ext_client.go 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690
  1. package controller
  2. import (
  3. "encoding/json"
  4. "errors"
  5. "fmt"
  6. "net"
  7. "net/http"
  8. "strconv"
  9. "github.com/gorilla/mux"
  10. "github.com/gravitl/netmaker/database"
  11. "github.com/gravitl/netmaker/logger"
  12. "github.com/gravitl/netmaker/logic"
  13. "github.com/gravitl/netmaker/logic/pro"
  14. "github.com/gravitl/netmaker/models"
  15. "github.com/gravitl/netmaker/models/promodels"
  16. "github.com/gravitl/netmaker/mq"
  17. "github.com/skip2/go-qrcode"
  18. "golang.org/x/exp/slog"
  19. "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
  20. )
  21. func extClientHandlers(r *mux.Router) {
  22. r.HandleFunc("/api/extclients", logic.SecurityCheck(false, http.HandlerFunc(getAllExtClients))).Methods(http.MethodGet)
  23. r.HandleFunc("/api/extclients/{network}", logic.SecurityCheck(false, http.HandlerFunc(getNetworkExtClients))).Methods(http.MethodGet)
  24. r.HandleFunc("/api/extclients/{network}/{clientid}", logic.SecurityCheck(false, http.HandlerFunc(getExtClient))).Methods(http.MethodGet)
  25. r.HandleFunc("/api/extclients/{network}/{clientid}/{type}", logic.NetUserSecurityCheck(false, true, http.HandlerFunc(getExtClientConf))).Methods(http.MethodGet)
  26. r.HandleFunc("/api/extclients/{network}/{clientid}", logic.NetUserSecurityCheck(false, true, http.HandlerFunc(updateExtClient))).Methods(http.MethodPut)
  27. r.HandleFunc("/api/extclients/{network}/{clientid}", logic.NetUserSecurityCheck(false, true, http.HandlerFunc(deleteExtClient))).Methods(http.MethodDelete)
  28. r.HandleFunc("/api/extclients/{network}/{nodeid}", logic.NetUserSecurityCheck(false, true, checkFreeTierLimits(clients_l, http.HandlerFunc(createExtClient)))).Methods(http.MethodPost)
  29. }
  30. func checkIngressExists(nodeID string) bool {
  31. node, err := logic.GetNodeByID(nodeID)
  32. if err != nil {
  33. return false
  34. }
  35. return node.IsIngressGateway
  36. }
  37. // swagger:route GET /api/extclients/{network} ext_client getNetworkExtClients
  38. //
  39. // Get all extclients associated with network.
  40. // Gets all extclients associated with network, including pending extclients.
  41. //
  42. // Schemes: https
  43. //
  44. // Security:
  45. // oauth
  46. //
  47. // Responses:
  48. // 200: extClientSliceResponse
  49. func getNetworkExtClients(w http.ResponseWriter, r *http.Request) {
  50. w.Header().Set("Content-Type", "application/json")
  51. var extclients []models.ExtClient
  52. var params = mux.Vars(r)
  53. network := params["network"]
  54. extclients, err := logic.GetNetworkExtClients(network)
  55. if err != nil {
  56. logger.Log(0, r.Header.Get("user"),
  57. fmt.Sprintf("failed to get ext clients for network [%s]: %v", network, err))
  58. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  59. return
  60. }
  61. //Returns all the extclients in JSON format
  62. w.WriteHeader(http.StatusOK)
  63. json.NewEncoder(w).Encode(extclients)
  64. }
  65. // swagger:route GET /api/extclients ext_client getAllExtClients
  66. //
  67. // A separate function to get all extclients, not just extclients for a particular network.
  68. //
  69. // Schemes: https
  70. //
  71. // Security:
  72. // oauth
  73. //
  74. // Responses:
  75. // 200: extClientSliceResponse
  76. //
  77. // Not quite sure if this is necessary. Probably necessary based on front end but may
  78. // want to review after iteration 1 if it's being used or not
  79. func getAllExtClients(w http.ResponseWriter, r *http.Request) {
  80. w.Header().Set("Content-Type", "application/json")
  81. headerNetworks := r.Header.Get("networks")
  82. networksSlice := []string{}
  83. marshalErr := json.Unmarshal([]byte(headerNetworks), &networksSlice)
  84. if marshalErr != nil {
  85. logger.Log(0, "error unmarshalling networks: ",
  86. marshalErr.Error())
  87. logic.ReturnErrorResponse(w, r, logic.FormatError(marshalErr, "internal"))
  88. return
  89. }
  90. clients := []models.ExtClient{}
  91. var err error
  92. if len(networksSlice) > 0 && networksSlice[0] == logic.ALL_NETWORK_ACCESS {
  93. clients, err = logic.GetAllExtClients()
  94. if err != nil && !database.IsEmptyRecord(err) {
  95. logger.Log(0, "failed to get all extclients: ", err.Error())
  96. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  97. return
  98. }
  99. } else {
  100. for _, network := range networksSlice {
  101. extclients, err := logic.GetNetworkExtClients(network)
  102. if err == nil {
  103. clients = append(clients, extclients...)
