From 9d09e31f7c33bb0fdc33582f9b09cb051286122b Mon Sep 17 00:00:00 2001 From: meyerjrr Date: Tue, 17 Sep 2024 13:23:51 +1000 Subject: [PATCH 1/6] set duration returned from preflight in batch ensure request --- pkg/hook/accessrequesthook/accessrequesthook.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkg/hook/accessrequesthook/accessrequesthook.go b/pkg/hook/accessrequesthook/accessrequesthook.go index 3aa8429f..3a2fb87e 100644 --- a/pkg/hook/accessrequesthook/accessrequesthook.go +++ b/pkg/hook/accessrequesthook/accessrequesthook.go @@ -166,6 +166,15 @@ func (h Hook) NoEntitlementAccess(ctx context.Context, cfg *config.Context, inpu req.Justification.Reason = &customReason } } + + for i := range req.Entitlements { + if result.DurationConfiguration.DefaultDuration != nil { + req.Entitlements[i].Duration = result.DurationConfiguration.DefaultDuration + } else { + req.Entitlements[i].Duration = result.DurationConfiguration.MaxDuration + } + } + // the spinner must be started after prompting for reason, otherwise the prompt gets hidden si := spinner.New(spinner.CharSets[14], 100*time.Millisecond) si.Suffix = " ensuring access..." From 1844193b067626cb9ec603d47c631139c74f27cb Mon Sep 17 00:00:00 2001 From: meyerjrr Date: Tue, 17 Sep 2024 13:39:30 +1000 Subject: [PATCH 2/6] fix duration passed in --- pkg/hook/accessrequesthook/accessrequesthook.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkg/hook/accessrequesthook/accessrequesthook.go b/pkg/hook/accessrequesthook/accessrequesthook.go index 3a2fb87e..1d881810 100644 --- a/pkg/hook/accessrequesthook/accessrequesthook.go +++ b/pkg/hook/accessrequesthook/accessrequesthook.go @@ -168,7 +168,11 @@ func (h Hook) NoEntitlementAccess(ctx context.Context, cfg *config.Context, inpu } for i := range req.Entitlements { - if result.DurationConfiguration.DefaultDuration != nil { + + if input.Duration != nil { + req.Entitlements[i].Duration = input.Duration + + } else if result.DurationConfiguration.DefaultDuration != nil { req.Entitlements[i].Duration = result.DurationConfiguration.DefaultDuration } else { req.Entitlements[i].Duration = result.DurationConfiguration.MaxDuration From 2b9dde1326e89ddf4ba98be6ffe916671ee918c0 Mon Sep 17 00:00:00 2001 From: meyerjrr Date: Tue, 17 Sep 2024 16:14:30 +1000 Subject: [PATCH 3/6] fix messaging when passing in duration --- pkg/hook/accessrequesthook/accessrequesthook.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/pkg/hook/accessrequesthook/accessrequesthook.go b/pkg/hook/accessrequesthook/accessrequesthook.go index 1d881810..296b4687 100644 --- a/pkg/hook/accessrequesthook/accessrequesthook.go +++ b/pkg/hook/accessrequesthook/accessrequesthook.go @@ -203,12 +203,16 @@ func (h Hook) NoEntitlementAccess(ctx context.Context, cfg *config.Context, inpu exp := "" - if res.Msg.DurationConfiguration != nil { + if req.Entitlements[0].Duration != nil { + exp = ShortDur(req.Entitlements[0].Duration.AsDuration()) + } else if res.Msg.DurationConfiguration != nil { exp = ShortDur(res.Msg.DurationConfiguration.MaxDuration.AsDuration()) if res.Msg.DurationConfiguration.DefaultDuration != nil { exp = ShortDur(res.Msg.DurationConfiguration.DefaultDuration.AsDuration()) - } + } else if g.Grant.ExpiresAt != nil { + //attempt to work out duration from expiry to preserve backwards compatability with older common fate versions + exp = ShortDur(time.Until(g.Grant.ExpiresAt.AsTime())) } switch g.Change { @@ -407,7 +411,9 @@ func DryRun(ctx context.Context, apiURL *url.URL, client accessv1alpha1connect.A exp := "" - if res.Msg.DurationConfiguration != nil { + if req.Entitlements[0].Duration != nil { + exp = ShortDur(req.Entitlements[0].Duration.AsDuration()) + } else if res.Msg.DurationConfiguration != nil { exp = ShortDur(res.Msg.DurationConfiguration.MaxDuration.AsDuration()) if res.Msg.DurationConfiguration.DefaultDuration != nil { exp = ShortDur(res.Msg.DurationConfiguration.DefaultDuration.AsDuration()) From 328a6b6b83953542132a2270e3881fed6935ce9e Mon Sep 17 00:00:00 2001 From: meyerjrr Date: Wed, 18 Sep 2024 13:37:45 +1000 Subject: [PATCH 4/6] fix potential nil pointer --- pkg/hook/accessrequesthook/accessrequesthook.go | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/pkg/hook/accessrequesthook/accessrequesthook.go b/pkg/hook/accessrequesthook/accessrequesthook.go index 296b4687..4922c3df 100644 --- a/pkg/hook/accessrequesthook/accessrequesthook.go +++ b/pkg/hook/accessrequesthook/accessrequesthook.go @@ -171,12 +171,17 @@ func (h Hook) NoEntitlementAccess(ctx context.Context, cfg *config.Context, inpu if input.Duration != nil { req.Entitlements[i].Duration = input.Duration + continue + } - } else if result.DurationConfiguration.DefaultDuration != nil { - req.Entitlements[i].Duration = result.DurationConfiguration.DefaultDuration - } else { - req.Entitlements[i].Duration = result.DurationConfiguration.MaxDuration + if result.DurationConfiguration != nil { + if result.DurationConfiguration.DefaultDuration != nil { + req.Entitlements[i].Duration = result.DurationConfiguration.DefaultDuration + } else { + req.Entitlements[i].Duration = result.DurationConfiguration.MaxDuration + } } + } // the spinner must be started after prompting for reason, otherwise the prompt gets hidden From 67806f6a8c24a5676e990c5bceeff3b05147bcf1 Mon Sep 17 00:00:00 2001 From: JoshuaWilkes <14214200+JoshuaWilkes@users.noreply.github.com> Date: Thu, 19 Sep 2024 08:23:18 +0800 Subject: [PATCH 5/6] Ugrade to latest API which includes the Duration on the grant --- .../accessrequesthook/accessrequesthook.go | 33 ++++--------------- 1 file changed, 7 insertions(+), 26 deletions(-) diff --git a/pkg/hook/accessrequesthook/accessrequesthook.go b/pkg/hook/accessrequesthook/accessrequesthook.go index 4922c3df..83907f4b 100644 --- a/pkg/hook/accessrequesthook/accessrequesthook.go +++ b/pkg/hook/accessrequesthook/accessrequesthook.go @@ -206,19 +206,8 @@ func (h Hook) NoEntitlementAccess(ctx context.Context, cfg *config.Context, inpu for _, g := range res.Msg.Grants { names[eid.New("Access::Grant", g.Grant.Id)] = g.Grant.Name - exp := "" - - if req.Entitlements[0].Duration != nil { - exp = ShortDur(req.Entitlements[0].Duration.AsDuration()) - } else if res.Msg.DurationConfiguration != nil { - exp = ShortDur(res.Msg.DurationConfiguration.MaxDuration.AsDuration()) - if res.Msg.DurationConfiguration.DefaultDuration != nil { - exp = ShortDur(res.Msg.DurationConfiguration.DefaultDuration.AsDuration()) - } - } else if g.Grant.ExpiresAt != nil { - //attempt to work out duration from expiry to preserve backwards compatability with older common fate versions - exp = ShortDur(time.Until(g.Grant.ExpiresAt.AsTime())) - } + // default is to show the original