Merge branch 'develop' of https://github.com/gravitl/netmaker into feature_v0.5.1_docs

config/config.go

@@ -40,6 +40,7 @@ type ServerConfig struct {
   APIPort   string `yaml:"apiport"`
   GRPCHost   string `yaml:"grpchost"`
   GRPCPort   string `yaml:"grpcport"`
+  DefaultNodeLimit   int32 `yaml:"defaultnodelimit"`
   MasterKey	string `yaml:"masterkey"`
   AllowedOrigin	string `yaml:"allowedorigin"`
   RestBackend string `yaml:"restbackend"`

controllers/dnsHttpController.go

@@ -20,14 +20,14 @@ import (
 
 func dnsHandlers(r *mux.Router) {
 
-	r.HandleFunc("/api/dns", securityCheck(http.HandlerFunc(getAllDNS))).Methods("GET")
-	r.HandleFunc("/api/dns/adm/{network}/nodes", securityCheck(http.HandlerFunc(getNodeDNS))).Methods("GET")
-	r.HandleFunc("/api/dns/adm/{network}/custom", securityCheck(http.HandlerFunc(getCustomDNS))).Methods("GET")
-	r.HandleFunc("/api/dns/adm/{network}", securityCheck(http.HandlerFunc(getDNS))).Methods("GET")
-	r.HandleFunc("/api/dns/{network}", securityCheck(http.HandlerFunc(createDNS))).Methods("POST")
-	r.HandleFunc("/api/dns/adm/pushdns", securityCheck(http.HandlerFunc(pushDNS))).Methods("POST")
-	r.HandleFunc("/api/dns/{network}/{domain}", securityCheck(http.HandlerFunc(deleteDNS))).Methods("DELETE")
-	r.HandleFunc("/api/dns/{network}/{domain}", securityCheck(http.HandlerFunc(updateDNS))).Methods("PUT")
+	r.HandleFunc("/api/dns", securityCheck(true, http.HandlerFunc(getAllDNS))).Methods("GET")
+	r.HandleFunc("/api/dns/adm/{network}/nodes", securityCheck(false, http.HandlerFunc(getNodeDNS))).Methods("GET")
+	r.HandleFunc("/api/dns/adm/{network}/custom", securityCheck(false, http.HandlerFunc(getCustomDNS))).Methods("GET")
+	r.HandleFunc("/api/dns/adm/{network}", securityCheck(false, http.HandlerFunc(getDNS))).Methods("GET")
+	r.HandleFunc("/api/dns/{network}", securityCheck(false, http.HandlerFunc(createDNS))).Methods("POST")
+	r.HandleFunc("/api/dns/adm/pushdns", securityCheck(false, http.HandlerFunc(pushDNS))).Methods("POST")
+	r.HandleFunc("/api/dns/{network}/{domain}", securityCheck(false, http.HandlerFunc(deleteDNS))).Methods("DELETE")
+	r.HandleFunc("/api/dns/{network}/{domain}", securityCheck(false, http.HandlerFunc(updateDNS))).Methods("PUT")
 }
 
 //Gets all nodes associated with network, including pending nodes

controllers/extClientHttpController.go

@@ -24,13 +24,13 @@ import (
 
 func extClientHandlers(r *mux.Router) {
 
-	r.HandleFunc("/api/extclients", securityCheck(http.HandlerFunc(getAllExtClients))).Methods("GET")
-	r.HandleFunc("/api/extclients/{network}", securityCheck(http.HandlerFunc(getNetworkExtClients))).Methods("GET")
-	r.HandleFunc("/api/extclients/{network}/{clientid}", securityCheck(http.HandlerFunc(getExtClient))).Methods("GET")
-	r.HandleFunc("/api/extclients/{network}/{clientid}/{type}", securityCheck(http.HandlerFunc(getExtClientConf))).Methods("GET")
-	r.HandleFunc("/api/extclients/{network}/{clientid}", securityCheck(http.HandlerFunc(updateExtClient))).Methods("PUT")
-	r.HandleFunc("/api/extclients/{network}/{clientid}", securityCheck(http.HandlerFunc(deleteExtClient))).Methods("DELETE")
-	r.HandleFunc("/api/extclients/{network}/{macaddress}", securityCheck(http.HandlerFunc(createExtClient))).Methods("POST")
+	r.HandleFunc("/api/extclients", securityCheck(true, http.HandlerFunc(getAllExtClients))).Methods("GET")
+	r.HandleFunc("/api/extclients/{network}", securityCheck(false, http.HandlerFunc(getNetworkExtClients))).Methods("GET")
+	r.HandleFunc("/api/extclients/{network}/{clientid}", securityCheck(false, http.HandlerFunc(getExtClient))).Methods("GET")
+	r.HandleFunc("/api/extclients/{network}/{clientid}/{type}", securityCheck(false, http.HandlerFunc(getExtClientConf))).Methods("GET")
+	r.HandleFunc("/api/extclients/{network}/{clientid}", securityCheck(false, http.HandlerFunc(updateExtClient))).Methods("PUT")
+	r.HandleFunc("/api/extclients/{network}/{clientid}", securityCheck(false, http.HandlerFunc(deleteExtClient))).Methods("DELETE")
+	r.HandleFunc("/api/extclients/{network}/{macaddress}", securityCheck(false, http.HandlerFunc(createExtClient))).Methods("POST")
 }
 
