openziti · michaelquigley · Jun 25, 2025 · Jun 24, 2025 · Jun 24, 2025 · Jun 25, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## v1.0.7
+
+FEATURE: New add and delete API endpoints for frontend grants. New `zrok admin create frontend-grant` and `zrok admin delete frontend-grant` CLI for invoking these API endpoints from the command line (https://github.com/openziti/zrok/issues/992)
+
+FEATURE: New admin endpoint for deleting accounts. New `zrok admin delete account` CLI for invoking the API endpoint from the command line (https://github.com/openziti/zrok/issues/993)
+
 ## v1.0.6
 
 CHANGE: The `/overview` endpoint has been adjusted to include a new `remoteAgent` `boolean` on the `environment` instances, indicating whether or not the environment has an enrolled remote agent (https://github.com/openziti/zrok/issues/977)

diff --git a/cmd/zrok/adminCreateFrontend.go b/cmd/zrok/adminCreateFrontend.go
@@ -7,7 +7,6 @@ import (
 	"github.com/openziti/zrok/tui"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"os"
 )
 
 func init() {
@@ -36,12 +35,12 @@ func (cmd *adminCreateFrontendCommand) run(_ *cobra.Command, args []string) {
 	publicName := args[1]
 	urlTemplate := args[2]
 
-	env, err := environment.LoadRoot()
+	root, err := environment.LoadRoot()
 	if err != nil {
 		panic(err)
 	}
 
-	zrok, err := env.Client()
+	zrok, err := root.Client()
 	if err != nil {
 		panic(err)
 	}
@@ -61,10 +60,8 @@ func (cmd *adminCreateFrontendCommand) run(_ *cobra.Command, args []string) {
 		switch err.(type) {
 		case *admin.CreateFrontendBadRequest:
 			tui.Error("create frontend request failed: name already exists", err)
-			os.Exit(1)
 		default:
 			tui.Error("create frontend request failed", err)
-			os.Exit(1)
 		}
 	}
 

diff --git a/cmd/zrok/adminCreateFrontendGrant.go b/cmd/zrok/adminCreateFrontendGrant.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"os"
+
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/rest_client_zrok/admin"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	adminCreateCmd.AddCommand(newAdminCreateFrontendGrantCommand().cmd)
+}
+
+type adminCreateFrontendGrantCommand struct {
+	cmd *cobra.Command
+}
+
+func newAdminCreateFrontendGrantCommand() *adminCreateFrontendGrantCommand {
+	cmd := &cobra.Command{
+		Use:     "frontend-grant <frontendToken> <accountEmail>",
+		Aliases: []string{"fg"},
+		Short:   "Grant an account access to a frontend",
+		Args:    cobra.ExactArgs(2),
+	}
+	command := &adminCreateFrontendGrantCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *adminCreateFrontendGrantCommand) run(_ *cobra.Command, args []string) {
+	frontendToken := args[0]
+	accountEmail := args[1]
+
+	root, err := environment.LoadRoot()
+	if err != nil {
+		panic(err)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		panic(err)
+	}
+
+	req := admin.NewAddFrontendGrantParams()
+	req.Body.FrontendToken = frontendToken
+	req.Body.Email = accountEmail
+
+	if _, err = zrok.Admin.AddFrontendGrant(req, mustGetAdminAuth()); err != nil {
+		logrus.Errorf("error addming frontend grant: %v", err)
+		os.Exit(1)
+	}
+
+	logrus.Infof("added frontend ('%v') grant for '%v'", frontendToken, accountEmail)
+}
diff --git a/cmd/zrok/adminDeleteAccount.go b/cmd/zrok/adminDeleteAccount.go
@@ -0,0 +1,50 @@
+package main
+
+import (
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/rest_client_zrok/admin"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	adminDeleteCmd.AddCommand(newAdminDeleteAccountCommand().cmd)
+}
+
+type adminDeleteAccountCommand struct {
+	cmd *cobra.Command
+}
+
+func newAdminDeleteAccountCommand() *adminDeleteAccountCommand {
+	cmd := &cobra.Command{
+		Use:   "account <email>",
+		Short: "Delete an account and disable all allocated resources",
+		Args:  cobra.ExactArgs(1),
+	}
+	command := &adminDeleteAccountCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *adminDeleteAccountCommand) run(_ *cobra.Command, args []string) {
+	email := args[0]
+
+	root, err := environment.LoadRoot()
+	if err != nil {
+		panic(err)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		panic(err)
+	}
+
+	req := admin.NewDeleteAccountParams()
+	req.Body.Email = email
+
+	if _, err := zrok.Admin.DeleteAccount(req, mustGetAdminAuth()); err != nil {
+		panic(err)
+	}
+
+	logrus.Infof("deleted account '%v'", email)
+}
diff --git a/cmd/zrok/adminDeleteFrontend.go b/cmd/zrok/adminDeleteFrontend.go
@@ -42,8 +42,7 @@ func (cmd *adminDeleteFrontendCommand) run(_ *cobra.Command, args []string) {
 	req := admin.NewDeleteFrontendParams()
 	req.Body.FrontendToken = feToken
 
