mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-14 02:10:21 +00:00
171ba6a65d
Bumps the github-dependencies group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/IBM/keyprotect-go-client](https://github.com/IBM/keyprotect-go-client) | `0.12.2` | `0.14.1` | | [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) | `1.53.14` | `1.54.6` | | [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) | `1.28.1` | `1.29.1` | | [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) | `1.12.0` | `1.14.0` | | [github.com/kubernetes-csi/csi-lib-utils](https://github.com/kubernetes-csi/csi-lib-utils) | `0.17.0` | `0.18.1` | | [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.17.1` | `2.19.0` | | [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) | `1.18.0` | `1.19.1` | | [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) | `1.6.0` | `1.7.0` | Updates `github.com/IBM/keyprotect-go-client` from 0.12.2 to 0.14.1 - [Release notes](https://github.com/IBM/keyprotect-go-client/releases) - [Changelog](https://github.com/IBM/keyprotect-go-client/blob/master/CHANGELOG.md) - [Commits](https://github.com/IBM/keyprotect-go-client/compare/v0.12.2...v0.14.1) Updates `github.com/aws/aws-sdk-go` from 1.53.14 to 1.54.6 - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.53.14...v1.54.6) Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.28.1 to 1.29.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ecr/v1.28.1...service/s3/v1.29.1) Updates `github.com/hashicorp/vault/api` from 1.12.0 to 1.14.0 - [Release notes](https://github.com/hashicorp/vault/releases) - [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/vault/compare/v1.12.0...v1.14.0) Updates `github.com/kubernetes-csi/csi-lib-utils` from 0.17.0 to 0.18.1 - [Release notes](https://github.com/kubernetes-csi/csi-lib-utils/releases) - [Commits](https://github.com/kubernetes-csi/csi-lib-utils/compare/v0.17.0...v0.18.1) Updates `github.com/onsi/ginkgo/v2` from 2.17.1 to 2.19.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.17.1...v2.19.0) Updates `github.com/onsi/gomega` from 1.32.0 to 1.33.1 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.32.0...v1.33.1) Updates `github.com/prometheus/client_golang` from 1.18.0 to 1.19.1 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.18.0...v1.19.1) Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.6.0...sdk/azcore/v1.7.0) --- updated-dependencies: - dependency-name: github.com/IBM/keyprotect-go-client dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/aws/aws-sdk-go-v2/service/sts dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/hashicorp/vault/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/kubernetes-csi/csi-lib-utils dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
614 lines
18 KiB
Go
614 lines
18 KiB
Go
// Copyright 2019 IBM Corp.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package kp
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
)
|
|
|
|
const (
|
|
// AllowedNetwork defines the policy type as allowed network
|
|
AllowedNetwork = "allowedNetwork"
|
|
|
|
// AllowedIP defines the policy type as allowed ip that are whitelisted
|
|
AllowedIP = "allowedIP"
|
|
|
|
// Metrics defines the policy type as metrics
|
|
Metrics = "metrics"
|
|
// KeyAccess defines the policy type as key create import access
|
|
KeyCreateImportAccess = "keyCreateImportAccess"
|
|
|
|
// KeyAccess policy attributes
|
|
CreateRootKey = "CreateRootKey"
|
|
CreateStandardKey = "CreateStandardKey"
|
|
ImportRootKey = "ImportRootKey"
|
|
ImportStandardKey = "ImportStandardKey"
|
|
EnforceToken = "EnforceToken"
|
|
)
|
|
|
|
// InstancePolicy represents a instance-level policy of a key as returned by the KP API.
