mirror of
https://github.com/gravitl/netmaker.git
synced 2026-04-22 16:07:11 +08:00
Abhishek Kondur
edda2868fc
* feat(go): add user schema; * feat(go): migrate to user schema; * feat(go): add audit fields; * feat(go): remove unused fields from the network model; * feat(go): add network schema; * feat(go): migrate to network schema; * refactor(go): add comment to clarify migration logic; * fix(go): test failures; * fix(go): test failures; * feat(go): change membership table to store memberships at all scopes; * feat(go): add schema for access grants; * feat(go): remove nameservers from new networks table; ensure db passed for schema functions; * feat(go): set max conns for sqlite to 1; * fix(go): issues updating user account status; * refactor(go): remove converters and access grants; * refactor(go): add json tags in schema models; * refactor(go): rename file to migrate_v1_6_0.go; * refactor(go): add user groups and user roles tables; use schema tables; * refactor(go): inline get and list from schema package; * refactor(go): inline get network and list users from schema package; * fix(go): staticcheck issues; * fix(go): remove test not in use; fix test case; * fix(go): validate network; * fix(go): resolve static checks; * fix(go): new models errors; * fix(go): test errors; * fix(go): handle no records; * fix(go): add validations for user object; * fix(go): set correct extclient status; * fix(go): test error; * feat(go): make schema the base package; * feat(go): add host schema; * feat(go): use schema host everywhere; * feat(go): inline get host, list hosts and delete host; * feat(go): use non-ptr value; * feat(go): use save to upsert all fields; * feat(go): use save to upsert all fields; * feat(go): save turn endpoint as string; * feat(go): check for gorm error record not found; * fix(go): test failures; * fix(go): update all network fields; * fix(go): update all network fields; * feat(go): add paginated list networks api; * feat(go): add paginated list users api; * feat(go): add paginated list hosts api; * feat(go): add pagination to list groups api; * fix(go): comment; * fix(go): implement marshal and unmarshal text for custom types; * fix(go): implement marshal and unmarshal json for custom types; * fix(go): just use the old model for unmarshalling; * fix(go): implement marshal and unmarshal json for custom types; * feat(go): remove paginated list networks api; * feat(go): use custom paginated response object; * fix(go): ensure default values for page and per_page are used when not passed; * fix(go): rename v1.6.0 to v1.5.1; * fix(go): check for gorm.ErrRecordNotFound instead of database.IsEmptyRecord; * fix(go): use host id, not pending host id; * feat(go): add filters to paginated apis; * feat(go): add filters to paginated apis; * feat(go): remove check for max username length; * feat(go): add filters to count as well; * feat(go): use library to check email address validity; * feat(go): ignore pagination if params not passed; * fix(go): pagination issues; * fix(go): check exists before using; * fix(go): remove debug log; * fix(go): use gorm err record not found; * fix(go): use gorm err record not found; * fix(go): use user principal name when creating pending user; * fix(go): use schema package for consts; * fix(go): prevent disabling superadmin user; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): swap is admin and is superadmin; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): remove dead code block; https://github.com/gravitl/netmaker/pull/3910#discussion_r2928837937 * fix(go): incorrect message when trying to disable self; https://github.com/gravitl/netmaker/pull/3910#discussion_r2928837934 * fix(go): use correct header; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): return after error response; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): use correct order of params; https://github.com/gravitl/netmaker/pull/3910#discussion_r2929593036 * fix(go): set default values for page and page size; use v2 instead of /list; * Update logic/auth.