-	_, err = zrok.Admin.DeleteFrontend(req, mustGetAdminAuth())
-	if err != nil {
+	if _, err := zrok.Admin.DeleteFrontend(req, mustGetAdminAuth()); err != nil {
 		panic(err)
 	}
 

diff --git a/cmd/zrok/adminDeleteFrontendGrant.go b/cmd/zrok/adminDeleteFrontendGrant.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"os"
+
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/rest_client_zrok/admin"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	adminDeleteCmd.AddCommand(newAdminDeleteFrontendGrantCommand().cmd)
+}
+
+type adminDeleteFrontendGrantCommand struct {
+	cmd *cobra.Command
+}
+
+func newAdminDeleteFrontendGrantCommand() *adminDeleteFrontendGrantCommand {
+	cmd := &cobra.Command{
+		Use:     "frontend-grant <frontendToken> <accountEmail>",
+		Aliases: []string{"fg"},
+		Short:   "Remove account access from a frontend",
+		Args:    cobra.ExactArgs(2),
+	}
+	command := &adminDeleteFrontendGrantCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *adminDeleteFrontendGrantCommand) run(_ *cobra.Command, args []string) {
+	frontendToken := args[0]
+	accountEmail := args[1]
+
+	root, err := environment.LoadRoot()
+	if err != nil {
+		panic(err)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		panic(err)
+	}
+
+	req := admin.NewDeleteFrontendGrantParams()
+	req.Body.FrontendToken = frontendToken
+	req.Body.Email = accountEmail
+
+	if _, err := zrok.Admin.DeleteFrontendGrant(req, mustGetAdminAuth()); err != nil {
+		logrus.Errorf("error deleting frontend grant: %v", err)
+		os.Exit(1)
+	}
+
+	logrus.Infof("deleted frontend ('%v') grant for '%v'", frontendToken, accountEmail)
+}
diff --git a/controller/access.go b/controller/access.go
@@ -134,7 +134,7 @@ func (h *accessHandler) checkAccessGrants(shr *store.Share, ownerAccountId int,
 		logrus.Infof("accessing own share '%v' for '%v'", shr.Token, principal.Email)
 		return nil
 	}
-	count, err := str.CheckAccessGrantForShareAndAccount(shr.Id, int(principal.ID), trx)
+	count, err := str.IsAccessGrantedToAccountForShare(shr.Id, int(principal.ID), trx)
 	if err != nil {
 		logrus.Infof("error checking access grants for '%v': %v", shr.Token, err)
 		return err