 // TODO: Implement Validation

controllers/intClientHttpController.go

@@ -19,10 +19,10 @@ import (
 
 func intClientHandlers(r *mux.Router) {
 
-	r.HandleFunc("/api/intclient/{clientid}", securityCheck(http.HandlerFunc(getIntClient))).Methods("GET")
-	r.HandleFunc("/api/intclients", securityCheck(http.HandlerFunc(getAllIntClients))).Methods("GET")
-        r.HandleFunc("/api/intclients/deleteall", securityCheck(http.HandlerFunc(deleteAllIntClients))).Methods("DELETE")
-        r.HandleFunc("/api/intclient/{clientid}", securityCheck(http.HandlerFunc(updateIntClient))).Methods("PUT")
+	r.HandleFunc("/api/intclient/{clientid}", securityCheck(false, http.HandlerFunc(getIntClient))).Methods("GET")
+	r.HandleFunc("/api/intclients", securityCheck(false, http.HandlerFunc(getAllIntClients))).Methods("GET")
+        r.HandleFunc("/api/intclients/deleteall", securityCheck(false, http.HandlerFunc(deleteAllIntClients))).Methods("DELETE")
+        r.HandleFunc("/api/intclient/{clientid}", securityCheck(false, http.HandlerFunc(updateIntClient))).Methods("PUT")
 	r.HandleFunc("/api/intclient/register", http.HandlerFunc(registerIntClient)).Methods("POST")
 	r.HandleFunc("/api/intclient/{clientid}", http.HandlerFunc(deleteIntClient)).Methods("DELETE")
 }

controllers/networkHttpController.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"strings"
 	"time"
@@ -22,22 +23,23 @@ import (
 )
 
 func networkHandlers(r *mux.Router) {
-	r.HandleFunc("/api/networks", securityCheck(http.HandlerFunc(getNetworks))).Methods("GET")
-	r.HandleFunc("/api/networks", securityCheck(http.HandlerFunc(createNetwork))).Methods("POST")
-	r.HandleFunc("/api/networks/{networkname}", securityCheck(http.HandlerFunc(getNetwork))).Methods("GET")
-	r.HandleFunc("/api/networks/{networkname}", securityCheck(http.HandlerFunc(updateNetwork))).Methods("PUT")
-	r.HandleFunc("/api/networks/{networkname}", securityCheck(http.HandlerFunc(deleteNetwork))).Methods("DELETE")
-	r.HandleFunc("/api/networks/{networkname}/keyupdate", securityCheck(http.HandlerFunc(keyUpdate))).Methods("POST")
-	r.HandleFunc("/api/networks/{networkname}/keys", securityCheck(http.HandlerFunc(createAccessKey))).Methods("POST")
-	r.HandleFunc("/api/networks/{networkname}/keys", securityCheck(http.HandlerFunc(getAccessKeys))).Methods("GET")
-        r.HandleFunc("/api/networks/{networkname}/signuptoken", securityCheck(http.HandlerFunc(getSignupToken))).Methods("GET")
-	r.HandleFunc("/api/networks/{networkname}/keys/{name}", securityCheck(http.HandlerFunc(deleteAccessKey))).Methods("DELETE")
+	r.HandleFunc("/api/networks", securityCheck(true, http.HandlerFunc(getNetworks))).Methods("GET")
+	r.HandleFunc("/api/networks", securityCheck(true, http.HandlerFunc(createNetwork))).Methods("POST")
+	r.HandleFunc("/api/networks/{networkname}", securityCheck(false, http.HandlerFunc(getNetwork))).Methods("GET")
+	r.HandleFunc("/api/networks/{networkname}", securityCheck(false, http.HandlerFunc(updateNetwork))).Methods("PUT")
+	r.HandleFunc("/api/networks/{networkname}/nodelimit", securityCheck(true, http.HandlerFunc(updateNetworkNodeLimit))).Methods("PUT")
+	r.HandleFunc("/api/networks/{networkname}", securityCheck(true, http.HandlerFunc(deleteNetwork))).Methods("DELETE")
+	r.HandleFunc("/api/networks/{networkname}/keyupdate", securityCheck(false, http.HandlerFunc(keyUpdate))).Methods("POST")
+	r.HandleFunc("/api/networks/{networkname}/keys", securityCheck(false, http.HandlerFunc(createAccessKey))).Methods("POST")
+	r.HandleFunc("/api/networks/{networkname}/keys", securityCheck(false, http.HandlerFunc(getAccessKeys))).Methods("GET")
+        r.HandleFunc("/api/networks/{networkname}/signuptoken", securityCheck(false, http.HandlerFunc(getSignupToken))).Methods("GET")
+	r.HandleFunc("/api/networks/{networkname}/keys/{name}", securityCheck(false, http.HandlerFunc(deleteAccessKey))).Methods("DELETE")
 }
 
 //Security check is middleware for every function and just checks to make sure that its the master calling
 //Only admin should have access to all these network-level actions
 //or maybe some Users once implemented
-func securityCheck(next http.Handler) http.HandlerFunc {
+func securityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var errorResponse = models.ErrorResponse{
 			Code: http.StatusUnauthorized, Message: "W1R3: It's not you it's me.",
@@ -45,7 +47,7 @@ func securityCheck(next http.Handler) http.HandlerFunc {
 
