allow user to use master key to update any user

controllers/ext_client.go

@@ -346,7 +346,7 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 	}
 	var userName string
 	if r.Header.Get("ismaster") == "yes" {
-		userName = logic.Master_uname
+		userName = logic.MasterUser
 	} else {
 		caller, err := logic.GetUser(r.Header.Get("user"))
 		if err != nil {

controllers/user.go

@@ -353,11 +353,18 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	var params = mux.Vars(r)
 	// start here
-
-	caller, err := logic.GetUser(r.Header.Get("user"))
-	if err != nil {
-		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+	var caller *models.User
+	var err error
+	var ismaster bool
+	if r.Header.Get("user") == logic.MasterUser {
+		ismaster = true
+	} else {
+		caller, err = logic.GetUser(r.Header.Get("user"))
+		if err != nil {
+			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		}
 	}
+
 	username := params["username"]
 	user, err := logic.GetUser(username)
 	if err != nil {
@@ -379,11 +386,11 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	selfUpdate := false
-	if caller.UserName == user.UserName {
+	if !ismaster && caller.UserName == user.UserName {
 		selfUpdate = true
 	}
 
-	if !selfUpdate {
+	if !ismaster && !selfUpdate {
 		if caller.IsAdmin && user.IsSuperAdmin {
 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
@@ -407,7 +414,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 		}
 
 	}
-	if selfUpdate {
+	if !ismaster && selfUpdate {
 		if user.IsAdmin != userchange.IsAdmin || user.IsSuperAdmin != userchange.IsSuperAdmin {
 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
@@ -415,6 +422,13 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 
 		}
 	}
+	if ismaster {
+		if !user.IsSuperAdmin && userchange.IsSuperAdmin {
+			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
+			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
+			return
+		}
+	}
 
 	if auth.IsOauthUser(user) == nil {
 		err := fmt.Errorf("cannot update user info for oauth user %s", username)

logic/gateway.go

@@ -232,7 +232,7 @@ func DeleteGatewayExtClients(gatewayID string, networkName string) error {
 
 // IsUserAllowedAccessToExtClient - checks if user has permission to access extclient
 func IsUserAllowedAccessToExtClient(username string, client models.ExtClient) bool {
-	if username == Master_uname {
+	if username == MasterUser {
 		return true
 	}
 	user, err := GetUser(username)

logic/jwts.go

@@ -92,7 +92,7 @@ func VerifyUserToken(tokenString string) (username string, issuperadmin, isadmin
 	claims := &models.UserClaims{}
 
 	if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {
-		return Master_uname, true, true, nil
+		return MasterUser, true, true, nil
 	}
 
 	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {

logic/security.go

@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	Master_uname     = "masteradministrator"
+	MasterUser       = "masteradministrator"
 	Forbidden_Msg    = "forbidden"
 	Forbidden_Err    = models.Error(Forbidden_Msg)
 	Unauthorized_Msg = "unauthorized"
@@ -29,7 +29,7 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 			return
 		}
 		// detect masteradmin
-		if username == Master_uname {
+		if username == MasterUser {
 			r.Header.Set("ismaster", "yes")
 		}
 		r.Header.Set("user", username)
@@ -50,7 +50,7 @@ func UserPermissions(reqAdmin bool, token string) (string, error) {
 	//all endpoints here require master so not as complicated
 	if authenticateMaster(authToken) {
 		// TODO log in as an actual admin user
-		return Master_uname, nil
+		return MasterUser, nil
 	}
 	username, issuperadmin, isadmin, err := VerifyUserToken(authToken)
 	if err != nil {