
replace auth checks, add network id to role model

abhishek9686 1 سال پیش
والد
کامیت
56fdd6d98e
6فایلهای تغییر یافته به همراه37 افزوده شده و 10 حذف شده
  1. 12 1
      controllers/middleware.go
  2. 2 2
      controllers/node.go
  3. 2 2
      controllers/server.go
  4. 6 1
      controllers/user.go
  5. 11 1
      logic/user_mgmt.go
  6. 4 3
      models/user_mgmt.go

+ 12 - 1
controllers/middleware.go

@@ -34,10 +34,21 @@ func userMiddleWare(handler http.Handler) http.Handler {
 			r.Header.Set("TARGET_RSRC", models.NetworkRsrc.String())
 			r.Header.Set("RSRC_TYPE", models.NetworkRsrc.String())
 		}
+		if strings.Contains(r.URL.Path, "acls") {
+			r.Header.Set("TARGET_RSRC", models.AclRsrc.String())
+			r.Header.Set("RSRC_TYPE", models.NetworkRsrc.String())
+		}
 		if strings.Contains(r.URL.Path, "extclients") {
 			r.Header.Set("TARGET_RSRC", models.ExtClientsRsrc.String())
 			r.Header.Set("RSRC_TYPE", models.ExtClientsRsrc.String())
 		}
+		if strings.Contains(r.URL.Path, "enrollment-keys") {
+			r.Header.Set("TARGET_RSRC", models.EnrollmentKeysRsrc.String())
+			r.Header.Set("RSRC_TYPE", models.EnrollmentKeysRsrc.String())
+		}
+		if keyID, ok := params["keyID"]; ok {
+			r.Header.Set("TARGET_RSRC_ID", keyID)
+		}
 		if nodeID, ok := params["nodeid"]; ok {
 			r.Header.Set("TARGET_RSRC_ID", nodeID)
 		}
@@ -53,7 +64,7 @@ func userMiddleWare(handler http.Handler) http.Handler {
 		if userID, ok := params["username"]; ok {
 			r.Header.Set("TARGET_RSRC_ID", userID)
 		}
-		if r.Header.Get("TARGET_RSRC_ID") == "" {
+		if r.Header.Get("TARGET_RSRC_ID") == "" || r.Header.Get("TARGET_RSRC") == models.EnrollmentKeysRsrc.String() {
 			r.Header.Set("IS_GLOBAL_ACCESS", "yes")
 		}
 		handler.ServeHTTP(w, r)
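Review bot: The new `acls` and `enrollment-keys` branches (lines 30–41) classify the request with `strings.Contains` over the entire URL path, so a caller-controlled path segment (a username, node ID or key ID that happens to contain "acls" or "enrollment-keys") would reclassify the request — and, through the condition added on line 53, force `IS_GLOBAL_ACCESS` to `yes` for it; anchor the match on the route prefix (`strings.HasPrefix`) or derive the resource from the matched mux route instead of a substring test. The `acls` branch also sets `RSRC_TYPE` to `NetworkRsrc` while every other branch sets it equal to `TARGET_RSRC`; if that asymmetry is intended a one-line comment should say so. Because line 53 now marks every enrollment-key request as global access, the `keyID` header written on lines 42–44 no longer narrows anything — either drop it or document that enrollment keys are deliberately not scoped per key. These headers are only overwritten when a branch matches, so the code before this hunk must delete any client-supplied `TARGET_RSRC`, `TARGET_RSRC_ID` and `IS_GLOBAL_ACCESS` headers, otherwise a caller can pre-seed them; userMiddleWare starts and ends outside the hunk, so this could not be verified here.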

+ 2 - 2
controllers/node.go

@@ -21,8 +21,8 @@ var hostIDHeader = "host-id"
 
 func nodeHandlers(r *mux.Router) {
 
-	r.HandleFunc("/api/nodes", Authorize(false, false, "user", http.HandlerFunc(getAllNodes))).Methods(http.MethodGet)
-	r.HandleFunc("/api/nodes/{network}", Authorize(false, true, "network", http.HandlerFunc(getNetworkNodes))).Methods(http.MethodGet)
+	r.HandleFunc("/api/nodes", logic.SecurityCheck(true, http.HandlerFunc(createEnrollmentKey))).Methods(http.MethodGet)
+	r.HandleFunc("/api/nodes/{network}", logic.SecurityCheck(true, http.HandlerFunc(getNetworkNodes))).Methods(http.MethodGet)
 	r.HandleFunc("/api/nodes/{network}/{nodeid}", Authorize(true, true, "node", http.HandlerFunc(getNode))).Methods(http.MethodGet)
 	r.HandleFunc("/api/nodes/{network}/{nodeid}", logic.SecurityCheck(true, http.HandlerFunc(updateNode))).Methods(http.MethodPut)
 	r.HandleFunc("/api/nodes/{network}/{nodeid}", Authorize(true, true, "node", http.HandlerFunc(deleteNode))).Methods(http.MethodDelete)
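Review bot: Line 67 wires `GET /api/nodes` to `createEnrollmentKey` in place of the `getAllNodes` handler it replaces, which looks like a copy-paste slip: a safe GET would now create an enrollment key, and the node listing disappears. The line should read `r.HandleFunc("/api/nodes", logic.SecurityCheck(true, http.HandlerFunc(getAllNodes))).Methods(http.MethodGet)`. Separately, both routes move from `Authorize(...)` (which, judging by its `"user"`/`"network"` arguments, allowed non-admin callers) to `logic.SecurityCheck(true, ...)`; if that first argument gates admin-only access as its use on the role handlers in user.go suggests, ordinary users lose node listing, which the commit message does not call out.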

+ 2 - 2
controllers/server.go

@@ -38,10 +38,10 @@ func serverHandlers(r *mux.Router) {
 	).Methods(http.MethodPost)
 	r.HandleFunc("/api/server/getconfig", allowUsers(http.HandlerFunc(getConfig))).
 		Methods(http.MethodGet)
-	r.HandleFunc("/api/server/getserverinfo", Authorize(true, false, "node", http.HandlerFunc(getServerInfo))).
+	r.HandleFunc("/api/server/getserverinfo", logic.SecurityCheck(true, http.HandlerFunc(getServerInfo))).
 		Methods(http.MethodGet)
 	r.HandleFunc("/api/server/status", getStatus).Methods(http.MethodGet)
-	r.HandleFunc("/api/server/usage", Authorize(true, false, "user", http.HandlerFunc(getUsage))).
+	r.HandleFunc("/api/server/usage", logic.SecurityCheck(false, http.HandlerFunc(getUsage))).
 		Methods(http.MethodGet)
 }
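Review bot: Line 81 replaces `Authorize(true, false, "node", ...)` on `getserverinfo` with `logic.SecurityCheck(true, ...)`, so whatever path previously admitted node/host tokens to this endpoint is gone and, if the `true` argument means admin-only as it appears to elsewhere, only admin users can fetch it now; any agent that calls this with a host token would start receiving authorization errors. The same applies to `getUsage` on line 85, which formerly passed `true` for the first `Authorize` argument (node access, going by its position in the other calls) and now goes through `SecurityCheck(false, ...)`. If the intent is to drop node-token access, say so in the commit description and leave a comment on each route: `// user-token only; hosts no longer call this endpoint`.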
 

+ 6 - 1
controllers/user.go

@@ -37,7 +37,7 @@ func userHandlers(r *mux.Router) {
 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete)
 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost)
 
-	// User Role handlers
+	// User Role Handlers
 	r.HandleFunc("/api/v1/user/roles", logic.SecurityCheck(true, http.HandlerFunc(listRoles))).Methods(http.MethodGet)
 	r.HandleFunc("/api/v1/user/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
 	r.HandleFunc("/api/v1/user/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
@@ -259,6 +259,11 @@ func createRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
+	if userRole.NetworkID == "" {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "only network roles are allowed to be created"))
+		return
+	}
+	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
 	err = logic.CreateRole(userRole)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
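Review bot: Line 107 passes the human-readable message as the second argument of `logic.FormatError`, which the surrounding calls use for the error kind ("badrequest", "internal"), and `err` is nil on that path because the previous check already returned on error — the response will likely carry an empty message and an unrecognised kind rather than a 400. Use `logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only network roles are allowed to be created"), "badrequest"))` (adding the `errors` import). Clearing `GlobalLevelAccess` on line 110 is the right move for a network-scoped role, but the handler still accepts any `NetworkID` string; validating that the network exists, and that the caller is entitled to administer it, belongs next to this check. createRole starts outside the hunk.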

+ 11 - 1
logic/user_mgmt.go

@@ -14,6 +14,7 @@ var SuperAdminPermissionTemplate = models.UserRolePermissionTemplate{
 	Default:    true,
 	FullAccess: true,
 }
+
 var AdminPermissionTemplate = models.UserRolePermissionTemplate{
 	ID:         models.AdminRole,
 	Default:    true,
@@ -23,7 +24,7 @@ var AdminPermissionTemplate = models.UserRolePermissionTemplate{
 var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
 	ID:                 models.NetworkAdmin,
 	Default:            true,
-	IsNetworkRole:      true,
+	NetworkID:          "netmaker",
 	FullAccess:         true,
 	NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
 }
@@ -32,6 +33,7 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
 	ID:                  models.NetworkUser,
 	Default:             true,
 	FullAccess:          false,
+	NetworkID:           "netmaker",
 	DenyDashboardAccess: false,
 	NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 		models.RemoteAccessGwRsrc: {
@@ -39,6 +41,14 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
 				Read: true,
 			},
 		},
+		models.ExtClientsRsrc: {
+			models.AllExtClientsRsrcID: models.RsrcPermissionScope{
+				Read:   true,
+				Create: true,
+				Update: true,
+				Delete: true,
+			},
+		},
 	},
 }
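Review bot: The NetworkUser template now grants Create/Update/Delete on `AllExtClientsRsrcID` (lines 147–154), i.e. every external client in the network, not only the ones the user owns; unless the ext-client handlers enforce ownership separately, a network user can delete or rewrite another user's remote-access client. If ownership is enforced elsewhere, a comment on the grant should say so, e.g. `// write access is further restricted to the caller's own clients in the extclient handlers`; otherwise Read here plus per-client grants issued at creation time is the safer default. The `NetworkID: "netmaker"` on the two default templates (lines 131 and 139) reads as a placeholder — a template that is instantiated per network should receive the real network ID at that point, and a comment should state where that happens.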
 

+ 4 - 3
models/user_mgmt.go

@@ -35,14 +35,15 @@ const (
 	AllHostRsrcID           RsrcID = "all_host"
 	AllRelayRsrcID          RsrcID = "all_relay"
 	AllRemoteAccessGwRsrcID RsrcID = "all_remote_access_gw"
-	AllExtClientsRsrc       RsrcID = "all_extclients"
+	AllExtClientsRsrcID     RsrcID = "all_extclients"
 	AllInetGwRsrcID         RsrcID = "all_inet_gw"
 	AllEgressGwRsrcID       RsrcID = "all_egress"
 	AllNetworkRsrcID        RsrcID = "all_network"
 	AllEnrollmentKeysRsrcID RsrcID = "all_enrollment_key"
 	AllUserRsrcID           RsrcID = "all_user"
 	AllDnsRsrcID            RsrcID = "all_dns"
-	AllFailOverRsrc         RsrcID = "all_fail_over"
+	AllFailOverRsrcID       RsrcID = "all_fail_over"
+	AllAclsRsrcID           RsrcID = "all_acls"
 )
 
 // Pre-Defined User Roles
@@ -74,7 +75,7 @@ type UserRolePermissionTemplate struct {
 	Default             bool                                        `json:"default"`
 	DenyDashboardAccess bool                                        `json:"deny_dashboard_access"`
 	FullAccess          bool                                        `json:"full_access"`
-	IsNetworkRole       bool                                        `json:"network_role"`
+	NetworkID           string                                      `json:"network_id"`
 	NetworkLevelAccess  map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_level_access"`
 	GlobalLevelAccess   map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"global_level_access"`
 }
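Review bot: Replacing `IsNetworkRole bool` (`network_role`) with `NetworkID string` (`network_id`) on line 185 changes the persisted/JSON shape of `UserRolePermissionTemplate` without a migration; any role stored or sent under the old schema deserialises with an empty `NetworkID`, which the rest of this commit treats as the non-network (global) case — a silent scope widening for existing network roles. If templates are persisted, add a load-time migration or reject roles whose `NetworkID` is empty and that are not one of the built-in global roles. The field also needs a doc comment: `// NetworkID scopes the role to one network; empty means the role is global.` The `AllExtClientsRsrcID`/`AllFailOverRsrcID` renames and the new `AllAclsRsrcID` are mechanical.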