 		var params = mux.Vars(r)
 		bearerToken := r.Header.Get("Authorization")
-		err := SecurityCheck(params["networkname"], bearerToken)
+		err := SecurityCheck(reqAdmin, params["networkname"], bearerToken)
 		if err != nil {
 			if strings.Contains(err.Error(), "does not exist") {
 				errorResponse.Code = http.StatusNotFound
@@ -57,7 +59,8 @@ func securityCheck(next http.Handler) http.HandlerFunc {
 		next.ServeHTTP(w, r)
 	}
 }
-func SecurityCheck(netname, token string) error {
+
+func SecurityCheck(reqAdmin bool, netname, token string) error {
 	hasnetwork := netname != ""
 	networkexists, err := functions.NetworkExists(netname)
 	if err != nil {
@@ -78,8 +81,17 @@ func SecurityCheck(netname, token string) error {
 	}
 	//all endpoints here require master so not as complicated
 	if !hasBearer || !authenticateMaster(authToken) {
-		_, isadmin, err := functions.VerifyUserToken(authToken)
-		if err != nil || !isadmin {
+		_, networks, isadmin, err := functions.VerifyUserToken(authToken)
+		if err != nil {
+                        return errors.New("Error verifying user token")
+		}
+		if !isadmin && reqAdmin {
+                                return errors.New("You are unauthorized to access this endpoint")
+		} else if !isadmin && netname != ""{
+			if !functions.SliceContains(networks, netname){
+				return errors.New("You are unauthorized to access this endpoint")
+			}
+		} else if !isadmin {
 			return errors.New("You are unauthorized to access this endpoint")
 		}
 	}
@@ -344,6 +356,42 @@ func updateNetwork(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(returnednetwork)
 }
 
+func updateNetworkNodeLimit(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Content-Type", "application/json")
+        var params = mux.Vars(r)
+        var network models.Network
+        network, err := functions.GetParentNetwork(params["networkname"])
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "internal"))
+                return
+        }
+
+        var networkChange models.NetworkUpdate
+
+        _ = json.NewDecoder(r.Body).Decode(&networkChange)
+
+        collection := mongoconn.Client.Database("netmaker").Collection("networks")
+        ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+        filter := bson.M{"netid": network.NetID}
+
+	if networkChange.NodeLimit !=0 {
+	        update := bson.D{
+	                {"$set", bson.D{
+	                        {"nodelimit", networkChange.NodeLimit},
+	                }},
+	        }
+	        err := collection.FindOneAndUpdate(ctx, filter, update).Decode(&network)
+	        defer cancel()
+	        if err != nil {
+	                returnErrorResponse(w, r, formatError(err, "badrequest"))
+	                return
+	        }
+	}
+        w.WriteHeader(http.StatusOK)
+        json.NewEncoder(w).Encode(network)
+}
+
+
 func UpdateNetwork(networkChange models.NetworkUpdate, network models.Network) (models.Network, error) {
 	//NOTE: Network.NetID is intentionally NOT editable. It acts as a static ID for the network.
 	//DisplayName can be changed instead, which is what shows on the front end
@@ -629,8 +677,8 @@ func CreateAccessKey(accesskey models.AccessKey, network models.Network) (models
 	}
 
 	netID := network.NetID
-	grpcaddress := servercfg.GetGRPCHost() + ":" + servercfg.GetGRPCPort()
-	apiaddress := servercfg.GetAPIHost() + ":" + servercfg.GetAPIPort()
+	grpcaddress := net.JoinHostPort(servercfg.GetGRPCHost(), servercfg.GetGRPCPort())
+	apiaddress := net.JoinHostPort(servercfg.GetAPIHost(), servercfg.GetAPIPort())
 	wgport := servercfg.GetGRPCWGPort()
 
 	accessstringdec := wgport + "|" +grpcaddress + "|" + apiaddress + "|" + netID + "|" + accesskey.Value + "|" + privAddr
@@ -668,7 +716,7 @@ func CreateAccessKey(accesskey models.AccessKey, network models.Network) (models
 func GetSignupToken(netID string) (models.AccessKey, error) {
 
 	var accesskey models.AccessKey
-        address := servercfg.GetGRPCHost() + ":" + servercfg.GetGRPCPort()
+	address := net.JoinHostPort(servercfg.GetGRPCHost(), servercfg.GetGRPCPort())
 
         accessstringdec := address + "|" + netID + "|" + "" + "|"
         accesskey.AccessString = base64.StdEncoding.EncodeToString([]byte(accessstringdec))

controllers/networkHttpController_test.go

@@ -259,20 +259,20 @@ func TestDeleteKey(t *testing.T) {
 }
 func TestSecurityCheck(t *testing.T) {
 	t.Run("NoNetwork", func(t *testing.T) {
-		err := SecurityCheck("", "Bearer secretkey")
+		err := SecurityCheck(false, "", "Bearer secretkey")
 		assert.Nil(t, err)
 	})
 	t.Run("WithNetwork", func(t *testing.T) {
-		err := SecurityCheck("skynet", "Bearer secretkey")
+		err := SecurityCheck(false, "skynet", "Bearer secretkey")
 		assert.Nil(t, err)
 	})
 	t.Run("BadNet", func(t *testing.T) {
-		err := SecurityCheck("badnet", "Bearer secretkey")
+		err := SecurityCheck(false, "badnet", "Bearer secretkey")
 		assert.NotNil(t, err)
 		t.Log(err)
 	})
 	t.Run("BadToken", func(t *testing.T) {
-		err := SecurityCheck("skynet", "Bearer badkey")
+		err := SecurityCheck(false, "skynet", "Bearer badkey")
 		assert.NotNil(t, err)
 		t.Log(err)
 	})

