add network roles to invite req

controllers/node.go

@@ -585,7 +585,7 @@ func createIngressGateway(w http.ResponseWriter, r *http.Request) {
 	// create network role for this gateway
 	logic.CreateRole(models.UserRolePermissionTemplate{
 		ID:        models.GetRAGRoleName(node.Network, host.Name),
-		NetworkID: node.Network,
+		NetworkID: models.NetworkID(node.Network),
 		NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 			models.RemoteAccessGwRsrc: {
 				models.RsrcID(node.ID.String()): models.RsrcPermissionScope{

controllers/user.go

@@ -393,10 +393,7 @@ func createUser(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-	if err = logic.IsGroupsValid(user.UserGroups); err != nil {
-		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
-		return
-	}
+
 	if user.PlatformRoleID == "" {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
 		return

logic/auth.go

@@ -132,6 +132,13 @@ func CreateUser(user *models.User) error {
 	if _, err := GetUser(user.UserName); err == nil {
 		return errors.New("user exists")
 	}
+	SetUserDefaults(user)
+	if err := IsGroupsValid(user.UserGroups); err != nil {
+		return errors.New("invalid groups: " + err.Error())
+	}
+	if err := IsNetworkRolesValid(user.NetworkRoles); err != nil {
+		return errors.New("invalid network roles: " + err.Error())
+	}
 	user.AuthType = models.BasicAuth
 	if IsOauthUser(user) == nil {
 		user.AuthType = models.OAuth
@@ -149,20 +156,13 @@ func CreateUser(user *models.User) error {
 	}
 	// set password to encrypted password
 	user.Password = string(hash)
-	if len(user.NetworkRoles) == 0 {
-		user.NetworkRoles = make(map[models.NetworkID]map[models.UserRole]struct{})
-	}
-	if len(user.UserGroups) == 0 {
-		user.UserGroups = make(map[models.UserGroupID]struct{})
-	}
+
 	_, err = CreateUserJWT(user.UserName, user.PlatformRoleID)
 	if err != nil {
 		logger.Log(0, "failed to generate token", err.Error())
 		return err
 	}
 
-	SetUserDefaults(user)
-
 	// connect db
 	data, err := json.Marshal(user)
 	if err != nil {

logic/jwts.go

@@ -53,7 +53,7 @@ func CreateJWT(uuid string, macAddress string, network string) (response string,
 }
 
 // CreateUserJWT - creates a user jwt token
-func CreateUserJWT(username string, role models.UserRole) (response string, err error) {
+func CreateUserJWT(username string, role models.UserRoleID) (response string, err error) {
 	expirationTime := time.Now().Add(servercfg.GetServerConfig().JwtValidityDuration)
 	claims := &models.UserClaims{
 		UserName: username,

logic/user_mgmt.go

@@ -35,6 +35,9 @@ var FilterNetworksByRole = func(allnetworks []models.Network, user models.User)
 var IsGroupsValid = func(groups map[models.UserGroupID]struct{}) error {
 	return nil
 }
+var IsNetworkRolesValid = func(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error {
+	return nil
+}
 var RemoveNetworkRoleFromUsers = func(host models.Host, node models.Node) {}
 
 var InitialiseRoles = userRolesInit
@@ -42,7 +45,7 @@ var DeleteNetworkRoles = func(netID string) {}
 var CreateDefaultNetworkRoles = func(netID string) {}
 
 // GetRole - fetches role template by id
-func GetRole(roleID models.UserRole) (models.UserRolePermissionTemplate, error) {
+func GetRole(roleID models.UserRoleID) (models.UserRolePermissionTemplate, error) {
 	// check if role already exists
 	data, err := database.FetchRecord(database.USER_PERMISSIONS_TABLE_NAME, roleID.String())
 	if err != nil {

logic/users.go

@@ -55,6 +55,12 @@ func SetUserDefaults(user *models.User) {
 	if user.RemoteGwIDs == nil {
 		user.RemoteGwIDs = make(map[string]struct{})
 	}
+	if len(user.NetworkRoles) == 0 {
+		user.NetworkRoles = make(map[models.NetworkID]map[models.UserRoleID]struct{})
+	}
+	if len(user.UserGroups) == 0 {
+		user.UserGroups = make(map[models.UserGroupID]struct{})
+	}
 }
 
