4 years ago · 4f531e1c54
--- a/controllers/config/dnsconfig/Corefile
+++ b/controllers/config/dnsconfig/Corefile
@@ -1,8 +0,0 @@
 
				-skynet  {
			
 
				-    reload 15s
			
 
				-    hosts /root/dnsconfig/netmaker.hosts {
			
 
				-	fallthrough	
			
 
				-    }
			
 
				-    forward . 8.8.8.8 8.8.4.4
			
 
				-    log
			
 
				-}
			
--- a/controllers/config/dnsconfig/netmaker.hosts
+++ b/controllers/config/dnsconfig/netmaker.hosts
@@ -1 +0,0 @@
 
				-10.0.0.1         node-4bukt.skynet
			
--- a/controllers/config/environments/dev.yaml
+++ b/controllers/config/environments/dev.yaml
@@ -1,17 +0,0 @@
 
				-server:
			
 
				-  host: "localhost"
			
 
				-  apiport: "8081"
			
 
				-  grpcport: "50051"
			
 
				-  masterkey: "secretkey"
			
 
				-  allowedorigin: "*"
			
 
				-  restbackend: true            
			
 
				-  agentbackend: true
			
 
				-  defaultnetname: "default"
			
 
				-  defaultnetrange: "10.10.10.0/24"
			
 
				-  createdefault: true
			
 
				-mongoconn:
			
 
				-  user: "mongoadmin"
			
 
				-  pass: "mongopass"
			
 
				-  host: "localhost"
			
 
				-  port: "27017"
			
 
				-  opts: '/?authSource=admin'
			
--- a/controllers/networkHttpController.go
+++ b/controllers/networkHttpController.go
@@ -64,10 +64,6 @@ func SecurityCheck(netname, token string) error {
 
				 		return err
			
 
				 	}
			
 
				 	if hasnetwork && !networkexists {
			
 
				-		//errorResponse = models.ErrorResponse{
			
 
				-		//	Code: http.StatusNotFound, Message: "W1R3: This network does not exist.",
			
 
				-		//}
			
 
				-		//returnErrorResponse(w, r, errorResponse)
			
 
				 		return errors.New("This network does not exist")
			
 
				 	}
			
 
				 
			
@@ -81,14 +77,12 @@ func SecurityCheck(netname, token string) error {
 
				 		authToken = tokenSplit[1]
			
 
				 	}
			
 
				 	//all endpoints here require master so not as complicated
			
 
				-	//still might not be a good  way of doing this
			
 
				 	if !hasBearer || !authenticateMaster(authToken) {
			
 
				-		//errorResponse = models.ErrorResponse{
			
 
				-		//	Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
			
 
				-		//	}
			
 
				-		//	returnErrorResponse(w, r, errorResponse)
			
 
				-		return errors.New("You are unauthorized to access this endpoint")
			
 
				-	} //else {
			
 
				+		_, isadmin, err := functions.VerifyUserToken(authToken)
			
 
				+		if err != nil || !isadmin {
			
 
				+			return errors.New("You are unauthorized to access this endpoint")
			
 
				+		}
			
 
				+	}
			
 
				 	return nil
			
 
				 }
			
 
				 
			
--- a/controllers/nodeHttpController.go
+++ b/controllers/nodeHttpController.go
@@ -32,7 +32,6 @@ func nodeHandlers(r *mux.Router) {
 
				 	r.HandleFunc("/api/nodes/{network}/{macaddress}/deleteingress", securityCheck(http.HandlerFunc(deleteIngressGateway))).Methods("DELETE")
			
 
				 	r.HandleFunc("/api/nodes/{network}/{macaddress}/approve", authorize(true, "master", http.HandlerFunc(uncordonNode))).Methods("POST")
			
 
				 	r.HandleFunc("/api/nodes/{network}", createNode).Methods("POST")
			
 
				-	//r.HandleFunc("/api/register", registerClient).Methods("POST")
			
 
				 	r.HandleFunc("/api/nodes/adm/{network}/lastmodified", authorize(true, "network", http.HandlerFunc(getLastModified))).Methods("GET")
			
 
				 	r.HandleFunc("/api/nodes/adm/{network}/authenticate", authenticate).Methods("POST")
			
 
				 
			
@@ -184,17 +183,24 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 
				 			//A: the token is the master password
			
 
				 			//B: the token corresponds to a mac address, and if so, which one
			
 
				 			//TODO: There's probably a better way of dealing with the "master token"/master password. Plz Halp.
			
