mirror of
https://github.com/gravitl/netmaker.git
synced 2026-04-22 16:07:11 +08:00
Abhishek Kondur
292af315dd
* feat(go): add user schema; * feat(go): migrate to user schema; * feat(go): add audit fields; * feat(go): remove unused fields from the network model; * feat(go): add network schema; * feat(go): migrate to network schema; * refactor(go): add comment to clarify migration logic; * fix(go): test failures; * fix(go): test failures; * feat(go): change membership table to store memberships at all scopes; * feat(go): add schema for access grants; * feat(go): remove nameservers from new networks table; ensure db passed for schema functions; * feat(go): set max conns for sqlite to 1; * fix(go): issues updating user account status; * NM-236: streamline operations in HA mode * NM-236: only master pod should subscribe to updates from clients * refactor(go): remove converters and access grants; * refactor(go): add json tags in schema models; * refactor(go): rename file to migrate_v1_6_0.go; * refactor(go): add user groups and user roles tables; use schema tables; * refactor(go): inline get and list from schema package; * refactor(go): inline get network and list users from schema package; * fix(go): staticcheck issues; * fix(go): remove test not in use; fix test case; * fix(go): validate network; * fix(go): resolve static checks; * fix(go): new models errors; * fix(go): test errors; * fix(go): handle no records; * fix(go): add validations for user object; * fix(go): set correct extclient status; * fix(go): test error; * feat(go): make schema the base package; * feat(go): add host schema; * feat(go): use schema host everywhere; * feat(go): inline get host, list hosts and delete host; * feat(go): use non-ptr value; * feat(go): use save to upsert all fields; * feat(go): use save to upsert all fields; * feat(go): save turn endpoint as string; * feat(go): check for gorm error record not found; * fix(go): test failures; * fix(go): update all network fields; * fix(go): update all network fields; * feat(go): add paginated list networks api; * feat(go): add paginated list users api; * feat(go): add paginated list hosts api; * feat(go): add pagination to list groups api; * fix(go): comment; * fix(go): implement marshal and unmarshal text for custom types; * fix(go): implement marshal and unmarshal json for custom types; * fix(go): just use the old model for unmarshalling; * fix(go): implement marshal and unmarshal json for custom types; * NM-271:Import swap: compress/gzip replaced with github.com/klauspost/compress/gzip (2-4x faster, wire-compatible output). Added sync import. Two sync.Pool variables (gzipWriterPool, bufferPool): reuse gzip.Writer and bytes.Buffer across calls instead of allocating fresh ones per publish. compressPayload rewritten: pulls writer + buffer from pools, resets them, compresses at gzip.BestSpeed (level 1), copies the result out of the pooled buffer, and returns both objects to the pools. * feat(go): remove paginated list networks api; * feat(go): use custom paginated response object; * NM-271: Improve server scalability under high host count - Replace stdlib compress/gzip with klauspost/compress at BestSpeed and pool gzip writers and buffers via sync.Pool to eliminate compression as the dominant CPU hotspot. - Debounce peer update broadcasts with a 500ms resettable window capped at 3s max-wait, coalescing rapid-fire PublishPeerUpdate calls into a single broadcast cycle. - Cache HostPeerInfo (batch-refreshed by debounce worker) and HostPeerUpdate (stored as side-effect of each publish) so the pull API and peer_info API serve from pre-computed maps instead of triggering expensive per-host computations under thundering herd conditions. - Warm both caches synchronously at startup before the first publish cycle so early pull requests are served instantly. - Bound concurrent MQTT publishes to 5 via semaphore to prevent broker TCP buffer overflows that caused broken pipe disconnects. - Remove manual Disconnect+SetupMQTT from ConnectionLostHandler and rely on the paho client's built-in AutoReconnect; add a 5s retry wait in publish() to ride out brief reconnection windows. * NM-271: Reduce server CPU contention under high concurrent load - Cache ServerSettings with atomic.Value to eliminate repeated DB reads on every pull request (was 32+ goroutines blocked on read lock) - Batch UpdateNodeCheckin writes in memory, flush every 30s to reduce per-checkin write lock contention (was 88+ goroutines blocked) - Enable SQLite WAL mode + busy_timeout and remove global dbMutex; let SQLite handle concurrency natively (reads no longer block writes) - Move ResetFailedOverPeer/ResetAutoRelayedPeer to async in pull() handler since results don't affect the cached response - Skip no-op UpsertNode writes in failover/relay reset functions (early return when node has no failover/relay state) - Remove CheckHostPorts from hostUpdateFallback hot path - Switch to pure-Go SQLite driver (glebarez/sqlite), set CGO_ENABLED=0 * fix(go): ensure default values for page and per_page are used when not passed; * fix(go): rename v1.6.0 to v1.5.1; * fix(go): check for gorm.ErrRecordNotFound instead of database.IsEmptyRecord; * fix(go): use host id, not pending host id; * NM-271: Revert pure-Go SQLite and FIPS disable to verify impact Revert to CGO-based mattn/go-sqlite3 driver and re-enable FIPS to isolate whether these changes are still needed now that the global dbMutex has been removed and WAL mode is enabled. Keep WAL mode pragma with mattn-compatible DSN format. * feat(go): add filters to paginated apis; * feat(go): add filters to paginated apis; * feat(go): remove check for max username length; * feat(go): add filters to count as well; * feat(go): use library to check email address validity; * feat(go): ignore pagination if params not passed; * fix(go): pagination issues; * fix(go): check exists before using; * fix(go): remove debug log; * NM-271: rm debug logs * NM-271: check if caching is enabled * NM-271: add server sync mq topic for HA mode * NM-271: fix build * NM-271: push metrics in batch to exproter over api * NM-271: use basic auth for exporter metrics api * fix(go): use gorm err record not found; * NM-271: Add monitoring stack on demand * NM-271: -m arg for install script should only add monitoring stack * fix(go): use gorm err record not found; * NM-271: update docker compose file for prometheus * NM-271: update docker compose file for prometheus * fix(go): use user principal name when creating pending user; * fix(go): use schema package for consts; * NM-236: rm duplicate network hook * NM-271: add server topic to reset idp hooks on master node * fix(go): prevent disabling superadmin user; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): swap is admin and is superadmin; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): remove dead code block; https://github.com/gravitl/netmaker/pull/3910#discussion_r2928837937 * fix(go): incorrect message when trying to disable self; https://github.com/gravitl/netmaker/pull/3910#discussion_r2928837934 * NM-271: fix stale peers on reset_failovered pull and add HTTP timeout to metrics exporter Run the failover/relay reset synchronously in the pull handler so the response reflects post-reset topology instead of serving stale cached peers. Add a 30s timeout to the metrics exporter HTTP client to prevent PushAllMetricsToExporter from blocking the Keepalive loop. * NM-271: fix gzip pool corruption, MQTT topic mismatch, stale settings cache, and reduce redundant DB fetches - Only return gzip.Writer to pool after successful Close to prevent silently malformed MQTT payloads from a previously errored writer. - Fix serversync subscription to exact topic match since syncType is now in the message payload, not the topic path. - Prevent zero-value ServerSettings from being cached indefinitely when the DB record is missing or unmarshal fails on startup. - Return fetched hosts/nodes from RefreshHostPeerInfoCache so warmPeerCaches reuses them instead of querying the DB twice. - Compute fresh HostPeerUpdate on reset_failovered pull instead of serving stale cache, and store result back for subsequent requests. * NM-271: fix gzip writer pool leak, log checkin flush errors, and fix master pod ordinal parsing - Reset gzip.Writer to io.Discard before returning to pool so errored writers are never leaked or silently reused with corrupt state. - Track and log failed DB inserts in FlushNodeCheckins so operators have visibility when check-in timestamps are lost. - Parse StatefulSet pod ordinal as integer instead of using HasSuffix to prevent netmaker-10 from being misidentified as master pod. * NM-271: simplify masterpod logic * fix(go): use correct header; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): return after error response; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): use correct order of params; https://github.com/gravitl/netmaker/pull/3910#discussion_r2929593036 * fix(go): set default values for page and page size; use v2 instead of /list; * NM-271: use host name * Update mq/serversync.