controllers/nodeHttpController.go

@@ -28,8 +28,8 @@ func nodeHandlers(r *mux.Router) {
 	r.HandleFunc("/api/nodes/{network}/{macaddress}/checkin", authorize(true, "node", http.HandlerFunc(checkIn))).Methods("POST")
 	r.HandleFunc("/api/nodes/{network}/{macaddress}/creategateway", authorize(true, "master", http.HandlerFunc(createEgressGateway))).Methods("POST")
 	r.HandleFunc("/api/nodes/{network}/{macaddress}/deletegateway", authorize(true, "master", http.HandlerFunc(deleteEgressGateway))).Methods("DELETE")
-	r.HandleFunc("/api/nodes/{network}/{macaddress}/createingress", securityCheck(http.HandlerFunc(createIngressGateway))).Methods("POST")
-	r.HandleFunc("/api/nodes/{network}/{macaddress}/deleteingress", securityCheck(http.HandlerFunc(deleteIngressGateway))).Methods("DELETE")
+	r.HandleFunc("/api/nodes/{network}/{macaddress}/createingress", securityCheck(false, http.HandlerFunc(createIngressGateway))).Methods("POST")
+	r.HandleFunc("/api/nodes/{network}/{macaddress}/deleteingress", securityCheck(false, http.HandlerFunc(deleteIngressGateway))).Methods("DELETE")
 	r.HandleFunc("/api/nodes/{network}/{macaddress}/approve", authorize(true, "master", http.HandlerFunc(uncordonNode))).Methods("POST")
 	r.HandleFunc("/api/nodes/{network}", createNode).Methods("POST")
 	r.HandleFunc("/api/nodes/adm/{network}/lastmodified", authorize(true, "network", http.HandlerFunc(getLastModified))).Methods("GET")
@@ -186,8 +186,9 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 
                         var isAuthorized = false
 			var macaddress = ""
-                        _, isadmin, errN := functions.VerifyUserToken(authToken)
-                        if errN == nil && isadmin {
+                        _, networks, isadmin, errN := functions.VerifyUserToken(authToken)
+			isnetadmin := isadmin
+			if errN == nil && isadmin {
 	                        macaddress = "mastermac"
                                 isAuthorized = true
 			} else {
@@ -201,6 +202,11 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 				}
 				macaddress = mac
 			}
+                        if !isadmin && params["network"] != ""{
+                                if functions.SliceContains(networks, params["network"]){
+                                        isnetadmin = true
+                                }
+                        }
 			//The mastermac (login with masterkey from config) can do everything!! May be dangerous.
 			if macaddress == "mastermac" {
 				isAuthorized = true
@@ -212,8 +218,11 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 				case "all":
 					isAuthorized = true
 				case "nodes":
-					isAuthorized = (macaddress != "")
+					isAuthorized = (macaddress != "") || isnetadmin
 				case "network":
+					if isnetadmin {
+						isAuthorized = true
+					} else {
 					node, err := functions.GetNodeByMacAddress(params["network"], macaddress)
 					if err != nil {
 						errorResponse = models.ErrorResponse{
@@ -223,8 +232,13 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
 						return
 					}
 					isAuthorized = (node.Network == params["network"])
+					}
 				case "node":
-					isAuthorized = (macaddress == params["macaddress"])
+                                        if isnetadmin {
+                                                isAuthorized = true
+                                        } else {
+						isAuthorized = (macaddress == params["macaddress"])
+					}
 				case "master":
 					isAuthorized = (macaddress == "mastermac")
 				default:

controllers/serverHttpController.go

@@ -42,7 +42,7 @@ func securityCheckServer(next http.Handler) http.HandlerFunc {
 		}
 		//all endpoints here require master so not as complicated
 		//still might not be a good  way of doing this
-                _, isadmin, _ := functions.VerifyUserToken(authToken)
+                _, _, isadmin, _ := functions.VerifyUserToken(authToken)
 
 		if !isadmin && !authenticateMasterServer(authToken) {
 				errorResponse = models.ErrorResponse{

controllers/userHttpController.go

@@ -26,8 +26,11 @@ func userHandlers(r *mux.Router) {
 	r.HandleFunc("/api/users/adm/createadmin", createAdmin).Methods("POST")
 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods("POST")
 	r.HandleFunc("/api/users/{username}", authorizeUser(http.HandlerFunc(updateUser))).Methods("PUT")
+	r.HandleFunc("/api/users/{username}/adm", authorizeUserAdm(http.HandlerFunc(updateUserAdm))).Methods("PUT")
+	r.HandleFunc("/api/users/{username}", authorizeUserAdm(http.HandlerFunc(createUser))).Methods("POST")
 	r.HandleFunc("/api/users/{username}", authorizeUser(http.HandlerFunc(deleteUser))).Methods("DELETE")
 	r.HandleFunc("/api/users/{username}", authorizeUser(http.HandlerFunc(getUser))).Methods("GET")
+        r.HandleFunc("/api/users", authorizeUserAdm(http.HandlerFunc(getUsers))).Methods("GET")
 }
 
 //Node authenticates using its password and retrieves a JWT for authorization.
@@ -96,9 +99,9 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 		return "", errors.New("User " + authRequest.UserName + " not found")
 	}
 	// This is a a useless test as cannot create user that is not an an admin
-	if !result.IsAdmin {
-		return "", errors.New("User is not an admin")
-	}
+	//if !result.IsAdmin {
+	//	return "", errors.New("User is not an admin")
+	//}
 
 	//compare password from request to stored password in database
 	//might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
@@ -109,7 +112,7 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 	}
 
 	//Create a new JWT for the node
-	tokenString, _ := functions.CreateUserJWT(authRequest.UserName, true)
+	tokenString, _ := functions.CreateUserJWT(authRequest.UserName, result.Networks,  result.IsAdmin)
 	return tokenString, nil
 }
 
@@ -123,10 +126,11 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 func authorizeUser(next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
+	        var params = mux.Vars(r)
 
 		//get the auth token
 		bearerToken := r.Header.Get("Authorization")
-		err := ValidateUserToken(bearerToken)
+		err := ValidateUserToken(bearerToken, params["username"], false)
 		if err != nil {
 			returnErrorResponse(w, r, formatError(err, "unauthorized"))
 			return
@@ -135,7 +139,24 @@ func authorizeUser(next http.Handler) http.HandlerFunc {
 	}
 }
 