 // SortUsers - Sorts slice of Users by username

migrate/migrate.go

@@ -324,7 +324,7 @@ func syncUsers() {
 					if err == nil {
 						logic.CreateRole(models.UserRolePermissionTemplate{
 							ID:        models.GetRAGRoleName(networkNodeI.Network, h.Name),
-							NetworkID: netI.NetID,
+							NetworkID: models.NetworkID(netI.NetID),
 							NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 								models.RemoteAccessGwRsrc: {
 									models.RsrcID(networkNodeI.ID.String()): models.RsrcPermissionScope{
@@ -361,7 +361,7 @@ func syncUsers() {
 				user.AuthType = models.OAuth
 			}
 			if len(user.NetworkRoles) == 0 {
-				user.NetworkRoles = make(map[models.NetworkID]map[models.UserRole]struct{})
+				user.NetworkRoles = make(map[models.NetworkID]map[models.UserRoleID]struct{})
 			}
 			if len(user.UserGroups) == 0 {
 				user.UserGroups = make(map[models.UserGroupID]struct{})
@@ -394,7 +394,7 @@ func syncUsers() {
 					if netRoles, ok := user.NetworkRoles[models.NetworkID(gwNode.Network)]; ok {
 						netRoles[r.ID] = struct{}{}
 					} else {
-						user.NetworkRoles[models.NetworkID(gwNode.Network)] = map[models.UserRole]struct{}{
+						user.NetworkRoles[models.NetworkID(gwNode.Network)] = map[models.UserRoleID]struct{}{
 							r.ID: {},
 						}
 					}

models/user_mgmt.go

@@ -10,7 +10,7 @@ import (
 type NetworkID string
 type RsrcType string
 type RsrcID string
-type UserRole string
+type UserRoleID string
 type UserGroupID string
 type AuthType string
 
@@ -27,8 +27,8 @@ func (rid RsrcID) String() string {
 	return string(rid)
 }
 
-func GetRAGRoleName(netID, hostName string) UserRole {
-	return UserRole(fmt.Sprintf("netID-%s-rag-%s", netID, hostName))
+func GetRAGRoleName(netID, hostName string) UserRoleID {
+	return UserRoleID(fmt.Sprintf("netID-%s-rag-%s", netID, hostName))
 }
 
 var RsrcTypeMap = map[RsrcType]struct{}{
@@ -46,6 +46,7 @@ var RsrcTypeMap = map[RsrcType]struct{}{
 	FailOverRsrc:       {},
 }
 
+const AllNetworks NetworkID = "all_networks"
 const (
 	HostRsrc           RsrcType = "hosts"
 	RelayRsrc          RsrcType = "relays"
@@ -80,15 +81,15 @@ const (
 // Pre-Defined User Roles
 
 const (
-	SuperAdminRole UserRole = "super_admin"
-	AdminRole      UserRole = "admin"
-	ServiceUser    UserRole = "service_user"
-	PlatformUser   UserRole = "platform_user"
-	NetworkAdmin   UserRole = "network_admin"
-	NetworkUser    UserRole = "network_user"
+	SuperAdminRole UserRoleID = "super_admin"
+	AdminRole      UserRoleID = "admin"
+	ServiceUser    UserRoleID = "service_user"
+	PlatformUser   UserRoleID = "platform_user"
+	NetworkAdmin   UserRoleID = "network_admin"
+	NetworkUser    UserRoleID = "network_user"
 )
 
-func (r UserRole) String() string {
+func (r UserRoleID) String() string {
 	return string(r)
 }
 
@@ -96,6 +97,10 @@ func (g UserGroupID) String() string {
 	return string(g)
 }
 
+func (n NetworkID) String() string {
+	return string(n)
+}
+
 type RsrcPermissionScope struct {
 	Create    bool `json:"create"`
 	Read      bool `json:"read"`
@@ -106,11 +111,11 @@ type RsrcPermissionScope struct {
 }
 