  104. }
  105. }
  106. }
  107. //Return all the extclients in JSON format
  108. logic.SortExtClient(clients[:])
  109. w.WriteHeader(http.StatusOK)
  110. json.NewEncoder(w).Encode(clients)
  111. }
  112. // swagger:route GET /api/extclients/{network}/{clientid} ext_client getExtClient
  113. //
  114. // Get an individual extclient.
  115. //
  116. // Schemes: https
  117. //
  118. // Security:
  119. // oauth
  120. //
  121. // Responses:
  122. // 200: extClientResponse
  123. func getExtClient(w http.ResponseWriter, r *http.Request) {
  124. // set header.
  125. w.Header().Set("Content-Type", "application/json")
  126. var params = mux.Vars(r)
  127. clientid := params["clientid"]
  128. network := params["network"]
  129. client, err := logic.GetExtClient(clientid, network)
  130. if err != nil {
  131. logger.Log(0, r.Header.Get("user"), fmt.Sprintf("failed to get extclient for [%s] on network [%s]: %v",
  132. clientid, network, err))
  133. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  134. return
  135. }
  136. w.WriteHeader(http.StatusOK)
  137. json.NewEncoder(w).Encode(client)
  138. }
  139. // swagger:route GET /api/extclients/{network}/{clientid}/{type} ext_client getExtClientConf
  140. //
  141. // Get an individual extclient.
  142. //
  143. // Schemes: https
  144. //
  145. // Security:
  146. // oauth
  147. //
  148. // Responses:
  149. // 200: extClientResponse
  150. func getExtClientConf(w http.ResponseWriter, r *http.Request) {
  151. // set header.
  152. w.Header().Set("Content-Type", "application/json")
  153. var params = mux.Vars(r)
  154. clientid := params["clientid"]
  155. networkid := params["network"]
  156. client, err := logic.GetExtClient(clientid, networkid)
  157. if err != nil {
  158. logger.Log(0, r.Header.Get("user"), fmt.Sprintf("failed to get extclient for [%s] on network [%s]: %v",
  159. clientid, networkid, err))
  160. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  161. return
  162. }
  163. gwnode, err := logic.GetNodeByID(client.IngressGatewayID)
  164. if err != nil {
  165. logger.Log(0, r.Header.Get("user"),
  166. fmt.Sprintf("failed to get ingress gateway node [%s] info: %v", client.IngressGatewayID, err))
  167. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  168. return
  169. }
  170. host, err := logic.GetHost(gwnode.HostID.String())
  171. if err != nil {
  172. logger.Log(0, r.Header.Get("user"),
  173. fmt.Sprintf("failed to get host for ingress gateway node [%s] info: %v", client.IngressGatewayID, err))
  174. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  175. return
  176. }
  177. network, err := logic.GetParentNetwork(client.Network)
  178. if err != nil {
  179. logger.Log(1, r.Header.Get("user"), "Could not retrieve Ingress Gateway Network", client.Network)
  180. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  181. return
  182. }
  183. addrString := client.Address
  184. if addrString != "" {
  185. addrString += "/32"
  186. }
  187. if client.Address6 != "" {
  188. if addrString != "" {
  189. addrString += ","
  190. }
  191. addrString += client.Address6 + "/128"
  192. }
  193. keepalive := ""
  194. if network.DefaultKeepalive != 0 {
  195. keepalive = "PersistentKeepalive = " + strconv.Itoa(int(network.DefaultKeepalive))
  196. }
  197. gwendpoint := host.EndpointIP.String() + ":" + strconv.Itoa(host.ListenPort)
  198. newAllowedIPs := network.AddressRange
  199. if newAllowedIPs != "" && network.AddressRange6 != "" {
  200. newAllowedIPs += ","
  201. }
  202. if network.AddressRange6 != "" {
  203. newAllowedIPs += network.AddressRange6
  204. }
  205. if egressGatewayRanges, err := logic.GetEgressRangesOnNetwork(&client); err == nil {
  206. for _, egressGatewayRange := range egressGatewayRanges {
  207. newAllowedIPs += "," + egressGatewayRange
  208. }
  209. }
  210. defaultDNS := ""
  211. if client.DNS != "" {
  212. defaultDNS = "DNS = " + client.DNS
  213. } else if gwnode.IngressDNS != "" {
  214. defaultDNS = "DNS = " + gwnode.IngressDNS
  215. }
  216. defaultMTU := 1420
  217. if host.MTU != 0 {
  218. defaultMTU = host.MTU
  219. }
  220. config := fmt.Sprintf(`[Interface]
  221. Address = %s
  222. PrivateKey = %s
  223. MTU = %d
  224. %s
  225. [Peer]
  226. PublicKey = %s
