allow creation of extclients using masterkey

controllers/ext_client.go

@@ -344,39 +344,44 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	caller, err := logic.GetUser(r.Header.Get("user"))
-	if err != nil {
-		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
-		return
-	}
-	if !caller.IsAdmin && !caller.IsSuperAdmin {
-		if _, ok := caller.RemoteGwIDs[nodeid]; !ok {
-			err = errors.New("permission denied")
-			slog.Error("failed to create extclient", "error", err)
-			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
-			return
-		}
-		// check if user has a config already for remote access client
-		extclients, err := logic.GetNetworkExtClients(node.Network)
+	var userName string
+	if r.Header.Get("ismaster") == "yes" {
+		userName = logic.Master_uname
+	} else {
+		caller, err := logic.GetUser(r.Header.Get("user"))
 		if err != nil {
-			slog.Error("failed to get extclients", "error", err)
 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 			return
 		}
-		for _, extclient := range extclients {
-			if extclient.RemoteAccessClientID != "" &&
-				extclient.RemoteAccessClientID == customExtClient.RemoteAccessClientID && nodeid == extclient.IngressGatewayID {
-				// extclient on the gw already exists for the remote access client
-				err = errors.New("remote client config already exists on the gateway")
+		if !caller.IsAdmin && !caller.IsSuperAdmin {
+			if _, ok := caller.RemoteGwIDs[nodeid]; !ok {
+				err = errors.New("permission denied")
+				slog.Error("failed to create extclient", "error", err)
+				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
+				return
+			}
+			// check if user has a config already for remote access client
+			extclients, err := logic.GetNetworkExtClients(node.Network)
+			if err != nil {
 				slog.Error("failed to get extclients", "error", err)
-				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 				return
 			}
+			for _, extclient := range extclients {
+				if extclient.RemoteAccessClientID != "" &&
+					extclient.RemoteAccessClientID == customExtClient.RemoteAccessClientID && nodeid == extclient.IngressGatewayID {
+					// extclient on the gw already exists for the remote access client
+					err = errors.New("remote client config already exists on the gateway")
+					slog.Error("failed to get extclients", "error", err)
+					logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+					return
+				}
+			}
 		}
 	}
 
 	extclient := logic.UpdateExtClient(&models.ExtClient{}, &customExtClient)
-	extclient.OwnerID = caller.UserName
+	extclient.OwnerID = userName
 	extclient.RemoteAccessClientID = customExtClient.RemoteAccessClientID
 	extclient.IngressGatewayID = nodeid
 

logic/jwts.go

@@ -92,7 +92,7 @@ func VerifyUserToken(tokenString string) (username string, issuperadmin, isadmin
 	claims := &models.UserClaims{}
 
 	if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {
-		return "masteradministrator", true, true, nil
+		return Master_uname, true, true, nil
 	}
 
 	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {

logic/security.go

@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	master_uname     = "masteradministrator"
+	Master_uname     = "masteradministrator"
 	Forbidden_Msg    = "forbidden"
 	Forbidden_Err    = models.Error(Forbidden_Msg)
 	Unauthorized_Msg = "unauthorized"
@@ -32,13 +32,8 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 			return
 		}
 		// detect masteradmin
-		if username == master_uname {
+		if username == Master_uname {
 			r.Header.Set("ismaster", "yes")
-			// set user as superadmin
-			user, err := GetSuperAdmin()
-			if err == nil {
-				username = user.UserName
-			}
 		}
 		r.Header.Set("user", username)
 		next.ServeHTTP(w, r)
@@ -58,7 +53,7 @@ func UserPermissions(reqAdmin bool, token string) (string, error) {
 	//all endpoints here require master so not as complicated
 	if authenticateMaster(authToken) {
 		// TODO log in as an actual admin user
-		return master_uname, nil
+		return Master_uname, nil
 	}
 	username, issuperadmin, isadmin, err := VerifyUserToken(authToken)
 	if err != nil {