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * NM-271: fix duplicate serversynce case * NM-271: streamline gw updates * Update logic/auth.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * Update schema/user_roles.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): syntax error; * fix(go): set default values when page and per_page are not passed or 0; * fix(go): use uuid.parse instead of uuid.must parse; * fix(go): review errors; * fix(go): review errors; * Update controllers/user.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * Update controllers/user.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * NM-163: fix errors: * Update db/types/options.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): persist return user in event; * Update db/types/options.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * NM-271: signal pull on ip changes * NM-163: duplicate lines of code * NM-163: fix(go): fix missing return and filter parsing in user controller - Add missing return after error response in updateUserAccountStatus to prevent double-response and spurious ext-client side-effects - Use switch statements in listUsers to skip unrecognized account_status and mfa_status filter values * NM-271: signal pull req on node ip change * fix(go): check for both min and max page size; * NM-271: refresh node object before update * fix(go): enclose transfer superadmin in transaction; * fix(go): review errors; * fix(go): remove free tier checks; * fix(go): review fixes; * NM-271: streamline ip pool ops * NM-271: fix tests, set max idle conns * NM-271: fix(go): fix data races in settings cache and peer update worker - Use pointer type in atomic.Value for serverSettingsCache to avoid replacing the variable non-atomically in InvalidateServerSettingsCache - Swap peerUpdateReplace flag before draining the channel to prevent a concurrent replacePeers=true from being consumed by the wrong cycle --------- Co-authored-by: VishalDalwadi <dalwadivishal26@gmail.com> Co-authored-by: Vishal Dalwadi <51291657+VishalDalwadi@users.noreply.github.com> Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com>
745 lines
24 KiB
Go
745 lines
24 KiB
Go
package controller
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/gravitl/netmaker/database"
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/logic"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/mq"
|
|
"github.com/gravitl/netmaker/schema"
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"golang.org/x/exp/slog"
|
|
)
|
|
|
|
var hostIDHeader = "host-id"
|
|
|
|
func nodeHandlers(r *mux.Router) {
|
|
|
|
r.HandleFunc("/api/nodes", logic.SecurityCheck(true, http.HandlerFunc(getAllNodes))).Methods(http.MethodGet)
|
|
r.HandleFunc("/api/nodes/{network}", logic.SecurityCheck(true, http.HandlerFunc(getNetworkNodes))).Methods(http.MethodGet)
|
|
r.HandleFunc("/api/nodes/{network}/{nodeid}", AuthorizeHost(http.HandlerFunc(getNode))).Methods(http.MethodGet)
|
|
r.HandleFunc("/api/nodes/{network}/{nodeid}", logic.SecurityCheck(true, http.HandlerFunc(updateNode))).Methods(http.MethodPut)
|
|
r.HandleFunc("/api/nodes/{network}/{nodeid}", AuthorizeHost(http.HandlerFunc(deleteNode))).Methods(http.MethodDelete)
|
|
r.HandleFunc("/api/nodes/{network}/{nodeid}/creategateway", logic.SecurityCheck(true, http.HandlerFunc(createEgressGateway))).Methods(http.MethodPost)
|
|
r.HandleFunc("/api/nodes/{network}/{nodeid}/deletegateway", logic.SecurityCheck(true, http.HandlerFunc(deleteEgressGateway))).Methods(http.MethodDelete)
|
|
r.HandleFunc("/api/nodes/{network}/{nodeid}/createingress", logic.SecurityCheck(true, http.HandlerFunc(createGateway))).Methods(http.MethodPost)
|
|
r.HandleFunc("/api/nodes/{network}/{nodeid}/deleteingress", logic.SecurityCheck(true, http.HandlerFunc(deleteGateway))).Methods(http.MethodDelete)
|
|
r.HandleFunc("/api/nodes/adm/{network}/authenticate", authenticate).Methods(http.MethodPost)
|
|
r.HandleFunc("/api/v1/nodes/{network}/status", logic.SecurityCheck(true, http.HandlerFunc(getNetworkNodeStatus))).Methods(http.MethodGet)
|
|
r.HandleFunc("/api/v1/nodes/migrate", migrate).Methods(http.MethodPost)
|
|
}
|
|
|
|
func authenticate(response http.ResponseWriter, request *http.Request) {
|
|
|
|
var authRequest models.AuthParams
|
|
var result models.Node
|
|
var errorResponse = models.ErrorResponse{