|
|
// this policy enables dual authorization for deleting a key
|
|
type InstancePolicy struct {
|
|
CreatedBy string `json:"createdBy,omitempty"`
|
|
CreatedAt *time.Time `json:"creationDate,omitempty"`
|
|
UpdatedAt *time.Time `json:"lastUpdated,omitempty"`
|
|
UpdatedBy string `json:"updatedBy,omitempty"`
|
|
PolicyType string `json:"policy_type,omitempty"`
|
|
PolicyData PolicyData `json:"policy_data,omitempty" mapstructure:"policyData"`
|
|
}
|
|
|
|
// PolicyData contains the details of the policy type
|
|
type PolicyData struct {
|
|
Enabled *bool `json:"enabled,omitempty"`
|
|
Attributes *Attributes `json:"attributes,omitempty"`
|
|
}
|
|
|
|
// Attributes contains the details of an instance policy
|
|
type Attributes struct {
|
|
AllowedNetwork *string `json:"allowed_network,omitempty"`
|
|
AllowedIP *IPAddresses `json:"allowed_ip,omitempty"`
|
|
CreateRootKey *bool `json:"create_root_key,omitempty"`
|
|
CreateStandardKey *bool `json:"create_standard_key,omitempty"`
|
|
ImportRootKey *bool `json:"import_root_key,omitempty"`
|
|
ImportStandardKey *bool `json:"import_standard_key,omitempty"`
|
|
EnforceToken *bool `json:"enforce_token,omitempty"`
|
|
IntervalMonth *int `json:"interval_month,omitempty"`
|
|
}
|
|
|
|
// IPAddresses ...
|
|
type IPAddresses []string
|
|
|
|
// InstancePolicies represents a collection of Policies associated with Key Protect instances.
|
|
type InstancePolicies struct {
|
|
Metadata PoliciesMetadata `json:"metadata"`
|
|
Policies []InstancePolicy `json:"resources"`
|
|
}
|
|
|
|
// GetDualAuthInstancePolicy retrieves the dual auth delete policy details associated with the instance
|
|
// For more information can refer the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-dual-auth
|
|
func (c *Client) GetDualAuthInstancePolicy(ctx context.Context) (*InstancePolicy, error) {
|
|
policyResponse := InstancePolicies{}
|
|
|
|
err := c.getInstancePolicy(ctx, DualAuthDelete, &policyResponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(policyResponse.Policies) == 0 {
|
|
return nil, nil
|
|
}
|
|
return &policyResponse.Policies[0], nil
|
|
}
|
|
|
|
// GetAllowedNetworkInstancePolicy retrieves the allowed network policy details associated with the instance.
|
|
// For more information can refer the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-network-access-policies
|
|
func (c *Client) GetAllowedNetworkInstancePolicy(ctx context.Context) (*InstancePolicy, error) {
|
|
policyResponse := InstancePolicies{}
|
|
|
|
err := c.getInstancePolicy(ctx, AllowedNetwork, &policyResponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(policyResponse.Policies) == 0 {
|
|
return nil, nil
|
|
}
|
|
|
|
return &policyResponse.Policies[0], nil
|
|
}
|
|
|
|
// GetAllowedIPInstancePolicy retrieves the allowed IP instance policy details associated with the instance.
|
|
// For more information can refer the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-allowed-ip
|
|
func (c *Client) GetAllowedIPInstancePolicy(ctx context.Context) (*InstancePolicy, error) {
|
|
policyResponse := InstancePolicies{}
|
|
|
|
err := c.getInstancePolicy(ctx, AllowedIP, &policyResponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(policyResponse.Policies) == 0 {
|
|
return nil, nil
|
|
}
|
|
|
|
return &policyResponse.Policies[0], nil
|
|
}
|
|
|
|
// GetKeyCreateImportAccessInstancePolicy retrieves the key create import access policy details associated with the instance.