 type UserRolePermissionTemplate struct {
-	ID                  UserRole                                    `json:"id"`
+	ID                  UserRoleID                                  `json:"id"`
 	Default             bool                                        `json:"default"`
 	DenyDashboardAccess bool                                        `json:"deny_dashboard_access"`
 	FullAccess          bool                                        `json:"full_access"`
-	NetworkID           string                                      `json:"network_id"`
+	NetworkID           NetworkID                                   `json:"network_id"`
 	NetworkLevelAccess  map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_level_access"`
 	GlobalLevelAccess   map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"global_level_access"`
 }
@@ -121,23 +126,23 @@ type CreateGroupReq struct {
 }
 
 type UserGroup struct {
-	ID           UserGroupID                         `json:"id"`
-	NetworkRoles map[NetworkID]map[UserRole]struct{} `json:"network_roles"`
-	MetaData     string                              `json:"meta_data"`
+	ID           UserGroupID                           `json:"id"`
+	NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
+	MetaData     string                                `json:"meta_data"`
 }
 
 // User struct - struct for Users
 type User struct {
-	UserName       string                              `json:"username" bson:"username" validate:"min=3,max=40,in_charset|email"`
-	Password       string                              `json:"password" bson:"password" validate:"required,min=5"`
-	IsAdmin        bool                                `json:"isadmin" bson:"isadmin"` // deprecated
-	IsSuperAdmin   bool                                `json:"issuperadmin"`           // deprecated
-	RemoteGwIDs    map[string]struct{}                 `json:"remote_gw_ids"`          // deprecated
-	AuthType       AuthType                            `json:"auth_type"`
-	UserGroups     map[UserGroupID]struct{}            `json:"user_group_ids"`
-	PlatformRoleID UserRole                            `json:"platform_role_id"`
-	NetworkRoles   map[NetworkID]map[UserRole]struct{} `json:"network_roles"`
-	LastLoginTime  time.Time                           `json:"last_login_time"`
+	UserName       string                                `json:"username" bson:"username" validate:"min=3,max=40,in_charset|email"`
+	Password       string                                `json:"password" bson:"password" validate:"required,min=5"`
+	IsAdmin        bool                                  `json:"isadmin" bson:"isadmin"` // deprecated
+	IsSuperAdmin   bool                                  `json:"issuperadmin"`           // deprecated
+	RemoteGwIDs    map[string]struct{}                   `json:"remote_gw_ids"`          // deprecated
+	AuthType       AuthType                              `json:"auth_type"`
+	UserGroups     map[UserGroupID]struct{}              `json:"user_group_ids"`
+	PlatformRoleID UserRoleID                            `json:"platform_role_id"`
+	NetworkRoles   map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
+	LastLoginTime  time.Time                             `json:"last_login_time"`
 }
 
 type ReturnUserWithRolesAndGroups struct {
@@ -147,15 +152,15 @@ type ReturnUserWithRolesAndGroups struct {
 
 // ReturnUser - return user struct
 type ReturnUser struct {
-	UserName       string                              `json:"username"`
-	IsAdmin        bool                                `json:"isadmin"`
-	IsSuperAdmin   bool                                `json:"issuperadmin"`
-	AuthType       AuthType                            `json:"auth_type"`
-	RemoteGwIDs    map[string]struct{}                 `json:"remote_gw_ids"` // deprecated
-	UserGroups     map[UserGroupID]struct{}            `json:"user_group_ids"`
-	PlatformRoleID UserRole                            `json:"platform_role_id"`
-	NetworkRoles   map[NetworkID]map[UserRole]struct{} `json:"network_roles"`
-	LastLoginTime  time.Time                           `json:"last_login_time"`
+	UserName       string                                `json:"username"`
+	IsAdmin        bool                                  `json:"isadmin"`
+	IsSuperAdmin   bool                                  `json:"issuperadmin"`
+	AuthType       AuthType                              `json:"auth_type"`
+	RemoteGwIDs    map[string]struct{}                   `json:"remote_gw_ids"` // deprecated
+	UserGroups     map[UserGroupID]struct{}              `json:"user_group_ids"`
+	PlatformRoleID UserRoleID                            `json:"platform_role_id"`
+	NetworkRoles   map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
+	LastLoginTime  time.Time                             `json:"last_login_time"`
 }
 
 // UserAuthParams - user auth params struct
@@ -166,22 +171,24 @@ type UserAuthParams struct {
 
