remove networks and groups from user model

auth/register_callback.go

@@ -9,10 +9,8 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic"
-	"github.com/gravitl/netmaker/logic/pro"
 	"github.com/gravitl/netmaker/logic/pro/netcache"
 	"github.com/gravitl/netmaker/models"
-	"github.com/gravitl/netmaker/models/promodels"
 )
 
 var (
@@ -165,25 +163,5 @@ func isUserIsAllowed(username, network string, shouldAddUser bool) (*models.User
 		user, _ = logic.GetUser(username)
 	}
 
-	if !user.IsAdmin { // perform check to see if user is allowed to join a node to network
-		netUser, err := pro.GetNetworkUser(network, promodels.NetworkUserID(user.UserName))
-		if err != nil {
-			logger.Log(0, "failed to get net user details for user", user.UserName, "during node SSO")
-			return nil, fmt.Errorf("failed to verify network user")
-		}
-		if netUser.AccessLevel != pro.NET_ADMIN { // if user is a net admin on network, good to go
-			// otherwise, check if they have node access + haven't reached node limit on network
-			if netUser.AccessLevel == pro.NODE_ACCESS {
-				if len(netUser.Nodes) >= netUser.NodeLimit {
-					logger.Log(0, "user", user.UserName, "has reached their node limit on network", network)
-					return nil, fmt.Errorf("user node limit exceeded")
-				}
-			} else {
-				logger.Log(0, "user", user.UserName, "attempted to access network", network, "via node SSO")
-				return nil, fmt.Errorf("network user not allowed")
-			}
-		}
-	}
-
 	return user, nil
 }

controllers/enrollmentkeys.go

@@ -51,7 +51,7 @@ func getEnrollmentKeys(w http.ResponseWriter, r *http.Request) {
 	// TODO drop double pointer
 	ret := []*models.EnrollmentKey{}
 	for _, key := range keys {
-		if !isMasterAdmin && !logic.UserHasNetworksAccess(key.Networks, user) {
+		if !isMasterAdmin && (!user.IsAdmin || !user.IsSuperAdmin) {
 			continue
 		}
 		if err = logic.Tokenize(key, servercfg.GetAPIHost()); err != nil {

controllers/network_test.go

@@ -29,8 +29,6 @@ func TestMain(m *testing.M) {
 		UserName: "admin",
 		Password: "password",
 		IsAdmin:  true,
-		Networks: []string{},
-		Groups:   []string{},
 	})
 	peerUpdate := make(chan *models.Node)
 	go logic.ManageZombies(context.Background(), peerUpdate)

controllers/node.go

@@ -324,14 +324,6 @@ func getAllNodes(w http.ResponseWriter, r *http.Request) {
 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 			return
 		}
-	} else {
-		nodes, err = getUsersNodes(*user)
-		if err != nil {
-			logger.Log(0, r.Header.Get("user"),
-				"error fetching nodes: ", err.Error())
-			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
-			return
-		}
 	}
 	// return all the nodes in JSON/API format
 	apiNodes := logic.GetAllNodesAPI(nodes[:])
@@ -341,19 +333,6 @@ func getAllNodes(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(apiNodes)
 }
 
-func getUsersNodes(user models.User) ([]models.Node, error) {
-	var nodes []models.Node
-	var err error
-	for _, networkName := range user.Networks {
-		tmpNodes, err := logic.GetNetworkNodes(networkName)
-		if err != nil {
-			continue
-		}
-		nodes = append(nodes, tmpNodes...)
-	}
-	return nodes, err
-}
-
 // swagger:route GET /api/nodes/{network}/{nodeid} nodes getNode
 //
 // Get an individual node.

controllers/user.go

@@ -474,7 +474,7 @@ func updateUserNetworks(w http.ResponseWriter, r *http.Request) {
 	var params = mux.Vars(r)
 	// start here
 	username := params["username"]
-	user, err := logic.GetUser(username)
+	_, err := logic.GetUser(username)
 	if err != nil {
 		logger.Log(0, username,
 			"failed to update user networks: ", err.Error())
@@ -490,19 +490,7 @@ func updateUserNetworks(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-	err = logic.UpdateUserNetworks(userChange.Networks, userChange.Groups, userChange.IsAdmin, &models.ReturnUser{
-		Groups:   user.Groups,
-		IsAdmin:  user.IsAdmin,
-		Networks: user.Networks,
-		UserName: user.UserName,
-	})
 
