mirror of
https://github.com/gravitl/netmaker.git
synced 2026-04-23 00:17:10 +08:00
Abhishek Kondur
edda2868fc
* feat(go): add user schema; * feat(go): migrate to user schema; * feat(go): add audit fields; * feat(go): remove unused fields from the network model; * feat(go): add network schema; * feat(go): migrate to network schema; * refactor(go): add comment to clarify migration logic; * fix(go): test failures; * fix(go): test failures; * feat(go): change membership table to store memberships at all scopes; * feat(go): add schema for access grants; * feat(go): remove nameservers from new networks table; ensure db passed for schema functions; * feat(go): set max conns for sqlite to 1; * fix(go): issues updating user account status; * refactor(go): remove converters and access grants; * refactor(go): add json tags in schema models; * refactor(go): rename file to migrate_v1_6_0.go; * refactor(go): add user groups and user roles tables; use schema tables; * refactor(go): inline get and list from schema package; * refactor(go): inline get network and list users from schema package; * fix(go): staticcheck issues; * fix(go): remove test not in use; fix test case; * fix(go): validate network; * fix(go): resolve static checks; * fix(go): new models errors; * fix(go): test errors; * fix(go): handle no records; * fix(go): add validations for user object; * fix(go): set correct extclient status; * fix(go): test error; * feat(go): make schema the base package; * feat(go): add host schema; * feat(go): use schema host everywhere; * feat(go): inline get host, list hosts and delete host; * feat(go): use non-ptr value; * feat(go): use save to upsert all fields; * feat(go): use save to upsert all fields; * feat(go): save turn endpoint as string; * feat(go): check for gorm error record not found; * fix(go): test failures; * fix(go): update all network fields; * fix(go): update all network fields; * feat(go): add paginated list networks api; * feat(go): add paginated list users api; * feat(go): add paginated list hosts api; * feat(go): add pagination to list groups api; * fix(go): comment; * fix(go): implement marshal and unmarshal text for custom types; * fix(go): implement marshal and unmarshal json for custom types; * fix(go): just use the old model for unmarshalling; * fix(go): implement marshal and unmarshal json for custom types; * feat(go): remove paginated list networks api; * feat(go): use custom paginated response object; * fix(go): ensure default values for page and per_page are used when not passed; * fix(go): rename v1.6.0 to v1.5.1; * fix(go): check for gorm.ErrRecordNotFound instead of database.IsEmptyRecord; * fix(go): use host id, not pending host id; * feat(go): add filters to paginated apis; * feat(go): add filters to paginated apis; * feat(go): remove check for max username length; * feat(go): add filters to count as well; * feat(go): use library to check email address validity; * feat(go): ignore pagination if params not passed; * fix(go): pagination issues; * fix(go): check exists before using; * fix(go): remove debug log; * fix(go): use gorm err record not found; * fix(go): use gorm err record not found; * fix(go): use user principal name when creating pending user; * fix(go): use schema package for consts; * fix(go): prevent disabling superadmin user; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): swap is admin and is superadmin; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): remove dead code block; https://github.com/gravitl/netmaker/pull/3910#discussion_r2928837937 * fix(go): incorrect message when trying to disable self; https://github.com/gravitl/netmaker/pull/3910#discussion_r2928837934 * fix(go): use correct header; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): return after error response; Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): use correct order of params; https://github.com/gravitl/netmaker/pull/3910#discussion_r2929593036 * fix(go): set default values for page and page size; use v2 instead of /list; * Update logic/auth.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * Update schema/user_roles.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): syntax error; * fix(go): set default values when page and per_page are not passed or 0; * fix(go): use uuid.parse instead of uuid.must parse; * fix(go): review errors; * fix(go): review errors; * Update controllers/user.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * Update controllers/user.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * NM-163: fix errors: * Update db/types/options.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * fix(go): persist return user in event; * Update db/types/options.go Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com> * NM-163: duplicate lines of code * NM-163: fix(go): fix missing return and filter parsing in user controller - Add missing return after error response in updateUserAccountStatus to prevent double-response and spurious ext-client side-effects - Use switch statements in listUsers to skip unrecognized account_status and mfa_status filter values * fix(go): check for both min and max page size; * fix(go): enclose transfer superadmin in transaction; * fix(go): review errors; * fix(go): remove free tier checks; * fix(go): review fixes; --------- Co-authored-by: VishalDalwadi <dalwadivishal26@gmail.com> Co-authored-by: Vishal Dalwadi <51291657+VishalDalwadi@users.noreply.github.com> Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com>
