This repository has been archived by the owner on Aug 24, 2023. It is now read-only.
forked from gravitational/teleport-plugins
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathapp.go
378 lines (317 loc) · 9.76 KB
/
app.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
package main
import (
"context"
"net/url"
"regexp"
"strings"
"time"
"github.com/gravitational/teleport-plugins/access"
"github.com/gravitational/teleport-plugins/lib"
"github.com/gravitational/teleport-plugins/lib/logger"
"google.golang.org/grpc"
"google.golang.org/grpc/backoff"
"github.com/gravitational/trace"
)
// MinServerVersion is the minimal teleport version the plugin supports.
const MinServerVersion = "5.0.0"
var resolveReasonInlineRegex = regexp.MustCompile(`(?im)^ *(resolution|reason) *: *(.+)$`)
var resolveReasonSeparatorRegex = regexp.MustCompile(`(?im)^ *(resolution|reason) *: *$`)
// App contains global application state.
type App struct {
conf Config
accessClient access.Client
bot *Bot
webhookSrv *WebhookServer
mainJob lib.ServiceJob
*lib.Process
}
func NewApp(conf Config) (*App, error) {
app := &App{conf: conf}
app.mainJob = lib.NewServiceJob(app.run)
return app, nil
}
// Run initializes and runs a watcher and a callback server
func (a *App) Run(ctx context.Context) error {
// Initialize the process.
a.Process = lib.NewProcess(ctx)
a.SpawnCriticalJob(a.mainJob)
<-a.Process.Done()
return trace.Wrap(a.mainJob.Err())
}
// Err returns the error app finished with.
func (a *App) Err() error {
return trace.Wrap(a.mainJob.Err())
}
// WaitReady waits for http and watcher service to start up.
func (a *App) WaitReady(ctx context.Context) (bool, error) {
return a.mainJob.WaitReady(ctx)
}
func (a *App) PublicURL() *url.URL {
if !a.mainJob.IsReady() {
panic("app is not running")
}
return a.webhookSrv.BaseURL()
}
func (a *App) run(ctx context.Context) (err error) {
log := logger.Get(ctx)
log.Infof("Starting Teleport Access JIRAbot %s:%s", Version, Gitref)
// Create webhook server prividing a.OnJIRAWebhook as a callback function
a.webhookSrv, err = NewWebhookServer(a.conf.HTTP, a.onJIRAWebhook)
if err != nil {
return
}
a.bot = NewBot(a.conf.JIRA)
tlsConf, err := access.LoadTLSConfig(
a.conf.Teleport.ClientCrt,
a.conf.Teleport.ClientKey,
a.conf.Teleport.RootCAs,
)
if trace.Unwrap(err) == access.ErrInvalidCertificate {
log.WithError(err).Warning("Auth client TLS configuration error")
} else if err != nil {
return err
}
bk := backoff.DefaultConfig
bk.MaxDelay = time.Second * 2
a.accessClient, err = access.NewClient(
ctx,
"jira",
a.conf.Teleport.AuthServer,
tlsConf,
grpc.WithConnectParams(grpc.ConnectParams{
Backoff: bk,
}),
)
if err != nil {
return trace.Wrap(err)
}
if err = a.checkTeleportVersion(ctx); err != nil {
return
}
log.Debug("Starting JIRA API health check...")
if err = a.bot.HealthCheck(ctx); err != nil {
log.WithError(err).Error("JIRA API health check failed")
a.Terminate()
return
}
log.Debug("JIRA API health check finished ok")
err = a.webhookSrv.EnsureCert()
if err != nil {
return
}
httpJob := a.webhookSrv.ServiceJob()
a.SpawnCriticalJob(httpJob)
httpOk, err := httpJob.WaitReady(ctx)
if err != nil {
return
}
watcherJob := access.NewWatcherJob(
a.accessClient,
access.Filter{State: access.StatePending},
a.onWatcherEvent,
)
a.SpawnCriticalJob(watcherJob)
watcherOk, err := watcherJob.WaitReady(ctx)
if err != nil {
return
}
a.mainJob.SetReady(httpOk && watcherOk)
<-httpJob.Done()
<-watcherJob.Done()
return trace.NewAggregate(httpJob.Err(), watcherJob.Err())
}
func (a *App) checkTeleportVersion(ctx context.Context) error {
log := logger.Get(ctx)
log.Debug("Checking Teleport server version")
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
defer cancel()
pong, err := a.accessClient.Ping(ctx)
if err != nil {
if trace.IsNotImplemented(err) {
return trace.Wrap(err, "server version must be at least %s", MinServerVersion)
}
log.Error("Unable to get Teleport server version")
return trace.Wrap(err)
}
a.bot.clusterName = pong.ClusterName
err = pong.AssertServerVersion(MinServerVersion)
return trace.Wrap(err)
}
func (a *App) onWatcherEvent(ctx context.Context, event access.Event) error {
req, op := event.Request, event.Type
ctx = logger.SetField(ctx, "request_id", req.ID)
switch op {
case access.OpPut:
ctx, log := logger.WithField(ctx, "request_op", "put")
if !req.State.IsPending() {
log.WithField("event", event).Warn("non-pending request event")
return nil
}
if err := a.onPendingRequest(ctx, req); err != nil {
log := log.WithError(err)
log.Errorf("Failed to process pending request")
log.Debugf("%v", trace.DebugReport(err))
return err
}
return nil
case access.OpDelete:
ctx, log := logger.WithField(ctx, "request_op", "delete")
if err := a.onDeletedRequest(ctx, req); err != nil {
log := log.WithError(err)
log.Errorf("Failed to process deleted request")
log.Debugf("%v", trace.DebugReport(err))
return err