-	if err != nil {
-		logger.Log(0, username,
-			"failed to update user networks: ", err.Error())
-		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
-		return
-	}
 	logger.Log(1, username, "status was updated")
 	// re-read and return the new user struct
 	returnUser, err := logic.GetReturnUser(username)
@@ -568,7 +556,6 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not authorizied"), "unauthorized"))
 		return
 	}
-	userchange.Networks = nil
 	user, err = logic.UpdateUser(&userchange, user)
 	if err != nil {
 		logger.Log(0, username,

controllers/user_test.go

@@ -90,8 +90,8 @@ func TestUpdateUserNoHashedPassword(t *testing.T) {
 
 	// mock the jwt verification
 	oldVerify := verifyJWT
-	verifyJWT = func(bearerToken string) (username string, networks []string, isadmin bool, err error) {
-		return user1.UserName, user1.Networks, user1.IsAdmin, nil
+	verifyJWT = func(bearerToken string) (username string, issuperadmin, isadmin bool, err error) {
+		return user1.UserName, user1.IsSuperAdmin, user1.IsAdmin, nil
 	}
 	defer func() { verifyJWT = oldVerify }()
 
@@ -281,7 +281,7 @@ func TestValidateUser(t *testing.T) {
 func TestGetUser(t *testing.T) {
 	deleteAllUsers(t)
 
-	user := models.User{UserName: "admin", Password: "password", Networks: nil, IsAdmin: true, Groups: nil}
+	user := models.User{UserName: "admin", Password: "password", IsAdmin: true}
 
 	t.Run("NonExistantUser", func(t *testing.T) {
 		admin, err := logic.GetUser("admin")
@@ -339,7 +339,7 @@ func TestGetUsers(t *testing.T) {
 func TestUpdateUser(t *testing.T) {
 	deleteAllUsers(t)
 	user := models.User{UserName: "admin", Password: "password", IsAdmin: true}
-	newuser := models.User{UserName: "hello", Password: "world", Networks: []string{"wirecat, netmaker"}, IsAdmin: true, Groups: []string{}}
+	newuser := models.User{UserName: "hello", Password: "world", IsAdmin: true}
 	t.Run("NonExistantUser", func(t *testing.T) {
 		admin, err := logic.UpdateUser(&newuser, &user)
 		assert.EqualError(t, err, "could not find any records")
@@ -382,7 +382,7 @@ func TestUpdateUser(t *testing.T) {
 
 func TestVerifyAuthRequest(t *testing.T) {
 	deleteAllUsers(t)
-	user := models.User{UserName: "admin", Password: "password", Networks: nil, IsAdmin: true, Groups: nil}
+	user := models.User{UserName: "admin", Password: "password", IsSuperAdmin: false, IsAdmin: true}
 	var authRequest models.UserAuthParams
 	t.Run("EmptyUserName", func(t *testing.T) {
 		authRequest.UserName = ""
@@ -418,7 +418,7 @@ func TestVerifyAuthRequest(t *testing.T) {
 		assert.Nil(t, err)
 	})
 	t.Run("WrongPassword", func(t *testing.T) {
-		user := models.User{UserName: "admin", Password: "password", Groups: []string{}}
+		user := models.User{UserName: "admin", Password: "password"}
 		if err := logic.CreateUser(&user); err != nil {
 			t.Error(err)
 		}

functions/helpers_test.go

@@ -29,8 +29,6 @@ func TestMain(m *testing.M) {
 		UserName:     "superadmin",
 		Password:     "password",
 		IsSuperAdmin: true,
-		Networks:     []string{},
-		Groups:       []string{},
 	})
 	peerUpdate := make(chan *models.Node)
 	go logic.ManageZombies(context.Background(), peerUpdate)

logic/auth.go

@@ -141,7 +141,7 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 	}
 
 	// Create a new JWT for the node
-	tokenString, _ := CreateUserJWT(authRequest.UserName, result.Networks, result.IsAdmin)
+	tokenString, _ := CreateUserJWT(authRequest.UserName, result.IsSuperAdmin, result.IsAdmin)
 	return tokenString, nil
 }
 
@@ -159,11 +159,10 @@ func UpdateUserNetworks(newNetworks, newGroups []string, isadmin bool, currentUs
 		currentUser.Networks = nil
 	}
 	userChange := models.User{
-		UserName: currentUser.UserName,
-		Networks: currentUser.Networks,
-		IsAdmin:  currentUser.IsAdmin,
-		Password: "",
-		Groups:   currentUser.Groups,
+		UserName:     currentUser.UserName,
+		IsSuperAdmin: currentUser.IsSuperAdmin,
+		IsAdmin:      currentUser.IsAdmin,
+		Password:     "",
 	}
 