184 lines
5.0 KiB
Go
184 lines
5.0 KiB
Go
package logic
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/golang-jwt/jwt/v4"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/schema"
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
)
|
|
|
|
const (
|
|
MasterUser = "masteradministrator"
|
|
Forbidden_Msg = "forbidden"
|
|
Forbidden_Err = models.Error(Forbidden_Msg)
|
|
Unauthorized_Msg = "unauthorized"
|
|
Unauthorized_Err = models.Error(Unauthorized_Msg)
|
|
)
|
|
|
|
var NetworkPermissionsCheck = func(username string, r *http.Request) error { return nil }
|
|
var GlobalPermissionsCheck = func(username string, r *http.Request) error { return nil }
|
|
|
|
// SecurityCheck - Check if user has appropriate permissions
|
|
func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
r.Header.Set("ismaster", "no")
|
|
isGlobalAccesss := r.Header.Get("IS_GLOBAL_ACCESS") == "yes"
|
|
bearerToken := r.Header.Get("Authorization")
|
|
username, err := GetUserNameFromToken(bearerToken)
|
|
if err != nil {
|
|
ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
|
|
return
|
|
}
|
|
if username != MasterUser {
|
|
user := &schema.User{Username: username}
|
|
err = user.Get(r.Context())
|
|
if err != nil {
|
|
ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
|
|
return
|
|
}
|
|
|
|
if user.AccountDisabled {
|
|
err = errors.New("user account disabled")
|
|
ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
|
|
return
|
|
}
|
|
}
|
|
|
|
// detect masteradmin
|
|
if username == MasterUser {
|
|
r.Header.Set("ismaster", "yes")
|
|
} else {
|
|
if isGlobalAccesss {
|
|
err = GlobalPermissionsCheck(username, r)
|
|
} else {
|
|
err = NetworkPermissionsCheck(username, r)
|
|
}
|
|
}
|
|
w.Header().Set("TARGET_RSRC", r.Header.Get("TARGET_RSRC"))
|
|
w.Header().Set("TARGET_RSRC_ID", r.Header.Get("TARGET_RSRC_ID"))
|
|
w.Header().Set("RSRC_TYPE", r.Header.Get("RSRC_TYPE"))
|
|
w.Header().Set("IS_GLOBAL_ACCESS", r.Header.Get("IS_GLOBAL_ACCESS"))
|
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
if err != nil {
|
|
w.Header().Set("ACCESS_PERM", err.Error())
|
|
ReturnErrorResponse(w, r, FormatError(err, "forbidden"))
|
|
return
|
|
}
|
|
r.Header.Set("user", username)
|
|
next.ServeHTTP(w, r)
|
|
}
|
|
}
|
|
|
|
func PreAuthCheck(next http.Handler) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
authHeader := r.Header.Get("Authorization")
|
|
headerSplits := strings.Split(authHeader, " ")
|
|
if len(headerSplits) != 2 {
|
|
ReturnErrorResponse(w, r, FormatError(Unauthorized_Err, "unauthorized"))
|
|
return
|
|
}
|
|
|
|
authToken := headerSplits[1]
|
|
|
|
// first check is user is authenticated.
|
|
// if yes, allow the user to go through.
|
|
username, err := GetUserNameFromToken(authHeader)
|
|
if err != nil {
|
|
// if no, then check the user has a pre-auth token.
|
|
var claims jwt.RegisteredClaims
|
|
token, err := jwt.ParseWithClaims(authToken, &claims, func(token *jwt.Token) (interface{}, error) {
|
|
return jwtSecretKey, nil
|
|
})
|
|
if err != nil {
|
|
ReturnErrorResponse(w, r, FormatError(Unauthorized_Err, "unauthorized"))
|
|
return
|
|
}
|
|
|
|
if token != nil && token.Valid {
|
|
if len(claims.Audience) > 0 {
|
|
var found bool
|
|
for _, aud := range claims.Audience {
|
|
if aud == "auth:mfa" {
|
|
found = true
|
|
}
|
|
}
|
|
|
|
if !found {
|
|
ReturnErrorResponse(w, r, FormatError(Unauthorized_Err, "unauthorized"))
|
|
return
|
|
}
|
|
|
|
r.Header.Set("user", claims.Subject)
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
} else {
|
|
ReturnErrorResponse(w, r, FormatError(Unauthorized_Err, "unauthorized"))
|
|
return
|
|
}
|
|
} else {
|
|
ReturnErrorResponse(w, r, FormatError(Unauthorized_Err, "unauthorized"))
|
|
return
|
|
}
|
|
} else {
|
|
r.Header.Set("user", username)
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// UserPermissions - checks token stuff
|
|
func UserPermissions(reqAdmin bool, token string) (string, error) {
|
|
var tokenSplit = strings.Split(token, " ")
|
|
var authToken = ""
|
|
|
|
if len(tokenSplit) < 2 {
|
|
return "", Unauthorized_Err
|
|
} else {
|
|
authToken = tokenSplit[1]
|
|
}
|
|
//all endpoints here require master so not as complicated
|
|
if authenticateMaster(authToken) {
|
|
// TODO log in as an actual admin user
|
|
return MasterUser, nil
|
|
}
|
|
username, issuperadmin, isadmin, err := VerifyUserToken(authToken)
|
|
if err != nil {
|
|
return username, Unauthorized_Err
|
|
}
|
|
if reqAdmin && !(issuperadmin || isadmin) {
|
|
return username, Forbidden_Err
|
|
}
|
|
|
|
return username, nil
|
|
}
|
|
|
|
// Consider a more secure way of setting master key
|
|
func authenticateMaster(tokenString string) bool {
|
|
return tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != ""
|
|
}
|
|
|
|
func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
var errorResponse = models.ErrorResponse{
|
|
Code: http.StatusForbidden, Message: Forbidden_Msg,
|
|
}
|
|
var params = mux.Vars(r)
|
|
var requestedUser = params["username"]
|
|
if requestedUser == "" {
|
|
requestedUser = r.URL.Query().Get("username")
|
|
}
|
|
if requestedUser != r.Header.Get("user") {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
}
|
|
}
|