open-nomad/command/sentinel_apply.go
2023-04-10 15:36:59 +00:00

137 lines
3.3 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package command
import (
"fmt"
"io"
"os"
"strings"
"github.com/hashicorp/nomad/api"
"github.com/posener/complete"
)
type SentinelApplyCommand struct {
Meta
}
func (c *SentinelApplyCommand) Help() string {
helpText := `
Usage: nomad sentinel apply [options] <name> <file>
Apply is used to write a new Sentinel policy or update an existing one.
The name of the policy and file must be specified. The file will be read
from stdin by specifying "-".
Sentinel commands are only available when ACLs are enabled. This command
requires a management token.
General Options:
` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `
Apply Options:
-description
Sets a human readable description for the policy.
-scope (default: submit-job)
Sets the scope of the policy and when it should be enforced.
-level (default: advisory)
Sets the enforcement level of the policy. Must be one of advisory,
soft-mandatory, hard-mandatory.
`
return strings.TrimSpace(helpText)
}
func (c *SentinelApplyCommand) AutocompleteFlags() complete.Flags {
return mergeAutocompleteFlags(c.Meta.AutocompleteFlags(FlagSetClient),
complete.Flags{
"-description": complete.PredictAnything,
"-scope": complete.PredictAnything,
"-level": complete.PredictAnything,
})
}
func (c *SentinelApplyCommand) AutocompleteArgs() complete.Predictor {
return complete.PredictNothing
}
func (c *SentinelApplyCommand) Synopsis() string {
return "Create a new or update existing Sentinel policies"
}
func (c *SentinelApplyCommand) Name() string { return "sentinel apply" }
func (c *SentinelApplyCommand) Run(args []string) int {
var description, scope, enfLevel string
var err error
flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
flags.Usage = func() { c.Ui.Output(c.Help()) }
flags.StringVar(&description, "description", "", "")
flags.StringVar(&scope, "scope", "submit-job", "")
flags.StringVar(&enfLevel, "level", "advisory", "")
if err := flags.Parse(args); err != nil {
return 1
}
// Check that we got exactly two arguments
args = flags.Args()
if l := len(args); l != 2 {
c.Ui.Error("This command takes exactly two arguments: <name> <file>")
c.Ui.Error(commandErrorText(c))
return 1
}
// Get the name and file
policyName := args[0]
// Read the file contents
file := args[1]
var rawPolicy []byte
if file == "-" {
rawPolicy, err = io.ReadAll(os.Stdin)
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to read stdin: %v", err))
return 1
}
} else {
rawPolicy, err = os.ReadFile(file)
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to read file: %v", err))
return 1
}
}
// Construct the policy
sp := &api.SentinelPolicy{
Name: policyName,
Description: description,
Scope: scope,
EnforcementLevel: enfLevel,
Policy: string(rawPolicy),
}
// Get the HTTP client
client, err := c.Meta.Client()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing client: %s", err))
return 1
}
// Get the list of policies
_, err = client.SentinelPolicies().Upsert(sp, nil)
if err != nil {
c.Ui.Error(fmt.Sprintf("Error writing Sentinel policy: %s", err))
return 1
}
c.Ui.Output(fmt.Sprintf("Successfully wrote %q Sentinel policy!",
policyName))
return 0
}