multitenancy working

controllers/networkHttpController.go

@@ -78,8 +78,15 @@ func SecurityCheck(netname, token string) error {
 	}
 	//all endpoints here require master so not as complicated
 	if !hasBearer || !authenticateMaster(authToken) {
-		_, isadmin, err := functions.VerifyUserToken(authToken)
-		if err != nil || !isadmin {
+		_, networks, isadmin, err := functions.VerifyUserToken(authToken)
+		if err != nil {
+                        return errors.New("Error verifying user token")
+		}
+		if !isadmin && netname != ""{
+			if !functions.SliceContains(networks, netname){
+				return errors.New("You are unauthorized to access this endpoint")
+			}
+		} else if !isadmin {
 			return errors.New("You are unauthorized to access this endpoint")
 		}
 	}

controllers/nodeHttpController.go

@@ -186,8 +186,9 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 
                         var isAuthorized = false
 			var macaddress = ""
-                        _, isadmin, errN := functions.VerifyUserToken(authToken)
-                        if errN == nil && isadmin {
+                        _, networks, isadmin, errN := functions.VerifyUserToken(authToken)
+			isnetadmin := isadmin
+			if errN == nil && isadmin {
 	                        macaddress = "mastermac"
                                 isAuthorized = true
 			} else {
@@ -201,6 +202,11 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 				}
 				macaddress = mac
 			}
+                        if !isadmin && params["network"] != ""{
+                                if functions.SliceContains(networks, params["network"]){
+                                        isnetadmin = true
+                                }
+                        }
 			//The mastermac (login with masterkey from config) can do everything!! May be dangerous.
 			if macaddress == "mastermac" {
 				isAuthorized = true
@@ -212,8 +218,11 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 				case "all":
 					isAuthorized = true
 				case "nodes":
-					isAuthorized = (macaddress != "")
+					isAuthorized = (macaddress != "") || isnetadmin
 				case "network":
+					if isnetadmin {
+						isAuthorized = true
+					} else {
 					node, err := functions.GetNodeByMacAddress(params["network"], macaddress)
 					if err != nil {
 						errorResponse = models.ErrorResponse{
@@ -223,8 +232,13 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 						return
 					}
 					isAuthorized = (node.Network == params["network"])
+					}
 				case "node":
-					isAuthorized = (macaddress == params["macaddress"])
+                                        if isnetadmin {
+                                                isAuthorized = true
+                                        } else {
+						isAuthorized = (macaddress == params["macaddress"])
+					}
 				case "master":
 					isAuthorized = (macaddress == "mastermac")
 				default:

controllers/serverHttpController.go

@@ -42,7 +42,7 @@ func securityCheckServer(next http.Handler) http.HandlerFunc {
 		}
 		//all endpoints here require master so not as complicated
 		//still might not be a good  way of doing this
-                _, isadmin, _ := functions.VerifyUserToken(authToken)
+                _, _, isadmin, _ := functions.VerifyUserToken(authToken)
 
 		if !isadmin && !authenticateMasterServer(authToken) {
 				errorResponse = models.ErrorResponse{

controllers/userHttpController.go

@@ -26,8 +26,11 @@ func userHandlers(r *mux.Router) {
 	r.HandleFunc("/api/users/adm/createadmin", createAdmin).Methods("POST")
 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods("POST")
 	r.HandleFunc("/api/users/{username}", authorizeUser(http.HandlerFunc(updateUser))).Methods("PUT")
+	r.HandleFunc("/api/users/{username}/adm", authorizeUserAdm(http.HandlerFunc(updateUserAdm))).Methods("PUT")
+	r.HandleFunc("/api/users/{username}", authorizeUserAdm(http.HandlerFunc(createUser))).Methods("POST")
 	r.HandleFunc("/api/users/{username}", authorizeUser(http.HandlerFunc(deleteUser))).Methods("DELETE")
 	r.HandleFunc("/api/users/{username}", authorizeUser(http.HandlerFunc(getUser))).Methods("GET")
+        r.HandleFunc("/api/users", authorizeUserAdm(http.HandlerFunc(getUsers))).Methods("GET")
 }
 
 //Node authenticates using its password and retrieves a JWT for authorization.
@@ -96,9 +99,9 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 		return "", errors.New("User " + authRequest.UserName + " not found")
 	}
 	// This is a a useless test as cannot create user that is not an an admin
-	if !result.IsAdmin {
-		return "", errors.New("User is not an admin")
-	}
+	//if !result.IsAdmin {
+	//	return "", errors.New("User is not an admin")
+	//}
 
 	//compare password from request to stored password in database
 	//might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
@@ -109,7 +112,7 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 	}
 
 	//Create a new JWT for the node
-	tokenString, _ := functions.CreateUserJWT(authRequest.UserName, true)
+	tokenString, _ := functions.CreateUserJWT(authRequest.UserName, result.Networks,  result.IsAdmin)
 	return tokenString, nil
 }
 
