members that could be either users or services\n")
 		buf.WriteString(" examples:\n")
 		buf.WriteString("   " + domainExample + " add-group readers " + cli.UserDomain + ".john " + cli.UserDomain + ".joe media.sports.storage\n")
+		buf.WriteString("   " + domainExample + " add-group readers -audit-enabled\n")
 	case "add-group-member":
 		buf.WriteString(" syntax:\n")
 		buf.WriteString("   " + domainParam + " add-member group user_or_service [user_or_service ...]\n")
@@ -3430,7 +3449,7 @@ func (cli Zms) HelpListCommand() string {
 	buf.WriteString("   show-roles-principal [principal] [expand]\n")
 	buf.WriteString("   list-roles-for-review [principal]\n")
 	buf.WriteString("   add-delegated-role role trusted_domain\n")
-	buf.WriteString("   add-regular-role role member [member ... ]\n")
+	buf.WriteString("   add-regular-role role [-audit-enabled] [member ... ]\n")
 	buf.WriteString("   add-member regular_role user_or_service [user_or_service ...]\n")
 	buf.WriteString("   add-temporary-member regular_role user_or_service expiration\n")
 	buf.WriteString("   add-reviewed-member regular_role user_or_service review\n")
@@ -3473,7 +3492,7 @@ func (cli Zms) HelpListCommand() string {
 	buf.WriteString("   show-groups [tag_key] [tag_value]\n")
 	buf.WriteString("   show-groups-principal [principal]\n")
 	buf.WriteString("   list-groups-for-review [principal]\n")
-	buf.WriteString("   add-group group member [member ... ]\n")
+	buf.WriteString("   add-group group [-audit-enabled] [member ... ]\n")
 	buf.WriteString("   add-group-member group user_or_service [user_or_service ...]\n")
 	buf.WriteString("   check-group-member group user_or_service [user_or_service ...]\n")
 	buf.WriteString("   check-active-group-member group user_or_service\n")
@@ -3586,15 +3605,15 @@ func SetX509CertClient(cli *Zms, keyFile, certFile, caCertFile, socksProxy strin
 			return err
 		}
 	}
-	config, err := config.ClientTLSConfigFromPEM(keypem, certpem, cacertpem)
+	tlsConfig, err := config.ClientTLSConfigFromPEM(keypem, certpem, cacertpem)
 	if err != nil {
 		return err
 	}
 	if skipVerify {
-		config.InsecureSkipVerify = skipVerify
+		tlsConfig.InsecureSkipVerify = skipVerify
 	}
 	tr := &http.Transport{
-		TLSClientConfig: config,
+		TLSClientConfig: tlsConfig,
 	}
 	if httpProxy {
 		tr.Proxy = http.ProxyFromEnvironment
@@ -3603,7 +3622,10 @@ func SetX509CertClient(cli *Zms, keyFile, certFile, caCertFile, socksProxy strin
 		dialer := &net.Dialer{}
 		dialSocksProxy, err := proxy.SOCKS5("tcp", socksProxy, nil, dialer)
 		if err == nil {
-			tr.Dial = dialSocksProxy.Dial
+			dialContext := func(ctx context.Context, network, address string) (net.Conn, error) {
+				return dialSocksProxy.Dial(network, address)
+			}
+			tr.DialContext = dialContext
 		}
 	}
 	cli.Zms = zms.NewClient(cli.ZmsUrl, tr)

diff --git a/libs/go/zmscli/group.go b/libs/go/zmscli/group.go
@@ -182,7 +182,7 @@ func (cli Zms) SetGroupServiceExpiryDays(dn string, rn string, days int32) (*str
 	return cli.dumpByFormat(message, cli.buildYAMLOutput)
 }
 
-func (cli Zms) AddGroup(dn string, gn string, groupMembers []*zms.GroupMember) (*string, error) {
+func (cli Zms) AddGroup(dn string, gn string, auditEnabled bool, groupMembers []*zms.GroupMember) (*string, error) {
 	fullResourceName := dn + ":group." + gn
 	var group zms.Group
 	if !cli.Overwrite {
@@ -198,6 +198,9 @@ func (cli Zms) AddGroup(dn string, gn string, groupMembers []*zms.GroupMember) (
 		}
 	}
 	group.Name = zms.ResourceName(fullResourceName)
+	if auditEnabled {
+		group.AuditEnabled = &auditEnabled
+	}
 	group.GroupMembers = groupMembers
 	cli.validateGroupMembers(group.GroupMembers)
 	returnObject := true