 // UserClaims - user claims struct
 type UserClaims struct {
-	Role     UserRole
+	Role     UserRoleID
 	UserName string
 	jwt.RegisteredClaims
 }
 
 type InviteUsersReq struct {
-	UserEmails     []string `json:"user_emails"`
-	PlatformRoleID string   `json:"platform_role_id"`
-	Groups         []UserGroupID
+	UserEmails     []string                              `json:"user_emails"`
+	PlatformRoleID string                                `json:"platform_role_id"`
+	UserGroups     map[UserGroupID]struct{}              `json:"user_group_ids"`
+	NetworkRoles   map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
 }
 
 // UserInvite - model for user invite
 type UserInvite struct {
-	Email          string        `json:"email"`
-	PlatformRoleID string        `json:"platform_role_id"`
-	Groups         []UserGroupID `json:"groups"`
-	InviteCode     string        `json:"invite_code"`
-	InviteURL      string        `json:"invite_url"`
+	Email          string                                `json:"email"`
+	PlatformRoleID string                                `json:"platform_role_id"`
+	UserGroups     map[UserGroupID]struct{}              `json:"user_group_ids"`
+	NetworkRoles   map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
+	InviteCode     string                                `json:"invite_code"`
+	InviteURL      string                                `json:"invite_url"`
 }

pro/auth/azure-ad.go

@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -89,29 +88,12 @@ func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
 		if database.IsEmptyRecord(err) { // user must not exist, so try to make one
 			if inviteExists {
 				// create user
-				var newPass, fetchErr = logic.FetchPassValue("")
-				if fetchErr != nil {
-					logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
+				user, err := proLogic.PrepareOauthUserFromInvite(in)
+				if err != nil {
+					logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 					return
 				}
-				user := &models.User{
-					UserName: content.UserPrincipalName,
-					Password: newPass,
-				}
-				for _, inviteGroupID := range in.Groups {
-					_, err := proLogic.GetUserGroup(inviteGroupID)
-					if err != nil {
-						logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("error fetching group id "+inviteGroupID.String()), "badrequest"))
-						return
-					}
-
-					user.UserGroups[inviteGroupID] = struct{}{}
-				}
-				user.PlatformRoleID = models.UserRole(in.PlatformRoleID)
-				if user.PlatformRoleID == "" {
-					user.PlatformRoleID = models.ServiceUser
-				}
-				if err = logic.CreateUser(user); err != nil {
+				if err = logic.CreateUser(&user); err != nil {
 					handleSomethingWentWrong(w)
 					return
 				}

pro/auth/github.go

@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -88,29 +87,12 @@ func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
 		if database.IsEmptyRecord(err) { // user must not exist, so try to make one
 			if inviteExists {
 				// create user
-				var newPass, fetchErr = logic.FetchPassValue("")
-				if fetchErr != nil {
-					logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
+				user, err := proLogic.PrepareOauthUserFromInvite(in)
+				if err != nil {
+					logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 					return
 				}
-				user := &models.User{
-					UserName: content.Login,
-					Password: newPass,
-				}
-
-				for _, inviteGroupID := range in.Groups {
-					_, err := proLogic.GetUserGroup(inviteGroupID)
-					if err != nil {
-						logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("error fetching group id "+inviteGroupID.String()), "badrequest"))
-						return
-					}
-					user.UserGroups[inviteGroupID] = struct{}{}
-				}
-				user.PlatformRoleID = models.UserRole(in.PlatformRoleID)
-				if user.PlatformRoleID == "" {
-					user.PlatformRoleID = models.ServiceUser
-				}
-				if err = logic.CreateUser(user); err != nil {
+				if err = logic.CreateUser(&user); err != nil {
 					handleSomethingWentWrong(w)
 					return
 				}

