Ana Sayfa Keşfet Yardım
Giriş Yap
golang
/
netmaker
şunun yansıması https://github.com/gravitl/netmaker
2
0
Çatalla 0
Dosyalar Sorunlar 0 Wiki
Kaynağa Gözat

allow multiple network roles

abhishek9686 1 yıl önce
ebeveyn
e326c0fd49
işleme
49c2e60744
4 değiştirilmiş dosya ile 82 ekleme ve 40 silme
Görünümü Böl Farklılık Durumunu Göster
  1. 14 0
      controllers/user.go
  2. 42 22
      logic/security.go
  3. 22 15
      logic/user_mgmt.go
  4. 4 3
      models/user_mgmt.go

+ 14 - 0
controllers/user.go
Dosyayı Görüntüle 

@@ -642,6 +642,20 @@ func createUser(w http.ResponseWriter, r *http.Request) {
 
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 
 		return
 
 	}
 
+	uniqueGroupsPlatformRole := make(map[models.UserRole]struct{})
 
+	for groupID := range user.UserGroups {
 
+		userG, err := logic.GetUserGroup(groupID)
 
+		if err != nil {
 
+			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 
+			return
 
+		}
 
+		uniqueGroupsPlatformRole[userG.PlatformRole] = struct{}{}
 
+	}
 
+	if len(uniqueGroupsPlatformRole) > 1 {
 
+		err = errors.New("only groups with same platform role can be assigned to an user")
 
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 
+		return
 
+	}
 
 	if !caller.IsSuperAdmin && user.IsAdmin {
 
 		err = errors.New("only superadmin can create admin users")
 
 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)

+ 42 - 22
logic/security.go
Dosyayı Görüntüle 

@@ -51,35 +51,55 @@ func networkPermissionsCheck(username string, r *http.Request) error {
 
 	// TODO - differentitate between global scope and network scope apis
 
 	netRoles := user.NetworkRoles[models.NetworkID(netID)]
 
 	for netRoleID := range netRoles {
 
-		networkPermissionScope, err := GetRole(netRoleID)
 
-		if err != nil {
 
-			continue
 
-		}
 
-		if networkPermissionScope.FullAccess {
 
+		err = checkNetworkAccessPermissions(netRoleID, r.Method, targetRsrc, targetRsrcID)
 
+		if err == nil {
 
 			return nil
 
 		}
 
-		rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)]
 
-		if !ok {
 
-			continue
 
-		}
 
-		if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok {
 
-			err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, r.Method)
 
-			if err == nil {
 
-				return nil
 
+	}
 
+	for groupID := range user.UserGroups {
 
+		userG, err := GetUserGroup(groupID)
 
+		if err == nil {
 
+			netRoles := userG.NetworkRoles[models.NetworkID(netID)]
 
+			for netRoleID := range netRoles {
 
+				err = checkNetworkAccessPermissions(netRoleID, r.Method, targetRsrc, targetRsrcID)
 
+				if err == nil {
 
+					return nil
 
+				}
 
 			}
 
-
 
 		}
 
-		if targetRsrcID == "" {
 
-			continue
 
+	}
 
+
 
+	return errors.New("access denied")
 
+}
 
+
 
+func checkNetworkAccessPermissions(netRoleID models.UserRole, reqScope, targetRsrc, targetRsrcID string) error {
 
+	networkPermissionScope, err := GetRole(netRoleID)
 
+	if err != nil {
 
+		return err
 
+	}
 
+	if networkPermissionScope.FullAccess {
 
+		return nil
 
+	}
 
+	rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)]
 
+	if !ok {
 
+		return errors.New("access denied")
 
+	}
 
+	if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok {
 
+		err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, reqScope)
 
+		if err == nil {
 
+			return nil
 
 		}
 
-		if scope, ok := rsrcPermissionScope[models.RsrcID(targetRsrcID)]; ok {
 
-			err = checkPermissionScopeWithReqMethod(scope, r.Method)
 