|
|
// For more information can refer the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess
|
|
func (c *Client) GetKeyCreateImportAccessInstancePolicy(ctx context.Context) (*InstancePolicy, error) {
|
|
policyResponse := InstancePolicies{}
|
|
|
|
err := c.getInstancePolicy(ctx, KeyCreateImportAccess, &policyResponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(policyResponse.Policies) == 0 {
|
|
return nil, nil
|
|
}
|
|
|
|
return &policyResponse.Policies[0], nil
|
|
}
|
|
|
|
func (c *Client) getInstancePolicy(ctx context.Context, policyType string, policyResponse *InstancePolicies) error {
|
|
req, err := c.newRequest(http.MethodGet, "instance/policies", nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
v := url.Values{}
|
|
v.Set("policy", policyType)
|
|
req.URL.RawQuery = v.Encode()
|
|
|
|
_, err = c.do(ctx, req, &policyResponse)
|
|
|
|
return err
|
|
}
|
|
|
|
// GetMetricsInstancePolicy retrieves the metrics policy details associated with the instance
|
|
// For more information can refer the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-sysdig-metrics
|
|
func (c *Client) GetMetricsInstancePolicy(ctx context.Context) (*InstancePolicy, error) {
|
|
policyResponse := InstancePolicies{}
|
|
|
|
err := c.getInstancePolicy(ctx, Metrics, &policyResponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(policyResponse.Policies) == 0 {
|
|
return nil, nil
|
|
}
|
|
return &policyResponse.Policies[0], nil
|
|
}
|
|
|
|
// GetRotationInstancePolicy retrieves the rotation policy details associated with the instance
|
|
func (c *Client) GetRotationInstancePolicy(ctx context.Context) (*InstancePolicy, error) {
|
|
policyResponse := InstancePolicies{}
|
|
|
|
err := c.getInstancePolicy(ctx, RotationPolicy, &policyResponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(policyResponse.Policies) == 0 {
|
|
return nil, nil
|
|
}
|
|
return &policyResponse.Policies[0], nil
|
|
}
|
|
|
|
// GetInstancePolicies retrieves all policies of an Instance.
|
|
func (c *Client) GetInstancePolicies(ctx context.Context) ([]InstancePolicy, error) {
|
|
policyresponse := InstancePolicies{}
|
|
|
|
req, err := c.newRequest(http.MethodGet, "instance/policies", nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
_, err = c.do(ctx, req, &policyresponse)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return policyresponse.Policies, nil
|
|
}
|
|
|
|
func (c *Client) setInstancePolicy(ctx context.Context, policyType string, policyRequest InstancePolicies) error {
|
|
req, err := c.newRequest(http.MethodPut, "instance/policies", &policyRequest)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
v := url.Values{}
|
|
v.Set("policy", policyType)
|
|
req.URL.RawQuery = v.Encode()
|
|
|
|
policiesResponse := InstancePolicies{}
|
|
_, err = c.do(ctx, req, &policiesResponse)
|
|
|
|
return err
|
|
}
|
|
|
|
// SetDualAuthInstancePolicy updates the dual auth delete policy details associated with an instance
|
|
// For more information can refer the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-dual-auth
|
|
func (c *Client) SetDualAuthInstancePolicy(ctx context.Context, enable bool) error {
|
|
policy := InstancePolicy{
|
|
PolicyType: DualAuthDelete,
|
|
PolicyData: PolicyData{
|
|
Enabled: &enable,
|
|
},
|
|
}
|
|
|
|
policyRequest := InstancePolicies{
|
|
Metadata: PoliciesMetadata{
|
|
CollectionType: policyType,
|
|
NumberOfPolicies: 1,
|
|
},
|
|
Policies: []InstancePolicy{policy},
|
|
}
|
|
|
|
err := c.setInstancePolicy(ctx, DualAuthDelete, policyRequest)
|
|
|
|
return err
|
|
}
|
|
|
|
func addRotationInstancePolicyData(enable bool, intervalMonth *int) (InstancePolicy, error) {
|
|
|
|
rotationPolicyData := InstancePolicy{
|
|
PolicyType: RotationPolicy,
|
|
PolicyData: PolicyData{
|
|
Enabled: &enable,
|
|
},
|
|
}
|
|
|
|
if enable && intervalMonth == nil {
|
|
return InstancePolicy{}, fmt.Errorf("Interval Month is required to enable rotation instance policy")
|
|
} else if !enable && intervalMonth != nil {
|
|
return InstancePolicy{}, fmt.Errorf("Interval Month should only be provided if the policy is being enabled")
|
|
} else if intervalMonth != nil {
|
|
rotationPolicyData.PolicyData.Attributes = &Attributes{
|
|
IntervalMonth: intervalMonth,
|
|
}
|
|
}
|
|
|
|
return rotationPolicyData, nil
|
|
}
|
|
|
|
// SetRotationInstancePolicy updates the rotation instance policy details associated with an instance.