|
|
Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
|
|
}
|
|
|
|
decoder := json.NewDecoder(request.Body)
|
|
decoderErr := decoder.Decode(&authRequest)
|
|
defer request.Body.Close()
|
|
|
|
if decoderErr != nil {
|
|
errorResponse.Code = http.StatusBadRequest
|
|
errorResponse.Message = decoderErr.Error()
|
|
logger.Log(0, request.Header.Get("user"), "error decoding request body: ",
|
|
decoderErr.Error())
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
}
|
|
errorResponse.Code = http.StatusBadRequest
|
|
if authRequest.ID == "" {
|
|
errorResponse.Message = "W1R3: ID can't be empty"
|
|
logger.Log(0, request.Header.Get("user"), errorResponse.Message)
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
} else if authRequest.Password == "" {
|
|
errorResponse.Message = "W1R3: Password can't be empty"
|
|
logger.Log(0, request.Header.Get("user"), errorResponse.Message)
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
}
|
|
var err error
|
|
result, err = logic.GetNodeByID(authRequest.ID)
|
|
if err != nil {
|
|
result, err = logic.GetDeletedNodeByID(authRequest.ID)
|
|
if err != nil {
|
|
errorResponse.Code = http.StatusBadRequest
|
|
errorResponse.Message = err.Error()
|
|
logger.Log(0, request.Header.Get("user"),
|
|
fmt.Sprintf("failed to get node info [%s]: %v", authRequest.ID, err))
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
}
|
|
}
|
|
host := &schema.Host{
|
|
ID: result.HostID,
|
|
}
|
|
err = host.Get(request.Context())
|
|
if err != nil {
|
|
errorResponse.Code = http.StatusBadRequest
|
|
errorResponse.Message = err.Error()
|
|
logger.Log(0, request.Header.Get("user"),
|
|
"error retrieving host: ", result.HostID.String(), err.Error())
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
}
|
|
err = bcrypt.CompareHashAndPassword([]byte(host.HostPass), []byte(authRequest.Password))
|
|
if err != nil {
|
|
errorResponse.Code = http.StatusBadRequest
|
|
errorResponse.Message = err.Error()
|
|
logger.Log(0, request.Header.Get("user"),
|
|
"error validating user password: ", err.Error())
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
}
|
|
|
|
tokenString, err := logic.CreateJWT(authRequest.ID, authRequest.MacAddress, result.Network)
|
|
if tokenString == "" {
|
|
errorResponse.Code = http.StatusBadRequest
|
|
errorResponse.Message = "Could not create Token"
|
|
logger.Log(0, request.Header.Get("user"),
|
|
fmt.Sprintf("%s: %v", errorResponse.Message, err))
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
}
|
|
|
|
var successResponse = models.SuccessResponse{
|
|
Code: http.StatusOK,
|
|
Message: "W1R3: Device " + authRequest.ID + " Authorized",
|
|
Response: models.SuccessfulLoginResponse{
|
|
AuthToken: tokenString,
|
|
ID: authRequest.ID,
|
|
},
|
|
}
|
|
successJSONResponse, jsonError := json.Marshal(successResponse)
|
|
|
|
if jsonError != nil {
|
|
errorResponse.Code = http.StatusBadRequest
|
|
errorResponse.Message = err.Error()
|
|
logger.Log(0, request.Header.Get("user"),
|
|
"error marshalling resp: ", err.Error())
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
|
return
|
|
}
|
|
response.WriteHeader(http.StatusOK)
|
|
response.Header().Set("Content-Type", "application/json")
|
|
response.Write(successJSONResponse)
|
|
}
|
|
|
|
// AuthorizeHost - middleware that authenticates a host via JWT and ensures
|
|
// the host is only operating on its own resources (matched by hostid/nodeid path params).
|
|
func AuthorizeHost(
|
|
next http.Handler,
|
|
) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
var forbiddenResponse = models.ErrorResponse{
|
|
Code: http.StatusForbidden, Message: logic.Forbidden_Msg,
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
bearerToken := r.Header.Get("Authorization")
|
|
var tokenSplit = strings.Split(bearerToken, " ")
|
|
var authToken = ""
|
|
|
|
if len(tokenSplit) < 2 {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(logic.Unauthorized_Err, logic.Unauthorized_Msg))
|
|
return
|
|
} else {
|
|
authToken = tokenSplit[1]
|
|
}
|
|
|
|
hostID, _, _, err := logic.VerifyHostToken(authToken)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(logic.Unauthorized_Err, logic.Unauthorized_Msg))
|
|
return
|
|
}
|
|
|
|
// master key bypasses ownership checks
|
|
if hostID != logic.MasterUser {
|
|
params := mux.Vars(r)
|
|
if paramHostID := params["hostid"]; paramHostID != "" && hostID != paramHostID {
|
|
logic.ReturnErrorResponse(w, r, forbiddenResponse)
|
|
return
|
|
}
|
|