-func ValidateUserToken(token string) error {
+func authorizeUserAdm(next http.Handler) http.HandlerFunc {
+        return func(w http.ResponseWriter, r *http.Request) {
+                w.Header().Set("Content-Type", "application/json")
+	        var params = mux.Vars(r)
+
+                //get the auth token
+                bearerToken := r.Header.Get("Authorization")
+                err := ValidateUserToken(bearerToken, params["username"], true)
+                if err != nil {
+                        returnErrorResponse(w, r, formatError(err, "unauthorized"))
+                        return
+                }
+                next.ServeHTTP(w, r)
+        }
+}
+
+
+func ValidateUserToken(token string, user string, adminonly bool) error {
 	var tokenSplit = strings.Split(token, " ")
 
 	//I put this in in case the user doesn't put in a token at all (in which case it's empty)
@@ -148,12 +169,16 @@ func ValidateUserToken(token string) error {
 		return errors.New("Missing Auth Token.")
 	}
 
-	username, _, err := functions.VerifyUserToken(authToken)
+	username, _, isadmin, err := functions.VerifyUserToken(authToken)
 	if err != nil {
 		return errors.New("Error Verifying Auth Token")
 	}
-
-	isAuthorized := username != ""
+	isAuthorized := false
+	if adminonly {
+		isAuthorized = isadmin
+	} else {
+		isAuthorized = username == user || isadmin
+	}
 	if !isAuthorized {
 		return errors.New("You are unauthorized to access this endpoint.")
 	}
@@ -214,6 +239,42 @@ func GetUser(username string) (models.User, error) {
 	return user, err
 }
 
+func GetUsers() ([]models.User, error) {
+
+        var users []models.User
+
+        collection := mongoconn.Client.Database("netmaker").Collection("users")
+
+        ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+
+        cur, err := collection.Find(ctx, bson.M{}, options.Find().SetProjection(bson.M{"_id": 0}))
+
+        if err != nil {
+                return users, err
+        }
+
+        defer cancel()
+
+        for cur.Next(context.TODO()) {
+
+                var user models.User
+                err := cur.Decode(&user)
+                if err != nil {
+                        return users, err
+                }
+
+                // add network our array
+                users = append(users, user)
+        }
+
+        if err := cur.Err(); err != nil {
+                return users, err
+        }
+
+        return users, err
+}
+
+
 //Get an individual node. Nothin fancy here folks.
 func getUser(w http.ResponseWriter, r *http.Request) {
 	// set header.
@@ -231,13 +292,27 @@ func getUser(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(user)
 }
 
+//Get an individual node. Nothin fancy here folks.
+func getUsers(w http.ResponseWriter, r *http.Request) {
+        // set header.
+        w.Header().Set("Content-Type", "application/json")
+
+        users, err := GetUsers()
+
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "internal"))
+                return
+        }
+
+        json.NewEncoder(w).Encode(users)
+}
+
+
 func CreateUser(user models.User) (models.User, error) {
 	hasadmin, err := HasAdmin()
-	if hasadmin {
+	if hasadmin && user.IsAdmin {
 		return models.User{}, errors.New("Admin already Exists")
 	}
-
-	user.IsAdmin = true
 	err = ValidateUser("create", user)
 	if err != nil {
 		return models.User{}, err
@@ -251,7 +326,7 @@ func CreateUser(user models.User) (models.User, error) {
 	//set password to encrypted password
 	user.Password = string(hash)
 
-	tokenString, _ := functions.CreateUserJWT(user.UserName, user.IsAdmin)
+	tokenString, _ := functions.CreateUserJWT(user.UserName,user.Networks, user.IsAdmin)
 
 	if tokenString == "" {
 		//returnErrorResponse(w, r, errorResponse)
@@ -275,7 +350,7 @@ func createAdmin(w http.ResponseWriter, r *http.Request) {
 	var admin models.User
 	//get node from body of request
 	_ = json.NewDecoder(r.Body).Decode(&admin)
-
+        admin.IsAdmin = true
 	admin, err := CreateUser(admin)
 
 	if err != nil {
@@ -286,6 +361,24 @@ func createAdmin(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(admin)
 }
 
+func createUser(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Content-Type", "application/json")
+
+        var user models.User
+        //get node from body of request
+        _ = json.NewDecoder(r.Body).Decode(&user)
+
+        user, err := CreateUser(user)
+
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "badrequest"))
+                return
+        }
+
+        json.NewEncoder(w).Encode(user)
+}
+
+
 func UpdateUser(userchange models.User, user models.User) (models.User, error) {
 
 	err := ValidateUser("update", userchange)
@@ -298,6 +391,9 @@ func UpdateUser(userchange models.User, user models.User) (models.User, error) {
 	if userchange.UserName != "" {
 		user.UserName = userchange.UserName
 	}
+        if len(userchange.Networks) > 0  {
+                user.Networks = userchange.Networks
+        }
 	if userchange.Password != "" {
 		//encrypt that password so we never see it again
 		hash, err := bcrypt.GenerateFromPassword([]byte(userchange.Password), 5)
@@ -325,6 +421,7 @@ func UpdateUser(userchange models.User, user models.User) (models.User, error) {
 		{"$set", bson.D{
 			{"username", user.UserName},
 			{"password", user.Password},
+			{"networks", user.Networks},
 			{"isadmin", user.IsAdmin},
 		}},
 	}
@@ -360,6 +457,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 		returnErrorResponse(w, r, formatError(err, "internal"))
 		return
 	}
+	userchange.Networks = nil
 	user, err = UpdateUser(userchange, user)
 	if err != nil {
 		returnErrorResponse(w, r, formatError(err, "badrequest"))
@@ -368,6 +466,31 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(user)
 }
 