@@ -123,10 +126,11 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 func authorizeUser(next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
+	        var params = mux.Vars(r)
 
 		//get the auth token
 		bearerToken := r.Header.Get("Authorization")
-		err := ValidateUserToken(bearerToken)
+		err := ValidateUserToken(bearerToken, params["username"], false)
 		if err != nil {
 			returnErrorResponse(w, r, formatError(err, "unauthorized"))
 			return
@@ -135,7 +139,24 @@ func authorizeUser(next http.Handler) http.HandlerFunc {
 	}
 }
 
-func ValidateUserToken(token string) error {
+func authorizeUserAdm(next http.Handler) http.HandlerFunc {
+        return func(w http.ResponseWriter, r *http.Request) {
+                w.Header().Set("Content-Type", "application/json")
+	        var params = mux.Vars(r)
+
+                //get the auth token
+                bearerToken := r.Header.Get("Authorization")
+                err := ValidateUserToken(bearerToken, params["username"], true)
+                if err != nil {
+                        returnErrorResponse(w, r, formatError(err, "unauthorized"))
+                        return
+                }
+                next.ServeHTTP(w, r)
+        }
+}
+
+
+func ValidateUserToken(token string, user string, adminonly bool) error {
 	var tokenSplit = strings.Split(token, " ")
 
 	//I put this in in case the user doesn't put in a token at all (in which case it's empty)
@@ -148,12 +169,16 @@ func ValidateUserToken(token string) error {
 		return errors.New("Missing Auth Token.")
 	}
 
-	username, _, err := functions.VerifyUserToken(authToken)
+	username, _, isadmin, err := functions.VerifyUserToken(authToken)
 	if err != nil {
 		return errors.New("Error Verifying Auth Token")
 	}
-
-	isAuthorized := username != ""
+	isAuthorized := false
+	if adminonly {
+		isAuthorized = isadmin
+	} else {
+		isAuthorized = username == user || isadmin
+	}
 	if !isAuthorized {
 		return errors.New("You are unauthorized to access this endpoint.")
 	}
@@ -214,6 +239,42 @@ func GetUser(username string) (models.User, error) {
 	return user, err
 }
 
+func GetUsers() ([]models.User, error) {
+
+        var users []models.User
+
+        collection := mongoconn.Client.Database("netmaker").Collection("users")
+
+        ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+
+        cur, err := collection.Find(ctx, bson.M{}, options.Find().SetProjection(bson.M{"_id": 0}))
+
+        if err != nil {
+                return users, err
+        }
+
+        defer cancel()
+
+        for cur.Next(context.TODO()) {
+
+                var user models.User
+                err := cur.Decode(&user)
+                if err != nil {
+                        return users, err
+                }
+
+                // add network our array
+                users = append(users, user)
+        }
+
+        if err := cur.Err(); err != nil {
+                return users, err
+        }
+
+        return users, err
+}
+
+
 //Get an individual node. Nothin fancy here folks.
 func getUser(w http.ResponseWriter, r *http.Request) {
 	// set header.
@@ -231,13 +292,27 @@ func getUser(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(user)
 }
 
+//Get an individual node. Nothin fancy here folks.
+func getUsers(w http.ResponseWriter, r *http.Request) {
+        // set header.
+        w.Header().Set("Content-Type", "application/json")
+
+        users, err := GetUsers()
+
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "internal"))
+                return
+        }
+
+        json.NewEncoder(w).Encode(users)
+}
+
+
 func CreateUser(user models.User) (models.User, error) {
 	hasadmin, err := HasAdmin()
-	if hasadmin {
+	if hasadmin && user.IsAdmin {
 		return models.User{}, errors.New("Admin already Exists")
 	}
-
-	user.IsAdmin = true
 	err = ValidateUser("create", user)
 	if err != nil {
 		return models.User{}, err
@@ -251,7 +326,7 @@ func CreateUser(user models.User) (models.User, error) {
 	//set password to encrypted password
 	user.Password = string(hash)
 
-	tokenString, _ := functions.CreateUserJWT(user.UserName, user.IsAdmin)
+	tokenString, _ := functions.CreateUserJWT(user.UserName,user.Networks, user.IsAdmin)
 
 	if tokenString == "" {
 		//returnErrorResponse(w, r, errorResponse)
@@ -275,7 +350,7 @@ func createAdmin(w http.ResponseWriter, r *http.Request) {
 	var admin models.User
 	//get node from body of request
 	_ = json.NewDecoder(r.Body).Decode(&admin)
-
+        admin.IsAdmin = true
 	admin, err := CreateUser(admin)
 
 	if err != nil {
@@ -286,6 +361,24 @@ func createAdmin(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(admin)
 }
 