if nodeID := params["nodeid"]; nodeID != "" {
|
|
node, err := logic.GetNodeByID(nodeID)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
if node.HostID.String() != hostID {
|
|
logic.ReturnErrorResponse(w, r, forbiddenResponse)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
r.Header.Set(hostIDHeader, hostID)
|
|
next.ServeHTTP(w, r)
|
|
}
|
|
}
|
|
|
|
// @Summary Gets all nodes associated with network including pending nodes
|
|
// @Router /api/nodes/{network} [get]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param network path string true "Network ID"
|
|
// @Success 200 {array} models.ApiNode
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func getNetworkNodes(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
var params = mux.Vars(r)
|
|
networkName := params["network"]
|
|
nodes, err := logic.GetNetworkNodes(networkName)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"),
|
|
fmt.Sprintf("error fetching nodes on network %s: %v", networkName, err))
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
nodes = logic.AddStaticNodestoList(nodes)
|
|
nodes = logic.AddStatusToNodes(nodes, false)
|
|
// returns all the nodes in JSON/API format
|
|
apiNodes := logic.GetAllNodesAPI(nodes[:])
|
|
for i := range apiNodes {
|
|
apiNodes[i].StaticNode.PrivateKey = ""
|
|
}
|
|
logger.Log(2, r.Header.Get("user"), "fetched nodes on network", networkName)
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(apiNodes)
|
|
}
|
|
|
|
// @Summary Get all nodes across all networks
|
|
// @Router /api/nodes [get]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Success 200 {array} models.ApiNode
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func getAllNodes(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
var nodes []models.Node
|
|
nodes, err := logic.GetAllNodes()
|
|
if err != nil {
|
|
logger.Log(0, "error fetching all nodes info: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
username := r.Header.Get("user")
|
|
if r.Header.Get("ismaster") == "no" {
|
|
user := &schema.User{Username: username}
|
|
err = user.Get(r.Context())
|
|
if err != nil {
|
|
return
|
|
}
|
|
userPlatformRole := &schema.UserRole{ID: user.PlatformRoleID}
|
|
err = userPlatformRole.Get(r.Context())
|
|
if err != nil {
|
|
return
|
|
}
|
|
if !userPlatformRole.FullAccess {
|
|
nodes = logic.GetFilteredNodesByUserAccess(user, nodes)
|
|
}
|
|
|
|
}
|
|
nodes = logic.AddStaticNodestoList(nodes)
|
|
nodes = logic.AddStatusToNodes(nodes, false)
|
|
// return all the nodes in JSON/API format
|
|
apiNodes := logic.GetAllNodesAPI(nodes[:])
|
|
for i := range apiNodes {
|
|
apiNodes[i].StaticNode.PrivateKey = ""
|
|
}
|
|
logger.Log(3, r.Header.Get("user"), "fetched all nodes they have access to")
|
|
logic.SortApiNodes(apiNodes[:])
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(apiNodes)
|
|
}
|
|
|
|
// @Summary Get all nodes status on the network
|
|
// @Router /api/v1/nodes/{network}/status [get]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param network path string true "Network ID"
|
|
// @Success 200 {object} map[string]models.NodeStatus
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func getNetworkNodeStatus(w http.ResponseWriter, r *http.Request) {
|
|
var params = mux.Vars(r)
|
|
netID := params["network"]
|
|
// validate network
|
|
err := (&schema.Network{Name: netID}).Get(r.Context())
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to get network %v", err), "badrequest"))
|
|
return
|
|
}
|
|
var nodes []models.Node
|
|
nodes, err = logic.GetNetworkNodes(netID)
|
|
if err != nil {
|
|
logger.Log(0, "error fetching all nodes info: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
nodes = logic.AddStaticNodestoList(nodes)
|
|
nodes = logic.AddStatusToNodes(nodes, true)
|
|
// return all the nodes in JSON/API format
|
|
apiNodesStatusMap := logic.GetNodesStatusAPI(nodes[:])
|
|
logger.Log(3, r.Header.Get("user"), "fetched all nodes they have access to")
|
|
logic.ReturnSuccessResponseWithJson(w, r, apiNodesStatusMap, "fetched nodes with metric status")
|
|
}
|
|
|
|
// @Summary Get an individual node
|
|
// @Router /api/nodes/{network}/{nodeid} [get]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param network path string true "Network ID"
|
|
// @Param nodeid path string true "Node ID"
|
|
// @Success 200 {object} models.NodeGet
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func getNode(w http.ResponseWriter, r *http.Request) {
|
|
// set header.