  227. AllowedIPs = %s
  228. Endpoint = %s
  229. %s
  230. `, addrString,
  231. client.PrivateKey,
  232. defaultMTU,
  233. defaultDNS,
  234. host.PublicKey,
  235. newAllowedIPs,
  236. gwendpoint,
  237. keepalive)
  238. if params["type"] == "qr" {
  239. bytes, err := qrcode.Encode(config, qrcode.Medium, 220)
  240. if err != nil {
  241. logger.Log(1, r.Header.Get("user"), "failed to encode qr code: ", err.Error())
  242. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  243. return
  244. }
  245. w.Header().Set("Content-Type", "image/png")
  246. w.WriteHeader(http.StatusOK)
  247. _, err = w.Write(bytes)
  248. if err != nil {
  249. logger.Log(1, r.Header.Get("user"), "response writer error (qr) ", err.Error())
  250. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  251. return
  252. }
  253. return
  254. }
  255. if params["type"] == "file" {
  256. name := client.ClientID + ".conf"
  257. w.Header().Set("Content-Type", "application/config")
  258. w.Header().Set("Content-Disposition", "attachment; filename=\""+name+"\"")
  259. w.WriteHeader(http.StatusOK)
  260. _, err := fmt.Fprint(w, config)
  261. if err != nil {
  262. logger.Log(1, r.Header.Get("user"), "response writer error (file) ", err.Error())
  263. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  264. }
  265. return
  266. }
  267. logger.Log(2, r.Header.Get("user"), "retrieved ext client config")
  268. w.WriteHeader(http.StatusOK)
  269. json.NewEncoder(w).Encode(client)
  270. }
  271. // swagger:route POST /api/extclients/{network}/{nodeid} ext_client createExtClient
  272. //
  273. // Create an individual extclient. Must have valid key and be unique.
  274. //
  275. // Schemes: https
  276. //
  277. // Security:
  278. // oauth
  279. func createExtClient(w http.ResponseWriter, r *http.Request) {
  280. w.Header().Set("Content-Type", "application/json")
  281. var params = mux.Vars(r)
  282. nodeid := params["nodeid"]
  283. ingressExists := checkIngressExists(nodeid)
  284. if !ingressExists {
  285. err := errors.New("ingress does not exist")
  286. slog.Error("failed to create extclient", "user", r.Header.Get("user"), "error", err)
  287. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
  288. return
  289. }
  290. var customExtClient models.CustomExtClient
  291. if err := json.NewDecoder(r.Body).Decode(&customExtClient); err != nil {
  292. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
  293. return
  294. }
  295. if err := validateCustomExtClient(&customExtClient, true); err != nil {
  296. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
  297. return
  298. }
  299. extclient := logic.UpdateExtClient(&models.ExtClient{}, &customExtClient)
  300. extclient.IngressGatewayID = nodeid
  301. node, err := logic.GetNodeByID(nodeid)
  302. if err != nil {
  303. logger.Log(0, r.Header.Get("user"),
  304. fmt.Sprintf("failed to get ingress gateway node [%s] info: %v", nodeid, err))
  305. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  306. return
  307. }
  308. extclient.Network = node.Network
  309. host, err := logic.GetHost(node.HostID.String())
  310. if err != nil {
  311. logger.Log(0, r.Header.Get("user"),
  312. fmt.Sprintf("failed to get ingress gateway host for node [%s] info: %v", nodeid, err))
  313. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  314. return
  315. }
  316. listenPort := logic.GetPeerListenPort(host)
  317. extclient.IngressGatewayEndpoint = fmt.Sprintf("%s:%d", host.EndpointIP.String(), listenPort)
  318. extclient.Enabled = true
  319. parentNetwork, err := logic.GetNetwork(node.Network)
  320. if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
  321. extclient.Enabled = parentNetwork.DefaultACL == "yes"
  322. }
  323. if err := logic.SetClientDefaultACLs(&extclient); err != nil {
  324. slog.Error("failed to set default acls for extclient", "user", r.Header.Get("user"), "network", node.Network, "error", err)
  325. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  326. return
  327. }
  328. if err = logic.CreateExtClient(&extclient); err != nil {
  329. slog.Error("failed to create extclient", "user", r.Header.Get("user"), "network", node.Network, "error", err)
  330. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  331. return
  332. }
  333. var isAdmin bool
