Merge pull request #2966 from gravitl/NET-1227-b

Net 1227 b

controllers/user.go

@@ -94,7 +94,7 @@ func getUserGroup(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
 		return
 	}
-	group, err := logic.GetUserGroup(gid)
+	group, err := logic.GetUserGroup(models.UserGroupID(gid))
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
 			Code:    http.StatusInternalServerError,
@@ -179,7 +179,7 @@ func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
 		return
 	}
-	err := logic.DeleteUserGroup(gid)
+	err := logic.DeleteUserGroup(models.UserGroupID(gid))
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return

logic/security.go

@@ -19,14 +19,21 @@ const (
 	Unauthorized_Err = models.Error(Unauthorized_Msg)
 )
 
+func GetSubjectsFromURL(URL string) (rsrcType models.RsrcType, rsrcID models.RsrcID) {
+	urlSplit := strings.Split(URL, "/")
+	rsrcType = models.RsrcType(urlSplit[1])
+	if len(urlSplit) > 1 {
+		rsrcID = models.RsrcID(urlSplit[2])
+	}
+	return
+}
+
 func networkPermissionsCheck(username string, r *http.Request) error {
+	// at this point global checks should be completed
 	user, err := GetUser(username)
 	if err != nil {
 		return err
 	}
-	if user.PermissionTemplate.DashBoardAcls.FullAccess {
-		return nil
-	}
 	// get info from header to determine the target rsrc
 	targetRsrc := r.Header.Get("TARGET_RSRC")
 	targetRsrcID := r.Header.Get("TARGET_RSRC_ID")
@@ -42,14 +49,14 @@ func networkPermissionsCheck(username string, r *http.Request) error {
 	}
 	// check if user has scope for target resource
 	// TODO - differentitate between global scope and network scope apis
-	networkPermissionScope, ok := user.PermissionTemplate.DashBoardAcls.NetworkLevelAccess[models.NetworkID(netID)]
-	if !ok {
+	networkPermissionScope, err := GetRole(user.NetworkRoles[models.NetworkID(netID)].String())
+	if err != nil {
 		return errors.New("access denied")
 	}
 	if networkPermissionScope.FullAccess {
 		return nil
 	}
-	rsrcPermissionScope, ok := networkPermissionScope.NetworkRsrcPermissionsScope[models.RsrcType(targetRsrc)]
+	rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)]
 	if !ok {
 		return fmt.Errorf("access denied to %s rsrc", targetRsrc)
 	}
@@ -71,7 +78,11 @@ func globalPermissionsCheck(username string, r *http.Request) error {
 	if err != nil {
 		return err
 	}
-	if user.PermissionTemplate.DashBoardAcls.FullAccess {
+	userRole, err := GetRole(user.PlatformRoleID.String())
+	if err != nil {
+		return errors.New("access denied")
+	}
+	if userRole.FullAccess {
 		return nil
 	}
 	targetRsrc := r.Header.Get("TARGET_RSRC")
@@ -82,10 +93,7 @@ func globalPermissionsCheck(username string, r *http.Request) error {
 	if r.Method == "" {
 		r.Method = http.MethodGet
 	}
-	if user.PermissionTemplate.DashBoardAcls.FullAccess {
-		return nil
-	}
-	rsrcPermissionScope, ok := user.PermissionTemplate.DashBoardAcls.GlobalLevelAccess[models.RsrcType(targetRsrc)]
+	rsrcPermissionScope, ok := userRole.GlobalLevelAccess[models.RsrcType(targetRsrc)]
 	if !ok {
 		return fmt.Errorf("access denied to %s rsrc", targetRsrc)
 	}

logic/user_mgmt.go

@@ -10,35 +10,30 @@ import (
 
 // Pre-Define Permission Templates for default Roles
 var SuperAdminPermissionTemplate = models.UserRolePermissionTemplate{
-	ID:      models.SuperAdminRole,
-	Default: true,
-	DashBoardAcls: models.DashboardAccessControls{
-		FullAccess: true,
-	},
+	ID:         models.SuperAdminRole,
+	Default:    true,
+	FullAccess: true,
 }
 var AdminPermissionTemplate = models.UserRolePermissionTemplate{
-	ID:      models.AdminRole,
-	Default: true,
-	DashBoardAcls: models.DashboardAccessControls{
-		FullAccess: true,
-	},
+	ID:         models.AdminRole,
+	Default:    true,
+	FullAccess: true,
 }
 