|
|
func (c *Client) SetRotationInstancePolicy(ctx context.Context, enable bool, intervalMonth *int) error {
|
|
|
|
rotationPolicyData, err := addRotationInstancePolicyData(enable, intervalMonth)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
policyRequest := InstancePolicies{
|
|
Metadata: PoliciesMetadata{
|
|
CollectionType: policyType,
|
|
NumberOfPolicies: 1,
|
|
},
|
|
Policies: []InstancePolicy{rotationPolicyData},
|
|
}
|
|
|
|
err = c.setInstancePolicy(ctx, RotationPolicy, policyRequest)
|
|
|
|
return err
|
|
}
|
|
|
|
// SetAllowedIPInstancePolices updates the allowed IP instance policy details associated with an instance.
|
|
// For more information can refet to the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-allowed-ip
|
|
func (c *Client) SetAllowedIPInstancePolicy(ctx context.Context, enable bool, allowedIPs []string) error {
|
|
|
|
policy := InstancePolicy{
|
|
PolicyType: AllowedIP,
|
|
PolicyData: PolicyData{
|
|
Enabled: &enable,
|
|
},
|
|
}
|
|
|
|
// The IP address validation is performed by the key protect service.
|
|
if enable && len(allowedIPs) != 0 {
|
|
policy.PolicyData.Attributes = &Attributes{}
|
|
ips := IPAddresses(allowedIPs)
|
|
policy.PolicyData.Attributes.AllowedIP = &ips
|
|
} else if enable && len(allowedIPs) == 0 {
|
|
return fmt.Errorf("Please provide at least 1 IP subnet specified with CIDR notation")
|
|
} else if !enable && len(allowedIPs) != 0 {
|
|
return fmt.Errorf("IP address list should only be provided if the policy is being enabled")
|
|
}
|
|
|
|
policyRequest := InstancePolicies{
|
|
Metadata: PoliciesMetadata{
|
|
CollectionType: policyType,
|
|
NumberOfPolicies: 1,
|
|
},
|
|
Policies: []InstancePolicy{policy},
|
|
}
|
|
err := c.setInstancePolicy(ctx, AllowedIP, policyRequest)
|
|
|
|
return err
|
|
}
|
|
|
|
// SetAllowedNetWorkInstancePolicy updates the allowed network policy details associated with an instance
|
|
// For more information can refer to the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-network-access-policies
|
|
func (c *Client) SetAllowedNetworkInstancePolicy(ctx context.Context, enable bool, networkType string) error {
|
|
policy := InstancePolicy{
|
|
PolicyType: AllowedNetwork,
|
|
PolicyData: PolicyData{
|
|
Enabled: &enable,
|
|
Attributes: &Attributes{},
|
|
},
|
|
}
|
|
if networkType != "" {
|
|
policy.PolicyData.Attributes.AllowedNetwork = &networkType
|
|
}
|
|
|
|
policyRequest := InstancePolicies{
|
|
Metadata: PoliciesMetadata{
|
|
CollectionType: policyType,
|
|
NumberOfPolicies: 1,
|
|
},
|
|
Policies: []InstancePolicy{policy},
|
|
}
|
|
|
|
err := c.setInstancePolicy(ctx, AllowedNetwork, policyRequest)
|
|
|
|
return err
|
|
}
|
|
|
|
// SetMetricsInstancePolicy updates the metrics policy details associated with an instance
|
|
// For more information can refer the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-sysdig-metrics
|
|
func (c *Client) SetMetricsInstancePolicy(ctx context.Context, enable bool) error {
|
|
policy := InstancePolicy{
|
|
PolicyType: Metrics,
|
|
PolicyData: PolicyData{
|
|
Enabled: &enable,
|
|
},
|
|
}
|
|
|
|
policyRequest := InstancePolicies{
|
|
Metadata: PoliciesMetadata{
|
|
CollectionType: policyType,
|
|
NumberOfPolicies: 1,
|
|
},
|
|
Policies: []InstancePolicy{policy},
|
|
}
|
|
|
|
err := c.setInstancePolicy(ctx, Metrics, policyRequest)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
// SetKeyCreateImportAccessInstancePolicy updates the key create import access policy details associated with an instance.
