|
@@ -7,6 +7,7 @@ import (
|
|
|
"time"
|
|
|
|
|
|
"github.com/gravitl/netmaker/database"
|
|
|
+ "github.com/gravitl/netmaker/logger"
|
|
|
"github.com/gravitl/netmaker/logic"
|
|
|
"github.com/gravitl/netmaker/models"
|
|
|
"github.com/gravitl/netmaker/mq"
|
|
@@ -555,6 +556,153 @@ func GetUserRAGNodesV1(user models.User) (gws map[string]models.Node) {
|
|
|
return
|
|
|
}
|
|
|
|
|
|
+func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
|
|
|
+ gws = make(map[string]models.Node)
|
|
|
+ userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user)
|
|
|
+ logger.Log(3, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope))
|
|
|
+ _, allNetAccess := userGwAccessScope["*"]
|
|
|
+ nodes, err := logic.GetAllNodes()
|
|
|
+ if err != nil {
|
|
|
+ return
|
|
|
+ }
|
|
|
+ for _, node := range nodes {
|
|
|
+ if node.IsIngressGateway && !node.PendingDelete {
|
|
|
+ if allNetAccess {
|
|
|
+ gws[node.ID.String()] = node
|
|
|
+ } else {
|
|
|
+ gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)]
|
|
|
+ scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID]
|
|
|
+ if !ok {
|
|
|
+ if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok {
|
|
|
+ continue
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if scope.VPNaccess {
|
|
|
+ gws[node.ID.String()] = node
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ return
|
|
|
+}
|
|
|
+
|
|
|
+// GetUserNetworkRoles - get user network roles
|
|
|
+func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) {
|
|
|
+ gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope)
|
|
|
+ platformRole, err := logic.GetRole(user.PlatformRoleID)
|
|
|
+ if err != nil {
|
|
|
+ return
|
|
|
+ }
|
|
|
+ if platformRole.FullAccess {
|
|
|
+ gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
|
|
+ return
|
|
|
+ }
|
|
|
+ if _, ok := user.NetworkRoles[models.AllNetworks]; ok {
|
|
|
+ gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
|
|
+ }
|
|
|
+ if len(user.UserGroups) > 0 {
|
|
|
+ for gID := range user.UserGroups {
|
|
|
+ userG, err := GetUserGroup(gID)
|
|
|
+ if err != nil {
|
|
|
+ continue
|
|
|
+ }
|
|
|
+ for netID, roleMap := range userG.NetworkRoles {
|
|
|
+ for roleID := range roleMap {
|
|
|
+ role, err := logic.GetRole(roleID)
|
|
|
+ if err == nil {
|
|
|
+ if role.FullAccess {
|
|
|
+ gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
|
|
|
+ models.AllRemoteAccessGwRsrcID: {
|
|
|
+ Create: true,
|
|
|
+ Read: true,
|
|
|
+ Update: true,
|
|
|
+ VPNaccess: true,
|
|
|
+ Delete: true,
|
|
|
+ },
|
|
|
+ models.AllExtClientsRsrcID: {
|
|
|
+ Create: true,
|
|
|
+ Read: true,
|
|
|
+ Update: true,
|
|
|
+ Delete: true,
|
|
|
+ },
|
|
|
+ }
|
|
|
+ break
|
|
|
+ }
|
|
|
+ if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
|
|
|
+ if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
|
|
|
+ if len(gwAccess[netID]) == 0 {
|
|
|
+ gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
|
|
+ }
|
|
|
+ gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
|
|
|
+ break
|
|
|
+ } else {
|
|
|
+ for gwID, scope := range rsrcsMap {
|
|
|
+ if scope.VPNaccess {
|
|
|
+ if len(gwAccess[netID]) == 0 {
|
|
|
+ gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
|
|
+ }
|
|
|
+ gwAccess[netID][gwID] = scope
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ for netID, roleMap := range user.NetworkRoles {
|
|
|
+ for roleID := range roleMap {
|
|
|
+ role, err := logic.GetRole(roleID)
|
|
|
+ if err == nil {
|
|
|
+ if role.FullAccess {
|
|
|
+ gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
|
|
|
+ models.AllRemoteAccessGwRsrcID: {
|
|
|
+ Create: true,
|
|
|
+ Read: true,
|
|
|
+ Update: true,
|
|
|
+ VPNaccess: true,
|
|
|
+ Delete: true,
|
|
|
+ },
|
|
|
+ models.AllExtClientsRsrcID: {
|
|
|
+ Create: true,
|
|
|
+ Read: true,
|
|
|
+ Update: true,
|
|
|
+ Delete: true,
|
|
|
+ },
|
|
|
+ }
|
|
|
+ break
|
|
|
+ }
|
|
|
+ if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
|
|
|
+ if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
|
|
|
+ if len(gwAccess[netID]) == 0 {
|
|
|
+ gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
|
|
+ }
|
|
|
+ gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
|
|
|
+ break
|
|
|
+ } else {
|
|
|
+ for gwID, scope := range rsrcsMap {
|
|
|
+ if scope.VPNaccess {
|
|
|
+ if len(gwAccess[netID]) == 0 {
|
|
|
+ gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
|
|
+ }
|
|
|
+ gwAccess[netID][gwID] = scope
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ return
|
|
|
+}
|
|
|
+
|
|
|
func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filteredNodes []models.Node) {
|
|
|
|
|
|
nodesMap := make(map[string]struct{})
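Review bot: In GetUserNetworkRolesWithRemoteVPNAccess, the `user.NetworkRoles[models.AllNetworks]` check at L215-L223 inserts the `"*"` wildcard entry without looking at which roles are bound to that key, and GetUserRAGNodes (L63, L91-L95) then treats mere presence of `"*"` as VPN access to every non-pending ingress gateway — so any role under AllNetworks, including one with no VPNaccess, exposes all gateways, while the platform-role path at L199 and the per-network path at L439 do require FullAccess or VPNaccess. The fix below resolves the AllNetworks roles and only sets the wildcard when one of them is FullAccess or grants VPNaccess on AllRemoteAccessGwRsrcID; the L439 loop still records gateway-specific entries under the AllNetworks key, but GetUserRAGNodes never consults that key unless `models.AllNetworks` happens to equal the `"*"` literal, which I cannot see from here, so a per-node fallback lookup on `userGwAccessScope[models.AllNetworks]` may also be needed. Separately, L59 logs the user's entire permission map with `%+v` at verbosity 3 on every call; consider logging only the user name and the number of networks in scope.
```go
	// … unchanged: platform-role FullAccess short-circuit …
	// Only treat AllNetworks as a wildcard when a role bound to it actually
	// conveys VPN access; a read-only role under AllNetworks must not expose
	// every gateway.
	for roleID := range user.NetworkRoles[models.AllNetworks] {
		role, err := logic.GetRole(roleID)
		if err != nil {
			continue
		}
		if role.FullAccess {
			gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
			break
		}
		if perms, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc][models.AllRemoteAccessGwRsrcID]; ok && perms.VPNaccess {
			gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
			break
		}
	}
	// … unchanged: user-group and per-network role evaluation …
```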
|