 var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
-	ID:      models.NetworkAdmin,
-	Default: true,
-	DashBoardAcls: models.DashboardAccessControls{
-		NetworkLevelAccess: make(map[models.NetworkID]models.NetworkAccessControls),
-	},
+	ID:                 models.NetworkAdmin,
+	Default:            true,
+	IsNetworkRole:      true,
+	FullAccess:         true,
+	NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
 }
 
 var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
-	ID:      models.NetworkUser,
-	Default: true,
-	DashBoardAcls: models.DashboardAccessControls{
-		DenyDashboardAccess: true,
-		NetworkLevelAccess:  make(map[models.NetworkID]models.NetworkAccessControls),
-	},
+	ID:                  models.NetworkUser,
+	Default:             true,
+	FullAccess:          false,
+	DenyDashboardAccess: true,
+	NetworkLevelAccess:  make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
 }
 
 func UserRolesInit() {
@@ -128,18 +123,28 @@ func DeleteRole(rid models.UserRole) error {
 		return err
 	}
 	for _, user := range users {
-		if user.GroupID != "" {
-			ug, err := GetUserGroup(user.GroupID)
-			if err == nil && ug.PermissionTemplate.ID == rid {
-				err = errors.New("role cannot be deleted as active user groups are using this role")
-				return err
+		if user.UserGroup != "" {
+			ug, err := GetUserGroup(user.UserGroup)
+			if err == nil {
+				for _, networkRole := range ug.NetworkRoles {
+					if networkRole == rid {
+						err = errors.New("role cannot be deleted as active user groups are using this role")
+						return err
+					}
+				}
 			}
-			continue
 		}
-		if user.PermissionTemplate.ID == rid {
+
+		if user.PlatformRoleID == rid {
 			err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
 			return err
 		}
+		for _, networkRole := range user.NetworkRoles {
+			if networkRole == rid {
+				err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
+				return err
+			}
+		}
 	}
 	return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, rid.String())
 }
@@ -162,8 +167,8 @@ func CreateUserGroup(g models.UserGroup) error {
 }
 
 // GetUserGroup - fetches user group
-func GetUserGroup(gid string) (models.UserGroup, error) {
-	d, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, gid)
+func GetUserGroup(gid models.UserGroupID) (models.UserGroup, error) {
+	d, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, gid.String())
 	if err == nil {
 		return models.UserGroup{}, err
 	}
@@ -211,16 +216,29 @@ func UpdateUserGroup(g models.UserGroup) error {
 }
 
 // DeleteUserGroup - deletes user group
-func DeleteUserGroup(gid string) error {
+func DeleteUserGroup(gid models.UserGroupID) error {
 	users, err := GetUsersDB()
 	if err != nil {
 		return err
 	}
 	for _, user := range users {
-		if user.GroupID == gid {
+		if user.UserGroup == gid {
 			err = errors.New("role cannot be deleted as active user groups are using this role")
 			return err
 		}
 	}
-	return database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, gid)
+	return database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, gid.String())
+}
+
+func HasNetworkRsrcScope(permissionTemplate models.UserRolePermissionTemplate, netid string, rsrcType models.RsrcType, rsrcID models.RsrcID, op string) bool {
+	if permissionTemplate.FullAccess {
+		return true
+	}
+
+	rsrcScope, ok := permissionTemplate.NetworkLevelAccess[rsrcType]
+	if !ok {
+		return false
+	}
+	_, ok = rsrcScope[rsrcID]
+	return ok
 }

models/user_mgmt.go

@@ -10,16 +10,17 @@ type NetworkID string
 type RsrcType string
 type RsrcID string
 type UserRole string
+type UserGroupID string
 
 const (
-	HostRsrc           RsrcType = "host"
-	RelayRsrc          RsrcType = "relay"
+	HostRsrc           RsrcType = "hosts"
+	RelayRsrc          RsrcType = "relays"
 	RemoteAccessGwRsrc RsrcType = "remote_access_gw"
 	InetGwRsrc         RsrcType = "inet_gw"
 	EgressGwRsrc       RsrcType = "egress"
 	NetworkRsrc        RsrcType = "networks"
 	EnrollmentKeysRsrc RsrcType = "enrollment_key"
-	UserRsrc           RsrcType = "user"
+	UserRsrc           RsrcType = "users"
 	AclRsrc            RsrcType = "acl"
 )
 