 
				-			macaddress, _, err := functions.VerifyToken(authToken)
			
 
				-			if err != nil {
			
 
				-				errorResponse = models.ErrorResponse{
			
 
				-					Code: http.StatusUnauthorized, Message: "W1R3: Error Verifying Auth Token.",
			
 
				+
			
 
				+                        var isAuthorized = false
			
 
				+			var macaddress = ""
			
 
				+                        _, isadmin, errN := functions.VerifyUserToken(authToken)
			
 
				+                        if errN == nil && isadmin {
			
 
				+	                        macaddress = "mastermac"
			
 
				+                                isAuthorized = true
			
 
				+			} else {
			
 
				+				mac, _, err := functions.VerifyToken(authToken)
			
 
				+				if err != nil {
			
 
				+					errorResponse = models.ErrorResponse{
			
 
				+						Code: http.StatusUnauthorized, Message: "W1R3: Error Verifying Auth Token.",
			
 
				+					}
			
 
				+					returnErrorResponse(w, r, errorResponse)
			
 
				+					return
			
 
				 				}
			
 
				-				returnErrorResponse(w, r, errorResponse)
			
 
				-				return
			
 
				+				macaddress = mac
			
 
				 			}
			
 
				-
			
 
				-			var isAuthorized = false
			
 
				-
			
 
				 			//The mastermac (login with masterkey from config) can do everything!! May be dangerous.
			
 
				 			if macaddress == "mastermac" {
			
 
				 				isAuthorized = true
			
--- a/controllers/serverHttpController.go
+++ b/controllers/serverHttpController.go
@@ -2,6 +2,7 @@ package controller
 
				 
			
 
				 import (
			
 
				     "github.com/gravitl/netmaker/models"
			
 
				+    "github.com/gravitl/netmaker/functions"
			
 
				     "github.com/gravitl/netmaker/serverctl"
			
 
				     "github.com/gravitl/netmaker/servercfg"
			
 
				     "encoding/json"
			
@@ -38,13 +39,16 @@ func securityCheckServer(next http.Handler) http.HandlerFunc {
 
				 		}
			
 
				 		//all endpoints here require master so not as complicated
			
 
				 		//still might not be a good  way of doing this
			
 
				-		if !hasBearer || !authenticateMasterServer(authToken) {
			
 
				-			errorResponse = models.ErrorResponse{
			
 
				-				Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
			
 
				+                _, isadmin, err := functions.VerifyUserToken(authToken)
			
 
				+                if err != nil || !isadmin {
			
 
				+			if (!hasBearer || !authenticateMasterServer(authToken)) && !isadmin {
			
 
				+				errorResponse = models.ErrorResponse{
			
 
				+					Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
			
 
				+				}
			
 
				+				returnErrorResponse(w, r, errorResponse)
			
 
				+			} else {
			
 
				+				next.ServeHTTP(w, r)
			
 
				 			}
			
 
				-			returnErrorResponse(w, r, errorResponse)
			
 
				-		} else {
			
 
				-			next.ServeHTTP(w, r)
			
 
				 		}
			
 
				 	}
			
 
				 }
			
--- a/controllers/userHttpController.go
+++ b/controllers/userHttpController.go
@@ -126,7 +126,7 @@ func authorizeUser(next http.Handler) http.HandlerFunc {
 
				 
			
 
				 		//get the auth token
			
 
				 		bearerToken := r.Header.Get("Authorization")
			
 
				-		err := ValidateToken(bearerToken)
			
 
				+		err := ValidateUserToken(bearerToken)
			
 
				 		if err != nil {
			
 
				 			returnErrorResponse(w, r, formatError(err, "unauthorized"))
			
 
				 			return
			
@@ -135,7 +135,7 @@ func authorizeUser(next http.Handler) http.HandlerFunc {
 
				 	}
			
 
				 }
			
 
				 
			
 
				-func ValidateToken(token string) error {
			
 
				+func ValidateUserToken(token string) error {
			
 
				 	var tokenSplit = strings.Split(token, " ")
			
 
				 
			
 
				 	//I put this in in case the user doesn't put in a token at all (in which case it's empty)
			
@@ -148,10 +148,6 @@ func ValidateToken(token string) error {
 
				 		return errors.New("Missing Auth Token.")
			
 
				 	}
			
 
				 
			
 
				-	//This checks if
			
 
				-	//A: the token is the master password
			
 
				-	//B: the token corresponds to a mac address, and if so, which one
			
 
				-	//TODO: There's probably a better way of dealing with the "master token"/master password. Plz Halp.
			
 
				 	username, _, err := functions.VerifyUserToken(authToken)
			
 
				 	if err != nil {
			
 
				 		return errors.New("Error Verifying Auth Token")