+func updateUserAdm(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Content-Type", "application/json")
+        var params = mux.Vars(r)
+        var user models.User
+        //start here
+        user, err := GetUser(params["username"])
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "internal"))
+                return
+        }
+        var userchange models.User
+        // we decode our body request params
+        err = json.NewDecoder(r.Body).Decode(&userchange)
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "internal"))
+                return
+        }
+	user, err = UpdateUser(userchange, user)
+        if err != nil {
+                returnErrorResponse(w, r, formatError(err, "badrequest"))
+                return
+        }
+        json.NewEncoder(w).Encode(user)
+}
+
 func DeleteUser(user string) (bool, error) {
 
 	deleted := false

controllers/userHttpController_test.go

@@ -42,7 +42,7 @@ func TestMain(m *testing.M) {
 func TestHasAdmin(t *testing.T) {
 	_, err := DeleteUser("admin")
 	assert.Nil(t, err)
-	user := models.User{"admin", "password", true}
+	user := models.User{"admin", "password", nil, true}
 	_, err = CreateUser(user)
 	assert.Nil(t, err)
 	t.Run("AdminExists", func(t *testing.T) {
@@ -60,7 +60,7 @@ func TestHasAdmin(t *testing.T) {
 }
 
 func TestCreateUser(t *testing.T) {
-	user := models.User{"admin", "password", true}
+	user := models.User{"admin", "password", nil, true}
 	t.Run("NoUser", func(t *testing.T) {
 		_, err := DeleteUser("admin")
 		assert.Nil(t, err)
@@ -79,7 +79,7 @@ func TestDeleteUser(t *testing.T) {
 	hasadmin, err := HasAdmin()
 	assert.Nil(t, err)
 	if !hasadmin {
-		user := models.User{"admin", "pasword", true}
+		user := models.User{"admin", "pasword", nil, true}
 		_, err := CreateUser(user)
 		assert.Nil(t, err)
 	}
@@ -138,7 +138,7 @@ func TestValidateUser(t *testing.T) {
 
 func TestGetUser(t *testing.T) {
 	t.Run("UserExisits", func(t *testing.T) {
-		user := models.User{"admin", "password", true}
+		user := models.User{"admin", "password", nil, true}
 		hasadmin, err := HasAdmin()
 		assert.Nil(t, err)
 		if !hasadmin {
@@ -159,8 +159,8 @@ func TestGetUser(t *testing.T) {
 }
 
 func TestUpdateUser(t *testing.T) {
-	user := models.User{"admin", "password", true}
-	newuser := models.User{"hello", "world", true}
+	user := models.User{"admin", "password", nil, true}
+	newuser := models.User{"hello", "world", nil, true}
 	t.Run("UserExisits", func(t *testing.T) {
 		_, err := DeleteUser("admin")
 		_, err = CreateUser(user)
@@ -179,12 +179,12 @@ func TestUpdateUser(t *testing.T) {
 
 func TestValidateUserToken(t *testing.T) {
 	t.Run("EmptyToken", func(t *testing.T) {
-		err := ValidateUserToken("")
+		err := ValidateUserToken("","",false)
 		assert.NotNil(t, err)
 		assert.Equal(t, "Missing Auth Token.", err.Error())
 	})
 	t.Run("InvalidToken", func(t *testing.T) {
-		err := ValidateUserToken("Bearer: badtoken")
+		err := ValidateUserToken("Bearer: badtoken","",false)
 		assert.NotNil(t, err)
 		assert.Equal(t, "Error Verifying Auth Token", err.Error())
 	})
@@ -193,7 +193,7 @@ func TestValidateUserToken(t *testing.T) {
 		//need authorization
 	})
 	t.Run("ValidToken", func(t *testing.T) {
-		err := ValidateUserToken("Bearer: secretkey")
+		err := ValidateUserToken("Bearer: secretkey","",true)
 		assert.Nil(t, err)
 	})
 }
@@ -228,7 +228,7 @@ func TestVerifyAuthRequest(t *testing.T) {
 	t.Run("Non-Admin", func(t *testing.T) {
 		//can't create a user that is not a an admin
 		t.Skip()
-		user := models.User{"admin", "admin", false}
+		user := models.User{"admin", "admin", nil, false}
 		_, err := CreateUser(user)
 		assert.Nil(t, err)
 		authRequest := models.UserAuthParams{"admin", "admin"}
@@ -239,7 +239,7 @@ func TestVerifyAuthRequest(t *testing.T) {
 	})
 	t.Run("WrongPassword", func(t *testing.T) {
 		_, err := DeleteUser("admin")
-		user := models.User{"admin", "password", true}
+		user := models.User{"admin", "password", nil, true}
 		_, err = CreateUser(user)
 		assert.Nil(t, err)
 		authRequest := models.UserAuthParams{"admin", "badpass"}

functions/helpers.go

@@ -26,6 +26,16 @@ import (
 //Takes in an arbitrary field and value for field and checks to see if any other
 //node has that value for the same field within the network
 
+func SliceContains(slice []string, item string) bool {
+    set := make(map[string]struct{}, len(slice))
+    for _, s := range slice {
+        set[s] = struct{}{}
+    }
+
+    _, ok := set[item] 
+    return ok
+}
+
 func CreateServerToken(netID string) (string, error) {
 	var network models.Network
 	var accesskey models.AccessKey

functions/jwt.go

@@ -28,11 +28,12 @@ func CreateJWT(macaddress string, network string) (response string, err error) {
     return "", err
 }
 
-func CreateUserJWT(username string, isadmin bool) (response string, err error) {
+func CreateUserJWT(username string, networks []string, isadmin bool) (response string, err error) {
     expirationTime := time.Now().Add(60 * time.Minute)
     claims := &models.UserClaims{
         UserName: username,
-        IsAdmin: isadmin,
+	Networks: networks,
+	IsAdmin: isadmin,
         StandardClaims: jwt.StandardClaims{
             ExpiresAt: expirationTime.Unix(),
         },
@@ -47,11 +48,11 @@ func CreateUserJWT(username string, isadmin bool) (response string, err error) {
 }
 