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * Update schema/user_roles.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): syntax error; * fix(go): set default values when page and per_page are not passed or 0; * fix(go): use uuid.parse instead of uuid.must parse; * fix(go): review errors; * fix(go): review errors; * Update controllers/user.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * Update controllers/user.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * NM-163: fix errors: * Update db/types/options.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): persist return user in event; * Update db/types/options.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * NM-163: duplicate lines of code * NM-163: fix(go): fix missing return and filter parsing in user controller - Add missing return after error response in updateUserAccountStatus to prevent double-response and spurious ext-client side-effects - Use switch statements in listUsers to skip unrecognized account_status and mfa_status filter values * fix(go): check for both min and max page size; * fix(go): enclose transfer superadmin in transaction; * fix(go): review errors; * fix(go): remove free tier checks; * fix(go): review fixes; --------- Co-authored-by: VishalDalwadi <dalwadivishal26@gmail.com> Co-authored-by: Vishal Dalwadi <51291657+VishalDalwadi@users.noreply.github.com> Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com>
474 lines
13 KiB
Go
474 lines
13 KiB
Go
package controller
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/gorilla/mux"
|
|
"github.com/gravitl/netmaker/db"
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/logic"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/mq"
|
|
"github.com/gravitl/netmaker/schema"
|
|
"gorm.io/datatypes"
|
|
)
|
|
|
|
func egressHandlers(r *mux.Router) {
|
|
r.HandleFunc("/api/v1/egress", logic.SecurityCheck(true, http.HandlerFunc(createEgress))).Methods(http.MethodPost)
|
|
r.HandleFunc("/api/v1/egress", logic.SecurityCheck(true, http.HandlerFunc(listEgress))).Methods(http.MethodGet)
|
|
r.HandleFunc("/api/v1/egress", logic.SecurityCheck(true, http.HandlerFunc(updateEgress))).Methods(http.MethodPut)
|
|
r.HandleFunc("/api/v1/egress", logic.SecurityCheck(true, http.HandlerFunc(deleteEgress))).Methods(http.MethodDelete)
|
|
}
|
|
|
|
// @Summary Create Egress Resource
|
|
// @Router /api/v1/egress [post]
|
|
// @Tags Egress
|
|
// @Security oauth
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param body body models.EgressReq true "Egress request data"
|
|
// @Success 200 {object} schema.Egress
|
|
// @Failure 400 {object} models.ErrorResponse
|
|
// @Failure 401 {object} models.ErrorResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func createEgress(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var req models.EgressReq
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
logger.Log(0, "error decoding request body: ",
|
|
err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
var egressRange string
|
|
if !req.IsInetGw {
|
|
if req.Range != "" {
|
|
var err error
|
|
egressRange, err = logic.NormalizeCIDR(req.Range)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
}
|
|
|
|
if req.Domain != "" {
|
|
isDomain := logic.IsFQDN(req.Domain)
|