 	_, err = UpdateUser(&userChange, returnedUser)
@@ -194,12 +193,7 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
 	if userchange.UserName != "" {
 		user.UserName = userchange.UserName
 	}
-	if len(userchange.Networks) > 0 {
-		user.Networks = userchange.Networks
-	}
-	if len(userchange.Groups) > 0 {
-		user.Groups = userchange.Groups
-	}
+
 	if userchange.Password != "" {
 		// encrypt that password so we never see it again
 		hash, err := bcrypt.GenerateFromPassword([]byte(userchange.Password), 5)

logic/enrollmentkey.go

@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"golang.org/x/exp/slices"
 	"time"
 
 	"github.com/gravitl/netmaker/database"
@@ -224,16 +223,3 @@ func getEnrollmentKeysMap() (map[string]*models.EnrollmentKey, error) {
 	}
 	return currentKeys, nil
 }
-
-// UserHasNetworksAccess - checks if a user `u` has access to all `networks`
-func UserHasNetworksAccess(networks []string, u *models.User) bool {
-	if u.IsAdmin {
-		return true
-	}
-	for _, n := range networks {
-		if !slices.Contains(u.Networks, n) {
-			return false
-		}
-	}
-	return true
-}

logic/enrollmentkey_test.go

@@ -204,77 +204,3 @@ func TestDeTokenize_EnrollmentKeys(t *testing.T) {
 
 	removeAllEnrollments()
 }
-
-func TestHasNetworksAccess(t *testing.T) {
-	type Case struct {
-		// network names
-		n []string
-		u models.User
-	}
-	pass := []Case{
-		{
-			n: []string{"n1", "n2"},
-			u: models.User{
-				Networks: []string{"n1", "n2"},
-				IsAdmin:  false,
-			},
-		},
-		{
-			n: []string{"n1", "n2"},
-			u: models.User{
-				Networks: []string{},
-				IsAdmin:  true,
-			},
-		},
-		{
-			n: []string{"n1", "n2"},
-			u: models.User{
-				Networks: []string{"n1", "n2", "n3"},
-				IsAdmin:  false,
-			},
-		},
-		{
-			n: []string{"n2"},
-			u: models.User{
-				Networks: []string{"n2"},
-				IsAdmin:  false,
-			},
-		},
-	}
-	deny := []Case{
-		{
-			n: []string{"n1", "n2"},
-			u: models.User{
-				Networks: []string{"n2"},
-				IsAdmin:  false,
-			},
-		},
-		{
-			n: []string{"n1", "n2"},
-			u: models.User{
-				Networks: []string{},
-				IsAdmin:  false,
-			},
-		},
-		{
-			n: []string{"n1", "n2"},
-			u: models.User{
-				Networks: []string{"n3"},
-				IsAdmin:  false,
-			},
-		},
-		{
-			n: []string{"n2"},
-			u: models.User{
-				Networks: []string{"n1"},
-				IsAdmin:  false,
-			},
-		},
-	}
-	for _, tc := range pass {
-		assert.True(t, UserHasNetworksAccess(tc.n, &tc.u))
-	}
-	for _, tc := range deny {
-		assert.False(t, UserHasNetworksAccess(tc.n, &tc.u))
-	}
-}

logic/jwts.go

@@ -52,37 +52,13 @@ func CreateJWT(uuid string, macAddress string, network string) (response string,
 	return "", err
 }
 
-// CreateProUserJWT - creates a user jwt token
-func CreateProUserJWT(username string, networks, groups []string, isadmin bool) (response string, err error) {
-	expirationTime := time.Now().Add(60 * 12 * time.Minute)
-	claims := &models.UserClaims{
-		UserName: username,
-		Networks: networks,
-		IsAdmin:  isadmin,
-		Groups:   groups,
-		RegisteredClaims: jwt.RegisteredClaims{
-			Issuer:    "Netmaker",
-			Subject:   fmt.Sprintf("user|%s", username),
-			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			ExpiresAt: jwt.NewNumericDate(expirationTime),
-		},
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	tokenString, err := token.SignedString(jwtSecretKey)
-	if err == nil {
-		return tokenString, nil
-	}
-	return "", err
-}
-
 // CreateUserJWT - creates a user jwt token
-func CreateUserJWT(username string, networks []string, isadmin bool) (response string, err error) {
+func CreateUserJWT(username string, issuperadmin, isadmin bool) (response string, err error) {
 	expirationTime := time.Now().Add(60 * 12 * time.Minute)
 	claims := &models.UserClaims{
-		UserName: username,
-		Networks: networks,
-		IsAdmin:  isadmin,
+		UserName:     username,
+		IsSuperAdmin: issuperadmin,
+		IsAdmin:      isadmin,
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    "Netmaker",
 			Subject:   fmt.Sprintf("user|%s", username),
@@ -100,23 +76,23 @@ func CreateUserJWT(username string, networks []string, isadmin bool) (response s
 }
 