duration, except for an active request, where it gets recalculated below to the time remaining + exp := ShortDur(g.Grant.Duration.AsDuration()) switch g.Change { case accessv1alpha1.GrantChange_GRANT_CHANGE_ACTIVATED: @@ -262,6 +251,8 @@ func (h Hook) NoEntitlementAccess(ctx context.Context, cfg *config.Context, inpu switch g.Grant.Status { case accessv1alpha1.GrantStatus_GRANT_STATUS_ACTIVE: + // work out how long is remaining on the active grant + exp = ShortDur(time.Until(g.Grant.ExpiresAt.AsTime())) color.New(color.FgGreen).Fprintf(os.Stderr, "[ACTIVE] %s is already active for the next %s: %s\n", g.Grant.Name, exp, requestURL(apiURL, g.Grant)) retry = true @@ -414,19 +405,8 @@ func DryRun(ctx context.Context, apiURL *url.URL, client accessv1alpha1connect.A for _, g := range res.Msg.Grants { names[eid.New("Access::Grant", g.Grant.Id)] = g.Grant.Name - exp := "" - - if req.Entitlements[0].Duration != nil { - exp = ShortDur(req.Entitlements[0].Duration.AsDuration()) - } else if res.Msg.DurationConfiguration != nil { - exp = ShortDur(res.Msg.DurationConfiguration.MaxDuration.AsDuration()) - if res.Msg.DurationConfiguration.DefaultDuration != nil { - exp = ShortDur(res.Msg.DurationConfiguration.DefaultDuration.AsDuration()) - } - } else if g.Grant.ExpiresAt != nil { - //attempt to work out duration from expiry to preserve backwards compatability with older common fate versions - exp = ShortDur(time.Until(g.Grant.ExpiresAt.AsTime())) - } + // default is to show the original duration, except for an active request, where it gets recalculated below to the time remaining + exp := ShortDur(g.Grant.Duration.AsDuration()) if g.Change > 0 { hasChanges = true @@ -460,6 +440,7 @@ func DryRun(ctx context.Context, apiURL *url.URL, client accessv1alpha1connect.A switch g.Grant.Status { case accessv1alpha1.GrantStatus_GRANT_STATUS_ACTIVE: + exp = ShortDur(time.Until(g.Grant.ExpiresAt.AsTime())) color.New(color.FgGreen).Fprintf(os.Stderr, "[ACTIVE] %s is already active for the next %s: %s\n", g.Grant.Name, exp, requestURL(apiURL, g.Grant)) continue case accessv1alpha1.GrantStatus_GRANT_STATUS_PENDING: From d701d3116ee8cb88d1f1f621690d0a08bdd2ea4d Mon Sep 17 00:00:00 2001 From: meyerjrr Date: Thu, 19 Sep 2024 11:01:44 +1000 Subject: [PATCH 6/6] remove setting override duration --- pkg/hook/accessrequesthook/accessrequesthook.go | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/pkg/hook/accessrequesthook/accessrequesthook.go b/pkg/hook/accessrequesthook/accessrequesthook.go index 83907f4b..e7bf339d 100644 --- a/pkg/hook/accessrequesthook/accessrequesthook.go +++ b/pkg/hook/accessrequesthook/accessrequesthook.go @@ -167,23 +167,6 @@ func (h Hook) NoEntitlementAccess(ctx context.Context, cfg *config.Context, inpu } } - for i := range req.Entitlements { - - if input.Duration != nil { - req.Entitlements[i].Duration = input.Duration - continue - } - - if result.DurationConfiguration != nil { - if result.DurationConfiguration.DefaultDuration != nil { - req.Entitlements[i].Duration = result.DurationConfiguration.DefaultDuration - } else { - req.Entitlements[i].Duration = result.DurationConfiguration.MaxDuration - } - } - - } - // the spinner must be started after prompting for reason, otherwise the prompt gets hidden si := spinner.New(spinner.CharSets[14], 100*time.Millisecond) si.Suffix = " ensuring access..."