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
var params = mux.Vars(r)
|
|
nodeid := params["nodeid"]
|
|
|
|
node, err := logic.ValidateParams(nodeid, params["network"])
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
host := &schema.Host{
|
|
ID: node.HostID,
|
|
}
|
|
err = host.Get(r.Context())
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"),
|
|
fmt.Sprintf("error fetching host for node [ %s ] info: %v", nodeid, err))
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
allNodes, err := logic.GetAllNodes()
|
|
if err != nil {
|
|
logger.Log(
|
|
0,
|
|
r.Header.Get("user"),
|
|
fmt.Sprintf(
|
|
"error fetching wg peers config for host [ %s ]: %v",
|
|
host.ID.String(),
|
|
err,
|
|
),
|
|
)
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
hostPeerUpdate, err := logic.GetPeerUpdateForHost(node.Network, host, allNodes, nil, nil)
|
|
if err != nil && !database.IsEmptyRecord(err) {
|
|
logger.Log(
|
|
0,
|
|
r.Header.Get("user"),
|
|
fmt.Sprintf(
|
|
"error fetching wg peers config for host [ %s ]: %v",
|
|
host.ID.String(),
|
|
err,
|
|
),
|
|
)
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
server := logic.GetServerInfo()
|
|
response := models.NodeGet{
|
|
Node: node,
|
|
Host: *host,
|
|
HostPeers: hostPeerUpdate.Peers,
|
|
Peers: hostPeerUpdate.NodePeers,
|
|
ServerConfig: server,
|
|
PeerIDs: hostPeerUpdate.PeerIDs,
|
|
}
|
|
|
|
logger.Log(2, r.Header.Get("user"), "fetched node", params["nodeid"])
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(response)
|
|
}
|
|
|
|
// == EGRESS ==
|
|
|
|
// @Summary Create an egress gateway
|
|
// @Router /api/nodes/{network}/{nodeid}/creategateway [post]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param network path string true "Network ID"
|
|
// @Param nodeid path string true "Node ID"
|
|
// @Param body body models.EgressGatewayRequest true "Egress gateway request"
|
|
// @Success 200 {object} models.ApiNode
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func createEgressGateway(w http.ResponseWriter, r *http.Request) {
|
|
var gateway models.EgressGatewayRequest
|
|
var params = mux.Vars(r)
|
|
node, err := logic.ValidateParams(params["nodeid"], params["network"])
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
if err := json.NewDecoder(r.Body).Decode(&gateway); err != nil {
|
|
logger.Log(0, r.Header.Get("user"), "error decoding request body: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
gateway.NetID = params["network"]
|
|
gateway.NodeID = params["nodeid"]
|
|
err = logic.ValidateEgressRange(gateway.NetID, gateway.Ranges)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"), "error validating egress range: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
node, err = logic.CreateEgressGateway(gateway)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"),
|
|
fmt.Sprintf("failed to create egress gateway on node [%s] on network [%s]: %v",
|
|
gateway.NodeID, gateway.NetID, err))
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
|
|
apiNode := node.ConvertToAPINode()
|
|
logger.Log(
|
|
1,
|
|
r.Header.Get("user"),
|
|
"created egress gateway on node",
|
|
gateway.NodeID,
|
|
"on network",
|
|
gateway.NetID,
|
|
)
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(apiNode)
|
|
go func() {
|
|
if err := mq.NodeUpdate(&node); err != nil {
|
|
slog.Error("error publishing node update to node", "node", node.ID, "error", err)
|
|
}
|
|
mq.PublishPeerUpdate(false)
|
|
}()
|
|
}
|
|
|
|
// @Summary Delete an egress gateway
|
|
// @Router /api/nodes/{network}/{nodeid}/deletegateway [delete]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param network path string true "Network ID"
|
|
// @Param nodeid path string true "Node ID"
|
|
// @Success 200 {object} models.ApiNode
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func deleteEgressGateway(w http.ResponseWriter, r *http.Request) {
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
var params = mux.Vars(r)
|
|
nodeid := params["nodeid"]
|
|
netid := params["network"]
|
|
node, err := logic.ValidateParams(nodeid, netid)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
node, err = logic.DeleteEgressGateway(netid, nodeid)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"),
|
|
fmt.Sprintf("failed to delete egress gateway on node [%s] on network [%s]: %v",
|
|
nodeid, netid, err))
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
|
|
apiNode := node.ConvertToAPINode()
|
|
logger.Log(
|
|
1,
|
|
r.Header.Get("user"),
|
|
"deleted egress gateway on node",
|
|
nodeid,
|
|
"on network",
|
|
netid,
|
|
)
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(apiNode)
|
|
go func() {
|
|
if err := mq.NodeUpdate(&node); err != nil {
|
|
slog.Error("error publishing node update to node", "node", node.ID, "error", err)
|
|
}
|
|
mq.PublishPeerUpdate(false)
|
|
}()
|
|
}
|
|
|
|
// @Summary Update an individual node
|
|
// @Router /api/nodes/{network}/{nodeid} [put]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param network path string true "Network ID"
|
|
// @Param nodeid path string true "Node ID"
|
|
// @Param body body models.ApiNode true "Node update data"
|
|
// @Success 200 {object} models.ApiNode
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func updateNode(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
var params = mux.Vars(r)
|
|
|
|
//start here
|
|
nodeid := params["nodeid"]
|
|
currentNode, err := logic.ValidateParams(nodeid, params["network"])
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
var newData models.ApiNode
|
|
// we decode our body request params
|
|
err = json.NewDecoder(r.Body).Decode(&newData)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"), "error decoding request body: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
err = logic.ValidateNodeIp(¤tNode, &newData)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
|
|
if !servercfg.IsPro {
|
|
newData.AdditionalRagIps = []string{}
|
|
}
|
|
newNode := newData.ConvertToServerNode(¤tNode)
|
|
if newNode == nil {
|
|
logic.ReturnErrorResponse(
|
|
w,
|
|
r,
|
|
logic.FormatError(fmt.Errorf("error converting node"), "badrequest"),
|
|
)
|
|
return
|
|
}
|
|
if currentNode.IsAutoRelay && (!newNode.IsAutoRelay || !newNode.Connected) {
|
|
logic.ResetAutoRelay(newNode)
|
|
}
|
|
|
|
if newNode.IsInternetGateway && len(newNode.InetNodeReq.InetNodeClientIDs) > 0 {
|
|
err = logic.ValidateInetGwReq(*newNode, newNode.InetNodeReq, newNode.IsInternetGateway && currentNode.IsInternetGateway)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
newNode.RelayedNodes = append(newNode.RelayedNodes, newNode.InetNodeReq.InetNodeClientIDs...)
