diff --git a/libs/go/zmscli/cli.go b/libs/go/zmscli/cli.go
index 19664871d70..927a478bfce 100644
--- a/libs/go/zmscli/cli.go
+++ b/libs/go/zmscli/cli.go
@@ -5,6 +5,7 @@ package zmscli
 import (
 "bytes"
+ "context"
 "encoding/json"
 "fmt"
 "gopkg.in/yaml.v2"
@@ -554,8 +555,15 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 }
 case "add-group-role", "add-regular-role":
 if argc >= 1 {
- roleMembers := cli.convertRoleMembers(args[1:])
- return cli.AddRegularRole(dn, args[0], roleMembers)
+ auditEnabled := false
+ var roleMembers []*zms.RoleMember
+ if argc >= 2 && args[1] == "-audit-enabled" {
+ auditEnabled = true
+ roleMembers = cli.convertRoleMembers(args[2:])
+ } else {
+ roleMembers = cli.convertRoleMembers(args[1:])
+ }
+ return cli.AddRegularRole(dn, args[0], auditEnabled, roleMembers)
 }
 case "add-provider-role-member", "add-provider-role-members":
 if argc >= 4 {
@@ -638,8 +646,15 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 return output, err
 case "add-group":
 if argc >= 1 {
- groupMembers := cli.convertGroupMembers(args[1:])
- return cli.AddGroup(dn, args[0], groupMembers)
+ auditEnabled := false
+ var groupMembers []*zms.GroupMember
+ if argc >= 2 && args[1] == "-audit-enabled" {
+ auditEnabled = true
+ groupMembers = cli.convertGroupMembers(args[2:])
+ } else {
+ groupMembers = cli.convertGroupMembers(args[1:])
+ }
+ return cli.AddGroup(dn, args[0], auditEnabled, groupMembers)
 }
 case "add-group-member", "add-group-members":
 if argc >= 2 {
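Review bot: In the add-regular-role branch the `-audit-enabled` flag is accepted together with member arguments (`args[2:]` is still converted and passed on to AddRegularRole), although the help text this commit adds states an audit-enabled role can't have any members specified; the add-group branch in the next hunk has the same gap. A client-side check keeps the failure local and explicit rather than relying on whatever the server does with the combination: inside the flag branch, before `auditEnabled = true`, add `if argc > 2 { return nil, fmt.Errorf("audit-enabled role cannot have members specified") }`. The flag is also only recognised in `args[1]`; placed anywhere else it is silently treated as a member name, which is worth stating in the help text if positional placement is intended. EvalCommand starts and ends outside the hunk.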
@@ -2001,15 +2016,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 buf.WriteString(" " + domainExample + " add-delegated-role tenant.sports.readers sports\n")
 case "add-group-role", "add-regular-role":
 buf.WriteString(" syntax:\n")
- buf.WriteString(" " + domainParam + " add-regular-role role member [member ... ]\n")
+ buf.WriteString(" " + domainParam + " add-regular-role role [-audit-enabled] [member ... ]\n")
 buf.WriteString(" parameters:\n")
 if !interactive {
 buf.WriteString(" domain : name of the domain that role belongs to\n")
 }
 buf.WriteString(" role : name of the standard role\n")
+ buf.WriteString(" -audit-enabled : mark the role as audit-enabled - can't have any members specified \n")
 buf.WriteString(" member : list of members that could be either users or services\n")
 buf.WriteString(" examples:\n")
 buf.WriteString(" " + domainExample + " add-regular-role readers " + cli.UserDomain + ".john " + cli.UserDomain + ".joe media.sports.storage\n")
+ buf.WriteString(" " + domainExample + " add-regular-role readers -audit-enabled\n")
 case "add-member":
 buf.WriteString(" syntax:\n")
 buf.WriteString(" " + domainParam + " add-member regular_role user_or_service [user_or_service ...]\n")
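Review bot: The added parameter line `-audit-enabled : mark the role as audit-enabled - can't have any members specified \n` has a stray space before the `\n`, so the help output carries trailing whitespace; the matching add-group line in the next hunk has the same. Drop the space so the line ends `... members specified\n`. HelpSpecificCommand starts and ends outside the hunk.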
@@ -2187,15 +2204,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 buf.WriteString(" show-groups-principal\n")
 case "add-group":
 buf.WriteString(" syntax:\n")
- buf.WriteString(" " + domainParam + " add-group group member [member ... ]\n")
+ buf.WriteString(" " + domainParam + " add-group group [-audit-enabled] [member ... ]\n")
 buf.WriteString(" parameters:\n")
 if !interactive {
 buf.WriteString(" domain : name of the domain that group belongs to\n")
 }
 buf.WriteString(" group : name of the group\n")
+ buf.WriteString(" -audit-enabled : mark the group as audit-enabled - can't have any members specified \n")
 buf.WriteString(" member : list of group members that could be either users or services\n")
 buf.WriteString(" examples:\n")
 buf.WriteString(" " + domainExample + " add-group readers " + cli.UserDomain + ".john " + cli.UserDomain + ".joe media.sports.storage\n")
+ buf.WriteString(" " + domainExample + " add-group readers -audit-enabled\n")
 case "add-group-member":
 buf.WriteString(" syntax:\n")
 buf.WriteString(" " + domainParam + " add-member group user_or_service [user_or_service ...]\n")
@@ -3430,7 +3449,7 @@ func (cli Zms) HelpListCommand() string {
 buf.WriteString(" show-roles-principal [principal] [expand]\n")
 buf.WriteString(" list-roles-for-review [principal]\n")
 buf.WriteString(" add-delegated-role role trusted_domain\n")
- buf.WriteString(" add-regular-role role member [member ... ]\n")
+ buf.WriteString(" add-regular-role role [-audit-enabled] [member ... ]\n")
 buf.WriteString(" add-member regular_role user_or_service [user_or_service ...]\n")
 buf.WriteString(" add-temporary-member regular_role user_or_service expiration\n")
 buf.WriteString(" add-reviewed-member regular_role user_or_service review\n")
@@ -3473,7 +3492,7 @@ func (cli Zms) HelpListCommand() string {
 buf.WriteString(" show-groups [tag_key] [tag_value]\n")
 buf.WriteString(" show-groups-principal [principal]\n")
 buf.WriteString(" list-groups-for-review [principal]\n")
- buf.WriteString(" add-group group member [member ... ]\n")
+ buf.WriteString(" add-group group [-audit-enabled] [member ... ]\n")
 buf.WriteString(" add-group-member group user_or_service [user_or_service ...]\n")
 buf.WriteString(" check-group-member group user_or_service [user_or_service ...]\n")
 buf.WriteString(" check-active-group-member group user_or_service\n")
@@ -3586,15 +3605,15 @@ func SetX509CertClient(cli *Zms, keyFile, certFile, caCertFile, socksProxy strin
 return err
 }
 }
- config, err := config.ClientTLSConfigFromPEM(keypem, certpem, cacertpem)
+ tlsConfig, err := config.ClientTLSConfigFromPEM(keypem, certpem, cacertpem)
 if err != nil {
 return err
 }
 if skipVerify {
- config.InsecureSkipVerify = skipVerify
+ tlsConfig.InsecureSkipVerify = skipVerify
 }
 tr := &http.Transport{
- TLSClientConfig: config,
+ TLSClientConfig: tlsConfig,
 }
 if httpProxy {
 tr.Proxy = http.ProxyFromEnvironment
@@ -3603,7 +3622,10 @@ func SetX509CertClient(cli *Zms, keyFile, certFile, caCertFile, socksProxy strin
 dialer := &net.Dialer{}
 dialSocksProxy, err := proxy.SOCKS5("tcp", socksProxy, nil, dialer)
 if err == nil {
- tr.Dial = dialSocksProxy.Dial
+ dialContext := func(ctx context.Context, network, address string) (net.Conn, error) {
+ return dialSocksProxy.Dial(network, address)
+ }
+ tr.DialContext = dialContext
 }
 }
 cli.Zms = zms.NewClient(cli.ZmsUrl, tr)
diff --git a/libs/go/zmscli/group.go b/libs/go/zmscli/group.go
index b784d13ab59..820eb9c3c01 100644
--- a/libs/go/zmscli/group.go
+++ b/libs/go/zmscli/group.go
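Review bot: The new `dialContext` closure discards `ctx`, so the SOCKS dial is not bound to the request context: a client timeout or cancellation cannot abort a proxy connection that hangs, which is exactly what moving from `Dial` to `DialContext` is meant to provide. If the vendored golang.org/x/net/proxy is recent enough that the dialer returned by `proxy.SOCKS5` implements `proxy.ContextDialer`, use its `DialContext` and keep the plain `Dial` only as a fallback. SetX509CertClient starts and ends outside the hunk.
```go
if err == nil {
	tr.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
		if cd, ok := dialSocksProxy.(proxy.ContextDialer); ok {
			return cd.DialContext(ctx, network, address)
		}
		return dialSocksProxy.Dial(network, address)
	}
}
```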
@@ -182,7 +182,7 @@ func (cli Zms) SetGroupServiceExpiryDays(dn string, rn string, days int32) (*str
 return cli.dumpByFormat(message, cli.buildYAMLOutput)
 }
 
-func (cli Zms) AddGroup(dn string, gn string, groupMembers []*zms.GroupMember) (*string, error) {
+func (cli Zms) AddGroup(dn string, gn string, auditEnabled bool, groupMembers []*zms.GroupMember) (*string, error) {
 fullResourceName := dn + ":group." + gn
 var group zms.Group
 if !cli.Overwrite {
@@ -198,6 +198,9 @@ func (cli Zms) AddGroup(dn string, gn string, groupMembers []*zms.GroupMember) (
 }
 }
 group.Name = zms.ResourceName(fullResourceName)
+ if auditEnabled {
+ group.AuditEnabled = &auditEnabled
+ }
 group.GroupMembers = groupMembers
 cli.validateGroupMembers(group.GroupMembers)
 returnObject := true
diff --git a/libs/go/zmscli/import.go b/libs/go/zmscli/import.go
index ea9854feb8b..ad54fc34348 100644
--- a/libs/go/zmscli/import.go
+++ b/libs/go/zmscli/import.go
@@ -89,11 +89,7 @@ func (cli Zms) importGroups(dn string, lstGroups []*zms.Group, existingGroups *z
 }
 _, err = cli.AddGroupMembers(dn, gn, groupMembers)
 } else {
- groupMembers := make([]*zms.GroupMember, 0)
- for _, groupMember := range group.GroupMembers {
- groupMembers = append(groupMembers, groupMember)
- }
- _, err = cli.AddGroup(dn, gn, groupMembers)
+ _, err = cli.AddGroup(dn, gn, *group.AuditEnabled, group.GroupMembers)
 }
 cli.Verbose = b
 if shouldReportError(updateDomain, cli.SkipErrors, err) {
@@ -118,7 +114,7 @@ func (cli Zms) importGroupsOld(dn string, lstGroups []interface{}, skipErrors bo
 }
 b := cli.Verbose
 cli.Verbose = true
- _, err := cli.AddGroup(dn, gn, groupMembers)
+ _, err := cli.AddGroup(dn, gn, false, groupMembers)
 cli.Verbose = b
 if shouldReportError(skipErrors, cli.SkipErrors, err) {
 return err
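Review bot: `AddGroup` is exported and its signature changes here, yet it still has no doc comment; the same applies to `AddRegularRole` in the role.go hunk at the end of the diff. A go-doc style comment naming the new parameter would help callers, e.g. `// AddGroup creates the group gn in domain dn with the given members. When auditEnabled is true the group is marked audit-enabled; when false any existing flag is left untouched.` The body continues past the hunk, so confirm the wording against the `!cli.Overwrite` branch.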
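Review bot: `*group.AuditEnabled` in the importGroups hunk dereferences a pointer field with no nil check; `AuditEnabled` is a `*bool` (the group.go hunk above stores `&auditEnabled` into it), so a group parsed from an import file that omits the field leaves it nil and the import panics here instead of reporting through `shouldReportError`. The same dereference appears twice as `*role.AuditEnabled` in the importRoles hunks that follow. Read it through a nil-safe expression, `auditEnabled := group.AuditEnabled != nil && *group.AuditEnabled`, and pass `auditEnabled` to AddGroup. importGroups starts and ends outside the hunk.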
@@ -176,7 +172,7 @@ func (cli Zms) importRoles(dn string, lstRoles []*zms.Role, existingRoles *zms.R
 if updateDomain && roleExists(role.Name, existingRoles) {
 _, err = cli.AddRoleMembers(dn, rn, roleMembers)
 } else {
- _, err = cli.AddRegularRole(dn, rn, roleMembers)
+ _, err = cli.AddRegularRole(dn, rn, *role.AuditEnabled, roleMembers)
 }
 cli.Verbose = b
 }
@@ -194,7 +190,7 @@ func (cli Zms) importRoles(dn string, lstRoles []*zms.Role, existingRoles *zms.R
 roleMembers := make([]*zms.RoleMember, 0)
 b := cli.Verbose
 cli.Verbose = true
- _, err := cli.AddRegularRole(dn, rn, roleMembers)
+ _, err := cli.AddRegularRole(dn, rn, *role.AuditEnabled, roleMembers)
 cli.Verbose = b
 if shouldReportError(updateDomain, cli.SkipErrors, err) {
 return err
@@ -214,24 +210,24 @@ func (cli Zms) importRolesOld(dn string, lstRoles []interface{}, validatedAdmins
 mem := val.([]interface{})
 roleMembers := make([]*zms.RoleMember, 0)
 var err error
- var role *zms.Role
+ var adminRole *zms.Role
 if rn == "admin" && validatedAdmins != nil {
 // need to retrieve the current admin role
 // and make sure to remove any existing admin
- role, err = cli.Zms.GetRole(zms.DomainName(dn), "admin", nil, nil, nil)
+ adminRole, err = cli.Zms.GetRole(zms.DomainName(dn), "admin", nil, nil, nil)
 if err != nil {
 return err
 }
 for _, mbr := range mem {
 roleMember := parseRoleMember(mbr.(map[string]interface{}))
- if !cli.containsMember(role.RoleMembers, string(roleMember.MemberName)) {
+ if !cli.containsMember(adminRole.RoleMembers, string(roleMember.MemberName)) {
 roleMembers = append(roleMembers, roleMember)
 }
 }
 for _, admin := range validatedAdmins {
 roleMember := zms.NewRoleMember()
 roleMember.MemberName = zms.MemberName(admin)
- if !cli.containsMember(roleMembers, admin) && !cli.containsMember(role.RoleMembers, admin) {
+ if !cli.containsMember(roleMembers, admin) && !cli.containsMember(adminRole.RoleMembers, admin) {
 roleMembers = append(roleMembers, roleMember)
 }
 }
@@ -243,7 +239,7 @@ func (cli Zms) importRolesOld(dn string, lstRoles []interface{}, validatedAdmins
 }
 b := cli.Verbose
 cli.Verbose = true
- _, err = cli.AddRegularRole(dn, rn, roleMembers)
+ _, err = cli.AddRegularRole(dn, rn, false, roleMembers)
 cli.Verbose = b
 }
 if shouldReportError(skipErrors, cli.SkipErrors, err) {
@@ -259,7 +255,7 @@ func (cli Zms) importRolesOld(dn string, lstRoles []interface{}, validatedAdmins
 roleMembers := make([]*zms.RoleMember, 0)
 b := cli.Verbose
 cli.Verbose = true
- _, err := cli.AddRegularRole(dn, rn, roleMembers)
+ _, err := cli.AddRegularRole(dn, rn, false, roleMembers)
 cli.Verbose = b
 if shouldReportError(skipErrors, cli.SkipErrors, err) {
 return err
diff --git a/libs/go/zmscli/role.go b/libs/go/zmscli/role.go
index ae2d1045fbc..a23ec979ff9 100644
--- a/libs/go/zmscli/role.go
+++ b/libs/go/zmscli/role.go
@@ -118,7 +118,7 @@ func (cli Zms) AddDelegatedRole(dn string, rn string, trusted string) (*string,
 return cli.ShowUpdatedRole(updatedRole, false)
 }
 
-func (cli Zms) AddRegularRole(dn string, rn string, roleMembers []*zms.RoleMember) (*string, error) {
+func (cli Zms) AddRegularRole(dn string, rn string, auditEnabled bool, roleMembers []*zms.RoleMember) (*string, error) {
 fullResourceName := dn + ":role." + rn
 var role zms.Role
 if !cli.Overwrite {
@@ -137,6 +137,9 @@ func (cli Zms) AddRegularRole(dn string, rn string, roleMembers []*zms.RoleMembe
 return nil, fmt.Errorf("cannot replace reserved 'admin' role")
 }
 role.Name = zms.ResourceName(fullResourceName)
+ if auditEnabled {
+ role.AuditEnabled = &auditEnabled
+ }
 role.RoleMembers = roleMembers
 cli.validateRoleMembers(role.RoleMembers)
 returnObject := true