pro/auth/google.go

@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -94,32 +93,14 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
 		if database.IsEmptyRecord(err) { // user must not exist, so try to make one
 			if inviteExists {
 				// create user
-				logger.Log(0, "CALLBACK ----> 4.0")
-				var newPass, fetchErr = logic.FetchPassValue("")
-				if fetchErr != nil {
-					logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
+				user, err := proLogic.PrepareOauthUserFromInvite(in)
+				if err != nil {
+					logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 					return
 				}
-				user := &models.User{
-					UserName: content.Email,
-					Password: newPass,
-				}
-				logger.Log(0, "CALLBACK ----> 4.1")
-				for _, inviteGroupID := range in.Groups {
-					_, err := proLogic.GetUserGroup(inviteGroupID)
-					if err != nil {
-						logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("error fetching group id "+inviteGroupID.String()), "badrequest"))
-						return
-					}
-					user.UserGroups = make(map[models.UserGroupID]struct{})
-					user.UserGroups[inviteGroupID] = struct{}{}
-				}
-				logger.Log(0, "CALLBACK ----> 5")
-				user.PlatformRoleID = models.UserRole(in.PlatformRoleID)
-				if user.PlatformRoleID == "" {
-					user.PlatformRoleID = models.ServiceUser
-				}
-				if err = logic.CreateUser(user); err != nil {
+				logger.Log(0, "CALLBACK ----> 4.0")
+
+				if err = logic.CreateUser(&user); err != nil {
 					handleSomethingWentWrong(w)
 					return
 				}

pro/auth/oidc.go

@@ -2,7 +2,6 @@ package auth
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -101,28 +100,12 @@ func handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
 		if database.IsEmptyRecord(err) { // user must not exist, so try to make one
 			if inviteExists {
 				// create user
-				var newPass, fetchErr = logic.FetchPassValue("")
-				if fetchErr != nil {
-					logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
+				user, err := proLogic.PrepareOauthUserFromInvite(in)
+				if err != nil {
+					logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 					return
 				}
-				user := &models.User{
-					UserName: content.Email,
-					Password: newPass,
-				}
-				for _, inviteGroupID := range in.Groups {
-					_, err := proLogic.GetUserGroup(inviteGroupID)
-					if err != nil {
-						logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("error fetching group id "+inviteGroupID.String()), "badrequest"))
-						return
-					}
-					user.UserGroups[inviteGroupID] = struct{}{}
-				}
-				user.PlatformRoleID = models.UserRole(in.PlatformRoleID)
-				if user.PlatformRoleID == "" {
-					user.PlatformRoleID = models.ServiceUser
-				}
-				if err = logic.CreateUser(user); err != nil {
+				if err = logic.CreateUser(&user); err != nil {
 					handleSomethingWentWrong(w)
 					return
 				}

pro/controllers/users.go

@@ -104,19 +104,12 @@ func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	for _, inviteGroupID := range in.Groups {
-		_, err := proLogic.GetUserGroup(inviteGroupID)
-		if err != nil {
-			continue
-		}
-		user.UserGroups = make(map[models.UserGroupID]struct{})
-		user.UserGroups[inviteGroupID] = struct{}{}
-	}
-	user.PlatformRoleID = models.UserRole(in.PlatformRoleID)
+	user.UserGroups = in.UserGroups
+	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
 	if user.PlatformRoleID == "" {
 		user.PlatformRoleID = models.ServiceUser
 	}
-	user.NetworkRoles = make(map[models.NetworkID]map[models.UserRole]struct{})
+	user.NetworkRoles = in.NetworkRoles
 	err = logic.CreateUser(&user)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
@@ -170,13 +163,15 @@ func inviteUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	//validate Req
-	for _, groupID := range inviteReq.Groups {
-		_, err := proLogic.GetUserGroup(groupID)
-		if err != nil {
-			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
-			return
-		}
-
+	err = proLogic.IsGroupsValid(inviteReq.UserGroups)
+	if err != nil {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
+	}
+	err = proLogic.IsNetworkRolesValid(inviteReq.NetworkRoles)
+	if err != nil {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
 	}
 
 	for _, inviteeEmail := range inviteReq.UserEmails {
@@ -187,9 +182,10 @@ func inviteUsers(w http.ResponseWriter, r *http.Request) {
 			continue
 		}
 		invite := models.UserInvite{
-			Email:      inviteeEmail,
-			Groups:     inviteReq.Groups,
-			InviteCode: logic.RandomString(8),
+			Email:        inviteeEmail,
+			UserGroups:   inviteReq.UserGroups,
+			NetworkRoles: inviteReq.NetworkRoles,
+			InviteCode:   logic.RandomString(8),
 		}
 		u, err := url.Parse(fmt.Sprintf("%s/invite?email=%s&invite_code=%s",
 			servercfg.GetFrontendURL(), url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
@@ -488,7 +484,7 @@ func getRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
 		return
 	}
-	role, err := logic.GetRole(models.UserRole(rid))
+	role, err := logic.GetRole(models.UserRoleID(rid))
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
 			Code:    http.StatusInternalServerError,
@@ -586,7 +582,7 @@ func deleteRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
 		return
 	}
-	err := proLogic.DeleteRole(models.UserRole(rid))
+	err := proLogic.DeleteRole(models.UserRoleID(rid))
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return