|
if !isDomain {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("bad domain name"), "badrequest"))
|
|
return
|
|
}
|
|
|
|
egressRange = ""
|
|
}
|
|
} else {
|
|
egressRange = "*"
|
|
req.Domain = ""
|
|
}
|
|
network := &schema.Network{Name: req.Network}
|
|
err = network.Get(r.Context())
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
e := schema.Egress{
|
|
ID: uuid.New().String(),
|
|
Name: req.Name,
|
|
Network: req.Network,
|
|
Description: req.Description,
|
|
Range: egressRange,
|
|
Domain: req.Domain,
|
|
DomainAns: []string{},
|
|
Nat: req.Nat,
|
|
Mode: req.Mode,
|
|
Nodes: make(datatypes.JSONMap),
|
|
Tags: make(datatypes.JSONMap),
|
|
Status: true,
|
|
CreatedBy: r.Header.Get("user"),
|
|
CreatedAt: time.Now().UTC(),
|
|
}
|
|
if err := logic.AssignVirtualRangeToEgress(network, &e); err != nil {
|
|
logger.Log(0, "error assigning virtual range to egress: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
logger.Log(1, fmt.Sprintf("createEgress: after AssignVirtualRangeToEgress, e.VirtualRange = '%s', e.Mode = '%s', e.Nat = %v", e.VirtualRange, e.Mode, e.Nat))
|
|
if len(req.Tags) > 0 {
|
|
for tagID, metric := range req.Tags {
|
|
e.Tags[tagID] = metric
|
|
}
|
|
e.Nodes = make(datatypes.JSONMap)
|
|
} else {
|
|
for nodeID, metric := range req.Nodes {
|
|
e.Nodes[nodeID] = metric
|
|
}
|
|
}
|
|
if err := logic.ValidateEgressReq(&e); err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
err = e.Create(db.WithContext(r.Context()))
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(
|
|
w,
|
|
r,
|
|
logic.FormatError(errors.New("error creating egress resource"+err.Error()), "internal"),
|
|
)
|
|
return
|
|
}
|
|
logic.LogEvent(&models.Event{
|
|
Action: schema.Create,
|
|
Source: models.Subject{
|
|
ID: r.Header.Get("user"),
|
|
Name: r.Header.Get("user"),
|
|
Type: schema.UserSub,
|
|
},
|
|
TriggeredBy: r.Header.Get("user"),
|
|
Target: models.Subject{
|
|
ID: e.ID,
|
|
Name: e.Name,
|
|
Type: schema.EgressSub,
|
|
},
|
|
NetworkID: schema.NetworkID(e.Network),
|
|
Origin: schema.Dashboard,
|
|
})
|
|
// for nodeID := range e.Nodes {
|
|
// node, err := logic.GetNodeByID(nodeID)
|
|
// if err != nil {
|
|
// logic.AddEgressInfoToNode(&node, e)
|
|
// logic.UpsertNode(&node)
|
|
// }
|
|
|
|
// }
|
|
if req.Domain != "" {
|
|
if req.Nodes != nil {
|
|
for nodeID := range req.Nodes {
|
|
node, err := logic.GetNodeByID(nodeID)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
host := &schema.Host{
|
|
ID: node.HostID,
|
|
}
|
|
err = host.Get(r.Context())
|
|
if err != nil {
|
|
continue
|
|
}
|
|
mq.HostUpdate(&models.HostUpdate{
|
|
Action: models.EgressUpdate,
|
|
Host: *host,
|
|
EgressDomain: models.EgressDomain{
|
|
ID: e.ID,
|
|
Host: *host,
|
|
Node: node,
|
|
Domain: e.Domain,
|
|
},
|
|
Node: node,
|
|
})
|
|
}
|
|
}
|
|
|
|
} else {
|
|
go mq.PublishPeerUpdate(false)
|
|
}
|
|
|
|
logic.ReturnSuccessResponseWithJson(w, r, e, "created egress resource")
|
|
}
|
|
|
|
// @Summary List Egress Resources
|
|
// @Router /api/v1/egress [get]
|
|
// @Tags Egress
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param network query string true "Network identifier"
|
|
// @Success 200 {array} schema.Egress
|
|
// @Failure 400 {object} models.ErrorResponse
|
|
// @Failure 401 {object} models.ErrorResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func listEgress(w http.ResponseWriter, r *http.Request) {
|
|
|
|
network := r.URL.Query().Get("network")
|
|
if network == "" {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), "badrequest"))
|
|
return
|
|
}
|
|
e := schema.Egress{Network: network}
|
|
list, err := e.ListByNetwork(db.WithContext(r.Context()))