 // VerifyJWT verifies Auth Header
-func VerifyJWT(bearerToken string) (username string, networks []string, isadmin bool, err error) {
+func VerifyJWT(bearerToken string) (username string, issuperadmin, isadmin bool, err error) {
 	token := ""
 	tokenSplit := strings.Split(bearerToken, " ")
 	if len(tokenSplit) > 1 {
 		token = tokenSplit[1]
 	} else {
-		return "", nil, false, errors.New("invalid auth header")
+		return "", false, false, errors.New("invalid auth header")
 	}
 	return VerifyUserToken(token)
 }
 
 // VerifyUserToken func will used to Verify the JWT Token while using APIS
-func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) {
+func VerifyUserToken(tokenString string) (username string, issuperadmin, isadmin bool, err error) {
 	claims := &models.UserClaims{}
 
 	if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {
-		return "masteradministrator", nil, true, nil
+		return "masteradministrator", true, true, nil
 	}
 
 	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
@@ -128,15 +104,15 @@ func VerifyUserToken(tokenString string) (username string, networks []string, is
 		// check that user exists
 		user, err = GetUser(claims.UserName)
 		if err != nil {
-			return "", nil, false, err
+			return "", false, false, err
 		}
 
 		if user.UserName != "" {
-			return claims.UserName, claims.Networks, claims.IsAdmin, nil
+			return claims.UserName, claims.IsSuperAdmin, claims.IsAdmin, nil
 		}
 		err = errors.New("user does not exist")
 	}
-	return "", nil, false, err
+	return "", false, false, err
 }
 
 // VerifyHostToken - [hosts] Only

logic/security.go

@@ -83,24 +83,14 @@ func UserPermissions(reqAdmin bool, netname string, token string) ([]string, str
 		// TODO log in as an actual admin user
 		return []string{ALL_NETWORK_ACCESS}, master_uname, nil
 	}
-	username, networks, isadmin, err := VerifyUserToken(authToken)
+	username, _, isadmin, err := VerifyUserToken(authToken)
 	if err != nil {
 		return nil, username, Unauthorized_Err
 	}
 	if !isadmin && reqAdmin {
 		return nil, username, Forbidden_Err
 	}
-	userNetworks = networks
-	if isadmin {
-		return []string{ALL_NETWORK_ACCESS}, username, nil
-	}
-	// check network admin access
-	if len(netname) > 0 && (len(userNetworks) == 0 || !authenticateNetworkUser(netname, userNetworks)) {
-		return nil, username, Forbidden_Err
-	}
-	if isEE && len(netname) > 0 {
-		return nil, "", Forbidden_Err
-	}
+
 	return userNetworks, username, nil
 }
 

logic/users.go

@@ -40,10 +40,9 @@ func GetReturnUser(username string) (models.ReturnUser, error) {
 // ToReturnUser - gets a user as a return user
 func ToReturnUser(user models.User) models.ReturnUser {
 	return models.ReturnUser{
-		UserName: user.UserName,
-		Networks: user.Networks,
-		IsAdmin:  user.IsAdmin,
-		Groups:   user.Groups,
+		UserName:     user.UserName,
+		IsSuperAdmin: user.IsSuperAdmin,
+		IsAdmin:      user.IsAdmin,
 	}
 }
 

models/structs.go

@@ -26,11 +26,9 @@ type AuthParams struct {
 type User struct {
 	UserName     string              `json:"username" bson:"username" validate:"min=3,max=40,in_charset|email"`
 	Password     string              `json:"password" bson:"password" validate:"required,min=5"`
-	Networks     []string            `json:"networks" bson:"networks"`
 	IsAdmin      bool                `json:"isadmin" bson:"isadmin"`
 	IsSuperAdmin bool                `json:"super_admin"`
 	RemoteGwIDs  map[string]struct{} `json:"remote_gw_ids"`
-	Groups       []string            `json:"groups" bson:"groups" yaml:"groups"`
 }
 
 // ReturnUser - return user struct
@@ -53,9 +51,6 @@ type UserClaims struct {
 	IsAdmin      bool
 	IsSuperAdmin bool
 	UserName     string
-	Networks     []string
-	Groups       []string
-	GateWays     map[string]struct{}
 	jwt.RegisteredClaims
 }