-			if err == nil {
 
-				return nil
 
-			}
 
+
 
+	}
 
+	if targetRsrcID == "" {
 
+		return errors.New("target rsrc id is empty")
 
+	}
 
+	if scope, ok := rsrcPermissionScope[models.RsrcID(targetRsrcID)]; ok {
 
+		err = checkPermissionScopeWithReqMethod(scope, reqScope)
 
+		if err == nil {
 
+			return nil
 
 		}
 
 	}
 
-
 
 	return errors.New("access denied")
 
 }

+ 22 - 15
logic/user_mgmt.go
Dosyayı Görüntüle 

@@ -30,7 +30,7 @@ var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{
 
 var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
 
 	ID:                 models.NetworkAdmin,
 
 	Default:            true,
 
-	NetworkID:          "*",
 
+	NetworkID:          "netmaker",
 
 	FullAccess:         true,
 
 	NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
 
 }
 
@@ -39,7 +39,7 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
 
 	ID:                  models.NetworkUser,
 
 	Default:             true,
 
 	FullAccess:          false,
 
-	NetworkID:           "*",
 
+	NetworkID:           "netmaker",
 
 	DenyDashboardAccess: false,
 
 	NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 
 		models.RemoteAccessGwRsrc: {
 
@@ -49,10 +49,11 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
 
 		},
 
 		models.ExtClientsRsrc: {
 
 			models.AllExtClientsRsrcID: models.RsrcPermissionScope{
 
-				Read:   true,
 
-				Create: true,
 
-				Update: true,
 
-				Delete: true,
 
+				Read:      true,
 
+				Create:    true,
 
+				Update:    true,
 
+				Delete:    true,
 
+				VPNaccess: true,
 
 			},
 
 		},
 
 	},
 
@@ -146,16 +147,23 @@ func DeleteRole(rid models.UserRole) error {
 
 	if err != nil {
 
 		return err
 
 	}
 
+	role, err := GetRole(rid)
 
+	if err != nil {
 
+		return err
 
+	}
 
 	for _, user := range users {
 
 		for userG := range user.UserGroups {
 
 			ug, err := GetUserGroup(userG)
 
 			if err == nil {
 
-				for _, networkRole := range ug.NetworkRoles {
 
-					if networkRole == rid {
 
-						err = errors.New("role cannot be deleted as active user groups are using this role")
 
-						return err
 
+				if role.NetworkID != "" {
 
+					for _, networkRoles := range ug.NetworkRoles {
 
+						if _, ok := networkRoles[rid]; ok {
 
+							err = errors.New("role cannot be deleted as active user groups are using this role")
 
+							return err
 
+						}
 
 					}
 
 				}
 
+
 
 			}
 
 		}
 
 
@@ -164,12 +172,11 @@ func DeleteRole(rid models.UserRole) error {
 
 			return err
 
 		}
 
 		for _, networkRoles := range user.NetworkRoles {
 
-			for networkRole := range networkRoles {
 
-				if networkRole == rid {
 
-					err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
 
-					return err
 
-				}
 
+			if _, ok := networkRoles[rid]; ok {
 
+				err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
 
+				return err
 
 			}
 
+
 
 		}
 
 	}
 
 	return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, rid.String())

+ 4 - 3
models/user_mgmt.go
Dosyayı Görüntüle 

@@ -87,9 +87,10 @@ type UserRolePermissionTemplate struct {
 
 }
 
 
 type UserGroup struct {
 
-	ID           string                 `json:"id"`
 
-	NetworkRoles map[NetworkID]UserRole `json:"network_roles"`
 
-	MetaData     string                 `json:"meta_data"`
 
+	ID           string                              `json:"id"`
 
+	PlatformRole UserRole                            `json:"platform_role"`
 
+	NetworkRoles map[NetworkID]map[UserRole]struct{} `json:"network_roles"`
 
+	MetaData     string                              `json:"meta_data"`
 
 }
 
 
 // User struct - struct for Users