pro/initialize.go

@@ -127,6 +127,7 @@ func InitPro() {
 	logic.CreateDefaultNetworkRoles = proLogic.CreateDefaultNetworkRoles
 	logic.FilterNetworksByRole = proLogic.FilterNetworksByRole
 	logic.IsGroupsValid = proLogic.IsGroupsValid
+	logic.IsNetworkRolesValid = proLogic.IsNetworkRolesValid
 	logic.RemoveNetworkRoleFromUsers = proLogic.RemoveNetworkRoleFromUsers
 	logic.InitialiseRoles = proLogic.UserRolesInit
 }

pro/logic/security.go

@@ -44,6 +44,15 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
 
 	// check if user has scope for target resource
 	// TODO - differentitate between global scope and network scope apis
+	// check for global network role
+	if netRoles, ok := user.NetworkRoles[models.AllNetworks]; ok {
+		for netRoleID := range netRoles {
+			err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID)
+			if err == nil {
+				return nil
+			}
+		}
+	}
 	netRoles := user.NetworkRoles[models.NetworkID(netID)]
 	for netRoleID := range netRoles {
 		err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID)
@@ -67,7 +76,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
 	return errors.New("access denied")
 }
 
-func checkNetworkAccessPermissions(netRoleID models.UserRole, username, reqScope, targetRsrc, targetRsrcID string) error {
+func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqScope, targetRsrc, targetRsrcID string) error {
 	networkPermissionScope, err := logic.GetRole(netRoleID)
 	if err != nil {
 		return err
@@ -87,7 +96,7 @@ func checkNetworkAccessPermissions(netRoleID models.UserRole, username, reqScope
 	if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok {
 		// handle extclient apis here
 		if models.RsrcType(targetRsrc) == models.ExtClientsRsrc && allRsrcsTypePermissionScope.SelfOnly && targetRsrcID != "" {
-			extclient, err := logic.GetExtClient(targetRsrcID, networkPermissionScope.NetworkID)
+			extclient, err := logic.GetExtClient(targetRsrcID, networkPermissionScope.NetworkID.String())
 			if err != nil {
 				return err
 			}

pro/logic/user_mgmt.go

@@ -25,6 +25,37 @@ var PlatformUserUserPermissionTemplate = models.UserRolePermissionTemplate{
 	FullAccess: false,
 }
 
+var NetworkAdminAllPermissionTemplate = models.UserRolePermissionTemplate{
+	ID:         models.UserRoleID(fmt.Sprintf("global_%s", models.NetworkAdmin)),
+	Default:    true,
+	FullAccess: true,
+	NetworkID:  models.AllNetworks,
+}
+
+var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{
+	ID:         models.UserRoleID(fmt.Sprintf("global_%s", models.NetworkUser)),
+	Default:    true,
+	FullAccess: false,
+	NetworkID:  models.AllNetworks,
+	NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
+		models.RemoteAccessGwRsrc: {
+			models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{
+				Read:      true,
+				VPNaccess: true,
+			},
+		},
+		models.ExtClientsRsrc: {
+			models.AllExtClientsRsrcID: models.RsrcPermissionScope{
+				Read:     true,
+				Create:   true,
+				Update:   true,
+				Delete:   true,
+				SelfOnly: true,
+			},
+		},
+	},
+}
+
 func UserRolesInit() {
 	d, _ := json.Marshal(logic.SuperAdminPermissionTemplate)
 	database.Insert(logic.SuperAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
@@ -34,23 +65,27 @@ func UserRolesInit() {
 	database.Insert(ServiceUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
 	d, _ = json.Marshal(PlatformUserUserPermissionTemplate)
 	database.Insert(PlatformUserUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
+	d, _ = json.Marshal(NetworkAdminAllPermissionTemplate)
+	database.Insert(NetworkAdminAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
+	d, _ = json.Marshal(NetworkUserAllPermissionTemplate)
+	database.Insert(NetworkUserAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
 