diff --git a/controller/addFrontendGrant.go b/controller/addFrontendGrant.go
@@ -0,0 +1,64 @@
+package controller
+
+import (
+	"fmt"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/rest_server_zrok/operations/admin"
+	"github.com/sirupsen/logrus"
+)
+
+type addFrontendGrantHandler struct{}
+
+func newAddFrontendGrantHandler() *addFrontendGrantHandler {
+	return &addFrontendGrantHandler{}
+}
+
+func (h *addFrontendGrantHandler) Handle(params admin.AddFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	if !principal.Admin {
+		logrus.Error("invalid admin principal")
+		return admin.NewAddFrontendGrantUnauthorized()
+	}
+
+	trx, err := str.Begin()
+	if err != nil {
+		logrus.Errorf("error starting transaction: %v", err)
+		return admin.NewAddFrontendGrantInternalServerError()
+	}
+	defer trx.Rollback()
+
+	fe, err := str.FindFrontendWithToken(params.Body.FrontendToken, trx)
+	if err != nil {
+		logrus.Errorf("error finding frontend with token '%v': %v", params.Body.FrontendToken, err)
+		return admin.NewAddFrontendGrantNotFound().WithPayload(rest_model_zrok.ErrorMessage(fmt.Sprintf("frontend token '%v' not found", params.Body.FrontendToken)))
+	}
+
+	acct, err := str.FindAccountWithEmail(params.Body.Email, trx)
+	if err != nil {
+		logrus.Errorf("error finding account with email '%v': %v", params.Body.Email, err)
+		return admin.NewAddFrontendGrantNotFound().WithPayload(rest_model_zrok.ErrorMessage(fmt.Sprintf("account '%v' not found", params.Body.Email)))
+	}
+
+	if granted, err := str.IsFrontendGrantedToAccount(fe.Id, acct.Id, trx); err != nil {
+		logrus.Errorf("error checking frontend grant for account '%v' and frontend '%v': %v", acct.Email, fe.Token, err)
+		return admin.NewAddFrontendGrantInternalServerError()
+
+	} else if !granted {
+		if _, err := str.CreateFrontendGrant(fe.Id, acct.Id, trx); err != nil {
+			logrus.Errorf("error creating frontend ('%v') grant for '%v': %v", fe.Token, acct.Email, err)
+			return admin.NewAddFrontendGrantInternalServerError()
+		}
+		logrus.Infof("granted '%v' access to frontend '%v'", acct.Email, fe.Token)
+
+		if err := trx.Commit(); err != nil {
+			logrus.Errorf("error committing transaction: %v", err)
+			return admin.NewAddFrontendGrantInternalServerError()
+		}
+
+	} else {
+		logrus.Infof("account '%v' already granted access to frontend '%v'", acct.Email, fe.Token)
+	}
+
+	return admin.NewAddFrontendGrantOK()
+}
diff --git a/controller/controller.go b/controller/controller.go
@@ -2,6 +2,10 @@ package controller
 
 import (
 	"context"
+	"log"
+	"net/http"
+	_ "net/http/pprof"
+
 	"github.com/go-openapi/loads"
 	influxdb2 "github.com/influxdata/influxdb-client-go/v2"
 	"github.com/jessevdk/go-flags"
@@ -15,9 +19,6 @@ import (
 	"github.com/openziti/zrok/rest_server_zrok/operations/metadata"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-	"log"
-	"net/http"
-	_ "net/http/pprof"
 )
 
 var (
@@ -51,11 +52,14 @@ func Run(inCfg *config.Config) error {
 	api.AccountResetPasswordHandler = newResetPasswordHandler(cfg)
 	api.AccountResetPasswordRequestHandler = newResetPasswordRequestHandler()
 	api.AccountVerifyHandler = newVerifyHandler()
+	api.AdminAddFrontendGrantHandler = newAddFrontendGrantHandler()
 	api.AdminAddOrganizationMemberHandler = newAddOrganizationMemberHandler()
 	api.AdminCreateAccountHandler = newCreateAccountHandler()
 	api.AdminCreateFrontendHandler = newCreateFrontendHandler()
 	api.AdminCreateIdentityHandler = newCreateIdentityHandler()
 	api.AdminCreateOrganizationHandler = newCreateOrganizationHandler()
+	api.AdminDeleteAccountHandler = newDeleteAccountHandler()
+	api.AdminDeleteFrontendGrantHandler = newDeleteFrontendGrantHandler()
 	api.AdminDeleteFrontendHandler = newDeleteFrontendHandler()
 	api.AdminDeleteOrganizationHandler = newDeleteOrganizationHandler()
 	api.AdminGrantsHandler = newGrantsHandler()

diff --git a/controller/createAccount.go b/controller/createAccount.go
@@ -16,7 +16,7 @@ func newCreateAccountHandler() *createAccountHandler {
 
 func (h *createAccountHandler) Handle(params admin.CreateAccountParams, principal *rest_model_zrok.Principal) middleware.Responder {
 	if !principal.Admin {
-		logrus.Errorf("invalid admin principal")
+		logrus.Error("invalid admin principal")
 		return admin.NewCreateAccountUnauthorized()
 	}
 
@@ -36,9 +36,8 @@ func (h *createAccountHandler) Handle(params admin.CreateAccountParams, principa
 		logrus.Errorf("error starting transaction: %v", err)
 		return admin.NewCreateAccountInternalServerError()
 	}
-	defer func() {
-		_ = trx.Rollback()
-	}()
+	defer trx.Rollback()
+
 	a := &store.Account{
 		Email:    params.Body.Email,
 		Salt:     hpwd.Salt,