consul/command/acl/bindingrule/update/bindingrule_update.go

272 lines
6.4 KiB
Go
Raw Normal View History

// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 13:12:13 +00:00
// SPDX-License-Identifier: BUSL-1.1
package bindingruleupdate
import (
"flag"
"fmt"
"strings"
"github.com/mitchellh/cli"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/acl"
"github.com/hashicorp/consul/command/acl/bindingrule"
"github.com/hashicorp/consul/command/flags"
)
func New(ui cli.Ui) *cmd {
c := &cmd{UI: ui}
c.init()
return c
}
type cmd struct {
UI cli.Ui
flags *flag.FlagSet
http *flags.HTTPFlags
help string
ruleID string
description string
selector string
bindType string
bindName string
bindVars map[string]string
noMerge bool
showMeta bool
format string
}
func (c *cmd) init() {
c.flags = flag.NewFlagSet("", flag.ContinueOnError)
c.flags.BoolVar(
&c.showMeta,
"meta",
false,
"Indicates that binding rule metadata such "+
"as the raft indices should be shown for each entry.",
)
c.flags.StringVar(
&c.ruleID,
"id",
"",
"The ID of the binding rule to update. "+
"It may be specified as a unique ID prefix but will error if the prefix "+
"matches multiple binding rule IDs",
)
c.flags.StringVar(
&c.description,
"description",
"",
"A description of the binding rule.",
)
c.flags.StringVar(
&c.selector,
"selector",
"",
"Selector is an expression that matches against verified identity "+
"attributes returned from the auth method during login.",
)
c.flags.StringVar(
&c.bindType,
"bind-type",
string(api.BindingRuleBindTypeService),
"Type of binding to perform (\"service\" or \"role\").",
)
c.flags.StringVar(
&c.bindName,
"bind-name",
"",
"Name to bind on match. Can use ${var} interpolation. "+
"This flag is required.",
)
c.flags.BoolVar(
&c.noMerge,
"no-merge",
false,
"Do not merge the current binding rule "+
"information with what is provided to the command. Instead overwrite all fields "+
"with the exception of the binding rule ID which is immutable.",
)
c.flags.StringVar(
&c.format,
"format",
bindingrule.PrettyFormat,
fmt.Sprintf("Output format {%s}", strings.Join(bindingrule.GetSupportedFormats(), "|")),
)
c.flags.Var(
(*flags.FlagMapValue)(&c.bindVars),
"bind-vars",
"Templated policy variables. Can only be used when -bind-type is templated-policy."+
" May be specified multiple times with different variables. Can use ${var} interpolation."+
" Format is VariableName=Value",
)
c.http = &flags.HTTPFlags{}
flags.Merge(c.flags, c.http.ClientFlags())
flags.Merge(c.flags, c.http.ServerFlags())
flags.Merge(c.flags, c.http.MultiTenancyFlags())
c.help = flags.Usage(help, c.flags)
}
func (c *cmd) Run(args []string) int {
if err := c.flags.Parse(args); err != nil {
return 1
}
if c.ruleID == "" {
c.UI.Error("Cannot update a binding rule without specifying the -id parameter")
return 1
}
client, err := c.http.APIClient()
if err != nil {
c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
return 1
}
ruleID, err := acl.GetBindingRuleIDFromPartial(client, c.ruleID)
if err != nil {
c.UI.Error(fmt.Sprintf("Error determining binding rule ID: %v", err))
return 1
}
// Read the current binding rule in both cases so we can fail better if not found.
currentRule, _, err := client.ACL().BindingRuleRead(ruleID, nil)
if err != nil {
c.UI.Error(fmt.Sprintf("Error when retrieving current binding rule: %v", err))
return 1
} else if currentRule == nil {
c.UI.Error(fmt.Sprintf("Binding rule not found with ID %q", ruleID))
return 1
}
processBindVars, err := acl.ExtractBindVars(c.bindVars)
if err != nil {
c.UI.Error("Failed to decode '-bind-vars'")
c.UI.Error(c.Help())
return 1
}
var rule *api.ACLBindingRule
if c.noMerge {
if c.bindType == "" {
c.UI.Error("Missing required '-bind-type' flag")
c.UI.Error(c.Help())
return 1
} else if c.bindName == "" {
c.UI.Error("Missing required '-bind-name' flag")
c.UI.Error(c.Help())
return 1
} else if len(c.bindVars) > 0 && api.BindingRuleBindType(c.bindType) != api.BindingRuleBindTypeTemplatedPolicy {
c.UI.Error("-bind-vars cannot be specified when -bind-type is not templated-policy")
c.UI.Error(c.Help())
return 1
}
rule = &api.ACLBindingRule{
ID: ruleID,
AuthMethod: currentRule.AuthMethod, // immutable
Description: c.description,
BindType: api.BindingRuleBindType(c.bindType),
BindVars: processBindVars,
BindName: c.bindName,
Selector: c.selector,
}
} else {
rule = currentRule
if c.description != "" {
rule.Description = c.description
}
if c.bindType != "" {
rule.BindType = api.BindingRuleBindType(c.bindType)
}
if c.bindName != "" {
rule.BindName = c.bindName
}
if len(c.bindVars) > 0 {
rule.BindVars = processBindVars
}
// remove bind vars for non templated-policy binding rules types
if api.BindingRuleBindType(c.bindType) != api.BindingRuleBindTypeTemplatedPolicy {
rule.BindVars = nil
}
if isFlagSet(c.flags, "selector") {
rule.Selector = c.selector // empty is valid
}
}
rule, _, err = client.ACL().BindingRuleUpdate(rule, nil)
if err != nil {
c.UI.Error(fmt.Sprintf("Error updating binding rule %q: %v", ruleID, err))
return 1
}
formatter, err := bindingrule.NewFormatter(c.format, c.showMeta)
if err != nil {
c.UI.Error(err.Error())
return 1
}
out, err := formatter.FormatBindingRule(rule)
if err != nil {
c.UI.Error(err.Error())
return 1
}
if out != "" {
c.UI.Info(out)
}
return 0
}
func (c *cmd) Synopsis() string {
return synopsis
}
func (c *cmd) Help() string {
return flags.Usage(c.help, nil)
}
func isFlagSet(flags *flag.FlagSet, name string) bool {
found := false
flags.Visit(func(f *flag.Flag) {
if f.Name == name {
found = true
}
})
return found
}
const (
synopsis = "Update an ACL binding rule"
help = `
Usage: consul acl binding-rule update -id ID [options]
Updates a binding rule. By default it will merge the binding rule
information with its current state so that you do not have to provide all
parameters. This behavior can be disabled by passing -no-merge.
Update all editable fields of the binding rule:
$ consul acl binding-rule update \
-id=43cb72df-9c6f-4315-ac8a-01a9d98155ef \
-description="new description" \
-bind-type=role \
-bind-name='k8s-${serviceaccount.name}' \
-selector='serviceaccount.namespace==default and serviceaccount.name==web'
`
)