
set extclient permission scope when rag vpn access is set

abhishek9686 1 năm trước cách đây
mục cha
commit
43a0ca20d7
2 tập tin đã thay đổi với 50 bổ sung4 xóa
  1. 2 2
      pro/controllers/users.go
  2. 48 2
      pro/logic/user_mgmt.go

+ 2 - 2
pro/controllers/users.go

@@ -524,7 +524,7 @@ func createRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-	err = proLogic.ValidateCreateRoleReq(userRole)
+	err = proLogic.ValidateCreateRoleReq(&userRole)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
@@ -559,7 +559,7 @@ func updateRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-	err = proLogic.ValidateUpdateRoleReq(userRole)
+	err = proLogic.ValidateUpdateRoleReq(&userRole)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return

+ 48 - 2
pro/logic/user_mgmt.go

@@ -205,7 +205,7 @@ func ListPlatformRoles() ([]models.UserRolePermissionTemplate, error) {
 	return userRoles, nil
 }
 
-func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
+func ValidateCreateRoleReq(userRole *models.UserRolePermissionTemplate) error {
 	// check if role exists with this id
 	_, err := logic.GetRole(userRole.ID)
 	if err == nil {
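Review bot: ValidateCreateRoleReq now takes a pointer so that it can change the role it is given, but its name and the lack of a doc comment still present it as a read-only check. A comment on the signature would tell callers that the request is modified, for example `// ValidateCreateRoleReq validates userRole and, when a remote access gateway scope has VPNaccess set, adds an ext client scope to it.` The same applies to ValidateUpdateRoleReq in the hunk at -224,7. Both function bodies continue outside these hunks.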
@@ -216,6 +216,29 @@ func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
 			if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
 				return errors.New("invalid rsrc type " + rsrcType.String())
 			}
+			if rsrcType == models.RemoteAccessGwRsrc {
+				userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc]
+				var vpnAccess bool
+				for _, scope := range userRsrcPermissions {
+					if scope.VPNaccess {
+						vpnAccess = true
+						break
+					}
+				}
+				if vpnAccess {
+					userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{
+						models.AllExtClientsRsrcID: {
+							Read:     true,
+							Create:   true,
+							Update:   true,
+							Delete:   true,
+							SelfOnly: true,
+						},
+					}
+
+				}
+
+			}
 		}
 	}
 	if userRole.NetworkID == "" {
@@ -224,7 +247,7 @@ func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
 	return nil
 }
 
-func ValidateUpdateRoleReq(userRole models.UserRolePermissionTemplate) error {
+func ValidateUpdateRoleReq(userRole *models.UserRolePermissionTemplate) error {
 	roleInDB, err := logic.GetRole(userRole.ID)
 	if err != nil {
 		return err
@@ -240,6 +263,29 @@ func ValidateUpdateRoleReq(userRole models.UserRolePermissionTemplate) error {
 			if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
 				return errors.New("invalid rsrc type " + rsrcType.String())
 			}
+			if rsrcType == models.RemoteAccessGwRsrc {
+				userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc]
+				var vpnAccess bool
+				for _, scope := range userRsrcPermissions {
+					if scope.VPNaccess {
+						vpnAccess = true
+						break
+					}
+				}
+				if vpnAccess {
+					userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{
+						models.AllExtClientsRsrcID: {
+							Read:     true,
+							Create:   true,
+							Update:   true,
+							Delete:   true,
+							SelfOnly: true,
+						},
+					}
+
+				}
+
+			}
 		}
 	}
 	return nil
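Review bot: The update path only ever adds the ext-client scope; nothing in this hunk removes it when a role that had VPNaccess is saved with it cleared. If the client sends the role back as it was stored, the self-only create/update/delete scope on ext clients would outlive the VPN access that justified it. How the role is persisted is outside this hunk, so this needs checking against the caller. If the scope is meant to stay, a comment before the `if vpnAccess` block such as `// ext client scope is not revoked when VPNaccess is cleared; admins remove it explicitly` would record the decision.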