  334. if r.Header.Get("ismaster") != "yes" {
  335. userID := r.Header.Get("user")
  336. if isAdmin, err = checkProClientAccess(userID, extclient.ClientID, &parentNetwork); err != nil {
  337. slog.Error("pro client access check failed", "user", userID, "network", node.Network, "error", err)
  338. logic.DeleteExtClient(node.Network, extclient.ClientID)
  339. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  340. return
  341. }
  342. if !isAdmin {
  343. if err = pro.AssociateNetworkUserClient(userID, node.Network, extclient.ClientID); err != nil {
  344. logger.Log(0, "failed to associate client", extclient.ClientID, "to user", userID)
  345. }
  346. extclient.OwnerID = userID
  347. if err := logic.SaveExtClient(&extclient); err != nil {
  348. logger.Log(0, "failed to add owner id", userID, "to client", extclient.ClientID)
  349. }
  350. }
  351. }
  352. slog.Info("created extclient", "user", r.Header.Get("user"), "network", node.Network, "clientid", extclient.ClientID)
  353. w.WriteHeader(http.StatusOK)
  354. go func() {
  355. if err := mq.PublishPeerUpdate(); err != nil {
  356. logger.Log(1, "error setting ext peers on "+nodeid+": "+err.Error())
  357. }
  358. if err := mq.PublishExtCLientDNS(&extclient); err != nil {
  359. logger.Log(1, "error publishing extclient dns", err.Error())
  360. }
  361. }()
  362. }
  363. // swagger:route PUT /api/extclients/{network}/{clientid} ext_client updateExtClient
  364. //
  365. // Update an individual extclient.
  366. //
  367. // Schemes: https
  368. //
  369. // Security:
  370. // oauth
  371. //
  372. // Responses:
  373. // 200: extClientResponse
  374. func updateExtClient(w http.ResponseWriter, r *http.Request) {
  375. w.Header().Set("Content-Type", "application/json")
  376. var params = mux.Vars(r)
  377. var update models.CustomExtClient
  378. //var oldExtClient models.ExtClient
  379. var sendPeerUpdate bool
  380. err := json.NewDecoder(r.Body).Decode(&update)
  381. if err != nil {
  382. logger.Log(0, r.Header.Get("user"), "error decoding request body: ",
  383. err.Error())
  384. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
  385. return
  386. }
  387. clientid := params["clientid"]
  388. oldExtClient, err := logic.GetExtClientByName(clientid)
  389. if err != nil {
  390. slog.Error("failed to retrieve extclient", "user", r.Header.Get("user"), "id", clientid, "error", err)
  391. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  392. return
  393. }
  394. if oldExtClient.ClientID == update.ClientID {
  395. if err := validateCustomExtClient(&update, false); err != nil {
  396. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
  397. return
  398. }
  399. } else {
  400. if err := validateCustomExtClient(&update, true); err != nil {
  401. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
  402. return
  403. }
  404. }
  405. // == PRO ==
  406. //networkName := params["network"]
  407. var changedID = update.ClientID != oldExtClient.ClientID
  408. if r.Header.Get("ismaster") != "yes" {
  409. userID := r.Header.Get("user")
  410. _, doesOwn := doesUserOwnClient(userID, params["clientid"], oldExtClient.Network)
  411. if !doesOwn {
  412. logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("user not permitted"), "internal"))
  413. return
  414. }
  415. }
  416. if changedID && oldExtClient.OwnerID != "" {
  417. if err := pro.DissociateNetworkUserClient(oldExtClient.OwnerID, oldExtClient.Network, oldExtClient.ClientID); err != nil {
  418. logger.Log(0, "failed to dissociate client", oldExtClient.ClientID, "from user", oldExtClient.OwnerID)
  419. }
  420. if err := pro.AssociateNetworkUserClient(oldExtClient.OwnerID, oldExtClient.Network, update.ClientID); err != nil {
  421. logger.Log(0, "failed to associate client", update.ClientID, "to user", oldExtClient.OwnerID)
  422. }
  423. }
  424. if len(update.DeniedACLs) != len(oldExtClient.DeniedACLs) {
  425. sendPeerUpdate = true
  426. logic.SetClientACLs(&oldExtClient, update.DeniedACLs)
  427. }
  428. // == END PRO ==
  429. if update.Enabled != oldExtClient.Enabled {
  430. sendPeerUpdate = true
  431. }
  432. newclient := logic.UpdateExtClient(&oldExtClient, &update)
  433. if err := logic.DeleteExtClient(oldExtClient.Network, oldExtClient.ClientID); err != nil {