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(
|
|
w,
|
|
r,
|
|
logic.FormatError(errors.New("error listing egress resource"+err.Error()), "internal"),
|
|
)
|
|
return
|
|
}
|
|
logic.ReturnSuccessResponseWithJson(w, r, list, "fetched egress resource list")
|
|
}
|
|
|
|
// @Summary Update Egress Resource
|
|
// @Router /api/v1/egress [put]
|
|
// @Tags Egress
|
|
// @Security oauth
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param body body models.EgressReq true "Egress request data"
|
|
// @Success 200 {object} schema.Egress
|
|
// @Failure 400 {object} models.ErrorResponse
|
|
// @Failure 401 {object} models.ErrorResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func updateEgress(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var req models.EgressReq
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
logger.Log(0, "error decoding request body: ",
|
|
err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
network := &schema.Network{Name: req.Network}
|
|
err = network.Get(r.Context())
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
var egressRange string
|
|
if !req.IsInetGw {
|
|
if req.Range != "" {
|
|
var err error
|
|
egressRange, err = logic.NormalizeCIDR(req.Range)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
}
|
|
|
|
if req.Domain != "" {
|
|
isDomain := logic.IsFQDN(req.Domain)
|
|
if !isDomain {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("bad domain name"), "badrequest"))
|
|
return
|
|
}
|
|
|
|
egressRange = ""
|
|
}
|
|
} else {
|
|
egressRange = "*"
|
|
req.Domain = ""
|
|
}
|
|
|
|
e := schema.Egress{ID: req.ID}
|
|
err = e.Get(db.WithContext(r.Context()))
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
// Store old mode for comparison (before we modify e)
|
|
oldMode := e.Mode
|
|
|
|
// Update Range first so AssignVirtualRangeToEgress can use the correct range
|
|
e.Range = egressRange
|
|
|
|
// Update mode and NAT before calling AssignVirtualRangeToEgress
|
|
// This ensures the function sees the new values
|
|
if req.Mode != schema.VirtualNAT || !req.Nat {
|
|
e.Mode = schema.DirectNAT
|
|
if !req.Nat {
|
|
e.Mode = ""
|
|
}
|
|
e.Nat = req.Nat
|
|
e.VirtualRange = ""
|
|
} else {
|
|
// Switching to virtual NAT mode
|
|
e.Mode = req.Mode
|
|
e.Nat = req.Nat
|
|
// Assign virtual range if switching to virtual NAT mode from a different mode,
|
|
// or if already in virtual NAT mode but virtual range is empty
|
|
if (oldMode != schema.VirtualNAT) || (e.VirtualRange == "") {
|
|
if err := logic.AssignVirtualRangeToEgress(network, &e); err != nil {
|
|
logger.Log(0, "error assigning virtual range to egress: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
}
|
|
}
|
|
event := &models.Event{
|
|
Action: schema.Update,
|
|
Source: models.Subject{
|
|
ID: r.Header.Get("user"),
|
|
Name: r.Header.Get("user"),
|
|
Type: schema.UserSub,
|
|
},
|
|
TriggeredBy: r.Header.Get("user"),
|
|
Target: models.Subject{
|
|
ID: e.ID,
|
|
Name: e.Name,
|
|
Type: schema.EgressSub,
|
|
},
|
|
Diff: models.Diff{
|
|
Old: e,
|
|
},
|
|
NetworkID: schema.NetworkID(e.Network),
|
|
Origin: schema.Dashboard,
|
|
}
|
|
e.Nodes = make(datatypes.JSONMap)
|
|
e.Tags = make(datatypes.JSONMap)
|
|
if len(req.Tags) > 0 {
|
|
for tagID, metric := range req.Tags {
|
|
e.Tags[tagID] = metric
|
|
}
|
|
e.Nodes = make(datatypes.JSONMap)
|
|
} else {
|
|
for nodeID, metric := range req.Nodes {
|
|
e.Nodes[nodeID] = metric
|
|
}
|
|
}
|
|
if e.Domain != req.Domain {
|
|
e.DomainAns = datatypes.JSONSlice[string]{}
|
|
}
|
|
// Update fields from request (Mode and Nat are already set correctly above)
|
|
e.Range = egressRange
|
|