diff --git a/libs/go/zmscli/import.go b/libs/go/zmscli/import.go
@@ -89,11 +89,7 @@ func (cli Zms) importGroups(dn string, lstGroups []*zms.Group, existingGroups *z
 			}
 			_, err = cli.AddGroupMembers(dn, gn, groupMembers)
 		} else {
-			groupMembers := make([]*zms.GroupMember, 0)
-			for _, groupMember := range group.GroupMembers {
-				groupMembers = append(groupMembers, groupMember)
-			}
-			_, err = cli.AddGroup(dn, gn, groupMembers)
+			_, err = cli.AddGroup(dn, gn, *group.AuditEnabled, group.GroupMembers)
 		}
 		cli.Verbose = b
 		if shouldReportError(updateDomain, cli.SkipErrors, err) {
@@ -118,7 +114,7 @@ func (cli Zms) importGroupsOld(dn string, lstGroups []interface{}, skipErrors bo
 		}
 		b := cli.Verbose
 		cli.Verbose = true
-		_, err := cli.AddGroup(dn, gn, groupMembers)
+		_, err := cli.AddGroup(dn, gn, false, groupMembers)
 		cli.Verbose = b
 		if shouldReportError(skipErrors, cli.SkipErrors, err) {
 			return err
@@ -176,7 +172,7 @@ func (cli Zms) importRoles(dn string, lstRoles []*zms.Role, existingRoles *zms.R
 				if updateDomain && roleExists(role.Name, existingRoles) {
 					_, err = cli.AddRoleMembers(dn, rn, roleMembers)
 				} else {
-					_, err = cli.AddRegularRole(dn, rn, roleMembers)
+					_, err = cli.AddRegularRole(dn, rn, *role.AuditEnabled, roleMembers)
 				}
 				cli.Verbose = b
 			}
@@ -194,7 +190,7 @@ func (cli Zms) importRoles(dn string, lstRoles []*zms.Role, existingRoles *zms.R
 				roleMembers := make([]*zms.RoleMember, 0)
 				b := cli.Verbose
 				cli.Verbose = true
-				_, err := cli.AddRegularRole(dn, rn, roleMembers)
+				_, err := cli.AddRegularRole(dn, rn, *role.AuditEnabled, roleMembers)
 				cli.Verbose = b
 				if shouldReportError(updateDomain, cli.SkipErrors, err) {
 					return err
@@ -214,24 +210,24 @@ func (cli Zms) importRolesOld(dn string, lstRoles []interface{}, validatedAdmins
 			mem := val.([]interface{})
 			roleMembers := make([]*zms.RoleMember, 0)
 			var err error
-			var role *zms.Role
+			var adminRole *zms.Role
 			if rn == "admin" && validatedAdmins != nil {
 				// need to retrieve the current admin role
 				// and make sure to remove any existing admin
-				role, err = cli.Zms.GetRole(zms.DomainName(dn), "admin", nil, nil, nil)
+				adminRole, err = cli.Zms.GetRole(zms.DomainName(dn), "admin", nil, nil, nil)
 				if err != nil {
 					return err
 				}
 				for _, mbr := range mem {
 					roleMember := parseRoleMember(mbr.(map[string]interface{}))
-					if !cli.containsMember(role.RoleMembers, string(roleMember.MemberName)) {
+					if !cli.containsMember(adminRole.RoleMembers, string(roleMember.MemberName)) {
 						roleMembers = append(roleMembers, roleMember)
 					}
 				}
 				for _, admin := range validatedAdmins {
 					roleMember := zms.NewRoleMember()
 					roleMember.MemberName = zms.MemberName(admin)
-					if !cli.containsMember(roleMembers, admin) && !cli.containsMember(role.RoleMembers, admin) {
+					if !cli.containsMember(roleMembers, admin) && !cli.containsMember(adminRole.RoleMembers, admin) {
 						roleMembers = append(roleMembers, roleMember)
 					}
 				}
@@ -243,7 +239,7 @@ func (cli Zms) importRolesOld(dn string, lstRoles []interface{}, validatedAdmins
 				}
 				b := cli.Verbose
 				cli.Verbose = true
-				_, err = cli.AddRegularRole(dn, rn, roleMembers)
+				_, err = cli.AddRegularRole(dn, rn, false, roleMembers)
 				cli.Verbose = b
 			}
 			if shouldReportError(skipErrors, cli.SkipErrors, err) {
@@ -259,7 +255,7 @@ func (cli Zms) importRolesOld(dn string, lstRoles []interface{}, validatedAdmins
 			roleMembers := make([]*zms.RoleMember, 0)
 			b := cli.Verbose
 			cli.Verbose = true
-			_, err := cli.AddRegularRole(dn, rn, roleMembers)
+			_, err := cli.AddRegularRole(dn, rn, false, roleMembers)
 			cli.Verbose = b
 			if shouldReportError(skipErrors, cli.SkipErrors, err) {
 				return err

diff --git a/libs/go/zmscli/role.go b/libs/go/zmscli/role.go
@@ -118,7 +118,7 @@ func (cli Zms) AddDelegatedRole(dn string, rn string, trusted string) (*string,
 	return cli.ShowUpdatedRole(updatedRole, false)
 }
 
-func (cli Zms) AddRegularRole(dn string, rn string, roleMembers []*zms.RoleMember) (*string, error) {
+func (cli Zms) AddRegularRole(dn string, rn string, auditEnabled bool, roleMembers []*zms.RoleMember) (*string, error) {
 	fullResourceName := dn + ":role." + rn
 	var role zms.Role
 	if !cli.Overwrite {
@@ -137,6 +137,9 @@ func (cli Zms) AddRegularRole(dn string, rn string, roleMembers []*zms.RoleMembe
 		return nil, fmt.Errorf("cannot replace reserved 'admin' role")
 	}
 	role.Name = zms.ResourceName(fullResourceName)
+	if auditEnabled {
+		role.AuditEnabled = &auditEnabled
+	}
 	role.RoleMembers = roleMembers
 	cli.validateRoleMembers(role.RoleMembers)
 	returnObject := true