  434. slog.Error("failed to delete ext client", "user", r.Header.Get("user"), "id", oldExtClient.ClientID, "network", oldExtClient.Network, "error", err)
  435. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  436. return
  437. }
  438. if err := logic.SaveExtClient(&newclient); err != nil {
  439. slog.Error("failed to save ext client", "user", r.Header.Get("user"), "id", newclient.ClientID, "network", newclient.Network, "error", err)
  440. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  441. return
  442. }
  443. logger.Log(0, r.Header.Get("user"), "updated ext client", update.ClientID)
  444. if sendPeerUpdate { // need to send a peer update to the ingress node as enablement of one of it's clients has changed
  445. if ingressNode, err := logic.GetNodeByID(newclient.IngressGatewayID); err == nil {
  446. if err = mq.PublishPeerUpdate(); err != nil {
  447. logger.Log(1, "error setting ext peers on", ingressNode.ID.String(), ":", err.Error())
  448. }
  449. }
  450. }
  451. w.WriteHeader(http.StatusOK)
  452. json.NewEncoder(w).Encode(newclient)
  453. if changedID {
  454. go func() {
  455. if err := mq.PublishExtClientDNSUpdate(oldExtClient, newclient, oldExtClient.Network); err != nil {
  456. logger.Log(1, "error pubishing dns update for extcient update", err.Error())
  457. }
  458. }()
  459. }
  460. }
  461. // swagger:route DELETE /api/extclients/{network}/{clientid} ext_client deleteExtClient
  462. //
  463. // Delete an individual extclient.
  464. //
  465. // Schemes: https
  466. //
  467. // Security:
  468. // oauth
  469. //
  470. // Responses:
  471. // 200: successResponse
  472. func deleteExtClient(w http.ResponseWriter, r *http.Request) {
  473. // Set header
  474. w.Header().Set("Content-Type", "application/json")
  475. // get params
  476. var params = mux.Vars(r)
  477. clientid := params["clientid"]
  478. network := params["network"]
  479. extclient, err := logic.GetExtClient(clientid, network)
  480. if err != nil {
  481. err = errors.New("Could not delete extclient " + params["clientid"])
  482. logger.Log(0, r.Header.Get("user"),
  483. fmt.Sprintf("failed to delete extclient [%s],network [%s]: %v", clientid, network, err))
  484. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  485. return
  486. }
  487. ingressnode, err := logic.GetNodeByID(extclient.IngressGatewayID)
  488. if err != nil {
  489. logger.Log(0, r.Header.Get("user"),
  490. fmt.Sprintf("failed to get ingress gateway node [%s] info: %v", extclient.IngressGatewayID, err))
  491. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  492. return
  493. }
  494. // == PRO ==
  495. if r.Header.Get("ismaster") != "yes" {
  496. userID, clientID, networkName := r.Header.Get("user"), params["clientid"], params["network"]
  497. _, doesOwn := doesUserOwnClient(userID, clientID, networkName)
  498. if !doesOwn {
  499. logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("user not permitted"), "internal"))
  500. return
  501. }
  502. }
  503. if extclient.OwnerID != "" {
  504. if err = pro.DissociateNetworkUserClient(extclient.OwnerID, extclient.Network, extclient.ClientID); err != nil {
  505. logger.Log(0, "failed to dissociate client", extclient.ClientID, "from user", extclient.OwnerID)
  506. }
  507. }
  508. // == END PRO ==
  509. err = logic.DeleteExtClient(params["network"], params["clientid"])
  510. if err != nil {
  511. logger.Log(0, r.Header.Get("user"),
  512. fmt.Sprintf("failed to delete extclient [%s],network [%s]: %v", clientid, network, err))
  513. err = errors.New("Could not delete extclient " + params["clientid"])
  514. logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
  515. return
  516. }
  517. go func() {
  518. if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
  519. logger.Log(1, "error setting ext peers on "+ingressnode.ID.String()+": "+err.Error())
  520. }
  521. if err = mq.PublishDeleteExtClientDNS(&extclient); err != nil {
  522. logger.Log(1, "error publishing dns update for extclient deletion", err.Error())
  523. }
  524. }()
  525. logger.Log(0, r.Header.Get("user"),
  526. "Deleted extclient client", params["clientid"], "from network", params["network"])
  527. logic.ReturnSuccessResponse(w, r, params["clientid"]+" deleted.")