+func createUser(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Content-Type", "application/json")
+
+        var user models.User
+        //get node from body of request
+        _ = json.NewDecoder(r.Body).Decode(&user)
+
+        user, err := CreateUser(user)
+
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "badrequest"))
+                return
+        }
+
+        json.NewEncoder(w).Encode(user)
+}
+
+
 func UpdateUser(userchange models.User, user models.User) (models.User, error) {
 
 	err := ValidateUser("update", userchange)
@@ -298,6 +391,9 @@ func UpdateUser(userchange models.User, user models.User) (models.User, error) {
 	if userchange.UserName != "" {
 		user.UserName = userchange.UserName
 	}
+        if len(userchange.Networks) > 0  {
+                user.Networks = userchange.Networks
+        }
 	if userchange.Password != "" {
 		//encrypt that password so we never see it again
 		hash, err := bcrypt.GenerateFromPassword([]byte(userchange.Password), 5)
@@ -325,6 +421,7 @@ func UpdateUser(userchange models.User, user models.User) (models.User, error) {
 		{"$set", bson.D{
 			{"username", user.UserName},
 			{"password", user.Password},
+			{"networks", user.Networks},
 			{"isadmin", user.IsAdmin},
 		}},
 	}
@@ -360,6 +457,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 		returnErrorResponse(w, r, formatError(err, "internal"))
 		return
 	}
+	userchange.Networks = nil
 	user, err = UpdateUser(userchange, user)
 	if err != nil {
 		returnErrorResponse(w, r, formatError(err, "badrequest"))
@@ -368,6 +466,31 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(user)
 }
 
+func updateUserAdm(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Content-Type", "application/json")
+        var params = mux.Vars(r)
+        var user models.User
+        //start here
+        user, err := GetUser(params["username"])
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "internal"))
+                return
+        }
+        var userchange models.User
+        // we decode our body request params
+        err = json.NewDecoder(r.Body).Decode(&userchange)
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "internal"))
+                return
+        }
+	user, err = UpdateUser(userchange, user)
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "badrequest"))
+                return
+        }
+        json.NewEncoder(w).Encode(user)
+}
+
 func DeleteUser(user string) (bool, error) {
 
 	deleted := false

functions/helpers.go

@@ -26,6 +26,16 @@ import (
 //Takes in an arbitrary field and value for field and checks to see if any other
 //node has that value for the same field within the network
 
+func SliceContains(slice []string, item string) bool {
+    set := make(map[string]struct{}, len(slice))
+    for _, s := range slice {
+        set[s] = struct{}{}
+    }
+
+    _, ok := set[item] 
+    return ok
+}
+
 func CreateServerToken(netID string) (string, error) {
 	var network models.Network
 	var accesskey models.AccessKey

functions/jwt.go

@@ -28,11 +28,12 @@ func CreateJWT(macaddress string, network string) (response string, err error) {
     return "", err
 }
 
-func CreateUserJWT(username string, isadmin bool) (response string, err error) {
+func CreateUserJWT(username string, networks []string, isadmin bool) (response string, err error) {
     expirationTime := time.Now().Add(60 * time.Minute)
     claims := &models.UserClaims{
         UserName: username,
-        IsAdmin: isadmin,
+	Networks: networks,
+	IsAdmin: isadmin,
         StandardClaims: jwt.StandardClaims{
             ExpiresAt: expirationTime.Unix(),
         },
@@ -47,11 +48,11 @@ func CreateUserJWT(username string, isadmin bool) (response string, err error) {
 }
 
 // VerifyToken func will used to Verify the JWT Token while using APIS
-func VerifyUserToken(tokenString string) (username string, isadmin bool, err error) {
+func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) {
     claims := &models.UserClaims{}
 
     if tokenString == servercfg.GetMasterKey() {
-        return "masteradministrator", true, nil
+        return "masteradministrator", nil, true, nil
     }
 
     token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
@@ -59,9 +60,9 @@ func VerifyUserToken(tokenString string) (username string, isadmin bool, err err
     })
 
     if token != nil {
-        return claims.UserName, claims.IsAdmin, nil
+        return claims.UserName, claims.Networks, claims.IsAdmin, nil
     }
-    return "", false, err
+    return "", nil, false, err
 }
 
 // VerifyToken func will used to Verify the JWT Token while using APIS

models/structs.go

@@ -10,6 +10,7 @@ type AuthParams struct {
 type User struct {
 	UserName string `json:"username" bson:"username" validate:"alphanum,min=3"`
 	Password string `json:"password" bson:"password" validate:"required,min=5"`
+	Networks []string `json:"networks" bson:"networks"`
 	IsAdmin  bool   `json:"isadmin" bson:"isadmin"`
 }
 
@@ -21,6 +22,7 @@ type UserAuthParams struct {
 type UserClaims struct {
 	IsAdmin  bool
 	UserName string
+	Networks []string
 	jwt.StandardClaims
 }