e.Description = req.Description
|
|
e.Name = req.Name
|
|
e.Domain = req.Domain
|
|
e.Status = req.Status
|
|
e.UpdatedAt = time.Now().UTC()
|
|
if err := logic.ValidateEgressReq(&e); err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
|
|
// Build update map with all fields including zero values
|
|
// GORM's Updates(&e) doesn't update zero values, so we use a map explicitly
|
|
updateMap := map[string]any{
|
|
"name": e.Name,
|
|
"description": e.Description,
|
|
"range": e.Range,
|
|
"domain": e.Domain,
|
|
"nat": e.Nat,
|
|
"mode": e.Mode,
|
|
"status": e.Status,
|
|
"nodes": e.Nodes,
|
|
"tags": e.Tags,
|
|
"domain_ans": e.DomainAns,
|
|
"virtual_range": e.VirtualRange,
|
|
"updated_at": e.UpdatedAt,
|
|
}
|
|
|
|
// Perform single update with all fields including zero values
|
|
err = db.FromContext(r.Context()).Table(e.Table()).Where("id = ?", e.ID).Updates(updateMap).Error
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(
|
|
w,
|
|
r,
|
|
logic.FormatError(errors.New("error updating egress resource: "+err.Error()), "internal"),
|
|
)
|
|
return
|
|
}
|
|
event.Diff.New = e
|
|
logic.LogEvent(event)
|
|
if req.Domain != "" {
|
|
if req.Nodes != nil {
|
|
for nodeID := range req.Nodes {
|
|
node, err := logic.GetNodeByID(nodeID)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
host := &schema.Host{
|
|
ID: node.HostID,
|
|
}
|
|
err = host.Get(r.Context())
|
|
if err != nil {
|
|
continue
|
|
}
|
|
mq.HostUpdate(&models.HostUpdate{
|
|
Action: models.EgressUpdate,
|
|
Host: *host,
|
|
EgressDomain: models.EgressDomain{
|
|
ID: e.ID,
|
|
Host: *host,
|
|
Node: node,
|
|
Domain: e.Domain,
|
|
},
|
|
Node: node,
|
|
})
|
|
}
|
|
}
|
|
|
|
}
|
|
go mq.PublishPeerUpdate(false)
|
|
logic.ReturnSuccessResponseWithJson(w, r, e, "updated egress resource")
|
|
}
|
|
|
|
// @Summary Delete Egress Resource
|
|
// @Router /api/v1/egress [delete]
|
|
// @Tags Egress
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param id query string true "Egress resource ID"
|
|
// @Success 200 {object} models.SuccessResponse
|
|
// @Failure 400 {object} models.ErrorResponse
|
|
// @Failure 401 {object} models.ErrorResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func deleteEgress(w http.ResponseWriter, r *http.Request) {
|
|
|
|
id := r.URL.Query().Get("id")
|
|
if id == "" {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("id is required"), "badrequest"))
|
|
return
|
|
}
|
|
e := schema.Egress{ID: id}
|
|
err := e.Get(db.WithContext(r.Context()))
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
|
|
return
|
|
}
|
|
err = e.Delete(db.WithContext(r.Context()))
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.Internal))
|
|
return
|
|
}
|
|
logic.LogEvent(&models.Event{
|
|
Action: schema.Delete,
|
|
Source: models.Subject{
|
|
ID: r.Header.Get("user"),
|
|
Name: r.Header.Get("user"),
|
|
Type: schema.UserSub,
|
|
},
|
|
TriggeredBy: r.Header.Get("user"),
|
|
Target: models.Subject{
|
|
ID: e.ID,
|
|
Name: e.Name,
|
|
Type: schema.EgressSub,
|
|
},
|
|
NetworkID: schema.NetworkID(e.Network),
|
|
Origin: schema.Dashboard,
|
|
Diff: models.Diff{
|
|
Old: e,
|
|
New: nil,
|
|
},
|
|
})
|
|
// delete related acl policies
|
|
acls := logic.ListAcls()
|
|
for _, acl := range acls {
|
|
|
|
for i := len(acl.Dst) - 1; i >= 0; i-- {
|
|
if acl.Dst[i].ID == models.EgressID && acl.Dst[i].Value == id {
|
|
acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)
|
|
}
|
|
}
|
|
if len(acl.Dst) == 0 {
|
|
logic.DeleteAcl(acl)
|
|
} else {
|
|
logic.UpsertAcl(acl)
|
|
}
|
|
}
|
|
go mq.PublishPeerUpdate(false)
|
|
logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted egress resource")
|
|
}
|