 }
 
 func CreateDefaultNetworkRoles(netID string) {
 	var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
-		ID:                 models.UserRole(fmt.Sprintf("%s_%s", netID, models.NetworkAdmin)),
+		ID:                 models.UserRoleID(fmt.Sprintf("%s_%s", netID, models.NetworkAdmin)),
 		Default:            false,
-		NetworkID:          netID,
+		NetworkID:          models.NetworkID(netID),
 		FullAccess:         true,
 		NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
 	}
 
 	var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
-		ID:                  models.UserRole(fmt.Sprintf("%s_%s", netID, models.NetworkUser)),
+		ID:                  models.UserRoleID(fmt.Sprintf("%s_%s", netID, models.NetworkUser)),
 		Default:             false,
 		FullAccess:          false,
-		NetworkID:           netID,
+		NetworkID:           models.NetworkID(netID),
 		DenyDashboardAccess: false,
 		NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 			models.RemoteAccessGwRsrc: {
@@ -98,7 +133,7 @@ func DeleteNetworkRoles(netID string) {
 
 	roles, _ := ListNetworkRoles()
 	for _, role := range roles {
-		if role.NetworkID == netID {
+		if role.NetworkID.String() == netID {
 			DeleteRole(role.ID)
 		}
 	}
@@ -220,7 +255,7 @@ func UpdateRole(r models.UserRolePermissionTemplate) error {
 }
 
 // DeleteRole - deletes user role
-func DeleteRole(rid models.UserRole) error {
+func DeleteRole(rid models.UserRoleID) error {
 	if rid.String() == "" {
 		return errors.New("role id cannot be empty")
 	}
@@ -490,7 +525,7 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode
 func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filteredNodes []models.Node) {
 
 	nodesMap := make(map[string]struct{})
-	allNetworkRoles := []models.UserRole{}
+	allNetworkRoles := []models.UserRoleID{}
 	if len(user.NetworkRoles) > 0 {
 		for _, netRoles := range user.NetworkRoles {
 			for netRoleI := range netRoles {
@@ -517,7 +552,7 @@ func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filter
 		if err != nil {
 			continue
 		}
-		networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID)
+		networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String())
 		if userPermTemplate.FullAccess {
 			for _, node := range networkNodes {
 				nodesMap[node.ID.String()] = struct{}{}
@@ -603,6 +638,25 @@ func IsGroupsValid(groups map[models.UserGroupID]struct{}) error {
 	return nil
 }
 
+func IsNetworkRolesValid(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error {
+	for netID, netRoles := range networkRoles {
+		_, err := logic.GetNetwork(netID.String())
+		if err != nil {
+			return fmt.Errorf("failed to fetch network %s ", netID)
+		}
+		for netRoleID := range netRoles {
+			role, err := logic.GetRole(netRoleID)
+			if err != nil {
+				return fmt.Errorf("failed to fetch role %s ", netRoleID)
+			}
+			if role.NetworkID == "" {
+				return fmt.Errorf("cannot use platform as network role %s", netRoleID)
+			}
+		}
+	}
+	return nil
+}
+
 func RemoveNetworkRoleFromUsers(host models.Host, node models.Node) {
 	users, err := logic.GetUsersDB()
 	if err == nil {
@@ -625,3 +679,22 @@ func RemoveNetworkRoleFromUsers(host models.Host, node models.Node) {
 		slog.Error("failed to delete role: ", models.GetRAGRoleName(node.Network, host.Name), err)
 	}
 }
+
+// PrepareOauthUserFromInvite - init oauth user before create
+func PrepareOauthUserFromInvite(in models.UserInvite) (models.User, error) {
+	var newPass, fetchErr = logic.FetchPassValue("")
+	if fetchErr != nil {
+		return models.User{}, fetchErr
+	}
+	user := models.User{
+		UserName: in.Email,
+		Password: newPass,
+	}
+	user.UserGroups = in.UserGroups
+	user.NetworkRoles = in.NetworkRoles
+	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
+	if user.PlatformRoleID == "" {
+		user.PlatformRoleID = models.ServiceUser
+	}
+	return user, nil
+}