}
return nil
default:
return trace.BadParameter("unexpected event operation %s", op)
}
}
// onJIRAWebhook processes JIRA webhook and updates the status of an issue
func (a *App) onJIRAWebhook(ctx context.Context, webhook Webhook) error {
log := logger.Get(ctx)
if webhook.WebhookEvent != "jira:issue_updated" || webhook.IssueEventTypeName != "issue_generic" {
return nil
}
if webhook.Issue == nil {
return trace.Errorf("got webhook without issue info")
}
issue, err := a.bot.GetIssue(ctx, webhook.Issue.ID)
if err != nil {
return trace.Wrap(err)
}
statusName := strings.ToLower(issue.Fields.Status.Name)
if statusName == "pending" {
log.Debug("Issue is pending, ignoring it")
return nil
} else if statusName == "expired" {
log.Debug("Issue is expired, ignoring it")
return nil
} else if statusName != "approved" && statusName != "denied" {
return trace.BadParameter("unknown JIRA status %q", statusName)
}
reqID, err := issue.GetRequestID()
if err != nil {
return trace.Wrap(err)
}
ctx, log = logger.WithField(ctx, "request_id", reqID)
req, err := a.accessClient.GetRequest(ctx, reqID)
if err != nil {
if trace.IsNotFound(err) {
log.WithError(err).Warning("Cannot process expired request")
return nil
}
return trace.Wrap(err)
}
if req.State != access.StatePending {
log.WithField("request_state", req.State).Warningf("Cannot process not pending request")
return nil
}
pluginData, err := a.getPluginData(ctx, reqID)
if err != nil {
return trace.Wrap(err)
}
ctx, log = logger.WithFields(ctx, logger.Fields{
"jira_issue_id": issue.ID,
"jira_issue_key": issue.Key,
})
if pluginData.JiraData.ID != issue.ID {
log.WithField("plugin_data_issue_id", pluginData.JiraData.ID).Debug("plugin_data.issue_id does not match issue.id")
return trace.Errorf("issue_id from request's plugin_data does not match")
}
var (
params access.RequestStateParams
resolution string
)
issueUpdate, err := issue.GetLastUpdate(statusName)
if err == nil {
params.Delegator = issueUpdate.Author.EmailAddress
accountID := issueUpdate.Author.AccountID
err := a.bot.RangeIssueCommentsDescending(ctx, issue.ID, func(page PageOfComments) bool {
for _, comment := range page.Comments {
if comment.Author.AccountID != accountID {
continue
}
contents := comment.Body
if submatch := resolveReasonInlineRegex.FindStringSubmatch(contents); len(submatch) > 0 {
params.Reason = strings.Trim(submatch[2], " \n")
return false
} else if locs := resolveReasonSeparatorRegex.FindStringIndex(contents); len(locs) > 0 {
params.Reason = strings.TrimLeft(contents[locs[1]:], "\n")
return false
}
}
return true
})
if err != nil {
log.WithError(err).Error("Cannot load issue comments")
}
} else {
log.WithError(err).Error("Cannot determine who updated the issue status")
}
ctx, log = logger.WithFields(ctx, logger.Fields{
"jira_user_email": issueUpdate.Author.EmailAddress,
"jira_user_name": issueUpdate.Author.DisplayName,
"request_user": req.User,
"request_roles": req.Roles,
"reason": params.Reason,
})
switch statusName {
case "approved":
params.State = access.StateApproved
resolution = "approved"
case "denied":
params.State = access.StateDenied
resolution = "denied"
}
if err := a.accessClient.SetRequestStateExt(ctx, req.ID, params); err != nil {
return trace.Wrap(err)
}
log.Infof("JIRA user %s the request", resolution)
return nil
}
func (a *App) onPendingRequest(ctx context.Context, req access.Request) error {
reqData := RequestData{User: req.User, Roles: req.Roles, RequestReason: req.RequestReason, Created: req.Created}
jiraData, err := a.bot.CreateIssue(ctx, req.ID, reqData)
if err != nil {
return trace.Wrap(err)
}
logger.Get(ctx).WithFields(logger.Fields{
"jira_issue_id": jiraData.ID,
"jira_issue_key": jiraData.Key,
}).Info("JIRA Issue created")
err = a.setPluginData(ctx, req.ID, PluginData{reqData, jiraData})
return trace.Wrap(err)
}
func (a *App) onDeletedRequest(ctx context.Context, req access.Request) error {
log := logger.Get(ctx)
reqID := req.ID // This is the only available field
pluginData, err := a.getPluginData(ctx, reqID)
if err != nil {
if trace.IsNotFound(err) {
log.WithError(err).Warn("Cannot expire unknown request")
return nil
}
return trace.Wrap(err)
}
reqData, jiraData := pluginData.RequestData, pluginData.JiraData
if jiraData.ID == "" {
log.Warn("Plugin data is either missing or expired")
return nil
}
if err := a.bot.ExpireIssue(ctx, reqID, reqData, jiraData); err != nil {
return trace.Wrap(err)
}
log.Info("Successfully marked request as expired")
return nil
}
func (a *App) getPluginData(ctx context.Context, reqID string) (PluginData, error) {
dataMap, err := a.accessClient.GetPluginData(ctx, reqID)
if err != nil {
return PluginData{}, trace.Wrap(err)
}
return DecodePluginData(dataMap), nil
}
func (a *App) setPluginData(ctx context.Context, reqID string, data PluginData) error {
return a.accessClient.UpdatePluginData(ctx, reqID, EncodePluginData(data), nil)
}