|
|
// For more information, please refer to the Key Protect docs in the link below:
|
|
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess
|
|
func (c *Client) SetKeyCreateImportAccessInstancePolicy(ctx context.Context, enable bool, attributes map[string]bool) error {
|
|
policy := InstancePolicy{
|
|
PolicyType: KeyCreateImportAccess,
|
|
PolicyData: PolicyData{
|
|
Enabled: &enable,
|
|
},
|
|
}
|
|
|
|
if enable {
|
|
policy.PolicyData.Attributes = &Attributes{}
|
|
a := policy.PolicyData.Attributes
|
|
if val, ok := attributes[CreateRootKey]; ok {
|
|
a.CreateRootKey = &val
|
|
}
|
|
if val, ok := attributes[CreateStandardKey]; ok {
|
|
a.CreateStandardKey = &val
|
|
}
|
|
if val, ok := attributes[ImportRootKey]; ok {
|
|
a.ImportRootKey = &val
|
|
}
|
|
if val, ok := attributes[ImportStandardKey]; ok {
|
|
a.ImportStandardKey = &val
|
|
}
|
|
if val, ok := attributes[EnforceToken]; ok {
|
|
a.EnforceToken = &val
|
|
}
|
|
}
|
|
|
|
policyRequest := InstancePolicies{
|
|
Metadata: PoliciesMetadata{
|
|
CollectionType: policyType,
|
|
NumberOfPolicies: 1,
|
|
},
|
|
Policies: []InstancePolicy{policy},
|
|
}
|
|
|
|
err := c.setInstancePolicy(ctx, KeyCreateImportAccess, policyRequest)
|
|
|
|
return err
|
|
}
|
|
|
|
// BasicPolicyData defines the attribute input for the policy that supports only enabled parameter
|
|
type BasicPolicyData struct {
|
|
Enabled bool
|
|
}
|
|
|
|
// AllowedNetworkPolicyData defines the attribute input for the Allowed Network instance policy
|
|
type AllowedNetworkPolicyData struct {
|
|
Enabled bool
|
|
Network string
|
|
}
|
|
|
|
// AllowedIPPolicyData defines the attribute input for the Allowed IP instance policy
|
|
type AllowedIPPolicyData struct {
|
|
Enabled bool
|
|
IPAddresses *IPAddresses
|
|
}
|
|
|
|
// KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy
|
|
type KeyCreateImportAccessInstancePolicy struct {
|
|
Enabled bool
|
|
Attributes *KeyCreateImportAccessInstancePolicyAttributes
|
|
}
|
|
|
|
type KeyCreateImportAccessInstancePolicyAttributes struct {
|
|
CreateRootKey *bool
|
|
CreateStandardKey *bool
|
|
ImportRootKey *bool
|
|
ImportStandardKey *bool
|
|
EnforceToken *bool
|
|
}
|
|
|
|
type RotationPolicyData struct {
|
|
Enabled bool
|
|
IntervalMonth *int
|
|
}
|
|
|
|
// MultiplePolicies defines the input for the SetInstancPolicies method that can hold multiple policy details
|
|
type MultiplePolicies struct {
|
|
DualAuthDelete *BasicPolicyData
|
|
AllowedNetwork *AllowedNetworkPolicyData
|
|
AllowedIP *AllowedIPPolicyData
|
|
Metrics *BasicPolicyData
|
|
KeyCreateImportAccess *KeyCreateImportAccessInstancePolicy
|
|
Rotation *RotationPolicyData
|
|
}
|
|
|
|
// SetInstancePolicies updates single or multiple policy details of an instance.