  528. }
  529. func checkProClientAccess(username, clientID string, network *models.Network) (bool, error) {
  530. u, err := logic.GetUser(username)
  531. if err != nil {
  532. return false, err
  533. }
  534. if u.IsAdmin {
  535. return true, nil
  536. }
  537. netUser, err := pro.GetNetworkUser(network.NetID, promodels.NetworkUserID(u.UserName))
  538. if err != nil {
  539. return false, err
  540. }
  541. if netUser.AccessLevel == pro.NET_ADMIN {
  542. return false, nil
  543. }
  544. if netUser.AccessLevel == pro.NO_ACCESS {
  545. return false, fmt.Errorf("user does not have access")
  546. }
  547. if !(len(netUser.Clients) < netUser.ClientLimit) {
  548. return false, fmt.Errorf("user can not create more clients")
  549. }
  550. if netUser.AccessLevel < pro.NO_ACCESS {
  551. netUser.Clients = append(netUser.Clients, clientID)
  552. if err = pro.UpdateNetworkUser(network.NetID, netUser); err != nil {
  553. return false, err
  554. }
  555. }
  556. return false, nil
  557. }
  558. // checks if net user owns an ext client or is an admin
  559. func doesUserOwnClient(username, clientID, network string) (bool, bool) {
  560. u, err := logic.GetUser(username)
  561. if err != nil {
  562. return false, false
  563. }
  564. if u.IsAdmin {
  565. return true, true
  566. }
  567. netUser, err := pro.GetNetworkUser(network, promodels.NetworkUserID(u.UserName))
  568. if err != nil {
  569. return false, false
  570. }
  571. if netUser.AccessLevel == pro.NET_ADMIN {
  572. return false, true
  573. }
  574. return false, logic.StringSliceContains(netUser.Clients, clientID)
  575. }
  576. // validateCustomExtClient Validates the extclient object
  577. func validateCustomExtClient(customExtClient *models.CustomExtClient, checkID bool) error {
  578. //validate clientid
  579. if customExtClient.ClientID != "" {
  580. if err := isValid(customExtClient.ClientID, checkID); err != nil {
  581. return fmt.Errorf("client validatation: %v", err)
  582. }
  583. }
  584. //extclient.ClientID = customExtClient.ClientID
  585. if len(customExtClient.PublicKey) > 0 {
  586. if _, err := wgtypes.ParseKey(customExtClient.PublicKey); err != nil {
  587. return errInvalidExtClientPubKey
  588. }
  589. //extclient.PublicKey = customExtClient.PublicKey
  590. }
  591. //validate extra ips
  592. if len(customExtClient.ExtraAllowedIPs) > 0 {
  593. for _, ip := range customExtClient.ExtraAllowedIPs {
  594. if _, _, err := net.ParseCIDR(ip); err != nil {
  595. return errInvalidExtClientExtraIP
  596. }
  597. }
  598. //extclient.ExtraAllowedIPs = customExtClient.ExtraAllowedIPs
  599. }
  600. //validate DNS
  601. if customExtClient.DNS != "" {
  602. if ip := net.ParseIP(customExtClient.DNS); ip == nil {
  603. return errInvalidExtClientDNS
  604. }
  605. //extclient.DNS = customExtClient.DNS
  606. }
  607. return nil
  608. }
  609. // isValid Checks if the clientid is valid
  610. func isValid(clientid string, checkID bool) error {
  611. if !validName(clientid) {
  612. return errInvalidExtClientID
  613. }
  614. if checkID {
  615. extclients, err := logic.GetAllExtClients()
  616. if err != nil {
  617. return fmt.Errorf("extclients isValid: %v", err)
  618. }
  619. for _, extclient := range extclients {
  620. if clientid == extclient.ClientID {
  621. return errDuplicateExtClientName
  622. }
  623. }
  624. }
  625. return nil
  626. }