|
|
newNode.RelayedNodes = logic.UniqueStrings(newNode.RelayedNodes)
|
|
}
|
|
|
|
relayUpdate := logic.RelayUpdates(¤tNode, newNode)
|
|
if relayUpdate && newNode.IsRelay {
|
|
err = logic.ValidateRelay(models.RelayRequest{
|
|
NodeID: newNode.ID.String(),
|
|
NetID: newNode.Network,
|
|
RelayedNodes: newNode.RelayedNodes,
|
|
}, true)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
}
|
|
host := &schema.Host{
|
|
ID: newNode.HostID,
|
|
}
|
|
err = host.Get(r.Context())
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"),
|
|
fmt.Sprintf("failed to get host for node [ %s ] info: %v", nodeid, err))
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
if newNode.IsInternetGateway {
|
|
if host.DNS != "yes" {
|
|
host.DNS = "yes"
|
|
logic.UpsertHost(host)
|
|
}
|
|
}
|
|
aclUpdate := currentNode.DefaultACL != newNode.DefaultACL
|
|
|
|
err = logic.UpdateNode(¤tNode, newNode)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"),
|
|
fmt.Sprintf("failed to update node info [ %s ] info: %v", nodeid, err))
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
if relayUpdate {
|
|
logic.UpdateRelayed(¤tNode, newNode)
|
|
}
|
|
if !currentNode.IsInternetGateway && newNode.IsInternetGateway {
|
|
logic.SetInternetGw(newNode, newNode.InetNodeReq)
|
|
}
|
|
if currentNode.IsInternetGateway && newNode.IsInternetGateway {
|
|
// logic.UnsetInternetGw resets newNode.InetNodeReq.
|
|
// So, keeping a copy to pass into logic.SetInternetGw.
|
|
req := newNode.InetNodeReq
|
|
logic.UnsetInternetGw(newNode)
|
|
logic.SetInternetGw(newNode, req)
|
|
}
|
|
if !newNode.IsInternetGateway {
|
|
logic.UnsetInternetGw(newNode)
|
|
}
|
|
if currentNode.AutoAssignGateway && !newNode.AutoAssignGateway {
|
|
// if relayed remove it
|
|
if newNode.IsRelayed {
|
|
relayNode, err := logic.GetNodeByID(newNode.RelayedBy)
|
|
if err == nil {
|
|
logic.RemoveAllFromSlice(relayNode.RelayedNodes, newNode.ID.String())
|
|
logic.UpsertNode(&relayNode)
|
|
}
|
|
newNode.IsRelayed = false
|
|
newNode.RelayedBy = ""
|
|
}
|
|
}
|
|
if (currentNode.IsRelayed) && newNode.AutoAssignGateway {
|
|
// if relayed remove it
|
|
if currentNode.IsRelayed {
|
|
relayNode, err := logic.GetNodeByID(currentNode.RelayedBy)
|
|
if err == nil {
|
|
logic.RemoveAllFromSlice(relayNode.RelayedNodes, currentNode.ID.String())
|
|
logic.UpsertNode(&relayNode)
|
|
}
|
|
newNode.IsRelayed = false
|
|
newNode.RelayedBy = ""
|
|
}
|
|
if len(currentNode.AutoRelayedPeers) > 0 {
|
|
logic.ResetAutoRelayedPeer(¤tNode)
|
|
}
|
|
}
|
|
if !currentNode.AutoAssignGateway && newNode.AutoAssignGateway {
|
|
if len(currentNode.AutoRelayedPeers) > 0 {
|
|
logic.ResetAutoRelayedPeer(¤tNode)
|
|
}
|
|
}
|
|
newNode.PostureChecksViolations,
|
|
newNode.PostureCheckVolationSeverityLevel = logic.CheckPostureViolations(logic.GetPostureCheckDeviceInfoByNode(newNode),
|
|
schema.NetworkID(newNode.Network))
|
|
newNode.LastEvaluatedAt = time.Now().UTC()
|
|
logic.UpsertNode(newNode)
|
|
logic.GetNodeStatus(newNode, false)
|
|
|
|
apiNode := newNode.ConvertToAPINode()
|
|
logger.Log(
|
|
1,
|
|
r.Header.Get("user"),
|
|
"updated node",
|
|
currentNode.ID.String(),
|
|
"on network",
|
|