 // VerifyToken func will used to Verify the JWT Token while using APIS
-func VerifyUserToken(tokenString string) (username string, isadmin bool, err error) {
+func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) {
     claims := &models.UserClaims{}
 
     if tokenString == servercfg.GetMasterKey() {
-        return "masteradministrator", true, nil
+        return "masteradministrator", nil, true, nil
     }
 
     token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
@@ -59,9 +60,9 @@ func VerifyUserToken(tokenString string) (username string, isadmin bool, err err
     })
 
     if token != nil {
-        return claims.UserName, claims.IsAdmin, nil
+        return claims.UserName, claims.Networks, claims.IsAdmin, nil
     }
-    return "", false, err
+    return "", nil, false, err
 }
 
 // VerifyToken func will used to Verify the JWT Token while using APIS

models/network.go

@@ -22,6 +22,7 @@ type Network struct {
 	NetworkLastModified int64       `json:"networklastmodified" bson:"networklastmodified"`
 	DefaultInterface    string      `json:"defaultinterface" bson:"defaultinterface"`
 	DefaultListenPort   int32       `json:"defaultlistenport,omitempty" bson:"defaultlistenport,omitempty" validate:"omitempty,min=1024,max=65535"`
+	NodeLimit	    int32       `json:"nodelimit" bson:"nodelimit"`
 	DefaultPostUp       string      `json:"defaultpostup" bson:"defaultpostup"`
 	DefaultPostDown     string      `json:"defaultpostdown" bson:"defaultpostdown"`
 	KeyUpdateTimeStamp  int64       `json:"keyupdatetimestamp" bson:"keyupdatetimestamp"`
@@ -52,6 +53,7 @@ type NetworkUpdate struct {
 	NetworkLastModified int64       `json:"networklastmodified" bson:"networklastmodified"`
 	DefaultInterface    string      `json:"defaultinterface" bson:"defaultinterface"`
 	DefaultListenPort   int32       `json:"defaultlistenport,omitempty" bson:"defaultlistenport,omitempty" validate:"omitempty,min=1024,max=65535"`
+	NodeLimit	    int32       `json:"nodelimit" bson:"nodelimit"`
 	DefaultPostUp       string      `json:"defaultpostup" bson:"defaultpostup"`
 	DefaultPostDown     string      `json:"defaultpostdown" bson:"defaultpostdown"`
 	KeyUpdateTimeStamp  int64       `json:"keyupdatetimestamp" bson:"keyupdatetimestamp"`
@@ -89,6 +91,9 @@ func (network *Network) SetDefaults() {
 	if network.DefaultListenPort == 0 {
 		network.DefaultListenPort = 51821
 	}
+        if network.NodeLimit == 0 {
+                network.NodeLimit = 999999999
+        }
 	if network.DefaultPostDown == "" {
 
 	}

models/structs.go

@@ -10,6 +10,7 @@ type AuthParams struct {
 type User struct {
 	UserName string `json:"username" bson:"username" validate:"alphanum,min=3"`
 	Password string `json:"password" bson:"password" validate:"required,min=5"`
+	Networks []string `json:"networks" bson:"networks"`
 	IsAdmin  bool   `json:"isadmin" bson:"isadmin"`
 }
 
@@ -21,6 +22,7 @@ type UserAuthParams struct {
 type UserClaims struct {
 	IsAdmin  bool
 	UserName string
+	Networks []string
 	jwt.StandardClaims
 }
 

netclient/config/config.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"strings"
 	"fmt"
+	"net"
 	"log"
 	"gopkg.in/yaml.v3"
 	nodepb "github.com/gravitl/netmaker/grpc"
@@ -435,22 +436,27 @@ func GetCLIConfig(c *cli.Context) (ClientConfig, error){
 
 func GetCLIConfigRegister(c *cli.Context) (GlobalConfig, error){
 	var cfg GlobalConfig
-        if c.String("token") != "" {
-                tokenbytes, err := base64.StdEncoding.DecodeString(c.String("token"))
-                if err  != nil {
-                        log.Println("error decoding token")
-                        return cfg, err
-                }
-                token := string(tokenbytes)
-                tokenvals := strings.Split(token, "|")
-		grpcvals := strings.Split(tokenvals[1],":")
-		apivals := strings.Split(tokenvals[2], ":")
-		cfg.Client.ServerWGPort = tokenvals[0]
-                cfg.Client.ServerPrivateAddress = grpcvals[0]
-                cfg.Client.ServerGRPCPort = grpcvals[1]
-                cfg.Client.ServerPublicEndpoint = apivals[0]
-                cfg.Client.ServerAPIPort = apivals[1]
+	if c.String("token") != "" {
+		tokenbytes, err := base64.StdEncoding.DecodeString(c.String("token"))
+		if err != nil {
+			log.Println("error decoding token")
+			return cfg, err
+		}
+		token := string(tokenbytes)
+		tokenvals := strings.Split(token, "|")
 