@@ -47,57 +48,57 @@ func (r UserRole) String() string {
 	return string(r)
 }
 
-type RsrcPermissionScope struct {
-	Create bool `json:"create"`
-	Read   bool `json:"read"`
-	Update bool `json:"update"`
-	Delete bool `json:"delete"`
+func (g UserGroupID) String() string {
+	return string(g)
 }
 
-type NetworkAccessControls struct {
-	NetworkID                   string                                      `json:"network_id"`
-	FullAccess                  bool                                        `json:"full_access"`
-	NetworkRsrcPermissionsScope map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_permissions_list"`
+type RsrcPermissionScope struct {
+	Create    bool `json:"create"`
+	Read      bool `json:"read"`
+	Update    bool `json:"update"`
+	Delete    bool `json:"delete"`
+	VPNAccess bool `json:"vpn_access"`
 }
 
-type DashboardAccessControls struct {
-	FullAccess          bool                                        `json:"full_access"`
+type UserRolePermissionTemplate struct {
+	ID                  UserRole                                    `json:"id"`
+	Default             bool                                        `json:"default"`
 	DenyDashboardAccess bool                                        `json:"deny_dashboard_access"`
-	NetworkLevelAccess  map[NetworkID]NetworkAccessControls         `json:"network_access_controls"`
+	FullAccess          bool                                        `json:"full_access"`
+	IsNetworkRole       bool                                        `json:"network_role"`
+	NetworkLevelAccess  map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_level_access"`
 	GlobalLevelAccess   map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"global_level_access"`
 }
 
-type UserRolePermissionTemplate struct {
-	ID            UserRole                `json:"id"`
-	Default       bool                    `json:"default"`
-	DashBoardAcls DashboardAccessControls `json:"dashboard_access_controls"`
-}
-
 type UserGroup struct {
-	ID                 string                     `json:"id"`
-	PermissionTemplate UserRolePermissionTemplate `json:"role_permission_template"`
-	MetaData           string                     `json:"meta_data"`
+	ID           string                 `json:"id"`
+	NetworkRoles map[NetworkID]UserRole `json:"network_roles"`
+	MetaData     string                 `json:"meta_data"`
 }
 
 // User struct - struct for Users
 type User struct {
-	UserName           string                     `json:"username" bson:"username" validate:"min=3,max=40,in_charset|email"`
-	Password           string                     `json:"password" bson:"password" validate:"required,min=5"`
-	IsAdmin            bool                       `json:"isadmin" bson:"isadmin"`
-	IsSuperAdmin       bool                       `json:"issuperadmin"`
-	RemoteGwIDs        map[string]struct{}        `json:"remote_gw_ids"`
-	GroupID            string                     `json:"group_id"`
-	PermissionTemplate UserRolePermissionTemplate `json:"role_permission_template"`
-	LastLoginTime      time.Time                  `json:"last_login_time"`
+	UserName       string                 `json:"username" bson:"username" validate:"min=3,max=40,in_charset|email"`
+	Password       string                 `json:"password" bson:"password" validate:"required,min=5"`
+	IsAdmin        bool                   `json:"isadmin" bson:"isadmin"`
+	IsSuperAdmin   bool                   `json:"issuperadmin"`
+	RemoteGwIDs    map[string]struct{}    `json:"remote_gw_ids"`
+	UserGroup      UserGroupID            `json:"user_groups"`
+	PlatformRoleID UserRole               `json:"platform_role_id"`
+	NetworkRoles   map[NetworkID]UserRole `json:"network_roles"`
+	LastLoginTime  time.Time              `json:"last_login_time"`
 }
 
 // ReturnUser - return user struct
 type ReturnUser struct {
-	UserName      string              `json:"username"`
-	IsAdmin       bool                `json:"isadmin"`
-	IsSuperAdmin  bool                `json:"issuperadmin"`
-	RemoteGwIDs   map[string]struct{} `json:"remote_gw_ids"`
-	LastLoginTime time.Time           `json:"last_login_time"`
+	UserName       string                   `json:"username"`
+	IsAdmin        bool                     `json:"isadmin"`
+	IsSuperAdmin   bool                     `json:"issuperadmin"`
+	RemoteGwIDs    map[string]struct{}      `json:"remote_gw_ids"`
+	UserGroups     map[UserGroupID]struct{} `json:"user_groups"`
+	PlatformRoleID string                   `json:"platform_role_id"`
+	NetworkRoles   map[NetworkID]UserRole   `json:"network_roles"`
+	LastLoginTime  time.Time                `json:"last_login_time"`
 }
 
 // UserAuthParams - user auth params struct