currentNode.Network,
|
|
)
|
|
logic.LogEvent(&models.Event{
|
|
Action: schema.Update,
|
|
Source: models.Subject{
|
|
ID: r.Header.Get("user"),
|
|
Name: r.Header.Get("user"),
|
|
Type: schema.UserSub,
|
|
},
|
|
TriggeredBy: r.Header.Get("user"),
|
|
Target: models.Subject{
|
|
ID: newNode.ID.String(),
|
|
Name: host.Name,
|
|
Type: schema.NodeSub,
|
|
},
|
|
Diff: models.Diff{
|
|
Old: currentNode,
|
|
New: newNode,
|
|
},
|
|
Origin: schema.Dashboard,
|
|
})
|
|
ipChanged := currentNode.Address.String() != newNode.Address.String() ||
|
|
currentNode.Address6.String() != newNode.Address6.String()
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(apiNode)
|
|
go func(aclUpdate, relayupdate bool, newNode *models.Node) {
|
|
if err := mq.NodeUpdate(newNode); err != nil {
|
|
slog.Error("error publishing node update to node", "node", newNode.ID, "error", err)
|
|
}
|
|
if ipChanged {
|
|
if err := mq.HostUpdate(&models.HostUpdate{Action: models.RequestPull, Host: *host}); err != nil {
|
|
slog.Error("error sending sync pull to host on ip change", "host", host.ID, "error", err)
|
|
}
|
|
}
|
|
allNodes, err := logic.GetAllNodes()
|
|
if err == nil {
|
|
mq.PublishSingleHostPeerUpdate(host, allNodes, nil, nil, false, nil)
|
|
}
|
|
if servercfg.IsPro && newNode.AutoAssignGateway {
|
|
mq.HostUpdate(&models.HostUpdate{Action: models.CheckAutoAssignGw, Host: *host, Node: *newNode})
|
|
}
|
|
mq.PublishPeerUpdate(false)
|
|
if servercfg.IsDNSMode() {
|
|
logic.SetDNS()
|
|
}
|
|
if !newNode.Connected {
|
|
metrics, err := logic.GetMetrics(newNode.ID.String())
|
|
if err == nil {
|
|
for peer, connectivity := range metrics.Connectivity {
|
|
connectivity.Connected = false
|
|
metrics.Connectivity[peer] = connectivity
|
|
}
|
|
|
|
_ = logic.UpdateMetrics(newNode.ID.String(), metrics)
|
|
}
|
|
}
|
|
}(aclUpdate, relayUpdate, newNode)
|
|
}
|
|
|
|
// @Summary Delete an individual node
|
|
// @Router /api/nodes/{network}/{nodeid} [delete]
|
|
// @Tags Nodes
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param network path string true "Network ID"
|
|
// @Param nodeid path string true "Node ID"
|
|
// @Param force query string false "Force delete"
|
|
// @Success 200 {object} models.SuccessResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func deleteNode(w http.ResponseWriter, r *http.Request) {
|
|
// Set header
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
// get params
|
|
var params = mux.Vars(r)
|
|
var nodeid = params["nodeid"]
|
|
node, err := logic.ValidateParams(nodeid, params["network"])
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
forceDelete := r.URL.Query().Get("force") == "true"
|
|
fromNode := r.Header.Get("requestfrom") == "node"
|
|
purge := forceDelete || fromNode
|
|
if err := logic.DeleteNode(&node, purge); err != nil {
|
|
logic.ReturnErrorResponse(
|
|
w,
|
|
r,
|
|
logic.FormatError(fmt.Errorf("failed to delete node"), "internal"),
|
|
)
|
|
return
|
|
}
|
|
|
|
logic.ReturnSuccessResponse(w, r, nodeid+" deleted.")
|
|
logger.Log(1, r.Header.Get("user"), "Deleted node", nodeid, "from network", params["network"])
|
|
go mq.PublishMqUpdatesForDeletedNode(node, !fromNode)
|
|
}
|