+		cfg.Client.ServerPrivateAddress, cfg.Client.ServerGRPCPort, err = net.SplitHostPort(tokenvals[1])
+		if err != nil {
+			log.Println("error decoding token grpcserver")
+			return cfg, err
+		}
+		cfg.Client.ServerPublicEndpoint, cfg.Client.ServerAPIPort, err = net.SplitHostPort(tokenvals[2])
+		if err != nil {
+			log.Println("error decoding token apiserver")
+			return cfg, err
+		}
+
+		cfg.Client.ServerWGPort = tokenvals[0]
 		cfg.Client.ServerKey = tokenvals[4]
 
                 if c.String("grpcserver") != "" {

netclient/functions/register.go

@@ -3,6 +3,7 @@ package functions
 import (
 	"time"
 	"os"
+	"net"
 	"log"
 	"io/ioutil"
 	"bytes"
@@ -41,7 +42,7 @@ func Register(cfg config.GlobalConfig) error {
         }
 	jsonbytes := []byte(jsonstring)
 	body := bytes.NewBuffer(jsonbytes)
-	publicaddress := cfg.Client.ServerPublicEndpoint + ":" + cfg.Client.ServerAPIPort
+	publicaddress := net.JoinHostPort(cfg.Client.ServerPublicEndpoint, cfg.Client.ServerAPIPort)
 
 	res, err := http.Post("http://"+publicaddress+"/api/intclient/register","application/json",body)
         if err != nil {
@@ -76,7 +77,7 @@ func Register(cfg config.GlobalConfig) error {
 
 func Unregister(cfg config.GlobalConfig) error {
 	client := &http.Client{ Timeout: 7 * time.Second,}
-	publicaddress := cfg.Client.ServerPublicEndpoint + ":" + cfg.Client.ServerAPIPort
+	publicaddress := net.JoinHostPort(cfg.Client.ServerPublicEndpoint, cfg.Client.ServerAPIPort)
 	log.Println("sending delete request to: " + "http://"+publicaddress+"/api/intclient/"+cfg.Client.ClientID)
 	req, err := http.NewRequest("DELETE", "http://"+publicaddress+"/api/intclient/"+cfg.Client.ClientID, nil)
 	if err != nil {

servercfg/serverconf.go

@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"errors"
+	"strconv"
 )
 
 func SetHost() error {
@@ -89,6 +90,18 @@ func GetAPIPort() string {
 	return apiport
 }
 
+func GetDefaultNodeLimit() int32 {
+        var limit int32
+	limit = 999999999
+	envlimit, err := strconv.Atoi(os.Getenv("DEFAULT_NODE_LIMIT"))
+	if err == nil && envlimit != 0 {
+                limit = int32(envlimit)
+        } else if  config.Config.Server.DefaultNodeLimit != 0 {
+                limit = config.Config.Server.DefaultNodeLimit
+        }
+        return limit
+}
+
 func GetGRPCHost() string {
 	serverhost := "127.0.0.1"
 	if IsGRPCWireGuard() {

test/network_test.go

@@ -26,7 +26,7 @@ func TestCreateNetwork(t *testing.T) {
 		err = json.NewDecoder(response.Body).Decode(&message)
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusUnauthorized, message.Code)
-		assert.Contains(t, message.Message, "ou are unauthorized to access this endpoint")
+		assert.Contains(t, message.Message, "rror verifying user toke")
 	})
 	t.Run("CreateNetwork", func(t *testing.T) {
 		response, err := api(t, network, http.MethodPost, baseURL+"/api/networks", "secretkey")
@@ -73,7 +73,7 @@ func TestGetNetworks(t *testing.T) {
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusUnauthorized, response.StatusCode)
 		assert.Equal(t, http.StatusUnauthorized, message.Code)
-		assert.Contains(t, message.Message, "ou are unauthorized to access this endpoint")
+		assert.Contains(t, message.Message, "rror verifying user toke")
 	})
 }
 
@@ -99,7 +99,7 @@ func TestGetNetwork(t *testing.T) {
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusUnauthorized, response.StatusCode)
 		assert.Equal(t, http.StatusUnauthorized, message.Code)
-		assert.Contains(t, message.Message, "ou are unauthorized to access this endpoint")
+		assert.Contains(t, message.Message, "rror verifying user toke")
 	})
 	t.Run("InvalidNetwork", func(t *testing.T) {
 		response, err := api(t, "", http.MethodGet, baseURL+"/api/networks/badnetwork", "secretkey")
@@ -125,7 +125,7 @@ func TestDeleteNetwork(t *testing.T) {
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusUnauthorized, response.StatusCode)
 		assert.Equal(t, http.StatusUnauthorized, message.Code)
-		assert.Contains(t, message.Message, "You are unauthorized to access this endpoint")
+		assert.Contains(t, message.Message, "rror verifying user toke")
 	})
 	t.Run("Badnetwork", func(t *testing.T) {
 		response, err := api(t, "", http.MethodDelete, baseURL+"/api/networks/badnetwork", "secretkey")
@@ -222,7 +222,7 @@ func TestCreateKey(t *testing.T) {
 		err = json.NewDecoder(response.Body).Decode(&message)
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusUnauthorized, message.Code)
-		assert.Contains(t, message.Message, "ou are unauthorized to access this endpoint")
+		assert.Contains(t, message.Message, "rror verifying user toke")
 	})
 	t.Run("Badnetwork", func(t *testing.T) {
 		response, err := api(t, key, http.MethodPost, baseURL+"/api/networks/badnetwork/keys", "secretkey")
@@ -277,7 +277,7 @@ func TestDeleteKey(t *testing.T) {
 		err = json.NewDecoder(response.Body).Decode(&message)
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusUnauthorized, message.Code)
-		assert.Contains(t, message.Message, "ou are unauthorized to access this endpoint")
+		assert.Contains(t, message.Message, "rror verifying user toke")
 	})
 }
 
@@ -314,7 +314,7 @@ func TestGetKeys(t *testing.T) {
 		err = json.NewDecoder(response.Body).Decode(&message)
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusUnauthorized, message.Code)
-		assert.Contains(t, message.Message, "ou are unauthorized to access this endpoint")
+		assert.Contains(t, message.Message, "rror verifying user toke")
 	})
 }