|
|
func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolicies) error {
|
|
var resPolicies []InstancePolicy
|
|
|
|
if policies.DualAuthDelete != nil {
|
|
policy := InstancePolicy{
|
|
PolicyType: DualAuthDelete,
|
|
PolicyData: PolicyData{
|
|
Enabled: &(policies.DualAuthDelete.Enabled),
|
|
},
|
|
}
|
|
resPolicies = append(resPolicies, policy)
|
|
}
|
|
|
|
if policies.AllowedNetwork != nil {
|
|
policy := InstancePolicy{
|
|
PolicyType: AllowedNetwork,
|
|
PolicyData: PolicyData{
|
|
Enabled: &(policies.AllowedNetwork.Enabled),
|
|
// due to legacy reasons, the allowed_network policy requires attribute to always be specified
|
|
Attributes: &Attributes{
|
|
AllowedNetwork: &(policies.AllowedNetwork.Network),
|
|
},
|
|
},
|
|
}
|
|
resPolicies = append(resPolicies, policy)
|
|
}
|
|
|
|
if policies.AllowedIP != nil {
|
|
policy := InstancePolicy{
|
|
PolicyType: AllowedIP,
|
|
PolicyData: PolicyData{
|
|
Enabled: &(policies.AllowedIP.Enabled),
|
|
Attributes: &Attributes{
|
|
AllowedIP: policies.AllowedIP.IPAddresses,
|
|
},
|
|
},
|
|
}
|
|
resPolicies = append(resPolicies, policy)
|
|
}
|
|
|
|
if policies.Metrics != nil {
|
|
policy := InstancePolicy{
|
|
PolicyType: Metrics,
|
|
PolicyData: PolicyData{
|
|
Enabled: &(policies.Metrics.Enabled),
|
|
},
|
|
}
|
|
resPolicies = append(resPolicies, policy)
|
|
}
|
|
|
|
if policies.KeyCreateImportAccess != nil {
|
|
policy := InstancePolicy{
|
|
PolicyType: KeyCreateImportAccess,
|
|
PolicyData: PolicyData{
|
|
Enabled: &(policies.KeyCreateImportAccess.Enabled),
|
|
},
|
|
}
|
|
|
|
if attr := policies.KeyCreateImportAccess.Attributes; attr != nil {
|
|
policy.PolicyData.Attributes = &Attributes{
|
|
CreateRootKey: attr.CreateRootKey,
|
|
CreateStandardKey: attr.CreateStandardKey,
|
|
ImportRootKey: attr.ImportRootKey,
|
|
ImportStandardKey: attr.ImportStandardKey,
|
|
EnforceToken: attr.EnforceToken,
|
|
}
|
|
}
|
|
|
|
resPolicies = append(resPolicies, policy)
|
|
}
|
|
|
|
if policies.Rotation != nil {
|
|
policy, err := addRotationInstancePolicyData(policies.Rotation.Enabled, policies.Rotation.IntervalMonth)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
resPolicies = append(resPolicies, policy)
|
|
}
|
|
|
|
policyRequest := InstancePolicies{
|
|
Metadata: PoliciesMetadata{
|
|
CollectionType: policyType,
|
|
NumberOfPolicies: len(resPolicies),
|
|
},
|
|
Policies: resPolicies,
|
|
}
|
|
|
|
policyresponse := Policies{}
|
|
|
|
req, err := c.newRequest(http.MethodPut, "instance/policies", &policyRequest)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = c.do(ctx, req, &policyresponse)
|
|
|
|
return err
|
|
}
|
|
|
|
type portsMetadata struct {
|
|
CollectionType string `json:"collectionType"`
|
|
NumberOfPorts int `json:"collectionTotal"`
|
|
}
|
|
|
|
type portResponse struct {
|
|
Metadata portsMetadata `json:"metadata"`
|
|
Ports []privatePort `json:"resources"`
|
|
}
|
|
type privatePort struct {
|
|
PrivatePort int `json:"private_endpoint_port,omitempty"`
|
|
}
|
|
|
|
// GetAllowedIPPrivateNetworkPort retrieves the private endpoint port assigned to allowed ip policy.
|
|
func (c *Client) GetAllowedIPPrivateNetworkPort(ctx context.Context) (int, error) {
|
|
var portResponse portResponse
|
|
|
|
req, err := c.newRequest(http.MethodGet, "instance/allowed_ip_port", nil)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
_, err = c.do(ctx, req, &portResponse)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
if len(portResponse.Ports) == 0 {
|
|
return 0, fmt.Errorf("No port number available. Please check the instance has an enabled allowedIP policy")
|
|
}
|
|
return portResponse.Ports[0].PrivatePort, nil
|
|
}
|